Veza Launches Open Authorization API

Veza Launches Open Authorization API

Knowasiak April 28, 2022
0 Comments

Veza Overview
Veza is the data security platform built on the power of authorization. Our platform is purpose-built for multi-cloud
environments to help you use and share your data more safely. Veza makes it easy to dynamically visualize, understand
and control who can and should take what action on what data. We organize authorization metadata across identity
providers, data systems, cloud service providers, and applications — all to address the toughest data security
challenges of the multi-cloud era. To learn more, please visit us at veza.com.

Open Authorization API
Sometimes, you might want to integrate Veza to an app or system that we don’t yet support natively. You might have a
custom or homegrown SaaS or on-prem app – for example, a customer service or support app that holds or accesses
sensitive data – for which you want to see and manage authorization. Our Open Authorization API (OAA) enables a BYO-app
model to integrate with Veza. The Open Authorization API (OAA) enables Veza customers and partners to integrate custom
and other 3rd party applications and data systems using a standard interface.

In addition to the OAA, there is a small chunk of code that runs outside of the Veza SaaS infrastructure: the connector.
The connector has 3 jobs: it needs to pull authorization data from the target system (i.e., app, data storage system, or
service), transform that data into a format Veza can understand, and call the Veza API to import the data into Veza.

Using OAA and connectors, organizations can parse and upload authorization metadata for apps not natively supported by
Veza, and create a more complete view of permissions across cloud/data/identity systems to answer the question: “who can
and should take what action on what data?”

How OAA Works
OAA works by providing a mechanism to upload authorization information from a target system to Veza in a standardized
format. To integrate a new system, you utilize that system’s API (or other interfaces) to enumerate the identities,
permissions and resources that you want available in Veza. This information must then be formatted according to the OAA
JSON schema and uploaded to Veza using the OAA REST API.

Veza processes this schema mapping to integrate metadata from the new target system into its Authorization Metadata
Graph, which maps which identities have what permissions to what resources. Veza combines this information with
discovered data from Identity providers to expand group memberships and correlate identities. Identities can be local to
that application or linked to external Identity Providers (IdP) like Okta or AzureAD. The Veza schema can capture and
represent both standard Effective Permissions (Create, Read, Update, and Delete) as well as system-specific permissions
(like “Admin” or “Operator”).

Once a target application or system is integrated via OAA into Veza, it acts like any other data source. OAA-integrated
systems are fully available for the purpose of Veza search, governance workflows, reports, alerts, and more.

Working with OAA
Customers have the choice of integrating with the Open Authorization API directly through REST or leveraging the Python
SDK. Customers who choose the REST option can develop in any language they like to collect the authorization data,
format the OAA template and make REST calls.

Example Custom Application Payload
Below is a simplified example of defining authorization information for a custom application template. This example
demonstrates defining two users and two different permissions to access an application.

{
“applications”: [
{
“name”: “Support Portal”,
“application_type”: “support_portal”,
“description”: “Our customer support portal”,
“local_users”: [
{
“name”: “bob”,
“identities”: [
“bob@example.com”
],
“groups”: [
“admins”
],
“is_active”: true,
“last_login_at”: “2022-03-21T18:56:38Z”
},
{
“name”: “sue”,
“identities”: [
“sue@example.com”
] }
],
“local_groups”: [
{
“name”: “admins”
}
]
}
],
“permissions”: [
{
“name”: “admin”,
“permission_type”: [
“DataWrite”,
“DataRead”,
“DataDelete”,
“MetadataWrite”,
“MetadataRead”
]
},
{
“name”: “login”,
“permission_type”: [
“DataRead”,
“MetadataRead”
]
}
],
“identity_to_permissions”: [
{
“identity”: “bob”,
“identity_type”: “local_user”,
“application_permissions”: [
{
“application”: “Support Portal”,
“permission”: “login”

}
]
},
{
“identity”: “sue”,
“identity_type”: “local_user”,
“application_permissions”: [
{
“application”: “Support Portal”,
“permission”: “login”

}
]
},
{
“identity”: “admins”,
“identity_type”: “local_group”,
“application_permissions”: [
{
“application”: “Support Portal”,
“permission”: “admin”
}
]
}
]
}
Once the authorization payload is formatted into the OAA template the data is posted to the Veza REST API. Veza parses
the payload and loads the data into the Authorization Metadata Graph

Example Using the SDK
Also available is the oaaclient Python SDK that simplifies creation of the authorization payload and submission to
Veza. The SDK provides interfaces to creating all the support OAA template components and registering new sources with
Veza.

from oaaclient.client import OAAClient, OAAPermission
from oaaclient.templates import CustomApplication

# creates a connection class to communicate with Veza
veza_con=OAAClient(url=veza_url, token=veza_api_key)

# creates a new Custom Application model
custom_app=CustomApplication(name=”Sample App”, application_type=”sample”)
Once the CustomApplication class is instantiated you can access the public methods to add local users, groups and
resources and the authorization between identities and resources.

# define new permission
custom_app.add_custom_permission(“owner”, [OAAPermission.DataRead, OAAPermission.DataWrite])
# add users and identities
jane=custom_app.add_local_user(“jane”, identities=”jane@example.com”)
# add resources to the application to collect more granular authorization information
resource1=custom_app.add_resource(name=”Resource 1″, resource_type=”thing”)
# associate identities to resources based on their permissions
jane.add_permission(permission=”owner”, resources=[resource1])
Getting Started
To get started, request access to the OAA Community repository where you
will find complete connectors, SDK and code samples. You can request access by joining the Slack community channel below
or by email.

Join Us on Slack
Join us on Slack at #veza-oaa-community

Read More
Share this on knowasiak.com to discuss with people on this topicSign up on Knowasiak.com now if you’re not registered yet.

Categories: Entertainment
Tags: , ,
Knowasiak
Hey! look, i give tutorials to all my users and i help them!Bio: About:

Related Articles

Windows 11 Guide

Windows 11 Guide

A guide on setting up your Windows 11 Desktop with all the essential Applications, Tools, and Games to make your experience with Windows 11 great! Note: You can easily convert this markdown file to a PDF in VSCode using this handy extension Markdown PDF. Getting Started Windows 11 Desktop Bypass Windows 11’s TPM, CPU and…

Knowasiak June 11, 2022
0 Comments
What’s recent in Emacs 28.1?

What’s recent in Emacs 28.1?

By Mickey Petersen It’s that time again: there’s a new major version of Emacs and, with it, a treasure trove of new features and changes.Notable features include the formal inclusion of native compilation, a technique that will greatly speed up your Emacs experience.A critical issue surrounding the use of ligatures also fixed; without it, you…

Knowasiak April 9, 2022

Responses

Your email address will not be published. Required fields are marked *

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .