Product Update: July '24

Highlights and major changes in Veza 2024.7.x releases

Our July 2024 releases featured improvements across Access Intelligence, Access Reviews, and Lifecycle Management and introduced the Veza Access Portal for managers to gain visibility into their direct reports’ access. Some notable changes, all designed to help you improve your control and visibility over your access landscape, include expanded dashboards for tracking non-human identities, the introduction of granular risk levels, and enhanced support for access keys and other machine credentials.

We've also added early access features aimed at simplifying team access management. Redesigned overviews and a new reviewer experience provide tools for managers to oversee and review direct reports' access. Additionally, we've continued to build and enhance integrations to expand Veza's support for modern data systems and SaaS applications.

Read on for more details about specific changes by product, and please reach out to our team with your questions and invaluable feedback.

Access Intelligence

  • Non-Human Identities: Last month, we introduced a series of dashboards focused on managing non-human identities (NHI), now augmented by new out-of-the-box assessment queries. You can modify these queries to meet specific needs for visibility across integrated data sources, including:

    • Inactive identities that can access keys and secrets.

    • Non-human identities that are not active and can use access credentials.

    • New keys, secrets, and access credentials.

    • Keys and secrets that have not been rotated.

  • Expanded Risk Levels: For more flexible risk management and compatibility with external systems, saved queries now support the following risk levels: LOW, MEDIUM, HIGH, or CRITICAL (previously CRITICAL and WARNING). Risk scores now take the updated risk levels into account, and dashboards are now filtered to focus on critical and high-risk entities. You may want to review and adjust existing queries, alerting rules, and reports to align with the new risk score thresholds.

  • Remediation Details: Queries with a risk level can now include specific remediation details and instructions, editable when saving or editing a query. Any other user can reference this information on the Risks page by clicking the expand icon to view risk details. Veza now provides this context out-of-the-box for all CRITICAL risks. We plan to add more remediation details for current and upcoming integrations.

  • Access Key Attributes: All entities with the “Key” type now always have common filterable attributes: Is Active, Created At, Last Used At, and Last Rotated At.

  • Enrichment Rules for Non-Human Identities: Administrators can now configure saved queries to automatically mark identities as “human” or “non-human” at parse time on the Integrations > Enrichment page.

Access Portal

This month, we're excited to release our newest features intended to help managers understand and review access for members of their team. Initially integrating with Access Intelligence and Access Reviews, the Veza Access Portal provides a centralized hub for non-technical people managers to complete important access-related tasks.

  • Manager-Centric Access Reviews: A fully re-imagined Access Review experience designed for managers is now available in Early Access. This experience enables faster review of direct reports’ access, better visibility into outstanding review tasks, and the ability to review and sign off on all access for a direct report – across all applications under review, on a single page.

  • My Team: This landing page, powered by Access Intelligence, offers quick insights for managers into the level of access for their direct reports. Managers can use this overview to inspect the top roles and resource types for each of their direct reports and filter on specific data sources.

Please reach out to our customer success team to learn more about enabling Access Portal, now available in Early Access for evaluation and feedback.

Access Reviews

  • Display Column Customization: Custom default display columns can now be configured via API for all reviews of a particular configuration. Default display columns can now include metadata about a related identity provider (IdP) user or employee profile in a connected human resources information system (HRIS) when enrichment is enabled in the review configuration.

  • Review Exports: The complete review and configuration details, data source status, completion statistics, and reviewer information are now included when exporting active or completed reviews to PDF, along with the row and relationship metadata.

Lifecycle Management

  • GitHub: Added support for GitHub as a provisioning target.

  • Okta: Added support for Okta as a Lifecycle Management source.

  • Email Notification Customization: Email notifications triggered by Lifecycle Management workflows can now be customized using an API.

  • Orchestration Actions: Lifecycle Management workflows can now trigger events in downstream systems such as Slack or Jira, using a built-in orchestration action or a custom webhook.

  • Policies: Added support for pausing and resuming Lifecycle Management policies.

  • Manual Workflows: It is now possible for administrators to manually run a workflow for any identity.

  • Attribute Transformers: Additional transformers are available when syncing attributes.

  • Azure: Added support for setting custom attributes on provisioning targets, and revoking access to SharePoint Online and OneDrive on termination.

  • Active Directory: Added support for removing users from the Global Address List.

Integrations

New integrations

  • Data Systems: Apache Cassandra, Oracle Database

  • SaaS Apps: Fastly, HubSpot, Smartsheet, Boomi

Enhancements

  • AWS RDS: AWS integration configurations can now limit RDS extractions to the database level, skipping lower-level entities such as Schemas and Tables. Added support for using AWS Secrets Manager to integrate with Oracle Database on RDS.

  • Coupa: Integration configuration now includes an option to directly map permissions to roles using an exported Coupa report.

  • Microsoft Azure: The Azure integration now supports Azure Entra ID Devices and Storage Account Access Keys.

  • Salesforce: Improved parse times for large Salesforce environments.

  • SCIM: Added support for authenticating with OAuth 2.0 Client Credentials.

  • SharePoint: Max folder depth is now configurable by your Veza support team (default 2).

  • Snowflake: The Snowflake integration can now discover Snowflake Application Roles granted to account roles and other application roles, and supports access monitoring for Snowflake Secrets.

  • Snowflake: Snowflake tables and views now have a Has Masking Policy attribute denoting which have masking policies applied to them.

  • Windows Server: Upgraded to support .NET 8.0.

  • Workday: Workday Workers now have an attribute showing their Management Level ID. Workday Domain Security Policies now have a new attribute Using Parent Permissions, indicating if the policy inherits from its parent policy.

  • Workday: Administrators can now specify built-in Worker attributes in the Properties to Redact field when configuring the Workday integration. These attributes are skipped during extraction and appear as REDACTED in search results and Worker details.

  • New saved queries are now provided out-of-the-box for popular integrations: HashiCorp Vault, BlackLine, 1Password, CrowdStrike, Egnyte, Jenkins, Zscaler, Confluent, and Delinea.

Platform

  • Audit and Event Log Export: Administrators can now configure a recurring export of audit logs and platform events to an external Snowflake database for continuous synchronization. When scheduled exports are enabled, audit and/or event data is exported in a tabular format for analysis and storage.

  • Integration Extraction Intervals: On the System Settings page, admins can now customize extraction intervals for OAA-based integrations on a per-integration basis (such as individual frequencies for SCIM, Anaplan, or Jira Data Center). The original options to set extraction intervals globally or by template type are also available.

  • Role Mappings: Administrators can now directly map SAML groups to non-root teams and roles when configuring single sign-on. This option eliminates the need to remap claims within your identity provider and is now in Early Access for customers using Entra ID.

Product Design and Usability

  • Access Intelligence: Breadcrumbs now preserve workflow history and are shown consistently when traversing the Access Intelligence section. For example, when browsing from the Saved Queries page to Analyze a single query, and then opening it in Query Builder, shortcuts provide easy access to each recently-visited page.

  • Access Visibility: The Query Builder column picker now includes a "Select All" option to show or hide all columns within a group. When a user saves a query with Show Destination Nodes checked, the Show Destination Nodes option is now enabled when re-opening the saved query.

  • Access Reviews: Rows with decisions auto-applied due to a Review Intelligence Rule are no longer hidden by default. Before, the Include rows with decisions by other reviewers filter had to be active to show these rows.

  • Lifecycle Management: Administrators can now more easily understand and make changes to Lifecycle Management configuration, with a series of enhancements for improved access profile and policy management, especially around workflows, identities, transformers, and notifications.

  • Integrations: Starting an extraction now requires a confirmation, informing the user that a currently running job will be canceled. When adding custom identity mappings for an Identity Provider, you can now type to search the dropdown menu.

  • Platform: Introduced separate management for personal and team API keys on the API Keys page, with team key creation and administration now done on a dedicated tab (Early Access).
