Setting Entity Owners in OAA Payloads
Early Access: OAA Entity Owners functionality is currently in Early Access for automatic assignment of entity ownership during OAA payload submission. Please contact our customer success team to enable this feature for your environment.
OAA supports setting Entity Owners on OAA Entities as part of the submission for some templates. This enables a single operation to submit the OAA Entity and its owner.
Entity Owners enable automated assignment and accountability in access management and other workflows:
Owners can be used by Access Workflows for automatic assignment of review rows
Assigning owners for entities that represent non-human identities enables visibility into those users on the Non-Human Identities (NHI) overview page.
If Veza assigns a Risk Score to the entity, an owner assignment can help identify the user best able to remediate the risk.
Currently supported OAA Templates and entity types for Entity Owners:
Application Template:
Application (owners can be set at the application level itself)
Users
Groups
Roles
Resources
Access Credentials
Requirements:
Entity Owners must be a User entity type from an Identity Provider integration enabled in Veza. If a Global Identity provider is configured, the owner must be a user entity from the Global IDP.
Use the owners property on supported entities to specify entity owners as an array of objects:
{
  "external_id": "[email protected]",
  "owner_type": "OktaUser",
  "primary": true
}
external_id: The ID of the owner from the IDP. External ID supports the same lookup attributes as
owner_type: The node type of the owner (case insensitive). For custom identity providers, use the format OAA.{idp_type}.IDPUser, where {idp_type} is the value specified when creating the custom IdP provider. To find your idp_type value, use the . This attribute is optional when a Global IDP is configured.
primary: If true, the user is the primary owner; defaults to false.
For example, setting the owner on a role may look like the following:
"local_roles": [
  {
    "name": "User Admin",
    "permissions": [
      "view_all",
      "manage_users"
    ],
    "owners": [
      {
        "external_id": "[email protected]",
        "owner_type": "OktaUser",
        "primary": true
      }
    ]
  }
]
For custom identity providers, you will need to determine the correct owner_type format to identify the entities in Veza Graph. You can find this information through the Veza UI or using an API request:
In the Veza UI:
1. Go to Access Visibility > Graph
2. Search for a user from your custom identity provider
3. Click on the user to open the sidebar and choose Basic Actions > View Details
4. The entity type is displayed in the user details (e.g., "OAA.Custom_IDP.IDPUser")
5. Use this exact node type as your owner_type value
Alternately, you can use GET /api/v1/providers/custom to list all custom providers and their idp_type values. The owner_type format should be OAA.{idp_type}.IDPUser.
See the table below for common IdP types and corresponding owner entity types:
| Provider Type            | idp_type Value     | owner_type Format         |
|--------------------------|--------------------|---------------------------|
| Standard Okta            | "Okta"             | OktaUser                  |
| Standard Azure AD        | "AzureAD"          | AzureADUser               |
| Active Directory         | "ActiveDirectory"  | ActiveDirectoryUser       |
| Ping Identity            | "PingOne"          | PingOneUser               |
| OneLogin                 | "OneLogin"         | OneLoginUser              |
| AWS IAM Identity Center  | "AwsSso"           | AwsSsoUser                |
| Google Workspace         | "Google"           | GoogleWorkspaceUser       |
| Custom LDAP              | "company_ldap"     | OAA.company_ldap.IDPUser  |
| Custom Identity Provider | "custom_idp"       | OAA.custom_idp.IDPUser    |
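The following is an added example (not Veza's code or the oaaclient SDK) showing how a payload generator can build owner entries in the format described above, derive the OAA.{idp_type}.IDPUser owner_type for a custom identity provider, and pre-check owner entries locally before submission so that a malformed entry is caught before the whole payload is rejected. The known owner types are taken from the table above; the validation rules (non-empty external_id, boolean primary, owner_type required unless a Global IDP is configured) are local assumptions that approximate the Field Violation behaviour this page describes, and the email addresses and idp_type values are constructed sample data.

```python
"""Build and pre-validate OAA entity owner entries before payload submission.

Added example, not Veza's code. The owner object shape and the custom
owner_type format come from the documentation; the validation rules are
local assumptions, not Veza's server-side checks.
"""
import json
import re
from typing import List, Optional

# Owner node types for built-in identity providers (from the table above).
# Matching is case-insensitive, as the page states for owner_type.
KNOWN_OWNER_TYPES = {
    "oktauser", "azureaduser", "activedirectoryuser", "pingoneuser",
    "oneloginuser", "awsssouser", "googleworkspaceuser",
}
# Custom identity providers: OAA.{idp_type}.IDPUser
CUSTOM_OWNER_TYPE = re.compile(r"^OAA\.[^.\s]+\.IDPUser$", re.IGNORECASE)


def custom_owner_type(idp_type: str) -> str:
    """Return the owner_type for a custom IdP, i.e. OAA.{idp_type}.IDPUser."""
    if not idp_type or "." in idp_type or any(c.isspace() for c in idp_type):
        raise ValueError(f"invalid idp_type: {idp_type!r}")
    return f"OAA.{idp_type}.IDPUser"


def make_owner(external_id: str, owner_type: Optional[str] = None,
               primary: bool = False) -> dict:
    """Build one owner object; owner_type is omitted when None (Global IDP case)."""
    owner = {"external_id": external_id, "primary": primary}
    if owner_type is not None:
        owner["owner_type"] = owner_type
    return owner


def validate_owners(owners, global_idp_configured: bool = False) -> List[str]:
    """Return a list of problems found; an empty list means the entries look well-formed.

    Assumed local rules: external_id is a non-empty string, primary is a bool,
    owner_type is a known built-in type or OAA.{idp_type}.IDPUser, and
    owner_type may only be omitted when a Global IDP is configured.
    """
    if not isinstance(owners, list):
        return ["owners must be an array of objects"]
    problems = []
    for i, owner in enumerate(owners):
        if not isinstance(owner, dict):
            problems.append(f"owners[{i}]: entry is not an object")
            continue
        ext = owner.get("external_id")
        if not isinstance(ext, str) or not ext.strip():
            problems.append(f"owners[{i}]: external_id must be a non-empty string")
        otype = owner.get("owner_type")
        if otype is None:
            if not global_idp_configured:
                problems.append(f"owners[{i}]: owner_type is required unless a Global IDP is configured")
        elif not isinstance(otype, str) or not (
            otype.lower() in KNOWN_OWNER_TYPES or CUSTOM_OWNER_TYPE.match(otype)
        ):
            problems.append(f"owners[{i}]: unsupported owner_type {otype!r}")
        if not isinstance(owner.get("primary", False), bool):
            problems.append(f"owners[{i}]: primary must be true or false")
    return problems


def build_role(name: str, permissions: List[str], owners: List[dict]) -> dict:
    """Assemble a local_roles entry carrying owners, as in the page's example."""
    bad = validate_owners(owners)
    if bad:
        raise ValueError("; ".join(bad))
    return {"name": name, "permissions": permissions, "owners": owners}


if __name__ == "__main__":
    # Constructed sample owners: one Okta user and one user from a custom LDAP IdP.
    owners = [
        make_owner("[email protected]", "OktaUser", primary=True),
        make_owner("[email protected]", custom_owner_type("company_ldap")),
    ]
    role = build_role("User Admin", ["view_all", "manage_users"], owners)
    print(json.dumps({"local_roles": [role]}, indent=2))
```

Run the check against every entity in the payload that carries an owners array before calling the OAA submission endpoint; a non-empty problem list points at the entry that would otherwise cause the Field Violation rejection described below.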
If an Owner entry is malformed, references an unsupported owner type, or conflicts with the Global IDP setting, a Field Violation error will be returned and the OAA payload will be rejected.
If an owner identity cannot be found, a warning will be returned with the successful response and the OAA payload will be accepted and processed with the unknown owner(s) being ignored.
Entity owners must originate from the primary Global IdP source. Users from alternate manager lookup sources cannot be used as entity owners.
After submitting an OAA payload with entity owners, verify the assignment by locating the entity in Query Builder or Graph Search. You can then configure automatic reviewer assignment to use these owners in access review workflows.