Veza Product Update - October'23
Welcome to the latest monthly summary of the many changes in recent releases, intended to improve your experience on the platform and deliver additional product features and capabilities. Some highlights include:
Access Intelligence and Visibility
Search results now have Risk Scores enabling users to sort and compare risks and focus on the most important ones.
Access Reviews
Operators can now create more flexible Workflow queries with several destination entity types.
Operators can now periodically create Certifications with Access Review Scheduling.
Operators can now enable Access Review Intelligence to automatically act on results based on result attributes or prior certification data.
Veza Integrations
New integrations
New PingOne identity provider integration.
CSV Import for creating custom providers and publishing authorization metadata in a standard format.
The Microsoft Azure integration now supports Azure PIM.
Enhanced integrations
On-platform setup for Ramp, Google Drive, and DocuSign.
Improved capabilities for Okta, Microsoft SharePoint, Snowflake, and AWS RDS MySQL.
Veza Platform
Administrators can now create read-only API keys by scoping them to teams.
Please get in touch with your feedback and questions, and see the following sections for more details:
Access Intelligence and Visibility
New features
Entity Risk Scores: You can now compare and sort potentially risky users or other entities by their importance using Risk Scores, for a more granular comparison of Critical or Warning risks. All entities now have a Risk Score attribute of 0-100, based on the number of queries with a Critical or Warning risk level whose results include the entity. You can create queries and rules to detect and alert when risk scores change or exceed a threshold.
Tags in Query Builder: For improved filtering and review of entities with tags applied to them, you can now show tags in columns using the Include all source tags and Include all destination tags options.
Enhancements
When selecting a Query Builder source entity type, you can now specify entities of multiple types with grouping types such as User. You can now specify relative date filters for hours or days in the future in Query Builder.
New Query Builder columns now show the System Permissions and the Effective Permissions equivalent for each result.
You can now select any nestable source or destination entity type as Summary Entities in Query Builder. This enables advanced search in scenarios where groups can belong to other groups, or when one role can assume another (such as showing intermediate roles between Snowflake Users and Snowflake Roles).
For improved Graph readability, "Service"-type entities are now hidden by default, along with some other entities such as Organizational Units, Accounts, and Domains. These are now optionally visible by enabling Relationship Options > Advanced View.
Query Builder exports now reflect any changes made to column ordering. The maximum length for saved query descriptions is now extended to 16,383 characters.
Access Reviews
New features
Multiple destinations in Workflow Queries: You can now choose a combination of several related entity types when creating a Workflow.
Scheduling: Access Reviews now support scheduling rules for automated Certification creation. To enable, go to Access Reviews, find a Workflow, and click Actions > Create Schedule. Veza will start new Certifications at the specified times weekly using the latest Authorization Graph data.
Automated Intelligence: You can now use historical decision data to automatically approve or reject results when creating Certifications. For example, you can run Automations to auto-approve previously approved or auto-reject previously rejected items.
Enhancements
Operators can now choose any nestable source or destination entity type as Summary Entities for Access Review queries. This allows reviewers to inspect intermediate relationships in scenarios where roles can assume other roles, or groups can belong to groups (such as intermediate groups between AD Users and AD Groups).
Certification exports now include additional columns: decision_by_id, decision_by_name, decision_by_email, and decision_at.
Approve & Sign Off: This action is now universally available for certification reviewers.
Swipe mode is now enabled by default when opening Certifications on a mobile device.
Enhanced mobile support for Review interface, including landscape mode compatibility and iPhone 12 Pro support.
Veza Integrations
New Integrations
Azure PIM: Added support for Azure Privileged Identity Management (PIM), revealing temporary role assumptions based on scheduling rules.
New "Role Eligibility Schedule Schema" entities can now connect Users and Roles.
You can filter on properties such as scope, status, or start and end time of eligibility.
To collect PIM metadata, you must enable the option by editing the Azure integration and choosing Extract PIM Eligibility.
CSV Import: Administrators can now create custom providers and populate data sources directly from CSV files. Use the provided template to upload user, group, and role metadata and create OAA integrations with no command-line interaction required.
PingOne (Early Access): A Veza-built integration is now available for discovering Users, Groups, and Roles, along with Populations, Applications, and external Identity Providers.
Connectors for Ramp, Google Drive, and DocuSign are now available on Veza in Early Access.
Enhancements
Microsoft SharePoint Online:
Added support for SharePoint Lists: These are now represented by a new entity type created by the SharePoint integration.
Added support for Sharing Capability: SharePoint Online entities now have the Sharing Capability property, indicating the maximum-permitted sharing settings available to all children of the given tenant.
Sharing Capability and List discovery require additional integration permissions.
SharePoint Folder Library Type: SharePoint Folders now inherit the Library Type property from their parent Library: personal, business, or documentLibrary.
SharePoint Folder Sharing Links: Sharing Links are now listed as properties on SharePoint Folders in the format <scope>|<type>|<url>.
User Details: Veza now gathers additional attributes: Is Guest, Is Site Admin, User Principal Name, Is Deleted, Deleted Date, Last Activity Date, Viewed Or Edited File Count, Synced File Count, Shared Internally File Count, Shared Externally File Count, Visited Page Count, Assigned Products.
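As an added example (not Veza's own code or a documented Veza API), the following Python parses Sharing Link property values in the <scope>|<type>|<url> format described above and picks out the links a reviewer would want to look at first. The sample values, the scope vocabulary (anonymous, organization, users) and the link types (view, edit) are assumptions made for illustration; the actual values depend on the tenant and on what the integration records. The parser splits on the first two separators only, so a "|" inside the URL's query string does not break the record.

```python
"""Parse SharePoint folder sharing-link properties of the form <scope>|<type>|<url>.

Added example; not Veza code. The scope/type vocabulary is assumed for
illustration and may differ from what the integration actually records.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample: sharing-link property values as they might appear on a
# SharePoint Folder entity. The last entry is deliberately malformed.
SAMPLE_LINKS = [
    "anonymous|edit|https://contoso.sharepoint.com/:f:/g/personal/alice/abc123?e=x|y",
    "organization|view|https://contoso.sharepoint.com/:f:/s/finance/def456",
    "users|view|https://contoso.sharepoint.com/:f:/s/finance/ghi789",
    "malformed-entry-without-separators",
]

# Assumed: scopes that let anyone holding the URL in, with no tenant identity.
EXTERNAL_SCOPES = {"anonymous"}


@dataclass(frozen=True)
class SharingLink:
    scope: str
    link_type: str
    url: str


def parse_sharing_link(value: str) -> SharingLink:
    """Parse one <scope>|<type>|<url> value; raise ValueError if it is not one."""
    # Split on the first two '|' only, so a '|' inside the URL survives intact.
    parts = value.split("|", 2)
    if len(parts) != 3 or not all(p.strip() for p in parts):
        raise ValueError(f"not a <scope>|<type>|<url> value: {value!r}")
    scope, link_type, url = (p.strip() for p in parts)
    return SharingLink(scope.lower(), link_type.lower(), url)


def parse_all(values: Iterable[str]) -> Tuple[List[SharingLink], List[str]]:
    """Parse every value, keeping malformed ones aside instead of aborting."""
    links: List[SharingLink] = []
    malformed: List[str] = []
    for value in values:
        try:
            links.append(parse_sharing_link(value))
        except ValueError:
            malformed.append(value)
    return links, malformed


def external_links(links: Iterable[SharingLink]) -> List[SharingLink]:
    """Links whose scope is outside the tenant (assumed vocabulary)."""
    return [link for link in links if link.scope in EXTERNAL_SCOPES]


def external_edit_links(links: Iterable[SharingLink]) -> List[SharingLink]:
    """External links that also grant write access: the first ones to review."""
    return [link for link in external_links(links) if link.link_type == "edit"]


if __name__ == "__main__":
    parsed, bad = parse_all(SAMPLE_LINKS)
    for link in external_edit_links(parsed):
        print(f"review first: {link.scope}/{link.link_type} -> {link.url}")
    for value in bad:
        print(f"could not parse: {value!r}")
```

The malformed entry is reported rather than raised so a single bad property value does not stop a sweep across many folders.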
Snowflake role types: Added support for Snowflake Role types to help differentiate between custom, inherited, and system roles.
Veza collects this role attribute automatically unless using an alternative database for the integration. If this is the case, see Enable role type extraction to update integration permissions.
AWS RDS MySQL system schema: Extended AWS RDS MySQL discovery to include system schemas such as 'sys', 'performance_schema', and 'mysql'. To enable, choose Gather System Tables when configuring an AWS integration.
NetSuite insights: Added built-in queries for NetSuite to find identities such as deactivated users, administrators, and deactivated Okta or Microsoft Azure AD users with NetSuite permissions.
Okta timestamps: Timestamp-type entity attributes now include hours, minutes, and seconds (before, these rounded to the nearest day).
Veza Platform
New Features
API Keys for Teams: Introduced optional scoping of API keys to Teams, allowing for non-root, read-only API access. Administrators can now choose from available teams when creating keys and view team scopes on the API Keys page.
MFA for local users: Users can now enable built-in MFA for an additional security layer when not using Single Sign-On.