Veza 2025.6: Identity Security Platform Advancements
Welcome to the latest Veza product update! We're excited to share a summary of the new features, enhancements, and operational improvements introduced in our 2025.6 releases.
This release automates access remediation, scales lifecycle management, and expands integration support to help you govern identity security with reduced risk and greater operational visibility.
Key business benefits include:
Identity Access Governance automation
Automatic access remediation validation - Verify rejected access no longer exists
Consolidated multi-review reports - Export multiple access reviews in one consolidated report
Apply labels to access reviews for better classification - Use labels for reviews and review configurations to better organize and classify active and completed reviews
Risk score details - Visibility into the risk components that comprise exactly why users and resources are flagged high-risk
Identity Lifecycle Management for the enterprise
Password complexity rules - Reusable policies to ensure password complexity for secure and compliant provisioning
Dynamic access profiles - Auto-assignment based on user attributes (dept, role, location)
Workflow cloning - Copy existing provisioning workflows in a single click
Advanced transformers - Conditional attribute synchronization with fallbacks
Next-gen access with NHI Security
NHI Security Administrator - Dedicated role for non-human identity governance
Integrations Owner role - Isolated integration management for distributed teams
Access Hub customization - Page visibility controls per user or license level
Integrations for the enterprise
Google Cloud IAM cross-org visibility - Detect service account impersonation across organizations
GitHub secrets discovery - Repository and organization-level secrets mapping
Veza and CrowdStrike - Bidirectional risk intelligence sharing
Snowflake organization accounts - Multi-account discovery through a unified connection
Enhanced user experience and operational efficiency
Cross-team dashboard sharing - Share custom dashboards directly with specific teams for seamless collaboration
Streamlined navigation and personalized workflows - Redesigned Access Hub interface with optimized menu ordering and customizable landing pages for faster access to relevant features
Simplified management with unified design patterns across the platform, reducing configuration time and complexity.
Intuitive UX design - Improved visual indicators, navigation flows, and consistent presentation across product areas
See each section below for more information on specific updates, and please reach out to your Veza support team with your valued feedback.
Contributing Risk Score Details in Access Reviews
For enhanced understanding of contributing risks behind user and resource risk scores, Access Reviews now include risk scores broken down by contributing risk details.
How to use it: Reviewers can use the Rows Details > Risks panel to understand the contributing risks that comprise the source and destination risk scores associated with a row of access, such as the user risk score or resource risk score. These contributing risks are based on the risk queries configured in Access Intelligence.
Automatic Access Remediation Validation
Access Reviews now automatically verify that rejected access has actually been remediated by revocation, using periodic checks against the Access Graph. If access marked as "rejected and signed off" no longer exists in the Access Graph, the row is automatically marked as "Fixed". This reduces manual reconciliation work for identity teams and gives auditors clear evidence that access for a rejected row has indeed been revoked.
How it works: When rejected access is no longer detected in the Access Graph, rows are automatically marked as "Fixed," and the entry "Rejected access no longer detected by Veza" is added to the row's Action Log. Administrators can configure validation behavior through new global and workflow-specific settings, including validation triggers (review due date or review completion milestones) and maximum validation duration (the default is 30 days).
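As an added illustration (not Veza's code), the following Python models the validation loop described above: only rows that are rejected and signed off are checked, a row is marked "Fixed" with the page's Action Log text when its edge is absent from the graph, and rows past the maximum validation duration are left alone. The in-memory edge set stands in for the Access Graph, and the assumption that the validation window is counted from the row's rejection time is a simplification.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta

ACTION_LOG_FIXED = "Rejected access no longer detected by Veza"  # text from the page

@dataclass
class ReviewRow:
    principal: str
    resource: str
    permission: str
    decision: str          # "approved" or "rejected"
    signed_off: bool
    rejected_at: datetime  # assumption: the validation window is counted from here
    status: str = "Open"
    action_log: list = field(default_factory=list)

def validate_rejected_rows(rows, graph_edges, now, max_days=30):
    """Mark rejected, signed-off rows as Fixed when their access edge is gone.

    graph_edges is a set of (principal, resource, permission) tuples standing
    in for the current Access Graph. Rows older than max_days (the page's
    default of 30) are skipped, so a late revocation is not silently counted
    as remediated after the validation window has closed.
    """
    window = timedelta(days=max_days)
    fixed = []
    for row in rows:
        if row.decision != "rejected" or not row.signed_off or row.status == "Fixed":
            continue  # only rows marked "rejected and signed off" are validated
        if now - row.rejected_at > window:
            continue  # outside the maximum validation duration
        if (row.principal, row.resource, row.permission) not in graph_edges:
            row.status = "Fixed"
            row.action_log.append(f"{now.isoformat()} {ACTION_LOG_FIXED}")
            fixed.append(row)
    return fixed

# Constructed sample data: two edges still present in the graph, carol's revoked.
NOW = datetime(2025, 7, 1)
CURRENT_GRAPH = {("alice", "prod-db", "admin"), ("bob", "billing-s3", "read")}
SAMPLE_ROWS = [
    ReviewRow("alice", "prod-db", "admin", "rejected", True, NOW - timedelta(days=3)),   # still present
    ReviewRow("carol", "prod-db", "write", "rejected", True, NOW - timedelta(days=5)),   # revoked -> Fixed
    ReviewRow("bob", "billing-s3", "read", "approved", True, NOW - timedelta(days=2)),   # approved, ignored
    ReviewRow("dave", "hr-app", "admin", "rejected", False, NOW - timedelta(days=1)),    # not signed off
    ReviewRow("erin", "vpn", "connect", "rejected", True, NOW - timedelta(days=45)),     # window expired
]

def run_validation():
    """Run the check on a fresh copy of the sample rows; returns (rows, fixed principals)."""
    rows = [replace(r, action_log=[]) for r in SAMPLE_ROWS]
    fixed = validate_rejected_rows(rows, CURRENT_GRAPH, NOW)
    return rows, [r.principal for r in fixed]

if __name__ == "__main__":
    rows, fixed = run_validation()
    print("fixed:", fixed)
    for r in rows:
        print(r.principal, r.status, r.action_log)
```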
Consolidated Reports Across Multiple Reviews
Administrators can now generate a consolidated report across multiple reviews in a single file, effectively consolidating a collection of distinct access reviews into a single comprehensive report.
How to use it: You can select reviews for inclusion in the consolidated report using filters including labels, date range, and review status, with support for up to 20 reviews per report. Reports include aggregated statistics (approval/rejection rates, completion percentages, Review Intelligence auto-decision metrics) and full metadata for each review (status, timelines, reviewers, approval levels).
Labels for Improved Review Organization
Reviews and Review Configurations now support labels for improved organization and management of access reviews. Labels can be used to attribute Reviews and/or Review Configurations to specific applications, compliance programs, or timeframes. This makes it significantly easier for Administrators and Operators to locate reviews associated with specific review campaigns:
Administrators can both create and manage labels centrally in Access Reviews > Settings, as well as create and apply new labels inline when creating or editing Review Configurations and Reviews.
Operators and Administrators can filter lists of Reviews and Review Configurations by labels on their respective overview pages. They can also add and remove labels from Reviews and Review Configurations as needed.
Privacy-Enhanced Individual Review Notifications
Access Review notifications now place reviewers on the BCC line instead of the To/CC lines for improved confidentiality. Each reviewer receives an email without seeing the full list of other recipients.
Label-based exclusions for notifications
Administrators can now exclude specific reviews from digest notifications using labels. This provides more granular control over reviewer and stakeholder communications.
How to use it: Navigate to Access Reviews > Settings > Notifications and expand the Exclude Reviews section within Digest Notifications or Alerts settings. Select labels using the dropdown menu to prevent reviews with those labels from generating email notifications.
Product Design and Usability
The Reviews and Review Configurations overview pages now use a unified design with consolidated filters and simplified navigation, replacing separate tabs with integrated status- and label-based filtering.
Cross-Team Dashboard Sharing
Users can share custom Dashboards with specific teams or with a customized email message and direct link.
Shared dashboards now appear in the Favorites sidebar for easy discovery, and collaboration across teams without manual cloning or API usage.
How to use it: You can now share custom dashboards through two methods:
Direct team sharing (choosing teams from the dropdown menu to grant immediate access). When sharing dashboards, a warning indicates if any included queries or integrations are not available in the target team's scope.
Email sharing (sending links to dashboards with customizable subject lines and message contents)
Access Request Policy Expiration Handling
Administrators can now configure expiration rules within Access Request Policies to automatically handle requests that expire according to defined timeframes.
How to use it: Policies can be set to automatically approve, reject, or escalate expired requests based on configurable timeframes. When escalation is selected, requests can be routed to administrators, application owners, profile owners, manager hierarchies (Level 1 and 2), or specific users and groups.
Customizable Password Complexity Rules
Added support for password complexity rules within Lifecycle Management policies to ensure generated passwords adhere to standardized criteria according to defined password policies across automated provisioning workflows.
How to use it: Administrators can now define reusable password complexity rules to enforce requirements for password length, mandatory character types (uppercase letters, lowercase letters, numbers, and special characters), and restricted characters when generating random passwords. These rules are available for selection in Sync Identities, De-Provision Identity, and Reset Password actions when working with integrations that support complex password requirements.
Dynamic Access Profiles
The Manage Relationship action in Lifecycle Management workflows now supports dynamic access profile selection using attribute transformers for intelligent, context-aware provisioning.
How it works: Administrators can now configure access profile names that automatically resolve based on user attributes during provisioning. For instance, this allows expressions to dynamically apply access profiles by name, such as {department}-profile or {location}-{role}-access. This allows a single workflow to provision users to different access profiles based on their source of identity (SOI) attributes, such as department, location, or role, without requiring separate conditions for each combination.
For example, you could use dynamic profile selection to provision access based on department and business unit combinations from your source of identity:
Create Access Profiles following a naming convention:
TEAM-QA-12345 (for QA department, business unit 12345)
TEAM-Engineering-67890 (for Engineering department, business unit 67890)
TEAM-Sales-12345 (for Sales department, business unit 12345)
In your Lifecycle Management Policy, configure the Manage Relationships action with dynamic profile expression:
dynamic_access_profiles: ["TEAM-{department}-{businessUnitCode}"]
Dynamic name resolution at runtime will assign the appropriate Access Profiles and their related entitlements:
"John Doe" with department=QA and businessUnitCode=12345 is assigned to TEAM-QA-12345
"Jane Doe" with department=Engineering and businessUnitCode=67890 is assigned to TEAM-Engineering-67890
"Richard Roe" with department=Sales and businessUnitCode=12345 is assigned to TEAM-Sales-12345
Enhanced Workflow Cloning
When editing a Lifecycle Management Policy, you can now clone existing workflows to quickly create new provisioning or deprovisioning workflows by duplicating an existing branch of trigger conditions and actions.
Cloning a workflow duplicates trigger conditions, actions, and workflow configuration, but does not validate integration connectivity. No checks are performed against SOI (Source of Identity) or Target System health during cloning.
Cloned workflows automatically have " - Clone" appended to their original name.
The policy editor now indicates when you are editing a cloned workflow.
Advanced Transformer Capabilities
Conditional Transformers: Added support for preview-based conditional logic using the sys_attr__would_be_value and sys_attr__would_be_value_len attributes. These can be used to create intelligent attribute transformations based on what the final value would be, such as conditionally adding ".com" to email addresses only when needed, or adjusting name formats based on character length limits.
Nested Transformer Expressions: Transformer expressions now support nesting the results of one function inside another, enabling more complex data transformation workflows. For example:
{secondary.hire_date | ASSUME_TZ, "{location | LOOKUP, "table_name", "loc", "tz"}"}
This example uses a location lookup table to determine the appropriate timezone, then applies that timezone to the hire date. Nested expressions can be used both in Common Transformers defined in the Lifecycle Management Policy, and within specific workflow actions.
NEXT_NUMBER in Conditional Transformers: The NEXT_NUMBER transformer can now be used within IF/ELSE conditional transformers, enabling username generation with numbered alternatives and automatic fallback strategies. This enables workflows to generate usernames that progressively truncate, or change format when length constraints are exceeded, based on conditional logic.
Enhanced Date Formatting and Transformation
Workflows can now reference date attributes from secondary integration sources when configuring trigger details (execution timing), apply format transformations (including the LDAP Z-time format, such as 20240101100000Z), and perform date calculations (such as adding days or months for contractor expiration dates).
Improved Navigation
We've redesigned Access Hub navigation to better serve all users, regardless of their role or primary use case.
This reorganization provides a more intuitive experience that serves both end users seeking self-service access visibility, and administrators and managers using My Team and Access Reviews features.
Menu Ordering: The left navigation now follows a consistent user journey: My Access → My Team → Access Reviews → Access Profiles → Catalog. All users can now explore their access landscape, while managers and reviewers can easily navigate to their specialized workflows.
New Default Landing Page: Access Hub now opens to My Access (or the topmost page available in Access Hub) instead of Access Reviews, providing every user with immediate visibility into their permissions across all connected systems.
Configurable Section Visibility
Administrators now have granular control over the Access Hub experience for end users, with options to hide specific Access Hub sections (My Access, My Team, Access Profiles, etc.) from users based on organizational needs and licensing.
This can be used in combination with entity type visibility settings to control the information and features available to different users and maintain a clean and focused interface.
Personalized User Experience
Users (admin and non-admin users) can now set a personal default landing page in Access Hub to match their workflow preferences:
All users can now choose a default landing page on the Access Hub > Settings menu. This landing page choice is remembered across sessions for a consistent experience.
For example, managers involved in ongoing certification campaigns can set Access Reviews as their landing page, while other users might prefer My Access or Catalog.
Usability Enhancements
You can now filter the Resources tab search by a specific resource name or resource type that you or a direct report can access.
The My Team page is now filtered to show only active users by default.
Google Cloud Cross-Organization Service Account Impersonation
The Google Cloud integration now discovers and maps service account impersonation relationships across Google Cloud organizations. Veza now identifies when Google Workspace users or service accounts in one organization have permissions to impersonate service accounts in different organizations, providing visibility into cross-organizational access pathways.
GitHub Secrets Discovery
The GitHub integration now discovers and maps GitHub secrets at both the repository and organization levels. Repository-level secrets are directly linked to their respective repositories. Organization-level secrets are now mapped to repositories based on their visibility settings (Public, Private/Internal, or Selected repositories).
Veza and CrowdStrike Integration
The CrowdStrike integration now supports bidirectional risk score synchronization between Veza and CrowdStrike Falcon Identity Protection. When configuring the integration, you can now enable risk score import from CrowdStrike to Veza (applied as custom tags crowdstrike_risk_score and crowdstrike_risk_score_severity), export high-risk identities from Veza to CrowdStrike (identities with Veza Risk Score ≥ 50), or both.
Snowflake Integration Updates
Organization Accounts: Support for Snowflake Organization Accounts enables centralized visibility and management across multiple Snowflake accounts within a single organization. When connecting to an Organization Account, Veza automatically discovers all member accounts and creates separate data sources for each account, offering coverage of your entire Snowflake estate through a single integration configuration.
Projection Policies: New support for Snowflake Projection Policies enables visualization and analysis of column-level access controls. The integration can now discover projection policies and identify users and roles with "projection unconstrained" access to sensitive columns.
Network Policies: Added support for Snowflake network policies, including legacy network policies with direct IP allow/block lists and modern network policies utilizing network rules. The integration now discovers network policies, network rules, network rule references, and relationships between these components.
Password Policies: The Snowflake integration now discovers and maps password policies configured within Snowflake environments for visibility into password complexity requirements, aging settings, lockout controls, and password history for Snowflake Local User accounts.
Salesforce: The integration now includes support for discovering Guest User Profiles that provide public access to Salesforce Sites and communities, and shows object-level and field-level permissions for unauthenticated visitors to assess potential data exposure. To enable this feature, you will need to select the option "Gather Non-Standard Salesforce Users" in integration settings.
Coupa: The integration now supports the extraction of job candidate information alongside existing contingent worker data. Veza now gathers candidates across all valid candidate statuses (including approved, interviewing, rejected, and onboarding states) and maps them to the HRIS system with an employment type of "CANDIDATE" and an "inactive" status.
Salesforce: The Salesforce integration now supports using encrypted private keys. You can now specify a password configuration field to provide a password for decryption.
Active Directory (AD): Added support for LDAP Channel Binding in Active Directory integrations, resolving connection issues for customers with enforced LDAP channel binding in their enterprise environments.
Open Authorization API (OAA) Enhancements:
Entity Owner Assignments (Early Access): You can now configure Entity Owners directly within the custom application submission payload. This enables you to define custom applications, users, groups, roles, resources, and access credentials along with their assigned owners in a single operation, for automatic reviewer assignment, enhanced NHI governance, and risk remediation accountability.
Large Payload Support: Open Authorization API now supports handling payloads larger than the previous API limit, improving support for organizations with extensive access data in custom applications, identity providers, or HRIS platforms. Additionally, increased the maximum field length for OAA entity names from 256 to 512 characters to support organizations with longer role names and other entity identifiers.
Azure Intune Device Enrollment Type Support: Veza can now capture device enrollment type information via the Azure integration. The integration now includes a new device_enrollment_type property on Intune Managed Device entities.
NHI Security Administrator Role
Added a new NHI Security Administrator role that provides dedicated access to Non-Human Identity (NHI) security features and Access Intelligence functionality.
Integrations Owner Role
Added a new Integrations Owner role for isolated integration management. Users with this role can only see and manage integrations they own, with automatic ownership assignment for creators of new integrations.
Enhanced Role Change Event Details
Role change events in Veza Platform Events now include more detailed information about user role modifications. This provides administrators with improved visibility into role transitions, showing both the previous roles and newly assigned roles for improved security auditing and compliance tracking.
Additional Enhancements
Improved parallelism for the Veza data pipeline
OpenID Connect (OIDC) support is now Generally Available
Updated page names in the Platform section for better consistency. Authentication configuration descriptions for SSO IdP-managed roles and SCIM provisioning have been updated for clarity.