Product Update: November'24

Highlights and major changes in Veza 2024.11.x releases

Welcome to the November product update! Our recent releases have delivered significant enhancements across Veza's product suite, with highlights including:

  • Access Intelligence: New risk mitigation burndown charts for tracking resolution trends, and comprehensive dashboard improvements including AWS Risks, Azure AD Risks, and Identity Security Posture Management (ISPM).

  • Access Reviews: Major usability improvements to the reviewer interface, enhanced orchestration capabilities, and new configuration options for review expiration and due dates.

  • Separation of Duties (SoD): Now accessible from the main navigation menu, new overview page, and enhanced SoD query visualization capabilities.

  • Lifecycle Management: Access Profile Intelligence for automated and improved Access Profile creation, lookup tables for attribute transformation, and integration support for Oracle HCM, Exchange Online, Ivanti Neurons, and Oracle Fusion Cloud.

  • Veza Integrations: New integrations for Ivanti Neurons, Device42, Cisco Duo, Zoom, and Exchange Online, plus enhancements to existing integrations including support for Dynamic Data Masking in Snowflake.

Please read on for more details about specific changes in each product area, and contact your Veza representative with any questions or valued feedback.

Access Intelligence

Risk Mitigation Burndown Charts

Last month, we introduced support for assigning owners to individual risks for remediation. Now, you can use Veza to track the resolution of risks over time using burndown charts on the Access Risks page. These new trend charts track both new and resolved risks over the chosen time range.

Dashboards and Reports Enhancements

New and improved dashboards are now enabled by default, including:

  • AWS Risks: Monitoring IAM privileges, access keys, MFA status, and resource access.

  • Azure AD Risks: Tracking privileged users, MFA status, dormant accounts, and global admin risks.

  • Active Directory Risks: Domain admin monitoring, password compliance, service accounts, and group analysis.

  • Identity Security Posture Management (ISPM): Password metrics, MFA adoption, access blast radius, and cross-platform identity mapping.

  • GitHub Security: GitHub Security insights around Access, NHI, and Hygiene.

  • Salesforce, Snowflake, and Okta Risks: Platform-specific security dashboards organized by priority and risk criticality.

As part of our ongoing work to make Dashboards easier to use and take action on, recent releases have included several changes to improve navigation, customization, and risk visibility:

  • Tabbed Dashboard Navigation: You can now switch between views using new tabs, including favorited dashboards and an overview of all available dashboards:

    • Home tab for primary dashboard

    • Favorites tab for quick access to preferred dashboards

    • All Dashboards tab listing all available dashboards

  • Top Risks: Dashboards that contain queries with risks now include a section at the top of the page showing the top 3 risks from the dashboard tiles, calculated based on risk level and change in the specified time range.

  • Custom Reports and Dashboards: Dashboards based on custom Reports now support a full range of filter options, including risk level, labels, and integrations. You can now title individual sections in dynamic reports.

  • Tile Actions: Dashboard tiles now support the action to Schedule PDF Exports via Email.

Separation of Duties (SoD) Enhancements

The SoD feature is now available directly from the main navigation menu, providing easy access to both out-of-the-box queries for detecting SoD violations and a flexible interface for defining combinations of potentially dangerous actions across business processes, roles, and systems.

  • A new SoD overview page shows all queries on a single page, with options to sort and filter by Last Update, Risk Level, Results, User Type, Relationships, and Owners.

Queries created using the SoD builder can now be opened in the full Query Details view, including:

  • Trend visualization with risk level, explanations, and remediation details

  • Results view of users in conflict, including filtering capabilities

  • Integration with standard Query Details actions (Share Link, Schedule PDF Exports via Email, Alert on Change, etc.)

Search Enhancements

  • Swap Entity Selection in QB: A Swap button has been added to QB, enabling switching between source and related entity types with a single click.

  • Pipeline Query Filter Enhancements: If you are using another query (pipeline query) in a query filter, you can now click the name of the query in the Filters section to view that pipeline query's results in a new tab. This helps in quickly evaluating the query and checking its relevance for the query that you are developing.

  • Graph Search: A natural language explanation of the selected path is now shown in Graph Search.

  • Immediate Tag Visibility: Graph actions such as tagging and owner assignment now take place immediately.

  • IdP/HRIS Enrichment for Query Builder: Results can now include information about the human resource information system (HRIS) employee profiles or identity provider (IdP) user identities mapped to users in the query. If enabled for a query, additional columns containing IdP/HRIS data are visible using the Show Destinations option. You can also sort and filter using column groups for the enrichment node type in the table of results.

  • Graph Search Performance: Improved performance when visualizing relationships between authorization entities in Graph Search.

Lifecycle Management

Enhancements

  • Integrations: Extended Lifecycle Management support for Veza integrations:

    • Oracle HCM: Added support for writing back user email addresses.

    • Exchange Online: Added support for creating email addresses and adding relationships to Distribution Lists.

    • Oracle Fusion Cloud: Now available as a provision/de-provisioning target for Lifecycle Management policies.

    • Ivanti Neurons: Added support for Lifecycle Management workflows using Ivanti as a source of identity.

  • Access Profile Intelligence: Access Profile Intelligence now automates the process of setting entitlements on Access Profiles. By taking advantage of the Veza Access Graph, you can now quickly build Access Profiles based on entitlements belonging to an existing "typical" user.

  • Transform Attributes Using a Lookup Table: When configuring attribute transformations, Lifecycle Management now supports referencing a CSV file for transforming one attribute to a corresponding value defined in the lookup table. This is useful for scenarios where attribute transformations cannot be defined algorithmically.

  • Enhanced Access Profiles: The Access Profiles overview page and details view have been updated for better readability when mapping application entitlements to users.

  • Policies and Workflows Usability Enhancements: Many usability and look-and-feel improvements have been added to the Lifecycle Management workflow editor. These changes are currently in Early Access and require a feature flag to be enabled.

Access Reviews

Enhancements

  • Enhanced Row Details: The Row Details sidebar has been enhanced for a more efficient and organized review process. The sidebar has been visually refined overall for an improved mobile layout, with changes including:

    • New collapsible column groups help organize related information more clearly, with your preferred view saved for future sessions.

    • Simplified labels and a cleaner layout make information easier to scan. Empty attributes are now automatically hidden by default, with an option to show or hide all empty non-metadata fields.

    • You can now close the sidebar using the Escape key.

  • Orchestration Actions: Administrators can now configure multiple Orchestration Actions for each trigger type (Approve/Reject/Complete).

  • Enhanced Decision History: Reviewers can now get at-a-glance insight into how user access under review has changed since the last access review, with new visual indicators when rows represent new access or modified access. It's also now possible to see the last decision made on a given row, and when access previously existed but has since been revoked. Any changes in effective permissions since the last review are also now visualized per row.

  • Help Pages in PDF Exports: If a custom help page template is enabled for a configuration, the content is now included when exporting associated reviews.

  • Access Review Settings: Review expiration behavior can now be configured directly from the Access Reviews > Settings page. These global options control whether A) overdue reviews expire immediately once the due time has passed, and B) if incomplete rows are auto-rejected on expiration. Expired reviews are read-only for all users.

  • Review Configurations: Reviews created using saved queries now support the option to enrich results with additional user metadata from an integrated IdP/HRIS system.

  • Time Zone Support: You can now specify a time zone when selecting the review due date.

  • Review Intelligence Policies: Rules for automating row decisions using prior certification data or filter conditions are now consistently labeled as Review Intelligence Policies.

  • Access Reviews API: A preview endpoint is now available for updating review configurations.

Veza Integrations

New Integrations

  • Ivanti Neurons: Our new integration for the Ivanti Neurons HRIS platform synchronizes employee data to enrich search results with up-to-date employee information and streamline access reviews with accurate organizational context.

  • Device42: Discover and analyze users, groups, and permissions within your Device42 environment, for insights into IT asset management and data center infrastructure.

  • Cisco Duo: Visibility into your organization's multi-factor authentication (MFA) infrastructure, including users, access credentials, and administrative roles for Duo Security.

  • Zoom: New integration for gathering authorization metadata from the Zoom collaboration platform, including users, groups, system roles, and their associated permissions.

  • Exchange Online: The Microsoft Azure integration now offers visibility into Exchange Online mailboxes, permissions, and distribution groups, providing insights into mail-related permissions and access controls within Microsoft 365. This includes mapping Exchange Online users to Azure AD identities, mailbox delegations, folder-level permissions, distribution group configurations and shared mailbox access.

  • HashiCorp Vault, Oracle Database, Databricks Unity Catalog: These integrations are now generally available.

Enhanced Integrations

  • Snowflake: Dynamic Data Masking is a Snowflake Enterprise Edition feature that protects sensitive data by selectively masking information at query time based on user roles and access privileges. Veza can now help teams evaluate and visualize these masking policies, and determine which users and roles can access unmasked data. The Snowflake integration now supports relationships between masking policies and the tables, views, and columns they protect, and connects these policies to the Snowflake users, roles, and application roles that can access unmasked values.
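To make the relationships described above concrete, the following Snowflake SQL is an added example (not Veza's code and not part of these release notes) that defines a masking policy, binds it to a column, lists the columns the policy protects, and enumerates the roles and users able to see unmasked values through the role hierarchy. The database `hr`, table `employees`, column `ssn` and role `PAYROLL_ANALYST` are constructed names.

```sql
-- Added example (not Veza's code). All object and role names are constructed.

-- 1. Masking policy keyed on the session's role hierarchy.
--    IS_ROLE_IN_SESSION() honours roles inherited through the hierarchy;
--    CURRENT_ROLE() matches only the primary active role, so a policy written
--    with CURRENT_ROLE() hides data from users who hold PAYROLL_ANALYST only
--    via a parent role, while the grants below would still list them.
CREATE OR REPLACE MASKING POLICY hr.public.ssn_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('PAYROLL_ANALYST') THEN val
    ELSE '***-**-' || RIGHT(val, 4)
  END;

-- 2. Attach the policy to the column it protects.
ALTER TABLE hr.public.employees MODIFY COLUMN ssn SET MASKING POLICY hr.public.ssn_mask;

-- 3. Which tables, views and columns does the policy protect?
SELECT policy_name, ref_entity_domain, ref_entity_name, ref_column_name
FROM TABLE(hr.information_schema.policy_references(policy_name => 'hr.public.ssn_mask'));

-- 4. Which roles (directly or by inheritance) and which users can unmask?
--    Walk the role hierarchy upward from PAYROLL_ANALYST: any role granted
--    PAYROLL_ANALYST, transitively, satisfies IS_ROLE_IN_SESSION().
WITH RECURSIVE unmask_roles AS (
  SELECT 'PAYROLL_ANALYST' AS role_name, 0 AS depth
  UNION ALL
  SELECT g.grantee_name, r.depth + 1
  FROM snowflake.account_usage.grants_to_roles g
  JOIN unmask_roles r ON g.name = r.role_name
  WHERE g.granted_on = 'ROLE'
    AND g.granted_to = 'ROLE'
    AND g.deleted_on IS NULL
)
SELECT r.role_name,
       r.depth,                         -- 0 = the role named in the policy
       u.grantee_name AS user_name       -- NULL if no user holds the role directly
FROM unmask_roles r
LEFT JOIN snowflake.account_usage.grants_to_users u
  ON u.role = r.role_name
 AND u.deleted_on IS NULL
ORDER BY r.depth, r.role_name, user_name;
```

The last query is the manual version of the review the passage describes: the set of users who can read `ssn` in clear is not just the users granted `PAYROLL_ANALYST`, but everyone holding any ancestor role, which is why the recursive walk over `grants_to_roles` is needed. `ACCOUNT_USAGE` views lag live state by up to a couple of hours, so treat the result as a posture snapshot rather than a real-time check.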

  • Beeline: Added support for configuring custom identity mappings for Beeline users.

  • Okta: Okta Applications now support the additional attributes Features, Status, Visibility.hide.iOS, Visibility.hide.web, SignOnMode, OauthClient.application_type, and ImplicitAssignment.

  • Privacera: Added support for self-managed Privacera integration using basic HTTP authentication.

  • Salesforce: Salesforce Users now have the Created At attribute.

  • Workday: Added support for ignoring specific Worker data using string matching.

Note: Releases can include additional bug fixes and performance improvements that are not detailed in these notes. For more information about any features or bug fixes, please contact your Veza representative.
