# Release Notes: 2026-04-15

### Veza Integrations

#### Enhancements

* **AWS**: The IAM integration now retrieves policies and roles in batch using `iam:GetAccountAuthorizationDetails`, replacing per-resource API calls and reducing extraction time. Tags for customer-managed policies are now fetched in batch via `tag:GetResources`. To use the optimized path, include `iam:GetAccountAuthorizationDetails` in the Veza IAM policy. Without this permission, the previous behavior will apply.
* **Freshservice** integration (Early Access) enables the discovery of Configuration Items, users, and groups from Freshservice ITSM and mapping them to identities across your environment.
* **Integration Configuration**: Advanced and optional settings in integration configuration forms are now organized into collapsible sections, reducing visual clutter when setting up or editing integrations. Fields validate inline when a section is collapsed, and conditional fields update dynamically based on earlier selections.
* A new API **GetValidEnrichmentRuleOtherNodeQueries** is available. The endpoint returns the set of saved queries compatible with the **Owner Query** field in dynamic owner assignment rules, supporting use cases where ownership information exists on a connected entity, such as a ServiceNow CMDB Configuration Item.
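
For the AWS item above, a pre-flight check that a policy document grants the two actions the batch path relies on. This is an added example, not Veza's code or its published policy: `SAMPLE_POLICY` is constructed, and the check looks only at `Action` and `Effect` in one document (it assumes `Resource`, `Condition`, `NotAction`, SCPs and permission boundaries are reviewed separately).

```python
import fnmatch

# The two actions named in the AWS item above.
REQUIRED_ACTIONS = ("iam:GetAccountAuthorizationDetails", "tag:GetResources")

# Constructed sample policy document (not Veza's published policy).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:List*", "iam:GetPolicy", "iam:GetRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "tag:Get*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value or [])


def _grants(stmt, action):
    """True if the statement's Action patterns cover the action (names are case-insensitive)."""
    patterns = _as_list(stmt.get("Action"))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return required actions that are not allowed, or are explicitly denied, by this document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    missing = []
    for action in required:
        effects = {s.get("Effect") for s in statements if _grants(s, action)}
        # An explicit Deny always wins over an Allow.
        if "Allow" not in effects or "Deny" in effects:
            missing.append(action)
    return missing


if __name__ == "__main__":
    # The sample allows tag:Get* but only selected iam:Get* calls.
    print(missing_actions(SAMPLE_POLICY))
```

An action reported as missing means the integration falls back to the previous per-resource behavior described above.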

#### Bug Fixes

* **Workday**: Fixed an issue where the Identity Matchers configuration page only showed the AWS option. All supported identity provider options are now available when configuring Workday identity matching rules.
* **ServiceNow**: Large queries are now split into batches with improved error handling to further reduce extraction time for large deployments.
* **GitHub**: Fixed GitHub enterprise org scoping by correctly associating roles and effective permissions with organizations and restricting `ON_RESOURCE` linking to matching orgs.
* **OAA**: Fixed an issue with timeouts during long-running multi-part upload operations.
* **Active Directory / Okta**: Fixed an issue where Access Graph queries traversing from Active Directory to Okta could fail with "Failed to Fetch Query Results."
* **Bitbucket Cloud**: Fixed an issue where user email addresses were not populated in Veza. Emails are now collected from workspace and group membership data.
* **Oracle Fusion Cloud**: Downgraded role hierarchy cycle validation errors to warnings to unblock extractions, and added safeguards preventing cyclic traversal downstream.
* **Databricks**: Fixed Databricks extraction failures by skipping inaccessible catalogs and continuing schema discovery without privileges when permissions are denied.
* **UiPath**: Fixed UiPath extraction failures by ensuring non-empty resource names with ID-based fallbacks.
* **LDAP**: Fixed extraction failures (Result Code 4 "Size Limit Exceeded") that occurred when querying large directories.
* **Google Workspace**: Fixed an issue that prevented the integration from discovering top-level organizational units. Veza now lists all Google Workspace organizational units, including nested OUs.
* **Oracle Fusion Cloud**: Fixed a failure when creating an Oracle Fusion Cloud integration in environments where the SCIM user list endpoint returns 403 errors. Extraction now proceeds when SCIM user enumeration is restricted.
* **LDAP**: Fixed an issue where group members were not linked to user entities when the `uniqueMember` attribute stored full distinguished names (DNs) rather than short names.

### Access AI

#### Enhancements

* **Access AI** now supports saving queries suggested by the search agent. When Access AI suggests a query during a conversation, you can now use the **Save Query** action to persist the query without leaving the chat.
* When entering a prompt in **Access AI**, users can now select a **destination folder** directly from the prompt interface, organizing the new conversation thread into the appropriate folder at creation time.
* **Dashboard tiles** now include an **Explain with Access AI** option in the actions menu. Selecting it opens the Access AI chat panel and generates a plain-language explanation of the query, with results cached for re-use.
* The **Query Details Page** now includes an **Explain Query** option in the actions menu. Selecting it opens Access AI in the side panel with a natural-language explanation of the query configuration, what it covers, and the access patterns it analyzes.

### Access Intelligence

#### Enhancements

* When a **Disable Accounts** action fails because the integration has not been enabled for provisioning, Veza now displays a clear notification explaining the cause. Previously, the error message did not indicate that provisioning needed to be enabled on the integration.

#### Bug Fixes

* **Veza Actions**: Actions now display their associated rules and load more efficiently.
* **Dashboards**: Improved **Access Intelligence Overview** page loading, preventing issues where the page could remain stuck in a loading state.
* **Dashboards**: Fixed an issue where dashboards containing out-of-the-box (Veza-created) queries could not be shared. Dashboards that include system-created queries can now be shared across teams.

### Access Visibility

#### Enhancements

* **Query Builder**: Added an "Unsupported Conditions" column. When Veza cannot fully evaluate one or more conditions attached to a permission, that information is now visible in the Query Builder results table and included in CSV exports for a more complete permissions context.
* **Query Builder**: Users can now view background query results before a query finishes loading. Once enough initial data has been fetched, you can click the **View Results** button to review partial results while the remaining rows load, with a loading progress indicator for overall status.

#### Bug Fixes

* **Export to Snowflake**: Fixed an issue where scheduling exports to Snowflake could fail for queries with long names. Veza now truncates the generated Snowflake table name to comply with Snowflake's 255-character identifier length limit.
* **Export to CSV**: Fixed an issue where exporting query results to CSV failed when all columns related to the source entities were deselected. Exports now succeed regardless of the column groups displayed.
* **Query Builder**: Improved performance of some long-running background queries, resolving slow loading times for certain tenant configurations.
* **Query Builder**: Fixed an issue where query explanations could not be shown for saved union queries (configured to return results for one or more query sets). Explanations are now available for all saved query types.
* **Access Graph**: Improved loading experience for very large graphs, reducing intermittent slow page load times.
* **Separation of Duties**: Fixed an issue where VQL queries using path result types (destination nodes, destination node count, or path summary) displayed a record count but returned no data rows. Veza now returns a clear error when a VQL query requests result types unsupported by the SoD query engine.

### Lifecycle Management

#### Enhancements

* **SCIM Provisioning**: Provisioning now supports configurable unique identifiers. You can select either `userName` or `emails` as the unique identifier for matching SCIM users in Sync Identities actions. `userName` remains the default.
* **Workflow Actions**: Transformer expressions can now insert multiple `<EntityType.Attribute>` values as JSON field values in **Send REST Request** action payloads, enabling richer attribute mapping in provisioning workflows.
* **Google Workspace Provisioning**: When creating Google Workspace users through provisioning workflows, administrators can now specify the target **Organizational Unit (OU)** for the new user, rather than always creating users in the default OU.

#### Bug Fixes

* **Azure AD (dynamic groups)**: Fixed an issue where deprovisioning workflows failed when attempting to remove users from Entra ID dynamic groups and Exchange Online dynamic distribution groups. Because membership in these groups is determined automatically by Azure based on user attributes, manual removal is not supported. Veza now detects dynamic group types and skips them during manage relationship operations, logging a message that the group was skipped.
* **Azure AD (group-assigned licenses)**: Fixed a separate issue where manage relationship operations reported errors when reconciling license relationships during deprovisioning. When an Entra ID user holds licenses assigned through a group rather than directly, the Microsoft Graph API rejects direct removal with HTTP 400. Veza now queries each user's license assignment states before reconciliation, skips group-assigned licenses, and processes only directly-assigned licenses. Group-assigned licenses do not need direct removal because they are released automatically when the user's group membership is removed.
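
The reconciliation rule in the group-assigned licenses fix, sketched as an added example (not Veza's implementation). It assumes the Microsoft Graph `licenseAssignmentStates` shape, where `assignedByGroup` is null for a direct assignment; the GUIDs and sample states are constructed placeholders, and `plan_license_removal` / `assign_license_body` are hypothetical helper names.

```python
# Constructed sample of one user's licenseAssignmentStates (GUIDs are placeholders).
SKU_A = "00000000-0000-0000-0000-00000000000a"
SKU_B = "00000000-0000-0000-0000-00000000000b"
SKU_C = "00000000-0000-0000-0000-00000000000c"
GROUP_1 = "11111111-1111-1111-1111-111111111111"

SAMPLE_STATES = [
    {"skuId": SKU_A, "assignedByGroup": None, "state": "Active"},     # direct only
    {"skuId": SKU_B, "assignedByGroup": GROUP_1, "state": "Active"},  # group only
    {"skuId": SKU_C, "assignedByGroup": None, "state": "Active"},     # direct ...
    {"skuId": SKU_C, "assignedByGroup": GROUP_1, "state": "Active"},  # ... and via group
]


def plan_license_removal(states, target_skus):
    """Split the SKUs to deprovision into direct removals and group-assigned skips."""
    direct, via_group = set(), {}
    for entry in states:
        sku = entry["skuId"]
        if sku not in target_skus:
            continue
        group = entry.get("assignedByGroup")
        if group:
            via_group.setdefault(sku, []).append(group)
        else:
            direct.add(sku)
    return {
        # Safe to remove with a direct call.
        "remove": sorted(direct),
        # Group-only: a direct removal would be rejected, so skip and log.
        "skipped": {s: g for s, g in via_group.items() if s not in direct},
        # Direct copy is removed, but the user keeps the SKU until group membership ends.
        "still_inherited": sorted(s for s in direct if s in via_group),
    }


def assign_license_body(plan):
    """Body for POST /users/{id}/assignLicense, or None when nothing is directly assigned."""
    if not plan["remove"]:
        return None  # avoid sending a request that has nothing to remove
    return {"addLicenses": [], "removeLicenses": plan["remove"]}


if __name__ == "__main__":
    plan = plan_license_removal(SAMPLE_STATES, {SKU_A, SKU_B, SKU_C})
    print(plan, assign_license_body(plan))
```

When auditing a deprovisioning run, the `still_inherited` list is the one to follow up on: those licenses are only released once the group membership removal has completed.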

### NHI Security

#### New Features

* **NHI Suggested Owners**: A new AI-powered ownership analysis workflow automatically identifies the most likely human owner of an unowned NHI entity by analyzing the Veza Access Graph. The agent evaluates direct properties, graph neighbors, structural patterns from similar NHIs, and validates candidates against connected identity providers. Up to three owner candidates are presented with confidence scores and reasoning. (Early Access)
* **NHI Key Rotation**: You can now trigger key rotation for Azure Key Vault keys directly from the Veza NHI interface. When reviewing credentials in the NHI inventory, the **Trigger Key Rotation** action initiates rotation without leaving Veza. See [Rotate Key](/4yItIzMvkpAvMVFAamTf/features/lifecycle-management/policies-workflows/actions/rotate-key.md). (Early Access)
* Added a public API endpoint (`POST /api/v1/list_available_owners`) that returns paginated active IdP users eligible to be assigned as entity owners. Supports optional search by name or email. See [List Available Owners](/4yItIzMvkpAvMVFAamTf/developers/api/management/owners/listavailableowners.md).
* Added a public API endpoint (`POST /api/v1/batch_set_owners`) for programmatic owner assignment across multiple entities in a single request, supporting assign, add, and permanent-removal operations in bulk without requiring callers to fetch existing ownership state first. See [Batch Set Owners](/4yItIzMvkpAvMVFAamTf/developers/api/management/owners/batchsetowners.md).
* Four endpoints are now available for listing AI platforms, publishers, model families, and model series. See [/api/v1/nhi/ai/](/4yItIzMvkpAvMVFAamTf/developers/api/nhi.md) documentation for details.

#### Bug Fixes

* Fixed an issue where terminated or inactive IdP users could appear as selectable candidates when assigning owners to NHI entities. The owner picker now shows only active IdP users, preventing ownership from being assigned to users who are no longer active in the identity provider.
* **ServiceNow**: To improve dormancy detection for NHIs that authenticate through non-interactive flows such as API or OAuth, the `last_login_at` attribute for non-human identities now uses the `last_login_time` field (datetime precision) as its primary source, falling back to `last_login` (date precision) when unavailable.

