Product Update: February'25
Veza 2025.2: Identity Security Platform Advancements
Welcome to the monthly Veza product update! Recent releases have included a range of new and enhanced capabilities for access visibility and access intelligence products, enriched user experience, and enterprise-scale access governance across your environments. This document offers a summary of the latest features, enhancements, and usability improvements across the platform, with highlights including:
Non-Human Identities (NHI): New product module with actionable dashboards, owner accountability features, and extended monitoring across AWS, Azure, and Salesforce to identify and remediate NHI security risks.
Access Visibility: Improved resource ownership tracking with attribute filters and saved queries, enhanced conditional access filtering, and Query Builder improvements for exposing critical access relationships.
Access Intelligence: Operationalized dashboards with new “Veza Actions” options, enhanced query filters for ownership tracking, and improved SoD risk management with owner assignment capabilities.
Access Reviews: Improved administrative interfaces, the ability to launch 1-step reviews from Access Intelligence, and a new integration with Lifecycle Management for launching reviews on demand as part of Lifecycle Management workflows.
Lifecycle Management: Automated identity governance with draft Access Profiles, property overrides for special cases, and integrated access reviews for personnel transitions.
Access Request: Multi-level approvals and a redesigned and more intuitive catalog experience for requesting access.
Integrations: Improved management and integration insights with redesigned integration pages, visual entity breakdowns, and expanded support for MongoDB, Kubernetes, Dropbox, and other key platforms.
See the sections below for more details about specific changes in each product area, and contact your Veza representative with any questions or your valued feedback.
Non-Human Identities (NHI)
Expanded NHI Insights: The NHI Security page now includes new tabs featuring actionable dashboards for NHI management:
Keys and Secrets: All keys, secrets, and other access credentials, with their associated risks.
Inventory: NHI entities arranged by integration type, like workloads (AWS EC2 instances, Microsoft Azure virtual machines, and Google Kubernetes Engine clusters), keys and secrets, and non-human local users across a wide range of systems.
Risks: NHI risk insights, including dormant keys/accounts, unrotated keys, and NHIs with privileged permissions.
Owners for NHI Accounts: You can now assign users responsible for NHI entities directly from the Accounts overview, using the "Assign Entity Owners" row action for individual entities, or with a bulk selection.
Rules and Alerts for NHI Account Owners: You can now use alerts to trigger notifications and actions on NHI account owner status changes, such as when an owner is de-provisioned in your identity provider.
Enhanced Integrations:
Amazon Web Services:
Activity Monitoring now supports AWS Key Management Service keys. In addition to the "Last Activity At" property, KMS keys now support a "Last Viewed" property, which records any activity consuming the key material for a cryptographic operation, such as Decrypt.
The AWS IAM User "Last Activity At" property now shows activity for all events where the User is the principal (regardless of whether the resource/service is supported for Activity Monitoring). For example, an AWS IAM User performing RunInstances in EC2 will still have this activity counted towards its Last Activity At timestamp.
Microsoft Azure: Keys and Secrets now have the "Last Rotated" and "Versioned" attributes.
Salesforce: The integration now discovers Connected Applications in Salesforce and automatically categorizes them as non-human identities, providing visibility into OAuth applications with access to Salesforce data.
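The AWS Activity Monitoring changes above come down to two different questions asked of the same audit trail: the latest event in which an IAM user was the principal (any service), and the latest cryptographic use of a KMS key (management calls such as DescribeKey do not count). The following example, added here and not Veza's own code, derives both from constructed CloudTrail-style records and then applies a dormancy check of the kind listed under NHI Risks. The set of KMS operations treated as consuming key material and the 90-day idle window are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (not real data); only the fields the
# logic needs are present.
SAMPLE_EVENTS = [
    # IAM user launching an EC2 instance: counts towards the user's last activity
    # even though EC2 is not the resource type being monitored here.
    {"eventTime": "2025-02-10T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/build-bot"}},
    # Same user decrypting with a KMS key: cryptographic use of the key.
    {"eventTime": "2025-02-12T09:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/build-bot"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111"}]},
    # Another user only describing a key: activity for the user, but the key
    # material is not consumed, so the key's last-used time does not move.
    {"eventTime": "2025-02-14T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DescribeKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/auditor"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"}]},
    # An assumed role, not an IAM user: ignored for IAM user last activity.
    {"eventTime": "2025-02-15T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/session"}},
]

# KMS API calls that consume key material. Assumption for this example; the
# page only names Decrypt.
KMS_CRYPTO_OPS = {"Decrypt", "Encrypt", "ReEncrypt", "GenerateDataKey",
                  "GenerateDataKeyWithoutPlaintext", "Sign", "Verify"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_activity_by_user(events):
    """Latest event time per IAM user principal, regardless of service."""
    latest = {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser":
            continue
        t, arn = parse_time(ev["eventTime"]), ident["arn"]
        if arn not in latest or t > latest[arn]:
            latest[arn] = t
    return latest


def last_used_by_kms_key(events):
    """Latest cryptographic use per KMS key ARN; management calls do not count."""
    latest = {}
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") not in KMS_CRYPTO_OPS:
            continue
        t = parse_time(ev["eventTime"])
        for res in ev.get("resources", []):
            arn = res.get("ARN", "")
            if ":key/" in arn and (arn not in latest or t > latest[arn]):
                latest[arn] = t
    return latest


def dormant(latest, known, now, max_idle_days=90):
    """Known entities with no qualifying activity inside the window, or none at all."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(e for e in known if latest.get(e) is None or latest[e] < cutoff)


if __name__ == "__main__":
    keys = ["arn:aws:kms:us-east-1:111122223333:key/aaaa-1111",
            "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"]
    print(last_activity_by_user(SAMPLE_EVENTS))
    print(dormant(last_used_by_kms_key(SAMPLE_EVENTS), keys, parse_time("2025-03-01T00:00:00Z")))
```

The same split (principal activity versus resource consumption) is what makes a key look "dormant" while its owner is clearly active: the user's timestamp advances on DescribeKey, the key's does not.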
Design and Usability Enhancements:
The NHI Security > Accounts page now supports exporting the table of results to CSV or PDF.
Columns on the NHI Security > Accounts page are now renamed from their source attributes to clarify their meaning:
"Authentication Method" is now "Linked Keys & Secrets"
"Created At" is now "Age"
Clicking an NHI risk score now opens the risk score details, with the option to view all contributing risks in Query Builder.
Added icons for each NHI entity type.
Tooltips are now shown when hovering over filters.
NHI table actions now include the option to "Open in Graph".
Access Intelligence
Enhanced Dashboard Operationalization:
For better insight into data freshness, each dashboard tile shows the last time results were updated, with an option to refresh single tiles or the full dashboard.
When editing a dashboard, users can now choose to publish it and notify all users about its availability.
Veza Actions are now more consistent across every tile and every dashboard (Create Rule, Alert on Change, Launch Access Review, etc.).
When configuring webhook Orchestration Actions, you can now choose which query result attributes to include in the JSON payload when alerts trigger.
When using the "Launch Access Review" action, the review builder is now populated with default values for faster 1-step review creation.
The behavior of static reports is now aligned with dynamic reports. When marking the visibility of a report as "Public", any private queries will be automatically removed from the report.
Improved visibility of Created By info, Public/Private status, and tooltips on integration icons shown in Veza Dashboards.
APIs for Snowflake Least Privilege Implementation: Four new assessment APIs are now available in early access for advanced role analysis, permission comparisons, and least-privilege access management in Snowflake environments.
Okta Activity Dashboard: Updated the Okta Activity report to include new out-of-the-box queries: Okta apps that have not been accessed by 75% or more of the users assigned to them, Okta Users that are under-utilizing their App Access, and Okta Super Admins that have never Logged In.
Traceability for API-based Query Changes: For improved audit compliance and change management, queries updated via API are now clearly distinguished with "(via API)" indicators in the "Updated By" field.
Access Visibility
Attribute Filters for Owners: You can now use attribute filters to detect entities where the list of owners is empty, has any values, or includes a specific user.
Saved Query Filters for Owners: You can now use saved query filters to find resources such as NHI accounts owned by specific users (e.g., AWS KMS Keys owned by users deactivated in Okta, or S3 Buckets owned by users in high-risk departments), and get alerts when there are owner status changes. To do so, save a query that identifies a set of users, then use it to filter a query that identifies the NHI type. After applying the filter, results will only include resources owned by users in the results of the first query.
Search for Unsupported IAM Conditions: Added support for filtering on conditional access within AWS that is granted by a policy condition Veza cannot fully evaluate. In "Effective" query mode, you can now apply permission filters to show or hide relationships that involve some or all of these conditional permissions. By default, results include all access relationships, including those granted by unsupported conditions, so excluding them is an explicit choice rather than the starting point.
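To make the "Effective" mode behaviour concrete, here is an added example (not Veza's implementation) that classifies the Allow statements of a constructed IAM policy by whether their condition keys can be evaluated, and then applies the three filter choices the item describes: keep everything (the default), drop relationships that hinge on an unevaluated condition, or show only those for review. The set of condition keys treated as evaluable is an assumption for illustration.

```python
import json

# Constructed IAM policy (not from the page). Statement 1 is unconditional,
# statement 2 uses a condition key this evaluator understands, statement 3
# uses one it does not.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::data-bucket/*"},
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::data-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::data-bucket/*",
     "Condition": {"StringEquals": {"aws:RequestTag/team": "ops"}}}
  ]
}
""")

# Condition keys this example can resolve from what it knows about a request.
# Assumption for illustration; a real evaluator's supported set is larger.
SUPPORTED_CONDITION_KEYS = {"aws:SecureTransport", "aws:PrincipalArn"}

UNCONDITIONAL = "unconditional"
COND_SUPPORTED = "conditional-supported"
COND_UNSUPPORTED = "conditional-unsupported"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def classify_statements(policy):
    """Return (action, resource, kind) tuples for every Allow grant in the policy."""
    out = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue  # Deny statements need separate handling; out of scope here
        cond = st.get("Condition", {})
        # Condition is {operator: {key: value, ...}, ...}; collect every key used.
        keys = {k for op in cond.values() for k in op}
        if not keys:
            kind = UNCONDITIONAL
        elif keys <= SUPPORTED_CONDITION_KEYS:
            kind = COND_SUPPORTED
        else:
            kind = COND_UNSUPPORTED
        for action in _as_list(st["Action"]):
            for resource in _as_list(st["Resource"]):
                out.append((action, resource, kind))
    return out


def effective_access(rels, mode="include"):
    """Apply the 'effective' query filter.
    include - keep every relationship (the default described on the page)
    exclude - drop relationships that depend on a condition we cannot evaluate
    only    - show just those, e.g. for manual review"""
    if mode == "include":
        return list(rels)
    if mode == "exclude":
        return [r for r in rels if r[2] != COND_UNSUPPORTED]
    if mode == "only":
        return [r for r in rels if r[2] == COND_UNSUPPORTED]
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for mode in ("include", "exclude", "only"):
        print(mode, effective_access(classify_statements(SAMPLE_POLICY), mode))
```

Note that "exclude" is the optimistic view (it treats unevaluated conditions as if they denied), while "include" is the conservative one; a least-privilege review should start from the conservative view and use "only" to work through the uncertain grants.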
Design and Usability Enhancements:
Query Explanations now include information about any saved query filters (pipeline queries).
Clicking a query on the Queries page now opens the query details view instead of Query Builder.
The "Show [relates to entities]" option in Query Builder is now preserved on page refresh.
Access Reviews
Launch Access Reviews from Access Intelligence: When 1-step access reviews are enabled, you can now create reviews directly from any saved query, dashboard tile, or SoD rule with the "Launch Access Review" action.
Access Reviews with Lifecycle Management: Access Reviews now support instantiating on-demand reviews triggered by Lifecycle Management workflows, enabling automatic reviews as part of joiner, mover, and leaver workflows.
Improved Review Administration:
"Mark as Fixed" Behavior: Rows can now only be marked as fixed if they are rejected and signed off.
Orchestration Actions: Webhook orchestration actions can now trigger when rows are marked as fixed or notes are edited and include the full row details in the payload.
Event Details: Access Review events now capture changes to review configurations, to better meet audit requirements.
Info-level "Access Review Configuration Modified" events now include the previous and new values for changed configuration metadata, including the review scope, snapshot, and configuration name/description.
Administrators can review configuration changes in Veza by opening the Administration > Events page and clicking "Show Details" to the right of an event.
Review Auto-Expiration: Administrators can now configure auto-expiration settings of past due reviews per individual review configurations (previously this setting impacted all reviews).
Custom Comments for Auto-Rejected Items: Administrators can now improve audit documentation by configuring custom comments that automatically apply to rows rejected due to review expiration.
Individual reviews can now be renamed.
Review exports now show updated_by information in three columns: updated_by_id, name, and email.
Product Design and Usability:
Access Review Settings: Global settings for Access Reviews are now organized in tabs and have an improved layout for better management.
Completed Reviews: Enhanced review tracking in the Access Reviews > Completed Reviews tab. You will now find columns showing the total rows completed, remaining work, last modified, last modified by, status, and a percentage-completed indicator.
Improved List Details: When opening a row in the sidebar to view access details, attributes that contain lists (e.g. "Managers") now show each list element on a new line.
Reviewer Interface Enhancements: When comparing historical decisions for the same review configuration, the "previous decision" column now appears next to the "status" column for better visibility.
Lifecycle Management
Access Profile Drafts (Early Access): Administrators can now create and publish draft versions of Access Profiles. A draft version will not be used by Lifecycle Management or Access Request until it has been published.
Override Properties for Identities: It is now possible for administrators to override identity property values that were originally set at the source of identity. This override ability gives administrators greater control over provisioning, de-provisioning, and other identity-related actions. Note: This override does not affect the identity in Access Visibility or Access Intelligence; it only applies within Lifecycle Management.
History for Identity Property Changes: A history of identity property changes is now viewable, allowing administrators to track modifications over time. Note: Historical data will only be available from the introduction of this feature onward.
Mover Workflows: Added support for triggering workflows with a user-defined system attribute to identify the movers where the workflow will apply, e.g., sys_attr__is_mover eq true.
Access Reviews Integration: Lifecycle Management policy and workflows can now trigger automated access reviews using the "Create Access Review" workflow action. Note: The resulting access review will be dynamically constrained to just the identity being processed through the workflow.
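The three Lifecycle Management items above (property overrides that apply only within Lifecycle Management, a history of those changes, and a mover trigger expression such as sys_attr__is_mover eq true) fit together as one small model. The example below is added here to illustrate that model and is not Veza's data model or expression grammar: the Identity class, the "eq"/"ne" mini-language, and the attribute values are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Identity:
    """Properties from the source of identity, plus a Lifecycle-only override
    layer and a change history. Modelled for this example only."""
    user_id: str
    source: dict
    overrides: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def get(self, prop):
        # An override wins; otherwise fall back to the source-of-identity value.
        return self.overrides.get(prop, self.source.get(prop))

    def override(self, prop, value, actor, at=None):
        """Set an override and record who changed what, from which value."""
        at = at or datetime.now(timezone.utc)
        self.history.append({"prop": prop, "old": self.get(prop), "new": value,
                             "by": actor, "at": at.isoformat()})
        self.overrides[prop] = value


# Trigger expressions of the form "<attribute> eq|ne <value>" (assumed grammar).
_EXPR = re.compile(r"^\s*(\w+)\s+(eq|ne)\s+(\S+)\s*$")


def _coerce(text):
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    return text.strip("\"'")


def matches(identity, expr):
    """Evaluate a trigger expression against the override-aware properties."""
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    prop, op, raw = m.groups()
    actual, expected = identity.get(prop), _coerce(raw)
    return actual == expected if op == "eq" else actual != expected


def select_movers(identities, expr="sys_attr__is_mover eq true"):
    return [i.user_id for i in identities if matches(i, expr)]


def demo():
    alice = Identity("alice", {"department": "Finance", "sys_attr__is_mover": False})
    bob = Identity("bob", {"department": "Sales", "sys_attr__is_mover": True})
    # HR has not flagged alice yet; an administrator overrides the flag so the
    # mover workflow runs for her without touching the source system.
    alice.override("sys_attr__is_mover", True, actor="admin@example.com")
    return select_movers([alice, bob]), alice.history


if __name__ == "__main__":
    print(demo())
```

Because the override lives only in this layer, anything reading `source` directly (the analogue of Access Visibility and Access Intelligence in the note above) still sees the original value; the history entry is what lets an auditor explain why the workflow fired.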
Access Request
Access Request Approvals: Policies for Access Requests can now require one or more levels of approval before access is granted.
Access Requests support assigning a beneficiary's manager as the request approver.
Approvers can now reassign requests to another approver.
Catalog Customization: Access Profiles can now appear in the Catalog with a rich-text description and custom icon, and be marked as "recommended." Administrators can update catalog settings when editing a profile using the "Set Catalog Item Info" action.
Request Lifecycle and Integrations:
Access Requests Policies now can enforce Just-In-Time (JIT) settings (min and max duration for an allowed request) per access profile.
Requests can now be revoked in the "completed" state.
Administrators can now start and pause policies under Lifecycle Management Settings > Access Request Policies.
A history of all request actions is now available.
Added API-level support for 3rd party ITSM integration, where the actual request is completed by the external tool.
Catalog UX Enhancements: The Catalog in the Access Hub is fully redesigned for a more intuitive ability to search for Catalog items as well as improved request and approval workflow processes:
The Catalog now shows request forms in a grid view.
In the Catalog, the Requests table is now split into dedicated "Requests" and "Approvals" sections.
Login Activity Anomaly Detection: Added support for showing Okta user activity and anomalies based on login timestamps, as an Early Access feature in Access Hub. The Manager Dashboard now includes a heatmap of recent user logins, making it easier to spot unusual patterns.
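A login heatmap is a per-user count of logins by weekday and hour; an anomaly is a login in a cell (or neighbourhood of cells) the user has never populated before. The example below is added here, is not Veza's detection logic, and runs on constructed Okta-style (user, timestamp) pairs: the bucketing, the minimum history before flagging, and the one-hour neighbourhood are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed login events (user, UTC timestamp); not real data. Ten weekday
# logins around 09:00, then one on a Sunday at 03:17.
SAMPLE_LOGINS = [
    ("alice", "2025-02-03T09:05:00Z"), ("alice", "2025-02-04T09:12:00Z"),
    ("alice", "2025-02-05T08:58:00Z"), ("alice", "2025-02-06T09:20:00Z"),
    ("alice", "2025-02-07T09:01:00Z"), ("alice", "2025-02-10T09:15:00Z"),
    ("alice", "2025-02-11T10:02:00Z"), ("alice", "2025-02-12T09:07:00Z"),
    ("alice", "2025-02-13T09:11:00Z"), ("alice", "2025-02-14T09:04:00Z"),
    ("alice", "2025-02-16T03:17:00Z"),
]

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _bucket(ts):
    d = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return d.weekday(), d.hour  # (0=Monday .. 6=Sunday, 0..23)


def login_heatmap(logins, user):
    """Login count per (weekday, hour) cell for one user."""
    return Counter(_bucket(ts) for u, ts in logins if u == user)


def render_heatmap(heat):
    """7 rows x 24 columns; '.' for empty cells, counts capped at 9."""
    lines = []
    for d in range(7):
        cells = "".join(str(min(heat[(d, h)], 9)) if heat[(d, h)] else "." for h in range(24))
        lines.append(f"{DAY_NAMES[d]} {cells}")
    return "\n".join(lines)


def anomalous_logins(logins, user, min_history=5, neighbours=1):
    """Timestamps of logins landing in a cell the user has never used, counting
    the adjacent hours on the same weekday as 'used'. Only logins seen earlier
    in time feed the baseline, so the detector never peeks ahead."""
    seen = Counter()
    flagged = []
    for ts in sorted(ts for u, ts in logins if u == user):  # ISO strings sort chronologically
        day, hour = _bucket(ts)
        nearby = sum(seen[(day, (hour + k) % 24)] for k in range(-neighbours, neighbours + 1))
        if sum(seen.values()) >= min_history and nearby == 0:
            flagged.append(ts)
        seen[(day, hour)] += 1
    return flagged


if __name__ == "__main__":
    print(render_heatmap(login_heatmap(SAMPLE_LOGINS, "alice")))
    print(anomalous_logins(SAMPLE_LOGINS, "alice"))
```

The `min_history` guard matters in practice: without it every user's first few logins are "anomalous", which is exactly the noise a manager dashboard should not show. Timestamps are kept in UTC; if you bucket in the user's local zone instead, do it consistently for both baseline and candidate.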
Integrations
Integrations Overview: The main Veza Integrations page is now grouped into collapsible sections for each integration type, making it easier to add, monitor, and edit configurations when you have many connected data sources. A search bar now enables quick search by integration name or type.
Integration Details: A new Overview tab in Integration Details offers a breakdown and summary of node counts across entity categories, with a visual chart for better data representation and analysis.
You can get more information about any configured integration by clicking its name on the Integrations page to view details.
The details page now includes a bar chart showing all the entities of different types that Veza has discovered within each data source.
Click the name of any entity type to open a search in Query Builder and show the full entity attributes, search for relationships, or apply additional filters.
Salesforce: The Salesforce integration can now discover extension package objects from Conga Apptus. For existing configurations, you will need to update the permission set for the Salesforce integration user to include the new object types, and enable the non-default objects when configuring the integration.
Docusign: Added support for multiple Docusign accounts as a data source.
Privacera: Added support for Security Zone Admins and Privacera Portal Users.
Workday: The integration no longer gathers the "Gender" attribute for Workday Workers.
Active Directory: Added support for gathering AD User "Service Principal Name" attribute.
Open Authorization API (OAA): Added support for identity mapping from OAA Custom HRIS employees to OAA Custom IdP Users.
The following integrations are now generally available: MongoDB, MongoDB Atlas, Kubernetes on EKS, Dropbox, and SCIM (OAuth2).