Product Update: April'25
Veza 2025.4: Identity Security Platform Advancements
Welcome to the latest Veza product update! This document offers a summary of the latest features, enhancements, and usability improvements introduced in recent platform updates.
Veza's 2025.4 release delivers powerful enhancements across access governance, non-human identity (NHI) security, compliance reporting, and platform extensibility—helping organizations reduce risk, improve audit readiness, and simplify identity operations at scale.
Key Business Benefits:
Faster Access Decisions: New entitlement sync, delegation, and Access Profile improvements streamline approvals while ensuring consistent governance across AD and cloud systems.
Tighter Lifecycle Policy Control: Access Lifecycle Management now includes safety limits to prevent unintended mass changes.
Improved Audit Readiness: Access Reviews and Separation of Duties (SoD) enhancements improve filtering, conflict visibility, and reviewer controls to support clean audits.
NHI Risk Reduction: Expanded NHI support for Workday, Google Secret Manager, and Azure enables more comprehensive discovery, reviews, and remediation of machine identities.
Stronger Access Visibility and Access Monitoring: New dashboards and access monitoring tools offer granular insights into dormant accounts, over-provisioned roles, and key identity threats.
Enterprise Integration Coverage: New support for Microsoft Dynamics 365 ERP, Coupa CCW, and enhancements to Okta, Salesforce, Workday, and Active Directory strengthen enterprise reach.
Streamlined User Management: SCIM provisioning and OpenID Connect (OIDC) improve access lifecycle automation and simplify SSO adoption.
Specific capability enhancements include:
Access Requests: New entitlement synchronization capabilities, delegation controls, and Access Profile management features.
Access Lifecycle Management: Enhanced policy management with safety limits and Coupa CCW integration.
Access Reviews: Improved filtering and group management controls for reviewers.
Non-Human Identity (NHI) Security: Enhanced support for Workday and Google Cloud Secret Manager.
Separation of Duties (SoD): New conflict visualization capabilities for SoD risks.
Access Intelligence: Improved risk management and dashboards.
Access Monitoring: Enhanced monitoring insights and historic activity filtering.
Veza Integrations: Support for Microsoft Dynamics 365 ERP, Coupa CCW, and integration enhancements.
Veza Platform: SCIM user provisioning APIs and OpenID Connect (OIDC) for Single-Sign-On (SSO).
Access Intelligence
Risks Enhancements
Standardized terminology: The Risks page is overhauled to provide a clear distinction between individual risky entities and the rules that define overall risks. The following terms are now used throughout the Veza UI:
Risk: Any query that has been assigned a risk level to define risks (e.g., "Okta users with phishable MFA").
Affected Entities: The results of a Risk query, i.e., the 5 specific Okta users with phishable MFA. An affected entity can be marked as an exception when needed.
Improved Risks UI: You can now search and manage entities in risk results with dedicated tabs on the Risks page.
Navigate between sections to get a full picture of active and remediated risks over time, manage queries marked as risks, and investigate individual risks.
Overview: High-level summary with burndown, platform breakdown, filters
All Risks: Full risk registry, filterable by entity, integration, and label
Affected Entities: Drill-down view of impacted identities/resources per risk
Dashboards Enhancements
Dashboard Overhaul: We've added new dashboards aligned to identity security use cases and enhanced existing ones for clarity, usability, and immediate insight. Out-of-the-box dashboards now include:
MFA Coverage
Account Takeover Coverage (ATO)
Resource Risks on Unstructured Data
Residual Access Coverage for ISPM
Identity Threat Detection and Response Coverage
Dashboard (Key Risk Indicators / KRIs) by Use Cases: Based on customer feedback, Veza dashboards are now organized by core use cases on a new Dashboards > Use Cases tab.
Dashboard Design and Usability:
For Dynamic (label-based) dashboards/reports, users can now rename section tiles and merge sections.
Redesigned tiles now provide immediate access to Veza Actions (Launch Access Review, etc.)
CSV exports now include minimum and maximum risk values to identify entities with volatile risk scores that may require closer monitoring.
The "Save As New" action is now available for uneditable queries, allowing users to create copies of system or reference queries they couldn't modify directly.
A universal search bar is now shown on the Dashboards > Favorites page.
Webhook and Export Enhancements
Alert Webhooks: When creating alert rules, you can now configure specific entity attributes to include in the JSON payload for 3rd-party webhooks.
Secondary Emails for Query Export: Exporting query results to email now supports additional recipients, so you can add team distribution lists or peer reviewers, and maintain continuity during absences.
Access Requests
New Features
Delegation and Deny Lists: Administrators can now appoint delegate approvers and maintain deny lists to control who can approve, and who can submit, access requests in your organization. Go to Access Request Settings to define delegates, approver deny lists, and requestor deny lists.
"About This App" Instructions: Profile owners can now add contextual information for applications and bundles of entitlements directly in Access Profiles. Users requesting access can refer to these instructions for detailed guidelines.
How to use it: Edit any Access Profile to add instructions with markdown formatting. You can also quickly add instructions using the row actions menu.
Provide access prerequisites or contact information that helps users understand what they're requesting and how to use it once access is granted. Keep instructions concise and include links to more detailed documentation when necessary.
Entitlement Synchronization: Veza now supports periodic or manual entitlement synchronization to maintain the integrity of Active Directory group assignments.
How to use it: When creating an Access Profile Type that grants Active Directory Group entitlements, enable the Continuous Sync of Access Profile option and set the sync frequency in days, or choose Actions > Manually Sync on the Access Profiles page.
Enabling synchronization ensures that Access Profiles membership remains the authoritative source for linked Active Directory group membership, automatically re-adding users removed out-of-band, removing unauthorized direct additions to the group, and recreating accidentally deleted groups.
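As an added illustration of the reconciliation that continuous sync performs (example code written for these notes, not Veza's implementation), the Python below computes the changes needed to make a constructed Active Directory state match Access Profile membership, covering the three cases named above: members removed out-of-band, unauthorized direct additions, and a deleted group. Group names and users are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample state (not real Veza or Active Directory data).
# Desired state: Access Profile membership is authoritative for each linked AD group.
DESIRED = {
    "CN=FinanceApp-Users,OU=Groups,DC=example,DC=com": {"alice", "bob", "carol"},
    "CN=FinanceApp-Admins,OU=Groups,DC=example,DC=com": {"dave"},
}
# Observed AD state: carol was removed out-of-band, mallory was added directly in AD,
# and the Admins group was deleted (absent from the dict).
OBSERVED = {
    "CN=FinanceApp-Users,OU=Groups,DC=example,DC=com": {"alice", "bob", "mallory"},
}

@dataclass
class SyncPlan:
    recreate_groups: list = field(default_factory=list)
    add_members: dict = field(default_factory=dict)     # group -> users to (re-)add
    remove_members: dict = field(default_factory=dict)  # group -> users to remove

def plan_sync(desired, observed):
    """Compute the changes that make AD match the Access Profile membership.

    Covers the three behaviours of continuous sync: re-add users removed out-of-band,
    remove unauthorized direct additions, and recreate deleted groups. Running it on
    an already converged state yields an empty plan, so repeated syncs are safe.
    """
    plan = SyncPlan()
    for group, wanted in desired.items():
        if group not in observed:
            plan.recreate_groups.append(group)       # deleted group: recreate it
            plan.add_members[group] = set(wanted)    # and restore its full membership
            continue
        actual = observed[group]
        if wanted - actual:
            plan.add_members[group] = wanted - actual     # removed out-of-band
        if actual - wanted:
            plan.remove_members[group] = actual - wanted  # unauthorized direct additions
    return plan

def apply_plan(observed, plan):
    """Apply a plan to a copy of the observed state and return the resulting state."""
    state = {g: set(m) for g, m in observed.items()}
    for group in plan.recreate_groups:
        state[group] = set()
    for group, users in plan.add_members.items():
        state[group] |= users
    for group, users in plan.remove_members.items():
        state[group] -= users
    return state

if __name__ == "__main__":
    plan = plan_sync(DESIRED, OBSERVED)
    print("recreate:", plan.recreate_groups)
    print("re-add:  ", plan.add_members)
    print("remove:  ", plan.remove_members)
    assert plan_sync(DESIRED, apply_plan(OBSERVED, plan)) == SyncPlan()  # second run is a no-op
```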
Enhancements
We've introduced a range of enhancements to enable Catalog configuration using Access Profiles:
Default Access Request Policies: Administrators can now set a default Access Request Policy to define default approval requirements for each Access Profile of a particular Access Profile Type.
How to use it: When creating an Access Profile Type, select a default Access Request Policy and optionally enable the Allow overwrite of Access Request Policy option.
Setting a default approval policy at the Access Profile Type level can help enable consistent governance across Access Profiles of the same type without requiring manual policy selection for each new profile.
Profile Integration Limits: Administrators can now control which systems can be associated with specific Access Profile Types. Limiting Access Profiles to specific integrations or integration types can help maintain separation between different environments or administrative domains.
How to use it: When creating a Profile Type, use the "Limit to a single integration" option (can be combined with other integration type options).
Profile Creation and Visibility Controls: Administrators can now define who can create Access Profiles, and which Access Profile Types users can view in the Catalog.
How to use it: Use the Access Profile Settings > Manage Permissions option for creation rights. Use the Manage Permissions action for individual Access Profile Types to enable visibility controls.
Grant profile creation rights to teams who understand proper entitlement models, and restrict specialized profile visibility to appropriate end-users.
Entitlements for Access Profile Types: It's now possible to create multiple conditional entitlement rules within a single Access Profile Type.
This can streamline administration by defining entitlement creation logic based on specific conditions within a single configuration:
Administrators can now define one or more rules with string conditions or any-match criteria when adding Access Profile Types.
Each rule can trigger different entitlement creation based on your business requirements, reducing the need to maintain separate Access Profile Types for similar scenarios.
For example, you could define a single Access Profile Type that creates different user entitlements based on department or location.
Transformers for Access Profiles: For more precise control over user attribute transformations during provisioning workflows, you can now choose specific Sync Identity transformers to use when creating entitlements through Access Profiles.
This enables different formatting rules to apply based on the entitlement granted. For example, when a Lifecycle Management policy contains multiple Sync Identity actions for the same target system, you can configure one Access Profile to create standard user accounts with {first_name}.{last_name} formatting while another creates admin accounts with {first_name}.{last_name}-admin formatting.
Slack Notifications (Early Access): You can now integrate Access Requests with Veza Actions for Slack to send announcements when an access request changes state.
Automatic Profile Type Selection: When creating new Access Profiles with only one available Access Profile Type, that type is pre-selected, reducing clicks in environments where only a single type is configured.
Access Lifecycle Management
New Features
Policy Safety Limits: Veza now supports configurable safety thresholds on policy execution to prevent unintended mass updates from occurring during workflow execution. When enabled, a warning appears when the number of impacted users exceeds the configured limit and the policy is halted. An administrator can choose to process the pending changes or ignore and re-enable the policy.
How to use it: When creating a Lifecycle Management policy, define a Safety Limit for the maximum number of identities that can be changed in a single policy run.
Implement safety limits for policies with broad selection criteria, especially in production environments. If a limit is exceeded, review the affected identities in the warning details before proceeding.
Coupa CCW Integration: Lifecycle Management now supports Coupa Contingent Workforce as a source of identity for non-employee identities.
How to use it: When adding the integration to Veza, toggle the Provisioning Source option in the integration configuration.
You can create separate Access Profiles and Lifecycle Management Policies for contractors to maintain distinct access models from regular employees.
Enhancements
Policy Draft Mode: Administrators can now enable a global option to choose between immediate policy updates and version-controlled policy editing.
How to use it: In Lifecycle Management > Settings > Policy Settings, toggle Enable Policy Draft Mode.
When enabled, users can edit policies in draft mode, review changes, and publish when ready. The complete version history is available in the editor for comparing changes and restoring previous versions when needed.
Lookup Table Export: You can now export custom lookup tables for offline analysis and troubleshooting.
How to use it: When viewing lookup tables for a Lifecycle Management Policy, use the export option to download the table in CSV format.
Refer to the CSV export to diagnose complex provisioning issues and compare expected mappings against actual attribute values.
ASCII Transformer for Identity Attributes: Lifecycle Management policies now support an ASCII transformer for handling international character sets. This transformer removes non-printable characters and converts non-ASCII characters to their closest ASCII equivalents, and can be especially useful when provisioning to legacy systems that only support ASCII.
Sync Identities Fallback Formatters: The Sync Identities action now supports Additional Formatters as part of the action configuration. These fallback formatters automatically generate alternative values during provisioning when unique ID attributes (like usernames or email addresses) are already in use.
How to use it: Configure fallbacks by editing a Sync Identities action and adding transformer patterns that will be tried sequentially until a unique value is found. Common implementations include using the NEXT_NUMBER transformer to append sequential numbers (e.g., jsmith1, jsmith2) or other transformers like RANDOM_ALPHANUMERIC_GENERATOR.
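As an added example (written for these notes, not Veza's code), the Python below emulates the ASCII transformer and a fallback-formatter chain in the style of NEXT_NUMBER and RANDOM_ALPHANUMERIC_GENERATOR, applied to the {first_name}.{last_name} and {first_name}.{last_name}-admin patterns described under Transformers for Access Profiles above. The SPECIAL accent map, the function names, and the set of usernames already in use are assumptions.

```python
import secrets
import string
import unicodedata

# Hypothetical map for letters that NFKD decomposition cannot reduce to ASCII.
SPECIAL = {"ß": "ss", "æ": "ae", "ø": "o", "ł": "l", "đ": "d", "þ": "th", "œ": "oe"}

def ascii_transform(value):
    """Emulate the ASCII transformer: drop non-printable characters and map
    non-ASCII letters to their closest ASCII equivalents ('ü' -> 'u', 'ß' -> 'ss')."""
    out = []
    for ch in value:
        if not ch.isprintable():
            continue  # control characters and other non-printables are removed
        if ch.lower() in SPECIAL:
            rep = SPECIAL[ch.lower()]
            out.append(rep.upper() if ch.isupper() else rep)
            continue
        # Decompose accented letters and keep only the ASCII base character.
        out.extend(p for p in unicodedata.normalize("NFKD", ch) if ord(p) < 128)
    return "".join(out)

def format_pattern(pattern, attrs):
    """Render a {first_name}.{last_name}-style pattern from transformed attributes."""
    return pattern.format(**{k: ascii_transform(v).lower() for k, v in attrs.items()})

def next_number(base, existing):
    """NEXT_NUMBER-style fallback: append the smallest integer that yields an unused value."""
    n = 1
    while f"{base}{n}" in existing:
        n += 1
    return f"{base}{n}"

def random_alnum(base, existing, length=4):
    """RANDOM_ALPHANUMERIC_GENERATOR-style fallback: append random lowercase alphanumerics."""
    alphabet = string.ascii_lowercase + string.digits
    return base + "".join(secrets.choice(alphabet) for _ in range(length))

def unique_username(attrs, pattern, existing, fallbacks=(next_number, random_alnum), attempts=10):
    """Try the primary pattern first, then each fallback formatter in order until the
    value is not already in use. Raising on exhaustion lets the provisioning run fail
    visibly instead of colliding with an existing account."""
    base = format_pattern(pattern, attrs)
    if base not in existing:
        return base
    for fallback in fallbacks:
        for _ in range(attempts):
            candidate = fallback(base, existing)
            if candidate not in existing:
                return candidate
    raise ValueError(f"no unique value found for {base!r}")

if __name__ == "__main__":
    taken = {"jurgen.muller", "jurgen.muller1"}  # constructed set of usernames already in use
    attrs = {"first_name": "Jürgen", "last_name": "Müller"}
    print(unique_username(attrs, "{first_name}.{last_name}", taken))        # jurgen.muller2
    print(unique_username(attrs, "{first_name}.{last_name}-admin", taken))  # jurgen.muller-admin
```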
Access Reviews
Enhancements
No Reviewers Filter: Administrators and operators can now filter the Reviewers column to quickly find rows that have no reviewer assigned.
How to use it: In the Reviewer Interface, choose the Filter By option in the Reviewers column and select Does not exist as the filter operation.
Use this option before publishing draft reviews to identify and fix incomplete reviewer assignments and mitigate orphaned review items.
Group By Controls: Reviewers can now expand or collapse all grouped rows with a single action.
How to use it: When using the "Group By" option in the review interface, look for the Expand/Collapse All controls above the groups.
Reviewer Reassignment Control: Administrators can now restrict reviewers from assigning other users to review their assigned rows.
How to use it: To enable this setting for an individual Review Configuration, toggle Enable Reviewer Reassignment when editing the configuration. To enforce this setting globally, toggle Access Reviews > Settings > Reviews > Enable Reviewer Reassignment.
Email Notification Templates: Administrators can now create multiple notification templates for the same event type and assign them to specific review configurations. Previously, only one template could exist per event type, which applied to all configurations.
How to use it: Customize templates under Access Reviews Settings > Notifications > Notification Templates.
Using custom notification templates, you can tailor notification language to specific teams or departments while maintaining consistent messaging elsewhere, including:
One default message template per event type (applied to all configurations)
Additional templates for each event type (review completed, on row sign-off, etc.)
Specific templates for individual review configurations as needed
Non-Human Identity Security
Enhancements
Workday Integration System Users: Veza now automatically identifies Workday Accounts associated with non-human identities.
Detection criteria: Accounts are classified as NHIs when they are Integration System Users or have UI access disabled.
Filter the NHI Accounts page by Workday integration to review and manage these service accounts. You can now incorporate these entities in recurring certification initiatives.
Google Cloud Secret Manager: The Google Cloud integration now supports enhanced NHI search and analysis for managed secrets:
Supported entities and attributes: Google Cloud Secrets and KMS Keys now have the last_rotated, status, and secret_type attributes.
You can create queries combining these attributes to identify secrets requiring rotation or remediation (e.g., production secrets not rotated in 90+ days).
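As an added example (not Veza query syntax or output), the Python below applies the kind of query described above to constructed secret records carrying the last_rotated, status, and secret_type attributes, flagging production secrets not rotated in 90+ days. The record layout, status values, and timestamp format are assumptions; two edge cases a plain date comparison would miss are handled explicitly.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like the attributes named above; not real Veza output.
# The status values and the ISO-8601 timestamp format are assumptions for this illustration.
SECRETS = [
    {"name": "projects/p1/secrets/prod-db-password", "secret_type": "production",
     "status": "ENABLED", "last_rotated": "2024-11-01T00:00:00Z"},
    {"name": "projects/p1/secrets/prod-api-key", "secret_type": "production",
     "status": "ENABLED", "last_rotated": "2025-03-20T00:00:00Z"},
    {"name": "projects/p1/secrets/prod-legacy-token", "secret_type": "production",
     "status": "ENABLED", "last_rotated": None},  # never rotated
    {"name": "projects/p1/secrets/prod-old-cert", "secret_type": "production",
     "status": "DISABLED", "last_rotated": "2023-01-01T00:00:00Z"},
    {"name": "projects/p1/secrets/dev-db-password", "secret_type": "development",
     "status": "ENABLED", "last_rotated": "2024-01-01T00:00:00Z"},
]

def parse_ts(value):
    """Parse an ISO-8601 timestamp; None means no rotation has been recorded."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_secrets(records, now_iso, max_age_days=90, secret_type="production"):
    """Return names of enabled secrets of the given type not rotated within max_age_days.

    Two edge cases a plain 'last_rotated < cutoff' comparison would get wrong:
    a secret with no rotation record is treated as stale (the conservative choice),
    and disabled secrets are skipped since no workload can use them.
    """
    cutoff = parse_ts(now_iso) - timedelta(days=max_age_days)
    stale = []
    for rec in records:
        if rec["secret_type"] != secret_type or rec["status"] != "ENABLED":
            continue
        rotated = parse_ts(rec["last_rotated"])
        if rotated is None or rotated < cutoff:
            stale.append(rec["name"])
    return stale

if __name__ == "__main__":
    for name in stale_secrets(SECRETS, "2025-04-15T00:00:00Z"):
        print("rotate:", name)
```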
NHI Access Reviews: It's now possible to create targeted reviews directly from the NHI overview page.
Launch Access Review: Create On-Demand Reviews by navigating to the Non-Human Identities > Accounts overview, selecting entities for review, and choosing the Launch Access Review action.
Create dedicated NHI review configurations in advance with appropriate columns and reviewer assignments. To create access reviews, users must have the Administrator or Operator root team role.
Azure Managed Identities: Azure Managed Identities now automatically have the "nonhuman" identity type, enabling NHI management and search for Azure workloads using managed identities to access downstream resources.
NHI Accounts Overview: A banner on the NHI Security > Accounts page now provides immediate visibility into total NHI accounts detected and which integrations they come from.
Separation of Duties
Enhancements
Viewing Conflicting Entitlements for SoD Queries: You can now easily view roles and permissions causing SoD violations for individual users in the query results.
View Conflicts: From the SoD overview page, choose a query and click Open In Analysis, then use the new View Conflicts action to show entitlements for each user in a sidebar.
When remediating conflicts, use this view to determine precisely which entitlements need modification. Identify conflicts, document the specific entitlements involved, and work with resource owners to determine which access to revoke.
Access Monitoring
New Features
Access Monitoring Insights: The Access Monitoring page now surfaces key insights at a glance, including:
Dormant vs. Total metrics for IAM User, Role, and Group activity
Platform-specific metrics: Privileged Dormant Roles, Over-provisioned Dormant Users
Dedicated dashboards for Snowflake, AWS, and Okta
Google Activity Monitoring: Veza now tracks activity involving service account impersonation within Google Cloud. Activity events are now generated when a Google Workspace User accesses resources by impersonating a Service Account, and reflected in "Last Activity At" and "Last Activity With Resource At" timestamps.
Last Activity Filtering: In Query Builder, you can now filter results on the "Last Activity At" and "Last Activity With Resource At" columns. You can use these attributes to identify the:
Last time of any activity for a particular entity/resource
Last activity from a particular identity on a particular resource
You can use these attributes to identify dormant accounts by filtering for entities with no recent activity, infrequently used access rights by filtering for resources with minimal activity, and generate cleanup lists for access review campaigns using the saved query.
Veza Platform
New Features
Veza Integrations
New Integrations
Microsoft Dynamics 365 ERP: Discover users, groups, and security roles in the enterprise resource planning platform.
Coupa CCW: New integration for Coupa Contingent Workforce (CCW).
Integration Enhancements
CSV Upload Enhancements: An improved CSV upload flow for creating integrations is now generally available. The new flow supports modeling custom applications and HRIS systems using imported data, and mapping CSV columns to custom or built-in entity attributes.
Okta: Added support for the WORKFLOWS_ADMIN built-in role, providing visibility into highly privileged role assignments.
Okta: When configuring an Okta integration, administrators can now limit extractions to user entities, skipping groups, apps, roles, role assignments, app users, and app groups. When using this option, only the okta.users.read permission is required for the integration.
Open Authorization API: You can now set an external identity for IDP Groups when submitting a payload for a Custom Identity Provider. This will be used to map federated identities with a matching ID.
Salesforce: The RecordTypeId attribute is now available for Salesforce Account and Opportunity objects, enabling more granular permissions analysis.
Workday: Added OAuth token support for gathering Custom Reports, used to securely populate additional attributes for Workday Workers.
Active Directory: Added the ability to specify an explicit Service Principal Name (SPN) when using Kerberos authentication for the Active Directory integration. This optional field defaults to ldap/<domain_controller_hostname> if not provided.
Salesforce: Veza can now extract additional attributes for Salesforce objects: CreatedById, CreatedDate, LastActivityDate, LastModifiedDate, LastModifiedById, OwnerId, and SystemModStamp. The integration also now shows the AccountType, OpportunityType, and StageName attributes.