Release Notes: 2026-03-18

Changes in Veza releases v2026.3.9 and v2026.3.16

Veza Integrations

Bug Fixes

  • Mulesoft: Fixed an issue where data push operations could fail with a permission denied error.

  • Workday: Group extraction is now optional. Fixed an issue where Workday group membership extraction could fail when listing group members exceeded configured query limits.

  • ServiceNow: Fixed an issue where user extraction failed with a JSON parse error when the sysparm_display_value option was enabled on the integration.

  • Fastly: Fixed an issue where updating an expired API token caused an internal server error due to an uninitialized HTTP client.

  • CSV Upload: Fixed an issue where role data was not extracted accurately when multiple roles shared the same name or included custom attributes.

Access Reviews

Enhancements

  • Changes to activity monitoring filters in Access Reviews: Activity monitoring filters are no longer applied when creating access reviews from saved queries. All access rows matching the base query scope are included in the review, regardless of any activity monitoring filter configuration on the saved query.

    Activity timestamps (including Last Activity At and Last Activity With Resource At) continue to appear in review results for supported integrations. This change only affects whether those fields are used to scope which rows are included during review creation.

    This change improves performance when creating access reviews from large saved queries, as activity monitoring computation is no longer performed during review creation.

  • Row notes and webhook notification status can now be updated via API during the grace period after a review completes or expires, but before it becomes read-only. Previously, the grace period (default duration is 7 days) only permitted marking rejected rows as Fixed. Admins, Access Reviews Admins, and Operators can now call the UpdateAccessCertResult and UpdateWebhookInfo API endpoints during this window, enabling more accurate post-review audit trails and automated remediation tracking.

Bug Fixes

  • Access Review Configuration: Fixed an issue where the Revoke access of rejected row on sign-off checkbox in the Veza Actions section would be cleared without user input while the query support check was still loading.

  • When Limit Access controls are enabled on specific Review Configurations, the NotificationWebhookUpdate and UpdateAwfResult endpoints now correctly respect the permissions of the admin and access_reviews_admin roles. Previously, users in these roles could not update webhook notification status or result notes for reviews they did not create.

Access Intelligence

Enhancements

  • Assign Veza Tags via Enrichment Rules: Enrichment rules now support a Veza Tags rule type, enabling bulk tagging directly from the Veza UI. Previously, applying tags to large sets of entities required the Tags API. For configuration details, see Enrichment Rules.

  • Dashboards can now be cloned directly from Dashboard Library actions, or from the header menu above any dashboard (⋮).

    • Cloning creates an editable copy (including all sections and queries) for customization and experimentation without modifying the original.

    • Cloned dashboards are automatically named "Copy of [original name]" and owned by the user who performed the clone.

    • Cloning requires a role with permission to Create dashboards.

Bug Fixes

  • Fixed an issue where dashboard tiles displayed a misleading percentage change indicator for queries with no prior evaluation history.

    • The trend percentage is now suppressed when no historical baseline exists for comparison.

    • The Results column in the dashboard edit view now also shows actual result counts; queries with no evaluation history display a dash (–) instead of a blank value.

  • Dashboard tiles have been updated with two display changes:

    • The hover tooltip on the clock icon in each tile now reads Last evaluated instead of Last sync, reflecting that the timestamp tracks when the query was last executed against the Access Graph rather than when data was synced from a source system.

    • The parenthetical past-value indicator (the baseline result count shown next to the trend percentage) has been removed from tile display. Trend percentage and current result count are unaffected.

  • Query names in dashboard tiles now display up to three lines before truncating with an ellipsis.

  • Improved performance for the Active Directory Risks dashboard by removing unnecessary pipeline query processing.

  • Fixed an issue where Jira remediation notifications incorrectly reported a success status when the configured API token was expired or invalid. Users now receive clear error feedback when Jira remediation notifications fail due to invalid credentials.

Access Visibility

Bug Fixes

  • Access Graph: Improved handling of large numbers of items when selecting nodes.

  • Query Builder: The Show Related Entities checkbox is now correctly disabled when one or more query sets in a union query are incompatible with showing related entities. Previously, the option remained enabled in this configuration and caused errors when selected.

AI Agent Security

Enhancements

  • Veza now automatically detects Model Context Protocol (MCP) servers hosted on AWS Lambda and EC2.

    • During data extraction, Veza inspects Lambda function metadata (including tags, handler names, environment variable keys, descriptions, container image URIs, and layer ARNs) and EC2 instance tags and names.

    • Resources identified as MCP servers receive an ai_tool_subtypes: MCP_SERVER label, which can be used in queries and access reviews to audit which identities have permissions over MCP server resources.

    • No configuration changes are required for existing AWS integrations. Customers whose AWS IAM policy does not include lambda:GetFunction will need to add that permission for full coverage of container image-packaged Lambda functions.

Lifecycle Management

Enhancements

  • "Pipeline Functions" renamed to "Then Apply": In the Lifecycle Management workflow editor, the Pipeline Functions field has been renamed to Then Apply.

    • The renamed field, used to chain transformation functions with the pipe (|) character, works the same way as before. The label change appears in the transformer configuration panel, the workflow detail view, and the email notification settings display.

    • A tooltip has been added to the field explaining the syntax and providing an example. No existing workflow configurations are affected.

  • Send REST Request workflow actions can now acquire authentication tokens through an Insight Point when configured with Login to Bearer or OAuth2 REST auth credentials.

    • This allows Lifecycle Management workflows to trigger actions against on-premises application APIs, including applications whose token endpoints are not publicly accessible.

    • Both the token acquisition call and the subsequent REST request execute within the customer's private network.

  • The LDAP integration now supports Lifecycle Management as both a Source of Identity and a Target System.

    • Organizations using Red Hat Identity Manager, FreeIPA, OpenLDAP, or other LDAPv3-compliant directories can now configure LDAP as the identity source that triggers LCM policy actions, and as a provisioning target for automated user and group management.

    • Supported operations when LDAP is configured as an LCM target include creating and deleting users, enabling and disabling accounts, updating user attributes, and managing group memberships.

Bug Fixes

  • Fixed an issue where the SCIM connector included an empty id field in create-user request payloads.

    • The SCIM 2.0 specification requires that id be omitted on create requests, as the target application assigns it. Strictly conformant SCIM servers, including Ardoq, rejected these payloads with an HTTP 400 error.

    • The id field is now omitted from SCIM create-user payloads, resolving provisioning failures against spec-compliant targets.

Veza Platform

Enhancements

  • The Veza Events page now surfaces status changes for custom email (DKIM) configurations. When Veza detects that DNS or DKIM records for a configured sender domain are verified or have failed, a system event is logged in Administration > Events and available for subscription via Event Subscriptions.

    The following event types are now generated under the Email Configuration category:

    • Email Configuration DNS Validation Succeeded: emitted when DNS validation for the sender domain transitions from failing to passing.

    • Email Configuration DKIM Validation Succeeded: emitted when DKIM record validation for the sender domain transitions from failing to passing.

    • Email Configuration Validation Failed: emitted when DNS or DKIM validation fails after previously passing; includes the specific DNS or DKIM error detail.

    • Email Configuration Activated: emitted when the email configuration is activated.

    • Email Configuration Deactivated: emitted when the email configuration is deactivated due to validation failure.

    Administrators can use Event Subscriptions to receive proactive alerts through email, Slack, Microsoft Teams, ServiceNow, or a custom webhook when email configuration validation fails or the configuration is unexpectedly deactivated.
