# Release Notes: 2025-07-23

### Access Intelligence

#### Enhancements

* **EAC-50222 Risks Integrations Preselection**: When navigating to the **Risks** > **Overview** or **All Risks** pages, Veza now automatically detects and preselects Okta, Azure, and Active Directory integrations, provided they are configured and available within the tenant environment.

### Access Reviews

#### Enhancements

* **EAC-35845 Configuration Scheduling Usability**: Added an optional "Schedule set" column to the Review Configurations table for improved visibility and management of scheduled reviews.
* **FR-3718, EAC-48986 Access Review Digest Notifications**: Digest notifications can now display the destination data sources associated with each review. This helps reviewers better understand which applications, databases, or services each review applies to, especially in environments with multiple applications of the same type.
  * A new template placeholder `{{DIGEST_NOTIFICATION_WITH_SUMMARY_TABLE}}` includes application names for each review. Administrators can use **Access Reviews** > **Settings** > **Notifications** to create custom digest notification templates using this placeholder.
  * Each Access Review workflow can now include custom digest summary text (configured via API) to identify a specific name to appear in digest notification summary tables. Existing templates continue to use `{{DIGEST_NOTIFICATION_TABLE}}`.

### Access Lifecycle Management

#### Enhancements

* **EAC-50408 Workflow delay trigger recheck control**: Added a new toggle to control whether workflows recheck their trigger conditions when executing delayed or scheduled actions. The toggle is automatically disabled when no delay is configured and automatically enabled for "mover" scenarios to prevent failed trigger rechecks. This provides better control over workflow execution timing for specific use cases, such as employee location changes.
* **EAC-48291 "Run Once" for non-idempotent actions**: Improved support for non-idempotent actions (actions that should run only once), providing better control over sensitive operations that should not be repeated.
  * All action types now include a `run_once` option that skips the action if it has already been run. This can be enabled for sensitive actions to prevent duplicate account creation, repeated notifications, or other conflicting operations.
  * Actions marked as `run_once` will skip execution if they have already completed successfully for the same identity. Note that failed actions can still be retried.
* **EAC-49601 Sync Identity Selection for Deprovision Actions**: You can now choose which Sync Identity actions to match when configuring Deprovision Identity actions. The chosen Sync Identity actions will determine the targets for de-provisioning, enabling precise selection for policies that can sync multiple entities to the same target application/datasource.
* **EAC-45279 Identity Properties Source**: Identity attributes shown in Dry Run previews and Identity view are now more accurate and up-to-date due to being sourced directly from the Identities metadata store. This also includes Lifecycle Management-specific attributes and value pairs.
* **EAC-48593 Reset Password Action Unique Identifier**: This enhancement improves the Reset Password actions in Lifecycle Management policies, where Action Unique Identifiers are now supported for consistent identity resolution across all action types. Previously, these actions could only use account names to identify target accounts, while Sync and Deprovision Identity actions supported both account names and unique identifiers.
* **FR-3905, EAC-48344 Azure Unique Identifier Support**: Lifecycle Management now supports configurable unique identifier lookup for Azure AD users, enabling alternative user identification methods during lifecycle operations. This addresses scenarios where User Principal Names (UPN) change during employee transitions, allowing organizations to use Employee ID or other stable identifiers for more reliable user matching across provisioning, synchronization, and de-provisioning workflows.
* **EAC-49639 Access Profile Generated Names**: You can now configure name transformers in Access Profile Types to enable automatic name generation for new profiles of that type. Dry Run simulations for Access Profiles using name transformers now show the generated name.
* **EAC-49578 Add "apply\_overrides" to Policy Identity**: You can now apply override value(s) to the individual identity name property in the Identities tab in Lifecycle Management. The override value is supported across the Policy Identity title, Email, Active, Department, and other fields in the UI. This enhancement is executed when performing a Dry Run simulation.

#### Known Issues

* **EAC-50378 HRIS active status conflicts when using both Position Status and Is\_Active fields**: When HRIS CSV imports contain both Position Status and Is\_Active columns, the `is_active` property is overwritten when `employment_status` equals `active` (case insensitive). To prevent this, use only one status field (`is_active` or `employment_status`) to avoid conflicts, or ensure both fields remain synchronized during data import.
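
A pre-import check for the conflict described in EAC-50378, as an added example (not Veza code): it flags CSV rows where the two status columns disagree, so they can be synchronized before upload. The `Employee ID` column, the accepted truthy spellings for `Is_Active`, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Assumption: spellings treated as "active" in the Is_Active column.
TRUTHY = {"true", "1", "yes", "y"}

def find_status_conflicts(csv_text, status_col="Position Status",
                          active_col="Is_Active", id_col="Employee ID"):
    """Return (line, id, status, is_active) for rows whose two status fields disagree."""
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    headers = reader.fieldnames or []
    # With only one status column present there is nothing to conflict.
    if status_col not in headers or active_col not in headers:
        return []
    conflicts = []
    for row in reader:
        status = (row.get(status_col) or "").strip()
        flag = (row.get(active_col) or "").strip()
        # The release note states the comparison with "active" is case insensitive.
        status_says_active = status.lower() == "active"
        flag_says_active = flag.lower() in TRUTHY
        if status_says_active != flag_says_active:
            conflicts.append((reader.line_num, row.get(id_col, ""), status, flag))
    return conflicts

# Constructed sample export; not real HRIS data.
SAMPLE = """\
Employee ID,Name,Position Status,Is_Active
1001,Ana,Active,true
1002,Ben,ACTIVE,false
1003,Cy,Terminated,false
1004,Di,Leave,true
"""

if __name__ == "__main__":
    for line, emp, status, flag in find_status_conflicts(SAMPLE):
        print(f"line {line}: {emp} Position Status={status!r} Is_Active={flag!r}")
```

Rows 1002 and 1004 are reported: in the first, `Is_Active` says inactive while the status is active; in the second, the reverse.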

#### Bug Fixes

* **EAC-50150 AD Password Reset Action - UID dropdown does not show the correct list**: Fixed an issue where the UID dropdown in Active Directory Password Reset actions did not display the correct list of available attributes.

### Non-Human Identity (NHI) Security

#### Enhancements

* **EAC-49752 Salesforce Non-Human Users**: Salesforce Users assigned a built-in API-only Integrations Profile are now marked with the Nonhuman Identity Type. These profiles are named:

  * Salesforce API Only System Integrations
  * Minimum Access - API Only Integrations

  See [Salesforce Help: Give Integration Users API Only Access](https://help.salesforce.com/s/articleView?id=platform.integration_user.htm&type=5) for more details.
* **EAC-49803**: You can now filter the **NHI Security** > **Accounts** view to focus on identities created within a specific date range.

### Veza Platform

#### Enhancements

* **EAC-49994**: Improved API performance when using `include_permissions_summary: true` in query\_spec:nodes requests.

### Veza Integrations

#### New Features

* **EAC-49671 CSV Upload Entity Owners**: CSV Upload now supports setting Entity Owners for custom applications with configurable owner ID columns for Users, Groups, Roles, and Resources. This enables direct import of ownership metadata for improved governance and owner-based access review auto-assignment.

#### Enhancements

* **EAC-49931 CSV Upload**: When assigning entity owners via CSV Upload or API submission, specifying the IdP type is no longer required if a global IdP is enabled.
* **EAC-49866 SharePoint**: Added support for extracting SharePoint Term Store Administrators, enabling better visibility and governance of taxonomy management permissions.
  * Veza now collects and displays Term Store Administrators from your SharePoint tenant during periodic extractions.
  * The SharePoint integration supports both certificate-based and Windows token-based methods, which are required to access the Term Store API. See [SharePoint Online](/4yItIzMvkpAvMVFAamTf/integrations/integrations/sharepoint.md#expanded-functionality) for supported Term Store entities and additional configuration requirements.

#### Bug Fixes

* **EAC-49549 Google Cloud**: Fixed API endpoint to return complete AWS account ID in role ARN for GCP Workload Identity Federation setup.
* **EAC-49943 Active Directory**: Fixed extractions failing due to duplicate objectGUID (ID) conflicts across different domains.
* **EAC-49655 Veza Role Missing Description**: Added extraction of the description field to GetRoleResponse and RoleProperties.
* **EAC-49241 Databricks**: Updated log level from Error to Info to avoid logging unnecessary error messages when all AWS services are selected but the AWS Databricks account ID is missing.
* **EAC-49366 Integration Status not taking into account datasource state**: Fixed an issue where disabled data sources caused partial errors.
* **EAC-50234 SharePoint Audit Log**: Handled the SharePoint audit log error that occurs when the subscription is already enabled.
* **EAC-50447 Oracle DB**: Close unused Oracle DB connections.
* **EAC-49927 Coupa**: Added handling for duplicate Coupa Role permissions.
* **EAC-50082 SAP SuccessFactors**: Removed the `internshipSchool` property from SAP SuccessFactors extraction.

