# Release Notes: 2025-07-09

### Access Monitoring

#### Enhancements

* **FR-3782, EAC-46868 Query Builder Last Activity Time Filtering**: You can now filter Query Builder results by last activity timestamps when Access Monitoring is enabled for AWS, Snowflake, Google Cloud BigQuery, SharePoint, and Okta. Filters now support using absolute timestamps or relative ranges like "activity within the last 30 days" to identify dormant access and over-provisioned permissions. Note that "Show destination entities" must be enabled to show destination-related activity filters.

### Access Intelligence

#### Enhancements

* **EAC-47293 Dashboard Use Cases**: You can now access organized collections of pre-built dashboards grouped by security scenarios like MFA analysis, NHI monitoring, ISPM, and cloud security frameworks. This Early Access feature is now generally available to help you quickly explore relevant dashboard collections based on your needs.

### Lifecycle Management

#### New Features

* **EAC-49652 Create RANDOM\_INTEGER transformer**: You can now create a `RANDOM_INTEGER` transformer that generates random integer values within a specified range (minimum and maximum values). This transformer is useful for creating unique identifiers, test data, or randomized values in lifecycle workflows.

#### Enhancements

* **EAC-48434 Improved UX for Sync Identities Write-back Mode**: The write-back mode for the Sync Identities action now activates automatically when selecting a Source of Identity integration as the target for Sync Identities. The interface clearly shows "Writing back to identity source" status and hides unnecessary options for SOI integrations, reducing complexity when configuring bidirectional synchronization workflows.
* **EAC-49737 Continuous Sync Usability - Sync only changed improvements**: Added a tip icon that displays the following text: "Controls how Sync Identities Actions behave on workflows with Continuous Sync enabled. Choose whether to skip syncing when no source changes are detected or to sync after a minimum delay."
* **FR-3664, EAC-48466 Access Profile Type Name Transformers**: Administrators can now configure automatic naming rules for Access Profiles that standardize profile names using organizational data or dynamic values. For example, when creating a new Access Profile Type, you can now configure a profile name formatter derived from attributes of the Active Directory integration when linking to an existing Active Directory Group. When creating a new Access Profile of this previously specified type, the name of the Access Profile can now be automatically derived from attributes on the linked Active Directory Group.
* **EAC-48195 Allow modification of a saved unique identifier value within a target system**: You can now modify the unique identifier value saved in the target system. The value can be used later, for example in the deprovision process.

#### Bug Fixes

* **EAC-46254 The State Initial Start By Admin feature is not working correctly**: Fixed an issue where creating a Profile Type with the State Initial Start By Admin setting displayed a Start option to all users rather than Admin only.
* **EAC-49702 The Access Profile throws an unknown error when starting**: Fixed an issue where a Profile was created successfully but an unknown error was thrown at start time.
* **EAC-49458 Cannot save changes to Common Attribute Transformer**: Fixed an issue where common transformers could not be saved when the LOOKUP Transformer was used in pipeline functions, creation, deletion, and editing functions.
* **EAC-49421 The Publish button is enabled for the Policy even when Workflow changes are not saved properly**: Fixed a behavior where changes made in the Workflow were not reflected in the UI, yet the saved Workflow and Publish buttons were enabled.
* **EAC-49643 The Expiration Time is displayed in seconds when a period is specified**: The UI displayed the Expiration Time (in seconds) even when a period was provided. This text is no longer displayed in the UI.
* **EAC-49323 The Access Profile recreates the Entitlement on the target system during manual synchronization, but not being updated correctly in the UI**: Fixed an issue where an Entitlement displayed in the Access Profile was duplicated, and where deleting it and then performing a manual sync recreated the entitlement and duplicated it on the Access Profile.
* **EAC-46916 Improve validation of LOOKUP transformers**: Fixed issues within the attribute transformer where the LOOKUP table and associated columns are validated during the transfer process.
* **EAC-4927 Encountering error when trying to clone and save a workflow**: Fixed an error that occurred when cloning and saving workflows due to incorrect validation of workflow action name uniqueness.

### Veza Integrations

#### New Features

* **FR-3330, EAC-45558 Salesforce Guest User Profiles and Sites**: The integration now includes support for discovering Guest User Profiles that provide public access to Salesforce Sites and communities. You can now view object-level and field-level permissions for unauthenticated visitors to assess potential data exposure by enabling "Gather Non-Standard Salesforce Users" in integration settings and filtering search results by User Type "Guest".
* **FR-3713, EAC-48244 Azure Secrets Vault Support**: When configuring an Azure integration, you can now use Azure integration credentials (client ID, client secret, certificates) stored in external secret vaults instead of directly in Veza. This option requires a configured Insight Point with vault access and secrets stored in JSON format containing all required Azure authentication fields.

#### Enhancements

* **FR-3395, EAC-46166 OAA Entity Owner Support**: You can now assign entity owners directly in Open Authorization API payloads, eliminating separate API calls after entity creation. Owner assignments integrate with Access Reviews auto-assignment, NHI Security governance, and Query Builder filtering and extend legacy tag-based resource manager assignments.
* **FR-3845, EAC-49247 Complete GCP IAM Role Permissions**: The Google Cloud Platform integration now shows the complete, unfiltered set of GCP IAM role permissions. All permissions for custom and predefined roles across project, organization, and folder levels are now shown in the Veza Graph for privilege analysis and reporting. Previously, Veza applied filtering that may have omitted certain IAM permissions during discovery, potentially limiting visibility into the full scope of access capabilities.
* **FR-2858, EAC-48681 Azure Sensitivity Label Support**: The Azure integration now extracts and displays Microsoft Purview Information Protection sensitivity labels applied to Azure AD groups and SharePoint Online sites, for visibility into data classification policies across Microsoft 365 environments. Veza captures sensitivity label metadata including name, description, color coding, sensitivity level hierarchy, and protection settings (encryption, access controls, watermarks). The feature requires the InformationProtectionPolicy.Read.All Microsoft Graph permission for the Veza Enterprise Application and integrates with existing Azure AD group discovery and SharePoint site extraction.
* **EAC-49729 LDAP**: The generic LDAP integration now supports configurable group object classes and member attributes, enabling compatibility with LDAP implementations beyond the default `groupOfUniqueNames` standard. This enhancement allows integration with Red Hat Identity Manager and other LDAP systems that use different group schemas such as `groupOfNames` with member attributes. The connector also includes improved paging for large LDAP directories to handle extractions more efficiently.
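
The schema difference behind the LDAP item above, as an added example (not Veza connector code): `groupOfUniqueNames` lists members in `uniqueMember`, while `groupOfNames` uses `member`, so an extraction configured for one schema returns no memberships for groups of the other. The directory entries, function names, and parameter names are constructed for illustration.

```python
# Added illustration, not Veza connector code. All entries are constructed sample data.
KNOWN_GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "posixgroup"}

# (dn, attributes) pairs in the shape a parsed LDAP search result would have.
ENTRIES = [
    ("cn=dbas,ou=groups,dc=example,dc=com", {
        "objectClass": ["top", "groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"],
    }),
    ("cn=admins,cn=groups,cn=accounts,dc=example,dc=com", {
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=bob,cn=users,cn=accounts,dc=example,dc=com",
                   "uid=alice,ou=people,dc=example,dc=com"],
    }),
    ("uid=alice,ou=people,dc=example,dc=com", {"objectClass": ["inetOrgPerson"]}),
]

def _attr(attrs, name):
    """Case-insensitive attribute lookup (LDAP attribute names ignore case)."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []

def _classes(attrs):
    return {c.lower() for c in _attr(attrs, "objectClass")}

def extract_memberships(entries, group_object_class="groupOfUniqueNames",
                        member_attribute="uniqueMember"):
    """Map each selected group DN to its member DNs (hypothetical parameters)."""
    wanted = group_object_class.lower()
    return {
        dn: sorted(m.lower() for m in _attr(attrs, member_attribute))
        for dn, attrs in entries if wanted in _classes(attrs)
    }

def unmatched_groups(entries, group_object_class):
    """Group-like entries the configured object class does not select."""
    wanted = group_object_class.lower()
    return [dn for dn, attrs in entries
            if _classes(attrs) & KNOWN_GROUP_CLASSES and wanted not in _classes(attrs)]

if __name__ == "__main__":
    print(extract_memberships(ENTRIES))                            # default schema
    print(extract_memberships(ENTRIES, "groupOfNames", "member"))  # alternate schema
    print(unmatched_groups(ENTRIES, "groupOfUniqueNames"))         # coverage gap
```

Running a check like `unmatched_groups` against a sample of the directory before relying on extraction results shows whether privileged groups sit outside the configured object class.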

