Secure and understand your environment with Veza integrations and products.
Veza's Authorization Graph integrates with cloud identity providers, cloud IAM, cloud services, apps, and data systems to discover authorization metadata, translating the complexity into a simple language of effective permissions.
Veza then provides insights into the relationships between entities such as identities, policies, roles, and resources, and enables users to create reports, queries, access reviews, and more using the latest data or a historical snapshot. Risk, compliance, security, and IT teams use Veza for visibility into which people and automated services can access sensitive data assets.
Veza answers the questions "Who has access to what," and "How do they have access?" With Veza, you'll pass your audits faster with less pain, be empowered to lock down data to only those who need it, and securely migrate cloud assets.
The documentation includes guides, reference material, and release updates for the Veza authorization platform. Use the information within to configure and administer Veza, and learn about core features.
Questions and answers about the Veza cloud platform, features, and policies
“Authorization metadata graph” provides an end-to-end visualization of authorization relationships between users (including non-human identities and service accounts), applications, and data sources. This includes the cloud identity providers (users, groups, and roles) and access management services (such as AWS IAM, GCP IAM, and Azure RBAC) that make a user's access possible. By presenting effective permissions (read, write, delete, and so on) in a single control plane for any enterprise identity and data source, the Veza graph simplifies the complexity of interwoven authorization structures and enterprise data systems.
Veza Cloud Platform can analyze identity and authorization data from public cloud providers and external identity providers (IDPs), along with non-cloud-native data sources like MySQL or Active Directory.
Yes, Veza utilizes the publicly available APIs published by identity providers and cloud providers to analyze these providers automatically. The nature of the API access is read-only, scoped to only essential metadata, and collected out-of-band.
Graph Scale and Performance: Veza is built to manage complex authorization metadata efficiently using advanced graph technology. Our architecture includes a robust data model, a persistence model ensuring crash-consistent metadata management, and an object model capable of handling billions of small objects. Veza is available in both SaaS and On-Premises deployment models.
Our testing indicates that the Veza platform can support up to 100 million nodes (including identities, groups, roles, policies, and resources) and 500 million edges (which represent relationships and connections among these entities). While the platform maintains functionality beyond these thresholds, some features may experience performance impacts. For optimal performance when exceeding these limits, contact support@veza.com.
After adding a built-in integration, you can use out-of-the-box queries defining common Separation of Duties (SoD) violations. You can edit these queries or define your own violations using the Access Intelligence > Separation of Duties page. SoD rules can apply to custom data sources, such as users ingested from CSV or SCIM.
Veza evaluates effective and system-level permissions when parsing integrated data sources. Violations are identified when executing an SoD query, either manually or as part of risk assessment.
By creating a rule for queries that are SoD violations, you can send announcements or create issues in systems like Jira, Slack, or ServiceNow when new violations are detected. Rules can also trigger automation using custom webhooks.
Veza integrates with 250+ systems natively and supports many more via our Open Authorization API framework. As soon as the user access data is ingested into the platform, Veza will identify toxic combinations of access based on configured SoD policies.
When a snapshot doesn't contain the specified relationship, creating a review results in a "No Data Available" error. Note that snapshots are taken on a daily basis.
Upon saving a Review Configuration and starting a new Review, it's possible that there are no results due to data not existing in the environment for the query parameters. To check if this is the case, search with Query Builder or Authorization Graph using the same search conditions.
While it's possible to edit some parameters such as notification settings after saving a Review Configuration, the original query cannot be altered. This is by design, and to maintain the integrity of the certification as a permanent record.
When creating a Review Configuration, you can select a specific source or destination entity type, and apply attribute filters on a value such as Datasource ID.
When creating a Review Configuration, you can filter on any tag Veza has discovered, as well as native Veza Tags. To do so, select the desired entity types and apply a tag-based filter.
Yes, custom apps configured using OAA are selectable as an entity type, just like the built-in configuration sources. You can either select an individual "Custom Application" or "Custom IdP" entity, or query "All Users" or "All Custom Applications".
You can set customized notifications when adding a Review Configuration, or configure them for each Review. Veza Actions will trigger based on reviewer actions (assignment, creation, decision, owner change) and certification states. Veza Actions can trigger webhooks, create ServiceNow tickets, and send alerts to Slack channels. Operators can also configure email reminders based on certification events and deadlines.
To create a single certification for one manager, apply a constraint on the identity's manager field, and choose the resource(s) the certification applies to. You can also identify managers for any entity type using tags.
Create a new certification, and assign the manager. To ensure the manager can view and certify only their assigned Reviews (and not access other Veza functionality), assign the manager's Veza account the access_reviewer role.
Certifications can have one or more "default" reviewers, assigned when starting the certification. These default reviewers can request other reviewers from your organization, for any result they decide they aren't an appropriate reviewer for. These assigned reviewers can only view and act on the results they're assigned to.
Veza can use metadata such as manager_id from your Identity Provider or Veza Tags to automatically assign reviewers when creating a certification.
You can set due dates on certifications, and automatically send reminders by email to the owners, participants, and optional creators/facilitators. The functionality to schedule certification campaigns is planned for a future release.
You can configure a variety of certification completion options, including enforcing that all rows must have a decision before a certification can complete.
To ensure that the Review represents a point-of-time state, Veza utilizes immutable snapshots of your environment at the point of certification. Once complete, it isn't possible to delete a Review, or the Review Configuration that contains it.
You can show attributes for any source, destination, or intermediate node that Veza has discovered, using the column selector. Columns can also show approval status, assigned reviewers, and notes. From the Certifications view, you can apply filters to narrow broad sets of results down to actionable groups. You can apply decisions to more than one page of filtered results by choosing an action above the list of results.
We recognize the need to group rows by column in certifications, and the option is planned for a future release. You can use filters to focus on results (for example, an individual user name or resource id).
Veza includes predefined reports that provide users with insights into their environment. These can be viewed within the platform.
Veza is tested and optimized for use with Chromium-based web browsers. For the best experience and full functionality, we recommend using the latest versions of the following browsers:
Google Chrome
Microsoft Edge
Veza uses browser cookies to authenticate users to the platform. If you see an error when attempting to log in after a password change, try clearing out browser cookies before signing in again.
If you're new to the platform, you can learn about Veza features and recommended first steps on the overview.
Depending on how much initial setup you have completed, you may need to integrate Veza with your identity, app, and data providers using the page.
After initial integration discovery to populate the data catalog, you can get immediate intelligence through and , connections between entities, and begin defining your own and conditional .
We are committed to making our customers successful and rely on your feedback to drive product innovation. Please contact your Veza support representative with questions or requests. Please report any documentation issues or feedback to .
: Veza parses the identities, resources, and authorization controls within and across cloud environments to create a network of entities and relationships you can explore using a variety of search interfaces.
: Create and manage access and entitlement reviews using the Authorization Graph.
: Identity, security, and compliance teams can use hundreds of Veza queries built to identify risks, misconfigurations, and anomalies, organized within dashboards and reports. Rules for custom or pre-built graph queries provide ways to create security baselines for alerts and notifications.
: Information on Veza security procedures and policies.
There is no manual step. However, you can use the to connect apps and identity providers that don't have a native integration.
All reject decisions from a given certification are retrievable programmatically as a .
Today, reviewers only have visibility to the Reviews that they are assigned. This is by design to prevent them from accessing privileged information. However, we do recognize the power of our visual graph for revealing the chain of privilege and how important seeing that path is for determining if access is appropriate. By creating , you can scope access to the Veza graph that will empower the reviewer to make decisions while limiting what they can see.
Users can optionally generate PNG files to capture visual aspects of the . These graphics could contain identities (human users or service accounts), authorization entities (IAM roles, groups, policies), and data sources (database names, table names) from your environment.
Changes in Veza releases v2025.3.17-1 - v2025.3.31-1
EAC-44833 Query Change Logs: You can now review a complete change history for any query using the Show Edit History option when viewing Query Details. A sidebar now shows all changes to date, including modifications to risk level, query permissions, or query parameters.
EAC-44131 Manager Assignments for Separation of Duties: For improved governance, ownership and better delegation of Separation of Duties (SoD) queries, we've introduced new functionality and terminology specifically for delegating and managing SoD queries.
New SoD Managers: The term "SoD Manager" now replaces "Owner", creating a clear distinction between query creators and those responsible for managing SoD policies
You can now assign and change SoD Managers.
Multiple SoD managers can be assigned
You can now select multiple SoD queries and assign one or multiple managers to all items.
SoD Manager assignment options are available on the Separation of Duties overview page. Look for the new "Assign SoD Manager" button.
EAC-45672 Veza Actions: To provide greater clarity when configuring outbound actions (such as webhooks for alert rules, email notifications, and Access Review automation), Orchestration Actions are now referred to as Veza Actions throughout the product interface. The new terminology should more intuitively communicate that these are actions originating from the Veza platform.
EAC-45501 Email Alerts: Emails sent for alert notifications now show the friendly entity name instead of the entity unique id.
EAC-45096 Enrichment Rules: Enrichment rules now have a Priority field. This defaults to 0.0 and has a maximum of 10.0. The higher the priority, the later it will run, meaning that higher priority rules will override values set by lower priority rules.
EAC-39274 VQL Autocomplete: The VQL editor now provides autocomplete suggestions, for improved user experience with faster and more accurate query completion.
EAC-45008 NHI Account Summaries: There is now a banner above the NHI Security > Accounts page, indicating how many total NHI accounts are detected, and which integrations they come from.
EAC-45655 Access Request Approvals with Veza Groups: Veza Groups can now be added to an Access Request Policy when selecting other approvers, in addition to individual users.
EAC-45028 Application/Integration Owner Approvals: It is now possible for the Application/Integration Owner to be designated as an approver within an Access Requests Policy.
EAC-45027 Access Requests Digest Notification: Access Request digest notifications are now available, showing the recipient user a summary of requests created and completed during the selected time range.
EAC-45534 Custom Property Value Constraints: Specific values can be defined in Access Profile Settings as constraints for custom property values. When these specific values are set, the value of a custom property is limited to the preconfigured value.
EAC-45533 Custom Properties for Entitlements: Entitlements can now have custom property values applied to them, differing from custom properties associated with the Access Profile.
EAC-45059 Prevent Reviewer Reassignment: Administrators can now prevent individual reviewers from reassigning review rows. This setting can now be configured globally on the Access Reviews > Settings page or per Review Configuration (via API).
EAC-44730 Integration Parsing Warning for Reviews on Active Graph Data: When creating an access review, a warning message has been added to the "From the moment the review is created" option to illustrate that it will temporarily pause all active data source parsing jobs until the review creation completes.
EAC-45179 Auto-Assignment to User Managers Fix: Fixed an issue preventing certain managers from being correctly identified during auto-assignment.
EAC-46001 Current User Lookups Enhancement: When looking up the current user in the Access Graph, Veza now uses the idp_unique_id property of identity provider users as a fallback if there is no matching email property. Previously, lookups would fail if the email property didn't match.
EAC-39491 New Lifecycle Management Landing Page: A new Lifecycle Management landing page was released and is being progressively enabled for customers. Among the highlights of this new landing page are:
An overview, status, and statistics for Lifecycle Management policies
An overview and statistics for Access Profiles
Identity metrics for active/inactive identities
An overview, health status, and statistics for Integrations
An overview of pending and completed access requests by status
A summary of recent provisioning errors
A summary of recent provisioning activity
EAC-45701 Active Directory as Identity Source: Active Directory can now be used as an identity source for both Lifecycle Management and Access Requests.
EAC-45093 Azure AD Guest Invitation Creation: The option to create an Azure AD guest user invitation has been added to Sync Identities actions for Azure AD.
EAC-45086 Azure/M365 License Management: Lifecycle Management can now add and remove M365 licenses for Azure AD users with the Manage Relationships action in a Lifecycle Management workflow.
EAC-45083 Identity Attributes in Email Templates: Any attributes provisioned by Lifecycle Management can now be piped into Lifecycle Management email notification templates.
EAC-45765 Lifecycle Management Access Review Creation Fix: Fixed an issue where no access review was created when an administrator manually triggered a Lifecycle Management workflow where Create Access Review was configured as an action.
EAC-45495 Access Reviewer Pagination Fix: Prior to the fix, only the first page of reviewers was shown in the Reviewer dropdown when creating the action.
EAC-44801 API Response Missing Value Fix: Prior to the fix, the value for access_profile_ids was missing after POST /api/private/lifecycle_management/policies/<policy_id>:dry_run.
EAC-45752 Dynamics ERP Integration: The Azure integration can now discover Users, Groups, Application Users, and Security Roles for Microsoft Dynamics 365 ERP.
EAC-44077 Coupa CCW Integration: New integration for Coupa Contingent Workforce (CCW).
EAC-45700 Integration Overviews Categorization: When viewing the summary of discovered entities on the integration overview page, entities are now grouped into three categories for better readability:
Identities (principals accessing resources)
Resources (entities on which a principal can take actions)
IAM Entities (entities that specify and assign permissions such as roles, groups, role bindings, and permission sets).
EAC-42806 Google Cloud Enhancements: Added support for discovering Google Secret Manager Secrets and filtering by the attributes last_rotated, status, and secret_type. The integration also now extracts and shows these attributes for KMS Keys.
EAC-45085 Microsoft Azure License Entities: Azure/Microsoft 365 Licenses are now represented as searchable entitlement entities that can be related to one or more users. Previously, license information was only available as a user property.
EAC-43469 Microsoft Azure Role Attributes: Azure AD Roles now include attributes showing the full role Description and indicating whether the role is Privileged.
EAC-45419 Open Authorization API Identity Type Support: The oaaclient SDK now supports setting the identity type (human or non-human) for Custom IdP Users.
EAC-44051 Snowflake Network Policy Attribute: Snowflake Users now have the Network Policy Exists attribute, set to true when a Network Policy has been assigned to the user.
EAC-45690 Azure Custom Roles Fix: Added handling for custom roles and custom role assignments.
EAC-45631 OAA Custom Identity Mappings Fix: Fixed an issue with custom identity mappings between Okta and Users created with the "Custom Principle" OAA template.
EAC-45883 Workday Integration Performance: Optimized performance when saving a Workday integration by reducing the number of reports fetched.
EAC-45548 Workday Identity Mapping Fix: Fixed an issue where Workday identity mapping configurations did not include all relevant node type properties.
EAC-32570 Windows Server Task IDs: Changed Windows Server Scheduled Task unique IDs to match the task's fully qualified path.
PLT-1050 API Keys Management: Veza API keys can be blocked by customers via the Enable API Keys option found within Administration > Sign-in settings.
PLT-1309 API Keys Disable Behavior: When API Keys are disabled from the UI, all API key access is disabled. The API keys management page is hidden for all users.
Changes in Veza releases v2025.3.10-1 - v2025.3.17-1
EAC-45004, EAC-44959: The NHI Accounts page now includes the "Type" column to indicate what entity is listed and options to filter by integration and integration type.
EAC-44949: The NHI accounts page now contains a "view details" button for each line item which brings you to a query details page for the specific result.
EAC-43200: Enrichment rules are now supported for all integrations that use custom application templates (e.g., Terraform, DocuSign, PagerDuty, and Zoom).
EAC-28997: The Graph search home page now includes your customer name, e.g., "Welcome to Evergreen Trucks Access Graph." Contact your Veza Customer Success Manager to customize this setting for your tenant.
EAC-44927: Fixed an issue where scheduled export links could appear as expired before reaching their 28-day limit.
EAC-44219: Some legacy reports could contain private queries despite being a public report, a condition that is no longer permitted. Veza now filters out all private queries from public reports to unify this behavior.
EAC-34937: Fixed an issue where the user was unable to attach a webhook when editing an existing rule.
EAC-45381: In the reviewer interface, display options to Include Other Reviewers' Decisions, Include Signed-Off Rows, and Compare With Prior Review are now contained in the View dropdown menu above the results. These were previously under the "Filters" menu, which has been relocated for better visibility.
EAC-45426: A "help" link is now shown when configuring digest notifications.
EAC-44466 New Iconography for Effective Permissions: Reviewers can now more easily scan reviews to identify access permission differences with new visual indicators that highlight variations in Effective Permissions. These indicators use color and icons to distinguish permission states, making pattern recognition across multiple rows faster. This Early Access feature is now enabled by default.
EAC-44467: In-column actions are now enabled by default in the reviewer interface, providing an easier way to rename, hide, filter, sort, or group by individual columns.
EAC-43560: Administrators and Operators can now customize column names, order, and visibility in the reviewer interface and publish these settings for all reviewers. A new "Admin" button allows administrators to set the current column settings as the default for all reviewers, manage renamed columns, or edit the review configuration. Any customizations made will apply to all reviews using the same configuration.
EAC-40094: Administrators can now configure predefined approval, rejection, and custom decision notes directly in the Veza UI. This ensures consistency in the review process by providing standard note options for reviewers.
EAC-43220: When using alternate lookup settings for review auto-assignment, auto-assignment now functions for rows that include users in the main IdP.
EAC-42732: PDF exports now include completed, approved, rejected, and unactioned row percentages.
EAC-45240: When using the Group By option in access reviews, reviewers can now sign off with a single click once all rows in a group have a decision. Additionally, reviewers can use the Clear Decision row action to reset any item that has not yet been signed off. A Signed Off badge now indicates when all rows in a group are final.
EAC-44703 In a "Mover" Lifecycle Management Policy workflow, it is now possible to configure a grace period before removing entitlements: When a user changes job roles the organization may want to allow them continued access to the previous job role's entitlements for some time. You can now configure this in a Lifecycle Management Workflow in the "Manage Relationships" action.
EAC-44063 Retired and Draft Access Profile Versions: If Access Profile versioning is enabled, it's now possible to view retired or draft versions of the Access Profile in addition to the currently published version.
EAC-45090: Workflows now support "Password Reset" actions, enabling you to create identities in advance of an employee's start date and then automatically set their password on an actual start date.
EAC-44674: Fixed an issue with custom property validation in attribute formatters.
EAC-45025: You can now select how user identities are uniquely identified when logging into the Access Hub using SSO, either by email address (default) or employee ID.
EAC-44386: Access Profiles now allow adding customer-defined properties to add more metadata to the Access Profile. This enhancement also includes the ability to search on the customer-defined properties and their values.
EAC-44726 Microsoft Azure: The integration now discovers groups assigned to Azure AD (Entra ID) roles, and supports search for users within those groups.
EAC-45125 Active Directory: Adds support for Kerberos authentication when binding to LDAPS.
EAC-45299 Active Directory: You can now choose to exclude disabled users from extractions when configuring the integration.
EAC-44076 Exchange Online: The Azure integration can now discover Exchange Online Role Groups.
EAC-45418 Open Authorization API (OAA): The Custom Identity Provider template now supports setting the identity_type property during user submission, allowing identities to be designated as either human or non-human within the payload.
EAC-45138 Okta: Both STAGED and PROVISIONED user statuses are now treated as isActive = false (no activity).
EAC-45144 SharePoint: Adds support for skipping discovery of SharePoint sites with identical GUIDs.
EAC-45234 Active Directory: Fixed handling of surname attribute in Active Directory integration.
EAC-44993 Teleport: Fixed a "Connection Refused" error when configuring the Teleport integration.
EAC-44858 AWS KMS: Adds error handling for UnsupportedOperationException.
EAC-44395 AWS Redshift: Invalid database names are now skipped during extraction.
EAC-43517: Integration names in Veza now support additional characters (such as () and -).
Changes in Veza release v2024.8.26
EAC-38053 Quick Filters: You can now click the filter icon at the top of any Query Builder column to apply a filter on that source or destination attribute.
EAC-36708 Open in Graph: When Summary Entities are selected in Query Builder, the Open in Graph action now enables opening all results in Authorization Graph, or an individual entity (from the entity details view). Note that summary entities are not included in the Graph query when using this option.
EAC-37518 Segregation of Duties (SoD) : Fixed an issue with using breadcrumbs to navigate to the previous page after using Open in Analysis option to edit a saved query using the SoD builder.
EAC-38052 Manager Portal: The Direct Report filter on the Quick Review page now uses auto-complete to suggest users.
EAC-38078 SCIM: Added support for OAA-based SCIM integrations as provisioning and deprovisioning targets.
EAC-38004 Access Profiles: LCM Access Profiles can now be created and viewed by non-root teams.
EAC-37809 Graph Navigation: From the Identity page, you can now navigate directly to graph to show that entity's relationships.
EAC-38123 Attribute Syntax: Fixed an issue with AD manager attribute sync during deprovisioning.
EAC-38165 HiBob: New integration for the HiBob HRIS provider, with the option to enable as a Lifecycle Management identity source.
EAC-37814 Privacera: You can now specify an optional CA Cert and URL when configuring the Privacera integration.
EAC-37929 SwiftConnect: Veza now assigns Access Levels (roles) to Access Profiles (users), instead of directly assigning Access Credentials.
EAC-37924 SQL Server: Veza now gathers and shows permissions on system databases such as master, model, msdb, tempDB, and resourceDB.
EAC-38036 API Keys: Added a programmatic_key_manager role for programmatic API key generation (Early Access).
First steps with the core authorization platform
Welcome to Veza, your unified access control platform for data governance, data access management, cloud entitlements, privileged access, and much more.
This page introduces important features to help you implement and operationalize Veza for your organization and teams. You will learn how to enable external integrations and begin leveraging Access Intelligence, Access Search, and Access Reviews.
See the following sections for details:
To fully make use of Veza, you will need to integrate the Identity, Cloud, and application providers used by your organization. Veza periodically connects to these application providers and data sources to populate the Authorization Graph and build your Entity Catalog.
Veza builds a catalog of all your entities across identity providers, cloud providers, apps, and data systems. You can review all of these on the Dashboards > Home page. Choose data sources from the menu to view all the entity types Veza has discovered, and click an entity type to bring up a list of those entities in the Query Builder, where you can view additional attributes and details.
The metadata Veza discovers includes tags from cloud providers (such as AWS tags or GCP labels). You can also create and apply Veza tags to identify sensitive cloud data assets across multiple providers and applications. Open the Access Intelligence > Tags page to see the tags Veza has already discovered.
Veza ships with hundreds of out-of-the-box assessment queries to provide rapid insight into risks, anomalies, and the overall state of authorization within integrated systems.
The main Dashboards page showcases some of these top risks and important insights, with the option to open any query to inspect the detailed results. Use the Access Intelligence > Reports page to review all the built-in reports. Then, try creating a custom report to capture data access trends and track risks for your organization.
Veza discovers the connections between entities in the Authorization Graph and makes these relationships searchable with a visual Graph search and flexible Query Builder.
You can use these Access Visibility features to explore the different types of entities in the Data Catalog. To get started, go to the Saved Queries page, and try opening some out-of-the-box assessments in the Query Builder to fine-tune them based on your organization's priorities and unique environments.
Search for a single entity (such as an Okta User or Snowflake Database) using the Graph search bar to show all the connections Veza has found.
Specify a source and destination entity in Query Builder to find all entities of the source type with a relationship to entities of the destination type.
Apply filters on any of the entity attributes Veza has discovered to narrow your search using rich metadata such as user department, manager, or last activity date.
Veza Access Reviews enable repeatable, granular, and integrated certification campaigns. These can be conducted by a single auditor, or involve collaborators automatically assigned from many departments and teams. Open the Access Reviews page to create and manage configurations for user access reviews, privileged access reviews, entitlement management, role management, identity lifecycle, and more.
Depending on the business and compliance requirements, Access Reviews can audit user access to data, resource entitlements, roles, groups, and policies, or any other source -> destination relationship discovered by Veza.
After creating a configuration that defines the scope of a review, administrators and operators can create and schedule new reviews, and assign each result row to individual managers or resource managers for review and attestation.
Veza is designed to support collaboration between users and teams and integrate with external systems and workflows. Once you've familiarized yourself with the platform, you can invite your team, enable outbound actions and alerts, and enable advanced functionality:
Questions and answers for enterprise customers and security teams
This document addresses advanced topics on Veza platform security. These include questions about authentication, encryption and key management, access controls, network security, and other procedures ensuring the security of our SaaS and cloud-premise deployments.
Veza's SaaS production environment runs on AWS. Our architecture emphasizes security, scalability, and efficient resource management with a multi-VPC structure. Key components include Amazon EKS for container orchestration, AWS WAF for web application security, and integrated monitoring tools.
What authentication methods does Veza support?
Interactive Users: Local User Accounts, SAML Single Sign-On, OpenID Connect (Early Access).
Non-Interactive Access: API Keys
For SAML-based authentication, do you handle user-provided XML? Do you validate XML to protect from malformed XML?
Veza accepts user-provided XML for SAML configuration. We validate the input to protect against malformed XML input.
For API authentication, do you support access tokens instead of API keys? If so, what tokens are supported?
Not at present.
Do you check if MFA is performed on the IdP side for single sign-on?
No. A requirement that MFA be performed for session creation can be configured via ACR Values with OpenID Connect (OIDC). The configuration is specific to your identity provider and its IdP configuration. It does not guarantee that MFA was performed.
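Requesting `acr_values` only tells the IdP what the relying party wants; the `acr` claim the IdP returns in the ID token is the only statement about what actually happened, and the caveat above is that nothing checks it. The following is an added example (not Veza's code) of the check a relying party would perform. The accepted `acr` strings are an assumption (they are provider-specific), the token is constructed, and in practice the token signature and the standard claims (`iss`, `aud`, `exp`, `nonce`) must be verified before any claim is trusted.

```python
"""Check the acr claim of an OpenID Connect ID token against the
acr_values the relying party requested.

Added example, not Veza's own code. The accepted acr values are an
assumption; each IdP documents its own strings.
"""
import base64
import json

# Assumption: the IdP asserts one of these acr values after an MFA login.
ACCEPTED_MFA_ACR = {"urn:okta:loa:2fa:any", "urn:example:mfa"}


def decode_claims(id_token: str) -> dict:
    """Decode the payload segment of a compact JWS without verifying it.
    Inspection only; signature verification must happen before trust."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def mfa_asserted(claims: dict, accepted=ACCEPTED_MFA_ACR) -> bool:
    """True only if the IdP asserted an accepted acr value.

    An absent acr claim means the IdP made no statement about the
    authentication context, so it is treated as 'not asserted'.
    """
    return claims.get("acr") in accepted


def build_unsigned_token(claims: dict) -> str:
    """Constructed test token (header.payload.signature) with an empty
    signature; exists only to exercise decode_claims in this example."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').decode().rstrip("=")
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f"{header}.{body}."


if __name__ == "__main__":
    token = build_unsigned_token({"sub": "user-1", "acr": "urn:okta:loa:2fa:any"})
    print("MFA asserted:", mfa_asserted(decode_claims(token)))
```

Even with this check in place, the relying party is trusting the IdP's assertion; it cannot independently confirm that a second factor was used.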
How long are access tokens valid? Is the duration of access tokens configurable?
The valid duration of regular session/access tokens is 20 hours (non-configurable). Session tokens must be refreshed every 15 minutes or they expire.
API keys do not expire.
The customer can configure session idle time on the Veza Sign-in Settings page.
Do you use cookies? How are your cookies defined?
Yes. We use cookies, including a session token, for session tracking. We assign our cookies as HTTPOnly and Secure.
Are all human users accessing Veza’s EKS backend required to use MFA?
All access to Veza's EKS backend is limited to a select few SRE individuals and requires multiple layers of MFA.
How does Veza avoid spoofing attacks, where an attacker impersonates the Veza application to gain unauthorized access?
Veza can prevent spoofing attacks. Here are the details:
Using a single SAML-based IdP (e.g., Okta) as the SSO provider.
Customers can disable local accounts.
Customers can allow a Super Admin user, managed by the customer, access for break-glass situations. This user's activity can be audited for any actions the user performs.
How does in-transit and at-rest encryption for data ingested into Veza work?
For in-transit data, we support TLS 1.3 (default) with ECDSA, RSA, and TLS 1.2; for at-rest data encryption, we use AES-256-GCM. We use GPG to encrypt the secrets for all integrations.
Encryption and storage: All storage is encrypted at rest (EBS Volumes, S3 buckets, Database storage).
How are keys managed?
We use AWS KMS to manage and secure keys.
Does Veza implement chains of trust?
We use AWS Certificate Manager (ACM) to issue our public TLS certificates. Internally, we use our own certificate authority (CA) and self-signed certificates for mTLS between services to prevent a supply chain compromise of internal communications security.
How are keys rotated? How often are keys rotated?
We rotate AWS and Veza KMS keys yearly.
Certificates are rotated every 6 months.
How is communication between the Insight Point and Veza platform secured?
All communication between the Veza Platform and the Insight Point is performed via TLS (Transport Layer Security). All requests are also signed to provide data authenticity and integrity.
Access Control Infrastructure: At the infrastructure level (Kubernetes cluster, tenant), what access control does Veza enforce to ensure infrastructure security?
Only specific personnel have access to production environments.
We perform quarterly access reviews to audit production environment access.
Authorized personnel can only access customer-managed clusters through a designated bastion host.
Bastion host activities are monitored and audited via SysDig.
We require SSO and MFA for all production systems.
All cluster traffic is encrypted.
All internal communications use mTLS.
All access is tracked in audit logs.
Is the network where customer data resides segmented from other networks, with only necessary ports and protocols allowed? Does Veza disable Public/Remote Access to EKS Cluster Endpoints?
Network policies isolate the tenant network. All external (incoming and outgoing) traffic is limited to the components that need it.
EKS access is only enabled from the Bastion host and limited to access from the private VPC. Public access is disabled.
Firewall and Intrusion Prevention: Does Veza Deploy Web Application Firewalls (WAFs) and intrusion prevention systems (IPS) to detect and block malicious traffic? Does Veza Regularly update signatures and rules? Is remote access to EKS cluster node groups disabled from the internet?
All external traffic must go through AWS WAF.
VPC traffic is analyzed and scanned to detect anomalies.
Signatures are updated automatically.
We restrict EKS node access to the private VPC from the bastion host.
Does Veza routinely review accounts with access to production tenants and the EKS backend to ensure no stale or unauthorized accounts exist? Do you ensure that Cluster Node Group IAM Policies are maintained? Is the worker node IAM user for cluster EKS Namespaces segmented?
Veza performs regular quarterly access reviews.
Veza maintains least-privilege IAM policies/permissions.
IAM policy integrity is maintained by regularly reconciling the policy configured in infrastructure-as-code against the policy actually running in the account.
Tenants have strong access isolation through the IAM policy and Kubernetes Role-Based Access Controls (RBAC).
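Reconciling the infrastructure-as-code policy against the running policy is a drift check: flatten both documents into comparable grants and report anything the running policy allows that code review never approved. The following is an added example, not Veza's tooling; both policy documents are constructed, and in practice the running one would be fetched from the cloud provider's API.

```python
"""Detect drift between an IAM policy declared in infrastructure-as-code
and the policy actually attached in the account.

Added example, not Veza's tooling. Both policy documents below are
constructed sample input.
"""
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str, str]   # (Effect, Action, Resource)

# Constructed: the policy as approved in code.
DECLARED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed: the policy as read back from the account; someone added PutObject.
RUNNING = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value) -> list:
    # IAM accepts either a string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]


def normalize(policy: dict) -> Set[Grant]:
    """Flatten a policy document into (Effect, Action, Resource) triples so
    that statement ordering and string-vs-list differences are not drift."""
    grants: Set[Grant] = set()
    for st in _as_list(policy.get("Statement", [])):
        for action in _as_list(st.get("Action", [])):
            for resource in _as_list(st.get("Resource", [])):
                grants.add((st.get("Effect", "Deny"), action, resource))
    return grants


def policy_drift(declared: dict, running: dict) -> Dict[str, List[Grant]]:
    """Return grants present only in the running policy ('added') and grants
    missing from it ('removed'). An 'added' Allow triple is privilege that
    expanded outside the reviewed code path."""
    d, r = normalize(declared), normalize(running)
    return {"added": sorted(r - d), "removed": sorted(d - r)}


if __name__ == "__main__":
    for kind, grants in policy_drift(DECLARED, RUNNING).items():
        for grant in grants:
            print(f"{kind}: {grant}")
```

Condition keys and NotAction/NotResource are deliberately out of scope here; a production reconciler has to normalise those too, or it will report false equivalence.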
Do you support multi-tenancy? If so, can you describe how accesses are isolated among tenants?
Yes, Veza supports multi-tenancy:
Each tenant is an isolated deployment in a separate namespace
Tenant data and permissions are isolated, with controls to prevent cross-tenant data access.
Do you support RBAC for customer users in the same tenant? What roles are supported? What isolation is provided?
Veza supports four static roles:
Administrator (user management, provider management, and system settings)
Operator (access to all platform capabilities, like reports, rules, access workflows, etc.)
Access Reviewer (a specialized role for participating in access reviews)
Two additional roles are available in Early Access:
Viewer (Subset of operator role, preventing any changes or modifications)
Re-assigner (Subset of operator role, allowing re-assignment of any result in an Access Review)
Veza also supports Teams to limit access to specific integrations: users in a Team can only see data for integrations assigned to that Team.
How does Veza avoid repudiation (the inability to prove the occurrence of events or actions leading to disputes)?
Veza implements logging and monitoring to maintain an immutable record of all service activity:
Logs include the timestamp, the pod name that initiates the call, and all other operation details (which function, which line, etc.)
Logs are protected against tampering and stored immutably.
We forward logs using TLS to our logging utility.
AWS CloudTrail is also used to monitor and audit access to AWS assets through the command line or console.
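One way to make a log tamper-evident, as an added example that is not Veza's logging implementation: chain each entry to the hash of the one before it, so that editing or deleting an earlier entry breaks every later link. The entries below are constructed, using the fields the list above names (timestamp, pod name, operation).

```python
"""Append-only audit log whose entries are chained by hash, so that
editing or deleting an earlier entry is detectable on verification.

Added example, not Veza's logging implementation. Records are constructed.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64   # hash "before" the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash does not
    # depend on how the record happened to be serialised when written.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log: List[dict], record: dict) -> dict:
    """Append a record, linking it to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify(log: List[dict]) -> Optional[int]:
    """Return the index of the first broken entry, or None if the chain is intact.
    A deleted entry shows up as a break at the position that followed it."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


if __name__ == "__main__":
    log: List[dict] = []
    append(log, {"ts": "2024-01-01T00:00:00Z", "pod": "api-0", "op": "review.create"})
    append(log, {"ts": "2024-01-01T00:00:05Z", "pod": "api-1", "op": "review.signoff"})
    print("intact:", verify(log) is None)
    log[0]["record"]["op"] = "review.delete"     # simulate tampering
    print("first bad entry:", verify(log))
```

A hash chain on its own only detects edits by someone who cannot rewrite the whole chain; what makes it hold up is forwarding the entries (or at least the latest hash) to a separate system the writer cannot modify, which is the role the TLS-forwarded logging utility above plays.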
How does Veza avoid Denial of Services for supported integrations?
Veza implements rate limiting for all integrations.
Veza also monitors and allocates resources appropriately to handle spikes:
Default extraction intervals depend on the integration and range from 1 hour to 24 hours, depending on target data source capabilities. Customers may set a longer interval as desired.
Our EKS backend uses auto-scaling groups to achieve elasticity based on usage.
Resource usage is monitored and alerted on CPU, memory, and storage thresholds.
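Rate limiting an integration means bounding how fast extraction calls go to the target data source so that discovery never becomes a denial of service against it. The following token-bucket limiter is an added example, not Veza's implementation; the clock is injected so the behaviour can be reproduced exactly, and the rates used are constructed.

```python
"""Token-bucket rate limiter for outbound extraction calls to an
integration, with an injected clock so behaviour is deterministic.

Added example, not Veza's rate limiter. Rates below are constructed.
"""


class TokenBucket:
    """Allows `burst` calls immediately, then `rate_per_s` sustained."""

    def __init__(self, rate_per_s: float, burst: int, clock):
        self.rate = rate_per_s       # sustained calls per second
        self.capacity = burst        # maximum burst size
        self.tokens = float(burst)   # start full
        self.clock = clock           # callable returning seconds
        self.updated = clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now

    def try_acquire(self) -> bool:
        """Consume one token if available. Never blocks: the caller is
        expected to back off and retry rather than queue unboundedly."""
        self._refill()
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class FakeClock:
    """Manually advanced clock so the simulation is reproducible."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, dt: float) -> None:
        self.t += dt


def simulate(requests: int, rate_per_s: float, burst: int, gap_s: float) -> int:
    """Fire `requests` calls spaced `gap_s` seconds apart against a fresh
    bucket and return how many were allowed through."""
    clock = FakeClock()
    bucket = TokenBucket(rate_per_s, burst, clock)
    allowed = 0
    for _ in range(requests):
        if bucket.try_acquire():
            allowed += 1
        clock.advance(gap_s)
    return allowed


if __name__ == "__main__":
    # Constructed: 10 calls fired back-to-back against a burst of 3.
    print("allowed without pause:", simulate(10, rate_per_s=1.0, burst=3, gap_s=0.0))
    # Constructed: 10 calls one second apart at 0.5 calls/s sustained.
    print("allowed at 1s spacing:", simulate(10, rate_per_s=0.5, burst=2, gap_s=1.0))
```

The bucket is per integration; pairing it with the extraction interval above gives two independent controls, one on call rate and one on how often a full extraction starts.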
How does Veza avoid exploiting vulnerabilities to gain elevated privileges?
Veza uses strict permissions to ensure we use minimum necessary read permissions for each integration.
We audit Veza permissions and roles regularly.
Vulnerability Assessment and Patching:
Veza EKS backend must undergo regular vulnerability assessments.
Veza performs regular ECR image scans and patches images.
Veza assesses discovered vulnerabilities and patches them per CISA standards.
Veza automatically scans code dependencies continuously.
Veza keeps all system components up-to-date with a regular upgrade cadence.
Veza uses images with minimal dependencies necessary for each service.
How does Veza define data retention policies for metadata stored in the EKS backend and ensure secure deletion methods that comply with industry standards (e.g., NIST's Guidelines for Media Sanitization)?
Veza deletes all customer-related authorization metadata within 30 days of service termination, along with any reports.
All metadata is stored in encrypted S3 buckets and encrypted EBS volumes. AWS deletion policies and procedures comply with NIST guidelines for media sanitization.
Anomaly Detection: Does Veza implement behavioral analytics to detect unusual patterns in data access or system behavior, which might indicate a breach or other security incident? Does Veza maintain a detailed incident response plan and conduct regular threat isolation and mitigation drills?
Veza uses behavioral analytics to detect anomalies in CloudTrail and VPC flow logs.
Incident response plans are created and routinely reviewed.
We perform incident response drills at least annually.
Continuous Monitoring: Does Veza implement solutions like Security Information and Event Management (SIEM) systems to gather, correlate, and analyze logs from all parts of the environment? Does Veza ensure CIS controls are met for the EKS and AWS resources used to store and manage customer data? Is a CSPM used to track CIS controls?
We use GuardDuty to continuously monitor Production AWS accounts, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Elastic Kubernetes Service (Amazon EKS) clusters, and data stored in Amazon Simple Storage Service (Amazon S3) for malicious activity.
We use Sysdig to continuously monitor bastion host activities. Only authorized Veza personnel can use the host to access EKS and related AWS resources for the production AWS accounts.
Definitions and explanations for key terms and concepts used within Veza.
As Veza evolves and integrates more advanced functionalities, the terminology can sometimes be intricate. The Veza glossary serves as a reference for terms and related topics. Whether you're a new user getting acquainted with the platform, or just seeking a refresher, this glossary can help you learn the essential terms.
Browse the categories to explore, or search to find a specific term.
A time-bound snapshot of entities, relationships, and their attributes collected by Veza integrations. Used for investigating, intelligence automation, and rule creation across connected applications, identity providers, and cloud services.
A Cloud Service Provider (CSP), such as AWS or Microsoft Azure, offers a platform for infrastructure, applications, storage, and other services such as Identity and Access Management or data warehousing.
Permissions are the individual rights and authorizations that a user has to perform actions on resources. In modern IAM, “effective permissions” are the actual permissions a user is authorized to perform after applying all the constructs of IAM, including deny, service control policy, permission boundary, or other access controls. “System permissions” are the permissions that are directly assigned or granted to a principal (e.g., user, group, or role) on a specific resource (e.g., file, folder, or object). These permissions are typically defined and managed within the security system and set the basic level of access.
In Veza, Effective Permissions can be Data (C)reate, (R)ead, (W)rite, (D)elete, (N)on-Data, and (M)etadata.
In Graph search, (S)ub indicates when a principal has permissions on sub-resources within a service. Examples of effective permissions and corresponding capabilities:
MetadataWrite, MetadataRead, MetadataCreate, MetadataDelete - Permission to create a Redshift Database table, or change an S3 bucket policy.
DataRead, DataWrite, DataCreate, DataDelete - A data read, write, create, or delete permission, such as reading database tables, or pushing to a repository.
NonData - All other permissions that do not apply to data, such as permission to cancel a Redshift query or reboot a Redshift cluster.
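The distinction above between system permissions (what is granted) and effective permissions (what survives deny statements, service control policies and permission boundaries) can be shown with a small evaluator. This is an added example, not Veza's evaluation engine: the action-to-category table is a constructed subset of S3 and Redshift actions, and the policy lists use shell-style wildcards the way IAM action patterns do.

```python
"""Compute effective permissions for a principal on a resource by taking
the Allow grants, removing explicit Deny, and intersecting with the SCP
and permissions boundary; then map the surviving provider actions to the
Data/Metadata/NonData categories described above.

Added example, not Veza's evaluation engine. The mapping is a constructed
subset (assumption); wildcard patterns are matched with fnmatch.
"""
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Set

# Constructed mapping of provider actions to Veza-style categories.
ACTION_CATEGORY: Dict[str, str] = {
    "s3:GetObject": "DataRead",
    "s3:PutObject": "DataWrite",
    "s3:DeleteObject": "DataDelete",
    "s3:PutBucketPolicy": "MetadataWrite",
    "s3:DeleteBucket": "MetadataDelete",
    "redshift:CancelQuery": "NonData",
    "redshift:RebootCluster": "NonData",
}


def _matches(action: str, patterns: Iterable[str]) -> bool:
    return any(fnmatch(action, p) for p in patterns)


def system_actions(allow: List[str]) -> Set[str]:
    """System permissions: everything the Allow patterns grant directly."""
    return {a for a in ACTION_CATEGORY if _matches(a, allow)}


def effective_actions(allow: List[str], deny: List[str],
                      scp_allow: List[str], boundary_allow: List[str]) -> Set[str]:
    """Effective permissions: Allow minus explicit Deny, restricted to what
    both the organisation SCP and the permissions boundary also allow."""
    return {
        a for a in system_actions(allow)
        if not _matches(a, deny)
        and _matches(a, scp_allow)
        and _matches(a, boundary_allow)
    }


def categories(actions: Set[str]) -> Set[str]:
    """Collapse provider actions into the Data/Metadata/NonData labels."""
    return {ACTION_CATEGORY[a] for a in actions}


if __name__ == "__main__":
    # Constructed: a broad s3:* grant narrowed by a deny and a boundary.
    eff = effective_actions(
        allow=["s3:*", "redshift:RebootCluster"],
        deny=["s3:DeleteBucket"],
        scp_allow=["s3:*", "redshift:*"],
        boundary_allow=["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "redshift:*"],
    )
    print("system:   ", sorted(system_actions(["s3:*", "redshift:RebootCluster"])))
    print("effective:", sorted(eff))
    print("categories:", sorted(categories(eff)))
```

The gap between `system_actions` and `effective_actions` is exactly what a review of raw role bindings misses and what the effective view is meant to expose.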
A group is a collection of users sharing the same set of permissions.
Identity and Access Management (IAM) is a security framework that helps organizations manage and control access to their resources and applications.
An Identity Provider (IdP), such as Okta or AWS SSO, is a service that stores and verifies user identity. IdPs are typically cloud-hosted and enable single sign-on to other systems.
A set of permissions that are local to a single data system, computer, or device within an organization.
An account created on a single system (data systems, an app, etc.), computer, or device within an organization. Local accounts cannot be used on other data systems, computers, or devices.
Role-Based Access Control (RBAC) is a method of managing access to resources and applications based on the roles of individual users.
In Role-based Access Control (RBAC), a role is a collection of permissions that define the actions a user is authorized to perform for resources within an organization’s IT environment.
Veza Search features include Graph, Query Builder, and Tagged Entity Search. Veza Access Reviews leverage graph queries and entity metadata for access and entitlement review.
Service accounts are non-human accounts that log into servers and run batch jobs and scripts. Machine identities are similar but connote devices and IoT principals. Bots are similar but focused on automation. All of these are sometimes summarized as non-human identities.
A webhook is a way for an application to provide other applications with real-time information. It is a simple HTTP callback that allows a sender to provide information to a receiver when a particular event occurs.
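Both the signed Insight Point requests described in the security FAQ above and webhook callbacks need the same thing: a receiver that can confirm the payload came from the expected sender and was not altered or replayed. The following is an added example, not Veza's signing scheme: an HMAC-SHA256 signature over a timestamp and the body, with the sender and receiver sides shown. The header names, the canonical string, the replay window and the shared secret are all assumptions.

```python
"""Sign a request body with HMAC-SHA256 and verify it on the receiver,
with a timestamp window to bound replay.

Added example, not Veza's own signing scheme. Header names, the canonical
string and the replay window are assumptions for illustration.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

MAX_SKEW_S = 300   # reject signatures more than 5 minutes old (assumption)


def _canonical(timestamp: str, body: bytes) -> bytes:
    # Binding the timestamp into the signed string means an old body and
    # signature cannot be replayed under a fresh timestamp.
    return timestamp.encode() + b"." + body


def sign_request(secret: bytes, body: bytes, now: Optional[float] = None) -> Dict[str, str]:
    """Sender side: returns the headers to attach to the HTTP request."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(secret, _canonical(ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Signature": "sha256=" + mac}


def verify_request(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Receiver side: returns (ok, reason). Order matters: cheap structural
    and freshness checks first, constant-time MAC comparison last."""
    ts = headers.get("X-Timestamp", "")
    sig = headers.get("X-Signature", "")
    if not ts.isdigit() or not sig.startswith("sha256="):
        return False, "malformed signature headers"
    current = time.time() if now is None else now
    if abs(current - int(ts)) > MAX_SKEW_S:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, _canonical(ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig[len("sha256="):]):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"event":"review.rejected","row":"42"}'   # constructed payload
    headers = sign_request(secret, body)
    print(verify_request(secret, headers, body))            # (True, 'ok')
    print(verify_request(secret, headers, body + b" "))     # signature mismatch
```

The signature is checked over the raw bytes as received, before any JSON parsing; verifying a re-serialised body is a common way to break an otherwise sound scheme.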
When configuring an integration, use this tab to specify additional attributes on entities to collect, by providing the name and type of attribute Veza will gather. For example, if an organization uses custom security attributes for Azure AD or Okta (such as deskNumber), these custom properties can be enabled when adding the integration, and used to filter results for search and access reviews.
Data Sources are the individual resources (SaaS apps, data lakes, databases, etc.) from which Veza extracts authorization metadata.
A connector built directly into Veza, for ingesting data from external systems. Each inbound integration represents an inbound connection to a cloud provider, identity provider, or external application. Some integrations support activity monitoring, audit logs, and lifecycle management (when granted additional permissions). Each integration may have multiple child discoverers and data sources representing services and resources. Veza Actions are outbound integrations for triggering actions in external systems.
Option to globally prevent discovery of all resources for a provider service (for example, AWS EC2).
Option when configuring an Identity Provider integration, allowing users to define cross-service connections between Identity Provider accounts and local accounts in other integrated systems (if Veza cannot automatically detect the connection).
Veza Activity Monitoring features provide insight into resource and privilege utilization for your users. These include Overprovisioned Access Scores and special reports leveraging cloud provider audit logs.
An Open Authorization API integration built by Veza, a customer, or the open-source community that is available in our community GitHub repository.
An Open Authorization API integration built by a customer for one of their proprietary systems that is not published to the public repository.
An Open Source framework for adding off-the-shelf or in-house-developed proprietary applications and identity providers to the Veza graph.
An integration built directly into Veza for sending data to external systems and enabling downstream processes around Veza alerts and access reviewer actions. You can configure generic webhooks, create Jira issues, or ServiceNow tickets with Veza Actions, or enable Slack and email notifications.
Option when configuring an integration, setting limits on the individual resources Veza will attempt to extract and parse (for example, AWS S3 Bucket).
A Veza-provided VM image or docker container to enable connections to systems without APIs, or without publicly reachable APIs.
Workers are the components that find and catalog the authorization metadata and Data Source components of the integration.
A customizable period used to calculate Over Provisioned Scores for users and roles, based on entitlement usage within a set period of time. To change the range, go to the System Settings page and pick 1, 7, 30, 60, 90, or 120 days as the value. The default value (Auto) is 30 days.
Alerts activate when a built-in or custom rule condition is met. Each alert includes a summary of changed entities since the last rule evaluation. Alerts are published via notifications, which include a summary of the original query. Notification delivery methods include email and outbound integrations or webhooks.
The primary Veza landing page features customizable dashboards and report summaries. The dashboard provides a high-level overview of access risks and out-of-the-box insights, with options to quickly act on any tile. You can add or remove reports to Dashboards by adding them to the Dashboard Reports report category.
An entity to ignore as a Risky Entity, due to matching a condition or being individually marked as an exception. Constraints on the query can mark entities as "Exceptions" based on a filter rule (for example, all resources in a test environment, or system roles that are not reasonably actionable).
Veza Insights provide tools to understand and act on risky entities and relationships using the Authorization Graph. Veza Insights include customizable Reporting, the Access Risks Dashboard, Rules, and Alerts.
OPAS represents the percentage of resources an identity is granted permission to access but has not utilized recently. For example, if a user reads from 3 tables but is entitled to read from 10, they are over-provisioned by 70%. The OPAS can change depending on the resources and permissions selected by the original query.
A system-provided attribute listing all integrations involved in a query. You can filter by integration when searching for queries to add to Reports, or on the Saved Queries page.
A customer or system-provided attribute, intended for risk categorization and query organization.
A collection of queries, organized into sections for actionable insights on Authorization Graph data. Reports can be built-in or user-created, and private or public.
Report categories are used to group reports on the Reporting > Reports page. Access Risk tiles are based on reports in the Dashboard report category.
Sections in reports contain groups of saved queries, based on the provider, type or risk, or other customizable criteria.
Any entity that appears in the results of a saved query with a risk level is considered a Risk. Marking a query as a Risk can define security baseline, misconfiguration, common access risk, or other anomalies, enabling alerts and recommendations. You can mark a Risk as an Exception to prevent it from appearing as a risk.
Level of risk assigned when the query returns non-zero results. Risk level can be 'critical' or 'warning'.
A rule consists of a baseline query, thresholds of conditions, and notification settings, delivered when conditions are met. The default action is to send an Alert to the Alerts page.
A page with a complete list of system events, as well as events related to Integrations and Rules.
Predefined filter that narrows down search results to specific parent Azure tenants or AWS accounts. Particularly useful in multi-environment setups.
Advanced Graph visualization options for labeling entities by provider account or tenant, and highlighting relationships of interest such as assume role paths, disabled users, or risky entities. Display options will vary based on the entity types in your search.
Option to only return results of the source type with NO relationship to entities of the destination type.
Entities represent the authorization, data, and identity objects discovered by Veza, as shown in search results or on the Entities page. Entities can be data services or resources, identity domains, users or groups, and IAM or RBAC elements such as policies and roles. Entities have properties to contain attribute metadata such as manager, is_active, or encryption_enabled. Queries typically will specify both source and destination entity types, such as Okta User to AWS S3 Bucket or Google User to Google Group. Higher-level entity type groupings such as All Users and All Resources can be used to search for several entity types at once.
Entity Attributes are the rich metadata associated with an entity, to enable granular filters based on a range of possible properties. These attributes may be added by Veza during parsing (such as name, is human, or full admin), or ingested directly from the provider (mfa_enabled, is_encrypted, and so on).
Search option to only return results where source and destination are NOT connected by a particular entity type (for example, to show access granted without an assigned group). This can be used to show only access granted in a way that bypasses a user's intended groups, and filter results that aren't related to particular groups, roles, or policies.
Advanced Action in Effective graph search mode to show raw permissions and IAM relationships resulting in an effective permission calculation (represented by an EP node).
Filters which constrain query results based on the source, destination, or intermediate entity's attributes (such as Name, ID, or Is Active).
Option to filter query results by raw or effective permissions, such as s3:DeleteBucket or Data Delete.
Condition to filter results based on a Veza Tag or native provider tag applied to the source, destination, or intermediate entity. Filters can always apply to source and destination entities. The query must define Required intermediate entities to filter by tags on intermediate entity types.
Graph search shows the relationships between entities and resulting effective permissions, based on the latest Authorization Graph or Time Machine snapshot. Actions and filters provide utilities for traversing the graph and understanding and remediating risky access.
A search against the Veza graph. Queries can be built-in or created using the Query Builder. Saved Queries are shown in Veza Reports and on the Saved Queries page. Queries can have labels and be assigned a risk level. Integrations associated with entities in the query are saved as query attributes, for easier retrieval and organization.
Search option to either show Effective Permissions from source to destination entities OR additional intermediate entity types such as IAM/RBAC roles and policy bindings.
Effective mode calculates and shows all possible actions, after accounting for any potential restrictions (such as policy deny statements and other controls). Effective Permissions represent all the metadata and non-data actions the principal can take on a resource.
System mode shows the configured permissions and access path, before processing potentially overriding policies such as deny statements, SCPs, and network policies. Configuration mode is useful for understanding, certifying, and enforcing rules based on User > Role relationships and role-based permissions for CSPs like Google and Azure.
Depending on the query mode, reviewers will sign off on the combined Permissions for each result, or the Path Summary and Concrete Permissions for each result.
Query Builder option to filter results based on the number of related destination entities. The count operator can be <, =, >, etc.
The final entity type for a query. By default, each result will include the effective permissions between the source and destination entities.
Advanced Graph visualization options to show or hide graph columns (layers/entity types) and relationships. Depending on the search, the Advanced View toggle shows additional intermediate entities such as local user accounts between principal identities and data resources.
Parameter to only return results where an entity of the selected type (such as a local group) connects the source and destination nodes. Requiring an intermediate entity enables filters on the intermediate entity's attributes.
Graph search option indicating that pages of results are shown instead of all results. Pagination will be enabled by default for graph searches that return more results than Veza can render at once.
Parameter to include or exclude indirect and nested relationships (such as roles that are assumed by other roles, or groups that are members of other groups) from search and in the reviewer interface. The option to Show assumed [entity type] appears under Advanced Options > Relationship Options when the query source or destination is nestable (such as Snowflake Group or AWS IAM Role).
The initial node for a query. Entities of the Source type are included in a review scope for review and attestation if a relationship exists between that entity and another entity of the Destination type. If no destination is specified, the query will return all entities of the source entity type.
Option to select a single entity of the selected source or destination entity type, and only return relationships for that unique identity, IAM/RBAC entity, or resource.
An individual privilege defined in the provider-native terms, such as s3:BucketDelete in AWS Identity and Access Management (IAM). System permissions are the basic building blocks of access control, and are typically assigned directly to principals (users, groups, or roles) on resources (files, folders, or objects).
The Tagged Entities page provides a way to view and search all entities that have matching Tags.
Tags are used to add extra metadata to entities, using key:value pairs. Two types of tags are supported by the Veza platform:
Veza Tags that users add to Authorization Graph entities
Provider-specific tags that Veza discovers, such as AWS tags, Snowflake tags, and Google Cloud labels. Tagged Entity Search offers a way to quickly find entities with a matching tag. You can also add tag filters to constrain search results based on whether entities have (or do not have) a certain set of tags.
Option indicating the Authorization Graph snapshot to execute the query against.
Access Reviews can use a time machine snapshot or use the most recent one when a review is created.
Use the Authorization Graph Time Machine to search against a snapshot of relationships and entities at a specific point in time.
A query including a source entity type, destination entity type, and other search parameters defining the access under review. Individual reviews will show the query results as rows for review and sign-off, based on a historical snapshot or the current graph data.
Queries can be very broad (All Users to All Resources) or very specific, including filters on tags, property-based constraints, and intermediate node requirements.
Each query has a source and optionally a destination node. Entities of the Source type are included in the results for review and attestation if a relationship exists between that entity and another entity of the Destination type.
Results shown in the reviewer interface include source and destination entity details, the effective permissions for that relationship, and optionally, a summary of the path that made the connection.
Features for user access and entitlement review. Access Reviews provide a framework for repeatable, multi-user review processes with a full audit trail, using the power of Veza graph search.
Status indicating that all review rows were signed off by the due date.
Individuals explicitly specified as Reviewers (for all results) when creating a review.
An alternate user assigned to carry out the responsibilities of an original user who would be auto-assigned as a reviewer but is unavailable.
Status indicating that not all rows were signed off in a review by the due date.
Fallback Reviewers are specified when creating a review and assigned when rules prevent the assignment of the original user, or when a manager does not exist for a row.
In the context of an access review scope, graph, or query builder search, filters apply constraints based on attributes, tags, or permissions. When reviewing access, filters limit the number of results shown at one time and can be used to act on many results with the same attribute at once.
Filters can apply to the source or destination entity, or an intermediate entity property (such as Last Login).
In the reviewer interface, filters can apply to result properties such as decision state (Signed Off).
Bulk actions can be used to act on all review rows matching a filter.
System-wide setting to enable reviewer recommendation and manager auto-assignment using an integrated Identity Provider. This enables any user in your organization to log in with Single Sign-On and review their assigned rows.
In the context of an access review, a manager is another user from your identity provider, specified in the manager attribute of the source entity. When this metadata is available, managers can be suggested or auto-assigned to each row.
Managers or owners of resources, assigned as reviewers for an access review. Veza can identify potential reviewers using metadata from an identity provider, or with Veza Tags. Resource owners can be assigned as reviewers using auto-assignment.
Operator action to indicate that the recommendation has been carried out for a row. Rejected and Signed-off items can be Marked as Fixed to log that remediation took place.
Emails sent to update users involved in an access review, including notifications when rows are reassigned, and reminders about inactivity and deadlines.
Status for reviews that are not expired, and still have items pending sign-off.
Support-enabled option to highlight special rows such as disabled users, based on filter criteria.
Reviewer or operator action assigning one or more rows to another reviewer, after a review has begun.
Type of email notification sent to remind reviewers and stakeholders that action is needed due to inactivity or approaching deadlines. Final reminders can also be configured to escalate remaining tasks.
A review is a scheduled instance of access or entitlement review, with unique deadlines and reviewers.
Each review has an underlying configuration, which defines:
A query defining the entities and relationships under review.
Default notification and integration settings, inherited by reviews for the configuration.
Attributes such as a name and description, for identification and internal reference.
Reviewer assignments, defining the initial reviewers and fallback reviewers.
Reviewers can open a review instance to see the results of the query, and sign off on each row.
Reviewers can accept, reject, or delegate items.
Rejected items can be marked as "fixed" by operators after remediation.
Reviews are based on immutable graph snapshots and an underlying query.
When reviewing their assigned rows, reviewers will:
Accept: Reviewer decision to approve the access specified in the row (as legitimate access).
Reject: Reviewer decision to refute the current access as illegitimate. Reject actions can trigger remediation processes using webhooks integrations.
Sign Off: Action to finalize the decision for a row, making it immutable. Signed-off items can be marked as fixed by operators.
Reviewers can also re-assign rows to another user, add a note, or view more details.
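The decision lifecycle described above (accept or reject, then sign off to make the row immutable, then an operator marks the row as fixed once remediation is done) is the kind of workflow whose integrity guarantees are easiest to see in code. The following is an added example written for this page, not Veza's code: the type names, the three-role set, and the assumption that Mark as Fixed applies only to a row that is both rejected and signed off are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

type Decision int

const (
	Pending Decision = iota
	Accepted
	Rejected
)

func (d Decision) String() string { return [...]string{"Pending", "Accepted", "Rejected"}[d] }

// Role mirrors the glossary roles; Administrator inherits Operator capabilities.
type Role int

const (
	AccessReviewer Role = iota
	Operator
	Administrator
)

var (
	ErrImmutable     = errors.New("row is signed off and can no longer be changed")
	ErrNoDecision    = errors.New("sign-off requires an accept or reject decision")
	ErrForbidden     = errors.New("only operators and administrators may mark rows as fixed")
	ErrNotRemediable = errors.New("mark as fixed requires a rejected, signed-off row (example assumption)")
)

// ReviewRow is one result row: a source entity, its access to a destination,
// and the review state attached to it (constructed type for this example).
type ReviewRow struct {
	Source, Destination string
	Decision            Decision
	SignedOff           bool
	Fixed               bool
	Notes               []string
}

// Accept and Reject record the reviewer's decision; either may be revised until sign-off.
func (r *ReviewRow) Accept() error { return r.decide(Accepted) }
func (r *ReviewRow) Reject() error { return r.decide(Rejected) }

func (r *ReviewRow) decide(d Decision) error {
	if r.SignedOff {
		return ErrImmutable
	}
	r.Decision = d
	return nil
}

// SignOff finalizes the decision. From here on the row rejects every decision change,
// which is what makes the review record trustworthy as audit evidence.
func (r *ReviewRow) SignOff() error {
	if r.SignedOff {
		return ErrImmutable
	}
	if r.Decision == Pending {
		return ErrNoDecision
	}
	r.SignedOff = true
	return nil
}

// MarkFixed logs that remediation took place. It is an operator action and, under this
// example's assumption, applies only to rows that are rejected and signed off.
func (r *ReviewRow) MarkFixed(actor Role, note string) error {
	if actor == AccessReviewer {
		return ErrForbidden
	}
	if !r.SignedOff || r.Decision != Rejected {
		return ErrNotRemediable
	}
	r.Fixed = true
	r.Notes = append(r.Notes, note)
	return nil
}

func main() {
	row := &ReviewRow{Source: "alice", Destination: "constructed-bucket"}
	_ = row.Reject()
	_ = row.SignOff()
	fmt.Println("change after sign-off:", row.Accept()) // ErrImmutable
	fmt.Println("reviewer marks fixed:", row.MarkFixed(AccessReviewer, "n/a"))
	fmt.Println("operator marks fixed:", row.MarkFixed(Operator, "removed bucket grant"), row.Decision, row.Fixed)
}
```

The point of the ordering checks is that a signed-off row can never quietly change decision, and a "fixed" flag can only ever be attached by someone other than the reviewer who made the call.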
A row in an access review describes a source entity, and typically its permissions on a destination entity. Depending on the review scope, rows can describe a single entity, a relationship between two entities, or include a summary of intermediate entities such as groups, roles, or projects.
Option to assign managers and resource owners as reviewers using metadata Veza has discovered, with fallback reviewers if a match can't be found or a rule prevents review. Auto-assignment enables review owners to assign many reviewers at once, either to specific reviewers, or to resource or team managers using metadata from an identity provider, or Veza Tags. The identity provider must be integrated with Veza and Global IdP Settings must be enabled.
Global list of users who are blocked from being assigned as reviewers.
Review scope option, enabling visibility into a single connecting entity and its properties, existing between the source and destination nodes. The reviewer interface will include optional columns for each intermediate attribute, such as the name and type of the connecting group or role.
Review scope option, enabling visibility into the RBAC configuration granting access to the destination entity. When configured, reviews will include a default Summary Entities column, showing the names and sequence of selected entities when they connect the source and destination. For example, when a group is selected as a summary entity, the column will contain either:
Group 1 (indicating access is granted directly by that group)
Group 1 > Group 2 (indicating that the first group allows access to the second)
Status for pending reviews with no signed-off items.
Role that enables users to review and certify items within their assigned access reviews. Allows access solely to the Access Reviews panel and assigned reviews.
Highest-level user role with full control over settings, integrations, and privileges. Inherits all capabilities of Operator and Access Reviewer roles.
Integration configurations are saved settings for connecting to an external platform, including the credentials and optional settings for the connection. Integrations are added and managed on the Integrations page.
Role allowing users to create configurations and initiate reviews, as well as review all items in reviews they create. Operators can access all Veza features such as Search and public Reports, but cannot manage other users or integrations.
Sign-in Settings is a Veza Administration panel for managing Multi-factor authentication (MFA), Single Sign-On (SSO), and configuring local account (non-SSO) access for your Veza tenant.
The page where users can be added, removed, or edited and have roles assigned.
Webhooks are automated messages containing a payload of instructions that are sent to a specific URL when the conditions associated with the webhook are met.
At Veza, security is an integral aspect of the product, from the initial design to implementation, deployment, and daily operation. We embrace industry best practices including data-at-rest and inflight encryption, strict role-based access controls, and tenant isolation with zero external access.
Veza is committed to maintaining the confidentiality, integrity, and availability of customer data.
Veza is prepared to explain and demonstrate safeguards and compliance, and help meet customer security obligations.
Technology, regulations, and business change quickly. Veza will always adapt and improve safeguards to ensure entrusted data is always protected.
How is communication between Veza and customer systems protected, and is all data encrypted? Veza implements industry-standard techniques to secure data at rest and in transit. All network traffic uses SSL/TLS certificates (HTTPS). All customer data and backups use disk-level encryption.
Are user passwords encrypted in transit and during storage? Yes. Veza local user credentials are encrypted using the Argon2 cryptographic algorithm during transit and secured with AES-256 encryption at rest.
How are integration credentials secured? Integration credentials are encrypted using RSA-4096. All other credentials, such as for Jira webhooks, are encrypted using AES-256. All platform communications use TLS.
Does Veza regularly undergo penetration testing by an independent party? 3rd-party scans for network and application vulnerabilities are part of Veza's cloud, application, and network security practices. The results of these tests are available under NDA.
What metadata does Veza collect from connected systems? Veza gathers metadata such as resource names and user IDs to generate the authorization graph and map relationships between identities and resources. Veza also collects attributes, such as last activity date or bucket encryption state, for use in search and insights. Veza retains this information for the duration of a customer account. Customer data is deleted within 30 days of service termination.
Does Veza have a Business Continuity and Disaster Recovery (BCDR) plan? Yes. Veza's incident response strategy is reviewed and tested annually.
To maintain the integrity and confidentiality of customer data, strict access controls and principles of least privilege are diligently applied across all production and development environments.
Access to production and staging environments is limited to authorized Veza personnel only.
Multi-Factor authentication (MFA) is required to access all production environments and business applications.
Dedicated VPN endpoint per cluster with granular access to each customer namespace
The Veza platform monitors and verifies access granted to critical systems
Veza is a 100% cloud-based solution, using native AWS security controls to provide a layer of infrastructure protection for every customer environment. Key controls include:
Dedicated Kubernetes namespace for each customer
Application Load Balancer (ALB) with Web Application Firewall (WAF) for all inbound traffic
AWS Shield for protection against DDoS attacks
Private subnet hosting the Veza software (including control, management, and analytics), open only to incoming traffic that passes through the environment-specific WAF and ALB.
VPN endpoint and bastion host for upgrades and maintenance only accessible by authorized Veza personnel using MFA
In addition to internal scanning and testing programs, Veza implements broad penetration tests by third-party security experts on an annual basis. Your Veza account executive can provide the penetration test report.
Veza maintains SOC 2 Type II certification, demonstrating compliance in core trust service areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Additionally, Veza complies with the ISO 27001 standard for information security.
The SOC 2 Type II certification and report are available to all customers. Additional documents (such as the Data Protection Policy, Data Security Exhibit, and summaries) are available on request.
Data is encrypted by default across the Veza platform, both at rest and in transit:
Communication between the Veza Control Plane and the Veza Insights Plane is always encrypted using SSL/TLS 1.2+ and AES-256 encryption.
Every Veza Insights Plane instance has a unique key pair. A public key encrypts all credentials uploaded by the customer in the Veza platform, ensuring that only the customer’s Veza Insights Plane can decrypt the credentials for that customer environment.
Disk encryption is enabled by default on all EKS compute instances, all databases, and all messaging subsystems.
Local user passwords are encrypted in transit and at rest.
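The per-instance key pair described above is a hybrid (envelope) encryption pattern: a fresh symmetric key protects the credential, and only that key is encrypted to the instance's public key, so the control plane can store and forward the sealed credential without ever being able to read it. The following is an added example of that pattern written for this page using the Go standard library; it is not Veza's implementation, and the type names, the OAEP label, and the sample token are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// label binds wrapped keys to this purpose so an RSA-OAEP ciphertext produced
// for some other use cannot be substituted (constructed value).
var label = []byte("integration-credential-key")

// InstanceKeys is the per-environment key pair. Only the private half exists
// inside the instance; everything upstream sees only Public().
type InstanceKeys struct{ priv *rsa.PrivateKey }

// NewInstanceKeys generates the pair; 4096 bits matches the key size stated on the page.
func NewInstanceKeys(bits int) (*InstanceKeys, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &InstanceKeys{priv: priv}, nil
}

func (k *InstanceKeys) Public() *rsa.PublicKey { return &k.priv.PublicKey }

// SealedCredential is the only form in which a credential is stored or transmitted:
// it carries no plaintext and no unwrapped AES key.
type SealedCredential struct {
	WrappedKey []byte // fresh AES-256 key, RSA-OAEP encrypted to the instance public key
	Nonce      []byte // AES-GCM nonce, unique per Seal call
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// Seal encrypts plaintext so that only the holder of pub's private key can open it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*SealedCredential, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &SealedCredential{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open recovers the plaintext. A different instance's private key fails at the
// unwrap step; a modified ciphertext fails GCM authentication.
func (k *InstanceKeys) Open(sc *SealedCredential) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, sc.WrappedKey, label)
	if err != nil {
		return nil, errors.New("wrapped key was not sealed for this instance")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, sc.Nonce, sc.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("credential ciphertext failed authentication")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	inst, err := NewInstanceKeys(4096) // slow to generate; the size stated on the page
	if err != nil {
		panic(err)
	}
	sc, _ := Seal(inst.Public(), []byte("constructed-api-token"))
	pt, _ := inst.Open(sc)
	fmt.Printf("recovered %q, wrapped key is %d bytes\n", pt, len(sc.WrappedKey))
}
```

The design choice worth noting is that the RSA key never encrypts the credential directly: it wraps a single-use AES key, which keeps the RSA operation short and lets the symmetric AEAD provide integrity, so a tampered record is rejected rather than decrypted into garbage.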
Veza collects two kinds of information from customer systems: user identity information (such as first name, last name, and email) from identity providers, and resource metadata, enabling visibility and insight into privileged access.
Veza deletes all customer-related authorization metadata within 30 days of service termination, along with any reports.
Veza users with the admin or operator role can generate reports in a range of formats, including PNG, CSV, and JSON. Veza administrators and operators can elect to publish Veza notifications to email addresses or other external systems.
Veza adheres to industry standards and follows all best practices for secure software development, including:
Annual 3rd-party penetration testing
Code versioning and branching practices follow OWASP standards
Strong guidelines for error handling, availability, and security during the system design phase
For platform enhancements, Quality Assurance Engineering maintains a strong focus on automated unit testing, integration testing, and approved test plans.
All code merged to the production environment is peer-reviewed
Continuous security scanning as part of code developer flow
Separation of duties for staff who develop code and staff who push code to production
Design reviews conducted with engineering and product leadership during development and release cycles
Veza minimizes third-party vendor risks by conducting security reviews on all vendors with any level of access to systems or data.
All the latest Veza features and enhancements
Veza releases are named according to the deployment date and patch increment (e.g. v2024.9.23-1). You can find your current version by clicking the profile icon in the main Veza navigation menu.
For questions about specific versions or changes, please contact our support team at support@veza.com.
Platform news, features, enhancements, and bug fixes in recent releases:
Changes in Veza releases v2025.4.21-1 - v2025.4.28-1
EAC-46221 Entitlement Sync: Veza can now synchronize entitlements to enforce group assignments for Active Directory users.
This ensures that Access Profiles remain the authoritative source for linked Active Directory group membership, automatically re-adding removed users, removing unauthorized out-of-band additions, and recreating accidentally deleted groups.
You can now enable continuous sync and configure the time between sync checks when creating Access Profiles that grant entitlements. In the Profile Type settings, configure a Time Before Sync Check in Seconds to enable synchronization for an Access Profile Type.
When synchronization is enabled, Veza will periodically:
Verify target entitlements still exist with correct properties
Verify all profile members have proper relationships with entitlements
Remove relationships for non-members of the Access Profile
Recreate any missing Active Directory groups
Track the Lifecycle Management identity that created the profile
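The periodic sync check above is a reconciliation loop: the Access Profile is the desired state, the directory is the observed state, and the difference is a list of corrective actions. The following is an added example of that diff written for this page, not Veza's code; the Profile and Directory types, the action names, and the drift scenario are constructed for illustration, and the property check on existing entitlements is left out to keep the membership logic clear.

```go
package main

import (
	"fmt"
	"sort"
)

// Profile models an Access Profile as the authoritative source of membership
// for the Active Directory groups it links (constructed type for this example).
type Profile struct {
	Name    string
	Groups  []string        // linked AD groups the profile is responsible for
	Members map[string]bool // identities that must be in every linked group
}

// Directory is the observed state of Active Directory. A group absent from
// the map has been deleted out-of-band.
type Directory struct {
	Groups map[string]map[string]bool // group name -> current members
}

// SyncAction is one remediation step the sync check would carry out.
type SyncAction struct {
	Kind  string // recreate_group | add_member | remove_member
	Group string
	User  string // empty for recreate_group
}

// kindRank orders actions so a group is recreated before members are added to it.
var kindRank = map[string]int{"recreate_group": 0, "add_member": 1, "remove_member": 2}

// Reconcile diffs desired (profile) against actual (directory) membership and
// returns a deterministic list of actions that restores the profile as the
// source of truth. Inputs are not mutated; applying the actions is the
// provisioning layer's job.
func Reconcile(p Profile, d Directory) []SyncAction {
	var actions []SyncAction
	for _, g := range p.Groups {
		actual, exists := d.Groups[g]
		if !exists {
			// Recreate any missing group, then treat it as empty.
			actions = append(actions, SyncAction{Kind: "recreate_group", Group: g})
			actual = map[string]bool{}
		}
		// Members removed out-of-band are re-added.
		for u := range p.Members {
			if !actual[u] {
				actions = append(actions, SyncAction{Kind: "add_member", Group: g, User: u})
			}
		}
		// Unauthorized out-of-band additions are removed.
		for u := range actual {
			if !p.Members[u] {
				actions = append(actions, SyncAction{Kind: "remove_member", Group: g, User: u})
			}
		}
	}
	sort.Slice(actions, func(i, j int) bool {
		a, b := actions[i], actions[j]
		if a.Group != b.Group {
			return a.Group < b.Group
		}
		if kindRank[a.Kind] != kindRank[b.Kind] {
			return kindRank[a.Kind] < kindRank[b.Kind]
		}
		return a.User < b.User
	})
	return actions
}

// SampleDrift builds a constructed scenario: one linked group was deleted, and in
// the other a member was removed and an outsider was added by hand.
func SampleDrift() (Profile, Directory) {
	p := Profile{
		Name:    "finance-analyst",
		Groups:  []string{"Finance-Readers", "Finance-Approvers"},
		Members: map[string]bool{"alice": true, "bob": true},
	}
	d := Directory{Groups: map[string]map[string]bool{
		"Finance-Readers": {"alice": true, "mallory": true},
		// "Finance-Approvers" is absent: deleted out-of-band
	}}
	return p, d
}

func main() {
	p, d := SampleDrift()
	for _, a := range Reconcile(p, d) {
		fmt.Printf("%-15s %-18s %s\n", a.Kind, a.Group, a.User)
	}
}
```

Because the output is a plan rather than an applied change, the same function can feed a dry-run view, a safety limit on the number of affected identities, or an audit log entry before anything is written back to the directory.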
EAC-45946 Delegation and Deny Lists: Administrators can now configure delegate approvers, approver deny lists, and requestor deny lists in Access Request Settings.
EAC-47014 About This App Instructions: Custom "About This App" instructions can now be configured for any Access Profile directly via a sidebar, table, or row details action, with support for rich text via markdown.
EAC-46790 Automatic Profile Type Selection: If only one Access Profile Type is available, the type is now pre-selected when creating new Access Profiles.
EAC-46621 Manual Synchronization: Added support for manually triggering entitlement synchronization directly from Access Profile actions.
EAC-46439 Default Access Request Policies: Default Access Request Policies can now be defined per Access Profile Type.
Profile Type Settings now include the option to select a default profile, and enable or disable using alternate policies when creating profiles of that type.
EAC-46692 Profile Integration Limits: When creating a new Access Profile Type, integration options show a checkbox for the Limit to a single integration option. It can now be enabled concurrently with the options to "Limit to a single integration type" or "Allow multiple integration types" for profiles of that type.
EAC-46669 Pre-Set Integration: Profile creators are no longer prompted to choose a target integration when this setting is pre-determined by the Access Profile Type.
EAC-46655 Active Directory Account Name Support: Added support for account name as a transformer on Create Entitlement actions.
EAC-46576 Profile Creation Permissions: Administrators can now configure Veza users and groups allowed to create profiles using the Access Profile Settings > Manage Permissions menu.
EAC-46892 Profile Type Visibility: Administrators can now restrict Access Profile Type visibility for specific Veza users or groups using the Manage Permissions action on the Profile Types settings page.
EAC-46801 Profile Member Management: Administrators can now directly add or remove Access Profile members using the Access Profiles > Manage Members action.
EAC-46656: Fixed an issue where "Active Directory User not found" was displayed for users with graph mappings after Access Profile Owners add new members.
EAC-46566: Added feature checking for Access Request Settings and Access Request Policies. These tabs are no longer shown unless Access Requests is supported for the tenant.
EAC-46679: Naming validation is now performed during initial profile creation, preventing errors due to transformations exceeding character limits in provisioning targets.
EAC-45078 Policy Safety Limits: Provisioning Policies can now include Safety Limits, blocking changes that impact more than a specified number of identities, and optionally triggering email notifications.
When the safety limit is exceeded, further processing is halted. A warning will appear in the Policies UI, with options to view details, process the pending changes, or ignore and re-enable the policy.
The Activity Log now shows a "SAFETY_LIMIT_REACHED" event, and policies that have encountered a limit have a warning shown next to their name on the Policies list.
EAC-45877 Policy Write Back Mode: Sync Identity Actions can now explicitly enable or disable Write Back Mode, preventing any changes to policy identity sources. When enabled, the action can include steps to update or create attributes in the identity source based on values in the target application.
EAC-46313 Coupa CCW: Added support for Coupa CCW as a source of identity.
EAC-46762 Policy Draft Mode: Administrators can now toggle Enable Policy Draft Mode on the Lifecycle Management Settings > Policy Settings page.
When disabled, users can only save or edit the latest published version of any policy.
When enabled, users can view version information and history using the See Version History action in the policy editor.
EAC-46919 Lookup Table Export: Added support for exporting lookup tables to CSV for troubleshooting purposes.
EAC-46940 Entitlement Type Selection: To prevent confusion when adding entitlements to an Access Profile, users now choose a single Entitlement Type before choosing one or more Entitlements of that type. You can add relationships to other entity types by adding new sets of entitlements.
EAC-46723 Fallback Transformers: Common Transformers can now include fallback formatters, used if the default transformation fails during attribute creation.
EAC-46578 Azure AD Guest Options: Azure AD Create Guest Account actions now support creating accounts with or without an invitation email.
EAC-46490 Active Directory: Fixed an issue with Lifecycle Management requests failing due to escaped commas in CNs.
EAC-46735 Okta: Fixed user status checking when activating users in Okta, resulting in hanging Sync Identities actions.
EAC-46174 No Reviewer Filter: You can now filter the Reviewers column by Does not exist to find rows with no assigned reviewers.
EAC-45491 Group By Controls: When using the "Group By" option, reviewers can now quickly expand or collapse all groups.
EAC-47000 Paused Profile Visibility: Fixed an issue where Access Profiles could unexpectedly remain visible in the Catalog when the Access Profile was paused.
EAC-46658 Active Directory Group Entitlement Creation: Fixed an issue where Access Profiles could fail to create group entitlements for Active Directory.
EAC-46701 Performance Improvement: Improved performance when opening the My Access overview and Resources pages, and fixed an issue where empty pages did not load.
EAC-46657 My Access Visibility: Fixed an issue where certain users couldn't see the "My Access" option in the Access Hub side menu. All users with the following roles now see this option: Administrator, Operator, Viewer, and Reviewer.
EAC-46567 Access Profiles Menu Fix: Fixed an issue where the Access Profiles page within Access Hub appeared as a menu option while Lifecycle Management was disabled. The Access Profiles page is no longer available for customers without the Lifecycle Management product.
EAC-46852 Access Hub Identity Setting: Added a support-enabled setting to use either 1) the Global Identity Provider or 2) Lifecycle Management Identities to link Veza users logging in to Access Hub with their associated external identity.
EAC-42804 Workday Integration System Users: Workday Accounts now include the Is Integration User property, indicating if the Account is an Integration System User (application or service principal). Two rules are now applied to identify NHIs:
Accounts for Integration System Users have the nonhuman identity type, enabling NHI management and search for workloads using Integration System Users to access downstream resources.
Accounts with UI access disabled (indicated by the Do Not Allow UI Sessions property) have the nonhuman identity type, even if they are not an Integration System User.
EAC-42806 Google Cloud Secret Manager: Added support for discovering Google Secret Manager Secrets and filtering by attributes last_rotated, status, and secret_type. The integration also now extracts and shows these attributes for KMS Keys.
This enables review creation using an existing Review Configuration (typically scoping the generated access reviews to the target NHI entity types).
EAC-45202 View SoD Conflicts: You can now view the exact conflicting entitlements (e.g., groups, roles, or permission sets) from the Separation of Duties query details with a new View Conflicts action. Clicking Open In Analysis on the SoD landing page now shows this option to open a sidebar with the conflicting entitlements for each record.
EAC-45967 "Affected Entities" for Risks: The Risks page now includes an Affected Entities tab for searching entities in the results of Risks by node type, integration, and risk level. You can use row actions on this page to manage risk levels or view entities in Graph or Query Builder, and use row actions or bulk actions to add or remove exceptions.
EAC-45316 Redesigned Alerts UI: The Alerts page now has a redesigned Query Alerts and Rules tabs for reviewing triggered alerts and all configured rules. The Rules tab includes a new sidebar for viewing details, opening saved query details, and editing rule details and conditions.
EAC-46651 Query Export Secondary Emails: Users can now select secondary email addresses when scheduling query exports, and export emails will be sent to those addresses as well.
EAC-46403 Dashboard Exports: Exporting dashboards to CSV now includes a column for minimum and maximum risks during the selected time range.
EAC-46317 Query Details: Query explanations in Query Details view are updated to better communicate saved query conditions.
EAC-46847: Fixed an issue preventing access recommendations from running on the Recommend page.
EAC-46316 Google Activity Monitoring: Added support for generating activity monitoring events when a Google Workspace User accesses resources by impersonating a Service Account.
EAC-45134 Last Activity Filtering: In Query Builder, you can now filter results on the "Last Activity At" and "Last Activity With Resource At" columns. These filters enable tracking both:
Last time of any activity for a particular entity/resource
Last activity from a particular identity on a particular resource
Note that these filters are only enabled for services that support Activity Monitoring.
EAC-46960 Okta: Added support for the WORKFLOWS_ADMIN built-in Okta role.
EAC-46907 Open Authorization API: The Custom Identity Provider template now supports setting an external identity on IDP Groups for identity mapping purposes.
EAC-46619 Salesforce: Added RecordTypeId attribute to Account and Opportunity Salesforce objects.
EAC-46532 Workday: Added support for gathering Workday Workers Custom Reports using an OAuth token.
EAC-46241 Active Directory: CommonName attribute is now correctly populated for Active Directory Users.
EAC-46896 AWS: Fixed datasource removal for AWS IAM.
EAC-46362 Exchange Online: Fixed Exchange Online errors when extracting mailbox folders for non-enabled users.
EAC-46571 GitHub: Fixed a typo for GitHub role permission delete_tag_protection_rule.
EAC-46667 MySQL: Fixed MySQL database error: cannot extract proxies_priv.
EAC-46690 Okta: Improved handling of X-Rate-Limit-Limit header for Okta.
EAC-46645 Oracle EBS: Fixed unmarshalling of float menu entry sequences for Oracle EBS.
EAC-47075 Salesforce Commerce Cloud: Trim trailing slash from config hostname for Commerce Cloud.
EAC-46630 Snowflake: Added check for Snowflake if the optional secrets view exists before extracting from it.
EAC-46649 SQL: Removed port validation for SQL server.
EAC-46898 Veza: Fixed Veza (self) integration to properly initialize.
EAC-46875: Fixed an issue causing extractions to hang in the Pending Parsing state.
EAC-46715: Fixed extraction failures with multiple sources of identity enabled.
Changes in Veza Release v2024.9.9
EAC-38418 Scheduled Exports: Scheduling exports for a saved query now includes the option to Export to CSV in Email with Secure Link, supplementing the original option to export query results to Snowflake. You can configure these exports by choosing a frequency and target email from configured Orchestration Actions. Veza will email a secure link at the scheduled intervals that recipients can use to download the results.
EAC-38166 Access Intelligence: The Analytics page is now the default landing page when navigating to Access Intelligence.
EAC-36447 Enrichment Rules for Critical Resources: Administrators can now define enrichment rules to mark resource-type entities as "critical" on the Integrations > Enrichment page. Depending on the configured enrichment rules, these resources now have the built-in attribute Criticality Level set to LOW, MEDIUM, HIGH, or CRITICAL.
EAC-38321 Manager Dashboard: Managers can now view and filter resources grouped by integrations on the Overview tab. Clicking on a specific resource name or count opens the new Resources tab for more details.
EAC-37251 Dashboards: Filtering by type on the Analysis page now shows correct results.
EAC-36780 Query Builder: The relationship between a selected destination node and resource node in Graph search is now shown when opening a destination entity in Query Builder table results.
EAC-37782 Quick Query Builder: When creating a new review configuration, you can now use a simplified builder to choose from applications, resource types, and review scopes based on common access review queries.
EAC-34897 Multi-Level Approval and Sign-Off: You can now enable second-level reviewers when creating a new access review.
EAC-38290, EAC-38347 Path Summary Details and Export: When summary entities are enabled to show intermediate roles, groups, or other entities in the path connecting a source and destination, attributes for each selected entity type are now presented in dedicated column groups. Summary entity attributes can be shown or hidden using the column selector, and visible columns are included when exporting query results.
EAC-38446, EAC-38320 Tags in Query Builder: You can now choose one or more source or destination tag keys to show and export dedicated columns for each one, supplementing the original Include Source/Destination Tags option to include all tags in a single column. The Query Builder API now supports an array of tags_to_get.
EAC-38652, EAC-38271, EAC-38266 Entity Type Groupings: Searches that use an entity type grouping to query multiple entity types (such as User) can now show columns for any properties on entities within the selected grouping (before, only name, id, and type were supported). You can hide or show these columns using the column selector. When queries specify individual entity types within a grouping, the column selector now shows attributes just for those entities.
EAC-38246 Activity Log: Added a Workflow Tasks table to show more information about workflows executed on an identity.
EAC-38161 Event Export: Events in the Activity Log can now be exported to CSV or PDF.
EAC-37943 Jamf Pro: Fixed missing permission creation and invalid site assignment errors.
EAC-38148 Events: You can now use the time range selector to filter events by Past Hour.
Bug Fixes
EAC-38275 Email Digests: Fixed an edge case for disabled Veza users receiving digest emails.
Changes in Veza release v2024.9.23
EAC-39081 Risk Remediation: You can now see if a risk has remediation details, directly from the main Queries With Risks overview. A new column indicates if remediation is available, with a link to open the details in a sidebar.
EAC-39082 Saved Queries: After paginating the Saved Queries overview and navigating to another page, the browser's back or forward functionality now opens the last visited page.
EAC-36286 Enrichment Rules for Open Authorization API: Enrichment rules for marking entities as privileged roles, critical resources, or non-human identities now support OAA integrations.
EAC-38510 Enrichment Rules Configuration: Added a private API for disabling specific enrichment rules.
EAC-38647 Cohort API: Added a private API to get a common least privileged role from a list of Snowflake users.
EAC-39172 Okta: Activity Monitoring for Okta now supports agentless Desktop SSO.
EAC-39054 Access Search: Clicking a risk score in graph search now opens the risk score details.
EAC-38159 Open Authorization API: Improved performance when calculating "Relates To" entity types.
EAC-38902 Open Authorization API: The HRIS OAA Template now supports full identity mapping configurations.
EAC-38916 Confluence: Truncated resource description length to the current max length of 256 characters.
EAC-37356 Oracle Fusion Cloud: Fixed a timeout for Oracle Fusion Cloud integration.
Changes in Veza release v2024.9.16
EAC-37942 Query Builder: Users can now see a description of the selected entity type grouping by hovering over the info icon when such a description is available.
EAC-38321 Manager Dashboard Overview: Managers can now view and filter resources grouped by integrations on the Overview tab. Clicking on a specific resource name or count opens the new Resources tab for more details.
EAC-38090 Role Recommendation: Added support for role substitution for Snowflake.
EAC-36545 Access Review Digest Notifications: Access Reviews now support digest emails for informing reviewers of work they have left to do.
EAC-37949 Dashboard Performance: Enhanced dashboard loading performance.
EAC-36713 Graph Visualization: Added keyboard and mouse movements for easier usability.
EAC-38827 Identities: Moved Identities to the top navigation, instead of under a policy.
EAC-38689 Azure: Added an option to remove personal devices from Intune when de-provisioning users.
EAC-38558 Policies: Added the ability to set notifications on individual actions, as well as global notifications for the policy.
EAC-38222 Power BI Connector: New integration supporting Power BI for visibility to Users, Roles, Permissions, Groups, and Workspaces.
EAC-37362: Added support for the Oracle JDE in-platform connector.
EAC-38670 Integrations Page: Renamed column from "Team" to "Team Owner."
EAC-38916 Confluence: Truncated resource description length to the current max length of 256 characters.
EAC-38730 Swiftconnect: Omitted collection of Swiftconnect access credentials.
EAC-38603 Workday: Added LIMIT clause with 1000000 value.
EAC-37512 Okta: Imported group events are now handled incrementally.
EAC-35963 Integration Events: Renamed the data source "warning" filter label; these results are now included in "error" filtered results.
Global Navigation Enhancements (Early Access): You can now browse Veza products and features from a new global sidebar on the left side of the screen, which can be collapsed to focus on the current task, and features updated visuals to better align with Veza's public branding. Clicking an updated navigation icon opens the primary landing page for Integrations, Access Intelligence, Access Reviews, and other top-level products, with the option to open individual sections and features from links in the top bar. These changes are part of a larger design overhaul; please reach out to our support team to enable the new user experience.
Changes in Veza release v2024.9.2
EAC-38322 Manager Dashboard Resources Page: A new Resources section on the manager dashboard now enables managers to inspect all resources of a specific type in a paginated table view.
EAC-38251 Preview API and Webhooks: When enabled in the review configuration, enrichment data from an IdP or HRIS provider as well as tags on source and destination entities are now included in API responses and webhook payloads.
EAC-38272 Query Builder: To enable constraints on several entities of different types, tag filters can now be applied to entity type groupings such as "User."
EAC-38161 Activity Log: Lifecycle Management events can now be exported to CSV or PDF.
EAC-38160 Identities: Added a full screen table view for viewing details and events for specific identities.
EAC-38123: Fixed an issue with AD manager attribute sync during de-provisioning.
EAC-38369 Workday: A configuration option Gather Inactive Workers is now available for Workday integrations. Disabling this option will skip inactive workers from Workday extractions.
EAC-38291 Jamf: Added an optional URL parameter to integration configuration, used for API connectivity (including an alternate port if necessary).
EAC-37814 Privacera: You can now specify an optional CA Cert and Privacera instance URL when configuring the integration.
EAC-37943 Jamf Pro: Fixed missing permission creation and invalid site assignment errors.
EAC-37913 BitBucket: Fixed project pagination logic to prevent an infinite loop scenario.
EAC-38262 Veza Navigation: Added a hover animation to the Veza logo on the left navigation.
To add integrations, open the Integrations page, and click Add Integration. For more details, see and . You can learn more about the requirements for each integration in the related setup guide.
See the overview for more information about Risks, Rules, and the Analysis section.
See the overview for more information about the Graph and Query Builder search interfaces.
See for more information about creating a Workflow and starting and reviewing Certifications.
Configure in other enterprise apps such as Jira, Slack, and ServiceNow.
Enable for your identity provider.
and create .
Create to get notifications when thresholds and conditions are met.
Explore and customize .
Explore .
Enable for supported integrations.
This document includes information about Veza security practices, and answers some common questions customers ask. Please reach out to your account executive or for additional details or evidence.
Does Veza adhere to industry compliance standards and frameworks? What compliance attestations does Veza hold? Veza holds a current SOC 2 (System and Organization Controls) Type II Report and follows the ISO27001 standard for information security. See for more information and downloads.
Our security team requires additional information — who can we contact? Reach out to your Veza account executive or the support team at if you have a question that is not covered here. They will be happy to assist in providing any evidence to help meet your security obligations and requirements.
Veza publishes release notes every two weeks, covering major changes and bug fixes. Our engineering team continues to deploy updates weekly, for continuous improvement and timely bug fixes. The Veza product team prepares periodic summarizing major features and enhancements over time.
v2025.4.21, v2025.4.28 (2025/04/30)
v2025.4.7, v2025.4.14 (2025/04/16)
v2025.3.24, v2025.3.31 (2025/04/02)
v2025.3.10, v2025.3.17 (2025/03/19)
For past release notes from 2022-2024, see the .
EAC-45324 NHI Access Reviews: You can now create from the Non-Human Identities overview page.
Support for (immediate review of the selected query results) is planned for a future release.
EAC-45752 Dynamics ERP: The Azure integration can now discover Users, Groups, Application Users, and Security Roles for .
PLT-352 SCIM User Provisioning: Veza now provides SCIM-compliant REST APIs for automated user provisioning. See the for full API reference and configuration guides.
PLT-1486 OpenID Connect: OpenID Connect (OIDC) is now available to all customers. See for example configuration.
EAC-37856 Microsoft Intune: Microsoft Intune is now supported as an optional service within the Microsoft Azure integration. Veza will discover and connect Managed Devices and Role Assignments to corresponding Azure AD (Entra ID) identities. Specific Microsoft Graph API permissions are required for this service; see the for details.
EAC-37362 Oracle JD Edwards EnterpriseOne (JDE): New integration for .
EAC-34115 Teleport: New integration for .
EAC-37213 API Keys: Added support for .
EAC-37593 Sign-in Settings: Added support for configuring for SAML single sign-on (SSO).
Changes in Veza release v2024.7.22
EAC-35340: Fixed an issue where the chosen notification options could be deselected when editing a review configuration.
EAC-36792: Fixed auto-assignment and query creation for reviews for saved queries using saved query filters.
EAC-37025: Improved UI and query performance for customers with many Open Authorization API integrations.
EAC-37122: Okta is now a supported identity source for Lifecycle Management Policies.
EAC-36683: Added support for configuring webhooks alongside email notifications when LCM events trigger.
EAC-36598: From the identities tab, you can now trigger a workflow manually even if the identity doesn't meet the trigger conditions.
EAC-36418 Snowflake: The Snowflake integration now supports the discovery of Snowflake Secrets and the attributes owner, owner_role_type, and secret_type. If you are using an alternate system database for the integration, you will need to add the following view:
With Activity Monitoring enabled, search results can now include Over-Provisioned Scores and last usage times for Snowflake Secrets.
EAC-35044 AWS: Added support for configuring AWS Secrets Manager Secrets to authenticate with AWS RDS Oracle Database instances (Early Access).
EAC-36345 Azure: The Azure integration now discovers Azure Entra ID Devices. Customers will need to grant the Device.Read.All Microsoft Graph permission to the Veza app registration to extract devices.
EAC-37052 Identity Mapping: Added search functionality to the dropdown menu, and fixed an issue where duplicate entries appeared in the "Destination Data Source Type" dropdown when editing an integration Mapping Configuration.
Changes in Veza release v2024.8.5
EAC-35113 Inherited tags: Added the Veza Inherited tag type, used to identify Veza tags that are inherited from another entity (e.g. role tags inherited by role bindings).
EAC-37581: Fixed issue with Query Builder exports downloading multiple times.
EAC-37546: Fixed an issue where running queries were not correctly polled for completion.
EAC-37545: Increased performance when selecting related entities in Query Builder search.
EAC-37450: Entity risk scores now appear red when the risk score exceeds 90.
EAC-37515: Prevented excessive icon loading that could cause performance issues in Graph and Query Builder.
EAC-37544 Fixed an issue with PDF exports failing to open.
EAC-37442: A toggle on the Integrations page now enables Lifecycle Management for any OAA-based integration (Early Access).
EAC-37560: Attribute transformers now support adding pipeline functions to the entire transformation.
EAC-37434: Lifecycle management workflows now support changing the order of conditions.
EAC-37423 AWS RDS: Added support for Aurora PostgreSQL on AWS RDS.
EAC-37260 Open Authorization API: The Custom Application template now supports a Configured Permission entity (Early Access). These can be used to model the individual permissions configured for each Local Role in the application.
EAC-37386 Workday: Added support for omitting specific built-in Worker attributes during extraction by specifying them in the Properties to Redact field when configuring the integration. The listed attributes appear as REDACTED in columns and Worker details.
EAC-36930: Oracle Database (standalone) and Apache Cassandra integrations now support assuming an AWS IAM role to connect to AWS Secrets Manager for database extraction credentials. This capability is currently provided in Early Access.
Extraction secrets for these integrations can now specify an aws_assume_role_name and aws_assume_role_external_id. The resource_id for these secrets must be a URL-encoded <server_address>:<server_port>/<db_name> (for Oracle Database), or the <host>:<port> (for Cassandra).
EAC-36344 SCIM: Added support for authenticating with OAuth 2.0 Client Credentials (Early Access).
EAC-37514 Open Authorization API: Improved push performance whenever there are many OAA data sources.
EAC-37488 AWS RDS: Prevented integration failures due to non-unique names when discovering instances and clusters. Datasource paths now use the ARN instead of the database/cluster name.
EAC-37464 BitBucket: Fixed a credentials validation error when configuring the BitBucket Data Center integration. Global permission assignments are now skipped for users excluded from the localUsers map.
EAC-35905 AWS: The NotPrincipal field is now supported in AWS Resource Policies for S3 and KMS.
Changes in Veza release v2024.8.12
EAC-37683 Effective Permission Details: In Graph search, the Explain Effective Permissions sidebar action now shows individual effective permission nodes and their mapping to system permissions.
EAC-37772 Microsoft SharePoint: Activity monitoring for SharePoint now supports monitoring folder actions.
EAC-32066 On-demand Reviews: Added a Creation Source column for On-demand reviews.
EAC-32698 Beeline: New integration for gathering employees within the Beeline HRIS platform (Early Access).
EAC-33536 Orchestration Actions: Jira Orchestration Action configurations can now reuse existing hostnames.
EAC-37860 AWS RDS: Updated the legacy RDS certificate to use the latest truststore link.
EAC-37684 AWS RDS: Implemented support for table-level permissions in AWS RDS PostgreSQL.
EAC-37492 Tableau: Added support for Tableau 3.22 API version.
Changes in Veza release v2024.7.15
EAC-36374: When a user saves a query with Show Destination Nodes checked, the Show Destination Nodes option is now enabled when re-opening the saved query.
EAC-36206: Fixed an issue with the "% entity count" column.
EAC-36119: Improved Authorization Graph browser rendering behavior for large results.
EAC-36640: Added support for hiding emails from the Exchange GAL via the AD property msExchHideFromAddressLists.
EAC-36597: Added ability to manually run a workflow on any identity.
EAC-36382: Change password emails no longer contain the user's name.
EAC-35044 Oracle Database (AWS RDS): Added support for using AWS Secrets Manager Secrets to authenticate with AWS RDS Oracle Database instances (Early Access).
EAC-36745 Snowflake: Added support for Snowflake application roles.
EAC-36473 HashiCorp Vault: Added Veza queries for the HashiCorp Vault integration. Customers can now review these on the Saved Queries page after configuring a HashiCorp Vault integration.
EAC-35888 Oracle Database: Added support for data contained in the CDB Root, such as common users and roles. The graph will now show connections between common users and roles, and their local representations in each database.
EAC-27998 Active Directory: Added a new "Timestamp (Windows AD Format)" option for custom properties. Updated all AD property configurations to show they are parsed in this format.
EAC-36851 AWS: Fixed an Internal Server Error impacting AWS IAM Volatile extractions.
EAC-36726 Snowflake: The Snowflake integration correctly extracts account roles and does not treat instance and application roles as account roles.
EAC-36725 SCIM: Added support for SCIM vendor implementations using numbers for user and group IDs.
EAC-36723 SCIM: The SCIM integration now handles cases where the meta field for group objects is unset.
EAC-35969 Okta: Fixed a bug on empty Okta custom properties with the "string list" type. These can contain no values, and still be defined in Veza.
EAC-36626: Local Veza usernames can now be updated on the User Management page.
EAC-36302: Starting an extraction now informs the user that a currently running job will be canceled.
Changes in Veza release v2024.7.29
EAC-35968 Manager Dashboard Insights (Early Access): A new dashboard designed for managers enables review of resources categorized by provider type for users reporting to them, with the option to filter on specific provider types. The page highlights the top roles and resources for each reporting user, and user details such as email, job title, manager, organization, division, department, and cost center.
EAC-36792: Fixed auto-assignment and query creation errors for reviews from saved queries involving saved query filters. There is a known issue causing review creation to fail if the query used as a filter returns enough results to require pagination.
EAC-37303: Fixed a bug where some attribute constraints resulted in an "Oops!! Something went wrong" error.
EAC-37090: Improved performance when searching for node types in Query Builder, Authorization Graph, and throughout the product.
EAC-36684 Azure: Added support for syncing custom Azure properties.
EAC-36600: A pause action is now available to halt lifecycle management workflows for a set duration.
EAC-36151 Fastly: New integration for discovering users, roles, and services for the Fastly Edge Cloud Platform.
EAC-36390 HubSpot: New integration for discovering HubSpot users, roles, permissions, and teams.
EAC-33330 AWS: Added an option to limit RDS extractions to the database level, skipping lower-level entities such as Schemas and Tables.
EAC-37356 Oracle Fusion Cloud: Fix timeout for Oracle Fusion Cloud integration.
EAC-37137 Workday: Workday Domain Security Policies now have a new attribute, Using Parent Permissions, indicating whether the policy inherits from its parent policy. In Effective query mode, non-inheriting policies no longer show access from entities able to access the parent policy.
Identity Providers
Configure the services used by your organization for identity management and authentication:
Cloud Providers
Configure your organization's cloud providers to discover identities, services, and resources:
Apps and Data Systems
Integrate additional applications with built-in connectors, or Open Authorization API (OAA) for custom data sources:
Changes in Veza release v2024.8.19
EAC-36856 Saved Query Filters: In Query Builder, you can now choose to filter results based on the output of a saved query, selected by risk level, integration, or label.
EAC-37917 PDF Export: Exporting queries with count conditions to PDF can now include source and destination node details.
EAC-37909 Saved Query Filters: Fixed an issue where some pipeline queries could result in the display of percentages over 100%.
EAC-37402 Notifications: Added support for configuring email and webhook notifications directly from the Lifecycle Management UI.
EAC-37055 Azure: Azure AD Users now have the attribute last_successful_login.
EAC-37977 Delinea: Added token expiration tracking and renewal checks to prevent errors during long extractions.
EAC-38018 SCIM: Added support for uploading a self-signed/non-root cert when configuring the SCIM OAuth2 connector.
Changes in Veza release v2024.7.1
EAC-35581, EAC-35734 Column Customization: The Veza support team can now help you define default columns for all reviews for a particular configuration. Default columns can now include metadata about a related entity, when IdP/HRIS enrichment is enabled in the review configuration.
EAC-34309 PDF Export: Exporting a single review now includes additional reviewer and row completion statistics. The title page now features the publish date, completion date, and the user who completed the review. Exports now also include pages containing the review details, configuration details, reviewer list, and data source status for the exported review.
FR-2302, EAC-36355 Review Intelligence Policies: Rows with automatically-applied decisions are no longer hidden by default. Before, the "Include rows with decisions by other reviewers" filter had to be active to show these rows.
EAC-35406 iManage: Added URL as an optional config parameter for connecting to self-managed deployments (default: https://cloudimanage.com).
EAC-35486 Snowflake: Veza now adds the has_masking_policy attribute to Snowflake tables and views, denoting which ones have masking policies applied to them. Policy references will be queried from the POLICY_REFERENCES view in the ACCOUNT_USAGE schema.
If you have configured the integration to use an alternative system database, you will need to create the POLICY_REFERENCES view in that database and grant access to the configured role:
FR-1935, EAC-36359 Integration Extraction Intervals: On the System Settings page, you can now customize extraction interval for OAA-based integration on a per-integration basis (e.g. individual frequencies for SCIM, Anaplan, Jira Data Center, etc.). Original options to set extraction intervals globally or by template type are also available.
EAC-35808 SCIM Integration: Added an option to upload a CA certificate when creating a SCIM integration, used for authentication when the SCIM service requires an SSL connection.
EAC-35447 Non-Human Identities: "Key"-type entities now always have common filterable attributes: is_active, created_at, last_used_at, and last_rotated_at.
FR-1895, EAC-36122 Workday: When adding a Workday integration via API, you can now omit the extraction of certain built-in Worker attributes by listing them in the properties_to_redact field (string list).
EAC-35865 Coupa: Added a configuration option to upload permission-to-role mappings using an exported Coupa report in CSV format. The expected CSV headers are Controller,Action,Description,Roles.
EAC-36307 Salesforce: Fixed an "index out of range" error that could occur during integration parsing.
EAC-35712 Team API Keys (Early Access): Introduced separate management for personal and team API keys on the API Keys page, with team key creation and administration now done on a dedicated tab.
EAC-36339 SAML SSO: Fixed an issue where editing an SSO configuration showed the default request protocol binding, instead of the saved value.
EAC-35449 Non-Human Identities: New out-of-the-box queries are available to help track and manage non-human identities such as access keys, secrets, and credentials. These queries search across multiple entity types to enable risks and alert rules on access keys, secrets, and credentials in the Veza graph. Use them for insight into total inventory, inactive identities with access, last-used keys and secrets, and human and non-human identities associated with keys, secrets, and credentials.
EAC-35710 Enrichment Rules for Non-Human Identities: An administrator can now automatically label identities as "non-human" at parse time using a saved query on the Integrations > Enrichment page.
FR-2067, EAC-35892 Query Builder: The columns dropdown menu now includes a "Select All" option to show or hide all columns within a group.
EAC-35553 Access Intelligence Navigation: Breadcrumbs now preserve workflow history and are shown consistently when traversing the Access Intelligence section. For example, when browsing from the Saved Queries page to Analyze a single query, and then opening it in Query Builder, a sequence of links provides easy access to each recently-visited page.
Changes in Veza release v2024.6.10
EAC-35213 Non-Human Identities: Added support for NHI entity type groupings in Query Builder and Graph search. When used as a query source or destination, these enable search across all entities with the Identity, Access Creds, Keys, or Secrets supertypes.
FR-2171 Row Annotation: The row actions dropdown now includes the option to Add a Note for a single row.
EAC-35623 Row Details: In the reviewer interface, the icon to open the full row details in a sidebar now appears only on hover.
EAC-35626, EAC-35568 Terminology Updates: Improved consistency of titles and button labels throughout the Access Reviews UI.
EAC-35473 Workday Custom Reports and Worker Attributes (Early Access): Added the ability to get custom reports and add fields as custom properties for Workday Workers. To enable this, the Workday integration must include the custom reports URL and a password for basic HTTP authentication.
EAC-35534 HashiCorp Vault Nested Secrets: The HashiCorp Vault integration now supports gathering nested secrets, which can exist within secrets engines such as KV2. Any nested secrets now appear as sub-resources of the parent secret in Authorization Graph.
EAC-35302 Integrations Usability: It is now significantly easier to filter the list of Integrations by provider name, type, or status.
EAC-34354 Errors in Google Cloud Integration: When required APIs are not enabled for GCP Cloud Run and Kubernetes Engine, the Veza integration now creates empty data sources for these services and suppresses further errors. This prevents issues when a service is enabled for some, but not all projects in a GCP organization.
Changes in Veza release v2024.6.17
EAC-35343, EAC-35317, EAC-35549 Access Analytics Overview: The Access Analytics overview is now the default Access Intelligence landing page, shown when logging in to Veza.
Access Analytics replaces the Entities page, providing an at-a-glance summary of discovered entities and the associated Risks, Alerts, and Rules for each integrated data source. It replaces the original overview dashboard, and now includes extra detail about identity, resources, and role counts for top integrations.
From this overview page, you can Export to PDF or Share a link to coordinate on findings with other Veza users or external stakeholders.
EAC-34309 PDF Exports: PDF exports for individual Reviews now have an additional page with reviewer and row completion statistics. The title page now features the publish date, completion date, and the user who completed the review.
EAC-35353 Reviewer Re-Assignment: The confirmation window now accurately shows the total impacted rows when reassigning reviewers across several pages.
EAC-35815 Review Scheduling: Fixed an issue with incorrect "Next Run On" dates for biweekly frequencies.
EAC-35875 Query Export: Exported query results now include a destination_tags column listing tag keys and values for the related entity.
EAC-35873 Query Builder Export: Users can now cancel long-running exports directly from the Query Builder.
EAC-35548 Query Builder Filters: Queries using a supertype (such as Identity or Resource) as the source or destination now support attribute filters on specific entity types within that supertype (e.g. Okta User or S3 Bucket).
EAC-35717: Fixed an issue where opening an entity on the Risks page showed "No Results".
EAC-29403: Fixed an issue with saved queries and reports not indicating the related integrations if they used an Open Authorization API (OAA) template.
EAC-35334 CSV Import:
Importing a custom application from CSV now supports the full range of OAA user properties, including password_last_changed_at and last_login_at.
Roles and Groups can now be assigned by creating additional rows for a user.
Improved encoding support to support CSV files generated with a wider range of applications.
EAC-35485 Google Cloud Platform: Veza now shows Service Account Keys for a parent Service Account, and their effective permissions on resources assigned to the Service Account.
EAC-35978 Workday: Custom identity mappings for identity provider integrations now correctly show Workday Worker as a destination data source, enabling correlation and manual mapping of IdP Users to Workday Workers based on Employee ID or another attribute.
EAC-35515 Workday: Increased Workday API client timeout to prevent inconsistent errors during extraction.
EAC-33610 User Management: Increased password complexity requirements for local accounts.
EAC-35971 Events: Added logging on the Events page when an Insight Point is unavailable.
EAC-36536, EAC-36513 Customizable Popup Messages: The now supports additional usages for customizing messages shown to users at review start (before performing a review and signing off on rows) and at row sign-off (when finalizing the decision for an approved or rejected row). You can still use this API to customize a global or per-configuration help page.
EAC-35849 Azure: The Azure integration now supports gathering metadata for Storage Account Access Keys. The for the integration must have the Reader and Data Access subscription role to enable extraction.
EAC-36259 HashiCorp Vault: The integration can now discover and show created_at, last_used_at, and last_rotated_at times for Vault secrets. The Vault policy must be amended to support the read operation on secrets engine subresources.
EAC-35667 Risk Levels: Queries now support 5 risk levels (NONE, LOW, MEDIUM, HIGH, and CRITICAL), instead of the original 3 (NONE, WARNING, CRITICAL). The WARNING risk level is replaced by LOW. is updated to reflect the new levels.
EAC-36209 Segregation of Duties: A last_activity_at column is now included on the SoD page when metadata is available.
EAC-34733, EAC-35546 Support Access Extension: Clicking the button to extend access for a now always adds 24 hours to the current expiry time, limited to 7 days in the future.
EAC-35541 Snowflake: Veza can now extract and parse Snowflake Database Roles. If using an for Snowflake integration, you will need to update the roles view to include the role_type and role_database_name fields.
Changes in Veza release v2024.4.22
EAC-34056 Entity Comparison: You can now quickly compare differences in attributes for any two users or roles on the Access Intelligence > Comparison page:
Open the Users or Roles section, and use the dropdown menus to pick two entities.
Pick Entity Diff as the Comparison Type.
Optionally, use the search box on top of the result table to only show a specific attribute.
Use the Access Matching dropdown to filter by partial, full, or no matches.
The Access Matching column shows the difference in values for each attribute.
EAC-34087 Comparison for OAA-based integrations: You can now compare entities from custom applications or identity providers (Early Access).
EAC-34126: Fixed an issue where result counts could be 0 on the Saved Queries page when more results appeared in Query Builder. When evaluating a recently-saved query and no results are available, the count is now shown as -.
EAC-33952: Reviewers can now filter results in an Access Review using multi-valued OR expressions (such as Username is Value1 or Value2 or Value3). Specify additional filter values by clicking Add More or pasting multiple values at once.
This option appears for columns that contain attributes (such as entity name, region, or other properties). Mutable fields such as Decision, Notes, and Signed-off state currently only support single-value filters.
EAC-34046: Fixed an issue that prevented entity type groupings such as Custom User from appearing in the Relationship dropdown when creating a review configuration.
EAC-34032: Entity type groupings for OAA-based integrations (e.g. Custom Resource) now support filters on Last Pushed At time. This enables queries and alerting based on the last time authorization metadata was updated for a custom application or identity provider.
EAC-34113: Improved performance for queries with Summary Entities enabled.
EAC-33853, EAC-33943: The attributes Last Activity With Resource At (for related entities) and Last Extraction Time (for data sources) are now included when exporting saved queries to Snowflake (Early Access).
EAC-34047: Fixed an issue where summary entities were not handled properly with pagination enabled. Veza now shows placeholder nodes as substitutes when path summaries exceed the maximum.
EAC-32013 BitBucket Cloud: New integration for discovering Bitbucket Cloud Workspace Projects, Repositories, Groups, Users, Roles, and Permissions.
EAC-33070: Optimized credential validation when configuring the Snowflake integration, which could lag when connecting to large environments.
EAC-33863: You can now choose whether to connect to a production or development environment when configuring the DocuSign integration (before, only developer URLs were supported).
EAC-33946: Enabled single logout support after migrating to the updated SAML provider. An administrator can download the signing certificate and specify a sign out URL when configuring SAML single sign-on.
EAC-34244: Prevented SAML login failures due to case-sensitive user email matching.
Changes in Veza release v2024.5.27
EAC-35178 Dashboard Risk Levels: Dashboards now include icons to filter on queries for specific integrations. Each tile now shows the risk level (for queries with risks).
EAC-35161 Dashboard Trend Charts: Added an option to show the total Y-axis instead of just the changes over time.
EAC-35405 Human/Non-Human Identity Queries: Added new out-of-the-box queries to track total Human Identities and Non-Human Identities, based on the identity_type attribute for all identities discovered by Veza.
EAC-35120 Dashboard Export: Dashboards now include an Export button for saving the current view as a PDF.
EAC-35277 Menu Bar Reorganization: Navigation options under Access Intelligence are re-organized:
Risks > Access Risks
Analysis > Access Analyzer
Comparison > Access Comparison
Segregation of Duties (SoD) > now a top-level nav section
EAC-35340 Review Configuration Details: Fixed an issue where the chosen notification options could be de-selected when editing a review configuration.
EAC-35418 Query Builder Enhancements: When using the Show option to get results as source-destination pairs, columns now enable filtering and visualizing each destination node attribute.
EAC-35343 Improved Query Details: Opening a query to view details or clicking a dashboard tile now opens a redesigned details page featuring a spreadsheet-like view of the results.
EAC-34940 API Keys and Secrets: Entities representing authentication credentials are now labeled with the Secret and Key supertypes. You can specify a supertype as a query source or destination to select all entity types with that label:
AWS Secrets Manager Secret: Secret, Key
Azure Key: Key
Azure Secret: Secret, Key
HashiCorp Vault Secrets Engine Subresource: Secret, Key
Google Cloud KMS Key: Key
EAC-35026 GitHub PATs: Veza now discovers GitHub Personal Access Tokens and their effective repository permissions. The integration needs the additional scope Personal Access Tokens (Read Only) to discover permissions and metadata for these entities, used for programmatic access to GitHub resources.
EAC-34017 AWS Access Keys: Added support for discovering AWS Access Keys and their attributes, such as Name, Active, CreatedAt, LastUsedAt, LastUsedService, and LastUsedRegion.
EAC-35440 Credential Expiration Distinction: Added the can_expire attribute to GitHub Personal Access Tokens and AWS Access Keys to distinguish access credentials that support expiry dates from those that do not.
EAC-35421 PTC Windchill: Added support for using self-signed certificates to configure the PTC Windchill integration.
EAC-35400 Snowflake Role Type Correction: Local roles with the type DATABASE_ROLE no longer appear in search results. These roles are now skipped during extraction and will be supported in a future release.
Changes in Veza release v2024.5.20
EAC-35011 Snowflake Export: Additional statistics are now included as columns when exporting query results to Snowflake, indicating the last extraction and parse time for the source and destination entities.
EAC-34651, EAC-34483 Snowflake Export: Veza administrators can now use the Saved Queries > Query Export page to view the status and schedule for exports created by any user.
EAC-34868: Fixed an issue where the Help button did not open the configured instructions page.
EAC-35035: The AWS Account Name column no longer incorrectly shows permission set names.
EAC-34969 Snowflake: Veza now tracks events that involve inherited roles, and marks them as used when evaluating over-provisioned access.
EAC-34333 Identity Mapping Filtering: Custom Identity Mappings can now apply to individual custom applications. Before, mappings needed to apply all integrations created with an Open Authorization API template.
EAC-30660 Salesforce: Improved performance and accuracy in Salesforce permissions calculation, reducing integration pipeline delays.
EAC-34746 Snowflake: Fixed an issue that could cause parsing to fail after a successful sync.
EAC-34983 GitHub: Fixed a retry loop when gathering GitHub security advisory metadata.
EAC-35002 Open Authorization API: Fixed an issue where Role Assignment entities shown in Graph had the same name even when their properties differed. Role assignment names now include a hash of the entity attributes to ensure uniqueness.
EAC-34882 OpenID Connect: Added an option to set a Resource parameter when configuring sign-on using OIDC with Microsoft Azure.
EAC-34430 Password Strength Enforcement: Users are prevented from setting insecure passwords by default. When enabled, Veza checks if the password has been compromised in a known data breach. This setting can be disabled for tenants with networking restrictions.
Changes in Veza releases v2025.4.7-1 - v2025.4.14-1
EAC-46051 Reviewer Reassignment Control: Administrators now have the ability to restrict individual reviewers from reassigning their review rows. This setting can be enabled within individual Review Configurations (toggle Enable Reviewer Reassignment) or globally under Access Reviews > Settings > Reviews > Enable Reviewer Reassignment.
EAC-45064 Email Notification Template Enhancements: Administrators can now create multiple notification templates for the same event type and assign them to specific review configurations under Access Reviews Settings > Notifications > Notification Templates. Custom notification templates can now be used to:
Create one default message template per event type (applied to all configurations)
Create unlimited additional templates for each event type
Assign specific templates to individual review configurations
Previously, only one template could exist per event type, which applied to all configurations.
This allows organizations to tailor notification language to specific teams or departments while maintaining consistent messaging elsewhere.
Additionally, the workflow for adding templates is improved for more streamlined mapping of different event types to custom notification templates. Users cannot assign multiple templates to the same review configuration and event type.
EAC-44977 Improved CSV Export Formatting: When exporting the list of access reviews to a CSV file, the certification state is now displayed in a human-readable format (e.g., "Expired" instead of "CERT_STATE_EXPIRED"). Available states include: In Progress, Expired, Errored, and Completed.
EAC-46207 1-Step Review UI Fix: Fixed an issue where the option to launch a 1-step Review was shown when the feature was unavailable, resulting in unexpected UI behavior.
EAC-45765 Create Access Review Action Fix: Fixed an issue where no access review was created when an administrator manually triggered a Lifecycle Management workflow with "Create Access Review" configured as an action.
EAC-46366 Access Profile Types: It's now possible to create multiple conditional entitlement rules within a single Access Profile Type. This can streamline administration by defining entitlement creation logic based on specific conditions within a single configuration.
Administrators can now define one or more rules with string conditions or any-match criteria when adding profile types.
Each rule can trigger different entitlement creation based on your business requirements, reducing the need to maintain separate profile types for similar scenarios.
For example, you could define a single profile type that creates different entitlements for developers based on their department or location.
EAC-45944 Access Profiles: For more precise control over how user attributes are transformed during provisioning, you can now choose specific sync identity actions to use when creating entitlements through Access Profiles.
This enables different formatting rules to apply based on the entitlement granted.
For example, you can configure one group to use a standard username format while another uses an administrative format when the same user needs accounts in both contexts.
EAC-45030 Slack Notifications: You can now integrate Access Requests with Slack notifications to send messages when an access request changes state.
EAC-46262 ASCII Transformer for Identity Attributes: Lifecycle Management policies now support an ASCII transformer for handling international character sets. This transformer:
Removes non-printable characters
Converts non-ASCII characters to their closest ASCII equivalents to prevent provisioning errors for systems with character limitations such as Active Directory sAMAccountName restrictions.
EAC-42675 "Additional Formatters" in Lifecycle Management Policy Workflows: It's now possible to add additional formatters for attributes in the Sync Identities action of a workflow. These fallback formatters will be used when there is a conflict due to a unique ID attribute already being in use.
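The ASCII transformer (EAC-46262) and the fallback formatters (EAC-42675) together describe how a provisioning attribute is shaped and de-conflicted. The Python below is an added illustration, not Veza's implementation: it assumes the documented 20-character sAMAccountName limit and Active Directory's forbidden-character list, and the NO_DECOMPOSITION table, FORMATTERS list and sample worker record are constructed for the example.

```python
"""Added example (not Veza's code): an ASCII attribute transformer plus a
fallback-formatter chain for generating a unique sAMAccountName."""
import unicodedata
from typing import Callable, Dict, Iterable, List, Optional

# Letters that have no Unicode decomposition, so NFKD cannot fold them on its own.
# Constructed approximation table; extend as needed for your locales.
NO_DECOMPOSITION = {
    "ß": "ss", "æ": "ae", "Æ": "AE", "ø": "o", "Ø": "O", "œ": "oe", "Œ": "OE",
    "ð": "d", "Ð": "D", "þ": "th", "Þ": "Th", "ł": "l", "Ł": "L",
}

# Assumed Active Directory constraints (documented AD limits, not taken from the release notes):
# sAMAccountName is at most 20 characters and may not contain these characters.
SAM_MAX_LEN = 20
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def to_ascii(value: str) -> str:
    """Drop non-printable characters, then map non-ASCII characters to their closest ASCII equivalents."""
    # Unicode general category "C*" covers control, format (e.g. zero-width space) and unassigned code points.
    printable = "".join(ch for ch in value if not unicodedata.category(ch).startswith("C"))
    folded = "".join(NO_DECOMPOSITION.get(ch, ch) for ch in printable)
    # NFKD splits accented letters into base letter + combining mark; encode/ignore discards
    # the marks (and anything else outside ASCII), leaving the base letter behind.
    return unicodedata.normalize("NFKD", folded).encode("ascii", "ignore").decode("ascii")


def sanitize_sam(value: str) -> str:
    """Apply the ASCII transformer, then enforce sAMAccountName character and length limits."""
    ascii_value = "".join(ch for ch in to_ascii(value) if ch not in SAM_FORBIDDEN)
    return ascii_value[:SAM_MAX_LEN].rstrip(".")  # AD also rejects a trailing period


Formatter = Callable[[Dict[str, str]], str]


def provision_sam(identity: Dict[str, str], formatters: List[Formatter],
                  existing: Iterable[str]) -> Optional[str]:
    """Try each formatter in order; the first sanitized output not already in use wins.

    The first formatter is the primary format; the others are fallback formatters that are
    only consulted on a conflict. sAMAccountName uniqueness is case-insensitive, so the
    comparison is done in lower case.
    """
    taken = {name.lower() for name in existing}
    for fmt in formatters:
        candidate = sanitize_sam(fmt(identity))
        if candidate and candidate.lower() not in taken:
            return candidate
    return None  # every formatter collided; surface this as a provisioning error


# Constructed formatters: primary, then two fallbacks.
FORMATTERS: List[Formatter] = [
    lambda i: (i["first"][0] + i["last"]).lower(),        # jsmith
    lambda i: (i["first"] + i["last"]).lower(),           # johnsmith
    lambda i: (i["first"][0] + i["last"] + "1").lower(),  # jsmith1
]

if __name__ == "__main__":
    worker = {"first": "Zoë", "last": "Müller-Østergaard"}  # constructed sample record
    print(to_ascii("Zoë Müller\u200b"))                      # Zoe Muller
    print(provision_sam(worker, FORMATTERS, existing=[]))   # zmuller-ostergaard
    print(provision_sam(worker, FORMATTERS,
                        existing=["zmuller-ostergaard", "ZoeMuller-Ostergaard"]))  # zmuller-ostergaard1
```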
EAC-46297 Access Profile Member Search: Fixed a visibility issue that prevented Access Profile owners from seeing all available users when adding new members to an Access Profile.
EAC-46002 Access Hub Navigation: Fixed an issue in the Manager's Access Dashboard where the browser's Back button wouldn't properly return users to the Overview tab when viewing a user's specific resources.
EAC-46382 Azure Managed Identities Classification: Azure Managed Identities now automatically have the "nonhuman" identity type, enabling NHI management and search for Azure workloads using managed identities to access downstream resources.
EAC-46502: The "Save As New" action is now available for uneditable queries, allowing users to create copies of system or reference queries they couldn't modify directly.
EAC-46076: Added a universal search bar from the Dashboards > Favorites page for all dashboard pages.
EAC-45868: By default, Dynamic Dashboard/Report sections with the same name are now merged when fetched. The skip_section_merge parameter is available on the List and Get API methods to display the separate sections.
EAC-45721: Risks and daily Risk aggregate counts may now be filtered by integration type:
Newly detected Risks now include their integration type.
Pre-existing Risks will have their integration types populated via a background job.
Daily aggregate counts for previous dates cannot be updated, but new aggregates will begin including the necessary data for filtering by integration type.
During the background update process, there may be temporary discrepancies in new daily aggregate counts filtered by integration type, but these will resolve once processing completes. All existing filter views remain fully accurate.
EAC-45328: Tables that show large numbers of tags now use a smart tag display system that shows a limited number of tags with a "+X more" indicator.
You can now view the complete list of tags in a slideout panel by clicking on the cell.
This change should significantly improve page load times and overall application stability for searches involving extensive tag data.
EAC-46306 AWS Policy Processing: AWS policies with ARN principals using StringSliceMatch conditions are now properly evaluated, preventing potential permission evaluation errors.
EAC-46376 Okta "Sync Users Only" Option: When configuring an Okta integration, administrators can now limit extractions to user entities, skipping groups, apps, roles, role assignments, app users, and app groups. When using this option, only the okta.users.read permission is required for the integration.
EAC-46276 CSV Upload Enhancements: An improved CSV upload flow for creating integrations is now generally available. The new integration supports modeling custom applications and HRIS systems using imported data, and mapping CSV columns to custom or built-in entity attributes.
EAC-46094 Active Directory Kerberos Authentication: Added the ability to specify an explicit Service Principal Name (SPN) when using Kerberos authentication for Active Directory integration. This optional field defaults to ldap/<domain_controller_hostname> if not provided.
EAC-45883 Workday: Optimized performance when saving a Workday integration by reducing the number of reports fetched.
EAC-45410 CSV Upload: When creating an HRIS integration from CSV, you can now specify a list of columns for mapping local users to associated IdP identities.
EAC-46235 Salesforce: Added support for extracting additional attributes on Salesforce objects:
CreatedById
CreatedDate
LastActivityDate
LastModifiedDate
LastModifiedById
OwnerId
SystemModStamp
Account: Type
Opportunity: Type, StageName
EAC-34457 Active Directory: Fixed AD integration not working when Insight Point is changed.
EAC-44482 Oracle EBS: Fixed missing menu bindings in effective mode when the same submenu appeared in different parts of a menu tree.
EAC-45123 Oracle EBS: Fix for missing functions on AZN Menus when the function belongs to a submenu that was not an AZN menu.
EAC-45307 Oracle EBS: Fixed a connection issue that could result in SESSIONS_PER_USER limit errors.
EAC-45370 Privacera: Added support for Privacera portal roles.
EAC-45492 Active Directory: Corrected typo in AD sync status.
EAC-45543 Windows: Fixed Windows File Share folder id generation to retain folder tags.
EAC-45901 Dropbox: Fixed "Error getting Dropbox credentials from environment" message.
EAC-45998: Fixed form validation for integrations.
EAC-46043 Azure: Fixed parsing of AzureAdLicense entities.
EAC-46098 Artifactory: Fixed a bug forcing the usage of http prefix in URL.
EAC-46168 Salesforce: Fixed Commerce Cloud parsing to not fail on missing effective permission mapping.
EAC-46206 Azure: Fixed an issue where the Manager attribute field couldn't be selected when filtering Azure AD Users.
EAC-46357 Azure: Fixed pagination for MS Dynamics client.
EAC-46365 Oracle EBS: Fixed an error that could occur when attempting to change the integration Insight Point.
EAC-46414 CSV Upload: Fix for user-role mapping with CSV upload.
EAC-46459 Okta: Added support for extracting Okta users that have only an email field.
Changes in Veza release v2024.5.27
EAC-34486 Dashboard Customization (Early Access): Users can now add any report as a dashboard on the home page from the left navigation menu, or by adding reports to the Dashboard Reports category. Users can edit and re-order dashboards using the sidebar.
EAC-35254 Dashboard Reports: Three new reports are now included on home page dashboards: Okta Insights, Active Directory and Azure AD Insights, and Identity Protection Risks.
Non-Human Identities: The Identity supertype for selecting multiple entities at a time now includes machine identities for major cloud platforms. AWS: EC2 Instance, EKS Cluster, EMR Cluster, Lambda Function; Azure: AD Enterprise Application, AKS Cluster, Azure VM; Google Cloud: Compute VM, Run Service Instance, Kubernetes Engine Cluster.
EAC-34482 Dashboard Actions: The dropdown menu next to each tile now offers a full range of query actions: Open In QB, Expand, Analyze, Share, Open In Graph, Alert On Change, or Create Rule. Dashboards now show additional customization options to Export, Share, Edit, Clone, or Delete the dashboard report.
EAC-35162 Rules Usability: When creating an alert from a dashboard tile, the rule wizard pre-fills with useful default values, or shows the existing dashboard action rule.
EAC-34924 Risks Usability: To make the list of Risks easier to scan, explainer labels on the Queries with Risks tab are now shown above the list of queries.
EAC-35047: Fixed an issue with missing destination entities when creating Access Reviews from saved queries.
EAC-35217: Improved performance when loading a user's assigned Access Reviews.
EAC-35166: Fixed an issue causing incorrect "Decision was made by someone else" indicators for reviewers with both local and SAML user accounts.
EAC-35055 Last Usage Date in Query Builder: When usage metadata is available, a "Last Used" column now shows the last activity timestamp for the source and destination entities.
FR-2150 PTC Windchill: New integration for discovering Users, Groups, and Projects.
FR-2138 Workday: Added support for additional custom property types: Self-referencing instance, Currency, Rich Text, Date Time, and Time Zone.
EAC-35076 Oracle EPM: Added support for skipping discovery of Identity Domain Administrator (IDM) roles. Extracted IDM roles are now identified with the attribute is_idm_role.
EAC-34516 Salesforce: Optimized effective permissions model for improved parse and query speed for large environments.
EAC-35163 DocuSign: Fixed an extraction error when encountering users without a security profile.
EAC-35191 DocuSign: Fixed a credential validation issue that could occur when editing an integration.
EAC-34485 GitLab: Veza now correctly evaluates permissions for projects shared between groups, and no longer shows duplicated project resources.
EAC-35116 API Keys: API tokens now have a type property indicating the type of API key: personal or service.
EAC-34314 Platform Look and Feel: Updated fonts and colors throughout the Veza UI to consistently match our current branding.
Changes in Veza release v2024.5.13
EAC-34392, EAC-34855, EAC-34386 Dashboards: A new SaaS Security Posture Management (SSPM) Identity Risks dashboard provides trends and insights for identity risks, based on built-in queries. The AWS IAM Insights and Google Cloud IAM Insights built-in reports are now featured as dashboards, shown when users log in to Veza.
EAC-34392 Rules and Alerts: You can now configure Rules to trigger more than one orchestration action, enabling notifications to several integrated systems when query results meet a rule.
EAC-34361: Veza now accounts for access granted by secondary roles when generating Over Provisioned Scores for Snowflake users.
EAC-34719: Veza now supports the FAIL and objects_modified events when evaluating over-provisioned access. Activity time is now based on the beginning of the hour, and no longer rounded to the closest hour.
EAC-33348 Access Reviews from Saved Queries: When creating a Review Configuration, you can now use a saved query to specify the access relationships to review. You can use this to review any users that meet risk criteria, or define more complex conditions using saved query filters.
EAC-33559 Access Reviews for Single Entity Types: Access Reviews no longer require both a source and related entity type. You can now create Review Configurations with only a source entity type (such as groups, users, or roles) to approve, reject, and sign off.
FR-1598 Access Reviews Scheduling: Review scheduling frequency is now more customizable, enabling recurring review campaigns on a biweekly, monthly, every other month, or quarterly basis. When creating a schedule, you can now preview the upcoming dates when the review will trigger.
EAC-33921: To indicate the draft or publication status of an Access Review, the publication date is now shown on the "Review Actions" page and the review details sidebar.
EAC-33920: Exporting the list of Reviews now includes additional metadata for all items: name, remaining work, last modified at, last modified by, description, expired at, published at, published by, and total rows rejected, approved, and fixed.
EAC-34185 Tableau: New integration for discovering Users, Groups, and Projects on the Tableau Cloud business intelligence platform.
FR-2098 AWS: For visibility into actual AWS account names instead of the Veza-assigned name, new attributes assigned_aws_account_name and assigned_aws_account_id are now available in optional columns. To enable this field, AWS integration data will be re-parsed when upgrading.
EAC-34803 Open Authorization API: Custom Application Local Users now have a built-in email attribute. For compatibility with existing connectors, user.email is set to user.custom_properties.email on payload push. Graph search on the email attribute is always case-insensitive, providing a more consistent query experience for apps that store addresses in a different format than expected.
EAC-34728 Salesforce Entity Names: The more user-friendly Label attribute is now shown as the Salesforce Permission Set name. The Name attribute is shown if there is no label. Permission sets now have the label attribute, which always equals the Label field, and permission_set_name, containing the original Name. Permission Set Groups now use MasterLabel as the default display name.
EAC-34675 Manual Identity Mappings: For easier selection of individual identities, the name is now shown before the entity ID when configuring manual identity mappings.
EAC-34723 SCIM: The SCIM integration now supports target systems that do not implement a Groups endpoint (before, this caused extraction to fail).
EAC-34797 Snowflake: Fixed an extraction failure when encountering a ROLE_TYPE column with NULL values.
EAC-34542 OIDC (Early Access): Added support for selecting an authentication type of Secret or Private Key JWT.
EAC-34681 Concurrent Exports: Query exports to CSV and Snowflake can now run in parallel. When the concurrency limit is reached, Veza will queue exports and process them as capacity is available. Export requests will remain CREATED until they can be processed.
EAC-34790 Single Sign-On: Fixed an issue where users had to re-authenticate before the maximum user session time expired (20hrs).
EAC-34890: Fixed login issues when the IdP SAML claim contained duplicate groups.
Changes in Veza release v2024.6.24
EAC-35653 Access Risks: You can now quickly view a risk's explanation and remediation instructions by hovering over it on the Queries with Risks page and opening the details sidebar.
EAC-35321 Non-Human Identities: Added support for automatically labeling human and non-human identities with Enrichment Rules. Administrators can use the Integrations > Enrichment page to manage rules for a given saved query, entity type, and integration data sources. Veza will label entities that match the query parameters as "NHI" or "Human" when parsing the specified data sources.
EAC-35096 Query Builder: Enabling Show Destinations now includes Last Activity At columns when the source and destination entity types support Activity Monitoring.
Two new settings can now be configured by the Veza support team:
EAC-34035 Approve and Sign-off: It is now possible to control whether Approve and Sign-off appears as an action in the reviewer interface. When enabled, reviewers can approve and sign-off on applicable rows with one click, using an in-row action or bulk action on selected rows. Please contact the Veza support team to manage this customization setting.
EAC-35733 Column Customization: Default columns in the reviewer interface can now be defined on a per-Configuration basis, and apply to all Reviews created for the specified workflow_id.
EAC-34537 Azure Custom Properties: Added support for extracting custom OnPremisesExtensionAttributes for Azure AD Users. To specify extension attributes in an integration configuration, use the full name, e.g. ExtensionAttribute12.
EAC-36008 SharePoint Folders Inherited and Direct Permissions: In Graph search and Query Builder System Permissions filters, Read/Write/Owner permissions on SharePoint Folders now have an inherited or direct prefix. The prefix indicates whether the permission is inherited from the Folder's parent, or assigned directly to the Folder.
EAC-35474 Open Authorization API: The custom application template now supports an AccessCreds entity type for modeling API keys and other credentials assigned to users to provide roles and permissions to resources.
EAC-35515: Prevented Workday extraction failing when fetching security group membership times out. Workday API client timeout is now set to 5 minutes.
EAC-36050: Fixed an issue where the integrations list showed a maximum of 100 providers even with more configured.
Changes in Veza release v2024.5.6
EAC-34204, EAC-34422 Dormant Entities: This report summarizes users, groups, and roles that have not accessed resources they have permissions on. It is now included in Veza's main dashboards with Activity Monitoring enabled. The Dormant Entities report now features new out-of-the-box queries for AWS Activity Monitoring (such as Okta users with dormant access to AWS Secrets Manager secrets).
EAC-34422 Identity and Privilege Access Insights: Offering visibility into least privilege violations and trends, this built-in report is now available as a single-tile dashboard.
EAC-34497, EAC-34540, EAC-34178 Query Builder: Optimized performance for large queries with summary entities enabled.
EAC-34067 Provisioning Rules: To inspect the users or groups affected by a user mapping or group membership rule, you can now hover over a rule and click Open in Query Builder to view the matching Graph entities.
EAC-32017 BitBucket Data Center: New integration for discovering Workspaces, Users, Projects, and Repositories.
EAC-34006 Open Authorization API: The Custom Application template now supports a native_id property on entities in the payload, which can contain a predictable and provider-specific unique ID. This supplements the Veza-generated ID property (which combines the full provider/datasource path).
EAC-35053 Snowflake Export: Tables of now include the last_activity_at attribute.
EAC-31080 Graph Visualization for Pipeline Queries: You can now open queries that include in Authorization Graph.
EAC-34925 Snowflake: Added support for discovering additional usage attributes. Table: last altered, last accessed at; View: last altered, last accessed at; Database: last altered, last accessed at; Local User: owner. If using an for the Snowflake integration, an administrator will need to drop and re-create the views to include this metadata.
EAC-34973, EAC-34238 User Management APIs: Added new v1 operations: Update User PATCH /api/v1/users/{value.id}, and List Roles GET /api/v1/roles, used to retrieve IDs when assigning user team roles.
FR-1970 Query Pipeline Filters: You can now use the NOT operator when adding a . This will cause the main query to exclude any results in the output of the sub-query.
EAC-34646 Export to Snowflake (Early Access): The Query Builder options dropdown now includes the option to directly to Snowflake.
EAC-35584: Added a GET "/api/v1/users/self", returning details about the calling user without requiring an ID.
EAC-34181 Explain Assume Role: In Authorization Graph, you can now understand and investigate how policies, policy statements, and group memberships allow one IAM role to assume another role, inheriting its permissions. Select an AWS IAM role and choose the sidebar action to inspect how different roles are assumable by a given role, with the option to save the view as a PNG.
Changes in Veza release v2024.3.25
EAC-33189: Improved readability within the Row Details drawer. It is now easier to see which table cell value belongs to which entity group for a result.
EAC-15565: Improved performance of the Access Reviews certification table, especially when selecting table rows.
EAC-33311: Fixed an issue where some system permissions were not included in the Effective Permissions shown for users on Google Cloud projects.
EAC-32936 Salesforce: Veza now supports Permission Set Groups used to assign sets of permissions to teams of users. These can be related to a single Muting Permission Set entity, used to disable some or all permissions in a Permission Set Group.
EAC-32660 AWS Unsupported Condition List Property: AWS entities with the Unsupported Condition boolean property now also have an Unsupported Condition List showing any policy condition operators and keys which are not parsed by Veza.
EAC-33279 Concur: Added support for gathering user email addresses (requires the additional API scope identity.user.coresensitive.read).
EAC-33282 Atlassian: Fixed an issue causing incorrect mappings for Atlassian Cloud principals and identity provider groups.
EAC-33279 Concur: Fixed an issue resulting in incorrect attributes for Concur users.
EAC-32586 AWS Role Assumption Permission Boundary Conditions: Veza now evaluates AWS policy conditions in permissions boundaries when parsing assumed roles.
EAC-32727: When adding a team, administrators can now use an All Providers checkbox to include all integrations in the team scope.
EAC-31317: The Events page now shows logins for SSO users.
Changes in Veza release v2024.3.11
EAC-32924: Activity Monitoring for AWS now supports CloudTrail organization trails owned by a different account than the one configured for Activity Monitoring. You can now specify an organization trail by ARN when configuring the integration.
EAC-28286 New Review Builder: The modal for creating a Review is now a full-page editor, shown when clicking New Review on the Review Configurations page. This provides a unified view for picking the base Review Configuration, due date, reviewers, automation, and snapshot options.
EAC-32054: Email orchestration actions can now trigger on sign-off of an approved or rejected review row.
EAC-30477 Enriched Results for Local Users with IdP Metadata (Early Access): In the Review interface, access reviews involving local users that are associated with an external user in an identity provider can now feature an IDP USER column group. This group includes, by default, the name and unique ID of the federated identity for the local user. Reviewers can use the column picker to show additional attributes for the IdP user, such as risk score or activity status. These columns will be empty for local users without a related IdP user detected by Veza.
To enable this feature, edit the Review Configuration and choose Advanced Options > Enrich with IdP data. Select from the list of supported IdP entity types to enable result enrichment.
EAC-32822: Fixed an issue causing some users to see Reviews marked as "incomplete" with all results signed off.
EAC-32982: Fixed an issue resulting in errors on approve or reject with a Jira Orchestration Action configured on rejected row sign-off.
EAC-31672 Filter Combinations: Filters that use saved query results to constrain the output can now also include attribute filters.
EAC-30419: For improved performance when using the Time Machine to view results for a past date or over time, results are now paginated with an option to set the maximum page size.
FR-1824 Coupa: Users now have an additional attribute, API User, set to true if the user is flagged as an API User in Coupa.
FR-1889 Workday: Fixed an issue where timestamp attributes (such as Security Group Updated At) were incorrectly shown as empty.
EAC-32884 Workday: Fixed an issue where the Exists filters applied to the Workday user Email attribute did not correctly constrain the search results as expected.
EAC-32992 Webhook and Email Domain Filtering: Administrators can now configure a list of approved domains for email and webhook Orchestration Actions. Messages are not sent to unapproved domains when this option is enabled on the System Settings page.
EAC-33030: Fixed a redirect loop that could occur when logging in with Single Sign-On.
Changes in Veza release v2024.3.18
EAC-33256: The Salesforce Governance dashboard no longer appears on the home page when the integration is not enabled.
EAC-32438: Improved performance when executing queries with many results, which could cause application freezes due to memory issues.
EAC-31296: Activity is now sorted by timestamp when viewing the action log for an individual result.
EAC-33251: Fixed an issue that could result in reviewers using single sign-on to not see all assigned Reviews.
EAC-33108 Box: Added an option to prevent the discovery of all Box folders. This offers improved performance for gathering user and role metadata when there are too many folders for timely extraction.
EAC-33109 Box: You can now specify the maximum depth of folders to extract when configuring the integration.
EAC-33195 Egnyte: The Egnyte integration now creates local role entities to represent the user type, such as admin, power, or standard.
FR-1803 Jenkins: The Jenkins integration now supports Project-based Matrix Authorization Strategy, where user and group access controls are defined on the project level.
EAC-32154 Microsoft Azure: Added caching for improved performance parsing role-based access controls. This enhancement must be enabled by our support team and should reduce pipeline delays when connecting to environments with complex RBAC hierarchy.
FR-1820 Snowflake: Snowflake Local Roles now have the last used at attribute.
FR-1888 Workday: Added the option to Use Preferred Names as an alternative to legal names when configuring the Workday integration. When enabled, worker entities are labeled with the worker's preferred name if available, or the email address or workerID if unavailable.
Changes in Veza release v2024.3.4
EAC-29795 Reviewers can now use the Decision By filter to find results acted on by any user. Before, only reviewers directly assigned to rows appeared on the list of options.
EAC-32931 Fixed an issue where Reviews with no remaining decisions were not hidden as expected in mobile view.
EAC-32822 Fixed an issue with the number of completed assigned rows in an Access Review not updating correctly after applying decisions.
EAC-31965 Oracle EPM: New integration for discovering users, groups, and roles on Oracle Enterprise Performance Management (EPM).
EAC-32743 Active Directory Manager Principal Name: Veza now shows the Manager Principal Name property for Users where the Manager ID property is a manager distinguished name (DN). The added field shows the manager's User Principal Name (UPN).
EAC-32634 Sign-in Settings: For simplified Single Sign-On configuration, Veza's Single Sign On URL (ACS) and Audience URI (Entity ID) are now shown in the Configure SSO wizard and no longer must be retrieved from the provider metadata.
Changes in Veza release v2024.4.29
EAC-33640 Enhanced Saved Query Details (Early Access): We've re-envisioned the Query Details page to provide an easier way to analyze results, visualize trends, and understand risk and query details. The new experience, shown for saved queries and dashboard tiles, will be available over the coming weeks:
Risk Insights: Use extended query and risk descriptions for additional insight into why the results matter.
Trend Analysis: Visualize changes over time for patterns and anomalies or export for use outside Veza.
Results Overview: Review the latest results and entity details, with familiar options to filter on any attribute and show or hide columns.
EAC-34173 Single-tile dashboards (Early Access): The design of the Salesforce and Snowflake governance dashboards is refreshed for improved visual clarity. The updated layout featuring smaller tiles will be enabled over the next few weeks.
EAC-32573 Enhanced Reviewer Experience: An updated access reviewer interface is now available in Early Access. The refreshed UI includes:
Enhanced Review Mode: To streamline the review process, signed-off rows and those assigned to other reviewers are now hidden by default, helping reviewers concentrate on pending tasks. Reviewers can easily restore these hidden rows whenever needed.
Improved Bulk Actions: Reviewers can now run bulk actions on all the rows visible on the page, or all rows in the review. Combined with filters, this offers an intuitive way to update rows based on specific criteria. This replaces the old “Smart Action” experience.
Sign-off UX Enhancements: We have simplified the sign-off process. Instead of signing off rows individually, reviewers can now select many rows and apply decisions with a single click. This change saves screen space and reduces the likelihood of users forgetting to sign off on decisions.
Stats Display: Reviewer statistics and progress indicators are displayed more concisely and clearly.
Visual Interface Improvements: Cosmetic modifications to clean up the interface for a sleeker presentation overall.
EAC-33553: Swipe behavior in mobile view is now configurable by the Veza support team. Left and right swipes can now map to the actions APPROVE, APPROVE_AND_SIGN_OFF, REJECT, and REJECT_AND_SIGN_OFF.
FR-1725, FR-1727 Mobile Enhancements: The "swipe" mode shown for reviewers on mobile devices is now more flexible and requires fewer actions overall:
The default swipe can combine actions such as "approve and sign off," based on the support-enabled mapping.
By default, swiping left or right in mobile swipe mode immediately updates the current card.
Fixed an issue with smart action notifications appearing for single-card actions.
Only 1 card is shown at a time.
Improved the animation that happens after swipe.
EAC-33801 Review Exports: Exporting a review now includes columns for the user who marked any row as "Fixed": marked_fixed_by_id, marked_fixed_by_name, marked_fixed_by_email (instead of a single JSON object).
EAC-18804: Fixed an issue where email addresses with capital letters were not ordered correctly in lists of reviewers.
EAC-34356 Saved Query Export: You can now cancel long-running query exports from the actions menu.
EAC-34198 Salesforce roles hierarchy: Veza now shows parent-child relationships for Salesforce User Roles in Authorization Graph:
An icon next to the entity name indicates when a role has hierarchical relationships to other roles.
Click on a Salesforce User Role to select it and click View Hierarchy on the graph actions sidebar to see all related roles and the order of the hierarchy.
EAC-34042 Administration APIs: Added public APIs for team and user management. Teams: create, get, delete, list; Users: create, get, delete.
FR-1015 Events: Password and multi-factor authentication resets are now shown on the Events page (before, these were only available in audit logs).
EAC-34208 SAML Single Log-out: Administrators can now copy the Veza single log-out URL when enabling SAML.
FR-2048, EAC-34131 User Management: You can now filter the list of users by team or role. The users list now includes their assigned roles and creation date.
Changes in Veza release v2024.4.15
EAC-33470: For improved visual clarity, the Snowflake Data Governance and SFDC Access Security Dashboards now show individual tiles for each featured query. You can click any tile for an expanded view of the results over time, or open the results in Query Builder.
EAC-33540: You can now view risk changes over the last quarter by setting 90 days as the time range on the Risks page.
EAC-33906: Added "All Local Users" as an aggregate option when defining the source/destination in the Access Review Query Builder (replaces "LocalUser").
EAC-33804: Fixed an issue that could result in the sign-off of rows with no decision.
EAC-33519: Renamed “User / Group / Resource” to “User Name / Group Name / Resource Name” in the Access Review Certification UI to make wording more consistent.
EAC-33936: Row actions are now prevented during row updates.
EAC-33935: Entity type groupings such as Custom Users now correctly appear in the Relationship dropdown when creating queries for Access Reviews.
FR-1891, EAC-33852: All entities now have a Datasource Last Extraction Time attribute indicating when metadata was last refreshed for the host data source.
EAC-28076 Authorization Graph: The option to show or hide indirect relationships is now generally available. Use Advanced Options > Include Assumed [Entity Type] to filter on source entities with direct access to the chosen destination entity type, and exclude any relationships where a nested group or role grants access.
EAC-33770 Query Builder: Attributes containing lists now support filters with the Exists and Not Exists operators, to find results where these attributes contain any data, or no data.
EAC-33922: Pagination is now automatically enabled to reduce graph visualization rendering memory requirements and duration when there are many related entities. A warning indicates when the current page cannot be loaded.
EAC-33670 Jira Data Center: Added support for authenticating using a self-generated CA certificate, uploaded when configuring the Jira Data Center integration.
EAC-33903 Anaplan: Added support for directly discovering Anaplan model users. This is optional due to increased API calls required for extraction (>= 1 call per model instead of a single call per workspace).
EAC-33633 Workday: An error message now indicates when configuring an invalid custom property.
EAC-33782: Teams and roles are now listed in an additional column when exporting the Users list to CSV.
EAC-33829: Sections on the Sign-in Settings page are now grouped in categories to separate general, SSO, and local user authentication settings.
Changes in Veza release v2024.4.8
EAC-33392 Enrich with IdP/HRIS data: Reviews can now include information about the HRIS profiles that correspond to identities in the query results. For example, you can use this option to show details about Workday Workers that correlate to Okta Users when reviewing Okta User > Application access.
EAC-33368 Digest Emails Lifecycle Management events are now summarized in a scheduled email notification, including the successful and failed event count for the day, week, or month. Admin users can opt into Provisioning Digests on the Profile page.
EAC-33301 Concur: Added support for permissions delegated from one user to another. Veza now creates a Delegate resource for any user with delegates, showing permissions between the original user and the resource.
EAC-33754 Egnyte: Added API rate limiting to prevent exceeding API quotas. Extraction now pauses after using 80% of the available daily calls.
EAC-33800: Fixed an issue causing pages to reload unexpectedly after logging in with Single Sign-On.
Changes in Veza release v2024.4.1
EAC-32794 Risks usability: You can now filter and sort the Risks page by label or integration, and search by risk name or query name. The list of risks is now paginated for improved performance.
EAC-33272 Last activity details: Query Builder now shows a Last Activity with Resource At column indicating when a principal last interacted with a resource.
EAC-33401 Share links for filtered views: Reviewers now have the option to copy a shareable link to the current filtered set of results. Opening a review now applies the filter specified in the URL. This feature is now generally available.
EAC-33399 Tags in Access Reviews: The option to show tags on source or destination entities in additional columns is now generally available.
EAC-33174 AWS Unsupported condition icons: AWS entities in Graph search now have an icon to indicate if the Unsupported Condition property is True.
EAC-33369 Filter events for changes: The provisioning activity log now includes a Changes Only toggle to filter only actions that resulted in a change to the target system.
FR-1915 Contained Resources for Okta Admin Roles: The Okta integration now creates Okta Constrained Resource and Constrained Resource Set entities indicating the resources associated with each admin role. Additionally, Okta Role Assignments now connect users and admin roles. This enables search and access reviews on relationships such as User > Role Assignment > Role, Role Assignment > Resource Set > Constrained Resource, and Role Assignment > Constrained Resource.
EAC-33609: Added an option to delete local accounts associated with single sign-on users on the Administration > User Management page.
EAC-32880: When enabling SSO, you can now download a public certificate used by Veza to sign single log-out (SLO) requests.
Changes in Veza release v2024.2.12
EAC-32265 - Okta Group Parsing Errors: After upgrading, you might experience failures in Okta parse jobs due to unsupported condition expressions in Group Rules. We have identified this issue and plan to address it in a patch release scheduled for later this week.
Snowflake Data Governance Dashboard: Now generally available for customers using the Snowflake integration for insights into inert users and superusers, roles and super roles, role access, and least-privilege anti-patterns.
Salesforce Access Security: A dashboard of dedicated insights to complement the Veza integration for Salesforce. This page displays pre-configured queries for improved visibility on:
Salesforce Users & Their Mapping to Identity Providers
Users with Privileged Access
SFDC Profile and PermissionSet Analysis
Top Profiles mapped to Users, and top Profiles with privileged PermissionSets connected to users
EAC-31785: When opening a Query Builder result in Authorization Graph, the loading indicator now persists until results are available, instead of showing an empty search.
EAC-31971: Fixed an issue resulting in saved queries involving HRIS-type integrations not appearing on the Saved Queries page.
EAC-32006 Actions for Expired and Completed Reviews: You can now use the View Action Log and See Row Details actions for additional information when viewing completed or expired Reviews.
FR-1782 Review Export: When exporting Reviews to PDF, the snapshot time for certification data is now indicated on the first page.
FR-1785, EAC-32050: Results now include an optional Is Active column for Access Review queries involving supertypes (such as All Top Level Principals to a resource).
EAC-31727 Pending Tasks: Added a section under Lifecycle Management showing jobs queued for execution at a future date based on a provisioning policy, including the scheduled time, job type, and provisioning source and target.
EAC-30745 Jira Data Center: New on-platform integration for discovering Jira Data Center Projects, Users, Groups, and Roles.
To gather this metadata when the feature is enabled, enter an Access Token when configuring the GitHub integration. This should be a Personal Access token created for a GitHub user with enterprise-level permissions. The token must have the read:enterprise scope.
EAC-31923: Jira Custom Field Number and Text Issues: Fixed a bug where Jira issues were not created when they included Number and Text custom fields.
Changes in Veza release v2024.2.26
FR-1828: On the Access Intelligence > Risks > Queries with Risks page, you can now click on the small graph next to each query to open an expanded view showing changes in results over time.
EAC-32234 Action Log in PDF Exports: The history of decision activity for each row is now provided as an optional column when exporting Reviews to PDF.
EAC-29795 Decision Details: Reviews now include optional, filterable columns showing the user who made the decision (Decision By) and Decision Time.
FR-1323 Okta App Status: Okta App entities now have the status attribute, indicating if an app is active.
EAC-32414 Azure Role Assignment Details: Azure Role Assignment entities now have additional attributes showing assignable_scopes, actions, not_actions, data_actions, and not_data_actions for the assignment.
EAC-31643 AWS Cross-Account Assume Role Condition Evaluation: Veza now evaluates policy conditions using both the assuming principal's attached IAM Policies and the assumed Role's Trust Policy when determining cross-account role assumption capability.
EAC-30905 API keys for Non-Root Teams: Users on any team can now create API Keys scoped to their team role. The Administration > API Keys page now lists all keys for the user's active team.
Changes in Veza release v2024.2.19
EAC-31673 Edit Review Configuration: Administrators and operators can now edit an existing Review Configuration to update the original query, or customize reminders and orchestration actions. To modify a Configuration, click its name on the Review Configurations page to view details, then click Edit.
EAC-32007: Fixed an issue where the full information was not shown when hovering over cells in Reviews containing long strings of text.
EAC-32488: Fixed a "Resource Not Found" error that could occur when attempting to load a Review.
Box Effective Permissions: Veza now shows effective permissions for Box roles directly to resources. Before, these were shown only for User > Resource. Relationships between users and home folders are now shown only in System query mode.
EAC-32089 AWS Identity Center Account-level Permission Sets and Role Trust Policy Evaluation: The AWS Identity Center integration now supports account-level granularity for Permission Set assignments. Principals assigned to a Permission Set are now connected to a new AWS IAM Identity Center Permission Set Account entity for each account, reflecting specific assignments. Additionally, Veza evaluates the Trust Policy of corresponding provisioned IAM Roles in each account, which can limit an Identity Center principal's ability to assume the role. This will result in more accurate Effective Mode queries involving Identity Center principals and IAM Roles.
Note 1: On upgrade, Veza will re-parse all AWS Identity Center data sources to apply the new Permission Set Account nodes. Until this process is complete, Authorization Graph or Query results involving AWS Identity Center may be temporarily invalid.
Note 2: Queries involving the old AWS IAM Identity Center Permission Set entity type are updated to use the new type. Some queries may no longer be valid due to schema changes and will return an error upon execution.
EAC-21030 AWS Unsupported Condition Property: Added a boolean property Unsupported Condition to AWS Policy Statement entities indicating when the Policy Statement includes an unsupported condition, possibly impacting the accuracy of access shown in Veza.
EAC-31991: Fixed an issue causing some integrations (such as UKG Pro) to not appear on the list of filterable provider types.
Changes in Veza release v2024.1.29
Total inert users and superusers
Inert roles and super roles
Role access to data objects (schema, database, table)
Deactivated IdP users with Snowflake Access
Vulnerabilities and least-privilege anti-patterns
EAC-31099 Enhanced List Filters: Filters on list-type attributes now support additional operators to enable matching based on the contents of an element in the list. For these attributes (such as Okta User MFA Factors or GitHub User Emails), you can now conditionally filter results where any one list item contains, does not contain, starts with, or ends with the input string (Contains / Does Not Contain / Starts With / Ends With), or matches a regular expression. This enhancement complements the existing Equals and Not Equals operators, which filter for exact matches across any list element.
EAC-31634: Fixed an issue causing the Query Builder Entity Type dropdown to contain values when searching for a source entity type.
EAC-28284 Workflow Builder: The Access Reviews workflow creation modal now uses a step-by-step wizard. The new design provides a more intuitive flow for adding a description, specifying the query, and configuring email notifications and orchestration actions.
EAC-31458 Workflow Query Enhancements: Entity type groupings, used to specify combinations of entity types for workflow queries involving custom applications, are renamed for clarity when constructing queries with the Workflow builder:
All Idp Users for All Apps -> Custom Idp Users
All Applications for All Apps -> Custom Applications
All SubResources for All Apps -> Custom SubResources
All Resources for All Apps -> Custom Resources
All Users for All Apps -> Custom Users
All Roles for All Apps -> Custom Roles
All Role Assignments for All Apps -> Custom Role Assignments
All Idp Domains for All Apps -> Custom Idp Domains
All Idp Groups for All Apps -> Custom Idp Groups
All Groups for All Apps -> Custom Groups
All Permissions for All Apps -> Custom Permissions
EAC-31595 Date-based Provisioning Rules: User Mapping Rules now support date-based operators to enable conditions based on attributes containing timestamps. You can now use On or After, On or Before, After, or Before to create rules that only (for example) provision users hired after a certain date.
EAC-31598 Jira Default Assignee: The Jira Orchestration Action no longer requires a Default Assignee to enable the integration. Leaving this value blank will set Unassigned on created issues.
EAC-31642 AWS Condition Parsing: Veza now evaluates when aws:userid IAM policy condition keys restrict access to resources, and shows the appropriate effective permissions for the authorization path.
Changes in Veza release v2024.2.5
EAC-28195 Access Reviews Terminology Changes: Veza Access Reviews are designed to enable repeatable certifications using an underlying Veza Graph query and common settings. Based on customer feedback, we've updated the legacy term for the original query and settings from Workflow to Review Configuration. A single instance of access review for that configuration (previously a Certification) is now a Review. On the main Veza navigation, these are now located under Access Reviews > Configurations, and Access Reviews > Access Reviews.
EAC-31907: Fixed a regression causing custom property columns for OAA-based integrations to not appear as expected.
EAC-31905 Fixed an issue preventing display of the natural language summary of the access relationship when hovering over rows involving OAA-based integrations.
EAC-31990: Fixed an issue where disabling Include Assumed Groups/Roles to only show principals with direct access did not filter results as expected.
FR-17772 Event Log Filtering: Added the option to filter the list of provisioning events by user name and event type.
EAC-31778 Event Log Columns: The Timestamp column is now shown on the left and can be resized. Column width is optimized for better readability at most screen widths.
EAC-31175 Oracle Fusion Cloud: The Open Authorization API (OAA) connector for Oracle Fusion Cloud (OFC) is now available as an on-platform integration, including support for role assignments, role permissions, and Security Contexts.
EAC-34360: Veza now collects the Default Secondary Role attribute for Snowflake Users. If using an , you will need to drop and re-create the USERS view to include the default_secondary_role column.
EAC-33517: Optimized performance for queries with , specifically when including path summaries without specific count conditions or when the condition is >= 0.
EAC-33498 Palo Alto Networks: New integration for discovering applications, users, roles, and permissions for .
EAC-33679 Custom Identity Mappings: can now include Identity Matchers to correlate identities even if they do not match a mapping rule. Shown when editing existing integrations, the Identity Matchers section enables matching users from any two data sources (such as Azure AD and Okta), if they exist in Authorization Graph. Administrators can search for users by name, and add as many pairs of users as required.
EAC-33713 Okta: The Okta integration now supports incremental updates for faster extraction time and reduced traffic to Okta API endpoints. An Administrator will need to to enable this feature.
EAC-33862: Administrators can now grant the Veza support team temporary access by creating a limited account.
EAC-33312 Query Pipeline: You can now use to constrain the results of a query based on the output of another.
EAC-33312 AWS Activity Monitoring: Veza now generates Over Provisioned Scores for AWS IAM Users with access to AWS S3 Buckets and Secrets Manager Secrets, and for Okta Users and Apps with access to these AWS resources. See for steps to enable audit logs for AWS. To use this feature, must be enabled by our support team.
EAC-31741 Scheduling Enhancements: When scheduling a recurring Access Review, you can now configure and specify whether to use the current Authorization Graph data or the most recent snapshot.
EAC-33714: Fixed an issue where all columns were enabled by default upon opening a Review instead of only the default or columns.
The column appears for , after enabling the Show {destination entities} option to include the destination in results.
EAC-33400 Custom help pages: are now generally available. Custom help pages are now shown when opening a review for the first time or clicking the User Guide button.
EAC-33423 HashiCorp Vault identity mapping: Added support for local users accessing Vault with the Okta authentication method. Vault aliases now have an idp_unique_id property, which you can use to configure for Okta and Vault.
FR-1161 Salesforce Opportunities (Early Access): Veza now supports Opportunity entities, used to represent and track potential deals in Salesforce. This feature must be enabled by our support team, and requires for the Veza service principal.
This release introduced changes to the global Veza navigation to better organize products and operational areas. For more information about the changes or to submit your feedback, see
EAC-31543: now correctly prevent emails when choosing Reviewer managers to receive notifications for Access Reviews.
EAC-32008 GitHub SAML Name IDs (Early Access): Veza can now ingest and show the saml_name_id attribute for GitHub users, which can be used to create between external users in an identity provider and local GitHub accounts.
EAC-32655 LastPass Roles: The LastPass integration now shows user roles on the LastPass application (either Admin or User). Users assigned to Shared Folders now have based on the assignment settings.
EAC-32566: Fixed an issue causing API requests to fail for configured integrations.
EAC-31842 Okta Group Rules: Veza now parses Okta used to assign permissions based on user attributes or other group memberships. A new Okta Group Rule entity connects Okta Users and Okta Groups in Authorization Graph, shown when activating Relationship Options > Advanced View.
EAC-31497 Risk Scores for Authorization Graph: When showing Risks in Graph Search, a now appears next to each entity's name for better visibility into relative risk for different entities in search results. The option to highlight risks in the Authorization Graph is renamed from Display Options > Risks to Display Options > Risk Scores.
Snowflake Data Governance Dashboard: A specialized dashboard is now available for customers using the integration. The page offers a range of out-of-the-box insights, including visibility into changes and trends for:
EAC-31410 Jira Additional Fields: The details page for now includes an Additional Fields tab, displaying the configured System Fields and Custom Fields.
EAC-31703 Okta Audit Logs: When using OAuth credentials for the , granting the okta.logs.read scope now allows Veza to gather information about System Log entries in the Okta organization, and use activity data to enable incremental extraction.
EAC-31698 Jira Alert Details: When a Rule triggers an Alert, the event is logged on the Access Intelligence > Alerts page for tracking and remediation. For Alerts associated with a , an Actions column now includes the issue key and a clickable link to open the ticket in Jira. You can now click on actions of any type for more details about the rule that triggered the alert.
EAC-30559 Automation Details: Access Reviews using now include an optional column to help identify results accepted or rejected when the Review was created. For any rows where a decision applied automatically, this will indicate Matched (x automations). Clicking the value shows more information about the automation applied, and the resulting decision. You can toggle this column with the column selector, under Metadata > Matching Automations.
Coupa User Attributes: The integration now discovers additional properties: email, invoice_approval_limit_amount, requisition_approval_limit_amount, and requisition_self_approval_limit_amount.
Changes in Veza release v2024.1.8
EAC-29824 Attribute Filter Enhancements: Attributes that contain lists of values can now use the "Not Contains" filter option.
EAC-29789 Export Decision Columns: You can now include decision-related columns when exporting a certification, including the ID, Name, and Email of the user who made the action, and the Decision Date.
EAC-31038: Fixed an issue where custom attributes on Active Directory Users were not available as columns in Certification view.
EAC-28087 Workflow Queries: When All Resources is specified as a Workflow source or destination, you can no longer choose All Principals, All Top Level Principals, or All Resources as the related entity type. When All Principals or All Top Level Principals is chosen, you cannot select All Principals, All Top Level Principals, or All Resources as the related type. Previously, these combinations could result in invalid queries.
EAC-30261 BambooHR: New integration for discovering users and groups on the BambooHR platform.
EAC-30011 LastPass: New integration for discovering LastPass shared folders, users, groups, and roles.
FR-1677: Okta Apps are now included in Graph views when connected to an Okta user in search results (previously, these were hidden unless explicitly searching for Okta Apps).
EAC-30958 Google Drive: Added an integration option to use OAuth 2.0 credentials for a Google Workspace user, enabling the discovery of drives with external sharing disabled or that cannot be shared with the integration service account.
EAC-30953: Fixed an issue where the Destination Data Source Type field could appear empty in saved Identity Mapping configurations.
Changes in Veza release v2023.12.11
EAC-28821: Users can now add custom notes to entities on the Risks > Risks tab, and add a suppression reason when marking an exception. These fields can provide extra context for a decision or track the remediation status for a particular entity.
EAC-30245: Out-of-the-box assessments with a critical or warning risk level now include descriptions, shown when clicking Show Explanation on the Risks page.
EAC-29978 Review Access for Unique Users (Early Access): Added an option to automatically open the Show Users list to filter results for a single identity when opening a certification.
EAC-12684: Access Reviews APIs and webhook payloads now return summary entities in a path_summary_nodes array, when specified by a Workflow query.
EAC-30426: Clicking a risk score in Query Builder now opens a modal explaining how scores are calculated.
EAC-30255: Optimized performance for Query Builder exports.
EAC-30447: Fixed an issue with single-entity Query Builder search for Workday Security Group not opening in Authorization Graph.
EAC-30377: Provisioning rules can now be deleted.
EAC-28553 Confluent: New integration for gathering Confluent Cloud Users, Groups, and Roles.
EAC-29036 1Password: New integration for gathering Users and Groups from 1Password.
EAC-28142 Privacera: New integration for gathering Privacera Users, Roles, and Groups.
FR-1638, EAC-30378 Okta MFA Types: Okta Users now have an MFA Factors attribute listing the types of multi-factor authentication enabled for their account.
EAC-29239 Reduced AWS Resource-based "Deny"-All Policy Statement Connections: AWS resource-based policy statements with a "Deny" Effect on all (*) principals are now connected to individual principals in the Veza Graph only if the statement overrides an "Allow" effect on the same resource from another policy.
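The two AWS evaluation rules noted above under EAC-31642 (aws:userid condition keys restricting access) and EAC-29239 (a resource-based Deny on all principals that only matters where it overrides an Allow) can be exercised with the following added Python example. It is illustrative code written for this page, not Veza's parser or any part of its product; the account ID, ARNs, unique user IDs, bucket name and policies are constructed, and the model is deliberately single-account (no SCPs, permission boundaries, session policies or cross-account rules).

```python
"""Toy single-account model of IAM policy evaluation: an explicit Deny in any
applicable statement wins, otherwise an applicable Allow grants access, and no
applicable statement at all is an implicit deny. Illustrative code, not Veza's."""
import fnmatch
from typing import Any, Dict, List

BUCKET = "arn:aws:s3:::example-audit-logs"       # constructed
ALICE = "arn:aws:iam::111111111111:user/alice"   # constructed
BOB = "arn:aws:iam::111111111111:user/bob"       # constructed
CAROL = "arn:aws:iam::111111111111:user/carol"   # constructed

# aws:userid as it appears in each principal's request context (constructed IDs)
REQUEST_CONTEXT: Dict[str, Dict[str, str]] = {
    ALICE: {"aws:userid": "AIDAEXAMPLEALICE"},
    BOB: {"aws:userid": "AIDAEXAMPLEBOB"},
    CAROL: {"aws:userid": "AIDAEXAMPLECAROL"},
}

# Identity-based policies attached to each principal (constructed); carol has none
IDENTITY_POLICIES: Dict[str, List[Dict[str, Any]]] = {
    ALICE: [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}],
    BOB: [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}],
}

# Resource-based bucket policy (constructed): deny every principal whose unique
# ID is not alice's. The "ID:*" form is how sessions of an assumed role would be
# listed, since their aws:userid is "<role id>:<session name>".
BUCKET_POLICY: List[Dict[str, Any]] = [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotLike": {"aws:userid": ["AIDAEXAMPLEALICE", "AIDAEXAMPLEALICE:*"]}},
}]


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Evaluate the String* operators used here. A condition key missing from the
    request context makes the statement not apply."""
    for operator, pairs in (condition or {}).items():
        for key, patterns in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator in ("StringEquals", "StringNotEquals"):
                hit = any(actual == p for p in _as_list(patterns))
            elif operator in ("StringLike", "StringNotLike"):
                hit = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns))
            else:
                raise ValueError(f"unsupported operator {operator}")
            negated = operator.startswith("StringNot")
            if hit == negated:  # positive operator without a match, or negated one with a match
                return False
    return True


def _principal_matches(stmt: Dict[str, Any], principal: str) -> bool:
    """Identity policies carry no Principal element; resource policies do."""
    if "Principal" not in stmt:
        return True
    allowed = stmt["Principal"]
    if isinstance(allowed, dict):
        allowed = allowed.get("AWS", [])
    return any(p in ("*", principal) for p in _as_list(allowed))


def _applies(stmt: Dict[str, Any], principal: str, action: str, resource: str) -> bool:
    return (
        _principal_matches(stmt, principal)
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        and _condition_holds(stmt.get("Condition"), REQUEST_CONTEXT.get(principal, {}))
    )


def effective_decision(principal: str, action: str, resource: str) -> str:
    """Returns "allow", "explicit-deny" or "implicit-deny"."""
    statements = IDENTITY_POLICIES.get(principal, []) + BUCKET_POLICY
    applicable = [s for s in statements if _applies(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "explicit-deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "allow"
    return "implicit-deny"


def principals_with_access(action: str, resource: str) -> List[str]:
    """The principals an effective-permissions view would connect to the resource."""
    return sorted(p for p in REQUEST_CONTEXT if effective_decision(p, action, resource) == "allow")


def deny_overrides_allow(principal: str, action: str, resource: str) -> bool:
    """True only when the Deny-on-"*" statement changes the outcome, i.e. the
    principal had an applicable Allow. This is the case in which a graph edge
    from the Deny statement to the principal carries information (EAC-29239)."""
    allows = [s for s in IDENTITY_POLICIES.get(principal, [])
              if s["Effect"] == "Allow" and _applies(s, principal, action, resource)]
    return bool(allows) and effective_decision(principal, action, resource) == "explicit-deny"


if __name__ == "__main__":
    obj = BUCKET + "/2024/report.csv"
    for who in (ALICE, BOB, CAROL):
        print(who.rsplit("/", 1)[1], effective_decision(who, "s3:GetObject", obj),
              "(deny overrides an allow)" if deny_overrides_allow(who, "s3:GetObject", obj) else "")
```

Running it shows alice allowed (her aws:userid is excluded from the StringNotLike deny), bob explicitly denied although his identity policy allows s3:GetObject, and carol denied either way: the Deny-all statement applies to her but changes nothing, which is why a graph that only connects such statements where they override an Allow stays both accurate and smaller.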
EAC-30080: Administrators can now assign teams and roles for individual users on the User Management page.
Changes in Veza release v2023.11.20
EAC-29446 Decision columns: Certifications now have optional columns Decision At and Decision By for better visibility into row decisions, and enabling the option to filter on these values.
EAC-28135 Improved column naming logic for intermediate entity types: When enabled, columns showing an Intermediate Entity are no longer always named Intermediate Role <property-key>.
Intermediate column titles now default to Intermediate Node <property>.
Local User name columns are titled Local User ID.
Role intermediate type columns are titled Intermediate Role.
FR-1335 Active Directory: Added support for cross-domain user and group relationships involving sub-domains (before, this was only supported for external domains).
EAC-29614 Box: Increased user extraction speeds and decreased extraction interval for improved efficiency and lower API costs.
EAC-29679 Concur: To enable custom mapping for external identities, Concur Users now have an Identities attribute containing the local username.
EAC-27117 Kubernetes: Added support for connecting to Microsoft Azure AKS managed Kubernetes service. Added built-in assessments Azure AD Users with AKS Managed Cluster write permissions and Azure AD Users with AKS Managed Cluster delete permissions.
EAC-28767 Open Authorization API: Custom Role Assignments can now have developer-defined attributes specified in custom_property_definition.role_assignment_properties. Role Assignments now inherit any custom properties on assigned Roles.
EAC-27458 Product name changes: Outbound integrations and Webhooks are now managed under Orchestration Actions (renamed from Collaborations).
EAC-28492 Product usability: The Add Integration button is now hidden when choosing the integration to create (and clicking Next is the only option). After completing the form, you can now click Create Integration at the top right to save the configuration.
EAC-29621 AWS S3: Fixed a regression resulting in missing Authorization Graph relationships for some Bucket Policy Statements and previously-connected Buckets.
EAC-29456 OneLogin: Renamed One Login Group to OneLogin Group for consistency with other OneLogin entities.
EAC-28596 Slack: Fixed a validation error that prevented saving a Slack integration.
Changes in Veza release v2023.11.27
EAC-28274 Row details: Reviewers can now click Certification Actions > See Row Details to open the result in a sidebar, with support for keyboard navigation and filtering on any attribute or value. Users can approve, reject, and sign off directly from the details panel.
EAC-29809: Added a Filtered Permissions column group when viewing related entities for a Query Builder result.
EAC-29830: The Query Builder option "Show [Destination Entities]" now only appears when a single related entity type is selected.
EAC-26228 Microsoft Dynamics 365 (Early Access): The Azure integration now supports Dynamics 365, including Business Units, Users, Teams, Application Uses, and Security Roles. When enabled, you can specify one or more environments to discover when adding or editing an Azure configuration.
EAC-28561 UKGPro (Early Access): A built-in OAA connector is now available for gathering Users and Roles on the UKG HRIS platform.
FR-1058 User session timeouts (Early Access): Added an option to the System Settings page for controlling when users are logged out after a period of inactivity. Session idle timeout is now configurable between a minimum of 10 minutes and a maximum of 2 hours.
Changes in Veza release v2023.11.6
EAC-29017 Reports can now contain up to 150 queries.
EAC-28455 Query exports now include a tags column when using Advanced Options > Include Source Tags.
EAC-27058 Operators can now pick Time Machine snapshots when creating Certifications to source results from the most recent snapshot, an earlier date, or the current graph data.
EAC-28294 Opening the mobile interface for the first time now shows hints for swipe mode.
EAC-29177 Fixed an issue with some results having the wrong resource icons.
EAC-28049 Fixed an issue with the Role and other entity type groupings not appearing in Query Builder dropdowns.
EAC-28489 Users with more than one root team role no longer see duplicate entries in the "Teams" dropdown list when creating API keys.
Changes in Veza release v2024.1.22
EAC-23820 Improved Usability For Authorization Entities Sourced From OAA Integrations: Entities created with Open Authorization API (OAA) no longer have generic types such as Custom User or Custom Group. You can now create Access Reviews involving these entities as though they were sourced from a built-in integration (e.g. ZenDesk User, Trello User).
Note: As part of this release, Workflow queries are converted to use the new entity types. For any custom applications that cannot be migrated, the Workflow query will change from Custom Resource for <Custom App> to Custom Resources (For All Apps). If this occurs and the updated query does not meet your use case, you should recreate the impacted Workflows or contact Veza customer support.
EAC-30509 Graph Optimizations: Significantly improved performance for Graph searches on Workday Security Group > Workday Domain Security Policy.
EAC-31170 Blackline: New integration for discovering Users, Teams, and Roles on the Blackline financial automation platform.
EAC-30551 Jira Configurable Fields: Jira orchestration actions can now create issues with additional system and custom fields. These optional, additional fields are enabled in a new tab when configuring the orchestration action. Tickets can be created with user-defined values for a limited set of System Fields (e.g. Component), and custom fields based on the specified field, type, and value. Please contact support if your use case requires additional system fields or field types.
EAC-31441 BambooHR: Integration configurations can now include the IdP types for connecting employees to authorization providers. This should be a comma-separated list of providers, e.g. okta, onelogin.
EAC-30883: Notifications sent when performing the Test function on an Orchestration Action no longer include the legacy term Cookie, and instead now use the company name Veza.
EAC-31406: Fixed an issue where the Test function in the Edit Orchestration Action flow failed to perform the test when any configured secrets (password, token, etc.) were left unmodified.
FR-1745 Microsoft Azure Management Group IAM Permissions: Veza now shows role assignments and their effective permissions for Azure Management Groups. This provides a more accurate visualization of access when granted by either a Management Group assignment or an assignment on the Azure Subscription, in System and Effective search mode.
EAC-30661 System Settings: Added an option to toggle redirection of visitors on the Veza home page to your Single Sign-On provider for log-in. This option currently appears only when SSO Auto-Redirect is enabled as an optional feature.
EAC-31496 Sign-In Settings: Authorization namespace configurations (Early Access) are now on the Sign-In Settings page, instead of under System Settings.
Changes in Veza release v2023.12.18
EAC-30743: Dashboard views for 6 months and 1 year now show a single value for each week, instead of a value for each day.
EAC-30711: Fixed an issue with report PDF export causing long descriptions to overlap query results.
EAC-28061: Fixed an issue with long workflow names not wrapping correctly on mobile devices.
EAC-30627: Fixed an issue applying filters from the UI for workflow queries with multiple destination entities from OAA providers.
EAC-30173: Improved display of attributes with long string values in the result details sidebar.
EAC-39631 GitHub: Integration configurations now have repository allow and deny lists to customize which resources Veza will add to the Authorization Graph. The integration now implements concurrency for improved extraction times.
EAC-30629 GitHub: Added support for custom repository roles for Enterprise Server environments (before, these were only available in Enterprise Cloud). GitHub configurations now have a checkbox to enable or disable gathering external repository collaborators.
EAC-30562 Microsoft Active Directory: Veza now shows additional user attributes: City, Company, CountryCode, Description, DisplayName, PhysicalDeliveryOfficeName, PostalCode, StateOrProvinceName, SurName, GivenName, and Title.
EAC-30202: Added support for assigning teams and roles based on an incoming SAML groups claim when users log in with Single Sign-On.
EAC-30602: Teams can now have SSO aliases, used to map Veza teams to an Identity Provider role or group in SAML assertions.
EAC-21648: Administrators can now delete unused Insight Points with no associated integrations.
EAC-30182: When creating a local user on the User Management page, the root team is now automatically selected when it is the only available team. Administrators must now confirm before creating a user with no team assigned.
Changes in Veza release v2024.1.15
EAC-31119: Fixed an issue resulting in errors when loading the Entities page with a BitBucket integration configured.
EAC-27416 Access Reviews Management: The Workflows landing pages have been updated and modularized to make it easier to create, view, and manage Access Reviews. The new UX includes a Certifications dashboard similar to the previous access reviewer panel showing all active and completed certifications the active user can access. A new Workflows dashboard replaces the main page listing all configured workflows. Opening a Workflow now opens the Workflow Details page for managing certifications for a specific workflow, similar to the old View Certifications interface.
EAC-31148: Using the Dry Run option to preview changes based on the active Lifecycle Management policies now shows the changed attributes and the applicable provisioning rules.
EAC-29030 iManage: New integration for discovering iManage libraries, users, groups, and roles.
EAC-30658 PagerDuty: New integration for discovering PagerDuty teams, users, and roles.
EAC-30655 ZenDesk: New integration for discovering ZenDesk users, groups, and roles.
EAC-31121 Audit Log API: The maximum page size when exporting events is now 10,000 (increased from 1,000 events per page).
Changes in Veza release v2024.1.1
EAC-30780: For improved readability, dashboards now use a 2-column view when the Duration is one year.
EAC-30415: Added an internal setting to optionally hide risk levels for query results, for improved performance when searching across large environments.
EAC-30593: Added support for sorting Certification results based on the contents of the Summary Entities column.
EAC-30501 AWS: The local user for AWS database discovery no longer needs to have the same username as the AWS IAM user configured for the AWS integration. Administrators can specify any Redshift DB User, RDS MySQL DB User, or RDS PostgreSQL DB User when configuring an AWS integration.
EAC-30162 Okta: Added an option for authenticating with Okta using OAuth 2.0 client credentials (private keys), as an alternative to API tokens.
FR-1673 Salesforce: Salesforce users now have the department attribute.
EAC-30199 Access Intelligence: Non-root teams can now access the Overview page and Analysis section, restricted to integrations in the team scope.
Changes in Veza release v2023.11.13
FR-1587: The Risks page and exported lists of risks now include entity IDs to help differentiate between entities with the same name.
EAC-22739 An optimized Access Reviews Certification view is now available for all customers.
EAC-28147 Terraform: Added a new OAA-on-Veza connector for discovering Terraform users, groups, and roles.
EAC-28659 Grouped AWS S3 Bucket Policy Statements: AWS S3 Bucket Policy Statements are now represented as grouped entities; Statements with the same Effect, Action, NotAction, Principal, and Condition properties across separate Bucket Policies are now parsed as a single graph entity representing the same statement.
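To illustrate the grouping described above, here is an added example (not Veza's code) that collapses bucket policy statements sharing Effect, Action, NotAction, Principal and Condition into one entity, while keeping track of which buckets and Resources each grouped statement applies to. The normalisation rules (scalar-or-list fields, sorted lists, case-insensitive action names) are assumptions about how such statements can be compared; the sample policies are constructed.

```python
"""Group S3 bucket policy statements that are identical apart from Sid and Resource.

Added example, not Veza's implementation: the grouping key is an assumption about
how statements can be canonicalised; the sample policies below are constructed.
"""
import json
from collections import defaultdict

# The five fields the release note names as the grouping criteria.
GROUPING_FIELDS = ("Effect", "Action", "NotAction", "Principal", "Condition")


def _normalize(value):
    """Canonical form for a policy value. IAM accepts a scalar or a list in most
    fields, so a bare string becomes a one-element list, lists are sorted, and
    dicts are normalised recursively."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        items = [_normalize(v) if isinstance(v, dict) else v for v in value]
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    if isinstance(value, dict):
        return {k: _normalize(v) for k, v in value.items()}
    return value


def statement_key(statement):
    """Grouping key: canonical JSON of the grouping fields only. Sid and Resource
    are deliberately excluded so the same statement attached to different
    buckets collapses into a single entity."""
    parts = {}
    for field in GROUPING_FIELDS:
        if field not in statement:
            continue
        value = _normalize(statement[field])
        if field in ("Action", "NotAction"):
            # IAM action names are case-insensitive, so compare them lower-cased.
            value = sorted(a.lower() for a in value)
        parts[field] = value
    return json.dumps(parts, sort_keys=True, separators=(",", ":"))


def group_statements(bucket_policies):
    """bucket_policies maps bucket name -> policy document. Returns one entry per
    distinct statement, listing the buckets and Resources it was found on."""
    groups = defaultdict(lambda: {"buckets": [], "resources": set(), "count": 0})
    for bucket, policy in bucket_policies.items():
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be a bare object
            statements = [statements]
        for stmt in statements:
            key = statement_key(stmt)
            group = groups[key]
            if group["count"] == 0:
                group["statement"] = json.loads(key)
            group["count"] += 1
            group["buckets"].append(bucket)
            resource = stmt.get("Resource", [])
            group["resources"].update([resource] if isinstance(resource, str) else resource)
    return [{**g, "resources": sorted(g["resources"])} for g in groups.values()]


# Constructed sample: two buckets carry the same auditor-read statement written in
# different (but equivalent) forms; a third bucket has a distinct public-read statement.
SAMPLE_POLICIES = {
    "logs-bucket": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Read", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/Auditor"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::logs-bucket", "arn:aws:s3:::logs-bucket/*"]}]},
    "backup-bucket": {"Version": "2012-10-17", "Statement": {
        "Sid": "AuditorRead", "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:role/Auditor"]},
        "Action": ["s3:listbucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::backup-bucket", "arn:aws:s3:::backup-bucket/*"]}},
    "public-bucket": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]},
}

if __name__ == "__main__":
    for entity in group_statements(SAMPLE_POLICIES):
        print(entity["count"], entity["buckets"], entity["statement"])
```

Running the block prints two grouped entities: the auditor-read statement shared by logs-bucket and backup-bucket, and the separate public-read statement.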
FR-1612: Salesforce profiles and permission sets now include the description attribute.
FR-1335 Microsoft Active Directory Foreign Security Principals: The AD integration now supports related users and groups from different domains when each domain is integrated with Veza. Active Directory Users and Groups now have a SID attribute, which Veza uses to compute cross-domain connections.
EAC-27998: Added a Timestamp (Windows AD Format) type for custom properties and updated all AD property configurations to indicate that timestamps use this format.
EAC-21390: You can now type to search for users when adding them to Teams. The list of users is now sorted alphabetically.
EAC-28036: Improved redirect logic for logged-out users and fixed an issue with deep links not redirecting as expected when enabling the option to always log in with SSO.
Changes in Veza release v2023.10.30
EAC-28663: Operators can now choose any nestable source or destination entity type as Summary Entities for Access Review queries. This allows reviewers to inspect intermediate relationships in scenarios where roles can assume other roles, or groups can belong to groups (such as intermediate groups between AD Users and AD Groups).
EAC-28523: Refined the timezone selection dropdown for easier certification scheduling.
EAC-28794: Fixed an issue causing unexpected results when multi-selecting query destinations including OAA entity types.
EAC-28883: Improved query performance for Snowflake Over Provisioned Scores.
EAC-27577 NetSuite insights: Added built-in queries for NetSuite to find identities such as deactivated users, administrators, and deactivated Okta or Azure AD users with NetSuite permissions.
EAC-28597 Okta timestamps: Okta timestamp attributes now include hours, minutes, and seconds (previously these rounded to the nearest day).
Changes in Veza release v2023.11.4
EAC-29067: Report summaries on dashboards can now include descriptions for better context.
EAC-29539: Fixed an issue where adding queries or sections could reset the report builder.
EAC-28270 Certification Column Grouping (Early Access): Introduced grouped columns for certifications, organizing source and destination entity attributes and result metadata for enhanced readability.
FR-1562, FR-1568 Intermediate Entity Attributes in Certifications: Certifications for Workflows that use Advanced Options > Relationship to show intermediate entity columns now include all waypoint entity attributes. Reviewers can toggle visibility using the columns dropdown to assist in decision-making.
EAC-28827 Attribute Filter Combinations: Workflow queries now support groups of attribute filters with AND or OR operators to better define the scope of Access Reviews.
EAC-29447: Exporting Certifications now includes decision columns decision_by_name, decision_by_id, and decision_by_email.
EAC-29803: Draft Certifications can no longer expire, preventing confusion.
EAC-30076: Fixed an issue with incorrect sign-off timestamps in PDF exports of Certifications.
EAC-26618: The View Datasource Snapshot Status action on the Certification Details sidebar is now hidden when no snapshots are present.
EAC-23758, EAC-26603 Attribute Filter Group Enhancements: Attribute filters for Query Builder and Authorization Graph can now use two levels of AND and OR operators. Before, all operators had to be at a single level.
EAC-30155 Identity Provider IDs: To better support environments with more than one instance of the same authorization provider, the parent Datasource ID is now shown when hovering over the following entity types:
Okta User
Okta Group
Active Directory User
Active Directory Group
One Login User
One Login Group
FR-1637 Enhanced Identity Mapping for Custom Providers: Identity mapping configurations can now use the Custom User email attribute to correlate accounts within two providers (such as Okta and NetSuite).
EAC-29566 Grouped AWS KMS Policy Statements: AWS KMS Policy Statements are now grouped by common attributes, consolidating identical statements across different policies into a single graph node.
EAC-14019: Users logging in with Single Sign On can now be assigned roles based on authorization provider group assignments. Veza administrators can now change the default role for SSO users under Sign In Settings > Configure SSO.
EAC-30081: Administrators can now easily add team members directly from the Settings > Teams page.
EAC-31118 Custom Identity Mapping for OAA Apps: for specifying relationships between local accounts on different platforms or apps can now use for Open Authorization API-based integrations.
EAC-31048 Improved Formatting for Jira Alerts: Jira issues created by now have an improved Description format intended for easier human readability. The original JSON is now included as a file attachment to these issues.
EAC-30693: AWS entities now appear on the Activity Monitoring dashboard, when the Early Access feature is enabled. See for more details.
EAC-30550 Jira Data Center Support: The now supports both the Atlassian Cloud (SaaS) and Atlassian Data Center (on-premise) products. This is configurable by selecting the Atlassian Product property when configuring the integration.
EAC-31035 Set Resource Managers for Any Entity Type: All entities can now have Resource Managers that can be . The option to Set Resource Managers is now available on the graph actions sidebar, regardless of entity type. Previously, only resource-type entities could be assigned "Owners."
EAC-30805 Sign-off on rejected rows can now trigger Jira ticket creation using .
EAC-28927: All customers can now manage users with and the read-only viewer role.
EAC-27423 Expanded SharePoint Online API permissions: Permissions on SharePoint Sites and Lists can now be extracted when granting the additional Sites.FullControl.All permission.
EAC-28609 Snowflake role types: Added support for Snowflake Role types to help differentiate between custom, inherited, and system roles. Veza collects this role attribute automatically unless you use an alternative database for the integration. If this is the case, see to update integration permissions.
FR-1615 Enhanced Risk Details: Clicking a risk score in Query Builder results now reveals all queries with risk levels that contributed to the . Users can optionally run any contributing queries or view them on the Risks page. Risks in the Authorization Graph sidebar now show risk levels as Warning or Critical.
EAC-29144, EAC-29145 CSV Import Improvements: Enhanced flexibility in , including versatile user naming, more activity status options, and a searchable email user attribute.
Changes in Veza release v2023.9.18
EAC-27352: Added built-in assessments for Microsoft Azure Private Links: Azure AD Users with Private Link Service write or delete permissions and Azure AD Users with Private Endpoint write or delete permissions.
EAC-27354: Added built-in assessments for Microsoft Azure AKS: Azure AD Users with AKS Managed Cluster write permissions and Azure AD Users with AKS Managed Cluster delete permissions.
FR-955 Certification action log: Administrators and operators can now review the complete history for any certification item, including changes to reviewer assignments, notes, and decisions. When enabled, the functionality is available under result Actions > View Action Log, with the option to search for events by keyword or type. This early access feature will be enabled for customers over the coming weeks.
EAC-22278 Single-action Approve and Sign Off: Reviewers can now approve and sign off on certification results with a single action. Users can apply the combined decision using a Smart Action, the row actions dropdown, or a Bulk Action on selected results. This feature is now enabled for all customers.
EAC-27079: Fixed an issue where the certification Export button was disabled until columns were selected.
EAC-27133: Approve and Sign Off Smart Actions are now listed correctly on the Action History tab.
EAC-27138: Fixed an issue where the Smart Action History modal closed suddenly when a running action was completed.
EAC-27360: Fixed an issue with failing API calls to /api/preview/awf/access_graph.
EAC-27395: Fixed an issue where some columns could not be selected when exporting certifications.
EAC-27182: Summary Entity types and count filters are now enabled on the left search bar under Advanced Options. It’s now possible to specify Summary Entities and filters on Summary Entity count for all Query Builder output formats, which can be:
Source entities (with destination count)
Source and destination pairs (without path summary)
Source to destination pairs (with path summary)
EAC-27438: Fixed an issue with failing Query Builder exports.
EAC-26898 Configurations v2 (Early Access): The Veza Configuration pages have been completely overhauled for more streamlined integration management and improved visibility into the status of your integrations. The enhanced user experience will be enabled for select customers over the coming weeks. To participate in the early rollout, you can request to have Configurations v2 enabled for your platform.
EAC-27171 SharePoint Site Details: Veza now collects additional SharePoint Site details, enabling attribute filters on: Owner Display Name, Is Deleted, Storage Used, and Storage Allocated.
EAC-27268 Snowflake Tags: Tag discovery is now optional for Snowflake integrations. Note that the integration role requires some additional permissions if using an . You can enable tag extraction for a new or existing Snowflake integration by editing the configuration.
Changes in Veza release v2023.10.23
EAC-28454: Fixed an issue preventing Okta users from appearing in dropdown menus on the Comparison page.
EAC-28179: Exports now include additional columns: decision_by_id, decision_by_name, decision_by_email, and decision_at.
EAC-27286: Enhanced Query Builder to allow selection of any nestable source or destination entity type as Summary Entities. This enables advanced search in scenarios where groups can belong to other groups, or when one role can assume another (such as showing intermediate roles between Snowflake Users and Snowflake Roles).
EAC-27195: Added relative date filters to Query Builder, such as hours or days in the future.
EAC-28335: Query Builder exports now maintain custom column ordering.
EAC-26006 Azure PIM: Added support for Azure Privileged Identity Management (PIM), revealing temporary role assumptions based on scheduling rules. New "Role Eligibility Schedule Schema" entities can now connect Users and Roles. You can filter on properties such as scope, status, or start and end time of eligibility. To collect PIM metadata, you must enable the option by editing the Azure integration and choosing Extract PIM Eligibility.
Early Access connectors for Ramp, Google Drive, and DocuSign are now available on the Veza platform.
EAC-27895: Extended AWS RDS MySQL discovery to include system schemas such as 'sys', 'performance_schema', and 'mysql'. To enable, choose Gather System Tables when configuring an AWS integration.
EAC-28265: Renamed Ping Identity entities to Ping One.
EAC-28446: Fixed a Databricks extraction error related to users without email addresses.
EAC-28599: Fixed a login loop issue for unauthenticated Okta users when using Single Sign-On.
Changes in Veza release v2023.9.25
FR-1435 Mobile swipe mode: When viewing a certification on a mobile device, you can now reject or accept results one at a time by flicking cards left or right. Reviewers are prompted to sign off after making a decision on each batch of 10 results. To access this feature, click the options (…) dropdown and toggle Swipe Mode.
FR-1536 Mobile Smart Actions: After applying a filter, reviewers can now approve, reject, sign off, reassign reviewers, or add a note to the filtered set of results by clicking the Smart Action icon.
The following SaaS integrations are now available in early access. Please contact our customer success team to learn more:
EAC-26911 NetSuite (Early Access): Integration for discovering NetSuite User, Roles, and Subsidiary Resources.
EAC-26909 Coupa (Early Access): Integration for discovering Coupa users, groups, and role membership information.
EAC-26796 Slack (Early Access): Integration for discovering Slack users, roles, and permissions.
EAC-27293 CrowdStrike (Early Access): Integration for discovering CrowdStrike Falcon users, roles, and permissions.
EAC-27579: The option to show or hide indirect relationships (Include assumed) now correctly applies when showing destination entities.
Changes in Veza release v2023.10.2
FR-1504: Dashboards now show trends over time as the default view, instead of total result counts.
EAC-27496 Assessment Queries for Snowflake: Out-of-the-box Saved Queries now include Snowflake Users with Database Access, Snowflake Inert Users, Snowflake Super Users, Snowflake Users with Default Roles, Snowflake Users with Privileged Access, Snowflake Users with Privileged Role as Default Role, and Snowflake Inert Roles.
EAC-26127: Admins and operators can now choose a combination of several destination entity types when creating a workflow.
EAC-23049: Filters on notification status can only use the eq (equals) operator. Filters on notes can only use the co (contains) operator. Other operators are now disabled when applying a filter on one of these columns.
FR-1535: Certification view for mobile devices now supports landscape mode and is compatible with iPhone 12 Pro.
FR-1429 PingOne (Early Access): A Veza-built integration is now available for discovering Users, Groups, and Roles, along with Populations, Applications, and external Identity Providers.
EAC-26898: An enhanced Integrations page for managing Veza integrations is now enabled for all customers.
Changes in Veza release v2023.10.16
EAC-27199 Access Review Scheduling: It's now possible to automate Access Reviews with scheduling rules. To enable, go to Access Reviews, find a workflow, and click Actions > Create Schedule. Veza will start new certifications at the specified times on a weekly basis using the latest Authorization Graph data.
EAC-27454 Access Review Intelligence: You can now use historical decision data to automatically approve or reject results in when creating certifications. For example, you can set automations to auto-approve previously approved or auto-reject previously rejected items.
The executed automations are shown in each certification's status banner for users with Administrator and Operator roles.
Veza uses the most recent completed or expired certification for determining prior states.
A Preview API is available for Administrators to manage these automations, and enable them for specific workflows.
EAC-22278 Approve & Sign Off: This action is now universally available for certification reviewers.
EAC-28182: Disabled the Smart Action button for multi-row selection, to indicate when a Bulk Action should be used instead.
EAC-28121: Fixed an issue where exporting to CSV in certification view did not include the selected columns.
EAC-27985 Tags in Query Builder: You can now review entity tags applied to results using Include all source tags and Include all destination tags search options.
EAC-27390: Added relative date filters for hours or days in the future in Query Builder.
EAC-28123: Added the option to select entity type groupings like "User" as Query Builder source entity type.
EAC-28088: Added Query Builder columns showing System Permissions and Effective Permissions.
EAC-28002: Fixed issues where Summary Entities and their counts were incorrectly applied in filtered queries.
EAC-28065, EAC-27632: Fixed issues affecting query constraints on nested Active Directory Groups.
EAC-27169 SharePoint User Details: Veza now gathers additional SharePoint User details, searchable through attribute filters: Is Guest, Is Site Admin, User Principal Name, Is Deleted, Deleted Date, Last Activity Date, Viewed Or Edited File Count, Synced File Count, Shared Internally File Count, Shared Externally File Count, Visited Page Count, Assigned Products.
EAC-28318: Prevented an error occurring when connecting to Google Cloud projects with Cloud Run Admin API disabled.
EAC-28127: Exporting Risks to CSV now consistently includes all results, regardless of the selected date range.
EAC-28128: Fixed an issue where Risk exports sometimes omitted certain query names.
FR-1525 A preview API is now available for exporting .
EAC-27716 Entity Risk Scores: All entities now have a Risk Score attribute of 0-100, which is based on the number of queries with a critical or warning risk level that the entity is in the results of. You can create queries and rules to detect and alert when change or exceed a threshold.
EAC-25562 MFA for local users: Users can now enable for an additional layer of security when not using Single Sign On.
EAC-28207 API Keys for Teams: Introduced optional scoping of API keys to , allowing for non-root, read-only API access. Users can now choose from available teams when creating API keys. Administrators can view team scopes on the API Keys page.
Changes in Veza release v2023.9.11
EAC-27079 When exporting certifications to CSV, you can now immediately Export all columns, or pick individual columns to rename and export.
EAC-26995 When configuring Workflow notifications and reminders, you now must enable recipients before you can pick an event. This prevents an issue with changes not persisting after clicking Save.
EAC-27050: For users with the access reviewer role, the Show Users button now correctly filters the list based on the reviewer's assigned rows. An optional column now shows the type of user.
EAC-11728 Improved usability for Authorization Entities sourced from OAA integrations: Entities created with Open Authorization API (OAA) no longer have generic types such as Custom User or Custom Group. You can now search for these entities in the same manner as entities created by a built-in integration (e.g. ZenDesk User, Trello User). This change currently applies to Authorization Graph and Query Builder.
When an OAA integration and built-in integration are enabled for the same provider (such as GitHub), custom application entity types will have OAA as a prefix (GitHub User and OAA GitHub User).
EAC-27031 Exporting Query Builder results now includes all of the source entity attributes that are currently enabled and visible.
Note that exporting all enabled columns for the destination entity is not yet supported.
FR-1473 Azure Private Links: The Azure Integration now discovers Azure Private Links and Private Endpoints.
EAC-26912 Fixed an issue where AWS RDS databases could be removed from the Authorization Graph when in a "backing up" state.
EAC-27025 Prevented an error during OAA payload submission due to null custom property values.
EAC-27041 Prevented Snowflake extraction errors when encountering unexpected characters in resource names.
EAC-27205 Snowflake tag extraction is temporarily disabled.
EAC-26764 Fixed an issue where digest emails could reference Salesforce Misconfigurations even when the integration was not enabled.
EAC-27080: In mobile view, the User Guide button now appears at the top of the page, and is no longer contained within the Certification Review Status dropdown. This change applies to any certifications for workflows with .
FR-1313 Azure PostgreSQL: The Azure integration now supports .
Changes in Veza release v2023.8.28
EAC-18135 Dashboard report customization: Users can now directly customize the Dashboards home page by clicking the Add Reports button and selecting from a list of all built-in and user-created reports.
EAC-26676 Query Details view: Clicking View Details for a saved query now opens a comprehensive overview with tabs for creating rules and managing risk exceptions, visualizing trends over time, and reviewing the original query description and parameters. This extended query details view is now generally available for all customers, replacing the old details modal.
EAC-26174 Summary entities — count filters: It is now possible to constrain Query Builder results based on the number of summary entities (for example, show roles with >= 4 levels of child roles). A Summary Entity Options section will appear in the left search sidebar when this setting is available.
EAC-26272 Related entities — % filters (Early Access): It is now possible to filter on the percentage of related entities (for example, show any users with access to more than 33% of all potential roles). When activating this Query Builder option, a column shows the total percent of possible destinations each result relates to.
EAC-23839 Link to filtered certifications (Early Access): When enabled, Certifications include a button to copy a link to the current filtered view. Opening a Certification now applies the filter specified in the URL.
EAC-12403 When customizing webhooks and other workflow Orchestration Actions, descriptions now clarify that actions will trigger on row sign-off (and not immediately when a result is accepted or rejected).
EAC-17338 When applying smart actions, typing to search for a field is no longer case-sensitive.
FR-1457 The Access Intelligence, Access Monitoring, and Workflows sections are renamed to Access Intelligence, Access Monitoring, and Access Reviews.
Changes in Veza release v2023.10.9
Snowflake Data Governance Dashboard (Early Access): Veza introduces a specialized dashboard for customers using the Snowflake integration, providing a range of out-of-the-box insights, including:
Inert Snowflake Users and Roles
Snowflake Super Users and Super Roles
Users with Default Roles
Users with Privileged Access
Snowflake Users with Privileged Role as Default Role
These insights can be accessed on the main Dashboards page under the Snowflake tab. You can customize the featured queries by editing the Snowflake Data Governance Dashboard report.
FR-1431: The maximum length for saved query descriptions is now extended to 16,383 characters.
EAC-27562: To prevent errors, enabling Over Provisioned Scores in Query Builder is no longer available when showing Destination Entities or Summary Entities.
EAC-28126: Fixed an issue with suggestions not appearing when clicking to pick entity types in Query Builder.
EAC-27881: Swipe mode is now enabled by default when opening certifications on a mobile device.
EAC-27923: Resolved an issue where custom entity types were not shown as valid destination entity types during Workflow creation.
EAC-28035: Fixed an issue where exporting results from the certification view did not include all columns (such as decision or sign-off state) by default.
FR-1089, FR-1158 Entity Type Visibility in Authorization Graph: To improve Graph readability, "Service"-type entities are now hidden by default, along with some other entities such as Organizational Units, Accounts, and Domains. These entities are now shown by enabling Relationship Options > Advanced View.
EAC-27976: Optimized loading of time machine snapshots during query creation.
EAC-27172 SharePoint Sharing Capabilities: SharePoint Online entities now have the Sharing Capability property. This property can be queried by attribute filter, indicating the maximum-permitted sharing settings available to all children of the given tenant. To extract this property, the SharePointTenantSettings.Read.All permission must be added to the integration capabilities.
EAC-27995 SharePoint Lists: SharePoint Lists are now supported by default.
EAC-26926 SharePoint Folder Library Type: SharePoint Folders now inherit the Library Type property from their parent Library. This property can have the following values:
personal (OneDrive Personal Drive)
business (OneDrive Business Drive)
documentLibrary (SharePoint Library)
EAC-27170 SharePoint Folder - Sharing Links: Sharing Links are now listed as properties on SharePoint Folders. Folders with any Links are denoted by a boolean IsShared property, allowing users to easily query for shared Folders. Links are reported in the format <scope>|<type>|<url>.
EAC-27502: When configuring integrations, you can now deselect all non-required services on the Limit Services tab. For customers using Azure AD and no other Azure services, this prevents extraction of all resources outside of Azure AD.
Changes in Veza release v2023.9.4
FR-1189 Azure AKS: The Azure integration now includes support for Azure AKS Services, Resources, and Managed Clusters.
MongoDB Atlas Users with permission to create database deployments
MongoDB Users with delete permissions
EAC-26268 It is now possible to edit and save existing Analysis > Segregation of Duties queries from a new Save Query actions menu. This provides the same options as provided in the Query Builder, such as copying the specification, opening the Query Details view, or cloning the query.
FR-1408 Review access for unique users (Early Access): It is now possible to view each user involved in a certification, and quickly open a new tab containing just the results involving that specific identity. When enabled, you can open the list of unique users and view their individual result rows by clicking Certification > Show Users > View Details.
EAC-24734 Export custom column names: You can now change the column display names after selecting up to 12 columns to include in exported PDFs. To do so, open an existing certification, click the Export button, and choose the columns to export and rename.
EAC-26184: Fixed an issue with unusual selection states after applying bulk actions from the mobile UI.
Changes in Veza release v2023.8.21
Insights Overview (Early Access): When enabled, you can now see all relevant assessments for any type of entity from a new Access Intelligence > Overview page. You can apply additional filters based on risk level, creator, or query labels, and quickly access the details view for any related Saved Query (EAC-20488).
Trends for Dashboard Reports (Early Access): When enabled, you can toggle between a visualization of trends over time and the current number of results for each Dashboard Report on the Home page. It is also now possible to download any trend chart by opening the action menu and choosing Expand > Export to PNG (EAC-20519).
Attribute filter sorting: The list of possible attributes is now ordered alphabetically when adding a filter. Typing to search now filters the list. Common properties for all entities, such as Name and ID, appear at the top (FR-1477).
Saved Query usability: Choosing the Clone Query action now opens the Save Query flow with options to change the name and details, create rules, or add the query to reports (EAC-22530).
Graph: Fixed an issue causing the text "0 Identities are connected to Resource" to appear when using the Show Identities advanced action (FR-1469).
Query Builder: To better match values in the UI, exported CSV files now indicate the related entity type in the "Relates To" column header, instead of prepending it to names in each row (EAC-26217).
Snowflake Tags: The Snowflake integration now discovers native tags applied to securable objects within Snowflake. You can review tags by inspecting an entity’s details, or by opening the Data Catalog > Tags page (FR-626).
Azure Cognitive Services: The Azure integration now automatically discovers permissions on Azure Cognitive Services, including Azure Open AI (EAC-25871).
Active Directory: AD Users now have the timestamp attributes Account Expires and User Password Expiration (EAC-26389, EAC-26397).
GitHub Enterprise: Added support for the GitHub Deploy Key entity type, enabling search for repositories with configured SSH deployment keys, and the roles those keys can assume (EAC-25918).
The View Documentation icon is now labeled Help (EAC-26345).
The Access Search section on the navigation menu is now Access Search (EAC-26009).
FR-943 CSV Import (Early Access): Administrators can now create custom providers and populate data sources directly from CSV files. Use it to upload user, group, and role metadata and create OAA integrations with no command-line interaction required.
FR-874 MongoDB Atlas: A new integration enables discovery of the MongoDB Atlas DBaaS platform, including Atlas Organizations, Projects, Users, Roles, Teams, and Clusters. Saved queries are available to show:
EAC-23841 Smart Actions API: You can now use the apply_to_all_rows option to explicitly run the action on all certification results. This option applies only when no other filter is specified.
Multi-Factor Authentication (Early Access): When enabled, local users (such as system administrators) can now configure multi-factor authentication by opening their user profile. Users logging in with single sign-on will continue to use MFA from the identity provider (EAC-22237).
The Administration > Events page now supports filtering on all possible event types (EAC-26138).
Changes in Veza release v2023.7.24
Groups of entity types, such as all Users, Resources, Identities, or Service Accounts, are now an option when picking the source or related entity in Query Builder.
Attribute filter groups: Using the Query Builder, you can now specify complex constraints by adding several constraints with AND or OR operators. For instance, it is now possible to query for Okta Users with recent activity AND no multi-factor authentication, with permissions on Snowflake databases named ABC or XYZ.
Queries constructed with the v1 API may now specify constraints with a condition_expression, deprecating the original conditions array.
Full details on the Access Intelligence > Analysis page: You can now open a modal showing all entity attributes by clicking on a result name.
Comparison: For improved readability when comparing identity permissions on resources (e.g., Okta Users to Snowflake Databases), clicking any row value now opens a detailed comparison for that resource in a modal.
Saved Queries: Updated tabs on the Saved Queries page to clarify that users are switching between Query View and Rules View.
The left sidebar on the Reports page is now collapsible.
EAC-24047: Fixed an issue causing federated users to not appear in role analysis results.
Changes in Veza release v2023.8.7
SCIM integration (Early Access): Providers with System for Cross-domain Identity Management (SCIM) APIs can now be integrated with Veza to discover users and groups. To add a SCIM integration directly from the Configuration page, the OAA on Veza feature must be enabled.
OpenAI integration: A new integration is now available for discovering users that are members of an organization, and their assigned roles.
Workday integration: Worker entities now have the additional attributes TerminationDate, WorkdayID, and IsActive.
Some pages are renamed to better differentiate Query Builder and Graph search:
Access Search > Graph
Saved Searches > Saved Graphs
EAC-16246 Improved error handling for invalid graph search requests.
Improved performance for bulk actions and result loading.
FR-998 Preview APIs are now available for listing and exporting events.
Changes in Veza release v2023.8.14
S3 Buckets now have the Default KMS Master Key IDs attribute, indicating which (if any) keys are applied to the bucket.
OAA integrations can now use the Uncategorized permission type, intended for when custom application permissions are unknown or not mapped, and existing permissions like NonData are inaccurate.
EAC-26114 Google Cloud: Fixed an issue causing queries for Compute Virtual Machine > GCP Project relationships not to return the expected results.
FR-1280 Veza Email Digests: Users now receive an email digest containing critical Veza information all in one place, including changes to Risks and Reports, Rules and Alerts, and Integrations. You can change email frequency to Daily, Weekly, Monthly, or Never by opening your user profile from the main navigation menu.
FR-927 Always log in with SSO (Early Access): When enabled, after configuring single sign-on (SSO), visitors to the Veza login page will be redirected to the configured identity provider for authentication. When this feature is not enabled, users will see the option to log in with a local account or continue with SSO. Users can bypass the redirection and log in with local account credentials by adding the no_redirect URL parameter, for example: http://<your-org>.vezacloud.com/login?no_redirect
FR-1417 Improved Report Exports: When exporting reports in PDF format, you now have the option to show destination nodes for results, and include columns for source entity properties and summary entities. This early access capability is now available for all users.
Improved Tagged Entity Search (Early Access): Clicking any entry on the Tags page now opens a tags details view, including a searchable list of all entities with that tag. You can export the results, or search for the entities in Query Builder. Tag details are also available when viewing entity details in Graph or Query Builder.
Segregation of Duty queries constructed with the Access Intelligence > Analysis page now open in the appropriate builder.
Visitors are no longer shown a selection of Quick Links when navigating to Access Search > Graph.
EAC-26232 Users with the administrator role now correctly see the Mark as Fixed option for rejected and signed-off certification rows.
EAC-26167 Improved performance when modifying the Over Provisioned Score (OPS) threshold for saved queries.
Changes in Veza release v2023.7.10
Rules can now trigger alerts when entity attributes change. When adding conditions for a rule, you can choose Query Properties to receive alerts when Veza detects a change in the entity attribute, such as User activity status or Policy statement count.
You can now mark queries as Public or Private when saving them. Additionally, you can view and filter Saved Queries by the new Visibility column. Private queries, like private reports, are visible only to owners.
Editing an entry on the Rules page now opens the original assessment to add, remove, or edit rules in Query Builder.
FR-1392: To provide the same details as notifications sent using the Slack integration, email notifications for triggered alerts now include the rule description, severity, threshold, and node count.
You can now filter the Alerts page by query name.
EAC-22644: Alert Rules: Fixed an issue where email notification bodies incorrectly contained header information (MIME-version and Content-Type).
EAC-23829: Query Builder: Fixed an issue where the Export button was hidden after selecting a related entity type.
The option to display 200 certification results per page is no longer available. In some cases, showing 200 results resulted in a poor user experience due to slow page rendering. Users can still choose to show 10, 30, 50, or 100 results per page.
EAC-22803: Fixed an issue where the Bulk Action dropdown was incorrectly enabled when comparing certifications.
EAC-23876: Improved performance when loading the main Workflows page, preventing Failed to fetch certifications errors.
Changes in Veza release v2023.7.31
Enhanced Query Details (Early Access): When enabled, a new interface for reviewing Risks, Reports, and Alerts for the chosen query will replace the saved query details modal. You can use the query details view to manage exceptions or create rules, visualize trends over time, and access the original query description and parameters.
Improved Save and Edit Query: You can now access all possible actions for a saved query from a new Save dropdown menu. Options include editing query rules, exporting results, or cloning the query.
Export Summary Entities: When Summary Entities are selected, Query Builder exports will now include a column containing the chosen entity types in the path from result source to destination.
FR-1276 JSON query specifications: When creating a query, you can now view or copy the request for use with the Query Builder API. To do so, click the Save button and choose View or Copy Query Spec.
EAC-24856 Analysis: Improved responsiveness when selecting permissions in the Segregation of Duties builder.
EAC-25541 Query Builder: Fixed an issue that could cause the Relates To dropdown to not include all valid destinations when the source was a Custom Role or another OAA entity type.
All direct links to Heatmaps are now removed. Users who have bookmarked the page will no longer be able to access heatmaps from that URL. Heatmaps are still available as an option within Query Builder.
Workday Integration (Early Access): A new integration for Workday Human Capital Management (HCM) enables Veza to discover Workday identities, security groups, and policies.
Confluence Server: A Veza-built OAA integration is now available for gathering users, groups, spaces, and permissions for Confluence Server on MySQL and PostgreSQL.
OAA on Veza (Early Access): To make it easier to run and configure Open Authorization API-based integrations, it is now possible to enable supported Veza-built integrations directly from the Configuration page, with no additional deployments or command-line customizations. For Early Access, OAA on Veza can be used to add and manage the GitLab integration.
Access Monitoring (Early Access): Over Provisioned Scores are now calculated for users and groups with Snowflake Schema permissions (before, this information was available for Databases, Views, and Tables).
Improved performance when auto-assigning reviewers, during certification creation and when applying Smart Actions.
EAC-23881 When managing reviewers on a mobile device, clicking the X next to a reviewer name now un-assigns them.
Integrations for ServiceNow, Databricks, and several other providers are now generally available on the Veza platform.
Changes in Veza release v2023.7.17
Entity Comparison (Early Access): A new Access Intelligence > Compare page can show variations in permissions to resources and group memberships for different users. For example, you can use this feature to compare Google Project permissions for two Google Users, or Microsoft Azure AD Group assignments for two Okta Users.
Dynamic reports: When creating a report, you can now add queries individually or pick the dynamic report type. Dynamic reports include all queries with the chosen labels and integrations, and update automatically when queries meeting the criteria are added or removed.
Configurations v2 (Early Access): The Configuration pages have been completely overhauled to offer more streamlined integration management and improved visibility into the status of your integrations. Please contact our support team to preview the new user experience before it is generally available.
Google Cloud Cross Organization Permissions (Early Access): Veza now displays cross-account connections for Google users, groups, service accounts, and role bindings in system query mode.
FR-1388 Salesforce permission set names: For improved readability, Salesforce Permission Sets are now labeled with the name <profile name> Permission Set, instead of by unique ID.
EAC-22587 Teams (Early Access): Fixed an issue where team provider icons could overlap, making them unreadable. The providers assigned to a team are now grouped under a single icon for each integration type, which can be hovered over to view details.
Changes in Veza release v2023.6.26
AWS Secrets Manager: Veza now supports searching and monitoring User and Role permissions on AWS Secrets.
The AWS integration now discovers the new entity types Secrets Manager Service and Secrets Manager Secret, and Secret attributes such as last rotated and last accessed dates.
New out-of-the-box assessment queries: AWS Secrets Manager secrets that haven't been rotated for 90 days and AWS IAM Users with permission to delete Secrets Manager secrets.
Improved error handling for the Box integration.
When saving a query, you can now apply an existing label or create a new one.
When saving a query and adding it to a report, you can now choose a report section for the query.
Fixed an issue with queries that could cause alerts to trigger incorrectly.
Early Access: Reviewers on mobile devices can now use the Approve and Sign-Off action.
Improved performance when creating certifications and when loading certification results.
The grace period for marking expired certification results as Fixed after a certification has expired (default 7 days) is now configurable by the Veza support team.
Changes in Veza release v2023.7.3
SaaS Misconfigurations for GitHub: The GitHub integration now offers additional assessment queries to monitor repository security risks. The new queries include:
GitHub Repositories without branch protection rules
GitHub Repositories that allow default branch deletion
GitHub Repositories that allow force push on default branches
GitHub Repositories that allow merges to default branches without pull request approval
GitHub Public Repositories that allow forking
GitHub Organizations with disabled MFA
GitHub Repositories with secret scanning disabled
GitHub Repositories with vulnerability alerts disabled
GitHub Security Advisories
Repositories now have the attributes allow_forking, secret_scanning_enabled, default_allow_delete, default_allow_force_push, default_require_pull_request_approval, and has_branch_protection_rules.
Show destination entities in Query Builder: Query Builder now has the option to display pairs of source and destination nodes as results, similar to Workflow queries.
For example, when executing the query Google User to Google Cloud Project, you can choose to Show Google Cloud Projects related to each user in the results. The results will contain additional columns showing the Project name and any other destination entity attributes.
Report export enhancements (Early Access): When exporting reports in PDF format, you now have the option to show destination nodes for results, and include columns for source entity properties and summary entities.
Note that all queries in the report to export must specify the same source and destination entity types to support these options.
FR-1380 AWS Elastic Container Repositories (ECR): The AWS integration now supports the discovery of public and private ECR registries and repositories. New out-of-the-box insights are available to identify:
AWS IAM Users with permission to create ECR Private Repositories
AWS IAM Users with permission to create ECR Public Repositories
AWS IAM Users with permission to put images into ECR Public Repositories
AWS ECR Public Repositories
Cross-Account Effective Permissions (Early Access): When enabled, the Google Cloud integration now shows cross-account access for users in one GCP organization assigned to groups in an external organization.
Custom datasource payloads in integration details: You can now view the most recent custom provider push payload in JSON format by clicking on an integration name and selecting Show Schema Definition.
Changes in Veza release v2023.6.19
Box integration: Added retry logic for 503 status errors and improved parsing to handle additional error cases.
Segregation of Duty (SoD) Analysis (Early Access): The Access Intelligence > Analysis page now includes an additional section for creating queries with complex "and"/"or" statements and condition groupings. This query mode can identify users that belong to one or more groups, users that can assume different roles (such as conflicting roles that violate certain SoD business rules), and users that have different effective permissions to different resources.
Report creators can now share reports and enable other Veza users to edit them by adding or removing owners in Edit Mode. Owners are now listed next to report titles on the Reports page. Note that reports set to private visibility are only visible to owners.
When using the Manage Exceptions action to add or remove several exceptions for a risk query at a time, a type column now indicates whether each result is currently an exception or a risk.
You can now always filter for effective or system permissions from the PERMISSIONS section of the Workflows, Graph, or Query Builder search bar. Before this update, this sometimes required adding an attribute filter on an intermediate "permission"-type entity.
Filtered and paginated Certification views now indicate the total number of results.
Improved performance when listing and updating Workflow results.
Reviewers accessing Certifications on mobile devices can now Re-assign Reviewers and use the (early access) Approve and Sign-Off action.
Attempting to exclude more than one tag with a key but no value now correctly selects all tags instead of clearing the tag selection.
Fixed an issue with incorrect result counts when applying filters in mobile view.
Improved column naming logic for intermediate entity types. Before this update, some queries resulted in intermediate columns incorrectly named Intermediate Role <property-key> when the intermediate node was not a Role.
Intermediate column titles now default to Intermediate Node <property>.
Intermediate Local User name columns are now titled Local User ID.
Intermediate Role columns are now titled Intermediate Role.
Note that the Veza AWS IAM policy now includes the secretsmanager:ListSecrets action. You should update your policy within AWS to avoid warnings, or edit the integration and choose Limit AWS Services > Secrets Manager.
GitHub Security Advisories, used to report, track, and discuss security-related issues for software projects, are now shown as an entity type.
Please note that the GitHub integration requires the additional permission scope repository_advisories:read to gather the relevant information.
Summary entities for Query Builder: Queries showing destination entities can show the authorization path for each result in a Summary Entities column. When building a query, you can select the intermediate entity types displayed in the summary, providing visibility into the Roles, Policies, Groups, or other intermediate entities connecting a result source and destination. For sample searches with path summaries, refer to the documentation.
Please note that an additional permission scope is required for the AWS integration. To prevent warnings, you should update the Veza AWS IAM policy to include the ECR SID, or prevent extraction for the ECR service by editing the integration configuration.
Fixed an issue where failed to run if they included a mutable_filter
Changes in Veza release v2023.6.12
Veza integration (Early Access): Administrators can now configure a Veza integration for search and access review of Veza user roles and team assignments. Adding the integration from the Integrations page will create Authorization Graph entities for the Veza domain, teams, roles, and users. Saved queries are now available to identify deactivated and inactive Veza users and empty Veza teams.
Open Authorization API: Improved performance when parsing large custom provider payloads.
GitHub integration: Added logic to avoid "API rate limit exceeded" errors during extraction.
Permissions filters for Workflows, Graph, and Query Builder: All Veza search interfaces now use the same permissions filter to constrain results based on their effective or system-level permissions. Attribute filters are no longer used to filter individual permissions.
Unified Saved Queries and Rules: The Saved Queries page now includes a tab for creating and managing Rules based on their underlying saved queries. You can use this view to see whether a query has rules associated with it, add rules, and review the condition and severity of any active rules.
Fixed an issue preventing users from updating saved query filters on attributes with boolean values.
Fixed an issue with webhook notification batching when using Smart Actions to update many results simultaneously.
Fixed an issue preventing some columns from being included in PDF exports.
The certification status banner is now collapsed by default on mobile or tablet. The expanded or collapsed state is now stored in the browser and applies to all certifications.
Users with the “Access Reviewer” role can no longer mark a certification Completed when all rows have a decision and they are the final user to sign-off.
Changes in Veza release v2023.6.5
New filter operators: Attribute filters now support the Exists and Not Exists operators, enabling matches based on the presence or absence of a value for a specified property.
Collapsible search sidebar: You can now click to show or hide the left sidebar in Graph Search, Query Builder, and when creating a Workflow.
Improved Graph visualization for "deny" relationships: Paths connecting entities resulting from policies that prevent access are now highlighted in red in Graph search results. Before, these relationships were only color-coded in Explain Effective Permissions mode.
Query Builder: Show or Hide Nested Relationships (Early Access): It is now possible to hide results that are indirectly accessible because of hierarchical relationships, such as AWS IAM Roles assumed by another role or Azure AD Groups belonging to a parent group. The toggle to hide indirect access appears under Advanced Options > Relationship Options > Show Assumed when the query source or destination supports nesting.
Fixed an issue where users with the operator role could not manage risk levels for Veza-created queries.
Fixed an issue preventing successful deletion of some provider integrations.
Signed-off certification results can now only change status from rejected to fixed. Changing a signed-off result from fixed to rejected is no longer possible.
After running a smart action, the total count of changed rows no longer includes skipped results that were already signed-off.
Users now get a specific notification instead of a generic error when accessing certifications they cannot access (for example, when the recipient of an email reminder opens a certification they cannot take actions on).
Changes in Veza release v2023.5.29
Early Access: Veza users can now quickly inspect individual identities, groups, and roles from the Access Intelligence > Analysis streamlined search interface. The results can be opened in Query Builder to modify parameters, add rules, or set risk levels. Depending on the chosen entity, Analysis offers the following functionalities:
Finding the groups a single user belongs to or the roles a single user can assume.
Searching for users and other groups that belong to a group.
Identifying all users and other roles that can assume a role.
When marking risks as exceptions, you can now add context and details with an optional note. Notes for exceptions appear in an additional column when browsing lists of risks.
Okta: Added support for Okta Roles to enable search and certification of built-in and custom administrator roles for Okta users. Note that to gather admin role assignments, the integration now requires a token with the super admin role (upgraded from read-only admin).
AWS: To align with current AWS product terms, AWS SSO is now AWS IAM Identity Center Service in Authorization Graph. AWS IAM Identity Center Groups, Permission Sets, and Users also now refer to the current service name (instead of "AWS SSO").
Box: Improved error handling and fixed a bug gathering nested fields for empty Orchestration Actions.
Google Cloud: Fixed an issue where Workspace and IAM extraction could be disabled inadvertently when modifying a saved provider configuration. To fix any impacted integrations, an administrator should save the integration configuration after re-selecting the services to limit.
Teams (Early Access): When provisioning users with single sign-on, users are now auto-assigned to the root team by default.
A collapsible banner now provides a visual summary of certification progress stats. Depending on whether the viewer has results assigned to them, progress indicators now show:
The status of all assigned rows (for reviewers with assignments).
The status of all signed-off (completed) rows (for operators with no assignments).
The number of days since the certification started, or time remaining until the due date (for certifications with a deadline).
The initial list of filters in the Access Reviewer mobile experience will now match the desktop experience, instead of listing all available filters.
Workflow queries: When applying attribute filters on AWS account ID, you can now specify one or more AWS accounts from a dropdown menu. Attribute filters on AWS account ID now always use the in operator.
Changes in Veza release v2023.5.22-1
When applying filters to date fields such as Created, operators now have an appropriate description (such as "On or Before" or "On or After").
When adding or cloning a report, users are now presented with a new Create Report wizard, offering an improved UX for selecting queries and replacing the old Edit Report interface.
Reduced and simplified some Access Reviews terminology:
(Main navigation) Renamed Governance to Workflows for clarity and alignment with functions.
(Workflow settings) Renamed Reminders to Reminders: Action Needed and Escalations to Final Reminders: Action Needed to better describe each email notification category.
(Workflow settings) Renamed Notifications to Collaborations to better reflect the collaborative nature and potential use cases for outbound integrations.
Administrators can now define pre-configured Smart Actions for reviewers using a .
Added a preview API operation UpdateAwfHelpPageTemplate for modifying custom help page templates.
Changes in Veza release v2023.5.8
You can now view data for the Past 6 Months and Past Year when visualizing trends over time on the Risks page.
Active Directory Users now have the email attribute, enabling filters on the email address associated with each user.
Added retry logic and rate limit handling for the GitHub integration.
Fixed an issue with timeouts when viewing summaries for Veza Workflows with many certifications.
Team Management (Early Access): Administrators can now create teams and add users to them, granting access to a limited range of integrated providers with a read-only viewer role. We look forward to your feedback as we continue to refine and improve collaboration and productivity for Veza users.
API preview: A new operation returns a filtered list of Veza platform events.
Changes in Veza release v2023.5.8
Administrators can now disable default IdP User > Local User mapping by email when adding a custom mapping for an integration.
Administrators can now configure up to four property matchers for custom identity mapping based on possible combinations of user name and email. If any matcher is valid, Veza connects the IdP and local identities.
AzureAD Groups now have additional filterable attributes: allowExternalSenders, classification, description, groupTypes, mail, mailEnabled, onPremisesLastSyncDateTime, preferredDataLocation, preferredLanguage, hasMembersWithLicenseErrors, hideFromOutlookClients, and visibility.
The properties allowExternalSenders, hideFromAddressLists, and hideFromOutlookClients are also collected for groups where securityEnabled is true.
Added retry logic and improved error handling for the Box integration.
Last login dates are no longer populated for Salesforce and Google users who have never logged in.
"Raw" or "Configured" permission labels (as shown when explaining Effective Permissions) now reference "System permissions." Some search terms are also renamed or relocated:
Query modes (Early Access): "Raw" query mode is now "System" query mode
Path constraints: The Include Intermediate Entities and Exclude Intermediate Entities are now options to Include Entities or Exclude Entities
The Time Machine, used to pick a snapshot date for the search, is now part of the left Graph sidebar.
Previously un-logged "certification started" email notifications are now logged with the total recipient count.
Clicking Export on the User Management page now exports the user account details table instead of starting a full audit log download.
Fixed an issue with empty Last Login dates on the User Management page.
Built-in report names no longer refer to "Risks".
Two additional report categories are created for new user accounts: Privileged Access Dashboard and Cloud IAM Dashboard.
Identity mappings now cover more scenarios where users from an integrated identity provider can assume local user accounts in other integrations:
To differentiate entities with the same name that exist in more than one integrated data source, entities added with custom providers now have the Datasource Name filterable attribute.
Early Access: Custom help pages: Administrators can now configure splash pages and instructions for certification reviewers with a .
Changes in Veza release v2023.4.24
You can now sort risks based on conditions such as time triggered, risk level, total risks, or percent change.
To enable managing exceptions at scale, lists of Risks and Exceptions now include an option to select or deselect all entries.
You can now pick the number of risks shown on each page.
You can now hide queries on the Risks page with zero results.
When editing a report, you can now reorganize sections by selecting queries and clicking Move.
Filters on the Risks page now clarify that they apply to the list of risks or risk queries (and not the summary of active risks over time).
Opening a risk in Query Builder now adds a constraint to show only that entity.
You can now click and drag to reorder reports within categories on the main Reports page.
Edit report buttons now have icons and descriptions.
The Reports Library is now All Reports
My Reports are now My Bookmarked Reports
Report categories are now Collections
Authorization Graph Search now highlights risks by default.
The Query Builder now highlights risks by default, with a Warning or Critical tag.
Clicking on the risk level of an entity in Query Builder now opens the Risks page with that entity preselected.
Exported certifications now include columns for Signed Off By ID, Signed Off By Name, and Signed Off By Email, instead of a single column for all values.
General minor performance improvements and Smart Action performance improvements.
Filter menus can no longer extend beyond the edge of the screen.
Fixed an issue that could cause a browser failure when applying filters during workflow creation.
no longer apply to unpublished (draft) certifications.
Reviewers can now pick from Saved Filters created with a .
Changes in Veza release v2023.5.1
Additional entity types are now supported when connecting to OneLogin:
OneLogin Groups
OneLogin Roles
OneLogin Apps
Insight Point Configuration page:
Administrators can now initialize a new Insight Point by clicking Create (changed from Generate New Key).
The list of Insight Points now instantly refreshes after creating a provisioning key.
An expiration date for the provisioning key is no longer specified when creating an Insight Point.
Early Access: The Google Cloud integration can now show cross-account access where identities in one organization have access to resources in another organization integrated with Veza. Cross organization permission mapping can be configured in the following ways:
At the Google Workspace and Cloud IAM level (such as Groups in one Google Organization with Project roles in another Organization).
At all levels, including cross-organization access granted by a policy applied at the resource level.
Contact your support team to enable the most appropriate setting for your environment.
Salesforce: Integrating a sandbox environment containing a full replica of an integrated production environment no longer causes entity duplication and collision errors.
Fixed an issue where queries for Snowflake could appear even when an integration was not configured.
A description is now shown when hovering over possible Smart Actions.
Certification PDF exports correctly include the Signed Off By ID, Signed Off By Name, and Signed Off By Email columns.
Fixed an issue with CSV and PDF exports missing file extensions.
Prevented unexpected error messages when switching Smart Actions and selecting reviewers to assign.
Fixed an issue that could prevent nested roles from appearing in certification results.
To ensure performance, filter operators on certification result decision, signed_off_state, and reviewers are temporarily restricted to eq.
When configuring a Google Cloud integration, administrators can now set allow and deny lists to limit KMS extraction by .
The AWS integration now gathers metadata for EKS Services and EKS Clusters. You will need to apply an updated AWS IAM policy that allows eks:ListClusters and eks:DescribeCluster. New Saved Queries identify:
AWS IAM Users with EKS permissions
AWS IAM Roles with EKS permissions
AWS EKS Clusters with public endpoint access
Changes in Veza release v2023.4.3
Built-in Saved Queries now have the Created By: Veza attribute.
Azure AD Users are now mapped to Snowflake Local Users they can assume, based on AD Enterprise App assignments.
Fixed an issue where "Used Permissions" were not shown for Snowflake users with recent activity.
Workflows for mobile devices now support custom and built-in filters on Certification result attributes, permissions, and decisions.
Access reviewers signing off on more than one result are now prompted to confirm the actual amount, instead of "all" results.
Email notifications are no longer sent to reviewers when they can take no action on the Certification.
Fixed an issue causing Bulk Actions to fail when a Certification filter was active.
Simplified the notification message when acting on a single Certification result.
Instead of marking queries as Violations, users can now set a Risk Level (Critical or Warning) for any Saved Query. The page enables tracking and remediation of entities that appear in the results of Queries with a Risk Level (Risk Queries), with options to:
Review all Risk Queries and filter by Risk Level, Integrations, or Labels.
See trending changes over the past week or past month.
Inspect Risk results for any Risk Query, or review all current Risks.
Open Risks in Graph or Query Builder.
Set Exceptions for specific Risk results.
Changes in Veza release v2023.4.17
Clicking a risk on the Veza dashboard now opens the Risk Queries page.
The Saved Queries page now includes the System Created: True and Created By: Veza columns, enabling filters on built-in queries.
To highlight the most recent changes, the Risk Queries page and list of all Risks are now sorted by date triggered.
Users with the operator role are no longer shown the unavailable option to remove integrations.
Removed the option to disable the required IAM and Workspace services when configuring a Google Cloud integration.
Fixed an issue with AWS IAM Policy evaluation causing some search results to appear with more access than actually allowed.
Fixed a duplicate connected data source error when gathering Okta apps for Salesforce.
Fixed an issue with Open Authorization API push operations timing out unexpectedly.
Email reminders are now logged in Veza Events with the NOTIFICATION event type.
Show tags for certification results (Early Access): Workflow creators can now include extra certification columns showing tags on source or destination entities. When enabled, reviewers can filter results by tag key and click on a tag key to see the value.
Approve and Sign Off (Early Access): When enabled, reviewers have an additional option to approve and sign off on certification results with a single action. Users can apply the combined with a Smart Action, from the row actions dropdown, or with a Bulk Action on a selection of results.
Acting on a single row with several results selected no longer resets the multi-selection.
Inactive Okta users are no longer suggested when assigning certification reviewers with a configured.
When picking certification reviewers, users with a assigned to them are now suggested as possible candidates (rather than hidden).
Changes in Veza release v2023.4.10
SaaS Misconfigurations for Salesforce: A new Salesforce Misconfigurations report offers insight into common identity risks for SFDC. The queries in this report can be customized or used out-of-the-box, including:
Salesforce Users not tied to an identity provider
Salesforce Organizations without organization-wide MFA enabled
Salesforce profiles that bypass organization-wide MFA
Salesforce Organizations with Security Health Check Score marked poor or worse
Salesforce security health check risks rated as high or medium risk
Salesforce Organizations without Setup Audit Trail enabled
Built-in Saved Queries for GitHub are now provided for customization and use in reports.
Corrected an issue when attempting to gather Active Directory custom attributes containing timestamps.
Risks dashboard: The Veza dashboard now includes an Access Risks section with a trend chart and summary of active risks, and a shortcut to the main Access Intelligence > Risks overview page.
Risks enhancements: For improved clarity when risks have similar names, the Access Intelligence > Risks page now includes the name of the original query each risk is a result of, along with the risk's entity type.
You can now filter to show risks marked as Exceptions
A new column shows risk Exception status
The Risk Queries section is renamed to Queries with Risks
The Queries with Risks section now includes the option to manage exceptions, set query risk levels, or start a Graph or Query Builder search.
The Home page is now Dashboards. Access Intelligence > Reporting is now Reports. Built-in report names are simplified for readability.
Changes to built-in Report names are no longer reverted after platform upgrades.
Corrected an issue where certification results were not as expected when applying filters on nested entity types.
Use of the misconfigurations report requires that the has the View Health Check permission.
GitHub Integration (Early Access): A new Veza-built integration enables the discovery of user, repository, team, and role entities and attributes for , with support for GitHub Enterprise Cloud and Server.
The integration includes automatic cross-service connections for Okta and AzureAD, with the option to add for other external identity providers.
Added a preview API operation POST /api/preview/notifications/email_templates:test_template for testing . The endpoint enables sending a preview email with:
a custom template
an existing template.id
the current template for any template.usage
the Veza-provided default template for any template.usage
Dashboard Reports now show increases or decreases over time, customizable by setting the Time Range to the past week or month. The current total results for each section are shown alongside the percent change and trend for the chosen time period.
Reviewers can now quickly apply pre-configured filters to "Show Undecided Items" and "Only show Signed Off Items." These built-in options are now found under Filter > Saved Filters.
When acting on multiple selected Certification items with Bulk Actions, Reviewers can now apply any action, whether or not the action applies to the selected rows. Any items the action cannot apply to are now skipped.
Workflow creators can now always add Fallback Reviewers, used when rules prevent the assignment of the original user, or when a manager does not exist for a certification result row.
Early Access: Workflow creators can now include or exclude indirect and nested relationships (such as roles assumed by other roles, or groups that are members of other groups) from certification results. When enabled, Show assumed entities is an option under Advanced Options > Relationship Options when the query source or destination entity type can be nested (such as Snowflake Group or AWS IAM Role).
The AWS integration now supports Lambda Functions as Authorization Graph entities, enabling Search, Tags, Workflows, and Rules for:
AWS Users and Roles with the ability to create or edit Lambda functions.
AWS services and resources Lambda Functions can access.
AWS IAM roles assumed to access those services and resources.
AWS IAM Users with Lambda permissions and AWS IAM Roles with Lambda permissions are now provided in Saved Queries.
Attribute filters for Graph search are now correctly updated after applying changes.
Entity type names in certification details are now correctly formatted with spaces.
Fixed an issue where Over Provisioned Scores for users and groups appeared incorrectly for Snowflake integrations with audit log extraction disabled.
Note that an Azure AD Premium P1/P2 license is also required to gather sign-in activity and custom security attributes for Azure AD users.
Fixed an issue where following external links to Veza Alerts did not correctly redirect users who weren't already signed in.
An icon next to the Data Source status now indicates when more details can be obtained by clicking on an "In Progress" or "Error" label. Data Sources with pending jobs now show the previous status ("Success" or the error), instead of "Pending."
Custom attributes for Active Directory entities can be gathered by specifying the property names and types when configuring an AD integration. Once discovered, the attributes will be added to entities and can be used to filter and sort search results.
Password Last Set is now supported as a default attribute for Active Directory User entities, containing the timestamp when a password was last set.
Certifications on mobile devices have been enhanced for better parity with desktop mode. Reviewers can now act on the full pages of results or pick one or more results to approve, reject, or sign off with a single action.
Clicking on Permissions, Concrete Permissions, or Reviewers for a Certification result row now opens a list of all the values.
You can now choose an exact time when selecting Certification deadlines (in addition to the calendar date).
(Early Access) You can now filter Certification rows based on the contents of the Path Summary column, including Path Summary Entity Name, ID, or Entity Type.
Fixed an issue where Custom User was not listed as a possible intermediate entity type when creating Workflows.
Fixed an issue where nested destination entities could appear unexpectedly when creating a Workflow with constraints.
are now managed as a global setting, defining assignment behavior when the deny list or self-review prevention blocks a requested reviewer.
The required permissions for are updated to enable listing Lambda functions and tags.
The now correctly include the AuditLog.Read.All MS Graph permission, needed to collect last login dates.
You can now filter on inactive or active resources and toggle between Effective and Raw permission types when viewing Over Provisioned Score details for entities that support (Early Access).
Dashboard Insights on the primary Veza landing page have had a visual refresh. Each tile now shows results and changes for all report sections, instead of showing details in tabs.
Early Access:
Users can now create Rules directly from Veza Saved Queries. When enabled, the Rules page is replaced by an enhanced Saved Queries page, which includes rule details for each query and a streamlined Create Rule wizard.
When saving queries, users can now optionally add them to reports or create a rule.
When enabled, saved queries will have an additional option Actions > Configure Alert Rule
Recently-triggered rules are still shown on the Alerts page.
Integrations and Data Source on the Configurations page now have separate "State" and "Status" columns for clarity and improved filtering.
Veza can now discover and show any comment used to add optional descriptions for Snowflake Role, User, Database, Schema, Table, and View entities. The required permissions for the Snowflake Integration have been updated to include the additional columns, for configurations using an alternate database name.
Search: Fixed an issue with tag filters not applying correctly.
SharePoint: Folder > Sub-folder relationships are now represented correctly in Graph search.
Query Builder: Fixed a "Resource Exhausted" error when sorting by Snowflake table with Access Monitoring enabled.
Workflows: Email reminders are now sent in batches to prevent a "Too Many Recipients" error when notifying reviewers. Our Customer Success team can customize the maximum number of email recipients for your Veza platform.
Workflows: Improved performance when loading possible reviewers for certification results.
The AWS integration can now discover AWS Cognito Identity Pools (federated identities), used to grant temporary privileges to other AWS services.
Additional permissions are needed to connect to AWS Cognito:
cognito-identity:ListIdentityPools
cognito-identity:DescribeIdentityPool
cognito-identity:GetIdentityPoolRoles
Added new saved queries AWS Cognito Identity Pools that allow unauthenticated identities and AWS IAM Roles that can be assumed by AWS Cognito Identity Pool identities.
Integrations on the Configurations page now indicate the running sync or parse job status (such as "Waiting for Parsing"). Integration status details now show the completed and current job steps (such as "Gathering Users" or "Gathering Roles"), and the total number of gathered entities.
Early Access: A new Veza-built integration for ServiceNow enables the discovery of Users, Groups, ACL Rules, and Roles from ServiceNow SaaS deployments.
The Access Search > Saved Queries page now offers query search by keyword, label, or integration. You can now mark any saved query as a violation using the improved Actions dropdown menu.
For better visualization of resource-type entities acting as principals, AWS EC2 Instances are now shown on the left when searching relationships to other resource entity types (such as AWS S3 Bucket) in Authorization Graph.
You can now pick from related entity types in the Query Builder Relates to dropdown after selecting a primary entity type to search. Before, you needed to start typing into the Relates to field to see possible options.
Early Access: Advanced search options now include toggles to show or hide graph relationships that involve hierarchical or nested entity types such as IAM Roles and local Groups.
For example, when searching for entity types such as AWS IAM Role to Redshift Postgres Database, you can now opt to show or hide relationships that involve an assumed IAM Role. Hiding assumed roles will show only paths where roles grant permissions directly to the resource, instead of by assuming a secondary role.
Similarly, for User > Local Group searches, hiding assumed groups will conceal any groups that are members of groups the user is a direct member of. If a user belongs to a Local Group whose members include other Local Groups, hiding assumed groups will only show paths where users are directly assigned to groups, rather than all paths including indirect assignments and nested groups.
Fixed an issue where the On Premises Sync attribute was blank (instead of False) for AzureAD-only users not synced with on-premises AD.
Fixed an issue where policy conditions were ignored when evaluating trusted principals for AWS IAM Roles.
Fixed an issue where test emails for Notifications were not delivered.
Early Access: A new Veza-built integration for Box supports gathering Users, Groups, Roles, and Folders from the cloud storage platform, with identity mapping for Okta, Azure AD, and other identity providers. Search, Insights, and Workflows for Box offer ways to:
Audit Box users with administrative privileges on a Box tenant.
Find local-only users without a corresponding IdP identity.
Review folders with internal and external guest collaborators.
Graph, Workflow, and Query Builder now support Regular Expressions in attribute filters. Regular expressions can be used to find results with properties that match one or more possible text patterns, and enable complex "OR" conditions for search filters.
Early Access Rule conditions can now apply to changes for individual query results. Alerts for these rules will show details for the changed entity, including the OPS changes.
Veza Reports have an improved landing page, replacing the old Reporting page. You can now view reports by expanding a category, and click a report to open it. Reports can be filtered by label and integration. Categories on the Reports page can be rearranged and customized.
The Report Library now includes creation dates and the option to Clone reports.
The Dashboard Reports summary can now contain additional risk tiles.
Risk tiles are paginated when more than six reports are in the Dashboard reports category.
Dashboard Reports can now be removed directly from the main dashboard.
You can now add one or more queries to a report using an improved Add Query interface
Reports now include only the Changed value, instead of Min/Max/Change.
When customizing filters for certifications and other table views, parameters are now contained in fly-out menus. You can now enable several filters before clicking Apply to refresh the results.
Table filters can now use operators (such as contains, equals, or not equals) when filtering columns with string or single-selection values.
Configuration columns now implement a more sensible default width. Names and IDs are no longer truncated when hovering for more details.
Disabled users are now referred to throughout the product as deactivated users.
Clicking a tile on the Entities page now opens the table of results in Query Builder.
Certifications can now be auto-published or created as drafts, allowing creators to validate the output and assign reviewers before alerting reviewers. Notifications are not sent for draft certifications, and drafts are not visible to their assigned reviewers. New certifications are auto-published by default.
Drafts are highlighted when viewing workflow certifications, with the option to Publish.
The Smart Action Log is now merged with the Smart Action menu. Earlier actions can now be reviewed using Smart Action > History. Applying a Smart Action no longer opens the action log.
Workflows: Fixed an issue causing certification reviewers to receive inactivity notifications after all assigned results were signed off.
Push API Keys (a deprecated authentication option for Open Authorization API infrastructure) are no longer supported. Standard should be for all OAA integrations.
A new Edit Report mode provides a significantly improved experience for customizing built-in and user-created reports. Using this mode, you can:
Update report names and descriptions
Add, remove, and edit queries in a report
Customize sections and section titles
Change report visibility settings
Reports have been re-categorized to reduce the overall number of sections and make insights easier to find. Many built-in queries have been renamed for consistency and readability.
The Recipes page is now Remediation > Recommendations.
Added support for additional Google Group attributes: AllowExternalMembers, WhoCanModerateMembers, WhoCanJoin. Filters on these properties enable identification of groups configured to grant access to users from outside of the organization.
The Veza integration requires the additional scope https://www.googleapis.com/auth/apps.groups.settings to gather this metadata. You must also enable the for any projects to discover.
The Configuration panel now provides a more streamlined experience for managing Veza integrations. All integrations are now shown on a single page, with the option to filter, view additional details and pause extractions at the discoverer or data source level. The Add New button now offers the option to add integrations of any type.
When selecting a filter to apply (for example, when reviewing certification results or the Integrations page), filters for the current columns are now shown by default, instead of all possible columns. You can click show more to reveal all possible attributes for a filter.
You can now open entity details by double-clicking the node in Authorization Graph.
OneLogin Users are now correctly marked mfa_active=true when they have at least one authentication factor (before, two factors were needed).
Hide Zero Values now correctly filters results based on the value column (the most recent query result).
Added the option to delete unused , revoking and removing them from the list of all keys.
It is now possible to manage delegate reviewers for assigned to certification results. Configuring a delegate reviewer for another user enables them to fulfill the responsibilities of that user — for example, if the original manager is on leave, out-of-office, or otherwise unavailable.
This option is supported by API operations .
Any certification items assigned to the original reviewer are also assigned to the delegated reviewer.
Delegate reviewers are notified of the assignment and receive notifications in place of the original reviewer. They can review and sign off on any results assigned to the original reviewer.
The original reviewer can still act on results, but will not receive assignment or reminder emails.
Added a preview API to get all reviewers and their progress stats for a certification.
New out-of-the-box data access assessments for Snowflake, AWS, Google, GitHub, Salesforce, and Azure / Azure SharePoint have been added to Saved Queries (Azure AD Users with update permissions on Azure Keys, Google Users with update permissions on BigQuery tables, Okta Users with delete permissions on Google storage bucket, and others).
Assessment queries with no results are now hidden by default in reports. You can toggle the Hide Zero Value Results option to show all queries.
Improved performance when loading workflows and viewing certification details.
Workflow notification and integration options are now shown beneath the query filters.
The certifications overview for access reviewers no longer includes the Last Modified and Notes columns.
Workflows: Fixed an issue where the current running Smart Action sometimes was not shown when opening the Smart Action log.
Workflows: Fixed an issue causing unexpected behaviors when selecting certification columns to export (reviewers can no longer export certifications while results are still loading).
Workflows: To reduce confusion, row-level actions are now disabled when any row is selected (bulk actions should be used to act on multiple rows).
Path Summary Entities for Veza Workflows is a new feature that enhances and modifies the contents of a certification, complementing the existing Effective Permission and Intermediate Entity options. When enabled, the certification results will include all connections from one entity type to the other and show a summary of the path that made the connection.
This path summary is created by only showing the entity types specified in Path Summary Entities. For example, a query from User to Bucket with a path summary including Group and Role will return all the unique rows of Users connected to Buckets. The summarized path might look like GroupA->Role1, or Role2 (if no groups are in the path), or be empty for users with direct bucket access (not through a group or role).
Choosing Path Summary Entities is similar to an Intermediate entity selection, except that several types can be selected at a time. Adding a path summary can aid in reviewer decision-making and offers visibility into:
Whether access is granted by group or role membership, or direct assignment
The name of the group or role granting permissions
The type of group membership (owner, manager, member)
The resource a policy is attached to, which could be the destination resource (for directly-applied policies) or an upper-level entity in the resource hierarchy (for inherited policies)
Configuration mode for Veza Workflows, Authorization Graph, and Query Builder enables visualization and filters on the hierarchy of Role-Based Access Control (RBAC) entities connecting identities and resources. Using configuration mode can add additional context to understand and map privileges within providers such as Google Cloud and Microsoft Azure. Configuration mode can also enable granular workflows and rules based on intermediate authorization entities such as role binding, group membership, and IAM policy.
Please contact the Veza customer success team to learn more about enabling Early Access features.
New built-in assessments are now available as and included in Reports:
Dormant identity provider (IdP) accounts and local users with no recent activity (such as Okta Users with no recent activity but assigned Okta apps)
Local accounts without a corresponding IdP user (such as Salesforce Users with no mapped Azure AD Users)
Google Cloud and Workspace: Google Workspace Users who are granted Google Service Account Role, Google Workspace Groups who are granted Google Cloud Roles, Google Service Accounts which get access to resources via Google Workspace Group
AWS: AWS Service Principals with S3 delete permissions, and AWS Service Principals with S3 delete permissions
The Reports Library default page size is increased from 10 to 20.
Resolved an issue causing unreasonably long extraction times for Salesforce.
Insight Points for Veza integrations can now be run as Oracle Virtual Appliances. For more information and download links, see the instructions for
Additional auto-assignment options are available when assigning and reassigning reviewers to certification rows:
Auto-assign to resource manager will assign the row to the users associated with the row's resource.
Auto-assign to user manager will assign the row to the manager of the user associated with the row's user.
Fallback reviewers can be specified. These users are assigned to rows when auto-assign by resource's manager and auto-assign by user's manager cannot find a reviewer.
These new options are presented 1) when selecting reviewers for a new review, 2) when taking a "Resign" action on a single row or multiple selected rows, 3) when using the new "Reassign" Smart Action. Auto-assignment is only available when are configured.
Collapsible search bar sections now show a "changed" icon when they contain modified settings. Constraints on entity properties are now referred to as Attribute Filters.
A new Google Workspace Membership entity now represents the group assignment and membership type (Owner, Manager, or Member) connecting Google Users and Google Groups.
The Entities page has been updated for improved usability and enhanced overall performance.
Clicking an entity name now shows additional details.
You can now search for specific entities and browse pages of results or export a full list.
The list of providers and apps is now always consistent with currently-configured data sources.
Properties containing true or false values and string lists are now formatted for improved readability.
You can now bookmark the current selection and open view.
The Salesforce integration now supports the built-in group types AllCustomerPortal and Queue.
You can now change the Insight Point associated with a saved Active Directory or Snowflake integration.
Fixed an issue with self-review prevention causing actions on some certification results to fail.
Disabled users in certification results can now be highlighted using customizable . When enabled, matching rows are marked in red and indicated as inactive in the row hover summary.
Reports
As part of an ongoing effort to improve actionability and time to value of Veza Insights, Reports now use a redesigned tiles layout for better readability and easier customization. It's now easier to show only the most relevant insights, and quickly pivot from Veza Reports to Authorization Graph or Query Builder.
Clicking a result value (min/max/change) opens a trend chart for the assessment query.
Clicking edit opens the assessment query for customization in the Query Builder.
You can now expand or collapse each section in a report and filter by providers, AWS accounts, and Azure tenants.
Authorization Risks Dashboard
Administrators can now tailor the Insight Reports shown on the Veza dashboard, which is now driven by the customizable Authorization Risks Report category. Administrators can remove queries from these reports to hide them on the main landing page, and exclude false positives by adding filters to the original out-of-the-box (OOTB) query.
Clicking an authorization risk tile on the main dashboard now opens the corresponding report.
Administrators can edit Authorization Risks dashboard reports to hide individual assessment queries for all users.
Report and Saved Query privacy settings
For improved collaboration and security in multi-user environments, user-created reports are now private by default (visible only to owners). Setting a report to public publishes it for all users. A new Reports Library provides an overview of all built-in and custom reports and their privacy settings.
Changing a report to Public is permanent.
Reports can only be edited by their owners.
Veza admins are the default owners of system queries and reports. Users own any queries and report they create.
New Critical Risk Assessments
A range of built-in IdP Analysis assessment queries are now provided out-of-the-box. These assessments are now included in Authorization Risks reports for insight into:
Disabled IdP identities with cross-service permissions (such as disabled Azure AD Users with Snowflake access)
Disabled accounts with system-wide access and high-risk roles (such as disabled Azure AD Admins & Enterprise Admins)
Identities assigned Okta Groups with names containing "VPN"
IdP identities with MFA disabled
Added a new AWS IAM assessment External AWS AssumeRole relationship without setting ExternalID. The query returns AWS accounts that are not integrated with (external to) Veza, yet able to assume temporary credentials in an integrated AWS account. AWS Accounts configured to use a trusted external ID (as is best practice) are excluded from the results.
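To make the condition this assessment looks for concrete, here is an added example (not Veza's implementation or code) that inspects an IAM role trust policy and reports cross-account sts:AssumeRole grants that lack an sts:ExternalId condition. The trust policy, the account IDs, and the set of "integrated" accounts are constructed sample data; the function names are this example's own.

```python
"""Flag cross-account AssumeRole trust statements that do not require sts:ExternalId.

Added example, not Veza code. It mirrors the idea behind the "External AWS
AssumeRole relationship without setting ExternalID" assessment described above:
a principal from an account outside the set we know (the "integrated" accounts)
may assume this role, and nothing in the statement pins that grant to an
external ID. All account numbers and policy content below are constructed.
"""
import re

# Matches the 12-digit account ID inside an IAM ARN such as arn:aws:iam::123456789012:root
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed sample: accounts integrated with the tooling (assumption for the example)
INTEGRATED_ACCOUNTS = {"111111111111"}

# Constructed sample trust policy with one risky statement and three acceptable ones
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # external account, no ExternalId condition -> finding
            "Sid": "PartnerNoExternalId",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "sts:AssumeRole",
        },
        {   # external account, but pinned to an external ID -> excluded
            "Sid": "PartnerWithExternalId",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::333333333333:root"]},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        },
        {   # integrated (known) account -> not external
            "Sid": "InternalAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "111111111111"},
            "Action": "sts:AssumeRole",
        },
        {   # AWS service principal, not a cross-account grant -> skipped
            "Sid": "EcsService",
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
    ],
}


def principal_accounts(principal):
    """Return the account IDs named in a Principal block ('*' for a wildcard).
    Only the 'AWS' key is inspected; Service and Federated principals are ignored."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for entry in aws:
        if entry == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", entry):
            accounts.add(entry)
        else:
            match = ACCOUNT_RE.match(entry)
            if match:
                accounts.add(match.group(1))
    return accounts


def has_external_id(condition):
    """True if any condition operator constrains the sts:ExternalId key."""
    for keys in (condition or {}).values():
        if any(key.lower() == "sts:externalid" for key in keys):
            return True
    return False


def find_external_assume_role_without_external_id(trust_policy, integrated_accounts):
    """Return one finding per Allow statement that lets a principal outside
    integrated_accounts call sts:AssumeRole without an sts:ExternalId condition."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(action in ("sts:AssumeRole", "sts:*", "*") for action in actions):
            continue
        external = principal_accounts(stmt.get("Principal", {})) - set(integrated_accounts)
        if external and not has_external_id(stmt.get("Condition")):
            findings.append({"sid": stmt.get("Sid"), "external_accounts": sorted(external)})
    return findings


if __name__ == "__main__":
    for finding in find_external_assume_role_without_external_id(SAMPLE_TRUST_POLICY, INTEGRATED_ACCOUNTS):
        print(f"{finding['sid']}: external accounts {finding['external_accounts']} can assume without ExternalId")
```

Run against the constructed policy, only the PartnerNoExternalId statement is reported; the statement pinned with sts:ExternalId and the grant to the integrated account are excluded, which is the same distinction the assessment draws.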
Reports have been reorganized to offer more relevant insights. The Dormant Entities and Guest users with any access reports are now named Disabled users with excessive permissions and Guest users with excessive permissions.
The Salesforce integration now discovers cross-service connections for Azure AD. A custom identity mapping is no longer needed to correlate AD principals with the local accounts they can assume.
The Salesforce integration now includes the option to Gather Non-Standard Users. By default, Veza will only gather users with license types in the "standard" category (including Salesforce Platform and Salesforce Platform One).
You can now change the Insight Point used for discovery when editing a saved SQL Server or Okta integration.
All assessment queries in reports now support Open in Authorization Graph. Note that a unique filter label indicates when opening a query with unsupported parameters (particularly Related Entity Limits). In such cases, results can drift over time and are not compatible with graph snapshots.
Opening an assessment query in Authorization Graph now carries over filters on the provider AWS account or Azure tenant.
You can now specify required intermediate entity types in Authorization Graph (alongside the current excludes intermediate entity types advanced option). This will constrain relationships shown to only those that traverse the required entity types.
Operators creating a workflow can now set path requirements on excluded and required intermediate entity types. Doing so will constrain results based on whether the selected entity type (such as group, role, or IAM policy) exists in the authorization path between the query source and destination.
Improved performance when filtering certification results by reviewer.
To prevent unintentional removal of reviewers, a reviewer must now be selected to run a re-assign reviewers Smart Action. A fallback reviewer is now required when using auto-assignment.
Query Builder: Fixed an issue where table view failed to render when searching "Custom" entity types.
Workflows: Fixed an issue where creating several certifications in parallel (using auto-assignment) resulted in errors.
Workflows: Using a checkbox to select a certification result no longer resets any changes to column order.
Improved loading speed for the main Workflows landing page, in addition to overall workflows performance enhancements. A progress indicator is now shown when additional certifications are loading in the background.
Inactive (disabled) users are no longer included in the total count of Identities that can circumvent MFA.
The Alerts panel is now located under the Remediation section on the main navigation menu.
The Rules panel now shows the email address of each rule's creator.
New Veza-distributed OAA integrations are now available for sourcing users and roles from Oracle Fusion Cloud and Coupa.
Authorization Graph searches can now specify excluded entity types (only return results without a relationship to the chosen entity).
For improved Authorization Graph readability, the Object column is no longer shown when searching relationships for Salesforce Accounts.
Google Cloud KMS and BigQuery role bindings have an additional property listing the role permissions (visible when querying user->role binding).
Partial results are now returned when a search returns more data than Authorization Graph can render (before, this resulted in an error message). Users are now reminded to apply filters to constrain the search to a manageable size when viewing incomplete results.
Violations are re-enabled as an Authorization Graph search option. Fewer built-in assessments are now marked as violations by default.
When using Explain Effective Permissions, you can now change the selected principal (the Explain modal may not always open on the expected source or destination).
Query Builder: Fixed an issue where adding a Grouping Entity Limit could cause the search to return no results.
Integrations: The | character is now allowed in AWS account names (previously, adding an account with this character to Veza resulted in an error).
As an alternative to temporarily disabling them, unused API tokens can now be permanently removed with DELETE /api/preview/keys/{id}.