# Release Notes: 2025-10-02

### Access Security

#### Enhancements

* **EAC-52599 Risks Actions**: We've expanded the available Veza Actions on the Risks Page. In addition to the existing actions, users can now launch an Access Review and initiate Rule or Alert creation directly from the table row action menu.
* **FR-4260, EAC-52604 Query Management UX**: The saved query management view now has improved sorting and visual indicators. Saved queries are now sorted by creation date (newest first) by default, and feature badge indicators to highlight recently created queries. Additionally, fixed duplicate query handling for shared queries across different teams by improving unique identification in table displays.
* **EAC-52971 Risks Profiles and Top Affected Integrations sections**: We introduced new sections to improve risk visibility. One section displays risks by risk profile, along with their respective counts. The other section highlights the Top 5 Affected Integrations, showing the number of risks per category (Critical, High, Medium, and Low).
* **EAC-52976 Risk Exceptions Modal**: When managing risk exceptions, users now only see the exceptions related to the selected risk, rather than all entities. Exceptions can be added or removed directly within the modal.

### Access Reviews

#### Enhancements

* **FR-3413, EAC-52085 Persistent "Group By" Settings**: Access Review "Group By" preferences are now automatically saved and restored across sessions, and can be customized for all reviewers by an administrator:
  * Reviewers can set their preferred grouping option (e.g., by User, Source, Destination, Risk Level, or Status), and this selection will persist when they return or navigate between reviews.
  * In the reviewer interface, administrators can now use the **Admin** > **Set Columns as Default** option to make the selected columns and grouping option (e.g., by user, by risk level, etc.) default for all reviews using that configuration. Note that available source and destination columns, as well as row grouping options, depend on the query specified in the review configuration.
* **EAC-52830 Access AI Side Panel (Early Access)**: Users can now access AI-driven summary and analysis features without interrupting their primary view, with Access AI explainability for queries and Access Reviews now appearing in a dedicated side panel.

#### Bug Fixes

* **EAC-53019 Entity Owner Auto-Assignment**: Fixed Access Review reviewer assignment to ensure entity owners are automatically included as reviewers for source-only queries involving non-resource entities. Previously, when access reviews were scoped to queries that only examined source entities (without destination resources), the system would not consider entity owners for automatic reviewer assignment, potentially missing key stakeholders in the review process.

### Access Visibility

#### Enhancements

* **FR-2856, EAC-52481 Performance Enhancements**: Improved performance when working with cached and paginated result sets in Query Builder.

#### Bug Fixes

* **EAC-52871**: Fixed an issue with Query Builder where missing timestamps could appear as "1754-08-30" in rare cases.

### Lifecycle Management

#### New Features

* **EAC-37258, EAC-52475**: *Secondary Sources of Identity* are now generally available when configuring Policies, enabling administrators to enrich primary identity records with supplementary data from additional systems (such as adding manager information from departmental systems to core HR data).
* **EAC-43805, EAC-52475**: The *Create Access Review* action is now generally available for use in policies, to automatically trigger access reviews during identity lifecycle events, such as role changes or transfers. This is especially useful for "mover" workflows, where a user changes job roles and new access should be reviewed.

#### Enhancements

* **EAC-50856 Access Profiles Usability**: Improved user interface design and user experience across Lifecycle Management Access Profiles pages. These changes focus on modernizing visual presentation and interactions, and providing a more intuitive experience when working with Access Profiles to govern how application entitlements are assigned to employees based on common roles, functions, levels, or locations in the organization.
* **EAC-51853 Attribute Transformer Native Names**: When configuring attribute transformers within a policy or action, Veza now displays the native attribute name from the source system alongside the Veza-normalized name. When a destination attribute has a native name that differs from its normalized name, both names are shown to help users accurately identify and map attributes.
* **FR-4026, EAC-52478 Access Review Creation State Control**: Added the ability to configure the initial state (active or draft) for access reviews triggered by Lifecycle Management workflows.
* **EAC-52856 Common Transformer Cloning**: Added support for cloning existing transformers within Lifecycle Management policies. Admins can now duplicate transformer configurations by selecting any existing transformer from the Common Transformers table and choosing the clone action, which opens the creation modal pre-populated with the selected configuration. This can significantly improve admin efficiency when creating similar attribute transformation rules across multiple workflows.
* **EAC-52857 Workflow Actions Usability**: Reorganized Lifecycle Management workflow actions by relocating the "clone" and "delete" operations from primary action buttons to additional actions menus ("**⋮**").
* **EAC-52245 / FR-4234 MySQL Database Lifecycle Management Support**: Veza now supports provisioning and deprovisioning operations for standalone MySQL databases, enabling automated user provisioning, role assignment, and account deprovisioning directly within MySQL. Supported operations include:
  * **Creating** MySQL users with username and host attributes as unique identifiers
  * **Assigning and removing** MySQL role memberships using GRANT/REVOKE operations
  * **Disabling** MySQL users using ACCOUNT LOCK to prevent login while preserving user data and permissions
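
For reference, the native MySQL statements that correspond to the operations listed above, followed by checks a DBA can run to confirm the resulting state. This is an added example, not Veza's implementation or output; the account `'jdoe'@'10.0.%'`, the role `app_readonly` and the schema `appdb` are constructed, and MySQL 8.0 role support is assumed.

```sql
-- Added illustration: all account, role and schema names are constructed.
-- Assumes MySQL 8.0 (roles, mysql.role_edges).

-- Create: an account is identified by the (user, host) pair, so
-- 'jdoe'@'10.0.%' and 'jdoe'@'localhost' are two separate accounts.
CREATE ROLE IF NOT EXISTS 'app_readonly';
GRANT SELECT ON appdb.* TO 'app_readonly';
CREATE USER IF NOT EXISTS 'jdoe'@'10.0.%' IDENTIFIED BY RANDOM PASSWORD;

-- Assign role membership. A granted role is inactive until it is
-- activated or set as a default role for the account.
GRANT 'app_readonly' TO 'jdoe'@'10.0.%';
SET DEFAULT ROLE 'app_readonly' TO 'jdoe'@'10.0.%';

-- Remove role membership (for example, after a job change).
REVOKE 'app_readonly' FROM 'jdoe'@'10.0.%';

-- Disable: blocks new logins, keeps the account row and its grants.
ALTER USER 'jdoe'@'10.0.%' ACCOUNT LOCK;

-- Verify lock state and remaining role memberships for every host
-- variant of the user, not only the one that was locked.
SELECT u.User,
       u.Host,
       u.account_locked,
       e.FROM_USER AS granted_role
FROM mysql.user AS u
LEFT JOIN mysql.role_edges AS e
       ON e.TO_USER = u.User
      AND e.TO_HOST = u.Host
WHERE u.User = 'jdoe';

-- ACCOUNT LOCK does not end sessions that are already connected.
-- List them so they can be reviewed and closed with KILL <id>.
-- performance_schema.processlist is available in MySQL 8.0.22 and later.
SELECT ID, USER, HOST, DB, TIME
FROM performance_schema.processlist
WHERE USER = 'jdoe';
```

A locked account that still shows a row in the last query retains its session privileges until that connection closes.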

### Non-Human Identity (NHI) Security

#### Enhancements

* **FR-4090, EAC-52021 HashiCorp Vault KV2 Key-Level Discovery**: Enhanced HashiCorp Vault integration with granular key-level discovery for KV2 (Key-Value version 2) secrets engines. Extending existing KV2 support, administrators can now enable key-level extraction to discover individual key-value pairs as separate entities in the Access Graph, rather than treating entire secret paths as single resources.
* **EAC-52827 Okta API Token Graph Layer Organization**: Improved Okta API Token organization in Access Graph visualizations by moving tokens from the general "Access Credentials" category to a dedicated "Access Mechanism" layer. API tokens now appear in their own distinct layer positioned before users in graph hierarchies, providing clearer visual separation and better conceptual organization for Non-Human Identity (NHI) governance.

### Veza Integrations

#### Enhancements

* **EAC-51708 / FR-4150 GCP: Workload Identity Federation Identity Pools**: Veza now supports Google Cloud Workload Identity Federation Identity Pools, enabling visibility into how Azure identities can access GCP resources through federated identity relationships. The Google Cloud integration now discovers and maps Azure AD Enterprise Applications and Azure RBAC Managed Identities to GCP Workload Identity Pools, providing complete visibility into cross-cloud access patterns and helping organizations identify potential security risks from federated identity configurations.
* **FR-4146, EAC-52458 Oracle Database**: Added support for SSL for Oracle Database integrations using an Oracle Wallet file.
* **EAC-52918 Cassandra**: The Cassandra integration now supports an optional configuration to *disable* SSL host verification when connecting to Cassandra clusters over SSL/TLS.
  * This enables connectivity to Cassandra environments where nodes use dynamic IP addresses with shared certificates, such as when certificate Subject Alternative Names (SANs) don't match individual node hostnames.
  * Host verification remains enabled by default to maintain security best practices, but can be disabled when operationally necessary for specific deployment architectures.

#### Bug Fixes

* **EAC-51808 CSV Uploader Case Sensitivity**: Fixed case sensitivity for owner identifiers using CSV Upload.
* **EAC-52576 Workday Integration Stability**: Fixed a panic that occurred during validation from the tunnel handler when no custom reports exist.
* **EAC-52929 Beeline**: Improved error handling during Beeline integration configuration when the Beeline API returns rate limit errors during credential validation.

