1 of 7

OAA Python SDK

Building blocks for your custom OAA integration

oaaclient can be downloaded from , or installed with pip3 install oaaclient.

The `oaaclient` package provides data models, methods and a command-line interface for using the Open Authorization API. You can use it to populate OAA templates including as Application, IdP, and HRIS, pushing OAA data to Veza and even as a general Veza API client.

The oaaclient SDK includes the following components:

oaaclient.client: Veza API communication (data provider management, payload push, etc.). Requires an API key for authentication.
oaaclient.templates: Classes for modeling and generating an OAA payload.
oaaclient.utils: Additional utility functions (icon encoding, etc.).

For example usage, please see and the directory.

Sample Workflow

Create the Veza API connection and a new custom application:

Once the CustomApplication class is instantiated, you can use the public methods to populate the new app with local users, groups, resources, and permissions metadata:

Once all identities, permissions and resources are added to the CustomApplication object, the client connection handles the final push to Veza:

See the directory for complete examples.

The OAAClient class handles API connections to Veza. If there are errors connecting or the API returns errors OAAClient will raise an OAAClientError exception. If the payload doesn't conform to the template requirements the OAAClientError.details will contain a list of any issues encountered.

Since any given source application or service will have different methods for retrieving entities, authorization, and other required metadata, each OAA connector will be slightly different. You should consult the API documentation for your application when considering how you will source the information, and refer to existing Veza-supported OAA connectors for real-world examples.

Connector source code and oaaclient are thoroughly annotated, for reference when building your own integrations.

For additional information about developing a custom OAA integration, please see section of the User Guide.

oaaclient modules

Modules

client: Classes for calling Veza APIs and managing OAA providers and data sources.
templates: Classes for constructing an OAA JSON payload (Custom "Application" or "IdP").
utils: oaaclient utility functions.

: OAA API Connection and Management.
: Error raised by OAAClient.
: Base class for CustomApplication.

: Helper function to simplify appending.
: Returns a list of unique strings from input list case insensitive

Client

Classes for calling Veza APIs and managing OAA providers and data sources.

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

Global Variables

OAACLIENT_VERSION
PROVIDER_ICON_MAX_SIZE

Entry point for oaaclient-report-builder command

Reads a JSON file and passes it to the oaaclient.utils.build_report method

Error raised by OAAClient.

Raised for issues connecting to the OAA API and when the API returns an error.

Args:

error (str): short string for error message
message (str): detailed error message
status_code (int, optional): status code for HTTP related errors. Defaults to None.

Error returned from API Call

Error with API Connection

Class for OAA API Connection and Management.

Utilities for OAA-related operations with Veza API calls. Manages custom providers and data sources, and can push OAA payloads from JSON or template objects.

Connection url and API key can be automatically loaded from OS environment values if set. To utilize environment variables initialize OAAClient without providing a URL or API key value and set the VEZA_URL and VEZA_API_KEY OS environment variables.

Args:

url (str, optional): URL for Veza instance.
api_key (str, optional): Veza API key.
username (str, optional): Not used (legacy). Defaults to None.

Attributes:

url (str): URL of the Veza instance to connect to
api_key (str): Veza API key
enable_compression

Raises:

OAAClientError: For errors connecting to API and if API returns errors

Add a Query to a Report

Adds a Query to an existing Report by ID

Args:

report_id (str): Report UUID to add Query to
query_id (str): Query UUID to add

Returns:

dict: API Response

Perform REST API DELETE operation.

Args:

api_path (str): API Path API path relative to Veza URL

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

dict: API response from call

Perform a Veza API GET operation.

Makes the GET API call to the given path and processes the API response. Returns the value or values result returned from the API.

For API endpoints that return a list like /api/v1/providers/custom function will return a list of entities or an empty list if the API returns no results.
For API endpoints that are a specific ID such as /api/v1/providers/custom/<uuid> function will return the dictionary result of the JSON returned by the API.

Args:

api_path (str): API path relative to Veza URL (example /api/v1/providers).

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

list|dict: Returns list or dict based on API destination

Perform REST API PATCH operation.

Args:

api_path (str): API Path API path relative to Veza URL

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

dict: API response from call

Perform a Veza API POST operation.

Call POST on the supplied Veza instance API path, submitting a data payload.

Returns value or values response from API result. Paginated responses are automatically processed to collect all responses a single list.

Args:

api_path (str): API path relative to Veza URL example /api/v1/providers
data (dict): dictionary object included as JSON in body of POST operation
params

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

dict: API response as dictionary

Perform Veza API PUT operation.

Call PUT on the supplied Veza instance API path, including the data payload.

Returns value or values response from API result. Paginated responses are automatically processed to collect all responses a single list.

Args:

api_path (str): API path relative to Veza URL example /api/v1/providers
data (dict): dictionary object included as JSON in body of PUT operation
params

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

dict: API response as dictionary

Create a new Data Source for the given Provider ID.

Args:

name (str): Name for new Data Source
provider_id (str): Unique identifier for the Provider
options: (dict, optional): Additional arguments to be included with data source create call to Veza. Defaults to None.

Raises:

ValueError: Data source name contains invalid characters

Returns:

dict: dictionary of new Data Source

Deprecated Legacy function for backward-compatibility.

Create a new Provider.

Creates a new Provider with the given name. An error will be raised for naming conflicts.

Args:

name (str): new Provider name
custom_template (str): the OAA template to use for the Provider ("application" or "identity_provider")
base64_icon

Raises:

ValueError: Provider name contains invalid characters

Returns:

dict: dictionary representing the created Provider

Create a new Assessment Query

For details on how to define an Assessment Query see the Veza docs.

Args:

query (dict): Query definition

Returns:

dict: API response including ID of created Query

Create a new Report

For details on how to define a new Report see the Veza docs.

Args:

report (dict): Report definition

Returns:

dict: API response including ID of created Report

Delete an existing Data Source by ID.

Removes a Data Source and all entity data.

Args:

data_source_id (str): ID of Data Source to delete
provider_id (str): ID of Data Source Provider

Returns:

dict: API response

Delete an existing provider by ID.

Deleting a provider removes all datasources and historical data. Fully deleting the provider is a background operation that will complete after API response is returned.

Args:

provider_id (str): ID of provider to delete

Returns:

dict: API response

Delete an Assessment Query by ID

Args:

id (str): UUID of Query to delete
force (bool): Force deletion of query that may be part of a report. Defaults to False

Returns:

dict: API response from delete

Delete Report by ID

Args:

id (str): UUID of Report to delete

Returns:

dict: API response

Get Provider's Data Source by name.

Find a Data Source from a specific provider based on the name of the Data Source

Args:

name (str): Data Source name
provider_id (str): Provider unique ID

Returns:

dict: Data Source as dict or None

Get Data Sources for Provider by ID.

Get the list of existing Data Sources, filtered by Provider UUID.

Args:

provider_id (str): ID of Provider

Returns:

list[dict]: List of Data Sources as dictionaries

Get Provider by name.

Args:

name (str): name of Provider

Returns:

dict: dictionary representing Provider or None

Get Provider by UUID identifier.

Args:

provider_id (str): Unique global identifier for provider

Returns:

dict: dictionary representation of Provider or None

Return list of Providers.

Returns:

list[dict]: Returns a list of existing Providers as dictionaries

Get all saved Assessment Queries

Veza can filter out queries that include inactive entity types (e.g. Okta Users on a system without Okta configured). To only retrieve queries that include active entity types set include_inactive_queries to False.

Args:

include_inactive_queries (bool): Set False to exclude inactive queries from result. Defaults to True.

Returns:

list: List of assessment Queries as dictionaries

Get Assessment Query by ID

Args:

id (str): UUID identifier for Query

Returns:

dict: Query definition

Get Report by ID

Veza can filter out queries from reports that only contain entity types that are not configured (e.g. Okta Users on a system without Okta configured). To only return queries configured on the report that match entity types configured on the system set include_inactive_queries to False

Args:

id (str): UUID of Report to get
include_inactive_queries (bool): Set True to include inactive queries. Default True.

Returns:

dict: Report definition

Get all Reports

Gets Reports created on the system. To get all reports include_inactive_reports and include_inactive_queries must be set to True.

Args:

include_inactive_reports (bool, Optional): Set to True to include reports that contain no active providers, defaults to True.
include_inactive_queries (bool, Optional): Set to True to include reports that contain only inactive queries, defaults to True.

Returns:

list[dict]: List of Reports as dictionary objects

Push an OAA Application Object (such as CustomApplication).

Extracts the OAA JSON payload from the supplied OAA class (e.g. CustomApplication, CustomIdPProvider, etc) and push to the supplied Data Source.

The Provider with provider_name must be a valid existing Provider or create_provider must be set to True. A new data source will be created automatically by default if it does not already exist.

For logging, and debugging, the optional save_json flag writes the payload to a local file (before push). Output file name is formatted with a timestamp: {data source name}-{%Y%m%d-%H%M%S}.json

Args:

provider_name (str): Name of an existing Provider.
data_source_name (str): Name for Data Source (will be created if it doesn't exist).
application_object (Class): OAA object to extract the payload from

Raises:

OAAClientError: If any API call returns an error (including errors processing the OAA payload).

Returns:

dict: API response from push, including any warnings that are returned.

Push an OAA payload dictionary to Veza.

Publishes the supplied metadata dictionary representing an OAA payload to the specified provider and data source. The function will create a new data source if it does not already exist, but requires the Provider be created ahead of time.

Args:

provider_name (str): Name of existing Provider
data_source_name (str): Name for Data Source, will be created if doesn't exist.
metadata (dict): Dictionary of OAA payload to push.

Raises:

OAAClientError: If any API call returns an error including errors processing the OAA payload.

Returns:

dict: API response to the push request (including any warnings).

Update an existing custom provider icon from base64 encoded string.

To load an icon from file, use utils.encode_icon_file to get the base64 encoding of the file first

Args:

provider_id (str): unique ID of existing provider
base64_icon (str): base64 encoded string of new icon

Raises:

ValueError: If icon size exceeds maximum allowed size

Update an existing report

Args:

report_id (str): UUID of Report to updated
report (dict): Updated Report definition

Returns:

dict: API response

Updates the User-Agent string passed with all API calls

Generates a User-Agent with the oaaclient version, Python version and platform information.

The optional extra string will be appended if provided.

Args:

extra (str, optional): Additional information to append to User-Agent string. Defaults to "".

Super class for urllib3.util.retry

Super class to allow modifying the default max backoff time from 120 seconds to our own value

Args:

Retry (type): description

Structures

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

`class` `CaseInsensitiveDict`

Case Insensitive Key Dictionary

Dictionary like object with case insensitive keys for types that support .lower() such as strings.

Keys do not have to be strings, in the case where the key type does not support .lower() such as integers the value is used as is.

Example: from oaaclient.structures import CaseInsensitiveDict >>> x = CaseInsensitiveDict() >>> x["User"] = "value" >>> x.get("user") 'value' >>> "USER" in x True >>> print(x) {'user': 'value'} >>> x CaseInsensitiveDict({'user': 'value'})

Utils

oaaclient utility functions.

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

helper functions commonly used by OAA integrations

function `log_arg_error`

log_arg_error(log: object, arg: str = None, env: str = None) → None

Helper function for logging errors when loading parameters

Helper function used to create consistent messages in connectors when required parameters can be set at command line or as environment variables.

Message can include information on parameter and/or environment variable but must provide one.

Args:

log (object): logging facility object to log to
arg (str, optional): Command line option for parameter such as --veza-url. Defaults to None.
env

Raises:

Exception: if neither arg or env are supplied

Load JSON from file

Args:

json_path (str): path to JSON file on disk

Raises:

Exception: Unable to process JSON
Exception: Error reading JSON file

Returns:

dict: JSON decoded to dictionary

read an icon file to a base64 encoded string

Args:

icon_path (str): Path to icon file on disk

Returns:

str: base64 encoding of file

Creates or updates a Veza report from a dictionary

Creates a report and containing queries from a dictionary definition. Function will create any queries it does not find based on name. If a query with the same name already exists the existing query will be added to the report.

If a report already exists with the same name any missing queries will be added to the report.

report_definition must be a dictionary with name for the report and queries list of Veza query definitions:

{"name": "My Report", "queries": [{..},{...}]}

Args:

veza_con (OAAClient): OAAClient connection to make Veza API calls
report_definition (dict): Report definition

Raises:

ValueError: Missing name or queries key

Returns:

dict: API response from Report creation or update

Helper function to truncate strings

Helper function to truncate strings to conform to maximum length requirements for templates.

Returns a string that is the first N bytes of the source string

Args:

source_str (str): Source string to truncate
length (int, optional): Length to shorten to. Defaults to 256.

Returns:

str: truncated string

Client

Classes for calling Veza APIs and managing OAA providers and data sources.

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

Global Variables

OAACLIENT_VERSION
PROVIDER_ICON_MAX_SIZE

Entry point for oaaclient-report-builder command

Reads a JSON file and passes it to the oaaclient.utils.build_report method

Error raised by OAAClient.

Raised for issues connecting to the OAA API and when the API returns an error.

Args:

error (str): short string for error message
message (str): detailed error message
status_code (int, optional): status code for HTTP related errors. Defaults to None.

Error returned from API Call

Error with API Connection

Class for OAA API Connection and Management.

Utilities for OAA-related operations with Veza API calls. Manages custom providers and data sources, and can push OAA payloads from JSON or template objects.

Args:

url (str, optional): URL for Veza instance.
api_key (str, optional): Veza API key.
username (str, optional): Not used (legacy). Defaults to None.

Attributes:

url (str): URL of the Veza instance to connect to
api_key (str): Veza API key
enable_compression

Raises:

OAAClientError: For errors connecting to API and if API returns errors

Add a Query to a Report

Adds a Query to an existing Report by ID

Args:

report_id (str): Report UUID to add Query to
query_id (str): Query UUID to add

Returns:

dict: API Response

Perform REST API DELETE operation.

Args:

api_path (str): API Path API path relative to Veza URL

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

dict: API response from call

Perform a Veza API GET operation.

Makes the GET API call to the given path and processes the API response. Returns the value or values result returned from the API.

For API endpoints that return a list like /api/v1/providers/custom function will return a list of entities or an empty list if the API returns no results.
For API endpoints that are a specific ID such as /api/v1/providers/custom/<uuid> function will return the dictionary result of the JSON returned by the API.

Args:

api_path (str): API path relative to Veza URL (example /api/v1/providers).

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

list|dict: Returns list or dict based on API destination

Perform REST API PATCH operation.

Args:

api_path (str): API Path API path relative to Veza URL

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

dict: API response from call

Perform a Veza API POST operation.

Call POST on the supplied Veza instance API path, submitting a data payload.

Returns value or values response from API result. Paginated responses are automatically processed to collect all responses a single list.

Args:

api_path (str): API path relative to Veza URL example /api/v1/providers
data (dict): dictionary object included as JSON in body of POST operation
params

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

dict: API response as dictionary

Perform Veza API PUT operation.

Call PUT on the supplied Veza instance API path, including the data payload.

Returns value or values response from API result. Paginated responses are automatically processed to collect all responses a single list.

Args:

api_path (str): API path relative to Veza URL example /api/v1/providers
data (dict): dictionary object included as JSON in body of PUT operation
params

Raises:

OAAResponseError: API returned an error
OAAConnectionError: Connection error during HTTP operation

Returns:

dict: API response as dictionary

Create a new Data Source for the given Provider ID.

Args:

name (str): Name for new Data Source
provider_id (str): Unique identifier for the Provider
options: (dict, optional): Additional arguments to be included with data source create call to Veza. Defaults to None.

Raises:

ValueError: Data source name contains invalid characters

Returns:

dict: dictionary of new Data Source

Deprecated Legacy function for backward-compatibility.

Create a new Provider.

Creates a new Provider with the given name. An error will be raised for naming conflicts.

Args:

name (str): new Provider name
custom_template (str): the OAA template to use for the Provider ("application" or "identity_provider")
base64_icon

Raises:

ValueError: Provider name contains invalid characters

Returns:

dict: dictionary representing the created Provider

Create a new Assessment Query

For details on how to define an Assessment Query see the Veza docs.

Args:

query (dict): Query definition

Returns:

dict: API response including ID of created Query

Create a new Report

For details on how to define a new Report see the Veza docs.

Args:

report (dict): Report definition

Returns:

dict: API response including ID of created Report

Delete an existing Data Source by ID.

Removes a Data Source and all entity data.

Args:

data_source_id (str): ID of Data Source to delete
provider_id (str): ID of Data Source Provider

Returns:

dict: API response

Delete an existing provider by ID.

Deleting a provider removes all datasources and historical data. Fully deleting the provider is a background operation that will complete after API response is returned.

Args:

provider_id (str): ID of provider to delete

Returns:

dict: API response

Delete an Assessment Query by ID

Args:

id (str): UUID of Query to delete
force (bool): Force deletion of query that may be part of a report. Defaults to False

Returns:

dict: API response from delete

Delete Report by ID

Args:

id (str): UUID of Report to delete

Returns:

dict: API response

Get Provider's Data Source by name.

Find a Data Source from a specific provider based on the name of the Data Source

Args:

name (str): Data Source name
provider_id (str): Provider unique ID

Returns:

dict: Data Source as dict or None

Get Data Sources for Provider by ID.

Get the list of existing Data Sources, filtered by Provider UUID.

Args:

provider_id (str): ID of Provider

Returns:

list[dict]: List of Data Sources as dictionaries

Get Provider by name.

Args:

name (str): name of Provider

Returns:

dict: dictionary representing Provider or None

Get Provider by UUID identifier.

Args:

provider_id (str): Unique global identifier for provider

Returns:

dict: dictionary representation of Provider or None

Return list of Providers.

Returns:

list[dict]: Returns a list of existing Providers as dictionaries

Get all saved Assessment Queries

Args:

include_inactive_queries (bool): Set False to exclude inactive queries from result. Defaults to True.

Returns:

list: List of assessment Queries as dictionaries

Get Assessment Query by ID

Args:

id (str): UUID identifier for Query

Returns:

dict: Query definition

Get Report by ID

Args:

id (str): UUID of Report to get
include_inactive_queries (bool): Set True to include inactive queries. Default True.

Returns:

dict: Report definition

Get all Reports

Gets Reports created on the system. To get all reports include_inactive_reports and include_inactive_queries must be set to True.

Args:

include_inactive_reports (bool, Optional): Set to True to include reports that contain no active providers, defaults to True.
include_inactive_queries (bool, Optional): Set to True to include reports that contain only inactive queries, defaults to True.

Returns:

list[dict]: List of Reports as dictionary objects

Push an OAA Application Object (such as CustomApplication).

Extracts the OAA JSON payload from the supplied OAA class (e.g. CustomApplication, CustomIdPProvider, etc) and push to the supplied Data Source.

For logging, and debugging, the optional save_json flag writes the payload to a local file (before push). Output file name is formatted with a timestamp: {data source name}-{%Y%m%d-%H%M%S}.json

Args:

provider_name (str): Name of an existing Provider.
data_source_name (str): Name for Data Source (will be created if it doesn't exist).
application_object (Class): OAA object to extract the payload from

Raises:

OAAClientError: If any API call returns an error (including errors processing the OAA payload).

Returns:

dict: API response from push, including any warnings that are returned.

Push an OAA payload dictionary to Veza.

Args:

provider_name (str): Name of existing Provider
data_source_name (str): Name for Data Source, will be created if doesn't exist.
metadata (dict): Dictionary of OAA payload to push.

Raises:

OAAClientError: If any API call returns an error including errors processing the OAA payload.

Returns:

dict: API response to the push request (including any warnings).

Update an existing custom provider icon from base64 encoded string.

To load an icon from file, use utils.encode_icon_file to get the base64 encoding of the file first

Args:

provider_id (str): unique ID of existing provider
base64_icon (str): base64 encoded string of new icon

Raises:

ValueError: If icon size exceeds maximum allowed size

Update an existing report

Args:

report_id (str): UUID of Report to updated
report (dict): Updated Report definition

Returns:

dict: API response

Updates the User-Agent string passed with all API calls

Generates a User-Agent with the oaaclient version, Python version and platform information.

The optional extra string will be appended if provided.

Args:

extra (str, optional): Additional information to append to User-Agent string. Defaults to "".

Super class for urllib3.util.retry

Super class to allow modifying the default max backoff time from 120 seconds to our own value

Args:

Retry (type): description

Templates

Classes for constructing an OAA JSON payload (Custom "Application" or "IdP").

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

Global Variables

PROPERTY_NAME_REGEX

`function` `append_helper`

append_helper(base, addition)

Helper function to simplify appending.

Handles multiple cases:

base is None: starts a list
addition is list: extends base with list
addition is anything else: append element to list

Args:

base (List or None): base list to append to, can be None
addition (*): What to append to the list

Returns:

list: will always return a list

Returns a list of unique strings from input list case insensitive

Returns the unique list of strings from input list in a case insensitive manner. For duplicate strings with different cast (e.g. "STRING" and "string") the case of the first occurrence is returned.

Args:

input (list): list of strings

Returns:

list: list of unique strings

General exception used for violations of the template schema.

Canonical permissions used by Veza Authorization Framework.

Used to describe the raw data or metadata permissions granted by CustomPermission

Types of identities for permission mapping.

Base class for CustomProvider.

Base class for CustomApplication.

Class for modeling application authorization using the OAA Application template.

CustomApplication class consists of identities, resources and permissions and produces the OAA JSON payload for the custom application template.

Class uses dictionaries to track most entities that can be referenced after creation. Dictionaries keys are case insensitive of the entity identifier (name or id). This applies to local_users, local_groups, local_roles, idp_identities, resources and custom_permissions.

Args:

name (str): Name of custom application
application_type (str): Searchable property, can be unique or shared across multiple applications
description (str, optional): Description for application. Defaults to None.

Attributes:

application_type (str): Searchable application type
custom_permissions (dict[OAAPermission]): Dictionary of class instances
description (str): Description for application

Legacy method for backwards compatibility.

.. deprecated:

Create an Access Credential

Access creds can be used to represent alternative access methods such as API keys or application integrations.

Access creds can be assigned roles and permissions similar to local users. Access credentials can exist independently for use cases such as administratively created integrations or can be assigned to a local user for use cases like personal access tokens.

Args:

unique_id (str): unique identifier for access cred
name (str): name for access cred

Raises:

OAATemplateException: Access credential with unique ID already exists

Returns:

AccessCred: New access cred

Create a new custom permission.

Creates a new CustomPermission object for the application that can be used to authorize identities to the application, resources/sub-resource or as part of a role.

Args:

name (str): Name of the permission
permissions (list[OAAPermission]): Canonical permissions the custom permission represents
apply_to_sub_resources

Returns: CustomPermission

Create an IdP principal identity.

IdP users and groups can be authorized directly to applications and resources by associating custom application permissions and roles with an IdP identity's name or email.

Args:

name (str): IdP unique identifier for user or group.

Returns: IdPIdentity

Create a new local group.

Groups can be associated to resources via permissions or roles. All users in the local group are granted the group's authorization.

Local groups will be identified by name by default, if unique_id is provided it will be used as the identifier instead

Local groups can be referenced after creation using .local_groups dictionary attribute. Dictionary is case insensitive keyed by unique_id or name if not using unique_id.

Args:

name (str): Display name for group
identities (list): List of IdP identities to associate group with.
unique_id

Returns: LocalGroup

Create a new local role.

A local role represents a collection of permissions.
Identities (local user, group, idp user) can be assigned a role to the application or resource, granting the role's permissions.
Local roles will be identified by name by default, if unique_id is provided it will be used as the identifier instead.

Args:

name (str): Display name for role
permissions (list): List of Custom Permission names to include in role. CustomPermission must be created separately.

Returns: LocalRole

Create a new local user for application.

Local users can be assigned to groups and associated with resources via permissions or roles. Groups and identities can be provided at creation or added later. See Identity and LocalUser class for operations.

Local users will be identified by name by default, if unique_id is provided it will be used as the identifier instead.

Local users can be referenced after creation using the .local_users dictionary attribute. Dictionary is case insensitivekeyed by unique_id or name if not using unique_id.

Use unique_id when name is not guaranteed to be unique. All permission, group and role assignments will be referenced by unique_id.

Args:

name (str): Display name for user
identities (list): List of identities as strings (usually email) for local user. Used to map local user to discovered IdP identities.
groups

Returns: LocalUser

Create a new resource under the application.

Resource type is used to group and filter application resources. It should be consistent for all common resources of an application.

Returns new resource object.

Resource is identified by name by default unless unique_id is provided. name must be unique if not using unique_id.

Resources can be referenced after creation using the .resources dictionary attribute. Dictionary is keyed by unique_id or name if not using unique_id. Use unique_id when name is not guaranteed to be unique.

Args:

name (str): Name of resources
resource_type (str): Type for resource
description (str, optional): Description of resources. Defaults to None.

Returns: CustomResource

Add a tag to the Application

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Return the 'applications' section of the payload as serializable dictionary.

Add a custom permission to the application.

.. deprecated: ``` See CustomApplication.add_custom_permission()

Collect authorizations for all identities into a single list.

Get the OAA payload.

Returns the complete OAA template payload for application as serializable dictionary

Returns:

dict: OAA payload as dictionary

Return the 'permissions' section of the payload as serializable dictionary.

Set a custom property value for the application.

Property name must be defined for CustomApplication before calling set_property. See example below and ApplicationPropertyDefinitions.define_application_property for more information on defining properties.

Args:

property_name (str): Name of property to set value for, property names must be defined as part of the application property_definitions
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none

Raises:

OAATemplateException: If property name is not defined

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_application_property(name="my_property", property_type=OAAPropertyType.STRING) >>> app.set_property("my_property", "property value")

Class for resources and sub-resources.

Should be used for representing components of the application to which authorization is granted. Each resource has a name and a type. The type can be used for grouping and filtering.

Arguments:

name (str): display name for resource, must be unique to parent application or resource unless using unique_id
resource_type (str): type for resource
description

Attributes:

name (str): display name for resource, must be unique to parent application or resource
unique_id (str): resource's unique identifier if provided.
resource_type

No longer supported, access should be added through identity (local_user, local_group, idp)

Add an external connection to the resource.

Used to add a relationship to another entity discovered by Veza such as a service account or AWS IAM role.

Args:

id (str): Unique identifier for connection entity
node_type (str): Veza type for connecting node

Create a new sub-resource under current resource

Args:

name (str): display name for resource
resource_type (str): type for resource
description (str, optional): String description. Defaults to None.

Returns: CustomResource

Add a new tag to resource.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Set the value for a custom property on a resource or sub-resource.

Property name must be defined for resource type before calling set_property(). See example below and ApplicationPropertyDefinitions.define_resource_property for more information on defining properties.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none

Raises:

OAATemplateException: If property_name is not defined

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_resource_property(resource_type="cog", name="my_property", property_type=OAAPropertyType.STRING) >>> cog1 = app.add_resource(name="cog1", resource_type="cog") >>> cog1.set_property("my_property", "this value")

Return the dictionary representation of resource.

Base class for deriving all identity types (should not be used directly).

Args:

name (str): name of identity
identity_type (OAAIdentityType): Veza Identity Type (local_user, local_group, idp)
unique_id (str, optional): ID of entity for reference by ID

Attributes:

name (str): name of identity
identity_type (OAAIdentityType): Veza Identity Type (local_user, local_group, idp)
application_permissions (list[CustomPermission]): List of permissions identity has directly to custom application

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment properties types must be defined on the application prior to setting.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

Set a custom defined property to a specific value on an identity.

Property name must be defined for identity type before calling set_property(). See example below for LocalUser and ApplicationPropertyDefinitions.define_local_user_property for more information on defining properties. Property must be defined for the correct Identity type (LocalUser or LocalGroup, IdPIdentity does not support custom properties).

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

OAATemplateException: If property with property_name is not defined.

Example:

app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_local_user_property(name="my_property", property_type=OAAPropertyType.STRING) >>> user1 = app.add_local_user(name="user1") >>> user1.set_property("my_property", "value for user1")

Enum for

LocalUser identity, derived from Identity base class.

Used to model an application user. Can be associated with an external IdP user, or represent a local account.

Args:

name (str): name of identity
identities (list): list of strings for IdP identity association
groups

Attributes:

name (str): name of identity
id (str): ID of entity for ID based reference
email (string): Users email address

Add access cred to user (access cred must be created separately)

Args:

access_cred (str): unique identifier of access cred

Add user to local group (group must be created separately).

Args:

group (str): identifier of local group

Add multiple identities to a local user from a list.

Args:

identities (list[str]): list of identities to add to user

Add an identity to user.

Identity should match the email address or another principal identifier for an IdP user (Okta, Azure, ect). Veza will create a connection from the application local user to IdP identity.

Args:

identity (str): email or identifier for IdP user

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

Set a custom defined property to a specific value on an identity.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

OAATemplateException: If property with property_name is not defined.

Example:

Output user to dictionary for payload.

LocalGroup identity.

Derived from Identity base class. Used to represent groups of local users for application.

Args:

name (str): name of group
identities (list): list of strings for IdP identity association
unique_id

Attributes:

name (str): name of identity
identities (list): list of strings for IdP identity association
groups

Add a nested group to local group (group must be created separately).

Args:

group (str): identifier of local group

Add an identity to group.

The email address or another valid identifier should match that of an IdP principal (Okta, Azure, ect). Veza will create a connection from the application local group to IdP identity.

Args:

identity (str): primary IdP identifier for group to associate

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

Set a custom defined property to a specific value on an identity.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

OAATemplateException: If property with property_name is not defined.

Example:

Output group to dictionary for payload.

IdP identity derived from Identity base class.

Used to associate IdP identities (users or groups) directly to resource where concept of local users/groups doesn't apply to application.

Args:

name (str): Primary IdP identifier for identity (email, group name, etc)

Attributes:

name (str): name of identity
identity_type (OAAIdentityType): Veza Identity Type, (idp)
application_permissions (list[CustomPermission]): permissions identity has directly to custom application

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

Set custom IdP property (no functionality).

IdP identities do not support custom properties since the identity is discovered through the provider (Okta, Azure, etc)

Access Credential derived from Identity base class.

Access Creds can be used to represent non-user based methods that grant access such as API keys or integrations.

AccessCreds can be assigned roles or permissions to an application or resource. An AccessCred can stand-alone or be associated to a local user.

Args:

unique_id (str): Unique identifier for access cred
name (str): Name for access cred, does not need to be unique

Attributes:

unique_id (str): Unique identifier for access cred
name (str): Name for access cred, does not need to be unique
is_active (bool): Indicate if credential is active, defaults to True

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application (bool): Apply permission to application when True, defaults to False

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

Set a custom defined property to a specific value on an access credential.

Property name must be defined for access credentials before calling set_property(). See example below and ApplicationPropertyDefinitions.define_access_cred_property for more information on defining properties.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none

Raises:

OAATemplateException: If property with property_name is not defined.

Example:

app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_access_cred_property(name="my_property", property_type=OAAPropertyType.STRING) >>> cred1 = app.add_access_cred(unique_id="cred001", name="Cred 001") >>> cred1.set_property("my_property", "value for cred001")

Output Access credential dictionary for payload

Represent a Custom Application Local Role.

Local Roles are a collection of permissions (as CustomPermission). Roles can be used to associate a local user, group or IdP identity to an application, resource or sub-resource.

Permissions can either be assigned at creation and/or added later.

If the CustomPermission definition includes resource types in the resource_types list, the permission will only be assigned to resources/sub-resources that match that type as part of an assignment.

Args:

name (str): name of local role
permissions (list[CustomPermission], optional): List of custom permission names (strings) to associate with the role. Defaults to empty list.
unique_id (string, optional): Unique identifier for role for identification by ID

Attributes:

name (str): name of local role
unique_id (str): Unique identifier for role for identification by ID
permissions (list[CustomPermission]): list of custom permission names (strings) to associate with the role

Add a permission to the role.

Args:

permissions (list): List of permission names (strings) to add to role

Add a nested sub-role to the role (nested role must be created separately)

Args:

role (str): identifier of the local role to nest inside this role

Add a new tag to role.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Set the value for custom property on a local role.

Property name must be defined for local roles before calling set_property(). See example below and ApplicationPropertyDefinitions.define_local_role_property for more information on defining properties.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none

Raises:

OAATemplateException: If property name is not defined.

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_local_role_property(name="my_property", property_type=OAAPropertyType.STRING) >>> role1 = app.add_local_role(name="role1") >>> role1.set_property(property_name="my_property", property_value="role1s value")

Convert role to dictionary for inclusion in JSON payload.

Returns:

dict: serializable dictionary of role

CustomPermission class for defining CustomApplication permissions.

Custom permissions represent the named permissions for the application in its terms (e.g. "Admin" or "PUSH") and define the Veza canonical mapping (e.g. DataRead, MetadataRead, DataWrite).
A permission can either be applied directly to an application or resource or assigned as part of a role.
Optionally, when permissions are used as part of a role, if the resource_types list is populated the permission will only be applied to resources who's type is in the resource_types

Args:

name (str): Display name for permission
permissions (list): List of OAAPermission enums that represent the canonical permissions
apply_to_sub_resources (bool, optional): If true, when permission is applied to the application or resource, identity also has permission to all children of application/resource. Defaults to

Attributes:

name (str): Display name for permission
permissions (list[OAAPermission]): List of OAAPermission enums that represent the canonical permissions
apply_to_sub_resources (bool): If true, when permission is applied to the application or resource, identity also has permission to all children of application/resource.

Add a resource type to the resource_types list.

Extends the list of resource types permission applies to when used in role assignment.

Args:

resource_type (str): The resource type string value

Returns dictionary representation for payload.

Supported types for custom properties on OAA entities such as application, resource, and identity.

Model for defining custom properties for application and its entities (users, groups, roles, resources).

Property definitions define the names for additional entity properties and the expected type.

Args:

application_type (str): type of custom application property definitions apply to

Attributes:

application_properties (dict): property definitions for application
local_user_properties (dict): property definitions for local users
local_group_properties (dict): property definitions for local groups

Define an access cred property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

Define an application property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

Define a local group property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

Define a local role property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

Define a local user property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

Define a property for a resource by type of resource.

Args:

resource_type (str): type of resource property definition is for
name (str): property name
property_type (OAAPropertyType): type for property

Return property definitions as dictionary ready for OAA payload

Check property name for valid characters

Raises an exception if the name string does not match required pattern. Name must start with a character and can only contain letters and _ character.

Args:

name (str): name of property to validate

Raises:

OAATemplateException: Name is not a string
OAATemplateException: Name contains invalid characters or does not start with a letter

Validate that a property name has been defined for given resource type.

Args:

property_name (str): name of property to validate
entity_type (str): type of entity custom property is for (application, local_user, local_group, local_role, resource)
resource_type (str): (optional) type for validating resource property names, only applicable to entity_type resource

Raises:

OAATemplateException: If property name has not been previously defined for entity

IdP entity types.

Veza supported IdP provider types.

CustomIdPProvider class for modeling Identity Providers (IdP) using OAA Custom Identity Provider Template.

CustomIdPProvider class consists of IdP domain information, user, group and external associations for identities like AWS Roles.

Classes uses dictionaries to track most components, dictionaries are all keyed by string of the entity name

Args:

name (str): Name of IdP
idp_type (str): Type descriptor for IdP, can be unique or share across multiple IdP e.g. ldap, IPA
domain (str): IdP domain name

Attributes:

name (str): Name of custom IdP
idp_type (str): Type for IdP
description (str): Description for IdP

summary

Args:

id (str): description
name (str): description

Raises:

Returns:

CustomIdPApp: description

Add group to IdP.

Arguments:

name (str): primary ID for group
full_name (str): optional display name for group
identity (str): optional unique identifier for group, if None name is used as identity

Add user to IdP

if no identity is set name will be used as identity

Arguments:

name (str): primary ID for user
full_name (str): optional full name for display
email (str): optional email for user

Returns: CustomIdPUser

Return formatted payload as dictionary for JSON conversion and upload

Domain model for Custom IdP provider.

Args:

name (str): domain name

Attributes:

name (str): domain name

Add a new tag to IdP Domain.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Set custom property value for domain.

Property name must be defined for domain before calling set_property(). See example below and IdPPropertyDefinitions.define_domain_property for more information.

Args:

property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_domain_property(name="my_property", property_type=OAAPropertyType.STRING) >>> idp.domain.set_property(property_name="my_property", property_value="domain property value")

Output function for payload.

User model for CustomIdPProvider.

Args:

name (str): username for identity
email (str): primary email for user
full_name (str): Display name for user

Attributes:

name (str): username for identity
email (str): primary email for user
full_name (str): display name for user

Create App assignment for user

Args:

id (str): ID of App assignment, must be unique for user
name (str): Name of assignment
app_id (str): App ID, must exist in list of Apps for IDP

Raises:

OAATemplateException: Duplicate assignment ID
OAATemplateException: Unknown assignment property name

Add AWS Roles to list of roles user can assume by ARN.

Args:

arns (list): list of role ARNs as strings that the user is allowed to assume

Add user to group(s) by group name

Args:

group_identities (list): list of strings for group identities to add user to

Add a new tag to IdP User.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Set custom property value for user.

Property name must be defined for users before calling set_property(). See example below and IdPPropertyDefinitions.define_user_property for more information.

Args:

property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_user_property(name="my_property", property_type=OAAPropertyType.STRING) >>> user1 = idp.add_user(name="User 1") >>> user1.set_property("my_property", "user1 value")

Set an source external identity for user.

source_identity will connect CustomIdP user to a Veza graph IdP user.
provider_type limits scope for finding matching IdP identities
search all providers with IdPProviderType.ANY.

Args:

identity (str): Unique Identity of the source identity
provider_type (IdPProviderType): Type for provider to match source identity from

Function to prepare user entity for payload

Group model for CustomIdPProvider.

Args:

name (str): name of group
full_name (str): optional full name for group
identity (str): optional identifier for group if name is not reference identifier

Parameters:

name (str): name of group
full_name (str): optional full name for group
identity (str): optional identifier for group, if None name is used as identity

Create App assignment for group

Args:

id (str): ID of App assignment, must be unique for group
name (str): Name of assignment
app_id (str): App ID, must exist in list of Apps for IDP

Raises:

OAATemplateException: Duplicate assignment ID
OAATemplateException: Unknown assignment property name

Add AWS Roles to list of roles group members can assume by ARN.

Args:

arns (list): list of role ARNs as strings that the group members are allowed to assume

Add group to group(s) by group name

Adds current group to another parent group by the group identifier

Args:

group_identities (list): list of strings for group identities to add group to

Add a new tag to IdP Group.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Set custom property value for group.

Property name must be defined for groups before calling set_property(). See example below and IdPPropertyDefinitions.define_group_property for more information.

Args:

property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_group_property(name="my_property", property_type=OAAPropertyType.STRING) >>> group1 = idp.add_group(name="Group 1") >>> group1.set_property("my_property", "group1 value")

Function to prepare user entity for payload.

App model for CustomIdPProvider

Args:

id (str): ID for App, must be unique
name (str): Name for App
property_definitions (IdPPropertyDefinitions, optional): Custom property definitions, required to set custom properties. Defaults to None.

Attributes:

id (str): ID for App, must be unique
name (str): Name for App
description (str): Description property for App

Add AWS Roles to list of roles App can assume by ARN. Any Users or Groups assigned to the App are represented as being able to assume the roles.

Args:

arns (list): list of role ARNs as strings that the user is allowed to assume

Add a new tag to IdP User.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

Set custom property value for app.

Property name must be defined for app before calling set_property(). See example below and IdPPropertyDefinitions.define_app_property for more information.

Args:

property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_app_property(name="my_property", property_type=OAAPropertyType.STRING) >>> app1 = idp.add_app(id="app1", ="App 1") >>> app1.set_property("my_property", "app1 value")

Model for defining custom properties for CustomIdPProvider and its entities (users, groups, domain).

Property definitions define the names for additional entity properties and the expected type.

Attributes:

domain_properties (dict): property definitions for IdP Domain
user_properties (dict): property definitions for IdP users
group_properties (dict): property definitions for IdP groups

Define an app assignment custom property

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

Define an app custom property

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

Define a domain custom property.

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

Define a group custom property.

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

Define a user custom property.

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

Returns custom IdP property definitions.

Validate that a property name has been defined for a given IdP entity.

Raises exception if property name has not been previously defined for entity

Args:

property_name (str): name of property to validate
entity_type (str): type of entity custom property is for (domain, users, groups)

Raises:

OAATemplateException: If property name is not defined

Veza Tag data model.

Args:

key (str): key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only.

Attributes:

key (str): key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str): Value for tag, will appear in Veza as key:value. Must be letters, numbers and the special characters @,._ only.

Class for modeling Human Resource Information Systems (HRIS) Template

HRIS template consists of base information about the HRIS instance, Employees and Groups.

Employees and Groups are tracked in case insensitive dictionaries that can be used to reference entities after creation.

Args:

name (str): Name for HRIS Instance
hris_type (str): Type for HRIS. Typically the vendor or product name.
url (str): Instance URL for HRIS.

Attributes:

employees (dict[string]): Dictionary of HRISEmployee instances keyed by Employee ID
groups (dict[string]): Dictionary of HRISGroup instances keyed by Group ID

Add a new Employee

Function creates a new HRISEmployee instance and adds it to the HRISProvider.employees keyed by the unique_id

Args:

unique_id (str): Unique Identifier for Employee
name (str): Display name for employee
employee_number (str): The employee's number that appears in the third-party integration.

Raises:

OAATemplateException: Employee with ID already exists

Returns:

HRISEmployee: Entity for new employee

Add a new Group

Used to represent any subset of employees, such as PayGroup or Team. Employees can be in multiple Groups. Groups can also be members of other groups to create hierarchy.

Some properties of HRISEmployee such as department must reference an existing HRISGroup by its ID.

Args:

unique_id (str): Unique ID for group
name (str): Display name
group_type (str): Type for group such as "Team", "Department", "Cost Center"

Returns:

HRISGroup: Entity for new group

Get the OAA payload.

Returns the complete OAA template payload for HRIS as serializable dictionary

Returns:

dict: OAA payload as dictionary

HRISSystem information

Representation for HRISSystem information. The system information is used to represent additional details for the HRIS Instance.

Args:

name (str): Name for system Instance
url (str, optional): URL for instance . Defaults to "". TODO: Is this right?

Link HRIS to External IdP of given type

Sets the IdP types (Okta, AzureAD, ect) for Veza to link employee identities too.

Args:

provider_type (IdPProviderType): Type of IdP for source identities

Raises:

ValueError: provider_type must be IdPProviderType enum

Returns:

list[IdPProviderType]: List of configured IdP types

HRIS Employee Entity

Represents an employee record in the HRIS system. Each employee must have a unique ID to identify it in the payload. This ID is also used to reference one employee to the other for manager hierarchy.

Init variables are all required and must not be empty such as ""

Args:

unique_id (str): Unique Identifier for Employee
name (str): Name for employee record.
employee_number (str): The employee's number that appears in the third-party integration.

Parameters:

company (str): The company (or subsidiary) the employee works for.
preferred_name (str): The employee's preferred first name.
display_full_name (str): The employee's full name, to use for display purposes.

Raises:

ValueError: Any of the required arguments are empty.

Add employee to group

Adds employee to a group by the group ID. Group must also be defined for HRISInstance with HRISProvider.add_group()

Args:

group_id (str): Unique ID of HRISGroup to add employee too

Add manager to Employee

Adds a manager to the employee by the manager's HRISEmployee instance unique ID. Manger employee record must also exist.

Args:

manager_id (str): Unique ID for manager HRISEmployee instance

Set Employee custom property value

Property name must be defined for employee before calling set_property

Args:

property_name (str): Name of property
property_value (any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Output employee to dictionary for payload.

HRIS Group

Represents any group of employees in the HRIS system. HRISGroups can be used to represent teams, departments, cost centers or any organizational unit. Each group has a type to make searching and grouping easier.

Group's Unique ID must be unique across all group types.

Args:

unique_id (str): Unique ID for group
name (str): Display name
group_type (str): Type for group such as "Team", "Department", "Cost Center"

Set HRIS Group custom property value

Property name must be defined for group before calling set_property

Args:

property_name (str): Name of property
property_value (any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Dictionary output for inclusion in payload

Check property name for valid characters

Raises an exception if the name string does not match required pattern. Name must start with a character and can only contain letters and _ character.

Args:

name (str): name of property to validate

Raises:

OAATemplateException: Name is not a string
OAATemplateException: Name contains invalid characters or does not start with a letter

OAA Python SDK

oaaclient modules

Modules

Client

Structures

class CaseInsensitiveDict

Utils

function log_arg_error

OAA Python SDK

Handling Errors

Additional documentation

oaaclient modules

Modules

Classes

Functions

Client

Utils

function log_arg_error

function report_builder_entrypoint

function main

class OAAClientError

method __init__

class OAAResponseError

method __init__

class OAAConnectionError

method __init__

class OAAClient

method __init__

method add_query_report

method api_delete

method api_get

method api_patch

method api_post

method api_put

method create_data_source

method create_datasource

method create_provider

method create_query

method create_report

method delete_data_source

method delete_provider

method delete_query

method delete_report

method get_data_source

method get_data_sources

method get_provider

method get_provider_by_id

method get_provider_list

method get_queries

method get_query_by_id

method get_report_by_id

method get_reports

method push_application

method push_metadata

method update_provider_icon

method update_report

method update_user_agent

class OAARetry

method __init__

function load_json_from_file

function encode_icon_file

function exists_in_query_array

function build_report

function truncate_string

Structures

class CaseInsensitiveDict

method __init__

Templates

function append_helper

function unique_strs

class OAATemplateException

method __init__

class OAAPermission

class OAAIdentityType

class Provider

method __init__

method serialize

class Application

method __init__

class CustomApplication

`class` `CaseInsensitiveDict`

function `log_arg_error`

function `log_arg_error`

`function` `report_builder_entrypoint`

`function` `main`

`class` `OAAClientError`

`method` `init`

`class` `OAAResponseError`

`method` `init`

`class` `OAAConnectionError`

`method` `init`

`class` `OAAClient`

`method` `init`

`method` `add_query_report`

`method` `api_delete`

`method` `api_get`

`method` `api_patch`

`method` `api_post`

`method` `api_put`

`method` `create_data_source`

`method` `create_datasource`

`method` `create_provider`

`method` `create_query`

`method` `create_report`

`method` `delete_data_source`

`method` `delete_provider`

`method` `delete_query`

`method` `delete_report`

`method` `get_data_source`

`method` `get_data_sources`

`method` `get_provider`

`method` `get_provider_by_id`

`method` `get_provider_list`

`method` `get_queries`

`method` `get_query_by_id`

`method` `get_report_by_id`

`method` `get_reports`

`method` `push_application`

`method` `push_metadata`

`method` `update_provider_icon`

`method` `update_report`

`method` `update_user_agent`

`class` `OAARetry`

`method` `init`

function `load_json_from_file`

function `encode_icon_file`

function `exists_in_query_array`

function `build_report`

function `truncate_string`

`class` `CaseInsensitiveDict`

`method` `init`

`function` `append_helper`

`function` `unique_strs`

`class` `OAATemplateException`

`method` `init`

`class` `OAAPermission`

`class` `OAAIdentityType`

`class` `Provider`

`method` `init`

`method` `serialize`

`class` `Application`

`method` `init`

`class` `CustomApplication`

`method` `init`

`method` `add_access`

`method` `add_custom_permission`

`method` `add_idp_identity`

`method` `add_local_group`

`method` `add_local_role`

`method` `add_local_user`

`method` `add_resource`

`method` `add_tag`

`method` `app_dict`

`method` `define_custom_permission`

`method` `get_payload`

`method` `permissions_dict`

`method` `set_property`

`class` `CustomResource`

`method` `init`

`method` `add_access`