2022.4.1

Welcome to the latest Veza release! As our first major release since our company launch, 2022.4.1 includes significant updates: access workflow enhancements, a new dashboard, improvements to tables view, authorization graph enhancements, and extended data source and user management options. See below for the full release notes, and please reach out to your Veza Sales and Customer Success team with any requests and feedback:

  • Tables View enhancements: Each row now contains the complete relationship path when exporting search results using View as Tables. Each relationship and permissions set is included in the exported graph. A preview of the data is now shown when exporting.

  • Added a Data Source Status button to the search bar to enable validation of provider status and last sync time for the current snapshot.

  • New operations have been added to the Query Builder API to get destination nodes for entities in query builder results.

  • Pagination and constraints can now be applied to node-centric searches (such as when viewing all relationships for a single named entity).

Insights & Reporting

  • Added NEW dashboard with system insights and shortcuts as the primary Veza landing page.

  • Added new reports for visibility into On-prem Data Entitlements and Azure RBAC Advanced Configurations.

  • Added a modal to "Show Violation Details" for results on the Violations panel and violations appearing on the graph actions sidebar.

  • When starting a recipe, you can now select to deliver the instructions to a Notifications destination (such as ServiceNow, Slack, or a generic webhook).

Workflows

  • Added the option to export all workflows and certification status to CSV from the main Workflows panel.

  • Reviewers are now suggested from a workflow's historical certifiers.

  • When creating a new access workflow, query result previews are now sorted by type/name/id.

  • Access Workflow queries now support filtering by permissions to limit certification results to only include entities with escalated privileges.

  • It's now possible to list workflows and certifications and get and update results using /preview Workflows APIs.

Administration and Configuration

  • You can now manually refresh discovered data sources, IdP, and Cloud Providers using the "Start Extraction" option on the Apps & Data Sources panel.

  • Improved Events filtering and filter options, and added a refresh button.

  • Each user's type is now shown on the User Management panel.

  • Reworked the "Add Provider" configuration interface for better readability and organization and added additional tooltips.

  • Clicking a data source status on the Apps & Data Sources panel filters the Events page on the selected error.

Open Authorization API (OAA)

  • To model relationships between manually-added entities and discovered graph nodes, custom application resources and sub-resources can now have connections to another graph entity, identified by its node_type and id.

  • Custom IdP template: Assumable Role ARNs are now allowed at the groups level (previously, ARNs could only be assigned to individual users).

  • Custom application template: Added an optional id property to the resource schema. If set, it will be used as the unique ID instead of the entity name. A specific resource_type must have only resources with an ID or only resources without an ID.

  • The custom application template now supports nested group relationships.

  • Added support for removing OAA providers and data sources using the push API.
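
The id rule for the custom application template above (either every resource of a given resource_type carries an id, or none does, with id replacing the entity name as the unique key) is easy to get wrong when a payload is assembled from several sources. The following check is an added example, not Veza's code or part of the OAA client; the list-of-dicts shape and the field names resource_type, name and id are assumptions, and the sample payloads are constructed.

```python
from collections import defaultdict

# Constructed samples in an assumed shape (list of dicts with resource_type, name and
# optional id). This is not the OAA schema itself, only the shape this check operates on.
CONSISTENT_RESOURCES = [
    {"resource_type": "bucket", "name": "logs", "id": "b-001"},
    {"resource_type": "bucket", "name": "logs", "id": "b-002"},  # same name, distinct id: fine
    {"resource_type": "table", "name": "users"},
    {"resource_type": "table", "name": "orders"},
]

# One "table" resource carries an id while the others do not: violates the rule.
MIXED_RESOURCES = CONSISTENT_RESOURCES + [
    {"resource_type": "table", "name": "audit", "id": "t-9"},
]

# No ids at all, so the name is the key, and two tables share a name: a collision.
DUPLICATE_NAME_RESOURCES = [
    {"resource_type": "table", "name": "users"},
    {"resource_type": "table", "name": "users"},
]


def unique_key(resource):
    """Identity of a resource: its id when set, otherwise its entity name."""
    return resource.get("id") or resource["name"]


def check_id_consistency(resources):
    """Return a list of human-readable problems; an empty list means the payload is consistent.

    Two things are checked per resource_type:
      1. resources with and without an id are not mixed;
      2. the effective unique keys (id, or name when no id) do not collide.
    """
    problems = []
    by_type = defaultdict(list)
    for r in resources:
        by_type[r["resource_type"]].append(r)

    for rtype, items in sorted(by_type.items()):
        with_id = [r for r in items if r.get("id")]
        if with_id and len(with_id) != len(items):
            problems.append(
                f"resource_type {rtype!r} mixes resources with and without an id"
            )
        seen = set()
        for r in items:
            key = unique_key(r)
            if key in seen:
                problems.append(f"duplicate key {key!r} in resource_type {rtype!r}")
            seen.add(key)
    return problems


if __name__ == "__main__":
    for label, payload in (
        ("consistent", CONSISTENT_RESOURCES),
        ("mixed", MIXED_RESOURCES),
        ("duplicate names", DUPLICATE_NAME_RESOURCES),
    ):
        print(label, "->", check_id_consistency(payload) or "ok")
```

Run the check before pushing a payload; a non-empty result means the push would either be rejected or silently collapse two resources into one key, which matters when tags and permissions are attached per resource.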

Integrations

  • ServiceNow can now be added as a destination for alerts and notifications. The integration can be enabled by providing a host, username, and password. When the associated rule sends an alert, it will create a service desk ticket with the specified urgency, description, and ticket table.

  • Google Workspace Groups now show a Built In property to identify system groups (such as "abuse" or "postmaster"). This allows, for example, filtering and preventing these entities from appearing as "empty group" violations.

  • Active Directory groups now have an Owners property to identify and filter by group owner/manager.

  • Workflows now use the Okta employee_id and manager attributes to identify a user's manager.

  • AWS EC2 instance created_at ("launched at") date is now available as a searchable entity property.

  • Processing SQL Server instances and each database is now a separate operation. This change will cause some limitations when searching standalone SQL Servers in historical snapshots. Primarily, connections from local SQL Server principals to effective permissions on SQL Server instances will not be available.

  • Added support for discovering and searching Google Cloud Organization Unit accounts (OUs). Organizational Unit Path has been added to the standard properties for Google Cloud entities. You can now search for Google Cloud Organization Units and filter by Org Unit Path, Parent Org Unit ID, Parent Org Unit Path, and the OU name or its users.

    Note: Requires the additional service account permission: https://www.googleapis.com/auth/admin.directory.orgunit.readonly

Product Usability

  • Upgraded the Authorization Graph "Select a Relationship to Show" dropdown for improved selection of entity types.

  • Improved visual clarity when using the Add Veza Tag modal.

  • When filtering by permissions using the Query Builder, you are now prompted to choose whether to search effective or raw permissions.

  • Updated the style of the saved query details modal for improved readability and consistency with Access Workflow details.

  • All entity relationships are now shown (node-centric search) when opening a single node in Authorization Graph.

  • Added category descriptions to the Rule Builder.

  • Added tooltips to contextualize Veza tags, effective permissions, and Access Workflow states.

  • During certification review, the Resource Type column now includes an icon for better differentiation between providers.

Bug Fixes

  • Users are now required to provide their current password before being able to create a new one.

  • Built-in Google Groups with no users are no longer marked as violations.

  • Exporting events now correctly includes all records (instead of the last 1000).

  • Columns in Query Builder result views are now retained when modifying the search conditions.

  • Fixed an issue where OAA remove_tag incremental update operations wouldn't remove the tag. Deleting a custom resource now correctly removes tags, so they won't apply if the resource is recreated.

  • Authorization Graph: Okta users no longer show a direct relationship to apps they are assigned only via a group.

  • Increased the limit on discoverable AWS tags to 10,000.

  • Users assigned the operator role no longer see the Insights Points panel on the navigation menu.

  • S3 buckets with a public access block set at the account level no longer register as violations when the control is disabled for the individual bucket configuration.

  • Fixed a search failure when using the Authorization Graph to find a specific S3 bucket by id.

  • Fixed a bug where Okta Group > AWS Identity Center Group connections were not available to search.
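
The S3 fix above rests on how AWS evaluates Block Public Access: the account-level and bucket-level settings are combined, and a request is denied if either level prohibits it, so a bucket whose own block is disabled is still protected when the account-level block is on. The snippet below is an added example of that evaluation, not Veza's detection logic; the four flag names are the real S3 Block Public Access settings, while the sample account and bucket configurations are constructed.

```python
# The four S3 Block Public Access flags, as named in the AWS API.
PAB_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def effective_public_access_block(account_pab, bucket_pab):
    """Combine account- and bucket-level settings.

    AWS honours whichever level is more restrictive, so each flag is effectively
    the logical OR of the two levels. Missing flags are treated as False.
    """
    return {
        flag: bool(account_pab.get(flag, False) or bucket_pab.get(flag, False))
        for flag in PAB_FLAGS
    }


def is_fully_blocked(account_pab, bucket_pab):
    """True when every flag is on at one level or the other."""
    return all(effective_public_access_block(account_pab, bucket_pab).values())


def public_access_violations(account_pab, buckets):
    """Return the names of buckets that are not fully covered once both levels are considered.

    This is the corrected behaviour: a bucket with its own block disabled is not a
    violation if the account-level block already covers it.
    """
    return sorted(
        name for name, pab in buckets.items() if not is_fully_blocked(account_pab, pab)
    )


# Constructed configurations.
ALL_ON = {flag: True for flag in PAB_FLAGS}
ALL_OFF = {flag: False for flag in PAB_FLAGS}
PARTIAL = {**ALL_OFF, "BlockPublicAcls": True, "IgnorePublicAcls": True}

SAMPLE_BUCKETS = {
    "logs": ALL_OFF,       # relies entirely on the account-level block
    "reports": ALL_ON,     # blocks at the bucket level itself
    "website": PARTIAL,    # only the ACL-related flags are set on the bucket
}


if __name__ == "__main__":
    print("account block on :", public_access_violations(ALL_ON, SAMPLE_BUCKETS))
    print("account block off:", public_access_violations(ALL_OFF, SAMPLE_BUCKETS))
```

With the account-level block enabled no bucket is reported; with it disabled, only the bucket that sets all four flags itself escapes the list. Evaluating the bucket setting in isolation, as the pre-fix behaviour did, reports false positives for every bucket in the first case.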

2022.3.1

Workflows

  • Hovering over a certification line item now shows a text summary of the row details.

  • Reviewers and due dates can now be modified by choosing Settings from the workflow certifications list.

  • The certification view now includes columns to show the Application and Resource Type for each row.

  • A summary of data source status at the time of the most recent snapshot is now shown when initiating a new certification. Reviewers can select View Data Source Snapshot Status on the certification interface to check for stale data and confirm the data sources included in the certification.

  • The Show Violation Events modal now includes options to Suppress all Violations for the selected query or suppress violations in bulk.

  • When viewing query builder results, you can now enable an additional column to show the tags on each result.

  • Added an Open in Query Builder shortcut for pivoting to the active search in Query Builder mode.

  • Property names are now case insensitive when adding search constraints.

  • Query Builder results can now be sorted by the number of destination entities.

  • The Authorization Graph now includes search quick links for Google Cloud when available.

Access Intelligence

  • Significant organizational improvements for reporting and assessment queries across categories.

  • New queries have been added for deep insight into toxic combinations and shadow admin privileges.

Heatmaps

  • A summary and list of source entities are now included alongside the main heatmap visualization.

Integrations

  • Added the option to set allow/deny lists to limit Trino catalog, schema, and table extraction.

  • Added the option to set allow/deny lists to limit Okta app and domain extraction.

  • Added a new assessment query for Active Directory users that are Domain Admins.

  • AWS IAM Policy entities now show the Permissions Boundary Usage Count, enabling queries on unused policies with no relationship to any principals.

  • Added an is_guest_user property to Google Workspace users to identify entities whose primary email address doesn't belong to any of the account's domains.

  • Added a new Application Template property for AzureAD Enterprise Applications to enable differentiation between 3rd-party gallery apps and custom app registrations.

  • Added a new app role assignment required property for AzureAD enterprise applications, indicating whether the app is implicitly available to all users, or must be assigned (directly or via a group).

  • You can now select individual services to enable/disable when adding or editing a Google Cloud provider configuration.

  • Open Authorization API: Added and improved warning and error responses when pushing authorization metadata.

Product Usability

  • Instead of listing all violations, the Violations panel now lists queries marked as violations. Clicking Show Events now provides options to Suppress all Violations for the selected query and suppress violations in bulk.

  • The original error message is now available when clicking the data source status on the Configuration panel or a message on the Events page.

  • When AWS accounts appear in search results, the account aliases are now shown in addition to account IDs.

  • Each result's number of destination entities is now included when exporting an assessment query.

  • The default time range on the Events panel is now one month.

  • The User Management panel now correctly paginates lists of more than 20 users.

  • Providers are no longer shown in an error state due to warnings for an unauthenticated or disabled data source.

  • The Authorization Graph filter bar now has an improved layout for better functionality.

  • Workflows: When creating a new workflow, you can now select to preview results for either the source or destination entities.

  • You can now select the accounts to apply highlighting when using Authorization Graph Filter by AWS account. Accounts are now identified by a tag as well as by color.

Bug Fixes

  • When using incremental updates with OAA, add_tag and delete_tag operations now correctly apply to tags on sub-resources.

  • When deleting a configured identity provider, the status now correctly updates to deleting. The Edit button is no longer available for custom apps and identity providers.

  • When the Only Saved Queries filter is enabled, adding another filter no longer resets the original selection. The Saved Queries filter state is now persistent when navigating away from the page.

  • Added retry logic and rate limits for Google Cloud extractions.

  • The complete results are now correctly included in Query Builder exports.
