Product Update: November'25
Veza Product Update: 2025.11
News and Highlights from Veza Releases v2025.11.03 - v2025.11.24
Welcome to the monthly Veza product update! As organizations adopt AI infrastructure and expand automation, identity risk extends beyond human users to AI agents, service accounts, and OAuth tokens across every cloud platform. Security teams need visibility into these expanding attack surfaces and the efficiency to act on what they find.
Changes in this release deliver extended coverage for Google Cloud Vertex AI, strengthened lifecycle automation including comprehensive dry run testing, and streamlined access review workflows. Together, these capabilities help teams govern access confidently at scale.
Below you'll find detailed information on specific updates, along with a summary of release highlights. As always, please contact your Veza support team with questions and feedback.
Access Reviews
Reviewer experience improvements: New assignment tabs, "Needs My Review" filter, and improved progress tracking help access reviewers focus on their outstanding work.
Access Review APIs: Export reviews programmatically and create new reviews via API.
Why it matters: Streamlined reviewer workflows and programmatic review operations reduce certification cycle times while improving auditability.
Lifecycle Management
Azure AD as Source of Identity: Organizations can now drive Lifecycle Management workflows using Microsoft Entra ID as their authoritative identity source.
Enhanced Dry Run testing: Complete action configurations, identity filtering, and execution history for confident Lifecycle Management policy testing before production deployment.
Send REST Payload action: Configurable OAuth2 authentication and custom HTTP headers expand integration capabilities with external systems.
Why it matters: Comprehensive dry run testing and expanded identity sources enable organizations to automate identity lifecycle operations across heterogeneous infrastructure with confidence.
Non-Human Identity (NHI) Security
GCP Vertex AI integration: Visibility into AI agents, model registries, and deployed endpoints with IAM analysis across Vertex AI-specific permissions.
GitLab service accounts and tokens: Discovery of bot users, group tokens, project tokens, and personal access tokens for NHI security assessments.
Okta OAuth token monitoring: Activity visibility into OAuth credential usage including client secret reads and refresh token grants.
Why it matters: Expanded coverage for infrastructure and service account tokens enables identification and remediation of over-privileged non-human identities across cloud platforms.
Access Visibility
Explain Assumed Roles: Visualize AWS IAM role assumption chains through trust relationships and permissions, now generally available for all customers.
Bulk Tag Operations API: New endpoint supports up to 10,000 tag operations per request for enterprise-scale onboarding, migrations, and automated tagging workflows.
Query Builder Search: Filter query results to access paths passing through specific intermediate nodes (roles, groups), revealing how users gain access rather than just what they can access.
Why it matters: Helps security teams understand not just what access exists but how it was granted, which is critical for identifying over-permissioned paths and policy violations.
Integrations
CockroachDB Cloud: Visibility into distributed SQL database access with effective permissions analysis and inheritance across organization, folder, and cluster levels.
Integration enhancements: Databricks C2C OAuth, GitHub Organization Roles, LDAP nested groups, NetSuite permission name formatting, and AWS Resource Control Policies.
Why it matters: Expanded integration coverage and authentication options reduce manual effort to model complex environments in Access Graph.
Access Reviews
Reviewer Experience Improvements
Filter Review Items by Assignment: Access Reviews now feature "All" and "Assigned to Me" tabs in the reviewer interface. Reviewers who are also administrators (and therefore control unassigned items) can pivot between every review line item they can view and the line items specifically assigned to them.

"Needs My Review" Filter: The Reviews page now features a "Needs My Review" filter that helps reviewers (who are also administrators) quickly identify reviews where they are assigned as reviewers with outstanding work.

Dual Progress Tracking: For better visibility into individual responsibilities and overall review health, administrators now see two progress bars in the reviewer interface: My Progress (personally assigned review line items), and Total Progress (the overall completion status of the entire review).
Bulk Reassignment Notifications: Access Reviews now shows clear confirmation messages when reviewers perform bulk reassignment operations. Specific notifications now confirm reassignment actions for both single and multiple review items, providing better feedback and visibility into bulk operations.
Permissions for Assigned Reviewers: Any user assigned to specific review items in Access Reviews now receives the same permissions as a standard reviewer for those rows, including the ability to approve, reject, sign off, add notes, and reassign. This supports more flexible delegation workflows, where non-reviewers can take action on items assigned to them without admin intervention.
Configuration and Notifications
Alternate Email for Access Review Notifications: Organizations can now configure alternate email addresses for Access Review notifications. Administrators can configure the specific user property that contains the alternate email address at a global or per-workflow level.
Schedule Time Selection: When scheduling access reviews, Veza now prevents selecting past hours for new schedules. Schedule preview accuracy has also been improved for better visibility into next-run times.
Review Managers: Managers are now more clearly identified as Reviewer Managers when configuring notifications for Access Reviews.
Single-Level Review Label: When viewing the list of reviews, the approval level label for single-level reviews is now explicitly marked 1 of 1 for consistency with multi-level reviews (which are denoted as either 1 of 2 or 2 of 2).
Access Review API Enhancements
Access Review Export API: A new public API endpoint exports Access Reviews programmatically, enabling automated creation, monitoring, and download of review results in CSV or XLSX format. This supports sending Access Review information to external reporting and compliance systems, with options for filtering, sorting, and differential exports that compare results over time.
Dynamic User Identity Filtering: The Create Certification endpoint (POST /api/preview/awf/certifications) now supports dynamic user identity filtering. When creating an access review programmatically, the request can include specific user identities via the dynamic_information parameter. This will filter the review results to those users, and can be useful for targeted review use-cases, such as mover reviews (for role changes), leaver reviews (for offboarding), and user-specific audits.
Unpivot Fields for Ownership Attestation (Preview API): Access Reviews now support "unpivoting" multi-value fields, such as Reviewers when multiple reviewers are assigned to a line, to create individual rows for each value. This enables ownership attestation workflows where review line items with multiple owner-reviewers generate separate review items for each owner. For example, a resource with three owners can now create three review rows (one assigned to each owner) allowing independent certification of ownership rather than collective approval.
Access Visibility
Access Graph and Query Builder
Intermediate Node Types in Query Builder: Query Builder now supports waypoint node type filtering, enabling users to filter query results to only include access paths that pass through a specific intermediate entity type (such as a role or group). For example, this can help find all users with access to a resource only through IAM Roles, excluding users with direct permissions. This matches functionality previously available in Access Reviews queries.
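To make the waypoint filter concrete, here is an added example (not Veza code) that runs the same kind of path filter over a small constructed access graph: it enumerates every path from each user to a resource, keeps only paths that pass through an intermediate node of a chosen type, and optionally drops users who also hold a direct grant, which yields the "only through IAM Roles" result the note describes. The node names, node types and edges are constructed.

```python
"""Waypoint (intermediate node type) filtering over a small access graph.

Added example, not Veza code: it illustrates the kind of path filter the
Query Builder feature performs. The graph, node names and node types below
are constructed.
"""
from collections import defaultdict

# Constructed toy graph. Node type per node; directed edges mean "grants access to"
# (user -> role: the user can assume the role; role -> resource: the role is
# permitted on the resource; user -> resource: a direct grant).
NODE_TYPES = {
    "alice": "user", "bob": "user", "carol": "user", "dave": "user",
    "AdminRole": "iam_role", "ReadRole": "iam_role",
    "Analysts": "group",
    "customer-db": "resource",
}
EDGES = [
    ("alice", "AdminRole"), ("AdminRole", "customer-db"),  # alice: via role only
    ("bob", "customer-db"),                                 # bob: direct grant only
    ("carol", "ReadRole"), ("ReadRole", "customer-db"),     # carol: via role ...
    ("carol", "customer-db"),                               # ... and a direct grant
    ("dave", "Analysts"), ("Analysts", "customer-db"),      # dave: via group only
]


def build_adjacency(edges):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj


def all_paths(adj, source, target, path=None):
    """Depth-first enumeration of simple paths from source to target."""
    path = (path or []) + [source]
    if source == target:
        return [path]
    found = []
    for nxt in adj.get(source, []):
        if nxt not in path:  # simple paths only; also guards against cycles
            found.extend(all_paths(adj, nxt, target, path))
    return found


def passes_through(path, node_types, waypoint_type):
    """True if any intermediate node (endpoints excluded) has the waypoint type."""
    return any(node_types[n] == waypoint_type for n in path[1:-1])


def users_with_access(edges, node_types, resource, waypoint_type=None, exclude_direct=False):
    """Users with at least one path to `resource`.

    waypoint_type  keeps only paths that pass through a node of that type
                   (e.g. "iam_role"), mirroring the waypoint filter.
    exclude_direct additionally drops users who also hold a direct grant on the
                   resource, giving "access ONLY through <type>".
    """
    adj = build_adjacency(edges)
    matched = set()
    for user in (n for n, t in node_types.items() if t == "user"):
        paths = all_paths(adj, user, resource)
        has_direct = any(len(p) == 2 for p in paths)
        if waypoint_type is not None:
            paths = [p for p in paths if passes_through(p, node_types, waypoint_type)]
        if paths and not (exclude_direct and has_direct):
            matched.add(user)
    return matched


if __name__ == "__main__":
    print("any path:         ", sorted(users_with_access(EDGES, NODE_TYPES, "customer-db")))
    print("via IAM role:     ", sorted(users_with_access(EDGES, NODE_TYPES, "customer-db", "iam_role")))
    print("only via IAM role:", sorted(users_with_access(EDGES, NODE_TYPES, "customer-db", "iam_role", True)))
```

The distinction between "has a path through a role" and "has access only through a role" matters for review scoping: carol reaches the resource both ways, so a cleanup that removes her role would leave her direct grant untouched.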

Filter Queries by Owner: Users can now filter saved queries by owner, making it easier to locate specific queries in environments with many custom and out-of-the-box queries. A new Owner filter on the Queries page supports multi-select and works in combination with other filters (Labels, Integrations, Risk Level).
Nested Entity Navigation: Improved "Show Hierarchy" support and edge selection in Access Graph for better exploration of nested entity relationships.
Query Performance: Improved Query Builder performance when sorting results, and improved performance for queries using filters on the Name property of "Relates To" entities.
Explain Assumed AWS IAM Roles
Explain Assumed Roles: The Explain Assumed Roles option in Access Graph is now generally available for all customers. This capability helps users understand complex AWS IAM role assumption chains by visualizing the path from one role to another through trust relationships and permissions.
Bulk Tag Operations
Bulk Tag Operations API: A new API endpoint (POST /graph/private/tags:bulk) now supports adding and removing tags for multiple entities in a single atomic operation. It accepts up to 10,000 tag operations per request for bulk onboarding, environment migrations, and enterprise-scale tagging workflows. Veza tag values now also accept additional characters.
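Because each request is capped at 10,000 operations and is atomic only within that request, a caller tagging more entities than that has to batch and keep track of which batches landed. The following is an added example of that client-side batching, not Veza's own client code; only the endpoint path and the per-request limit come from the note above, while the request body layout and the field names entity_id, tag and action are assumptions, and the post callable stands in for whatever HTTP client you use.

```python
"""Batching tag changes for the bulk tag endpoint.

Added example, not Veza client code. Only the endpoint path and the
10,000-operations-per-request limit come from the release note; the request
body layout and the field names entity_id / tag / action are assumptions.
"""

BULK_TAG_PATH = "/graph/private/tags:bulk"  # from the release note
MAX_OPS_PER_REQUEST = 10_000                 # from the release note


def build_operations(entity_ids, tag, action="add"):
    """One tag operation per entity. Field names are assumed, not Veza's schema."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    return [{"entity_id": eid, "tag": tag, "action": action} for eid in entity_ids]


def chunk_operations(ops, limit=MAX_OPS_PER_REQUEST):
    """Split operations into batches no larger than the per-request limit."""
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    return [ops[i:i + limit] for i in range(0, len(ops), limit)]


def submit_in_batches(ops, post, limit=MAX_OPS_PER_REQUEST):
    """Send batches via post(path, body) -> bool, stopping at the first failure.

    Each request is atomic server-side (per the release note), so a failed batch
    applies none of its operations. Atomicity does not span requests: batches
    that already succeeded stay committed, so the caller gets the exact set of
    applied batch indices back to retry only the remainder.
    """
    batches = chunk_operations(ops, limit)
    applied, failed = [], None
    for idx, batch in enumerate(batches):
        body = {"operations": batch}  # assumed request body shape
        if not post(BULK_TAG_PATH, body):
            failed = idx
            break
        applied.append(idx)
    return {"applied_batches": applied, "failed_batch": failed, "total_batches": len(batches)}


if __name__ == "__main__":
    # Constructed run with a fake transport that accepts everything.
    ops = build_operations(["entity-%d" % i for i in range(25_000)], "pii")
    print(submit_in_batches(ops, lambda path, body: True))
```

Keep the returned batch bookkeeping in your job log: with idempotent add/remove semantics a retry of the failed and remaining batches is safe, while re-sending already-applied batches is merely wasteful.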
Lifecycle Management
Azure AD as Source of Identity
Azure AD Source of Identity: Added support for Azure AD as a source of identity for Lifecycle Management. Organizations using Azure AD (Microsoft Entra ID) can now configure it as an authoritative identity source, enabling policies to synchronize and manage user identities based on changes in the source of truth.
Enhanced Dry Run Testing
Bulk Dry Run Identity Filtering: Improved support for dry run testing, allowing administrators to safely preview the actions that would be taken before enabling a policy. You can now perform dry runs against all identities or filter to specific identities based on attribute values.
Full Action Configuration in Dry Runs: Dry run results now display the complete action configuration details for all action types that would run, replacing the previous view that only showed attributes to be synced. This includes the configuration settings for each action, such as Create Email parameters, Reset Password complexity rules, Send REST Payload endpoints and headers, Manage Relationships mappings, and Create Access Review settings.

Dry Run History Table: The Bulk Dry Run feature now includes a complete history table showing all previous dry run task results. Users can review past dry run executions directly from the results page, making it easier to track testing iterations and compare outcomes across multiple runs.
New Actions and Workflow Controls
Okta Suspend Action: Added a new "Suspend" account action specifically for Okta integrations in Veza Lifecycle Management. This action allows policies to suspend Okta user accounts without fully deactivating them.
Show Matching Identities: Lifecycle Management policies now include a "Show Matching Identities" option, replacing the previous "View in Query Builder" button. This enables users to view the identities that match a workflow's trigger and condition criteria directly on the Identities list.
Email Recipient Formatters: Lifecycle Management event notifications now support formatters in the email recipient field, enabling dynamic email address generation based on identity attributes. Administrators can use formatters to create recipient emails derived from identity data (such as a user's manager email, department contact, or other attribute-based recipients), providing more flexible and contextual notification routing.
Design and Usability Enhancements
Inline Date Formatter Testing: Added inline testing support for date formatters in Lifecycle Management workflow configurations. Administrators can now test and validate date format transformations with sample data directly within the policy editor.

Optional Identity Columns: The Identities table now supports additional columns that can be shown or hidden through the column selector: Title, Email, and Employee ID. These provide quick access to these attributes when relevant, without requiring drill-down into individual identity details when troubleshooting or auditing identity metadata.
Policy Version Timestamps: The policy version history now displays published timestamps for each policy version. Users can view when each version was published, along with the publisher's name, and toggle between relative format ("15 days ago") and absolute format (showing the full date and time zone).
Flexible Attribute Ordering: Formatters no longer require manual attribute reordering when attributes reference other attributes. Previously, attributes had to be positioned above any attributes that referenced them, requiring manual reordering of attributes using up/down arrow controls. Veza now supports attributes referencing other attributes positioned anywhere in the list.
Send REST Payload Enhancements
Custom HTTP Headers: Lifecycle Management workflows now support custom HTTP headers in the Send REST Payload action. Users can add, edit, and remove custom headers, enabling better integration with systems that require specific authentication tokens, content types, or other header-based configurations.

OAuth2 Authentication: The Send REST Payload action now supports OAuth2 authentication and client login flows.
Non-Human Identity (NHI) Security
GCP Vertex AI Integration
Google Cloud Platform - Vertex AI Integration: Veza now supports Google Cloud Platform's Vertex AI service. New visibility into AI/ML infrastructure includes reasoning engines (AI agents), model registry, deployed endpoints, and their associated permissions.

The integration supports full IAM and Workspace connectivity, effective permission analysis across Vertex AI-specific permissions, and relationships between reasoning engines and service account identities:
Vertex AI Reasoning Engine: AI agents that execute custom code and tools
Vertex AI Model: Custom-tuned models from Model Registry (foundation, custom, and imported models)
Vertex AI Endpoint: Deployed model endpoints serving predictions
Vertex AI Service: The Vertex AI platform service entity
Vertex AI Policy: IAM policies for Vertex AI resources
Vertex AI Role Binding: IAM role grants to identities
Okta OAuth Token Activity Monitoring
When audit logs are enabled, Veza now monitors OAuth credential usage events including client secret reads and refresh token grants. This enables Activity Monitoring visibility into how applications interact with OAuth credentials, supporting Non-Human Identity (NHI) security by tracking programmatic access patterns across Okta environments.
GitLab Service Accounts and Access Tokens
The GitLab integration now discovers service accounts (bot users for automation) and their associated access tokens.
Veza extracts group access tokens, project access tokens, and service account personal access tokens as Access Credentials, providing visibility into Non-Human Identity (NHI) access patterns.
Each token includes scope, access level, and expiration metadata to support security assessments of programmatic GitLab access.
AWS Bedrock Visualization
AWS Bedrock Graph Icons: AWS Bedrock entities in Access Graph now feature better visual identification. Primary icons distinguish entity types (Foundation Models, Knowledge Bases), while secondary badge icons identify the AI provider (Anthropic, Amazon, DeepSeek, Mistral AI, Meta, OpenAI). This improvement makes it easier to identify and distinguish AWS Bedrock resources when analyzing authorization paths in Graph search.
Access Security
Destination Node Properties in Assessment Rules: Rules in Veza now support including destination node properties in alert notifications. When configuring rules that evaluate queries with destination nodes (such as queries checking relationships to resources), you can now choose to include destination nodes in alerts and pick which destination properties to include from a dropdown menu.
Delete Scheduled Export: When exports are scheduled for a query, you can now delete the scheduled export directly from the row actions menu.
Veza Integrations
New Integrations
CockroachDB Cloud: Veza now supports CockroachDB Cloud, providing visibility into distributed SQL database access and permissions. The integration extracts organization structure, clusters, databases, users, and roles, and supports effective permissions analysis, providing visibility into both direct and inherited access. This includes support for folder hierarchies, group-to-group relationships, and inheritance-based access calculations across organization, folder, and cluster levels.
Enhancements
Databricks: The integration now supports Client-to-Client (C2C) OAuth authentication flow, providing an alternative to Personal Access Token (PAT) authentication. C2C authentication enables secure machine-to-machine communication using OAuth 2.0 client credentials.
Open Authorization API: You can now delete OAA datasources directly from the Veza web interface. Previously, deleting an OAA datasource required using the REST API.
Anaplan: The integration now includes the workspace name as an attribute on Model entities. Previously, only the workspace ID was available, requiring users to cross-reference workspace names when reviewing model access manually.
Active Directory: The integration now uses the replicated lastLogonTimestamp attribute exclusively for tracking user logon activity, providing consistent values across environments with multiple Domain Controllers or load-balanced configurations.
NetSuite Permission Names: The NetSuite integration now supports configurable display of permission names. When editing a NetSuite integration, you can choose whether system permissions display using human-readable names (the new default) or technical shorthand keys (the previous behavior).
AWS Resource Control Policies: Added support for AWS Resource Control Policies.
GitHub Organization Roles: Added support for extracting GitHub Organization Roles and Role Assignments.
LDAP Nested Groups: Added support for nested group memberships.
LDAP Group-to-Group Mapping: Added support for Group-to-Group identity mapping from LDAP IDP providers.
SCIM OAuth: Added support for OAuth authentication using the client_credentials grant with the client ID and secret sent via HTTP Basic authentication.
Exchange Online: Added support for parallel extraction.
Azure Expiration Handling: Updated the Azure integration to properly handle expiration dates for credentials, keys, secrets, and certificates.
Microsoft uses the Unix epoch (January 1, 1970) as a sentinel value for entities without expiration dates, which is ambiguous when shown in Veza as a literal date.
The Azure integration now converts these epoch sentinels to Veza's standardized zero-time sentinel, ensuring "never expires" values are consistently represented across Azure entities in Access Graph.
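The ambiguity is worth seeing in code, because a naive date comparison reads the epoch sentinel as "expired in 1970" rather than "never expires", and a non-expiring secret is exactly the kind of credential a review should surface separately. Here is an added example, not Veza's integration code, that normalises the sentinel before classifying credentials; the sample records are constructed, the end_date_time field follows Microsoft Graph's credential property naming, and None is an assumed stand-in for Veza's zero-time sentinel.

```python
"""Normalising Azure credential expiry values that use the Unix epoch as "never expires".

Added example, not Veza's integration code. The sample records are constructed;
end_date_time follows Microsoft Graph's keyCredential/passwordCredential naming,
and NEVER_EXPIRES (None) is an assumed stand-in for Veza's zero-time sentinel.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = None  # assumed stand-in for Veza's standardized zero-time sentinel


def parse_iso(value):
    """Parse an ISO-8601 timestamp; a trailing Z or a naive value is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_expiry(value):
    """Map empty values and the epoch sentinel to NEVER_EXPIRES; otherwise return the datetime."""
    if value in (None, ""):
        return NEVER_EXPIRES
    ts = parse_iso(value)
    return NEVER_EXPIRES if ts == UNIX_EPOCH else ts


def classify(expiry, now, warn_within=timedelta(days=30)):
    """Bucket a normalised expiry relative to `now`."""
    if expiry is NEVER_EXPIRES:
        return "never_expires"  # without normalisation this would read as "expired"
    if expiry <= now:
        return "expired"
    if expiry - now <= warn_within:
        return "expiring_soon"
    return "valid"


SAMPLE_CREDENTIALS = [  # constructed sample records
    {"display_name": "app-a client secret", "end_date_time": "1970-01-01T00:00:00Z"},
    {"display_name": "app-b client secret", "end_date_time": "2025-10-01T00:00:00Z"},
    {"display_name": "app-c certificate", "end_date_time": "2025-12-10T00:00:00Z"},
    {"display_name": "app-d key", "end_date_time": "2027-01-01T00:00:00Z"},
]


def assess(credentials, now_iso):
    """Return {display_name: bucket} for every credential, evaluated at now_iso."""
    now = parse_iso(now_iso)
    return {c["display_name"]: classify(parse_expiry(c["end_date_time"]), now) for c in credentials}


if __name__ == "__main__":
    for name, bucket in assess(SAMPLE_CREDENTIALS, "2025-11-24T00:00:00Z").items():
        print(f"{bucket:14} {name}")
```

Treat the never_expires bucket as its own finding rather than folding it into "valid": it is the set of credentials that will never age out on their own and so only disappear through deliberate rotation.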