2023.1.30

Insights

Reports

As part of an ongoing effort to improve actionability and time to value of Veza Insights, Reports now use a redesigned tiles layout for better readability and easier customization. It's now easier to show only the most relevant insights, and quickly pivot from Veza Reports to Authorization Graph or Query Builder.

  • Clicking a result value (min/max/change) opens a trend chart for the assessment query.

  • Clicking edit opens the assessment query for customization in the Query Builder.

  • You can now expand or collapse each section in a report and filter by providers, AWS accounts, and Azure tenants.

Authorization Risks Dashboard

Administrators can now tailor the Insight Reports shown on the Veza dashboard, which is now driven by the customizable Authorization Risks Report category. Administrators can remove queries from these reports to hide them on the main landing page, and exclude false positives by adding filters to the original out-of-the-box (OOTB) query.

  • Clicking an authorization risk tile on the main dashboard now opens the corresponding report.

  • Administrators can edit Authorization Risks dashboard reports to hide individual assessment queries for all users.

Report and Saved Query privacy settings

For improved collaboration and security in multi-user environments, user-created reports are now private by default (visible only to owners). Setting a report to public publishes it for all users. A new Reports Library provides an overview of all built-in and custom reports and their privacy settings.

  • Changing a report to Public is permanent.

  • Reports can only be edited by their owners.

  • Veza admins are the default owners of system queries and reports. Users own any queries and reports they create.

New Critical Risk Assessments

  • A range of built-in IdP Analysis assessment queries are now provided out-of-the-box. These assessments are now included in Authorization Risks reports for insight into:

    • Disabled IdP identities with cross-service permissions (such as disabled Azure AD Users with Snowflake access)

    • Disabled accounts with system-wide access and high-risk roles (such as disabled Azure AD Admins & Enterprise Admins)

    • Identities assigned Okta Groups with names containing "VPN"

    • IdP identities with MFA disabled

  • Added a new AWS IAM assessment, External AWS AssumeRole relationship without setting ExternalID. The query returns AWS accounts that are not integrated with Veza (external to it) yet are able to assume temporary credentials in an integrated AWS account. AWS accounts configured to require a trusted external ID (as is best practice) are excluded from the results.

  • Reports have been reorganized to offer more relevant insights. The Dormant Entities and Guest users with any access reports are now named Disabled users with excessive permissions and Guest users with excessive permissions.
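The ExternalID assessment above describes a confused-deputy condition: an external account can call sts:AssumeRole on a role in an integrated account, and nothing ties that call to a shared secret. As an added example (not Veza's own query logic and not part of these release notes), the Python below applies the same rule to a single IAM role trust policy document: it reports Allow statements granting sts:AssumeRole to a principal from an account outside a constructed set of "integrated" accounts (or to the wildcard principal) that carry no sts:ExternalId condition. The account IDs, role names and the policy document are constructed for illustration.

```python
"""Flag cross-account AssumeRole trust statements that lack an ExternalId condition.

Added example, not Veza's assessment implementation. Account IDs, the
"integrated" account set and the sample trust policy are all constructed.
"""
import json
import re

# Constructed: accounts we treat as integrated (inventoried and trusted).
INTEGRATED_ACCOUNTS = {"111111111111"}

# Extracts the 12-digit account ID from an IAM ARN such as arn:aws:iam::123456789012:root
_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return the set of account IDs referenced by a Principal element.

    Returns {"*"} when the principal is the wildcard (any AWS identity).
    Service principals (e.g. lambda.amazonaws.com) are ignored here.
    """
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", entry):
            accounts.add(entry)
        else:
            match = _ACCOUNT_IN_ARN.match(entry)
            if match:
                accounts.add(match.group(1))
    return accounts


def _requires_external_id(statement):
    """True when the statement's Condition block constrains sts:ExternalId."""
    condition = statement.get("Condition", {})
    for operator, keys in condition.items():
        # StringEquals / StringLike / StringEqualsIfExists all count as a constraint.
        if operator.startswith("String") and any(k.lower() == "sts:externalid" for k in keys):
            return True
    return False


def find_unprotected_external_trusts(trust_policy, integrated_accounts=INTEGRATED_ACCOUNTS):
    """Return [(external_account, statement_index), ...] for risky trust statements.

    A finding is an Allow statement granting sts:AssumeRole to an account that is
    not in integrated_accounts (or to "*") with no sts:ExternalId condition.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not ({"sts:assumerole", "sts:*", "*"} & actions):
            continue
        if _requires_external_id(stmt):
            continue
        for account in _principal_accounts(stmt.get("Principal", {})):
            if account == "*" or account not in integrated_accounts:
                findings.append((account, idx))
    return findings


# Constructed sample trust policy: statement 0 trusts an external account with
# no ExternalId (finding); statement 1 trusts an external account but requires
# an ExternalId (excluded); statement 2 trusts an integrated account (excluded).
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::333333333333:role/vendor-scanner"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}},
    {"Effect": "Allow",
     "Principal": {"AWS": "111111111111"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

if __name__ == "__main__":
    for account, idx in find_unprotected_external_trusts(SAMPLE_TRUST_POLICY):
        print(f"statement {idx}: account {account} may assume the role without an ExternalId")
```

In a real environment the function would be run over every role's AssumeRolePolicyDocument, with the integrated set drawn from the accounts actually onboarded; the fix for each finding is to add a StringEquals condition on sts:ExternalId (or to narrow the principal) rather than to suppress the result.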

Integrations

  • The Salesforce integration now discovers cross-service connections for Azure AD. A custom identity mapping is no longer needed to correlate AD principals with the local accounts they can assume.

  • The Salesforce integration now includes the option to Gather Non-Standard Users. By default, Veza will only gather users with license types in the "standard" category (including Salesforce Platform and Salesforce Platform One).

  • You can now change the Insight Point used for discovery when editing a saved SQL Server or Okta integration.

  • All assessment queries in reports now support Open in Authorization Graph. Note that a distinct filter label appears when a query is opened with parameters the graph does not support (particularly Related Entity Limits). In such cases, results can drift over time and are not compatible with graph snapshots.

  • Opening an assessment query in Authorization Graph now carries over filters on the provider AWS account or Azure tenant.

  • You can now specify required intermediate entity types in Authorization Graph (alongside the existing exclude intermediate entity types advanced option). This constrains the relationships shown to only those that traverse the required entity types.

Workflows

  • Operators creating a workflow can now set path requirements on excluded and required intermediate entity types. Doing so will constrain results based on whether the selected entity type (such as group, role, or IAM policy) exists in the authorization path between the query source and destination.

  • Improved performance when filtering certification results by reviewer.

  • To prevent unintentional removal of reviewers, a reviewer must now be selected to run a re-assign reviewers Smart Action. A fallback reviewer is now required when using auto-assignment.

Bug Fixes

  • Query Builder: Fixed an issue where table view failed to render when searching "Custom" entity types.

  • Workflows: Fixed an issue where creating several certifications in parallel (using auto-assignment) resulted in errors.

  • Workflows: Using a checkbox to select a certification result no longer resets any changes to column order.
