# Release Notes: 2026-02-18 ### Access Request #### Bug Fixes * Fixed an issue where access requests would enter an inconsistent state when users attempted to re-request access after their Just-In-Time (JIT) access was revoked. Access requests from JIT-revoked states now properly clear previous approvals, reset the approval workflow, and route the approval process through the correct workflow. Requestors can now cancel access requests after all approvals are complete, but before execution of the access grant (Plan Selected state). ### Access Reviews #### Enhancements * Administrators can configure Slack notifications in *Settings* > *Access Reviews* > *Digest Notification Settings* or *Review Alerts Settings* by selecting Slack App as a delivery method. Templates for Slack notifications can be customized with the same dynamic placeholders as email, buttons that link directly to specific reviews, and due dates with visual cues for overdue or approaching deadlines. #### Bug Fixes * The sign-off counter now updates immediately for instant visual feedback when approving, rejecting, or marking rows as fixed in Access Reviews. * Fixed an issue where enabling or disabling columns in the "Manage Columns" modal during Access Reviews would cause the page to become unresponsive. ### Lifecycle Management #### Enhancements * Lifecycle Management policies now support **Predictive Safety Limits** that block all changes before workflow execution if the system predicts the number of affected identities or workflow runs will exceed configured thresholds. This prevents unintended mass processing of identities when upstream identity or attribute changes at the Source of Identity would trigger undesired execution of workflows. The original Safety Limit feature is now called **Hard Limit** to distinguish between reactive (stops during processing when the hard limit is reached) and predictive (blocks before starting if the limit is predicted to be reached) behaviors. When a predictive limit triggers, changes are not processed, and a warning displays on the **Blocked Tasks** page with options to review, manually approve, or ignore the blocked tasks. Administrators can configure thresholds by specifying a maximum count. Safety limits can now exist at both the policy level and individual workflow level for more granular control. New activity log event types `PREDICTED_SAFETY_LIMIT_EXCEEDED` and `WORKFLOW_PREDICTED_SAFETY_LIMIT_EXCEEDED` correspond with triggered limits. * SCIM integrations now support alternate values for unique identifier attributes during user provisioning. When a username or email address is already in use, Veza automatically attempts alternate values provided by attribute transformers. This can prevent provisioning failures due to identifier conflicts. This applies to all SCIM-enabled applications and requires no configuration changes. #### Bug Fixes * Fixed an issue where deprovisioning an identity that was already in that state (e.g., an Active Directory user already disabled) would incorrectly report failure with no error message. The deprovision action now correctly reports success for idempotent operations where the target system has already reached the target state. Error messages from Active Directory deprovision operations no longer expose Distinguished Name values. ### Access Intelligence #### Enhancements * Administrators can now use enrichment rules to automatically apply Veza tags to entities based on query criteria. The new **Veza Tags** enrichment feature works with all entity types across all integrations, enabling scalable tag management through automation. * The **Entity Owners** enrichment rule option now supports dynamic owner assignment from graph properties. You can choose a property from the same node or a different node to set as the owner, enabling automated owner assignment based on existing organizational data in your identity sources. #### Bug Fixes * Fixed an issue where the destination properties selector was empty when creating rules for certain query types. When configuring alerts for queries with multiple destination node types or entity type groupings as destinations, the "Show destination node properties in alerts" option is now properly disabled with a clear explanation. The feature continues to work as expected for queries with a single concrete destination type. * Fixed an issue where Risk Profile tiles on the Risks Overview page would disappear after all risks in that category were resolved. All Risk Profile cards now remain visible with accurate counts (including zero). ### Access Visibility #### Bug Fixes * **Access Graph**: Fixed "cycle in non-self-referential nodes" errors when querying entity types such as "Resource" or "User" in environments where entities act as both resources and principals (such as AWS EC2 instances with IAM roles). * **Access Graph**: Fixed an issue preventing "does not relate to" queries when searching for relationships between entities of the same type. For example, you can now successfully query for "Active Directory groups that do not relate to other Active Directory groups" or "IAM roles not assumed by other roles." Previously, these queries would fail with an error. * **Query Builder**: Fixed an issue where table columns for name, destination count, and risk score could not be properly sorted when opening queries from Separation of Duties. Users can now sort these columns in both ascending and descending order to better analyze query results. * **Query Builder**: Fixed an issue with exports not including relationship columns even when "Show Relationships" is enabled. ### Integrations #### Enhancements * **Active Directory**: Added support for multiple domain controllers with automatic failover. Administrators can configure backup domain controllers using the new **Failover Hosts** field, or enable automatic DC discovery via DNS to dynamically discover all available domain controllers. Veza automatically fails over to the next available DC if the primary becomes unreachable during data extraction, for uninterrupted data collection during maintenance windows or outages. * **Public MCP Server Registry**: Veza now supports discovery of Model Context Protocol (MCP) servers from the public MCP registry, providing visibility into publicly available MCP servers and their exposed tools. * The Public MCP Registry integration discovers MCP server implementations and their capabilities, helping security teams understand the MCP ecosystem and MCP-based AI agent connections. * Tool information is available for servers that expose public endpoints. One Public MCP Registry instance can be configured per tenant. #### Bug Fixes * **SQL Server**: Resolved connection failures with SQL Server 2008 R2 and other legacy versions by implementing automatic TLS version negotiation. Veza now handles servers that require TLS 1.2 rather than TLS 1.3, eliminating "Cannot Read Handshake Packet" errors without requiring configuration changes. * **Okta**: The Okta integration now automatically retries when encountering transient server errors during MFA factor extraction, ensuring successful data collection even when Okta's API experiences temporary issues. * **Jenkins**: The Jenkins integration now automatically handles permissions from custom Jenkins plugins and correctly processes group role assignments, preventing "unrecognized permissions" and group identity assignment errors. * **CSV Upload**: Fixed an issue that prevented assigning Entity Owners to Users, Groups, and Roles imported via CSV Upload when viewed in Access Graph. * **BlackLine**: Resolved an issue that was causing BlackLine integrations to fail during authentication with "invalid\_grant" errors. The OAuth authentication flow has been corrected to properly format authentication parameters according to BlackLine's API specification. * **Wiz**: Fixed an internal server error in the Wiz integration that occurred when processing users without assigned roles. The integration now successfully completes data extraction even when Wiz users have empty or unpopulated role assignments. * **Crowdstrike Falcon**: Fixed authentication failures in the Crowdstrike Falcon integration that caused extractions to fail with 500 errors after 30 minutes. * **Workday**: Fixed a Workday integration error that caused extraction failures when retrieving security group memberships from tenants with large security groups. * **Workday**: Fixed incorrect graph edges for Workday constrained security groups that were causing false positives in authorization queries. Constrained security groups no longer create direct edges to organizations where their assignable role exists, and instead correctly use role-mediated authorization paths. * **Workday**: Increased API pagination limits to prevent extraction failures caused by throttling in large Workday environments. * **Salesforce**: Fixed invalid permission set group mappings that could incorrectly attribute extra permission sets to users with Permission Set Groups. * **ServiceNow**: Added handling for reference fields in ServiceNow custom properties, resolving an issue where custom properties were displaying incorrectly. * **OracleDB**: Fixed system privilege classification so that OracleDB database permissions are correctly categorized (previously, all database-level permissions were classified as non-data). * **Oracle HCM**: Resolved an integration failure after password updates by adding backwards-compatible configuration property handling. * **DocumentDB**: Fixed the DocumentDB parser to handle cross-database privileges and wildcard access. * **UKGPro**: Fixed an issue where UKGPro was not showing as an available identity source by prioritizing templates that support Source of Identity when creating LCM datasources. * **Atlassian Cloud**: Added automatic retry handling for stream errors during Atlassian Cloud integration data extraction. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/release-notes/release-notes/2026-02-18.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.