# Release Notes: 2025-08-20

### Access Search

* **EAC-51232 Access AI Integration in Query Builder (Early Access)**: Added natural language search capabilities in Query Builder, enabling queries that are automatically converted to structured search conditions from user input. Access AI for Query Builder leverages the existing engine for Graph Search to make complex queries more intuitive and accessible.

#### Bug Fixes

* **EAC-43874**: Fixed an issue where the text "undefined" could appear instead of "All Elements In" in Query Builder.
* **EAC-51305**: Fixed a rare issue where lengthy asynchronous queries could fail due to an internal error.

### Access Reviews

#### Enhancements

* **FR-3816, EAC-50881 One Click Risk Score Details**: We've streamlined how reviewers get visibility into risk score details during access reviews. When you click on either source or destination scores, the Reviewer Interface now shows all contributing queries, reducing the extra clicks needed to understand how multiple risk factors contribute to individual risk scores.

#### Bug Fixes

* **EAC-49831**: Fixed an issue where metadata fields (Decision By, Decision At, Updated By) that were displayed in Access Reviews were not automatically selected for inclusion when exporting the review in the CSV or PDF formats. These fields are now correctly included as pre-selected fields for export when they are visible in the Reviewer Interface, improving behavioral consistency with other displayed fields.
* **EAC-46699**: Queries involving Azure AD Users accessing Azure Storage Accounts with summary entities now show both Role and System Permissions metadata in System query mode.
* **EAC-51295**: Fixed an issue where Salesforce access reviews using source or destination grouping would hang indefinitely and never complete.

### Access Requests

#### Enhancements

* **FR-3559, EAC-48464 Skip Approval Steps for Inactive Approvers**: Access Request policies can now automatically skip approval steps when all assigned approvers at a particular step are inactive users. This feature is configurable per approval step (via API only at present) using the new `skip_inactive_approvers` setting.

### Lifecycle Management

#### Enhancements

* **EAC-51021 NEXT\_NUMBER Max Length**: The NEXT\_NUMBER transformer now supports an optional maximum length parameter to simplify complex username generation workflows. When it is set, the transformer evaluates the combined string (such as `{first_name}_{last_name}`) and truncates it to the specified character limit before appending numerical suffixes.
* **EAC-51022 APPEND and PREPEND Attribute Transformers**: Added new APPEND and PREPEND attribute transformers. These transformers enable string concatenation by appending text to the end or prepending text to the beginning of attribute values during identity provisioning workflows. For example:
  * `{first_name | APPEND, "." | APPEND, "{last_name}"}@company.com` results in `john.smith@company.com`
  * `{location | PREPEND, "CORP_"}` results in `CORP_NYC`
  * `{first_name | APPEND, "." | APPEND, "{last_name}" | LOWER | NEXT_NUMBER, 9, 2, 9}@append.com` results in `tom.jones@append.com` (base user account), `tom.jone9@append.com`, `tom.jon10@append.com` (for conflicting account names)
* **EAC-51338 Workflow Priority Configuration**: Lifecycle Management policies now support configurable priority settings for workflows. Administrators can set workflow task priority levels (Unset, Low, Normal, Medium, High, Critical) to control the execution order of workflow tasks when multiple workflows are triggered. Priority will be UNSET for new and existing workflows (shown as "Not Set" in the UI).
* **EAC-51700 Native Property Mapping**: Added `native_name` to the `DefinitionSyncAttribute` definition returned for integrations that support Lifecycle Management. This field shows the native property name in the source system (e.g., "mail" for Active Directory) alongside Veza's normalized attribute names, helping administrators understand attribute mappings for configured Lifecycle Management integrations.
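
The truncate-then-suffix behavior described for NEXT\_NUMBER above, as an added Python illustration (not Veza's code). It assumes the three arguments in `NEXT_NUMBER, 9, 2, 9` mean starting number, number of alternatives, and maximum length; that reading is inferred from the example output on this page, which does not define them, and the function names are hypothetical.

```python
# Added illustration; not Veza's implementation. Parameter meanings are
# inferred from the example output on this page and are assumptions.

def next_number_candidates(base, start, count, max_len=None):
    """Return candidate names: the bare base first, then numbered alternatives.

    When max_len is set, the base is truncated so that base + suffix
    never exceeds max_len characters.
    """
    if count < 0 or start < 0:
        raise ValueError("start and count must be non-negative")
    candidates = [base if max_len is None else base[:max_len]]
    for n in range(start, start + count):
        suffix = str(n)
        if max_len is None:
            candidates.append(base + suffix)
            continue
        room = max_len - len(suffix)
        if room < 1:
            # Refuse to emit a name that is only digits or over the limit.
            raise ValueError(
                f"max_len {max_len} leaves no room for the base before suffix {suffix}"
            )
        candidates.append(base[:room] + suffix)
    return candidates


def pick_username(base, taken, start, count, max_len=None):
    """Pick the first candidate not already in use (case-insensitive)."""
    in_use = {name.lower() for name in taken}
    for candidate in next_number_candidates(base, start, count, max_len):
        if candidate.lower() not in in_use:
            return candidate
    return None  # every candidate conflicts; the caller must handle this


if __name__ == "__main__":
    # Constructed sample data matching the example on this page.
    existing = {"tom.jones", "tom.jone9"}
    print(next_number_candidates("tom.jones", 9, 2, 9))
    print(pick_username("tom.jones", existing, 9, 2, 9))
```

Because truncation can map two different people to the same base string, the conflict check has to run on the truncated candidate, not on the untruncated name.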

### Veza Integrations

#### New Features

* **FR-2597, EAC-50911 AWS Systems Manager Parameter Store Support**: Added support for AWS Systems Manager Parameter Store to help meet PCI 4.0 compliance requirements for sensitive assets like long-lived tokens and access credentials.
  * The AWS integration now extracts parameters including their types (SecureString parameters indicate secrets), parses IAM permissions to these parameters, and links parameters to their respective KMS keys for encryption visibility.
  * Systems Manager extraction requires additional policy permissions `ssm:DescribeParameters` and `ssm:ListTagsForResource` for the AWS integration.
* **EAC-50603 Missing AWS IAM OIDC Identity providers in Veza**: Added support for extracting OIDC Identity Providers from AWS IAM in addition to existing SAML providers. Organizations using OpenID Connect for AWS identity federation can now have complete identity provider visibility in Veza.
* **FR-3886 Authentication Group Role Mapping**: The Veza integration now provides visibility into how external authentication groups (in your SAML or OIDC identity provider used for single sign-on) map to Veza roles and team assignments.
  * The Veza integration now supports new entity types *Veza Auth Group* and *Veza Role Mapping*.
  * User Access Reviews can include these entities for visibility into which external authentication groups grant users their Veza roles, making it easier to validate the full authorization chain from external identity providers to Veza teams and roles.

#### Bug Fixes

* **EAC-51614**: Fixed an issue where Query Builder would show `OAA entity type is not supported` errors when looking up users from CSV Uploader integrations.
* **EAC-50954 Bitbucket Cloud**: Fixed a credentials conflict that prevented using Bitbucket alongside Jira and Confluence simultaneously.
* **EAC-50223 PingOne**: Upgraded PingOne SDK to V2 version to resolve user extraction issues.
* **EAC-50435 Azure AD**: Improved retry-after duration display in log lines for Azure AD integrations.
* **EAC-51172 Blackline**: Fixed an issue where user roles were not correctly updated for Blackline integrations; identical roleIds are now distinguished based on product.

### Veza Platform

#### New Features

* **PLT-2173**: Added event notifications for when data planes enter a degraded state.
* **PLT-2342, PLT-2208**: Added support for webhooks and ServiceNow as configurable destinations for alert subscriptions on Veza platform events.

