This document provides a high-level overview and examples for getting started with a new OAA connector to integrate Veza with SaaS applications, infrastructure systems, custom-built applications, and other systems. These examples use Python and the oaaclient SDK.

When developing a connector, the source systems and customer needs can require changes to code flow for different deployment scenarios. The overall goals, best practices, and flow will apply for most integrations:

Code goals

The sample code was written with the following goals in mind:

• Connector should be easy to run from automation platforms and the command line.

  • Parameters are passed through environment variables as well as command line flags. This makes the code easier to package into containers or serverless stacks and control through outside configuration. Connectors by nature require secrets such as the Veza API key. Managing these through variables affords additional options for secrets management.

• Connectors do not require state:

High-level code flow

The exact flow of the connector can change to meet specific requirements, but the general steps are as follows:

1. Process and validate configuration parameters. Ensure you have supplied all necessary values such as host names, user names, and API keys.

2. Call the main run function with all the required and optional parameters.

3. Initialize the oaaclient connection to the Veza tenant. Initializing the client verifies that the Veza URL and API key are valid before starting any application discovery.

Implementing from the example

1. Update the Provider Name, App Type, and Application Name based on the source system. These values will typically be set to the product name. The data source name must be unique - check that an appropriate distinguishing value such as hostname is included in the data source name. For more information on naming, see

2. Define any needed in the __init__ method. Properties must be defined on the CustomApplication entities before setting them.

Code walkthrough for custom application

The code below can serve as a template and the comments explain the reasoning beyond the patterns.

Copyright 2023 Veza Technologies Inc.

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

class CaseInsensitiveDict

Case Insensitive Key Dictionary

Dictionary like object with case insensitive keys for types that support .lower() such as strings.

Keys do not have to be strings, in the case where the key type does not support .lower() such as integers the value is used as is.

Example: from oaaclient.structures import CaseInsensitiveDict >>> x = CaseInsensitiveDict() >>> x["User"] = "value" >>> x.get("user") 'value' >>> "USER" in x True >>> print(x) {'user': 'value'} >>> x CaseInsensitiveDict({'user': 'value'})

method __init__

The `oaaclient` package provides data models, methods and a command-line interface for using the Open Authorization API. You can use it to populate OAA templates including as Application, IdP, and HRIS, pushing OAA data to Veza and even as a general Veza API client.

The oaaclient SDK includes the following components:

• oaaclient.client: Veza API communication (data provider management, payload push, etc.). Requires an API key for authentication.

• oaaclient.templates: Classes for modeling and generating an OAA payload.

• oaaclient.utils

For example usage, please see and the directory.

Sample Workflow

Create the Veza API connection and a new custom application:

Once the CustomApplication class is instantiated, you can use the public methods to populate the new app with local users, groups, resources, and permissions metadata:

Once all identities, permissions and resources are added to the CustomApplication object, the client connection handles the final push to Veza:

See the directory for complete examples.

Handling Errors

The OAAClient class handles API connections to Veza. If there are errors connecting or the API returns errors OAAClient will raise an OAAClientError exception. If the payload doesn't conform to the template requirements the OAAClientError.details will contain a list of any issues encountered.

Additional documentation

Since any given source application or service will have different methods for retrieving entities, authorization, and other required metadata, each OAA connector will be slightly different. You should consult the API documentation for your application when considering how you will source the information, and refer to existing Veza-supported OAA connectors for real-world examples.

Connector source code and oaaclient are thoroughly annotated, for reference when building your own integrations.

For additional information about developing a custom OAA integration, please see section of the User Guide.

Modules

• client: Classes for calling Veza APIs and managing OAA providers and data sources.

• : Classes for constructing an OAA JSON payload (Custom "Application" or "IdP").

• : oaaclient utility functions.

Classes

• : OAA API Connection and Management.

• : Error raised by OAAClient.

• : Base class for CustomApplication.

Functions

• : Helper function to simplify appending.

• : Returns a list of unique strings from input list case insensitive

oaaclient utility functions.

Copyright 2022 Veza Technologies Inc.

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

helper functions commonly used by OAA integrations

function log_arg_error

Helper function for logging errors when loading parameters

Helper function used to create consistent messages in connectors when required parameters can be set at command line or as environment variables.

Message can include information on parameter and/or environment variable but must provide one.

Args:

• log (object): logging facility object to log to

• arg (str, optional): Command line option for parameter such as --veza-url. Defaults to None.

• env

Raises:

• Exception: if neither arg or env are supplied

function load_json_from_file

Load JSON from file

Args:

• json_path (str): path to JSON file on disk

Raises:

• Exception: Unable to process JSON

• Exception: Error reading JSON file

Returns:

• dict: JSON decoded to dictionary

function encode_icon_file

read an icon file to a base64 encoded string

Args:

• icon_path (str): Path to icon file on disk

Returns:

• str: base64 encoding of file

function exists_in_query_array

function build_report

Creates or updates a Veza report from a dictionary

Creates a report and containing queries from a dictionary definition. Function will create any queries it does not find based on name. If a query with the same name already exists the existing query will be added to the report.

If a report already exists with the same name any missing queries will be added to the report.

report_definition must be a dictionary with name for the report and queries list of Veza query definitions:

{"name": "My Report", "queries": [{..},{...}]}

Args:

• veza_con (OAAClient): OAAClient connection to make Veza API calls

• report_definition (dict): Report definition

Raises:

• ValueError: Missing name or queries key

Returns:

• dict: API response from Report creation or update

function truncate_string

Helper function to truncate strings

Helper function to truncate strings to conform to maximum length requirements for templates.

Returns a string that is the first N bytes of the source string

Args:

• source_str (str): Source string to truncate

• length (int, optional): Length to shorten to. Defaults to 256.

Returns:

• str: truncated string

Classes for calling Veza APIs and managing OAA providers and data sources.

Copyright 2022 Veza Technologies Inc.

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

Global Variables

• OAACLIENT_VERSION

Classes for constructing an OAA JSON payload (Custom "Application" or "IdP").

Copyright 2022 Veza Technologies Inc.

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

Global Variables

• PROPERTY_NAME_REGEX

function append_helper

Helper function to simplify appending.

Handles multiple cases:

• base is None: starts a list

• addition is list: extends base with list

• addition is anything else: append element to list

Args:

• base (List or None): base list to append to, can be None

• addition (*): What to append to the list

Returns:

• list: will always return a list

function unique_strs

Returns a list of unique strings from input list case insensitive

Returns the unique list of strings from input list in a case insensitive manner. For duplicate strings with different cast (e.g. "STRING" and "string") the case of the first occurrence is returned.

Args:

• input (list): list of strings

Returns:

• list: list of unique strings

class OAATemplateException

General exception used for violations of the template schema.

method __init__

class OAAPermission

Canonical permissions used by Veza Authorization Framework.

Used to describe the raw data or metadata permissions granted by CustomPermission

class OAAIdentityType

Types of identities for permission mapping.

class Provider

Base class for CustomProvider.

method __init__

method serialize

class Application

Base class for CustomApplication.

method __init__

class CustomApplication

Class for modeling application authorization using the OAA Application template.

CustomApplication class consists of identities, resources and permissions and produces the OAA JSON payload for the custom application template.

Class uses dictionaries to track most entities that can be referenced after creation. Dictionaries keys are case insensitive of the entity identifier (name or id). This applies to local_users, local_groups, local_roles, idp_identities, resources and custom_permissions.

Args:

• name (str): Name of custom application

• application_type (str): Searchable property, can be unique or shared across multiple applications

• description (str, optional): Description for application. Defaults to None.

Attributes:

• application_type (str): Searchable application type

• custom_permissions (dict[OAAPermission]): Dictionary of class instances

• description (str): Description for application

method __init__

method add_access

Legacy method for backwards compatibility.

.. deprecated:

Create an Access Credential

Access creds can be used to represent alternative access methods such as API keys or application integrations.

Access creds can be assigned roles and permissions similar to local users. Access credentials can exist independently for use cases such as administratively created integrations or can be assigned to a local user for use cases like personal access tokens.

Args:

• unique_id (str): unique identifier for access cred

• name (str): name for access cred

Raises:

• OAATemplateException: Access credential with unique ID already exists

Returns:

• AccessCred: New access cred

method add_custom_permission

Create a new custom permission.

Creates a new CustomPermission object for the application that can be used to authorize identities to the application, resources/sub-resource or as part of a role.

Args:

• name (str): Name of the permission

• permissions (list[OAAPermission]): Canonical permissions the custom permission represents

• apply_to_sub_resources

Returns: CustomPermission

method add_idp_identity

Create an IdP principal identity.

IdP users and groups can be authorized directly to applications and resources by associating custom application permissions and roles with an IdP identity's name or email.

Args:

• name (str): IdP unique identifier for user or group.

Returns: IdPIdentity

method add_local_group

Create a new local group.

Groups can be associated to resources via permissions or roles. All users in the local group are granted the group's authorization.

Local groups will be identified by name by default, if unique_id is provided it will be used as the identifier instead

Local groups can be referenced after creation using .local_groups dictionary attribute. Dictionary is case insensitive keyed by unique_id or name if not using unique_id.

Args:

• name (str): Display name for group

• identities (list): List of IdP identities to associate group with.

• unique_id

Returns: LocalGroup

method add_local_role

Create a new local role.

• A local role represents a collection of permissions.

• Identities (local user, group, idp user) can be assigned a role to the application or resource, granting the role's permissions.

• Local roles will be identified by name by default, if unique_id

Args:

• name (str): Display name for role

• permissions (list): List of Custom Permission names to include in role. CustomPermission must be created separately.

Returns: LocalRole

method add_local_user

Create a new local user for application.

Local users can be assigned to groups and associated with resources via permissions or roles. Groups and identities can be provided at creation or added later. See Identity and LocalUser class for operations.

Local users will be identified by name by default, if unique_id is provided it will be used as the identifier instead.

Local users can be referenced after creation using the .local_users dictionary attribute. Dictionary is case insensitivekeyed by unique_id or name if not using unique_id.

Use unique_id when name is not guaranteed to be unique. All permission, group and role assignments will be referenced by unique_id.

Args:

• name (str): Display name for user

• identities (list): List of identities as strings (usually email) for local user. Used to map local user to discovered IdP identities.

• groups

Returns: LocalUser

method add_resource

Create a new resource under the application.

Resource type is used to group and filter application resources. It should be consistent for all common resources of an application.

Returns new resource object.

Resource is identified by name by default unless unique_id is provided. name must be unique if not using unique_id.

Resources can be referenced after creation using the .resources dictionary attribute. Dictionary is keyed by unique_id or name if not using unique_id. Use unique_id when name is not guaranteed to be unique.

Args:

• name (str): Name of resources

• resource_type (str): Type for resource

• description

Returns: CustomResource

method add_tag

Add a tag to the Application

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method app_dict

Return the 'applications' section of the payload as serializable dictionary.

method define_custom_permission

Add a custom permission to the application.

.. deprecated: ``` See CustomApplication.add_custom_permission()

Collect authorizations for all identities into a single list.

method get_payload

Get the OAA payload.

Returns the complete OAA template payload for application as serializable dictionary

Returns:

• dict: OAA payload as dictionary

method permissions_dict

Return the 'permissions' section of the payload as serializable dictionary.

method set_property

Set a custom property value for the application.

Property name must be defined for CustomApplication before calling set_property. See example below and ApplicationPropertyDefinitions.define_application_property for more information on defining properties.

Args:

• property_name (str): Name of property to set value for, property names must be defined as part of the application property_definitions

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

• ignore_none

Raises:

• OAATemplateException: If property name is not defined

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_application_property(name="my_property", property_type=OAAPropertyType.STRING) >>> app.set_property("my_property", "property value")

class CustomResource

Class for resources and sub-resources.

Should be used for representing components of the application to which authorization is granted. Each resource has a name and a type. The type can be used for grouping and filtering.

Arguments:

• name (str): display name for resource, must be unique to parent application or resource unless using unique_id

• resource_type (str): type for resource

• description

Attributes:

• name (str): display name for resource, must be unique to parent application or resource

• unique_id (str): resource's unique identifier if provided.

• resource_type

method __init__

method add_access

No longer supported, access should be added through identity (local_user, local_group, idp)

method add_resource_connection

Add an external connection to the resource.

Used to add a relationship to another entity discovered by Veza such as a service account or AWS IAM role.

Args:

• id (str): Unique identifier for connection entity

• node_type (str): Veza type for connecting node

method add_sub_resource

Create a new sub-resource under current resource

Args:

• name (str): display name for resource

• resource_type (str): type for resource

• description

Returns: CustomResource

method add_tag

Add a new tag to resource.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method set_property

Set the value for a custom property on a resource or sub-resource.

Property name must be defined for resource type before calling set_property(). See example below and ApplicationPropertyDefinitions.define_resource_property for more information on defining properties.

Args:

• property_name (str): Name of property to set value for

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

• ignore_none

Raises:

• OAATemplateException: If property_name is not defined

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_resource_property(resource_type="cog", name="my_property", property_type=OAAPropertyType.STRING) >>> cog1 = app.add_resource(name="cog1", resource_type="cog") >>> cog1.set_property("my_property", "this value")

method to_dict

Return the dictionary representation of resource.

class Identity

Base class for deriving all identity types (should not be used directly).

Args:

• name (str): name of identity

• identity_type (OAAIdentityType): Veza Identity Type (local_user, local_group, idp)

• unique_id (str, optional): ID of entity for reference by ID

Attributes:

• name (str): name of identity

• identity_type (OAAIdentityType): Veza Identity Type (local_user, local_group, idp)

• application_permissions (list[CustomPermission]): List of permissions identity has directly to custom application

method __init__

method add_permission

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

• permissions ([str]): List of strings representing the permission names

• resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.

• apply_to_application

method add_role

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment properties types must be defined on the application prior to setting.

Args:

• role (str): Name of role as string

• resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.

• apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

method add_tag

Add a new tag to identity.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

• dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property

Set a custom defined property to a specific value on an identity.

Property name must be defined for identity type before calling set_property(). See example below for LocalUser and ApplicationPropertyDefinitions.define_local_user_property for more information on defining properties. Property must be defined for the correct Identity type (LocalUser or LocalGroup, IdPIdentity does not support custom properties).

Args:

• property_name (str): Name of property to set value for

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

• OAATemplateException: If property with property_name is not defined.

Example:

app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_local_user_property(name="my_property", property_type=OAAPropertyType.STRING) >>> user1 = app.add_local_user(name="user1") >>> user1.set_property("my_property", "value for user1")

class LocalUserType

Enum for

class LocalUser

LocalUser identity, derived from Identity base class.

Used to model an application user. Can be associated with an external IdP user, or represent a local account.

Args:

• name (str): name of identity

• identities (list): list of strings for IdP identity association

• groups

Attributes:

• name (str): name of identity

• id (str): ID of entity for ID based reference

• email

method __init__

method add_access_cred

Add access cred to user (access cred must be created separately)

Args:

• access_cred (str): unique identifier of access cred

method add_group

Add user to local group (group must be created separately).

Args:

• group (str): identifier of local group

method add_identities

Add multiple identities to a local user from a list.

Args:

• identities (list[str]): list of identities to add to user

method add_identity

Add an identity to user.

Identity should match the email address or another principal identifier for an IdP user (Okta, Azure, ect). Veza will create a connection from the application local user to IdP identity.

Args:

• identity (str): email or identifier for IdP user

method add_permission

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

• permissions ([str]): List of strings representing the permission names

• resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.

• apply_to_application

method add_role

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment properties types must be defined on the application prior to setting.

Args:

• role (str): Name of role as string

• resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.

• apply_to_application

method add_tag

Add a new tag to identity.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

• dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property

Set a custom defined property to a specific value on an identity.

Property name must be defined for identity type before calling set_property(). See example below for LocalUser and ApplicationPropertyDefinitions.define_local_user_property for more information on defining properties. Property must be defined for the correct Identity type (LocalUser or LocalGroup, IdPIdentity does not support custom properties).

Args:

• property_name (str): Name of property to set value for

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

• OAATemplateException: If property with property_name is not defined.

Example:

app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_local_user_property(name="my_property", property_type=OAAPropertyType.STRING) >>> user1 = app.add_local_user(name="user1") >>> user1.set_property("my_property", "value for user1")

method to_dict

Output user to dictionary for payload.

class LocalGroup

LocalGroup identity.

Derived from Identity base class. Used to represent groups of local users for application.

Args:

• name (str): name of group

• identities (list): list of strings for IdP identity association

• unique_id

Attributes:

• name (str): name of identity

• identities (list): list of strings for IdP identity association

• groups

method __init__

method add_group

Add a nested group to local group (group must be created separately).

Args:

• group (str): identifier of local group

method add_identity

Add an identity to group.

The email address or another valid identifier should match that of an IdP principal (Okta, Azure, ect). Veza will create a connection from the application local group to IdP identity.

Args:

• identity (str): primary IdP identifier for group to associate

method add_permission

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

• permissions ([str]): List of strings representing the permission names

• resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.

• apply_to_application

method add_role

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment properties types must be defined on the application prior to setting.

Args:

• role (str): Name of role as string

• resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.

• apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

method add_tag

Add a new tag to identity.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

• dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property

Set a custom defined property to a specific value on an identity.

Property name must be defined for identity type before calling set_property(). See example below for LocalUser and ApplicationPropertyDefinitions.define_local_user_property for more information on defining properties. Property must be defined for the correct Identity type (LocalUser or LocalGroup, IdPIdentity does not support custom properties).

Args:

• property_name (str): Name of property to set value for

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

• OAATemplateException: If property with property_name is not defined.

Example:

app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_local_user_property(name="my_property", property_type=OAAPropertyType.STRING) >>> user1 = app.add_local_user(name="user1") >>> user1.set_property("my_property", "value for user1")

method to_dict

Output group to dictionary for payload.

class IdPIdentity

IdP identity derived from Identity base class.

Used to associate IdP identities (users or groups) directly to resource where concept of local users/groups doesn't apply to application.

Args:

• name (str): Primary IdP identifier for identity (email, group name, etc)

Attributes:

• name (str): name of identity

• identity_type (OAAIdentityType): Veza Identity Type, (idp)

• application_permissions (list[CustomPermission]): permissions identity has directly to custom application

method __init__

method add_permission

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

• permissions ([str]): List of strings representing the permission names

• resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.

• apply_to_application

method add_role

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment properties types must be defined on the application prior to setting.

Args:

• role (str): Name of role as string

• resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.

• apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

method add_tag

Add a new tag to identity.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

• dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property

Set custom IdP property (no functionality).

IdP identities do not support custom properties since the identity is discovered through the provider (Okta, Azure, etc)

class AccessCred

Access Credential derived from Identity base class.

Access Creds can be used to represent non-user based methods that grant access such as API keys or integrations.

AccessCreds can be assigned roles or permissions to an application or resource. An AccessCred can stand-alone or be associated to a local user.

Args:

• unique_id (str): Unique identifier for access cred

• name (str): Name for access cred, does not need to be unique

Attributes:

• unique_id (str): Unique identifier for access cred

• name (str): Name for access cred, does not need to be unique

• is_active (bool): Indicate if credential is active, defaults to True

method __init__

method add_permission

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

• permissions ([str]): List of strings representing the permission names

• resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.

• apply_to_application

method add_role

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment properties types must be defined on the application prior to setting.

Args:

• role (str): Name of role as string

• resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.

• apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

method add_tag

Add a new tag to identity.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

• dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property

Set a custom defined property to a specific value on an access credential.

Property name must be defined for access credentials before calling set_property(). See example below and ApplicationPropertyDefinitions.define_access_cred_property for more information on defining properties.

Args:

• property_name (str): Name of property to set value for

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

• OAATemplateException: If property with property_name is not defined.

Example:

app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_access_cred_property(name="my_property", property_type=OAAPropertyType.STRING) >>> cred1 = app.add_access_cred(unique_id="cred001", name="Cred 001") >>> cred1.set_property("my_property", "value for cred001")

method to_dict

Output Access credential dictionary for payload

class LocalRole

Represent a Custom Application Local Role.

Local Roles are a collection of permissions (as CustomPermission). Roles can be used to associate a local user, group or IdP identity to an application, resource or sub-resource.

Permissions can either be assigned at creation and/or added later.

If the CustomPermission definition includes resource types in the resource_types list, the permission will only be assigned to resources/sub-resources that match that type as part of an assignment.

Args:

• name (str): name of local role

• permissions (list[CustomPermission], optional): List of custom permission names (strings) to associate with the role. Defaults to empty list.

• unique_id (string, optional): Unique identifier for role for identification by ID

Attributes:

• name (str): name of local role

• unique_id (str): Unique identifier for role for identification by ID

• permissions (list[CustomPermission]): list of custom permission names (strings) to associate with the role

method __init__

method add_permissions

Add a permission to the role.

Args:

• permissions (list): List of permission names (strings) to add to role

method add_role

Add a nested sub-role to the role (nested role must be created separately)

Args:

• role (str): identifier of the local role to nest inside this role

method add_tag

Add a new tag to role.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method set_property

Set the value for custom property on a local role.

Property name must be defined for local roles before calling set_property(). See example below and ApplicationPropertyDefinitions.define_local_role_property for more information on defining properties.

Args:

• property_name (str): Name of property to set value for

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

• ignore_none

Raises:

• OAATemplateException: If property name is not defined.

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_local_role_property(name="my_property", property_type=OAAPropertyType.STRING) >>> role1 = app.add_local_role(name="role1") >>> role1.set_property(property_name="my_property", property_value="role1s value")

method to_dict

Convert role to dictionary for inclusion in JSON payload.

Returns:

• dict: serializable dictionary of role

class CustomPermission

CustomPermission class for defining CustomApplication permissions.

• Custom permissions represent the named permissions for the application in its terms (e.g. "Admin" or "PUSH") and define the Veza canonical mapping (e.g. DataRead, MetadataRead, DataWrite).

• A permission can either be applied directly to an application or resource or assigned as part of a role.

• Optionally, when permissions are used as part of a role, if the resource_types list is populated the permission will only be applied to resources who's type is in the resource_types

Args:

• name (str): Display name for permission

• permissions (list): List of OAAPermission enums that represent the canonical permissions

• apply_to_sub_resources (bool, optional): If true, when permission is applied to the application or resource, identity also has permission to all children of application/resource. Defaults to

Attributes:

• name (str): Display name for permission

• permissions (list[OAAPermission]): List of OAAPermission enums that represent the canonical permissions

• apply_to_sub_resources (bool): If true, when permission is applied to the application or resource, identity also has permission to all children of application/resource.

method __init__

method add_resource_type

Add a resource type to the resource_types list.

Extends the list of resource types permission applies to when used in role assignment.

Args:

• resource_type (str): The resource type string value

method to_dict

Returns dictionary representation for payload.

class OAAPropertyType

Supported types for custom properties on OAA entities such as application, resource, and identity.

class ApplicationPropertyDefinitions

Model for defining custom properties for application and its entities (users, groups, roles, resources).

Property definitions define the names for additional entity properties and the expected type.

Args:

• application_type (str): type of custom application property definitions apply to

Attributes:

• application_properties (dict): property definitions for application

• local_user_properties (dict): property definitions for local users

• local_group_properties (dict): property definitions for local groups

method __init__

method define_access_cred_property

Define an access cred property.

Args:

• name (str): name for property

• property_type (OAAPropertyType): type for property

method define_application_property

Define an application property.

Args:

• name (str): name for property

• property_type (OAAPropertyType): type for property

method define_local_group_property

Define a local group property.

Args:

• name (str): name for property

• property_type (OAAPropertyType): type for property

method define_local_role_property

Define a local role property.

Args:

• name (str): name for property

• property_type (OAAPropertyType): type for property

method define_local_user_property

Define a local user property.

Args:

• name (str): name for property

• property_type (OAAPropertyType): type for property

method define_resource_property

Define a property for a resource by type of resource.

Args:

• resource_type (str): type of resource property definition is for

• name (str): property name

• property_type (OAAPropertyType): type for property

method define_role_assignment_property

method to_dict

Return property definitions as dictionary ready for OAA payload

method validate_name

Check property name for valid characters

Raises an exception if the name string does not match required pattern. Name must start with a character and can only contain letters and _ character.

Args:

• name (str): name of property to validate

Raises:

• OAATemplateException: Name is not a string

• OAATemplateException: Name contains invalid characters or does not start with a letter

method validate_property_name

Validate that a property name has been defined for given resource type.

Args:

• property_name (str): name of property to validate

• entity_type (str): type of entity custom property is for (application, local_user, local_group, local_role, resource)

• resource_type

Raises:

• OAATemplateException: If property name has not been previously defined for entity

class IdPEntityType

IdP entity types.

class IdPProviderType

Veza supported IdP provider types.

class CustomIdPProvider

CustomIdPProvider class for modeling Identity Providers (IdP) using OAA Custom Identity Provider Template.

CustomIdPProvider class consists of IdP domain information, user, group and external associations for identities like AWS Roles.

Classes uses dictionaries to track most components, dictionaries are all keyed by string of the entity name

Args:

• name (str): Name of IdP

• idp_type (str): Type descriptor for IdP, can be unique or share across multiple IdP e.g. ldap, IPA

• domain (str): IdP domain name

Attributes:

• name (str): Name of custom IdP

• idp_type (str): Type for IdP

• description (str): Description for IdP

method __init__

method add_app

summary

Args:

• id (str): description

• name (str): description

Raises:

Returns:

• CustomIdPApp: description

method add_group

Add group to IdP.

Arguments:

• name (str): primary ID for group

• full_name (str): optional display name for group

• identity (str): optional unique identifier for group, if None name is used as identity

method add_user

Add user to IdP

if no identity is set name will be used as identity

Arguments:

• name (str): primary ID for user

• full_name (str): optional full name for display

• email (str): optional email for user

Returns: CustomIdPUser

method get_payload

Return formatted payload as dictionary for JSON conversion and upload

class CustomIdPDomain

Domain model for Custom IdP provider.

Args:

• name (str): domain name

Attributes:

• name (str): domain name

method __init__

method add_tag

Add a new tag to IdP Domain.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method set_property

Set custom property value for domain.

Property name must be defined for domain before calling set_property(). See example below and IdPPropertyDefinitions.define_domain_property for more information.

Args:

• property_name (str): Name of property

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

• ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

• OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_domain_property(name="my_property", property_type=OAAPropertyType.STRING) >>> idp.domain.set_property(property_name="my_property", property_value="domain property value")

method to_dict

Output function for payload.

class CustomIdPUser

User model for CustomIdPProvider.

Args:

• name (str): username for identity

• email (str): primary email for user

• full_name (str): Display name for user

Attributes:

• name (str): username for identity

• email (str): primary email for user

• full_name (str): display name for user

method __init__

method add_app_assignment

Create App assignment for user

Args:

• id (str): ID of App assignment, must be unique for user

• name (str): Name of assignment

• app_id (str): App ID, must exist in list of Apps for IDP

Raises:

• OAATemplateException: Duplicate assignment ID

• OAATemplateException: Unknown assignment property name

method add_assumed_role_arns

Add AWS Roles to list of roles user can assume by ARN.

Args:

• arns (list): list of role ARNs as strings that the user is allowed to assume

method add_groups

Add user to group(s) by group name

Args:

• group_identities (list): list of strings for group identities to add user to

method add_tag

Add a new tag to IdP User.

Args:

• key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.

• value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method set_property

Set custom property value for user.

Property name must be defined for users before calling set_property(). See example below and IdPPropertyDefinitions.define_user_property for more information.

Args:

• property_name (str): Name of property

• property_value (Any): Value for property, type should match OAAPropertyType for property definition

• ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

• OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_user_property(name="my_property", property_type=OAAPropertyType.STRING) >>> user1 = idp.add_user(name="User 1") >>> user1.set_property("my_property", "user1 value")

method set_source_identity

Set an source external identity for user.

• source_identity will connect CustomIdP user to a Veza graph IdP user.

• provider_type limits scope for finding matching IdP identities

• search all providers with IdPProviderType.ANY

Args:

• identity (str): Unique Identity of the source identity

• provider_type (IdPProviderType): Type for provider to match source identity from

method to_dict

Function to prepare user entity for payload

class CustomIdPGroup

Group model for CustomIdPProvider.

Args:

• name (str): name of group

• full_name (str): optional full name for group

• identity (str): optional identifier for group if name is not reference identifier

Parameters:

• name (str): name of group

• full_name (str): optional full name for group

• identity (str): optional identifier for group, if None name is used as identity

method __init__

method add_app_assignment

Create App assignment for group

Args:

• id (str): ID of App assignment, must be unique for group

• name (str): Name of assignment

• app_id (str): App ID, must exist in list of Apps for IDP