# Release Notes: 2026-04-01 ### **Veza Integrations** #### **Enhancements** * **Delinea Secret Server**: Added support for OAuth2 `client_credentials` as an alternative authentication method. When enabled, you can choose between password authentication and client credentials when configuring the integration. (Early Access) #### **Bug Fixes** * **Atlassian Cloud**: Fixed incomplete group membership data caused by a pagination change in the Atlassian Admin v2 API. * **Azure AD MS Teams**: Improved extraction performance by preloading channels before processing. * **Azure AD MS Teams**: Fixed duplicate privilege edges for channels with multiple direct members. * **Cassandra**: Fixed a CQL syntax error in the `ListRoles` query. * **CSV Upload (HRIS)**: Fixed a bug where manager relationships were dropped when the manager's row appeared after the direct report's row in the file. Manager references are now resolved in a second pass after all rows are processed. * **MongoDB**: Fixed incorrect edges created for cross-database role relationships, preventing subgraph validation failures in multi-database deployments. * **Okta**: Improved extraction efficiency by skipping user, group, and credential API calls for inactive applications. * **ServiceNow**: Optimized user-to-role queries to use a single OR group instead of independent sub-queries, reducing overall extraction time. * **Smartsheets**: Fixed an issue where users removed from the Smartsheets organization still showed as active in Veza. Users discovered only through group membership now default to inactive. * **Workday**: Added an `IsInherited` property to Security Group Bindings to distinguish directly assigned bindings from those inherited from a parent organization. You can now use the **Is Inherited** filter in Query Builder to exclude inherited bindings when querying account-to-organization access paths. ### **Access Reviews** #### **Enhancements** * **Admin Override on Completed and Expired Reviews**: Users with the Administrator, Access Reviews Admin, or Operator role can now update the decision field on any row in a completed or expired review. Valid target decisions are Rejected, Fixed, and Unknown. Row notes can also be updated. Reviewer assignment, sign-off state, and predefined question responses cannot be modified. * **Action Allow List**: A new Action Allow List restricts which users can delete In Progress reviews or modify their due dates. When enabled, users not on the list will not see the Delete or Edit Due Date options, and API requests are rejected. The list supports individual users and groups as principals. Draft reviews are not affected. The allow list is enabled and managed via API — there is no management UI. For configuration details, see [Action Allow List](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/action-allow-list.md). * **All Access Paths in Rejection Notifications**: Rejection notification emails now include a CSV attachment listing all access paths between the principal and resource for each rejected row. The attachment is included in every rejection notification and contains the following columns: Row Type, Principal Name, Principal ID, Principal Type, Path Summary Node Names, Path Summary Node IDs, Resource Name, Resource ID, Resource Type, Rejection Notes, Rejected By, and Rejected At. * **Consolidated Report Column Consistency**: The consolidated report (exported from **Access Reviews** > **Export All**) now reflects each review's column settings. Each review's section uses the column order and names configured for that review's workflow in the UI. Reviews with no custom column configuration use a default fixed column set for backward compatibility. * **Bulk Action Row Deselection**: After a bulk Approve, Reject, Approve and Sign Off, or Sign Off action, all selected rows are automatically deselected. This applies in standard, group-by, and cohort views. #### **Bug Fixes** * Fixed an issue where employee attributes from linked HRIS systems (such as enriched department, job title, or manager attributes) were missing from Access Review identity data for some users. ### **Access Security** #### **Enhancements** * **Dashboards**: When saving a dashboard, a confirmation modal now offers two options: * **Save Only** to save. Public dashboards will be available, but will not appear in the **New from Team** section under Favorites. * **Save and Notify Team** to publish and notify teammates. Published dashboards appear in teammates' **New from Team** section under Favorites. The **Save and Notify Team** option requires the dashboard to have Public visibility. * **Assessment Queries**: Updated the out-of-the-box query "Azure AD Users without MFA with Access to SharePoint Resources" to include an explicit filter for Azure AD users where `is_mfa_capable` is false. #### **Bug Fixes** * **Assessment Queries**: Refactored 32 out-of-the-box assessment queries to inline filter conditions that previously depended on sub-query result references, removing inter-query dependencies and simplifying query structure. ### **Access Visibility** #### **Enhancements** * **Query Builder**: Export options are now consolidated in the **Save** menu in Query Builder, replacing the standalone export button previously shown in the results area. Available options include Save Results as CSV, Send email with Results as CSV, Export to Snowflake, and Schedule Export. Save Results as CSV is disabled for queries returning more than 10,000 rows. Use Schedule Export or Send email with Results as CSV for large result sets. * **Query Builder**: Save Results as CSV and Send email with Results as CSV are now also available from the saved query details page, in addition to Query Builder. Export to Snowflake remains available in Query Builder only. * **Access AI**: The Access AI side panel can now be resized by dragging its left edge. Panel width is saved and restored between sessions. * **Access AI**: Thread management options (rename, move, delete) are now available directly in the chat sidebar without navigating away from the current conversation. #### **Bug Fixes** * **Query Builder**: Improved the **Swap Entity Type and Relates To** behavior. Filter type values are now swapped correctly, and attribute filters are preserved rather than removed after swapping entities. * **Query Builder/Access Graph**: Optimized performance of queries using on-path node type filters by pre-computing type reachability and skipping unnecessary graph searches. * **Query Builder**: Fixed an issue where changing filters while not on the first page of results caused incorrect or missing results. Filters now reset to page one automatically. ### **Lifecycle Management** #### **Enhancements** * Provisioning policies can now be enabled before any workflows are configured. Enabling a policy without workflows allows the Identities table to begin populating from the connected identity source immediately, without requiring a complete provisioning workflow to be in place first. * After a Sync Identities action provisions or updates an Active Directory user, the resulting AD user attributes (including standard attributes such as email, department, title, given name, and display name), and any custom properties defined in the integration configuration are now available as variable substitutions in downstream Send REST Request action URLs and payloads. Previously, only source-of-identity attributes (from the connected HR system or identity provider) could be referenced in Send REST Request actions; attributes on the provisioned AD user were not available to subsequent workflow steps. * Reset Password and Sync Identities actions can now include generated passwords in the action output, making them available to subsequent workflow actions via transformer expressions. * This functionality is currently available in Early Access. When enabled, passwords are available in-memory during workflow execution only and are not stored in Veza. * Because passwords are passed as plaintext values to downstream actions, use this feature only when required for the provisioning workflow, and ensure that receiving endpoints use HTTPS and handle credentials securely. #### **Bug Fixes** * Fixed an issue where Access Profiles assigned through birthright access showed **Not In Use** even when users were actively assigned. The status calculation now correctly evaluates birthright membership data. * Fixed an issue where Send REST Request actions configured with an Insight Point data source and Login to Bearer or OAuth2 auth credentials made the token acquisition request from the Veza control plane rather than the Insight Point. This caused failures when the token endpoint was only reachable within the customer's network. Both the token acquisition and the subsequent REST call now execute on the Insight Point. ### **My Access** #### **Bug Fixes** * Fixed intermittent errors on the **My Access** page where user access statistics failed to load. ### **Access Requests** #### **Enhancements** * Administrators can now create catalog definitions with the type **Send REST Payload**. When a user submits a request for this catalog item, Veza triggers the configured Send REST Payload action directly rather than creating an ITSM ticket. Administrators can configure the catalog definition by selecting an existing Send REST Payload action from the associated provisioning policy. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/release-notes/release-notes/2026-04-01.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.