# Release Notes: 2025-04-30

### Access Requests

#### New Features

* **EAC-46221 Entitlement Sync**: Veza can now synchronize entitlements to enforce group assignments for Active Directory users.

  This ensures that Access Profiles remain the authoritative source for linked Active Directory group membership, automatically re-adding removed users, removing unauthorized out-of-band additions, and recreating accidentally deleted groups.

  * You can now enable continuous sync and configure the time between sync checks when creating Access Profiles that grant entitlements. In the Profile Type settings, configure a **Time Before Sync Check in Seconds** to enable synchronization for an Access Profile Type.
  * When synchronization is enabled, Veza will periodically:
    * Verify target entitlements still exist with correct properties
    * Verify all profile members have proper relationships with entitlements
    * Remove relationships for non-members of the Access Profile
    * Recreate any missing Active Directory groups
    * Track the Lifecycle Management identity that created the profile
* **EAC-45946 Delegation and Deny Lists**: Administrators can now configure delegate approvers, approver deny lists, and requestor deny lists in Access Request Settings.
* **EAC-47014 About This App Instructions**: Custom "About This App" instructions can now be configured for any Access Profile directly via a sidebar, table, or row details action, with support for rich text via markdown.

#### Enhancements

* **EAC-46790 Automatic Profile Type Selection**: If only one Access Profile Type is available, the type is now pre-selected when creating new Access Profiles.
* **EAC-46621 Manual Synchronization**: Added support for manually triggering entitlement synchronization directly from Access Profile actions.
* **EAC-46439 Default Access Request Policies**: Default Access Request Policies can now be defined per Access Profile Type.

  Profile Type Settings now include the option to select a default profile, and enable or disable using alternate policies when creating profiles of that type.
* **EAC-46692 Profile Integration Limits**: When creating a new Access Profile Type, integration options show a checkbox for the **Limit to a single integration** option. It can now be enabled concurrently with the options to "Limit to a single integration type" or "Allow multiple integration types" for profiles of that type.
* **EAC-46669 Pre-Set Integration**: Profile creators are no longer prompted to choose a target integration when this setting is pre-determined by the Access Profile Type.
* **EAC-46655 Active Directory Account Name Support**: Added support for account name as a transformer on Create Entitlement actions.
* **EAC-46576 Profile Creation Permissions**: Administrators can now configure Veza users and groups allowed to create profiles using the **Access Profile Settings** > **Manage Permissions** menu.
* **EAC-46892 Profile Type Visibility**: Administrators can now restrict Access Profile Type visibility for specific Veza users or groups using the **Manage Permissions** action on the **Profile Types** settings page.
* **EAC-46801 Profile Member Management**: Administrators can now directly add or remove Access Profile members using the **Access Profiles** > **Manage Members** action.

#### Bug Fixes

* **EAC-46656**: Fixed an issue where "Active Directory User not found" was displayed for users with graph mappings after Access Profile Owners add new members.
* **EAC-46566**: Added feature checking for Access Request Settings and Access Request Policies. These tabs are no longer shown unless Access Requests is supported for the tenant.
* **EAC-46679**: Naming validation is now performed during initial profile creation, preventing errors due to transformations exceeding character limits in provisioning targets.

### Lifecycle Management

#### New Features

* **EAC-45078 Policy Safety Limits**: Provisioning Policies can now include **Safety Limits**, blocking changes that impact more than a specified number of identities, and optionally triggering email notifications.
  * When the safety limit is exceeded, further processing is halted. A warning will appear in the **Policies** UI, with options to view details, process the pending changes, or ignore and re-enable the policy.
  * The Activity Log now shows a "SAFETY\_LIMIT\_REACHED" event, and policies that have encountered a limit have a warning shown next to their name on the Policies list.
* **EAC-45877 Policy Write Back Mode**: Sync Identity Actions can now explicitly enable or disable **Write Back Mode**, preventing any changes to policy identity sources. When enabled, the action can include steps to update or create attributes in the identity source based on values in the target application.
* **EAC-46313 Coupa CCW**: Added support for Coupa CCW as a source of identity.

#### Enhancements

* **EAC-46762 Policy Draft Mode**: Administrators can now toggle **Enable Policy Draft Mode** on the Lifecycle Management **Settings** > **Policy Settings** page.
  * When disabled, users can only save or edit the latest published version of any policy.
  * When enabled, users can view version information and history using the **See Version History** action in the policy editor.
* **EAC-46919 Lookup Table Export**: Added support for exporting lookup tables to CSV for troubleshooting purposes.
* **EAC-46940 Entitlement Type Selection**: To prevent confusion when adding entitlements to an Access Profile, users now choose a single **Entitlement Type** before choosing one or more **Entitlements** of that type. You can add relationships to other entity types by adding new sets of entitlements.
* **EAC-46723 Fallback Transformers**: Common Transformers can now include fallback formatters, used if the default transformation fails during attribute creation.
* **EAC-46578 Azure AD Guest Options**: Azure AD *Create Guest Account* actions now support creating accounts with or without an invitation email.

#### Bug Fixes

* **EAC-46490 Active Directory**: Fixed an issue with Lifecycle Management requests failing due to escaped commas in CNs.
* **EAC-46735 Okta**: Fixed an issue with user status checking when activating users in Okta that resulted in hanging Sync Identities actions.

### Access Reviews

#### Enhancements

* **EAC-46174 No Reviewer Filter**: You can now filter the **Reviewers** column by `Does not exist` to find rows with no assigned reviewers.
* **EAC-45491 Group By Controls**: When using the "Group By" option, reviewers can now quickly expand or collapse all groups.

### Access Hub

#### Bug Fixes

* **EAC-47000 Paused Profile Visibility**: Fixed an issue where Access Profiles could unexpectedly remain visible in the Catalog when the Access Profile was paused.
* **EAC-46658 Active Directory Group Entitlement Creation**: Fixed an issue where Access Profiles could fail to create group entitlements for Active Directory.
* **EAC-46701 Performance Improvement**: Improved performance when opening the **My Access** overview and **Resources** pages, and fixed an issue where empty pages did not load.
* **EAC-46657 My Access Visibility**: Fixed an issue where certain users couldn't see the "My Access" option in the Access Hub side menu. All users with the following roles now see this option: Administrator, Operator, Viewer, and Reviewer.
* **EAC-46567 Access Profiles Menu Fix**: Fixed an issue where the **Access Profiles** page within Access Hub appeared as a menu option while Lifecycle Management was disabled. The **Access Profiles** page is no longer available for customers without the Lifecycle Management product.
* **EAC-46852 Access Hub Identity Setting**: Added a support-enabled setting to use either 1) the **Global Identity Provider** or 2) **Lifecycle Management Identities** to link Veza users logging in to Access Hub with their associated external identity.

### Non-Human Identity Security

#### Enhancements

* **EAC-42804 Workday Integration System Users**: Workday Accounts now include the *Is Integration User* property, indicating if the Account is an Integration System User (application or service principal). Two rules are now applied to identify NHIs:
  * Accounts for Integration System Users have the nonhuman identity type, enabling NHI management and search for workloads using Integration System Users to access downstream resources.
  * Accounts with UI access disabled (indicated by the *Do Not Allow UI Sessions* property) have the nonhuman identity type, even if they are not an Integration System User.
* **EAC-42806 Google Cloud Secret Manager**: Added support for discovering **Google Secret Manager** Secrets and filtering by attributes `last_rotated`, `status`, and `secret_type`. The integration also now extracts and shows these attributes for KMS Keys.
* **EAC-45324 NHI Access Reviews**: You can now create [On-Demand Access Reviews](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/on-demand-reviews.md) from the **Non-Human Identities** overview page.
  * This enables review creation using an existing Review Configuration (typically scoping the generated access reviews to the target NHI entity types).
  * Support for [1-Step Access Reviews](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/1-step-review.md) (immediate review of the selected query results) is planned for a future release.

### Separation of Duties

#### New Features

* **EAC-45202 View SoD Conflicts**: You can now view the exact conflicting entitlements (e.g., groups, roles, or permission sets) from the Separation of Duties query details with a new **View Conflicts** action. Clicking **Open In Analysis** on the SoD landing page now shows this option to open a sidebar with the conflicting entitlements for each record.

### Access Intelligence

#### New Features

* **EAC-45967 "Affected Entities" for Risks**: The **Risks** page now includes an **Affected Entities** tab for searching entities in the results of Risks by node type, integration, and risk level. You can use row actions on this page to manage risk levels or view entities in Graph or Query Builder, and use row actions or bulk actions to add or remove exceptions.
* **EAC-45316 Redesigned Alerts UI**: The **Alerts** page now has redesigned **Query Alerts** and **Rules** tabs for reviewing triggered alerts and all configured rules. The **Rules** tab includes a new sidebar for viewing details, opening saved query details, and editing rule details and conditions.

#### Enhancements

* **EAC-46651 Query Export Secondary Emails**: Users can now select secondary email addresses when scheduling query exports, and export emails will be sent to those addresses as well.
* **EAC-46403 Dashboard Exports**: Exporting dashboards to CSV now includes a column for minimum and maximum risks during the selected time range.
* **EAC-46317 Query Details**: Query explanations in **Query Details** view are updated to better communicate saved query conditions.

#### Bug Fixes

* **EAC-46847**: Fixed an issue preventing access recommendations from running on the **Recommend** page.

### Access Monitoring

#### New Features

* **EAC-46316 Google Activity Monitoring**: Added support for generating activity monitoring events when a Google Workspace User accesses resources by impersonating a Service Account.

#### Enhancements

* **EAC-45134 Last Activity Filtering**: In Query Builder, you can now filter results on the "Last Activity At" and "Last Activity With Resource At" columns. These filters enable tracking both:

  * Last time of any activity for a particular entity/resource
  * Last activity from a particular identity on a particular resource

  Note that these filters are only enabled for services that support Activity Monitoring.

### Veza Integrations

#### New Features

* **EAC-45752 Dynamics ERP**: The Azure integration can now discover Users, Groups, Application Users, and Security Roles for [Microsoft Dynamics 365 ERP](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/dynamics-365-erp.md).

#### Enhancements

* **EAC-46960 Okta**: Added support for the `WORKFLOWS_ADMIN` built-in Okta role.
* **EAC-46907 Open Authorization API**: The Custom Identity Provider template now supports setting an external identity on IDP Groups for identity mapping purposes.
* **EAC-46619 Salesforce**: Added the `RecordTypeId` attribute to Account and Opportunity Salesforce objects.
* **EAC-46532 Workday**: Added support for gathering Workday Workers Custom Reports using an OAuth token.

#### Bug Fixes

* **EAC-46241 Active Directory**: `CommonName` attribute is now correctly populated for Active Directory Users.
* **EAC-46896 AWS**: Fixed datasource removal for AWS IAM.
* **EAC-46362 Exchange Online**: Fixed Exchange Online errors when extracting mailbox folders for non-enabled users.
* **EAC-46571 GitHub**: Fixed a typo for GitHub role permission `delete_tag_protection_rule`.
* **EAC-46667 MySQL**: Fixed MySQL database error: `cannot extract proxies_priv`.
* **EAC-46690 Okta**: Improved handling of `X-Rate-Limit-Limit` header for Okta.
* **EAC-46645 Oracle EBS**: Fixed unmarshalling of float menu entry sequences for Oracle EBS.
* **EAC-47075 Salesforce Commerce Cloud**: Trim trailing slash from config hostname for Commerce Cloud.
* **EAC-46630 Snowflake**: Added a check that the optional Snowflake secrets view exists before extracting from it.
* **EAC-46649 SQL**: Removed port validation for SQL server.
* **EAC-46898 Veza**: Fixed Veza (self) integration to properly initialize.
* **EAC-46875**: Fixed an issue causing extractions to hang in the `Pending Parsing` state.
* **EAC-46715**: Fixed extraction failures with multiple sources of identity enabled.

### Veza Platform

#### New Features

* **PLT-352 SCIM User Provisioning**: Veza now provides SCIM-compliant REST APIs for automated user provisioning. See the [documentation](/4yItIzMvkpAvMVFAamTf/developers/api/scim.md) for full API reference and configuration guides.
* **PLT-1486 OpenID Connect**: OpenID Connect (OIDC) is now available to all customers. See [Single Sign-On with Okta (OIDC)](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/oidc/oidc-okta.md) for example configuration.


