1 of 100

Veza User Guide

Veza Documentation

Secure and understand your environment with Veza integrations and products.

Platform Overview

Veza's Authorization Graph integrates with cloud identity providers, cloud IAM, cloud services, apps, and data systems to discover authorization metadata, translating the complexity into a simple language of effective permissions.

Veza then provides insights into the relationships between entities such as identities, policies, roles, and resources, and enables users to create reports, queries, access reviews, and more using the latest data or a historical snapshot. Risk, compliance, security, and IT teams use Veza for visibility into which people and automated services can access sensitive data assets.

Veza answers the questions "Who has access to what," and "How do they have access?" With Veza, you'll pass your audits faster with less pain, be empowered to lock down data to only those who need it, and securely migrate cloud assets.

Product Documentation

The documentation includes guides, reference material, and release updates for the Veza authorization platform. Use the information within to configure and administer Veza, and learn about core features.

Getting Started

Getting Help

Getting Started

First steps with the core authorization platform

Welcome to Veza, your unified access control platform for data governance, data access management, cloud entitlements, privileged access, and much more.

This page introduces important features to help you implement and operationalize Veza for your organization and teams. You will learn how to enable external integrations and begin leveraging Access Intelligence, Access Search, and Access Reviews.

See the following sections for details:

Configure Veza to discover enterprise resources
Explore your entity catalog
Leverage built-in and customized Access Intelligence
Search and query for who has access to any resource
Conduct ongoing Access Reviews
Operationalize Veza for your users and teams

Configure Veza to discover enterprise resources

To fully make use of Veza, you will need to integrate the Identity, Cloud, and application providers used by your organization. Veza periodically connects to these application providers and data sources to populate the Authorization Graph and build your Entity Catalog.

Explore your entity catalog

Veza builds a catalog of all your entities across identity providers, cloud providers, apps, and data systems. You can review all of these on the Dashboards > Home page. Choose data sources from the menu to view all the entity types Veza has discovered, and click an entity type to bring up a list of those entities in the Query Builder, where you can view additional attributes and details.

The metadata Veza discovers includes Tags from cloud providers (such as AWS tags or GCP labels) You can also create and apply Veza tags to identify sensitive cloud data assets across multiple providers and applications. Open the Access Intelligence > Tags page to see the tags Veza has already discovered.

Leverage built-in and customized Access Intelligence

Veza ships with hundreds of out-of-the-box assessment queries to provide rapid insight into risks, anomalies, and the overall state of authorization within integrated systems.

The main Dashboards page showcases some of these top risks and important insights, with the option to open any query to inspect the detailed results. Use the Access Intelligence > Reports page to review all the built-in reports. Then, try creating a custom report to capture data access trends and track risks for your organization.

Search and query for who has access to any resource

Veza discovers the connections between entities in the Authorization Graph and makes these relationships searchable with a visual Graph search and flexible Query Builder.

You can use these Access Visibility features to explore the different types of entities in the Data Catalog. To get started, go to the Saved Queries page, and try opening some out-of-the-box assessments in the Query Builder to fine-tune them based on your organization's priorities and unique environments.

Search for a single entity (such as an Okta User or Snowflake Database) using the Graph search bar to show all the connections Veza has found.
Specify a source and destination entity in Query Builder to find all entities of the source type with a relationship to entities of the destination type.
Apply filters on any of the entity attributes Veza has discovered to narrow your search using rich metadata such as user department, manager, or last activity date.

Conduct ongoing Access Reviews

Veza Access Reviews enable repeatable, granular, and integrated certification campaigns. These can be conducted by a single auditor, or involve collaborators automatically assigned from many departments and teams. Open the Access Reviews page to create and manage configurations for user access reviews, privileged access reviews, entitlement management, role management, identity lifecycle, and more.

Depending on the business and compliance requirements, Access Reviews can audit user access to data, resource entitlements, roles, groups, and policies, or any other source -> destination relationship discovered by Veza.
After creating a configuration that defines the scope of a review, administrators and operators can create and schedule new reviews, and assign each result row to individual managers or resource managers for review and attestation.

Operationalize Veza for your users and teams

Veza is designed to support collaboration between users and teams and integrate with external systems and workflows. Once you've familiarized yourself with the platform, you can invite your team, enable outbound actions and alerts, and enable advanced functionality:

Veza Glossary

Definitions and explanations for key terms and concepts used within Veza.

📖 Veza Glossary

As Veza evolves and integrates more advanced functionalities, the terminology can sometimes be intricate. The Veza glossary serves as a reference for terms and related topics. Whether you're a new user getting acquainted with the platform, or just seeking a refresher, this glossary can help you learn the essential terms.

Browse the categories to explore, or search to find a specific term.

Core Concepts

Authorization Graph

A time-bound snapshot of entities, relationships, and their attributes collected by Veza integrations. Used for investigating, intelligence automation, and rule creation across connected applications, identity providers, and cloud services.

Cloud Service Provider

A Cloud Service Provider (CSP), such as AWS or Microsoft Azure, offers a platform for infrastructure, applications, storage, and other services such as Identity and Access Management or data warehousing.

Effective and System Permissions

Permissions are the individual rights and authorizations that a user has to perform actions on resources. In modern IAM, “effective permissions” are the actual permissions a user is authorized to perform after applying all the constructs of IAM, including deny, service control policy, permission boundary, or other access controls. “System permissions” are the permissions that are directly assigned or granted to a principal (e.g., user, group, or role) on a specific resource (e.g., file, folder, or object). These permissions are typically defined and managed within the security system and set the basic level of access.

In Veza, Effective Permissions can be Data (C)reate, (R)ead, (W)rite, (D)elete, (N)on-Data, and (M)etadata.
In Graph search, (S)ub indicates when a principal has permissions on sub-resources within a service. Examples of effective permissions and corresponding capabilities
MetadataWrite, MetadataRead, MetadataCreate, MetadataDelete - Permission to create a Redshift Database table, or change an S3 bucket policy.
DataRead, DataWrite, DataCreate, DataDelete - A data read, write, create, or delete permission, such as reading database tables, or pushing to a repository.
NonData - All other permissions that do not apply to data, such as permission to cancel a Redshift query or reboot a Redshift cluster.

Group

A group is a collection of users sharing the same set of permissions.

IAM

Identity and Access Management (IAM) is a security framework that helps organizations manage and control access to their resources and applications.

Identity Provider

An Identity Provider (IdP), such as Okta or AWS SSO, is a service that stores and verifies user identity. IdPs are typically cloud-hosted and enable single sign-on to other systems.

Local Role

A set of permissions that are local to a single data system, computer, or device within an organization.

Local User

An account created on a single system (data systems, an app, etc.), computer, or device within an organization. Local accounts cannot be used on other data systems, computers, or devices.

RBAC

Role-Based Access Control (RBAC) is a method of managing access to resources and applications based on the roles of individual users.

Role

In Role-based Access Control (RBAC), a role is a collection of permissions that define the actions a user is authorized to perform for resources within an organization’s IT environment.

Search

Veza Search features include Graph, Query Builder, and Tagged Entity Search. Veza Access Reviews leverage graph queries and entity metadata for access and entitlement review.

Service Account

Service accounts are non-human accounts that log into servers, run batch jobs and scripts. Machine identities are similar but connote devices and IOT principals. Meanwhile, bots are similar but focused on automation. All these are sometimes summarized as non-human identities.

Webhook

A webhook is a way for an application to provide other applications with real-time information. It is a simple HTTP callback that allows a sender to provide information to a receiver when a particular event occurs.

Veza Integrations

Custom Properties

When configuring an integration, use this tab to specify additional attributes on entities to collect, by providing the name and type of attribute Veza will gather. For example, if an organization uses custom security attributes for Azure AD or Okta (such as deskNumber), these custom properties can be enabled when adding the integration, and used to filter results for search and access reviews.

Data Source

Data Sources are the individual resources (SaaS apps, data lakes, databases, etc.) from which Veza extracts authorization metadata.

Integration

A connector built directly into Veza, for ingesting data from external systems. Each inbound integration represents an inbound connection to a cloud provider, identity provider, or external application. Some integrations support activity monitoring, audit logs, and lifecycle Management (when granted additional permissions). Each integration may have multiple child discoverers and data sources representing services and resources. Veza Actions are outbound integrations for triggering actions in external systems.

Limit Integration Services

Option to globally prevent discovery of all resources for a provider service (for example, AWS EC2).

Mapping Configuration

Option when configuring an Identity Provider integration, allowing users to define cross-service connections between Identity Provider accounts and local accounts in other integrated systems (if Veza cannot automatically detect the connection).

Monitoring

Veza Activity Monitoring features provide insight into resource and privilege utilization for your users. These include Overprovisioned Access Scores and special reports leveraging cloud provider audit logs.

OAA Integration (Community)

An Open Authorization API integration built by Veza, a customer, or the open-source community that is available in our community GitHub repository.

OAA Integration (Customer)

An Open Authorization API integration built by a customer for one of their proprietary systems that is not published to the public repository.

Open Authorization API

An Open Source framework for adding off-the-shelf or in-house-developed proprietary applications and identity providers to the Veza graph.

Veza Action

An integration built directly into Veza for sending data to external systems and enabling downstream processes around Veza alerts and access reviewer actions. You can configure generic webhooks, create Jira issues, or ServiceNow tickets with Veza Actions, or enable Slack and email notifications.

Resource inclusion and exclusion lists

Option when configuring an integration, setting limits on the individual resources Veza will attempt to extract and parse (for example, AWS S3 Bucket).

Veza Cloud Connector

A Veza-provided VM image or docker container to enable connections to systems without APIs, or without publicly reachable APIs.

Worker

Workers are the components that find and catalog the authorization metadata and Data Source components of the integration.

Access Intelligence

Activity Monitoring Timeframe

A customizable period used to calculate Over Provisioned Scores for users and roles, based on entitlement usage within a set period of time. To change the range, go to the System Settings page and pick 1, 7, 30, 60, 90, or 120 days as the value. The default value (Auto) is 30 days.

Alerts

Alerts activate when a built-in or custom rule condition is met. Each alert includes a summary of changed entities since the last rule evaluation. Alerts are published via notifications, which include a summary of the original query. Notification delivery methods include email and outbound integrations or webhooks.

Dashboards

The primary Veza landing page features customizable dashboards and report summaries. The dashboard provides a high-level overview of access risks and out-of-the-box insights, with options to quickly act on any tile. You can add or remove reports to Dashboards by adding them to the Dashboard Reports report category.

Exception

An entity to ignore as a Risky Entity, due to matching a condition or being individually marked as an exception. Constraints on the query can mark entities as "Exceptions" based on a filter rule (for example, all resources in a test environment, or system roles that are not reasonably actionable).

Insights

Veza Insights provide tools to understand and act on risky entities and relationships using the Authorization Graph. Veza Insights include customizable Reporting, the Access Risks Dashboard, Rules, and Alerts.

Over Provisioned Access Score

OPAS represents the percentage of resources an identity is granted permission to access, but has not utilized recently. For example, if a user reads on 3 tables, but is entitled to read from 10, they are over-provisioned by 70%. The OPAS can change depending on the resources and permissions selected by the original query.

Query Integrations

A system-provided attribute listing all integrations involved in a query. You can filter by integration when searching for queries to add to Reports, or on the Saved Queries page.

Query Labels

A customer or system-provided attribute, intended for risk categorization and query organization.

Report

A collection of queries, organized into sections for actionable insights on Authorization Graph data. Reports can be built-in or user-created, and private or public.

Report Category

Report categories are used to group reports on the Reporting > Reports page. Access Risk tiles are based on reports in the Dashboard report category.

Report Section

Sections in reports contain groups of saved queries, based on the provider, type or risk, or other customizable criteria.

Risk

Any entity that appears in the results of a saved query with a risk level is considered a Risk. Marking a query as a Risk can define security baseline, misconfiguration, common access risk, or other anomalies, enabling alerts and recommendations. You can mark a Risk as an Exception to prevent it from appearing as a risk.

Risk Level

Level of risks if the query result contains non-zero results. Risk level can be 'critical' or 'warning'.

Rules

A rule consists of a baseline query, thresholds of conditions, and notification settings, delivered when conditions are met. The default action is to send an Alert to the Alerts page.

Veza Events

A Page with a complete list of system events as well as events related to Integrations and Rules

Access Search

Account Filter

Predefined filter that narrows down search results to specific parent Azure tenants or AWS accounts. Particularly useful in multi-environment setups.

Authorization Graph

Display Options

Advanced Graph visualization options for labeling entities by provider account or tenant, and highlighting relationships of interest such as assume role paths, disabled users, or risky entities. Display options will vary based on the entity types in your search.

Does not relate to

Option to only return results of the source type with NO relationship to entities of the destination type

Entities

Entities represent the authorization, data, and identity objects discovered by Veza, as shown in search results or on the Entities page. Entities can be data services or resources, identity domains, users or groups, and IAM or RBAC elements such as policies and roles. Entities have properties to contain attribute metadata such as manager, is_active, or encryption_enabled. Queries typically will specify both source and destination entity types, such as Okta User to AWS S3 Bucket or Google User to Google Group. Higher-level entity type groupings such as All Users and All Resources can be used to search for several entity types at once.

Entity Attributes

Entity Attributes are the rich metadata associated with an entity, to enable granular filters based on a range of possible properties. These attributes may be added by Veza during parsing (such as name, is human, or full admin), or ingested directly from the provider (mfa_enabled, is_encrypted, and so on)

Exclude Entities

Search option to only return results where source and destination are NOT connected by a particular entity type (for example, to show access granted without an assigned group). This can be used to show only access granted in a way that bypasses a user's intended groups, and filter results that aren't related to particular groups, roles, or policies.

Explain Effective Permission

Advanced Action in Effective graph search mode to show raw permissions and IAM relationships resulting in an effective permission calculation (represented by an EP node).

Filters - Attributes

Filters which constrain query results based on the source, destination, or intermediate entity''s attributes (such as Name, ID, or Is Active).

Attribute filters can always apply to source and destination entities, or any entity type in a graph search result.

Filters - Permissions

Option to filter query results by raw or effective permissions, such as s3:DeleteBucket or Data Delete.

Filters - Tags

Condition to filter results based on a Veza Tag or native provider tag applied to the source, destination, or intermediate entity. Filters can always apply to source and destination entities. The query must define Required intermediate entities to filter by tags on intermediate entity types.

Graph

Graph search shows the relationships between entities and resulting effective permissions, based on the latest Authorization Graph or Time Machine snapshot. Actions and filters provide utilities for traversing the graph and understanding and remediating risky access.

Query

A search against the Veza graph. Queries can be built-in or created using the Query Builder. Saved Queries are shown in Veza Reports and on the Saved Queries page. Queries can -have labels and be assigned a risk level. Integrations associated with entities in the query are saved as query attributes, for easier retrieval and organization.

Query Mode

Search option to either show Effective Permissions from source to destination entities OR additional intermediate entity types such as IAM/RBAC roles and policy bindings.

Effective mode calculates and shows all possible actions, after accounting for any potential restrictions (such as policy deny statements and other controls). Effective Permissions represent all the metadata and non-data actions the principal can take on a resource.
System mode shows the configured permissions and access path, before processing potentially overriding policies such as deny statements, SCPs, and network policies. Configuration mode is useful for understanding, certifying, and enforcing rules based on User > Role relationships and role-based permissions for CSPs like Google and Azure.
Depending on the query mode, reviewers will sign off on the combined Permissions for each result, or the Path Summary and Concrete Permissions for each result.

Query Builder option to filter results based on the number of related destination entities. The count operator can be <, =, >, etc.

Relates to

The final entity type for a query. By default, each result will include the effective permissions between the source and destination entities.

Relationship Options

Advanced Graph visualization options to show or hide graph columns (layers/entity types) and relationships. Depending on the search, the Advanced View toggle shows additional intermediate entities such as local user accounts between principal identities and data resources.

Require Entities

Parameter to only return results where an entity of the selected type (such as a local group) connects the source and destination nodes. Requiring an intermediate entity enables filters on the intermediate entity's attributes

See More

Graph search option indicating that pages of results are shown instead of all results. Pagination will be enabled by default for graph searches that return more results than Veza can render at once.

Show assumed entities

Parameter to include or exclude indirect and nested relationships (such as roles that are assumed by other roles, or groups that are members of other groups) from search and in the reviewer interface. The option to Show assumed [entity type] appears under Advanced Options > Relationship Options when the query source or destination is nestable (such as Snowflake Group or AWS IAM Role).

Source Entity Type

The initial node for a query. Entities of the Source type are included in a review scope for review and attestation if a relationship exists between that entity and another entity of the Destination type. If no destination is specified, the query will return all entities of the source entity type.

Option to select a single entity of the selected source or destination entity type, and only return relationships for that unique identity, IAM/RBAC entity, or resource.

System Permissions

An individual privilege defined in the provider-native terms, such as s3:BucketDelete in AWS Identity and Access Management (IAM). System permissions are the basic building blocks of access control, and are typically assigned directly to principals (users, groups, or roles) on resources (files, folders, or objects).

Tagged Entities

The Tagged Entities page provides a way to view and search all entities that have matching Tags.

Time Machine

Option indicating the Authorization Graph snapshot to execute the query against.

Access Reviews can use a time machine snapshot or use the most recent one when a review is created.
Use the Authorization Graph Time Machine to search against a snapshot of relationships and entities at a specific point in time.

Access Reviews

Access Review Scope

A query including a source entity type, destination entity type, and other search parameters defining the access under review. Individual reviews will show the query results as rows for review and sign-off, based on a historical snapshot or the current graph data.

Queries can be very broad (All Users to All Resources) or very specific, including filters on tags, property-based constraints, and intermediate node requirements.
Each query has a source and optionally a destination node. Entities of the Source type are included in the results for review and attestation if a relationship exists between that entity and another entity of the Destination type.
Results shown in the reviewer interface include source and destination entity details, the effective permissions for that relationship, and optionally, a summary of the path that made the connection.

Access Reviews

Features for user access and entitlement review. Access Reviews provide a framework for repeatable, multi-user review processes with a full audit trail, using the power of Veza graph search.

Complete

Status indicating that all review rows were signed off by the due date.

Default Reviewer

Individuals explicitly specified as Reviewers (for all results) when creating a review.

Delegate Reviewer

An alternate user assigned to carry out the responsibilities of an original user who would be auto-assigned as a reviewer but is unavailable.

Expired

Status indicating that not all rows were signed off in a review. by the due date.

Fallback Reviewers

Fallback Reviewers are specified when creating a review and assigned when rules prevent the assignment of the original user, or when a manager does not exist for a row.

Filter

In the context of an access review scope, graph, or query builder search, filters apply constraints based on attributes, tags, or permissions. When reviewing access, filters limit the number of results shown at one time and can be used to act on many results with the same attribute at once.

Filters can apply to the source or destination entity, or an intermediate entity property (such as Last Login).
In the reviewer interface, filters can apply to result properties such as decision state (Signed Off).
Bulk actions can be used to act on all review rows matching a filter.

Global IdP Settings

System-wide setting to enable reviewer recommendation and manager auto-assignment using an integrated Identity Provider. This enables any user in your organization to log in with Single Sign-On and review their assigned rows.

Managers

In the context of an access review, a manager is another user from your identity provider, specified as in the manager attribute of the source entity. When this metadata is available, managers can be suggested or auto-assigned to each row.

Managers and Resource Owners

Managers or owners of resources, assigned as reviewers for an access review. Veza can identify potential reviewers using metadata from an identity provider, or with Veza Tags. Resource owners can be assigned as reviewers using auto-assignment.

Mark as Fixed

Operator action to indicate that the recommendation has been carried out for a row. Rejected and Signed-off items can be Marked as Fixed to log that remediation took place.

Notifications and Reminders

Emails sent to update users involved in an access review, including notifications when rows are reassigned, and reminders about inactivity and deadlines.

Pending

Status for reviews that are not expired, and still have items pending sign-off.

Presentation Rule

Support-enabled option to highlight special rows such as disabled users, based on filter criteria.

Reassign

Reviewer or operator action assigning one or more rows to another reviewer, after a review has begun.

Reminder

Type of email notification sent to remind reviewers and stakeholders that action is needed due to inactivity or approaching deadlines. Final reminders can also be configured to escalate remaining tasks.

Reviews

A review is a scheduled instance of access or entitlement review, with unique deadlines and reviewers.

Each review has an underlying configuration, which defines:

A query defining the entities and relationships under review.
Default notification and integration settings, inherited by reviews for the configuration.
Attributes such as a name and description, for identification and internal reference.
Reviewer assignments, defining the initial reviewers and fallback reviewers.

Reviewers can open a review instance to see the results of the query, and sign off on each row.

Reviewers can accept, reject, or delegate items.
Rejected items can be marked as "fixed" by operators after remediation
Reviews are based on immutable graph snapshots and an underlying query.

Review Actions

When reviewing their assigned rows, reviewers will:

Accept: Reviewer decision to approve the access specified in the row (as legitimate access).
Reject: Reviewer decision to refute the current access as illegitimate. Reject actions can trigger remediation processes using webhooks integrations.
Sign Off: Action to finalize the decision for a row, making it immutable. Signed-off items can be marked as fixed by operators.

Reviewers can also re-assign rows to another user, add a note, or view more details.

Review row

A row in an access review describes a source entity, and typically its permissions on a destination entity. Depending on the review scope, rows can describe a single entity, a relationship between two entities, or include a summary of intermediate entities such as groups, roles, or projects.

Reviewer Auto-Assignment

Option to assign managers and resource owners as reviewers using metadata Veza has discovered, with fallback reviewers if a match can't be found or a rule prevents review. Auto-assignment enables review owners to assign many reviewers at once, either to specific reviewers, or to resource or team managers using metadata from an identity provider, or Veza Tags. The identity provider must be integrated with Veza and Global IdP Settings must be enabled.

Reviewer Deny List

Global list of users who are blocked from being assigned as reviewers.

Show Relationship

Review scope option, enabling visibility into a single connecting entity and its properties, existing between the source and destination nodes. The reviewer interface will include optional columns for each intermediate attribute, such as the name and type of the connecting group or role.

Summary Entities

Review scope option, enabling visibility into the RBAC configuration granting access to the destination entity. When configured, reviews will include a default Summary Entities column, showing the names and sequence of selected entities when they connect the source and destination. For example, when a group is selected as a summary entity, the column will contain either:

Group 1 (indicating access is granted directly by that group)
Group 1 > Group 2 (indicating that the first group allows access to the second)'

Uncertified

Status for pending reviews with no signed-off items.

Administration

Access Reviewer

Role that enables users to review and certify items within their assigned access reviews. Allows access solely to the Access Reviews panel and assigned reviews.

Administrator

Highest-level user role with full control over settings, integrations, and privileges. Inherits all capabilities of Operator and Access Reviewer roles.

Integration Configuration

Integration configurations are saved settings for connecting to an external platform, including the credentials and optional settings for the connection. Integrations are added and managed on the Integrations page.

Operator

Role allowing users to create configurations and initiate reviews, as well as review all items in reviews they create. Operators can access all Veza features such as Search and public Reports, but cannot manage other users or integrations.

Sign-in Settings is a Veza Administration panel for managing Multi-factor authentication (MFA), Single Sign-On (SSO), and configuring local account (non-SSO) access for your Veza tenant

User Management

The page where users can be added, removed, or edited and have roles assigned.

Veza Webhook

Webhooks are automated messages containing a payload of instructions that are sent to a specific URL when the conditions associated with the webhook are met.

Product FAQ

Questions and answers about the Veza cloud platform, features, and policies

Authorization Graph

Q: Veza's is a multi-cloud platform powered by an authorization metadata graph. What are the core features of this graph?

“Authorization metadata graph” provides an end to end visualization of authorization relationships between users (including non-human identities and service accounts), applications, and data sources. This includes the cloud identity providers (users, groups, and roles) and access management services (such as AWS IAM, GCP IAM, and Azure RBAC.) making a user's access possible. By presenting effective permissions (read, write, delete...) in a single control plane for any enterprise identity and data source, the Veza graph simplifies the complexity of interwoven authorization structures and enterprise data systems.

Q: How does Veza provide access to identity and authorization data – does it use APIs provided by the public cloud providers and IdPs? Or is the identity and authorization data imported manually into Veza?

Veza Cloud Platform can analyze identity and authorization data from public cloud providers and external identity providers (IDPs), along with non-cloud-native data sources like MySQL or Active Directory.

Yes, Veza utilizes the publicly available APIs published by identity providers and cloud providers to analyze these providers automatically. The nature of the API access is read-only, scoped to only essential metadata, and collected out-of-band.

Q: What are the size limitations for the Veza environment?

Graph Scale and Performance: Veza is built to manage complex authorization metadata efficiently using advanced graph technology. Our architecture includes a robust data model, a persistence model ensuring crash-consistent metadata management, and an object model capable of handling billions of small objects. Veza is available in both SaaS and On-Premises deployment models.

Our testing indicates that the Veza platform can support up to 100 million nodes (including identities, groups, roles, policies, and resources) and 500 million edges (which represent relationships and connections among these entities). While the platform maintains functionality beyond these thresholds, some features may experience performance impacts. For optimal performance when exceeding these limits, contact support@veza.com.

Separation of Duties (SoD)

Q: Is the process of defining SoD violations for individual applications manual or automated?

After adding a built-in integration, you can use out-of-the-box queries defining common Separation of Duties (SoD) violations. You can edit these queries or define your own violations using the Access Intelligence > Separation of Duties page. SoD rules can apply to custom data sources, such as users ingested from CSV or SCIM.

Q: Are toxic combinations for SoD violations identified automatically?

Veza evaluates effective and system-level permissions when parsing integrated data sources. Violations are identified when executing an SoD query, either manually or as part of risk assessment.

Q: What remediation actions are available for SoD?

By creating a rule for queries that are SoD violations, you can send announcements or create issues in systems like Jira, Slack, or ServiceNow when new violations are detected. Rules can also trigger automation using custom webhooks.

Q: What integrations are supported for SoD?

Veza integrates with 250+ systems natively and supports many more via our Open Authorization API framework. As soon as the user access data is ingested into the platform, Veza will identify toxic combinations of access based on configured SoD policies.

Access Reviews

Q: What are common issues that occur with Access Reviews?

When a snapshot doesn't contain the specified relationship, creating a review will result in "No Data Available" error. Note that the snapshot are taken on a daily basis.
Upon saving a Review Configuration and starting a new Review, it's possible that there are no results due to data not existing in the environment for the query parameters. To check if this is the case, search with Query Builder or Authorization Graph using the same search conditions.

Q: Can I change the query for an Access Review after saving it?

While it's possible to edit some parameters such as notification settings after saving a Review Configuration, the original query cannot be altered. This is by design, and to maintain the integrity of the certification as a permanent record.

Q: Is it possible to create Access Reviews scoped to certain resources and permissions?

When creating a Review Configuration, you can select a specific source or destination entity type, and apply attribute filters on a value such as Datasource ID.

Q: We use AWS tags to identify resource managers, departments, and operational function. Can we incorporate these in Access Review scopes?

When creating a Review Configuration, you can filter on any tag Veza has discovered, as well as native Veza Tags. To do so, select the desired entity types and apply a tag-based filter.

Q: We need to perform certification on our custom apps, is this possible?

Yes, custom apps configured using OAA are selectable as an entity type, just like the built-in configuration sources. You can either select an individual "Custom Application" or "Custom IdP" entity, or query "All Users" or "All Custom Applications".

Q: We would like the facilitator and reviewer to get notifications based on certain milestones, can we do this?

You can set customized notifications when adding a Review Configuration, or configure them for each Review. Veza Actions will trigger based on reviewer actions (assignment, creation, decision, owner change) and certification states. Veza Actions can trigger webhooks, create ServiceNow tickets, and send alerts to Slack channels. Operators can also configure email reminders based on certification events and deadlines.

Q: Can we assign team-wide Access Reviews to individual managers?

To create a single certification for one manager, apply a constraint on the identity's manager field, and choose the resource(s) the certification applies to. You can also identify managers for any entity type using tags.

Create a new certification, and assign the manager. To ensures the manager can view and certify only their assigned Reviews (and not access other Veza functionality), you can assign the manager's Veza account the access_reviewer role.

Q: Most of our Access Reviews involve more than one reviewer, is this supported?

Certifications can have one or more "default" reviewers, assigned when starting the certification. These default reviewers can request other reviewers from your organization, for any result they decide they aren't an appropriate reviewer for. These assigned reviewers can only view and act on the results they're assigned to.

Veza can use metadata such as manager_id from your Identity Provider or Veza Tags, and use this to automatically assign reviewers when creating a certification.

Q: We want to schedule certification campaigns to occur automatically (as part of a quarterly or annual review cadence). Can we do this?

You can set due dates on certifications, and automatically send reminders by email to the owners, participants, and optional creators/facilitators. The functionality to schedule certification campaigns is planned for a future release.

Q: We need to ensure that an owner can only mark a certification as complete once all items have been "approved" or "rejected/" Is this validation done by Veza?

You can configure a variety of certification completion options, including enforcing that all rows must have a decision before a certification can complete.

Q: How is the integrity of an Access Review protected after completion?

To ensure that the Review represents a point-of-time state, Veza utilizes immutable snapshots of your environment at the point of certification. Once complete, it isn't possible to delete a Review, or the Review Configuration that contains it.

Q: As part of certifications, we need to be able to retrieve reject decisions from Veza and feed them into governance and ticketing systems. Can we accomplish this?

Q: Our reviewers need to be able to see the context of how identities gain access to resources, not just the access that exists. How do I accomplish this?

Q: How can I customize and sort a Review?

You can show attributes for any source, destination, or intermediate node that Veza has discovered, using the column selector. Columns can also show approval status, assigned reviewers, and notes. From the Certifications view, you can apply filters to narrow broad sets of results down to actionable groups. You can apply decisions to more than one page of filtered results by choosing an action above the list of results.

Q: We need the ability to group users/systems together in the tables to approve all access for a specific user, is this possible?

We recognize the need to group rows by column in the certifications and the option is planned for a future release. You can use filters to focus on results (for example, an individual user name or resource id).

Insights and Reports

Q: What images/visualizations can be exported using Veza, and what will they contain?

Q: Does this mean that reports can be viewed within Veza?

Veza includes predefined reports that provide users with insights into their environment. These can be viewed within the platform.

Veza Platform

Supported Browsers

Veza is tested and optimized for use with Chromium-based web browsers. For the best experience and full functionality, we recommend using the latest versions of the following browsers:

Google Chrome
Microsoft Edge

Veza uses browser cookies to authenticate users to the platform. If you see an error when attempting to log in after a password change, try clearing out browser cookies before signing in again.

Security FAQ

At Veza, security is an integral aspect of the product, from the initial design to implementation, deployment, and daily operation. We embrace industry best practices including data-at-rest and inflight encryption, strict role-based access controls, and tenant isolation with zero external access.

Veza is committed to maintaining the confidentiality, integrity, and availability of customer data.
Veza is prepared to explain and demonstrate safeguards and compliance, and help meet customer security obligations.
Technology, regulations, and business change quickly. Veza will always adapt and improve safeguards to ensure entrusted data is always protected.

FAQ

How is communication between Veza and customer systems protected, and is all data encrypted? Veza implements industry-standard techniques to secure data at rest and in transit. All network traffic uses SSL/TLS certificates (HTTPS). All customer data and backups use disk-level encryption.

Are user passwords encrypted in transit and during storage? Yes. Veza local user credentials are encrypted using the Argon2 cryptographic algorithm during transit and secured with AES-256 encryption at rest.

How are integration credentials secured? Integration credentials are encrypted using RSA-4096. All other credentials, such as for Jira webhooks, are encrypted using AES-256. All platform communications use TLS.

Does Veza regularly undergo penetration testing by an independent party? 3rd-party scans for network and application vulnerabilities are part of Veza's cloud, application, and network security practices. The results of these tests are available under NDA.

What metadata does Veza collect from connected systems? Veza gathers metadata such as resource names and user IDs to generate the authorization graph and map relationships between identities and resources. Veza also collects attributes, such as last activity date or bucket encryption state, for use in search and insights. Veza retains this information for the duration of a customer account. Customer data is deleted within 30 days of service termination.

Does Veza have a Business Continuity and Disaster Recovery (BCDR) plan? Yes. Veza's incident response strategy is reviewed and tested annually.

Access controls

To maintain the integrity and confidentiality of customer data, strict access controls and principles of least privilege are diligently applied across all production and development environments.

Access to production and staging environments is limited to authorized Veza personnel only.
Multi-Factor authentication (MFA) is required to access all production environments and business applications
Dedicated VPN endpoint per cluster with granular access to each customer namespace
The Veza platform monitors and verifies access granted to critical systems

Cloud, application, and network security

Veza is a 100% cloud-based solution, using native AWS security controls to provide a layer of infrastructure protection for every customer environment. Key controls include:

Dedicated Kubernetes namespace for each customer
Application Load Balancer (ALB) with Web Application Firewall (WAF) for all inbound traffic
AWS Shield for protection against DDoS attacks
Private subnet where Veza software (including control, management, and analytics) open only to incoming traffic through environment-specific WAF and ALB.
VPN endpoint and bastion host for upgrades and maintenance only accessible by authorized Veza personnel using MFA

In addition to internal scanning and testing programs, Veza implements broad penetration tests by third-party security experts on an annual basis. Your Veza account executive can provide the penetration test report.

Compliance reports and certifications

Veza maintains SOC 2 Type II certification, demonstrating compliance in core trust service areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Additionally, Veza complies with the ISO 27001 standard for information security.

The SOC 2 Type 2 certification and report is available for all customers. Additional documents (such as Data Protection Policy, Data Security Exhibit, and summaries) are available on request.

Data encryption

Data is encrypted by default across the Veza platform, both at rest and in transit:

Communication between the Veza Control Plane and the Veza Insights Plane is always encrypted using SSL/TLS 1.2+ and AES-256 encryption.
Every Veza Insights Plane instance has a unique key pair. A public key encrypts all credentials uploaded by the customer in the Veza platform, ensuring that only the customer’s Veza Insights Plane can decrypt the credentials for that customer environment.
Disk encryption is enabled by default on all EKS compute instances, all databases, and all messaging subsystems.
Local user passwords are encrypted in transit and at rest.

Metadata collection and retention

Veza collects two kinds of information from customer systems: user identity information (such as first name, last name, and email) from identity providers, and resource metadata, enabling visibility and insight into privileged access.

Veza deletes all customer-related authorization metadata within 30 days of service termination, along with any reports.

Reports and data export

Veza users with the admin or operator role can generate reports in a range of formats, including PNG, CSV, and JSON. Veza administrators and operators can elect to publish Veza notifications to email addresses or other external systems.

Secure development practices

Veza adheres to industry standards and follows all best practices for secure software development, including:

Annual 3rd-party penetration testing
Code versioning and branching practices follow OWASP standards
Strong guidelines for error handling, availability, and security during the system design phase
For platform enhancements, Quality Assurance Engineering maintains a strong focus on automated unit testing, integration testing, and approved test plans.
All code merged to the production environment is peer-reviewed
Continuous security scanning as part of code developer flow
Separation of duties for staff who develop code and staff who push code to production
Design reviews conducted with engineering and product leadership during development and release cycles

Third-party vendor security

Veza minimizes third-party vendor risks by conducting security reviews on all vendors with any level of access to systems or data.

Advanced Security FAQ

Questions and answers for enterprise customers and security teams

This document addresses advanced topics on Veza platform security. These include questions about authentication, encryption and key management, access controls, network security, and other procedures ensuring the security of our SaaS and cloud-premise deployments.

SaaS Architecture

Veza's SaaS production environment runs on AWS. Our architecture emphasizes security, scalability, and efficient resource management with a multi-VPC structure. Key components include Amazon EKS for container orchestration, AWS WAF for web application security, and integrated monitoring tools.

Supported Authentication Methods

What authentication methods does Veza support?

Interactive Users: Local User Accounts, SAML Single Sign-On, OpenID Connect (Early Access).
Non-Interactive Access: API Keys

Security Measures in SAML-Based Authentication

For SAML-based authentication, do you handle user-provided XML? Do you validate XML to protect from malformed XML?

Veza accepts user-provided XML for SAML configuration. We validate the input to protect against malformed XML input.

For API authentication, do you support access tokens instead of API keys? If so, what tokens are supported?

Not at present.

Do you check if MFA is performed on the IdP side for single sign-on?

No. The desire that MFA is performed for session creation can be configured via ACR Values with OpenID Connect (OIDC). The configuration is specific your identity provider and the IdP configuration. It does not guarantee that the MFA was performed.

How long are access tokens valid? Is the duration of access tokens configurable?

The valid duration of regular session/access tokens is 20 hours (non-configurable). Session tokens must refresh every 15 minutes or will expire.
API keys do not expire.
The customer can configure session idle time on the Veza Sign-in Settings page.

Do you use cookies? How are your cookies defined?

Yes. We use cookies, including a session token, for session tracking. We assign our cookies as HTTPOnly and Secure.

Are all human users accessing Veza’s EKS backend required to use MFA?

All access to Veza's EKS backend is limited to a select few SRE individuals and requires multiple layers of MFA.

How does Veza avoid spoofing attacks, where an attacker impersonates the Veza application to gain unauthorized access?

Veza can prevent spoofing attacks. Here are the details:
- Using a single SAML-based IdP (e.g., Okta) as the SSO provider.
- Customers can disable local accounts.
- Customers can allow a Super Admin user, managed by the customer, access for break-glass situations. This user's activity can be audited for any actions the user performs.

Encryption and Key Management

How does in-transit and at-rest encryption for data ingested into Veza work?

For in-transit data, we support TLS 1.3 (default) with ECDSA, RSA, and TLS 1.2; for at-rest data encryption, we use AES-256-GCM. We use GPG to encrypt the secrets for all integrations.
Encryption and storage: All storage is encrypted at rest (EBS Volumes, S3 buckets, Database storage).

How are keys managed?

We use AWS KMS to manage and secure keys.

Does Veza implement chains of trust?

We use AWS Certificate Manager (ACM) to issue our public TLS certificates. Internally, we use our own certificate authority (CA) and self-signed certificates for mTLS between services to prevent a supply chain compromise of internal communications security.

How are keys rotated? How often are keys rotated?

We rotate AWS and Veza KMS keys yearly
Certificates are rotated every 6 months

How is communication between the Insight Point and Veza platform secured?

All communication between the Veza Platform and the Insight Point is performed via TLS (Transport Layer Security). All requests are also signed to provide data authenticity and integrity.

Access Controls

Access Control Infrastructure: At the infrastructure level (Kubernetes cluster, tenant), what access control does Veza enforce to ensure infrastructure security?

Only specific personnel have access to production environments.
We perform quarterly access reviews to audit production environment access.
Authorized personnel can only access customer-managed clusters through a designated bastion host.
Bastion host activities are monitored and audited via SysDig.
We require SSO and MFA for all production systems.
All cluster traffic is encrypted.
All internal communications use mTLS.
All access is tracked in audit logs.

Network Security

Is the network where customer data resides segmented from other networks, with only necessary ports and protocols allowed? Does Veza disable Public/Remote Access to EKS Cluster Endpoints?

Network policies isolate the tenant network. All external (incoming and outgoing) traffic is limited to the components that need it.
EKS access is only enabled from the Bastion host and limited to access from the private VPC. Public access is disabled.

Firewall and Intrusion Prevention: Does Veza Deploy Web Application Firewalls (WAFs) and intrusion prevention systems (IPS) to detect and block malicious traffic? Does Veza Regularly update signatures and rules? Is remote access to EKS cluster node groups disabled from the internet?

All external traffic must go through AWS WAF.
VPC traffic is analyzed and scanned to detect anomalies.
Signatures are updated automatically.
We restrict EKS node access to the private VPC from the bastion host.

Account Review

Does Veza routinely review accounts with access to production tenants and the EKS backend to ensure no stale or unauthorized accounts exist? Do you ensure that Cluster Node Group IAM Policies are maintained? Is the worker node IAM user for cluster EKS Namespaces segmented?

Veza performs regular quarterly access reviews.
Veza maintains least-privilege IAM policies/permissions.
IAM policy integrity is maintained by regularly reconciling infrastructure-as-code configured policy against the running policy.
Tenants have strong access isolation through the IAM policy and Kubernetes Role-Based Access Controls (RBAC).

Do you support multi-tenancy? If so, can you describe how accesses are isolated among tenants?

Yes, Veza supports multi-tenancy:
- Each tenant is an isolated deployment in a separate namespace
- Tenant data and permissions are isolated, with controls to prevent cross-tenant data access.

Access Control / Authorization in Product

Do you support RBAC for customer users in the same tenant? What roles are supported? What isolation is provided?

Veza supports four static roles:
- Administrator (user management, provider management, and system settings)
- Operator (access to all platform capabilities, like reports, rules, access workflows, etc.)
- Access Reviewer (a specialized role for participating in access reviews)
Two additional roles are available in Early Access:
- Viewer (Subset of operator role, preventing any changes or modifications)
- Re-assigner (Subset of operator role, allowing re-assignment of any result in an Access Review)
Veza also supports Teams to limit access to specific integrations: users in a Team can only see data for integrations assigned to that Team.

Other Capabilities

How does Veza avoid repudiation (the inability to prove the occurrence of events or actions leading to disputes)?

Veza implements logging and monitoring to maintain an immutable record of all service activity:
- Logs include the timestamp, the pod name that initiates the call, and all other operation details (which function, which line, etc.)
- Logs are protected against tampering and stored immutably
- We forward logs using TLS to our logging utility.
- AWS CloudTrail is also used to monitor and audit access to AWS assets through the command line or console.

How does Veza avoid Denial of Services for supported integrations?

Veza implements rate limiting for all integrations.
Veza also monitors and allocates resources appropriately to handle spikes:
- Default extraction intervals vary depending on the integration and can vary from 1 hour to 24 hours depending on target data source capabilities. Customers may set this to a larger time interval as desired.
- Our EKS backend uses auto-scaling groups to achieve elasticity based on usage.
- Resource usage is monitored and alerted on CPU, memory, and storage thresholds.

How does Veza avoid exploiting vulnerabilities to gain elevated privileges?

Veza uses strict permissions to ensure we use minimum necessary read permissions for each integration.
We audit Veza permissions and roles regularly.
Vulnerability Assessment and Patching:
- Veza EKS backend must undergo regular vulnerability assessments.
- Veza performs regular ECR image scans and patch images.
- Veza assesses discovered vulnerabilities and patches them per CISA standards.
- Veza automatically scans code dependencies continuously.
- Veza keeps all system components up-to-date with a regular upgrade cadence.
- Veza uses images with minimal dependencies necessary for each service.

Data Governance - Data Retention and Deletion

How does Veza define data retention policies for metadata stored in the EKS backend and ensure secure deletion methods that comply with industry standards (e.g., NIST's Guidelines for Media Sanitization)?

Veza deletes all customer-related authorization metadata within 30 days of service termination, along with any reports.
All metadata is stored in encrypted S3 buckets and encrypted EBS volumes. AWS deletion policies and procedures comply with NIST guidelines for media sanitization.

Monitoring & Incident Response

Anomaly Detection: Does Veza implement behavioral analytics to detect unusual patterns in data access or system behavior, which might indicate a breach or other security incident? Does Veza maintain a detailed incident response plan and conduct regular threat isolation and mitigation drills?

Veza uses behavioral analytics to detect anomalies in CloudTrail and VPC flow logs.
Incident response plans are created and routinely reviewed.
We perform incident response drills at least annually.

Continuous Monitoring: Does Veza implement solutions like Security Information and Event Management (SIEM) systems to gather, correlate, and analyze logs from all parts of the environment? Does Veza ensure CIS controls are met for the EKS and AWS resources used to store and manage customer data? Is a CSPM used to track CIS controls?

We use GuardDuty to continuously monitor Production AWS accounts, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Elastic Kubernetes Service (Amazon EKS) clusters, and data stored in Amazon Simple Storage Service (Amazon S3) for malicious activity.
We use Sysdig to continuously monitor bastion host activities. Only authorized Veza personnel can use the host to access EKS and related AWS resources for the production AWS accounts.

Release Notes

All the latest Veza features and enhancements

Version Information

Veza releases are named according to the deployment date and patch increment (e.g. v2024.9.23-1). You can find your current version by clicking the profile icon in the main Veza navigation menu.

For questions about specific versions or changes, please contact our support team at support@veza.com.

Bi-weekly Release Notes

Platform news, features, enhancements, and bug fixes in recent releases:

Historical Release Notes

Release Notes: 2025-05-28

Changes in Veza releases v2025.5.12-1 - v2025.5.26-1

Access Reviews

Enhancements

EAC-47127 Bulk Decision Clearing: Added the ability to clear decisions in bulk select mode, giving reviewers more flexibility when managing multiple review rows at once.
FR-3259 On-Demand Review Launch Options: Added configurable launch modes for Access Reviews triggered by Rules, enabling a wider range of review scenarios. Rule-based reviews now support Consolidated mode (single review for all triggered results) and Individual mode (separate reviews per result entity, up to 20 results). Consolidated reviews are automatically used for large result sets (>1000 results) to maintain performance.

Bug Fixes

EAC-47854: Fixed an issue where administrators couldn't see the Edit and Create Review buttons in Access Review configuration details screens.
EAC-48000: Fixed an issue where creating a review with disabled IdP settings would result in a CERT_STATE_ERROR state.

Lifecycle Management

New Features

FR-3418 Atlassian Provisioning: The Atlassian integration now supports SCIM-based provisioning and deprovisioning capabilities, enabling identity governance workflows for Atlassian Cloud environments. Organizations can now automatically manage user accounts and group memberships through Lifecycle Management policies and workflows.

Enhancements

EAC-48055 Date Format Transformer: Added a new DATE_FORMAT transformer for flexible date formatting during identity synchronization. Example: {hire_date | DATE_FORMAT, "2006-01-02"} converts dates to yyyy-mm-dd format.
FR-3651 Transformer Functions in SCIM Conditions: Lifecycle Management now supports using transformer functions within SCIM conditions for both Workflow trigger conditions and Action conditions.
EAC-47991 Policies: Autocomplete for Target Attributes: The Lifecycle Management Policy UI now supports autocompletion for the $target prefix on attribute transformers. You can now reference previously transformed attributes using $target. syntax to streamline complex transformation chains and reduce configuration errors.
EAC-47666 Configurable Unique Identifiers: You can now configure the attributes that will be unique identifiers within Sync Identity and Deprovision Identity actions, as well as Common Transformers. This enables administrators to specify the attributes that will be used to look up target users in supported integrations (currently Active Directory account_name).

Bug Fixes

EAC-48030 Notification Settings Management: The Lifecycle Management Policy builder now enables direct modification of notification settings without creating or publishing the policy.
EAC-48298 Common Transformer Blank Formatter Consistency: Fixed inconsistent behavior where blank formatters were disallowed in Common Transformers but permitted in Action Sync Attributes. Both functions now consistently handle empty values.
Azure Integration Fixes:
- EAC-48193: Fixed an issue preventing the reactivation of previously deactivated guest users. The system now correctly distinguishes between creating new guest accounts and reactivating existing blocked accounts.
- EAC-47734: Fixed an issue where the invited_user_email_address attribute was not being populated correctly when creating guest accounts via webhook notifications.

Non-Human Identity (NHI) Security

Bug Fixes

EAC-48177 NHI Display Issue: Fixed a tenant-specific issue where Non-Human Identity entities were not properly displayed in the NHI overview.

Access Intelligence

Enhancements

EAC-48303 ServiceNow Actions: When configuring Veza Actions for ServiceNow, you can now choose the Assignment Group and Configuration Item for created tickets.

Veza Integrations

Enhancements

EAC-47872 Salesforce: Updated the Salesforce integration to make the Enabled Salesforce Object Types field optional, allowing extraction of only IAM data if desired, without requiring additional object type selection.
EAC-47725 HiBob Custom Properties: Added custom property support for HiBob integration, enabling customers to extract and utilize additional identity attributes in search and Lifecycle Management workflows.
EAC-47965 Teleport: Added support for extracting SAML groups to role mappings.
AWS KMS Enhancements: Added support for additional AWS KMS key attributes:
- EAC-48255: Added support for Origin, KeyManager, KeySpec, and KeyUsage attributes
- EAC-48307: Added Next Rotation Date and Rotation Period attributes

Bug Fixes

EAC-48198 Active Directory: Fixed a syntax error that could cause failures during integration configuration.
EAC-47881 Beeline: Fixed an issue where Beeline report IDs were incorrectly flagged as secret values, causing them to appear blank after saving configurations.
EAC-48096 Privacera: Fixed incorrect role assignments for Privacera Portal Users.
EAC-48188 Snowflake: Network policy extraction is now optional and can be disabled if errors are encountered during integration.
EAC-47753 Workday: Improved extraction reliability and performance for large custom reports.
EAC-47743 Custom Identity Mapping: Fixed an issue with property matchers with multiple destinations where the dropdown for selecting attributes wasn't appearing properly.

Veza Platform

Bug Fixes

EAC-48058 Time Machine Historical Data: Fixed an issue in Time Machine where historical snapshots were missing. For SaaS tenants, this repair addresses potential data gaps from April 22, 2025, to May 22, 2025.
PLT-1788 MFA Login: Fixed an issue that prevented local users from successfully logging in with previously enrolled MFA.

Release Notes: 2025-05-14

Changes in Veza releases v2025.5.5 - v2025.5.12

Access Reviews

Enhancements

FR-3211 Urgent Digest Notifications for New Reviews: When configuring Digest Notifications, administrators can now enable "Immediately notify reviewers about newly assigned reviews" in Alerts settings. This provides an option for urgent notifications alongside the configured delivery frequency.
FR-3117 Improved Notification Email Templates: Two new placeholders are available for improved readability of accepted and rejected row summaries in notification emails:
```
{{REVIEW_ACCEPTED_REJECTED_ROWS_DATA_EXCLUDE_NODE_IDS}}
{{REVIEW_ACCEPTED_REJECTED_ROWS_DATA_WITH_NOTES_EXCLUDE_NODE_IDS}}
```
These placeholders print a list of row details with or without notes (e.g., [Result Id 1] From User "User 1" to Role "Role 2" because "reason"). Unlike their existing counterparts, the unique node ID is omitted.

Bug Fixes

EAC-47379: Fixed an issue where grouping by "status" in Access Workflow could sometimes lead to returning zero results.
EAC-47107: Fixed an issue where tag details were not displayed properly in the Review Configuration details.
EAC-46609: Fixed an issue resulting in internal server errors due to duplicate views in the database. This release includes a migration to remove any duplicate access review views.

Separation of Duties (SoD)

Enhancements

EAC-45865 Summary Export: You can now export the table view of the Separation of Duties overview page. Click Export Summary to generate a CSV including details such as last update time and user, risk level, results, and SoD manager for each query.

Non-Human Identity (NHI) Security

Enhancements

EAC-47467 Enhanced NHI Overview Tab: Non-Human Identity Security now features an improved Overview tab, providing a summary of priority integrations and discovered non-human identities across top integration types. Clicking any tile opens the Accounts tab to show specific NHI entities and risk scores, with options to assign entity owners, and run Veza Actions.

Access Hub

Bug Fixes

EAC-47676: Fixed an issue with the URL string appearing as the Manager name in Access Hub.
EAC-46999: Fixed an issue with deleted Access Profiles and profiles not in group membership appearing on the My Access page.
EAC-47618: Refreshing the manager's Access Hub also now refreshes Access Profiles and Top Roles shown on the right sidebar.

Access Request

Enhancements

EAC-46224 SSO Authentication for Sensitive Actions: Added ability to require Single Sign-On (SSO) re-authentication for Access Request actions, requiring users to re-login with SSO to complete the request.
EAC-47325 Access Profile Types: Added support for creating Access Profile Types with no entitlements with a new Limit to a Single Integration > Create local user/account only checkbox. This enables simpler local user account creation when specific entitlements aren't needed.
EAC-47486 Access Profile Pause Confirmation: A confirmation prompt is now shown when pausing an Access Profile, warning users that pausing the Access Profile will remove its entitlements for all members.

Lifecycle Management

Enhancements

EAC-47617 Direct Reports for Identities: Added a new Direct Reports tab to the Identities > Details screen. You can now use this page to get information about subordinate identities for any employee, with the same column options as the top-level identity table.
EAC-47831 Password Reset: Added an option to Enforce Password Change on Login for supported Sync Identity actions and Reset Password actions (Early Access).
EAC-47778 Password Complexity: Added complexity enforcement during password reset to meet Active Directory guidelines, including length, case variations, and non-alphanumeric character requirements.
EAC-47835/47657 Custom Properties as Unique Identifiers: Added ability to designate custom properties as unique identifiers for Lifecycle Management when configuring an integration, with initial support for Active Directory.
EAC-47350 Improved Filtering with Secondary SOIs: Enhanced filtering capabilities with secondary Sources of Identity (SOI), including proper handling of "eq null" comparisons. This allows workflow conditions to check attributes across primary and secondary identity sources with the system now examining the primary source first before checking secondary sources. When an attribute doesn't exist, "attribute eq null" now properly returns true.

Bug Fixes

EAC-4769 Correctly Displaying Attributes from Secondary SOI under Mover Properties: Fixed issue when selecting mover properties in Policy settings to now correctly display attributes from secondary sources of identity in dropdown selections.
EAC-47752 Ignore Dynamic Group Membership on Deprovisioning: Fixed Azure AD/Entra ID integration allow Lifecycle Management to ignore dynamic group memberships, preventing failures when attempting to deprovision users with dynamic group assignments.
EAC-47511 Correctly Filtered List of Access Profile Owners: When assigning Access Profile owners, the list of possible owners is now filtered to only include allowed users and groups.
EAC-47560 Removed Manual Profile Synchronization for Paused or Initial State Access Profiles: Removed the Manual Sync option for Access Profiles that are in Paused or Initial state.
EAC-47348 Mover Properties from Secondary SOI: Fixed an issue where mover properties in Lifecycle Management policies only displayed attributes from the primary Source of Identity (SOI). The selection dropdown now properly includes attributes from both primary and secondary sources, allowing attributes that exist only on secondary SOIs to be monitored for changes.
EAC-47087 Attribute Transformer String Handling: Fixed an issue in Lifecycle Management policy attribute transformers where pipe characters (|) inside quoted strings were incorrectly parsed as delimiters. This enables proper formatting of expressions like {attribute | SPLIT, "|", 0} when configuring transformers in Lifecycle Management policies.

Integrations

Enhancements

EAC-47116 Concur: The integration now supports the concept of "Role Groups" as scoping mechanisms that limit where roles can be applied for users. Role groups appear as a string list custom property (role_groups) on role assignments. Roles with no group limitations are marked as "*Global" for clarity.
EAC-47037 Google: Veza now extracts and shows Google Workspace Roles in Access Graph.
EAC-46035 Zip: New integration for discovering users, groups, and roles for the Zip procurement orchestration platform.

Bug Fixes

EAC-47708 Local State Synchronization Issue: Fixed an issue where graph nodes could be incorrectly removed when create operations failed. Previously, Veza would attempt to roll back these failed creations by removing the node, causing data inconsistency between read and write partitions. This fix implements a more robust rollback strategy using "clone" instead of "remove" operations.
EAC-47048 Azure and Active Directory: Fixed an issue when filtering Active Directory and Azure AD Group owners. To prevent conflicts, the owners attribute in AD/Azure AD is now renamed to managed_by in Veza.
EAC-47585 CSV Uploader: Fixed issue when creating custom number properties caused an error for invalid custom property types.
EAC-47445 LDAP: Fixed an issue with missing app assignments in custom LDAP integrations.
EAC-47397 Google Cloud: The denylist now fully iterates until the end if it doesn't match the value.
EAC-47143 MySQL: Fix for Empty Database after integration success.
EAC-46241 Active Directory: The Common Name property is now correctly populated for AD users.
EAC-45806 AWS RDS MySQL: Corrected RDS MySQL to not report unnecessary errors on a successful job.

Release Notes: 2025-04-30

Changes in Veza releases v2025.4.21-1 - v2025.4.28-1

Access Requests

New Features

EAC-46221 Entitlement Sync: Veza can now synchronize entitlements to enforce group assignments for Active Directory users.
This ensures that Access Profiles remain the authoritative source for linked Active Directory group membership, automatically re-adding removed users, removing unauthorized out-of-band additions, and recreating accidentally deleted groups.
- You can now enable continuous sync and configure the time between sync checks when creating Access Profiles that grant entitlements. In the Profile Type settings, configure a Time Before Sync Check in Seconds to enable synchronization for an Access Profile Type.
- When synchronization is enabled, Veza will periodically:
  - Verify target entitlements still exist with correct properties
  - Verify all profile members have proper relationships with entitlements
  - Remove relationships for non-members of the Access Profile
  - Recreate any missing Active Directory groups
  - Track the Lifecycle Management identity that created the profile
EAC-45946 Delegation and Deny Lists: Administrators can now configure delegate approvers, approver deny lists, and requestor deny lists in Access Request Settings.
EAC-47014 About This App Instructions: Custom "About This App" instructions can now be configured for any Access Profile directly via a sidebar, table, or row details action, with support for rich text via markdown.

Enhancements

EAC-46790 Automatic Profile Type Selection: If only one Access Profile Type is available, the type is now pre-selected when creating new Access Profiles.
EAC-46621 Manual Synchronization: Added support for manually triggering entitlement synchronization directly from Access Profile actions.
EAC-46439 Default Access Request Policies: Default Access Request Policies can now be defined per Access Profile Type.
Profile Type Settings now include the option to select a default profile, and enable or disable using alternate policies when creating profiles of that type.
EAC-46692 Profile Integration Limits: When creating a new Access Profile Type, integration options show a checkbox for the Limit to a single integration option. It can now be enabled concurrently with the options to "Limit to a single integration type" or "Allow multiple integration types" for profiles of that type.
EAC-46669 Pre-Set Integration: Profile creators are no longer prompted to choose a target integration when this setting is pre-determined by the Access Profile Type.
EAC-46655 Active Directory Account Name Support: Added support for account name as a transformer on Create Entitlement actions.
EAC-46576 Profile Creation Permissions: Administrators can now configure Veza users and groups allowed to create profiles using the Access Profile Settings > Manage Permissions menu.
EAC-46892 Profile Type Visibility: Administrators can now restrict Access Profile Type visibility for specific Veza users or groups using the Manage Permissions action on the Profile Types settings page.
EAC-46801 Profile Member Management: Administrators can now directly add or remove Access Profile members using the Access Profiles > Manage Members action.

Bug Fixes

EAC-46656: Fixed an issue where "Active Directory User not found" was displayed for users with graph mappings after Access Profile Owners add new members.
EAC-46566: Added feature checking for Access Request Settings and Access Request Policies. These tabs are no longer shown unless Access Requests is supported for the tenant.
EAC-46679: Naming validation is now performed during initial profile creation, preventing errors due to transformations exceeding character limits in provisioning targets.

Lifecycle Management

New Features

EAC-45078 Policy Safety Limits: Provisioning Policies can now include Safety Limits, blocking changes that impact more than a specified number of identities, and optionally triggering email notifications.
- When the safety limit is exceeded, further processing is halted. A warning will appear in the Policies UI, with options to view details, process the pending changes, or ignore and re-enable the policy.
- The Activity Log now shows a "SAFETY_LIMIT_REACHED" event, and policies that have encountered a limit have a warning shown next to their name on the Policies list.
EAC-45877 Policy Write Back Mode: Sync Identity Actions can now explicitly enable or disable Write Back Mode, preventing any changes to policy identity sources. When enabled, the action can include steps to update or create attributes in the identity source based on values in the target application.
EAC-46313 Coupa CCW: Added support for Coupa CCW as a source of identity.

Enhancements

EAC-46762 Policy Draft Mode: Administrators can now toggle Enable Policy Draft Mode on the Lifecycle Management Settings > Policy Settings page.
- When disabled, users can only save or edit the latest published version of any policy.
- When enabled, users can view version information and history using the See Version History action in the policy editor.
EAC-46919 Lookup Table Export: Added support for exporting lookup tables to CSV for troubleshooting purposes.
EAC-46940 Entitlement Type Selection: To prevent confusion when adding entitlements to an Access Profile, users now choose a single Entitlement Type before choosing one or more Entitlements of that type. You can add relationships to other entity types by adding new sets of entitlements.
EAC-46723 Fallback Transformers: Common Transformers can now include fallback formatters, used if the default transformation fails during attribute creation.
EAC-46578 Azure AD Guest Options: Azure AD Create Guest Account actions now support creating accounts with or without an invitation email.

Bug Fixes

EAC-46490 Active Directory: Fixed an issue with Lifecycle Management requests failing due to escaped commas in CNs.
EAC-46735 Okta: Fixed user status checking when activating users in Okta, resulting in hanging Sync Identities actions.

Access Reviews

Enhancements

EAC-46174 No Reviewer Filter: You can now filter the Reviewers column by Does not exist to find rows with no assigned reviewers.
EAC-45491 Group By Controls: When using the "Group By" option, reviewers can now quickly expand or collapse all groups.

Access Hub

Bug Fixes

EAC-47000 Paused Profile Visibility: Fixed an issue where Access Profiles could unexpectedly remain visible in the Catalog when the Access Profile was paused.
EAC-46658 Active Directory Group Entitlement Creation: Fixed an issue where Access Profiles could fail to create group entitlements for Active Directory.
EAC-46701 Performance Improvement: Improved performance when opening the My Access overview and Resources pages, and fixed an issue where empty pages did not load.
EAC-46657 My Access Visibility: Fixed an issue where certain users couldn't see the "My Access" option in the Access Hub side menu. All users with the following roles now see this option: Administrator, Operator, Viewer, and Reviewer.
EAC-46567 Access Profiles Menu Fix: Fixed an issue where the Access Profiles page within Access Hub appeared as a menu option while Lifecycle Management was disabled. The Access Profiles page is no longer available for customers without the Lifecycle Management product.
EAC-46852 Access Hub Identity Setting: Added a support-enabled setting to use either 1) the Global Identity Provider or 2) Lifecycle Management Identities to link Veza users logging in to Access Hub with their associated external identity.

Non-Human Identity Security

Enhancements

EAC-42804 Workday Integration System Users: Workday Accounts now include the Is Integration User property, indicating if the Account is an Integration System User (application or service principal). Two rules are now applied to identify NHIs:
- Accounts for Integration System Users have the nonhuman identity type, enabling NHI management and search for workloads using Integration System Users to access downstream resources.
- Accounts with UI access disabled (indicated by the Do Not Allow UI Sessions property) have the nonhuman identity type, even if they are not an Integration System User.
EAC-42806 Google Cloud Secret Manager: Added support for discovering Google Secret Manager Secrets and filtering by attributes last_rotated, status, and secret_type. The integration also now extracts and shows these attributes for KMS Keys.
- This enables review creation using an existing Review Configuration (typically scoping the generated access reviews to the target NHI entity types).

Separation of Duties

New Features

EAC-45202 View SoD Conflicts: You can now view the exact conflicting entitlements (e.g., groups, roles, or permission sets) from the Separation of Duties query details with a new View Conflicts action. Clicking Open In Analysis on the SoD landing page now shows this option to open a sidebar with the conflicting entitlements for each record.

Access Intelligence

New Features

EAC-45967 "Affected Entities" for Risks: The Risks page now includes an Affected Entities tab for searching entities in the results of Risks by node type, integration, and risk level. You can use row actions on this page to manage risk levels or view entities in Graph or Query Builder, and use row actions or bulk actions to add or remove exceptions.
EAC-45316 Redesigned Alerts UI: The Alerts page now has a redesigned Query Alerts and Rules tabs for reviewing triggered alerts and all configured rules. The Rules tab includes a new sidebar for viewing details, opening saved query details, and editing rule details and conditions.

Enhancements

EAC-46651 Query Export Secondary Emails: Users can now select secondary email addresses when scheduling query exports, and export emails will be sent to those addresses as well.
EAC-46403 Dashboard Exports: Exporting dashboards to CSV now includes a column for minimum and maximum risks during the selected time range.
EAC-46317 Query Details: Query explanations in Query Details view are updated to better communicate saved query conditions.

Bug Fixes

EAC-46847: Fixed an issue preventing access recommendations from running on the Recommend page.

Access Monitoring

New Features

EAC-46316 Google Activity Monitoring: Added support for generating activity monitoring events when a Google Workspace User accesses resources by impersonating a Service Account.

Enhancements

EAC-45134 Last Activity Filtering: In Query Builder, you can now filter results on the "Last Activity At" and "Last Activity With Resource At" columns. These filters enable tracking both:
- Last time of any activity for a particular entity/resource
- Last activity from a particular identity on a particular resource
Note that these filters are only enabled for services that support Activity Monitoring.

Veza Integrations

New Features

Enhancements

EAC-46960 Okta: Added support for the WORKFLOWS_ADMIN built-in Okta role.
EAC-46907 Open Authorization API: The Custom Identity Provider template now supports setting an external identity on IDP Groups for identity mapping purposes.
EAC-46619 Salesforce: Added RecordTypeId attribute to Account and Opportunity Salesforce objects
EAC-46532 Workday: Added support for gathering Workday Workers Custom Reports using an OAuth token.

Bug Fixes

EAC-46241 Active Directory: CommonName attribute is now correctly populated for Active Directory Users.
EAC-46896 AWS: Fixed datasource removal for AWS IAM.
EAC-46362 Exchange Online: Fixed Exchange Online errors when extracting mailbox folders for non-enabled users.
EAC-46571 GitHub: Fixed a typo for GitHub role permission delete_tag_protection_rule.
EAC-46667 MySQL: Fixed MySQL database error: cannot extract proxies_priv.
EAC-46690 Okta: Improved handling of X-Rate-Limit-Limit header for Okta.
EAC-46645 Oracle EBS: Fixed unmarshalling of float menu entry sequences for Oracle EBS.
EAC-47075 Salesforce Commerce Cloud: Trim trailing slash from config hostname for Commerce Cloud.
EAC-46630 Snowflake: Added check for Snowflake if the optional secrets view exists before extracting from it.
EAC-46649 SQL: Removed port validation for SQL server.
EAC-46898 Veza: Fixed Veza (self) integration to properly initialize.
EAC-46875: Fixed an issue causing extractions to hang in the Pending Parsing state.
EAC-46715: Fixed extraction failures with multiple sources of identity enabled.

Veza Platform

New Features

Release Notes: 2025-04-16

Changes in Veza releases v2025.4.7-1 - v2025.4.14-1

Access Reviews

Enhancements

EAC-46051 Reviewer Reassignment Control: Administrators now have the ability to restrict individual reviewers from reassigning their review rows. This setting can be enabled within individual Review Configurations (toggle Enable Reviewer Reassignment) or globally under Access Reviews > Settings > Reviews > Enable Reviewer Reassignment.
EAC-45064 Email Notification Template Enhancements: Administrators can now create multiple notification templates for the same event type and assign them to specific review configurations under Access Reviews Settings > Notifications > Notification Templates. Custom notification templates can now be used to:
- Create one default message template per event type (applied to all configurations)
- Create unlimited additional templates for each event type
- Assign specific templates to individual review configurations
- Previously, only one template could exist per event type, which applied to all configurations.
  This allows organizations to tailor notification language to specific teams or departments while maintaining consistent messaging elsewhere.
  Additionally, the workflow for adding templates is improved for more streamlined mapping of different event types to custom notification templates. Users cannot assign multiple templates to the same review configuration and event type.
EAC-44977 Improved CSV Export Formatting: When exporting the list of access reviews to a CSV file, the certification state is now displayed in a human-readable format (e.g., "Expired" instead of "CERT_STATE_EXPIRED"). Available states include: In Progress, Expired, Errored, and Completed.

Bug Fixes

EAC-46207 1-Step Review UI Fix: Fixed an issue where the option to launch a 1-step Review was shown when the feature was unavailable, resulting in unexpected UI behavior.
EAC-45765 Create Access Review Action Fix: Fixed an issue where no access review is created when an administrator manually triggers a Lifecycle Management workflow where "Create Access Review" was configured as an action.

Access Requests

Enhancements

EAC-46366 Access Profile Types: It's now possible to create multiple conditional entitlement rules within a single Access Profile Type. This can streamline administration by defining entitlement creation logic based on specific conditions within a single configuration.
- Administrators can now define one or more rules with string conditions or any-match criteria when adding profile types.
- Each rule can trigger different entitlement creation based on your business requirements, reducing the need to maintain separate profile types for similar scenarios.
- For example, you could define a single profile type that creates different entitlements for developers based on their department or location.
EAC-45944 Access Profiles: For more precise control over how user attributes are transformed during provisioning, you can now choose specific sync identity actions to use when creating entitlements through Access Profiles.
- This enables different formatting rules to apply based on the entitlement granted.
- For example, you can configure one group to use a standard username format while another uses an administrative format when the same user needs accounts in both contexts.
EAC-45030 Slack Notifications: You can now integrate Access Requests with Slack notifications to send messages when an access request changes state.

Lifecycle Management

Enhancements

EAC-46262 ASCII Transformer for Identity Attributes: Lifecycle Management policies now support an ASCII transformer for handling international character sets. This transformer:
- Removes non-printable characters
- Converts non-ASCII characters to their closest ASCII equivalents to prevent provisioning errors for systems with character limitations such as Active Directory sAMAccountName restrictions.
EAC-42675 "Additional Formatters" in Lifecycle Management Policy Workflows: It's now possible to add additional formatters for attributes in the Sync Identities action of a workflow. These fallback formatters will be used when there is a conflict due to a unique ID attribute already being in use.

Bug Fixes

EAC-46297 Access Profile Member Search: Fixed a visibility issue that prevented Access Profile owners from seeing all available users when adding new members to an Access Profile.
EAC-46002 Access Hub Navigation: Fixed an issue in the Manager's Access Dashboard where the browser's Back button wouldn't properly return users to the Overview tab when viewing a user's specific resources.

Non-Human Identity Security

Enhancements

EAC-46382 Azure Managed Identities Classification: Azure Managed Identities now automatically have the "nonhuman" identity type, enabling NHI management and search for Azure workloads using managed identities to access downstream resources.

Access Intelligence

Enhancements

EAC-46502: The "Save As New" action is now available for uneditable queries, allowing users to create copies of system or reference queries they couldn't modify directly.
EAC-46076: Added a universal search bar from the Dashboards > Favorites page for all dashboard pages.
EAC-45868: By default, Dynamic Dashboard/Report sections with the same name are now merged when fetched. The skip_section_merge parameter is available on the List and Get API methods to display the separate sections.
EAC-45721: Risks and daily Risk aggregate counts may now be filtered by integration type:
- Newly detected Risks now include their integration type.
- Pre-existing Risks will have their integration types populated via a background job.
- Daily aggregate counts for previous dates cannot be updated, but new aggregates will begin including the necessary data for filtering by integration type.
- During the background update process, there may be temporary discrepancies in new daily aggregate counts filtered by integration type, but these will resolve once processing completes. All existing filter views remain fully accurate.
EAC-45328: Tables that show large numbers of tags now use a smart tag display system that shows a limited number of tags with a "+X more" indicator.
- You can now view the complete list of tags in a slideout panel by clicking on the cell.
- This change should significantly improve page load times and overall application stability for searches involving extensive tag data.

Bug Fixes

EAC-46306 AWS Policy Processing: AWS policies with ARN principals using StringSliceMatch conditions are now properly evaluated, preventing potential permission evaluation errors.

Veza Integrations

Enhancements

EAC-46376 Okta "Sync Users Only" Option: When configuring an Okta integration, administrators can now limit extractions to user entities, skipping groups, apps, roles, role assignments, app users, and app groups. When using this option, only okta.users.read permission is required for the integration.
EAC-46276 CSV Upload Enhancements: An improved CSV upload flow for creating integrations is now generally available. The new integration supports modeling custom applications and HRIS systems using imported data, and mapping CSV columns to custom or built-in entity attributes.
EAC-46094 Active Directory Kerberos Authentication: Added the ability to specify an explicit Service Principal Name (SPN) when using Kerberos authentication for Active Directory integration. This optional field defaults to ldap/<domain_controller_hostname> if not provided.
EAC-45883 Workday: Optimized performance when saving a Workday integration by reducing the number of reports fetched.
EAC-45410 CSV Upload: When creating an HRIS integration from CSV, you can now specify a list of columns for mapping local users to associated IdP identities.
EAC-46235 Salesforce: Supported extraction of additional attributes on Salesforce objects:
- CreatedById
- CreatedDate
- LastActivityDate
- LastModifiedDate
- LastModifiedById
- OwnerId
- SystemModStamp
- Account: Type
- Opportunity: Type, StageName

Bug Fixes

EAC-34457 Active Directory: Fixed AD integration not working when Insight Point is changed.
EAC-44482 Oracle EBS: Fix for missing menu bindings in effective mode when a menu tree could contain the same submenu at different parts of the menu tree.
EAC-45123 Oracle EBS: Fix for missing functions on AZN Menus when the function belongs to a submenu that was not an AZN menu.
EAC-45307 Oracle EBS: Fixed a connection issue that could result in SESSIONS_PER_USER limit errors.
EAC-45370 Privacera: Added support for Privacera portal roles.
EAC-45492 Active Directory: Corrected typo in AD sync status.
EAC-45543 Windows: Fixed Windows File Share folder id generation to retain folder tags.
EAC-45901 Dropbox: Fixed "Error getting Dropbox credentials from environment" message.
EAC-45998: Fixed form validation for integrations.
EAC-46043 Azure: Fixed parsing of AzureAdLicense entities.
EAC-46098 Artifactory: Fixed a bug forcing the usage of http prefix in URL.
EAC-46168 Salesforce: Fixed Commerce Cloud parsing to not fail on missing effective permission mapping.
EAC-46206 Azure: Fixed an issue where the Manager attribute field couldn't be selected when filtering Azure AD Users.
EAC-46357 Azure: Fixed pagination for MS Dynamics client.
EAC-46365 Oracle EBS: Fixed an error that could occur when attempting to change the integration Insight Point.
EAC-46414 CSV Upload: Fix for user-role mapping with CSV upload.
EAC-46459 Okta: Supported extracting Okta users with only email field.

Release Notes: 2025-04-02

Changes in Veza releases v2025.3.17-1 - v2025.3.31-1

Access Intelligence

New Features

EAC-44833 Query Change Logs: You can now review a complete change history for any query using the Show Edit History option when viewing Query Details. A sidebar now shows all changes to date, including modifications to risk level, query permissions, or query parameters.
EAC-44131 Manager Assignments for Separation of Duties: For improved governance, ownership and better delegation of Separation of Duties (SoD) queries, we've introduced new functionality and terminology specifically for delegating and managing SoD queries.
- New SoD Managers: The term "SoD Manager" now replaces "Owner", creating a clear distinction between query creators and those responsible for managing SoD policies
- You can now assign and change SoD Managers.
- Multiple SoD managers can be assigned
- You can now select multiple SoD queries and assign one or multiple managers to all items.
SoD Manager assignment options are available on the Separation of Duties overview page. Look for the new "Assign SoD Manager" button.

Enhancements

EAC-45672 Veza Actions: To provide greater clarity when configuring outbound actions (such as webhooks for alert rules, email notifications, and Access Review automation), Orchestration Actions are now referred to as Veza Actions throughout the product interface. The new terminology should more intuitively communicate that these are actions originating from the Veza platform.
EAC-45501 Email Alerts: Emails sent for alert notifications now show the friendly entity name instead of the entity unique id.
EAC-45096 Enrichment Rules: Enrichment rules now have a Priority field. This defaults to 0.0 and has a maximum of 10.0. The higher the priority, the later it will run, meaning that higher priority rules will override values set by lower priority rules.
EAC-39274 VQL Autocomplete: The VQL editor now provides autocomplete suggestions, for improved user experience with faster and more accurate query completion.

Non-Human Identity Security

Enhancements

EAC-45008 NHI Account Summaries: There is now a banner above the NHI Security > Accounts page, indicating how many total NHI accounts are detected, and which integrations they come from.

Access Requests

New Features

EAC-45655 Access Request Approvals with Veza Groups: Veza Groups can now be added to an Access Request Policy when selecting other approvers, in addition to individual users.
EAC-45028 Application/Integration Owner Approvals: It is now possible for the Application/Integration Owner to be designated as an approver within an Access Requests Policy.
EAC-45027 Access Requests Digest Notification: Access Request digest notifications are now available, showing the recipient user a summary of requests created and completed during the selected time range.

Enhancements

EAC-45534 Custom Property Value Constraints: Specific values can be defined in Access Profile Settings as constraints for custom property values. When these specific values are set, the value of a custom property is limited to the preconfigured value.
EAC-45533 Custom Properties for Entitlements: Entitlements can now have custom property values applied to them, differing from custom properties associated with the Access Profile.

Access Reviews

Enhancements

EAC-45059 Prevent Reviewer Reassignment: Administrators can now prevent individual reviewers from reassigning review rows. This setting can now be configured globally on the Access Reviews > Settings page or per Review Configuration (via API).
EAC-44730 Integration Parsing Warning for Reviews on Active Graph Data: When creating an access review, a warning message has been added to the "From the moment the review is created" option to illustrate that it will temporarily pause all active data source parsing jobs until the review creation completes.

Bug Fixes

EAC-45179 Auto-Assignment to User Managers Fix: Fixed an issue preventing certain managers from being correctly identified during auto-assignment.
EAC-46001 Current User Lookups Enhancement: When looking up the current user in the Access Graph, Veza now uses the idp_unique_id property of identity provider users as a fallback if there is no matching email property. Previously, lookups would fail if the email property didn't match.

Lifecycle Management

New Features

EAC-39491 New Lifecycle Management Landing Page: A new Lifecycle Management landing page was released and is being progressively enabled for customers. Among the highlights of this new landing page are:
- An overview, status, and statistics for Lifecycle Management policies
- An overview and statistics for Access Profiles
- Identity metrics for active/inactive identities
- An overview, health status, and statistics for Integrations
- An overview of pending and completed access requests by status
- A summary of recent provisioning errors
- A summary of recent provisioning activity

Enhancements

EAC-45701 Active Directory as Identity Source: Active Directory can now be used as an identity source for both Lifecycle Management and Access Requests.
EAC-45093 Azure AD Guest Invitation Creation: The option to create an Azure AD guest user invitation has been added to Sync Identities actions for Azure AD.
EAC-45086 Azure/M365 License Management: Lifecycle Management can now add and remove M365 licenses for Azure AD users with the Manage Relationships action in a Lifecycle Management workflow.
EAC-45083 Identity Attributes in Email Templates: Any attributes provisioned by Lifecycle Management can now be piped into Lifecycle Management email notification templates.

Bug Fixes

EAC-45765 Lifecycle Management Access Review Creation Fix: Fixed an issue where no access review was created when an administrator manually triggered a Lifecycle Management workflow where Create Access Review was configured as an action.
EAC-45495 Access Reviewer Pagination Fix: Prior to the fix, only the first page of reviewers was shown in the Reviewer dropdown when creating the action.
EAC-44801 API Response Missing Value Fix: Prior to the fix, the value for access_profile_ids was missing after POST /api/private/lifecycle_management/policies/<policy_id>:dry_run.

Veza Integrations

New Features

EAC-45752 Dynamics ERP Integration: The Azure integration can now discover Users, Groups, Application Users, and Security Roles for Microsoft Dynamics 365 ERP.
EAC-44077 Coupa CCW Integration: New Integration for Coupa Continent Workforce (CCW).

Enhancements

EAC-45700 Integration Overviews Categorization: When viewing the summary of discovered entities on the integration overview page, entities are now grouped into three categories for better readability:
- Identities (principals accessing resources)
- Resources (entities on which a principal can take actions)
- IAM Entities (entities that specify and assign permissions such as roles, groups, role bindings, and permission sets).
EAC-42806 Google Cloud Enhancements: Added support for discovering Google Secret Manager Secrets and filtering by attributes last_rotated, status, and secret_type. The integration also now extracts and shows these attributes for KMS Keys.
EAC-45085 Microsoft Azure License Entities: Azure/Microsoft 365 Licenses are now represented as searchable entitlement entities that can be related to one or more users. Previously, license information was only available as a user property.
EAC-43469 Microsoft Azure Role Attributes: Azure AD Roles now include attributes to show the full role Description and indicate if the role is Privileged.
EAC-45419 Open Authorization API Identity Type Support: The oaaclient SDK now supports setting identity type (human or nonhuman) for Custom IdP Users.
EAC-44051 Snowflake Network Policy Attribute: Snowflake Users now have the Network Policy Exists attribute, set to true when a Network Policy has been added to the user.

Bug Fixes

EAC-45690 Azure Custom Roles Fix: Added handling for custom roles and custom role assignments.
EAC-45631 OAA Custom Identity Mappings Fix: Fixed an issue with custom identity mappings between Okta and Users created with the "Custom Principle" OAA template.
EAC-45883 Workday Integration Performance: Optimized performance when saving a Workday integration by reducing the number of reports fetched.
EAC-45548 Workday Identity Mapping Fix: Fixed an issue where Workday identity mapping configurations did not include all relevant node type properties.
EAC-32570 Windows Server Task IDs: Changed Windows Server Scheduled Task unique IDs to match the task's fully qualified path.

Veza Platform

Enhancements

PLT-1050 API Keys Management: Veza API keys can be blocked by customers via the Enable API Keys option found within Administration > Sign-in settings.
PLT-1309 API Keys Disable Behavior: When API Keys are disabled from the UI, all API key access is disabled. The API keys management page is hidden for all users.

Release Notes: 2025-03-19

Changes in Veza releases v2025.3.10-1 - v2025.3.17-1

Non-Human Identity Security

Enhancements

EAC-45004, EAC-44959: The NHI Accounts page now includes the "Type" column to indicate what entity is listed and options to filter by integration and integration type.
EAC-44949: The NHI accounts page now contains a "view details" button for each line item which brings you to a query details page for the specific result.
EAC-43200: Enrichment rules are now supported for all integrations that use custom application templates (e.g., Terraform, DocuSign, PagerDuty, and Zoom).

Access Intelligence

Enhancements

EAC-28997: The Graph search home page now includes your customer name, e.g., "Welcome to Evergreen Trucks Access Graph." Contact your Veza Customer Success Manager to customize this setting for your tenant.

Bug Fixes

EAC-44927: Fixed an issue where scheduled export links could appear as expired before reaching their 28-day limit.
EAC-44219: Some legacy reports could contain private queries despite being a public report, a condition that is no longer permitted. Veza now filters out all private queries from public reports to unify this behavior.
EAC-34937: Fixed an issue where the user was unable to attach a webhook when editing an existing rule.

Access Reviews

Enhancements

EAC-45381: In the reviewer interface, display options to Include Other Reviewers' Decisions, Include Signed-Off Rows, and Compare With Prior Review are now contained in the View dropdown menu above the results. These were previously under the "Filters" menu, which has been relocated for better visibility.
EAC-45426: A "help" link is now shown when configuring digest notifications.
EAC-44466 New Iconography for Effective Permissions: Reviewers can now more easily scan reviews to identify access permission differences with new visual indicators that highlight variations in Effective Permissions. These indicators use color and icons to distinguish permission states, making pattern recognition across multiple rows faster. This Early Access feature is now enabled by default.
EAC-44467: In-column actions are now enabled by default in the reviewer interface, providing an easier way to rename, hide, filter, sort, or group by individual columns.
EAC-43560: Administrators and Operators can now customize column names, order, and visibility in the reviewer interface and publish these settings for all reviewers. A new "Admin" button allows administrators to set the current column settings as the default for all reviewers, manage renamed columns, or edit the review configuration. Any customizations made will apply to all reviews using the same configuration.
EAC-40094: Administrators can now configure predefined approval, rejection, and custom decision notes directly in the Veza UI. This ensures consistency in the review process by providing standard note options for reviewers.
EAC-43220: When using alternate lookup settings for review auto-assignment, auto-assignment now functions for rows that include users in the main IdP.
EAC-42732: PDF exports now include completed, approved, rejected, and unactioned row percentages.
EAC-45240: When using the Group By option in access reviews, reviewers can now sign off with a single click once all rows in a group have a decision. Additionally, reviewers can use the Clear Decision row action to reset any item that has not yet been signed off. A Signed Off badge now indicates when all rows in a group are final.

Lifecycle Management

Enhancements

EAC-44703 In a "Mover" Lifecycle Management Policy workflow, it is now possible to configure a grace period before removing entitlements: When a user changes job roles the organization may want to allow them continued access to the previous job role's entitlements for some time. You can now configure this in a Lifecycle Management Workflow in the "Manage Relationships" action.
EAC-44063 Retired and Draft Access Profile Versions: If Access Profile versioning is enabled, it's now possible to view retired or draft versions of the Access Profile in addition to the currently published version.
EAC-45090: Workflows now support "Password Reset" actions, enabling you to create identities in advance of an employee's start date and then automatically set their password on an actual start date.

Bug Fixes

EAC-44674: Fixed an issue with custom property validation in attribute formatters.

Access Requests

Enhancements

EAC-45025: You can now select how user identities are uniquely identified when logging into the Access Hub using SSO, either by email address (default) or employee ID.
EAC-44386: Access Profiles now allow adding customer-defined properties to add more metadata to the Access Profile. This enhancement also includes the ability to search on the customer-defined properties and their values.

Veza Integrations

Enhancements

EAC-44726 Microsoft Azure: The integration now discovers groups assigned to Azure AD (Entra ID) roles, and supports search for users within those groups.
EAC-45125 Active Directory: Adds support for Kerberos authentication when binding to LDAPS.
EAC-45299 Active Directory: You can now choose to exclude disabled users from extractions when configuring the integration.
EAC-44076 Exchange Online: The Azure integration can now discover Exchange Online Role Groups.
EAC-45418 Open Authorization API (OAA): The Custom Identity Provider template now supports setting the identity_type property during user submission, allowing identities to be designated as either human or non-human within the payload.
EAC-45138 Okta: Both STAGED and PROVISIONED user statuses are now considered as isActive = false (no activity).

Bug Fixes

EAC-45144 SharePoint: Adds support for skipping discovery of SharePoint sites with identical GUIDs.
EAC-45234 Active Directory: Fixed handling of surname attribute in Active Directory integration.
EAC-44993 Teleport: Fixed a "Connection Refused" error when configuring the Teleport integration.
EAC-44858 AWS KMS: Adds error handling for UnsupportedOperationException.
EAC-44395 AWS Redshift: Invalid database names are now skipped during extraction.
EAC-43517: Integration names in Veza now support additional characters (such as (), -).

2024.9.23

Changes in Veza release v2024.9.23

Access Intelligence

Enhancements

EAC-39081 Risk Remediation: You can now see if a risk has remediation details, directly from the main Queries With Risks overview. A new column indicates if remediation is available, with a link to open the details in a sidebar.
EAC-39082 Saved Queries: After paginating the Saved Queries overview and navigating to another page, the browser's back or forward functionality now opens the last visited page.
EAC-36286 Enrichment Rules for Open Authorization API: Enrichment rules for marking entities as privileged roles, critical resources, or non-human identities now support OAA integrations.
EAC-38510 Enrichment Rules Configuration: Added a private API for disabling specific enrichment rules.

Access Monitoring

New Features

EAC-38647 Cohort API: Added a private API to get a common least privileged role from a list of Snowflake users.

Bug Fixes

EAC-39172 Okta: Activity Monitoring for Okta now supports agentless Desktop SSO.

Access Visibility

Enhancements

EAC-39054 Access Search: Clicking a risk score in graph search now opens the risk score details.
EAC-38159 Open Authorization API: Improved performance when calculating "Relates To" entity types.

Veza Integrations

New Features

Enhancements

EAC-38902 Open Authorization API: The HRIS OAA Template now supports full identity mapping configurations.

Bug Fixes

EAC-38916 Confluence: Truncated resource description length to the current max length of 256 characters.
EAC-37356 Oracle Fusion Cloud: Fixed a timeout for Oracle Fusion Cloud integration.

2024.9.16

Changes in Veza release v2024.9.16

Access Intelligence

New Features

EAC-37942 Query Builder: Users can now see a description of the selected entity type grouping by hovering over the info icon when such a description is available.

Enhancements

EAC-38321 Manager Dashboard Overview: Managers can now view and filter resources grouped by integrations on the Overview tab. Clicking on a specific resource name or count opens the new Resources tab for more details.
EAC-38090 Role Recommendation: Added support for role substitution for Snowflake.

Access Reviews

Enhancements

EAC-36545 Access Review Digest Notifications: Access Reviews now support digest emails for informing reviewers of work they have left to do.

Access Visibility

Enhancements

EAC-37949 Dashboard Performance: Enhanced dashboard loading performance.
EAC-36713 Graph Visualization: Added keyboard and mouse movements for easier usability.

Lifecycle Management

Enhancements

EAC-38827 Identities: Moved Identities to the top navigation, instead of under a policy
EAC-38689 Azure: Added an option to remove personal devices from Intune when de-provisioning users.
EAC-38558 Policies: Added the ability to set notifications on individual actions, as well as global notifications for the policy.

Veza Integrations

New Features

EAC-38222 Power BI Connector: New integration supporting Power BI for visibility to Users, Roles, Permissions, Groups, and Workspaces.
EAC-37362: Support for Oracle JDE in-platform connector

Bug Fixes

EAC-38670 Integrations Page: Renamed column from "Team" to "Team Owner."
EAC-38916 Confluence: Truncated resource description length to the current max length of 256 characters.
EAC-38730 Swiftconnect: Omitted collection of Swiftconnect access credentials.
EAC-38603 Workday: Added LIMIT Clause with 1000000 value
EAC-37512 Okta: Handle imported group events incrementally
EAC-35963 Integration Events: Renamed data source "warning" filter label, now included in "error" filtered results

Veza Platform

New Features

Global Navigation Enhancements (Early Access): You can now browse Veza products and features from a new global sidebar on the left side of the screen, which can be collapsed to focus on the current task, and features updated visuals to better align with Veza's public branding. Clicking an updated navigation icon opens the primary landing page for Integrations, Access Intelligence, Access Reviews, and other top-level products, with the option to open individual sections and features from links in the top bar. These changes are part of a larger design overhaul; please reach out to our support team to enable the new user experience.

Enhancements

2024.9.9

Changes in Veza Release v2024.9.9

Access Intelligence

Enhancements

EAC-38418 Scheduled Exports: Scheduling exports for a saved query now includes the option to Export to CSV in Email with Secure Link, supplementing the original option to export query results to Snowflake. You can configure these exports by choosing a frequency and target email from configured Orchestration Actions. Veza will email a secure link at the scheduled intervals that recipients can use to download the results.
EAC-38166 Access Intelligence: The Analytics page is now the default landing page when navigating to Access Intelligence.
EAC-36447 Enrichment Rules for Critical Resources: Administrators can now define enrichment rules to mark resource-type entities as "critical" on the Integrations > Enrichment page. Depending on the configured enrichment rules, these resources now have the built-in attribute Criticality Level set to LOW, MEDIUM, HIGH, or CRITICAL.
EAC-38321 Manager Dashboard: Managers can now view and filter resources grouped by integrations on the Overview tab. Clicking on a specific resource name or count opens the new Resources tab for more details.

Bug Fixes

EAC-37251 Dashboards: Filtering by type on the Analysis page now shows correct results.
EAC-36780 Query Builder: The relationship between a selected destination node and resource node in Graph search is now shown when opening a destination entity in Query Builder table results.

Access Reviews

Enhancements

EAC-37782 Quick Query Builder: When creating a new review configuration, you can now use a simplified builder to choose from applications, resource types, and review scopes based on common access review queries.
EAC-34897 Multi-Level Approval and Sign-Off: You can now enable second-level reviewers when creating a new access review.

Access Visibility

Enhancements

EAC-38290, EAC-38347 Path Summary Details and Export: When summary entities are enabled to show intermediate roles, groups, or other entities in the path connecting a source and destination, attributes for each selected entity type are now presented in dedicated column groups. Summary entity attributes can be shown or hidden using the column selector, and visible columns are included when exporting query results.
EAC-38446, EAC-38320 Tags in Query Builder: You can now choose one or more source or destination tag keys to show and export dedicated columns for each one, supplementing the original Include Source/Destination Tags option to include all tags in a single column. The Query Builder API now supports an array of tags_to_get.
EAC-38652, EAC-38271, EAC-38266 Entity Type Groupings: Searches that use an entity type grouping to query multiple entity types (such as User) can now show columns for any properties on entities within the selected grouping (before, only name, id, and type were supported). You can hide or show these columns using the column selector. When queries specify individual entity types within a grouping, the column selector now shows attributes just for those entities.

Lifecycle Management

Enhancements

EAC-38246 Activity Log: Added a Workflow Tasks table to show more information about workflows executed on an identity.
EAC-38161 Event Export: Events in the Activity Log can now be exported to CSV or PDF.

Veza Integrations

Enhancements

Bug Fixes

EAC-37943 Jamf Pro: Fixed missing permission creation and invalid site assignment errors.

Veza Platform

Enhancements

EAC-38148 Events: You can now use the time range selector to filter events by Past Hour.

Bug Fixes

EAC-38275 Email Digests: Fixed an edge case for disabled Veza users receiving digest emails.

2024.9.2

Changes in Veza release v2024.9.2

Access Intelligence

New Features

EAC-38322 Manager Dashboard Resources Page: A new Resources section on the manager dashboard now enables managers to inspect all resources of a specific type in a paginated table view.

Access Reviews

Enhancements

EAC-38251 Preview API and Webhooks: When enabled in the review configuration, enrichment data from an IdP or HRIS provider as well as tags on source and destination entities are now included in API responses and webhook payloads.

Access Visibility

Enhancements

EAC-38272 Query Builder: To enable constraints on several entities of different types, tag filters can now be applied to entity type groupings such as "User."

Lifecycle Management

Enhancements

EAC-38161 Activity Log: Lifecycle Management events can now be exported to CSV or PDF.
EAC-38160 Identities: Added a full screen table view for viewing details and events for specific identities.

Bug Fixes

EAC-38123: Fixed an issue with AD manager attribute sync during de-provisioning.

Veza Integrations

New Features

Enhancements

EAC-38369 Workday: A configuration option Gather Inactive Workers is now available for Workday integrations. Disabling this option will skip inactive workers from Workday extractions.
EAC-38291 Jamf: Added an optional URL parameter to integration configuration, used for API connectivity (including an alternate port if necessary).
EAC-37814 Privacera: You can now specify an optional CA Cert and Privacera instance URL when configuring the integration.

Bug Fixes

EAC-37943 Jamf Pro: Fixed missing permission creation and invalid site assignment errors.
EAC-37913 BitBucket: Fixed project pagination logic to prevent an infinite loop scenario

Veza Platform

Enhancements

EAC-38262 Veza Navigation: Added a hover animation to the Veza logo on the left navigation.

2024.8.26

Changes in Veza release v2024.8.26

Access Intelligence

Enhancements

EAC-38053 Quick Filters: You can now click the filter icon at the top of any Query Builder column to apply a filter on that source or destination attribute.
EAC-36708 Open in Graph: When Summary Entities are selected in Query Builder, the Open in Graph action now enables opening all results in Authorization Graph, or an individual entity (from the entity details view). Note that summary entities are not included in the Graph query when using this option.

Bug Fixes

EAC-37518 Segregation of Duties (SoD) : Fixed an issue with using breadcrumbs to navigate to the previous page after using Open in Analysis option to edit a saved query using the SoD builder.

Access Reviews

Enhancements

EAC-38052 Manager Portal: The Direct Report filter on the Quick Review page now uses auto-complete to suggest users.

Lifecycle Management

Enhancements

EAC-38078 SCIM: Added support for OAA-based SCIM integrations as provisioning and deprovisioning targets.
EAC-38004 Access Profiles: LCM Access Profiles can now be created and viewed by non-root teams.
EAC-37809 Graph Navigation: From the Identity page, you can now navigate directly to graph to show that entity's relationships.

Bug Fixes

EAC-38123 Attribute Syntax: Fixed an issue with AD manager attribute sync during deprovisioning.

Veza Integrations

Enhancements

EAC-38165 HiBob: New integration for the HiBob HRIS provider, with the option to enable as a Lifecycle Management identity source.
EAC-37814 Privacera: You can now specify an optional CA Cert and URL when configuring the Privacera integration.
EAC-37929 SwiftConnect: Veza now assigns Access Levels (roles) to Access Profiles (users), instead of directly assigning Access Credentials.
EAC-37924 SQL Server: Veza now gathers and shows permissions on system databases such as master, model, msdb, tempDB, and resourceDB.

Veza Platform

New Features

EAC-38036 API Keys: Added a programmatic_key_manager role for programmatic API key generation (Early Access).

2024.8.19

Changes in Veza release v2024.8.19

Access Intelligence

Enhancements

EAC-36856 Saved Query Filters: In Query Builder, you can now choose to filter results based on the output of a saved query, selected by risk level, integration, or label.

Bug Fixes

EAC-37917 PDF Export: Exporting queries with count conditions to PDF can now include source and destination node details.
EAC-37909 Saved Query Filters: Fixed an issue where some pipeline queries could result in the display of percentages over 100%.

Access Reviews

New Features

Lifecycle Management

Enhancements

EAC-37402 Notifications: Added support for configuring email and webhook notifications directly from the Lifecycle Management UI.

Veza Integrations

Enhancements

EAC-37055 Azure: Azure AD Users now have the attribute last_successful_login.
EAC-37977 Delinea: Added token expiration tracking and renewal checks to prevent errors during long extractions.
EAC-38018 SCIM: Added support for uploading a self-signed/non-root cert when configuring the SCIM OAuth2 connector.

2024.8.12

Changes in Veza release v2024.8.12

Access Intelligence

Enhancements

EAC-37683 Effective Permission Details: In Graph search, the Explain Effective Permissions sidebar action now shows individual effective permission nodes and their mapping to system permissions.

Access Monitoring

New Features

EAC-37772 Microsoft SharePoint: Activity monitoring for SharePoint now supports monitoring folder actions.

Access Reviews

Enhancements

EAC-32066 On-demand Reviews: Added a Creation Source column for On-demand reviews.

Veza Integrations

New Features

EAC-32698 Beeline: New integration for gathering employees within the Beeline HRIS platform (Early Access).

Enhancements

EAC-33536 Orchestration Actions: Jira Orchestration Action configurations can now reuse existing hostnames.

Bug Fixes

EAC-37860 AWS RDS: Updated legacy RDS cert to use the latest truststore link
EAC-37684 AWS RDS: Implemented support for table-level permissions in AWS RDS PostgreSQL.
EAC-37492 Tableau: Added support for Tableau 3.22 API version.

2024.8.5

Changes in Veza release v2024.8.5

Access Intelligence

Enhancements

EAC-35113 Inherited tags: Added the Veza Inherited tag type, used to identify Veza tags that are inherited from another entity (e.g. role tags inherited by role bindings).

Bug Fixes

EAC-37581: Fixed issue with Query Builder exports downloading multiple times.

EAC-37546: Fixed an issue where running queries were not correctly polled for completion.

EAC-37545: Increased performance when selecting related entities in Query Builder search.

EAC-37450: Entity risk scores now appear red when the risk score exceeds 90.

EAC-37515: Prevented excessive icon loading that could cause performance issues in Graph and Query Builder.

Access Reviews

Bug Fixes

EAC-37544 Fixed an issue with PDF exports failing to open.

Lifecycle Management

Enhancements

EAC-37442: A toggle on the Integrations page now enables Lifecycle Management for any OAA-based integration (Early Access).

EAC-37560: Attribute transformers now support adding pipeline functions to the entire transformation.

EAC-37434: Lifecycle management workflows now support changing the order of conditions.

Veza Integrations

New Features

EAC-37423 AWS RDS: Added support for Aurora PostgreSQL on AWS RDS.

EAC-37260 Open Authorization API: The Custom Application template now supports a Configured Permission entity (Early Access). These can be used to model the individual permissions configured for each Local Role in the application.

Enhancements

EAC-37386 Workday: Added support for omitting specific built-in Worker attributes during extraction by specifying them in the Properties to Redact field when configuring the integration. The listed attributes appear as REDACTED in columns and Worker details.

EAC-36930: Oracle Database (standalone) and Apache Cassandra integrations now support assuming an AWS IAM role to connect to AWS Secrets Manager for database extraction credentials. This capability is currently provided in Early Access.

Extraction secrets for these integrations can now specify an aws_assume_role_name and aws_assume_role_external_id.
The resource_id for these secrets must be a URL-encoded <server_address>:<server_port>/<db_name> (for Oracle Database), or the <host>:<port> (for Cassandra).

EAC-36344 SCIM: Added support for authenticating with OAuth 2.0 Client Credentials (Early Access).

Bug Fixes

EAC-37514 Open Authorization API: Improved push performance whenever there are many OAA data sources.

EAC-37488 AWS RDS: Prevented integration failures due to non-unique names when discovering instances and clusters. Datasource paths now use the ARN instead of the database/cluster name.

EAC-37464 BitBucket: Fixed a credentials validation error when configuring the BitBucket Data Center integration. Global permission assignments are now skipped for users excluded from the localUsers map.

EAC-35905 AWS: The NotPrincipal field is now supported in AWS Resource Policies for S3 and KMS.

2024.7.29

Changes in Veza release v2024.7.29

Access Intelligence

New Features

EAC-35968 Manager Dashboard Insights (Early Access): A new dashboard designed for managers enables review of resources categorized by provider type for users reporting to them, with the option to filter on specific provider types. The page highlights the top roles and resources for each reporting user, and user details such as email, job title, manager, organization, division, department, and cost center.

Access Reviews

Enhancements

EAC-36792: Fixed auto-assignment and query creation errors for reviews from saved queries involving saved query filters. There is a known issue causing review creation to fail if the query used as a filter returns enough results to require pagination.

Bug Fixes

EAC-37303: Fixed a bug where some attribute constraints resulted in an "Oops!! Something went wrong" error.

Access Visibility

Enhancements

EAC-37090: Improved performance when searching for node types in Query Builder, Authorization Graph, and throughout the product.

Lifecycle Management

Enhancements

EAC-36684 Azure: Added support for syncing custom Azure properties.

EAC-36600: A pause action is now available to halt lifecycle management workflows for a set duration.

Veza Integrations

New Features

EAC-36151 Fastly: New integration for discovering users, roles, and services for the Fastly Edge Cloud Platform.

EAC-36390 HubSpot: New integration for discovering HubSpot users, roles, permissions, and teams.

Enhancements

EAC-33330 AWS: Added an option to limit RDS extractions to the database level, skipping lower-level entities such as Schemes and Tables.

Bug Fixes

EAC-37356 Oracle Fusion Cloud: Fix timeout for Oracle Fusion Cloud integration.

EAC-37137 Workday: Workday Domain Security Policies now have a new attribute Using Parent Permissions, indicating if the policy inherits from its parent policy. In Effective query mode, non-inheriting policies no longer show access from entities able to access the parent policy.

2024.7.22

Changes in Veza release v2024.7.22

Access Reviews

Bug Fixes

EAC-35340: Fixed an issue where the chosen notification options could be deselected when editing a review configuration.

EAC-36792: Fixed auto-assignment and query creation for reviews for saved queries using saved query filters.

Access Visibility

Enhancements

EAC-37025: Improved UI and query performance for customers with many Open Authorization API integrations.

Lifecycle Management

New Features

EAC-37122: Okta is now a supported identity source for Lifecycle Management Policies.

EAC-36683: Added support for configuring webhooks alongside email notifications when LCM events trigger.

Enhancements

EAC-36598: From the identities tab, you can now trigger a workflow manually even if the identity doesn't meet the trigger conditions.

Veza Integrations

New Features

EAC-36418 Snowflake: The Snowflake integration now supports the discovery of Snowflake Secrets and attributes owner, owner_role_type, and secret_type. If you are using an alternate system database for the integration, you will need to add the following view:

create view VEZA_SNOWFLAKE_DB.ACCOUNT_USAGE.SECRETS
  as SELECT created_on, database, name, owner, owner_role_type, schema, secret_type, comment FROM SNOWFLAKE.ACCOUNT_USAGE.SECRETS;

With Activity Monitoring enabled, search results can now include Over-Provisioned Scores and last usage times for Snowflake Secrets.

EAC-35044 AWS: Added support for configuring AWS Secrets Manager Secrets to authenticate with AWS RDS Oracle Database instances (Early Access).

Enhancements

EAC-36345 Azure: The Azure integration now discovers Azure Entra ID Devices. Customers will need to grant the Device.Read.All Microsoft Graph permission to the Veza app registration to extract devices.

Bug Fixes

EAC-37052 Identity Mapping: Added search functionality to the dropdown menu, and fixed an issue where duplicate entries appeared in the "Destination Data Source Type" dropdown when editing an integration Mapping Configuration.

2024.7.15

Changes in Veza release v2024.7.15

Access Intelligence

Enhancements

EAC-36374: When a user saves a query with Show Destination Nodes checked, the Show Destination Nodes option is now enabled when re-opening the saved query.

Bug Fixes

EAC-36206: Fix for "% entity count" column.

Access Visibility

Bug Fixes

EAC-36119: Improved Authorization Graph browser rendering behavior for large results.

Lifecycle Management

Enhancements

EAC-36640: Added support for hiding emails from the exchange GAL via AD property msExchHideFromAddressLists.

EAC-36597: Added ability to manually run a workflow on any identity.

EAC-36382: Change password emails no longer contain the user's name.

Bug Fixes

Veza Integrations

Enhancements

EAC-35044 Oracle Database (AWS RDS): Added support for using AWS Secrets Manager Secrets to authenticate with AWS RDS Oracle Database instances (Early Access).

EAC-36745 Snowflake: Added support for Snowflake application roles.

EAC-36473 HashiCorp Vault: Added Veza queries for the HashiCorp Vault integration. Customers can now review these on the Saved Queries page after configuring a HashiCorp Vault integration.

EAC-35888 Oracle Database: Added support for data contained in the CDB Root, such as common users and roles. The graph will now show connections between common users and roles, and their local representations in each database.

EAC-27998 Active Directory: Added a new "Timestamp (Windows AD Format)" option for custom properties. Updated all AD property configurations to show they are parsed in this format.

Bug Fixes

EAC-36851 AWS: Fixed an Internal Server Error impacting AWS IAM Volatile extractions.

EAC-36726 Snowflake: The Snowflake integration correctly extracts account roles and does not treat instance and application roles as account roles.

EAC-36725 SCIM: Added support for SCIM vendor implementations using numbers for user and group IDs.

EAC-36723 SCIM: The SCIM integration now handles cases where the meta field for group objects is unset.

EAC-35969 Okta: Fixed a bug on empty Okta custom properties with the "string list" type. These can contain no values, and still be defined in Veza.

Veza Platform

Enhancements

EAC-36626: Local Veza usernames can now be updated on the User Management page.

EAC-36302: Starting an extraction now informs the user that a currently running job will be canceled.

2024.7.1

Changes in Veza release v2024.7.1

Access Reviews

Enhancements

EAC-35581, EAC-35734 Column Customization: The Veza support team can now help you define default columns for all reviews for a particular configuration. Default columns can now include metadata about a related entity, when IdP/HRIS enrichment is enabled in the review configuration.
EAC-34309 PDF Export: Exporting a single review now includes additional reviewer and row completion statistics. The title page now features the publish date, completion date, and the user who completed the review. Exports now also include pages containing the review details, configuration details, reviewer list, and data source status for the exported review.
FR-2302, EAC-36355 Review Intelligence Policies: Rows with automatically-applied decisions are no longer hidden by default. Before, the "Include rows with decisions by other reviewers" filter had to be active to show these rows.

Veza Integrations

Enhancements

EAC-35406 iManage: Added URL as an optional config parameter for connecting to self-managed deployments (default: https://cloudimanage.com).
EAC-35486 Snowflake: Veza now adds the has_masking_policy attribute to Snowflake tables and views, denoting which ones have masking policies applied to them.
Policy references will be queried from the POLICY_REFERENCES view in the ACCOUNT_USAGE schema.
If you have configured the integration to use an alternative system database, you will need to create the POLICY_REFERENCES view in that database and grant access to the configured role:
FR-1935, EAC-36359 Integration Extraction Intervals: On the System Settings page, you can now customize extraction interval for OAA-based integration on a per-integration basis (e.g. individual frequencies for SCIM, Anaplan, Jira Data Center, etc.). Original options to set extraction intervals globally or by template type are also available.
EAC-35808 SCIM Integration: Added an option to upload a CA certificate when creating a SCIM integration, used for authentication when the SCIM service requires an SSL connection.
EAC-35447 Non-Human Identities "Key"-type entities now always have common filterable attributes: is_active, created_at, last_used_at, and last_rotated_at.
FR-1895, EAC-36122 Workday: When adding a Workday integration via API, you can now omit the extraction of certain built-in Worker attributes by listing them in the properties_to_redact field (string list).
EAC-35865 Coupa: Added a configuration option to upload permission to role mappings using an exported Coupa report in CSV format. The expected CSV headers are Controller,Action,Description,Roles.

Bug Fixes

EAC-36307 Salesforce: Fixed an "index out of range" error that could occur during integration parsing.

Veza Platform

Enhancements

EAC-35712 Team API Keys (Early Access): Introduced separate management for personal and team API keys on the API Keys page, with team key creation and administration now done on a dedicated tab.

Bug Fixes

EAC-36339 SAML SSO: Fixed an issue where editing an SSO configuration showed the default request protocol binding, instead of the saved value.

Access Intelligence

New Features

EAC-35449 Non-Human Identities: New out-of-the-box queries are available to help track and manage non-human identities such as access keys, secrets, and credentials. These queries search across multiple entity types to enable risks and alert rules on access keys, secrets, and credentials in the Veza graph. Use them for insight into total inventory, inactive identities with access, last-used keys and secrets, and human and non-human identities associated with keys, secrets, and credentials.
EAC-35710 Enrichment Rules for Non-Human Identities: An administrator can now automatically label identities as "non-human" at parse time using a saved query on the Integrations > Enrichment page.

Enhancements

FR-2067, EAC-35892 Query Builder: The columns dropdown menu now includes a "Select All" option to show or hide all columns within a group.
EAC-35553 Access Intelligence Navigation: Breadcrumbs now preserve workflow history and are shown consistently when traversing the Access Intelligence section. For example, when browsing from the Access Visibility > Queries page to Analyze a single query, and then opening it in Query Builder, a sequence of links provides easy access to each recently-visited page.

2024.6.24

Changes in Veza release v2024.6.24

Access Intelligence

New Features

EAC-35653 Access Risks: You can now quickly view a risk's explanation and remediation instructions by hovering over it on the Queries with Risks page and opening the details sidebar.
EAC-35321 Non-Human Identities: Added support for automatically labeling human and non-human identities with Enrichment Rules. Administrators can use the Integrations > Enrichment page to manage rules for a given saved query, entity type, and integration data sources. Veza will label entities that match the query parameters as "NHI" or "Human" when parsing the specified data sources.

Access Monitoring

Enhancements

EAC-35096 Query Builder Enabling Show Destinations now includes Last Activity At columns, when the source and destination entity types support Activity Monitoring.

Access Reviews

Enhancements

Two new settings can now be configured by the Veza support team:

EAC-34035 Approve and Sign-off: It is now possible to control whether Approve and Sign-off appears as an action in the reviewer interface. When enabled, reviewers can approve and sign-off on applicable rows with one click, using an in-row action or bulk action on selected rows. Please contact the Veza support team to manage this customization setting.
EAC-35733 Column Customization: Default columns in the reviewer interface can now be defined on a per-Configuration basis, and apply to all Reviews created for the specified workflow_id.

Veza Integrations

Enhancements

EAC-34537 Azure Custom Properties: Added support for extracting custom OnPremisesExtensionAttributes for Azure AD Users. To specify extension attributes in an integration configuration, use the full name, e.g. ExtensionAttribute12.
EAC-36008 SharePoint Folders Inherited and Direct Permissions: In Graph search and Query Builder System Permissions filters, Read/Write/Owner permissions on SharePoint Folders now have an inherited or direct prefix. The prefix indicates whether permission is inherited from the Folder's parent, or assigned directly to the Folder.
EAC-35474 Open Authorization API The custom application template now supports an AccessCreds entity type for modeling API keys and other credentials assigned to users to provide roles and permissions to resources.

Bug Fixes

EAC-35515: Prevented Workday extraction failing when fetching security group membership times out. Workday API client timeout is now set to 5 minutes.
EAC-36050: Fixed an issue where the integrations list showed a maximum of 100 providers even with more configured.

Veza Platform

Enhancements

2024.6.17

Changes in Veza release v2024.6.17

Access Intelligence

Enhancements

EAC-35343, EAC-35317, EAC-35549 Access Analytics Overview: The Access Analytics overview is now the default Access Intelligence landing page, shown when logging in to Veza.
Access Analytics replaces the Entities page, providing an at-a-glance summary of discovered entities and the associated Risks, Alerts, and Rules for each integrated data source. It replaces the original overview dashboard, and now includes extra detail about identity, resources, and role counts for top integrations.
From this overview page, you can Export to PDF or Share a link to coordinate on findings with other Veza users or external stakeholders.

Access Reviews

Enhancements

EAC-34309 PDF Exports: PDF exports for individual Reviews now have an additional page with reviewer and row completion statistics. The title page now features the publish date, completion date, and the user who completed the review.

Bug Fixes

EAC-35353 Reviewer Re-Assignment: The confirmation window now accurately shows the total impacted rows when reassigning reviewers across several pages.
EAC-35815 Review Scheduling: Fixed an issue with incorrect "Next Run On" dates for biweekly frequencies.

Access Visibility

Enhancements

EAC-35875 Query Export: Exported query results now include a destination_tags column listing tag keys and values for the related entity.
EAC-35873 Query Builder Export: Users can now cancel long-running exports directly from the Query Builder.
EAC-35548 Query Builder Filters: Queries using a supertype (such as Identity or Resource) as the source or destination now support attribute filters on specific entity types within that supertype (e.g. Okta User or S3 Bucket).

Bug Fixes

EAC-35717: Fixed an issue where opening an entity on the Risks page showed "No Results".
EAC-29403: Fixed an issue with saved queries and reports not indicating the related integrations if they used an Open Authorization API (OAA) template.

Veza Integrations

Enhancements

EAC-35334 CSV Import:
- Importing a custom application from CSV now supports the full range of OAA user properties, including password_last_changed_at and last_login_at.
- Roles and Groups can now be assigned by creating additional rows for a user.
- Improved encoding support to support CSV files generated with a wider range of applications.
EAC-35485 Google Cloud Platform: Veza now shows Service Account Keys for a parent Service Account, and their effective permissions on resources assigned to the Service Account.

Bug Fixes

EAC-35978 Workday Custom identity mappings for identity provider integrations now correctly show Workday Worker as a destination data source, enabling correlation and manual mapping of IdP Users to Workday Workers based on Employee ID or another attribute.
EAC-35515 Workday: Increased Workday API client timeout to prevent inconsistent errors during extraction.

Veza Platform

Enhancements

EAC-33610 User Management: Increased password complexity requirements for local accounts.
EAC-35971 Events: Added logging on the Events page when an Insight Point is unavailable.

2024.6.10

Changes in Veza release v2024.6.10

Access Intelligence

Enhancements

EAC-35213 Non-Human Identities: Added support for NHI entity type groupings in Query Builder and Graph search. When used as a query source or destination, these enable search across all entities with the Identity, Access Creds, Keys, or Secrets supertypes.

Access Reviews

Enhancements

FR-2171 Row Annotation: The row actions dropdown now includes the option to Add a Note for a single row.
EAC-35623 Row Details: In the reviewer interface, the icon to open the full row details in a sidebar now appears only on hover.
EAC-35626, EAC-35568 Terminology Updates: Improved consistency of titles and button labels throughout the Access Reviews UI.

Veza Integrations

Enhancements

EAC-35473 Workday Custom Reports and Worker Attributes (Early Access): Added the ability to get custom reports and add fields as custom properties for Workday Workers. To enable this, the Workday integration must include the custom reports URL and a password for basic HTTP authentication.
EAC-35534 HashiCorp Vault Nested Secrets: The HashiCorp Vault integration now supports gathering nested secrets, which can exist within secrets engines such as KV2. Any nested secrets now appear as sub-resources of the parent secret in Authorization Graph.
EAC-35302 Integrations Usability: It is now significantly easier to filter the list of Integrations by provider name, type, or status.

Bug Fixes

EAC-34354 Errors in Google Cloud Integration: When required APIs are not enabled for GCP Cloud Run and Kubernetes Engine, the Veza integration now creates empty data sources for these services and suppresses further errors. This prevents issues when a service is enabled for some, but not all projects in a GCP organization.

Veza Platform

Enhancements

2024.6.3

Changes in Veza release v2024.5.27

Access Intelligence

Enhancements

EAC-35178 Dashboard Risk Levels: Dashboards now include icons to filter on queries for specific integrations. Each tile now shows the risk level (for queries with risks).
EAC-35161 Dashboard Trend Charts: Added an option to show the total Y-axis instead of just the changes over time.
EAC-35405 Human/Non-Human Identity Queries: Added new out-of-the-box queries to track total Human Identities and Non-Human Identities, based on the identity_type attribute for all identities discovered by Veza.
EAC-35120 Dashboard Export: Dashboards now include an Export button for saving the current view as a PDF.
EAC-35277 Menu Bar Reorganization: Navigation options under Access Intelligence are re-organized:
- Risks > Access Risks
- Analysis > Access Analyzer
- Comparison > Access Comparison
- Segregation of Duties (SoD) > now a top-level nav section

Access Reviews

Bug Fixes

EAC-35340 Review Configuration Details: Fixed an issue where the chosen notification options could be de-selected when editing a review configuration.

Access Visibility

EAC-35418 Query Builder Enhancements: When using the Show option to get results as source-destination pairs, columns now enable filtering and visualizing each destination node attribute.
EAC-35343 Improved Query Details: Opening a query to view details or clicking a dashboard tile now opens a redesigned details page featuring a spreadsheet-like view of the results.
EAC-34940 API Keys and Secrets: Entities representing authentication credentials are now labeled with the Secret and Key supertypes. You can specify a supertype as a query source or destination to select all entity types with that label:
- AWS Secrets Manager Secret: Secret, Key
- Azure Key: Key
- Azure Secret: Secret, Key
- Hashicorp Vault Secrets Engine Subresource: Secret, Key
- Google Cloud KMS Key: Key

Veza Integrations

New Features

EAC-35026 GitHub PATs: Veza now discovers GitHub Personal Access Tokens and their effective repository permissions. The integration needs the additional scope Personal Access Tokens (Read Only) to discover permissions and metadata for these entities, used for programmatic access to GitHub resources.
EAC-34017 AWS Access Keys: Added support for discovering AWS Access Keys and their attributes, such as Name, Active, CreatedAt, LastUsedAt, LastUsedService, and LastUsedRegion.

Enhancements

EAC-35440 Credential Expiration Distinction: Adds the can_expire attribute to GitHub Personal Access Tokens and AWS Access Keys to distinguish access credentials supporting expiry dates from those that do not.
EAC-35421 PTC Windchill: Added support for using self-signed certificates to configure the PTC Windchill integration.

Bug Fixes

EAC-35400 Snowflake Role Type Correction: Local roles with the type DATABASE_ROLE no longer appear in search results. These roles are now skipped during extraction and will be supported in a future release.

2024.5.27

Changes in Veza release v2024.5.27

Access Intelligence

New Features

EAC-34486 Dashboard Customization (Early Access): Users can now add any report as a dashboard on the home page from the left navigation menu, or by adding reports to the Dashboard Reports category. Users can edit and re-order dashboards using the sidebar.
EAC-35254 Dashboard Reports: Three new reports are now included on home page dashboards: Okta Insights, Active Directory and Azure AD Insights, and Identity Protection Risks.
Non-Human Identities: The Identity supertype for selecting multiple entities at a time now includes machine identities for major cloud platforms: AWS: EC2 Instance, EKS Cluster, EMR Cluster, Lambda Function, Azure: AD Enterprise Application, AKS Cluster, Azure VM Google Cloud: Compute VM, Run Service Instance, Kubernetes Engine Cluster.

Enhancements

EAC-34482 Dashboard Actions: The dropdown menu next to each tile now offers a full range of query actions: Open In QB, Expand, Analyze, Share, Open In Graph, Alert On Change, or Create Rule. Dashboards now show additional customization options to Export, Share, Edit, Clone, or Delete the dashboard report.
EAC-35162 Rules Usability: When creating an alert from a dashboard tile, the rule wizard pre-fills with useful default values, or shows the existing dashboard action rule
EAC-34924 Risks Usability: To make the list of Risks easier to scan, explainer labels on the Queries with Risks tab are now shown above the list of queries.

Access Reviews

Bug Fixes

EAC-35047: Fixed an issue with missing destination entities when creating Access Reviews from saved queries.
EAC-35217: Improved performance when loading a user's assigned Access Reviews.
EAC-35166: Fixed an issue causing incorrect "Decision was made by someone else" indicators for reviewers with both local and SAML user accounts.

Access Visibility

Enhancements

EAC-35055 Last Usage Date in Query Builder: When usage metadata is available, a "Last Used" column now shows the last activity timestamp for the source and destination entities.

Bug Fixes

Veza Integrations

New Features

FR-2150 PTC Windchill: New integration for discovering Users, Groups, and Projects.

Enhancements

FR-2138 Workday: Added support for additional custom property types: Self-referencing instance, Currency, Rich Text, Date Time, and Time Zone.
EAC-35076 Oracle EPM: Added support for skipping discovery of Identity Domain Administrator (IDM) roles. Extracted IDM roles are now identified with the attribute is_idm_role.
EAC-34516 Salesforce: Optimized effective permissions model for improved parse and query speed for large environments.

Bug Fixes

EAC-35163 DocuSign: Fixed an extraction error when encountering users without a security profile.
EAC-35191 DocuSign: Fixed a credential validation issue that could occur when editing an integration.
EAC-34485 GitLab: Veza now correctly evaluates permissions for projects shared between groups, and no longer shows duplicated project resources.

Veza Platform

New Features

Enhancements

EAC-35116 API Keys: API tokens now have a type property indicating the type of API key: personal or service.
EAC-34314 Platform Look and Feel: Updated fonts and colors throughout the Veza UI to consistently match our current branding.

2024.5.20

Changes in Veza release v2024.5.20

Access Intelligence

Enhancements

EAC-35011 Snowflake Export: Additional statistics are now included as columns when exporting query results to Snowflake, indicating the last extraction and parse time for the source and destination entities.
EAC-34651, EAC-34483 Snowflake Export: Veza administrators can now use the Saved Queries > Query Export page to view the status and schedule for exports created by any user.

Access Reviews

Bug Fixes

EAC-34868: Fixed an issue where the Help button did not open the configured instructions page.
EAC-35035: The AWS Account Name column no longer incorrectly shows permission set names.

Activity Monitoring

Enhancements

EAC-34969 Snowflake: Veza now tracks events that involve inherited roles, and marks them as used when evaluating over-provisioned access.

Veza Integrations

Enhancements

EAC-34333 Identity Mapping Filtering: Custom Identity Mappings can now apply to individual custom applications. Before, mappings needed to apply all integrations created with an Open Authorization API template.
EAC-30660 Salesforce: Improved performance and accuracy in Salesforce permissions calculation, reducing integration pipeline delays.
EAC-34746 Snowflake: Fixed an issue that could cause parsing to fail after a successful sync.
EAC-34983 GitHub: Fixed a retry loop when gathering GitHub security advisory metadata.
EAC-35002 Open Authorization API: Fixed an issue where Role Assignment entities shown in Graph had the same name even when their properties differed. Role assignment names now include a hash of the entity attributes to ensure uniqueness.

Veza Platform

Enhancements

EAC-34882 OpenID Connect: Added an option to set a Resource parameter when configuring sign-on using OIDC with Microsoft Azure.
EAC-34430 Password Strength Enforcement: Users are prevented from setting insecure passwords by default. When enabled, Veza checks if the password has been compromised in a known data breach. This setting can be disabled for tenants with networking restrictions.

2024.5.13

Changes in Veza release v2024.5.13

Access Intelligence

New Features

EAC-34392, EAC-34855, EAC-34386 Dashboards: A new SaaS Security Posture Management (SSPM) Identity Risks dashboard provides trends and insights for identity risks, based on built-in queries. The AWS IAM Insights and Google Cloud IAM Insights built-in reports are now featured as dashboards, shown when users log in to Veza.

Enhancements

EAC-34392 Rules and Alerts: You can now configure Rules to trigger more than one orchestration action, enabling notifications to several integrated systems when query results meet a rule.

Access Monitoring

Enhancements

EAC-34361: Veza now accounts for access granted by secondary roles when generating Over Provisioned Scores for Snowflake users.
EAC-34719: Veza now supports the FAIL and objects_modified events when evaluating over-provisioned access. Activity time is now based on the beginning of the hour, and no longer rounded to the closest hour.

Access Reviews

New Features

EAC-33348 Access Reviews from Saved Queries: When creating a Review Configuration, you can now use a saved query to specify the access relationships to review. You can use this to review any users that meet risk criteria, or define more complex conditions using saved query filters.
EAC-33559 Access Reviews for Single Entity Types: Access Reviews no longer require both a source and related entity type. You can now create Review Configurations with only a source entity type (such as groups, users, or roles) to approve, reject, and sign off.
FR-1598 Access Reviews Scheduling: Review scheduling frequency is now more customizable, enabling recurring review campaigns on a biweekly, monthly, every other month, or quarterly basis. When creating a schedule, you can now preview the upcoming dates when the review will trigger.

Enhancements

EAC-33921: To indicate the draft or publication status of an Access Review, the publication date is now shown on the "Review Actions" page and the review details sidebar.
EAC-33920: Exporting the list of Reviews now includes additional metadata for all items: name, remaining work, last modified at, last modified by, description, expired at, published at, published by, and total rows rejected, approved, and fixed.

Access Visibility

Enhancements

Veza Integrations

New Features

EAC-34185 Tableau: New integration for discovering Users, Groups, and Projects on the Tableau Cloud business intelligence platform.

Enhancements

FR-2098 AWS: For visibility into actual AWS account names instead of the Veza-assigned name, new attributes assigned_aws_account_name and assigned_aws_account_id are now available in optional columns. To enable this field, AWS integration data will be re-parsed when upgrading.
EAC-34803 Open Authorization API: Custom Application Local Users now have a built-in email attribute. For compatibility with existing connectors, user.email is set to user.custom_properties.email on payload push. Graph search on the email attribute is always case-insensitive, providing a more consistent query experience for apps that store addresses in a different format than expected.
EAC-34728 Salesforce Entity Names: The more user-friendly Label attribute is now shown as the Salesforce Permission Set name. The Name attribute is shown if there is no label. Permission sets now have the label attribute, which always equals the Label field, and permission_set_name, containing the original Name. Permission Set Groups now use MasterLabel as the default display name.

Bug Fixes

EAC-34675 Manual Identity Mappings: For easier selection of individual identities, the name is now shown before the entity ID when configuring manual identity mappings.
EAC-34723 SCIM: The SCIM integration now supports target systems that do not implement a Groups endpoint (before, this caused extraction to fail).
EAC-34797 Snowflake: Fixed an extraction failure when encountering a ROLE_TYPE column with NULL values.

Veza Platform

Enhancements

EAC-34542 OIDC (Early Access): Added support for selecting an authentication type Secret or Private Key JWT.
EAC-34681 Concurrent Exports: Query exports to CSV and Snowflake can now run in parallel. When the concurrency limit is reached, Veza will queue exports and process them as capacity is available. Export requests will remain CREATED until they can be processed.

Bug Fixes

EAC-34790 Single Sign-On: Fixed an issue where users had to re-authenticate before the maximum user session time expired (20hrs).
EAC-34890: Fixed login issues when the IdP SAML claim contained duplicate groups.

2024.5.6

Changes in Veza release v2024.5.6

Access Intelligence

Enhancements

EAC-34204, EAC-34422 Dormant Entities: This report summarizes users, groups, and roles that have not accessed resources they have permissions on. It is now included in Veza's main dashboards with Activity Monitoring enabled. The Dormant Entities report now features new out-of-the-box queries for AWS Activity Monitoring (such as Okta users with dormant access to AWS Secrets Manager secrets).
EAC-34422 Identity and Privilege Access Insights: Offering visibility into least privilege violations and trends, this built-in report is now available as a single-tile dashboard.

Bug Fixes

EAC-34497. EAC-34540, EAC-34178 Query Builder: Optimized performance for large queries with summary entities enabled.

Access Visibility

New Features

Lifecycle Management

New Features

Enhancements

EAC-34067 Provisioning Rules: To inspect the users or groups affected by a user mapping or group membership rule, you can now hover over a rule and click Open in Query Builder* to view the matching Graph entities.

Veza Integrations

New Features

EAC-32017 BitBucket Data Center: New integration for discovering Workspaces, Users, Projects, and Repositories.

Enhancements

EAC-34006 Open Authorization API: The Custom Application template now supports a native_id property on entities in the payload, which can contain a predictable and provider-specific unique ID. This supplements the Veza-generated ID property (which combines the full provider/datasource path).

2024.4.29

Changes in Veza release v2024.4.29

Access Intelligence

Enhancements

EAC-33640 Enhanced Saved Query Details (Early Access): We've re-envisioned the Query Details page to provide an easier way to analyze results, visualize trends, and understand risk and query details. The new experience, shown for saved queries and dashboard tiles, will be available over the coming weeks:
- Risk Insights: Use extended query and risk descriptions for additional insight into why the results matter.
- Trend Analysis: Visualize changes over time for patterns and anomalies or export for use outside Veza.
- Results Overview: Review the latest results and entity details, with familiar options to filter on any attribute and show or hide columns.
EAC-34173 Single-tile dashboards (Early Access): The design of the Salesforce and Snowflake governance dashboards is refreshed for improved visual clarity. The updated layout featuring smaller tiles will be enabled over the next few weeks.

Access Reviews

New Features

EAC-32573 Enhanced Reviewer Experience: An updated access reviewer interface is now available in Early Access. The refreshed UI includes:
- Enhanced Review Mode: To streamline the review process, signed-off rows and those assigned to other reviewers are now hidden by default, helping reviewers concentrate on pending tasks. Reviewers can easily restore these hidden rows whenever needed.
- Improved Bulk Actions: Reviewers can now run bulk actions on all the rows visible on the page, or all rows in the review. Combined with filters, this offers an intuitive way to update rows based on specific criteria. This replaces the old “Smart Action” experience.
- Sign-off UX Enhancements: We have simplified the sign-off process. Instead of signing off rows individually, reviewers can now select many rows and apply decisions with a single click. This change saves screen space and reduces the likelihood of users forgetting to sign off on decisions.
- Stats Display: Reviewer statistics and progress indicators are displayed more concisely and clearly.
- Visual Interface Improvements: Cosmetic modifications to clean up the interface for a sleeker presentation overall.

Enhancements

EAC-33553: The behavior of swipe behavior in mobile view is now configurable by the Veza support team. Left and right swipes can now map to actions: APPROVE, APPROVE_AND_SIGN_OFF, REJECT, and REJECT_AND_SIGN_OFF.
FR-1725, FR-1727 Mobile Enhancements: The "swipe" mode shown for reviewers on mobile devices is now more flexible and requires fewer actions overall:
- The default swipe can combine actions such as "approve and sign off," based on the support-enabled mapping.
- By default, swiping left or right in mobile swipe mode immediately updates the current card.
- Fixed an issue with smart action notifications appearing for single-card actions.
- Only 1 card is shown at a time.
- Improved the animation that happens after swipe.
EAC-33801 Review Exports: Exporting a review now includes columns for the user who marked any row as "Fixed": marked_fixed_by_id, marked_fixed_by_name, marked_fixed_by_email (instead of a single JSON object).

Bug Fixes

EAC-18804: Fixed an issue where email addresses with capital letters were not ordered correctly in lists of reviewers.

Access Visibility

Enhancements

EAC-34356 Saved Query Export: You can now cancel long-running query exports from the actions menu.

Veza Integrations

Enhancements

EAC-34198 Salesforce roles hierarchy: Veza now shows parent-child relationships for Salesforce User Roles in Authorization Graph:
- An icon next to the entity name indicates when a role has hierarchical relationships to other roles.
- Click on a Salesforce User Role to select it and click View Hierarchy on the graph actions sidebar to see all related roles and the order of the hierarchy.

Veza Platform

New Features

EAC-34042 Administration APIs: Added public APIs for team and user management. Teams: create, get, delete, list, Users: create, get, delete.

Enhancements

FR-1015 Events: Password and multi-factor authentication resets are now shown on the Events page (before, these were only available in audit logs).
EAC-34208 SAML Single Log-out: Administrators can now copy the Veza single log-out URL when enabling SAML.
FR-2048, EAC-34131 User Management: You can now filter the list of users by team or role. The users list now includes their assigned roles and creation date.

2024.4.22

Changes in Veza release v2024.4.22

Access Intelligence

Enhancements

EAC-34056 Entity Comparison: You can now quickly compare differences in attributes for any two users or roles on the Access Intelligence > Comparison page:
- Open the Users or Roles section, and use the dropdown menus to pick two entities.
- Pick Entity Diff as the Comparison Type.
- Optionally, use the search box on top of the result table to only show a specific attribute.
- Use the Access Matching dropdown to filter by partial, full, or no matches.
- The Access Matching column shows the difference in values for each attribute.
EAC-34087 Comparison for OAA-based integrations: You can now compare entities from custom applications or identity providers (Early Access).

Bug Fixes

EAC-34126: Fixed an issue where result counts could be 0 on the Saved Queries page when more results appeared in Query Builder. When evaluating a recently-saved query and no results are available, the count is now shown as -.

Access Reviews

Enhancements

EAC-33952: Reviewers can now filter results in an Access Review using multi-valued OR expressions (such as Username is Value1 or Value2 or Value3). Specify additional filter values by clicking Add More or pasting multiple values at once.
- This option appears for columns that contain attributes (such as entity name, region, or other properties). Mutable fields such Decision, Notes, and Signed-off state currently only support single-value filters.

Bug Fixes

EAC-34046: Fixed an issue that prevented entity type groupings such as Custom User from appearing in the Relationship dropdown when creating a review configuration.

Access Visibility

Enhancements

EAC-34032: Entity type groupings for OAA-based integrations (e.g. Custom Resource) now support filters on Last Pushed At time. This enabled queries and alerting based on the last time authorization metadata was updated for a custom application or identity provider.

Bug Fixes

EAC-34113: Improved performance for queries with Summary Entities enabled.
EAC-33853, EAC-33943: Attributes Last Activity With Resource At for related entities and data source Last Extraction Time are now included when exporting saved queries to Snowflake (Early Access).
EAC-34047: Fixed an issue where summary entities were not handled properly with pagination enabled. Veza now shows placeholder nodes as substitutes when path summaries exceed the maximum.

Veza Integrations

New Features

EAC-32013 BitBucket Cloud: New integration for discovering Bitbucket Cloud Workspace Projects, Repositories, Groups, Users, Roles, and Permissions.

Enhancements

Bug Fixes

EAC-33070: Optimized credential validation when configuring the Snowflake integration, which could lag when connecting to large environments.
EAC-33863: You can now choose whether to connect to a production or development environment when configuring the DocuSign integration (before, only developer URLs were supported.)

Veza Platform

Enhancements

EAC-33946: Enabled single logout support after migrating to the updated SAML provider. An administrator can download the signing certificate and specify a sign out URL when configuring SAML single sign-on.

Bug Fixes

EAC-34244: Prevented SAML login failures due to case-sensitive user email matching.

2024.4.15

Changes in Veza release v2024.4.15

Access Intelligence

Enhancements

EAC-33470: For improved visual clarity, the Snowflake Data Governance and SFDC Access Security Dashboards now show individual tiles for each featured query. You can click any tile for an expanded view of the results over time, or open the results in Query Builder.
EAC-33540: You can now view risk changes over the last quarter by setting 90 days as the time range on the Risks page.

Access Reviews

Enhancements

EAC-33906: Added "All Local Users" as an aggregate option when defining the source/destination in the Access Review Query Builder (replaces "LocalUser").

Bug Fixes

EAC-33804: Fixed an issue that could result in the sign-off of rows with no decision.
EAC-33519: Renamed “User / Group / Resource” to “User Name / Group Name / Resource Name” in the Access Review Certification UI to make wording more consistent.
EAC-33936: Row actions are now prevented during row updates.
EAC-33935: Entity type groupings such as Custom Users now correctly appear in the Relationship dropdown when creating queries for Access Reviews.

Access Visibility

New Features

FR-1891, EAC-33852: All entities now have a Datasource Last Extraction Time attribute indicating when metadata was last refreshed for the host data source.
EAC-28076 Authorization Graph: The option to show or hide indirect relationships is now generally available. Use Advanced Options > Include Assumed [Entity Type] to filter on source entities with direct access to the chosen destination entity type, and exclude any relationships where a nested group or role grants access.

Enhancements

EAC-33770 Query Builder: Attributes containing lists now support filters with Exists and Not Exists operators, to find results where these attributes contain any data, or no data.

Bug Fixes

EAC-33922: Pagination is now automatically enabled to reduce graph visualization rendering memory requirements and duration when there are many related entities. A warning indicates when the current page cannot be loaded.

Veza Integrations

New Features

Enhancements

EAC-33670 Jira Data Center: Added support for authenticating using a self-generated CA certificate, uploaded when configuring the Jira Data Center integration.
EAC-33903 Anaplan: Added support for directly discovering Anaplan model users. This is optional due to increased API calls required for extraction (>= 1 call per model instead of a single call per workspace).

Bug Fixes

EAC-33633 Workday: An error message now indicates when configuring an invalid custom property.

Veza Platform

New Features

Enhancements

EAC-33782: Teams and roles are now listed in an additional column when exporting the Users list to CSV.
EAC-33829: Sections on the Sign-in Settings page are now grouped in categories to separate general, SSO, and local user authentication settings.

2024.4.8

Changes in Veza release v2024.4.8

Access Intelligence

New Features

Access Reviews

New Features

EAC-33392 Enrich with IdP/HRIS data: Reviews can now include information about the HRIS profiles that correspond to identities in the query results. For example, you can use this option to show details about Workday Workers that correlate to Okta Users when reviewing Okta User > Application access.

Enhancements

Bug Fixes

Lifecycle Management

New Features

EAC-33368 Digest Emails Lifecycle Management events are now summarized in a scheduled email notification, including the successful and failed event count for the day, week, or month. Admin users can opt into Provisioning Digests on the Profile page.

Veza Integrations

Enhancements

EAC-33301 Concur: Added support for permissions delegated from one user to another. Veza now creates a Delegate resource for any user with delegates, showing permissions between the original user and the resource.
EAC-33754 Engyte: Added API rate limiting to prevent exceeding API quotas. Extraction will now pause after using 80% of available daily calls.

Veza Platform

Bug Fixes

EAC-33800: Fixed an issue causing pages to reload unexpectedly after logging in with Single Sign-On.

2024.4.1

Changes in Veza release v2024.4.1

Access Intelligence

New Features

Enhancements

EAC-32794 Risks usability: You can now filter and sort the Risks page by label or integration, and search by risk name or query name. The list of risks is now paginated for improved performance.

Access Monitoring (Early Access)

Enhancements

EAC-33272 Last activity details: Query Builder now shows a Last Activity with Resource At column indicating when a principal last interacted with a resource.

Access Reviews

Enhancements

EAC-33401 Share links for filtered views: Reviewers now have the option to copy a shareable link to the current filtered set of results. Opening a review now applies the filter specified in the URL. This feature is now generally available.
EAC-33399 Tags in Access Reviews: The option to show tags on source or destination entities in additional columns is now generally available.

Access Visibility

Enhancements

EAC-33174 AWS Unsupported condition icons: AWS entities in Graph search now have an icon to indicate if the Unsupported Condition property is True.

Bug Fixes

Lifecycle Management

Enhancements

EAC-33369 Filter events for changes: The provisioning activity log now includes a Changes Only toggle to filter only actions that resulted in a change to the target system.

Veza Integrations

Enhancements

FR-1915 Contained Resources for Okta Admin Roles: The Okta integration now creates Okta Constrained Resource and Constrained Resource Set entities indicating the resources associated with each admin role. Additionally, Okta Role Assignments now connect users and admin roles. This enables search and access reviews on relationships such as User > Role Assignment > Role, Role Assignment > Resource Set > Constrained Resource, and Role Assignment > Constrained Resource.

Bug Fixes

Veza Platform

Enhancements

EAC-33609: Added an option to delete local accounts associated with single sign-on users on the Administration > User Management page.
EAC-32880: When enabling SSO, you can now download a public certificate used by Veza to sign single log-out (SLO) requests.

2024.3.25

Changes in Veza release v2024.3.25

Access Reviews

Enhancements

EAC-33189: Improved readability within the Row Details drawer. It is now easier to see which table cell value belongs to which entity group for a result.
EAC-15565: Improved performance of the Access Reviews certification table, especially when selecting table rows.

Access Visibility

Bug Fixes

EAC-33311: Fixed an issue where some system permissions were not included in the Effective Permissions shown for users on Google Cloud projects.

Veza Integrations

Enhancements

EAC-32936 Salesforce: Veza now supports Permission Set Groups used to assign sets of permissions to teams of users. These can be related to a single Muting Permission Set entity, used to disable some or all permissions in a Permission Set Group.
EAC-32660 AWS Unsupported Condition List Property: AWS entities with the Unsupported Condition boolean property now also have an Unsupported Condition List showing any policy condition operators and keys which are not parsed by Veza.
EAC-33279 Concur: Added support for gathering user email addresses (requires additional API scope identity.user.coresensitive.read).

Bug Fixes

EAC-33282 Atlassian: Fixed an issue causing incorrect mappings for Atlassian Cloud principals and identity provider groups.
EAC-33279 Concur: Fixed an issue resulting in incorrect attributes for Concur users.
EAC-32586 AWS Role Assumption Permission Boundary Conditions: Veza now evaluates AWS policy conditions in permissions boundaries when parsing assumed roles.

Veza Platform

Enhancements

EAC-32727: When adding a team, administrators can now use an All Providers checkbox to include all integrations in the team scope.
EAC-31317: The Events page now shows logins for SSO users.

2024.3.18

Changes in Veza release v2024.3.18

Access Intelligence

Bug Fixes

EAC-33256: The Salesforce Governance dashboard no longer appears on the home page when the integration is not enabled.
EAC-32438: Improved performance when executing queries with many results, which could cause application freezes due to memory issues.

Access Reviews

Enhancements

EAC-31296: Activity is now sorted by timestamp when viewing the action log for an individual result.

Bug Fixes

EAC-33251: Fixed an issue that could result in reviewers using single sign-on to not see all assigned Reviews.

Veza Integrations

Enhancements

EAC-33108 Box: Added an option to prevent the discovery of all Box folders. This offers improved performance for gathering user and role metadata when there are too many folders for timely extraction.
EAC-33109 Box: You can now specify the maximum depth of folders to extract when configuring the integration.
EAC-33195 Egnyte The Egnyte integration now creates local role entities to represent the user type, such as admin, power, or standard.
FR-1803 Jenkins: The Jenkins integration now supports Project-based Matrix Authorization Strategy, where user and group access controls are defined on the project level,
EAC-32154 Microsoft Azure: Added caching for improved performance parsing role-based access controls. This enhancement must be enabled by our support team and should reduce pipeline delays when connecting to environments with complex RBAC hierarchy.
FR-1820 Snowflake: Snowflake Local Roles now have the last used at attribute.
FR-1888 Workday: Added the option to Use Preferred Names as an alternative to legal names when configuring the Workday integration. When enabled, worker entities are labeled with the worker's preferred name if available, or the email address or workerID if unavailable.

2024.3.11

Changes in Veza release v2024.3.11

Access Monitoring

Enhancements

EAC-32924: Activity Monitoring for AWS now supports CloudTrail organization trails owned by a different account than the one configured for Activity Monitoring. You can now specify an organization trail by ARN when configuring the integration.

Bug Fixes

Access Reviews

EAC-28286 New Review Builder: The modal for creating a Review is now a full-page editor, shown when clicking New Review on the Review Configurations page. This provides a unified view for picking the base Review Configuration, due date, reviewers, automation, and snapshot options.
EAC-32054: Email orchestration actions can now trigger on sign-off of an approved or rejected review row.
EAC-30477 Enriched Results for Local Users with IdP Metadata (Early Access): In the Review interface, access reviews involving local users that are associated with an external user in an identity provider can now feature an IDP USER column group. This group includes, by default, the name and unique ID of the federated identity for the local user. Reviewers can use the column picker to show additional attributes for the IdP user, such as risk score or activity status. These columns will be empty for local users without a related IdP user detected by Veza.
- To enable this feature, edit the Review Configuration and choose Advanced Options > Enrich with IdP data. Select from the list of supported IdP entity types to enable result enrichment.

Bug Fixes

EAC-32822: Fixed an issue causing some users to see Reviews marked as "incomplete" with all results signed off.
EAC-32982: Fixed an issue resulting in errors on approve or reject with a Jira Orchestration Action configured on rejected row sign-off.

Access Visibility

Enhancements

EAC-31672 Filter Combinations: Filters that use saved query results to constrain the output can now also include attribute filters.

Bug Fixes

EAC-30419: For improved performance when using the Time Machine to view results for a past date or over time, results are now paginated with an option to set the maximum page size.

Veza Integrations

Enhancements

FR-1824 Coupa: Users now have an additional attribute, API User, set to true if the user is flagged as an API User in Coupa.

Bug Fixes

FR-1889 Workday: Fixed an issue where timestamp attributes (such as Security Group Updated At) were incorrectly shown as empty.
EAC-32884 Workday: Fixed an issue where the Exists filters applied to the Workday user Email attribute did not correctly constrain the search results as expected.

Veza Platform

New Features

EAC-32992 Webhook and Email Domain Filtering: Administrators can now configure a list of approved domains for email and webhook Orchestration Actions. Messages are not sent to unapproved domains when this option is enabled on the System Settings page.

Bug Fixes

EAC-33030: Fixed a redirect loop that could occur when logging in with Single Sign-On.

2024.3.4

Changes in Veza release v2024.3.4

Access Reviews

Enhancements

EAC-29795 Reviewers can now use the Decision By filter to find results acted on by any user. Before, only reviewers directly assigned to rows appeared on the list of options.

Bug Fixes

EAC-32931 Fixed an issue where Reviews with no remaining decisions were not hidden as expected in mobile view.
EAC-32822 Fixed an issue with the number of completed assigned rows in an Access Review not updating correctly after applying decisions.

Veza Integrations

New Features

EAC-31965 Oracle EPM: New integration for discovering users, groups, and roles on Oracle Enterprise Performance Management (EPM).

Enhancements

EAC-32743 Active Directory Manager Principal Name: Veza now shows the Manager Principal Name property for Users where the Manager ID property is a manager distinguished name (DN). The added field shows the manager's User Principal Name (UPN).

Veza Platform

Enhancements

EAC-32634 Sign-in Settings: For simplified Single Sign-On configuration, Veza's Single Sign On URL (ACS) and Audience URI (Entity ID) are now shown in the Configure SSO wizard and no longer must be retrieved from the provider metadata.

2024.2.26

Changes in Veza release v2024.2.26

Access Intelligence

Enhancements

FR-1828: On the Access Intelligence > Risks > Queries with Risks page, you can now click on the small graph next to each query to open an expanded view showing changes in results over time.

Access Reviews

Enhancements

EAC-32234 Action Log in PDF Exports: The history of decision activity for each row is now provided as an optional column when exporting Reviews to PDF.
EAC-29795 Decision Details: Reviews now include optional, filterable columns showing the user who made the decision (Decision By) and Decision Time.

Veza Integrations

Enhancements

FR-1323 Okta App Status: Okta App entities now have the status attribute, indicating if an app is active.
EAC-32414 Azure Role Assignment Details: Azure Role Assignment entities now have additional attributes showing assignable_scopes, actions, not_actions, data_actions, and not_data_actions for the assignment.
EAC-31643 AWS Cross-Account Assume Role Condition Evaluation: Veza now evaluates policy conditions using both the assuming principal's attached IAM Policies and the assumed Role's Trust Policy when determining cross-account role assumption capability.

Bug Fixes

Veza Platform

New Features

EAC-30905 API keys for Non-Root Teams: Users on any team can now create API Keys scoped to their team role. The Administration > API Keys page now lists all keys for the user's active team.

2024.2.19

Changes in Veza release v2024.2.19

Access Reviews

New Features

EAC-31673 Edit Review Configuration: Administrators and operators can now edit an existing Review Configuration to update the original query, or customize reminders and orchestration actions. To modify a Configuration, click its name on the Review Configurations page to view details, then click Edit.

Bug Fixes

EAC-32007: Fixed an issue where the full information was not shown when hovering over cells in Reviews containing long strings of text.
EAC-32488: Fixed a "Resource Not Found" error that could occur when attempting to load a Review.

Veza Integrations

Enhancements

Box Effective Permissions: Veza now shows effective permissions for Box roles directly to resources. Before, these were shown only for User > Resource. Relationships between users and home folders are now shown only in System query mode.
EAC-32089 AWS Identity Center Account-level Permission Sets and Role Trust Policy Evaluation: The AWS Identity Center integration now supports account-level granularity for Permission Set assignments. Principals assigned to a Permission Set are now connected to a new AWS IAM Identity Center Permission Set Account entity for each account, reflecting specific assignments. Additionally, Veza evaluates the Trust Policy of corresponding provisioned IAM Roles in each account, which can limit an Identity Center principal's ability to assume the role. This will result in more accurate Effective Mode queries involving Identity Center principals and IAM Roles.
- Note 1: On upgrade, Veza will re-parse all AWS Identity Center data sources to apply the new Permission Set Account nodes. Until this process is complete, Authorization Graph or Query results involving AWS Identity Center may be temporarily invalid.
- Note 2: Queries involving the old AWS IAM Identity Center Permission Set entity type are updated to use the new type. Some queries may no longer be valid due to schema changes and will return an error upon execution.
EAC-21030 AWS Unsupported Condition Property: Added a boolean property Unsupported Condition to AWS Policy Statement entities indicating when the Policy Statement includes an unsupported condition, possibly impacting the accuracy of access shown in Veza.

Bug Fixes

EAC-31991: Fixed an issue causing some integrations (such as UKG Pro) to not appear on the list of filterable provider types

2024.2.12

Changes in Veza release v2024.2.12

EAC-32265 - Okta Group Parsing Errors: After upgrading, you might experience failures in Okta parse jobs due to unsupported condition expressions in Group Rules. We have identified this issue and plan to address it in a patch release scheduled for later this week.

Access Intelligence

New Features

Snowflake Data Governance Dashboard: Now generally available for customers using the Snowflake integration for insights into inert users and superusers, roles and super roles, role access, and least-privilege anti-patterns.
Salesforce Access Security: A dashboard of dedicated insights to complement the Veza integration for Salesforce. This page displays pre-configured queries for improved visibility on:
- Salesforce Users & Their Mapping to Identity Providers
- Users with Privileged Access
- SFDC Profile and PermissionSet Analysis
- Top Profiles mapped to Users, and top Profiles with privileged PermissionSets connected to users

Bug Fixes

EAC-31785: When opening a Query Builder result in Authorization Graph, the loading indicator now persists until results are available, instead of showing an empty search.
EAC-31971: Fixed an issue resulting in saved queries involving HRIS-type integrations not appearing on the Saved Queries page.

Access Reviews

Enhancements

EAC-32006 Actions for Expired and Completed Reviews: You can now use the View Action Log and See Row Details actions for additional information when viewing completed or expired Reviews.
FR-1782 Review Export: When exporting Reviews to PDF, the snapshot time for certification data is now indicated on the first page.
FR-1785, EAC-32050: Results now include an optional Is Active column for Access Review queries involving supertypes (such as All Top Level Principals to a resource).

Bug Fixes

Lifecycle Management (Early Access)

Enhancements

EAC-31727 Pending Tasks: Added a section under Lifecycle Management showing jobs queued for execution at a future date based on a provisioning policy, including the scheduled time, job type, and provisioning source and target.

Veza Integrations

New Integrations

EAC-30745 Jira Data Center: New on-platform integration for discovering Jira Data Center Projects, Users, Groups, and Roles.

Enhancements

- To gather this metadata when the feature is enabled, enter an Access Token when configuring the GitHub integration. This should be a Personal Access token created for a GitHub user with enterprise-level permissions. The token must have read:enterprise scope.

Bug Fixes

EAC-31923: Jira Custom Field Number and Text Issues: Fixed a bug where Jira issues were not created when they included Number and Text custom fields.

2024.2.5

Changes in Veza release v2024.2.5

Access Intelligence

Enhancements

Access Reviews

Enhancements

EAC-28195 Access Reviews Terminology Changes: Veza Access Reviews are designed to enable repeatable certifications using an underlying Veza Graph query and common settings. Based on customer feedback, we've updated the legacy term for the original query and settings from Workflow to Review Configuration. A single instance of access review for that configuration (previously a Certification) is now a Review. On the main Veza navigation, these are now located under Access Reviews > Configurations, and Access Reviews > Access Reviews.

Bug Fixes

EAC-31907: Fixed a regression causing custom property columns for OAA-based integrations to not appear as expected.
EAC-31905 Fixed an issue preventing display of the natural language summary of the access relationship when hovering over rows involving OAA-based integrations.
EAC-31990: Fixed an issue where disabling Include Assumed Groups/Roles to only show principals with direct access did not filter results as expected.

Lifecycle Management

Enhancements

FR-17772 Event Log Filtering: Added the option to filter the list of provisioning events by user name and event type.
EAC-31778 Event Log Columns: The Timestamp column is now shown on the left and can be resized. Column width is optimized for better readability at most screen widths.

Veza Integrations

New Features

EAC-31175 Oracle Fusion Cloud: The Open Authorization API (OAA) connector for Oracle Fusion Cloud (OFC) is now available as an on-platform integration, including support for role assignments, role permissions, and Security Contexts.

2024.1.29

Changes in Veza release v2024.1.29

Access Intelligence

New Features

- Total inert users and superusers
- Inert roles and super roles
- Role access to data objects (schema, database, table)
- Deactivated IdP users with Snowflake Access
- Vulnerabilities and least-privilege anti-patterns

Enhancements

EAC-31099 Enhanced List Filters: Filters on list-type attributes now support additional operators to enable matching based on the contents of an element in the list. For these attributes (such as Okta User MFA Factors or GitHub User Emails), you can now conditionally filter results where one list item (Contains / Does Not Contain / Starts With / Ends With) the input string or matches a regular expression. This enhancement complements the existing Equals and Not Equals operators, which filter for exact matches across any list element.

Bug Fixes

EAC-31634: Fixed an issue causing the Query Builder Entity Type dropdown to contain values when searching for a source entity type.

Access Reviews

Enhancements

EAC-28284 Workflow Builder: The Access Reviews workflow creation modal now uses a step-by-step wizard. The new design provides a more intuitive flow for adding a description, specifying the query, and configuring email notifications and orchestration actions.
EAC-31458 Workflow Query Enhancements: Entity type groupings, used to specify combinations of entity types for workflow queries involving custom applications, are renamed for clarity when constructing queries with the Workflow builder:
- All Idp Users for All Apps -> Custom Idp Users
- All Applications for All Apps -> Custom Applications
- All SubResources for All Apps -> Custom SubResources
- All Resources for All Apps -> Custom Resources
- All Users for All Apps -> Custom Users
- All Roles for All Apps -> Custom Roles
- All Role Assignments for All Apps -> Custom Role Assignments
- All Idp Domains for All Apps -> Custom Idp Domains
- All Idp Groups for All Apps -> Custom Idp Groups
- All Groups for All Apps -> Custom Groups
- All Permissions for All Apps -> Custom Permissions

Lifecycle Management

Enhancements

EAC-31595 Date-based Provisioning Rules: User Mapping Rules now support date-based operators to enable conditions based on attributes containing timestamps. You can now use On or After, On or Before, After, or Before to create rules that only (for example) provision users hired after a certain date.

Veza Integrations

Enhancements

EAC-31598 Jira Default Assignee: The Jira Orchestration Action no longer requires a Default Assignee to enable the integration. Leaving this value blank will set Unassigned on created issues.
EAC-31642 AWS Condition Parsing: Veza now evaluates when aws:userid IAM policy condition keys restrict access to resources, and shows the appropriate effective permissions for the authorization path.

Veza User Guide

Veza Documentation

Platform Overview

Product Documentation

Getting Started

Getting Help

Getting Started

Configure Veza to discover enterprise resources

Explore your entity catalog

Leverage built-in and customized Access Intelligence

Search and query for who has access to any resource

Conduct ongoing Access Reviews

Operationalize Veza for your users and teams

Veza Glossary

📖 Veza Glossary

Table of Contents

Core Concepts

Authorization Graph

Cloud Service Provider

Effective and System Permissions

Group

IAM

Identity Provider

Local Role

Local User

RBAC

Role

Search

Service Account

Webhook

Veza Integrations

Custom Properties

Data Source

Integration

Limit Integration Services

Mapping Configuration

Monitoring

OAA Integration (Community)

OAA Integration (Customer)

Open Authorization API

Veza Action

Resource inclusion and exclusion lists

Veza Cloud Connector

Worker

Access Intelligence

Activity Monitoring Timeframe

Alerts

Dashboards

Exception

Insights

Over Provisioned Access Score

Query Integrations

Query Labels

Report

Report Category

Report Section

Risk

Risk Level

Rules

Veza Events

Access Search

Account Filter

Authorization Graph

Display Options

Does not relate to

Entities

Entity Attributes

Exclude Entities

Explain Effective Permission

Filters - Attributes

Filters - Permissions

Filters - Tags

Graph

Query

Query Mode

Related Entity Limit

Relates to

Relationship Options

Require Entities

See More