1 of 24

Query APIs

Creating new queries, interacting with saved queries, and running query specs

The Query Builder APIs enable programmatic creation, execution, and management of assessment queries, using the Veza the Query Builder. You can use these operations to develop your own tools and integrate Veza search with external services and automation.

Queries created with these endpoints can define risks and have rules and alerts associated with them. Even if you and your team create and manage queries primarily from the user interface, this documentation may still be of interest for learning how queries are constructed and handled within Veza.

You can use these methods to:

List saved queries
Save a query
Get a saved query
Update a query
Delete a query
Get query destination nodes
Get query nodes
Get query result
Get query spec destination nodes
Get query spec nodes
Get query spec results

For more information about query options, see Query Builder Parameters.

Base URL

These endpoints are available under {{VezaURL}}/api/v1/. You must use the appropriate prefix when calling the API, for example:

curl -x GET 'https://your-org.vezacloud.com/api/v1/assessments/queries'

Authentication

You can create and manage API tokens for your user account from Administration > API Keys. Each API call must include the API key in the request header, passed as a bearer authentication token.

Getting started

The Usage Examples page consolidates some sample requests and responses.

An understanding of Veza's usage of graph terminology may be helpful. To learn more about the query object and options, see here. For more information about how to interpret the query response body, see Query Builder Results.

You can start working with pre-built and saved queries using the /assessments/queries endpoint. When you are ready to try running your own queries, see the /assessments/query_spec operations to run test queries without saving them.

Quick Start

API overview and sample queries

The Query Builder is fundamental to Rules and Risks, enabling external notifications and enhanced search visibility based on query constraints and conditions. When combined with Webhooks for remediation workflows, these can offer in-the-box tools to begin integrating Veza with external processes.

As Veza does not write changes to your environment, you can use the query builder API to build your own tools and integrate Veza with your internal systems and security processes.

For example, you might use Veza APIs to:

Programmatically detect and add Snowflake users to a role when another role already exists with the required permissions
Progressively query for data resources matching a naming pattern or other condition, and apply tags with the provider's built-in APIs
Discover and alter overly permissive policies granting access to sensitive data

Your Veza success team can offer additional support and access to development tools including a Python SDK. This guide covers some simple examples to help get started with custom queries, including links to additional documentation.

Authentication

To run the provided commands, you'll need to first generate a token from Administration > API Keys. You'll also need to know the base URL of your Veza deployment, such as your-org.veza.com.

Query specifications

You can validate that a query is functioning as intended before saving it with GetAssessmentQuerySpecResult, which will return the total number of entities in the search results.

GetAssessmentQuerySpecNodes returns a paginated list of query results, including entity details. This operation does not return a total count of results. A query spec does not require the full saved query parameters, and instead takes a condensed payload.

GetAssessmentQuerySpecDestinationNodes returns the related destination nodes for a single entity in the results of a saved query. This endpoint can be used, for example, to review the related roles for an individual user when the query specifies User > Role.

Sample Request

Post your request to /query_spec:nodes or /query_spec:result, depending on whether you need a list of the included nodes (including all entity properties), or want the full result count:

curl -X 'POST' "$VEZA_URL/api/v1/assessments/query_spec:nodes?page_token-page_size=1" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{
 "node_relationship_type": "EFFECTIVE_ACCESS",
 "query_type": "SOURCE_TO_DESTINATION",
 "include_nodes": true,
 "no_relation": false,
 "source_node_types": {
  "nodes": [
   {
    "node_type": "OktaUser",
    "condition_expression": {
     "specs": [
      {
       "id": "b952cf69-5e31-42e5-ae66-372a45b2045b",
       "property": "mfa_active",
       "fn": "EQ",
       "value": false,
       "not": false
      }
     ],
     "operator": "AND"
    }
   }
  ]
 },
 "destination_node_types": {
  "nodes": [
   {
    "node_type": "S3Bucket",
    "condition_expression": {
     "specs": [
      {
       "id": "b78d3e44-0272-4023-ba34-33abaf608e7e",
       "property": "block_public_acls",
       "fn": "EQ",
       "value": false,
       "not": false
      }
     ],
     "operator": "AND"
    }
   }
  ]
 }
}'

See Query Builder Parameters for more information about possible options.

Sample Response

The response always returns a value, next_page_token, and has_more. If more results are available, you can get the next page of results by passing the page_token in the request query.

The values array will contain the Individual entity details:

id

Unique Authorization Graph entity ID.

type

Type of entity.

destination_node_count

Number of related entities matching the query conditions.

permissions

For , the permissions the source entity has to a specific destination entity.

{
  "values": [
    {
      "id": "00upa6s0hSGtl1eGL5d5",
      "type": "OktaUser",
      "properties": {
        "created_at": "2020-11-12T20:56:34Z",
        "datasource_id": "dev-5150036.okta.com",
        "email": "[email protected]",
        "first_name": "Abel",
        "idp_unique_id": "[email protected]",
        "is_active": true,
        "last_name": "Maclead",
        "login": "[email protected]",
        "mfa_active": false,
        "name": "[email protected]",
        "provider_id": "dev-5150036.okta.com",
        "status": "STAGED",
        "updated_at": "2020-11-12T20:56:34Z"
      },
      "destination_node_count": 5,
      "permissions": [],
      "engagement_access_stats": null,
      "access_stats": null,
      "destination_node_ids": [],
      "risk_level": "WARNING",
      "raw_permissions": [],
      "effective_permissions": []
    }
  ],
  "path_values": [],
  "next_page_token": "eyJGaXJzdCI6eyJkdXBsaWNhdGlvbl9zY29wZV9pZCI6IjQwZjFlZGZiLWQ1Y2UtNGU4ZC1hNWVmLWY2MzhmMDgxYzMzYiIsImlkIjoiMDB1Nmg4cnI2dkFzSUJqMW41ZDciLCJsb3dlcl9uYW1lIjoiYWFyb24uYmluZm9yZEB2ZXphdGVzdC5jb20ifSwiTGFzdCI6eyJkdXBsaWNhdGlvbl9zY29wZV9pZCI6IjQwZjFlZGZiLWQ1Y2UtNGU4ZC1hNWVmLWY2MzhmMDgxYzMzYiIsImlkIjoiMDB1cGE2czBoU0d0bDFlR0w1ZDUiLCJsb3dlcl9uYW1lIjoiYWJlbF9tYWNsZWFkQGNvb2tpZWRlbW8ub25taWNyb3NvZnQuY29tIn19",
  "has_more": true
}

For more information, see Query Builder Results.

Get destination nodes

Use GetAssessmentQuerySpecDestinationNodes to find the related entities for an individual result for a query spec. Specify the source_node_id of the entity to get relationships for:

Sample Request

curl -X 'POST' "$VEZA_URL/api/v1/assessments/query_spec:destination_nodes?page_size=0&page_token=" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{
  "spec": {
 "node_relationship_type": "EFFECTIVE_ACCESS",
 "query_type": "SOURCE_TO_DESTINATION",
 "include_nodes": true,
 "no_relation": false,
 "source_node_types": {
  "nodes": [
   {
    "node_type": "OktaUser",
    "id": "StartNode",
    "condition_expression": {
     "specs": [
      {
       "id": "b952cf69-5e31-42e5-ae66-372a45b2045b",
       "property": "mfa_active",
       "fn": "EQ",
       "value": false,
       "not": false
      }
     ],
     "operator": "AND"
    }
   }
  ]
 },
 "destination_node_types": {
  "nodes": [
   {
    "node_type": "S3Bucket",
    "id": "EndNode",
    "condition_expression": {
     "specs": [
      {
       "id": "b78d3e44-0272-4023-ba34-33abaf608e7e",
       "property": "block_public_acls",
       "fn": "EQ",
       "value": false,
       "not": false
      }
     ],
     "operator": "AND"
    }
   }
  ]
 }
},
  "source_node_id": "00upa6s0hSGtl1eGL5d5"
}'

Sample response

{
  "values": [
    {
      "id": "arn:aws:s3:::cct-cct02-engineering",
      "type": "S3Bucket",
      "properties": {
        "allows_acls": true,
        "aws_account_id": "123456789012",
        "block_public_access_enabled": false,
        "block_public_acls": false,
        "block_public_policy": false,
        "created_at": "2021-03-18T08:26:23Z",
        "datasource_id": "123456789012:s3",
        "default_encryption_enabled": true,
        "default_retention_mode": "DISABLED",
        "has_public_policy": true,
        "hosts_website": false,
        "ignore_public_acls": false,
        "name": "cct-cct02-engineering",
        "object_lock_enabled": false,
        "object_ownership_controls": "ObjectWriter",
        "provider_id": "123456789012",
        "region": "us-east-2",
        "replication_rules_count": 0,
        "request_payer": "BucketOwner",
        "restrict_public_buckets": false,
        "server_access_logs_enabled": false
      },
      "destination_node_count": 0,
      "permissions": [
        {
          "id": "arn:aws:iam::123456789012:role/FederatedS3::eperm::123456789012/S3Bucket/affd3e3cd4f3d7f544628ecce27415ae13a984bb",
          "type": "AwsIamEffectivePermission",
          "properties": {
            "aws_account_id": "123456789012",
            "datasource_id": "123456789012::eperm::123456789012:s3",
            "name": "Read",
            "permissions": [
              "s3:GetObject",
              "s3:GetObjectVersion"
            ],
            "provider_id": "123456789012"
          },
          "destination_node_count": 0,
          "permissions": [],
          "engagement_access_stats": null,
          "access_stats": null,
          "destination_node_ids": [],
          "risk_level": "NONE",
          "raw_permissions": [],
          "effective_permissions": []
        },
        {
          "id": "arn:aws:iam::123456789012:role/FederatedRedshiftAndS3::eperm::123456789012/S3Bucket/affd3e3cd4f3d7f544628ecce27415ae13a984bb",
          "type": "AwsIamEffectivePermission",
          "properties": {
            "aws_account_id": "123456789012",
            "datasource_id": "123456789012::eperm::123456789012:s3",
            "name": "Read",
            "permissions": [
              "s3:GetObject",
              "s3:GetObjectVersion"
            ],
            "provider_id": "123456789012"
          },
          "destination_node_count": 0,
          "permissions": [],
          "engagement_access_stats": null,
          "access_stats": null,
          "destination_node_ids": [],
          "risk_level": "NONE",
          "raw_permissions": [],
          "effective_permissions": []
        }
      ],
      "engagement_access_stats": null,
      "access_stats": null,
      "destination_node_ids": [],
      "risk_level": "CRITICAL",
      "raw_permissions": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "effective_permissions": [
        "Read"
      ]
    }
  ],
  "path_values": [],
  "next_page_token": "",
  "has_more": false
}

Save a query

If you want to run the same query repeatedly, or enable Veza Rules or Risks based on the results, you can save it under /assessments/queries.

A saved query includes a name and description, along with any other query parameters.

Get saved query result count or entity details

Use the query ID to run a saved query. Just as for query_spec operations, you can request the paginated entity details or the result count, or get destination nodes for a result:

get query nodes

curl 'https://<baseUrl>/api/v1/assessments/queries/ab5b66df-6873-4e53-98e5-aa55b88c76bd:nodes?page_size=100' \
  -H 'authorization: <authToken>'

get query result

curl 'https://<baseUrl>/api/v1/assessments/queries/ab5b66df-6873-4e53-98e5-aa55b88c76bd:result' \
  -H 'authorization: Bearer <authToken>'

Responses will contain the node details or the total count, depending on the method used.

get query nodes

{
  "values": [
    {
      "id": "arn:aws:s3:::cct-cct01-finance",
      "type": "S3Bucket",
      "properties": {
        "block_public_acls": false,
        "name": "cct-cct01-finance"
      },
      "destination_node_count": 0,
      "permissions": []
    }
  ],
  "next_page_token": "MTAw",
  "has_more": false
}

get query result

{"result_type":"number","number_value":"1"}

Query Builder Terminology

Graph search concepts for working with the query builder

Entity (Node)

An entity, also referred to as a node, represents an authorization, data, or identity object discovered by Veza. It can be a concrete external named entity, such as AwsIamPolicy or OktaUser, or an edge aggregation node created by Veza for visualization and service purposes.

Entities, within the context of the Query Builder API, are the building blocks that represent various authorization, data, and identity objects discovered by Veza. They are used to construct queries, workflows, and Authorization Graph searches.

Entities encompass a wide range of elements, including identities, local users, data resources, identity domains, and IAM or RBAC elements such as security groups, policies, and roles.

When constructing queries, you will typically specify the source and destination entity types, such as Okta User to AWS S3 Bucket or Google User to Google Group, along with specific constraints on those entity types.

The Query Builder API offers top-level Entity Type Groupings such as User and Resource, providing an easy way to select and constrain all entities belonging to a particular supertype.

Entity Attribute

An entity attribute is a key-value pair associated with a specific entity type. These attributes carry rich metadata, enabling granular filters and search conditions.

Veza will add certain properties such as name, is human, or full admin during parsing. Other attributes such as mfa_enabled and is_encrypted can be directly ingested from the provider.

Entity Type

An entity type represents the final and precise specification of a node's category in an external system. Examples of external entity types include AwsIamUser, or S3Bucket.

Entity Type Grouping

An entity type grouping, or supertype, provides a top-level label to search for multiple entity types in a single query, such as User or Resource. Constraints can apply to an entity type grouping as if it were a single entity.

Supertypes are groupings of entities in the graph, allowing the specification of a "one of" style constraint among different concrete node types. A node type can be a member of one or more supertypes, and a supertype can contain concrete node types as well as other supertypes.

Effective and System Permissions

Raw or System permissions refer to individual privileges defined in the provider's internal terms, for example, AWS IAM s3:BucketDelete.

Effective Permissions represent the canonical C/R/U/D equivalents of system permissions. For example, MetadataWrite, DataRead, NonData.

Note: When filtering by permission, you must specify the type of permission. Effective and system permissions cannot both be specified for the same query. If a search does not involve privileged relationships to resources, the permissions filter has no effect (e.g., User->Policy search).

Query Builder Parameters

Options for saved and spec query requests

When calling query spec endpoints or saving a query, you will specify the search parameters in a JSON object in the request body. Saved queries and query specifications support a range of parameters and options, described in this document.

Queries begin with a source node type and optionally a destination node type. A simple query might show "all Okta users with relationships to S3 Buckets". A more advanced query will add additional constraints on entity attributes or tags, or filter on relationships to intermediate entities, such as a role, group, or local user.

Most requests will return entities of the source node type. Use GetAssessmentQuerySpecDestinationNodes or GetAssessmentQueryDestinationNodes to return related entities for an individual source entity in a query result.

As the Veza Query Builder uses these APIs, you can preview different sample requests and responses by constructing queries from the web interface, opening the Save dropdown menu, and choosing View Query Spec API.

Query parameters

Field

Type

Notes

all_entity_condition

object

A constraint to apply on all entities that happen to be a part of the query result (specified or not)

analysis_type

string

For built-in queries, indicates where the query originated (Query Builder or the Analysis page). Values can be UNSET USER GROUP ROLE or SEPARATION_OF_DUTY

avoided_intermediate_node_types

Any entity types that cannot exist in the path between the query source and destination.

description

string

A description of the assessment query, shown in the query details.

destination_node_types

If specified, results only include entities with a relationship to the destination node type.

effective_permissions

Effective permissions to search, and operator to use.

labels

array of strings

List of assessment labels for categorization in reports.

name

string

The name of the assessment query, shown in the Veza UI.

no_relation

boolean

deprecated (use relates_to_exp)

node_relationship_type

string

Query mode EFFECTIVE_ACCESS (default) or CONFIGURED.

query_type

string

always use SOURCE_TO_DESTINATION

raw_permissions

If specified, only return results that have the listed raw permissions.

relates_to_exp

object

Specify related note constraints

required_intermediate_node_types

Specifies requirements for the path connecting the source and destination nodes.

risk_level

string

Sets whether results are marked as risks based on the risk level: NONE (default), WARNING, or CRITICAL

risk_suppressed_constraints

object

Adds a risk exception for nodes matching the specification.

source_node_types

The source node type to return as results for SOURCE_TO_DESTINATION queries (for example AwsIamUser). Required to have only 1.

violation

boolean

Deprecated, use risk_level instead

visibility

string

Sets whether a query is public or visible only to owners. PUBLIC (default) or PRIVATE

include_nodes

boolean

When true, only return a result count.

NodeSpecCollection

A collection of node specifications, defining constraints or other query parameters on each entity type.

You can query for a single principal or resource by filtering on node ID.

Field

Type

Notes

nodes

node spec array

Contains an object for each node type

nodes_operator

string

Sets whether all or any of the node conditions must be true (AND(default), OR).

NodeSpec

Contains the type, tags, and conditions applied to a node, narrowing the focus of the query.

Note that you can add conditions and tags to either the source node type or the destination.

Field

Type

Notes

condition_expression

object

Logical tree of constraints to apply

conditions

array

Deprecated, use condition_expression

count_conditions

array

Count condition functions and values. count_conditions are only accepted in assessment queries, when the node spec defines destination_node_types.

direct_relationship_only

boolean

When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types with self-referential edges. Cannot be used with labels.

excluded_tags

array

tags to exclude from results.

node_id

string

For specifying an individual entity, a single graph entity ID

node_type

string

Concrete node type (e.g. AwsIamUser) or node label (e.g. User)

node_type_grouping_constraint

object

Contains an operator and list of node types to include or exclude

tags

array

tags to require, specified with key value pairs.

NodeTypeGroupingConstraint

Query specs support supertypes with constraints. They can specified in the same way as concrete node types. node_type_grouping_constraint can be used to limit the concrete node type set belonging to the specified super type, with possible constraint type values EXCLUDE or INCLUDE. Example spec:

{
    "node_relationship_type": "EFFECTIVE_ACCESS",
    "query_type": "SOURCE_TO_DESTINATION",
    "include_nodes": true,
    "source_node_types": {
        "nodes": [
            {
                "node_type": "User",
                "node_type_grouping_constraint" :{
                    "constraint_type" : "INCLUDE",
                    "node_types" : ["CustomIDPUser", "OktaUser"]
                }
            }
        ]
    },
    "destination_node_types": {
        "nodes": [
            {
                "node_type": "S3Bucket"
            }
        ]
    }
}

ConditionExpression

Additional constraints can be applied using a node condition_expression. Conditions specified within the expression can target node attributes such as name, date created, or any other properties Veza has discovered.

Conditions can always apply to source and destination node types. Conditions can only apply to intermediate node types when the query defines required_intermediate_node_types.

Conditions have a function (fn). Valid operators are:

EQ: 'Equals',
LT: 'Less Than',
LTE: 'Less Than or Equal',
GT: 'Greater Than',
GTE: 'Greater Than or Equal',
LIST_CONTAINS: 'List Contains',
IN: 'In',
STARTS_WITH: 'Starts With',
CONTAINS: 'Contains',
ENDS_WITH: 'Ends With',
EXISTS: 'Exists',
REGEX: 'Matches Regular Expression',

Date-based operators can be:

LT: 'Not in the Last', LTE: 'Before', GT: 'In the Last', GTE: 'After', EQ: 'At',

For example:

{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AwsIamUser",
        "condition_expression": {
          "operator": "AND",
          "specs": [
            {
              "fn": "LTE",
              "property": "last_used_at",
              "value": "2022-01-02T17:59:59.494Z"
            },
            {
              "fn": "GTE",
              "property": "last_used_at",
              "value": "2022-01-01T06:00:00.494Z"
            }
          ]
        }
      }
    ]
  }
}

The condition value can be true, false, a number, an RFC3339 timestamp, or a string. For example, to find S3 Bucket destinations where public ACLs haven't been blocked:

{
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "S3Bucket",
        "condition_expression": {
          "specs": [
            {
              "fn": "EQ",
              "property": "block_public_acls",
              "value": false,
              "not": false
            }
          ]
        }
      }
    ]
  }
}

Conditions can also contain a string-typed value. For example, to find all Okta users with the prefix "sa-":

{
  "node_type": "OktaUser",
  "condition_expression": {
    "specs": [
      {
        "fn": "STARTS_WITH",
        "property": "name",
        "value": "sa-",
        "not": false
      }
    ]
  }
}

Note that you can specify nodes where the condition doesn't apply by setting "not": true for the constraint.

There can also be a not on the whole expression:

"condition_expression": {
  "operator": "OR",
  "not": true,
  "specs": [
    {
      "not": true,
      "fn": "EQ",
      ..
    },
    ..
  ]
}

You can get all the properties available for different node types (which vary depending on the provider and service) by searching for the entities in Authorization Graph and viewing the node details.

No relation

Enable no_relation to only return nodes without a relationship to the destination node types. For example, to show Microsoft Azure AD users that do not belong to the group "Alabama":

{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AzureADUser"
      }
    ]
  },
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "AzureADGroup",
        "condition_expression": {
          "specs": [
            {
              "fn": "EQ",
              "property": "name",
              "stringValue": "Alabama"
            }
          ]
        }
      }
    ]
  },
  "no_relation": true,
  "include_nodes": true
}

Avoids intermediate node types

You may want to query for entities that have direct access to a resource, without a specific intermediate relationship. For example, you can query for IAM users whose resource access does not also involve a role.

To query for relationships that do not include a specific node type in the authorization path, specify an exclusion in the avoids_intermediate_node_types object:

...
"no_relation": false,
"avoids_intermediate_node_types": {
  "nodes": [
    {
      "node_type": "AwsIamRole"
    }
  ]
}

Query type

Query Type

Description

SYSTEM_CREATED

Used for pre-built system queries.

SOURCE_TO_DESTINATION

The search will return entities of the source node type with a relationship to the destination entity type.

DESTINATION_NODES

Return the destination nodes, instead of source nodes (deprecated, use query_spec:destination_nodes).

Permissions

To return only entities with one or more permissions to a resource, you can list either system or effective permissions, with an AND or OR operator.

RawPermissionCollection

"Raw" or "System" permissions describe privileges using the service providers terms, for example s3:PutBucketAcl.

Field

Type

Notes

values

string

String list of raw permission names

operator

string

AND, OR (default AND)

You can review all the possible permissions Veza has discovered for an entity by selecting it as a related entity in a Query Builder search. The "Permissions" dropdown menu will include all effective and raw permissions for the resource type.

EffectivePermissionCollection

Field

Type

Notes

values

string

Effective permissions can be METADATA_WRITE, METADATA_READ, METADATA_CREATE, METADATA_DELETE, DATA_READ, DATA_WRITE, DATA_CREATE, DATA_DELETE, NON_DATA ] (default METADATA_WRITE)

operator

string

AND, OR (default AND)

Effective permissions are an abstraction of an entity's authorization to a resource. When discovering authorization metadata for a connected provider, Veza maps each raw permission a principal has on a resource to the corresponding canonical permission, and calculates the cumulative effective permissions.

RelatesToExp

Queries constructed using the v1 API and the Segregation of Duty page can use "relates to" expressions to get results based on relationships to more than one related entity types, with AND | OR logic. For example: Show all users that are in Group A and Group B, or Show users that are in Group X and have Role Y.

RelatesToExp Evaluation

For E = { specs: [A, B, ...], child_expressions: [X, Y, ...], operator, not }

"source has a path to E" is defined as:
If operator is AND (default): "source has a path to ALL of (A,B, ..., X, Y, ...)"
If operator is OR: "source has a path to ANY of (A,B, ..., X, Y, ...)"
If not = true, boolean invert the result above

RelatesToExp Field Specifications

and_op_type: AndOperatorType (INFERRED [default], SOURCE_INTERSECT, PAIR_INTERSECT)
child_expressions: RelatesToExpressions Array
not: Boolean flag applied to specs and child_expressions
operator: Operator (AND [default], OR)
specs: RelatesToSpec array specifying node types and conditions

AndOperatorType

INFERRED (default): Replaced with SOURCE_INTERSECT or PAIR_INTERSECT based on query execution context.
SOURCE_INTERSECT: Intersection based on source node.
PAIR_INTERSECT: Intersection based on pairs of nodes.

Given the following graph relationship:

U1 -- P1 -- R1
    /
U2 -- P2 -- R2

U1 and U2 are entity type U, and R1 and R2 are entity type R. Here U2 is in the result of U-> (P1->R AND P2->R) with SOURCE_INTERSECT. With PAIR_INTERSECT, U2 is not in the result because neither R1 or R2 matches both U->P1->R and U->P2->R.

If we change the graph to have R1 match both U->P1->R and U->P2->R:

U1 -- P1 -- R1
    /     /
U2 -- P2 -

Now U2 is in the result of the same query with PAIR_INTERSECT. PAIR_INTERSECT makes more sense for queries like “users have permission A && B to database” when the meaning is “permission A && B to the same database”

AndOperatorType defaults:

INFERRED will be replaced with one of SOURCE_INTERSECT or PAIR_INTERSECT when executing the query.
INFERRED is replaced with PAIR_INTERSECT only if:
- The query doesn't have RelatesToExpression.Not == true in any child expressions, and
- All operands of the AND have the same sole node type, and
- All operands of the AND don't include conflicting "equal to" conditions on unique property (id and name)
Otherwise INFERRED is replaced with SOURCE_INTERSECT

RelatesToSpec

A RelatesToSpec represents a precise path definition:

source has a path to any node spec in node_types
- direction determines the direction of the path
the path has all required_intermediate_node_types
the path has none of avoided_intermediate_node_types
all or any of raw_permissions appear on the path, depending on raw_permissions.operator
all or any of effective_permissions appear on the path, effective_permissions on raw_permissions.operator
if no_relation=true, it instead means such a path does not exist

Field

Type

Description

avoided_intermediate_node_types

object

direction

string

RelatesToDirection

effective_permissions

object

no_relation

boolean

node_types

object

raw_permissions

object

A collection of raw permission names

required_intermediate_node_types

object

RelatesToDirection can be:

ANY_DIRECTION : Direction to be chosen by the API. Paths of any direction is accepted by the caller.
SINGLE_DIRECTIONAL: Direction to be chosen by the API if there is only one valid direction. Otherwise this input is invalid.
OUTGOING: Only accept result for paths of ( -> ...). This input is invalid if there is no such a path in schema.
INCOMING: Only accept result for paths of (... -> ). This input is invalid if there is no such a path in schema.

RiskSuppressedConstraintsCollection

NodeSpec define conditions on entity types to mark exceptions for queries with a risk level.

Query Builder Results

Examples and descriptions for query builder responses

Depending on the request, query results can be returned as a collection of entities (nodes), a numeric value, or a timestamp.

Requesting a query result will return the result value, which can be a total number of results, the node details, or a timestamp. To return a paginated list of node details instead, use Get Query Nodes.

Sample Response: Get Nodes

{
    "nodes_value": [
      {
        "id": "00upa6s0hSGtl1eGL5d5",
        "type": "OktaUser",
        "properties": {
          "created_at": "2020-11-12T20:56:34Z",
          "email": "[email protected]",
          "is_active": false,
          "login": "[email protected]",
          "name": "[email protected]",
          "status": "STAGED",
          "updated_at": "2020-11-12T20:56:34Z"
        },
        "destination_node_count": 0,
        "permissions": []
      }
    ]
}

Sample Response: Get Result

{
  "result_type": "string",
  "number_value": "string",
  "timestamp_value": "string",
  "nodes_value": {
    "values": [
      {
        "id": "string",
        "type": "string",
        "properties": {},
        "destination_node_count": 0,
        "permissions": [
          "string"
        ]
      }
    ],
    "next_page_token": "string",
    "has_more": true
  }
}

Field

Type

Description

result_type

string

Indicates whether the query returns nodes details, node count, or timestamp.

nodes_value

array

Contains node details (see below)

number_value

string

The count of nodes in the query results.

timestamp_value

string

Not currently supported

result_node_type

string

The type of nodes returned in the search results.

next_page_token

string

Pagination token

has_more

boolean

Indicates if more results are available

Node details

The node values contain individual entity details, including any properties Veza has discovered such as manager or date_created:

{
  "values": [
    {
      "id": "string",
      "type": "string",
      "properties": {},
      "destination_node_count": 0,
      "permissions": [
        "string"
      ]
    }
  ],
  "next_page_token": "string",
  "has_more": true
}

Field

Type

Description

id

string

The node's UUID in the Veza data catalog

type

string

The node type.

properties

dict

List of any entity properties, as key:value pairs

destination_node_count

int

For DESTINATION_NODES queries, the number of connected nodes.

permissions

array

The permissions a source node has to the destination resource.

List saved queries

ListAssessmentQueries retrieves a list of all built-in and user-created queries.

By default, this endpoint returns only the queries that are currently enabled. When the risks_only parameter is set to true, it will only return queries with a risk level.

Sample request

curl -X 'GET' \
"$BASE_URL/api/v1/assessments/queries?page_size=1&risks_only=true&filter=name+co+%22User%22" \
-H "authorization: Bearer $VEZA_TOKEN"

Sample response:

{
  "values": [
    {
      "id": "95ccaca3-c9f6-4711-9219-887e5c102701",
      "name": "AWS IAM Groups with iam:CreateAccessKey permission",
      "description": "AWS IAM Groups with iam:CreateAccessKey permission",
      "result_type": "NUMBER",
      "query_type": "SYSTEM_CREATED",
      "raw_permissions": {
        "values": [],
        "operator": "AND"
      },
      "effective_permissions": {
        "values": [],
        "operator": "AND"
      },
      "variables": [
        "AWS_ACCOUNT_LIST"
      ],
      "source_node_types": {
        "nodes": [
          {
            "node_type": "AwsIamGroup",
            "tags": [],
            "conditions": [],
            "condition_expression": {
              "specs": [
                {
                  "fn": "IN",
                  "property": "aws_account_id",
                  "value": [
                    "527398259632",
                    "877042069677",
                    "340069577982",
                    "241721837758",
                    "998048473876",
                    "973979857296"
                  ],
                  "not": false,
                  "value_property_name": "",
                  "value_property_from_other_node": false
                }
              ],
              "child_expressions": [],
              "operator": "AND",
              "not": false
            },
            "node_id": "",
            "excluded_tags": [],
            "count_conditions": [],
            "direct_relationship_only": false,
            "node_type_grouping_constraint": null
          }
        ],
        "nodes_operator": "AND"
      },
      "required_intermediate_node_types": {
        "nodes": [],
        "nodes_operator": "AND"
      },
      "avoided_intermediate_node_types": {
        "nodes": [],
        "nodes_operator": "AND"
      },
      "destination_node_types": {
        "nodes": [],
        "nodes_operator": "AND"
      },
      "no_relation": false,
      "access_filter": null,
      "created_by": "",
      "visibility": "PUBLIC",
      "owners": [],
      "node_relationship_type": "CONFIGURED",
      "integration_types": [
        "aws"
      ],
      "labels": [],
      "created_at": "2023-02-01T04:32:18.126875729Z",
      "updated_at": "2023-04-07T16:00:52.761867936Z",
      "source_type": "AwsIamGroup",
      "destination_types": [],
      "relates_to_exp": {
        "specs": [
          {
            "node_types": {
              "nodes": [
                {
                  "node_type": "AwsIamGroupedPermission",
                  "tags": [],
                  "conditions": [],
                  "condition_expression": {
                    "specs": [
                      {
                        "fn": "LIST_CONTAINS",
                        "property": "permissions",
                        "value": "iam:CreateAccessKey",
                        "not": false,
                        "value_property_name": "",
                        "value_property_from_other_node": false
                      },
                      {
                        "fn": "EXISTS",
                        "property": "deny",
                        "value": null,
                        "not": true,
                        "value_property_name": "",
                        "value_property_from_other_node": false
                      }
                    ],
                    "child_expressions": [],
                    "operator": "AND",
                    "not": false
                  },
                  "node_id": "",
                  "excluded_tags": [],
                  "count_conditions": [],
                  "direct_relationship_only": false,
                  "node_type_grouping_constraint": null
                }
              ],
              "nodes_operator": "AND"
            },
            "required_intermediate_node_types": null,
            "avoided_intermediate_node_types": null,
            "raw_permissions": null,
            "effective_permissions": null,
            "no_relation": false,
            "direction": "ANY_DIRECTION"
          }
        ],
        "child_expressions": [],
        "operator": "AND",
        "not": false,
        "and_op_type": "INFERRED"
      },
      "all_entity_condition": {
        "specs": [],
        "child_expressions": [],
        "operator": "AND",
        "not": false
      },
      "risk_level": "WARNING",
      "risk_suppressed_constraints": null,
      "analysis_type": "UNSET",
      "result": 0,
      "result_evaluated_at": null,
      "result_evaluated": false
    }
  ],
  "next_page_token": "eyJOZXh0Q3Vy==",
  "has_more": true
}

See Parameters for more information about the saved query object.

Save a query

CreateAssessmentQuery saves a new query with the specified conditions. See Query Parameters for all available constraints and options. To run a query without saving it, see the query spec operations.

Sample Request:

curl -X 'POST' \
"$BASE_URL/api/v1/assessments/queries" \
-H "authorization: Bearer $VEZA_TOKEN" \
--data-raw '{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "OktaUser",
        "tags": [],
        "conditions": [],
        "condition_expression": null,
        "node_id": "",
        "excluded_tags": [],
        "count_conditions": [],
        "direct_relationship_only": false,
        "node_type_grouping_constraint": null
      }
    ],
    "nodes_operator": "AND"
  },
  "destination_node_types": null,
  "required_intermediate_node_types": null,
  "avoided_intermediate_node_types": null,
  "raw_permissions": null,
  "effective_permissions": null,
  "customized_variables": [],
  "no_relation": false,
  "snapshot_id": "0",
  "access_filter": null,
  "node_relationship_type": "EFFECTIVE_ACCESS",
  "relates_to_exp": {
    "specs": [
      {
        "node_types": {
          "nodes": [
            {
              "node_type": "SnowflakeRole",
              "tags": [],
              "conditions": [],
              "condition_expression": {
                "specs": [
                  {
                    "fn": "EQ",
                    "property": "id",
                    "value": "dn44266.us-east-2.aws.snowflakecomputing.com/role/BILLING",
                    "not": false,
                    "value_property_name": "",
                    "value_property_from_other_node": false
                  }
                ],
                "child_expressions": [],
                "operator": "AND",
                "not": false
              },
              "node_id": "",
              "excluded_tags": [],
              "count_conditions": [],
              "direct_relationship_only": false,
              "node_type_grouping_constraint": null
            }
          ],
          "nodes_operator": "AND"
        },
        "required_intermediate_node_types": null,
        "avoided_intermediate_node_types": null,
        "raw_permissions": null,
        "effective_permissions": {
          "values": [],
          "operator": "OR"
        },
        "no_relation": false,
        "direction": "ANY_DIRECTION"
      }
    ],
    "child_expressions": [
      {
        "specs": [
          {
            "node_types": {
              "nodes": [
                {
                  "node_type": "SnowflakeRole",
                  "tags": [],
                  "conditions": [],
                  "condition_expression": {
                    "specs": [
                      {
                        "fn": "EQ",
                        "property": "id",
                        "value": "dn44266.us-east-2.aws.snowflakecomputing.com/role/AUDITOR",
                        "not": false,
                        "value_property_name": "",
                        "value_property_from_other_node": false
                      }
                    ],
                    "child_expressions": [],
                    "operator": "AND",
                    "not": false
                  },
                  "node_id": "",
                  "excluded_tags": [],
                  "count_conditions": [],
                  "direct_relationship_only": false,
                  "node_type_grouping_constraint": null
                }
              ],
              "nodes_operator": "AND"
            },
            "required_intermediate_node_types": null,
            "avoided_intermediate_node_types": null,
            "raw_permissions": null,
            "effective_permissions": {
              "values": [],
              "operator": "OR"
            },
            "no_relation": false,
            "direction": "ANY_DIRECTION"
          },
          {
            "node_types": {
              "nodes": [
                {
                  "node_type": "SnowflakeRole",
                  "tags": [],
                  "conditions": [],
                  "condition_expression": {
                    "specs": [
                      {
                        "fn": "EQ",
                        "property": "id",
                        "value": "dn44266.us-east-2.aws.snowflakecomputing.com/role/ROLE_A",
                        "not": false,
                        "value_property_name": "",
                        "value_property_from_other_node": false
                      }
                    ],
                    "child_expressions": [],
                    "operator": "AND",
                    "not": false
                  },
                  "node_id": "",
                  "excluded_tags": [],
                  "count_conditions": [],
                  "direct_relationship_only": false,
                  "node_type_grouping_constraint": null
                }
              ],
              "nodes_operator": "AND"
            },
            "required_intermediate_node_types": null,
            "avoided_intermediate_node_types": null,
            "raw_permissions": null,
            "effective_permissions": {
              "values": [],
              "operator": "OR"
            },
            "no_relation": false,
            "direction": "ANY_DIRECTION"
          }
        ],
        "child_expressions": [],
        "operator": "OR",
        "not": false,
        "and_op_type": "INFERRED"
      }
    ],
    "operator": "AND",
    "not": false,
    "and_op_type": "SOURCE_INTERSECT"
  },
  "path_summary_node_types": null,
  "all_entity_condition": null,
  "page_size": "0",
  "page_token": "",
  "variables": [],
  "name": "Okta Users to Snowflake Roles",
  "description": "SoD",
  "risk_level": "CRITICAL",
  "labels": [
    "another_new_label"
  ],
  "visibility": "PRIVATE"
}'

Sample response:

A successful response returns the saved query id, and full query specification in a value object:

{"id":"c169c41c-2650-4f39-8930-f198f70f892b","value":{"id":"c169c41c-2650-4f39-8930-f198f70f892b","name":"Okta Users to Snowflake Roles","description":"SoD","result_type":"NUMBER","query_type":"SOURCE_TO_DESTINATION","raw_permissions":{"values":[],"operator":"AND"},"effective_permissions":{"values":[],"operator":"AND"},"variables":[],"source_node_types":{"nodes":[{"node_type":"OktaUser","tags":[],"conditions":[],"condition_expression":null,"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":{"nodes":[],"nodes_operator":"AND"},"avoided_intermediate_node_types":{"nodes":[],"nodes_operator":"AND"},"destination_node_types":{"nodes":[],"nodes_operator":"AND"},"no_relation":false,"access_filter":null,"created_by":"e3ac5e6a-1946-4688-82a7-8a607133a1c8","visibility":"PRIVATE","owners":["e3ac5e6a-1946-4688-82a7-8a607133a1c8"],"node_relationship_type":"EFFECTIVE_ACCESS","integration_types":["okta","snowflake"],"labels":["another_new_label"],"created_at":"2023-07-29T19:28:30.908762576Z","updated_at":"2023-07-29T19:28:30.908762576Z","source_type":"OktaUser","destination_types":["SnowflakeRole"],"relates_to_exp":{"specs":[{"node_types":{"nodes":[{"node_type":"SnowflakeRole","tags":[],"conditions":[],"condition_expression":{"specs":[{"fn":"EQ","property":"id","value":"dn44266.us-east-2.aws.snowflakecomputing.com/role/BILLING","not":false,"value_property_name":"","value_property_from_other_node":false}],"child_expressions":[],"operator":"AND","not":false},"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":null,"avoided_intermediate_node_types":null,"raw_permissions":null,"effective_permissions":{"values":[],"operator":"OR"},"no_relation":false,"direction":"ANY_DIRECTION"}],"child_expressions":[{"specs":[{"node_types":{"nodes":[{"node_type":"SnowflakeRole","tags":[],"conditions":[],"condition_expression":{"specs":[{"fn":"EQ","property":"id","value":"dn44266.us-east-2.aws.snowflakecomputing.com/role/AUDITOR","not":false,"value_property_name":"","value_property_from_other_node":false}],"child_expressions":[],"operator":"AND","not":false},"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":null,"avoided_intermediate_node_types":null,"raw_permissions":null,"effective_permissions":{"values":[],"operator":"OR"},"no_relation":false,"direction":"ANY_DIRECTION"},{"node_types":{"nodes":[{"node_type":"SnowflakeRole","tags":[],"conditions":[],"condition_expression":{"specs":[{"fn":"EQ","property":"id","value":"dn44266.us-east-2.aws.snowflakecomputing.com/role/ROLE_A","not":false,"value_property_name":"","value_property_from_other_node":false}],"child_expressions":[],"operator":"AND","not":false},"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":null,"avoided_intermediate_node_types":null,"raw_permissions":null,"effective_permissions":{"values":[],"operator":"OR"},"no_relation":false,"direction":"ANY_DIRECTION"}],"child_expressions":[],"operator":"OR","not":false,"and_op_type":"INFERRED"}],"operator":"AND","not":false,"and_op_type":"SOURCE_INTERSECT"},"all_entity_condition":{"specs":[],"child_expressions":[],"operator":"AND","not":false},"risk_level":"CRITICAL","risk_suppressed_constraints":null,"analysis_type":"UNSET","result":0,"result_evaluated_at":null,"result_evaluated":false}}

Get a saved query

GetAssessmentQuery retrieves a single saved query object based on the query ID.

Sample request:

curl -X 'GET' \
"$BASE_URL/api/v1/assessments/queries/0827c158-9973-444c-9ca4-b941b73528c9" \
-H "authorization: Bearer $VEZA_TOKEN"

Update a query

UpdateAssessmentQuery updates an existing saved query by id, with the provided full body. Partial updates are not currently supported.

Sample request:

See create query and query parameters for more details on the saved query object.

curl -X 'GET' \
"$BASE_URL/api/v1/assessments/queries/06799e24-cd93-4509-94bc-f00b27ed5e3c" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{"source_node_types":{"nodes":[{"node_type":"OktaUser","tags":[],"excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}]},"destination_node_types":{"nodes":[{"node_type":"S3Bucket","tags":[],"excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}]},"node_relationship_type":"EFFECTIVE_ACCESS","no_relation":false,"query_type":"SOURCE_TO_DESTINATION","raw_permissions":null,"effective_permissions":null,"include_nodes":true,"customized_variables":[],"name":"Okta User to S3","description":"updated description","labels":[],"visibility":"PRIVATE"}'

{id} (path) - string - ID of the query to modify.

Sample response:

A successful response will include the query details within a value object:

{"value":{"id":"06799e24-cd93-4509-94bc-f00b27ed5e3c","name":"Okta User to S3 - time machine","description":"specifies a snapshot to query against","result_type":"NUMBER","query_type":"SOURCE_TO_DESTINATION","raw_permissions":{"values":[],"operator":"AND"},"effective_permissions":{"values":[],"operator":"AND"},"variables":[],"source_node_types":{"nodes":[{"node_type":"OktaUser","tags":[],"conditions":[],"condition_expression":null,"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":{"nodes":[],"nodes_operator":"AND"},"avoided_intermediate_node_types":{"nodes":[],"nodes_operator":"AND"},"destination_node_types":{"nodes":[],"nodes_operator":"AND"},"no_relation":false,"access_filter":null,"created_by":"e3ac5e6a-1946-4688-82a7-8a607133a1c8","visibility":"PRIVATE","owners":["e3ac5e6a-1946-4688-82a7-8a607133a1c8"],"node_relationship_type":"EFFECTIVE_ACCESS","integration_types":["aws","okta"],"labels":[],"created_at":"2023-07-29T20:18:12.781964505Z","updated_at":"2023-07-29T20:18:57.359434701Z","source_type":"OktaUser","destination_types":["S3Bucket"],"relates_to_exp":{"specs":[{"node_types":{"nodes":[{"node_type":"S3Bucket","tags":[],"conditions":[],"condition_expression":null,"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":null,"avoided_intermediate_node_types":null,"raw_permissions":null,"effective_permissions":null,"no_relation":false,"direction":"ANY_DIRECTION"}],"child_expressions":[],"operator":"AND","not":false,"and_op_type":"INFERRED"},"all_entity_condition":{"specs":[],"child_expressions":[],"operator":"AND","not":false},"risk_level":"NONE","risk_suppressed_constraints":null,"analysis_type":"UNSET","result":0,"result_evaluated_at":null,"result_evaluated":false}}

Delete a query

DeleteAssessmentQuery removes a query by ID.

By default, this operation does not delete assessments that are currently included in a report. Set the force option to true to delete an assessment regardless of its usage in reports.

Sample request:

curl -X 'DELETE' \
"$BASE_URL/api/v1/assessments/queries/c169c41c-2650-4f39-8930-f198f70f892b?force=true" \
-H "authorization: Bearer $VEZA_TOKEN"

Sample response:

A successful response will be empty:

{}

Get query node destinations

GetAssessmentQueryDestinationNodes returns details about related destination nodes for an individual result, specified by source_node_id. GetAssessmentQueryNodes returns source nodes.

To return results, the query must specify a related entity type and cannot use the no_relation option.

Sample request:

curl -X 'GET' \
"$BASE_URL/api/v1/assessments/queries/06799e24-cd93-4509-94bc-f00b27ed5e3c/destination_nodes?source_node_id=00upa6s0hSGtl1eGL5d5" \
-H "authorization: Bearer $VEZA_TOKEN"

Sample response:

{
  "values": [
    {
      "id": "arn:aws:s3:::cai-demo-bucket",
      "type": "S3Bucket",
      "properties": {
        "allows_acls": true,
        "aws_account_id": "973979857296",
        "block_public_access_enabled": true,
        "block_public_acls": true,
        "block_public_policy": true,
        "created_at": "2021-02-24T18:09:03Z",
        "datasource_id": "973979857296:s3",
        "default_encryption_enabled": true,
        "default_retention_mode": "DISABLED",
        "hosts_website": false,
        "ignore_public_acls": true,
        "name": "cai-demo-bucket",
        "object_lock_enabled": false,
        "object_ownership_controls": "ObjectWriter",
        "provider_id": "973979857296",
        "region": "us-east-2",
        "replication_rules_count": 0,
        "request_payer": "BucketOwner",
        "restrict_public_buckets": true,
        "server_access_logs_enabled": false
      },
      "destination_node_count": 0,
      "permissions": [
        {
          "id": "arn:aws:iam::973979857296:role/FederatedS3::eperm::973979857296/S3Bucket/9dab031e9731890b97dca09469ceaa68a23437b0",
          "type": "AwsIamEffectivePermission",
          "properties": {
            "aws_account_id": "973979857296",
            "datasource_id": "973979857296::eperm::973979857296:s3",
            "name": "Read,Metadata,NonData",
            "permissions": [
              "s3:GetAccelerateConfiguration",
              "s3:GetAnalyticsConfiguration",
              "s3:GetBucketAcl",
              "s3:GetBucketCORS",
              "s3:GetBucketLocation",
              "s3:GetBucketLogging",
              "s3:GetBucketNotification",
              "s3:GetBucketObjectLockConfiguration",
              "s3:GetBucketPolicy",
              "s3:GetBucketPolicyStatus",
              "s3:GetBucketPublicAccessBlock",
              "s3:GetBucketRequestPayment",
              "s3:GetBucketTagging",
              "s3:GetBucketVersioning",
              "s3:GetBucketWebsite",
              "s3:GetEncryptionConfiguration",
              "s3:GetInventoryConfiguration",
              "s3:GetLifecycleConfiguration",
              "s3:GetMetricsConfiguration",
              "s3:GetObject",
              "s3:GetObjectAcl",
              "s3:GetObjectLegalHold",
              "s3:GetObjectRetention",
              "s3:GetObjectTagging",
              "s3:GetObjectTorrent",
              "s3:GetObjectVersion",
              "s3:GetObjectVersionAcl",
              "s3:GetObjectVersionForReplication",
              "s3:GetObjectVersionTagging",
              "s3:GetObjectVersionTorrent",
              "s3:GetReplicationConfiguration",
              "s3:ListBucket",
              "s3:ListBucketMultipartUploads",
              "s3:ListBucketVersions",
              "s3:ListMultipartUploadParts"
            ],
            "provider_id": "973979857296"
          },
          "destination_node_count": 0,
          "permissions": [],
          "engagement_access_stats": null,
          "access_stats": null,
          "destination_node_ids": [],
          "risk_level": "NONE",
          "raw_permissions": [],
          "effective_permissions": []
        },
        {
          "id": "arn:aws:iam::973979857296:role/FederatedRedshiftAndS3::eperm::973979857296/S3Bucket/9dab031e9731890b97dca09469ceaa68a23437b0",
          "type": "AwsIamEffectivePermission",
          "properties": {
            "aws_account_id": "973979857296",
            "datasource_id": "973979857296::eperm::973979857296:s3",
            "name": "Read,Metadata,NonData",
            "permissions": [
              "s3:GetAccelerateConfiguration",
              "s3:GetAnalyticsConfiguration",
              "s3:GetBucketAcl",
              "s3:GetBucketCORS",
              "s3:GetBucketLocation",
              "s3:GetBucketLogging",
              "s3:GetBucketNotification",
              "s3:GetBucketObjectLockConfiguration",
              "s3:GetBucketPolicy",
              "s3:GetBucketPolicyStatus",
              "s3:GetBucketPublicAccessBlock",
              "s3:GetBucketRequestPayment",
              "s3:GetBucketTagging",
              "s3:GetBucketVersioning",
              "s3:GetBucketWebsite",
              "s3:GetEncryptionConfiguration",
              "s3:GetInventoryConfiguration",
              "s3:GetLifecycleConfiguration",
              "s3:GetMetricsConfiguration",
              "s3:GetObject",
              "s3:GetObjectAcl",
              "s3:GetObjectLegalHold",
              "s3:GetObjectRetention",
              "s3:GetObjectTagging",
              "s3:GetObjectTorrent",
              "s3:GetObjectVersion",
              "s3:GetObjectVersionAcl",
              "s3:GetObjectVersionForReplication",
              "s3:GetObjectVersionTagging",
              "s3:GetObjectVersionTorrent",
              "s3:GetReplicationConfiguration",
              "s3:ListBucket",
              "s3:ListBucketMultipartUploads",
              "s3:ListBucketVersions",
              "s3:ListMultipartUploadParts"
            ],
            "provider_id": "973979857296"
          },
          "destination_node_count": 0,
          "permissions": [],
          "engagement_access_stats": null,
          "access_stats": null,
          "destination_node_ids": [],
          "risk_level": "NONE",
          "raw_permissions": [],
          "effective_permissions": []
        }
      ],
      "engagement_access_stats": null,
      "access_stats": null,
      "destination_node_ids": [],
      "risk_level": "NONE",
      "raw_permissions": [
        "s3:GetAccelerateConfiguration",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionTorrent",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts"
      ],
      "effective_permissions": [
        "Metadata",
        "NonData",
        "Read"
      ]
    }
  ],
  "path_values": [],
  "next_page_token": "",
  "has_more": false
}

Get query nodes

GetAssessmentQueryNodes returns node details for entities in the query results, with a paginated response.

Please note that the total number of the results is not provided . To get a result count, use GetAssessmentQueryResult.

Sample request:

curl -X 'GET' "$BASE_URL/api/v1/assessments/queries/06799e24-cd93-4509-94bc-f00b27ed5e3c:nodes" \
-H "authorization: Bearer $VEZA_TOKEN"

Sample response:

{
  "values": [
    {
      "id": "arn:aws:iam::877042069677:user/j.smith",
      "type": "AwsIamUser",
      "properties": {
        "aws_account_id": "877042069677",
        "datasource_id": "877042069677:awsiam",
        "name": "j.smith",
        "provider_id": "877042069677"
      },
      "destination_node_count": 1,
      "permissions": [],
      "engagement_access_stats": null,
      "access_stats": null,
      "destination_node_ids": [],
      "risk_level": "CRITICAL",
      "raw_permissions": [],
      "effective_permissions": []
    },
    {
      "id": "arn:aws:iam::877042069677:user/jsmith-lab-01",
      "type": "AwsIamUser",
      "properties": {
        "aws_account_id": "877042069677",
        "datasource_id": "877042069677:awsiam",
        "name": "jsmith-lab-01",
        "provider_id": "877042069677"
      },
      "destination_node_count": 1,
      "permissions": [],
      "engagement_access_stats": null,
      "access_stats": null,
      "destination_node_ids": [],
      "risk_level": "CRITICAL",
      "raw_permissions": [],
      "effective_permissions": []
    }
  ],
  "path_values": [],
  "next_page_token": "",
  "has_more": false
}

Get query result

GetAssessmentQueryResult returns the total number of results for a saved query.

To get node details for the source entity type, use . To get related destination nodes for an individual result, use .

Sample request:

Sample Response:

The response will include a number_value representing the total number of results.

Get query spec node destinations

GetAssessmentQuerySpecDestinationNodes returns the related destination nodes, including effective permissions, for a single entity in the results of a saved query.

Sample request:

The request must include the full query spec object, and the source_node_id of the query result to return destination nodes for. You can additionally provide a snapshot_id to query against historical data.

Sample response:

Get query spec nodes

GetAssessmentQuerySpecNodes returns the entity details for nodes in the query without generating a result count. This option uses pagination and can be faster for complex queries where the total number of search results is not needed.

The request must include the full query spec object and the source_node_id of the query result to retrieve destination nodes for. Additionally, providing a snapshot_id will return destination nodes based on a Time Machine snapshot.

When specifying a page_size in the query string, responses will include the next_page_token and indicate has_more if additional results are available. Note that a page can be empty even when more results exist.

Sample request:

The following example searches for AWS IAM users with permissions to modify S3 bucket ACLs:

curl -X 'POST' \
"$BASE_URL/api/v1/assessments/query_spec:nodes?page_size=1&page_token=" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{
  "query_type": "SOURCE_TO_DESTINATION",
  "include_nodes": true,
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AwsIamUser"
      }
    ]
  },
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "S3Bucket"
      }
    ]
  },
  "no_relation": false,
  "raw_permissions": {
    "operator": "OR",
    "values": [
      "s3:PutBucketAcl"
    ]
  }
}'

Sample response:

{
  "values": [
    {
      "id": "arn:aws:iam::877042069677:user/j.smith",
      "type": "AwsIamUser",
      "properties": {
        "aws_account_id": "877042069677",
        "created_at": "2021-11-15T15:14:47Z",
        "datasource_id": "877042069677:awsiam",
        "full_admin": true,
        "identity_unique_id": "j.smith",
        "last_used_at": "2023-05-25T00:00:00Z",
        "name": "j.smith",
        "password_last_used_at": "2023-05-25T00:00:00Z",
        "permission_boundary_controlled": false,
        "programmatic_access_count": 1,
        "programmatic_last_used_at": "2022-04-20T00:00:00Z",
        "provider_id": "877042069677",
        "root": false,
        "user_type": ""
      },
      "destination_node_count": 25,
      "permissions": [],
      "engagement_access_stats": null,
      "access_stats": null,
      "destination_node_ids": [],
      "risk_level": "CRITICAL",
      "raw_permissions": [],
      "effective_permissions": []
    }
  ],
  "path_values": [],
  "next_page_token": "eyJGaXJzdCI6eyJkdXBsaWNhdGlvbl9zY29wZV9pZCI6IjRmYWIxZDUyLWYzZjgtNGNkZS05MmVmLWVmZTc4OThlM2M2MCIsImlkIjoiYXJuOmF3czppYW06Ojg3NzA0MjA2OTY3Nzp1c2VyL2Fhcm9uLmJpbmZvcmQiLCJsb3dlcl9uYW1lIjoiYWFyb24uYmluZm9yZCJ9LCJMYXN0Ijp7ImR1cGxpY2F0aW9uX3Njb3BlX2lkIjoiNGZhYjFkNTItZjNmOC00Y2RlLTkyZWYtZWZlNzg5OGUzYzYwIiwiaWQiOiJhcm46YXdzOmlhbTo6ODc3MDQyMDY5Njc3OnVzZXIvYWFyb24uYmluZm9yZCIsImxvd2VyX25hbWUiOiJhYXJvbi5iaW5mb3JkIn19",
  "has_more": true
}

Here is a more complex example, which identifies Okta Users related to Snowflake Local Roles.

Using conditions, the query will only return users related to the BILLING group AND another group, either the AUDITOR role OR ROLE_A

Request:

curl -X 'POST' \
"$BASE_URL/api/v1/assessments/query_spec:nodes?page_size=1&page_token=" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{"query_type":"SOURCE_TO_DESTINATION","source_node_types":{"nodes":[{"node_type":"OktaUser","tags":[],"conditions":[],"condition_expression":null,"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"destination_node_types":null,"required_intermediate_node_types":null,"avoided_intermediate_node_types":null,"raw_permissions":null,"effective_permissions":null,"customized_variables":[],"no_relation":false,"snapshot_id":"0","access_filter":null,"node_relationship_type":"EFFECTIVE_ACCESS","relates_to_exp":{"specs":[{"node_types":{"nodes":[{"node_type":"SnowflakeRole","tags":[],"conditions":[],"condition_expression":{"specs":[{"fn":"EQ","property":"id","value":"dn44266.us-east-2.aws.snowflakecomputing.com/role/BILLING","not":false,"value_property_name":"","value_property_from_other_node":false}],"child_expressions":[],"operator":"AND","not":false},"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":null,"avoided_intermediate_node_types":null,"raw_permissions":null,"effective_permissions":{"values":[],"operator":"OR"},"no_relation":false,"direction":"ANY_DIRECTION"}],"child_expressions":[{"specs":[{"node_types":{"nodes":[{"node_type":"SnowflakeRole","tags":[],"conditions":[],"condition_expression":{"specs":[{"fn":"EQ","property":"id","value":"dn44266.us-east-2.aws.snowflakecomputing.com/role/AUDITOR","not":false,"value_property_name":"","value_property_from_other_node":false}],"child_expressions":[],"operator":"AND","not":false},"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":null,"avoided_intermediate_node_types":null,"raw_permissions":null,"effective_permissions":{"values":[],"operator":"OR"},"no_relation":false,"direction":"ANY_DIRECTION"},{"node_types":{"nodes":[{"node_type":"SnowflakeRole","tags":[],"conditions":[],"condition_expression":{"specs":[{"fn":"EQ","property":"id","value":"dn44266.us-east-2.aws.snowflakecomputing.com/role/ROLE_A","not":false,"value_property_name":"","value_property_from_other_node":false}],"child_expressions":[],"operator":"AND","not":false},"node_id":"","excluded_tags":[],"count_conditions":[],"direct_relationship_only":false,"node_type_grouping_constraint":null}],"nodes_operator":"AND"},"required_intermediate_node_types":null,"avoided_intermediate_node_types":null,"raw_permissions":null,"effective_permissions":{"values":[],"operator":"OR"},"no_relation":false,"direction":"ANY_DIRECTION"}],"child_expressions":[],"operator":"OR","not":false,"and_op_type":"INFERRED"}],"operator":"AND","not":false,"and_op_type":"SOURCE_INTERSECT"},"path_summary_node_types":null,"all_entity_condition":null}'

Response:

{"values":[{"id":"00upfs3bV7G3ImWCL5d5","type":"OktaUser","properties":{"created_at":"2020-11-12T21:10:47Z","datasource_id":"dev-5150036.okta.com","email":"[email protected]","first_name":"Simona","idp_unique_id":"[email protected]","is_active":true,"last_name":"Morasca","login":"[email protected]","mfa_active":false,"name":"[email protected]","provider_id":"dev-5150036.okta.com","status":"STAGED","updated_at":"2020-11-12T21:10:47Z"},"destination_node_count":0,"permissions":[],"engagement_access_stats":null,"access_stats":null,"destination_node_ids":[],"risk_level":"CRITICAL","raw_permissions":[],"effective_permissions":[]}],"path_values":[],"next_page_token":"eyJGaXJzdCI6eyJkdXBsaWNhdGlvbl9zY29wZV9pZCI6IjQwZjFlZGZiLWQ1Y2UtNGU4ZC1hNWVmLWY2MzhmMDgxYzMzYiIsImlkIjoiMDB1Nmg4cnI2dkFzSUJqMW41ZDciLCJsb3dlcl9uYW1lIjoiYWFyb24uYmluZm9yZEB2ZXphdGVzdC5jb20ifSwiTGFzdCI6eyJkdXBsaWNhdGlvbl9zY29wZV9pZCI6IjQwZjFlZGZiLWQ1Y2UtNGU4ZC1hNWVmLWY2MzhmMDgxYzMzYiIsImlkIjoiMDB1NTJzc3FldkozQ1d3QlM1ZDciLCJsb3dlcl9uYW1lIjoieXV3dUB2ZXphLmNvbSJ9fQ==","has_more":false}

Get query spec results

GetAssessmentQuerySpecResult Returns the total count of results for a query specification.

The response will include a number_value representing the total number of results.

Sample request:

curl -X 'POST' \
"$BASE_URL/api/v1/assessments/query_spec:result" \
-H "authorization: Bearer $VEZA_TOKEN" \
--data-raw '{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "OktaUser",
        "tags": [],
        "conditions": [],
        "condition_expression": null,
        "node_id": "",
        "excluded_tags": [],
        "count_conditions": [],
        "direct_relationship_only": false,
        "node_type_grouping_constraint": null
      }
    ],
    "nodes_operator": "AND"
  },
  "destination_node_types": null,
  "required_intermediate_node_types": null,
  "avoided_intermediate_node_types": null,
  "raw_permissions": null,
  "effective_permissions": null,
  "customized_variables": [],
  "no_relation": false,
  "snapshot_id": "0",
  "access_filter": null,
  "node_relationship_type": "EFFECTIVE_ACCESS",
  "relates_to_exp": {
    "specs": [
      {
        "node_types": {
          "nodes": [
            {
              "node_type": "SnowflakeRole",
              "tags": [],
              "conditions": [],
              "condition_expression": {
                "specs": [
                  {
                    "fn": "EQ",
                    "property": "id",
                    "value": "dn44266.us-east-2.aws.snowflakecomputing.com/role/BILLING",
                    "not": false,
                    "value_property_name": "",
                    "value_property_from_other_node": false
                  }
                ],
                "child_expressions": [],
                "operator": "AND",
                "not": false
              },
              "node_id": "",
              "excluded_tags": [],
              "count_conditions": [],
              "direct_relationship_only": false,
              "node_type_grouping_constraint": null
            }
          ],
          "nodes_operator": "AND"
        },
        "required_intermediate_node_types": null,
        "avoided_intermediate_node_types": null,
        "raw_permissions": null,
        "effective_permissions": {
          "values": [],
          "operator": "OR"
        },
        "no_relation": false,
        "direction": "ANY_DIRECTION"
      }
    ],
    "child_expressions": [
      {
        "specs": [
          {
            "node_types": {
              "nodes": [
                {
                  "node_type": "SnowflakeRole",
                  "tags": [],
                  "conditions": [],
                  "condition_expression": {
                    "specs": [
                      {
                        "fn": "EQ",
                        "property": "id",
                        "value": "dn44266.us-east-2.aws.snowflakecomputing.com/role/AUDITOR",
                        "not": false,
                        "value_property_name": "",
                        "value_property_from_other_node": false
                      }
                    ],
                    "child_expressions": [],
                    "operator": "AND",
                    "not": false
                  },
                  "node_id": "",
                  "excluded_tags": [],
                  "count_conditions": [],
                  "direct_relationship_only": false,
                  "node_type_grouping_constraint": null
                }
              ],
              "nodes_operator": "AND"
            },
            "required_intermediate_node_types": null,
            "avoided_intermediate_node_types": null,
            "raw_permissions": null,
            "effective_permissions": {
              "values": [],
              "operator": "OR"
            },
            "no_relation": false,
            "direction": "ANY_DIRECTION"
          },
          {
            "node_types": {
              "nodes": [
                {
                  "node_type": "SnowflakeRole",
                  "tags": [],
                  "conditions": [],
                  "condition_expression": {
                    "specs": [
                      {
                        "fn": "EQ",
                        "property": "id",
                        "value": "dn44266.us-east-2.aws.snowflakecomputing.com/role/ROLE_A",
                        "not": false,
                        "value_property_name": "",
                        "value_property_from_other_node": false
                      }
                    ],
                    "child_expressions": [],
                    "operator": "AND",
                    "not": false
                  },
                  "node_id": "",
                  "excluded_tags": [],
                  "count_conditions": [],
                  "direct_relationship_only": false,
                  "node_type_grouping_constraint": null
                }
              ],
              "nodes_operator": "AND"
            },
            "required_intermediate_node_types": null,
            "avoided_intermediate_node_types": null,
            "raw_permissions": null,
            "effective_permissions": {
              "values": [],
              "operator": "OR"
            },
            "no_relation": false,
            "direction": "ANY_DIRECTION"
          }
        ],
        "child_expressions": [],
        "operator": "OR",
        "not": false,
        "and_op_type": "INFERRED"
      }
    ],
    "operator": "AND",
    "not": false,
    "and_op_type": "SOURCE_INTERSECT"
  },
  "path_summary_node_types": null,
  "all_entity_condition": null,
  "page_size": "0",
  "page_token": ""
}'

Sample response:

The response will contain a number_value of total results:

{
  "number_value": 97
}

Private APIs

Documentation for Veza's private APIs for advanced access assessments

Overview

This section contains documentation for APIs in the private/ namespace for advanced access assessment capabilities. These APIs currently support advanced role analysis, entitlement comparisons, and access management for Snowflake environments.

Available APIs

API

Description

Identifies grantees (such as roles) that provide specific access permissions to a given identity for a set of resources

Checks whether a role with specific resource permissions already exists

Simulates modifications to an existing role's permissions and checks if other roles with the resulting permission set already exist

Provides insights into role accessibility for users within a specified cost center

Common Use Cases

These APIs enable several identity security use cases:

Role Rationalization: Identify and consolidate redundant roles to simplify access management
Least Privilege Implementation: Find roles that provide necessary access with minimal excess permissions
Access Governance: Maintain a minimal set of roles by identifying functionally equivalent roles
Access Pattern Analysis: Discover common access patterns among users in the same organizational unit
Privileged Access Management: Analyze what additional privileges different roles would provide to a user

Limitations

These features are currently limited to the Snowflake integration.
Some APIs may have performance limitations with highly connected identities or complex permission structures.

Get Access Relationship

Identify grantees (such as roles) providing specific access permissions to a given identity for a set of resources.

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

The GetAccessRelationship API takes an identity (user), a list of resources with permissions, and responds with potential grantees (roles) that can grant these access permissions to the user. The response includes detailed information about the additional access these grantees would provide. This API is particularly designed for role recommendations and permissions analysis in Snowflake environments.

Use cases and features

This API returns potential grantees (i.e., Snowflake roles) that can provide specific permissions, with results ordered by the level of "extra access" they provide (access not already available to the user). The response includes comparisons between current access and potential access and supports filtering by grantee type and other criteria.

Role Recommendations: Find the most appropriate roles to grant a user for specific access needs
Privilege Analysis: Analyze what additional privileges different roles would provide to a user
Access Management: Compare different access options before making permission changes
Least Privilege Implementation: Identify roles that provide necessary access with minimal excess permissions

Limitations

This feature is currently limited to the Snowflake integration.
For highly connected identities (>10,000 accesses or accessible resources), the calculation of "extra access" can be performance-intensive. For a timely response, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources. In such cases, is_identity_highly_connected will be set to true in response.

Get Access Relationship

Request Parameters

The API accepts a GetAccessRelationshipRequest object with the following parameters:

Parameter

Type

Required

Description

identity_id

string

Yes

ID for the principal (user) in Veza node ID format

identity_type

string

Yes

Veza node type for the principal (currently must be SnowflakeUser)

resource_id

string

ID of the resource to analyze

resource_type

string

Type of the resource to analyze (used to calculate impact)

raw_permissions

RawPermissionCollection

Collection of raw permissions to analyze

effective_permissions

EffectivePermissionCollection

Collection of effective permissions to analyze

grantee_type

string

Veza node type for the grantee (currently must be SnowflakeRole)

grantee_filter

AssessmentQuerySpecFilter

Filter to apply on potential grantees

saved_query_id_for_grantee_ids

string

ID of a saved query, source nodes in its result will be used as a filter

max_grantee_count

int32

Maximum number of grantees to return

resource_types_to_display

string[]

Resource types to include in the result (in addition to resource_type above)

max_resource_count

int32

Grantees with access to more resources will be excluded from the results. 0 (unset) uses the default value of 100,000. Setting a higher value will include grantees with more resources.

no_extra_stats

boolean

Show less stats to makes the API respond faster: when True, the response will not contain permission summaries and resource access changes, but the grantee IDs are still returned in the correct order.

resource_permissions

ResourcePermissions[]

Only valid when result order is LEAST_PRIVILEGED. Returned grantees will be able to access all resources with the permissions in resource_permissions.

result_order

RoleRecommendationResultOrder

Ordering method for results (default is by minimal access count)

direct_grantee_to_resource_only

boolean

When true, only return roles with direct access to the input resources

Important: Either resource_permissions or the combination of (resource_id, resource_type, raw_permissions, effective_permissions) must be provided in the request, but not both.

Result Ordering

The API provides two options for ordering the returned grantees:

Default Order (Minimal Access Count): By default, the API returns grantees ordered by their access count, prioritizing roles with fewest total accesses.
Least Privileged: When setting "result_order": "LEAST_PRIVILEGED", the API orders grantees by least privilege principle (minimum necessary permissions) and enables several advanced features:
- No system-defined admin roles will be returned in the results
- The resource_permissions parameter can be used, which allows input of multiple resources

Special Considerations

When max_resource_count is reached for an identity, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources.
The no_extra_stats parameter improves performance when detailed statistics aren't needed. This parameter will:
- Skip saved query lookup for grantee IDs
- Only include basic resource count information in the response
- Ignore the saved_query_id_for_grantee_ids parameter
- Only return old_accessible_resource_count and new_accessible_resource_count for the input resource_type
- This parameter is not effective when result_order is set to LEAST_PRIVILEGED
The resource_permissions parameter is only usable when result_order is set to LEAST_PRIVILEGED

Response Structure

The API returns a GetAccessRelationshipResponse object with the following fields:

Field

Type

Description

ordered_node_access_changes

NodeAccessChange[]

List of grantees and their access statistics, ordered according to the input result_order

is_identity_highly_connected

boolean

Indicates if the identity has access to many resources (>10,000 accesses for a single resource type)

result_time

Timestamp

Time when the cache was refreshed (if cache was used)

identity_already_has_all_access

boolean

Indicates if the principal already has all the requested access

Note: There are deprecated fields in the response (role_id, resource_type, new_accessible_resource_count) that should not be used. Use the ordered_node_access_changes field instead.

NodeAccessChange Structure

Each NodeAccessChange object contains:

Field

Type

Description

node_type

string

The node type of the grantee

id

string

The node ID of the grantee

name

string

The name of the grantee

resource_access_changes

ResourceAccessChange[]

Access changes per resource type

ResourceAccessChange Structure

Each ResourceAccessChange object contains:

Field

Type

Description

resource_type

string

Type of the resource

old_accessible_resource_count

int32

Count of resources accessible before granting

new_accessible_resource_count

int32

Count of resources accessible after granting

old_raw_permissions

string[]

List of raw permissions before granting

new_raw_permissions

string[]

List of raw permissions after granting

old_effective_permissions

string[]

List of effective permissions before granting

new_effective_permissions

string[]

List of effective permissions after granting

Usage Examples

Example 1: Using Resource Permissions (Recommended)

This example shows how to use the API to find roles that would give a specific Snowflake user access to certain resources using the resource_permissions parameter.

Request

{
  "identity_id": "example-snowflake.com/user/ALICE",
  "identity_type": "SnowflakeUser",
  "resource_permissions": [
    {
      "resource_id": "example-snowflake.com/database/SALES/schema/PUBLIC/table/CUSTOMER_DATA",
      "resource_type": "SnowflakeTable",
      "permissions": ["SELECT", "INSERT"]
    }
  ],
  "grantee_type": "SnowflakeRole",
  "max_grantee_count": 5,
  "result_order": "LEAST_PRIVILEGED"
}

Example 2: Using Resource ID and Permissions

This example shows how to use the API with the resource ID and permissions approach.

This example uses LEAST_PRIVILEGED result ordering. The response will prioritize grantees that provide the minimum necessary permissions to meet the requested access requirements.

Request

{
  "identity_id": "example-snowflake.com/user/ALICE",
  "identity_type": "SnowflakeUser",
  "resource_id": "example-snowflake.com/database/SALES/schema/PUBLIC/table/CUSTOMER_DATA",
  "resource_type": "SnowflakeTable",
  "raw_permissions": {
    "values": ["SELECT", "INSERT"],
    "operator": "AND"
  },
  "grantee_type": "SnowflakeRole",
  "max_grantee_count": 5,
  "result_order": "LEAST_PRIVILEGED"
}

Response

{
  "ordered_node_access_changes": [
    {
      "node_type": "SnowflakeRole",
      "id": "example-snowflake.com/role/ANALYST",
      "name": "ANALYST",
      "resource_access_changes": [
        {
          "resource_type": "SnowflakeTable",
          "old_accessible_resource_count": 10,
          "new_accessible_resource_count": 25,
          "old_raw_permissions": ["SELECT"],
          "new_raw_permissions": ["SELECT", "INSERT"],
          "old_effective_permissions": ["SELECT"],
          "new_effective_permissions": ["SELECT", "INSERT"]
        }
      ]
    },
    {
      "node_type": "SnowflakeRole",
      "id": "example-snowflake.com/role/DATA_EDITOR",
      "name": "DATA_EDITOR",
      "resource_access_changes": [
        {
          "resource_type": "SnowflakeTable",
          "old_accessible_resource_count": 10,
          "new_accessible_resource_count": 32,
          "old_raw_permissions": ["SELECT"],
          "new_raw_permissions": ["SELECT", "INSERT", "UPDATE"],
          "old_effective_permissions": ["SELECT"],
          "new_effective_permissions": ["SELECT", "INSERT", "UPDATE"]
        }
      ]
    }
  ],
  "is_identity_highly_connected": false,
  "result_time": "2025-02-25T10:15:30Z",
  "identity_already_has_all_access": false
}

Role Existence API
Role Maintenance API
Cohort Role Analysis API

Role Existence

Check whether a role with specific resource permissions already exists.

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

The Role Existence API allows users to check whether a role with specific resource permissions already exists in the system. This API is particularly useful for role management and access governance in Snowflake environments.

Use cases and features

This API enables efficient role management by identifying existing roles that already have the permissions you're looking for. Key use cases include:

Role Discovery: Find existing roles that match specific permission requirements
Prevent Role Proliferation: Avoid creating duplicate roles with the same permissions
Permission Auditing: Verify which roles have specific permissions to resources
Role Standardization: Identify standard roles that can be reused for similar access requirements

Limitations

This feature is currently limited to the Snowflake integration.

Role Existence API

Request Parameters

The API accepts a request object with the following parameters:

Parameter

Type

Required

Description

grantee_type

string

Yes

The type of grantee for which the role existence is checked (currently supports only SnowflakeRole)

resource_permissions

ResourcePermissions[]

Yes

A list of resource permissions to match against existing roles

ResourcePermissions Structure

Each ResourcePermissions object contains:

Field

Type

Required

Description

node_type

string

Yes

The type of resource node (supported types are SnowflakeDatabase, SnowflakeTable, SnowflakeView, and SnowflakeSchema)

node_id

string

Yes

Veza node ID of the resource (i.e., ID property in graph and query builder)

raw_permissions

string[]

Yes

A list of permissions to check (e.g., USAGE, SELECT, etc.)

Protocol Definition

Proto Message Definitions

The API uses the following protocol buffer message definitions:

message RoleExistsRequest {
  string grantee_type = 1;
  repeated GetRoleMatchingRequest.ResourcePermissions resource_permissions = 2;
}

message RoleExistsResponse {
  repeated string grantee_ids = 1;
}

Response Structure

The API returns a response object with the following field:

Field

Type

Description

grantee_ids

string[]

A list of existing role IDs that match the given permissions

Usage Example

Request

This example checks if there's an existing role with USAGE permission on a specific Snowflake database:

{
  "grantee_type": "SnowflakeRole",
  "resource_permissions": [
    {
      "node_type": "SnowflakeDatabase",
      "node_id": "example-snowflake.com/database/SECURITY_DB",
      "raw_permissions": ["USAGE"]
    }
  ]
}

Response

The response indicates that a matching role exists:

{
  "grantee_ids": [
    "example-snowflake.com/role/SECURITY_READER_ROLE"
  ]
}

Example: Multiple Resource Permissions

You can check for roles that have permissions across multiple resources:

Request

{
  "grantee_type": "SnowflakeRole",
  "resource_permissions": [
    {
      "node_type": "SnowflakeDatabase",
      "node_id": "example-snowflake.com/database/ANALYTICS",
      "raw_permissions": ["USAGE"]
    },
    {
      "node_type": "SnowflakeSchema",
      "node_id": "example-snowflake.com/database/ANALYTICS/schema/PUBLIC",
      "raw_permissions": ["USAGE", "SELECT"]
    }
  ]
}

Response

{
  "grantee_ids": [
    "example-snowflake.com/role/ANALYTICS_READER_ROLE",
    "example-snowflake.com/role/REPORTING_USER_ROLE"
  ]
}

Example: No Matching Roles

In this example, the request is checking for roles with specific permissions, but no matching roles are found:

Request

{
  "grantee_type": "SnowflakeRole",
  "resource_permissions": [
    {
      "node_type": "SnowflakeDatabase",
      "node_id": "snowhouse.snowflakecomputing.com/database/RESEARCH_DATA",
      "raw_permissions": ["OWNERSHIP"]
    },
    {
      "node_type": "SnowflakeSchema",
      "node_id": "snowhouse.snowflakecomputing.com/database/RESEARCH_DATA/schema/EXPERIMENTS",
      "raw_permissions": ["CREATE TABLE", "CREATE VIEW", "MODIFY"]
    }
  ]
}

Response

The response indicates that no matching roles with the specified permission combination exist:

{
  "grantee_ids": []
}

When you receive an empty response like this, it suggests that a new role might need to be created to satisfy these specific permission requirements, as no existing role has the exact permission set requested.

Get Access Relationship API
Role Maintenance API
Cohort Role Analysis API

Role Maintenance

Modify role permissions and find matching existing roles.

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

The Role Maintenance API allows you to simulate modifications to an existing role's permissions and check if other roles with the resulting permission set already exist. This API is particularly useful for role rationalization and consolidation in Snowflake environments.

Use cases and features

This API enables effective role maintenance and governance with several key capabilities:

Role Rationalization: Find existing roles that match a desired permission set after modifications
Role Consolidation: Identify opportunities to consolidate roles by checking for existing roles with similar permissions
Permission Planning: Plan permission changes and identify existing alternatives before implementation
Access Governance: Maintain a minimal set of roles by identifying functionally equivalent roles

Limitations

This feature is currently limited to the Snowflake integration.

Role Maintenance API

Request Parameters

The API accepts a request object with the following parameters:

Parameter

Type

Required

Description

grantee_type

string

Yes

The type of grantee (currently only supports SnowflakeRole)

grantee_id

string

Yes

Veza node ID of the grantee (role) to be modified

modifications

GranteeModification[]

Yes

A list of resource permission modifications to apply to the role

GranteeModification Structure

Each GranteeModification object contains:

Field

Type

Required

Description

from_resource_permissions

ResourcePermissions

Permissions to remove from the role

to_resource_permissions

ResourcePermissions

Permissions to add to the role

Note: You can specify either or both of these fields:

If only from_resource_permissions is set, those permissions will be removed
If only to_resource_permissions is set, those permissions will be added
If both are set, the permissions will be updated accordingly

This flexibility allows you to model different types of permission changes within a single API call. For example, you can simultaneously remove access to one resource while adding access to another, or modify permission levels on the same resource.

ResourcePermissions Structure

Each ResourcePermissions object contains:

Field

Type

Required

Description

node_type

string

Yes

The type of resource node (supported types are SnowflakeDatabase, SnowflakeTable, SnowflakeView, and SnowflakeSchema)

node_id

string

Yes

Veza node ID of the resource (ID property in graph and query builder)

raw_permissions

string[]

Yes

A list of permissions (e.g., USAGE, SELECT, etc.)

Request and Response Protocol

Proto Message Definitions

The API uses the following protocol buffer message definitions:

message RoleMaintenanceRequest {
  string grantee_type = 1;
  string grantee_id = 2;
  repeated GranteeModification modifications = 3;
}

message GranteeModification {
  GetRoleMatchingRequest.ResourcePermissions from_resource_permissions = 1;
  GetRoleMatchingRequest.ResourcePermissions to_resource_permissions = 2;
}

message RoleMaintenanceResponse {
  repeated string grantee_ids = 1;
}

Response Structure

The API returns a response object with the following field:

Field

Type

Description

grantee_ids

string[]

A list of existing role IDs that match the permission set after the requested modifications

Usage Example

Request

This example simulates removing database and schema permissions from one role while adding database permissions to another:

{
  "grantee_type": "SnowflakeRole",
  "grantee_id": "example-snowflake.com/role/DATA_INGEST_ROLE",
  "modifications": [
    {
      "from_resource_permissions": {
        "node_type": "SnowflakeDatabase",
        "node_id": "example-snowflake.com/database/ANALYTICS_DB",
        "raw_permissions": ["USAGE"]
      }
    },
    {
      "from_resource_permissions": {
        "node_type": "SnowflakeSchema",
        "node_id": "example-snowflake.com/database/ANALYTICS_DB/schema/RAW_DATA",
        "raw_permissions": ["CREATE FUNCTION", "CREATE PIPE", "CREATE STREAM", "CREATE TABLE", "CREATE TASK", "USAGE"]
      }
    },
    {
      "to_resource_permissions": {
        "node_type": "SnowflakeDatabase",
        "node_id": "example-snowflake.com/database/CLOUD_DB",
        "raw_permissions": ["USAGE"]
      }
    }
  ]
}

Response

The response indicates that a role with the resulting permission set exists:

{
"grantee_ids": [
    "example-snowflake.com/role/CLOUD_LOGS_READONLY_ROLE"
]
}

Example: Adding permissions only

This example shows adding permissions to a role:

Request

{
  "grantee_type": "SnowflakeRole",
  "grantee_id": "example-snowflake.com/role/ANALYST_BASIC_ROLE",
  "modifications": [
    {
      "to_resource_permissions": {
        "node_type": "SnowflakeSchema",
        "node_id": "example-snowflake.com/database/ANALYTICS/schema/FINANCE",
        "raw_permissions": ["USAGE", "SELECT"]
      }
    }
  ]
}

Response

{
  "grantee_ids": [
    "example-snowflake.com/role/FINANCE_VIEWER_ROLE"
  ]
}

Example: Removing permissions only

This example shows removing permissions from a role:

Request

{
  "grantee_type": "SnowflakeRole",
  "grantee_id": "snowhouse.snowflakecomputing.com/role/DATA_SCIENTIST",
  "modifications": [
    {
      "from_resource_permissions": {
        "node_type": "SnowflakeSchema",
        "node_id": "snowhouse.snowflakecomputing.com/database/SENSITIVE_DATA/schema/PII",
        "raw_permissions": ["SELECT", "INSERT"]
      }
    }
  ]
}

Response

{
  "grantee_ids": [
    "snowhouse.snowflakecomputing.com/role/ANALYST_BASIC"
  ]
}

Get Access Relationship API
Role Existence API
Cohort Role Analysis API

Cohort Role Analysis

Analyze roles accessible to Snowflake users within a specified cost center.

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

The Cohort Role Analysis API provides insights into role accessibility for Snowflake users within a specified cost center. It identifies which roles are accessible to users in that cost center and orders them by least privilege, helping to establish common access patterns and standardize role assignments. The response includes:

A list of roles accessible to users in the cost center
An indication of whether these roles are accessible to all users or only some users in the cost center

The API first attempts to find roles that are accessible to all principals (users) in the cost center. If no roles are accessible to all principals, it falls back to returning roles that are accessible by at least one principal, indicated by the accessibility_type field in the response.

Use cases and features

This API can help organizations understand common access patterns within organizational units and can support role standardization efforts:

Role Standardization: Identify common roles used within organizational units
Access Pattern Analysis: Discover shared access patterns among users in the same cost center
Least Privilege Implementation: Find roles that provide necessary access with minimal permissions
Onboarding Planning: Determine appropriate roles for new hires based on their cost center

Limitations

This feature is currently limited to the Snowflake integration.
Role analysis is based on cost center information, which must be properly configured in your system.

Cohort Role Analysis API

Request Parameters

The API accepts a request object with the following parameters:

Parameter

Type

Required

Description

cost_center

string

Yes

The identifier for the cost center whose roles should be analyzed

limit

uint32

The maximum number of roles to return (defaults to 5 if not specified)

Protocol Definition

Proto Message Definitions

The API uses the following protocol buffer message definitions:

message CohortRoleAnalysisRequest {
  string cost_center = 1;
  uint32 limit = 2;
}

enum GranteeAccessibility {
  ALL_PRINCIPALS = 0; // Grantees accessible from all principals
  ANY_PRINCIPAL = 1;  // Grantees accessible from at least one principal
}

message CohortRoleAnalysisResponse {
  repeated string grantee_ids = 1;
  GranteeAccessibility accessibility_type = 2;
}

Response Structure

The API returns a response object with the following fields:

Field

Type

Description

grantee_ids

string[]

A list of role IDs that are accessible to users in the specified cost center

accessibility_type

GranteeAccessibility

Indicates whether roles were accessible to all principals or any principal

Accessibility Types

The accessibility_type field can have one of the following values:

Value

Description

ALL_PRINCIPALS

Roles accessible from all principals in the cost center

ANY_PRINCIPAL

Roles accessible from at least one principal in the cost center

Note: If no roles are accessible to all principals in the cost center, the API falls back to returning roles accessible by any principal, and the accessibility_type will be set to ANY_PRINCIPAL.

Usage Example

Example 1: Roles Accessible to All Principals

Request

{
  "cost_center": "CC-SALES",
  "limit": 5
}

Response

The response indicates these roles are accessible to all users in the cost center:

{
  "grantee_ids": [
    "example-snowflake.com/role/WORKSPACE_LOGS_ROLE",
    "example-snowflake.com/role/DATA_LINEAGE_READONLY_ROLE",
    "example-snowflake.com/role/WAREHOUSE_USER_ROLE"
  ],
  "accessibility_type": "ALL_PRINCIPALS"
}

Example 2: Roles Accessible to Any Principal

Request

{
  "cost_center": "CC-MARKETING"
}

Response

The response indicates no roles are accessible to all users, but these roles are accessible to at least one user in the cost center:

{
  "grantee_ids": [
    "example-snowflake.com/role/MARKETING_PARTNER_READONLY_ROLE",
    "example-snowflake.com/role/MARKETING_ENTERPRISE_READONLY_ROLE",
    "example-snowflake.com/role/WORKSPACE_LOGS_ROLE",
    "example-snowflake.com/role/MARKETING_PRODUCT_READONLY_ROLE",
    "example-snowflake.com/role/MARKETING_UTILS_READONLY_ROLE"
  ],
  "accessibility_type": "ANY_PRINCIPAL"
}

Get Access Relationship API
Role Existence API
Role Maintenance API

Create, Add, Remove Tag

Create, apply, and remove Veza tags

New in 2022.3.2: Tagging operations are now available as part of the v1/ API set.

Methods

Create Veza Tag

Post {VezaURL}/api/v1/graph/tags

Define a new tag that can be applied to any discovered entity, as a key:value pair. The tag value is optional.

{
    "tag": {
        "key": "note",
        "value": "tags_can_be_used_as_searchable_properties,_or_add_extended_notes"
    }
}

Parameter

Description

tag

body

Contains a single key:value pair

key

body

Max length 255 characters (alphanumeric and _)

value

body

Max length 4096 characters (alphanumeric, _ and ,).

A successful response will be empty ({}).

Add Veza Tag

Post {VezaURL}/api/v1/graph/nodes/tags

Apply one or more tags to an entity by providing an entity ID. A new Tag will be created if one doesn't already exist.

{
    "node_id": "080551dc-aef9-46e4-9654-a6362d7baeee",
    "tags": [
        {
            "key": "PII",
            "value": "GRPC"
        }
        {
            "key": "environment",
            "value": "production"
        }
    ]
}

Parameter

Description

node_id

body

Veza entity ID

tags

body

Array of tags to add

To retrieve an entity ID, you can use the Query Builder API, or browse the Identity Data Entities catalog.

Remove Veza Tag

Post {VezaURL}/api/v1/graph/nodes/tags:remove

Remove a tag from an entity.

Parameter

Description

node_id

body

ID of the entity to modify

tag_key

body

Must contain a single tag to remove

{
	"node_id": "080551dc-aef9-46e4-9654-a6362d7baeee",
	"tag_key": "environment"
}

A successful response will be empty ({}).

Promoted Tags

Operations for adding, removing, and listing tags for entity enrichment.

Tag promotion for Access Reviews is currently available in Early Access. Please contact our support team to enable this capability.

Use these APIs to define the tags Veza should treat as customer-defined properties. Access Reviews that involve these entity types will include columns showing the tag name and value.

For example, in AWS, you may automatically tag identities with a 3rd-party security tool, or use tags to label S3 buckets containing sensitive data. When a tag is promoted, Veza Access Reviews will treat the tag as a built-in entity attribute, and show this information for reviewers in an optional column.

Promote tag
Demote tag
List tag promotions

Promote tag

Add a promotion rule by specifying its type and key, and the entity types it applies to:

include_entity_types: if true, promote tags for the listed type(s).
exclude_entity_type: if true, promotes tags for all entities except the listed type(s).

You can promote tags for any integration that supports them, such as Snowflake or Google Cloud. Use Veza tags for integrations that do not support vendor-native tags or when built-in tagging is unavailable. Example tag types:

AWSTag
CookieTag (Veza Tag)
GoogleCloudLabel

Entity types for tag promotion should be concrete types. You can confirm the format by viewing details for any graph node, and checking the Type attribute, for example:

OAA.PagerDuty.User
ActiveDirectoryUser
OAA.custom_idp.IDPUser

Demote tag

Remove a promotion rule for the specified tag key and type. Demotions apply on the next data source parse.

Get all promotion rules for all entity types.

{ "values": [ { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ "[Circular Reference]" ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 } ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 } ], "path_values": [ { "source": { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ "[Circular Reference]" ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 } ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 }, "abstract_permissions": [ "text" ], "concrete_permissions": [ "text" ], "destination": { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ "[Circular Reference]" ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 } ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 }, "path_summary_nodes": [ { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ "[Circular Reference]" ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 } ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 } ], "results_truncated": true } ], "next_page_token": "text", "has_more": true }

{ "value": { "id": "text", "name": "text", "description": "text", "result_type": "NUMBER", "query_type": "SYSTEM_CREATED", "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "variables": [ "text" ], "source_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "no_relation": true, "created_by": "text", "visibility": "PUBLIC", "owners": [ "text" ], "node_relationship_type": "EFFECTIVE_ACCESS", "integration_types": [ "text" ], "labels": [ "text" ], "created_at": "2025-07-03T08:30:14.801Z", "updated_at": "2025-07-03T08:30:14.801Z", "source_type": "text", "destination_types": [ "text" ], "relates_to_exp": { "specs": [ { "node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": [ { "node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" }, "all_entity_condition": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true } ], "operator": "AND", "not": true }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "path_summary_count_conditions": { "conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ] }, "risk_level": "NONE", "risk_suppressed_constraints": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ] }, "analysis_type": "UNSET", "result": 1, "result_evaluated_at": "2025-07-03T08:30:14.801Z", "result_evaluated": true } }

PUT /api/v1/assessments/queries/{id} HTTP/1.1 Host: Bearer: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 10058 { "name": "text", "description": "text", "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "source_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "no_relation": true, "visibility": "PUBLIC", "node_relationship_type": "EFFECTIVE_ACCESS", "labels": [ "text" ], "relates_to_exp": { "specs": [ { "node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": [ { "node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": "[Circular Reference]", "child_expressions": "[Circular Reference]", "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" }, "all_entity_condition": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true } ], "operator": "AND", "not": true } ], "operator": "AND", "not": true }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "path_summary_count_conditions": { "conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ] }, "analysis_type": "UNSET" }

{ "id": "text", "value": { "id": "text", "name": "text", "description": "text", "result_type": "NUMBER", "query_type": "SYSTEM_CREATED", "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "variables": [ "text" ], "source_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "no_relation": true, "created_by": "text", "visibility": "PUBLIC", "owners": [ "text" ], "node_relationship_type": "EFFECTIVE_ACCESS", "integration_types": [ "text" ], "labels": [ "text" ], "created_at": "2025-07-03T08:30:14.801Z", "updated_at": "2025-07-03T08:30:14.801Z", "source_type": "text", "destination_types": [ "text" ], "relates_to_exp": { "specs": [ { "node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": [ { "node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" }, "all_entity_condition": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true } ], "operator": "AND", "not": true }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "path_summary_count_conditions": { "conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ] }, "risk_level": "NONE", "risk_suppressed_constraints": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ] }, "analysis_type": "UNSET", "result": 1, "result_evaluated_at": "2025-07-03T08:30:14.801Z", "result_evaluated": true } }

{ "result_type": "text", "number_value": "text", "timestamp_value": "text", "nodes_value": { "values": [ { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": [ { "id": "text", "type": "text", "properties": {}, "destination_node_count": 1, "permissions": "[Circular Reference]", "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 } ], "engagement_access_stats": { "engagement_score": 1, "over_provisioned_score": 1, "total_count": "text", "accessed_count": "text" }, "access_stats": { "last_used": "2025-07-03T08:30:14.801Z", "count": 1, "concrete_permissions": [ "text" ], "canonical_permissions": [ "text" ] }, "destination_node_ids": [ "text" ], "risk_level": "NONE", "raw_permissions": [ "text" ], "effective_permissions": [ "text" ], "destination_node_percentage_of_total": 1 } ], "next_page_token": "text", "has_more": true } }

POST /api/v1/assessments/query_spec:nodes HTTP/1.1 Host: Bearer: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 10136 { "query_type": "SYSTEM_CREATED", "source_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "customized_variables": [ { "key": "text", "value": "text" } ], "no_relation": true, "snapshot_id": "text", "node_relationship_type": "EFFECTIVE_ACCESS", "relates_to_exp": { "specs": [ { "node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": [ { "node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": "[Circular Reference]", "child_expressions": "[Circular Reference]", "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "all_entity_condition": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true } ], "operator": "AND", "not": true } ], "operator": "AND", "not": true }, "path_summary_count_conditions": { "conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ] }, "result_value_type": "UNDEFINED", "page_size": "text", "page_token": "text" }

POST /api/v1/assessments/query_spec:result HTTP/1.1 Host: Bearer: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 10136 { "query_type": "SYSTEM_CREATED", "source_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "customized_variables": [ { "key": "text", "value": "text" } ], "no_relation": true, "snapshot_id": "text", "node_relationship_type": "EFFECTIVE_ACCESS", "relates_to_exp": { "specs": [ { "node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": [ { "node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": "[Circular Reference]", "child_expressions": "[Circular Reference]", "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "all_entity_condition": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true } ], "operator": "AND", "not": true } ], "operator": "AND", "not": true }, "path_summary_count_conditions": { "conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ] }, "result_value_type": "UNDEFINED", "page_size": "text", "page_token": "text" }

{ "values": [ { "id": "text", "name": "text", "description": "text", "result_type": 1, "query_type": 1, "raw_permissions": { "values": [ "text" ], "operator": 1 }, "effective_permissions": { "values": [ 1 ], "operator": 1 }, "variables": [ "text" ], "source_node_types": { "nodes": [ { "node_type": "text", "condition_expression": "[Circular Reference]", "node_id": "text", "count_condition_expression": "[Circular Reference]", "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": 1 }, "properties_to_get": [ "text" ], "tags_to_get": [ { "type": 1, "key": "text" } ], "integration_types": [ "text" ] } ], "nodes_operator": 1 }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "condition_expression": "[Circular Reference]", "node_id": "text", "count_condition_expression": "[Circular Reference]", "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": 1 }, "properties_to_get": [ "text" ], "tags_to_get": [ { "type": 1, "key": "text" } ], "integration_types": [ "text" ] } ], "nodes_operator": 1 }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "condition_expression": "[Circular Reference]", "node_id": "text", "count_condition_expression": "[Circular Reference]", "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": 1 }, "properties_to_get": [ "text" ], "tags_to_get": [ { "type": 1, "key": "text" } ], "integration_types": [ "text" ] } ], "nodes_operator": 1 }, "destination_node_types": { "nodes": [ { "node_type": "text", "condition_expression": "[Circular Reference]", "node_id": "text", "count_condition_expression": "[Circular Reference]", "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": 1 }, "properties_to_get": [ "text" ], "tags_to_get": [ { "type": 1, "key": "text" } ], "integration_types": [ "text" ] } ], "nodes_operator": 1 }, "access_filter": { "engagement_score": { "op": 1, "value": 1 }, "over_provisioned_score": { "op": 1, "value": 1 }, "include_secondary_grantee": true, "include_indirect_resource": true, "exclude_indirect_grantee": true, "anomaly_detection_history_days": "text", "last_used": { "op": 1, "value": "2025-07-03T08:30:14.801Z", "target": 1 } }, "created_by": "text", "visibility": 1, "owners": [ "text" ], "node_relationship_type": 1, "integration_types": [ "text" ], "labels": [ "text" ], "created_at": "2025-07-03T08:30:14.801Z", "updated_at": "2025-07-03T08:30:14.801Z", "source_type": "text", "destination_types": [ "text" ], "relates_to_exp": { "specs": [ "[Circular Reference]" ], "child_expressions": [ "[Circular Reference]" ], "operator": 1, "not": true, "and_op_type": 1 }, "all_entity_condition": { "specs": [ { "fn": 1, "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "tag_specs": [ { "tag": { "type": "text", "key": "text", "value": "text", "properties": { "ANY_ADDITIONAL_PROPERTY": null } }, "exclude": true } ], "child_expressions": [ { "specs": [ { "fn": 1, "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "tag_specs": [ { "tag": { "type": "text", "key": "text", "value": "text", "properties": { "ANY_ADDITIONAL_PROPERTY": null } }, "exclude": true } ], "child_expressions": "[Circular Reference]", "operator": 1, "not": true } ], "operator": 1, "not": true }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "condition_expression": "[Circular Reference]", "node_id": "text", "count_condition_expression": "[Circular Reference]", "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": 1 }, "properties_to_get": [ "text" ], "tags_to_get": [ { "type": 1, "key": "text" } ], "integration_types": [ "text" ] } ], "nodes_operator": 1 }, "path_summary_count_conditions": { "conditions": [ { "fn": 1, "value": "text", "value_as": 1 } ] }, "risk_level": 1, "risk_suppressed_constraints": { "nodes": [ "[Circular Reference]" ] }, "analysis_type": 1, "result": 1, "result_evaluated_at": "2025-07-03T08:30:14.801Z", "result_evaluated": true, "risk_explanation": "text", "risk_remediation": "text", "updated_by": "text", "natural_language": "text", "result_enrichment": { "join_node_specs": [ { "with": "text", "node_spec": "[Circular Reference]", "as": "text" } ], "outlier_detection": { "type": 1 } }, "change_source": 1, "uneditable": true, "approx_total_source_nodes_count": "text", "include_sub_permissions": true, "save_mode": 1, "vql_query": "text", "source_type_integration": "text" } ], "next_page_token": "text", "has_more": true }

{ "values": [ { "id": "arn:aws:s3:::aws-cloudtrail-logs-877042069677-a35f269d", "type": "S3Bucket", "properties": { "allows_acls": true, "aws_account_id": "877042069677", "block_public_access_enabled": true, "block_public_acls": true, "block_public_policy": true, "created_at": "2022-02-07T20:33:19Z", "datasource_id": "877042069677:s3", "default_encryption_enabled": true, "default_retention_mode": "DISABLED", "hosts_website": false, "ignore_public_acls": true, "name": "aws-cloudtrail-logs-877042069677-a35f269d", "object_lock_enabled": false, "object_ownership_controls": "ObjectWriter", "provider_id": "877042069677", "region": "us-east-1", "replication_rules_count": 0, "request_payer": "BucketOwner", "restrict_public_buckets": true, "server_access_logs_enabled": false }, "destination_node_count": 0, "permissions": [ { "id": "arn:aws:iam::877042069677:user/j.smith::eperm::877042069677/S3Bucket/9e5c59f46ddc58231c08bc23534d1a83c0bffe87", "type": "AwsIamEffectivePermission", "properties": { "aws_account_id": "877042069677", "datasource_id": "877042069677::eperm::877042069677:s3", "name": "Create,Write,Delete,Read,Metadata,NonData", "permissions": [ "s3:AbortMultipartUpload", "s3:BypassGovernanceRetention", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging", "s3:GetAccelerateConfiguration", "s3:GetAnalyticsConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetInventoryConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectLegalHold", "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectTorrent", "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionTagging", "s3:GetObjectVersionTorrent", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:ListMultipartUploadParts", "s3:ObjectOwnerOverrideToBucketOwner", "s3:PutAccelerateConfiguration", "s3:PutAnalyticsConfiguration", "s3:PutBucketAcl", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketRequestPayment", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration", "s3:PutInventoryConfiguration", "s3:PutLifecycleConfiguration", "s3:PutMetricsConfiguration", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionAcl", "s3:PutObjectVersionTagging", "s3:ReplicateDelete", "s3:ReplicateObject", "s3:ReplicateTags", "s3:RestoreObject" ], "provider_id": "877042069677" }, "destination_node_count": 0, "permissions": [], "engagement_access_stats": null, "access_stats": null, "destination_node_ids": [], "risk_level": "NONE", "raw_permissions": [], "effective_permissions": [] } ], "engagement_access_stats": null, "access_stats": null, "destination_node_ids": [], "risk_level": "NONE", "raw_permissions": [ "s3:AbortMultipartUpload", "s3:BypassGovernanceRetention", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging", "s3:GetAccelerateConfiguration", "s3:GetAnalyticsConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetInventoryConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectLegalHold", "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectTorrent", "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionTagging", "s3:GetObjectVersionTorrent", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:ListMultipartUploadParts", "s3:ObjectOwnerOverrideToBucketOwner", "s3:PutAccelerateConfiguration", "s3:PutAnalyticsConfiguration", "s3:PutBucketAcl", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketRequestPayment", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration", "s3:PutInventoryConfiguration", "s3:PutLifecycleConfiguration", "s3:PutMetricsConfiguration", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionAcl", "s3:PutObjectVersionTagging", "s3:ReplicateDelete", "s3:ReplicateObject", "s3:ReplicateTags", "s3:RestoreObject" ], "effective_permissions": [ "Create", "Delete", "Metadata", "NonData", "Read", "Write" ] } ], "path_values": [], "next_page_token": "", "has_more": false }

POST /api/v1/assessments/query_spec:destination_nodes HTTP/1.1 Host: Bearer: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 5807 { "spec": { "query_type": "SYSTEM_CREATED", "source_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "customized_variables": [ { "key": "text", "value": "text" } ], "no_relation": true, "snapshot_id": "text", "node_relationship_type": "EFFECTIVE_ACCESS", "relates_to_exp": { "specs": [ { "node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": [ { "node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": "[Circular Reference]", "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "all_entity_condition": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true } ], "operator": "AND", "not": true }, "path_summary_count_conditions": { "conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ] }, "result_value_type": "UNDEFINED", "page_size": "text", "page_token": "text" }, "source_node_id": "text", "snapshot_id": "text" }

POST /api/v1/assessments/queries HTTP/1.1 Host: Bearer: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 10869 { "name": "text", "description": "text", "query_type": "SYSTEM_CREATED", "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "source_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "no_relation": true, "violation": true, "visibility": "PUBLIC", "node_relationship_type": "EFFECTIVE_ACCESS", "labels": [ "text" ], "relates_to_exp": { "specs": [ { "node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": [ { "node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "raw_permissions": { "values": [ "text" ], "operator": "AND" }, "effective_permissions": { "values": [ "METADATA_WRITE" ], "operator": "AND" }, "no_relation": true, "direction": "ANY_DIRECTION" } ], "child_expressions": [ { "specs": "[Circular Reference]", "child_expressions": "[Circular Reference]", "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" } ], "operator": "AND", "not": true, "and_op_type": "INFERRED" }, "all_entity_condition": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": "[Circular Reference]", "operator": "AND", "not": true } ], "operator": "AND", "not": true } ], "operator": "AND", "not": true }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ], "nodes_operator": "AND" }, "path_summary_count_conditions": { "conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ] }, "risk_level": "NONE", "risk_suppressed_constraints": { "nodes": [ { "node_type": "text", "tags": [ { "key": "text", "value": "text" } ], "conditions": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "condition_expression": { "specs": [ { "fn": "EQ", "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": "AND", "not": true }, "node_id": "text", "excluded_tags": [ { "key": "text", "value": "text" } ], "count_conditions": [ { "fn": "EQ", "value": "text", "value_as": "COUNT" } ], "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": "EXCLUDE" }, "properties_to_get": [ "text" ] } ] }, "analysis_type": "UNSET" }

POST /api/private/assessments/access_relationship HTTP/1.1 Host: Authorization: Bearer Bearer <API key> Content-Type: application/json Accept: */* Content-Length: 3575 { "identity_id": "text", "identity_type": "text", "resource_id": "text", "resource_type": "text", "raw_permissions": { "values": [ "text" ], "operator": 1 }, "effective_permissions": { "values": [ 1 ], "operator": 1 }, "grantee_type": "text", "grantee_filter": { "query_type": 1, "source_node_types": { "nodes": [ { "node_type": "text", "condition_expression": { "specs": [ { "fn": 1, "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "tag_specs": [ { "tag": { "type": "text", "key": "text", "value": "text", "properties": { "ANY_ADDITIONAL_PROPERTY": null } }, "exclude": true } ], "child_expressions": "[Circular Reference]", "operator": 1, "not": true }, "node_id": "text", "count_condition_expression": "[Circular Reference]", "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": 1 }, "properties_to_get": [ "text" ], "tags_to_get": [ { "type": 1, "key": "text" } ], "integration_types": [ "text" ] } ], "nodes_operator": 1 }, "customized_variables": [ { "key": "text", "value": "text" } ], "access_filter": { "engagement_score": { "op": 1, "value": 1 }, "over_provisioned_score": { "op": 1, "value": 1 }, "include_secondary_grantee": true, "include_indirect_resource": true, "exclude_indirect_grantee": true, "anomaly_detection_history_days": "text", "last_used": { "op": 1, "value": "2025-07-03T08:30:14.801Z", "target": 1 } }, "node_relationship_type": 1, "relates_to_exp": { "specs": [ { "node_types": "[Circular Reference]", "required_intermediate_node_types": "[Circular Reference]", "avoided_intermediate_node_types": "[Circular Reference]", "raw_permissions": { "values": [ "text" ], "operator": 1 }, "effective_permissions": { "values": [ 1 ], "operator": 1 }, "no_relation": true, "direction": 1 } ], "child_expressions": [ { "specs": "[Circular Reference]", "child_expressions": "[Circular Reference]", "operator": 1, "not": true, "and_op_type": 1 } ], "operator": 1, "not": true, "and_op_type": 1 }, "path_summary_node_types": { "nodes": [ { "node_type": "text", "condition_expression": { "specs": [ { "fn": 1, "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "tag_specs": [ { "tag": { "type": "text", "key": "text", "value": "text", "properties": { "ANY_ADDITIONAL_PROPERTY": null } }, "exclude": true } ], "child_expressions": "[Circular Reference]", "operator": 1, "not": true }, "node_id": "text", "count_condition_expression": "[Circular Reference]", "direct_relationship_only": true, "node_type_grouping_constraint": { "node_types": [ "text" ], "constraint_type": 1 }, "properties_to_get": [ "text" ], "tags_to_get": [ { "type": 1, "key": "text" } ], "integration_types": [ "text" ] } ], "nodes_operator": 1 }, "all_entity_condition": { "specs": [ { "fn": 1, "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "tag_specs": [ { "tag": { "type": "text", "key": "text", "value": "text", "properties": { "ANY_ADDITIONAL_PROPERTY": null } }, "exclude": true } ], "child_expressions": [ { "specs": [ { "fn": 1, "property": "text", "value": null, "not": true, "value_property_name": "text", "value_property_from_other_node": true } ], "tag_specs": [ { "tag": { "type": "text", "key": "text", "value": "text", "properties": { "ANY_ADDITIONAL_PROPERTY": null } }, "exclude": true } ], "child_expressions": [ "[Circular Reference]" ], "operator": 1, "not": true } ], "operator": 1, "not": true }, "path_summary_count_conditions": { "conditions": [ { "fn": 1, "value": "text", "value_as": 1 } ] }, "result_value_type": 1 }, "saved_query_id_for_grantee_ids": "text", "max_grantee_count": 1, "resource_types_to_display": [ "text" ], "max_resource_count": 1, "no_extra_stats": true, "resource_permissions": [ { "raw_permissions": [ "text" ], "node_type": "text", "node_id": "text" } ], "result_order": 1, "direct_grantee_to_resource_only": true }

{ "ordered_node_access_changes": [ { "node_type": "text", "id": "text", "name": "text", "resource_access_changes": [ { "resource_type": "text", "old_accessible_resource_count": 1, "new_accessible_resource_count": 1, "old_raw_permissions": [ "text" ], "new_raw_permissions": [ "text" ], "old_effective_permissions": [ "text" ], "new_effective_permissions": [ "text" ] } ] } ], "is_identity_highly_connected": true, "result_time": "2025-07-03T08:30:14.801Z", "identity_already_has_all_access": true }

Query Builder Parameters

Options for saved and spec query requests

Query parameters

Field

Type

Notes

all_entity_condition

object

A constraint to apply on all entities that happen to be a part of the query result (specified or not)

analysis_type

string

For built-in queries, indicates where the query originated (Query Builder or the Analysis page). Values can be UNSET USER GROUP ROLE or SEPARATION_OF_DUTY

avoided_intermediate_node_types

Any entity types that cannot exist in the path between the query source and destination.

description

string

A description of the assessment query, shown in the query details.

destination_node_types

If specified, results only include entities with a relationship to the destination node type.

effective_permissions

Effective permissions to search, and operator to use.

labels

array of strings

List of assessment labels for categorization in reports.

name

string

The name of the assessment query, shown in the Veza UI.

no_relation

boolean

deprecated (use relates_to_exp)

node_relationship_type

string

Query mode EFFECTIVE_ACCESS (default) or CONFIGURED.

query_type

string

always use SOURCE_TO_DESTINATION

raw_permissions

If specified, only return results that have the listed raw permissions.

relates_to_exp

object

Specify related note constraints

required_intermediate_node_types

Specifies requirements for the path connecting the source and destination nodes.

risk_level

string

Sets whether results are marked as risks based on the risk level: NONE (default), WARNING, or CRITICAL

risk_suppressed_constraints

object

Adds a risk exception for nodes matching the specification.

source_node_types

The source node type to return as results for SOURCE_TO_DESTINATION queries (for example AwsIamUser). Required to have only 1.

violation

boolean

Deprecated, use risk_level instead

visibility

string

Sets whether a query is public or visible only to owners. PUBLIC (default) or PRIVATE

include_nodes

boolean

When true, only return a result count.

NodeSpecCollection

A collection of node specifications, defining constraints or other query parameters on each entity type.

You can query for a single principal or resource by filtering on node ID.

Field

Type

Notes

nodes

node spec array

Contains an object for each node type

nodes_operator

string

Sets whether all or any of the node conditions must be true (AND(default), OR).

NodeSpec

Contains the type, tags, and conditions applied to a node, narrowing the focus of the query.

Note that you can add conditions and tags to either the source node type or the destination.

Field

Type

Notes

condition_expression

object

Logical tree of constraints to apply

conditions

array

Deprecated, use condition_expression

count_conditions

array

Count condition functions and values. count_conditions are only accepted in assessment queries, when the node spec defines destination_node_types.

direct_relationship_only

boolean

excluded_tags

array

tags to exclude from results.

node_id

string

For specifying an individual entity, a single graph entity ID

node_type

string

Concrete node type (e.g. AwsIamUser) or node label (e.g. User)

node_type_grouping_constraint

object

Contains an operator and list of node types to include or exclude

tags

array

tags to require, specified with key value pairs.

NodeTypeGroupingConstraint

{
    "node_relationship_type": "EFFECTIVE_ACCESS",
    "query_type": "SOURCE_TO_DESTINATION",
    "include_nodes": true,
    "source_node_types": {
        "nodes": [
            {
                "node_type": "User",
                "node_type_grouping_constraint" :{
                    "constraint_type" : "INCLUDE",
                    "node_types" : ["CustomIDPUser", "OktaUser"]
                }
            }
        ]
    },
    "destination_node_types": {
        "nodes": [
            {
                "node_type": "S3Bucket"
            }
        ]
    }
}

ConditionExpression

Conditions can always apply to source and destination node types. Conditions can only apply to intermediate node types when the query defines required_intermediate_node_types.

Conditions have a function (fn). Valid operators are:

EQ: 'Equals',
LT: 'Less Than',
LTE: 'Less Than or Equal',
GT: 'Greater Than',
GTE: 'Greater Than or Equal',
LIST_CONTAINS: 'List Contains',
IN: 'In',
STARTS_WITH: 'Starts With',
CONTAINS: 'Contains',
ENDS_WITH: 'Ends With',
EXISTS: 'Exists',
REGEX: 'Matches Regular Expression',

Date-based operators can be:

LT: 'Not in the Last', LTE: 'Before', GT: 'In the Last', GTE: 'After', EQ: 'At',

For example:

{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AwsIamUser",
        "condition_expression": {
          "operator": "AND",
          "specs": [
            {
              "fn": "LTE",
              "property": "last_used_at",
              "value": "2022-01-02T17:59:59.494Z"
            },
            {
              "fn": "GTE",
              "property": "last_used_at",
              "value": "2022-01-01T06:00:00.494Z"
            }
          ]
        }
      }
    ]
  }
}

The condition value can be true, false, a number, an RFC3339 timestamp, or a string. For example, to find S3 Bucket destinations where public ACLs haven't been blocked:

{
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "S3Bucket",
        "condition_expression": {
          "specs": [
            {
              "fn": "EQ",
              "property": "block_public_acls",
              "value": false,
              "not": false
            }
          ]
        }
      }
    ]
  }
}

Conditions can also contain a string-typed value. For example, to find all Okta users with the prefix "sa-":

{
  "node_type": "OktaUser",
  "condition_expression": {
    "specs": [
      {
        "fn": "STARTS_WITH",
        "property": "name",
        "value": "sa-",
        "not": false
      }
    ]
  }
}

Note that you can specify nodes where the condition doesn't apply by setting "not": true for the constraint.

There can also be a not on the whole expression:

"condition_expression": {
  "operator": "OR",
  "not": true,
  "specs": [
    {
      "not": true,
      "fn": "EQ",
      ..
    },
    ..
  ]
}

You can get all the properties available for different node types (which vary depending on the provider and service) by searching for the entities in Authorization Graph and viewing the node details.

No relation

Enable no_relation to only return nodes without a relationship to the destination node types. For example, to show Microsoft Azure AD users that do not belong to the group "Alabama":

{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AzureADUser"
      }
    ]
  },
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "AzureADGroup",
        "condition_expression": {
          "specs": [
            {
              "fn": "EQ",
              "property": "name",
              "stringValue": "Alabama"
            }
          ]
        }
      }
    ]
  },
  "no_relation": true,
  "include_nodes": true
}

Avoids intermediate node types

To query for relationships that do not include a specific node type in the authorization path, specify an exclusion in the avoids_intermediate_node_types object:

...
"no_relation": false,
"avoids_intermediate_node_types": {
  "nodes": [
    {
      "node_type": "AwsIamRole"
    }
  ]
}

Query type

Query Type

Description

SYSTEM_CREATED

Used for pre-built system queries.

SOURCE_TO_DESTINATION

The search will return entities of the source node type with a relationship to the destination entity type.

DESTINATION_NODES

Return the destination nodes, instead of source nodes (deprecated, use query_spec:destination_nodes).

Permissions

To return only entities with one or more permissions to a resource, you can list either system or effective permissions, with an AND or OR operator.

RawPermissionCollection

"Raw" or "System" permissions describe privileges using the service providers terms, for example s3:PutBucketAcl.

Field

Type

Notes

values

string

String list of raw permission names

operator

string

AND, OR (default AND)

You can review all the possible permissions Veza has discovered for an entity by selecting it as a related entity in a Query Builder search. The "Permissions" dropdown menu will include all effective and raw permissions for the resource type.

EffectivePermissionCollection

Field

Type

Notes

values

string

Effective permissions can be METADATA_WRITE, METADATA_READ, METADATA_CREATE, METADATA_DELETE, DATA_READ, DATA_WRITE, DATA_CREATE, DATA_DELETE, NON_DATA ] (default METADATA_WRITE)

operator

string

AND, OR (default AND)

RelatesToExp

RelatesToExp Evaluation

For E = { specs: [A, B, ...], child_expressions: [X, Y, ...], operator, not }

"source has a path to E" is defined as:
If operator is AND (default): "source has a path to ALL of (A,B, ..., X, Y, ...)"
If operator is OR: "source has a path to ANY of (A,B, ..., X, Y, ...)"
If not = true, boolean invert the result above

RelatesToExp Field Specifications

and_op_type: AndOperatorType (INFERRED [default], SOURCE_INTERSECT, PAIR_INTERSECT)
child_expressions: RelatesToExpressions Array
not: Boolean flag applied to specs and child_expressions
operator: Operator (AND [default], OR)
specs: RelatesToSpec array specifying node types and conditions

AndOperatorType

INFERRED (default): Replaced with SOURCE_INTERSECT or PAIR_INTERSECT based on query execution context.
SOURCE_INTERSECT: Intersection based on source node.
PAIR_INTERSECT: Intersection based on pairs of nodes.

Given the following graph relationship:

U1 -- P1 -- R1
    /
U2 -- P2 -- R2

If we change the graph to have R1 match both U->P1->R and U->P2->R:

U1 -- P1 -- R1
    /     /
U2 -- P2 -

AndOperatorType defaults:

INFERRED will be replaced with one of SOURCE_INTERSECT or PAIR_INTERSECT when executing the query.
INFERRED is replaced with PAIR_INTERSECT only if:
- The query doesn't have RelatesToExpression.Not == true in any child expressions, and
- All operands of the AND have the same sole node type, and
- All operands of the AND don't include conflicting "equal to" conditions on unique property (id and name)
Otherwise INFERRED is replaced with SOURCE_INTERSECT

RelatesToSpec

A RelatesToSpec represents a precise path definition:

source has a path to any node spec in node_types
- direction determines the direction of the path
the path has all required_intermediate_node_types
the path has none of avoided_intermediate_node_types
all or any of raw_permissions appear on the path, depending on raw_permissions.operator
all or any of effective_permissions appear on the path, effective_permissions on raw_permissions.operator
if no_relation=true, it instead means such a path does not exist

Field

Type

Description

avoided_intermediate_node_types

object

direction

string

RelatesToDirection

effective_permissions

object

no_relation

boolean

node_types

object

raw_permissions

object

A collection of raw permission names

required_intermediate_node_types

object

RelatesToDirection can be:

ANY_DIRECTION : Direction to be chosen by the API. Paths of any direction is accepted by the caller.
SINGLE_DIRECTIONAL: Direction to be chosen by the API if there is only one valid direction. Otherwise this input is invalid.
OUTGOING: Only accept result for paths of ( -> ...). This input is invalid if there is no such a path in schema.
INCOMING: Only accept result for paths of (... -> ). This input is invalid if there is no such a path in schema.

RiskSuppressedConstraintsCollection

NodeSpec define conditions on entity types to mark exceptions for queries with a risk level.

Query APIs

Base URL

Authentication

Getting started

Quick Start

Authentication

Query specifications

Get destination nodes

Save a query

Get saved query result count or entity details

Query Builder Terminology

Entity (Node)

Entity Attribute

Entity Type

Entity Type Grouping

Effective and System Permissions

Tags

Query Builder Parameters

Query parameters

NodeSpecCollection

NodeSpec

NodeTypeGroupingConstraint

ConditionExpression

Tags

No relation

Avoids intermediate node types

Query type

Permissions

RawPermissionCollection

EffectivePermissionCollection

RelatesToExp

RelatesToExp Evaluation

RelatesToExp Field Specifications

AndOperatorType

RelatesToSpec

RiskSuppressedConstraintsCollection

Query Builder Results

Sample Response: Get Nodes

Sample Response: Get Result

List saved queries

Save a query

Get a saved query

Update a query

Delete a query

Get query node destinations

Get query nodes

Get query result

Get query spec node destinations

Get query spec nodes

Get query spec results

Private APIs

Overview

Available APIs

Common Use Cases

Limitations

Related Documentation

Get Access Relationship

Overview

Use cases and features

Limitations

Get Access Relationship

Request Parameters

Result Ordering

Special Considerations

Response Structure

NodeAccessChange Structure

ResourceAccessChange Structure

Usage Examples

Example 1: Using Resource Permissions (Recommended)

Example 2: Using Resource ID and Permissions

Response

Related APIs

Role Existence

Overview

Use cases and features

Limitations

Role Existence API

Request Parameters

ResourcePermissions Structure

Protocol Definition