# Release Notes: 2025-09-03

### Access Intelligence

#### Enhancements

* **EAC-48896 Query Explanations with Access AI**: You can now get natural language overviews for saved queries directly from the query details view by clicking the *Access AI* button, making complex queries easier to understand and troubleshoot. This feature requires Access AI to be enabled for your organization.
* **EAC-51393 Monthly Query Export Scheduling**: Scheduled query exports now support monthly scheduling options in addition to existing weekly capabilities. You can now configure query exports to run in specific months of the year and choose between the 1st or 15th day of selected months.

### Access Visibility

#### New Features

* **FR-3155, EAC-49975 Query Builder Path Type Selection**: Added a new "Path Type" selector in Query Builder advanced options. You can now choose between "Permission" paths (following only permission-granting relationships) and "Non-Permission" paths (following organizational or structural relationships) when searching for source and destination entities.
* **EAC-51926 Access Graph Agentic User Visualization**: Added visual indicators including colors and icons for agentic users in Graph search, making it easier to identify and track non-human identities and their access relationships.
* **FR-3155, EAC-50677 Access Graph Path Controls**: Graph search now supports advanced query options matching those available in the Query Builder. You can now specify "Direction Options" (Outgoing, Incoming, or Any Direction) and "Path Type Options" (Permission, Non-Permission, or Any) for Access Graph queries using advanced options.

#### Bug Fixes

* **EAC-51810 Access Graph Navigation Fix**: Fixed an issue where the "Go back" button in Graph search would navigate to unrelated pages when no query history existed. The button now properly clears the query when there's no search history to navigate back to.

### Integrations

#### Supported Non-Human Identities and Secrets

* **FR-4050, EAC-51028 Azure AD/Entra NHI Discovery**: The Azure integration now automatically classifies service principals as non-human identities and discovers their authentication methods. Veza also now captures app registration credentials and OAuth2 access tokens, and tracks credential lifecycle metadata for governance via the NHI Security dashboard.
* **FR-4014, FR-4015, EAC-51029 & EAC-51031 AWS Identity Center**: The AWS integration now discovers certificate-based authentication and OAuth2 access tokens for AWS IAM Identity Center. The integration now maps X.509 certificates, trusted token issuers, and OAuth2 tokens with their associated permission sets.

#### Enhancements

* **FR-4018, EAC-50915 AWS IAM Roles Anywhere**: Added support for AWS IAM Roles Anywhere, an optional AWS service that enables workloads outside of AWS to obtain temporary AWS credentials using X.509 certificate-based authentication instead of long-term access keys.
* **EAC-50603 AWS IAM OIDC Identity Providers**: Added support for discovering OIDC Identity Providers from AWS IAM in addition to existing SAML providers, providing complete identity provider visibility for organizations using OpenID Connect for AWS identity federation.
* **EAC-49835 GitLab SAML Group Sync and Group Links**: The GitLab integration now discovers SAML Group Sync configurations and Group Links, providing visibility into federated identity relationships. The integration maps how IDP groups connect to GitLab role assignments through group memberships, eliminating duplicate role assignments that previously occurred through both user and group mappings.
* **FR-4013, EAC-51027 Okta**: Okta integration configurations now support API token-based authentication. The integration also discovers API tokens and maps them to their associated users for improved visibility into programmatic access.
* **FR-4015, EAC-51030 AWS Certificate Manager Support**: Added support for AWS Certificate Manager to discover and track X.509 certificates used for authentication across AWS services. **Note:** Additional IAM permissions are required (`acm:ListCertificates`, `acm:DescribeCertificate`, `acm:ListTagsForCertificate`).
* **FR-4089, EAC-51603 PingOne**: Added support for PingOne as a destination data source type in Custom Identity Mapping Configurations.
* **FR-4111, EAC-51733 CSV Integration Priority**: CSV uploads through the CSV Integration UI are now automatically prioritized for faster parsing.
* **FR-4115, EAC-51718 Custom IDP Identity Mapping**: Custom Identity Mapping configurations now support Custom Identity Provider data sources as destination types. You can now map identities from providers like Active Directory and Okta to target custom IDP implementations, with support for filtering by IDP type to create different mapping rules for different custom IDP sources.

#### Bug Fixes

* **EAC-51608**: Improved handling of Okta API rate limits (429 status codes) to prevent integration failures when retrieving audit logs.
* **EAC-51778**: Fixed TLS certificate validation issues for Cassandra Database integration.
* **EAC-51197**: Fixed an issue with Identity Mappings involving Custom IDPs that could result in missing connections in Graph.

### Access Reviews

#### Bug Fixes

* **EAC-51615**: Fixed an issue where User Access Review scheduled start dates would unexpectedly change after saving the schedule configuration.

### Lifecycle Management

#### Enhancements

* **EAC-51874 Common Synced Attributes Ordering**: The Policy editor now supports manual ordering of common synced attributes. You can now drag and drop to reorder attributes to determine the priority in which they are applied during identity synchronization.
* **EAC-51970**: The identity details table now displays all available properties, including those with blank or null values. You can now view and override any attribute that exists in the schema but was previously hidden when empty, enabling operations like emergency terminations using overrides for properties like termination\_date.
* **FR-3838, EAC-51180 Workflow Trigger on Change**: Added support for executing workflows only when specific identity properties have changed since the last extraction. You can now select which identity attributes should trigger execution when configuring a workflow in the Policy editor.
* **FR-4154, EAC-51884 SCIM OAuth2 Authentication Support**: Extended the SCIM integration for Lifecycle Management to support OAuth2 authentication alongside bearer token authentication, enabling automated user lifecycle management for OAuth2-protected SCIM endpoints across enterprise applications.

#### Bug Fixes

* **FR-3720, EAC-51183**: Enhanced the Lifecycle Management identity table to dynamically display integration icons based on the active source of identity.
* **EAC-51308**: Fixed a bug where Lifecycle Management dry run operations failed to properly trigger workflows when secondary source of identity attributes were included in conditions.
* **EAC-51493**: Fixed an Okta Lifecycle Management integration bug where sync identity operations failed with "Invalid Search Attribute" errors when updating user attributes like Department and Title with employee\_id as the unique identifier.
* **EAC-51618**: Fixed an issue with Create Access Review actions where the fallback reviewer dropdown only displayed a paginated partial list, preventing users from selecting reviewers beyond the initial results.
* **EAC-51683**: Fixed an Okta Lifecycle Management bug where selecting "Employee ID" as the unique identifier failed with an "Invalid search attribute" error.
* **EAC-51812**: Fixed a dependency ordering issue in Lifecycle Management attribute transformers where $target references failed when action-specific transformers were processed before common transformers that defined the target attributes.
* **EAC-51969**: Fixed a validation error preventing Lifecycle Management Policies from being saved when using $target references with case-sensitive attribute names.
* **EAC-52087**: Fixed an issue where re-uploading existing lookup tables with the same column structure would fail due to incorrect validation logic.


