Product Update: March'25

Welcome to the latest Veza product update! This document offers a summary of the latest features, enhancements, and usability improvements across the platform, with highlights including:

  • NHI Security: Credential rotation visibility and NHI detection for security teams managing service accounts, access credentials, and other machine identities.

  • Access Intelligence: Improved governance controls, analytical capabilities, and overall usability.

  • Access Reviews: Improvements to reviewer experience, new administrative options, and system performance for large-scale reviews.

  • Access Requests: New design for the Catalog in the Access Hub, improvements to request approval workflows, and custom properties for profiles and entitlements.

  • Lifecycle Management: New Dashboard page, granular control for access management, and expanded integration support.

  • Separation of Duties (SoD): Targeted improvements for SoD owner assignments and query lifecycle management.

  • Integrations: Improved depth and quality of discovered metadata across cloud providers, identity systems, and business applications.

See the sections below for more details about specific changes in each product area, and please contact your Veza representative with any questions or your valued feedback.

Separation of Duties (SoD)

This month's Separation of Duties updates bring targeted improvements for SoD owner assignments and query lifecycle management.

SoD Manager Assignment

We've introduced several improvements to ownership management for Separation of Duties queries:

  • Multiple Manager Assignment: You can now assign multiple SoD managers to a single query, enabling shared responsibility and ensuring continuous oversight.

  • Bulk Assignment Capability: You can now select multiple SoD queries simultaneously and assign one or more managers to all selected queries, reducing administrative effort.

  • Terminology Update: The term "SoD Manager" now replaces "Owner" for SoD queries, providing a better distinction between query creators and those responsible for managing SoD policies.

Query Change History

You can now track when SoD queries were last updated using a new Edit History sidebar in Query Details. This can provide detailed historical context about who made changes and when they occurred.

Open a query to view details, and choose View Edit History to access the full change log.

A sidebar shows all changes to date in chronological order, including creation of the query and modifications to the query name, description, label, risk levels, risk explanation, risk remediation, SoD manager, query visibility, and query parameters.

Lifecycle Management

This month, we've introduced a new Dashboard page for Lifecycle Management, granular control for access management, and expanded integration support.

New Lifecycle Management Dashboard

A Lifecycle Management Dashboard view now provides comprehensive insight into your Lifecycle Management deployment. The new page includes at-a-glance information about policies, Access Profiles, identities, integrations, and more.

Enhanced Workflow Actions

  • Mover Grace Period: The "Manage Relationships" action now supports grace periods before removing entitlements from movers for business continuity during role transitions. When an employee changes positions, you can now ensure they retain access to entitlements from their previous role for a specified duration.

  • Password Reset: Workflows now support the "Reset Password" action. This lets you create identities in advance and automatically initiate password reset flows on start dates, reducing day-one friction while maintaining security controls.

Improved Microsoft Integration

  • Active Directory: Active Directory is now supported as a source of identity for both Lifecycle Management and Access Requests, enabling a unified approach for hybrid environments.

  • Azure AD Guest Invitations: Sync Identities actions now support creating Azure AD guest user invitations for external collaboration.

  • M365 License Management: The Azure integration now supports automatic assignment of Microsoft 365 licenses to users for appropriate software access.

Administrative Improvements

  • Access Profile Version History: Administrators can now view retired or draft versions of Access Profiles when versioning is enabled, providing better audit capabilities and change tracking.

  • Email Notifications: Administrators can now customize notifications to include any attribute provisioned within a Lifecycle Management workflow, for more informative and context-rich communications.

Access Requests

This month's updates include a new design for the Catalog in the Access Hub, improvements to request approval workflows, and metadata enrichment.

Redesigned Access Hub Catalog

  • Reimagined Catalog View: The Catalog in the Access Hub has been fully redesigned for more intuitive navigation and a simpler request process, making it easier for end users to find and request application bundles and entitlements.

  • Rich Access Profile Presentation: Administrators can now customize Access Profiles to help users quickly identify appropriate access. Enhanced Access Profiles now support rich text descriptions, custom icons, and recommendations to control how Access Profiles appear in the catalog.

Metadata and Property Controls

  • Profile Custom Properties: Administrators can now add organization-specific metadata to Access Profiles with custom-defined properties. These can be applied to create more granular categorizations of bundles and entitlements in the Catalog by tagging Access Profiles with business-relevant context.

  • Entitlement-Level Custom Properties: For more detailed classification and improved governance, you can now assign custom property values directly to created entitlements. Entitlement properties are separate from any custom properties on a parent Access Profile.

  • Custom Property Constraints: Administrators can now define specific allowable values for custom properties for standardized metadata across integrations.

Enhanced Request Approval Workflows

  • Group-Based Approvals: You can now automate approval workflows by designating a Veza Group as a request approver.

  • Owner Approvals: Requests can now be routed to application owners or Access Profile owners for approval, so that access decisions involve reviewers with direct knowledge of applications' security requirements.

  • Digest Notifications: Administrators can now enable summary notifications to provide users with consolidated information about their created and completed access requests over a selected period.

Veza Access Reviews

This month's Access Reviews updates deliver improvements aimed at accelerating review cycles, improving decision quality, and improving system performance for large-scale reviews.

Improved Reviewer Experience

  • Customizable Default Columns: Administrators can now use the column actions dropdown to personalize column names, order, and visibility in the reviewer interface and publish these settings for all reviewers. This can help reviewers see the most relevant review information in a format that aligns with your organization's terminology and review types.

  • Visual Permission Indicators: Reviewers can now quickly identify access permission differences with new visual indicators for variations in Effective Permissions since the last review. These color-coded icons make pattern recognition across multiple rows faster, reducing review time while improving accuracy.

  • Simplified Group Sign-Off: You can now use single-click sign-off to apply decisions to all rows in a group. A Signed-Off badge now shows when all rows in a group are final.

  • Improved Interface Controls: Reviewers can now access important display options through a "View" dropdown menu, with options like "Include Other Reviewers' Decisions". In-column actions are now enabled by default for all reviewers, providing direct access to rename, hide, filter, sort, or group by columns.

Administrative Improvements

  • Managed Predefined Decision Notes in UI: Administrators can now enable predefined approval, rejection, and custom decision notes directly in the Veza UI. Reviewers can choose from their own standardized decision rationales to maintain consistency across the review process.

  • Controlled Reviewer Reassignment: Administrators can now choose to prevent individual reviewers from reassigning review rows in a review. This setting can be configured globally or per-configuration when additional control is needed to maintain review integrity and accountability.

  • Auto-Assignment with Secondary Identity Provider: Reviewer auto-assignment now supports an alternate lookup using a secondary identity provider. This enhancement can help assign the correct reviewers if you have more than one source of user identities, such as when managers in one system will review contractors in another system.

  • Improved PDF Exports: PDF exports now include completed, approved, rejected, and unactioned row percentages, providing additional review status metrics for compliance reporting.

NHI Security

This month's Non-Human Identity (NHI) Security updates focus on improving credential rotation visibility, platform navigation, and NHI detection for security teams managing service accounts, access credentials, and other machine identities.

Strengthened Non-Human Identity Tracking

  • GitHub: GitHub Keys and GitHub Secrets now support the "Last Rotated" and "Versioned" attributes, enabling better security hygiene for developer credentials.

  • Google: Secret Manager Secrets now support filtering by "Last Rotated", "Status", and "Secret Type" attributes, for improved tracking in Google Cloud environments.

Improved Visibility and Investigation

  • Account Overviews: You can now quickly assess your non-human identity landscape with a new summary banner on the NHI Security > Accounts page. Use this element to review the total number of NHI accounts detected across your environment and identify which integrations these accounts originate from.

  • Account Classification: Account types are now easier to identify with a new "Type" column on the NHI Accounts page. You can sort or filter to immediately distinguish between different entity types for faster analysis and prioritization of security efforts.

  • Improved Filters: It's now possible to target specific segments of your non-human identity population by integration type, owner, created date, or risk level.

  • Investigation Workflows: You can now get detailed information about specific accounts with a single click using the "View Details" action for each account. This direct path to the filtered query details view reduces navigation steps during incident response and security investigation.

Extended NHI Enrichment Options

  • Enrichment Capabilities: You can now apply and prioritize enrichment rules for any integrations that use custom application templates, including Terraform, DocuSign, PagerDuty, and Zoom. This extension can help standardize metadata across the entire NHI ecosystem, improving classification, reporting, and policy enforcement for previously unsupported integrations.

  • Open Authorization API (OAA): It's now possible to designate identities as either human or non-human directly within the Custom Identity Provider template, enabling NHI categorization for any source of identity not natively supported by Veza.

Access Intelligence

This month's Access Intelligence updates include improvements to governance controls, analytical capabilities, and overall usability.

Strengthened Governance Controls

  • Prioritized Enrichment Rules: Administrators can now control how entity enrichment rules interact with each other with a new "Priority" setting. Priority can range from 0.0 to 10.0, with higher priority rules executing later in sequence and overriding values set by lower priority rules. This can provide greater precision when identifying human or non-human identities, classifying privileged access, or setting resource criticality levels.

Product Design and Usability

  • Personalized Access Graph: For a more personalized experience, your organization's name is now shown in Graph search, enabling a distinction between environments for organizations managing multiple deployments. Your Veza support team can help customize this setting for your tenant.

  • Automatic Filtering of Private Queries for Public Reports: When making a dashboard public (changing the visibility status from private), any private queries in the dashboard are automatically filtered without any effort on the user's part. This behavior now works consistently for both query-based and dynamic (label-based) dashboards.

  • Alert Notifications: Email notifications now display friendly entity names instead of entity unique IDs, for better understanding without additional lookups.

  • Clearer Terminology: "Veza Actions" is now used as standard terminology throughout the interface, replacing the previous "Orchestration Actions" designation for webhooks, email notifications, and Access Review automation.

  • Improved Error Handling: Error indicators now provide clear feedback and retry options when API errors occur during report generation.

  • Share Links: Fixed an issue where scheduled export links could expire prematurely, ensuring exports remain accessible for their full 28-day lifespan.

Veza Integrations

This month's updates focus on improved depth and quality of discovered metadata across cloud providers, identity systems, and business applications.

New Integrations

  • Coupa Contingent Workforce: New integration for Coupa Contingent Workforce (CCW), enabling comprehensive governance over contractor identities and access rights.

  • Dynamics 365 ERP: New integration for discovering Users, Groups, Application Users, and Security Roles for Microsoft Dynamics 365 ERP, bringing critical business systems into your access governance framework.

Enhancements

  • GitHub: Keys and Secrets now include the Last Rotated and Versioned attributes.

  • Google Cloud Secret Manager: Secrets now include the attributes Last Rotated, Status, and Secret type.

  • Snowflake: Snowflake Users with network policies can now be identified through the new Network Policy Exists attribute (true or false).

  • Azure: The integration now supports additional resources and permission discovery for better visibility into groups and role-based access controls:

    • Exchange Online Role Groups

    • Azure Entra ID group assignments to roles

    • Azure AD Role descriptions with "privileged role" indicators

    • Support for custom roles and role assignments

  • Microsoft 365 Licenses: M365 licenses are now represented as searchable entitlement entities related to users, for improved visibility into software access rights.

  • SharePoint: Added support for skipping sites with identical GUIDs, reducing redundant processing.

  • Oracle EBS: Human-readable names are now shown alongside technical IDs in search results, including application names, menu names, and request group names.

  • Active Directory: The integration now supports secure connections with Kerberos authentication for LDAPS bindings.

  • Active Directory: The integration now supports excluding disabled users from extractions.

  • Integrations Overview: Improved entity categorization on the integration overview page, grouping types into "Identities," "Resources," and "IAM Entities" for improved readability.

  • Integration Names: When adding integrations, names now support a more complete range of additional characters (such as parentheses and hyphens).

Veza Platform

API Key Management

  • Administrators can now enable or disable programmatic access with the option to block Veza API keys in Administration > Sign-in settings. When API Keys are disabled through the user interface, all API key access is immediately blocked, and the API Keys management page is hidden from all users.