Veza Product Update - March'23
Overview of major changes and enhancements in 2023.3.x releases
Integrations
AWS Lambda: The AWS integration now supports Lambda Functions as Authorization Graph entities, enabling Search, Tags, Workflows, and Rules for:
AWS Users and Roles with the ability to create or edit Lambda functions.
AWS services and resources Lambda Functions can access.
IAM roles assumed by Lambda to access AWS services and resources.
AWS Cognito: The AWS integration can now discover AWS Cognito Identity Pools used to grant temporary privileges to other AWS services.
AWS Cognito Identity Pools that allow unauthenticated identities.
AWS IAM Roles assumed by AWS Cognito Identity Pool identities.
Note that permissions for the AWS integration must be updated to enable listing Lambda functions and tags and Cognito identity pools. To gather these new entities, the must include the latest "Cognito" and "Lambda" Sids.
Active Directory: Custom security attributes for AD Users are now supported and can be specified by property name and type when configuring an AD integration.
Once enabled, these attributes are added to entities and can be used to filter and sort search results.
Password Last Set is now supported as a default attribute for AD User entities, containing the timestamp when a password was last set.
Snowflake: Entities now include the "Comment" attribute containing optional descriptions on Snowflake Role, User, Database, Schema, Table, and View objects.
The permissions for the Snowflake Integration are updated to include the additional columns (only required if using an alternative database name for the integration).
Administration: Integrations on the Configurations page now indicate the running sync or parse job status (such as "Waiting for Parsing").
Detailed status info now shows the completed and current job steps (such as "Gathering Users" or "Gathering Roles") and the total number of gathered entities.
An icon next to the Data Source status indicates when you can click a label for more details.
Veza Monitoring
You can now filter by inactive or active resources when viewing Over Provisioned Score (OPS) details for entities that support Access Monitoring. It's additionally possible to toggle between viewing Effective and System permissions.
Rules can now trigger Alerts when there are changes to Over Provisioned Score (OPS) in the associated query's results.
Alerts will now include more details for entities with OPS changes.
Veza Search and Insights
Dashboards on the Home page have had a visual refresh. Each tile now shows results and changes for all sections in the report.
Dashboards show trends and change over time, customizable by setting the Time Range to the past week or month.
Graph, Workflow, and Query Builder now support Regular Expressions for attribute filters. Regex enables filters on properties matching one or more possible text patterns and complex "OR" conditions.
The Access Search > Saved Queries page now offers query search by keyword, label, or integration. Users can now mark any Saved Query as a violation from an extended Actions dropdown menu.
AWS EC2 Instances are now shown on the left when searching relationships to other resource entity types (such as AWS S3 Bucket) in Authorization Graph for improved visualization of resource-type entities acting as principals.
Early Access: Authorization Graph Advanced Options now include toggles to show or hide relationships that involve nestable entity types such as IAM Roles and Local Groups.
Early Access: Users can now add Rules directly from Veza Saved Queries and the Query Builder. When enabled:
An enhanced Saved Queries page replaces the Rules page. Saved Queries now include Rule details and a streamlined Create Rule wizard. When saving a query, users can now optionally add it to Reports or create a Rule.
Saved queries will have an additional option, Actions > Configure Alert Rule. The Alerts page includes an overview of recently triggered rules.
Veza Workflows
Precise Certification Due Dates
Workflow owners can now specify an exact deadline when selecting Certification deadlines (in addition to a general calendar date).
Reviewer Assignment Fallback Behavior
Workflow creators can now always add Fallback Reviewers, used when rules prevent the assignment of the original user or when a manager does not exist for a certification result row. Alternate reviewer selection methods are now available.
Show or Hide Indirect Access (Early Access)
Workflow creators can now include or exclude relationships that involve nested entities from certification results. These might include roles assumed by another role, or groups belonging to a parent group.
When enabled, Show Assumed Entities Types is an option under Advanced Options > Relationship Options when the query source or destination (such as Snowflake Group or AWS IAM Role) can be nested.
Reviewer Usability Enhancements
Certifications on mobile devices now allow acting on a full page of results. Reviewers can now choose several items to approve, reject, or sign off with a single action.
Reviewers can now apply pre-configured filters to Show Undecided Items and Only Show Signed Off Items found under Certification Filters > Saved Filters.
Clicking Permissions, Concrete Permissions, or Reviewers for a Certification result row lists all the values for that field.
When acting on several certification items with Bulk Actions, Reviewers can now apply any action, whether or not the action applies to the selected rows. Any result the decision can't apply to is skipped.
Filter on Summary Entities (Early Access): Reviewers can now filter Certification rows based on the contents of the Path Summary column, such as an intermediate entity Name, ID, or Type.
Veza Product Design
Unified views for Tagging: Veza Tags, AWS Tags, Google Cloud Tags, Google Cloud Labels, and Google Cloud Tag Ids now reside in the Data Catalog.
Updated color theme and palette across Veza.
Updated charts throughout the UI for improved visualization.