# Release Notes: 2026-01-07

### Access Security

#### Enhancements

* **FR-4043, FR-4658 Dashboard Remediation Actions**: You can now initiate remediation actions for individual queries or entire Dashboards directly from the Dashboard interface using the **Remediate** button. Four remediation channels are available:

  * **Email**: Select recipients, customize the email subject, and add optional notes for context. Recipients receive an email that includes a direct link to the query or dashboard in Veza.
  * **Jira**: Select one or more Jira Veza Actions, optionally assign a team member, and add contextual notes. Tickets are automatically created in Jira based on the action configurations, each including a direct link back to the corresponding query or dashboard.
  * **ServiceNow**: Choose from configured ServiceNow Veza Actions and add optional notes. Tickets are created in ServiceNow with a direct link to the query or dashboard.
  * **Slack**: Select one or more Slack Veza Actions and add optional notes for context. Messages are posted to configured Slack channels with links to view the findings.

  <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>Remediation is only available for dashboards and queries that contain findings with a risk level other than "None." Veza detects available notification channels based on your configured Veza Actions.</p></div>
* **FR-4903 Formatted Alert Email Templates**: Alert and event email notifications now use formatted HTML templates by default instead of a raw JSON payload. The new email format includes structured presentation of alert details (severity, category, event type), timestamps, data values, and direct links to alert details and related queries.
* **FR-4839 Role Engineering: Targeted User Persona Analysis**: API requests can now provide one or more unique user identifiers as input when analyzing user personas (instead of analyzing all possible attribute combinations across the dataset). When specified, Veza will analyze the specific user's attributes and all possible combinations of resources and entitlements appropriate for that user ID.
* **FR-4558 Risk Profile Selection in Query Builder**: You can now set the Risk Profile for user-created queries directly from the Query Builder interface when saving a query. Available risk profiles include MFA Health, Privilege Access, Blast Radius, Dormant Access, Orphaned Access, Access Risk, Identity Hygiene, and Informational. Veza automatically enforces compatibility between risk profiles and risk levels (for example, "Informational" can only be assigned to queries with "None" risk level).

### Access Reviews

#### New Features

* **FR-3167 Microsoft Teams Notifications**: Access Reviews now supports Microsoft Teams as a notification channel for reviewer notifications. Reviewers can receive digest notifications and review alerts directly in Teams via Adaptive Cards. Configuration requires a Microsoft Bot Framework app with Azure credentials (bot ID, bot password, tenant ID, app ID).

#### Enhancements

* **FR-4054 Decision Clearing in Action Log**: The Action Log now records when a reviewer clears a decision on an access review item, providing a complete audit trail for decision changes. The log entry captures the previous decision, the original decider, and the reason for clearing (either manual clear by the reviewer or automatic clear due to reviewer reassignment). This enhancement is particularly useful for multi-level reviews where the Level 2 reviewer needs to override the decision made by the Level 1 reviewer. Previously, cleared decisions were attributed to "None" in the Action Log without context.
* **FR-3515 Bulk Actions for Reviews**: Reviewers can now apply operations to multiple reviews simultaneously using the new bulk actions toolbar in the Reviews table. Supported bulk operations include publishing draft reviews, deleting reviews, adding/removing/replacing labels on reviews, and updating due dates.

### Access Visibility

#### Enhancements

* **FR-4483 Entity Type Groupings as Summary Entities**: Query Builder now allows entity type groupings such as User, Group, or Role to be used directly as summary entities when displaying path information for source-to-destination queries.

#### Bug Fixes

* **Custom Property Timestamp Handling**: Fixed an issue where timestamps in custom properties or from OAA integrations might not be treated as timestamps when sorting or filtering. Custom properties with timestamp values are now properly typed and support time-based sorting and filtering operations.
* **Access Graph Export Options**: Fixed an issue where export options could be missing for certain configurations. PDF exports now correctly include intermediate node types, custom properties, and path summary options.
* **Query Builder Query Results**: Fixed an issue where "Failed to fetch query results" could appear when displaying queries already run within the past hour.
* **FR-4643 Query Builder Graph Button**: Fixed an issue which could cause the "Open in Graph" button to be disabled for users with multiple roles including the Dashboard Viewer role.

### Agent Security

#### New Features

* **FR-4748 AI Agents and Models Discovery**: Veza now supports discovery and visibility for AI Agents and AI Models as distinct entity types. This provides insight into non-human identities that interact with AI services across your environment. The new base types include standardized properties for AI Agents (publisher information and platform associations) and AI Models (publisher, model family, and model series). These entity types are implemented across AWS Bedrock, Google Vertex AI, Azure AI Foundry, and Microsoft Copilot Studio integrations.

#### Enhancements

* **Google Vertex AI Integration**: Added support for Google Vertex AI models as a service, enabling visibility into AI model access and permissions within GCP environments. The integration discovers Reasoning Engines (AI Agents) with service account associations, Foundation Models with publisher and version information, Custom Models linked to their base foundation models, and Endpoints with IAM policy tracking.
* **Okta Cross-Application Service Account Discovery**: Enhanced Okta integration to support cross-application service account discovery, creating direct App-to-App edges using the `CAN_ASSUME` relationship type. This improves visibility into non-human identities that access multiple Okta applications.
* **AWS Bedrock Guardrail Policies**: Added support for AWS Bedrock Guardrail Policies, enabling visibility into AI safety controls and their associated permissions. The integration tracks content filter configurations (input/output) by severity level, blocked word policies with word counts, and guardrail-to-agent version relationships.

### Lifecycle Management

#### New Features

* **FR-4080 ServiceNow as Source of Identity**: ServiceNow is now supported as a Source of Identity (SOI) for Lifecycle Management policies. This enables identity synchronization and workflow automation based on ServiceNow user data from the `sys_user` table, including user identity extraction with attributes, group and role memberships, and relationship processing for group memberships and role assignments.

#### Enhancements

* **`TITLE_CASE` and `SENTENCE_CASE` Formatters**: Added two new formatters for attribute transformation in LCM policies:
  * **`TITLE_CASE`**: Capitalizes the first letter of each word and lowercases the rest (e.g. "john doe" becomes "John Doe"). Also handles dot-separated values specially (e.g. "john.doe" becomes "John.Doe").
  * **`SENTENCE_CASE`**: Capitalizes only the first non-whitespace character and lowercases the rest, preserving any leading whitespace (e.g. "the quick brown fox jumps over the lazy dog" becomes "The quick brown fox jumps over the lazy dog").
* **Attribute Type Display in Transformer Testing**: The inline transformer testing modal now shows the attribute type (String, Number, Boolean, or Timestamp) for each attribute being transformed. For timestamp fields, a tooltip provides format guidance (ISO8601 or RFC3339).
* **EAC-56098 Policy Publish No Longer Triggers Extraction**: Publishing or updating Lifecycle Management policies no longer automatically triggers a data source extraction. Administrators can manually trigger extractions from the Integrations page when needed, providing greater control over extraction timing.

### Integrations

#### New Features

* **FR-3363 DevRev**: New integration for discovery of DevRev authorization data including users with profile information and SAML identities, groups/teams with membership associations, roles with permission assignments and conditional access (caveats), and field-level permissions with read/write tracking.
* **FR-3805 Grafana**: Veza now supports Grafana for visibility into platform authorization. The integration discovers:
  * **Users**: Including login credentials, authentication methods, and provisioning status
  * **Teams**: With membership associations and external sync status
  * **Service Accounts**: Non-human identities with associated token counts
  * **Roles**: RBAC roles with permission associations (auto-detects if RBAC is enabled)
  * **Permissions**: Action-based and scoped permissions for granular access control

#### Enhancements

* **FR-4492 Snowflake MFA**: Improved coverage of MFA methods for Snowflake, expanding beyond Duo Security to include all Snowflake-supported MFA providers:

  * **Duo Security Enabled** (`duo_security_enabled`): A new attribute indicating whether Duo Security specifically is enabled for a user, sourced from Snowflake's `EXT_AUTHN_DUO` column
  * **MFA Enabled** (`mfa_enabled`): Now uses Snowflake's `HAS_MFA` flag to detect any MFA provider, including Duo Security, Azure and other methods

  This provides visibility into users with MFA enabled through providers other than Duo. For older Snowflake versions without `HAS_MFA` support, Veza falls back to using Duo status as the MFA indicator.
* **UKG Pro Time Zone Configuration**: Added optional time zone configuration for employee date fields using IANA format (e.g., `America/Los_Angeles`). This enables more precise handling of termination dates and hire dates across different time zones. When configured, date strings from UKG Pro reports are parsed in the specified time zone rather than UTC.
* **FR-3693 GitLab**: Enhanced integration with support for service accounts, access tokens, hierarchical resources, and SAML SSO visibility. GitLab users are now automatically correlated with identities from connected Identity Providers using email addresses.
* **FR-4637 Workday Datasource Selection**: When configuring the integration, you can now choose which datasources to discover and extract from Workday: Worker data, IAM data, or both. This provides flexibility for organizations that only need specific Workday data:
  * **Worker**: Employee records, custom properties, organizational data
  * **IAM**: Accounts, security groups, policies, roles, organizations

  When the services list is empty or not configured, all datasource types are enabled by default.
* **FR-4556 OracleDB User Date Attributes**: Added support for tracking password and login activity for OracleDB Local Users and Common Users:
  * **Password Change Date** (`password_change_date`): Available in Oracle 19c+, indicates when the user last changed their password (only populated when authentication type is PASSWORD)
  * **Password Expiration Date** (`expires_at`): Profile-based password expiration timestamp
  * **Last Login Date** (`last_used_at`): Tracks when the user last logged in, updated via volatile extraction for frequent refresh
* **FR-3939 AWS ECR Permission**: Added `ecr:PutAccountSetting` permission to the ECR permission set supported by the integration. This permission enables IAM principals to modify ECR account settings that control registry-level behaviors including scanning configuration, image tag mutability defaults, and registry replication settings.
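
The Snowflake MFA item above (FR-4492) describes two derived attributes and a fallback for older Snowflake versions. The sketch below is an added example, not Veza's code: it derives `mfa_enabled` and `duo_security_enabled` from constructed user rows and groups users by result. The row shape, the helper names and the handling of string booleans are assumptions.

```python
# Added illustration, not Veza's code. Rows are constructed samples keyed by
# the Snowflake columns named in the release note.

def as_bool(value):
    # Assumption: values may arrive as booleans or as "true"/"false" strings.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"

def derive_mfa_attributes(row):
    """Return the two derived attributes for one user row."""
    duo = as_bool(row.get("EXT_AUTHN_DUO"))
    if "HAS_MFA" in row:
        mfa = as_bool(row["HAS_MFA"])   # any provider, Duo included
    else:
        mfa = duo                       # older Snowflake: Duo status stands in
    return {"mfa_enabled": mfa, "duo_security_enabled": duo}

def classify(rows):
    """Group user names by what the derived attributes say about them."""
    report = {"duo": [], "other_provider": [], "no_mfa": []}
    for row in rows:
        attrs = derive_mfa_attributes(row)
        if attrs["duo_security_enabled"]:
            key = "duo"
        elif attrs["mfa_enabled"]:
            key = "other_provider"
        else:
            key = "no_mfa"
        report[key].append(row["NAME"])
    return report

SAMPLE_ROWS = [  # constructed
    {"NAME": "ALICE", "HAS_MFA": True, "EXT_AUTHN_DUO": True},
    {"NAME": "BOB", "HAS_MFA": True, "EXT_AUTHN_DUO": False},
    {"NAME": "CAROL", "HAS_MFA": False, "EXT_AUTHN_DUO": False},
    {"NAME": "DAVE", "EXT_AUTHN_DUO": "true"},   # legacy row: no HAS_MFA
    {"NAME": "ERIN", "EXT_AUTHN_DUO": "false"},  # legacy row: no HAS_MFA
]

if __name__ == "__main__":
    print(classify(SAMPLE_ROWS))
```

`BOB` is the case the enhancement addresses: a Duo-only check would report him as having no MFA.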

#### Bug Fixes

* **iManage OnPrem**: Fixed an issue where extraction could fail with "Invalid Arguments" error. The fix adds fallback logic for user and group names, and role assignment validation.
* **LDAP**: Fixed an extraction panic caused by a missing map initialization in the LDAP gatherer. The `GroupToAncestorGroups` map is now properly initialized during connector setup.
* **Identity Mapping Property Dropdowns**: Fixed an issue where custom property dropdown entries could conflict with standard property entries in identity mapping configuration. The *Property* dropdown now shows only regular properties, while the *Custom Property* dropdown shows only custom properties (with prefix stripped for display). When naming conflicts exist, the full property name is displayed to distinguish between them.
* **Insight Point Reassignment**: For certain integrations, fixed an issue that prevented changing the assigned Insight Point after initial configuration.

### Veza Platform

#### Enhancements

* **OIDC Claims from Access Tokens (GA)**: Reading OIDC claims from JWT access tokens is now generally available. This enables Veza to extract identity information from access tokens issued by OIDC providers, with configuration options including custom access token issuer validation, custom audience (aud claim) validation, and attribute extraction from access tokens alongside ID tokens and UserInfo endpoint. The system uses a "first value wins" strategy when merging attributes from multiple sources, with email addresses automatically normalized to lowercase.
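
The issuer and audience checks and the "first value wins" merge described above, as an added example that is not Veza's implementation. It assumes token signatures are already verified, that sources are consulted in the order ID token, access token, UserInfo, and that empty values are skipped; all names and sample claims are constructed.

```python
# Added illustration, not Veza's implementation. Token signatures are assumed
# to be verified already; the source precedence below is an assumption.

WANTED = ("email", "groups", "department")

def validate_access_token(claims, expected_issuer, expected_audience):
    """Reject access token claims minted by another issuer or for another API."""
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    # The aud claim may be a single string or a list of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in audiences:
        raise ValueError("unexpected audience")
    return claims

def merge_first_value_wins(sources, wanted=WANTED):
    """Take each attribute from the first source with a non-empty value."""
    merged = {}
    for source in sources:
        for name in wanted:
            value = source.get(name)
            if name not in merged and value not in (None, "", []):
                merged[name] = value
    if isinstance(merged.get("email"), str):
        merged["email"] = merged["email"].lower()
    return merged

def resolve_identity(id_claims, access_claims, userinfo, issuer, audience):
    # Validate before merging so an untrusted token cannot contribute claims.
    validate_access_token(access_claims, issuer, audience)
    return merge_first_value_wins([id_claims, access_claims, userinfo])

# Constructed sample claims (not real tokens).
ISSUER = "https://idp.example.test/oauth2/custom"
AUDIENCE = "api://veza-example"
ID_CLAIMS = {"sub": "00u1", "email": "Alice@Example.COM"}
ACCESS_CLAIMS = {"iss": ISSUER, "aud": [AUDIENCE], "sub": "00u1",
                 "email": "alice.alt@example.test", "groups": ["sec-admins"],
                 "department": ""}
USERINFO = {"sub": "00u1", "department": "Security", "groups": ["everyone"]}

if __name__ == "__main__":
    print(resolve_identity(ID_CLAIMS, ACCESS_CLAIMS, USERINFO, ISSUER, AUDIENCE))
```

With these samples the email comes from the ID token (lowercased), the groups from the access token, and the department from UserInfo because the access token's value is empty.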

