2022.4.1
Welcome to the latest Veza release! As our first major release since our company launch, 2022.4.1
includes significant updates: access workflow enhancements, a new dashboard, improvements to tables view, authorization graph enhancements, and extended data source and user management options. See below for the full release notes, and please reach out to your Veza Sales and Customer Success team with any requests and feedback:
Authorization Graph & Search
Tables View enhancements: Each row now contains the complete relationship path when exporting search results using View as Tables. Each relationship and permissions set is included in the exported graph. A preview of the data is now shown when exporting.
Added a Data Source Status button to the search bar to enable validation of provider status and last sync time for the current snapshot.
New operations have been added to the Query Builder API to get destination nodes for entities in query builder results.
Pagination and constraints can now be applied to node-centric searches (such as when viewing all relationships for a single named entity).
Insights & Reporting
Added NEW dashboard with system insights and shortcuts as the primary Veza landing page.
Added new reports for visibility into On-prem Data Entitlements and Azure RBAC Advanced Configurations.
Added a modal to "Show Violation Details" for results on the Violations panel and violations appearing on the graph actions sidebar.
When starting a recipe, you can now select to deliver the instructions to a Notifications destination (such as ServiceNow, Slack, or a generic webhook).
Workflows
Added the option to export all workflows and certification status to CSV from the main Workflows panel.
Reviewers are now suggested from a workflow's historical certifiers.
When creating a new access workflow, query result previews are now sorted by type/name/id.
Access Workflow queries now support filtering by permissions to limit certification results to only include entities with escalated privileges.
It's now possible to list workflows and certifications and get and update results using the /preview Workflows APIs.
Administration and Configuration
You can now manually refresh discovered data sources, IdP, and Cloud Providers using the "Start Extraction" option on the Apps & Data Sources panel.
Improved Events filtering and filter options, and added a refresh button.
Each user's type is now shown on the User Management panel.
Reworked the "Add Provider" configuration interface for better readability and organization and added additional tooltips.
Clicking a data source status on the Apps & Data Sources panel filters the Events page on the selected error.
Open Authorization API (OAA)
To model relationships between manually-added entities and discovered graph nodes, custom application resources and sub-resources can now have connections to another graph entity, identified by node_type and id.
Custom IdP template: Assumable Role ARNs are now allowed at the groups level (previously, ARNs could only be assigned to individual users).
Custom application template: Added an optional id property to the resource schema. If set, it will be used as the unique ID instead of the entity name. A specific resource_type must have only resources with an ID or only resources without an ID.
The custom application template now supports nested group relationships.
Added support for removing OAA providers and data sources using the push API.
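The custom application changes above impose two invariants on a pushed payload: every connection must name its target by node_type and id, and a single resource_type may not mix resources that set id with resources that rely on their name. The pre-flight validator below is an added example written for this page, not Veza's own code or the published OAA schema: the payload shape (a list of resource dicts with resource_type, name, optional id and optional connections) and the node_type values are assumptions chosen for illustration, and the sample data is constructed.

```python
# Pre-flight checks for custom-application resources before pushing them to OAA.
# Added example: the payload shape (list of resource dicts with "resource_type",
# "name", optional "id" and optional "connections") and the node_type strings are
# assumptions for illustration, not Veza's published OAA schema.
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Tuple


def find_mixed_id_resource_types(resources: Iterable[Dict[str, Any]]) -> List[str]:
    """Return resource types that mix resources with and without an "id".

    A given resource_type must contain only resources that set "id" or only
    resources that leave it unset, so a type with both is flagged before the push.
    """
    seen: Dict[str, set] = defaultdict(set)
    for res in resources:
        seen[res["resource_type"]].add(res.get("id") is not None)
    return sorted(rtype for rtype, flags in seen.items() if len(flags) > 1)


def find_invalid_connections(resources: Iterable[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (resource name, problem) pairs for connections lacking node_type or id.

    A connection is assumed to reference the target graph node by both fields;
    one missing either cannot be resolved to a discovered node.
    """
    problems: List[Tuple[str, str]] = []
    for res in resources:
        for conn in res.get("connections", []):
            for field in ("node_type", "id"):
                if not conn.get(field):
                    problems.append((res["name"], f"connection missing {field}"))
    return problems


def find_duplicate_keys(resources: Iterable[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (resource_type, key) pairs whose unique key is reused.

    When "id" is set it is the unique key; otherwise the entity name is.
    """
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for res in resources:
        key = res["id"] if res.get("id") is not None else res["name"]
        counts[(res["resource_type"], key)] += 1
    return sorted(k for k, n in counts.items() if n > 1)


# Constructed sample payload exercising each check (not real inventory data).
SAMPLE_RESOURCES = [
    {"resource_type": "database", "name": "orders-db", "id": "db-1001"},
    {"resource_type": "database", "name": "billing-db", "id": "db-1002",
     "connections": [{"node_type": "AwsIamRole",
                      "id": "arn:aws:iam::123456789012:role/example-role"}]},
    {"resource_type": "database", "name": "legacy-db"},      # no id: mixes the type
    {"resource_type": "bucket", "name": "reports"},
    {"resource_type": "bucket", "name": "reports"},          # name reused as key
    {"resource_type": "queue", "name": "events", "id": "q-1",
     "connections": [{"node_type": "OktaUser"}]},           # connection missing id
]

if __name__ == "__main__":
    print("mixed id types:", find_mixed_id_resource_types(SAMPLE_RESOURCES))
    print("bad connections:", find_invalid_connections(SAMPLE_RESOURCES))
    print("duplicate keys:", find_duplicate_keys(SAMPLE_RESOURCES))
```

Run the checks over the full resource list before calling the push API; an empty result from all three means the payload satisfies the stated id and connection rules, and the duplicate-key check catches the case where dropping id for a type makes two same-named resources collide.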
Integrations
ServiceNow can now be added as a destination for alerts and notifications. The integration can be enabled by providing a host, username, and password. When the associated rule sends an alert, it will create a service desk ticket with the specified urgency, description, and ticket table.
Google Workspace Groups now show a Built In property to identify system groups (such as "abuse" or "postmaster"). This allows, for example, filtering and preventing these entities from appearing as "empty group" violations.
Active Directory groups now have an Owners property to identify and filter by group owner/manager.
Workflows now use the Okta employee_id and manager attributes to identify a user's manager.
AWS EC2 instance created_at ("launched at") date is now available as a searchable entity property.
Processing SQL Server instances and each database is now a separate operation. This change will cause some limitations when searching standalone SQL Servers in historical snapshots. Primarily, connections between local SQL Server principals to effective permissions on SQL Server instances will not be available.
Added support for discovering and searching Google Cloud Organization Unit accounts (OUs). Organizational Unit Path has been added to the standard properties for Google Cloud entities. You can now search for Google Cloud Organization Units and filter by Org Unit Path, Parent Org Unit ID, Parent Org Unit Path, and the OU name or its users. Requires the additional service account permission: https://www.googleapis.com/auth/admin.directory.orgunit.readonly
Product Usability
Upgraded the Authorization Graph Select a Relationship to Show dropdown for improved selection of entity types.
Improved visual clarity when using the Add Veza Tag modal.
When filtering by permissions using the Query Builder, you are now prompted to choose whether to search effective or raw permissions.
Updated the style of the saved query details modal for improved readability and consistency with Access Workflow details.
All entity relationships are now shown (node-centric search) when opening a single node in Authorization Graph.
Added category descriptions to the Rule Builder.
Added tooltips to contextualize Veza tags, effective permissions, and Access Workflow states.
During certification review, the Resource Type column now includes an icon for better differentiation between providers.
Bug Fixes
Users are now required to provide their current password before being able to create a new one.
Built-in Google Groups with no users are no longer marked as violations.
Exporting events now correctly includes all records (instead of the last 1000).
Columns in Query Builder result views are now retained when modifying the search conditions.
Fixed an issue where OAA remove_tag incremental update operations wouldn't remove the tag. Deleting a custom resource now correctly removes tags, so they won't apply if the resource is recreated.
Authorization Graph: Okta users no longer show a direct relationship to apps they are assigned only via a group.
Increased the limit on discoverable AWS tags to 10,000.
Users assigned the operator role no longer see the Insights Points panel on the navigation menu.
S3 buckets with a public access block set at the account level no longer register as violations when the control is disabled for the individual bucket configuration.
Fixed a search failure when using the Authorization Graph to find a specific S3 bucket by id.
Fixed a bug where Okta Group > AWS Identity Center Group connections were not available to search.
2022.3.1
Workflows
Hovering over a certification line item now shows a text summary of the row details.
Reviewers and due dates can now be modified by choosing Settings from the workflow certifications list.
The certification view now includes columns to show the Application and Resource Type for each row.
A summary of data source status at the time of the most recent snapshot is now shown when initiating a new certification. Reviewers can select View Data Source Snapshot Status on the certification interface to check for stale data and confirm the data sources included in the certification.
Search
The Show Violation Events modal now includes options to Suppress all Violations for the selected query or suppress violations in bulk.
When viewing query builder results, you can now enable an additional column to show the tags on each result.
Added an Open in Query Builder shortcut for pivoting to the active search in Query Builder mode.
Property names are now case insensitive when adding search constraints.
Query Builder results can now be sorted by the number of destination entities.
The Authorization Graph now includes search quick links for Google Cloud when available.
Access Intelligence
Significant organizational improvements for reporting and assessment queries across categories.
New queries have been added for deep insight into toxic combinations and shadow admin privileges.
Heatmaps
A summary and list of source entities are now included alongside the main heatmap visualization.
Integrations
Added the option to set allow/deny lists to limit Trino catalog, schema, and table extraction.
Added the option to set allow/deny lists to limit Okta app and domain extraction.
Added a new assessment query for Active Directory users that are Domain Admins.
AWS IAM Policy entities now show the Permissions Boundary Usage Count, enabling queries on unused policies with no relationship to any principals.
Added an is_guest_user property to Google Workspace users to identify entities whose primary email address doesn't belong to any of the account's domains.
Added a new Application Template property for AzureAD Enterprise Applications to enable differentiation between 3rd-party gallery apps and custom app registrations.
Added a new app role assignment required property for AzureAD enterprise applications, indicating whether the app is implicitly available to all users, or must be assigned (directly or via a group).
You can now select individual services to enable/disable when adding or editing a Google Cloud provider configuration.
Open Authorization API: Added and improved warning and error responses when pushing authorization metadata.
Product Usability
Instead of listing all violations, the Violations panel now lists queries marked as violations. Clicking Show Events now provides options to Suppress all Violations for the selected query and suppress violations in bulk.
The original error message is now available when clicking the data source status on the Configuration panel or a message on the Events page.
When AWS accounts appear in search results, the account aliases are now shown in addition to account IDs.
Each result's number of destination entities is now included when exporting an assessment query.
The default time range on the Events panel is now one month.
The User Management panel now correctly paginates lists of more than 20 users.
Providers no longer are shown in an error state due to warnings for an unauthenticated or disabled data source.
The Authorization Graph filter bar now has an improved layout for better functionality.
Workflows: Hovering over a certification line item now shows a natural language text summary of the row details.
Workflows: When creating a new workflow, you can now select to preview results for either the source or destination entities.
You can now select the accounts to apply highlighting when using Authorization Graph Filter by AWS account. Accounts are now identified by a tag as well as by color.
Bug Fixes
When using incremental updates with OAA, add_tag and delete_tag operations now correctly apply to tags on sub-resources.
When deleting a configured identity provider, the status now correctly updates to deleting. The Edit button is no longer available for custom apps and identity providers.
When the Only Saved Queries filter is enabled, adding another filter no longer resets the original selection. The Saved Queries filter state is now persistent when navigating away from the page.
Added retry logic and rate limits for Google Cloud extractions.
The complete results are now correctly included in Query Builder exports.