Veza Product Update - November'23
Welcome to the latest monthly summary of the many changes in recent releases, intended to improve your experience on the platform and deliver additional product features and capabilities. Some highlights include:
Access Reviews:
Time Machine: Operators can now create Certifications based on Authorization Graph snapshot data to review access at a specific point in time.
Details Sidebar: Reviewers can now open a sidebar to view result details and actions, and quickly navigate between Certification rows using the arrow keys to inspect and approve or reject results.
Access Intelligence:
Filtered Permissions: New columns for better visibility into SoD violations and remediation of conflicting permissions.
Veza Integrations:
Microsoft Dynamics 365 (Early Access)
UKGPro (Early Access)
Terraform
Microsoft Azure Kubernetes Service (AKS)
Google Kubernetes Engine (GKE)
Google Cloud SQL
Platform:
Administrators can now control read-only access to Veza with Teams for user management.
Please get in touch with your feedback and questions, and see the following sections for more details:
Access Reviews
Access Reviews for historical or current data: Operators can now pick Time Machine snapshots when creating Certifications to source results from the most recent snapshot, an earlier date, or the current graph data.
Decision columns: Certifications now have optional columns
Decision At
andDecision By
for better visibility into row decisions, and enabling the option to filter on these values.Result details sidebar: Reviewers can now click Certification Actions > See Row Details to open the result in a sidebar, with support for keyboard navigation and filtering on any attribute or value. Users can approve, reject, and sign off directly from the details panel and navigate between rows using the arrow keys.
An optimized Access Reviews Review interface is now available for all customers, including the option to view history for any result.
Access Visibility
Filtered Permissions in Query Builder: New columns indicate the Filtered Effective and System Permissions for source and destination pairs. After applying an effective permissions filter and showing related entities, these columns contain the equivalent system permissions that match any applied filters, and their corresponding effective permissions.
These columns are most useful for Segregation of Duty (SoD) queries (written via Access Intelligence > Analysis > Segregation of Duties or with Query Builder APIs). For SoD queries, they make results more actionable by providing the relevant effective and system-level permissions matching each filter in the query. Users can review these columns to find the set of filtered permissions to remove in order to remediate an SoD conflict.
This enhancement provides improved visibility into principals' relevant capabilities on a resource, especially for Segregation of Duty analysis involving both permission types (for example, remediating IAM Users with
s3:deletebucket
and any otherDATA WRITE
capability).
Integrations
Microsoft Dynamics 365 (Early Access): The Azure integration now supports Dynamics 365, including Business Units, Users, Teams, Application Uses, and Security Roles. When enabled, you can specify one or more environments to discover when adding or editing an Azure configuration.
UKGPro (Early Access): A built-in OAA connector is now available for gathering Users and Roles on the UKG HRIS platform.
Terraform: Added a new OAA-on-Veza connector for discovering Terraform users, groups, and roles.
Active Directory: Added support for cross-domain user and group relationships involving sub-domains (before, this was only supported for external domains).
Box: Increased user extraction speeds and decreased extraction interval for improved efficiency and lower API costs.
Google Cloud SQL: The GCP integration now supports gathering SQL Server services, instances, databases, and users.
Concur: To enable custom mapping for external identities, Concur Users now have an
Identities
attribute containing the local username.Kubernetes: Added support for connecting to managed Kubernetes services on Google Cloud and Microsoft Azure.
Open Authorization API: Custom Role Assignments can now have developer-defined attributes specified in
custom_property_definition.role_assignment_properties
. Role Assignments now inherit any custom properties on assigned Roles.Grouped AWS S3 Bucket Policy Statements: AWS S3 Bucket Policy Statements are now represented as grouped entities; Statements with the same
Effect
,Action
,NotAction
,Principal
, andCondition
properties across separate Bucket Policies are now parsed as a single graph entity representing the same statement.Salesforce: Profiles and permission sets now include the
description
attribute.Microsoft Active Directory Foreign Security Principals: The AD integration now supports related users and groups from different domains when each domain is integrated with Veza. Active Directory Users and Groups now have a
SID
attribute, which Veza uses to compute cross-domain connections.Added a
Timestamp (Windows AD Format)
type for custom properties and updated all AD property configurations to indicate that timestamps use this format.
Access Intelligence
Reports can now contain up to 150 queries.
Query exports now include a tags column when using Advanced Options > Include Source Tags.
Veza Platform
Teams: All customers can now manage users with Teams and the read-only
viewer
role. Previously this functionality was provided in Early Access.User session timeouts (Early Access): Added an option to the System Settings page for controlling when users are logged out after a period of inactivity. Session idle timeout is now configurable between a minimum of 10 minutes and a maximum of 2 hours.
Product Design and Usability
The Risks page and exported lists of risks now include entity IDs to help differentiate between entities with the same name.
Outbound integrations and Webhooks are now managed under Orchestration Actions (renamed from Collaborations).
Hints for swipe mode now appear when opening a Certification on a mobile device for the first time.
The Add Integration button is now hidden when choosing the integration to create (and clicking Next is the only option). After completing the form, click Create Integration at the top right to save the configuration.
Last updated