Reports overview

Browse to Access Intelligence > _Reports > All Reports to view all reports. For any query in a report, you can

• See the percent change, current result, or trend chart.

• View the underlying query details and conditions.

• Each query indicates the current result value. Click the % Change to view a trend chart.

• Hide zero value results will conceal assessment queries where the value column is 0 (no current results).

• To view all results in Query Builder or edit the saved query, click the Query name or value.

• To refresh the query from the most recent graph data, click Run Query under the actions dropdown menu. All results automatically refresh daily.

Reports landing page

The main Access Intelligence > Reports page allows you to organize and rank reports intended for regular review. Expand a category to view the reports within it, and click a report's name to open it. You can create additional categories, and add or remove built-in or custom reports:

• Search for specific reports, labels, or integration types by applying filters.

• Click + Add Category to create a grouping and Add or Create reports within it.

• Reports added to the Dashboard Reports category are shown on the main dashboard.

Drag an item to arrange the report categories. You can also hide or re-categorize several reports at one time with a multi-selection.

Reports library

Report filters

To make reports containing many different queries more digestible, you can temporarily filter the information to show and export.

• To show queries by keyword such as "MFA," "Service Account," or "Bucket", start typing into the Find queries by name field at the top of the report.

• Changing the Time Range updates the minimum and maximum values to show values for that period.

• Clicking a cloud provider icon within a report subcategory will show only queries for that provider (such as Okta or Azure AD).

• To only show results for a subset of Azure tenants or AWS accounts, use the Select one or more accounts dropdown. This can be useful for focusing on a specific account of interest among several similar provider integrations.

Exporting reports

To export a report to CSV or PDF, click Export and select an option. The data export will include columns for Name, Value, Min_Range, Max_Range, and Time_Range, for the currently-filtered set of queries.

Creating reports

1. Browse to Access Intelligence > Reports.

2. Click + Create Report.

3. Give the report a Name and Description.

4. Choose a Report Type:

   • Dynamic: These reports automatically include all queries with the chosen labels and integrations, and will dynamically update when queries receive those tags or integrations. Queries and sections cannot be manually added or removed.

   • Query Based: Customize report sections and pick from any saved queries. You can add or remove queries and change report sections after creating the report.

5. Pick a visibility setting. Private reports are only visible to their owners. Setting a report to Public publishes it for other Veza users.

6. To enable the report as a dashboard, use the Collections dropdown to add the report to the "Dashboard Reports" collection.

7. Use the Queries tab to construct the report:

   • For dynamic reports, choose the labels and integrations to include in the report.

   • For query-based reports, click New Section to add as many sections as you need. Search for queries to add by clicking the Add Queries icon within each section.

Editing reports

To edit a report, open the report from the dashboard or Reports library, and click Edit Report.

You can use edit mode to:

• Add or remove queries.

• Add or remove or rename sections.

• Change the report name or description.

• Change a private report to public visibility.

Click Save to close the builder and see the changes.

Add or remove queries from reports

To add an item to the report, change to Edit mode and click the Add Queries button. Filter or search to find the queries you want to add. Click on one or more, and Save the changes.

To remove a query from a report, click Edit Report.

• Click the trash can icon in the query actions to remove that query from the report.

• Deleting a query only removes it from the report. You can still add the query to other reports, and find it listed under Saved Queries.

• To delete a report, open it and click the trash can icon, or use the Reports Library to manage many reports at one time.

Report owners and visibility settings

When creating a report, users must set the visibility to public or private (default). Changing a report to public is permanent. The Reports Library shows all built-in and custom reports and privacy settings.

• To modify report owners, edit a report and choose Edit Owners.

• Only the report owners can view or edit private reports.

• Users are the owners of any queries and report they create.

• Users with the admin role are the default owners of out-of-the-box queries and reports.

To navigate the Access Intelligence Overview page:

1. Use the Platform dropdown menu to choose an integration type. The overview will show all the discovered entities from integrations of that type (e.g., across all AWS account integrations).

2. Click on any entity to open a search in Query Builder, where you can review individual entities and their attributes.

You can also export the current display for stakeholders who don't have a Veza account or share a direct link:

• Export: Download a PDF containing the summary of risks, entity types, and their total counts.

• Share: Copy a secure link to the clipboard. Another user can open the URL and sign in to open the current filtered view.

Early Access: Veza Analyze queries are currently available as an optional feature. Contact the Veza support team to learn more and to enable for your Veza tenant.

You can investigate users, groups, and role assignments from the Access Intelligence > Analyze page. This feature offers a simple interface to review a variety of authorization relationships for an individual entity.

For comparing access permissions between entities, see the Compare feature. For identifying toxic access combinations and Separation of Duties violations, see the dedicated Separation of Duties (SoD) feature.

For example, Analyze page offers a way to:

• show all users that can assume a Snowflake role.

• find all users or other groups that belong to an Active Directory group.

• find all groups or roles that an AWS IAM user can assume or is assigned.

After running an analyze, you can review the results immediately or open the search in Query Builder to add parameters and assign rules and risk levels.

Analyzing a user, group, or role

1. Click User Analyze, Group Analyze, or Role Analyze.

2. Use the Type dropdown to choose the user, group, or role by provider (such as "Salesforce User").

3. Select an individual entity from the second dropdown.

4. Pick the Analyze query to run on the chosen entity.

If results are available, they will appear in the table of records.

• Click Columns to show or hide any group, role, or user properties

• Click Open in Query Builder to open a search in Query Builder, with an attribute filter on the entity name.

Analyze queries

The possible analyze options depend on whether you have chosen a user, group, role, and the entity's provider integration. The following actions are available based on the specified entity category:

• User

  • All Groups the User is in

  • All Roles the User can assume

• Group

  • All Users that are in the Group

  • All Roles the Group can assume

• Role

  • All Users that can assume the Role

  • All Roles that can assume the Role

In Veza, an NHI secret is a piece of private data that grants access to resources, systems, and services. Non-human identities (like applications, functions, and other workloads) use secrets to authenticate and establish their permissions. Secrets typically have a fixed lifespan and are used at scale for programmatic access, with examples including:

• Database connection strings and passwords

• API keys for service-to-service communication

• Service account credentials providing access to cloud resources

• Cloud provider access keys that authorize infrastructure changes

• SSH and TLS private keys for system access

• Infrastructure automation tokens

• Webhook signing secrets

Veza discovers and provides metadata about secrets across your cloud and application environments, enabling comprehensive visibility into security and compliance posture, including which non-human identities can access secrets, and how they are protected.

Supported Secrets

Secrets are represented in the Veza Graph as distinct entity types. When creating queries, you can select individual entity types or use top-level groupings to search for all entities of that category. For example, searching for Keys will include both AWS KMS Customer Master Keys and Azure Key Vault Keys in the results.

Secrets

Application-level secrets including credentials and sensitive configuration:

• AWS Secrets Manager Secrets

• Azure Key Vault Secrets

• HashiCorp Vault Secrets Engine Resources

Keys

Cryptographic keys used for data encryption:

• AWS KMS Customer Master Keys

• Azure Key Vault Keys

• Google Cloud KMS Keys

Access Credentials

Long-lived authentication tokens and certificates:

• Azure Key Vault Certificates

• GitHub Personal Access Tokens

Dashboards in Veza offer visibility into your organization's authorization landscape across cloud providers, identity systems, and data stores. Combining pre-built intelligence with customizable insights, dashboards enable teams to identify risks, track access patterns, and enforce least privilege principles.

The primary Dashboards page provides a central hub for monitoring and analyzing authorization insights. Each dashboard features curated tiles to surface critical findings driven by Veza's graph search. Each tile includes options to review trends, analyze results, and create rules.

Veza provides built-in dashboards for a range of identity security use cases, including reports for dormant entities, non-human identities, privileged access by roles, and many more. The main Access Analytics Summary highlights top risks, rules, and recent alerts for your integrations. Teams can edit saved queries and reports to customize and extend these featured dashboards.

Dashboard Insights

Each dashboard tile represents a single insight, supporting trend visualization, historical comparison, drill-down, and integration with Query Builder and Graph.

• Risk level (low, medium, high, or critical)

• Current value and trend indicator

• Change over the chosen time period (percentage and total value)

• Historical trend graph for the time period

Click the menu (⋮) on any tile to access quick actions:

• Expand: View and export detailed trend data and analysis

• Analyze: Visualize the underlying data for the saved query

• Share This Tile: Copy a link to share findings with team members

• Open in Query Builder: View and customize the underlying query

• Open in Graph: Visualize relationships in Authorization Graph

• Alert on Change: Configure notifications for changes

• Create Rule: Set thresholds for critical changes and configure appropriate notification channels and Veza Actions

• Schedule Export: Automate data exports and reporting

Navigating the Built-in Dashboards

Use the left panel to access and manage dashboards, and customize their order for quick access to the most relevant insights.

• Click to open built-in dashboards organized by category

• Search for specific dashboards using the search bar

• Add, hide, or reorder dashboards using the edit mode

Time Range Controls and Filters

Use the time range controls to analyze trends across different periods:

• Past Hour

• Past Day

• Past 7 Days

• Past 30 Days

• Past 90 Days

• Past 6 Months

• Past Year

For 6 months and 1-year views, charts represent weekly values instead of daily values. The value shown is for the last day of a week. For example, the week of 11/19-11/25 appears on the X-axis as 11/19, and the value is the query result on 11/25.

To toggle the insights displayed, use the visibility options:

• Integration Filtering: Focus on specific platforms or accounts

• Risk Level Filtering: Prioritize insights by criticality

• Zero Result Hiding: Remove tiles with no findings

Access dashboard-level controls in the top right:

• Share: Generate shareable dashboard links

• Export: Download dashboard data

• Edit: Customize dashboard content and layout

• Clone: Create a copy for customization

• Delete: Remove dashboard

Building a Foundation

Veza offers out-of-the-box dashboards for monitoring critical access patterns, tracking changes over time, and generating and sharing insights. Built-in dashboards are available to help manage:

• Identity and Privilege Access Insights

• Dormant Entities

• Snowflake Activity Monitoring

• Salesforce Misconfigurations

• GitHub Misconfigurations

• Cloud IAM Insights

• Snowflake Insights

• Databricks Insights

• Redshift Insights

• BigQuery Insights

• Data Insights

• Top Insights

• Privileged Account Dashboard

• Privileged Access by Deactivated Accounts

• Accounts that can Bypass MFA

• Privileged Access by Accounts

• Privileged Access by Roles

• Privileged Access by External Accounts

• Privileged Access by Machine Identities and Service Accounts

• Snowflake Data Governance Dashboard

• Salesforce Security Dashboard

• Google Drive

• SaaS Security Posture Management (SSPM)

• NHI Insights

• AWS IAM Insights

• Google Cloud IAM Insights

• Okta Insights

• Active Directory and Azure AD Insights

• Identity Protection Risks

• NHI Access Tracker

• Snowflake Role Mining Insights

• AWS Role Mining Insights

Based on the data sources integrated with Veza, you can use dashboards to immediately start identifying top risks, and analyzing and acting on the most important findings.

Activating Access Intelligence

Review and customize dashboard insights for key systems (AWS IAM, Snowflake, etc.). During this phase, work with stakeholders to:

You can then expand usage to include:

Customizing Dashboards

You can create reports containing both built-in and custom saved queries. You can then add these reports to your dashboard to focus on the data points most important to you. You can then share these reports with your team to provide fine-tuned visibility into the risks and trends.

1. Open the saved query details view or edit in Query Builder

2. Open the Add To Report (Optional) tab

Veza's query-driven insights enable organizations to observe, track, and remediate authorization risks using the power of the Authorization Graph. See following sections and related topics to learn more about Reports, Rules and Alerts, Risks, and Analyze.

Getting started

You can quickly get started with Veza Insights by exploring the Dashboard, and clicking Open in Reports to view the associated Queries in detail.

6. Repeat the process for other Saved Queries.

Reports

Opening a report shows a summary of current results, with the option to view trends, investigate entities and relationships in Graph, or open and change the original search in Query Builder.

Reports can be Veza-built or user-created, and set to private or public visibility. Owners can make customizations by opening a report and clicking Edit.

Dashboards

Rules and alerts

• Rules can trigger when the total number of results change

• Rules can also trigger when there are changes in properties for entities in the query results.

• Rules can trigger an alert in the form of a service desk ticket, an email, or a custom webhook.

Risks

You can track least privilege violations, anomalies, and non-standard configurations by marking a Saved Query as a risk and setting a risk level. You can write your own queries to define potential exploits and access control risks, or use out-of-the-box saved queries.

Analyze and Compare

The Analyze page provides utility search interfaces for specific tasks like reviewing Group and Role assignments. For example, you can find all users belonging to a group, all users that can assume a role, or review all group/role access for a single user.

The Compare feature allows security and identity teams to perform side-by-side comparative analysis of permissions between users or between roles. This functionality helps identify access differences, potential privilege violations, and supports access governance initiatives. See Compare for more details.

Compare offers two main functionalities:

1. User Comparison - Compare two users of the same type

2. Role Comparison - Compare two roles of the same type

Comparison is most useful after you have created baseline profiles (such as an engineering_profile Okta User or a standardized AWS IAM Role) with the appropriate level of access. You can then compare other users or roles to the baseline to see how group and resource access varies from the established norm.

Veza users can now schedule a periodic export (daily, weekly, etc.) of query results delivered via a secure link in email. When configured, recipients receive a secure link in email which they can download only if they have permission to view the query’s results in Veza.

When clicking a link to download a scheduled export, users are redirected to the Veza login page for Single Sign On (SSO), and the results are downloaded in CSV format. This enables Veza users to share sensitive query results data with other stakeholders while ensuring query data from Veza is protected.

Link Expiration

• Download links expire after 28 days from the export date. This is a security measure to protect customer data. Expired links cannot be reactivated. If you need to keep the links active beyond 28 days, please contact the Veza support team.

Granting Download Access

Recipients must have appropriate Veza permissions to download the data. Users must have one of these roles: Admin, Operator, or Viewer. User permissions are checked at download time, and users without sufficient permissions will be unable to download the results.

1. Users must have one of these Veza roles:

   • Admin

   • Operator

   • Viewer

2. For users with other roles (e.g., Reviewer):

   • Assign them the Viewer role in addition to their current role

   • This grants them access to view and download query results

   • Note: This also gives them access to other queries and dashboards

   • Contact Veza Support if you need more granular permissions

How scheduled exports work:

1. Click on “Schedule Export” on the kebab menu on a query’s details page or query builder page:
2. Select the CSV Via Secure Link in Email option in the next window:
3. Configure the schedule and recipient email address

4. At the scheduled intervals, recipients will receive an email containing basic usage instructions and:

   • A secure link to download the query results

   • The query name and execution timestamp

Scheduling Saved Query Exports

• From the Query Details view (Query Actions > Schedule Export)

• Choose a query on the Separation of Duties overview and choose Schedule Export from the row actions.

To configure the exports from the Save Query page:

1. On the Scheduled Exports tab, click CSV via Secure Link in Email

2. Choose a single email recipient

3. Choose an export time (UTC)

4. Choose the days of the week for the export to run

5. (Optional) Configure additional settings for the export:

   • Include all source tags in results: Add a column for Veza Tags or provider-native tags on source entities.

   • Include all destination tags in results: Add a column for tags on destination entities.

   • Show {Destination Entity} properties: Add columns for attributes on the destination entity type.

   • Show Summary Entities: Add a column for a summary of entities between the source and destination nodes (if specified in the original query).

Use the Queries > Exports tab page to review all queries that have been exported or are scheduled for export. The status column indicates whether the results were exported successfully. Use the actions menu to:

• Edit scheduling settings

• Rerun an export

• Cancel an in-progress export

Risk scoring in Veza helps you identify and prioritize critical authorization issues across your cloud environments, enabling security and governance teams to focus their efforts for maximum impact. By assigning risk levels to queries that detect potentially dangerous access patterns, misconfigurations, or compliance violations, you can:

• Triage identity and access issues at scale

• Prioritize remediation efforts based on risk severity

• Add risk context to access review decisions

• Track risk metrics and trends over time

• Enable risk-based alerting and automation

Use the Access Intelligence > Access Risks page to get an overview of all queries with risk levels and details about each entity flagged as a risk.

Risk Remediation and Details

Risks can have informational descriptions and remediation details that help teams understand and address security issues. Many out-of-the-box queries have these built-in, but you can add them for any risk by editing the saved query.

To view risk remediation and details:

1. Hover over a query to show the "expand" icon

2. Click the icon to open the sidebar

3. Review the notes on the Risk Info and Details tabs

4. Click Details to open the saved query details view

To add risk details and remediations:

1. Open the Saved Query Details

2. Click Edit to open in Query Builder

3. Click Save

4. On the Details tab, enter the details in the Risk Explanation and Risk Remediation sections. You can use markdown syntax to format the text.

5. Click Save.

How Risk Scoring Works

Risk scores in Veza are calculated based on how many queries with risk levels an entity appears in the results of. The scoring system considers both:

• The severity of risks (Critical, High, Medium, Low)

• The total number of risks affecting an entity

Risk Score Calculation

Veza assigns a base score derived from the highest risk level an entity has, then increments the score based on additional risks:

For example: An identity with 1 critical risk, 2 medium risks, and 1 low risk would have a score of 99:

• 90 (base score for critical)

• +4 (1 critical risk)

• +4 (2 medium risks at +2 each)

• +1 (1 low risk)

Working with Risks

Define Risks from Queries

1. Create a query in Access Intelligence > Query Builder or open an existing saved query

2. When saving the query, set the Risk Level to Warning or Critical

3. Click Save to apply the risk level

You can also set risk levels for existing queries:

1. Go to Access Intelligence > Saved Queries

2. Filter by "Risk Level: None" to find queries without a risk level

3. Click the Actions dropdown for a query and select Set Risk Level

View and Manage Risks

After creating queries with risk levels, you can investigate results from the Access Intelligence > Access Risks overview:

1. Use the Risk Queries tab to:

   • Review all queries with risk levels

   • Expand a query to view entity details

   • Filter by label, risk level, and integration.

   • Sort by time, name, risk level, total risks, or percent change

   • View trending changes over the selected time period

   • Open the actions (⋮) menu on the right of each query to:

     • Manage Exceptions: Select entities to add or remove as exceptions

     • Manage Risk Level: Set a new risk level for the query

     • Open in Graph: Analyze entities and relationships in graph search

     • Open in Query Builder: View results and detailed attributes in Query Builder

     • Expand Risk Chart: Open the full trend chart, with the option to select a time range and save the image

2. Use the Risks tab to:

   • View all individual entities currently flagged as risks

   • Filter and sort by risk level

   • Manage exceptions for individual risks

   • Export risk data for reporting

   • Use the actions (⋮) menu on the right to:

     • Open the risk in graph or query builder

     • Mark the risk as an exception

     • Add an owner for the risk

     • Add a note.

Making Exceptions

When an entity appears in query results with a risk level, it remains flagged as a risk until either:

• The entity no longer matches the query conditions

• The entity is marked as an exception

To manage exceptions:

1. On the Risk Queries tab:

   • Choose a query and click Actions > Manage Exceptions

   • Or select individual entities and click Mark as Exception

2. Add an optional note explaining why the exception was made

3. Click Confirm to save the exception

You can also add filters to the original query to automatically exclude entities matching certain criteria.

Using Risk Scores in Access Reviews

Risk scores can provide important context during access reviews:

1. Create review configurations targeting high-risk entities:

   • Use saved queries with risk levels to scope the review

   • Condider higher review frequencies for high-risk access

2. During review, risk scores are visible to reviewers:

   • High scores may indicate access should be rejected

   • Reviewers can click risk indicators to view details

   • Notes can document risk-based decisions

Enable Risk-Based Alerting

1. The number of entities with risks increases beyond a threshold

2. New Critical or High risks are detected

3. Risk scores change significantly

You can configure rules to trigger:

• Email notifications

• Slack messages

• Jira tickets

• ServiceNow incidents

• Custom webhooks

• On-demand Access Reviews

Recommendations

• Start with built-in queries that detect common risks like over-privileged access and misconfigurations

• Create custom queries for risks specific to your environment and security policies

• Use risk scores to prioritize access review scheduling and remediation efforts

• Document exceptions with notes to maintain an audit trail

• Monitor risk trends over time to measure security program effectiveness

• Enable alerts for critical risks that require immediate attention

Veza automatically applies classification logic to the identities it discovers and assigns an Identity Type, indicating if the entity represents a human user or an NHI entity.

Dashboards and out-of-the-box queries are available to help monitor and manage both human and non-human entities across cloud and enterprise systems. These queries can power a range of Veza features such as Access Reviews, Rules, and Veza Actions.

This document includes a list of supported identity types and an overview of built-in and user-defined rules for NHI classification.

Non-Human Identities

These entities are assigned the “non-human” identity type:

• Active Directory: Computer

• Active Directory: Managed Service Account

• AWS EMR: Cluster

• AWS: Service Principal

• AWS IAM: Identity Provider

• AWS EC2: Instance

• AWS Lambda: Function

• AWS EKS: Cluster

• Azure AD: Enterprise Application

• Azure: Virtual Machine

• Azure AKS: Managed Cluster

• Databricks: Service Principal

• Databricks: Account Service Principal

• Dynamics 365: Application User

• Google Cloud: Service Account

• Google Cloud Compute: Virtual Machine

• Google Cloud Run: Service Instance

• Google Kubernetes Engine: Cluster

• GitHub: Deploy Key

• GitHub: App

• Kubernetes: Service Account

Human Identities

These entities have the “human” identity type by default:

• AWS SSO: User

• Azure AD: User

• Azure: Classic Administrator

• Bitbucket: User

• Box: User

• Custom HRIS (Open Authorization API): Employee

• Databricks: User

• Databricks: Account User

• Google Workspace: User

• GitHub: Personal Account

• Kubernetes: User

• MongoDB Atlas: User

• OneLogin: User

• Oracle Cloud IAM: User

• Oracle DB: User

• PingOne: User

• SAP ECC: User

• SharePoint: User

• SQL Server: Login

• Veza: User

• Workday: Worker

Entities That Can Be Human or Non-Human

The following entities can be marked “human” or “non-human” depending on Veza rules for identifying NHIs:

• Active Directory: User (Built-in Rule)

• AWS Redshift: User

• AWS RDS Postgres: User

• AWS RDS MySQL: User

• AWS RDS MySQL: User Instance

• AWS: IAM User (Built-in Rule)

• Open Authorization API: Custom User

• Open Authorization API: Custom IDP User

• Open Authorization API: Custom Principal User

• Microsoft Dynamics 365: User (Built-in Rule)

• AWS ElasticSearch: User

• Google Cloud SQL: User (Built-in Rule)

• Hashicorp Vault: Alias (Built-in Rule)

• Hashicorp Vault: Entity (Built-in Rule)

• Mongo DB User

• Mongo DB Atlas Database User

• Okta User (Built-in Rule)

• PostgreSQL User

• Salesforce User

• ServiceNow User (Built-in Rule)

• Snowflake User (Built-in Rule)

• SQL Server Database User

• Trino User

• Workday Account (Built-in Rule)

Veza has internal rules to assign some of these identity types as non-human. See the following section for rule details.

For some integrations, there is no consistent method to automatically detect non-human identities. In Veza, these are shown as “human” by default. This behavior can be changed to label certain identities based on tags, naming patterns, groups, or other conventions employed by your organization.

Determining Human vs. Non-Human Identities

Veza uses the following rules to distinguish between human and non-human accounts in supported integrations:

Non-Human Identity (NHI) Enrichment Rules

Veza provides Non-Human Identity (NHI) Enrichment Rules to automate NHI labeling based on specific conditions. For example, you might assign users as non-human when their email contains “service-account-%”, “svc-%”, or is missing.

Administrators can add rules on the Integrations > Enrichment page:

1. Save a Query: In Query Builder, save a query that identifies the entities to mark as non-human. For example, you could query for SAP ECC Users where the Email or Name contains the text “system-”.

2. Enable Enrichment Rules: Configure the saved query as an enrichment rule. When extracting metadata, Veza will update the Identity Type attribute for any entities that match the query conditions.

Overview

Veza's rules engine enables active monitoring of authorization changes within your environment. Rules and Alerts offer ways to establish security baselines based on any custom or built-in assessment query, and trigger notifications and Veza Actions when changes occur. For example, you might use Veza rules to:

• Identity new or removed accounts with superuser permissions on sensitive resources

• Get notifications for storage buckets with incorrect configurations

• Watch for changes to roles, IAM policies, or any other entity Veza has discovered.

When a rule is configured for a saved query, actions will trigger when the query results meet the conditions established by the rule. The baseline query, thresholds, and notification settings for these alert events are set when creating the rule. You can create your own queries to define the rule scope, or choose from built-in assessment queries. Alert notifications can use a webhook, email, or an external integration.

Possible rule and query combinations include:

• When your environment includes one or more Azure AD groups with no users

• When a new AWS IAM policy granting access to * resources is detected

• When the number of federated Okta users with AWS DynamoDB access changes

• When there are fewer than 2 principles with permissions for critical administrative tasks (in case one becomes unavailable)

Use the actions dropdown menu to create or edit rules for any assessment in a report. You can create and manage rules when saving a query.

Alert firing logic: Veza's alert system prevents excessive notifications. Once an alert is triggered by a specific condition—such as the result count exceeding 5—it will not re-trigger for the same condition until the metric falls back to or below 5 and then rises above it again.

Add a rule to a query

To create a rule for a saved query, go to Access Search > Saved Queries. You can also create rule directly from the Query Builder or any dashboard.

To add a rule for a saved query:

1. On the Saved Queries page, filter or search to find a built-in or user-created query. Click Manage Rules from the actions menu to edit rules for the query.
2. Click Add a new rule to open the rule builder:
3. Give the rule a name and description, and set the severity level.

   You can configure escalating levels of rules to trigger different actions based on the severity level: High, Medium, or Low.
4. Configure rule conditions:

   Choose to trigger the rule based on the number of Query Results, or changes in Query Properties:

   • Query Results: Choose an operator (equals, less than, more than, changed by, changed by more than, increased by more than) and count to trigger the rule.

   • Query Properties: Choose an attribute that will trigger the rule if it changes.

5. Configure rule actions (optional):

   Check the box to deliver the alert via the selected Veza Action: email, webhook, ServiceNow, or Jira. The alert will include details about the query result that triggered the rule for remediation purposes.

   If you have not configured a supported Veza Action, click Create Veza Action to open the builder in a new tab. To enable Webhooks and other destinations, see Veza Actions.

6. Click Save to close the rule builder.

7. On the Save Query flow, add additional rules as desired.

8. Click Save Query to save your changes.

Once saved and enabled, the rule will appear active on the Rules tab of the Access Intelligence > Rules & Alerts page.

Delivering notifications with alert actions

• The query and results that triggered the rule

• The previous query results

• The entities that changed between the two updates

Supported targets for alerts are:

Viewing alerts

Veza notifications are always enabled for active rules. A notification icon with the number of any new alerts is shown on the Veza navigation menu, with more details available on the Access Intelligence > Rules and Alerts page. The list can be sorted by date or severity.

• Each row on the Rules tab represents a Query with a rule attached, with the option to view query details, edit the rule, or delete the rule.

• The Alert Details tab shows individual alert events for each time the rule has been triggered, including the trigger condition and description.

Overview

The Access Intelligence > Compare feature enables side-by-side analysis of access and attributes between users or roles.

Often, environments will contain identical or very similar users, roles and other entities (such as dozens of AWS accounts with identically named roles like admin_terraform). When one of these is well-maintained, you can compare it with others and make adjustments to align with all the ideal example. Compare makes this easier.

In addition, comparison can help security teams identify access and attribute differences to support access governance initiatives in the following ways:

• Identify excessive access by comparing users/roles with ideal user/role

• Identify missing access by comparison

• Identify key identifying attributes that helps one differentiate between two users/roles clearly

• Identify incorrect attributes for users/roles by comparing with others

Compare supports two entity types for comparison, and different ways to examine entities:

1. Users - Compare two users of the same type

2. Roles - Compare two roles of the same type

3. Properties - Compare attributes and metadata such as creation dates, IDs, and configuration settings

4. Relationships - Compare access relationships, such as which resources an identity can access

Best Practices

Comparison is most useful after you have created baseline profiles (such as an engineering_profile Okta User or AWS IAM Role) with the appropriate level of access. You can then compare other users or roles to the baseline to see how properties and access vary from the established norm.

To effectively leverage the Compare feature in your security program, organizations should:

• Establish standardized baseline profiles for each job function and role type

• Conduct regular, scheduled audits comparing production users and roles against baselines

• Document intentional deviations when discovered and approved

User Comparison

User comparison provides insights for teams managing user access across systems. You can use it to verify the effectiveness of role-based access control by comparing users with similar roles:

• Validate onboarding by comparing new users against established templates

• Detect privilege creep where users have accumulated excessive permissions

• Support offboarding processes by comparing departing employees with their replacements

Role Comparison

Role comparison can enable standardization for similar roles, and reduce security gaps and confusion in environments with many roles:

• Identify and consolidate redundant roles for reduced complexity

• Identify drift when similar roles have gained or lost permissions over time

• Validate role designs by confirming roles have the appropriate access for their intended function (neither too permissive nor too restrictive)

• Focus specifically on role differences rather than reviewing all permissions from scratch

Using the Compare Feature

1. From the main Veza navigation, go to the Access Intelligence > Compare section

2. Select either the User Comparison or Role Comparison tab

3. Configure the comparison:

   • Select the Type (e.g., AWS IAM Role, Okta User, Azure AD User)

   • Select Entity 1 (typically your baseline entity)

   • Select Entity 2 (the entity you want to compare)

   • Choose the Type of Comparison

     • Property - Compare the properties of the two entities (such as creation date, ID fields, etc.)

     • Relationship - Compare the relationships between entities (such as access to resources)

   • For Relationship comparison, use the Relates To filter to choose a related entity type (e.g., S3 Bucket).

4. Click Run to generate the comparison

The result output changes based on the comparison type:

Property Comparison

Property comparison shows differences in the attributes of two users or roles. The table of results includes information about:

• Access Matching - Whether the property values match between the two entities

  • "Complete Match" - The property value is identical for both entities

  • "No Match" - The property values differ between entities

• Both Have Property - Shows values common to both entities

• User/Role 1 Only - Shows values specific to the first entity

• User/Role 2 Only - Shows values unique to the second entity

Relationship Comparison

Relationship comparison shows the access relationships between entities. When comparing roles, you can see the resources to which each role has an access-granting relationship. When comparing users, you can review the resources that two users can access.

For relationship comparison, the results display:

• Visual indicators (checkmarks and X marks) showing which entities have access

• Matching status (Complete Match, No Match), indicating whether access is the same or different

• Filtering options to focus on specific resources or access patterns

Queries typically specify source and destination entity types, such as Okta Users related to AWS S3 Buckets or Google Users related to Google Groups, returning all entities with that relationship. Higher-level Entity Type Groupings, such as All Users or All Resources, enable search across multiple entity types simultaneously, or within specific types within a group. For example, the User entity type grouping includes all entities that Veza categorizes as a user, such as Okta Users, Snowflake Local Users, and AWS IAM Users.

Entity metadata attributes are the rich properties associated with each node in the graph. You can use filters to refine search results based on these attributes, which can potentially include custom properties if the integration supports them. Some attributes may be added by Veza during parsing (such as risk_score, identity_type, or full_admin), while most are ingested directly from the integration data source (such as mfa_enabled for users or is_encrypted for S3 Buckets).