2023.2.6

Early Access

Path Summary Entities for Veza Workflows is a new feature that enhances and modifies the contents of a certification, complementing the existing Effective Permission and Intermediate Entity options. When enabled, the certification results include every connection from the source entity type to the destination entity type, along with a summary of the path that made each connection.

The path summary lists only the entity types specified in Path Summary Entities. For example, a query from User to Bucket with a path summary including Group and Role returns all the unique rows of Users connected to Buckets. The summarized path might look like GroupA->Role1, or Role2 (if no group is in the path), or be empty for users with direct bucket access (not through a group or role).

Choosing Path Summary Entities is similar to an Intermediate entity selection, except that several types can be selected at a time. Adding a path summary can aid in reviewer decision-making and offers visibility into:

  • Whether access is granted by group or role membership, or direct assignment

  • The name of the group or role granting permissions

  • The type of group membership (owner, manager, member)

  • The resource a policy is attached to, which could be the destination resource (for directly-applied policies) or an upper-level entity in the resource hierarchy (for inherited policies)
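The following is an added example, not Veza code, showing how a path summary can be derived from an authorization graph: every simple path from a User to a Bucket is enumerated, the intermediate nodes are reduced to the selected entity types, and the result is one row per unique User/Bucket pair with the distinct summarized paths that connect them. The graph, entity type names, and node names (GroupA, Role1, Role2, the buckets) are constructed for illustration and are not taken from any real environment.

```python
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

Node = Tuple[str, str]  # (entity_type, name)

# Constructed sample authorization graph (not Veza data). Edges run from the
# identity side toward the resource side. Entity type names are assumed.
EDGES: Dict[Node, List[Node]] = {
    ("User", "alice"): [("Group", "GroupA"), ("Bucket", "logs")],  # group path and direct access
    ("User", "bob"): [("Role", "Role2")],                           # role only, no group
    ("User", "carol"): [("Group", "GroupA")],
    ("Group", "GroupA"): [("Role", "Role1")],
    ("Role", "Role1"): [("Bucket", "logs")],
    ("Role", "Role2"): [("Bucket", "logs"), ("Bucket", "backups")],
}


def enumerate_paths(graph: Dict[Node, List[Node]], source_type: str,
                    target_type: str) -> Iterator[List[Node]]:
    """Yield every simple path from a node of source_type to a node of target_type.

    A visited set guards against cycles (for example nested groups that include
    each other), so the walk always terminates.
    """
    def walk(node: Node, path: List[Node], seen: Set[Node]) -> Iterator[List[Node]]:
        if node[0] == target_type:
            yield list(path)
            return
        for nxt in graph.get(node, []):
            if nxt in seen:
                continue
            path.append(nxt)
            seen.add(nxt)
            yield from walk(nxt, path, seen)
            path.pop()
            seen.discard(nxt)

    for src in [n for n in graph if n[0] == source_type]:
        yield from walk(src, [src], {src})


def summarize(path: List[Node], summary_types: Set[str]) -> str:
    """Keep only intermediate nodes whose type was selected and join them with '->'.

    The endpoints are dropped; an empty string means the access is direct with
    respect to the selected types.
    """
    return "->".join(name for (etype, name) in path[1:-1] if etype in summary_types)


def path_summary_rows(graph: Dict[Node, List[Node]], source_type: str,
                      target_type: str, summary_types: Set[str]) -> Dict[Tuple[str, str], List[str]]:
    """Return one row per unique (source, target) pair with its distinct path summaries."""
    rows: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for path in enumerate_paths(graph, source_type, target_type):
        rows[(path[0][1], path[-1][1])].add(summarize(path, summary_types))
    return {pair: sorted(summaries) for pair, summaries in rows.items()}


if __name__ == "__main__":
    for (user, bucket), summaries in sorted(
            path_summary_rows(EDGES, "User", "Bucket", {"Group", "Role"}).items()):
        print(f"{user} -> {bucket}: {summaries}")
```

Selecting both Group and Role yields alice -> logs with summaries ["", "GroupA->Role1"] (direct access plus a group-and-role path), bob -> logs and bob -> backups with ["Role2"], and carol -> logs with ["GroupA->Role1"]. The caveat worth checking in a review: if only Group is selected, bob's role-based access summarizes to an empty string and is indistinguishable from direct assignment, which is why selecting every entity type that can grant access matters.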

Configuration mode for Veza Workflows, Authorization Graph, and Query Builder enables visualization and filters on the hierarchy of Role-Based Access Control (RBAC) entities connecting identities and resources. Using configuration mode can add additional context to understand and map privileges within providers such as Google Cloud and Microsoft Azure. Configuration mode can also enable granular workflows and rules based on intermediate authorization entities such as role binding, group membership, and IAM policy.

Please contact the Veza customer success team to learn more about enabling Early Access features.

Insights

  • New built-in assessments are now available as Saved Queries and included in Reports:

    • Dormant identity provider (IdP) accounts and local users with no recent activity (such as Okta Users with no recent activity but assigned Okta apps)

    • Local accounts without a corresponding IdP user (such as Salesforce Users with no mapped Azure AD Users)

    • Google Cloud and Workspace: Google Workspace Users granted a Google Service Account role, Google Workspace Groups granted Google Cloud roles, and Google Service Accounts that gain access to resources through a Google Workspace Group

    • AWS: AWS Service Principals with S3 delete permissions

  • The Reports Library default page size is increased from 10 to 20

Integrations

  • Insight Points for Veza integrations can now be run as Oracle VirtualBox virtual appliances. For more information and download links, see the instructions for Oracle VirtualBox and VMware vSphere

Bug Fixes

  • Resolved an issue causing unreasonably long extraction times for Salesforce
