Product Update: January'25

Highlights and major changes in Veza 2025.1.x releases

Welcome to the January product update. Our recent releases have focused on improvements to dashboard functionality, enhanced monitoring capabilities, and streamlined workflows across the platform, including:

  • Access Intelligence: New out-of-the-box dashboards for privileged access, service account governance, and identity insights, plus enhanced dashboard actions and improved alert management.

  • Access Monitoring: New BigQuery activity monitoring with Over Provisioned Access Score calculations for users and service accounts.

  • Access Reviews: Introduction of 1-Step Access Reviews (Early Access), customizable email templates, and improved notification management.

  • Access Visibility: New Path Selection feature in Graph search for precise relationship exploration and filtering.

  • Lifecycle Management: Enhanced policy version history with restore capabilities and new action grace periods.

  • Integrations: New Qualys and Microsoft Teams integrations, plus enhanced support for Azure AD, Coupa, GitHub, and Oracle EBS.

  • Veza Platform: Introduction of the CSV Manager Role and improved event subscription management.

See each section for more details about specific changes in each product, and please contact your Veza representative with any questions or feedback.

Access Intelligence

Enhancements

  • New out-of-the-box dashboards: New dashboards are available featuring curated detection queries, designed to be shared across teams for visibility into important trends:

    • Privileged Access Dashboard: Privileged Access Insights across cloud environments, SaaS, IdP, and integrated databases.

    • Service Account Governance: Insights into Service Accounts across Active Directory, AWS, Microsoft Azure, GCP, Okta, Salesforce, and ServiceNow.

    • IDP Identity Insights: Identity insights across identity provider identities and groups, and local identities.

    • Okta Activity Report: Insights into Okta User, Admin, and App activity (requires Activity Monitoring).

  • Dashboard Actions and Enhancements: We've continued to improve the usability of favorite dashboards and to make dashboard insights more actionable and easier to interpret.

    • You can now use dashboard tile actions to schedule query results export to PDF, CSV, or Snowflake.

    • Dashboard tile actions now include a shortcut to trigger on-demand Access Reviews for the query results with Alert Rules.

    • New out-of-the-box dashboards are now labeled for easier identification, and are now included on the list of favorite dashboards by default.

    • When viewing a dashboard in the Dashboard view, the header now includes labels showing if the dashboard is system-created and the last edit date.

    • You can now search across all favorite dashboards and quickly add or remove favorites by clicking the star icon next to the active dashboard's name.

    • Dashboard tiles are now color-coded to indicate the risk severity level (none, low, medium, high, or critical).

    • You can now use the Export menu to download the active dashboard in CSV format or schedule recurring exports to an allowed email recipient.

  • Improved Alerts and Webhooks: You can now retry failed actions for alert events using the Rules and Alerts > Alert Details view. Each event now shows the triggered action, indicates if the event succeeded or failed, and includes the full error message if available.

  • Design and Usability Enhancements

    • The layout on the Query Details > Results tab now has a more consistent look and feel.

    • The Access Intelligence landing page now provides a streamlined overview of configured integrations and entity types, with options to export, share, or view details in Query Builder.

    • The Dashboards favorites tab is now shown by default when logging in to Veza.

    • The Tagged Entities page for tag-based search is now located with other search features in the Access Visibility section.

    • Menu and tab names have been shortened for better readability throughout the Access Intelligence section.

    • Burndown charts have been removed from the Risks overview.

    • Access Intelligence views now have a standardized color scheme and more consistent filter organization across pages.

Access Monitoring

New Features

  • Access Monitoring for Google BigQuery: The Google Cloud integration now supports activity monitoring, including Over Provisioned Access Score calculations for users and service accounts with unused permissions on BigQuery datasets and tables.

Non-Human Identities (NHI)

Enhancements

  • The NHI Accounts overview now includes a Share button for copying a link to the current filtered view.

  • The NHI Accounts page now includes columns to show the Account Created date and total Authentication relationships, with a link to open the related entities in Query Builder.

Separation of Duties (SoD)

Enhancements

  • Bulk Export for SoD Queries: The Separation of Duties overview page now supports exporting query results in bulk, with up to 10 simultaneous CSV exports.

  • Design and Usability Enhancements:

    • When viewing details for queries with a risk level, any details or mitigating controls documented in the Risk Explanation and Risk Remediation fields now appear above other query metadata.

    • The Separation of Duties overview page now includes a Last Updated By column for visibility into changes across all configured SoD rules.

Access Visibility

Enhancements

  • Path Selection and Filtering: Graph search now features a Path Selection sidebar for exploring and filtering entity relationships with greater precision. When hovering over a node to see its connections and clicking the circle indicator on its edge, the graph locks that path and opens the new sidebar. From there, you can use a step-based builder to select specific incoming or outgoing connections, progressively filtering the view to focus on particular relationships with the original root node as an anchor point. You can use the sidebar to inspect specific permissions and relationships within the locked path, and open detailed attributes for any entity.

  • Query Builder percentage filters now support the use of AND and OR operators.

  • Query Builder CSV export now always includes all results in a single file.

  • In Graph search, you can now change the page size of the column details modal.

  • Graph Explain Effective Permissions view now has scrollbars for better usability.

Access Reviews

Enhancements

  • 1-Step Access Reviews (Early Access): Administrators can now create access reviews in a single step. Although still supported, the preliminary step of creating a review configuration is no longer necessary. When this feature is enabled, the primary Access Reviews > Reviews page offers two options to create a review: "1-Step" or "Use Configuration". The 1-Step review builder offers a simplified workflow for selecting a review scope using the quick builder (covering common review scenarios for integrations such as Active Directory, Microsoft Azure AD, SharePoint, Okta, NetSuite, Salesforce, AWS, and more) or using a saved query.

  • Email Template Customization: Administrators can now customize the content of email notifications using HTML templates on the Access Reviews > Settings page. This provides a convenient way to customize default messages sent to reviewers and other stakeholders, previously configurable via API.

  • Streamlined Notification Settings: Reminder and escalation notifications are now enabled under the Advanced Notifications menu when creating a review configuration. Administrators are now encouraged to use Digest Notifications to prevent excessive notifications to reviewers, with the option to use review-specific notifications when needed.

  • Enhanced Group By (Early Access): When using the Group By option to organize rows in the reviewer interface, you can now group by Risk Level, Role, Group, and Status (rows changed since the last review).

  • Review Export Enhancements:

    • Exports now include a column indicating the "% Completed" of total rows.

    • PDF exports now include the query description.

    • Exports now show the signed off and decision states with human-readable labels: "Signed Off", "Not Signed Off" / "Accepted", "Rejected", "Fixed", or "No Decision".

    • PDF exports now include additional row completion details for each reviewer, including the total number of signed-off approved or rejected rows, total rows not acted on, and reviewer details.

  • New Filter Operators "Exists" and "Does not exist" are now supported for most fields to filter by empty or any value. Example: Show all rows where Manager DOES NOT EXIST.

  • SharePoint: Folder name rejection notification messages now show the full SharePoint folder path (Parent Path + Name).

  • Orchestration Actions: "Reviewer Change" events now include the full row details in the JSON payload.

  • Added a global and per-review configuration setting to enable Access Intelligence. When enabled, the Risk Score and Risk Level columns are shown by default in the reviewer interface. When disabled, these columns are still available but must be enabled manually.

  • The reviewer interface now respects column name overrides set at the workflow level. These column_name_overrides are currently customizable via API, with general availability planned for a future release.

  • Reviewer Notes: When configuring pre-defined decision notes, you can now choose to show or hide the other option. This can be used to prompt users to always add a predefined note instead of allowing both choices.

  • Design and Usability Enhancements:

    • The primary Access Reviews landing page is now the Access Reviews > Reviews overview (instead of the Access Reviews > Configurations list).

    • The Configurations page has been simplified and redesigned to use the latest Veza Design System components for searching and editing configurations and scheduling reviews.

    • Exporting the current column selection now defaults to selecting all displayed columns in the reviewer interface, and the Decision and Signed Off columns.

    • A tooltip now provides naming guidelines when creating configurations.

Veza Integrations

New Integrations

  • Qualys: New integration for visibility into resources, users, roles, and permissions on the Qualys platform.

  • Microsoft Teams: The Azure integration now supports discovering teams, channels, and guest users in Microsoft Teams.

Enhancements

  • Azure AD Users now have the "Guest" attribute.

  • Coupa Users now have the "Supply Chain User" attribute.

  • GitHub Repositories now have the "Owner" attribute.

  • The Oracle EBS integration now supports Menu Binding entities.

  • Added support for custom identity mappings to OAA HRIS and custom identity provider integrations.

  • Added out-of-the-box assessment queries for Microsoft Teams.

Lifecycle Management

New Features

  • Policy lifecycle management for Lifecycle Management policies: Lifecycle Management policies now include the full version history, enabling better visibility into previous policy configurations and the ability to restore prior versions. The full history is now available using Actions > See Version History in the policy editor. You can use this view to inspect earlier versions, set an older version as the current draft, and publish or discard the current draft.

Enhancements

  • Access Profile Intelligence: Supports specifying multiple users or entire groups of users (e.g., all users in a common department) to determine overlapping entitlements when creating or editing Access Profiles. This helps accelerate the creation of Access Profiles and helps ensure that entitlements are properly set for the given cohort of users. Filtering by percent overlap is also supported.

  • Action Grace Periods: Policies now support configuring a grace period to delay individual actions in a workflow.

  • Multiple Policy Drafts: You can now restore, create, and save draft versions directly from the Policy Detail view. Previously, only the most recent draft was shown in the user interface.

  • Design and Usability Enhancements

    • All tables now have updated row styling for better consistency when navigating between Lifecycle Management pages.

    • When opening rows to show the details sidebar (such as for an identity on the Identities page or a profile on the Access Profiles page), the selected row is now highlighted for clarity.

    • Long text strings are now shown in full when hovering in the Access Profile details view.

    • Access Profiles that are inherited by another profile can no longer be deleted.

    • When creating a policy and choosing an integration, integrations associated with existing policies are now grayed out to indicate they cannot be selected.

    • You can now get detailed data source information for troubleshooting purposes (such as Lifecycle Management Data Source IDs) by clicking the magnifying glass icon next to the "Lifecycle Management: Enabled" badge in integration details.

Access Requests

New Features

  • Ability to create guest accounts in Microsoft Entra ID via API: Adds support for programmatically initiating the creation of guest accounts in Microsoft Entra ID (formerly known as Azure AD) using a guest email address.

  • Ability to auto-create entitlements for supported IDPs: Administrators can now create Access Profiles for use by Access Requests, Lifecycle Management, or both, to auto-create entitlements in various IDPs, including:

    • Azure AD (Groups, Roles, and Exchange Distribution Groups)

    • Okta (Groups)

    • AWS (AWS SSO Group)

    • Google Cloud (Groups)

    Note: The ability to automatically create groups in Active Directory was previously supported.

  • Create Entitlement: Support max length for attributes: Allows limiting a resulting group name to a maximum number of characters, such as 64 characters for Active Directory groups.

  • Create Entitlements: Lookup identities attributes: Supports using the attributes of the user who is creating an Access Profile to set Access Profile field values.

  • Access Profile on Access Hub: Changes for improved management of Access Profiles on the Access Hub, including:

    • Preventing editing of the Access Profile name if the Access Profile Type has "Create Entitlement" selected.

    • Columns in the Access Hub Access Profile table now indicate the Name, Description, Integration Types, and Status.

    • In Use and Last Published date now appear in sidebars and detail pages.

    • If the Access Profile Type does not allow inheritance, it no longer shows the "Inherited Profiles" tab.

  • Support for Access Request approver policies, including defining users who can or cannot approve or revoke access requests.

Enhancements

  • Active Directory group entitlement creation updates: These include splitting the Distinguished Name into Name and BaseDN and adding new, non-required attributes, including Description, IsSecurityGroup, GroupScope (Domain, Global, Universal), and MemberOf (parent group).

  • Added support for creating a new entitlement if none exists when creating a new Access Profile Type.

  • More graceful management of Access Profiles for more than 2 Access Profile Types. Note: By default, all customer tenants running Lifecycle Management and/or Access Requests start by supporting only the following Access Profile Types: Profiles and Business Roles.

  • Access Request UX enhancements

    • Added support for all access request states

    • Now shows the Action History tab under Details

    • Now shows the Access Plan tab under Details

    • Now shows the Events tab under Details

  • Access Profile owners are listed as Owners in the graph: When viewing an Access Profile in the graph, the Owner property lists the owner(s) of the Access Profile.

  • Access Catalog view in the Access Hub split into Assigned vs Requestable items: The Access Catalog is now logically separated between catalog items already assigned to the user and catalog items available for request.

  • Pending access request banner now displayed in the Access Hub: When a user has a pending access request to approve, a notification banner is now displayed in the Access Hub after the user logs in.

  • Updated Notification settings: Allows administrators to configure how Lifecycle Management/Access Requests emits notifications for different settings.

Veza Platform

  • CSV Manager Role: Administrators can now assign a new role with minimum permissions for managing CSV integrations, restricted to creating, configuring, and updating CSV-based integrations assigned to the user's team.

  • Event Subscriptions and Email Alerts: You can now use the Administration > Event Subscriptions & Alerts page to configure email notifications for Veza platform events by severity and category. Alerts can be configured to send a summary of events within the specified interval (e.g., all matching alerts within 15 minutes to 24 hours).

Note: Individual releases can include additional bug fixes and performance improvements that are not detailed in these notes. For more information about any features or bug fixes, please contact your Veza representative.
