Identify grantees (such as roles) providing specific access permissions to a given identity for a set of resources.
{
"identity_id": "example-snowflake.com/user/ALICE",
"identity_type": "SnowflakeUser",
"resource_permissions": [
{
"resource_id": "example-snowflake.com/database/SALES/schema/PUBLIC/table/CUSTOMER_DATA",
"resource_type": "SnowflakeTable",
"permissions": ["SELECT", "INSERT"]
}
],
"grantee_type": "SnowflakeRole",
"max_grantee_count": 5,
"result_order": "LEAST_PRIVILEGED"
}{
"identity_id": "example-snowflake.com/user/ALICE",
"identity_type": "SnowflakeUser",
"resource_id": "example-snowflake.com/database/SALES/schema/PUBLIC/table/CUSTOMER_DATA",
"resource_type": "SnowflakeTable",
"raw_permissions": {
"values": ["SELECT", "INSERT"],
"operator": "AND"
},
"grantee_type": "SnowflakeRole",
"max_grantee_count": 5,
"result_order": "LEAST_PRIVILEGED"
}{
"ordered_node_access_changes": [
{
"node_type": "SnowflakeRole",
"id": "example-snowflake.com/role/ANALYST",
"name": "ANALYST",
"resource_access_changes": [
{
"resource_type": "SnowflakeTable",
"old_accessible_resource_count": 10,
"new_accessible_resource_count": 25,
"old_raw_permissions": ["SELECT"],
"new_raw_permissions": ["SELECT", "INSERT"],
"old_effective_permissions": ["SELECT"],
"new_effective_permissions": ["SELECT", "INSERT"]
}
]
},
{
"node_type": "SnowflakeRole",
"id": "example-snowflake.com/role/DATA_EDITOR",
"name": "DATA_EDITOR",
"resource_access_changes": [
{
"resource_type": "SnowflakeTable",
"old_accessible_resource_count": 10,
"new_accessible_resource_count": 32,
"old_raw_permissions": ["SELECT"],
"new_raw_permissions": ["SELECT", "INSERT", "UPDATE"],
"old_effective_permissions": ["SELECT"],
"new_effective_permissions": ["SELECT", "INSERT", "UPDATE"]
}
]
}
],
"is_identity_highly_connected": false,
"result_time": "2025-02-25T10:15:30Z",
"identity_already_has_all_access": false
}Veza API key for authentication. Generate keys in Administration > API Keys.
only one of resource_permissions or (resource_id, resource_type, raw_permissions, effective_permissions) can be set in the input
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.
The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.
Boolean operator for combining multiple node specs.
0Possible values: The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.
The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.
Boolean operator for combining multiple node specs.
0Possible values: The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.
The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.
Boolean operator for combining multiple node specs.
0Possible values: The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.
The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.
Boolean operator for combining multiple node specs.
0Possible values: The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.
The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.
Boolean operator for combining multiple node specs.
0Possible values: The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.
The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.
Boolean operator for combining multiple node specs.
0Possible values: The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.
The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.
Boolean operator for combining multiple node specs.
0Possible values: The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When set to true, self-referential edges on this node type will not be traversed. For example, if the node type is Role and direct_relationship_only is true, then any edge Role -> Role will be ignored. Can only be used with destination or source node types which have self-referential edges. Cannot be used with labels.
The properties that are returned on node, this allows the ability to limit the amount of properties retrieved through the graph This currently is only available on the source_node_types collection If used during an export, it is supported for source_node_types, relates_to_expression.node_types and path summary node types. In this case, the field is used to filter which properties will be exported, in the order in which they are specified.
Boolean operator for combining multiple node specs.
0Possible values: The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
The comparison function to use for this condition. For list properties (like emails), use LIST_ANY_ELEMENT_* functions. Value 5 (LIST_CONTAINS) is deprecated - use LIST_ANY_ELEMENT_EQ instead.
0Possible values: The node property to compare. Use the property name as shown in the Graph. For custom properties from OAA integrations, prefix with customprop_ (e.g., customprop_display_name).
emailRepresents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
If true, negates the condition (e.g., fn=EQ with not=true means "not equals").
falseIf value_property_name is set, the value will be retrieved from the property instead of using value above
Only effective when value_property_name is used. true -> value from <other_node>.<value_property_name> false (default) -> value from <current_node>.<value_property_name> A "true" input is valid only in destination nodes.
Property from saved query (RIGHT) to extract for IN_FROM_QUERY_SOURCE_RESULTS conditions. Defaults to "id" if not set (for backward compatibility).
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Required in that case.
Only used when fn is "IN_FROM_QUERY_SOURCE_RESULTS". Optional in that case. Used for remapping the tag key from the source query to the key in the "tag" field.
Boolean operator for combining conditions in the expression.
0Possible values: Boolean operator for combining conditions in the expression.
0Possible values: When result_type=DEFAULT, setting no_extra_stats to true will also skip these queries:
result_order is by default minimal access count, but can be set to LEAST_PRIVILEGED and enable new features including resource_permissions and faster response
OK
Default error response
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
The type of the serialized message.
{
"ordered_node_access_changes": [
{
"node_type": "text",
"id": "text",
"name": "text",
"resource_access_changes": [
{
"resource_type": "text",
"old_accessible_resource_count": 1,
"new_accessible_resource_count": 1,
"old_raw_permissions": [
"text"
],
"new_raw_permissions": [
"text"
],
"old_effective_permissions": [
"text"
],
"new_effective_permissions": [
"text"
]
}
]
}
],
"is_identity_highly_connected": true,
"result_time": "2026-03-27T18:55:57.121Z",
"identity_already_has_all_access": true
}POST /api/private/assessments/access_relationship HTTP/1.1
Host: your-tenant.vezacloud.com
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 3995
{
"identity_id": "text",
"identity_type": "text",
"resource_id": "text",
"resource_type": "text",
"raw_permissions": {
"values": [
"text"
],
"operator": 1
},
"effective_permissions": {
"values": [
1
],
"operator": 1
},
"grantee_type": "text",
"grantee_filter": {
"query_type": 1,
"source_node_types": {
"nodes": [
{
"node_type": "text",
"condition_expression": {
"specs": [
{
"fn": 0,
"property": "email",
"value": null,
"not": false,
"value_property_name": "text",
"value_property_from_other_node": true,
"source_property": "text"
}
],
"tag_specs": [
{
"tag": {
"type": "text",
"key": "text",
"value": "text",
"properties": {
"ANY_ADDITIONAL_PROPERTY": null
}
},
"exclude": true,
"fn": 1,
"source_query_id": "text",
"source_tag_key": "text"
}
],
"child_expressions": "[Circular Reference]",
"operator": 0,
"not": true
},
"node_id": "text",
"count_condition_expression": "[Circular Reference]",
"direct_relationship_only": true,
"node_type_grouping_constraint": {
"node_types": [
"text"
],
"constraint_type": 1
},
"properties_to_get": [
"text"
],
"tags_to_get": [
{
"type": 1,
"key": "text"
}
],
"integration_types": [
"text"
]
}
],
"nodes_operator": 0
},
"customized_variables": [
{
"key": "text",
"value": "text"
}
],
"access_filter": {
"engagement_score": {
"op": 1,
"value": 1
},
"over_provisioned_score": {
"op": 1,
"value": 1
},
"include_secondary_grantee": true,
"include_indirect_resource": true,
"exclude_indirect_grantee": true,
"anomaly_detection_history_days": "text",
"last_used": {
"op": 1,
"value": "2026-03-27T18:55:57.121Z",
"target": 1,
"relative_timevar_value": "text",
"not": true
}
},
"node_relationship_type": 1,
"relates_to_exp": {
"specs": [
{
"node_types": "[Circular Reference]",
"required_intermediate_node_types": "[Circular Reference]",
"avoided_intermediate_node_types": "[Circular Reference]",
"raw_permissions": {
"values": [
"text"
],
"operator": 1
},
"effective_permissions": {
"values": [
1
],
"operator": 1
},
"unsupported_condition_mode": 1,
"no_relation": true,
"direction": 1,
"path_type": 1
}
],
"child_expressions": [
{
"specs": "[Circular Reference]",
"child_expressions": "[Circular Reference]",
"operator": 1,
"not": true,
"and_op_type": 1
}
],
"operator": 1,
"not": true,
"and_op_type": 1
},
"path_summary_node_types": {
"nodes": [
{
"node_type": "text",
"condition_expression": {
"specs": [
{
"fn": 0,
"property": "email",
"value": null,
"not": false,
"value_property_name": "text",
"value_property_from_other_node": true,
"source_property": "text"
}
],
"tag_specs": [
{
"tag": {
"type": "text",
"key": "text",
"value": "text",
"properties": {
"ANY_ADDITIONAL_PROPERTY": null
}
},
"exclude": true,
"fn": 1,
"source_query_id": "text",
"source_tag_key": "text"
}
],
"child_expressions": "[Circular Reference]",
"operator": 0,
"not": true
},
"node_id": "text",
"count_condition_expression": "[Circular Reference]",
"direct_relationship_only": true,
"node_type_grouping_constraint": {
"node_types": [
"text"
],
"constraint_type": 1
},
"properties_to_get": [
"text"
],
"tags_to_get": [
{
"type": 1,
"key": "text"
}
],
"integration_types": [
"text"
]
}
],
"nodes_operator": 0
},
"all_entity_condition": {
"specs": [
{
"fn": 0,
"property": "email",
"value": null,
"not": false,
"value_property_name": "text",
"value_property_from_other_node": true,
"source_property": "text"
}
],
"tag_specs": [
{
"tag": {
"type": "text",
"key": "text",
"value": "text",
"properties": {
"ANY_ADDITIONAL_PROPERTY": null
}
},
"exclude": true,
"fn": 1,
"source_query_id": "text",
"source_tag_key": "text"
}
],
"child_expressions": [
{
"specs": [
{
"fn": 0,
"property": "email",
"value": null,
"not": false,
"value_property_name": "text",
"value_property_from_other_node": true,
"source_property": "text"
}
],
"tag_specs": [
{
"tag": {
"type": "text",
"key": "text",
"value": "text",
"properties": {
"ANY_ADDITIONAL_PROPERTY": null
}
},
"exclude": true,
"fn": 1,
"source_query_id": "text",
"source_tag_key": "text"
}
],
"child_expressions": [
"[Circular Reference]"
],
"operator": 0,
"not": true
}
],
"operator": 0,
"not": true
},
"path_summary_count_conditions": {
"conditions": [
{
"fn": 1,
"value": "text",
"value_as": 1
}
]
},
"result_value_type": 1
},
"saved_query_id_for_grantee_ids": "text",
"max_grantee_count": 1,
"resource_types_to_display": [
"text"
],
"max_resource_count": 1,
"no_extra_stats": true,
"resource_permissions": [
{
"raw_permissions": [
"text"
],
"node_type": "text",
"node_id": "text"
}
],
"result_order": 1,
"direct_grantee_to_resource_only": true
}