# Release Notes: 2025-11-26

## Lifecycle Management

### Enhancements

* **EAC-54971**: Lifecycle Management event notifications now support **formatters for email recipients**, for dynamic generation of email addresses based on identity attributes. Administrators can use formatters to create recipient emails derived from identity data (such as a user's manager email, department contact, or other attribute-based recipients), providing more flexible and contextual notification routing.
* **EAC-54278**: Added support for **Azure AD as a source of identity** for Lifecycle Management. Organizations using Azure AD (Microsoft Entra ID) can now configure it as an authoritative identity source, enabling policies to synchronize and manage user identities based on changes in the source of truth.
* **EAC-53281**: Lifecycle Management policies now include the option to **Show Matching Identities**, replacing the previous "View in Query Builder" button. This enables users to view the identities that match a workflow's trigger and condition criteria directly on the Identities list.
* **EAC-52528**: **Improved dry run testing**, allowing administrators to safely preview the actions that would be taken before enabling a policy. You can now perform dry runs against all identities or filter to specific identities based on attribute values. The dry run interface displays detailed results showing which actions would execute for each identity.
* **EAC-54736**: Lifecycle Management workflows now support **custom HTTP headers in the Send REST Payload action**. Administrators can manage custom headers to better integrate with systems that require specific authentication tokens or other header-based configuration.
* **EAC-55008**: The Send REST Payload action now supports **OAuth2 authentication and client login flows**, enabling more flexible integration with external systems that require token-based authentication.
* **EAC-53992**: Added a new **Suspend account action for Okta integrations**. This action allows policies to suspend Okta user accounts without fully deactivating them, providing more granular control over account lifecycle management.
* **EAC-55203**: The Bulk Dry Run feature now includes a **history table with all previous dry run task results**. You can review past dry run executions directly from the results page, making it easier to track testing iterations and compare outcomes across multiple runs.
* **EAC-54890**: Dry run results now display the **full action configuration details for all action types** that would run, replacing the previous view that only showed attributes to be synced. This includes the configuration settings for each action, such as Create Email parameters, Reset Password complexity rules, Send REST Payload endpoints and headers, Manage Relationships mappings, and Create Access Review settings.

### Bug Fixes

* **EAC-54751**: Fixed false positives in out-of-the-box Active Directory queries (including "Active Directory Users that are deactivated but Domain Admins"). The queries now correctly distinguish between actual group membership and ACL-based permissions on groups, eliminating incorrect results where users with permissions to modify a group were reported as group members.
* **EAC-54397**: Fixed an issue where users could not edit empty properties when testing workflows in Dry Run mode. Users can now properly configure and test all identity properties during dry run testing.

## Integrations

### Enhancements

* **EAC-54620**: The **NetSuite** integration now supports configurable display of permission names. When editing a NetSuite integration, you can choose whether system permissions display using human-readable names (the new default) or technical shorthand keys (the previous behavior).
* **EAC-54526**: The **CockroachDB Cloud** integration now supports effective permissions analysis, providing visibility into both direct and inherited access. This enhancement includes support for folder hierarchies, group-to-group relationships, and inheritance-based access calculations across organization, folder, and cluster levels.

### Bug Fixes

* **EAC-54750**: Fixed an issue where Active Directory extended rights permissions displayed as GUID values instead of readable permission names. Extended rights such as `Send To` and `Send As` now display with their proper Active Directory labels.
* **EAC-53510**: Added handling for MySQL database grants with wildcards. Fixed an issue where some MySQL users were not showing correct permissions when wildcard characters were used in database grant statements.
* **EAC-54645**: Fixed SharePoint role assignments derived from site admin permissions. The integration now correctly distinguishes between limited permissions and full write/modify permissions for SharePoint libraries.
* **EAC-54900**: Updated SCIM OAuth2 validation to fetch only a single page instead of retrieving all users, resolving "Operation expired before completion" errors during integration configuration.

## Access Reviews

### New Features

* **EAC-54159**: Introduced new public API endpoints for **exporting Access Reviews programmatically**. The Access Review Export API (`POST /api/preview/awf/exports/access_review:create`) enables automated creation, monitoring, and download of access review results in CSV or XLSX format. This allows organizations to integrate Access Review data into existing reporting and compliance systems, with support for filtering, sorting, and differential exports comparing certification results over time.
* **EAC-54112**: The **Create Certification** endpoint (`POST /api/preview/awf/certifications`) now supports **dynamic user identity filtering**. When creating an Access Review programmatically, you can include specific user identities via the `dynamic_information` parameter to filter the review results to those users. This enables targeted review use cases such as joiner reviews (new employees), mover reviews (role changes), leaver reviews (offboarding), and user-specific audits.

## Access Search

### Enhancements

* **EAC-11654**: Added a new **Bulk Tag Operations** endpoint (`POST /graph/private/tags:bulk`) for **adding and removing tags across multiple entities** in a single atomic operation. This significantly improves efficiency when managing tags at scale, supporting up to 10,000 tag operations per request for bulk onboarding, environment migrations, and enterprise-scale tagging workflows.
* **EAC-10861**: Extended support for **additional characters in Veza tag values**, allowing more flexible tag naming conventions.
* **EAC-52680**: Query Builder now supports intermediate (waypoint) node types, matching the functionality available in Veza Access Reviews. Users can select intermediate node types in their query paths, enabling more sophisticated access path analysis and queries.
* **EAC-53128**: Improved internal property indexing to increase Query Builder performance when sorting results by indexed properties, improving query execution time for large result sets.
* **EAC-53329**: Users can now **filter Saved Queries by owner**, making it easier to locate specific queries in environments with many custom and out-of-the-box queries. The filter supports multi-select and works in combination with other filters (e.g., "Labels", "Integrations", "Risk Level"). An "Owners" column has also been added to the Queries table, and selections persist when exporting queries or navigating between pages.
* **EAC-53398**: Improved **visual identification for AWS Bedrock entities** in Access Graph, with primary icons now distinguishing the entity type (Foundation Models, Knowledge Bases), while secondary badge icons identify the AI provider (such as Anthropic, Amazon, DeepSeek, Mistral AI, Meta, or OpenAI).
* **EAC-34351/FR-1802**: **Explain Assumed Roles for AWS** is now generally available. This feature, previously in early access, helps users understand complex AWS IAM role assumption chains by visualizing and explaining the path from one role to another through trust relationships and permissions.

### Bug Fixes

* **EAC-54960**: Fixed an issue that could cause asynchronous query services to return 503 errors when processing certain data structures.
* **EAC-54672**: Fixed an issue where team policies that restrict users from viewing a limited set of providers would incorrectly generate `INVALID_ARGUMENTS` errors when querying entities in Query Builder.


