Product Update: May'24

Highlights and major changes in Veza 2024.5.x releases

Welcome to the May 2024 Veza Product Update! As always, we’ve been hard at work developing new features and products, alongside incremental changes shipped in our weekly releases. We’re excited to share some highlights to help you make the best use of our latest capabilities.

Some of these changes include improved visibility into non-human identities (NHI), fully redesigned and customizable dashboards on the Veza home page, and advanced export to Snowflake. We’ve also improved programmatic user management, enabled access reviews from saved queries, and added and enhanced integrations to support a wider range of SaaS applications.

The product team is committed to continuously improving your experience with Veza and would love your feedback on the changes. Please read on to explore all the newest improvements, designed to empower your identity security and access management practices.

Access Intelligence

  • Built-In Dashboards: A range of new Dashboards now offer visibility and actionable intelligence across integrated systems:

    • Dormant Entities Report: This report summarizes users, groups, and roles that have not accessed resources they have permissions on. It is now included in Veza's main dashboards when Activity Monitoring is enabled, including new out-of-the-box queries such as Okta users with dormant access to AWS Secrets Manager secrets.

    • Identity and Privilege Access Insights: This built-in report, which surfaces least privilege violations and trends for users, groups, and service accounts across integrations, is now available as a single-tile dashboard.

    • SaaS Security Posture Management (SSPM) Dashboard: Trends and insights for identity risks in SaaS applications, based on out-of-the-box Veza queries you can customize for your environment.

    • The AWS IAM Insights and Google Cloud IAM Insights reports are now featured dashboards, shown on login whenever the corresponding integration is enabled.

  • Customizable Dashboards: Individual users can now choose and re-order dashboards to include on the Veza home page using a dropdown menu.

  • Snowflake Export: Additional statistics are now included as columns when exporting query results to Snowflake, indicating the last extraction and parse time for the source and destination entities. Veza administrators can now use the Saved Queries > Query Export tab to view the status and schedule for exports created by any user.

  • Alert Rules Support Multiple Rules & Multiple Actions: You can now configure more than one rule for a single query. This is useful for triggering actions and alerts at different thresholds, representing the increasing severity of the risk. You can also now configure multiple actions for any given rule, for example, to both send an email and file a Jira ticket.

  • Dashboard Actions: Users can now run a wider range of actions directly on any query in a report: Open In QB, Expand, Analyze (to slice and dice the results), Share, Open In Graph, Alert On Change, or Create Rule. Dashboards now offer additional options to Export, Share, Edit, Clone, or Delete the dashboard report.

  • Access Comparison for Users and Roles: You can now compare any two users or roles to see if they have similar attributes, or have the same access assignments to another entity such as a local user, resource, or group. Comparison is typically used to check if a newly added group or role is equivalent to a pre-existing entity used as a baseline.

Access Visibility

  • Explain Assumed Roles: In Graph search, you can now better understand and investigate how policies, policy statements, and group memberships allow one IAM role to assume another role and inherit its permissions. Click on an AWS IAM Role to open the sidebar and use the Explain Assume Role action to inspect how different roles are assumable by a given role, with the option to save the view as a PNG.

  • Query Pipeline Filters: You can now use the NOT operator when adding a saved query filter. This will cause the main query to exclude any results in the output of the sub-query.

  • Graph Supertypes: In Veza search, supertypes are entity types that group multiple similar entities. For example, the User supertype includes AWS IAM Users, Okta Users, Snowflake Local Users, and others. Similarly, the Key supertype encompasses AWS Secrets Manager Secrets, Microsoft Azure Keys, etc. You can now use supertypes in search to construct advanced queries that span several entity types at once. When selecting a supertype in the query builder, you can apply a subfilter to restrict the query to specific sub-types (such as only Okta User and AWS IAM User entities within the User supertype).

  • Non-Human Identities: A new attribute named “Identity Type” is available for all entities with the Identity supertype. It indicates whether the entity is HUMAN or NON-HUMAN, as determined by Veza’s algorithms for auto-detecting human and non-human identities. Entities that can be non-human identities include:

    • AWS: EC2 Instance, EKS Cluster, EMR Cluster, Lambda Function

    • Microsoft Azure: AD Enterprise Application, AKS Cluster, Azure VM

    • Google Cloud: Compute VM, Run Service Instance, Kubernetes Engine Cluster
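Assume-role chains are the relationship the Explain Assume Role action above visualizes. The following is an added example, not Veza's code or data model: it reads constructed IAM trust policies and identity-based statements for four hypothetical roles (the ARNs, account IDs and every policy statement are assumed for illustration) and walks the resulting graph to list every role a starting role can reach by chaining sts:AssumeRole, including roles whose trust policy never names it directly.

```python
"""Assume-role chain analysis over IAM trust and identity policies.

Added illustration; not Veza's implementation. All ARNs, account IDs and
policy statements below are constructed for the example.
"""
from collections import deque

ACCT_A = "111111111111"  # constructed account IDs
ACCT_B = "222222222222"


def role_arn(account: str, name: str) -> str:
    return f"arn:aws:iam::{account}:role/{name}"


def account_of(arn: str) -> str:
    return arn.split(":")[4]


def as_list(value):
    """Action, Resource and Principal.AWS may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_assume(actions) -> bool:
    return any(a in ("*", "sts:*", "sts:AssumeRole") for a in as_list(actions))


CI, DEPLOYER = role_arn(ACCT_A, "ci-runner"), role_arn(ACCT_A, "deployer")
SECRETS, PROD_ADMIN = role_arn(ACCT_A, "secrets-reader"), role_arn(ACCT_B, "prod-admin")

# Constructed trust policies: the Statement list of each role's trust policy.
TRUST = {
    CI: [],  # assumable only by a service principal; no role can chain into it
    DEPLOYER: [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": CI}}],
    SECRETS: [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"AWS": f"arn:aws:iam::{ACCT_A}:root"}}],  # any ACCT_A principal with sts rights
    PROD_ADMIN: [{"Effect": "Allow", "Action": "sts:AssumeRole",
                  "Principal": {"AWS": DEPLOYER}}],
}

# Constructed identity-based statements effective on each role (direct or via attached policies).
IDENTITY = {
    DEPLOYER: [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}


def can_assume(src: str, dst: str) -> bool:
    """Can role `src` successfully call sts:AssumeRole on `dst`?

    Rule implemented here (an assumption of this example, following AWS's
    documented evaluation as the author understands it):
      1. dst's trust policy must Allow sts:AssumeRole for src, src's account root, or "*".
      2. If src is named explicitly and both roles are in the same account, that is enough.
      3. Otherwise (cross-account, or trusted only via account root / wildcard), src also
         needs an identity-based Allow for sts:AssumeRole on dst.
    An explicit Deny in either policy wins.
    """
    src_root = f"arn:aws:iam::{account_of(src)}:root"
    trusted = explicit = False
    for stmt in TRUST.get(dst, []):
        if not allows_assume(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        names = as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        named, broad = src in names, (src_root in names or "*" in names)
        if not (named or broad):
            continue
        if stmt["Effect"] == "Deny":
            return False
        trusted, explicit = True, explicit or named
    if not trusted:
        return False
    if explicit and account_of(src) == account_of(dst):
        return True
    allowed = False
    for stmt in IDENTITY.get(src, []):
        if not allows_assume(stmt.get("Action")):
            continue
        if not any(r in ("*", dst) for r in as_list(stmt.get("Resource"))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def assumable_roles(start: str) -> dict:
    """Breadth-first search of the assume-role graph.

    Returns {role: path} for every role `start` can reach by chaining.
    Transitive reach is what matters for privilege analysis: ci-runner never
    appears in prod-admin's trust policy, yet it reaches prod-admin via deployer.
    """
    paths, seen = {}, {start}
    queue = deque([(start, [start])])
    while queue:
        cur, path = queue.popleft()
        for dst in TRUST:
            if dst not in seen and can_assume(cur, dst):
                seen.add(dst)
                paths[dst] = path + [dst]
                queue.append((dst, paths[dst]))
    return paths


if __name__ == "__main__":
    for role, path in assumable_roles(CI).items():
        print(role, "via", " -> ".join(p.rsplit("/", 1)[1] for p in path))
```

The same-account shortcut in step 2 is the detail most often missed when reasoning about role chains by hand: ci-runner has no sts permissions of its own, yet it can step into deployer because deployer's trust policy names it, and from there inherit everything deployer can reach.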

Activity Monitoring

  • Last Usage Date in Query Builder: When available, a Last Used column indicates the last activity date for a source and destination pair.
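As an added example (not Veza's implementation), the following joins effective grants against an activity record to reproduce what the Dormant Entities Report and the Last Used column describe: the last-used timestamp per source/destination pair, the grants that have gone unused past a threshold, and the principals whose access is entirely dormant. The grants, secret ARNs, identities, events and the "today" timestamp are all constructed for the example.

```python
"""Dormant-access detection: grants that exist but have not been exercised recently.

Added example; not Veza's report logic or data. The grants and activity
records are constructed to mirror the case of Okta users with access to
AWS Secrets Manager secrets.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Tuple


class Grant(NamedTuple):
    principal: str        # identity that holds the permission
    principal_type: str   # e.g. OktaUser, AWSIAMRole
    resource: str         # e.g. a Secrets Manager secret ARN
    permission: str


class Activity(NamedTuple):
    principal: str
    resource: str
    at: datetime


SECRET_DB = "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/db"   # constructed
SECRET_API = "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/api"  # constructed
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)                             # constructed "today"

GRANTS = [  # constructed effective permissions, as an authorization graph would report them
    Grant("alice@example.com", "OktaUser", SECRET_DB, "secretsmanager:GetSecretValue"),
    Grant("alice@example.com", "OktaUser", SECRET_API, "secretsmanager:GetSecretValue"),
    Grant("bob@example.com", "OktaUser", SECRET_DB, "secretsmanager:GetSecretValue"),
    Grant("deploy-bot", "AWSIAMRole", SECRET_API, "secretsmanager:GetSecretValue"),
]

ACTIVITY = [  # constructed access events (e.g. from CloudTrail GetSecretValue calls)
    Activity("alice@example.com", SECRET_DB, datetime(2024, 5, 10, tzinfo=timezone.utc)),
    Activity("alice@example.com", SECRET_API, datetime(2023, 12, 1, tzinfo=timezone.utc)),
    Activity("deploy-bot", SECRET_API, datetime(2024, 5, 1, tzinfo=timezone.utc)),
    Activity("deploy-bot", SECRET_API, datetime(2024, 5, 14, tzinfo=timezone.utc)),
    # bob has never touched prod/db
]


def last_used(activity: List[Activity]) -> Dict[Tuple[str, str], datetime]:
    """Most recent event per (principal, resource): the Last Used value for a source/destination pair."""
    latest: Dict[Tuple[str, str], datetime] = {}
    for a in activity:
        key = (a.principal, a.resource)
        if key not in latest or a.at > latest[key]:
            latest[key] = a.at
    return latest


def dormant_access(grants, activity, now, max_idle_days=90):
    """Grants whose (principal, resource) pair shows no activity within max_idle_days.

    Returns (grant, last_used) pairs; last_used is None when the pair was never
    exercised at all, which is the strongest candidate for removal.
    """
    usage = last_used(activity)
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for g in grants:
        used = usage.get((g.principal, g.resource))
        if used is None or used < cutoff:
            dormant.append((g, used))
    return dormant


def summarize_principals(dormant, grants):
    """Per-principal roll-up: (dormant grants, total grants, entirely dormant?).

    An entirely dormant principal is what a dormant-entity report lists; a
    partially dormant one is a least-privilege trimming candidate instead.
    """
    total = defaultdict(int)
    idle = defaultdict(int)
    for g in grants:
        total[g.principal] += 1
    for g, _ in dormant:
        idle[g.principal] += 1
    return {p: (idle[p], total[p], idle[p] == total[p]) for p in total}


if __name__ == "__main__":
    found = dormant_access(GRANTS, ACTIVITY, NOW)
    for g, used in found:
        print(f"{g.principal_type} {g.principal} -> {g.resource}: last used {used or 'never'}")
    for p, (i, t, whole) in summarize_principals(found, GRANTS).items():
        print(f"{p}: {i}/{t} dormant{' (entirely dormant)' if whole else ''}")
```

Keeping "never used" distinct from "used, but too long ago" matters in practice: the former is usually safe to revoke outright, while the latter may be a quarterly or break-glass path that a reviewer should confirm before removing.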

Access Reviews

  • Access Reviews from Saved Queries: When creating a Review Configuration, you can now use a saved query to specify the access relationships to review. You can use this to review any users that meet risk criteria or define more complex conditions using saved query filters.

  • Access Review Scheduling: Review scheduling frequency is now more customizable, enabling recurring review campaigns on a biweekly, monthly, every other month, or quarterly basis. When creating a schedule, you can now preview the upcoming dates when the review will trigger.

  • Source-Only Access Reviews: Access review queries no longer require a destination entity type, so you can now specify a single source entity type (such as groups, users, or roles) to approve, reject, and sign off.

  • Access Review Enrichment: Access reviews for local users can now show enriched user details with additional metadata from the related Identity Provider identity or HRIS profile. For example, this provides visibility into attributes such as Title or Department alongside local user details in an access review. When auto-assigning reviewers, Veza will use the linked IdP or HRIS user's Manager attribute to identify a reviewer for that row.

  • Reviewer Interface Filters: For improved flexibility when selecting rows in an access review, filters on decisions can now use the Not Equal operator (for example, show rows not Rejected).

  • Access Review Export: Exporting the list of Reviews now includes additional metadata, including the remaining work, last modification date, and remaining rows for all items.

  • Usability Improvements: To indicate the draft or publication status of an Access Review, the publication date is now shown on the Access Reviews overview page and the review details sidebar. We’ve also generally improved performance for reviewers when loading assigned Access Reviews.

Integrations

New Integrations

  • BitBucket Data Center: Self-managed BitBucket editions, previously supported only through an OAA connector, now have a built-in integration that discovers workspaces, users, projects, and repositories.

  • Jamf: New integration for discovering users, groups, and sites within Jamf Pro.

  • PTC Windchill: Discovers users, groups, and projects for the Windchill Product Lifecycle Management (PLM) system.

  • Tableau: Discovers users, groups, and projects on the Tableau Cloud business intelligence platform.

Enhancements

  • Snowflake: Added support for discovering additional entity usage attributes. An administrator will need to update the integration permissions to collect new metadata:

    • Table: last altered, last accessed at.

    • View: last altered, last accessed at.

    • Database: last altered, last accessed at.

    • Local User: owner.

  • Oracle EPM: Added support for skipping discovery of Identity Domain Administrator (IDM) roles. Extracted IDM roles are now identified with the attribute is_idm_role.

  • Workday: Added support for custom property types: Self-referencing instance, Currency, Rich Text, Date Time, and Time Zone.

  • GitHub and GitLab: Improved visualization of projects shared between groups.

  • Salesforce: Enhanced support for Salesforce Permission Sets and optimized our effective permissions model for improved parsing times and query performance.

Open Authorization API

  • Identity Mapping for OAA Apps: Custom Identity Mappings can now apply to individual custom applications. Previously, a mapping applied to every integration created from the same Open Authorization API template.

  • Comparison for OAA-based integrations: You can now compare entities from Custom Applications and Custom Identity Providers.

  • Custom Application Native IDs: The Custom Application template now supports a native_id property for all entities, for entering a predictable and provider-specific unique ID. This enables a provider-defined and queryable ID as an alternative to the Veza-generated ID property.

  • Email attributes: Custom Application Local Users now have a built-in email attribute, which is always case-insensitive for search purposes. This should provide a consistent field for apps that store addresses in a different format than expected.

Lifecycle Management

  • Added preliminary support for Google Workspace and AWS Identity Center as provisioning targets.

Platform

  • Added new v1 User Management APIs for managing users and updating team and role assignments: Update User, and List Roles.
