Release Notes: 2025-06-26
Changes in Veza release v2025.6.9-1 - v2025.6.23-1
Lifecycle Management
New Features
FR-3671/FR-3645, EAC-48539 Customizable Password Complexity Rules: Added support for password complexity rules within Lifecycle Management policies, so that passwords generated by automated provisioning workflows meet the password policy of the target system. Administrators can now define reusable password complexity rules that enforce password length, required character types (uppercase, lowercase, numbers, special characters), and restricted characters when generating random passwords. These rules are available for selection in the Sync Identities, Deprovision Identity, and Reset Password actions when working with integrations that support complex password requirements.
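The generator below is an added example of how a complexity rule of the kind described above can be enforced when producing random passwords; it is not Veza's implementation, and the PasswordRule fields, the restricted-character list and the generate/validate helpers are assumptions made for the illustration. It draws one character from every required class first so coverage is guaranteed, fills the rest from the union of allowed alphabets, and shuffles with the OS CSPRNG so required characters do not sit at predictable positions.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordRule:
    """Hypothetical rule shape modelled on the criteria in the release note:
    length bounds, required character classes, and characters the target rejects."""
    min_length: int = 16
    max_length: int = 24
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    restricted: str = "\"'`\\<>| "  # constructed list of characters some targets reject

    def alphabets(self) -> List[str]:
        """One alphabet per required class, with restricted characters removed."""
        sets = []
        if self.require_upper:
            sets.append(string.ascii_uppercase)
        if self.require_lower:
            sets.append(string.ascii_lowercase)
        if self.require_digit:
            sets.append(string.digits)
        if self.require_special:
            sets.append(string.punctuation)
        return ["".join(c for c in s if c not in self.restricted) for s in sets]


def validate(password: str, rule: PasswordRule) -> List[str]:
    """Return the names of violated requirements; an empty list means the password passes."""
    problems = []
    if not rule.min_length <= len(password) <= rule.max_length:
        problems.append("length")
    if rule.require_upper and not any(c.isupper() for c in password):
        problems.append("upper")
    if rule.require_lower and not any(c.islower() for c in password):
        problems.append("lower")
    if rule.require_digit and not any(c.isdigit() for c in password):
        problems.append("digit")
    if rule.require_special and not any(c in string.punctuation for c in password):
        problems.append("special")
    if any(c in rule.restricted for c in password):
        problems.append("restricted")
    return problems


def generate(rule: PasswordRule, length: Optional[int] = None) -> str:
    """Generate a random password satisfying `rule`, using the OS CSPRNG (secrets)."""
    length = rule.min_length if length is None else length
    alphabets = rule.alphabets()
    if any(not a for a in alphabets):
        raise ValueError("a required character class is empty after removing restricted characters")
    if length < len(alphabets) or not rule.min_length <= length <= rule.max_length:
        raise ValueError("requested length cannot satisfy the rule")
    # One character from each required class guarantees every class is present.
    chars = [secrets.choice(a) for a in alphabets]
    pool = "".join(alphabets)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with a CSPRNG so the guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    rule = PasswordRule()
    pw = generate(rule)
    print(pw, validate(pw, rule))
```

Validating the generated value with the same rule is the check worth keeping in a pipeline: it catches a rule whose restricted list has emptied a required class, which the generator refuses rather than silently producing a weaker password.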
Enhancements
EAC-48048 Enhanced Dry-Run Information: Lifecycle Management Dry Run results now include the workflow name and action responsible for potential changes.
EAC-48159 Policy UX Improvements: Various usability improvements for editing and viewing Lifecycle Management Policies, including an enhanced workflow tab interface with improved navigation, unsaved changes warnings, and clone workflow functionality.
EAC-48435 Nested Transformer Expressions: Transformer expressions now support nesting the results of one function inside another, enabling more complex data transformation workflows. For example:
{secondary.hire_date | ASSUME_TZ, "{location | LOOKUP, \"table_name\", \"loc\", \"tz\"}"}
This uses a location lookup table to determine the appropriate timezone, then applies that timezone to the hire date.
EAC-48773 Veza Action Integration for Notifications: Existing Veza Actions can now be selected when choosing webhook notifications for Lifecycle Management events.
EAC-48864 Action Search Capability: Added search functionality when adding existing actions to Lifecycle Management Policy workflows, making it easier to find and reuse actions in large environments.
EAC-48961 Improved Action Naming: Renamed the "Custom Action" Lifecycle Management action to "Update ServiceNow Table" to more accurately convey the action's specific functionality.
EAC-48346 NEXT_NUMBER in Conditional Transformers: The NEXT_NUMBER transformer can now be used within IF/ELSE conditional transformers, enabling username generation with numbered alternatives and automatic fallback strategies. Workflows can now generate usernames that are progressively truncated, or switch to a different format, when a length constraint would otherwise be exceeded.
For example, with a 20-character username limit and the name "Leonevenkataramanathan Foster" (29 characters):
IF sys_attr__would_be_value_len le 20 {first_name | LOWER}.{last_name | LOWER | NEXT_NUMBER, 2, 3} ELSE {first_name | LOWER | FIRST_N, 18}.{last_name | LOWER | FIRST_N, 1 | NEXT_NUMBER, 2, 3}
This will generate "leonevenkataramana.f" (20 chars) for the base value, with alternatives "leonevenkataramana.f2" and "leonevenkataramana.f3", using first and last name truncation and automatic numbering.
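As an added example (not Veza's transformer engine), the function below reproduces the decision the IF/ELSE expression above makes: use first.last when it fits in the limit, otherwise truncate the first name to 18 characters and the last name to 1, and then emit the numbered alternatives. The `reserve_suffix` option is an assumption added here to show the edge case a practitioner should watch: in the page's example the alternatives are 21 characters, one over the 20-character limit, so a target that enforces the limit strictly needs the truncation to leave room for the widest suffix.

```python
import re
from typing import Iterator, Set, Tuple


def lower_alnum(value: str) -> str:
    """Lower-case and drop anything outside [a-z0-9]; stands in for the LOWER step."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def username_candidates(
    first_name: str,
    last_name: str,
    limit: int = 20,
    first_n: int = 18,
    last_n: int = 1,
    numbers: Tuple[int, ...] = (2, 3),
    reserve_suffix: bool = False,
) -> Iterator[str]:
    """Yield the base username followed by its numbered alternatives.

    Mirrors the IF/ELSE in the release note: full first.last when it fits,
    otherwise truncated first name + '.' + truncated last name. With
    reserve_suffix=True (an addition for this example) the budget is reduced by
    the width of the widest suffix so every alternative also fits the limit.
    """
    first, last = lower_alnum(first_name), lower_alnum(last_name)
    suffix_width = max(len(str(n)) for n in numbers) if reserve_suffix else 0
    budget = limit - suffix_width
    full = f"{first}.{last}"
    if len(full) <= budget:
        base = full
    else:
        base = f"{first[:first_n - suffix_width]}.{last[:last_n]}"
    yield base
    for n in numbers:
        yield f"{base}{n}"


def pick_username(first_name: str, last_name: str, taken: Set[str], **options) -> str:
    """Return the first candidate not already in `taken` (the NEXT_NUMBER fallback)."""
    for candidate in username_candidates(first_name, last_name, **options):
        if candidate not in taken:
            return candidate
    raise LookupError("every candidate username is already taken")


if __name__ == "__main__":
    print(list(username_candidates("Leonevenkataramanathan", "Foster")))
    print(list(username_candidates("Leonevenkataramanathan", "Foster", reserve_suffix=True)))
```

With the defaults the output matches the note ("leonevenkataramana.f", then "leonevenkataramana.f2" and "leonevenkataramana.f3"); with `reserve_suffix=True` the base becomes "leonevenkataraman.f" and all three candidates stay within 20 characters.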
Bug Fixes
EAC-48141 Active Directory Unique Identifier Handling: Fixed an issue where the Active Directory Identity Sync action might incorrectly handle unique identifier attributes like sAMAccountName, userPrincipalName, and distinguishedName.
EAC-49174 Manager Retrieval Fix: Fixed a bug where the Sync Identities action would sometimes fail to retrieve a manager due to case sensitivity issues with distinguished names.
EAC-49236 Attribute Transformer Validation: Fixed a bug where Lifecycle Management policies couldn't be saved due to false validation errors with the NEXT_NUMBER attribute transformer.
Access Requests
Enhancements
EAC-47325 Access Profile Types: Enhanced the Create local user/account only option for Access Profile Types to provide more flexible local account creation without granting specific entitlements. When Create local user/account only is enabled under Limit to a Single Integration, entitlement and inheritance options are now disabled for the Access Profile Type.
Access Reviews
New Features
EAC-45651/EAC-45652 Automatic Access Remediation Validation: A background validation system now automatically verifies if rejected access in an access review has been remediated, periodically checking if access marked as "rejected and signed off" still exists in the current environment. When rejected access is no longer detected in the Access Graph, rows are automatically marked as "Fixed," and the audit entry "Rejected access no longer detected by Veza" is attributed to SYSTEM. Administrators can configure validation behavior through new global and workflow-specific settings, including validation triggers and maximum validation duration (default 30 days).
Non-Human Identity (NHI) Security
New Features
FR-3719, EAC-48795 NHI Security Administrator Role: Added a new NHI Security Administrator role that provides dedicated access to Non-Human Identity (NHI) security features and Access Intelligence functionality. This role enables users to discover, analyze, and govern NHI accounts, keys, and secrets without granting access to Access Requests or Access Reviews features. Administrators can now assign specialized NHI security responsibilities to specific users while maintaining strict separation of duties for access management workflows.
Veza Integrations
New Features
FR-3722, EAC-48541 Integrations Owner Role: Added a new Integrations Owner role for isolated integration management. Users with this role can only see and manage integrations they own, with automatic ownership assignment for creators of new integrations. This allows organizations to delegate integration management (including CSV upload) to distributed teams without granting full administrative access, while ensuring users cannot interfere with each other's integrations. This feature is now available in Early Access.
Enhancements
FR-3685, EAC-48089 Google Cloud Cross-Organization Service Account Impersonation: The Google Cloud integration now discovers and maps service account impersonation relationships across Google Cloud organizations. Veza identifies when Google Workspace users or service accounts in one organization have permission to impersonate service accounts in a different organization, providing visibility into cross-organizational access pathways. This enhancement analyzes IAM policies to detect the iam.serviceAccounts.getAccessToken permission and establishes relationship mappings for both same-organization and cross-organization impersonation scenarios.
EAC-49088 CrowdStrike Risk Score Import/Export: The CrowdStrike integration now supports bidirectional risk score synchronization between Veza and CrowdStrike Falcon Identity Protection. New configuration options allow customers to enable risk score import from CrowdStrike to Veza (applied as the custom tags crowdstrike_risk_score and crowdstrike_risk_score_severity), export of high-risk identities from Veza to CrowdStrike (identities with a Veza Risk Score ≥ 50), or both. Requires CrowdStrike Identity Protection access and Veza API credentials for the target tenant.
FR-3761, EAC-48897 GitHub Secrets Discovery: The GitHub integration now discovers and maps GitHub secrets at both repository and organization levels. Repository-level secrets are directly linked to their respective repositories. Organization-level secrets are mapped to repositories based on their visibility settings (Public, Private/Internal, or Selected repositories). This provides visibility into GitHub secrets management and access patterns for better governance of CI/CD pipelines. Note: Requires read-only permissions for Repository Secrets and Organization Secrets to be added to the GitHub App configuration.
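The Google Cloud impersonation item above describes finding principals whose IAM role on a service account grants iam.serviceAccounts.getAccessToken and classifying each grant as same-organization or cross-organization. The script below is an added example of that analysis over constructed data; it is not Veza's discovery code. The IAM policies are in the standard bindings shape, the role-to-permission table is a hand-built subset (roles/iam.serviceAccountTokenCreator does carry getAccessToken; the custom role is invented), and the project-to-org and domain-to-org maps stand in for the organization lookups the integration would perform. It also walks chains of impersonation, because a same-org grant followed by a cross-org grant is still a cross-org path.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_PERMISSION = "iam.serviceAccounts.getAccessToken"

# Assumed role -> permission table (subset). The predefined TokenCreator role really
# grants getAccessToken; the organization custom role is constructed for this example.
ROLE_PERMISSIONS = {
    "roles/iam.serviceAccountTokenCreator": {TOKEN_PERMISSION, "iam.serviceAccounts.signBlob", "iam.serviceAccounts.signJwt"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "organizations/222/roles/customTokenMinter": {TOKEN_PERMISSION},
}

# Constructed org membership: project -> org for service accounts, Workspace domain -> org for users/groups.
PROJECT_ORG = {"proj-a": "org-111", "proj-b": "org-222"}
DOMAIN_ORG = {"acme.example": "org-111", "partner.example": "org-222"}

# Constructed sample: each service account's IAM policy, keyed by SA email.
SAMPLE_POLICIES = {
    "deploy@proj-a.iam.gserviceaccount.com": {"bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:alice@acme.example"]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@acme.example"]},
    ]},
    "billing-reader@proj-b.iam.gserviceaccount.com": {"bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator", "members": ["serviceAccount:deploy@proj-a.iam.gserviceaccount.com"]},
        {"role": "organizations/222/roles/customTokenMinter", "members": ["user:carol@partner.example"]},
    ]},
}


@dataclass(frozen=True)
class ImpersonationEdge:
    principal: str      # policy member, e.g. "user:alice@acme.example"
    target: str         # service account email that can be impersonated
    principal_org: Optional[str]
    target_org: Optional[str]
    role: str

    @property
    def cross_org(self) -> bool:
        # Unknown principals (allUsers, unmapped domains) are treated as external.
        return self.principal_org != self.target_org


def org_of(member: str) -> Optional[str]:
    """Resolve a policy member to an org id using the constructed maps; None if unknown."""
    kind, _, email = member.partition(":")
    if kind == "serviceAccount" and email.endswith(".iam.gserviceaccount.com"):
        project = email.split("@", 1)[1].split(".", 1)[0]
        return PROJECT_ORG.get(project)
    if kind in ("user", "group") and "@" in email:
        return DOMAIN_ORG.get(email.split("@", 1)[1])
    return None  # allUsers, allAuthenticatedUsers, deleted: members, ...


def impersonation_edges(sa_policies: Dict[str, dict]) -> List[ImpersonationEdge]:
    """Return one edge per (member, service account) where the bound role grants getAccessToken."""
    edges = []
    for sa_email, policy in sa_policies.items():
        target_org = org_of("serviceAccount:" + sa_email)
        for binding in policy.get("bindings", []):
            if TOKEN_PERMISSION not in ROLE_PERMISSIONS.get(binding["role"], set()):
                continue
            for member in binding.get("members", []):
                edges.append(ImpersonationEdge(member, sa_email, org_of(member), target_org, binding["role"]))
    return edges


def reachable_targets(principal: str, edges: List[ImpersonationEdge]) -> Dict[str, List[str]]:
    """BFS over edges: every SA the principal can get a token for, directly or by chaining
    through SAs it can already impersonate. Returns target -> path of identities."""
    paths: Dict[str, List[str]] = {}
    frontier = [(principal, [principal])]
    while frontier:
        current, path = frontier.pop(0)
        for e in edges:
            if e.principal == current and e.target not in paths:
                paths[e.target] = path + [e.target]
                frontier.append(("serviceAccount:" + e.target, path + [e.target]))
    return paths


def cross_org_edges(sa_policies: Dict[str, dict] = SAMPLE_POLICIES) -> List[ImpersonationEdge]:
    return [e for e in impersonation_edges(sa_policies) if e.cross_org]


if __name__ == "__main__":
    edges = impersonation_edges(SAMPLE_POLICIES)
    for e in edges:
        print(("CROSS-ORG " if e.cross_org else "same-org  ") + f"{e.principal} -> {e.target} via {e.role}")
    print(reachable_targets("user:alice@acme.example", edges))
```

On the sample data bob is not an edge at all (actAs alone does not mint tokens), carol's custom role is same-org, and the only direct cross-org edge is deploy@proj-a impersonating billing-reader@proj-b; the chain walk shows that alice, who only holds a same-org grant, reaches the org-222 account in two hops.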
EAC-46725 Coupa CCW Candidate Support: The integration now supports the extraction of job candidate information alongside existing contingent worker data. Veza now gathers candidates across all valid candidate statuses (including approved, interviewing, rejected, and onboarding states) and maps them to the HRIS system with an employment type of "CANDIDATE" and an "inactive" status. This enables organizations to include job candidates in Access Lifecycle Management workflows for workforce visibility and governance. This enhancement includes improved error handling for malformed candidate records that could previously cause extraction failures.
EAC-48386 Snowflake Network Policies: Added support for Snowflake network policies, including legacy network policies with direct IP allow/block lists and modern network policies utilizing network rules. The integration now discovers network policies, network rules, network rule references, and relationships between these components. For legacy policies, Veza extracts allowed and blocked IP lists directly. For modern policies, the integration maps the relationships between network policies and network rules through network rule references, capturing both ALLOW and BLOCK actions.
EAC-48385 Snowflake Password Policies: The Snowflake integration now discovers and maps password policies configured within Snowflake environments for visibility into password complexity requirements, aging settings, lockout controls, and password history policies applied to Snowflake user accounts. The integration now shows all password policy properties including minimum/maximum length, character type requirements (uppercase, lowercase, numeric, special), password expiration rules, retry limits, and lockout durations. Note: Password policy extraction requires the MONITOR ON ACCOUNT privilege on the Snowflake account.
Bug Fixes
EAC-48350 HiBob User Status Reporting: Fixed incorrect user status reporting in the HiBob connector, where all users were defaulting to active status regardless of their actual employment state. The connector now retrieves and evaluates the internal.lifecycleStatus field from HiBob to correctly determine employee status, treating only users with "employed" status as active. Note: This requires the Lifecycle permission "View selected employees' Lifecycle sections" to be added to the service user permission group to access the lifecycle status data.
Veza Platform
Enhancements
PLT-1753 Enhanced Role Change Event Details: Role change events in Veza Platform Events now include more detailed information about user role modifications. This provides administrators with improved visibility into role transitions, showing both the previous roles and newly assigned roles for improved security auditing and compliance tracking. Events now display role changes in a clear format, such as "Updated roles for [Team Name] team from [Previous Roles] to [New Roles]" to help administrators understand the scope and impact of role modifications. A single role update operation can affect multiple teams, with each team's changes logged separately.