# Release Notes: 2025-09-17

### **Non-Human Identities**

* **FR-4012, EAC-50905 Okta OAuth Token and Credential Discovery**: Enhanced Non-Human Identity (NHI) detection to support OAuth and credential discovery.
  * The integration now gathers OAuth Application Client Secrets, Refresh Tokens, and Key Credentials for full visibility into machine identities in Okta.
  * Enabling extraction requires a new *Gather credentials* configuration option (disabled by default).
* **EAC-49749, EAC-52298 Key Vault Activity Monitoring:** Enhanced the Azure Key Vault integration with audit logging capabilities to track key and secret access patterns, rotation events, and usage activities.
  * When configured with a Log Analytics workspace (new field `log_analytics_workspace_id` in Azure configuration), Veza now extracts audit trails from Azure's `AzureDiagnostics` table, and displays this activity data in Access Monitoring dashboards.
* **EAC-52352 Salesforce Agentforce and Einstein Bot Discovery**: The Salesforce integration now supports discovery and mapping of AI agents, including bot definitions, the service accounts they operate under, and which users have permissions to access these AI agents through profiles and permission sets.
* **EAC-52684 Okta API Token Relationships**: The Okta integration now represents user-to-token relationships in Access Graph (instead of token-to-user), making it easier to identify API token owner relationships for non-human identity governance.

### **Lifecycle Management**

#### Enhancements

* **FR-3842, SCIM Integration for External OAA Applications**: Veza now supports using external Open Authorization API (OAA) applications as provisioning targets in Lifecycle Management policies and Access Request workflows through SCIM API endpoints. This enhancement enables organizations to extend automated Joiner, Mover, and Leaver workflows to custom applications that implement SCIM standards, significantly expanding the range of systems that can be integrated with Lifecycle Management.
* **FR-3732, EAC-51899 Updated Action Type Icons**: The Lifecycle Management policy builder now features distinct, purpose-built icons for each action type in provisioning workflows. This visual enhancement makes it easier to quickly identify different workflow actions at a glance when designing Joiner, Mover, and Leaver scenarios, including specialized icons for common provisioning tasks.
* **FR-3811, EAC-49102**: Lifecycle Management policies now correctly interpret boolean values in condition transformers used within workflow actions. Previously, boolean strings like "true" and "false" were compared as text, which could lead to unexpected workflow behavior in Joiner, Mover, and Leaver scenarios.

#### Bug Fixes

* **EAC-51971**: Fixed an issue where secondary Source of Identity (SOI) mappings were incorrectly correlating identities across multiple systems in Lifecycle Management policies. The fix ensures that when correlation maps are modified during policy execution, all primary-to-secondary identity relationships are properly updated, and provider IDs are consistently maintained regardless of data extraction order.
* **EAC-52658**: Fixed an issue that prevented password complexity rules from being enforced when provisioning users to Okta through Lifecycle Management policies. Organizations can now successfully apply their password complexity requirements (length, character types, special character restrictions, etc.) when creating new Okta users through Sync Identity actions.
* **EAC-51310**: Fixed an issue where Dry Run operations did not properly trigger workflows that contained expressions using transformers.
* **EAC-51771**: Fixed an issue where scheduled tasks were not appearing in the default Workflow Tasks view.
* **EAC-52350**: Fixed an issue where Sync Identity Actions were unable to reactivate previously deactivated users.

### **Integrations**

#### **Enhancements**

* **FR-4259, EAC-52554, EAC-52537 Azure Subscription Filters**: The Azure integration now supports subscription ID allow and deny lists, enabling control over which Azure subscriptions are included in metadata extraction. This filtering capability applies to both Azure RBAC and Azure Blob Storage services. Using subscription filters is recommended for large Azure environments where limiting the extraction scope improves performance and reduces noise from non-production or third-party managed subscriptions.
* **EAC-510977 Beeline**: The integration now extracts worker/employee data using the Export Worker API (not RaaS). Beeline configurations now require the `site_id`, `client_id`, and `client_secret` for extraction.
* **EAC-52376**: OAA Custom Properties can now contain numbers after the first character. Property names like `level_1` are now supported.

#### **Bug Fixes**

* **EAC-52402 Open Authorization API**: Fixed an issue with OAA Entity Owner Property unpacking by making NodeType validation more flexible for custom IDP users.
* **EAC-51818**: Fixed an issue where searching for integrations could yield no results. Added functionality for searching integrations by `internal_app_name`.
* **EAC-51997 AWS**: Fixed an issue with incorrect IAM permission mappings for KMS Grant operations (CreateGrant, RevokeGrant, RetireGrant).
* **EAC-50509 AWS**: Fixed an issue where IAM Managed Policies were not appearing when no entities (users, groups, or roles) were attached to them.
* **EAC-52393 SAP SuccessFactors**: Removed the `isContingentWorker` and `workLocation` properties from the SuccessFactors API call due to data quality issues.
* **EAC-52010 GitHub**: Removed enterprise-level permission from Organization Roles to improve permission accuracy.

### **Access AI**

#### **Bug Fixes**

* **EAC-52434:** The original natural language query is now shown when re-opening the Access AI search interface, as long as the resulting query parameters are not altered. This makes it easier to review your original expression and make edits without having to re-enter the information manually.

### **Access Reviews**

#### **New Features**

* **FR-3397, EAC-52118, EAC-52119 Veza Slackbot for Access Review Notifications**: Access Review notifications and reminders can now be delivered through Slack in addition to email. You can configure a Slack app integration for review notifications, including review initiation, completion, reviewer changes, due date reminders, and inactivity alerts. Alerts are routed directly to applicable users in Slack and include links to take action in Veza. The Slack integration complements email-based notifications, allowing administrators to choose email-only, Slack-only, or multiple delivery methods.
* **FR-2312, EAC-52013 Predefined Question Sets**: Administrators can now add required questions that reviewers must answer when approving or rejecting access. Predefined question sets help standardize review decision justification and support either multiple-choice or free-form answers.

#### **Bug Fixes**

* **EAC-48817**: Fixed an issue where relationships could be ignored in reviews when the relationship belonged to an entity type related to the search entity type.
* **EAC-45732**: Access Reviews and Quick Reviews pagination now processes on the backend for improved performance when large numbers of reviews are available.

### **Separation of Duties**

#### **Enhancements**

* **EAC-52053**: Segregation of Duty (SoD) query exports now include comprehensive metadata, including report generation timestamp, query details, creation information, risk levels, and assigned SoD managers. Exports also feature new columns for conflicting roles/permissions, exception status, notes, and risk assignees, along with improved XLSX formatting.

### **Platform**

#### **Enhancements**

* **PLT-2258 Default MFA for local accounts**: Multi-factor authentication (MFA) is now enabled by default for all local accounts in new tenants, prompting users to enroll in MFA during their first login for immediate account protection. This change does not affect existing tenants, where an administrator should enable MFA requirements in Sign-In Settings.

### **Product Design and Usability**

#### **Enhancements**

* **EAC-49396 Redesigned Global Navigation (Early Access)**: A new and streamlined navigation experience is now available for preview, featuring a collapsible and optimized main navigation bar for maximized screen real estate.
  * The redesign elevates primary navigation items, introduces universal search across all pages, and reorganizes product areas with contextual sub-navigation.
  * When enabled, administrative functions are relocated to an Account toolbar in the top-right corner, separating operational and configuration tasks.


