Veza Product Update - May'23

Overview of major changes and enhancements in 2023.5.x releases

Search and Insights

Analysis for users, groups, and roles (Early Access): Veza users can use a new Access Intelligence > Analysis page to inspect individual identities, groups, and roles.

The streamlined search interface offers ways to build simple queries for everyday IGA tasks, by picking an entity and choosing the analysis to run. Depending on the chosen entity (e.g. User), Analysis provides the ability to:

  • Find all groups a user belongs to or the roles they can assume.

  • Find all the users or groups that are members of a group.

  • Find the users or other roles capable of accessing a role.

You can further alter search parameters, add rules, or set risk levels by opening the results of an analysis in Query Builder.

Extended historic data for risk trends: You can now choose to visualize data for the “Past 6 Months” or “Past Year” when viewing changes in risks over time.

New built-in report collections: Two new categories are now included on the Reports page, pre-filled with relevant insights into privileged access and cloud IAM settings. The report categories Privileged Access Dashboard and Cloud IAM Dashboard will appear for new users on their first login.

Notes for risk exceptions: It’s now possible to add context and details with an optional message when setting one or more risk exceptions. Any existing notes now appear in an extra column when browsing lists of risks and exceptions.

Integrations

Active Directory (AD): Users now have the email attribute, enabling filters on the email address associated with each user.

Azure AD: Azure AD Groups now have a greatly expanded range of attributes available for filters, including group Classification, Description, Mail, onPremisesLastSyncDateTime, and hasMembersWithLicenseErrors. The integration also collects the properties allowExternalSenders, hideFromAddressLists, and hideFromOutlookClients for groups where securityEnabled is true.

AWS EKS: Veza can now gather metadata for EKS Services and EKS Clusters. Note that the integration now requires an updated IAM policy that allows the eks:ListClusters and eks:DescribeCluster actions. New saved assessment queries for AWS identify:

  • AWS EKS Clusters with public endpoint access

  • AWS IAM Roles with EKS permissions

  • AWS IAM Users with EKS permissions
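The following is an added, stand-alone illustration of what the two new permissions are used for and what the three saved queries look for; it is example code written for this page, not Veza's connector or query engine. The cluster records are constructed to match the shape of the AWS DescribeCluster response (cluster.resourcesVpcConfig.endpointPublicAccess and publicAccessCidrs), the IAM policy is the minimal read-only grant the note above requires, and `grants_eks_actions` is a deliberately simplified check that only looks at Allow statements (Deny, Condition and NotAction are out of scope here).

```python
"""Flag EKS clusters with a public API endpoint, and IAM policies that grant EKS actions.

Added illustrative code, not Veza's own. Sample clusters are constructed; the policy
is the minimal grant named in the release note (eks:ListClusters, eks:DescribeCluster).
"""
from fnmatch import fnmatchcase
from ipaddress import ip_network

# Minimal policy for the updated integration: only the two read-only actions it needs.
EKS_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["eks:ListClusters", "eks:DescribeCluster"],
        "Resource": "*",
    }],
}

# Constructed sample: the "cluster" object from three DescribeCluster responses.
SAMPLE_CLUSTERS = [
    {"name": "prod-api", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"]}},          # reachable from anywhere
    {"name": "ci-runners", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": False,
        "publicAccessCidrs": ["203.0.113.0/24"]}},     # public, but allow-listed
    {"name": "internal-only", "resourcesVpcConfig": {
        "endpointPublicAccess": False, "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"]}},          # CIDRs are moot when public access is off
]


def public_endpoint_exposure(cluster):
    """None if the API endpoint is private-only; otherwise how widely it is exposed."""
    vpc = cluster.get("resourcesVpcConfig", {})
    if not vpc.get("endpointPublicAccess", False):
        return None
    cidrs = vpc.get("publicAccessCidrs") or []
    # A zero-length prefix (0.0.0.0/0) covers the whole address space.
    if any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
        return "open-to-internet"
    return "public-restricted"


def find_public_clusters(clusters):
    """[(name, exposure)] for every cluster whose endpoint is publicly reachable."""
    found = []
    for cluster in clusters:
        exposure = public_endpoint_exposure(cluster)
        if exposure:
            found.append((cluster["name"], exposure))
    return found


def grants_eks_actions(policy_document):
    """True if an Allow statement's Action pattern can match any eks:* action.

    Wildcards are honoured ("*", "e*:*", "eks:Describe*"). Deny statements,
    Conditions and NotAction are ignored; a full assessment must evaluate them too.
    """
    statements = policy_document.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for pattern in actions:
            # IAM actions are case-insensitive; compare the service part only.
            service_pattern = pattern.lower().split(":", 1)[0]
            if fnmatchcase("eks", service_pattern):
                return True
    return False


def collect_clusters(eks_client):
    """Fetch live cluster records with boto3; needs exactly the actions in EKS_READ_POLICY.
    Example: collect_clusters(boto3.client("eks", region_name="us-east-1"))."""
    clusters = []
    for page in eks_client.get_paginator("list_clusters").paginate():
        for name in page["clusters"]:
            clusters.append(eks_client.describe_cluster(name=name)["cluster"])
    return clusters


if __name__ == "__main__":
    print(find_public_clusters(SAMPLE_CLUSTERS))
    print(grants_eks_actions(EKS_READ_POLICY))
```

Note the distinction the example draws between a public endpoint that is allow-listed to specific CIDRs and one open to 0.0.0.0/0: both show up under "public endpoint access", but only the latter is reachable by anyone who obtains a token.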

Custom Identity Mapping enhancements: Custom mappings can now apply to more scenarios in which users from an integrated identity provider can assume local user accounts in other integrations:

  • Administrators can now specify relationships between IDP users and the local accounts those IDP users assume within an integrated system, using up to four different attributes.

  • Administrators can now disable the default IdP User > Local User mapping by email when adding a custom mapping for an integration.
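To show why multi-attribute mapping and the option to switch off the default email match matter, here is an added illustrative matcher. It is example code written for this page, not Veza's mapping engine; the IdP users, local accounts and the hypothetical rule set (employeeId to employee_id, username to db_username) are all constructed. It demonstrates the two failure modes of email-only mapping: an IdP user picking up a service account that merely lists their email as a contact, and an account registered under a mail alias being missed entirely.

```python
"""Attribute-based IdP-user to local-account mapping (added illustration, not Veza's code).

All records below are constructed. A mapping rule is a list of up to four
(idp_attribute, local_attribute) pairs that must ALL match; the default
email match can be kept alongside the rules or disabled.
"""

# Constructed IdP users.
IDP_USERS = [
    {"id": "alice", "email": "alice@example.com", "employeeId": "E100", "username": "alice"},
    {"id": "bob",   "email": "bob@example.com",   "employeeId": "E200", "username": "bob"},
]

# Constructed local accounts in an integrated system (e.g. a database).
LOCAL_ACCOUNTS = [
    # Alice's own account: every attribute agrees with the IdP record.
    {"id": "alice_db",    "email": "alice@example.com",   "employee_id": "E100", "db_username": "alice"},
    # Service account whose contact email is Alice's: email-only mapping would
    # attribute its permissions to Alice.
    {"id": "svc_reports", "email": "alice@example.com",   "employee_id": None,   "db_username": "svc_reports"},
    # Bob's account registered under a mail alias: email-only mapping misses it.
    {"id": "bob_db",      "email": "b.smith@example.com", "employee_id": "E200", "db_username": "bob"},
]

# Hypothetical custom mapping: (IdP attribute, local attribute), all must match.
CUSTOM_RULES = [("employeeId", "employee_id"), ("username", "db_username")]

MAX_RULE_ATTRIBUTES = 4  # the release note allows up to four attributes per mapping


def _rules_match(idp_user, local_account, rules):
    """True only if every pair is present on both sides and equal (missing never matches)."""
    for idp_attr, local_attr in rules:
        left, right = idp_user.get(idp_attr), local_account.get(local_attr)
        if left is None or right is None or left != right:
            return False
    return True


def _emails_match(idp_user, local_account):
    """Default mapping: case-insensitive equality of the email attribute."""
    left = (idp_user.get("email") or "").lower()
    right = (local_account.get("email") or "").lower()
    return bool(left) and left == right


def map_identities(idp_users, local_accounts, rules=(), default_email_mapping=True):
    """Return {idp_user_id: sorted list of local account ids the user is mapped to}.

    A local account is linked when the custom rules match, or when the default
    email mapping is enabled and the emails match. Rules only apply if given.
    """
    rules = list(rules)
    if len(rules) > MAX_RULE_ATTRIBUTES:
        raise ValueError(f"at most {MAX_RULE_ATTRIBUTES} attributes per mapping")
    result = {}
    for user in idp_users:
        matched = set()
        for account in local_accounts:
            by_rules = bool(rules) and _rules_match(user, account, rules)
            by_email = default_email_mapping and _emails_match(user, account)
            if by_rules or by_email:
                matched.add(account["id"])
        result[user["id"]] = sorted(matched)
    return result


if __name__ == "__main__":
    print("email only:     ", map_identities(IDP_USERS, LOCAL_ACCOUNTS))
    print("rules, no email:", map_identities(IDP_USERS, LOCAL_ACCOUNTS, CUSTOM_RULES, False))
```

With the default email match left on, Alice is still linked to svc_reports even after the custom rules are added, which is exactly the case the new disable option addresses.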

Open Authorization API (OAA): OAA entities now have the Datasource Name as a filterable attribute.

Google Cloud (GCP): Administrators can now configure the integration to restrict KMS extraction based on service region.

Google Cloud cross-organization permissions (Early Access): The Google Cloud integration can now detect identities in one integrated Google organization with permissions on resources in another integrated Google organization. Please contact the Veza support team to enable cross-organization mapping with the most appropriate setting for your environment.

Okta admin roles: The Okta integration now includes support for the Okta Role entity, enabling search and certification of built-in and custom administrator role assignments for Okta users. Note that collecting the new entities requires an API token with the super admin role; the previously sufficient read-only admin role is no longer enough.

OneLogin: The integration now supports new entity types:

  • OneLogin Groups

  • OneLogin Roles

  • OneLogin Apps

Workato: A new OAA connector enables the discovery of Users, Roles, and Projects within a Workato Workspace.

Veza on Veza (Early Access): Admins can now configure a Veza integration from the Configuration page to enable Authorization Graph support for Veza domains, teams, roles, and users. New saved queries are now available to identify deactivated and inactive Veza users.

Platform

Veza RBAC (Early Access): To enable federated usage of Veza by users beyond IT and Security teams, administrators can now create custom Teams that grant access to a limited scope of provider integrations, and assign users a read-only viewer role.

  • Administrators can manage team and role assignments from a new Team Management page after enabling the feature.

  • We look forward to your feedback as we refine and improve collaboration and productivity for Veza users.

List Events (API Preview): A new ListEvents operation returns a list of Veza platform events, optionally filtered by category or severity.

Veza Workflows

Certification progress bars: Reviewers and operators can now review key certification statistics within a collapsible summary, such as the Approved/Rejected status of all rows (or all assigned rows) and the total number of days since the certification started (or time remaining until the due date).

Custom help pages (Early Access): Administrators can now use a preview API to add splash pages for certification reviewers containing customized instructions for the workflow.

Access reviews for Veza platform users and permissions (Early Access): Operators can now create user access reviews on the Users, Teams, and Roles within your Veza domain using the built-in integration.

Veza Product Design

Left Sidebar consistency across Query Builder, Access Reviews, and Authorization Graph:

  • Collapsible search sidebar: Users can collapse the left sidebar on Graph, Query Builder, and AWF to free up horizontal space on smaller screens.

  • The time machine for selecting a graph snapshot is now part of the left sidebar instead of the top bar.

Usability improvements for Saved Queries:

  • Users can add labels to newly saved queries.

  • Users can now add more than one Alert Rule to newly saved queries.

  • Users can filter saved queries by query labels, integration, risk level, and severity.

Improved attribute filter usability:

  • Query Builder, Access Reviews, and Authorization Graph filters for dates are easier to read and more consistent throughout the UI.

  • A new filter operator enables checking if a property EXISTS.
