2022.5.1

Welcome to the latest Veza release! This monthly update includes some significant changes to improve the enterprise scalability of Workflows, with new support for per-row reviewers, final sign-off, and extended search, export, and diff options. Additionally, 2022.5.1 introduces usability improvements throughout the product including:

  • Improved viewing of search results across multiple providers of the same type

  • Quick assignment of team and resource managers directly from Authorization Graph

  • New administration options for managing federated access and disabled users

Please see below for the complete release notes, and please reach out to your Veza Sales and Customer Success team with any requests and feedback:

Workflows

Individual reviewer assignments for each row: Workflows now support per-row reviewer assignments for easier collaboration, and to enable organization-wide campaigns where any user can be flagged as a reviewer for individual results, log in with single sign-on, and see only the information they need to make a decision.

  • You can now assign a default set of zero or more reviewers when creating a new workflow. The default reviewers can be overridden by assigning a row-level reviewer from the certification interface.

  • To support per-row reviewers, reviewers can only see results they can make decisions on. Users with the access_reviewer role can only view certifications that A) are incomplete and B) have 1 or more rows assigned to them as a reviewer. Additionally, access_reviewers can only diff against certifications where they were assigned at least one row in that cert.

  • Inactivity notifications & reminders are now sent to individual reviewers based on their assigned row progress. Messages now contain additional details on rows remaining for sign-off. Notifications are now delivered when a certification row is assigned.

Sign-Off on certification decisions: Certifiers (or another auditor) can now "Sign-Off" on the decisions made by default or row-level reviewers. This allows reviewers to tentatively accept or reject access, and sign off once they are confident in their choice. Only when a row is signed-off will any configured webhooks be triggered.

  • Once sign-off is complete, the row's decision can't be changed by a reviewer. However, an admin or operator can update the status of a "rejected" row to "fixed", or from "fixed" to "rejected".

  • Hovering over the signed-off button shows who has signed off on a row, and when.

  • /preview/ API responses and notification webhooks show the status of signed-off rows and notification details (ticket #, success status).

Improved visibility on reviewer progress and certification status: Additional details are now shown in the Certification view. Users with the access_reviewer role are now shown their current count of assigned rows. For non-access_reviewer roles, full progress details are shown (for example, 1/4/10 in-progress/signed-off/total-assigned).

In progress means a row is ACCEPTED, REJECTED, or FIXED. Unassigned rows are now shown above the reviewer list.
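The reviewer-visibility rule, the sign-off lock and the progress counts described above, modelled as an added Python example. This is not Veza's code: the class and function names (Role, Decision, Certification, visible_certifications, decide, sign_off, progress), the sample certifications and reviewer names are assumptions constructed for illustration, and it assumes a row counts as "in progress" only until it has been signed off.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

# Hypothetical model of the rules in these release notes: access_reviewers see only
# incomplete certifications with rows assigned to them, decisions stay tentative until
# sign-off, sign-off locks the row and is the only point where a webhook fires, and
# only an admin/operator may flip a signed-off row between REJECTED and FIXED.

class Decision(Enum):
    PENDING = "PENDING"
    ACCEPTED = "ACCEPTED"
    REJECTED = "REJECTED"
    FIXED = "FIXED"

class Role(Enum):
    ACCESS_REVIEWER = "access_reviewer"
    OPERATOR = "operator"
    ADMIN = "admin"

@dataclass
class Row:
    row_id: str
    reviewer: str                      # effective reviewer: row-level override or default
    decision: Decision = Decision.PENDING
    signed_off_by: Optional[str] = None

@dataclass
class Certification:
    cert_id: str
    rows: List[Row]
    complete: bool = False
    webhooks_fired: List[dict] = field(default_factory=list)  # stands in for configured webhooks

    def row(self, row_id: str) -> Row:
        return next(r for r in self.rows if r.row_id == row_id)

def visible_certifications(user: str, role: Role, certs: List[Certification]) -> List[Certification]:
    """An access_reviewer sees only incomplete certifications in which at least one row
    is assigned to them; every other role sees all certifications."""
    if role is not Role.ACCESS_REVIEWER:
        return list(certs)
    return [c for c in certs
            if not c.complete and any(r.reviewer == user for r in c.rows)]

def decide(cert: Certification, row_id: str, user: str, role: Role, decision: Decision) -> Decision:
    """Record a tentative decision. After sign-off the row is locked, except that an
    admin or operator may flip it between REJECTED and FIXED."""
    row = cert.row(row_id)
    if row.signed_off_by is not None:
        flip = {row.decision, decision} == {Decision.REJECTED, Decision.FIXED}
        if role in (Role.ADMIN, Role.OPERATOR) and flip:
            row.decision = decision
            return row.decision
        raise PermissionError(f"row {row_id} is signed off; its decision is locked")
    if role is Role.ACCESS_REVIEWER and row.reviewer != user:
        raise PermissionError(f"{user} is not the assigned reviewer for row {row_id}")
    row.decision = decision
    return row.decision

def sign_off(cert: Certification, row_id: str, signer: str) -> dict:
    """Sign-off freezes the decision and is the only event that triggers a webhook."""
    row = cert.row(row_id)
    if row.decision is Decision.PENDING:
        raise ValueError(f"row {row_id} has no decision to sign off")
    if row.signed_off_by is not None:
        raise ValueError(f"row {row_id} is already signed off by {row.signed_off_by}")
    row.signed_off_by = signer
    payload = {"cert_id": cert.cert_id, "row_id": row_id,
               "decision": row.decision.value, "signed_off_by": signer}
    cert.webhooks_fired.append(payload)  # webhook delivery would happen here
    return payload

def progress(cert: Certification, user: Optional[str] = None) -> Tuple[int, int, int]:
    """(in-progress, signed-off, total-assigned), the shape of the '1/4/10' display.
    Assumption: a row is in-progress once decided (ACCEPTED/REJECTED/FIXED) and not yet signed off."""
    rows = [r for r in cert.rows if user is None or r.reviewer == user]
    signed = sum(1 for r in rows if r.signed_off_by is not None)
    in_progress = sum(1 for r in rows
                      if r.decision is not Decision.PENDING and r.signed_off_by is None)
    return in_progress, signed, len(rows)

def build_sample() -> List[Certification]:
    """Constructed sample data: one open certification with two reviewers, one completed."""
    cert_a = Certification("cert-a", [Row("a1", reviewer="alice"),
                                      Row("a2", reviewer="alice"),
                                      Row("a3", reviewer="bob")])
    cert_b = Certification("cert-b", [Row("b1", reviewer="bob")], complete=True)
    return [cert_a, cert_b]

if __name__ == "__main__":
    certs = build_sample()
    print([c.cert_id for c in visible_certifications("bob", Role.ACCESS_REVIEWER, certs)])  # ['cert-a']
    cert = certs[0]
    decide(cert, "a1", "alice", Role.ACCESS_REVIEWER, Decision.REJECTED)
    sign_off(cert, "a1", "carol")
    print(progress(cert, "alice"))  # (0, 1, 2)
```

The point of separating decide() from sign_off() is that a reviewer's tentative choice never reaches downstream systems: webhooks_fired stays empty until a signer commits the row, and after that the reviewer path is closed entirely, leaving only the narrow rejected/fixed remediation transition to privileged roles.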

Multi-selection across results pages: You can now use smart Actions to perform bulk actions on certification rows with a given column value. This facilitates decisions on all rows by applying an action to results where Column x IS NOT EQUAL TO "<<empty string>>".

Smart Assignment for team and resource managers: When creating a new certification, there is now a one-time option to "auto-assign" row reviewers based on graph metadata (an IdP must be configured).

Intermediate Roles for certification results: When creating a new workflow query, you can now specify a role entity type (such as Snowflake, OAA, or AWS IAM role) to only show results with a relationship to the selected role. Intermediate roles are now shown in the certification results table and included in the row hover description.

Additional Workflows enhancements:

  • Added the ability to export the current certification, including the latest results OR the diff against a prior certification for the same workflow.

  • Query Snapshot IDs are now included in webhook payloads in a CertificationSnapshotID field.

  • Custom names can now be assigned to graph entities by applying a tag with the SYSTEM_alt_name key. The tag value will be shown for better readability when reviewing certification results and allow business-friendly labels for entities such as AWS roles.

  • When creating an access review, you can use predefined attribute filters to filter on common user properties such as manager. This option is only available if IdP Settings are configured, for the user entity type specified in the IdP Settings.

  • The ListWorkflowResults and UpdateWorkflowResult endpoints now use a renamed value object: effective_permissions and raw_permissions have been changed to accumulated_effective_permissions and accumulated_raw_permissions.

  • API responses now include details about intermediate relationships: AccessCertQueryResult now includes node details for each waypoint_node, and AccessQuery now returns the constraints on waypoint_node_types. AccessResultInfo now returns any waypoint_properties, the count num_unique_waypoint_nodes, and the boolean waypoint_nodes_have_alternate_names.

  • You can now search for authorization to all discovered resource types by selecting an identity type (such as Okta User) and selecting "Resources" from the Add Relationship dropdown.

  • Tag-based filters can now be applied to queries on "All Resources" or "All Principals."

  • Resource managers are now assignable from the graph actions sidebar. Suggestions will be made based on the configured Workflow identity provider (the system user list or a connected graph IdP).

  • Search keywords in the results summary are now shown as Tags for better readability.

  • The human-friendly account "name" provided when configuring an AWS or Snowflake integration is now the primary display name for better readability of search results that include multiple instances of the same provider type.

  • Alternate IDs (such as AWS Account ID and Azure Tenant ID) are now shown in tooltips and node labels to better distinguish between entities with the same name across different accounts.

  • A new action to open the underlying search in Query Builder is now available on the Reporting panel.

  • Results are now paginated when searching for a single entity type.

Administration and Configuration

  • The initial Veza administrator can now enforce SSO for other users using the "Enable Local Accounts" toggle under Sign-In Settings. When enabled, new user accounts can only be created by signing in through the SSO IdP.

  • Administrators can now enable or disable other users and show or hide disabled accounts from the User Management page.

Integrations and Data Pipeline

  • Added new /private/ endpoints for customizing Workflows email templates.

  • Data pipeline optimizations for public cloud providers, Okta, and standalone data sources.

Bug Fixes

  • The entity catalog now correctly shows a scroll bar when more entries are available.

  • The "region" field is now case insensitive when configuring a Snowflake integration.

  • The View Events action for rows in the Standalone Databases table on the Configurations > Apps and Data Sources panel has been removed. Events can still be viewed on the discovered data sources associated with those standalone databases.

  • Added horizontal scrolling to the "View Policy" modal to enable viewing the complete JSON statement.

  • When configuring Workflow notifications, it's now clarified that re-assigning a certification will notify all reviewers. When picking new reviewers for an existing certification, you are now prompted to "re-assign reviewers."

  • Scheduled extractions are now skipped when the associated Insight Point is unavailable.

  • Pushing local OAA application roles without permissions now returns a warning instead of an error.
