# Release Notes: 2025-06-11

### Access Hub

#### Enhancements

* **FR-3593, EAC-48880 Access Hub Product Visibility Settings**: Enhanced the Access Hub settings interface to support customizing product visibility. For the products and features that are licensed or enabled, administrators can now use toggle switches to control which Access Hub pages (My Access, Team Access, Access Reviews, Access Profiles, and Catalog) are visible to users.

### Access Request

#### Enhancements

* **EAC-47721 Access Request Policy Expiration Handling**: Administrators can now configure expiration policies within Access Request Policies to automatically handle requests that expire.
  * Policies can be set to automatically approve, reject, or escalate expired requests based on configurable timeframes.
  * When escalation is selected, requests can be routed to administrators, application owners, profile owners, manager hierarchies (Level 1 and 2), or specific users and groups.

### Access Reviews

#### New Features

* **FR-3414, EAC-47811 Risk Score Details**: Access Reviews now show detailed risk score information, including the contributing risks behind user and resource risk scores, in the Row Details > Risks panel.
  * Reviewers can use the Row Details > Risks panel to understand the contributing risks for the source and destination entities in each row, such as the user risk score, or the role or resource risk score. These contributing risks are based on the risk detection queries configured in Access Intelligence.
  * The "Use Access Intelligence" option must be enabled on the Review Configuration.
  * Users will need the appropriate role to view detailed risk descriptions and actual risk query results.
* **FR-2656, EAC-43336 Consolidated Reports**: Administrators can now generate complete reports across multiple access reviews in a single PDF file, consolidating multiple reviews into one report.
  * Users can select reviews using filters including labels, date range, and review status, with support for up to 20 reviews per report.
  * Reports include aggregated statistics (approval/rejection rates, completion percentages, Review Intelligence auto-decision metrics) and full metadata for each review (status, timelines, reviewers, approval levels).
  * Each report combines high-level metrics with detailed row-level data and clear sectioning between reviews, streamlining audit preparation and compliance monitoring for enterprise customers.
* **FR-2004, EAC-43548 Labels for Access Reviews**: Reviews and Review Configurations now support labels for improved organization and management of access reviews.
  * Administrators can centrally create and manage labels in Access Review Settings. Administrators can also create new labels inline whilst creating or editing Review Configurations and Reviews.
  * Operators and administrators can apply labels to both Review Configurations and Reviews during creation. They can also filter lists of Reviews and Review Configurations by label on the list pages, and add or remove labels from Reviews and Review Configurations as needed.
  * The Reviews and Review Configuration overview pages now use a unified design with consolidated filters and simplified navigation, replacing separate tabs with integrated status- and label-based filtering.

#### Enhancements

* **FR-3650, EAC-48027 Individual Review Notifications**: Improved privacy for Access Review notifications by placing reviewers on the BCC line instead of the To/CC lines.
  * Each reviewer now receives an email where they cannot see the full list of other recipients, while maintaining efficient email delivery with one message per review.
  * Platform Events now provide granular tracking with individual notification events for each reviewer.

#### Bug Fixes

* **EAC-48750 Self-Review Prevention**: Fixed an issue where reviewers were able to review their own access rows when SELF\_REVIEWER\_CHECKING\_ENABLED was configured.
* **EAC-48331 Digest Notification Event Tracking**: Fixed an issue where digest notification emails sent as part of Access Reviews were not being captured in Veza Events.
* **EAC-48838 Pagination Controls for Access Reviewers**: Fixed an issue where users with the access reviewer role could not see pagination controls at the bottom of review windows, preventing them from accessing additional pages of review items beyond the first page displayed.
* **EAC-48790 Multi-Level Approval for Draft Certifications**: Fixed an issue where draft certifications with multi-level approval were not correctly advancing from first-level to second-level review. Draft certifications now properly persist first-level decisions and automatically advance to the second level when all rows are reviewed, following the same approval sequence as published certifications.
* **EAC-48586 Access Review Performance**: Improved database performance when deleting large Access Reviews. This fixes timeout issues that could occur when deleting reviews with extensive annotation data.
* **EAC-48433 Fix "sorting type and rootconditions: duplicate key"**: Fixed an issue in graph processing causing 500 errors when node list requests contained duplicate keys in sorting conditions. This fix prevents AWF endpoints from failing when using labels as input.

### Lifecycle Management

#### Enhancements

* **FR-3690, EAC-48046 Workflow Cloning**: When editing a Lifecycle Management Policy, you can now clone existing workflows to quickly create new provisioning or deprovisioning workflows by copying an existing branch of trigger conditions and actions.
* **EAC-48517 Conditional Transformers**: Added support for preview-based conditional logic using *sys\_attr\_\_would\_be\_value* and *sys\_attr\_\_would\_be\_value\_len* attributes.
  * These can be used to create intelligent attribute transformations based on what the final value would be, such as conditionally adding ".com" to email addresses only when needed, or adjusting name formats based on character length limits. For example: `IF sys_attr__would_be_value co ".com" {email | LOWER} ELSE {email | LOWER}.com`
* **FR-3577, EAC-47391 Workflow Date Formatters**: Enhanced date formatting and transformation capabilities for workflow trigger execution dates and attribute mapping.
  * Workflows can now reference date attributes from secondary integration sources when configuring trigger details (execution timing), apply format transformations (including LDAP Z-time format like "20240101100000Z"), and perform date calculations (such as adding days or months for contractor expiration dates).
  * This feature supports dynamic date handling for use cases like setting trigger execution based on secondary SOI termination dates, calculating Active Directory extension attributes with hire date plus 30 days, and enabling provisioning workflows that automatically calculate expiration dates and format dates according to target system requirements.
* **FR-2900, EAC-47739 Dynamic Access Profiles**: The Manage Relationship action in Lifecycle Management workflows now supports dynamic access profile selection using attribute transformers:
  * Administrators can now configure access profile names that automatically resolve based on user attributes during provisioning. For instance, this allows expressions to create dynamic access profile names such as `{department}-profile` or `{location}-{role}-access`.
  * This allows a single workflow to provision users to different access profiles based on their SOI attributes (such as department, location, or role) without requiring separate workflows for each combination.
  * The feature includes validation for empty values, autocomplete support for available attributes, syntax highlighting for complex expressions, and support for multiple dynamic profiles per action.

#### Bug Fixes

* **EAC-48490 Common Transformers**: Fixed an issue where Common Transformers with the same UID could not be used within the same Action. You can now set the unique identifier to "none" in Common Transformers to reset it, allowing the UID to be configured per action instead of being synced across all uses.
* **EAC-48837 Workflow Condition Evaluation**: Fixed workflow conditions not triggering when the entity type of a transformer is not found, resolving cases where workflows would silently fail to execute due to undefined transformer entity types.

### Veza Integrations

#### Enhancements

* **EAC-48031 Open Authorization API**: Open Authorization API (OAA) now supports handling payloads larger than the previous API limit, improving support for organizations with extensive access data in custom applications, identity providers, or HRIS platforms.
* **EAC-48579 Provider Owner Management**: Added the ability to set and manage provider owners directly from the integration management interface for all provider types (such as CSV Upload Integrations).
* **EAC-47917 Salesforce Encrypted Private Keys**: The Salesforce integration now supports using encrypted private keys. You can now specify a password configuration field to provide a password for decryption.
* **EAC-47919 Active Directory**: Added support for LDAP Channel Binding in Active Directory integrations, resolving connection issues for customers with enforced LDAP channel binding in their enterprise environments.
* **EAC-48188 Snowflake Network Policies**: Network policy extraction is now optional and can be disabled if errors are encountered during integration.
* **EAC-48789 Open Authorization API Field Length**: Increased the maximum field length for Open Authorization API (OAA) entity names from 256 to 512 characters to support organizations with longer role names and other entity identifiers.

#### Bug Fixes

* **EAC-48238 Active Directory**: Improved Active Directory integration stability by implementing retry logic when LDAP connection establishment fails. This resolves intermittent "Failed to get connection from host" errors and provisioning task failures caused by transient network connectivity issues.
* **EAC-44350 Azure Intune**: Fixed an issue where device enrollment properties (`EnrollmentType`, `JoinType`, `DeviceEnrollmentType`) were incorrectly mapped to user entities instead of Intune Managed Device entities. These properties now correctly appear on the appropriate device entities.
* **EAC-40161 HiBob**: Fixed an issue where the HiBob integration was displaying numerical values instead of actual job titles for some users. The integration now correctly retrieves JobTitle and Department information from the HumanReadable API section, ensuring accurate employee data display across all users.
* **EAC-48133 Qualys**: Extremely long host ID strings are now automatically truncated to the maximum allowed length of 4096 characters, preventing extraction failures when device location strings exceed system limits.

### Veza Platform

#### Enhancements

* **PLT-1654 Platform Page Renaming**: Updated page names in the **Platform** section for improved consistency:
  * The **Veza Events** page is now **Platform Events**. The **Veza Support User Access** page is now **Support User Access**.
  * Authentication configuration descriptions for SSO IdP-managed roles and SCIM provisioning have been updated for clarity.


