# Release Notes: 2025-10-15

### Non-Human Identity Security

#### Enhancements

* **EAC-53225 AWS Bedrock Agent to IAM Role relationships**: The AWS integration now captures and displays the relationship between Bedrock Agents and their associated IAM Roles, enabling security teams to audit how Bedrock AI agents access AWS resources and what permissions they inherit from their execution roles.
* **EAC-53272 Improved ServiceNow NHI classification accuracy**: The ServiceNow integration now uses the native `identity_type` field to more accurately distinguish between human users and non-human identities (service accounts, integrations). See [Identity Classification Logic](/4yItIzMvkpAvMVFAamTf/features/nhi/nhi-entities.md#determining-human-vs-non-human-identities).

#### Bug Fixes

* **EAC-51300**: Fixed "Failed to query for NHIs" error on the NHI Security page that could occur for certain integrations.

### Access Reviews

#### Enhancements

* **EAC-52039 Access AI summaries for Access Reviews (Early Access)**: Access Reviews can now be summarized in natural language with Access AI, including a summary of the query and the number of pending, approved, and rejected rows assigned to the current user. See [Access AI Explainability for Access Reviews](/4yItIzMvkpAvMVFAamTf/features/access-reviews/how-to/access-ai-explainability.md).
* **FR-4085, EAC-53430 Complete risk visibility for IdP users**: The Access Review side panel now displays all contributing risks for IdP User risk scores. Previously, the risks tab only showed risks for source, destination, and waypoint nodes, but omitted risks from joined nodes (IdP users). This enhancement ensures that reviewers have complete visibility into all factors contributing to a user's risk score when evaluating access review items.
* **FR-2943, EAC-47118 Decision clearing warnings for reviewer reassignment**: When reassigning Access Review rows to a different reviewer, reviewers now receive a warning that existing approval or rejection decisions will be cleared. The Action Log modal now includes `DECISION_CLEARED` events for visibility into decision ownership transfers.
* **EAC-48308 Persistent filter selections**: Filter selections on the **Configurations** and **Reviews** list views are now preserved in the URL for easier sharing and navigation. When you apply filters and return to these pages, your filter settings are automatically restored, enabling team collaboration through shared links.

#### Bug Fixes

* **EAC-50156**: Fixed an error that could occur when using "All X" entity types as the query source.

### Lifecycle Management

#### New Features

* **FR-4124, EAC-52251 Custom REST API action for provisioning workflows**: Provisioning policy workflows now support a new "Send REST Request" action that enables integration with external systems and custom applications. Administrators can configure custom REST API calls with URL settings, request payloads, response output mapping, and additional options such as timeout settings. This enables policies to trigger actions in third-party systems or custom applications during user provisioning, deprovisioning, or attribute update operations.
* **FR-4234, EAC-52245 MySQL Database Lifecycle Management Support**: Veza now supports Lifecycle Management actions for standalone MySQL databases, enabling automated user provisioning, role assignment, and account deprovisioning. Supported operations include:
  * Creating MySQL users with username and host attributes as unique identifiers
  * Assigning and removing MySQL role memberships using GRANT/REVOKE operations
  * Disabling MySQL users using ACCOUNT LOCK to prevent login while preserving user data and permissions
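
The MySQL statements these operations correspond to, with checks an auditor can run afterwards, as an added illustration (not Veza's own code; the exact statements Veza issues are not shown on this page). The account `'jdoe'@'10.0.%'`, role `app_readonly`, schema `appdb`, and the password placeholder are constructed, and MySQL 8.0 or later is assumed for role support.

```sql
-- Constructed example values: 'jdoe'@'10.0.%', app_readonly, appdb.

-- Create: MySQL identifies an account by the (user, host) pair, so
-- 'jdoe'@'10.0.%' and 'jdoe'@'localhost' are two separate accounts.
CREATE USER 'jdoe'@'10.0.%' IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET';

-- A role carrying only the privileges the account needs.
CREATE ROLE IF NOT EXISTS 'app_readonly';
GRANT SELECT ON appdb.* TO 'app_readonly';

-- Assign role membership. A granted role is not active in new sessions
-- unless it is also made a default role (or activate_all_roles_on_login is ON).
GRANT 'app_readonly' TO 'jdoe'@'10.0.%';
SET DEFAULT ROLE 'app_readonly' TO 'jdoe'@'10.0.%';

-- Remove role membership.
REVOKE 'app_readonly' FROM 'jdoe'@'10.0.%';

-- Disable: blocks new logins, keeps the account row and its grants.
ALTER USER 'jdoe'@'10.0.%' ACCOUNT LOCK;

-- Verification 1: the lock flag is 'Y' for every host variant of the user.
SELECT user, host, account_locked
FROM mysql.user
WHERE user = 'jdoe';

-- Verification 2: no role edges remain after the REVOKE.
SELECT from_user, from_host, to_user, to_host
FROM mysql.role_edges
WHERE to_user = 'jdoe';

-- Verification 3: privileges still attached to the locked account,
-- which become effective again on ACCOUNT UNLOCK.
SHOW GRANTS FOR 'jdoe'@'10.0.%';

-- Verification 4: ACCOUNT LOCK does not end sessions that are already
-- connected; look for them here and KILL <id> where required.
SHOW PROCESSLIST;
```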

#### Enhancements

* **FR-4173, EAC-52255 Dynamic SCIM extension attribute support**: SCIM-based integrations now support custom extension attributes dynamically without requiring code changes. The system automatically fetches SCIM schemas from the target server at runtime and creates the appropriate graph properties, enabling lifecycle management operations (provisioning, deprovisioning, attribute updates) on custom user attributes. This eliminates the previous limitation where only hardcoded enterprise extensions were supported.
* **FR-4138, EAC-52990 Improved policy workflow editor**: The Policy editor now supports drag-and-drop reordering of actions across different conditional branches, making it easier to reorganize complex policy logic without recreating actions. This change supports both sibling-level reordering (within the same condition) and hierarchical moves (between different conditions).
* **FR-4101, EAC-52240 Custom Email Templates**: Lifecycle management workflows now support custom email templates for notifications. Administrators can choose between event-based *Notification Templates* (existing default behavior) and *Custom Email Templates* when configuring workflow notifications. This provides the choice of custom email templates at the policy event notification level or in Send Notification workflow actions. Note that selection is exclusive between event-based and custom email template types. See [Custom Email Templates](/4yItIzMvkpAvMVFAamTf/features/lifecycle-management/policies-workflows/lifecycle-management-notification-templates.md#custom-email-templates).
* **FR-4423, EAC-52476 Active identity source prioritization (Early Access)**: When both primary and secondary sources exist for a policy, the **Identities** table now supports showing attributes from the active identity source.
  * Active status is determined by the `is_active` field from each source system (typically representing employment or account status).
  * Previously, Veza always displayed primary source attributes regardless of active status. Now, if the primary source is inactive but the secondary source is active, Veza shows the secondary source attributes.
  * For example, when an employee terminates but continues as a contractor, the table shows the contractor system attributes reflecting their current active status.

### Access Visibility

#### Enhancements

* **FR-2856, EAC-48907 In-table filtering and sorting for Query Builder results**: Query Builder results now support in-table filtering and sorting directly from column headers. Supported filter columns include Name, Label, Integration Type, Risk Level, Risk Assignee, and Owner. Results are cached to improve performance; click the data freshness indicator to refresh cached data when needed. See [Filtering and sorting results](/4yItIzMvkpAvMVFAamTf/features/search/query-builder.md#filtering-and-sorting-results).
* **FR-4304, EAC-53299 Improved Direction Options labels**: Improved the clarity of *Direction Options* labels in Query Builder and Access Graph to make them more intuitive and context-aware. The updated terminology is now:
  * "Incoming" → "Incoming to \[node type]" (e.g., "Incoming to AWS IAM Role")
  * "Outgoing" → "Outgoing from \[node type]" (e.g., "Outgoing from AWS IAM Role")
  * "Any Direction" → "Default Direction"

#### Bug Fixes

* **EAC-48817**: Fixed an issue where reviews could ignore relationships whose entity type was related to the search entity type.
* **EAC-53221**: Fixed an issue where queries with very large numbers of columns could show *Failed to fetch query results* errors.
* **EAC-53435**: Fixed a case where *Explain Effective Permissions* from Graph view could get stuck while loading.

### Veza Integrations

#### Bug Fixes

* **EAC-49192 AWS**: Updated pagination and retry logic during extraction.
* **EAC-53170 AWS**: Fixed an issue where the "Enable Audit Logs" button in AWS integrations was unresponsive.
* **EAC-51607 Veza**: Fixed duplicate path display when mapping Veza local users to teams via role bindings and auth groups.
* **EAC-53039 Azure Custom Mappings**: Fixed OAA destination matcher for multiple destinations.


