All pages
Powered by GitBook
1 of 5

Loading...

Loading...

Loading...

Loading...

Loading...

Private APIs

Documentation for Veza's private APIs for advanced access assessments

Overview

This section contains documentation for APIs in the private/ namespace for advanced access assessment capabilities. These APIs currently support advanced role analysis, entitlement comparisons, and access management for Snowflake environments.

Available APIs

API
Description

Identifies grantees (such as roles) that provide specific access permissions to a given identity for a set of resources

These APIs enable several identity security use cases:

  1. Role Rationalization: Identify and consolidate redundant roles to simplify access management

  2. Least Privilege Implementation: Find roles that provide necessary access with minimal excess permissions

  3. Access Governance: Maintain a minimal set of roles by identifying functionally equivalent roles

  • These features are currently limited to the .

  • Some APIs may have performance limitations with highly connected identities or complex permission structures.

Access Pattern Analysis: Discover common access patterns among users in the same organizational unit
  • Privileged Access Management: Analyze what additional privileges different roles would provide to a user

  • Checks whether a role with specific resource permissions already exists

    Simulates modifications to an existing role's permissions and checks if other roles with the resulting permission set already exist

    Provides insights into role accessibility for users within a specified cost center

    Common Use Cases

    Limitations

    Related Documentation

    Snowflake integration
    Snowflake Integration
    Query APIs
    Get Access Relationship
    Role Existence
    Role Maintenance
    Cohort Role Analysis

    Cohort Role Analysis

    Analyze roles accessible to Snowflake users within a specified cost center.

    Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

    Overview

    The Cohort Role Analysis API provides insights into role accessibility for Snowflake users within a specified cost center. It identifies which roles are accessible to users in that cost center and orders them by least privilege, helping to establish common access patterns and standardize role assignments. The response includes:

    • A list of roles accessible to users in the cost center

    • An indication of whether these roles are accessible to all users or only some users in the cost center

    The API first attempts to find roles that are accessible to all principals (users) in the cost center. If no roles are accessible to all principals, it falls back to returning roles that are accessible by at least one principal, indicated by the accessibility_type field in the response.

    This API can help organizations understand common access patterns within organizational units and can support role standardization efforts:

    1. Role Standardization: Identify common roles used within organizational units

    2. Access Pattern Analysis: Discover shared access patterns among users in the same cost center

    3. Least Privilege Implementation: Find roles that provide necessary access with minimal permissions

    • This feature is currently limited to the .

    • Role analysis is based on cost center information, which must be properly configured in your system.

    The API accepts a request object with the following parameters:

    Parameter
    Type
    Required
    Description

    The API uses the following protocol buffer message definitions:

    The API returns a response object with the following fields:

    Field
    Type
    Description

    The accessibility_type field can have one of the following values:

    Value
    Description

    Note: If no roles are accessible to all principals in the cost center, the API falls back to returning roles accessible by any principal, and the accessibility_type will be set to ANY_PRINCIPAL.

    Request

    Response

    The response indicates these roles are accessible to all users in the cost center:

    Request

    Response

    The response indicates no roles are accessible to all users, but these roles are accessible to at least one user in the cost center:

    Onboarding Planning: Determine appropriate roles for new hires based on their cost center

    No

    The maximum number of roles to return (defaults to 5 if not specified)

    cost_center

    string

    Yes

    The identifier for the cost center whose roles should be analyzed

    limit

    message CohortRoleAnalysisRequest {
      string cost_center = 1;
      uint32 limit = 2;
    }
    
    enum GranteeAccessibility {
      ALL_PRINCIPALS = 0; // Grantees accessible from all principals
      ANY_PRINCIPAL = 1;  // Grantees accessible from at least one principal
    }
    
    message CohortRoleAnalysisResponse {
      repeated string grantee_ids = 1;
      GranteeAccessibility accessibility_type = 2;
    }

    grantee_ids

    string[]

    A list of role IDs that are accessible to users in the specified cost center

    accessibility_type

    GranteeAccessibility

    Indicates whether roles were accessible to all principals or any principal

    ALL_PRINCIPALS

    Roles accessible from all principals in the cost center

    ANY_PRINCIPAL

    Roles accessible from at least one principal in the cost center

    {
      "cost_center": "CC-SALES",
      "limit": 5
    }
    {
      "grantee_ids": [
        "example-snowflake.com/role/WORKSPACE_LOGS_ROLE",
        "example-snowflake.com/role/DATA_LINEAGE_READONLY_ROLE",
        "example-snowflake.com/role/WAREHOUSE_USER_ROLE"
      ],
      "accessibility_type": "ALL_PRINCIPALS"
    }
    {
      "cost_center": "CC-MARKETING"
    }
    {
      "grantee_ids": [
        "example-snowflake.com/role/MARKETING_PARTNER_READONLY_ROLE",
        "example-snowflake.com/role/MARKETING_ENTERPRISE_READONLY_ROLE",
        "example-snowflake.com/role/WORKSPACE_LOGS_ROLE",
        "example-snowflake.com/role/MARKETING_PRODUCT_READONLY_ROLE",
        "example-snowflake.com/role/MARKETING_UTILS_READONLY_ROLE"
      ],
      "accessibility_type": "ANY_PRINCIPAL"
    }

    Use cases and features

    Limitations

    Cohort Role Analysis API

    Request Parameters

    Protocol Definition

    Proto Message Definitions

    Response Structure

    Accessibility Types

    Usage Example

    Example 1: Roles Accessible to All Principals

    Example 2: Roles Accessible to Any Principal

    Related APIs

    Snowflake integration
    Get Access Relationship API
    Role Existence API
    Role Maintenance API

    uint32

    post
    Authorizations
    AuthorizationstringRequired

    Veza API key for authentication. Generate keys in Administration > API Keys.

    Body
    cost_centerstringOptional
    limitinteger · uint32Optional
    Responses
    200

    OK

    application/json
    grantee_idsstring[]Optional
    accessibility_typeinteger · enumOptional
    default

    Default error response

    application/json

    The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

    codeinteger · int32Optional

    The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

    messagestringOptional

    A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

    @typestringOptional

    The type of the serialized message.

    Other propertiesanyOptional
    post/api/private/assessments/cohort_role_analysis
    {
      "grantee_ids": [
        "text"
      ],
      "accessibility_type": 1
    }
    POST /api/private/assessments/cohort_role_analysis HTTP/1.1
    Host: your-tenant.vezacloud.com
    Authorization: Bearer YOUR_SECRET_TOKEN
    Content-Type: application/json
    Accept: */*
    Content-Length: 32
    
    {
      "cost_center": "text",
      "limit": 1
    }

    Role Existence

    Check whether a role with specific resource permissions already exists.

    Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

    Overview

    The Role Existence API allows users to check whether a role with specific resource permissions already exists in the system. This API is particularly useful for role management and access governance in Snowflake environments.

    Use cases and features

    This API enables efficient role management by identifying existing roles that already have the permissions you're looking for. Key use cases include:

    1. Role Discovery: Find existing roles that match specific permission requirements

    2. Prevent Role Proliferation: Avoid creating duplicate roles with the same permissions

    3. Permission Auditing: Verify which roles have specific permissions to resources

    4. Role Standardization: Identify standard roles that can be reused for similar access requirements

    • This feature is currently limited to the .

    The API accepts a request object with the following parameters:

    Parameter
    Type
    Required
    Description

    Each ResourcePermissions object contains:

    Field
    Type
    Required
    Description

    The API uses the following protocol buffer message definitions:

    The API returns a response object with the following field:

    Field
    Type
    Description

    This example checks if there's an existing role with USAGE permission on a specific Snowflake database:

    The response indicates that a matching role exists:

    You can check for roles that have permissions across multiple resources:

    In this example, the request is checking for roles with specific permissions, but no matching roles are found:

    The response indicates that no matching roles with the specified permission combination exist:

    When you receive an empty response like this, it suggests that a new role might need to be created to satisfy these specific permission requirements, as no existing role has the exact permission set requested.

    Role Maintenance

    Modify role permissions and find matching existing roles.

    Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

    Overview

    The Role Maintenance API allows you to simulate modifications to an existing role's permissions and check if other roles with the resulting permission set already exist. This API is particularly useful for role rationalization and consolidation in Snowflake environments.

    Use cases and features

    This API enables effective role maintenance and governance with several key capabilities:

    1. Role Rationalization: Find existing roles that match a desired permission set after modifications

    2. Role Consolidation: Identify opportunities to consolidate roles by checking for existing roles with similar permissions

    3. Permission Planning: Plan permission changes and identify existing alternatives before implementation

    4. Access Governance: Maintain a minimal set of roles by identifying functionally equivalent roles

    • This feature is currently limited to the .

    The API accepts a request object with the following parameters:

    Parameter
    Type
    Required
    Description

    Each GranteeModification object contains:

    Field
    Type
    Required
    Description

    Note: You can specify either or both of these fields:

    • If only from_resource_permissions is set, those permissions will be removed

    • If only to_resource_permissions is set, those permissions will be added

    • If both are set, the permissions will be updated accordingly

    This flexibility allows you to model different types of permission changes within a single API call. For example, you can simultaneously remove access to one resource while adding access to another, or modify permission levels on the same resource.

    Each ResourcePermissions object contains:

    Field
    Type
    Required
    Description

    The API uses the following protocol buffer message definitions:

    The API returns a response object with the following field:

    Field
    Type
    Description

    This example simulates removing database and schema permissions from one role while adding database permissions to another:

    The response indicates that a role with the resulting permission set exists:

    This example shows adding permissions to a role:

    This example shows removing permissions from a role:

    Yes

    A list of resource permissions to match against existing roles

    Yes

    Veza node ID of the resource (i.e., ID property in graph and query builder)

    raw_permissions

    string[]

    Yes

    A list of permissions to check (e.g., USAGE, SELECT, etc.)

    post
    Authorizations
    AuthorizationstringRequired

    Veza API key for authentication. Generate keys in Administration > API Keys.

    Body
    grantee_typestringOptional
    raw_permissionsstring[]Optional
    node_typestringOptional
    node_idstringOptional
    Responses
    200

    OK

    application/json
    grantee_idsstring[]Optional
    default

    Default error response

    application/json

    The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

    codeinteger · int32Optional

    The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

    messagestringOptional

    A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

    @typestringOptional

    The type of the serialized message.

    Other propertiesanyOptional

    grantee_type

    string

    Yes

    The type of grantee for which the role existence is checked (currently supports only SnowflakeRole)

    resource_permissions

    node_type

    string

    Yes

    The type of resource node (supported types are SnowflakeDatabase, SnowflakeTable, SnowflakeView, and SnowflakeSchema)

    node_id

    message RoleExistsRequest {
      string grantee_type = 1;
      repeated GetRoleMatchingRequest.ResourcePermissions resource_permissions = 2;
    }
    
    message RoleExistsResponse {
      repeated string grantee_ids = 1;
    }

    grantee_ids

    string[]

    A list of existing role IDs that match the given permissions

    {
      "grantee_type": "SnowflakeRole",
      "resource_permissions": [
        {
          "node_type": "SnowflakeDatabase",
          "node_id": "example-snowflake.com/database/SECURITY_DB",
          "raw_permissions": ["USAGE"]
        }
      ]
    }
    {
      "grantee_ids": [
        "example-snowflake.com/role/SECURITY_READER_ROLE"
      ]
    }
    {
      "grantee_type": "SnowflakeRole",
      "resource_permissions": [
        {
          "node_type": "SnowflakeDatabase",
          "node_id": "example-snowflake.com/database/ANALYTICS",
          "raw_permissions": ["USAGE"]
        },
        {
          "node_type": "SnowflakeSchema",
          "node_id": "example-snowflake.com/database/ANALYTICS/schema/PUBLIC",
          "raw_permissions": ["USAGE", "SELECT"]
        }
      ]
    }
    {
      "grantee_ids": [
        "example-snowflake.com/role/ANALYTICS_READER_ROLE",
        "example-snowflake.com/role/REPORTING_USER_ROLE"
      ]
    }
    {
      "grantee_type": "SnowflakeRole",
      "resource_permissions": [
        {
          "node_type": "SnowflakeDatabase",
          "node_id": "snowhouse.snowflakecomputing.com/database/RESEARCH_DATA",
          "raw_permissions": ["OWNERSHIP"]
        },
        {
          "node_type": "SnowflakeSchema",
          "node_id": "snowhouse.snowflakecomputing.com/database/RESEARCH_DATA/schema/EXPERIMENTS",
          "raw_permissions": ["CREATE TABLE", "CREATE VIEW", "MODIFY"]
        }
      ]
    }
    {
      "grantee_ids": []
    }

    Limitations

    Role Existence API

    Request Parameters

    ResourcePermissions Structure

    Protocol Definition

    Proto Message Definitions

    Response Structure

    Usage Example

    Request

    Response

    Example: Multiple Resource Permissions

    Request

    Response

    Example: No Matching Roles

    Request

    Response

    Related APIs

    Snowflake integration
    Get Access Relationship API
    Role Maintenance API
    Cohort Role Analysis API

    ResourcePermissions[]

    string

    Yes

    Veza node ID of the grantee (role) to be modified

    modifications

    GranteeModification[]

    Yes

    A list of resource permission modifications to apply to the role

    No

    Permissions to add to the role

    Yes

    Veza node ID of the resource (ID property in graph and query builder)

    raw_permissions

    string[]

    Yes

    A list of permissions (e.g., USAGE, SELECT, etc.)

    post
    Authorizations
    AuthorizationstringRequired

    Veza API key for authentication. Generate keys in Administration > API Keys.

    Body

    grantee_type

    string

    Yes

    The type of grantee (currently only supports SnowflakeRole)

    grantee_id

    from_resource_permissions

    ResourcePermissions

    No

    Permissions to remove from the role

    to_resource_permissions

    node_type

    string

    Yes

    The type of resource node (supported types are SnowflakeDatabase, SnowflakeTable, SnowflakeView, and SnowflakeSchema)

    node_id

    message RoleMaintenanceRequest {
      string grantee_type = 1;
      string grantee_id = 2;
      repeated GranteeModification modifications = 3;
    }
    
    message GranteeModification {
      GetRoleMatchingRequest.ResourcePermissions from_resource_permissions = 1;
      GetRoleMatchingRequest.ResourcePermissions to_resource_permissions = 2;
    }
    
    message RoleMaintenanceResponse {
      repeated string grantee_ids = 1;
    }

    grantee_ids

    string[]

    A list of existing role IDs that match the permission set after the requested modifications

    {
      "grantee_type": "SnowflakeRole",
      "grantee_id": "example-snowflake.com/role/DATA_INGEST_ROLE",
      "modifications": [
        {
          "from_resource_permissions": {
            "node_type": "SnowflakeDatabase",
            "node_id": "example-snowflake.com/database/ANALYTICS_DB",
            "raw_permissions": ["USAGE"]
          }
        },
        {
          "from_resource_permissions": {
            "node_type": "SnowflakeSchema",
            "node_id": "example-snowflake.com/database/ANALYTICS_DB/schema/RAW_DATA",
            "raw_permissions": ["CREATE FUNCTION", "CREATE PIPE", "CREATE STREAM", "CREATE TABLE", "CREATE TASK", "USAGE"]
          }
        },
        {
          "to_resource_permissions": {
            "node_type": "SnowflakeDatabase",
            "node_id": "example-snowflake.com/database/CLOUD_DB",
            "raw_permissions": ["USAGE"]
          }
        }
      ]
    }
    {
    "grantee_ids": [
        "example-snowflake.com/role/CLOUD_LOGS_READONLY_ROLE"
    ]
    }
    {
      "grantee_type": "SnowflakeRole",
      "grantee_id": "example-snowflake.com/role/ANALYST_BASIC_ROLE",
      "modifications": [
        {
          "to_resource_permissions": {
            "node_type": "SnowflakeSchema",
            "node_id": "example-snowflake.com/database/ANALYTICS/schema/FINANCE",
            "raw_permissions": ["USAGE", "SELECT"]
          }
        }
      ]
    }
    {
      "grantee_ids": [
        "example-snowflake.com/role/FINANCE_VIEWER_ROLE"
      ]
    }
    {
      "grantee_type": "SnowflakeRole",
      "grantee_id": "snowhouse.snowflakecomputing.com/role/DATA_SCIENTIST",
      "modifications": [
        {
          "from_resource_permissions": {
            "node_type": "SnowflakeSchema",
            "node_id": "snowhouse.snowflakecomputing.com/database/SENSITIVE_DATA/schema/PII",
            "raw_permissions": ["SELECT", "INSERT"]
          }
        }
      ]
    }
    {
      "grantee_ids": [
        "snowhouse.snowflakecomputing.com/role/ANALYST_BASIC"
      ]
    }

    Limitations

    Role Maintenance API

    Request Parameters

    GranteeModification Structure

    ResourcePermissions Structure

    Request and Response Protocol

    Proto Message Definitions

    Response Structure

    Usage Example

    Request

    Response

    Example: Adding permissions only

    Request

    Response

    Example: Removing permissions only

    Request

    Response

    Related APIs

    Snowflake integration
    Get Access Relationship API
    Role Existence API
    Cohort Role Analysis API

    string

    ResourcePermissions

    string

    post/api/private/assessments/role_recommendations_role_exists
    POST /api/private/assessments/role_recommendations_role_exists HTTP/1.1
    Host: your-tenant.vezacloud.com
    Authorization: Bearer YOUR_SECRET_TOKEN
    Content-Type: application/json
    Accept: */*
    Content-Length: 113
    
    {
      "grantee_type": "text",
      "resource_permissions": [
        {
          "raw_permissions": [
            "text"
          ],
          "node_type": "text",
          "node_id": "text"
        }
      ]
    }
    grantee_typestringOptional
    grantee_idstringOptional
    raw_permissionsstring[]Optional
    node_typestringOptional
    node_idstringOptional
    raw_permissionsstring[]Optional
    node_typestringOptional
    node_idstringOptional
    Responses
    200

    OK

    application/json
    grantee_idsstring[]Optional
    default

    Default error response

    application/json

    The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

    codeinteger · int32Optional

    The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

    messagestringOptional

    A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

    @typestringOptional

    The type of the serialized message.

    Other propertiesanyOptional
    post/api/private/assessments/role_recommendations_role_maintenance
    POST /api/private/assessments/role_recommendations_role_maintenance HTTP/1.1
    Host: your-tenant.vezacloud.com
    Authorization: Bearer YOUR_SECRET_TOKEN
    Content-Type: application/json
    Accept: */*
    Content-Length: 247
    
    {
      "grantee_type": "text",
      "grantee_id": "text",
      "modifications": [
        {
          "from_resource_permissions": {
            "raw_permissions": [
              "text"
            ],
            "node_type": "text",
            "node_id": "text"
          },
          "to_resource_permissions": {
            "raw_permissions": [
              "text"
            ],
            "node_type": "text",
            "node_id": "text"
          }
        }
      ]
    }
    {
      "grantee_ids": [
        "text"
      ]
    }
    {
      "grantee_ids": [
        "text"
      ]
    }

    Get Access Relationship

    Identify grantees (such as roles) providing specific access permissions to a given identity for a set of resources.

    Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

    Overview

    The GetAccessRelationship API takes an identity (user), a list of resources with permissions, and responds with potential grantees (roles) that can grant these access permissions to the user. The response includes detailed information about the additional access these grantees would provide. This API is particularly designed for role recommendations and permissions analysis in Snowflake environments.

    Use cases and features

    This API returns potential grantees (i.e., Snowflake roles) that can provide specific permissions, with results ordered by the level of "extra access" they provide (access not already available to the user). The response includes comparisons between current access and potential access and supports filtering by grantee type and other criteria.

    1. Role Recommendations: Find the most appropriate roles to grant a user for specific access needs

    2. Privilege Analysis: Analyze what additional privileges different roles would provide to a user

    3. Access Management: Compare different access options before making permission changes

    4. Least Privilege Implementation: Identify roles that provide necessary access with minimal excess permissions

    • This feature is currently limited to the .

    • For highly connected identities (>10,000 accesses or accessible resources), the calculation of "extra access" can be performance-intensive. For a timely response, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources. In such cases, is_identity_highly_connected will be set to true in response.

    The API accepts a GetAccessRelationshipRequest object with the following parameters:

    Parameter
    Type
    Required
    Description

    Important: Either resource_permissions or the combination of (resource_id, resource_type, raw_permissions, effective_permissions) must be provided in the request, but not both.

    The API provides two options for ordering the returned grantees:

    • Default Order (Minimal Access Count): By default, the API returns grantees ordered by their access count, prioritizing roles with fewest total accesses.

    • Least Privileged: When setting "result_order": "LEAST_PRIVILEGED", the API orders grantees by least privilege principle (minimum necessary permissions) and enables several advanced features:

      • No system-defined admin roles will be returned in the results

    • When max_resource_count is reached for an identity, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources.

    • The no_extra_stats parameter improves performance when detailed statistics aren't needed. This parameter will:

      • Skip saved query lookup for grantee IDs

    The API returns a GetAccessRelationshipResponse object with the following fields:

    Field
    Type
    Description

    Note: There are deprecated fields in the response (role_id, resource_type, new_accessible_resource_count) that should not be used. Use the ordered_node_access_changes field instead.

    Each NodeAccessChange object contains:

    Field
    Type
    Description

    Each ResourceAccessChange object contains:

    Field
    Type
    Description

    This example shows how to use the API to find roles that would give a specific Snowflake user access to certain resources using the resource_permissions parameter.

    Request

    This example shows how to use the API with the resource ID and permissions approach.

    This example uses LEAST_PRIVILEGED result ordering. The response will prioritize grantees that provide the minimum necessary permissions to meet the requested access requirements.

    Request

    Yes

    Veza node type for the principal (currently must be SnowflakeUser)

    resource_id

    string

    No

    ID of the resource to analyze

    resource_type

    string

    No

    Type of the resource to analyze (used to calculate impact)

    raw_permissions

    RawPermissionCollection

    No

    Collection of raw permissions to analyze

    effective_permissions

    EffectivePermissionCollection

    No

    Collection of effective permissions to analyze

    grantee_type

    string

    No

    Veza node type for the grantee (currently must be SnowflakeRole)

    grantee_filter

    AssessmentQuerySpecFilter

    No

    Filter to apply on potential grantees

    saved_query_id_for_grantee_ids

    string

    No

    ID of a saved query, source nodes in its result will be used as a filter

    max_grantee_count

    int32

    No

    Maximum number of grantees to return

    resource_types_to_display

    string[]

    No

    Resource types to include in the result (in addition to resource_type above)

    max_resource_count

    int32

    No

    Grantees with access to more resources will be excluded from the results. 0 (unset) uses the default value of 100,000. Setting a higher value will include grantees with more resources.

    no_extra_stats

    boolean

    No

    Show less stats to makes the API respond faster: when True, the response will not contain permission summaries and resource access changes, but the grantee IDs are still returned in the correct order.

    resource_permissions

    ResourcePermissions[]

    No

    Only valid when result order is LEAST_PRIVILEGED. Returned grantees will be able to access all resources with the permissions in resource_permissions.

    result_order

    RoleRecommendationResultOrder

    No

    Ordering method for results (default is by minimal access count)

    direct_grantee_to_resource_only

    boolean

    No

    When true, only return roles with direct access to the input resources

    The resource_permissions parameter can be used, which allows input of multiple resources

    Only include basic resource count information in the response

  • Ignore the saved_query_id_for_grantee_ids parameter

  • Only return old_accessible_resource_count and new_accessible_resource_count for the input resource_type

  • This parameter is not effective when result_order is set to LEAST_PRIVILEGED

  • The resource_permissions parameter is only usable when result_order is set to LEAST_PRIVILEGED

  • result_time

    Timestamp

    Time when the cache was refreshed (if cache was used)

    identity_already_has_all_access

    boolean

    Indicates if the principal already has all the requested access

    name

    string

    The name of the grantee

    resource_access_changes

    ResourceAccessChange[]

    Access changes per resource type

    new_accessible_resource_count

    int32

    Count of resources accessible after granting

    old_raw_permissions

    string[]

    List of raw permissions before granting

    new_raw_permissions

    string[]

    List of raw permissions after granting

    old_effective_permissions

    string[]

    List of effective permissions before granting

    new_effective_permissions

    string[]

    List of effective permissions after granting

    post
    Authorizations
    AuthorizationstringRequired

    Veza API key for authentication. Generate keys in Administration > API Keys.

    Body

    identity_id

    string

    Yes

    ID for the principal (user) in Veza node ID format

    identity_type

    ordered_node_access_changes

    NodeAccessChange[]

    List of grantees and their access statistics, ordered according to the input result_order

    is_identity_highly_connected

    boolean

    Indicates if the identity has access to many resources (>10,000 accesses for a single resource type)

    node_type

    string

    The node type of the grantee

    id

    string

    The node ID of the grantee

    resource_type

    string

    Type of the resource

    old_accessible_resource_count

    int32

    Count of resources accessible before granting

    {
      "identity_id": "example-snowflake.com/user/ALICE",
      "identity_type": "SnowflakeUser",
      "resource_permissions": [
        {
          "resource_id": "example-snowflake.com/database/SALES/schema/PUBLIC/table/CUSTOMER_DATA",
          "resource_type": "SnowflakeTable",
          "permissions": ["SELECT", "INSERT"]
        }
      ],
      "grantee_type": "SnowflakeRole",
      "max_grantee_count": 5,
      "result_order": "LEAST_PRIVILEGED"
    }
    {
      "identity_id": "example-snowflake.com/user/ALICE",
      "identity_type": "SnowflakeUser",
      "resource_id": "example-snowflake.com/database/SALES/schema/PUBLIC/table/CUSTOMER_DATA",
      "resource_type": "SnowflakeTable",
      "raw_permissions": {
        "values": ["SELECT", "INSERT"],
        "operator": "AND"
      },
      "grantee_type": "SnowflakeRole",
      "max_grantee_count": 5,
      "result_order": "LEAST_PRIVILEGED"
    }
    {
      "ordered_node_access_changes": [
        {
          "node_type": "SnowflakeRole",
          "id": "example-snowflake.com/role/ANALYST",
          "name": "ANALYST",
          "resource_access_changes": [
            {
              "resource_type": "SnowflakeTable",
              "old_accessible_resource_count": 10,
              "new_accessible_resource_count": 25,
              "old_raw_permissions": ["SELECT"],
              "new_raw_permissions": ["SELECT", "INSERT"],
              "old_effective_permissions": ["SELECT"],
              "new_effective_permissions": ["SELECT", "INSERT"]
            }
          ]
        },
        {
          "node_type": "SnowflakeRole",
          "id": "example-snowflake.com/role/DATA_EDITOR",
          "name": "DATA_EDITOR",
          "resource_access_changes": [
            {
              "resource_type": "SnowflakeTable",
              "old_accessible_resource_count": 10,
              "new_accessible_resource_count": 32,
              "old_raw_permissions": ["SELECT"],
              "new_raw_permissions": ["SELECT", "INSERT", "UPDATE"],
              "old_effective_permissions": ["SELECT"],
              "new_effective_permissions": ["SELECT", "INSERT", "UPDATE"]
            }
          ]
        }
      ],
      "is_identity_highly_connected": false,
      "result_time": "2025-02-25T10:15:30Z",
      "identity_already_has_all_access": false
    }

    Limitations

    Get Access Relationship

    Request Parameters

    Result Ordering

    Special Considerations

    Response Structure

    NodeAccessChange Structure

    ResourceAccessChange Structure

    Usage Examples

    Example 1: Using Resource Permissions (Recommended)

    Example 2: Using Resource ID and Permissions

    Response

    Related APIs

    Snowflake integration
    Role Existence API
    Role Maintenance API
    Cohort Role Analysis API

    string

    identity_idstringOptional
    identity_typestringOptional
    resource_idstringOptional

    only one of resource_permissions or (resource_id, resource_type, raw_permissions, effective_permissions) can be set in the input

    resource_typestringOptional
    valuesstring[]Optional
    operatorinteger · enumOptional
    valuesinteger · enum[]Optional
    operatorinteger · enumOptional
    grantee_typestringOptional
    query_typeinteger · enumOptional
    node_typestringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    node_idstringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    child_expressionsobject · NodeSpec_CountConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpec_CountConditionExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    direct_relationship_onlybooleanOptional

    When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.

    node_typesstring[]Optional
    constraint_typeinteger · enumOptional
    properties_to_getstring[]Optional

    The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.

    typeinteger · enumOptional
    keystringOptional
    integration_typesstring[]Optional
    nodes_operatorinteger · enumOptional

    Boolean operator for combining multiple node specs.

    Example: 0Possible values:
    keystringOptional
    valuestringOptional
    opinteger · enumOptional
    valueinteger · int32Optional
    opinteger · enumOptional
    valueinteger · int32Optional
    include_secondary_granteebooleanOptional
    include_indirect_resourcebooleanOptional
    exclude_indirect_granteebooleanOptional
    anomaly_detection_history_daysstringOptional
    opinteger · enumOptional
    valuestring · date-timeOptional
    targetinteger · enumOptional
    relative_timevar_valuestringOptional
    notbooleanOptional
    node_relationship_typeinteger · enumOptional
    node_typestringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    node_idstringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    child_expressionsobject · NodeSpec_CountConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpec_CountConditionExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    direct_relationship_onlybooleanOptional

    When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.

    node_typesstring[]Optional
    constraint_typeinteger · enumOptional
    properties_to_getstring[]Optional

    The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.

    typeinteger · enumOptional
    keystringOptional
    integration_typesstring[]Optional
    nodes_operatorinteger · enumOptional

    Boolean operator for combining multiple node specs.

    Example: 0Possible values:
    node_typestringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    node_idstringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    child_expressionsobject · NodeSpec_CountConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpec_CountConditionExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    direct_relationship_onlybooleanOptional

    When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.

    node_typesstring[]Optional
    constraint_typeinteger · enumOptional
    properties_to_getstring[]Optional

    The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.

    typeinteger · enumOptional
    keystringOptional
    integration_typesstring[]Optional
    nodes_operatorinteger · enumOptional

    Boolean operator for combining multiple node specs.

    Example: 0Possible values:
    node_typestringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    node_idstringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    child_expressionsobject · NodeSpec_CountConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpec_CountConditionExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    direct_relationship_onlybooleanOptional

    When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.

    node_typesstring[]Optional
    constraint_typeinteger · enumOptional
    properties_to_getstring[]Optional

    The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.

    typeinteger · enumOptional
    keystringOptional
    integration_typesstring[]Optional
    nodes_operatorinteger · enumOptional

    Boolean operator for combining multiple node specs.

    Example: 0Possible values:
    valuesstring[]Optional
    operatorinteger · enumOptional
    valuesinteger · enum[]Optional
    operatorinteger · enumOptional
    unsupported_condition_modeinteger · enumOptional
    no_relationbooleanOptional
    directioninteger · enumOptional
    path_typeinteger · enumOptional
    node_typestringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    node_idstringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    child_expressionsobject · NodeSpec_CountConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpec_CountConditionExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    direct_relationship_onlybooleanOptional

    When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.

    node_typesstring[]Optional
    constraint_typeinteger · enumOptional
    properties_to_getstring[]Optional

    The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.

    typeinteger · enumOptional
    keystringOptional
    integration_typesstring[]Optional
    nodes_operatorinteger · enumOptional

    Boolean operator for combining multiple node specs.

    Example: 0Possible values:
    node_typestringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    node_idstringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    child_expressionsobject · NodeSpec_CountConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpec_CountConditionExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    direct_relationship_onlybooleanOptional

    When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.

    node_typesstring[]Optional
    constraint_typeinteger · enumOptional
    properties_to_getstring[]Optional

    The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.

    typeinteger · enumOptional
    keystringOptional
    integration_typesstring[]Optional
    nodes_operatorinteger · enumOptional

    Boolean operator for combining multiple node specs.

    Example: 0Possible values:
    node_typestringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    node_idstringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    child_expressionsobject · NodeSpec_CountConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpec_CountConditionExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    direct_relationship_onlybooleanOptional

    When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.

    node_typesstring[]Optional
    constraint_typeinteger · enumOptional
    properties_to_getstring[]Optional

    The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.

    typeinteger · enumOptional
    keystringOptional
    integration_typesstring[]Optional
    nodes_operatorinteger · enumOptional

    Boolean operator for combining multiple node specs.

    Example: 0Possible values:
    valuesstring[]Optional
    operatorinteger · enumOptional
    valuesinteger · enum[]Optional
    operatorinteger · enumOptional
    unsupported_condition_modeinteger · enumOptional
    no_relationbooleanOptional
    directioninteger · enumOptional
    path_typeinteger · enumOptional
    child_expressionsobject · RelatesToExpression[]Optional
    ⤷Circular reference to object · RelatesToExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    and_op_typeinteger · enumOptional
    operatorinteger · enumOptional
    notbooleanOptional
    and_op_typeinteger · enumOptional
    node_typestringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    node_idstringOptional
    keystringOptionalDeprecated
    valuestringOptionalDeprecated
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    child_expressionsobject · NodeSpec_CountConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpec_CountConditionExpression[]
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    operatorinteger · enumOptional
    notbooleanOptional
    include_zero_count_resultsbooleanOptional
    direct_relationship_onlybooleanOptional

    When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.

    node_typesstring[]Optional
    constraint_typeinteger · enumOptional
    properties_to_getstring[]Optional

    The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.

    typeinteger · enumOptional
    keystringOptional
    integration_typesstring[]Optional
    nodes_operatorinteger · enumOptional

    Boolean operator for combining multiple node specs.

    Example: 0Possible values:
    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    fninteger · enumOptional

    The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.

    Example: 0Possible values:
    propertystringOptional

    The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).

    Example: email
    valueanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    notbooleanOptional

    If true, negates the condition (e.g., fn=EQ with not=true means "not equals").

    Default: false
    value_property_namestringOptional

    If value_property_name is set, the value will be retrieved from the property instead of using value above

    value_property_from_other_nodebooleanOptional

    Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.

    source_propertystringOptional

    Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).

    typestringOptional
    keystringOptional
    valuestringOptional
    Other propertiesanyOptional

    Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

    excludebooleanOptional
    fninteger · enumOptional
    source_query_idstringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.

    source_tag_keystringOptional

    Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.

    child_expressionsobject · NodeSpecCollection_ConditionExpression[]Optional
    ⤷Circular reference to object · NodeSpecCollection_ConditionExpression[]
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    operatorinteger · enumOptional

    Boolean operator for combining conditions in the expression.

    Example: 0Possible values:
    notbooleanOptional
    fninteger · enumOptional
    valuestringOptional
    value_asinteger · enumOptional
    result_value_typeinteger · enumOptional
    saved_query_id_for_grantee_idsstringOptional
    max_grantee_countinteger · int32Optional
    resource_types_to_displaystring[]Optional
    max_resource_countinteger · int32Optional
    no_extra_statsbooleanOptional

    When result_type=DEFAULT, setting no_extra_stats to true will also skip these queries:

    • saved_query_id_for_grantee_ids will be ignored
    • response will only contain old_accessible_resource_count and new_accessible_resource_count for input resource_type.
    raw_permissionsstring[]Optional
    node_typestringOptional
    node_idstringOptional
    result_orderinteger · enumOptional

    result_order is by default minimal access count, but can be set to LEAST_PRIVILEGED and enable new features including resource_permissions and faster response

    direct_grantee_to_resource_onlybooleanOptional
    Responses
    200

    OK

    application/json
    role_idstringOptionalDeprecated
    resource_typestringOptionalDeprecated
    new_accessible_resource_countinteger · int32OptionalDeprecated
    node_typestringOptional
    idstringOptional
    namestringOptional
    resource_typestringOptional
    old_accessible_resource_countinteger · int32Optional
    new_accessible_resource_countinteger · int32Optional
    old_raw_permissionsstring[]Optional
    new_raw_permissionsstring[]Optional
    old_effective_permissionsstring[]Optional
    new_effective_permissionsstring[]Optional
    is_identity_highly_connectedbooleanOptional
    result_timestring · date-timeOptional
    identity_already_has_all_accessbooleanOptional
    default

    Default error response

    application/json

    The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

    codeinteger · int32Optional

    The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

    messagestringOptional

    A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

    @typestringOptional

    The type of the serialized message.

    Other propertiesanyOptional
    post/api/private/assessments/access_relationship
    POST /api/private/assessments/access_relationship HTTP/1.1
    Host: your-tenant.vezacloud.com
    Authorization: Bearer YOUR_SECRET_TOKEN
    Content-Type: application/json
    Accept: */*
    Content-Length: 3995
    
    {
      "identity_id": "text",
      "identity_type": "text",
      "resource_id": "text",
      "resource_type": "text",
      "raw_permissions": {
        "values": [
          "text"
        ],
        "operator": 1
      },
      "effective_permissions": {
        "values": [
          1
        ],
        "operator": 1
      },
      "grantee_type": "text",
      "grantee_filter": {
        "query_type": 1,
        "source_node_types": {
          "nodes": [
            {
              "node_type": "text",
              "condition_expression": {
                "specs": [
                  {
                    "fn": 0,
                    "property": "email",
                    "value": null,
                    "not": false,
                    "value_property_name": "text",
                    "value_property_from_other_node": true,
                    "source_property": "text"
                  }
                ],
                "tag_specs": [
                  {
                    "tag": {
                      "type": "text",
                      "key": "text",
                      "value": "text",
                      "properties": {
                        "ANY_ADDITIONAL_PROPERTY": null
                      }
                    },
                    "exclude": true,
                    "fn": 1,
                    "source_query_id": "text",
                    "source_tag_key": "text"
                  }
                ],
                "child_expressions": "[Circular Reference]",
                "operator": 0,
                "not": true
              },
              "node_id": "text",
              "count_condition_expression": "[Circular Reference]",
              "direct_relationship_only": true,
              "node_type_grouping_constraint": {
                "node_types": [
                  "text"
                ],
                "constraint_type": 1
              },
              "properties_to_get": [
                "text"
              ],
              "tags_to_get": [
                {
                  "type": 1,
                  "key": "text"
                }
              ],
              "integration_types": [
                "text"
              ]
            }
          ],
          "nodes_operator": 0
        },
        "customized_variables": [
          {
            "key": "text",
            "value": "text"
          }
        ],
        "access_filter": {
          "engagement_score": {
            "op": 1,
            "value": 1
          },
          "over_provisioned_score": {
            "op": 1,
            "value": 1
          },
          "include_secondary_grantee": true,
          "include_indirect_resource": true,
          "exclude_indirect_grantee": true,
          "anomaly_detection_history_days": "text",
          "last_used": {
            "op": 1,
            "value": "2026-07-19T00:48:17.001Z",
            "target": 1,
            "relative_timevar_value": "text",
            "not": true
          }
        },
        "node_relationship_type": 1,
        "relates_to_exp": {
          "specs": [
            {
              "node_types": "[Circular Reference]",
              "required_intermediate_node_types": "[Circular Reference]",
              "avoided_intermediate_node_types": "[Circular Reference]",
              "raw_permissions": {
                "values": [
                  "text"
                ],
                "operator": 1
              },
              "effective_permissions": {
                "values": [
                  1
                ],
                "operator": 1
              },
              "unsupported_condition_mode": 1,
              "no_relation": true,
              "direction": 1,
              "path_type": 1
            }
          ],
          "child_expressions": [
            {
              "specs": "[Circular Reference]",
              "child_expressions": "[Circular Reference]",
              "operator": 1,
              "not": true,
              "and_op_type": 1
            }
          ],
          "operator": 1,
          "not": true,
          "and_op_type": 1
        },
        "path_summary_node_types": {
          "nodes": [
            {
              "node_type": "text",
              "condition_expression": {
                "specs": [
                  {
                    "fn": 0,
                    "property": "email",
                    "value": null,
                    "not": false,
                    "value_property_name": "text",
                    "value_property_from_other_node": true,
                    "source_property": "text"
                  }
                ],
                "tag_specs": [
                  {
                    "tag": {
                      "type": "text",
                      "key": "text",
                      "value": "text",
                      "properties": {
                        "ANY_ADDITIONAL_PROPERTY": null
                      }
                    },
                    "exclude": true,
                    "fn": 1,
                    "source_query_id": "text",
                    "source_tag_key": "text"
                  }
                ],
                "child_expressions": "[Circular Reference]",
                "operator": 0,
                "not": true
              },
              "node_id": "text",
              "count_condition_expression": "[Circular Reference]",
              "direct_relationship_only": true,
              "node_type_grouping_constraint": {
                "node_types": [
                  "text"
                ],
                "constraint_type": 1
              },
              "properties_to_get": [
                "text"
              ],
              "tags_to_get": [
                {
                  "type": 1,
                  "key": "text"
                }
              ],
              "integration_types": [
                "text"
              ]
            }
          ],
          "nodes_operator": 0
        },
        "all_entity_condition": {
          "specs": [
            {
              "fn": 0,
              "property": "email",
              "value": null,
              "not": false,
              "value_property_name": "text",
              "value_property_from_other_node": true,
              "source_property": "text"
            }
          ],
          "tag_specs": [
            {
              "tag": {
                "type": "text",
                "key": "text",
                "value": "text",
                "properties": {
                  "ANY_ADDITIONAL_PROPERTY": null
                }
              },
              "exclude": true,
              "fn": 1,
              "source_query_id": "text",
              "source_tag_key": "text"
            }
          ],
          "child_expressions": [
            {
              "specs": [
                {
                  "fn": 0,
                  "property": "email",
                  "value": null,
                  "not": false,
                  "value_property_name": "text",
                  "value_property_from_other_node": true,
                  "source_property": "text"
                }
              ],
              "tag_specs": [
                {
                  "tag": {
                    "type": "text",
                    "key": "text",
                    "value": "text",
                    "properties": {
                      "ANY_ADDITIONAL_PROPERTY": null
                    }
                  },
                  "exclude": true,
                  "fn": 1,
                  "source_query_id": "text",
                  "source_tag_key": "text"
                }
              ],
              "child_expressions": [
                "[Circular Reference]"
              ],
              "operator": 0,
              "not": true
            }
          ],
          "operator": 0,
          "not": true
        },
        "path_summary_count_conditions": {
          "conditions": [
            {
              "fn": 1,
              "value": "text",
              "value_as": 1
            }
          ]
        },
        "result_value_type": 1
      },
      "saved_query_id_for_grantee_ids": "text",
      "max_grantee_count": 1,
      "resource_types_to_display": [
        "text"
      ],
      "max_resource_count": 1,
      "no_extra_stats": true,
      "resource_permissions": [
        {
          "raw_permissions": [
            "text"
          ],
          "node_type": "text",
          "node_id": "text"
        }
      ],
      "result_order": 1,
      "direct_grantee_to_resource_only": true
    }
    {
      "ordered_node_access_changes": [
        {
          "node_type": "text",
          "id": "text",
          "name": "text",
          "resource_access_changes": [
            {
              "resource_type": "text",
              "old_accessible_resource_count": 1,
              "new_accessible_resource_count": 1,
              "old_raw_permissions": [
                "text"
              ],
              "new_raw_permissions": [
                "text"
              ],
              "old_effective_permissions": [
                "text"
              ],
              "new_effective_permissions": [
                "text"
              ]
            }
          ]
        }
      ],
      "is_identity_highly_connected": true,
      "result_time": "2026-07-19T00:48:17.001Z",
      "identity_already_has_all_access": true
    }