2022.10.1

Welcome to the latest Veza update! We’ve been hard at work on new features, product usability, and the latest integrations, and are pleased to announce the changes in the October release. Some highlights include:

  • Azure integration: new support for Data Lake Storage (ADLS) and Key Vault

  • New integrations for Oracle Cloud Infrastructure (OCI) and Databricks

  • Enhancements for Authorization Graph Search, and Queries

  • Visual overhaul, including an updated Veza color palette and branding

These release notes also cover a range of usability and scalability improvements for Veza Workflows. Some of these improvements, intended to enable enterprise-scale workflows, were added as part of Veza 2022.6.2 and may already be live in your environment:

  • Extended Smart Actions, customization options, and improved access reviewer UX

  • Improved functionality for owner/manager-based autoassignment

  • New query options to enable additional compliance scenarios

  • Preview API changes to support custom integrations

Please see below for the full release notes:

1. Access and Entitlement Workflows

Administration

  • When viewing stats for a completed or expired certification, admins and operators can now view the total number of rows in each of three states: signed off; rejected but fixed and signed off; and rejected and not fixed.

  • The Workflow link in reminder emails now links directly to the related certification, rather than the overview page.

  • Adjusted certification reminder and expiration schedule: reminder emails are now sent at 11 AM PST, and certifications expire at 8 PM PST on the due date.

  • Certification Expiration can now be enabled (support-enabled option). When enabled, certifications can have the EXPIRED status and can no longer be changed once 24 hours have passed since the due date.

  • You can now set if users are prompted to add notes when approving or rejecting results, and conditionally require a note with decisions (support-enabled option).

  • It’s now possible to customize default columns for all reviewers, as well as the sort column and sort order (support-enabled option).

Certifications

  • Improved Certifications UX for phones and tablets.

  • Reviewers can now choose how many results are displayed per page (30 to 200).

  • The ability to modify fixed status on results is now admin/operator-only. Reviewers can no longer view certification metadata such as total result count, workflow query details, notification settings, and other reviewer assignments.

  • Smart Action improvements:

    • Smart actions can now be applied based on result decisions, fix status, and other result properties.

    • Users can now view their previous and currently running smart actions on certifications, including the number of rows updated or skipped, and the option to filter on the affected rows.

    • Improved handling of long-running smart actions: After applying a filter-based action, an "In progress" notification is now shown. A second action can't be started while the current one is running.

  • Improved column titles when certifying workflows that query entities with the "Role" super-type. For example, "Role Name" is now shown instead of "Source Name".

  • Added a User Unique ID column to differentiate between users with similar names, using their email addresses, database usernames, or other unique value.

  • Text-based filters are now case-insensitive.

  • Certifications can now be exported to PDF.

Reviewer autoassignment

  • “Resource Manager” Veza Tags can now be set on any entity Veza has discovered, to enable reviewer assignment for roles, policies, etc. based on ownership.

  • Users can no longer be assigned as access reviewers for results that include local accounts (such as OAA Custom Application Local Users) linked to that user's primary IdP identity.

    • A global IdP must be configured for Veza to detect the correlation. IdP-to-local-user relationships are based on the most recent graph data.

    • Self-review is prevented when autoassigning reviewers or re-assigning using filter-based actions.

  • To prevent individual IdP or Veza system users from being autoassigned as reviewers, deny lists can be set using an API.

  • New fallback defaults for reviewer autoassignment: When assignment would be prevented due to self-review prevention or the deny list, the following order is now used to assign certification results: User’s manager (if active) -> Workflow creator -> Local Veza admin.

Workflows

  • All Top Level Principals can now be selected as the query source/destination when creating a new workflow.

    • Searching for top-level principals will create an audit of identities that can't be assumed by another identity. The certification will include only primary identities (such as Okta or Custom IdP users) for users, while filtering out the low-level entities they can assume, such as local user accounts.

    • The results will still include local users and service accounts that don’t correlate to a higher-level identity.

  • Local User can now be selected as a required intermediate node type. This “waypoint” node information is shown in a column when viewing certification results.

Workflows APIs

  • Added a new action log event type DECISION.

  • List Certifications responses now include the total_accepted_count (signed off and accepted result rows) and total_fixed_count (signed off, accepted, and fixed).

  • Get Access Graph now returns data source status (including last sync time).

  • Added a new method Get Certification Result to return a single certification result by id.

  • Added a new endpoint to update webhook info, used to publish details such as whether a ticket was successfully created and the date/status/owner for display in the Certification interface.

2. Insights

  • You can now click to change the display format of date/time values where they appear in search results, tables, and entity details.

  • Reports now include icons to identify the data/cloud/identity provider associated with entities in the assessment results.

  • When viewing a report, you can now choose to Hide assessments with all-zero values. When toggled, queries with no historical data are hidden.

  • Alert messages for Slack now include additional entity details and direct links to view details.

3. Integrations

New Integrations

  • Databricks is now supported as a standalone data source, including Workspaces, Clusters, Notebooks, Users, and Groups (Early Access).

  • Oracle Cloud Infrastructure (OCI) is now supported as a cloud provider, including IAM infrastructure and object storage resources (Early Access).

  • A PagerDuty connector is available for publishing user, role, and team metadata to the Veza Entity Catalog using the Open Authorization API.

Enhancements

  • Azure Key Vault: It's now possible to search relationships between AzureAD identities and Key Vault resources (encryption keys, TLS/SSL certificates, and secrets). Key Vault is discovered automatically for configured Azure tenants. Assessments include Vaults with RBAC Authorization model enabled, Vaults with Purge Protection Enabled, and Azure Vaults with Disk Encryption Enabled.

  • Azure Data Lake Storage: Veza now discovers filesystems, directories, and access control lists for ADLS-enabled Azure Storage Accounts. ADLS-related insights include Azure Blob Containers with data lake enabled, and Azure AD users with Datalake Filesystem WRITE permissions.

  • Added new support for connecting to Azure Government Cloud regions.

  • The Okta integration now gathers de-provisioned users and their activity status.

  • The default Snowflake extraction interval is now 6 hours.

  • AWS S3 Buckets now have the region property.

  • AWS Identity Center users and groups are now gathered without the need for an additional Okta integration. The AWS connector policy has been updated to include the new required permissions.

  • The Open Authorization API (OAA) payload can now be compressed.

  • OAA Custom Application Permissions can now map to sub-resources.

  • OAA Local Users now have a new user_type field to differentiate between human and non-human identities. Values can be "human" (default) or "service account".

4. Search and Query Builder

Authorization Graph

  • When using Explain Effective Permissions, a tooltip now shows the corresponding C/R/U/D action for each raw permission.

  • Explain Effective Permissions view now shows when relationships are a result of policy "deny" statements, marked by a red path.

  • Search Display Filters now indicate when pagination is enabled and required due to many results.

Query Builder

  • Numeric constraints can now apply to the Grouped By entity type, to filter results based on the number of related destination nodes. This can be used, for example, to alert when an Okta user has access to more than a set number of Google Cloud Storage buckets.

  • Constraints can now be placed on intermediate nodes (such as IAM Roles between AWS IAM Users and S3 Buckets).

  • Constraints can now apply to entity super-types such as All Resources.

5. User Management

  • Veza users that don't use Single Sign On (SSO) can now reset their passwords. A password change is now required when logging in for the first time, and the landing page offers a password reset option. Veza admins can reset passwords from the User Management panel.
