# Release Notes: 2026-04-29

### Veza Integrations

#### New Integrations

* **Freshservice**: Veza now integrates with Freshservice by Freshworks (Early Access). The integration discovers agents, groups, and roles from Freshservice and populates the Access Graph with authorization metadata.

  The integration supports optional CMDB extraction to discover Configuration Items and link them to identities in the Access Graph using Cross-Service Correlation (CSC), enabling asset ownership visibility for Suggested Owners and compliance reporting.
* **Personio**: New HRIS integration for discovering employees, departments, teams, and cost centers from Personio, with support for custom Personio attributes, reporting relationships, and employment status.

#### Enhancements

* **ServiceNow**: When configuring a ServiceNow integration that requires certificate-based authentication, you can now generate and download an X.509 certificate and RSA key pair directly from the Veza integration configuration page.
* **Kubernetes**: The Kubernetes integration now exposes RBAC policy rules in the Veza UI. Kubernetes RBAC permissions are now shown in Access Graph, enabling visibility into role-based access control policies across Kubernetes clusters.
* **CyberArk Privilege Cloud**: The CyberArk Privilege Cloud integration now discovers Active Directory group privileges to Safes. Groups that are safe members are linked to their effective permissions, and Azure AD and Active Directory principals that are safe members are now connected to their corresponding identity provider nodes for full access path visibility.
* **AWS**: The AWS integration now discovers Lambda Layers and Lambda Layer Versions as distinct entity types, along with IAM permissions on Lambda Layer resources.
* **Identity Mapping**: Custom identity mapping configurations now dynamically expose available source node types for each integration. The UI shows which mapping modes (user, group, role) are available, with improved property matching suggestions when configuring identity mappings.
* **Identity Provider Applications**: Identity provider application entities (such as OktaApp, OneLoginApp, and AzureAD Enterprise Application) now support entity owner assignment. Administrators can assign owners to IdP application nodes using the management API or enrichment rules, enabling owner-based access reviews and governance workflows for application entities.
* **Azure**: Added enhanced logging for Microsoft Teams channel extraction, including channel ID, name, and HTTP status code, improving traceability for intermittent channel NotFound errors during Azure extraction.
* **LDAP**: Improved extraction resilience by adding automatic retry for transient server-side Code 52 ("Unavailable") errors. Extractions that previously failed due to brief LDAP server interruptions now recover automatically.

#### Bug Fixes

* **SQL Server**: Resolved connection failures with SQL Server 2008 R2 and other legacy versions by implementing automatic TLS version negotiation.
* **GitLab**: Fixed repeated GitLab extraction failures caused by rate limiting. The connector now parses all standard rate-limit headers (`Retry-After`, `RateLimit-Reset`, `X-RateLimit-Reset`, `RateLimit-ResetTime`) to compute accurate backoff durations. The maximum number of retries has been increased from 5 to 15.
* **Snowflake**: When configuring a Snowflake integration with key pair authentication, you can now generate and download an X.509 certificate and RSA key pair directly from the Veza integration configuration page. This eliminates the need to generate certificates manually using OpenSSL.

### Access Intelligence

#### Enhancements

* Dashboard tiles now show change as an absolute delta with a trend direction indicator, replacing the previous percentage-based metric. The indicator is color-coded to reflect whether the trend is improving or worsening relative to the beginning of the selected time period.
* Remediation actions no longer require queries to have an assigned risk level. This enables remediation workflows for any query, including Non-Human Identity (NHI) queries that do not use risk scoring.
* Administrators can now enable or disable the **Disable Accounts** remediation action for supported queries directly from the dashboard tile options menu.
* The Risks page is now the default landing page when selecting Access Intelligence from the navigation menu. The previous default Overview page now has a retirement notice directing users to the Integrations page for equivalent metrics.
* Role Mining now supports Microsoft Entra ID as a data source. Administrators can now analyze Entra ID access patterns alongside existing supported integrations to identify opportunities for role consolidation.
* **ServiceNow**: Rule alert and remediation notification tickets sent to ServiceNow now use standardized templates. Alert tickets include a `[Veza Alert]` prefix with severity, rule name, trigger time, and query summary. Remediation tickets include a `[Veza Action]` prefix with query or dashboard details, triggering user, and timestamp.

#### Bug Fixes

* Fixed an issue where scheduled exports in Query Builder continued sending email notifications to previously removed recipients. Clearing all recipients from an export configuration now correctly stops future email deliveries.
* Fixed an issue where historical alerts displayed the current rule condition instead of the condition that was active when the alert fired. After editing a rule's threshold or logic, previously triggered alerts now correctly reflect the original configuration.
* Fixed an issue where Dashboard Queries displayed incorrect risk level values. Dashboard queries now show accurate severity classifications for all query results.
* Fixed an issue where "New Veza Dashboards to Review" notifications and a bookmark icon appeared incorrectly on the Role Mining page. These UI elements now display only on Access Security Dashboards.

### Access Reviews

#### Enhancements

* When multi-level approval is enabled, a new **Level 1 Due Date** column is available on the main Access Reviews list page. The existing **Due Date** column is renamed to **Final Due Date**.

  Pending reviews have color-coded due date indicators: a warning highlight when due within 7–15 days, a critical highlight when due within 7 days, and an alert icon when overdue.

  For single-level reviews, both columns display the same value. Highlighting applies only when the review is currently on level 1.

#### Bug Fixes

* Fixed an issue where the available owners list included users from all identity provider instances instead of only users from the configured global identity provider.
* Configurations with unpivot properties set now correctly preserve those values when other fields are updated.

### Access Visibility

#### Bug Fixes

* **Query Builder**: Fixed an issue where some entity types, including the User supertype, were missing from Query Builder dropdowns. The display limit has been increased to ensure all node types and supertypes are visible when building queries.
* **Query Builder**: Fixed an issue where the query explanation panel failed to load for union queries. Explanations now render correctly for queries that combine multiple source node types.

### NHI Security

#### Enhancements

* **ServiceNow**: Dormancy detection for ServiceNow non-human identities now incorporates last-API-access timestamps from the Machine Identity Console (`sys_mi_user_tracker`, Zurich+).

  The **Last Login At** attribute is now the maximum of `last_login_time`, `last_login`, and `last_used` (MIC API access) from ServiceNow, so NHIs using REST or OAuth authentication are no longer misreported as dormant. Instances without the Machine Identity Console skip this enrichment and continue using `last_login_time` and `last_login` only.

#### Bug Fixes

* **ServiceNow**: Fixed an issue where ServiceNow users with identity types such as `employee`, `contractor`, or `customer` were incorrectly classified as Non-Human Identities. ServiceNow users are now classified as human by default unless their identity type explicitly indicates a non-human type, such as `service_account` or `ai_agent`.

### AI Agent Security

#### Enhancements

* **AWS Bedrock**: AWS Bedrock AI Agent entities now represent individual agent versions rather than the parent agent container.

  Each version includes its own active status, platform, publisher, and model association, enabling precise visibility into which specific agent version has access to foundation models and IAM roles. Queries and saved searches for AWS Bedrock AI Agents will now return version-level entities; the parent agent container remains as an identity node.
* **ServiceNow**: The ServiceNow integration now discovers AI Agents, Tools, Gen AI Skills, AI Models, and Gen AI Configs from the Now Assist platform, along with the ACL rules that govern access to each resource.

  AI Agents configured to run as a specific ServiceNow user are linked to that user, providing visibility into AI-driven access paths. Requires the AI Agent Studio (`sn_aia`) plugin; Now Assist Skill Kit and the Generative AI Controller are also supported.

### Lifecycle Management

#### Enhancements

* Provisioning policies now support a new **Get Node From Graph** action type that queries the Veza Access Graph for entities during workflow execution.
  * Policies can now look up any graph entity type (such as Jira users or Okta users), apply SCIM filters, and use the query results in later policy actions.
  * This enables use cases such as verifying a user exists and is active in a target system before submitting a provisioning request.
* Provisioning policies now display real-time processing status (Running, Waiting, Stopped, or Disabled) instead of a static Enabled/Disabled tag.

  Clicking any active status pill now shows the run details, including each pipeline step (identity detection, validation, workflow filtering, and task execution), with links to the Activity Log.
* You can now save bulk dry run results to a file. From the dry run results table, use the new export option to download all results, including identity details, department, and labels.
* Veza now distinguishes between directly-assigned and group-inherited licenses for Azure/Entra ID Deprovision Identity and Manage Relationships actions, skipping group-inherited licenses during deprovisioning.

#### Bug Fixes

* Fixed an issue where Lifecycle Management action notification emails displayed raw placeholder text (such as `{{WORKFLOW_NAME}}` and `{{EVENT_IDENTITY_NAME}}`) instead of the actual values. Email templates now correctly resolve all documented placeholders.
* Fixed SCIM group membership verification for providers (such as AWS IAM Identity Center) that do not return group assignments in user GET responses, preventing errors due to timeouts during access request workflows.
* Fixed an issue where disconnected applications (such as CSV Custom Applications) were not available as data sources when creating Catalog Definitions. The data source selection now correctly includes all applications that support entitlement or relationship management.
* Fixed an issue where users with the Operator role received a 404 error when accessing Catalog Definition detail pages. Operators can now view Catalog Definition details in read-only mode.

