Azure PostgreSQL Database

The Azure integration includes built-in support for PostgreSQL on Azure Database. After enabling the feature, you can use search, insights, and workflows to:

• Find principles with permissions on PostgreSQL Servers, Databases, Tables, and Schemas.

• Identify principles with privileged permissions (such as Delete) on PostgreSQL entities

This document provides steps to create the required database user, and configure the integration. See notes and supported entities for more details.

Configuring Azure Database for PostgreSQL

To enable the connection between Veza and Azure PostgreSQL, you will need to:

• Deploy an Insight Point in the same virtual network as the databases to discover, or a peered virtual network.

  • Using an Insight Point is recommended when connecting to production environments. For testing purposes, you can use the internal Insight Point, assuming that firewall rules allow communication with Veza.

• Create local PostgreSQL user(s) Veza can use to log in.

• Enable PostgreSQL discovery by creating an Azure integration or editing an existing configuration.

Create a PostgreSQL user for Veza

For each server you want to discover, create a local user with read-only permissions on the required system tables. All Veza PostgreSQL users for different servers within a single Azure tenant must share the same username and password.

Log in as an administrator using your client of choice, and create a user with the required permissions. Replace [db_user] with the desired username:

CREATE USER [db_user] WITH LOGIN PASSWORD '[password]';
GRANT SELECT ON
  pg_catalog.pg_user,
  pg_catalog.pg_group,
  pg_catalog.pg_namespace,
  pg_catalog.pg_class,
  pg_catalog.pg_database,
  pg_catalog.pg_auth_members,
  pg_catalog.pg_attribute,
  pg_catalog.pg_roles,
  pg_catalog.pg_trigger,
  pg_catalog.pg_proc,
  pg_catalog.pg_collation,
  pg_catalog.pg_conversion,
  pg_catalog.pg_type,
  pg_catalog.pg_event_trigger,
  pg_catalog.pg_extension,
  pg_catalog.pg_foreign_data_wrapper,
  pg_catalog.pg_foreign_table,
  pg_catalog.pg_language,
  pg_catalog.pg_largeobject_metadata,
  pg_catalog.pg_operator,
  pg_catalog.pg_opclass,
  pg_catalog.pg_opfamily,
  pg_catalog.pg_policy,
  pg_catalog.pg_publication,
  pg_catalog.pg_sequence,
  pg_catalog.pg_foreign_server,
  pg_catalog.pg_statistic_ext,
  pg_catalog.pg_subscription,
  pg_catalog.pg_tablespace,
  pg_catalog.pg_ts_config,
  pg_catalog.pg_ts_dict,
  pg_catalog.pg_parameter_acl
TO [db_user];

Explicitly granting the pg_catalog permissions is required for Single server deployments. When configuring the user for Azure Flexible Servers, new users will already have access to pg_catalog tables, and a no privileges were granted warning will appear.

You will enter the local username and password when configuring the Azure integration on the Veza platform.

Troubleshooting

To verify that new user can read the required tables, you can log in as the new user ( \c postgres [db_user] in psql) and run the following script:

DO $$
DECLARE
    result integer;
BEGIN
    SELECT 1 FROM pg_catalog.pg_user LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_group LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_namespace LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_class LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_database LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_auth_members LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_attribute LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_roles LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_trigger LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_proc LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_collation LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_conversion LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_type LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_event_trigger LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_extension LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_foreign_data_wrapper LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_foreign_table LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_languageLIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_largeobject_metadata LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_operator LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_opclass LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_opfamily LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_policy LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_publication LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_sequence LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_foreign_server LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_statistic_ext LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_subscription LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_tablespace LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_ts_config LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_ts_dict LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_parameter_acl LIMIT 1 INTO result;
    RAISE NOTICE 'All queries were successful';
EXCEPTION
    WHEN OTHERS THEN
        RAISE NOTICE 'A read query failed';
END $$;

See How to create database users in Azure Database for PostgreSQL for more details.

Enable PostgreSQL for the Azure integration

Log in to Veza as an administrator to finish configuring the integration. You can enable PostgreSQL for an existing integration, or when creating one.

1. In Veza, open the Integrations page..

   1. To add an integration, Click Add Integration > Azure and complete the steps to configure Microsoft Azure.

   2. To modify an existing integration, find the provider on the main list and click Edit.

2. From the Insight Point dropdown, pick the one you created for connecting to the PostgreSQL server.

3. Go to the Limit Services tab.

4. If you have already limited the services to discover, remember to enable Azure PostgreSQL.

5. Scroll to the bottom and enter the username and password for the PostgreSQL user.

6. Optionally, enter a comma-separated list of databases and schema to allow or deny. If the allow list is populated, only those resources are discovered. If the deny list is populated, the specified resources are skipped.

Notes and Supported Entities

The integration supports flexible server and single server deployments. Azure Arc enabled PostgreSQL is not supported.

Veza discovers the following PostgreSQL entities and attributes:

PostgreSQL User

An individual account or identity, assigned specific permissions to control access to databases, schemas, tables, and other database objects.

• ID

• Provider ID

• Datasource ID

• Is Super User

• Can Create DB

• Can Initiate Streaming Replication

• Can Bypass All Row Level Security

• External Account Type

PostgreSQL Database

A logical container within an Azure PostgreSQL service instance that stores data, organized into tables. Several databases can exist within a single PostgreSQL instance, each serving a distinct purpose or application.

• Name

• ID

• Provider ID

• Datasource ID

• Owner

• Server ID

PostgreSQL Group

Represents a logical grouping of database users or roles. Groups manage access control and permissions by assigning specific privileges to several users with common roles.

• Name

• ID

• Provider ID

• Datasource ID

PostgreSQL Instance

A PostgreSQL instance in Azure represents a dedicated, managed PostgreSQL database server hosted on Azure infrastructure. Each instance has its own connection endpoint, configurations, and access controls.

• Name

• ID

• Provider ID

• Datasource ID

• Server ID

• Azure Tenant ID

PostgreSQL Schema

A container within a PostgreSQL database that helps organize database objects, such as tables and views. Schemas logically group and manage database objects, making it easier to maintain and navigate a complex database structure.

• Name

• ID

• Provider ID

• Datasource ID

• Owner

PostgreSQL Table

A fundamental database object that stores structured data in rows and columns, allowing for efficient querying and manipulation of data.

• Name

• ID

• Provider ID

• Datasource ID

• Owner

PostgreSQL Procedure

A fundamental database object that allowing user to write and execute functions written in supported languages, such as C.

• Name

• ID

• Provider ID

• Datasource ID

• Owner

PostgreSQL Trigger

A fundamental database object that automatically executes a particular function whenever a certain type of operation is performed.

• Name

• ID

• Provider ID

• Datasource ID

• Owner

PostgreSQL Permissions

Veza creates additional entities to represent capabilities users can have on PostgreSQL resources:

• PostgreSQL Privilege: Configured permissions, shown in System query mode.

• PostgreSQL Effective Permission: Effective permissions, shown in Effective query mode.