Welcome to the latest Veza product update! This document offers a summary of the latest features, enhancements, and usability improvements across the platform, with highlights including:
NHI Security: Credential rotation visibility and NHI detection for security teams managing service accounts, access credentials, and other machine identities.
Access Intelligence: Improved governance controls, analytical capabilities, and overall usability.
Access Reviews: Improvements to reviewer experience, new administrative options, and system performance for large-scale reviews.
Access Requests: New design for the Catalog in the Access Hub, improvements to request approval workflows, and custom properties for profiles and entitlements.
Lifecycle Management: New Dashboard page, granular control for access management, and expanded integration support.
Separation of Duties (SoD): Targeted improvements for SoD owner assignments and query lifecycle management.
Integrations: Improved depth and quality of discovered metadata across cloud providers, identity systems, and business applications.
See the sections below for more details about specific changes in each product area, and please contact your Veza representative with any questions or your valued feedback.
This month's Separation of Duties updates bring targeted improvements for SoD owner assignments and query lifecycle management.
We've introduced several improvements to ownership management for Separation of Duties queries:
Multiple Manager Assignment: You can now assign multiple SoD managers to a single query, enabling shared responsibility and ensuring continuous oversight.
Bulk Assignment Capability: You can now select multiple SoD queries simultaneously and assign one or more managers to all selected queries, reducing administrative effort.
Terminology Update: The term "SoD Manager" now replaces "Owner" for SoD queries, providing a better distinction between query creators and those responsible for managing SoD policies.
You can now track when SoD queries were last updated using a new Edit History sidebar in Query Details. This can provide detailed historical context about who made changes and when they occurred.
Open a query to view details, and choose View Edit History to access the full change log:
A sidebar chronologically shows all changes to date, including creation of the query and modifications to the query name, description, label, risk levels, risk explanation, risk remediation, SoD manager, query visibility, and query parameters.
This month, we've introduced a new Dashboard page for Lifecycle Management, granular control for access management, and expanded integration support.
A Lifecycle Management Dashboard view now provides comprehensive insight into your Lifecycle Management deployment. The new page includes at-a-glance information about policies, Access Profiles, identities, integrations, and more.
Mover Grace Period: The "Manage Relationships" action now supports grace periods before removing entitlements from movers for business continuity during role transitions. When an employee changes positions, you can now ensure they retain access to entitlements from their previous role for a specified duration.
Password Reset: Workflows now support the "Reset Password" action. This makes it possible to create identities in advance and automatically initiate password reset flows on start dates, reducing day-one friction while maintaining security controls.
Active Directory: Active Directory is now supported as a source of identity for both Lifecycle Management and Access Requests, enabling a unified approach for hybrid environments.
Azure AD Guest Invitations: Sync Identities actions now support creating Azure AD guest user invitations for external collaboration.
M365 License Management: The Azure integration now supports automatic assignment of Microsoft 365 licenses to users for appropriate software access.
Access Profile Version History: Administrators can now view retired or draft versions of Access Profiles when versioning is enabled, providing better audit capabilities and change tracking.
Email Notifications: Administrators can now customize notifications to include any attribute provisioned within a Lifecycle Management workflow, for more informative and context-rich communications.
This month's updates include a new design for the Catalog in the Access Hub, improvements to request approval workflows, and metadata enrichment.
Reimagined Catalog View: The Catalog in the Access Hub has been fully redesigned for more intuitive navigation and an easier request process, making it easier for end users to find and request application bundles and entitlements.
Rich Access Profile Presentation: Administrators can now customize Access Profiles to help users quickly identify appropriate access. Enhanced Access Profiles now support rich text descriptions, custom icons, and recommendations to control how Access Profiles appear in the catalog.
Profile Custom Properties: Administrators can now add organization-specific metadata to Access Profiles with custom-defined properties. These can be applied to create more granular categorizations of bundles and entitlements in the Catalog by tagging Access Profiles with business-relevant context.
Entitlement-Level Custom Properties: For more detailed classification and improved governance, you can now assign custom property values directly to created entitlements. Entitlement properties are separate from any custom properties on a parent Access Profile.
Custom Property Constraints: Administrators can now define specific allowable values for custom properties for standardized metadata across integrations.
Group-Based Approvals: You can now automate approval workflows by designating a Veza Group as a request approver.
Owner Approvals: Requests can now be routed to application owners or Access Profile owners for approval, for access decisions involving reviewers with direct knowledge of applications' security requirements.
Digest Notifications: Administrators can now enable summary notifications to provide users with consolidated information about their created and completed access requests over a selected period.
This month's Access Reviews updates deliver improvements aimed at accelerating review cycles, improving decision quality, and system performance for large-scale reviews.
Customizable Default Columns: Administrators can now use the column actions dropdown to personalize column names, order, and visibility in the reviewer interface and publish these settings for all reviewers. This can help reviewers see the most relevant review information in a format that aligns with your organization's terminology and review types.
Visual Permission Indicators: Reviewers can now quickly identify access permission differences with new visual indicators for variations in Effective Permissions since the last review. These color-coded icons make pattern recognition across multiple rows faster, reducing review time while improving accuracy.
Simplified Group Sign-Off: You can now use single-click sign-off to apply decisions to all rows in a group. A Signed-Off badge now shows when all rows in a group are final.
Improved Interface Controls: Reviewers can now access important display options through a "View" dropdown menu, with options like "Include Other Reviewers' Decisions". In-column actions are now enabled by default for all reviewers, providing direct access to rename, hide, filter, sort, or group by columns.
Managed Predefined Decision Notes in UI: Administrators can now enable predefined approval, rejection, and custom decision notes directly in the Veza UI. Reviewers can choose from their own standardized decision rationales to maintain consistency across the review process.
Controlled Reviewer Reassignment: Administrators can now choose to prevent individual reviewers from reassigning review rows in a review. This setting can be configured globally or per-configuration when additional control is needed to maintain review integrity and accountability.
Auto-Assignment with Secondary Identity Provider: Reviewer auto-assignment now supports an alternate lookup using a secondary identity provider. This enhancement can help assign the correct reviewers if you have more than one source of user identities, such as when managers in one system will review contractors in another system.
Improved PDF Exports: PDF exports now include completed, approved, rejected, and unactioned row percentages, providing additional review status metrics for compliance reporting.
This month's Non-Human Identity (NHI) Security updates focus on improving credential rotation visibility, platform navigation, and NHI detection for security teams managing service accounts, access credentials, and other machine identities.
GitHub: GitHub Keys and GitHub Secrets now support the "Last Rotated" and "Versioned" attributes, enabling better security hygiene for developer credentials.
Google: Secret Manager Secrets now support filtering by "Last Rotated", "Status", and "Secret Type" attributes, for improved tracking in Google Cloud environments.
Account Overviews: You can now quickly assess your non-human identity landscape with a new summary banner on the NHI Security > Accounts page. Use this element to review the total number of NHI accounts detected across your environment and identify which integrations these accounts originate from.
Account Classification: Account types are now easier to identify with a new "Type" column on the NHI Accounts page. You can sort or filter to immediately distinguish between different entity types for faster analysis and prioritization of security efforts.
Improved Filters: It's now possible to target specific segments of your non-human identity population by integration type, owner, created date, or risk level.
Investigation Workflows: You can now get detailed information about specific accounts with a single click using the "View Details" action for each account. This direct path to the filtered query details view reduces navigation steps during incident response and security investigation.
Enrichment Capabilities: You can now apply and prioritize enrichment rules for any integrations that use custom application templates, including Terraform, DocuSign, PagerDuty, and Zoom. This extension can help standardize metadata across the entire NHI ecosystem, improving classification, reporting, and policy enforcement for previously unsupported integrations.
Open Authorization API (OAA): It's now possible to designate identities as either human or non-human directly within the Custom Identity Provider template, enabling NHI categorization for any source of identity not natively supported by Veza.
This month's Access Intelligence updates include improvements to governance controls, analytical capabilities, and overall usability.
Prioritized Enrichment Rules: Administrators can now control how entity enrichment rules interact with each other with a new "Priority" setting. Priority can range from 0.0 to 10.0, with higher priority rules executing later in sequence and overriding values set by lower priority rules. This can provide greater precision when identifying human or non-human identities, classifying privileged access, or setting resource criticality levels.
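As an added illustration of the priority semantics just described (not Veza's own code or data model): rules are applied in ascending priority order, so a higher-priority rule runs later and overrides attribute values set by lower-priority rules. The rule shape, the sample accounts, and the assumption that each rule's condition is evaluated against the raw entity rather than the partially enriched one are constructed for this example.

```python
"""Priority-ordered enrichment rules (constructed illustration, not Veza's code).

Rules carry a priority from 0.0 to 10.0, run in ascending priority order,
and a later (higher-priority) rule overrides attribute values assigned by an
earlier (lower-priority) rule.  The rule shape, sample accounts and the
choice to evaluate conditions against the raw entity are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Any, Callable, Dict, List

Entity = Dict[str, Any]

MIN_PRIORITY, MAX_PRIORITY = 0.0, 10.0   # range stated in the release note


@dataclass(frozen=True)
class EnrichmentRule:
    name: str
    priority: float
    matches: Callable[[Entity], bool]   # condition (assumed: evaluated on the raw entity)
    sets: Dict[str, Any]                # attribute values assigned when the rule matches

    def __post_init__(self) -> None:
        if not MIN_PRIORITY <= self.priority <= MAX_PRIORITY:
            raise ValueError(
                f"priority {self.priority} outside {MIN_PRIORITY}-{MAX_PRIORITY}")


def apply_rules(entity: Entity, rules: List[EnrichmentRule]) -> Entity:
    """Return a copy of `entity` with every matching rule applied in priority order.

    Because rules are sorted ascending, the highest-priority matching rule
    writes last and therefore wins for any attribute set by several rules.
    sorted() is stable, so rules sharing a priority keep their definition order.
    """
    enriched = dict(entity)
    applied: List[str] = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(entity):
            enriched.update(rule.sets)
            applied.append(rule.name)
    enriched["applied_rules"] = applied   # audit trail of which rules fired
    return enriched


def classify(entities: List[Entity], rules: List[EnrichmentRule]) -> Dict[str, str]:
    """Map each account name to its final identity_type after enrichment."""
    return {e["name"]: apply_rules(e, rules).get("identity_type", "unknown")
            for e in entities}


def reprioritize(rules: List[EnrichmentRule], name: str, priority: float) -> List[EnrichmentRule]:
    """Return a new rule list with one rule's priority changed (others untouched)."""
    return [replace(r, priority=priority) if r.name == name else r for r in rules]


# Constructed sample accounts: one human, one obvious service account, and a
# bot that also has a mailbox, so two rules disagree about it.
SAMPLE_ACCOUNTS: List[Entity] = [
    {"name": "alice", "email": "alice@example.com"},
    {"name": "deploy-svc", "email": None},
    {"name": "ci-bot", "email": "ci-bot@example.com"},
]

# Constructed rules with deliberately conflicting outcomes for "ci-bot".
RULES: List[EnrichmentRule] = [
    EnrichmentRule("svc-suffix-is-nhi", 2.0,
                   lambda e: e["name"].endswith(("-svc", "-bot")),
                   {"identity_type": "non-human"}),
    EnrichmentRule("mailbox-means-human", 5.0,
                   lambda e: bool(e.get("email")),
                   {"identity_type": "human"}),
    EnrichmentRule("bot-override", 9.0,
                   lambda e: e["name"] == "ci-bot",
                   {"identity_type": "non-human", "privileged": True}),
]

if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        print(apply_rules(account, RULES))
    # Lowering the override rule below the mailbox rule flips ci-bot to "human".
    print(classify(SAMPLE_ACCOUNTS, reprioritize(RULES, "bot-override", 1.0)))
```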
Personalized Access Graph: For a more personalized experience, your organization's name is now shown in Graph search, enabling a distinction between environments for organizations managing multiple deployments. Your Veza support team can help customize this setting for your tenant.
Automatic Filtering of Private Queries for Public Reports: When making a dashboard public (changing the visibility status from private), any private queries in the dashboard are automatically filtered without any effort on the user's part. This behavior now works consistently for both query-based as well as dynamic (label-based) dashboards.
Alert Notifications: Email notifications now display friendly entity names instead of entity unique IDs, for better understanding without additional lookups.
Clearer Terminology: "Veza Actions" is now used as standard terminology throughout the interface, replacing the previous "Orchestration Actions" designation for webhooks, email notifications, and Access Review automation.
Improved Error Handling: Error indicators now provide clear feedback and retry options when API errors occur during report generation.
Share Links: Fixed an issue where scheduled export links could expire prematurely, ensuring exports remain accessible for their full 28-day lifespan.
This month's updates focus on improved depth and quality of discovered metadata across cloud providers, identity systems, and business applications.
Coupa Contingent Workforce: New integration for Coupa Contingent Workforce (CCW), enabling comprehensive governance over contractor identities and access rights.
Dynamics 365 ERP: New integration for discovering Users, Groups, Application Users, and Security Roles for Microsoft Dynamics 365 ERP, bringing critical business systems into your access governance framework.
GitHub: Keys and Secrets now include the Last Rotated and Versioned attributes.
Google Cloud Secret Manager: Secrets now include the attributes Last Rotated, Status, and Secret type.
Snowflake: Snowflake Users with network policies can now be identified through the new Network Policy Exists attribute (true or false).
Azure: The integration now supports additional resources and permission discovery for better visibility into groups and role-based access controls:
Exchange Online Role Groups
Azure Entra ID group assignments to roles
Azure AD Role descriptions with "privileged role" indicators
Support for custom roles and role assignments
Microsoft 365 Licenses: M365 licenses are now represented as searchable entitlement entities related to users, for improved visibility into software access rights.
SharePoint: Added support for skipping sites with identical GUIDs, reducing redundant processing.
Oracle EBS: Human-readable names are now shown alongside technical IDs in search results, including application names, menu names, and request group names.
Active Directory: The integration now supports secure connections with Kerberos authentication support for LDAPS bindings.
Active Directory: The integration now supports excluding disabled users from extractions.
Integrations Overview: Improved entity categorization on the integration overview page, grouping types into "Identities," "Resources," and "IAM Entities" for improved readability.
Integration Names: When adding integrations, names now support a more complete range of additional characters (such as parentheses and hyphens).
Administrators can now enable or disable programmatic access with the option to block Veza API keys in Administration > Sign-in settings. When API Keys are disabled through the user interface, all API key access is immediately blocked, and the API Keys management page is hidden from all users.
Highlights and major changes in Veza 2024.12.x releases
Welcome to the December product update! Releases this month included significant changes across the platform, including:
Access Intelligence: Scheduled report exports, enhanced report filtering, and design and usability improvements for NHI, Query Builder, and Separation of Duties.
Access Reviews: Digest notification customization and improved review exports.
Lifecycle Management: Support for Azure Directory Extensions, Schema Extensions, and Distribution Lists, draft mode for Access Profiles and Policies.
Integrations: New Artifactory integration, Azure enhancements including support for Secure Scores, Azure Identity Protection, and Entra ID Conditional Access Policies, and extended support for Privacera, Oracle Fusion Cloud, and Oracle JDE.
Open Authorization API: The Custom Identity Provider template now supports modeling IdP application assignments for IdP users and groups.
Veza Platform: Administrators can now configure event subscriptions and alerts for some or all platform activity.
Please read on for more details about specific changes in each product area, and contact your Veza representative with any questions or feedback.
Report Export Scheduling: You can now export any custom or built-in report on a schedule in PDF or CSV format. When enabled, the recipient will receive a secure link to access Veza and download the file.
To schedule exports, open a report to view details. Click Export > Schedule export for later, and choose the recipient, date, and time for recurring emails.
Veza administrators can manage allowed recipients by configuring the email domain whitelist on the Administration > System Settings page.
Report Filtering with AWS Account Groups: Account Groups now offer advanced options for filtering reports by AWS accounts to analyze and monitor specific segments within your organization. By defining groups of accounts with saved queries, you can streamline the process of analyzing data across large-scale AWS environments.
Users can create and save custom queries to define sets of AWS accounts by applying the report_account_group label. Filter queries can use regex patterns, relationships, and account properties to define account groups.
When viewing a report, you can now apply account filters using the Account Groups dropdown.
Links to filtered report views are shareable to help manage AWS accounts across different teams.
Design and Usability Enhancements
NHI and Entity Owners: Improved support for assigning owners for non-human identities (NHI):
You can now add owners in bulk on the NHI overview page by selecting multiple rows.
Veza can now suggest owners from those with the largest set of effective permissions on a resource.
Clicking an owner in Query Builder or on the NHI overview page shows user details, including a shortcut to open in Graph to search relationships.
Summary Entities: When using the Summary Entities option to show intermediate entities in the path between a source and destination node, the column is now resizable and has a more readable default width.
Enhanced Navigation: You can now quickly access Graph search or the overview of All Dashboards using a link on the Integrations page.
Dashboard Filters: The All Dashboards overview now supports improved filtering by name, integrations, dashboard owner, or type.
Separation of Duties: The last update time is now shown when reviewing queries on the Separation of Duties overview page.
Digest Notification Templates: Administrators can now customize the contents of Access Review digest notifications using the Notification Templates API. These recurring emails provide consolidated notifications for all assigned reviews, with direct links to active reviews and an overview of the current status. Administrators can supplement digest emails with additional notifications by configuring notifications and reminders for individual reviews.
Export Customization: When exporting a review to CSV or PDF, the default export includes your currently selected and visible table columns (up to 12 columns for PDFs). You can now quickly add all columns to CSV exports using a Select All checkbox. When no columns are selected, the visible columns are exported by default.
Blank Attribute Filters: When filtering rows in the reviewer interface, you can now use Exists and Does Not Exist operators to show rows where the specified attribute has a value or is empty. This change helps identify identities or resources with missing or populated fields, including custom attributes.
Row Grouping (Early Access): In the reviewer interface, reviewers can now consolidate and organize rows in collapsible groups using the Group By option. This preview feature supports grouping by user (source ID), destination (resource ID), and status (rows changed since the last review).
Risk Scores in Access Reviews: Access Intelligence integration with Access Reviews now provides a more intuitive experience for risk scores in the reviewer interface. New review configurations have Access Intelligence enabled by default, automatically displaying Risk Score and Risk Level columns for rows under review. When disabled, risk columns are available but hidden by default.
Azure: Directory and Schema Extensions: The Azure integration now supports Directory Extensions and Schema Extensions, providing both read and write capabilities for custom attributes in Azure AD environments. To gather these attributes and use them in Lifecycle Management workflows, review and update your Azure integration settings to specify custom properties to discover.
Azure: Distribution Lists: Access Profiles can now define entitlements on Office 365 Distribution Lists.
Draft Mode for Access Profiles and Policies (Early Access): Access Profiles and Policies now support draft mode for staging unpublished changes. When enabled, teams can create and review draft versions before publishing to validate updates and maintain a record of configurations.
When editing a profile or policy, the editor shows when there are unpublished changes, with options to save, publish, or revert the current draft.
Profile and policy details views include the publication date, most recent draft, and details about the user who made the changes.
Administrators can control whether draft mode is enabled on the Lifecycle Management > Settings page.
Each policy can have one active published version and one draft version, with retired versions automatically archived and retrievable via API.
Lifecycle Management Policies and Workflows: Administrators can now configure policies to sync only when there are changes in the source of identity. This option is enabled by default for new policies.
Artifactory: New integration with support for repositories and projects, users and groups, and role-based access controls in JFrog Artifactory.
Azure Identity Protection: The Azure integration now supports monitoring security baselines with Azure Secure Score tracking and Azure Identity Protection. The latest current and maximum Azure Secure Score is now shown as a searchable attribute on Azure AD Users. You can also filter Azure AD Users by new attributes for risk level, risk state, risk details, and last update time based on Microsoft's threat intelligence sources.
Entra ID Conditional Access Policies: The Microsoft Azure integration now supports Conditional Access Policies for Entra ID, providing visibility into both raw system configurations and effective access:
System query mode shows the full relationships between users and CAPs, including direct user, group, and role-based inclusions/exclusions.
Effective query mode calculates permission paths by aggregating all inclusion/exclusion paths defined in Conditional Access Policies.
CAP evaluation requires the additional Graph API permission Policy.Read.All for the Veza integration.
Privacera: Improved integration performance and added support for policy IDs on Policy and Resource Definition entities. Unknown policy permissions are now processed as "Uncategorized."
Oracle Fusion Cloud: The Oracle Fusion Cloud integration now supports gathering the Person Number attribute as a local user custom property.
Oracle JDE: Added support for JDE deployments using Microsoft SQL as the backend database. You can now choose a non-Oracle database when configuring the integration.
Open Authorization API: The Custom Identity Provider template for the Open Authorization API now supports defining a set of applications available within the IdP. Users and groups can be assigned to apps for more precise modeling of entitlements.
Event Subscription and Alerting: Administrators can now configure alert subscriptions for specific events using filters for severity, category, and event type.
Veza evaluates events during the subscription interval and sends email alerts when events match your filters.
You can manage subscriptions on the Administration > Subscription Management page.
Note: Individual releases can include additional bug fixes and performance improvements that are not detailed in these notes. For more information about any features or bug fixes, please contact your Veza representative.
Highlights and major changes in Veza 2024.10.x releases
Welcome to the October product update! Our recent weekly releases have included a range of enhancements and new features across Veza's products, including:
Access Intelligence: New support for managing risk assignees, improved dashboard actionability, and Access Portal enhancements for all users.
Access Reviews: Historic decision visualization, risk scores and resource usage attributes, scheduled review exports, and templates for pre-set approval and rejection notes.
Lifecycle Management: Oracle HCM as a source of identity, new actions for ServiceNow, dry run capabilities for previewing the results of Lifecycle Management policies, support for Webhooks in Orchestration Actions, and options for triggering workflows based on an identity’s existing entitlements.
Veza Integrations: New integrations for Privacera, Cisco Duo, Device42, and enhancements for Snowflake, SharePoint Online, PostgreSQL, and MySQL.
Please read on for more details about specific changes in each product area, and contact your Veza representative with any questions or valued feedback.
Risk Assignees: Organizations can now assign users to specific risks detected in their environment, ensuring that the right individuals own those risks and mitigation tasks. You can assign an owner to any risk on the Access Risks page by expanding the Actions menu and choosing Add Risk Assignee. This is the first of planned risk lifecycle enhancements for improved risk remediation and tracking.
Access Portal (Early Access): The Access Portal > My Access page now provides a streamlined interface for all users to review their current access to apps and resources. This enhancement extends visibility beyond managers and access review participants to include all users.
Actionability Improvements for Dashboard Tiles & Query Details: You can now schedule automated email exports of query results directly from dashboard tiles and the query details view. The query details view also now supports link sharing, simplified change-based alert creation, rule configuration, and the option to assign resource owners in bulk.
Background Queries: You can now configure the time before queries move to background processing, with support for up to 5 concurrent background queries. While a background query is running, users can navigate away from Query Builder, and will receive a notification when results are ready on the Background Queries page. Note that query results are persisted for a limited time, which can be adjusted by your support team if required.
Query Exports: Saved query exports now include natural language explanations of results and the Last Activity At timestamp.
Review History: The reviewer interface can now provide at-a-glance insight into how access has changed since the last review. Visual indicators now show whether a row represents new access, modified access, or access that remains unchanged since the last completed review based on the same configuration (now available in Early Access).
Review Administration: The Access Reviews page now supports additional actions:
Completed and expired reviews can now be exported via the Export as CSV action.
Operators can use the View Configuration Details action to inspect the review settings, scope, and other reviews for that configuration.
Scheduled Review Exports: Administrators can now schedule recurring exports on the Access Reviews page. Administrators can configure the frequency and email recipient with the Export All > Edit Schedule option. The recipient will receive a link to log in and download a CSV containing the list of all reviews, including full metadata such as start and publish time, due date, and completion status. The Access Reviews > Export All menu also now supports exporting all expired certification details.
Default Note Templates for Approve/Reject Decisions: When adding notes with decisions, reviewers can now pick predefined notes from a dropdown, in addition to using the text box to add a custom note. Templates for notes can be configured for all reviews or for individual configurations with Global Settings APIs.
UX Enhancements: Increased the maximum number of rows displayed per page in the reviewer interface (up to 500, default 50 rows). You can also now skip to the first or last page of certification results.
Export Permissions: Administrators can now control whether reviewers can export their assigned rows (configured with Global Settings APIs).
Risk and Access Monitoring for Advanced Access Reviews: Reviewers can now sort and filter by optional Risk Level and Last Activity With Resource At columns in the reviewer interface. Exported reviews now contain entity risk levels and resource usage details for queries that support Activity Monitoring.
Identity Details: Administrators can now review Access Profile details for individual employees from the Identities details view.
Identity Sources: Oracle Human Capital Management (HCM) Cloud can serve as a source of identity for lifecycle management operations.
Orchestration Actions: You can now configure webhook notifications using existing configurations on the Integrations > Orchestration Actions page or by creating a new configuration within a policy or action.
Open Authorization API: In-platform OAA integrations now have a configuration option to enable as a source of identity for Lifecycle Management policies.
Policy Conditions: Condition strings now support filtering based on an identity's current relationships (such as group memberships or role assignments). This enables more precise targeting of actions based on an identity's existing entitlements.
Policies Dry Run: Administrators can now use the Dry Run feature to preview how an existing Lifecycle Management policy would apply to an existing identity. This helps validate workflow configurations and test how a policy will affect a specific identity and/or combination of attributes before implementing it in production.
Workflow Actions: Added support for writing Active Directory user profile parameters (or other source identity attributes) to ServiceNow Staging tables.
Cisco Duo: New integration for discovering users, roles, and access credentials.
Device42: New integration for discovering Device42 users and groups.
Ivanti: New integration for the Ivanti Neurons HRIS platform, with support for using employee metadata as a source of truth for Lifecycle Management.
Privacera: New integration with support for Resource Policies, Hive Databases, and Hive Tables in Privacera Cloud.
SharePoint Online
SharePoint Subsites: The Azure integration can now discover Sharepoint Subsites, including support for recursively retrieving child subsites up to any level. Administrators can now configure limits on which SharePoint sites are discovered.
SharePoint Role Effective Permissions: Added support for SharePoint Role Definitions, Role Assignments, and their effective permissions (requires the Sites.FullControl.All SharePoint API permission for the Azure integration).
Snowflake
Private Links: The integration can now be configured to use AWS or Azure private cloud links.
Snowflake Roles: Added support for role-to-role relationships involving both USAGE and OWNERSHIP grant types.
Performance Enhancements: When Audit Log Extraction is enabled for a Snowflake integration, Veza now only connects to the database when there are changes, and only extracts metadata that has been updated since the last sync. This will typically result in fewer and faster extractions and reduced warehouse usage overall.
Database Connectivity
PostgreSQL and MySQL: These integrations can now fetch credentials from AWS Secrets Manager (instead of configuring an integration username and password).
PostgreSQL: Added support for PostgreSQL system-level permissions and new out-of-the-box assessment queries.
SQL Server: Added support for integrations using dynamic ports.
Coupa: Configured Permissions now have a Description attribute extracted from an imported roles report.
GitHub: Integration details now show Personal Access Token extraction progress.
Microsoft Azure: Added support for enabling or disabling discovery of Azure SQL Server and SharePoint Online.
Oracle EBS: Effective RF Binding entities now have a Menu Names attribute.
Redactable Attributes for Workday and Active Directory: Administrators can now specify a list of properties to ignore and mark as REDACTED when configuring these integrations.
Salesforce: Added support for SFDC Product objects (requires object read permission for the integration).
ServiceNow: Added support for extracting specified custom attributes for ServiceNow users. Veza now automatically discovers the Employee Number and Source attributes.
Team Navigation: Users can now switch their active team using a dropdown menu on the main Veza navigation. The Profile menu and team selector are now accessible by clicking on your user name at the bottom left.
Dashboards: You can now collapse the Dashboard selection menu.
Enrichment Rules: When adding an enrichment rule to identify NHI entities, privileged roles, or critical resources, you can now click Edit to view the query parameters and the latest results. Clicking a rule name on the Integrations > Enrichment Rules page also now opens the related query to view details or make changes.
Lifecycle Management: The Activity Log now includes summaries of Policy actions and can be sorted and filtered by event start time.
Query Builder: Most relevant tags now appear first when searching for tags.
Access Reviews - Permissions Visualization: The reviewer interface now offers better visualization of effective permissions, clarifying functional capabilities of each row. (C) create, (R) read, (W) write, and (M) metadata permissions are now shown in a condensed and color-coded Permissions column, alongside their corresponding System Permissions (currently available in Early Access).
Access Reviews - Quick Filters: Reviewers can now quickly apply filters to any visible column using a new dropdown menu in the table header. Column actions include the options to sort, group by, or hide the field (currently available in Early Access).
Monthly announcements from the Veza product team.
At Veza, we continuously iterate to deliver improved performance, a refined user experience, and platform capabilities to meet customer needs in an evolving landscape of cloud platforms and data systems.
The Product Team provides monthly updates summarizing major enhancements, new features, and ongoing developments. These monthly updates have replaced our previous weekly release notes to provide a more digestible and comprehensive view of recent changes.
Please contact our team with any questions, or to share any of your much-appreciated feedback. We could not do this without you, and are always here to help!
Learn about Veza's improved integration management experience for better organization, searchability, and entity visibility across multiple integrations.
Early Access: General availability is planned for a future release. Contact the Veza support team for more information and to enable the new user experience.
Administrators can use the Veza Integrations page to add, monitor, and edit configurations for connected cloud providers, identity providers, and applications. This month, we are introducing several small but impactful changes to improve usability for organizations managing many integrations with Veza and provide easier access to information about the entity types Veza has discovered within each data source.
Here is what is changing:
The main Integrations view is now grouped into expandable sections for each integration type. You can collapse sections to focus on specific sets of integrations (such as all CSV integrations, all AWS integrations, or all Custom OAA applications).
We've also upgraded the search bar to enable quick search by integration name or type. The original pills for filtering by integration type, status, lifecycle management state, and owner team remain unchanged.
Enabling additional features such as Audit Log Extraction
Veza 2025.2: Identity Security Platform Advancements
Welcome to the monthly Veza product update! Recent releases have included a range of new and enhanced capabilities for access visibility and access intelligence products, enriched user experience, and enterprise-scale access governance across your environments. This document offers a summary of the latest features, enhancements, and usability improvements across the platform, with highlights including:
Non-Human Identities (NHI): New product module with actionable dashboards, owner accountability features, and extended monitoring across AWS, Azure, and Salesforce to identify and remediate NHI security risks.
Access Visibility: Improved resource ownership tracking with attribute filters and saved queries, enhanced conditional access filtering, and Query Builder improvements for exposing critical access relationships.
Access Intelligence: Operationalized dashboards with new “Veza Actions” options, enhanced query filters for ownership tracking, and improved SoD risk management with owner assignment capabilities.
Access Reviews: Improved administrative interfaces, the ability for Access Intelligence to launch 1-step reviews, and new integration with Lifecycle Management - launch reviews on-demand as part of Lifecycle Management workflows.
Lifecycle Management: Automated identity governance with draft Access Profiles, property overrides for special cases, and integrated access reviews for personnel transitions.
Access Request: Multi-level approvals and a redesigned and more intuitive catalog experience for requesting access.
Integrations: Improved management and integration insights with redesigned integration pages, visual entity breakdowns, and expanded support for MongoDB, Kubernetes, Dropbox, and other key platforms.
See the sections below for more details about specific changes in each product area, and contact your Veza representative with any questions or your valued feedback.
Expanded NHI Insights: The NHI Security page now includes new tabs featuring actionable dashboards for NHI management:
Keys and Secrets: All keys, secrets, and access credentials, and associated risks.
Inventory: NHI entities arranged by integration type, like workloads (AWS EC2 instances, Microsoft Azure virtual machines, and Google Kubernetes Engine clusters), keys and secrets, and non-human local users across a wide range of systems.
Risks: NHI risk insights, including dormant keys/accounts, unrotated keys, and NHIs with privileged permissions
Owners for NHI Accounts: You can now assign users responsible for NHI entities directly from the Accounts overview, using the "Assign Entity Owners" row action for individual entities, or with a bulk selection.
Rules and Alerts for NHI Account Owners: You can now use alerts to trigger notifications and actions on NHI account owner status changes, such as when an owner is de-provisioned in your identity provider.
Enhanced Integrations:
Amazon Web Services:
Activity Monitoring now supports AWS Key Management Service keys. In addition to the "Last Activity At" property, KMS keys now support a "Last Viewed" property, which records any activity consuming the key material for a cryptographic operation, such as Decrypt.
The AWS IAM User "Last Activity At" property now shows activity for all events where the User is the principal (regardless of whether the resource/service is supported for Activity Monitoring). For example, an AWS IAM User performing RunInstances in EC2 will still have this activity counted towards its Last Activity At timestamp.
Microsoft Azure: Keys and Secrets now have the "Last Rotated" and "Versioned" attributes.
Salesforce: The integration now discovers Connected Applications in Salesforce and automatically categorizes them as non-human identities, providing visibility into OAuth applications with access to Salesforce data.
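To make the two KMS timestamps above concrete, here is an added Python example (not Veza code) that derives them from CloudTrail records: a principal's Last Activity At is the newest event in which it acts, whatever the service, while a key's Last Viewed only advances on cryptographic operations such as Decrypt or Encrypt, and a management call like DescribeKey moves Last Activity At but not Last Viewed. The events, account ID, ARNs and the dormancy window are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records, trimmed to the fields used here (sample data, not real logs).
ACCOUNT = "123456789012"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-role"
KEY_1 = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-1111-1111-1111-111111111111"
KEY_2 = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/22222222-2222-2222-2222-222222222222"

SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T08:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventTime": "2025-01-15T09:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_1}]},
    {"eventTime": "2025-01-05T03:30:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"arn": APP_ROLE}}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_1}]},
    {"eventTime": "2024-11-01T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": BOB}},
    {"eventTime": "2024-12-20T17:45:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
     "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_2}]},
]

# KMS API calls that consume key material. Management calls (DescribeKey, ListAliases, ...)
# are deliberately not in this set.
CRYPTOGRAPHIC_OPS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "GenerateDataKeyPair", "Sign", "Verify", "GenerateMac", "VerifyMac",
}


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_arn(event):
    """ARN of the acting principal: the IAM user, or the role behind an assumed-role session."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "IAMUser":
        return identity.get("arn")
    if identity.get("type") == "AssumedRole":
        return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return None


def kms_keys(event):
    """Key ARNs referenced by a KMS event (CloudTrail lists them under 'resources')."""
    if event.get("eventSource") != "kms.amazonaws.com":
        return []
    return [r["ARN"] for r in event.get("resources", []) if r.get("type") == "AWS::KMS::Key"]


def last_activity(events):
    """Return (principal ARN -> last activity, key ARN -> {'last_activity_at', 'last_viewed'})."""
    principals, keys = {}, {}
    for event in events:
        when = parse_time(event["eventTime"])
        arn = principal_arn(event)
        if arn:
            # Any event in which the principal acts counts, regardless of service.
            principals[arn] = max(principals.get(arn, when), when)
        for key in kms_keys(event):
            record = keys.setdefault(key, {"last_activity_at": when, "last_viewed": None})
            record["last_activity_at"] = max(record["last_activity_at"], when)
            if event["eventName"] in CRYPTOGRAPHIC_OPS:
                seen = record["last_viewed"]
                record["last_viewed"] = when if seen is None else max(seen, when)
    return principals, keys


def dormant_keys(keys, now, max_idle_days):
    """Keys never used for a cryptographic operation, or not used within the window."""
    limit = timedelta(days=max_idle_days)
    return sorted(k for k, r in keys.items()
                  if r["last_viewed"] is None or now - r["last_viewed"] > limit)


if __name__ == "__main__":
    principals, keys = last_activity(SAMPLE_EVENTS)
    for arn, when in sorted(principals.items()):
        print(f"{arn}: last activity {when.isoformat()}")
    for arn, record in sorted(keys.items()):
        print(f"{arn}: {record}")
    print("dormant:", dormant_keys(keys, parse_time("2025-02-01T00:00:00Z"), 30))
```

With the constructed events, KEY_1 was described on 15 January but last used for Decrypt on 5 January, so its Last Activity At and Last Viewed differ; KEY_2 falls outside a 30-day window measured from 1 February and is reported as dormant.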
Design and Usability Enhancements:
The NHI Security > Accounts page now supports exporting the table of results to CSV or PDF.
Columns on the NHI Security > Accounts page are now renamed from their source attributes to clarify their meaning:
"Authentication Method" is now "Linked Keys & Secrets"
"Created At" is now "Age"
Clicking an NHI risk score now opens the risk score details, with the option to view all contributing risks in Query Builder.
Added icons for each NHI entity type
Tooltips are now shown when hovering over filters
NHI table actions now include the option to "Open in Graph"
Enhanced Dashboard Operationalization:
For better insight into data freshness, each dashboard tile shows the last time results were updated, with an option to refresh single tiles or the full dashboard.
When editing a dashboard, users can now choose to publish it and notify all users about its availability.
Veza actions are now more consistent across every tile and every dashboard (Create Rule, Alert on Change, Launch Access Review, etc.)
When configuring webhooks Orchestration Actions, you can now configure which query result attributes to include in the JSON payload when alerts trigger.
When using the "Launch Access Review" action, the review builder is now populated with default values for faster 1-step review creation.
The behavior of static reports is now aligned with dynamic reports. When marking the visibility of a report as "Public", any private queries will be automatically removed from the report.
Improved visibility of Created By info, Public/Private status, and tooltips on integration icons shown in Veza Dashboards.
APIs for Snowflake Least Privilege Implementation: Four new assessment APIs are now available in early access for advanced role analysis, permission comparisons, and least-privilege access management in Snowflake environments.
Okta Activity Dashboard: Updated the Okta Activity report to include new out-of-the-box queries: Okta apps that have not been accessed by 75% or more of the users assigned to them, Okta Users that are under-utilizing their App Access, and Okta Super Admins that have never Logged In.
Traceability for API-based Query Changes: For improved audit compliance and change management, queries updated via API are now clearly distinguished with "(via API)" indicators in the "Updated By" field.
Attribute Filters for Owners: You can now use attribute filters to detect entities where the list of owners is empty, has any values, or includes a specific user.
Saved Query Filters for Owners: You can now use saved query filters to find resources such as NHI accounts owned by specific users (e.g., AWS KMS Keys owned by users deactivated in Okta, or S3 Buckets owned by users in high-risk departments), and get alerts when there are owner status changes. To do so, save a query that identifies a set of users, then use it to filter a query that identifies the NHI type. After applying the filter, results will only include resources owned by users in the results of the first query.
Search for Unsupported IAM Conditions: Added support for filtering on conditional access within AWS granted by a policy condition that Veza cannot fully evaluate. In "Effective" query mode, you can now apply permission filters to show or hide relationships that involve some or all of the conditional permissions. By default, results will include all access relationships, including those granted by unsupported conditions.
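An added Python example (not Veza's implementation) of what "conditional" access means in this context: an evaluator that understands a few IAM condition operators keeps statements whose operators it cannot evaluate as conditional rather than silently dropping or granting them, and a view filter then includes, hides, or isolates those relationships. The policy, the request context and the set of supported operators are assumptions for the example; it models Allow statements only, not explicit Deny, permissions boundaries or SCPs.

```python
# Condition operators this evaluator understands. Any other operator (IpAddress,
# DateGreaterThan, ArnLike, ...) is reported as access that could not be fully evaluated.
SUPPORTED_OPERATORS = {
    "StringEquals": lambda actual, allowed: actual is not None and actual in allowed,
    "StringNotEquals": lambda actual, allowed: actual is not None and actual not in allowed,
    "Bool": lambda actual, allowed: actual is not None
    and str(actual).lower() in {str(v).lower() for v in allowed},
}

# Constructed policy and request context (sample data, not from a real account).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-data/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111",
         "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/deploy",
         "Condition": {"StringEquals": {"aws:PrincipalTag/team": "prod"}}},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": "arn:aws:iam::123456789012:role/admin",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}
CONTEXT = {"aws:PrincipalTag/team": "dev", "aws:MultiFactorAuthPresent": True}


def _listify(value):
    return value if isinstance(value, list) else [value]


def evaluate_condition(condition, context):
    """Return ('true' | 'false' | 'unknown', [operators that could not be evaluated]).

    A supported operator that evaluates false denies the statement outright, even if
    other operators are unsupported; otherwise any unsupported operator makes the
    result 'unknown'. A missing context key makes a (non-IfExists) condition false, as in IAM.
    """
    unsupported = []
    for operator, pairs in condition.items():
        handler = SUPPORTED_OPERATORS.get(operator)
        if handler is None:
            unsupported.append(operator)
            continue
        for key, expected in pairs.items():
            if not handler(context.get(key), _listify(expected)):
                return "false", unsupported
    return ("unknown" if unsupported else "true"), unsupported


def effective_access(policy, context):
    """Expand Allow statements into (action, resource) relationships tagged granted/conditional."""
    relationships = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue  # explicit Deny, boundaries and SCPs are out of scope for this example
        verdict, unsupported = evaluate_condition(statement.get("Condition", {}), context)
        if verdict == "false":
            continue
        status = "granted" if verdict == "true" else "conditional"
        for action in _listify(statement["Action"]):
            for resource in _listify(statement["Resource"]):
                relationships.append({"action": action, "resource": resource,
                                      "status": status, "unsupported": unsupported})
    return relationships


def filter_view(relationships, mode="all"):
    """Default view keeps everything; the other modes hide or isolate conditional access."""
    if mode == "all":
        return list(relationships)
    if mode == "hide_conditional":
        return [r for r in relationships if r["status"] == "granted"]
    if mode == "only_conditional":
        return [r for r in relationships if r["status"] == "conditional"]
    raise ValueError(f"unknown view mode: {mode}")


if __name__ == "__main__":
    for mode in ("all", "hide_conditional", "only_conditional"):
        print(mode)
        for rel in filter_view(effective_access(POLICY, CONTEXT), mode):
            note = f" (cannot evaluate {', '.join(rel['unsupported'])})" if rel["unsupported"] else ""
            print(f"  {rel['status']:12} {rel['action']} on {rel['resource']}{note}")
```

The iam:PassRole statement disappears in every view because its StringEquals condition is supported and false for this context, while kms:Decrypt survives as conditional because IpAddress is outside the evaluator's support; a reviewer who hides conditional access would not see it, which is why the default view keeps it.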
Design and Usability Enhancements:
Query Explanations now include information about any saved query filters (pipeline queries).
Clicking a query on the Queries page now opens the query details view instead of Query Builder.
The "Show [relates to entities]" option in Query Builder is now preserved on page refresh.
Launch Access Reviews from Access Intelligence: When 1-step access reviews are enabled, you can now create reviews directly from any saved query, dashboard tile, or SoD rule with the "Launch Access Review" action.
Access Reviews with Lifecycle Management: Access Reviews now support instantiating on-demand reviews triggered by Lifecycle Management workflows, enabling automatic reviews as part of joiner, mover, and leaver workflows.
Improved Review Administration:
"Mark as Fixed" Behavior: Rows can now only be marked as fixed if they are rejected and signed off.
Orchestration Actions: Webhook orchestration actions can now trigger when rows are marked as fixed or notes are edited and include the full row details in the payload.
Event Details: Access Review events now capture changes to review configurations, to better meet audit requirements.
Info-level "Access Review Configuration Modified" events now include the previous and new values for changed configuration metadata, including the review scope, snapshot, and configuration name/description.
Administrators can review configuration changes in Veza by opening the Administration > Events page and clicking "Show Details" to the right of an event.
Review Auto-Expiration: Administrators can now configure auto-expiration settings for past-due reviews per individual review configuration (previously this setting applied to all reviews).
Custom Comments for Auto-Rejected Items: Administrators can now improve audit documentation by configuring custom comments that automatically apply to rows rejected due to review expiration.
Individual reviews can now be renamed.
Review exports now show updated_by information in three columns: updated_by_id, name, and email.
Product Design and Usability:
Access Review Settings: Global settings for Access Reviews are now organized in tabs and have an improved layout for better management.
Completed Reviews: Enhanced review tracking in the Access Reviews > Completed Reviews tab. You will now find columns showing the total rows completed, remaining work, last modified, last modified by, status, and a percentage-completed indicator.
Improved List Details: When opening a row in the sidebar to view access details, attributes that contain lists (e.g. "Managers") now show each list element on a new line.
Reviewer Interface Enhancements: When comparing historical decisions for the same review configuration, the "previous decision" column now appears next to the "status" column for better visibility.
Access Profile Drafts (Early Access): Administrators can now create and publish draft versions of Access Profiles. A draft version will not be used by Lifecycle Management or Access Request until it has been published.
Override Properties for Identities: It is now possible for administrators to override identity property values that were originally set at the source of identity. This override ability gives administrators greater control over provisioning, de-provisioning, and other identity-related actions. Note: This override does not affect the identity in Access Visibility or Access Intelligence; it only applies within Lifecycle Management.
History for Identity Property Changes: A history of identity property changes is now viewable, allowing administrators to track modifications over time. Note: Historical data will only be available from the introduction of this feature onward.
Mover Workflows: Added support for triggering workflows with a user-defined system attribute to identify the movers where the workflow will apply, e.g., sys_attr__is_mover eq true.
Access Reviews Integration: Lifecycle Management policy and workflows can now trigger automated access reviews using the "Create Access Review" workflow action. Note: The resulting access review will be dynamically constrained to just the identity being processed through the workflow.
Access Request Approvals: Policies for Access Requests can now require one or more levels of approval before access is granted.
Access Requests support assigning a beneficiary's manager as the request approver.
Approvers can now reassign requests to another approver.
Catalog Customization: Access Profiles can now appear in the Catalog with a rich-text description and custom icon, and be marked as "recommended." Administrators can update catalog settings when editing a profile using the "Set Catalog Item Info" action.
Request Lifecycle and Integrations:
Access Requests Policies now can enforce Just-In-Time (JIT) settings (min and max duration for an allowed request) per access profile.
Requests can now be revoked in the "completed" state.
Administrators can now start and pause policies under Lifecycle Management Settings > Access Request Policies.
A history of all request actions is now available.
Added API-level support for third-party ITSM integrations, where the actual request is fulfilled by the external tool.
Catalog UX Enhancements: The Catalog in the Access Hub is fully redesigned for a more intuitive ability to search for Catalog items as well as improved request and approval workflow processes:
The Catalog now shows request forms in a grid view.
In the Catalog, the Requests table is now split into dedicated "Requests" and "Approvals" sections.
Login Activity Anomaly Detection: Added support for showing Okta user activity and anomalies based on login timestamps, as an Early Access feature in Access Hub. The Manager Dashboard now includes a heatmap of recent user logins, making it easier to spot unusual patterns.
Integrations Overview: The main Veza Integrations page is now grouped into collapsible sections for each integration type, making it easier to add, monitor, and edit configurations when you have many connected data sources. A search bar now enables quick search by integration name or type.
Integration Details: A new Overview tab in Integration Details offers a breakdown and summary of node counts across entity categories, with a visual chart for better data representation and analysis.
You can get more information about any configured integration by clicking its name on the Integrations page to view details.
The details page now includes a bar chart showing all the entities of different types that Veza has discovered within each data source.
Click the name of any entity type to open a search in Query Builder and show the full entity attributes, search for relationships, or apply additional filters.
Salesforce: The Salesforce integration can now discover extension package objects from Conga Apptus. For existing configurations, you will need to update the permission set for the Salesforce integration user to include the new object types, and enable the non-default objects when configuring the integration.
Docusign: Added support for multiple Docusign accounts as a data source.
Privacera: Added support for Security Zone Admins and Privacera Portal Users.
Workday: The integration no longer gathers the "Gender" attribute for Workday Workers.
Active Directory: Added support for gathering AD User "Service Principal Name" attribute.
Open Authorization API (OAA): Added support for identity mapping from OAA Custom HRIS employees to OAA Custom IdP Users.
The following integrations are now generally available: MongoDB, MongoDB Atlas, Kubernetes on EKS, Dropbox, and SCIM (OAuth2).
You can see more information about any integration by clicking its name on the Integrations page to show the integration details. The details overview now features a bar chart showing the totals for each entity type that Veza has discovered in the data source.
Click the name of any entity type to open a search in Query Builder to view all discovered entity attributes, search for relationships, or apply additional filters.
See for more about each tab in the integration details view, and information about managing data sources added to Veza, including:
Setting
Enabling Enrichment Rules to identify non-human identities, privileged roles, and critical resources in integrated systems
Assigning teams as integration owners
Highlights and major changes in Veza 2024.11.x releases
Welcome to the November product update! Our recent releases have delivered significant enhancements across Veza's product suite, with highlights including:
Access Intelligence: New risk mitigation burndown charts for tracking resolution trends, and comprehensive dashboard improvements including AWS Risks, Azure AD Risks, and Identity Security Posture Management (ISPM).
Access Reviews: Major usability improvements to the reviewer interface, enhanced orchestration capabilities, and new configuration options for review expiration and due dates.
Separation of Duties (SoD): Now accessible from the main navigation menu, new overview page, and enhanced SoD query visualization capabilities.
Lifecycle Management: Access Profile Intelligence for automated and improved Access Profile creation, lookup tables for attribute transformation, and integration support for Oracle HCM, Exchange Online, Ivanti Neurons, and Oracle Fusion Cloud.
Veza Integrations: New integrations for Ivanti Neurons, Device42, Cisco Duo, Zoom, and Exchange Online, plus enhancements to existing integrations including support for Dynamic Data Masking in Snowflake.
Please read on for more details about specific changes in each product area, and contact your Veza representative with any questions or valued feedback.
Last month, we introduced support for assigning owners to individual risks for remediation. Now, you can use Veza to track the resolution of risks over time using burndown charts on the Access Risks page. These new trend charts track both new and resolved risks over the chosen time range.
New and improved dashboards are now enabled by default, including:
AWS Risks: Monitoring IAM privileges, access keys, MFA status, and resource access.
Azure AD Risks: Tracking privileged users, MFA status, dormant accounts, and global admin risks.
Active Directory Risks: Domain admin monitoring, password compliance, service accounts, and group analysis.
Identity Security Posture Management (ISPM): Password metrics, MFA adoption, access blast radius, and cross-platform identity mapping.
GitHub Security: Insights into access, non-human identity, and hygiene risks in GitHub.
Salesforce, Snowflake, and Okta Risks: Platform-specific security dashboards organized by priority and risk criticality.
As part of our ongoing work to make Dashboards easier to use and take action on, recent releases have included several changes to improve navigation, customization, and risk visibility:
Tabbed Dashboard Navigation: You can now switch between views using new tabs, including favorited dashboards and an overview of all available dashboards:
Home tab for primary dashboard
Favorites tab for quick access to preferred dashboards
All Dashboards tab listing all available dashboards
Top Risks: Dashboards that contain queries with risks now include a section at the top of the page showing the top 3 risks from the dashboard tiles, calculated based on risk level and change in the specified time range.
Custom Reports and Dashboards: Dashboards based on custom Reports now support a full range of filter options, including risk level, labels, and integrations. You can now title individual sections in dynamic reports.
Tile Actions: Dashboard tiles now support the action to Schedule PDF Exports via Email.
The SoD feature is now available directly from the main navigation menu, providing easy access to both out-of-the-box queries for detecting SoD violations and a flexible interface for defining combinations of potentially dangerous actions across business processes, roles, and systems.
A new SoD overview page shows all queries on a single page, with options to sort and filter by Last Update, Risk Level, Results, User Type, Relationships, and Owners.
Queries created using the SoD builder can now be opened in the full Query Details view, including:
Trend visualization with risk level, explanations, and remediation details
Results view of users in conflict, including filtering capabilities
Integration with standard Query Details actions (Share Link, Schedule PDF Exports via Email, Alert on Change, etc.)
Swap Entity Selection in Query Builder: A Swap button has been added to Query Builder, enabling switching between source and related entity types with a single click.
Pipeline Query Filter Enhancements: If you are using another query (pipeline query) in a query filter, you can now click the name of the query in the Filters section to view that pipeline query's results in a new tab. This helps in quickly evaluating the query and checking its relevance for the query that you are developing.
Graph Search: A natural language explanation of the selected path is now shown in Graph Search.
Immediate Tag Visibility: Graph actions such as tagging and owner assignment now take place immediately.
IdP/HRIS Enrichment for Query Builder: Results can now include information about the human resource information system (HRIS) employee profiles or identity provider (IdP) user identities mapped to users in the query. If enabled for a query, additional columns containing IdP/HRIS data are visible using the Show Destinations option. You can also sort and filter using column groups for the enrichment node type in the table of results.
Graph Search Performance: Improved performance when visualizing relationships between authorization entities in Graph Search.
Integrations: Extended Lifecycle Management support for Veza integrations:
Oracle HCM: Added support for writing back user email addresses.
Exchange Online: Added support for creating email addresses and adding relationships to Distribution Lists.
Oracle Fusion Cloud: Now available as a provision/de-provisioning target for Lifecycle Management policies.
Ivanti Neurons: Added support for Lifecycle Management workflows using Ivanti as a source of identity.
Access Profile Intelligence: Access Profile Intelligence now automates the process of setting entitlements on Access Profiles. By taking advantage of the Veza Access Graph, you can now quickly build Access Profiles based on entitlements belonging to an existing "typical" user.
Transform Attributes Using a Lookup Table: When configuring attribute transformations, Lifecycle Management now supports referencing a CSV file for transforming one attribute to a corresponding value defined in the lookup table. This is useful for scenarios where attribute transformations cannot be defined algorithmically.
Enhanced Access Profiles: The Access Profiles overview page and details view is updated for better readability when mapping application entitlements for users.
Policies and Workflows Usability Enhancements: Many usability and look-and-feel improvements have been added to the Lifecycle Management workflow editor. These changes are currently available in Early Access and require a feature flag to be enabled to use.
Enhanced Row Details: The Row Details sidebar has been enhanced for a more efficient and organized review process. The sidebar has been visually refined overall for an improved mobile layout, with changes including:
New collapsible column groups help organize related information more clearly, with your preferred view saved for future sessions
Simplified labels and a cleaner layout make information easier to scan. Empty attributes are now automatically hidden by default, with an option to show or hide all empty non-metadata fields.
You can now close the sidebar using the Escape key
Orchestration Actions: Administrators can now configure multiple Orchestration Actions for each trigger type (Approve/Reject/Complete).
Enhanced Decision History: Reviewers can now get at-a-glance insight into how user access under review has changed since the last access review, with new visual indicators when rows represent new access or modified access. It's also now possible to see the last decision made on a given row, and when access previously existed but has since been revoked. Any changes in effective permissions since the last review are also now visualized per row.
Help Pages in PDF Exports: If a custom help page template is enabled for a configuration, the content is now included when exporting associated reviews.
Access Review Settings: Review expiration behavior can now be configured directly from the Access Reviews > Settings page. These global options control whether A) overdue reviews expire immediately once the due time has passed, and B) if incomplete rows are auto-rejected on expiration. Expired reviews are read-only for all users.
Review Configurations: Reviews created using saved queries now support the option to enrich results with additional user metadata from an integrated IdP/HRIS system.
Time Zone Support: You can now specify a time zone when selecting the review due date.
Review Intelligence Policies: Rules for automating row decisions using prior certification data or filter conditions are now consistently labeled as Review Intelligence Policies.
Access Reviews API: A preview endpoint is now available for updating review configurations.
Ivanti Neurons: Our new integration for the Ivanti Neurons HRIS platform synchronizes employee data to enrich search results with up-to-date employee information and streamline access reviews with accurate organizational context.
Device42: Discover and analyze users, groups, and permissions within your Device42 environment, for insights into IT asset management and data center infrastructure.
Cisco Duo: Visibility into your organization's multi-factor authentication (MFA) infrastructure, including users, access credentials, and administrative roles for Duo Security.
Zoom: New integration for gathering authorization metadata from the Zoom collaboration platform, including users, groups, system roles, and their associated permissions.
Exchange Online: The Microsoft Azure integration now offers visibility into Exchange Online mailboxes, permissions, and distribution groups, providing insights into mail-related permissions and access controls within Microsoft 365. This includes mapping Exchange Online users to Azure AD identities, mailbox delegations, folder-level permissions, distribution group configurations and shared mailbox access.
HashiCorp Vault, Oracle Database, Databricks Unity Catalog: These integrations are now generally available.
Snowflake: Dynamic Data Masking is a Snowflake Enterprise Edition feature that protects sensitive data by selectively masking information at query time based on user roles and access privileges. Veza can now help teams evaluate and visualize these masking policies, and determine which users and roles can access unmasked data. The Snowflake integration now supports relationships between masking policies and the tables, views, and columns they protect, and connects these policies to the Snowflake users, roles, and application roles that can access unmasked values.
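As an added Python example (not Veza code) that ties the role-to-role USAGE and OWNERSHIP grant support noted in the earlier Snowflake section to this masking-policy support: given grant rows and a policy that returns raw values for a set of roles, it computes which users can reach unmasked data through inherited roles, and separately flags users whose role owns an allow-listed role and could therefore grant it to itself. The grant rows, role and user names, and the policy are constructed. The inheritance check matches a policy body written with IS_ROLE_IN_SESSION(); a policy keyed on CURRENT_ROLE() only honours the active primary role, so check which function the policy uses before treating the result as effective access.

```python
from collections import defaultdict

# Constructed grant rows shaped like SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES and
# GRANTS_TO_USERS output (sample data, not exported from a real account).
ROLE_GRANTS = [
    # (privilege, role granted, grantee role)
    ("USAGE", "PII_READER", "ANALYST"),            # GRANT ROLE PII_READER TO ROLE ANALYST
    ("USAGE", "ANALYST", "DATA_ENG"),              # GRANT ROLE ANALYST TO ROLE DATA_ENG
    ("USAGE", "REPORTING", "DATA_ENG"),
    ("OWNERSHIP", "PII_READER", "SECURITYADMIN"),  # SECURITYADMIN owns the PII_READER role
]
USER_GRANTS = [
    # (role, user): GRANT ROLE <role> TO USER <user>
    ("ANALYST", "ALICE"),
    ("DATA_ENG", "BOB"),
    ("REPORTING", "CAROL"),
    ("SECURITYADMIN", "DAVE"),
]
# The masking policy body returns the raw column value only for these roles, e.g.
# CASE WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val ELSE '***MASKED***' END
MASKING_POLICY = {
    "name": "EMAIL_MASK",
    "unmasked_roles": {"PII_READER"},
    "protects": [("SALES.PUBLIC.CUSTOMERS", "EMAIL")],
}


def build_edges(role_grants):
    """Split grant rows into inheritance edges (USAGE) and ownership edges (OWNERSHIP)."""
    usage, ownership = defaultdict(set), defaultdict(set)
    for privilege, role, grantee in role_grants:
        if privilege == "USAGE":
            usage[grantee].add(role)
        elif privilege == "OWNERSHIP":
            ownership[grantee].add(role)
    return usage, ownership


def reachable_roles(start, usage):
    """Transitive closure over USAGE grants: every role whose privileges `start` inherits.
    The visited set also protects against cyclic grants."""
    seen, stack = set(), [start]
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(usage.get(role, ()))
    return seen


def unmasked_access(policy, role_grants, user_grants):
    """Classify each user as 'unmasked', 'escalation' or 'masked' for the given policy."""
    usage, ownership = build_edges(role_grants)
    roles_by_user = defaultdict(set)
    for role, user in user_grants:
        roles_by_user[user].add(role)

    verdicts = {}
    for user, granted in sorted(roles_by_user.items()):
        inherited = set().union(*(reachable_roles(r, usage) for r in granted))
        direct = inherited & policy["unmasked_roles"]
        if direct:
            verdicts[user] = {"status": "unmasked", "via": sorted(direct)[0]}
            continue
        # Owning a role does not confer its privileges, but the owner can grant the role
        # to any role including its own, so report it as an escalation path.
        owned = set().union(*(ownership.get(r, set()) for r in inherited))
        escalation = owned & policy["unmasked_roles"]
        if escalation:
            verdicts[user] = {"status": "escalation", "via": sorted(escalation)[0]}
        else:
            verdicts[user] = {"status": "masked", "via": None}
    return verdicts


if __name__ == "__main__":
    table, column = MASKING_POLICY["protects"][0]
    print(f"{MASKING_POLICY['name']} on {table}.{column}")
    for user, verdict in unmasked_access(MASKING_POLICY, ROLE_GRANTS, USER_GRANTS).items():
        print(f"  {user:8} {verdict['status']:10} via {verdict['via']}")
```

BOB never holds PII_READER directly but inherits it through DATA_ENG and ANALYST, which is the case a per-user grant listing misses; DAVE shows up only as an escalation path, which is worth reviewing even though the policy would mask values for his session today.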
Beeline: Added support for configuring custom identity mappings for Beeline users.
Okta: Okta Applications now support the additional attributes Features, Status, Visibility.hide.iOS, Visibility.hide.web, SignOnMode, OauthClient.application_type, and ImplicitAssignment.
Privacera: Added support for self-managed Privacera integrations using HTTP Basic authentication.
Salesforce: Salesforce Users now have the Created At attribute.
Workday: Added support for ignoring specific Worker data using string matching.
Note: Releases can include additional bug fixes and performance improvements that are not detailed in these notes. For more information about any features or bug fixes, please contact your Veza representative.
Highlights and major changes in Veza 2024.5.x releases
Welcome to the May 2024 Veza Product Update! As always, we've been hard at work developing new features, products, and incremental improvements across our weekly releases. We're excited to share some highlights to help you make the best use of our latest capabilities.
Some of these changes include improved visibility into non-human identities (NHI), fully redesigned and customizable dashboards on the Veza home page, and advanced export to Snowflake. We’ve also improved programmatic user management, enabled access reviews from saved queries, and added and enhanced integrations to support a wider range of SaaS applications.
The product team is committed to continuously improving your experience with Veza and would love your feedback on the changes. Please read on to explore all the newest improvements, designed to empower your identity security and access management practices.
Built-In Dashboards: A range of new Dashboards now offer visibility and actionable intelligence across integrated systems:
Dormant Entities Report: This report summarizes users, groups, and roles that have not accessed resources they have permissions on. It is now included in Veza's main dashboards when Activity Monitoring is enabled, including new out-of-the-box queries such as Okta users with dormant access to AWS Secrets Manager secrets.
Identity and Privilege Access Insights: For visibility into least privilege violations and trends for users, groups, and service accounts across integrations, this built-in report is now available as a single-tile dashboard.
SaaS Security Posture Management (SSPM) Dashboard: Trends and insights for identity risks in SaaS applications, based on out-of-the-box Veza queries you can customize for your environment.
The AWS IAM Insights and Google Cloud IAM Insights reports are now featured dashboards, shown when users log in to Veza when the integration is enabled.
Customizable Dashboards: Individual users can now choose and re-order dashboards to include on the Veza home page using a dropdown menu.
Snowflake Export: Additional statistics are now included as columns when exporting query results to Snowflake, indicating the last extraction and parse time for the source and destination entities. Veza administrators can now use the Saved Queries > Query Export tab to view the status and schedule for exports created by any user.
Alert Rules Support Multiple Rules & Multiple Actions: You can now configure more than one rule for a single query. This is useful for triggering actions and alerts at different thresholds, representing the increasing severity of the risk. You can also now configure multiple actions for any given rule, for example, to both send an email and file a Jira ticket.
Dashboard Actions: Users can now directly run a wider range of actions for any query in a report: Open In QB, Expand, Analyze - to slice-and-dice data easily, Share, Open In Graph, Alert On Change, or Create Rule. Dashboards now show additional customization options to Export, Share, Edit, Clone, or Delete the dashboard report.
Access Comparison for Users and Roles: You can now compare any two users or roles to see if they have similar attributes, or have the same access assignments to another entity such as a local user, resource, or group. Comparison is typically used to check if a newly added group or role is equivalent to a pre-existing entity used as a baseline.
Explain Assumed Roles: In Graph search, you can now better understand and investigate how policies, policy statements, and group memberships allow one IAM role to assume another role and inherit its permissions. Click on an AWS IAM Role to open the sidebar and use the Explain Assume Role action to inspect how different roles are assumable by a given role, with the option to save the view as a PNG.
Query Pipeline Filters: You can now use the NOT operator when adding a saved query filter. This will cause the main query to exclude any results in the output of the sub-query.
Graph Supertypes: In Veza search, supertypes are entity types that group multiple similar entities. For example, the User supertype includes AWS IAM Users, Okta Users, Snowflake Local Users, and others. Similarly, the Key supertype encompasses AWS Secrets Manager Secrets, Microsoft Azure Keys, etc. You can now use supertypes in search to construct advanced queries that include specific types of entities. When selecting a supertype in the query builder, you can apply a subfilter to restrict the query to specific sub-types (such as only Okta User and AWS IAM User entities within the User supertype).
Non-Human Identities: A new attribute named “Identity Type” is available for all entities with the Identity supertype. This suggests whether the entity is HUMAN or NON-HUMAN, determined by Veza’s algorithms for auto-detecting Human/Non-Human Identities. Entities that can be non-human identities include:
AWS: EC2 Instance, EKS Cluster, EMR Cluster, Lambda Function
Microsoft Azure: AD Enterprise Application, AKS Cluster, Azure VM
Google Cloud: Compute VM, Run Service Instance, Kubernetes Engine Cluster.
Last Usage Date in Query Builder: When available, a Last Used column indicates the last activity date for a source and destination pair.
Access Reviews from Saved Queries: When creating a Review Configuration, you can now use a saved query to specify the access relationships to review. You can use this to review any users that meet risk criteria or define more complex conditions using saved query filters.
Access Review Scheduling: Review scheduling frequency is now more customizable, enabling recurring review campaigns on a biweekly, monthly, every other month, or quarterly basis. When creating a schedule, you can now preview the upcoming dates when the review will trigger.
Source-Only Access Reviews: Access review queries no longer require a destination entity type, so you can now specify a single source entity type (such as groups, users, or roles) to approve, reject, and sign off.
Access Review Enrichment: Access reviews for local users can now show enriched user details with additional metadata from the related Identity Provider identity or HRIS profile. For example, this provides visibility into attributes such as Title or Department alongside local user details in an access review. When auto-assigning reviewers, Veza will use the linked IdP or HRIS user's Manager attribute to identify a reviewer for that row.
Reviewer Interface Filters: For improved flexibility when selecting rows in an access review, filters on decisions can now use the Not Equal operator (for example, show rows not Rejected).
Access Review Export: Exporting the list of Reviews now includes additional metadata, including the remaining work, last modification date, and remaining rows for all items.
Usability Improvements: To indicate the draft or publication status of an Access Review, the publication date is now shown on the Access Reviews overview page and the review details sidebar. We’ve also generally improved performance for reviewers when loading assigned Access Reviews.
BitBucket Data Center: Previously available as an OAA connector, a new built-in integration for self-managed BitBucket editions now enables the discovery of workspaces, users, projects, and repositories.
Jamf: New integration for discovering users, groups, and sites within Jamf Pro.
PTC Windchill: Discovers users, groups, and projects for the Windchill Product Lifecycle Management (PLM) system.
Tableau: Discovers users, groups, and projects on the Tableau Cloud business intelligence platform.
Snowflake: Added support for discovering additional entity usage attributes. An administrator will need to update the integration permissions to collect new metadata:
Table: last altered, last accessed at.
View: last altered, last accessed at.
Database: last altered, last accessed at.
Local User: owner.
Oracle EPM: Added support for skipping discovery of Identity Domain Administrator (IDM) roles. Extracted IDM roles are now identified with the attribute is_idm_role.
Workday: Added support for custom property types: Self-referencing instance, Currency, Rich Text, Date Time, and Time Zone.
GitHub and GitLab: Improved visualization of projects shared between groups.
Salesforce: Enhanced support for Salesforce Permission Sets and optimized our effective permissions model for improved parsing times and query performance.
Identity Mapping for OAA Apps: Custom Identity Mappings can now apply to individual custom applications. Before, mappings needed to apply to all integrations created with an Open Authorization API template.
Comparison for OAA-based integrations: You can now compare entities from Custom Applications and Custom Identity Providers.
Custom Application Native IDs: The Custom Application template now supports a native_id property for all entities, for entering a predictable and provider-specific unique ID. This enables a provider-defined and queryable ID as an alternative to the Veza-generated ID property.
Email attributes: Custom Application Local Users now have a built-in email attribute, which is always case-insensitive for search purposes. This should provide a consistent field for apps that store addresses in a different format than expected.
Added preliminary support for Google Workspace and AWS Identity Center as provisioning targets.
Added new v1 User Management APIs for managing users and updating team and role assignments: Update User, and List Roles.
Highlights and major changes in Veza 2024.6.x releases
This update includes enhancements in risk management, query builder functionality, and access review usability. As always, we have enhanced and added integrations to expand your ability to secure and manage a range of possible environments, including Oracle Database on AWS RDS.
Read the highlights and major changes to empower your identity security and access management practices with Veza:
Non-Human Identity Dashboards: Added two new dashboards for monitoring and understanding the access of non-human identities in various environments, and how they interact with critical resources using keys, secrets, and access credentials.
NHI Access Security: Highlights non-human identities accessing secrets and using access credentials, helping identify trends and potential security gaps.
NHI Insights: Visibility into identity sprawl and capabilities, such as AWS EC2 instances that can list and read bucket objects, or Microsoft Azure AD Service Principals connected to VMs.
Risk Details: You can now quickly view the detailed explanations and get remediation instructions by opening a details sidebar on the Queries with Risks page.
Non-Human Identities: Added support for automatically labeling human and non-human identities with Enrichment Rules, configured in the Integrations section. Administrators can use these rules to label entities as "NHI" or "Human" automatically.
Dashboard Export: Dashboards now include an Export button to save the current view as a PDF.
Entity Type Groupings for Non-Human Identities: You can now use “Access Creds,” “Keys,” or “Secrets” as the source or destination to search across all included entity types.
Credential Expiration Distinction: Veza now adds the Can Expire attribute to GitHub Personal Access Tokens and AWS Access Keys to distinguish access credentials supporting expiry dates from those that do not.
Query Builder: When using an entity type grouping (such as “Identity” or “Access Creds”) as the query source or destination, you can now use the Filter by Type menu to select specific entity types in the grouping.
Query Details: Opening a query to view details or clicking on a dashboard tile now opens a redesigned details page featuring a spreadsheet-like view of the results.
Query Export: Query exports now include any tags applied to destination entities.
Query Builder: When using the Show Destinations option to get results as source-destination pairs, you can now filter and visualize all destination entity attributes using additional columns.
Query Builder: Enabling Show Destinations now includes Last Activity At and Last Activity With Resource At columns, when the source and destination entity types support Activity Monitoring.
PDF Exports: PDF exports for individual reviews now include additional pages with review metadata, reviewer details, data source details, and row completion statistics. The title page now features the review publication date, completion date, and the user who completed the review.
Approve and Sign-off: It is now possible to control whether the Approve and Sign-off action is shown in the reviewer interface. When enabled, reviewers can approve and sign off on applicable rows with one click, using an in-row action or bulk action on selected rows.
Column Customization: Default columns in the reviewer interface can now be defined for individual configurations, enabling customized reviewer experiences for all reviews using the specified configuration.
GitHub: Added preliminary support for GitHub as a provisioning target.
Policies: Attribute transformations can now use nested IF/THEN/ELSE statements.
Custom Attributes: Policies can now define custom attributes for provisioning targets such as Okta and Microsoft Azure AD users.
Manual Workflows: Added support for manually running workflows for identities with no matches.
Provisioning Sources: Added support for selecting more than one human resources information system (HRIS) integration as a possible source when syncing identities.
SwiftConnect: New integration for discovering profiles, badges, and access on the SwiftConnect platform (Early Access).
Oracle Database (AWS RDS): New integration for discovering resources and access controls for Oracle Database on AWS RDS.
AWS Access Keys: Added support for discovering AWS Access Keys and their attributes, such as Name, Active, Created At, Last Used At, Last Used Service, and Last Used Region.
Microsoft Azure: Added support for extracting custom On Premises Extension Attributes for Azure AD Users. To specify extension attributes in an integration configuration, use the full name, e.g., ExtensionAttribute12.
CSV Import: Added several requested enhancements for importing users, groups, and roles from CSV:
Importing a custom application from CSV now supports the full range of custom user attributes, including Password Last Changed At and Last Login At.
Roles and Groups can now be assigned by creating additional rows for a user.
Improved encoding support to support CSV files generated with a wider range of applications.
GitHub: Veza now discovers GitHub Personal Access Tokens and their effective repository permissions, used for programmatic access to GitHub resources.
Google Cloud: Veza now shows Service Account Keys for a parent Service Account, and their effective permissions on resources assigned to that Service Account.
HashiCorp Vault: Added support for gathering nested secrets for secret engines such as KV2. Nested secrets are shown as sub-resources of the parent secret in Graph search.
Okta: Veza now gathers additional attributes for Okta Users: Password Changed, User Type ID, User Type, Recovery Question Exists, Credentials Provider Type, and Credentials Provider Name.
SharePoint: When applying System Permissions filters in Graph search or Query Builder, Read/Write/Owner permissions on SharePoint Folders now have an inherited or direct prefix. The prefix indicates whether the permission is inherited from the Folder's parent or assigned directly to the Folder.
Snowflake: Veza now extracts and parses Snowflake Database Roles.
Workday: Added the ability to get custom reports and add fields as custom properties for Workday Workers.
Access Credentials for Custom Applications: The custom application template now supports an array of AccessCreds for modeling API keys and other credentials assigned to users to grant roles and permissions on resources.
Added a v1 API operation GET "/api/v1/users/self", returning details about the calling user without requiring an ID.
Improved logging on the Events page when an Insight Point is unavailable.
Access Intelligence
The Access Analytics overview is now the default Access Intelligence landing page, shown when logging in to Veza.
Dashboards now include shortcut icons to filter queries by integration. Tiles now include the risk level, if the featured query has one.
Dashboard trend charts can now show the total Y-axis in addition to changes over time.
Access Visibility
Users can now cancel long-running exports directly from the Query Builder.
Access Reviews
The row actions dropdown now includes the option to Add a Note for a single row.
In the reviewer interface, the icon to open the full row details in a sidebar now appears only on hover.
Improved consistency of titles and button labels throughout the product.
Lifecycle Management
New interfaces for Policy and Access Profile management, an Identity-centric view, and an Event view.
Integrations:
Improved UI for easily filtering the list of integrations by provider name, type, or status.
Data source errors are now indicated by a warning status on the integration overview. You can now filter the Integrations page to show events for recently created integrations.
Welcome to the June 2024 Veza Product Update! We're excited to share the latest enhancements and new features from the latest weekly releases. Our team has been diligently working to improve your experience on the platform, especially around understanding and monitoring risks associated with . This includes expanded support for machine access credentials such as tokens and API keys.
Highlights and major changes in Veza 2024.7.x releases
Our July 2024 releases featured improvements across Access Intelligence, Access Reviews, and Lifecycle Management and introduced the Veza Access Portal for managers to gain visibility into their direct reports’ access. Some notable changes, all designed to help you improve your control and visibility over your access landscape, include expanded dashboards for tracking non-human identities, the introduction of granular risk levels, and enhanced support for access keys and other machine credentials.
We've also added early access features aimed at simplifying team access management. Redesigned overviews and a new reviewer experience provide tools for managers to oversee and review direct reports' access. Additionally, we've continued to build and enhance integrations to expand Veza's support for modern data systems and SaaS applications.
Read on for more details about specific changes by product and please reach out to our team with your questions and invaluable feedback:
Non-Human Identities: Last month, we introduced a series of dashboards focused on managing non-human identities (NHI), now augmented by new out-of-the-box assessment queries. You can modify these queries to meet specific needs for visibility across integrated data sources, including:
Inactive identities that can access keys and secrets.
Non-human identities that are not active and can use access credentials.
New keys, secrets, and access credentials.
Keys and secrets that have not been rotated.
Expanded Risk Levels: For more flexible risk management and compatibility with external systems, saved queries now support the following risk levels: LOW, MEDIUM, HIGH, or CRITICAL. Risk scores now take into account the updated risk levels, and dashboards are now filtered to focus on critical and high-risk entities. You may want to review and adjust existing queries, alerting rules, and reports to align with the new risk score thresholds (changed from CRITICAL, WARNING).
Remediation Details: Queries with a risk level can now include specific remediation details and instructions, editable when saving or editing a query. Any other user can reference this information on the Risks page by clicking the expand icon to view risk details. Veza now provides this context out-of-the-box for all CRITICAL risks. We plan to add more remediation details for current and upcoming integrations.
Access Key Attributes: All entities with the “Key” type now always have common filterable attributes: Is Active, Created At, Last Used At, and Last Rotated At.
Enrichment Rules for Non-Human Identities: Administrators can now configure saved queries to automatically mark identities as “human” or "non-human" at parse time on the Integrations > Enrichment page.
This month, we're excited to release our newest features intended to help managers understand and review access for members of their team. Initially integrating with Access Intelligence and Access Reviews, the Veza Access Portal provides a centralized hub for non-technical people managers to complete important access-related tasks.
Manager-Centric Access Reviews: A fully re-imagined Access Review experience designed for managers is now available in Early Access. This experience enables faster review of direct reports’ access, better visibility into outstanding review tasks, and the ability to review and sign off on all access for a direct report – across all applications under review, on a single page.
My Team: This landing page, powered by Access Intelligence, offers quick insights for managers into the level of access for their direct reports. Managers can use this overview to inspect the top roles and resource types for each of their direct reports and filter on specific data sources.
Please reach out to our customer success team to learn more about enabling Access Portal, now available in Early Access for evaluation and feedback.
Display Column Customization: Custom default display columns can now be configured via API for all reviews of a particular configuration. Default display columns can now include metadata about a related identity provider (IdP) user or employee profile in a connected human resources information system (HRIS) when enrichment is enabled in the review configuration.
Review Exports: The complete review and configuration details, data source status, completion statistics, and reviewer information are now included when exporting active or completed reviews to PDF, along with the row and relationship metadata.
GitHub: Added support for GitHub as a provisioning target.
Okta: Added support for Okta as a Lifecycle Management source.
Email Notification Customization: Email notifications triggered by Lifecycle Management workflows can now be customized using an API.
Orchestration Actions: Lifecycle Management workflows can now trigger events in downstream systems such as Slack or Jira, using a built-in orchestration action or a custom webhook.
Policies: Added support for pausing and resuming Lifecycle Management policies.
Manual Workflows: It is now possible for administrators to manually run a workflow for any identity.
Attribute Transformers: Additional transformers are available when syncing attributes.
Azure: Added support for setting custom attributes on provisioning targets, and revoking access to SharePoint Online and OneDrive on termination.
Active Directory: Added support for removing users from the Global Address List.
New integrations
Data Systems: Apache Cassandra, Oracle Database
SaaS Apps: Fastly, HubSpot, Smartsheet, Boomi
Enhancements
AWS RDS: AWS integration configurations can now limit RDS extractions to the database level, skipping lower-level entities such as Schemas and Tables. Added support for using AWS Secrets Manager to integrate with Oracle Database on RDS.
Coupa: Integration configuration now includes an option to directly map permissions to roles using an exported Coupa report.
Microsoft Azure: The Azure integration now supports Azure Entra ID Devices and Storage Account Access Keys.
Salesforce: Improved parse times for large Salesforce environments.
SCIM: Added support for authenticating with OAuth 2.0 Client Credentials.
SharePoint: Max folder depth is now configurable by your Veza support team (default 2).
Snowflake: The Snowflake integration can now discover Snowflake Application Roles granted to account roles and other application roles, and supports access monitoring for Snowflake Secrets.
Snowflake: Snowflake tables and views now have a Has Masking Policy attribute denoting which have masking policies applied to them.
Windows Server: Upgraded to support .NET 8.0.
Workday: Workday Workers now have an attribute showing their Management Level ID. Workday Domain Security Policies now have a new attribute Using Parent Permissions, indicating if the policy inherits from its parent policy.
Workday: Administrators can now specify built-in Worker attributes in the Properties to Redact field when configuring the Workday integration. These attributes are skipped during extraction and appear as REDACTED in search results and Worker details.
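To make concrete what the Snowflake integration models for Dynamic Data Masking (the masking policy to table/view/column relationships described in the earlier Snowflake note, and the Has Masking Policy attribute above), here is an added example in Snowflake SQL. It is not Veza's own code: it creates a masking policy, binds it to a column, and then queries the Snowflake metadata that records which objects the policy protects and which roles the policy body lets through. The database, schema, table, column, and role names are constructed for the example, and the session is assumed to run as a role holding the CREATE MASKING POLICY and APPLY MASKING POLICY privileges.

```sql
-- Constructed example (not Veza's code). Assumed names: database HR_DB,
-- schema PUBLIC, table EMPLOYEES, column SSN, roles PAYROLL_ADMIN and HR_ANALYST.
-- Assumes the current role can CREATE MASKING POLICY and APPLY MASKING POLICY.

-- 1. Policy: only PAYROLL_ADMIN sees the raw value; every other role gets a
--    partial mask. The role check lives in the policy body, which is why the
--    set of roles that can read unmasked data is derivable from policy metadata.
CREATE OR REPLACE MASKING POLICY HR_DB.PUBLIC.SSN_MASK AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PAYROLL_ADMIN') THEN val
    ELSE CONCAT('***-**-', RIGHT(val, 4))
  END;

-- 2. Bind the policy to the column it protects. After this, the table carries a
--    masking policy (the "Has Masking Policy" condition). Views are bound the same
--    way with ALTER VIEW ... MODIFY COLUMN ... SET MASKING POLICY.
ALTER TABLE HR_DB.PUBLIC.EMPLOYEES
  MODIFY COLUMN SSN SET MASKING POLICY HR_DB.PUBLIC.SSN_MASK;

-- 3. Policy -> object relationships: which tables/views/columns this policy protects.
SELECT policy_name, ref_entity_domain, ref_entity_name, ref_column_name, policy_status
FROM TABLE(HR_DB.INFORMATION_SCHEMA.POLICY_REFERENCES(POLICY_NAME => 'HR_DB.PUBLIC.SSN_MASK'));

-- 4. Policy bodies across the account: the roles named in POLICY_BODY are the
--    roles that receive unmasked values. ACCOUNT_USAGE views lag real time.
SELECT policy_catalog, policy_schema, policy_name, policy_body
FROM SNOWFLAKE.ACCOUNT_USAGE.MASKING_POLICIES
WHERE deleted IS NULL;

-- 5. Role hierarchy: any role or user granted PAYROLL_ADMIN (directly or through
--    a parent role) also reaches unmasked data, which is what an access graph
--    has to follow to answer "who can see the raw SSN".
SHOW GRANTS OF ROLE PAYROLL_ADMIN;

-- 6. Verification from a role the policy does not exempt: the SSN column is
--    returned masked for HR_ANALYST and unmasked only for PAYROLL_ADMIN.
USE ROLE HR_ANALYST;
SELECT employee_id, SSN FROM HR_DB.PUBLIC.EMPLOYEES LIMIT 5;
```

When reviewing masking coverage, the combination of steps 3 through 5 is the check that matters: a column can be protected by a policy while a wide set of users still inherits an exempted role through the grant hierarchy.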
New saved queries are now provided out-of-the-box for popular integrations: HashiCorp Vault, BlackLine, 1Password, CrowdStrike, Egnyte, Jenkins, Zscaler, Confluent, and Delinea.
Audit and Event Log Export: Administrators can now configure a recurring export of audit logs and platform events to an external Snowflake database for continuous synchronization. When scheduled exports are enabled, audit and/or event data is exported in a tabular format for analysis and storage.
Integration Extraction Intervals: On the System Settings page, admins can now customize extraction intervals for OAA-based integrations on a per-integration basis (such as individual frequencies for SCIM, Anaplan, or Jira Data Center). The original options to set extraction intervals globally or by template type are also available.
Role Mappings: Administrators can now directly map SAML groups to non-root teams and roles when configuring single sign-on. This option eliminates the need to remap claims within your identity provider and is now in Early Access for customers using Entra ID.
Access Intelligence: Breadcrumbs now preserve workflow history and are shown consistently when traversing the Access Intelligence section. For example, when browsing from the Saved Queries page to Analyze a single query, and then opening it in Query Builder, shortcuts provide easy access to each recently-visited page.
Access Visibility: The Query Builder column picker now includes a "Select All" option to show or hide all columns within a group. When a user saves a query with Show Destination Nodes checked, the Show Destination Nodes option is now enabled when re-opening the saved query.
Access Reviews: Rows with decisions auto-applied due to a Review Intelligence Policy are no longer hidden by default. Before, the Include rows with decisions by other reviewers filter had to be active to show these rows.
Lifecycle Management: Administrators can now more easily understand and make changes to Lifecycle Management configuration, with a series of enhancements for improved access profile and policy management, especially around workflows, identities, transformers, and notifications.
Integrations: Starting an extraction now requires a confirmation, informing the user that a currently running job will be canceled. When adding custom identity mappings for an Identity Provider, you can now type to search the dropdown menu.
Platform: Introduced separate management for personal and team API keys on the API Keys page, with team key creation and administration now done on a dedicated tab (Early Access).
Highlights and major changes in Veza 2025.1.x releases
Welcome to the January product update. Our recent releases have focused on improvements to dashboard functionality, enhanced monitoring capabilities, and streamlined workflows across the platform, including:
Access Intelligence: New out-of-the-box dashboards for privileged access, service account governance, and identity insights, plus enhanced dashboard actions and improved alert management.
Access Monitoring: New BigQuery activity monitoring with Over Provisioned Access Score calculations for users and service accounts.
Access Reviews: Introduction of 1-Step Access Reviews (Early Access), customizable email templates, and improved notification management.
Access Visibility: New Path Selection feature in Graph search for precise relationship exploration and filtering.
Lifecycle Management: Enhanced policy version history with restore capabilities and new action grace periods.
Integrations: New Qualys and Microsoft Teams integrations, plus enhanced support for Azure AD, Coupa, GitHub, and Oracle EBS.
Veza Platform: Introduction of the CSV Manager Role and improved event subscription management.
See each section for more details about specific changes in each product, and please contact your Veza representative with any questions or feedback.
New out-of-the-box dashboards: New dashboards are available featuring curated detection queries, designed to be shared across teams for visibility into important trends:
Privileged Access Dashboard: Privileged Access Insights across cloud environments, SaaS, IdP, and integrated databases.
Service Account Governance: Insights into Service Accounts across Active Directory, AWS, Microsoft Azure, GCP, Okta, Salesforce, and ServiceNow.
IDP Identity Insights: Identity insights across identity provider identities and groups, and local identities.
Okta Activity Report: Insights into Okta User, Admin, and App activity (requires Activity Monitoring).
Dashboard Actions and Enhancements: We've continued to improve the usability of favorite dashboards, and make dashboard insights more actionable and easy to interpret.
You can now use dashboard tile actions to schedule query results export to PDF, CSV, or Snowflake.
Dashboard tile actions now include a shortcut to trigger on-demand Access Reviews for the query results with Alert Rules.
New out-of-the-box dashboards are now labeled for easier identification, and are now included on the list of favorite dashboards by default.
When viewing a dashboard in the Dashboard view, the header now includes labels showing if the dashboard is system-created and the last edit date.
You can now search across all favorite dashboards and quickly add or remove favorites by clicking the star icon next to the active dashboard's name.
Dashboard tiles are now color-coded to indicate the risk severity level (none, low, high, medium, or critical).
You can now use the Export menu to download the active dashboard in CSV format or schedule recurring exports to an allowed email recipient.
Improved Alerts and Webhooks: You can now retry failed actions for alert events using the Rules and Alerts > Alert Details view. Each event now shows the triggered action, indicates if the event succeeded or failed, and includes the full error message if available.
Design and Usability Enhancements
The layout on the Query Details > Results tab now has a more consistent look and feel.
The Access Intelligence landing page now provides a streamlined overview of configured integrations and entity types, with options to export, share, or view details in Query Builder.
The Dashboards favorites tab is now shown by default when logging in to Veza.
The Tagged Entities page for tag-based search is now located with other search features in the Access Visibility section.
Menu and tab names have been shortened for better readability throughout the Access Intelligence section.
Burndown charts have been removed from the Risks overview.
Access Intelligence views now have a standardized color scheme and more consistent filter organization across pages.
Access Monitoring for Google BigQuery: The Google Cloud integration now supports activity monitoring, including Over Provisioned Access Score calculations for users and service accounts with unused permissions on BigQuery datasets and tables.
The NHI Accounts overview now includes a Share button for copying a link to the current filtered view.
The NHI Accounts page now includes columns to show the Account Created date and total Authentication relationships, with a link to open the related entities in Query Builder.
Bulk Export for SoD Queries: The Separation of Duties overview page now supports exporting query results in bulk, with up to 10 simultaneous CSV exports.
Design and Usability Enhancements:
When viewing details for queries with a risk level, any details or mitigating controls documented in the Risk Explanation and Risk Remediation fields now appear above other query metadata.
The Separation of Duties overview page now includes a Last Updated By column for visibility into changes across all configured SoD rules.
Path Selection and Filtering: Graph search now features a Path Selection sidebar for exploring and filtering entity relationships with greater precision. When hovering over a node to see its connections and clicking the circle indicator on its edge, the graph locks that path and opens the new sidebar. From there, you can use a step-based builder to select specific incoming or outgoing connections, progressively filtering the view to focus on particular relationships with the original root node as an anchor point. You can use the sidebar to inspect specific permissions and relationships within the locked path, and open detailed attributes for any entity.
Query Builder percentage filters now support the use of AND and OR operators.
Query Builder CSV export now always includes all results in a single file.
In Graph search, you can now change the page size of the column details modal.
Graph Explain Effective Permissions view now has scrollbars for better usability.
1-Step Access Reviews (Early Access): Administrators can now create access reviews in a single step. Creating a review configuration first is still supported but no longer required. When this feature is enabled, the primary Access Reviews > Reviews page offers two options to create a review: "1-Step" or "Use Configuration". The 1-Step review builder offers a simplified workflow for selecting a review scope using the quick builder (covering common review scenarios for integrations such as Active Directory, Microsoft Azure AD, SharePoint, Okta, NetSuite, Salesforce, AWS, and more) or using a saved query.
Email Template Customization: Administrators can now customize the content of email notifications using HTML templates on the Access Reviews > Settings page. This provides a convenient way to customize default messages sent to reviewers and other stakeholders, previously configurable via API.
Streamlined Notification Settings: Reminder and escalation notifications are now enabled under the Advanced Notifications menu when creating a review configuration. Administrators are now encouraged to use Digest Notifications to prevent excessive notifications to reviewers with the option to use review-specific notifications when needed.
Enhanced Group By (Early Access): When using the Group By option to organize rows in the reviewer interface, you can now group by Risk Level, Role, Group, and Status (rows changed since the last review).
Review Export Enhancements:
Exports now include a column indicating the "% Completed" of total rows.
PDF exports now include the query description.
Exports now show the signed off and decision states with human-readable labels: "Signed Off", "Not Signed Off" / "Accepted", "Rejected", "Fixed", or "No Decision".
PDF exports now include additional row completion details for each reviewer, including the total number of signed-off approved or rejected rows, total rows not acted on, and reviewer details.
New Filter Operators: "Exists" and "Does not exist" are now supported for most fields to filter by empty or any value. Example: Show all rows where Manager DOES NOT EXIST.
SharePoint: Folder name rejection notification messages now show the full SharePoint folder path (Parent Path + Name).
Orchestration Actions: "Reviewer Change" events now include the full row details in the JSON payload.
Added a global and per-review configuration setting to enable Access Intelligence. When enabled, the Risk Score and Risk Level columns are shown by default in the reviewer interface. When disabled, these columns remain available but must be enabled manually.
The reviewer interface now respects column name overrides set at the workflow level. These column_name_overrides are currently customizable via API, with general availability planned for a future release.
Reviewer Notes: When configuring pre-defined decision notes, you can now choose to show or hide the other option. This can be used to prompt users to always add a predefined note instead of allowing both choices.
Design and Usability Enhancements:
The primary Access Reviews landing page is now the Access Reviews > Reviews overview (instead of the Access Reviews > Configurations list).
The Configurations page has been simplified and redesigned to use the latest Veza Design System components for searching and editing configurations and scheduling reviews.
Exporting the current column selection now defaults to selecting all displayed columns in the reviewer interface, and the Decision and Signed Off columns.
A tooltip now provides naming guidelines when creating configurations.
Qualys: New integration for visibility into resources, users, roles, and permissions on the Qualys platform.
Microsoft Teams: The Azure integration now supports discovering teams, channels, and guest users in Microsoft Teams.
Azure AD Users now have the "Guest" attribute.
Coupa Users now have the "Supply Chain User" attribute.
GitHub Repositories now have the "Owner" attribute.
The Oracle EBS integration now supports Menu Binding entities.
Added support for custom identity mappings to OAA HRIS and custom identity provider integrations.
Added out-of-the-box assessment queries for Microsoft Teams.
Policy lifecycle management for Lifecycle Management policies: Lifecycle Management policies now include the full version history, enabling better visibility into previous policy configurations and the ability to restore prior versions. The full history is now available using Actions > See Version History in the policy editor. You can use this view to inspect earlier versions, set an older version as the current draft, and publish or discard the current draft.
Access Profile Intelligence: Supports the ability to specify multiple users or entire groups of users (i.e., all users in a common department) to determine overlapping entitlements when creating or editing Access Profiles. This helps accelerate the process of creating Access Profiles as well as ensuring that entitlements are properly set for the given cohort of users. Filtering by percent overlap is also supported.
Action Grace Periods: Policies now support configuring a grace period to delay individual actions in a workflow.
Multiple Policy Drafts: You can now restore, create, and save draft versions directly from the Policy Detail view. Previously, only the most recent draft was shown in the user interface.
Design and Usability Enhancements
All tables now have updated row styling for better consistency when navigating between Lifecycle Management pages.
When opening rows to show the details sidebar (such as for an identity on the Identities page or a profile on the Access Profiles page), the selected row is now highlighted for clarity.
Long text strings are now shown in full when hovering in the Access Profile details view.
Access Profiles that are inherited by another profile can no longer be deleted.
When creating a policy and choosing an integration, integrations associated with existing policies are now grayed out to indicate they cannot be selected.
You can now get detailed data source information for troubleshooting purposes (such as Lifecycle Management Data Source IDs) by clicking the magnifying glass icon next to the "Lifecycle Management: Enabled" badge in integration details.
Ability to create guest accounts in Microsoft Entra ID via API: Adds support for programmatically initiating the creation of guest accounts in Microsoft Entra ID (formerly known as Azure AD) using a guest email address.
Ability to auto-create entitlements for supported IDPs: Administrators can now create Access Profiles for use by either Access Requests or Lifecycle Management to auto-create entitlements in various IDPs, including:
Azure AD (Groups, Roles, and Exchange Distribution Groups)
Okta (Groups)
AWS (AWS SSO Group)
Google Cloud (Groups)
Note: The ability to automatically create groups in Active Directory was previously supported.
Create Entitlement: Support for a max length on attributes allows enforcing a limit on the resulting group name, such as 64 characters for Active Directory groups.
Create Entitlements: Lookup of identity attributes supports using the attributes of the user who is creating an Access Profile to set Access Profile field values.
Access Profile changes on the Access Hub: Improved management of Access Profiles on the Access Hub, including:
Preventing editing of the Access Profile name if the Access Profile Type has "Create Entitlement" selected
Columns in the Access Hub Access Profile table now indicate the Name, Description, Integration Types, and Status
In Use and Last Published date now appear in sidebars and detail pages.
If the Access Profile Type does not allow inheritance, it no longer shows the "Inherited Profiles" tab.
Support for Access Request approver policies, including defining users who can or cannot approve or revoke access requests.
Active Directory group entitlement creation updates, including splitting the Distinguished Name into Name and BaseDN and adding new, non-required attributes: Description, IsSecurityGroup, GroupScope (Domain, Global, Universal), and MemberOf (parent group).
Added support for creating a new entitlement if none exists when creating a new Access Profile Type.
More graceful management of Access Profiles for more than 2 Access Profile Types. Note: All customer tenants running Lifecycle Management and/or Access Requests start by supporting only the following Access Profile Types by default: Profiles and Business Roles.
Access Request UX enhancements
Added support for all access request states
Now shows the Action History tab under Details
Now shows the Access Plan tab under Details
Now shows the Events tab under Details
Access Profile owners are listed as Owners in the graph: When viewing an Access Profile in the graph, the Owner property lists the owner(s) of the Access Profile.
Access Catalog view in the Access Hub split into Assigned vs Requestable items: The Access Catalog is now logically separated between catalog items already assigned to the user and catalog items available for request.
Pending access request banner now displayed in the Access Hub: When a user has a pending access request to approve, a notification banner is now displayed in the Access Hub after the user logs in.
Updated Notification settings: Administrators can now configure how Lifecycle Management and Access Requests emit notifications for different settings.
CSV Manager Role: Administrators can now assign a new role with minimum permissions for managing CSV integrations, restricted to creating, configuring, and updating CSV-based integrations assigned to the user's team.
Event Subscriptions and Email Alerts: You can now use the Administration > Event Subscriptions & Alerts page to configure email notifications for Veza platform events by severity and category. Alerts can be configured to send a summary of events within the specified interval (e.g., all matching alerts within 15 minutes to 24 hours).
Note: Individual releases can include additional bug fixes and performance improvements that are not detailed in these notes. For more information about any features or bug fixes, please contact your Veza representative.
Highlights and major changes in Veza 2024.8.x releases
Welcome to the August 2024 product update! Last month's releases featured a range of improvements across Access Visibility, Access Intelligence, and Lifecycle Management. These include Query Builder enhancements, support for new types of enrichment rules, and the introduction of role mining insights to identify potential security risks in AWS and Snowflake roles.
For Access Reviews, customizable notifications are now available to provide specific instructions when starting a review, as well as to prompt reviewers for confirmation when signing off on decisions. New integrations with popular systems like HiBob, ClickHouse, and Beeline, and improvements to existing integrations strengthen Veza’s support for modern infrastructure and applications. Additionally, we've implemented meaningful usability enhancements throughout the platform, all intended to make your tasks with Veza more efficient and intuitive.
See the sections below for more details about the changes, and please contact our team with your valued feedback and questions.
Role Mining: Role mining is now available as a dedicated section of the Access Intelligence product. Currently provided for AWS and Snowflake, Role Mining provides quick insights into roles with the greatest blast radius, unused and rarely-used roles, deeply nested roles, and other potential risks. You can use these new insights for use cases including:
Tracking roles with high blast radius, and preventing assignment of users to those roles.
Cleaning up unused or rarely-used roles.
Flattening role hierarchies to reduce complexity and improve performance (particularly for Snowflake).
Enrichment Rules for Privileged Access: You can now define specific combinations of permissions or resource access as “privileged,” by adding rules on the Integrations > Enrichment page. Veza now sets the built-in role attribute Is Privileged to True for entities that meet the conditions defined by these rules. Incorporating filters on this attribute enables insights, search, and access reviews focused just on high-priority roles, excluding roles that aren’t marked as privileged.
Custom Review Disclaimers & Sign-Off Statements: Administrators can now customize optional prompts shown to reviewers, including messages shown when reviewers start a review or when they sign off on decisions. These messages might include review instructions, disclaimers, sign-off statements, attestations, or other guidance. The Custom Help Pages preview API has been extended to support these new message types, which can be enabled globally or for individual review configurations using markdown templates.
Review Expiration Settings: Administrators can now elect to auto-reject rows that have not been signed off when a review expires, as a global setting or per review configuration.
Reviewer Deny List and Delegate Reviewer Settings: Administrators can now manage reviewer deny lists and delegate reviewers directly from the Access Reviews > Settings page. Before, these settings were manageable only by API. API-based management of these settings remains unchanged.
Query Builder: When applying a saved query filter (effectively using a subquery to filter an existing query), you can now search for potential candidates by risk level, integration, or query label. Click Filter Queries when adding a filter group to help find relevant user-created or out-of-the-box assessments, and use them to filter the current query results.
Inherited Tags: Role binding entities and custom role assignments for Open Authorization API integrations can now inherit tags applied to their associated roles, enabling tag filters for integrations where users are not directly attached to roles. These Veza tags have the Veza Inherited tag type, used to identify tags derived from another entity.
Access Profiles: Users on non-root teams can now create and view Access Profiles.
SCIM Support: SCIM integrations can now be enabled as provisioning or de-provisioning targets.
Notifications: You can now configure email and webhook actions directly from the Notifications tab when creating or editing a policy.
Policies: Lifecycle Management workflows now support changing the order of conditions when an action applies.
Synced Attributes: When specifying the attributes to update for a target entity, you can now combine multiple transformations using pipeline functions.
Activity Log Export: Lifecycle Management events can now be exported to CSV or PDF.
New integrations
Data Systems: Amazon Aurora PostgreSQL, ClickHouse
SaaS Apps: HiBob, Beeline
Enhancements
AWS Secrets Manager: Oracle Database and Apache Cassandra integrations now support assuming an AWS IAM role to connect to AWS Secrets Manager to retrieve credentials for database-level extraction.
Microsoft Azure: Azure AD Users now have the Last Successful Login attribute.
SCIM: Added support for authentication using OAuth 2.0 client credentials for SCIM integrations.
SQL Server: Now gathers and shows user permissions on system databases such as master, model, and tempdb.
Workday: Added support for hiding sensitive built-in Worker attributes by specifying Properties to Redact when configuring the integration. Hidden attributes appear as REDACTED in search result columns and Worker details.
Orchestration Actions: You can now configure multiple Jira Orchestration Actions for the same host.
SwiftConnect: Now indicates how Access Credentials are assigned by mapping Access Levels (roles) to Access Profiles (users).
Open Authorization API: The Custom Application template now supports a Configured Permission entity, used to model the individual permissions configured for each local role in the application.
Privacera: Added support for self-managed Privacera instances using a custom CA certificate and local URL.
Integrations: You can now edit an integration directly from the integration details view.
Integrations: The last time a data source was updated is now shown in a column on the Integrations page.
Manager Portal: The Direct Report dropdown on the Quick Review page now uses auto-complete to suggest users to filter by.
Global Navigation Enhancements: You can now browse Veza products and features from a new global sidebar, which can be collapsed to focus on the current task. Clicking the navigation icon for each feature opens the primary landing page for Access Visibility, Access Intelligence, etc., with the option to open individual sections and features from links in the top bar.
Graph Search: In Graph search, the Explain Effective Permissions sidebar action now shows the individual effective permission node and its mapping to corresponding system permissions.
Lifecycle Management: From the Identity tab, you can now navigate directly to Graph search to show that entity's relationships.
Lifecycle Management: A toggle on the Integrations page can now be used to enable Lifecycle Management for any Open Authorization API-based integration.
Query Builder: You can now apply a filter on any source or destination attribute by clicking the filter icon at the top of any Query Builder column.
Query Builder: You can now use the Open in Graph option to search for destination entities when Show <Destinations> is enabled. Open in Graph is also now supported when Summary Entities are specified for the query and enabled in the results view.
Query Details: Risk explanations can now use markdown for rich text formatting.
Risks: Entity risk scores now appear red when the risk score exceeds 90.
Overview of platform enhancements from August-December 2023
The latter half of 2023 at Veza has been a journey of continuous innovation marked by a series of 25+ integrations and 40+ new features and capabilities. All these aim to fortify our Identity Security Platform for enterprise-wide access governance and introduce industry-leading features and functionality across product areas.
New integrations for Azure Cognitive Services, GitLab, OpenAI, New Relic, Solarwinds, YouTrack, and Rollbar.
Introduction of Dashboard Trends View with exports.
New Query Details page for saved assessments.
Enhanced Report Export to include all related entities and attributes.
Comprehensive Veza Analytics.
Access Reviews: option to filter by individual users and link to filtered views.
Major performance improvements in bulk actions and certification results.
Preview API operations for creating Workflows and Certifications.
Smart Actions API enhancements for Access Reviews.
Query Pipeline feature for complex filter construction.
Enhanced Tagged Entity Search with detailed views and export capabilities.
Snowflake Tags discovery and extended attribute support for Microsoft AD and AWS.
SCIM connector for user and group discovery.
Introduction of Audit Log APIs.
Launch of Veza Email Digests for critical information aggregation.
Multi-factor Authentication available for local users.
New integrations for MongoDB, NetSuite, Coupa, Slack, and Crowdstrike Falcon.
Introduction of Certification Action Log for detailed history tracking.
Mobile enhancements for Access Reviews, including swipe mode and Smart Actions.
Enhanced Certification Export for custom column selection and renaming.
Improved search for entities from Open Authorization API integrations.
Extended Microsoft Azure integrations with support for PostgreSQL, AKS, and Private Links.
Preview API for exporting Veza platform events.
New Integrations for Azure Privileged Identity Management (PIM) and PingOne.
Risk Scores: Introduction of Risk Scores enabling users to effectively sort and compare risks with fast time to value on risk reduction.
Tags in Query Builder: Enhanced filtering and review capabilities for entities with tags.
Query Builder and Graph Search enhancements:
Flexible selection of source entity types in Query Builder.
Introduction of relative date filters for future dates in Query Builder.
New Query Builder columns for System and Effective Permissions.
Advanced search capabilities in scenarios involving nested entity types.
Improved Graph readability with optional visibility of certain entity types.
Query Builder exports now reflect changes in column ordering.
Extended maximum length for saved query descriptions.
Multiple Destinations for UAR: Enhanced flexibility when defining Access Review scope across multiple systems.
UAR / Access Certification Scheduling: Support for automated access review using scheduling rules.
Automated Intelligence: Use historical data to automate approvals or rejections for Access Reviews.
Veza Lifecycle Management: Policy-based provisioning and de-provisioning engine for Workday, Microsoft Active Directory, and custom identity providers / HRIS systems.
CSV Import: Ability to create custom providers and populate data sources from CSV files.
Extended support for Microsoft SharePoint Online Lists, Snowflake role types, AWS RDS MySQL system tables, and NetSuite insights.
API Keys for Teams: Introduction of non-root, read-only API access scoped to teams.
New integrations for Microsoft Dynamics 365, Terraform, Google Cloud SQL, and UKGPro.
Time Machine for UARs: Introduction of Access Certifications based on historical Authorization Graph data.
Details Sidebar: New sidebar for efficient navigation and decision-making during reviews.
Attribute Filter Combinations: Access Review queries can now use combinations of attribute filters with AND or OR operators.
Nested constraints: Added support for two levels of AND and OR operators for attribute filters, enabling more complex queries.
Filtered Permissions columns for Segregation of Duty (SoD) violation remediation.
Support for Kubernetes services on Google Cloud (GKE) and Microsoft Azure (AKS).
Active Directory support for cross-domain relationships.
Teams for role-based access control to Veza (now generally available).
New identity mapping configurations for correlating accounts across providers.
New integrations for Confluent Cloud, 1Password, and Privacera.
Notes for Risks: Ability to annotate risks and exceptions with custom notes and suppression reasons.
Risk Descriptions: Full explanations for built-in “critical” and “warning” risk assessments.
Access Review for individual users: Option to automatically open the Show Users list for filtering certifications on a single identity.
Risk Score Details: New modal explaining risk score calculations in Query Builder.
Support for gathering Okta MFA Factor Types.
Role Assignment Based on SSO Group Assignments: Ability to assign roles in Veza based on authorization provider group assignments for SSO users.
Access Reviews APIs and webhook payloads enhanced to include intermediate entities.
Optimized Query Builder export performance.
Access Reviews:
Streamlined mobile experiences for access reviewers including swipe mode, filtering, and bulk actions.
Single Approve & Sign Off action for faster Access Certifications.
Added Grouped columns in certifications for better organization and readability.
Attributes for waypoint entities in Certifications for enhanced decision-making.
Certification exports now include additional decision-related columns.
Veza Search Improvements:
Continued unification across Query Builder, Access Reviews, and Authorization Graph search interfaces.
Enhanced the Save Query wizard for easier query management.
Improved Graph visualization of equivalent AWS Policy Statements and “Deny” relationships.
More entity types are now hidden by default for improved Graph readability.
Added alphabetical ordering when adding search constraints and enhanced filters for timestamp-type attributes.
Search sidebars are now collapsible when reviewing the search results.
Navigation and Usability Enhancements:
Revamped main Veza navigation for easier access to features and integrations.
New dashboard visualizations for critical integrations.
Added Identity Provider IDs in tooltips to support environments with multiple instances of the same integration type.
Clicking a tag (Veza Tags, AWS Tags, GCP Tags, etc.) now opens a tag overview page.
The Risks tab now includes entity IDs, suppression reasons, and notes.
Reports can now be modified directly from the Dashboards they appear on.
User Design Improvements:
Increased consistency across the UI for major components like creation wizards, tables, tabs, and dropdowns.
Refreshed and improved Integration Management experience on Configuration pages.
Simplified process for adding team members and roles on the User Management and Teams pages.
Renamed product sections and navigation for enhanced clarity.
Introducing a revised and simplified workflow for adding and managing Veza integrations.
We're excited to share some upcoming improvements to Veza Integrations, with a fully overhauled user interface for integration management soon to be released for all customers. While fundamental concepts are the same, the steps to set up an integration are streamlined and simplified. We've also modernized and updated many aspects of the experience, aimed to improve the first interactions that many users have with the Veza platform.
Highlights of the changes include:
New table view for managing existing integrations
Enhanced search capabilities and quick filter cards for the Integrations list
“View Dashboard” quick links for each integration type
New catalog view with categories to help admins find integrations quickly
Full-screen layout for configuring specific integrations
New Integration details view
We hope you enjoy the latest changes and would appreciate your input and questions. Please reach out to the Veza support team with your feedback, and thank you for your ongoing partnership.
We've significantly improved the overall flow for adding new integrations. Basic concepts are unchanged, but the steps to set up an integration are streamlined and use a modern UX. We've also grouped integrations to make them easier to locate.
Adding an integration now involves fewer clicks overall, with a new overview page showing all the integrations that can be enabled on Veza. You can choose from integrations by type, choose a popular integration, or quickly search for the integration you're looking for.
You can now configure integrations from a single page, with no switching between tabs. Required fields and hints are provided for easier configuration. A single-page workflow is now available for choosing individual services to discover, adding custom mapping configurations, and defining any optional properties to extract.
It's now easier to get a full overview of all integrations, or zero in on the most important ones. You can use new controls to filter the list of added integrations by name, type, or status with improved dropdown menus.
Some of the options on this page are reorganized to make common actions more accessible, with more choices available under the Actions dropdown. Clicking View Dashboard now opens the integration on the analytics page for more details about the discovered entities.
Learn more about the latest changes to improve the reviewer interface for Veza Access Reviews.
An updated reviewer UX is now available for all customers using Veza for Access Reviews. We’ve responded to your feedback and simplified the interface to save reviewer time and simplify decision-making when rejecting or approving rows.
To make it easier for reviewers to focus on actionable items, rows that aren't assigned to the current reviewer are now hidden, along with rows that are signed off. You can now optionally show these relationships using the Filters menu.
Users with the Access Reviewer role can still only see rows they are assigned as a reviewer.
In the original design, reviewers could sign off on multiple rows using a Smart Action, which applied to all rows matching the filter criteria. We've removed this additional step, so reviewers can now approve, reject, add a note, or re-assign reviewers by applying a filter and selecting some or all rows to apply a change to.
It is now possible for reviewers to select all items in a review, even across multiple pages. This is useful when performing a bulk action on a large number of items spanning several pages.
Reviewers can now finalize decisions in bulk using the Sign-off button above the results, which can apply to all rows with decisions or the current selection. Reviewers no longer need to sign off on individual rows, saving time and reducing screen clutter.
You can now quickly open the row details in a sidebar to inspect attributes and apply a decision using keyboard shortcuts.
Additionally, progress indicators and review details now take up less screen real estate. We've cleaned up the interface for a sleeker presentation overall, and improved responsiveness and consistency when selecting and acting on rows.
Summary of usability and design enhancements from `2024.2.x` releases.
Recent Veza releases feature a range of improvements for product usability and changes in product design. We've heard your feedback, and our design team is committed to improving your experience, making features more intuitive to use, and boosting efficiency and productivity across the Veza platform.
This month's updates focus on improved navigation, deeper insights, and refined Access Reviews and Lifecycle Management features. We hope that these improvements will empower you with better tools and a streamlined interface for understanding and managing access controls with Veza.
As always, your guidance is welcome as we incorporate your insights into our iterative development efforts. See the rest of this update to learn about recent improvements, and please reach out with your feedback and questions.
Veza Platform
Access Search and Intelligence
Details for Queries with Risks: On the Access Intelligence > Risks > Queries with Risks page, you can now click on the small graph next to each query to open an expanded view of changes in results over time.
Snowflake Data Governance and Salesforce Access Security Dashboards: Two new dashboards are now available, providing tailored insights into inert users, roles and role access, and least-privilege anti-patterns.
Access Reviews
Access Reviews Terminology Changes: Based on customer feedback, we've updated the legacy term for the original query and settings from Workflow to Review Configuration. A single instance of access review for that configuration (previously a Certification) is now a Review.
Access Review Builder: The Access Reviews workflow creation modal now uses a step-by-step wizard for adding a description, specifying the query, and configuring email notifications and orchestration actions.
The full text is now consistently shown when hovering over results in Access Reviews containing long strings.
Expired and completed Reviews now support the row actions View Action Log and See Row Details, providing additional information about results in past Access Reviews.
Lifecycle Management
Pending Tasks: Added a new page showing jobs queued for future execution based on a provisioning policy, including the scheduled time, job type, and provisioning source and target.
Event Log Filtering and Column Improvements: Added the option to filter the list of completed provisioning events by user name and event type. The Timestamp column is now shown on the left and can be resized. Column width is optimized for better readability.
Welcome to the April product update! It's been a busy spring for Veza as we welcome a new design team and grow the engineering and product teams to better respond to your needs.
This month includes several significant changes, including a refreshed experience for access reviewers, a detailed saved query view, new integration capabilities, and a range of enhancements across product areas. These are all intended to provide visibility and control over more potential scenarios, risks, and integrated systems, and improve the overall experience for new and experienced users.
We humbly welcome your feedback and are excited to share a summary of the latest changes. Please read on to learn more about the latest improvements for each product area:
Enhanced Dashboards Design: For improved visual clarity, the Snowflake Data Governance and SFDC Access Security Dashboards now show individual tiles for each featured query. You can click any tile for an expanded view of the results over time or open the results in Query Builder.
Risks Usability: You can now filter and sort the Risks page by label or integration, and search by risk name or query name.
Enhanced Query Details View: Details for dashboard tiles and saved queries provide a streamlined view to analyze results, visualize trends, and understand risk and query details (Early Access).
Risk Insights: Refer to extended query and risk descriptions for additional insight into why the results matter.
Trend Analysis: Visualize changes over time for patterns and anomalies or export for use outside Veza.
Detailed Results View: Review the latest results and entity details, with familiar options to filter on any attribute and show or hide columns.
Authorization Graph - Show or Hide Indirect Access: You can now filter relationships where access is granted indirectly, such as by role assumption or membership in a child group. Use Advanced Options > Include Assumed [Intermediate Entity Type] to filter on source entities with direct access to the chosen entity type and exclude any relationships where a nested group or role is in the path between source and destination.
Authorization Graph - AWS Unsupported Condition Icons: AWS entities in Graph search now have an icon to indicate if the Unsupported Condition property is True. This attribute shows when the relationship involves a policy statement unsupported by Veza’s effective permissions parser.
Integration Last Extraction Time: All entities now have a Datasource Last Extraction Time attribute indicating when Veza last refreshed metadata for the host data source.
Last Push Date for OAA Integrations: To enable queries and alerts based on the last metadata refresh for a custom application or identity provider, entity type groupings for OAA-based integrations (such as Custom Resource) now support filters on the Last Pushed At attribute.
Query Builder - Filters: Attributes containing lists now support filters with Exists and Not Exists operators to identify results where these attributes contain any data or no data.
Enhanced Access Reviewer Experience: An updated access reviewer UX is now available in Early Access. We’ve responded to your feedback and simplified the interface to save time and streamline decision-making when rejecting or approving rows:
Simplified Review: We now hide any rows that are signed off or not assigned to the current reviewer, making it easier to concentrate on pending tasks. Reviewers can switch modes to show unassigned rows whenever needed.
Improved Bulk Actions: Reviewers can now run bulk actions on the current filtered view or all of the rows in the review. Combined with filters, this offers an intuitive way to update rows based on specific criteria, replacing the old “Smart Action” experience.
Simplified Sign-off: Instead of signing off rows individually, reviewers can now select many rows and apply decisions with a single click. This change saves screen space and reduces the likelihood of users forgetting to sign off on decisions.
Visual Interface Improvements and Stats Display: Reviewer statistics and progress indicators are displayed more concisely, and we've cleaned up the interface for a sleeker presentation overall.
Enrich with IdP/HRIS metadata: Reviews can now include information about the human resource information system (HRIS) employee profiles or identity provider (IdP) user identities mapped to local users in the query results. For example, you can use this option to show details about Workday Workers associated with Okta Users when reviewing Okta User > Okta Application access (Early Access).
Filter Enhancements: Reviewers can filter rows by attribute using multi-valued OR statements (such as Username is Value1 OR Value2 OR Value3).
Link to Filtered Views: Reviewers can now copy a share link that includes the active filter settings, which apply when loading the URL.
Tags in Access Reviews: For visibility into both provider-native tags and tags created in Veza, review configurations can include optional columns showing the tags applied to source and destination entities.
Digest Emails: For better visibility into lifecycle management actions, admin users can opt into Provisioning Digests on their Profile page. These scheduled email notifications summarize successful and failed events for the day, week, or month.
Provisioning Events: The Lifecycle Management activity log now includes a Changes Only toggle to filter on actions that resulted in changes in the target system.
Action Scheduling: You can now configure provisioning and de-provisioning actions to trigger based on a target field such as “Hire Date” or “Termination Date.”
Provisioning Targets: Added preliminary support for Salesforce and SCIM as targets for lifecycle management.
BitBucket Cloud: New integration for discovering Bitbucket Cloud Workspace Projects, Repositories, Groups, Users, Roles, and Permissions.
Palo Alto Networks: New integration for discovering applications, users, roles, and permissions for Palo Alto Networks Prisma SASE.
Salesforce Roles: Improved visibility and added support for parent-child relationships between Salesforce User Roles in Graph search. An icon next to the entity name indicates when a role has hierarchical connections to other roles. Clicking a Salesforce User Role to View Hierarchy on the graph actions sidebar shows all related roles and the order of the hierarchy.
Contained Resources for Okta Admin Roles: The Okta integration now creates Okta Constrained Resource and Constrained Resource Set entities to indicate the resources associated with each admin role.
Snowflake Secondary Roles: Veza now collects the Default Secondary Role attribute for Snowflake Users. If using an alternate system database, you must drop and re-create `USERS` to include the `default_secondary_role` column.
Google Cloud Deny Policies: Effective permissions for Google Cloud Platform now account for Deny Policies, which prevent specified principals from using the denied permissions, regardless of other assigned roles. To support this capability, the GCP integration role requires new API scopes `iam.denypolicies.get` and `iam.denypolicies.list`.
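The precedence described above (a deny rule removes permissions regardless of what allow-policy roles grant, unless the principal is listed as an exception) is easy to get wrong when answering "who can do X" from role bindings alone. The following is an added example, not Veza's effective-permissions parser: a simplified model with constructed role bindings and a constructed deny rule, using allow-policy-style identifiers rather than the v2 identifier formats real deny policies use.

```python
"""Simplified model of how a GCP deny policy changes effective permissions.

Added example with constructed sample data; not Veza's parser. Principal and
permission identifiers are simplified to the allow-policy style ("user:...",
"storage.objects.get"); real deny policies use the v2 identifier formats.
"""
from dataclasses import dataclass, field

# Marker for a deny rule that targets every principal (constructed shorthand).
ALL_PRINCIPALS = "all"

# Constructed sample: role -> permissions it grants (abbreviated lists).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.admin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.delete", "storage.buckets.delete",
    },
}

# Constructed sample: allow-policy bindings on one project (principal -> roles).
ALLOW_BINDINGS: dict[str, set[str]] = {
    "user:alice@example.com": {"roles/storage.admin"},
    "user:bob@example.com": {"roles/storage.objectViewer"},
    "serviceAccount:ci@example.iam.gserviceaccount.com": {"roles/storage.admin"},
}


@dataclass
class DenyRule:
    """One rule of a deny policy: denied principals, denied permissions,
    and principals exempt from the rule."""
    denied_principals: set[str]
    denied_permissions: set[str]
    exception_principals: set[str] = field(default_factory=set)

    def applies_to(self, principal: str) -> bool:
        targeted = (ALL_PRINCIPALS in self.denied_principals
                    or principal in self.denied_principals)
        return targeted and principal not in self.exception_principals


# Constructed sample deny policy: nobody may delete buckets, except alice.
DENY_RULES = [
    DenyRule(
        denied_principals={ALL_PRINCIPALS},
        denied_permissions={"storage.buckets.delete"},
        exception_principals={"user:alice@example.com"},
    ),
]


def allowed_permissions(principal: str) -> set[str]:
    """Permissions granted by allow-policy role bindings only (deny ignored)."""
    perms: set[str] = set()
    for role in ALLOW_BINDINGS.get(principal, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions(principal: str, deny_rules=DENY_RULES) -> set[str]:
    """Allow-policy permissions minus anything a matching deny rule removes.
    Deny wins even when several roles grant the permission."""
    perms = allowed_permissions(principal)
    for rule in deny_rules:
        if rule.applies_to(principal):
            perms -= rule.denied_permissions
    return perms


def principals_who_can(permission: str, deny_rules=DENY_RULES) -> list[str]:
    """The 'who can take this action' question, answered after deny rules."""
    return sorted(p for p in ALLOW_BINDINGS
                  if permission in effective_permissions(p, deny_rules))


def deny_impact(deny_rules=DENY_RULES) -> dict[str, list[str]]:
    """Per principal, the permissions a deny policy actually removes; useful
    for checking that a new deny policy changes what you expect."""
    impact: dict[str, list[str]] = {}
    for principal in ALLOW_BINDINGS:
        removed = allowed_permissions(principal) - effective_permissions(principal, deny_rules)
        if removed:
            impact[principal] = sorted(removed)
    return impact


if __name__ == "__main__":
    print("bucket deleters (allow only):",
          sorted(p for p in ALLOW_BINDINGS
                 if "storage.buckets.delete" in allowed_permissions(p)))
    print("bucket deleters (with deny):", principals_who_can("storage.buckets.delete"))
    print("deny impact:", deny_impact())
```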
Administration APIs: Added new endpoints for creating and managing Veza users and teams.
User Management: You can now export the list of users and filter by team or role. The users list now shows assigned roles and user creation dates.
Events: Password and multi-factor authentication resets now appear on the Veza Events page.
SAML Single Log-out: Administrators can now copy the Veza single log-out URL when enabling SAML.
Our design team is growing, and we have big plans for the months ahead. Key focus areas include a better new user experience, an improved integrations view, better dashboards, and improvements to Access Reviews and Lifecycle Management. Our latest work aims to improve navigation, design consistency, and usability throughout the product.
Access Reviewer Experience: The new access reviewer UX simplifies the review process by focusing on pending tasks and enabling bulk actions. We’re also planning improvements for manager-oriented views and making it easier to view all access for a single user.
Query Details: We've added a streamlined view for analyzing results in the Query Details view. This includes better visualization of trends and a simplified table view for inspecting and filtering entities in the results.
Enhanced Dashboards: Redesigned home page Dashboards now feature individual tiles for each query. Users can expand these tiles to view detailed results over time, view details and results, or edit in the Query Builder.
Upcoming: Revised design for Veza Integrations and Lifecycle Management
Highlights and major changes in Veza 2024.9.x releases
Welcome to the September product update! The past month featured a range of enhancements and new features across Veza's products with highlights including:
Advanced Access Intelligence: Enhanced enrichment rules (privilege permissions, non-human identity entities, and more).
Access Portal: A new details tab shows user access and permissions to individual resources. This is part of the Advanced Access Intelligence product.
Access Reviews: New Quick Builder for fast and simplified review configuration, digest notifications, multi-level review and sign-off support, and new role and group analytics for reviewers.
Lifecycle Management (LCM): Additional actions for workflows including removing personal devices from Intune and initiating email and webhook-based actions as part of a workflow to trigger external onboarding or offboarding processes, and improved logging and event exports.
Veza Integrations: New integrations for Oracle JD Edwards EnterpriseOne (JDE), Oracle E-Business Suite (EBS), Teleport, Microsoft Intune, and Microsoft Power BI bring the total Veza integrations to 250+.
Veza Platform: Introduced team-based API keys and the ability to map federated identities and roles for Veza teams during single sign-on.
Please read on for more details about specific changes in each product area, and please reach out to your Veza representative with any questions or invaluable feedback.
Major Enhancements to Enrichment Rules:
Enrichment rules allow you to identify important entities, such as privileged roles, critical resources, and non-human identities by applying special attributes, which you can use to create queries, define rules and risks, and scope access reviews. The criteria for enrichment can include attributes (such as a naming convention for non-human service accounts), specific access granted by a role, or a particular relationship between entities.
Now Available for Critical Resources: Administrators can define enrichment rules to distinguish resources by criticality level using the Integrations > Enrichment page. Based on these rules, resource-type entities will now have the built-in attribute Criticality Level set to low, medium, high, or critical.
Now Available for Custom Integrations: Enrichment rules for identifying privileged roles, critical resources, and non-human identities now support custom integrations built with Open Authorization API (OAA).
Improved Enrichment Rule Administration: It’s now possible to disable enrichment on a per-rule basis. Once you disable a rule, the enriched entity attributes are removed. For example, if an enrichment rule marks a particular Snowflake Role as privileged by setting the Is Privileged attribute to True, the attribute will be empty if the rule is disabled.
On-Demand Reviews: Users can now set up Rules using saved queries to trigger one or more on-demand reviews, using the specified review configuration, duration, reviewers, and optional second-level reviewers and Review Intelligence Policies. You can enable on-demand reviews for an existing query on the Save Query > Create Rule tab.
Scheduled CSV Export via Email: You can now schedule query exports with the option to Export to CSV in Email with Secure Link (supplementing the original option to export query results to an external database). The recipient will receive an email at the scheduled intervals, containing a link to log in to Veza and download the table of results.
Access Portal – Resource Details View: When viewing access for a direct report, managers can now use the My Access > Resources tab to see the individual resources and details, including the effective permissions for each resource. Selecting a resource type on the My Access > Overview summary now opens the Resources tab filtered on that resource type.
Intermediate Group/Role Attributes in Query Builder: For queries using the Summary Entities option to show relationships between intermediate roles, groups, or other entity types in the path connecting a query source and destination, results now include columns showing the attributes of each intermediate entity. You can show or hide these column groups using the column selection dropdown menu, with any visible columns included in query exports.
Improvements for Entity Type Groupings: Queries that use an entity type grouping (such as User or Resource) as the source or destination now return all properties on entities within the selected grouping (before, only name, id, and type were included in results). Tag filters can now be applied to entity type groupings, and will apply to entities of all types with a matching tag.
Enhanced Tags in Query Builder: You can now choose individual source or destination tag keys to show and export in dedicated columns, supplementing the original Include Source/Destination Tags option to return all tags in a single column.
Performance Enhancements: Improved performance when loading dashboards and selecting related entity types for users from custom applications.
Review Digest Notifications: Digest notifications can now be enabled for Access Reviews. When enabled, reviewers will get a single, consolidated notification message reminding them of outstanding reviews to complete. Administrators can control the frequency at which reviewers receive digest notifications.
Review Configuration Quick Builder: Administrators can now quickly define the scope of a review configuration using a simplified Quick Builder to choose from a list of applications and common review scenarios. The builder currently supports Active Directory, Entra ID (formerly known as Azure AD), SharePoint, Okta, Salesforce, Snowflake, AWS, and NetSuite.
Result Enrichment for Access Review Rows: When enabled in a review configuration, enrichment metadata from an IdP or HRIS provider is now included in API responses and webhook payloads. Any tags on source and destination entities are also included if the Show Tags option is enabled.
Multi-Level Approval and Sign-Off: Administrators can now configure multiple levels of review when creating new access reviews. When enabled, two levels of review and sign-off must finish before decisions for rows in the review are considered final.
Role and Group Analytics: Access Reviews now support analyzing the entitlements granted by destination groups/roles when reviewing user-to-group and user-to-role assignments. In the reviewer's interface, you can now inspect each accessible resource, including the risk level, any permissions, and recent access status, by expanding a row in the sidebar and opening the Details tab.
Review Intelligence Policies: Administrators can now configure rules to highlight rows or suggest default approve or reject decisions using a new `display_style` action for the Automations API.
De-Provisioning Actions: Added support for removing Intune personal devices when de-provisioning Azure AD users.
Notifications and Webhooks: Administrators can now configure email notifications and webhooks for individual actions in a workflow, in addition to email and webhook settings for the parent policy.
Identities: The Identities table for viewing details and events for individuals is now part of the top navigation and is no longer shown within the policy view.
Event Logs: Administrators can now use the Workflow Tasks table to view full details for workflows executed on an identity.
Event Export: Events shown in the Activity Log can now be exported to CSV or PDF.
Adobe Creative Cloud: New integration for gathering users and groups in Adobe Creative Cloud Enterprise accounts.
Jamf: Administrators can now configure the Jamf integration using a custom URL and port for connectivity.
Privacera: The Privacera integration now supports configuring a signed CA certificate and a custom Privacera instance URL.
Workday: Administrators can now enable the option to skip extraction of inactive Workday Workers.
Microsoft SharePoint: Added support for limiting extracted SharePoint Sites.
Google Cloud: Added support for configuring Workload Identity Federation for integration connectivity, as an alternative to using service account keys.
Global Navigation Enhancements (Early Access): You can now browse Veza products and features from a new global sidebar on the left side of the screen, which can be collapsed to focus on the current task, and features updated visuals to better align with Veza's public branding.
Clicking an updated navigation icon opens the primary landing page for Integrations, Access Intelligence, Access Reviews, and other top-level products, with the option to open individual sections and features from links in the top bar.
These changes are part of our ongoing initiatives to enhance the Veza user experience. Please reach out to our support team to enable the new user experience, which will be rolling out to select customers over the coming weeks.
Access Visibility Improvements
Graph Zoom In/Out with Keyboard & Mouse Gestures: Graph search now supports zooming in and out by holding CMD/CTRL and scrolling, using pinch zoom, and using the keyboard + / - keys (press 0 to reset). Scrolling the results view is now possible using the keyboard arrows.
Enhanced Saved Queries Browsing Experience: After paginating to the 3rd page of Saved Queries and clicking into a query on that page, the browser's back button now opens the last visited page (instead of directing back to the first page of saved queries).
Descriptions for Entity Type Groupings: Users can now get a description of the selected entity type grouping by hovering over an info icon.
Access Intelligence
New Home Page for Access Intelligence: The Analytics overview is now the default landing page when navigating to Access Intelligence. Use this page to review a summary of all the entities Veza has discovered, get insight into top data sources, and review total risks, rules, and alerts for each integration.
Remediations Details on the Risks Page: The Queries With Risks page now has a Remediation column indicating Yes when the risk has a remediation available. Clicking on the link opens the remediation details in a sidebar.
Risk Score Details in Access Search: Risk Scores shown in Graph search are now clickable, opening the risk score details for more information about the associated risks.
The Veza User’s Guide includes product documentation for all our products, platform, integrations, and enhancements:
Survey of major features and product enhancements across `2024.2.x` releases.
We’re excited to present the latest product update. Our engineering, product, and design teams have worked relentlessly to introduce features and enhancements to all our products, including Access Intelligence, Access Reviews, and Lifecycle Management. We've also added integrations and hardened existing integrations to support a growing range of customer environments and use cases.
At a glance, the changes include:
Access Reviews: Usability enhancements, including enhanced terminology, better visibility into access review decision history, and support for editing saved Access Review configurations.
Access Intelligence: Faster time-to-value with new Out-Of-The-Box (OOTB) dashboards for tailored insights into Snowflake and Salesforce authorization.
Lifecycle Management: Enhanced ability to review past event logs and pending provisioning or de-provisioning actions.
Platform: Added support for creating team-scoped API keys for programmatic access by non-root team members.
Below are detailed updates for each product area:
Access Intelligence
Snowflake Data Governance Dashboard: OOTB Snowflake insights are now available, including inert users, roles, role access, and least-privilege anti-patterns.
Salesforce Access Security Dashboard: A new OOTB dashboard for Salesforce is added, including analyses of Salesforce users, privileged access, and profiles/permission sets.
Jira Alert Details: Direct issue links for associated Jira Orchestration Actions now appear on the Alerts page for improved tracking and remediation.
Expanded View of Per-Query Risk Trend Line: You can now click for an expanded view of the change trend line over time on the Risks > Queries with Risks page.
Access Reviews
Terminology Changes: Updated terms from Workflow to Review Configuration and from Certification to Review for clarity and consistency.
Edit Review Configuration: Access Review owners can now edit existing Review Configurations to update the query, orchestration actions, and settings for reminder email and notification.
Action Log in PDF Exports: You can now include decision history for each row as an optional column when exporting a Review to PDF.
Decision Details: Reviews now include optional columns indicating the reviewer who made the decision and the decision time.
Lifecycle Management
Event Log Filtering: You can now filter the list of provisioning or de-provisioning events by user name and event type.
Pending Tasks: You can now preview jobs queued for execution based on provisioning policies.
Veza Integrations
Oracle Fusion Cloud: New integration where Veza discovers users, role assignments, permissions, and Security Contexts.
Jira Data Center: New integration where Veza discovers projects, users, groups, and roles for Jira Software Data Center.
Okta Group Rules: Added support for Okta group rules which grant permissions based on user attributes or group memberships.
Box Effective Permissions: Improved visibility into effective permissions for Box roles.
AWS Identity Center Account-level Permission Sets and Role Trust Policy Evaluation: Improved the evaluation of IAM Role trust policy for AWS Permission Set assignments and cross-account role assumption.
LastPass Roles: Added support for user and folder roles based on sharing settings in LastPass.
Coupa User Attributes: Added more filterable attributes for Coupa users.
GitHub SAML Name IDs: Added support for the `saml_name_id` user attribute for Custom Identity Mappings.
Okta App Status: Added the `status` attribute for Okta App entities, indicating if an app is active.
Microsoft Azure Role Assignment Details: Added additional scope attributes for Role Assignment entities in System query mode for Microsoft Azure.
Veza Platform
API keys for Non-Root Teams: Users can now create API Keys scoped to their non-root team role. In the API Keys page, one can see a list of all keys available for the user’s active teams.
By Tarun Thakur, Co-Founder & CEO, Veza
At Veza, we are building The Identity Security Platform for Enterprise-Wide Access Governance. Identity is a business problem and the beyond IAM era is here. Organizations have lots of business initiatives with IGA, PAM, IAM, SaaS Access Security, Unstructured Data Governance, Machine Identity Management, and more - all rooted to help them secure identity access to data across the enterprise. The key is helping organizations understand - who can take what action on what data. We believe just like SSO and MFA became the standards of authentication, now is the time to take RBAC, the purest form of identity data to secure access to data everywhere.
In the first half of 2023, we launched 50+ new features, 50+ new integrations, and tons of product usability focused enhancements. Huge push on product design, and we are barely getting started. These new features and capabilities across the entire identity access fabric of - graph, search, visibility, monitoring, request, and access lifecycle. THANK YOU to our engineering teams that are hard at work to deliver product requirements and innovations at a breakneck speed, and most importantly thank you to our customers and partners who are pushing us on this pace of product innovations. To all Cookie Monsters, LET’S GO!
Integrations: Bitbucket, Jira Server, Box, ServiceNow
Built-in insights for OAA integrations, Snowflake, AWS, Salesforce, and more
Fully customizable Reports (Public/Private), New dashboards
Access Reviews: Certifications can be drafts or in-progress
Integrations: AWS Lambda, AWS Cognito
Search: improved graph visualization of hierarchical relationships (Snowflake)
Search: improved graph visualization of Deny permissions, and AWS Permission Boundary
Search: “AND” of multiple paths to the same resource
Search: Cross-Entity filters (e.g., show me all AWS IAM roles which can assumeRole into a different AWS account)
Insights: Filter saved queries by keyword / label / integration
Access Monitoring: create rule triggers based on OPAS change (over privileged access score)
Access Reviews: Review direct/indirect access (love the nested roles!)
Access Reviews: Reviewer usability enhancements
Integrations: GitHub Enterprise, NetSuite
SaaS Misconfigurations: New Salesforce Misconfigurations dashboard
Search: Risks now available in Search and Query Builder results
Search: search for the relationships of entities with the same entity type (e.g., Role to Role)
Insights: Access Risks dashboard summary
Access Reviews: show tags in Certification / Attestation results
Integrations: AWS EKS, Veza, Workato, OneLogin (Groups, Roles, and Apps)
Integrations: Support identity correlations with more mapping transformations
Integrations: Support cross-organization permissions for Google Cloud (GCP)
Integrations: Extended attribute support for Active Directory (AD)
Search: Graph search now allows finding the users who have certain entitlements in more than one enterprise system (e.g., understand all the Okta users who can delete S3 buckets and AWS EC2 instances)
Search: Path summary query in Query Builder
Insights: new report collections - Privileged Access Dashboard and Cloud IAM Dashboard
Access Monitoring: create rule triggers based on attribute changes
Integrations: AWS Secrets Manager, Confluence Cloud, Windows Server
Search: Show or hide indirect access in query builder
Search: Improved Graph visualization for AWS IAM "deny" relationships
Insights: Native Segregation of Duty (SoD) Builder
Insights: Add and manage rules for Saved Queries
Access Reviews: Reassign reviewers, approve and sign off on mobile
Product Design and Usability: Consistent permissions filters for Access Reviews, Graph, and Query Builder
Native Integrations: AWS Elastic Container Repositories (ECR), Workday HCM
OAA Integrations: Trello, Hubspot, Tableau Cloud, and Windows File System, Egnyte, IronClad, FiveTran, Celonis, Sigma Computing, Zapier, Envoy, Twingate, Harness.IO, and ThousandEyes.
Search: All Users, Resources, Identities, or Service Accounts as searchable entities.
Search: Support AND/OR for attribute filters
Search: Show destination entities and summary entities
Insights: New User Comparison for Permissions
Insights: New Query Details view
Insights: New SaaS misconfigurations reports for GitHub, Jira Cloud, and Bitbucket Cloud
Access Reviews: Access Reviews and Entitlement Certifications at enterprise scale
Significant operator and review experience enhancements for certifications through data visualizations and charts to show certification progress and status.
Mobile experiences for access reviewers now include filtering and bulk actions with intuitive buttons and fewer clicks.
Search is hard. The art is to make search beautiful, intuitive, and valuable.
Unification across sidebars for Query Builder, Access Reviews and Authorization Graph and a newly added ability to collapse the sidebar.
Intuitive charts in Dashboard to show critical insights of important integrations (Github, Snowflake, Salesforce, AWS, GCP, etc).
Trend charts on Risks landing page to show the overall risk trend for critical risks and warning-level risks.
Alerting rules can now be created with user-friendly wizards.
Insights Analysis now has a query builder at the top of the landing page that allows customers to manipulate the query more easily.
Revamped Navigation for Configurations, which now provides a quick way to search, filter, and take actions on enterprise integrations.
Tags (Veza Tags, AWS Tags, GCP Tags, etc.) are now clickable throughout the product which will lead to a tag detail page where you can focus on details of an individual tag.
Increased consistency throughout the UI for major components (creation wizards, tables, tabs, and dropdowns).
Ability to add labels, create rules, and add a query to a report directly from the Save Query wizard.
A universal navigation bar is now available in Early Access. We’re excited to share the changes and deeply appreciate your feedback on our latest designs.
We're excited to announce a fully overhauled approach to navigating the Veza platform, currently available in Early Access. Our new global navigation at Veza is intended to make it easier and faster to find what you're looking for while preparing the way for additional thoughtful product improvements in the future.
We understand this is a significant change for those of you who’ve worked with our platform for so long. We thank you and hope you enjoy the latest work from the Veza design team, which we hope will provide a more intuitive experience for new and old users alike.
Veza features are now available via a new top navigation bar for navigating between product areas, and a simplified left sidebar for accessing individual features.
Some old menu items are recategorized and placed in stricter product verticals. Important changes include:
The Integrations section for adding and managing data sources and providers is included on the top nav bar, and is no longer found under Configuration.
Entity Catalog, Tags, preconfigured Remediations, and user-generated Proposals are now part of Access Intelligence.
Administration pages such as Sign In Settings and User Management are now available under the System Settings section. Click the gear icon ⚙ to manage users, teams, and API keys, review Veza events, or configure SSO and tunable settings for your Veza platform.
Click the user icon 👤 on the rightmost side to open User Settings (previously your “Profile”). Here, you can update your password, enable authentication factors, or change your current team.
You can collapse the left navigation bar to create more room for the current dashboard, access review, or graph visualization.
Page URLs have not changed; bookmarks saved before activating the feature will continue to work.
Navigating between all products and features using a single sidebar could become overwhelming, especially after several years of continual feature development. Now, Veza’s sidebar only contains features and views for the selected product area. While developing the UX, we found that this helped users focus on the most relevant tools for their use case while retaining the option to easily transition between Access Reviews, Lifecycle Management, and Access Visibility and Intelligence functionality.
The new navigation UX is now active for select customers in early access. Please contact our support team to be part of the initial rollout. The new navigation will be enabled for all customers after we have gathered your feedback, with general availability planned for 2/15/2024.
Every month, the product team prepares a summary of major changes in recent releases. Below are some of the highlights from our 2024.1.x updates since the start of the new year.
We are always iterating to enhance our identity security tools and expand support across a wide range of software ecosystems. Additionally, we're focused on improving usability across the platform to provide a more intuitive experience for all users.
Please contact the Veza support team for more information, or to submit your invaluable feedback and feature requests.
Risk Scores for Authorization Graph: When showing Risks in Graph Search, a Risk Score now appears next to each entity's name for better visibility into relative risk across different entities in search results. The option to highlight risks in the Authorization Graph is renamed from Display Options > Risks to Display Options > Risk Scores.
Enhanced Filters for Lists: Filters on list-type attributes now support additional operators for matching based on the contents of any element in the list. For these attributes (such as Okta User MFA Factors or GitHub User Emails), you can now conditionally filter results where one list item Contains / Does Not Contain / Starts With / Ends With the input string or matches a regular expression. This enhancement complements the pre-existing Equals and Not Equals operators, which filter for exact matches across any list element.
Snowflake Data Governance Dashboard: A specialized dashboard is now available for customers using the Snowflake integration. The page offers a range of out-of-the-box insights, including visibility into changes and trends for:
Total inert users and superusers
Inert roles and super roles
Role access to data objects (schema, database, table)
Deactivated IdP users with Snowflake Access
Vulnerabilities and least-privilege anti-patterns
Salesforce Users & Their Mapping to Identity Providers
Users with Privileged Access
SFDC Profile and PermissionSet Analysis
Top Profiles mapped to Users, and top Profiles with privileged PermissionSets connected to users
New Workflow Builder: The Access Review creation modal is now a step-by-step wizard for adding a description, specifying the query, and configuring email notifications and orchestration actions.
New Pages for Access Review Management: The landing pages are updated and modularized to simplify creating, viewing, and administering Access Reviews. The new UX includes a Review Actions dashboard similar to the previous access reviewer landing page, containing all active and completed certifications the active user can access. A new Reviews Configurations dashboard replaces the main page listing all configured Access Review Configurations. Opening a Configuration now shows a details page for managing individual Reviews, similar to the old View Certifications interface.
Attribute Filter Enhancements: You can now apply the Not Contains filter operator on attributes containing lists of values.
Export Decision Columns: You can now include decision-related columns when exporting a review, including the ID, Name, and Email of the user who made the update and the Decision Date.
You can now sort Reviews based on the contents of the Summary Entities column.
Improved Usability For Authorization Entities Sourced From OAA Integrations: Entities created with Open Authorization API (OAA) no longer have generic types such as Custom User or Custom Group. You can now create Access Reviews involving these entities as though they were sourced from a built-in integration (e.g. ZenDesk User, Trello User).
Dry Run Enhancements: Using the Dry Run option to preview changes based on the active Lifecycle Management policies now shows the changed attributes and the applicable provisioning rules.
Date-Based Provisioning Rules: User Mapping Rules now support new operators for conditions on attributes containing timestamps, so that actions can be triggered in relation to a date. You can now use On or After, On or Before, After, or Before to create rules that (for example) only provision users hired after a certain time.
Jira Enhancements: The outbound for Jira now provides more flexibility when creating tickets due to an Alert Rule or Access Reviews decision:
Default Assignee: The Jira Orchestration Action no longer requires a Default Assignee to enable the integration. Leaving this value blank will set Unassigned on created issues.
Configurable Fields: Jira orchestration actions can now create issues with additional system and custom fields. Tickets can have user-defined values for a limited set of System Fields (e.g. Component) and custom fields based on the specified field, type, and value.
Okta: Okta Apps are now included in Graph views when connected to an Okta user in search results (previously, these were hidden unless explicitly searching for Okta Apps).
Teams: Non-root teams can now access the Overview page and Analysis section, restricted to integrations in the team scope.
Audit Log API: The maximum page size when exporting events is now 10,000 (increased from 1,000 events per page).
System Settings: Added a user-managed option to toggle visitor redirection from the Veza home page to your Single Sign-On provider for log-in. This option appears when using SSO Auto-Redirect (Early Access).
New Access Reviews Builder and Landing Pages: Re-designed landing pages and wizards simplify the creation of Access Reviews, providing more natural flows for administrators, operators, and access reviewers.
New Governance Dashboards: We've introduced built-in landing pages with new queries and visualizations for better out-of-the-box insights, providing intuitive access to information without the need for custom search.
Dry Run Enhancements in Lifecycle Management: Additional details for Dry Runs help Administrators better anticipate and understand the impact of changes while planning and configuring provisioning rules.
Enhanced Filters for Lists in Access Intelligence: New operators for list-type attributes improve user ability to precisely filter search results, enhancing usability by allowing more granular control over data views.
Dashboard View Enhancements: Dashboards now use a 2-column view for year-long durations, making it easier to digest and analyze data over longer time periods.
Access Workflow Landing Page Improvements
Our latest release includes some changes to Access Review management with updated overview pages for managing Workflows and Certifications. The change to a multi-page layout makes the experience more modular, reduces menu-diving, and refreshes some old UI elements.
We hope the dedicated dashboards offer a more intuitive and organized approach to creating and managing Access Reviews, and look forward to your feedback while we continue our focus on Veza product designs.
Two dashboards and a Workflow Detail view replace the original landing page:
The primary landing page for operators and administrators, listing all saved Workflows. From here, authorized users can create Workflows, manage schedules, or view details and Certifications for a Workflow.
Replaces the old View Certifications modal, for creating, opening, and managing individual access review instances. Use this page to view the original query and description, configure settings that apply to all Certifications, and start or manage Certifications.
Similar to the old landing page for individual access reviewers, this page shows active and completed Certifications for all Workflows the current user can access, in a tabular layout. Clicking on the number of in-progress, draft, or completed Certifications will filter the list accordingly.
Admins and Operators can use this page to manage due dates, clone, or delete pending Certifications.
Summary of major changes and enhancements from our December'23 releases.
Additional note types for Risks: Until now, while suppressing a risk, users could optionally add a reason for suppression. However, many customers requested the option to add general comments to a risk. To that end, we’ve added an extra field for keeping notes on any entity shown on the Risks page.
You can add notes to individual risks by browsing to the Access Intelligence > Risks page and opening the Risks tab. Expand the actions menu next to a risk and click Add Note. Adding a note will overwrite an existing one.
Any notes appear in a column on the Risks tab.
Suppression reasons persist until a risk is unsuppressed. General notes are shared and can be updated by any user.
Workflow Query Improvements: Workflow queries can now use combinations of AND or OR statements in attribute filters to additionally limit the scope of an access review.
Intermediate Entity Attributes: Reviewers can now view and filter on any waypoint entity attribute Veza has discovered (such as metadata for a group or role connecting users and resources). This applies to any Workflow that uses Advanced Options > Relationship to show a waypoint entity in Certification results.
New integrations for gathering Confluent, 1Password, and Privacera groups, roles, and users. On-prem Jira Cloud deployments are now supported targets for Orchestration Actions.
GitHub and Microsoft AD Enhancements: Added support for discovering GitHub custom repository roles, and additional filterable attributes for Microsoft AD users.
Okta MFA types: Okta Users now have an MFA Factors attribute listing the types of multi-factor authentication enabled for their account.
CSV Import Enhancements: Improved flexibility and additional attributes when creating custom providers from CSV files.
See below for a full summary of all the enhancements in the latest releases:
Enhanced Risk Details: Clicking a risk score in Query Builder results now reveals all queries with risk levels contributing to the risk score. Users can optionally run any contributing queries or view them on the Risks page. Risks in the Authorization Graph sidebar now show risk levels as Warning or Critical.
Activity Monitoring for AWS: Supported AWS entities and access monitoring queries are now shown on the Activity Monitoring dashboard when the Early Access feature is enabled. See [Activity Monitoring for AWS] for more details on enabling the integration.
Notes for Risks: Users can now add custom Notes to entities on the Risks > Risks tab, and add a Suppression Reason when marking an exception. These fields can provide extra context for a decision or track the remediation status for a particular entity.
Risk Descriptions: Out-of-the-box assessments with a critical or warning risk level now include descriptions, shown when clicking Show Explanation on the Risks page. Additionally, users can add their own descriptions to risk queries that they write themselves.
Attribute Filter Group Enhancements: Attribute filters for Query Builder and Authorization Graph can now use two levels of AND and OR operators. Before, all operators had to be at a single level.
Simplified dashboard views for 6-month and 1-year periods: Dashboard views for long time ranges now show a single value for each week, instead of a value for each day.
Intermediate Entity Attributes in Certifications: Certifications for Workflows that use the Relationship advanced option to show columns for intermediate entities now include all waypoint entity attributes Veza has discovered. Reviewers can toggle column visibility using the dropdown to assist in decision-making.
Attribute Filter Combinations: Workflow queries now support groups of attribute filters with AND or OR operators, enabling reviewers to place more complex conditions on which entities to include in an Access Review.
Confluent Integration: New integration for gathering Confluent Cloud Users, Groups, and Roles.
1Password Integration: New integration for gathering Users and Groups from 1Password.
Privacera Integration: New integration for gathering Privacera Users, Roles, and Groups.
Okta MFA Types: Okta Users now have an MFA Factors attribute listing the types of multi-factor authentication enabled for their account.
GitHub extraction settings: Integration configurations now have repository allow and deny lists to customize which resources Veza will add to the Authorization Graph. The integration now implements concurrency for improved extraction times.
GitHub custom repository roles: Added support for custom repository roles within Enterprise Server environments (before, these were only available in Enterprise Cloud). GitHub configurations now have a checkbox to enable or disable gathering external repository collaborators.
Microsoft Active Directory Users: Veza now gathers additional user attributes: City, Company, CountryCode, Description, DisplayName, PhysicalDeliveryOfficeName, PostalCode, StateOrProvinceName, SurName, GivenName, and Title.
To simplify understanding of graph views involving more than one instance of the same authorization provider, the parent Datasource ID is now shown when hovering over Okta, OneLogin, and AD users and groups.
AWS KMS Policy Statements are now grouped by common attributes, consolidating identical statements across different policies into a single graph node.
AWS resource-based policy statements with a "Deny" Effect on all (*) principals are now connected to individual principals in the Veza Graph only if the statement overrides an "Allow" effect on the same resource from another policy.
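To illustrate the rule above, here is an added example (not Veza code) in Python: a simplified model of resource-based policy evaluation that reports which Deny statements on all (*) principals actually override an Allow from another policy, and which would be noise in a graph because no one was allowed in the first place. The bucket, account ID, principal ARNs and requests are constructed sample data, and policy Conditions are ignored.

```python
"""Simplified model of AWS resource-based policy evaluation.

Shows why a Deny statement on all (*) principals only matters for
principals that some other policy actually Allows: for everyone else the
request is already implicitly denied, so the wildcard Deny changes nothing.
Conditions and identity-based policies are ignored in this model.
"""
from fnmatch import fnmatchcase

# Constructed sample principals (fake account id).
READER_ROLE = "arn:aws:iam::111111111111:role/Reader"
ALICE = "arn:aws:iam::111111111111:user/alice"
BOB = "arn:aws:iam::111111111111:user/bob"
PRINCIPALS = [READER_ROLE, ALICE, BOB]

# Constructed sample: two resource-based policies attached to one bucket.
POLICIES = [
    {  # Policy 0: lets two principals read any object in the bucket.
        "Statement": [
            {"Effect": "Allow", "Principal": [READER_ROLE, ALICE],
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*"},
        ]
    },
    {  # Policy 1: two wildcard Denies; only the first overrides an Allow.
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/secret/*"},
            {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
             "Resource": "arn:aws:s3:::example-bucket/*"},
        ]
    },
]

# Constructed (action, resource) pairs used to probe the policies.
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
    ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/key.pem"),
    ("s3:DeleteObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards in Action/Resource are treated like shell globs here.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt, principal, action, resource):
    """True if Principal, Action and Resource of the statement all match."""
    principal_ok = stmt["Principal"] == "*" or principal in _as_list(stmt["Principal"])
    return (principal_ok and _matches(stmt["Action"], action)
            and _matches(stmt["Resource"], resource))


def evaluate(policies, principal, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' (an explicit Deny always wins)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, principal, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def overriding_wildcard_denies(policies, principals, requests):
    """Map (policy_idx, stmt_idx) -> set of principals for every Deny statement
    with Principal '*' that overrides an Allow granted by another policy.
    Wildcard Denies that override nothing for any principal are left out."""
    result = {}
    for p_idx, policy in enumerate(policies):
        others = policies[:p_idx] + policies[p_idx + 1:]
        for s_idx, stmt in enumerate(policy["Statement"]):
            if stmt["Effect"] != "Deny" or stmt["Principal"] != "*":
                continue
            hit = {principal for principal in principals
                   for action, resource in requests
                   if statement_applies(stmt, principal, action, resource)
                   and evaluate(others, principal, action, resource) == "Allow"}
            if hit:
                result[(p_idx, s_idx)] = hit
    return result


if __name__ == "__main__":
    for principal in PRINCIPALS:
        for action, resource in REQUESTS:
            print(principal.rsplit("/", 1)[1], action, resource.rsplit("/", 1)[1],
                  "->", evaluate(POLICIES, principal, action, resource))
    print("Wildcard Denies worth connecting to principals:",
          overriding_wildcard_denies(POLICIES, PRINCIPALS, REQUESTS))
```

Running the script shows the DeleteObject Deny is dropped (no policy allows DeleteObject to anyone), while the Deny on secret/* is attached only to the Reader role and alice, the two principals Policy 0 would otherwise allow.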
Introduced column grouping for Certifications, now available in Early Access. When enabled, parent columns are used to organize permissions, entity attributes, and result metadata for better readability.
Administrators can now delete unused Insight Points with no associated integrations.
Administrators can now easily add team members directly from the Settings > Teams page.
Administrators can now assign teams and roles for individual users on the User Management page.
Survey of major features and product enhancements across `2024.3.x` releases.
We’re excited to share the latest monthly product update, highlighting major changes in March'24. In addition to new features and usability enhancements across Veza products, we've added integrations and enhanced existing ones to support a wider range of potential configurations, environments, and use cases.
Access Intelligence and Visibility
Enhancements
Select All Permissions: When picking permissions to filter by, you can now quickly enable all effective or system permissions with a Select All option.
Query Performance: Significantly improved query speed for searches returning large amounts of results.
Access Monitoring
Enhancements
“Last Activity With Resource” Time: Query Builder now shows a Last Activity with Resource At column indicating when a principal last interacted with a resource.
Snowflake Role Usage: Snowflake Local Roles now have a Last Used At attribute showing when the role was last used by any user to access a resource.
Access Reviews
Enhancements
Review Creation: Starting a new Review now opens a full-page wizard for choosing the base Review Configuration, due date, reviewers, automation, and snapshot options.
Orchestration Actions: Email notifications can now be configured to trigger when an approved or rejected row is signed off.
Enriched Access Review Rows: Reviews can now include an extra column group showing details about the IdP user or HRIS profile associated with each query result. Reviewers can use the column selector to choose the metadata to show in this group. By default, enabling Enrich with IdP/HRIS data shows the name and unique ID of related entities in the chosen IdP or Human Resource Information System.
Access Review Product Design Improvements:
Reviewers can now use the Decision By filter to find rows acted on by a specified access reviewer.
Action history logs are now sorted by timestamp when viewing the action log for an individual row.
Improved readability within the Row Details drawer. It is now easier to see which table cell value belongs to which entity group for each row.
Improved performance of the Review table, especially when selecting more than one row.
Veza Integrations
New Features
Enhancements
Active Directory: Veza now shows the Manager Principal Name attribute for AD Users whose Manager ID attribute is a distinguished name (DN). For such entities, the Manager Principal Name is the manager's User Principal Name (UPN).
AWS: To indicate when AWS entities are affected by a policy containing conditions not supported by Veza, these entities now have the attributes Unsupported Condition and Unsupported Condition List, showing any condition operators and keys Veza does not yet support.
Box: Added an option to prevent the discovery of all Box folders to enable faster user and role metadata extraction in large environments. Administrators can also now set the maximum depth of folders to extract when configuring the integration.
Concur: Users now have the Email attribute. The Concur integration must have the additional API scope identity.user.coresensitive.read to ingest this metadata.
Coupa: Users now have an additional API User attribute, true for identities marked as API Users in Coupa.
Egnyte: Veza now creates Egnyte Local Role entities to represent user types, such as admin, power, or standard.
Jenkins: Added support for Project-based Matrix Authorization Strategy, enabling Veza to show user and group access controls defined at the project level in Jenkins.
Microsoft Azure: Improved performance when ingesting role-based access controls. Our support team can enable this enhancement to reduce pipeline delays when connecting to environments with complex RBAC hierarchies.
Salesforce: Veza now supports Permission Set Groups used to assign sets of permissions to teams of users. A Permission Set Group can relate to a single Muting Permission Set entity, which disables specific permissions in that Permission Set Group.
Snowflake: Snowflake Local Roles now have the Last Used At attribute.
Workday: Added a configuration option to Use preferred names instead of legal names as Worker display names.
Veza Platform
Enhancements
Single Sign-On Configuration: When enabling a SAML identity provider for user login, administrators can now copy Veza's Single Sign-On URL (ACS) and Audience URI (Entity ID) directly from the Configure SSO wizard.
SSO Event Logs: SSO user logins are now shown on the Events page.
Team Integration Scope: Administrators can now quickly approve all integrations by clicking All Providers when creating or editing a team.
Webhook and Email Domain Filtering: Administrators can now configure a list of approved domains for email and webhook Orchestration Actions. Messages are not sent to unapproved domains when this option is enabled on the System Settings page.
Lifecycle Management
Enhancements
Added support for Microsoft Entra ID (formerly known as Microsoft Azure Active Directory), Workday, and Snowflake as provisioning targets for Lifecycle Management. This extends the range of enterprise systems where Veza can manage local users and assign groups or roles based on configured provisioning policies and access profiles.
Welcome to the latest monthly summary of the many changes in recent releases, intended to improve your experience on the platform and deliver additional product features and capabilities. Some highlights include:
Access Intelligence and Visibility
Search results now have Risk Scores enabling users to sort and compare risks and focus on the most important ones.
Access Reviews
Operators can now create more flexible Workflow queries with several destination entity types.
Operators can now periodically create Certifications with Access Review Scheduling.
Operators can now enable Access Review Intelligence to automatically act on results based on result attributes or prior certification data.
Veza Integrations
New integrations
New PingOne identity provider integration.
CSV Import for creating custom providers and publishing authorization metadata in a standard format.
The Microsoft Azure integration now supports Azure PIM.
Enhanced integrations
On-platform setup for Ramp, Google Drive, and DocuSign.
Improved capabilities for Okta, Microsoft SharePoint, Snowflake, and AWS RDS MySQL.
Veza Platform
Administrators can now create read-only API keys by scoping them to teams.
Please get in touch with your feedback and questions, and see the following sections for more details:
Tags in Query Builder: For improved filtering and review of entities with tags applied to them, you can now show tags in columns using Include all source tags and Include all destination tags options.
When selecting a Query Builder source entity type, you can now specify entities of multiple types with grouping types such as User. You can now specify relative date filters for hours or days in the future in Query Builder.
New Query Builder columns now show the System Permissions and the Effective Permissions equivalent for each result.
You can now select any nestable source or destination entity type as Summary Entities in Query Builder. This enables advanced search in scenarios where groups can belong to other groups, or when one role can assume another (such as showing intermediate roles between Snowflake Users and Snowflake Roles).
For improved Graph readability, "Service"-type entities are now hidden by default, along with some other entities such as Organizational Units, Accounts, and Domains. These are now optionally visible by enabling Relationship Options > Advanced View.
Query Builder exports now reflect any changes made to column ordering. The maximum length for saved query descriptions is now extended to 16,383 characters.
Multiple destinations in Workflow Queries: You can now choose a combination of several related entity types when creating a Workflow.
Scheduling: Access Reviews now support scheduling rules for automated Certification creation. To enable, go to Access Reviews, find a Workflow, and click Actions > Create Schedule. Veza will start new Certifications at the specified times weekly using the latest Authorization Graph data.
Certification exports now include additional columns: decision_by_id, decision_by_name, decision_by_email, and decision_at.
Approve & Sign Off: This action is now universally available for certification reviewers.
Swipe mode is now enabled by default when opening Certifications on a mobile device.
Enhanced mobile support for Review interface, including landscape mode compatibility and iPhone 12 Pro support.
Azure PIM: Added support for Azure Privileged Identity Management (PIM), revealing temporary role assumptions based on scheduling rules.
New "Role Eligibility Schedule Schema" entities can now connect Users and Roles.
You can filter on properties such as scope, status, or start and end time of eligibility.
To collect PIM metadata, you must enable the option by editing the Azure integration and choosing Extract PIM Eligibility.
Connectors for Ramp, Google Drive, and DocuSign are now available on Veza in Early Access.
Microsoft SharePoint Online:
Added support for SharePoint Lists: These are now represented by a new entity type created by the SharePoint integration.
Added support for Sharing Capability: SharePoint Online entities now have the Sharing Capability property indicating the maximum-permitted sharing settings available to all children of the given tenant.
SharePoint Folder Library Type: SharePoint Folders now inherit the Library Type property from their parent Library: personal, business, or documentLibrary.
SharePoint Folder Sharing Links: Sharing Links are now listed as properties on SharePoint Folders in the format <scope>|<type>|<url>.
User Details: Veza now gathers additional attributes: Is Guest, Is Site Admin, User Principal Name, Is Deleted, Deleted Date, Last Activity Date, Viewed Or Edited File Count, Synced File Count, Shared Internally File Count, Shared Externally File Count, Visited Page Count, Assigned Products.
Snowflake role types: Added support for Snowflake Role types to help differentiate between custom, inherited, and system roles.
Okta timestamps: Timestamp-type entity attributes now include hours, minutes, and seconds (before, these rounded to the nearest day).
The global Veza navigation is updated to better organize features and typical operational areas. For more information about the changes or to submit your feedback, see .
Risk Scores for Authorization Graph: When Display Options > Risk Scores is enabled to highlight risks in the Authorization Graph, a Risk Score now appears next to each entity's name for better visibility into relative risk across different entities in search results.
Alert Details: When a Rule triggers an Alert, events are logged on the Access Intelligence > Alerts page for tracking and remediation. For Alerts associated with a , an Actions column now includes the issue key and a clickable link to open the ticket in Jira. You can now click on actions of any type for more details about the rule that triggered the alert.
Automation Details: Access Reviews using now include an optional column to help identify results accepted or rejected when the Review was created. Clicking the value shows more information about the automation rule that was applied, and the resulting decision.
Query Pipeline: You can now use to filter matching entities in the results of another query. Use combinations of attribute filters and saved query filters to create searches that can't be specified using a single query, or to simplify a complex query by breaking it into sub-queries.
Activity Monitoring for AWS: now supports overprovisioned scores for AWS IAM Users and Roles based on actual utilization of S3 Buckets and Secrets Manager Secrets. Veza also shows overprovisioned access for Okta Users to not only Okta Apps but also AWS-supported resources. See for steps to enable audit log extraction.
Activity Monitoring - Last Activity w/ Resources Details: Query Builder now shows a Last Activity with Resource At column indicating when a principal last interacted with a resource. This optional column appears for after enabling the Show {destination entities} option.
Scheduling Enhancements: When scheduling a recurring Access Review, you can now configure and specify whether to use the current Authorization Graph data or the most recent snapshot.
Custom Help Pages: Administrators can now create specific instructions for reviewers using . This instructional text appears when opening a review for the first time or after clicking the User Guide button.
Custom Identity Mappings: You can now define relationships between federated identities and local accounts they can assume, on an individual basis. now support Identity Matchers to correlate identities even if they do not match a mapping rule.
Okta Incremental Updates: The Okta integration now supports incremental updates for faster extraction time and reduced traffic to Okta API endpoints. An Administrator will need to to activate this capability.
Salesforce Opportunities: Veza now supports Opportunity entities, representing potential deals in Salesforce. Our support team must enable this feature, which requires for the Veza service principal.
Support User Access: Administrators can now grant the Veza support team temporary access by creating a limited account.
Team API Keys: Added support for .
Sign-in Settings: Added support for configuring .
Oracle JD Edwards EnterpriseOne (JDE): New integration for gathering users and roles.
Oracle E-Business Suite (EBS): New integration for visibility into IAM entities (users and responsibilities), Actions (functions and concurrent programs), and Resources (such as ledgers and operating units) within .
Teleport: New integration for gathering users and their assigned roles, providing visibility into which users can take privileged actions in Teleport such as accessing cluster resources, administering trusted devices, or reviewing access requests.
Microsoft Intune: The integration now supports Microsoft Intune as an optional service. Veza will discover and map Managed Devices and Role Assignments to corresponding Azure AD (Entra ID) identities, with support for retiring Intune-managed devices during Lifecycle Management workflows.
Microsoft Power BI: New integration providing visibility to Users, Roles, Permissions, Groups, and Workspaces for .
Open Authorization API (OAA): Applications modeled using the now support Custom Identity Mappings to correlate employee records with application users.
capture the specific updates for our weekly releases.
overview for the full list of Veza integrations and configuration guides.
How-to guides with steps to enable , add [Veza Integratio../integrations/configurationion/), create , and define rules and risk levels for .
Access Monitoring for Okta: is now available for the Okta integration. You can use the Access Monitoring page or Query Builder to review dormant access and unused entitlements for Okta users, based on their actual access of Okta apps, AWS S3 buckets, or AWS Secrets Manager secrets.
Saved Query Filter and Attribute-based Filter Combinations: Query Builder search can now use combinations of attribute-based filters and .
Automation Details: Added informational columns for visibility into accepted or rejected decisions based on .
Your feedback is invaluable, and we'd love to hear from you at .
Access Reviews: Auto-assignment supports
Search: in attribute filters
Insights: Introduce and Risk Levels for saved queries
Access Reviews: API, and API
Insights: Native for users, groups, and roles
Veza Platform:
Access Reviews:
Configurations: Improved
This is the first step towards many additional improvements planned this year, including further enhancements to sidebars in Graph search interfaces. Your feedback is invaluable as we refine this integral part of the Veza platform experience. Please contact our team at to let us know what you think.
Salesforce Access Security: Customers using the can now access a dashboard of dedicated insights. The page contains pre-configured queries showing:
Set Resource Managers for Any Entity Type: All entities can now be assigned Resource Managers that can be . The option to Set Resource Managers is now available on the graph actions sidebar, regardless of entity type. Previously, only resource-type entities could be assigned "Owners."
Sign-off on rejected rows can now trigger Jira ticket creation using .
New Integrations: , , and .
These optional, additional fields are enabled in a new tab when configuring the . The orchestration action detail page now includes an Additional Fields tab, displaying the configured System Fields and Custom Fields. Please contact our team if your use case requires additional system fields or field types.
Custom Identity Mapping for OAA Apps: for specifying relationships between local accounts on different platforms or apps can now use for Open Authorization API-based integrations.
Okta: Added support for integrating with Okta using , as a more secure alternative to user API keys.
Google Drive: Added an integration option to use for a Google Workspace user, enabling the discovery of drives with external sharing disabled or that cannot be shared with the integration service account.
Activity Monitoring for AWS: The AWS integration is now supported for , now available in Early Access for right-sizing permissions, identifying underutilized permissions, and detecting suspicious activity. When enabled, Veza generates and shows for AWS IAM Users based on the S3 Buckets and Secret Manager Secrets they have utilized their permissions on. Dormant AWS entities and queries related to Overprovisioned Access Scores appear on the Activity Monitoring dashboard.
Enhanced Risk Scores: Risk Scores are numeric values ranging from 0-100 that indicate the count and levels of all the risks associated with a given node. Now, clicking on a Risk Score shows all the contributing queries that led to the particular Risk Score value.
CSV Import Improvements: Enhanced flexibility in , including more user name and status options and a searchable email user attribute.
Jira Orchestration Actions: The Jira orchestration action now supports both Atlassian Cloud (SaaS) and Atlassian Data Center (on-premise) products. Jira can now be chosen as a destination for Access Reviews, as an action when a rejected row is signed off.
Please read on for details on the March'24 updates. Your feedback is invaluable, and we'd love to hear from you at .
Activity Monitoring for AWS: You can now configure an organization CloudTrail owned by an AWS account other than the AWS account configured for Activity Monitoring. The trail must be specified by ARN when .
New integrations: , , , , , , Appian.
Entity Risk Scores: You can now compare and sort potentially risky users or other entities by their importance using Risk Scores for more granular comparison of Critical or Warning risks. All entities now have a Risk Score attribute of 0-100, which is based on the number of queries with a critical or warning risk level that include the entity in their results. You can create queries and rules to detect and alert when Risk Scores change or exceed a threshold.
Automated Intelligence: You can now use historical decision data to automatically approve or reject results when creating Certifications. For example, you can run to auto-approve previously approved or auto-reject previously rejected items.
Operators can now choose any nestable source or destination entity type as for Access Review queries. This allows reviewers to inspect intermediate relationships in scenarios where roles can assume other roles, or groups can belong to groups (such as intermediate groups between AD Users and AD Groups).
CSV Import: Administrators can now create custom providers and populate data sources directly from CSV files. Use the to upload user, group, and role metadata and create OAA integrations with no command-line interaction required.
PingOne (Early Access): A Veza-built integration is now available for discovering Users, Groups, and Roles, along with Populations, Applications, and external Identity Providers.
Sharing Capability and List discovery require additional .
Veza collects this role attribute automatically unless using an alternative database for the integration. If this is the case, see to update integration permissions.
AWS RDS MySQL system schema: Extended discovery to include system schemas such as 'sys', 'performance_schema', and 'mysql'. To enable, choose Gather System Tables when configuring an AWS integration.
NetSuite insights: Added built-in queries for NetSuite to find identities such as deactivated users, administrators, and deactivated Okta or Microsoft Azure AD users with NetSuite permissions.
API Keys for Teams: Introduced optional scoping of API keys to Teams, allowing for non-root, read-only API access. Administrators can now choose from available teams when creating keys and view team scopes on the API Keys page.
MFA for local users: Users can now enable multi-factor authentication for an additional security layer when not using Single Sign-On.
Overview of major changes and enhancements in 2023.7.x releases
At Veza, we continuously deliver new features and enhancements to meet customer needs and bring you our latest product innovations. To help keep track of the many changes over the past month, we’ve compiled a summary of all the latest improvements from our most recent releases.
User Comparison (Early Access): A new Access Intelligence > Compare page reveals how permissions to resources and group memberships vary for two different users of the same entity type. After creating access profiles for different personas, you can quickly evaluate how other users align with an established baseline.
Dynamic reports: You can now add queries individually or pick the dynamic report type during report creation. Dynamic reports include all queries with the chosen labels and integrations, and update automatically when queries meeting the criteria are added or removed.
Rules for entity attribute changes: When adding conditions for a rule, you can choose Query Properties to receive alerts when Veza detects a change in the entity attribute, such as User activity status or Policy statement count.
Saved query visibility: You can now mark queries as Public or Private when saving them. Additionally, you can view and filter the Saved Queries page by the new Visibility column. Private queries, like private reports, are visible only to owners.
Report export enhancements (Early Access): When exporting reports in PDF format, you now have the option to add expanded details for results, and include columns for source entity properties and summary entities.
Access Monitoring for Snowflake now supports “Schema” (Early Access): Over-Provisioned Scores (OPS) are now calculated for users and groups with Snowflake Schema permissions (previously, this information was available for Databases, Views, and Tables).
AWS Elastic Container Repositories (ECR): The AWS integration now automatically discovers public and private ECR registries and repositories. You should update the integration policy to include the ECR SID, or limit extraction for the ECR service to prevent warnings.
SaaS Misconfigurations for GitHub: The GitHub integration now offers additional assessment queries to monitor repository security risks. Please note that the integration requires the additional permission scope repository_advisories:read to gather the relevant metadata.
GitHub Repositories now have the attributes allow_forking, secret_scanning_enabled, default_allow_delete, default_allow_force_push, default_require_pull_request_approval, and has_branch_protection_rules.
GitHub Security Advisories, used to report, track, and discuss security-related issues for software projects, are now shown as an entity type.
The integrations for Oracle Cloud Infrastructure, GitHub Enterprise, Box, ServiceNow, and Databricks have graduated from Early Access and are now generally available on the Veza platform.
The Jira Cloud and Bitbucket Cloud OAA integrations now include built-in misconfiguration reports.
New Veza-built OAA integrations are available for Confluence Server, Trello, Hubspot, Tableau Cloud, and Windows File System.
Custom datasource payloads in integration details: You can now view the most recent custom provider push payload in JSON format by clicking on an integration name and selecting Show Schema Definition.
10 new SaaS applications are supported using our generic SCIM integration: Egnyte, IronClad, FiveTran, Celonis, Sigma Computing, Zapier, Envoy, Twingate, Harness, and ThousandEyes.
Improved Configurations Usability (Early Access): The Configuration pages have been completely overhauled to offer more streamlined integration management and improved visibility into the status of your integrations.
Google Cloud Cross Organization Permissions (Early Access): When enabled, the Google Cloud integration calculates effective permissions for users in one GCP organization assigned to groups in another GCP organization. In System query mode, Veza shows full cross-account connections for Google users, groups, service accounts, and role bindings.
OAA on Veza (Early Access): To make it easier to run and configure Open Authorization API-based integrations, it is now possible to enable supported Veza-built OAA integrations directly from the Configuration page, with no additional deployments or command-line customizations.
Workday Integration (Early Access): A new integration for Workday Human Capital Management (HCM) enables Veza to discover Workday identities, security groups, and policies for our core products of Search, Workflows, and Insights.
Query Builder — entity type groupings: To enable queries that return multiple entity types, you can now select all Users, Resources, Identities, or Service Accounts as a Query Builder source or destination.
Query Builder — attribute filter enhancements: You can now create complex constraints by adding several attribute filters with AND or OR operators.
Query Builder — destination entities: Query Builder now has the option to return pairs of source and destination entities as results, similar to Workflow queries.
Query Builder — summary entities: Queries using destination entities can include a Summary Entities column showing the authorization path for each result. When building a query, you can select entity types to include in the summary for visibility into the Roles, Policies, Groups, or other intermediate entities connecting the source and destination.
JSON query specifications: When creating a query, you can now export the query parameters for use with the Query Builder API. To do so, click the Save button and choose View or Copy Query Spec.
Enhanced query details (Early Access): When enabled, the details modal for saved queries is replaced by a comprehensive overview of query results, details, and actions. You can use this view to inspect Trends, Rules, Reports, and Alerts for a query, review its parameters, and make customizations using the actions menu.
Faster reviewer auto-assignment and Certification creation.
Improved Smart Actions performance when re-assigning reviewers.
Improved Create Certification performance when generating multiple certifications.
All possible query actions are now available from the Query Builder, with a new actions dropdown next to the Save button.
The left sidebar on the Reports page is now collapsible.
On the Insights > Analysis page, clicking on a result name shows entity attributes.
Tabs on the Saved Queries page now clarify that users are switching between Query View and Rules View.
For improved readability, Salesforce Permission Sets are now labeled with the name <profile name> Permission Set, instead of by unique ID.
The providers assigned to a team are now grouped under a single icon for each integration type, which can be hovered over to view details.
Editing an entry on the Rules page now opens the query in Query Builder.
Email notifications for triggered alerts now include the rule description, severity, threshold, and node count.
You can now filter the Alerts page by query name.
Welcome to the latest monthly summary of the many changes in recent releases, intended to improve your experience on the platform and deliver additional product features and capabilities. Some highlights include:
Access Reviews:
Time Machine: Operators can now create Certifications based on Authorization Graph snapshot data to review access at a specific point in time.
Details Sidebar: Reviewers can now open a sidebar to view result details and actions, and quickly navigate between Certification rows using the arrow keys to inspect and approve or reject results.
Access Intelligence:
Filtered Permissions: New columns for better visibility into SoD violations and remediation of conflicting permissions.
Veza Integrations:
Microsoft Dynamics 365 (Early Access)
UKGPro (Early Access)
Terraform
Microsoft Azure Kubernetes Service (AKS)
Google Kubernetes Engine (GKE)
Google Cloud SQL
Platform:
Administrators can now control read-only access to Veza with Teams for user management.
Please get in touch with your feedback and questions, and see the following sections for more details:
Access Reviews for historical or current data: Operators can now pick Time Machine snapshots when creating Certifications to source results from the most recent snapshot, an earlier date, or the current graph data.
Decision columns: Certifications now have optional columns Decision At and Decision By for better visibility into row decisions, and enabling the option to filter on these values.
Result details sidebar: Reviewers can now click Certification Actions > See Row Details to open the result in a sidebar, with support for keyboard navigation and filtering on any attribute or value. Users can approve, reject, and sign off directly from the details panel and navigate between rows using the arrow keys.
An optimized Access Reviews Review interface is now available for all customers, including the option to view history for any result.
Filtered Permissions in Query Builder: New columns indicate the Filtered Effective and System Permissions for source and destination pairs. After applying an effective permissions filter and showing related entities, these columns contain the equivalent system permissions that match any applied filters, and their corresponding effective permissions.
These columns are most useful for Segregation of Duty (SoD) queries (written via Access Intelligence > Analysis > Segregation of Duties or with Query Builder APIs). For SoD queries, they make results more actionable by providing the relevant effective and system-level permissions matching each filter in the query. Users can review these columns to find the set of filtered permissions to remove in order to remediate an SoD conflict.
This enhancement provides improved visibility into principals' relevant capabilities on a resource, especially for Segregation of Duty analysis involving both permission types (for example, remediating IAM Users with s3:deletebucket and any other DATA WRITE capability).
Microsoft Dynamics 365 (Early Access): The Azure integration now supports Dynamics 365, including Business Units, Users, Teams, Application Uses, and Security Roles. When enabled, you can specify one or more environments to discover when adding or editing an Azure configuration.
UKGPro (Early Access): A built-in OAA connector is now available for gathering Users and Roles on the UKG HRIS platform.
Terraform: Added a new OAA-on-Veza connector for discovering Terraform users, groups, and roles.
Active Directory: Added support for cross-domain user and group relationships involving sub-domains (before, this was only supported for external domains).
Box: Increased user extraction speeds and decreased extraction interval for improved efficiency and lower API costs.
Google Cloud SQL: The GCP integration now supports gathering SQL Server services, instances, databases, and users.
Concur: To enable custom mapping for external identities, Concur Users now have an Identities attribute containing the local username.
Kubernetes: Added support for connecting to managed Kubernetes services on Google Cloud and Microsoft Azure.
Open Authorization API: Custom Role Assignments can now have developer-defined attributes specified in custom_property_definition.role_assignment_properties. Role Assignments now inherit any custom properties on assigned Roles.
Grouped AWS S3 Bucket Policy Statements: AWS S3 Bucket Policy Statements are now represented as grouped entities; Statements with the same Effect, Action, NotAction, Principal, and Condition properties across separate Bucket Policies are now parsed as a single graph entity representing the same statement.
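The grouping described above depends on recognising that two statements written differently (an Action given as a string in one policy and as a one-element list in another, or a Principal of "*" versus {"AWS": "*"}) are the same statement. The following is an added example of that idea, not Veza's code: it canonicalises the Effect, Action, NotAction, Principal and Condition fields of each statement, then groups statements across several constructed bucket policies by that canonical form so a reviewer can see which buckets share a given grant. The bucket names, account ID and policy documents are constructed sample data.

```python
import json
from typing import Any, Dict, List, Tuple

# The properties the page names as the grouping key for a statement.
GROUP_KEYS = ("Effect", "Action", "NotAction", "Principal", "Condition")


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars where lists are permitted; always work with lists."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _canon(value: Any) -> Any:
    """Recursively canonicalise: sort dict keys, sort and dedupe string lists."""
    if isinstance(value, dict):
        return {k: _canon(value[k]) for k in sorted(value)}
    if isinstance(value, list):
        items = [_canon(v) for v in value]
        if all(isinstance(v, str) for v in items):
            return sorted(set(items))
        return items
    return value


def normalise_principal(principal: Any) -> Dict[str, List[str]]:
    """'Principal': '*' is shorthand for {'AWS': '*'}; force every member to a sorted list."""
    if principal == "*":
        principal = {"AWS": "*"}
    return {k: sorted(set(_as_list(v))) for k, v in sorted(principal.items())}


def statement_key_parts(stmt: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the grouping properties of one statement in canonical form."""
    parts: Dict[str, Any] = {}
    for key in GROUP_KEYS:
        if key not in stmt:
            continue
        value = stmt[key]
        if key in ("Action", "NotAction"):
            value = _as_list(value)
        elif key == "Principal":
            value = normalise_principal(value)
        parts[key] = _canon(value)
    return parts


def group_statements(policies: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Map canonical-statement JSON -> {'statement': parts, 'buckets': sorted names}."""
    groups: Dict[str, Dict[str, Any]] = {}
    for bucket, policy in policies.items():
        for stmt in _as_list(policy.get("Statement")):
            parts = statement_key_parts(stmt)
            key = json.dumps(parts, sort_keys=True, separators=(",", ":"))
            groups.setdefault(key, {"statement": parts, "buckets": set()})["buckets"].add(bucket)
    return {k: {"statement": v["statement"], "buckets": sorted(v["buckets"])} for k, v in groups.items()}


def wildcard_principal_groups(groups: Dict[str, Dict[str, Any]]) -> List[Tuple[str, List[str], List[str]]]:
    """(Effect, Actions, buckets) for every grouped statement addressed to everyone."""
    out = []
    for entry in groups.values():
        s = entry["statement"]
        if s.get("Principal") == {"AWS": ["*"]}:
            out.append((s.get("Effect"), s.get("Action", []), entry["buckets"]))
    return out


# Constructed sample policy documents (not real account data); the same public
# read grant is written three different ways across two buckets.
SAMPLE_POLICIES = {
    "logs-archive": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs-archive/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::logs-archive", "arn:aws:s3:::logs-archive/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]},
    "static-site": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::static-site/*"}},
    "finance-reports": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::finance-reports", "arn:aws:s3:::finance-reports/*"]},
    ]},
}

if __name__ == "__main__":
    for effect, actions, buckets in wildcard_principal_groups(group_statements(SAMPLE_POLICIES)):
        print(f"{effect} {actions} shared by {buckets}")
```

Resource is deliberately left out of the key, matching the page's list of grouping properties, so the same grant applied to different buckets collapses into one group with several buckets attached; NotPrincipal and Service or Federated principals are not special-cased here.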
Salesforce: Profiles and permission sets now include the description attribute.
Microsoft Active Directory Foreign Security Principals: The AD integration now supports related users and groups from different domains when each domain is integrated with Veza. Active Directory Users and Groups now have a SID attribute, which Veza uses to compute cross-domain connections.
Added a Timestamp (Windows AD Format) type for custom properties and updated all AD property configurations to indicate that timestamps use this format.
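Active Directory attributes such as accountExpires and pwdLastSet are stored as Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC) rather than Unix time, with 0 and 2^63-1 used as sentinels. As an added example of handling that format (not Veza's code, and independent of its custom property type), the following converts such timestamps both ways and applies them to a constructed set of user records to find accounts whose password has not been set in over a year; the account names and dates are sample data.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-nanosecond ticks.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# accountExpires uses both 0 and 2**63-1 for "never expires";
# pwdLastSet uses 0 for "must change password at next logon".
NEVER_SENTINELS = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Convert a FILETIME tick count to an aware UTC datetime; None for sentinels."""
    if value in NEVER_SENTINELS:
        return None
    if value < 0:
        raise ValueError("FILETIME is an unsigned 64-bit tick count")
    # Python datetimes carry microseconds, so sub-microsecond ticks are dropped.
    return WINDOWS_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse conversion, used below to build the constructed sample records."""
    delta = moment.astimezone(timezone.utc) - WINDOWS_EPOCH
    return ((delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def password_age_days(pwd_last_set: int, now: datetime) -> Optional[int]:
    """Whole days since the password was last set, or None if it was never set."""
    last_set = filetime_to_datetime(pwd_last_set)
    return None if last_set is None else (now - last_set).days


def stale_password_accounts(users: List[Dict[str, int]], now: datetime, max_age_days: int) -> List[str]:
    """Names of accounts whose password is older than max_age_days."""
    flagged = []
    for user in users:
        age = password_age_days(user["pwdLastSet"], now)
        if age is not None and age > max_age_days:
            flagged.append(user["sAMAccountName"])
    return flagged


def _ft(year: int, month: int, day: int) -> int:
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed sample records (not real directory output).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "svc-backup", "pwdLastSet": _ft(2022, 3, 15), "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"sAMAccountName": "jdoe", "pwdLastSet": _ft(2023, 11, 2), "accountExpires": 0},
    {"sAMAccountName": "contractor1", "pwdLastSet": _ft(2022, 1, 1), "accountExpires": _ft(2024, 6, 30)},
    {"sAMAccountName": "newhire", "pwdLastSet": 0, "accountExpires": 0},
]

if __name__ == "__main__":
    for name in stale_password_accounts(SAMPLE_USERS, NOW, 365):
        print(f"{name}: password older than one year")
```

Treating the sentinels as None rather than as a date matters: naively converting accountExpires of 2^63-1 yields a year far beyond 9999 and raises, while converting pwdLastSet of 0 produces 1601 and makes a brand-new account look like the stalest one in the directory.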
Reports can now contain up to 150 queries.
Query exports now include a tags column when using Advanced Options > Include Source Tags.
Teams: All customers can now manage users with Teams and the read-only viewer role. Previously this functionality was provided in Early Access.
User session timeouts (Early Access): Added an option to the System Settings page for controlling when users are logged out after a period of inactivity. Session idle timeout is now configurable between a minimum of 10 minutes and a maximum of 2 hours.
The Risks page and exported lists of risks now include entity IDs to help differentiate between entities with the same name.
Outbound integrations and Webhooks are now managed under Orchestration Actions (renamed from Collaborations).
Hints for swipe mode now appear when opening a Certification on a mobile device for the first time.
The Add Integration button is now hidden when choosing the integration to create (and clicking Next is the only option). After completing the form, click Create Integration at the top right to save the configuration.
Overview of major changes and enhancements in 2023.8.x releases
Dashboards Trends View: You can now toggle between a visualization of trends over time and the current number of results for each Dashboard Report on the Home page. It is also now possible to download any trend chart by opening the action menu and choosing Expand > Export to PNG.
Query Details view: Clicking View Details for a saved query now opens a comprehensive overview with tabs for creating rules and managing risk exceptions, visualizing trends over time, and reviewing the original query description and parameters. This extended query details page replaces the old details modal.
Dashboard report customization: Users can now directly customize which reports appear on the Dashboards home page by clicking the Add Reports button and selecting from a list of all built-in and user-created reports.
Improved Report Export: When exporting reports in PDF format, you now have the option to include destination entities, and add columns showing source entity properties and summary entities. This early access capability is now available for all users.
Insights Overview (Early Access): When enabled, you can now see all relevant assessments for any type of entity from a new Insights > Overview page. You can apply additional filters based on risk level, creator, or query labels, and quickly access the details view for any related Saved Query.
Link to filtered certifications (Early Access): When enabled, reviewers now have the option to copy a link to the current filtered view of results for improved sharing. Opening a certification now applies the filter specified in the URL.
Review access for unique users (Early Access): It’s now possible to list each user involved in a certification, and quickly open a new tab with just the results related to that specific user. When enabled, you can open the list of unique users and view their results by clicking Show Users > View Details.
Workflows API: Preview operations are now available for creating Workflows and initiating Certifications.
Smart Actions API: Custom smart action definitions can use the apply_to_all_rows option to explicitly run the action on all certification results.
Improved performance for bulk actions.
Improved performance when loading certification results.
Query Pipeline: You can now create complex queries by using the output of one query as a constraint on another query. For example, you can create one query that defines Production Resources or Resources accessible by overseas employees, and use it to filter the source or destination entities in another query. To create a query pipeline, first save a subquery that returns the entity type you want to filter on. Then, create the main query and click Add Attribute Filter Group > Query Output.
Improved Tagged Entity Search (Early Access): Clicking any entry on the Tags page now opens a tags details view, including a searchable list of all entities with that tag. You can export the results, or search for the entities in Query Builder. Tag details are also available when viewing entity details in Graph or Query Builder.
Azure Cognitive Services: The Azure integration now automatically discovers permissions on Azure Cognitive Services, including Azure OpenAI.
Snowflake Tags: The Snowflake integration now discovers native tags applied to securable objects within Snowflake. You can review tags by inspecting an entity’s details, or by opening the Data Catalog > Tags page.
Deploy Keys for GitHub Enterprise: Added support for the GitHub Deploy Key entity type, enabling search for repositories with configured SSH deployment keys, and the roles those keys can assume.
Active Directory attributes: AD Users now have the timestamp attributes Account Expires and User Password Expiration.
AWS attributes: S3 Buckets now have the Default KMS Master Key IDs attribute, indicating which (if any) keys are applied to the bucket.
Workday attributes: Worker entities now have the additional attributes Termination Date, Workday ID, and Is Active.
OAA permissions: Integrations can now use the Uncategorized permission type, intended for when custom application permissions are unknown or not mapped, and existing permission types like NonData would be inaccurate.
Veza-built OAA integrations are now available for OpenAI, New Relic, Solarwinds, YouTrack, and Rollbar.
The Veza-built OAA integration for GitLab can now be enabled directly from the Configuration page as part of the OAA on Veza early access feature.
SCIM integration (Early Access): Providers with System for Cross-domain Identity Management (SCIM) APIs can now be integrated with Veza to discover users and groups. To add a SCIM integration directly from the Configuration page, the OAA on Veza feature must be enabled.
Audit Log APIs: Preview APIs are now available for listing and exporting audit events.
Veza Email Digests: Users now receive an email digest containing critical Veza information all in one place, including changes to Risks and Reports, Rules and Alerts, and Integrations. You can change email frequency to Daily, Weekly, Monthly, or Never by opening your user profile from the main navigation menu.
Multi-Factor Authentication (Early Access): When enabled, local users (such as system administrators) can now configure a third-party authenticator application by opening their user profile. Users logging in with single sign-on will continue to use MFA from their identity provider. Administrators can reset authentication factors for other users from the User Management page.
The Access Search, Access Intelligence, Access Monitoring, and Workflows sections are renamed to Access Search, Access Intelligence, Access Monitoring, and Access Reviews.
Some pages are renamed to better differentiate Query Builder and Graph search:
Access Search > Graph
Saved Searches > Saved Graphs
Attribute filter sorting: The list of possible attributes is now ordered alphabetically when adding a filter. Typing to search now filters the list. Common properties for all entities, such as Name and ID, appear at the top.
Saved Query usability: Choosing the Clone Query action now opens the Save Query flow with options to change the name and details, create rules, or add the query to reports.
The Administration > Events page now supports filtering on all possible event types.
The View Documentation icon is now labeled Help.
When customizing webhooks and other Orchestration Actions, descriptions now clarify that actions will trigger on row sign-off (and not immediately when a result is accepted or rejected).
When applying smart actions, typing to search for a field is no longer case-sensitive.
Overview of major changes and enhancements in 2023.6.x releases
Segregation of Duty (SoD) Analysis (Early Access): The Access Intelligence > Analysis page now includes an additional section for creating queries with complex "and"/"or" statements and condition groupings. This query mode can identify users that can assume different roles (such as conflicting roles that violate business rules for separation of duties). This query mode can also identify users that can have conflicting effective permissions to more than one type of resource (such as SaaS apps, data systems, cloud services, infra services, or IAM systems).
Query Builder: Show or Hide Nested Relationships (Early Access): It is now possible to hide results that are indirectly accessible due to hierarchical relationships, such as AWS IAM Roles assumed by another role, or Microsoft Azure AD Groups belonging to a parent group. The toggle to show or hide indirect access appears under Advanced Options > Relationship Options > Show Assumed. This option only appears when the source or destination entity type can be nested.
Edit report owners: Report creators can now share reports and enable other Veza users (such as app, data, identity, and security teams) to edit them by adding or removing owners in Edit Mode. Owners are now listed next to report titles on the Reports page. Private reports are only visible to the creator, and any users added as owners.
Rules for Saved Queries: The Saved Queries page now includes a tab for creating and managing Rules based on their underlying saved queries. You can use this view to see whether a query has rules associated with it, create new rules, and review the condition and severity of any active rules.
New filter operators: Attribute filters can now specify Exists and Not Exists operators, allowing searches to only return results based on the presence or absence of a value for a specified property.
Saved Query Improvements: When saving a query, you are now able to apply an existing assessment label or create a new one. When saving a query and adding it to a report, you can now choose a specific report section for the query.
AWS Secrets Manager: Veza now supports User and Role permissions on secrets contained within AWS Secrets Manager. New entity types Secrets Manager Service and Secrets Manager Secret are now discovered for any integrated AWS account. Veza also discovers Secret attributes such as last rotated and last accessed dates.
Confluence Cloud: A new connector is available for discovering user and group access to Spaces in Confluence. Veza can show when Spaces allow unlicensed access or anonymous access, and when users are external collaborators.
Windows Servers: A new connector is available for discovering local users and groups, scheduled tasks, and services running on Windows servers.
Configurations v2 (Early Access): The Veza Configuration pages have been completely overhauled for more streamlined integration management and improved visibility into the status of your integrations. Please contact the Veza support team to preview the new user experience before it becomes generally available for all users.
Approve and Sign-Off (Early Access): Reviewers on mobile devices can now use the Approve and Sign-Off action to quickly make final decisions for Certification results.
Reviewers accessing Certifications on mobile devices can now Re-assign Reviewers for a result.
The grace period for marking Certification results as Fixed after the Certification is expired (default 7 days) is now configurable by the Veza support team.
Certifications now indicate the total number of result rows even when a filter is applied, or results appear across multiple pages.
Improved performance when creating certifications and loading certification results with auto-assignment and self-review prevention enabled.
Improved performance when creating 100+ certifications in parallel.
Improved performance at scale for certification reviews with millions of certification rows, thousands of access reviewers, and hundreds of concurrent access reviewers.
Improved performance when sorting certification results.
Permissions filters for Workflows, Graph, and Query Builder: Filtering by permissions is improved to offer a more uniform experience for all Veza search interfaces. You can now simply pick an effective or system level permission to filter on, and no longer need to add an attribute filter on a "permission"-type entity in some cases.
Improved Graph visualization for "deny" relationships: Paths between entities that represent a policy that prevents access are now highlighted in red in Graph search results. Before, these relationships were only color-coded in Explain Effective Permissions mode.
Risks usability: When using the Manage Exceptions action to add or remove several exceptions at a time for a query with a risk level, a type column now indicates whether each result is currently an exception or a risk.
Collapsible search sidebar: You can now click to show or hide the left sidebar in Graph Search, Query Builder, and when creating a Workflow.
Overview of major changes and enhancements in 2023.9.x releases
At Veza, we are committed to delivering innovative features and enhancements to address our customers' needs. This summary outlines the most recent updates across the platform. Some highlights from our Fall updates include:
Operators can now review the action log for any Access Review item's history.
We've introduced smart actions and a swipe mode in Access Reviews for mobile users.
Adding and managing integrations now uses a streamlined experience on the Configuration pages.
Enhanced filters for querying attributes such as dates and timestamps.
Search for providers and entity types using more intuitive names for entities created with Open Authorization API integrations.
Veza Integrations updates:
New integrations:
MongoDB
Enhanced integrations:
Support for Microsoft Azure PostgreSQL, Kubernetes Service (AKS), and Private Links
Extended filters for Microsoft SharePoint Site attributes
On-platform availability of NetSuite, Coupa, Slack, and Crowdstrike integrations
Read on for more information, and please reach out with your questions and feedback.
Usability Improvement for OAA-sourced Authorization Entities: Entities originating from Open Authorization API (OAA) have transitioned away from generic types like 'Custom User' or 'Custom Group'. You can now search for these entities similarly to built-in integration entities (e.g., by 'ZenDesk User', 'Trello User'). This update is currently applicable to the Authorization Graph and Query Builder.
MongoDB Atlas: A built-in integration for MongoDB Atlas DBaaS platform now supports Organizations, Projects, Users, Roles, Teams, and Clusters. Use new saved queries to identify users with permissions to create or delete database deployments.
Microsoft Azure AKS: Added support for Azure AKS Services and Managed Clusters, including out-of-the-box assessments for Azure AD Users with AKS Managed Cluster write and delete permissions.
Microsoft Azure Private Links: The Azure Integration now discovers Azure Private Links and Private Endpoints. Use new saved queries to identify Azure AD Users with Private Link Service write or delete permissions and Private Endpoint write or delete permissions.
Microsoft SharePoint Site attributes: Veza now collects additional Site properties, enabling attribute filters on Owner Display Name, Is Deleted, Storage Used, and Storage Allocated.
On-platform connectors: Integrations are available in Early Access for:
Certification Action Log: Administrators and operators can review any certification item's full history, including updates to reviewer assignments, notes, and decisions. Find this under Actions > View Action Log with search functionality.
Single-action Approve and Sign Off: Streamline approvals and sign-offs with a single action using a Smart Action, dropdown menu, or Bulk Action.
Mobile Enhancements:
Swipe mode: Review certification results by swiping cards left or right, signing off after every 10 decisions.
Smart Actions: Apply bulk actions to filtered certification results with the Smart Action button.
Export Custom Column Names: You can now customize column names in PDF exports. Pick up to 12 columns to include, rename as needed, and export from the certification overview.
Integration Management Overhaul: The Configuration pages have been redesigned
Enhanced filters for timestamp-type attributes: Users can now define filters for dates between a start and end time with an AND operator. Improved filtering of timestamp-type attributes across the platform using both relative and absolute formats.
You can now save and edit Analysis > Segregation of Duties queries from a new Save Query actions menu, or take additional actions such as copying the specification, opening the Query Details view, or cloning the query.
Overview of major changes and enhancements in 2023.3.x releases
AWS Users and Roles with the ability to create or edit Lambda functions.
AWS services and resources Lambda Functions can access.
IAM roles assumed by Lambda to access AWS services and resources.
AWS Cognito: The AWS integration can now discover AWS Cognito Identity Pools used to grant temporary privileges to other AWS services.
AWS Cognito Identity Pools that allow unauthenticated identities
AWS IAM Roles assumed by AWS Cognito Identity Pool identities.
Note that permissions for the AWS integration must be updated to enable listing Lambda functions and tags and Cognito identity pools. To gather these new entities, the policy must include the latest "Cognito" and "Lambda" Sids.
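The "identity pools that allow unauthenticated identities" check above is worth reproducing outside the product, because the real exposure depends on the role those guest identities receive. The following is an added example and not Veza's code: it flags guest-enabled pools and then inspects the trust policy of the mapped unauthenticated role, which should be assumable only by the Cognito federated principal, pinned to that pool's id (the `aud` condition) and to guest identities (the `amr` condition). Record shapes follow boto3's cognito-identity and IAM responses; the pool ids, role ARNs, names and policies are constructed for the example.

```python
"""Audit Cognito identity pools that allow unauthenticated (guest) identities.

Added example, not Veza's code. Record shapes follow boto3's cognito-identity
DescribeIdentityPool / GetIdentityPoolRoles and iam GetRole responses; every
pool, role and policy below is constructed for this example.
"""

COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"


def trust_policy_issues(pool_id, trust_policy):
    """Check the AssumeRolePolicyDocument of the role a pool hands to guests.

    It should be assumable only by the Cognito federated principal, pinned to
    this pool via the aud condition and to guest identities via amr. Without
    the aud pin, any identity pool (in any AWS account) can assume the role.
    """
    issues = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != COGNITO_PRINCIPAL:
            issues.append("Allow statement for a principal other than the Cognito federated principal")
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{COGNITO_PRINCIPAL}:aud") != pool_id:
            issues.append("aud condition does not pin the role to this identity pool")
        amr = cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO_PRINCIPAL}:amr")
        if ([amr] if isinstance(amr, str) else amr) != ["unauthenticated"]:
            issues.append("amr condition does not limit the role to unauthenticated identities")
    return issues


def audit_identity_pools(pools, trust_by_role_arn):
    """pools: DescribeIdentityPool dicts, each carrying a 'Roles' key with the
    GetIdentityPoolRoles mapping. Returns one finding per guest-enabled pool."""
    findings = []
    for pool in pools:
        if not pool.get("AllowUnauthenticatedIdentities"):
            continue
        pool_id = pool["IdentityPoolId"]
        role_arn = pool.get("Roles", {}).get("unauthenticated")
        if role_arn is None:
            # Guests get an identity id, but GetCredentialsForIdentity fails
            # without a mapped role: a config smell rather than live exposure.
            issues, severity = ["guest access enabled but no unauthenticated role is mapped"], "warning"
        else:
            issues = trust_policy_issues(pool_id, trust_by_role_arn[role_arn])
            severity = "critical" if issues else "warning"
        findings.append({"pool_id": pool_id, "name": pool.get("IdentityPoolName"),
                         "unauthenticated_role": role_arn, "severity": severity,
                         "issues": issues})
    return findings


def collect_from_aws(region):
    """Live collection with boto3 (imported lazily so the logic above runs offline).
    Needs cognito-identity List/Describe/GetIdentityPoolRoles and iam:GetRole."""
    import boto3
    ci = boto3.client("cognito-identity", region_name=region)
    iam = boto3.client("iam")
    pools, trust = [], {}
    for page in ci.get_paginator("list_identity_pools").paginate(PaginationConfig={"PageSize": 60}):
        for summary in page["IdentityPools"]:
            pool_id = summary["IdentityPoolId"]
            pool = ci.describe_identity_pool(IdentityPoolId=pool_id)
            pool["Roles"] = ci.get_identity_pool_roles(IdentityPoolId=pool_id).get("Roles", {})
            pools.append(pool)
            for arn in pool["Roles"].values():
                role = iam.get_role(RoleName=arn.rsplit("/", 1)[-1])["Role"]
                trust[arn] = role["AssumeRolePolicyDocument"]  # boto3 returns it decoded
    return pools, trust


# ---- constructed sample data (not real pools or roles) -----------------------
POOL_OK = "us-east-1:aaaaaaaa-0000-4000-8000-000000000001"
POOL_LOOSE = "us-east-1:bbbbbbbb-0000-4000-8000-000000000002"
POOL_CLOSED = "us-east-1:cccccccc-0000-4000-8000-000000000003"
ROLE_OK = "arn:aws:iam::123456789012:role/MobileGuestRole"
ROLE_LOOSE = "arn:aws:iam::123456789012:role/KioskGuestRole"


def guest_trust_policy(pool_id, pin_to_pool):
    """Trust policy in the shape the Cognito console generates for a guest role,
    optionally without the aud pin (the misconfiguration we want to catch)."""
    cond = {"ForAnyValue:StringLike": {f"{COGNITO_PRINCIPAL}:amr": "unauthenticated"}}
    if pin_to_pool:
        cond["StringEquals"] = {f"{COGNITO_PRINCIPAL}:aud": pool_id}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": COGNITO_PRINCIPAL},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": cond}]}


SAMPLE_POOLS = [
    {"IdentityPoolId": POOL_OK, "IdentityPoolName": "mobile_app",
     "AllowUnauthenticatedIdentities": True, "Roles": {"unauthenticated": ROLE_OK}},
    {"IdentityPoolId": POOL_LOOSE, "IdentityPoolName": "store_kiosk",
     "AllowUnauthenticatedIdentities": True, "Roles": {"unauthenticated": ROLE_LOOSE}},
    {"IdentityPoolId": POOL_CLOSED, "IdentityPoolName": "employee_portal",
     "AllowUnauthenticatedIdentities": False, "Roles": {}},
]
SAMPLE_TRUST = {ROLE_OK: guest_trust_policy(POOL_OK, True),
                ROLE_LOOSE: guest_trust_policy(POOL_LOOSE, False)}


def demo_findings():
    return audit_identity_pools(SAMPLE_POOLS, SAMPLE_TRUST)


if __name__ == "__main__":
    for f in demo_findings():
        print(f["severity"].upper(), f["pool_id"], f["unauthenticated_role"],
              "; ".join(f["issues"]) or "guest access enabled: review the role's permissions")
```

Every guest-enabled pool is reported as at least a warning, since what the guest role can do still needs a human look; a role whose trust policy is not pinned to the pool is raised to critical because it can be assumed through any identity pool, not just the one being audited.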
Once enabled, these attributes are added to entities and can be used to filter and sort search results.
Password Last Set is now supported as a default attribute for AD User entities, containing the timestamp when a password was last set.
Snowflake: Entities now include the "Comment" attribute containing optional descriptions on Snowflake Role, User, Database, Schema, Table, and View objects.
Administration: Integrations on the Configurations page now indicate the running sync or parse job status (such as "Waiting for Parsing").
Detailed status info now shows the completed and current job steps (such as "Gathering Users" or "Gathering Roles") and the total number of gathered entities.
An icon next to the Data Source status indicates when you can click a label for more details.
Rules can now trigger Alerts when there are changes to Over Provisioned Score (OPS) in the associated query's results.
Alerts will now include more details for entities with OPS changes.
Dashboards on the Home page have had a visual refresh. Each tile now shows results and changes for all sections in the report.
Dashboards show trends and change over time, customizable by setting the Time Range to the past week or month.
The Access Search > Saved Queries page now offers query search by keyword, label, or integration. Users can now mark any Saved Query as a violation from an extended Actions dropdown menu.
AWS EC2 Instances are now shown on the left when searching relationships to other resource entity types (such as AWS S3 Bucket) in Authorization Graph for improved visualization of resource-type entities acting as principals.
Early Access: Users can now add Rules directly from Veza Saved Queries and the Query Builder. When enabled:
An enhanced Saved Queries page replaced the Rules page. Saved Queries now include Rule details and a streamlined Create Rule wizard. Users can now optionally add it to Reports or create a Rule when saving a query.
Saved queries will have an additional option Actions > Configure Alert Rule. The Alerts page includes an overview of recently-triggered rules.
Workflow owners can now specify an exact deadline when selecting Certification deadlines (in addition to a general calendar date).
Workflow creators can now include or exclude from certification results relationships that involve nested entities. These might include roles assumed by another role, or groups belonging to a parent group.
When enabled, Show Assumed Entities Types is an option under Advanced Options > Relationship Options when the query source or destination (such as Snowflake Group or AWS IAM Role) can be nested.
Certifications on mobile devices now allow acting on a full page of results. Reviewers can now choose several items to approve, reject, or sign off with a single action.
Reviewers can now apply pre-configured filters to Show Undecided Items and Only Show Signed Off Items found under Certification Filters > Saved Filters.
Clicking Permissions, Concrete Permissions, or Reviewers for a Certification result row lists all the values for that field.
When acting on several certification items with Bulk Actions, Reviewers can now apply any action, whether or not the action applies to the selected rows. Any result the decision can't apply to is skipped.
Unified views for Tagging: Veza Tags, AWS Tags, Google Cloud Tags, Google Cloud Labels, and Google Cloud Tag Ids now reside in the Data Catalog.
Updated color theme and palette across Veza.
Updated charts throughout the UI for improved visualization.
Overview of major changes and enhancements in 2023.5.x releases
Analysis for users, groups, and roles (Early Access): Veza users can use a new Access Intelligence > Analysis page to inspect individual identities, groups, and roles.
The streamlined search interface offers ways to build simple queries for everyday IGA tasks, by picking an entity and choosing the analysis to run. Depending on the chosen entity (e.g. User), Analysis provides the ability to:
Find all groups a user belongs to or the roles they can assume.
Find all the users or groups that are members of a group.
Find the users or other roles capable of accessing a role.
You can further alter search parameters, add rules, or set risk levels by opening the results of an analysis in Query Builder.
Extended historic data for risk trends: You now choose to visualize data for the “Past 6 Months” or “Past Year” when viewing changes for risks over time.
New built-in report collections: Two new categories are now included on the Reports page, pre-filled with relevant insights into privileged access and cloud IAM settings. The report categories Privileged Access Dashboard and Cloud IAM Dashboard will appear for new users on their first login.
Notes for risk exceptions: It’s now possible to add context and details with an optional message when setting one or more risk exceptions. Any existing notes now appear in an extra column when browsing lists of risks and exceptions.
Active Directory (AD): Users now have the email attribute, enabling filters on the email address associated with each user.
Azure AD: Azure AD Groups now have a greatly-expanded range of attributes available for filters, including group Classification, Description, Mail, onPremisesLastSyncDateTime, and hasMembersWithLicenseErrors. The integration also collects the properties allowExternalSenders, hideFromAddressLists, and hideFromOutlookClients for groups where securityEnabled is true.
AWS EKS: Veza can now gather metadata for EKS Services and EKS Clusters. Note that the integration now requires an updated policy that allows eks:ListClusters and eks:DescribeCluster. New saved assessment queries for AWS identify:
AWS EKS Clusters with public endpoint access
AWS IAM Roles with EKS permissions
AWS IAM Users with EKS permissions
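Two practical details sit behind the "EKS Clusters with public endpoint access" query and the policy note above: DescribeCluster keeps reporting publicAccessCidrs (by default 0.0.0.0/0) even when the public endpoint is disabled, so the CIDR list alone is a false signal, and a collector whose IAM policy only covers eks:List* will silently miss the DescribeCluster data that carries the endpoint settings. The following is an added example, not Veza's code, that classifies endpoint exposure from DescribeCluster output and checks a collector policy for the two required actions using IAM's wildcard semantics. The cluster records, policies and the Sid names other than "Lambda" are constructed for the example.

```python
"""Classify EKS API endpoint exposure and check that a collector's IAM policy
grants the EKS actions the release note requires.

Added example, not Veza's code. Cluster dicts follow the 'cluster' member of
boto3's eks DescribeCluster response; the clusters, policies and Sid names
below are constructed for this example.
"""
from fnmatch import fnmatchcase

REQUIRED_EKS_ACTIONS = ("eks:ListClusters", "eks:DescribeCluster")


def classify_endpoint(cluster):
    """Network exposure of one cluster's Kubernetes API endpoint.

    Only endpointPublicAccess decides whether the endpoint is reachable from the
    internet; DescribeCluster reports publicAccessCidrs (default 0.0.0.0/0) even
    when public access is off, so never key on the CIDR list alone. A public
    endpoint still authenticates callers: this is reachability, not authorization.
    """
    vpc = cluster.get("resourcesVpcConfig", {})
    public = bool(vpc.get("endpointPublicAccess", False))
    private = bool(vpc.get("endpointPrivateAccess", False))
    cidrs = list(vpc.get("publicAccessCidrs", []))
    if not public:
        exposure, severity = "private-only", "ok"
    elif "0.0.0.0/0" in cidrs or not cidrs:  # missing list treated as unrestricted (assumption)
        exposure, severity = "public-unrestricted", "critical"
    else:
        exposure, severity = "public-restricted", "warning"
    return {"name": cluster.get("name"), "exposure": exposure, "severity": severity,
            "public_cidrs": cidrs if public else [], "private_endpoint": private}


def missing_actions(policy, required=REQUIRED_EKS_ACTIONS):
    """Required actions that no Allow statement in `policy` grants.

    IAM action matching is case-insensitive with * and ? wildcards, so
    "eks:Describe*" covers eks:DescribeCluster. Deny statements, Resource and
    Condition elements are deliberately ignored (assumption: this is a coverage
    check for the collector role, not a full policy evaluator).
    """
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return [a for a in required
            if not any(fnmatchcase(a.lower(), p.lower()) for p in patterns)]


def collect_from_aws(region):
    """Live collection with boto3 (lazy import keeps the functions above offline)."""
    import boto3
    eks = boto3.client("eks", region_name=region)
    clusters = []
    for page in eks.get_paginator("list_clusters").paginate():
        for name in page["clusters"]:
            clusters.append(eks.describe_cluster(name=name)["cluster"])
    return clusters


# ---- constructed sample data (not real clusters or policies) -----------------
SAMPLE_CLUSTERS = [
    {"name": "prod-payments", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"]}},
    {"name": "ci-runners", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": False,
        "publicAccessCidrs": ["203.0.113.0/24"]}},
    {"name": "internal-tools", "resourcesVpcConfig": {
        "endpointPublicAccess": False, "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"]}},   # CIDR still reported, endpoint unreachable
]

# A collector policy from before EKS support, and the same policy with the
# "EKS" statement added (Sid name is an assumption for the example).
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Lambda", "Effect": "Allow", "Resource": "*",
     "Action": ["lambda:ListFunctions", "lambda:ListTags"]},
    {"Sid": "EKSPartial", "Effect": "Allow", "Resource": "*", "Action": "eks:List*"}]}
POLICY_AFTER = {"Version": "2012-10-17", "Statement": POLICY_BEFORE["Statement"] + [
    {"Sid": "EKS", "Effect": "Allow", "Resource": "*", "Action": "eks:Describe*"}]}


def classify_sample_clusters():
    return {c["name"]: classify_endpoint(c) for c in SAMPLE_CLUSTERS}


if __name__ == "__main__":
    for name, r in classify_sample_clusters().items():
        print(f"{r['severity']:8} {name}: {r['exposure']} {r['public_cidrs']}")
    print("missing before:", missing_actions(POLICY_BEFORE), "after:", missing_actions(POLICY_AFTER))
```

The severity split keeps "public but CIDR-restricted" separate from "public to the internet", which is usually the line between a ticket and an incident; `missing_actions` is the pre-flight check to run against the collector role after applying a release note like this one.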
Administrators can now specify relationships between IDP users and the local accounts those IDP users assume within an integrated system, using up to four different attributes.
Administrators can now disable the default IdP User > Local User mapping by email when adding a custom mapping for an integration.
Google Cloud (GCP): Administrators can now configure the integration to restrict KMS extraction based on service region.
Google Cloud cross-organization permissions (Early Access): The Google Cloud integration can now detect identities in one integrated Google organization with permissions on resources in another integrated Google organization. Please contact the Veza support team to enable cross-organization mapping with the most appropriate setting for your environment.
OneLogin: The integration now supports new entity types:
OneLogin Groups
OneLogin Roles
OneLogin Apps
Workato: A new OAA connector enables the discovery of Users, Roles, and Projects within a Workato Workspace.
Veza on Veza (Early Access): Admins can now configure a Veza integration from the Configuration page to enable Authorization Graph support for Veza domains, teams, roles, and users. New Saved queries are now available to identify deactivated and inactive Veza users.
Administrators can manage team and role assignments from a new Team Management page after enabling the feature.
We look forward to your feedback as we refine and improve collaboration and productivity for Veza users.
Certification progress bars: Reviewers and operators can now review key certification statistics within a collapsible summary, such as the Approved/Rejected status of all rows (or all assigned rows) and the total number of days since the certification started (or time remaining until the due date).
Access reviews for Veza platform users and permissions (Early Access): Operators can now create user access reviews on the Users, Teams, and Roles within your Veza domain using the built-in integration.
Left Sidebar consistency across Query Builder, Access Reviews, and Authorization Graph:
Collapsible search sidebar: Users can collapse the left sidebar on Graph, Query Builder, and AWF to get more width for smaller screens.
The time machine for selecting a graph snapshot is now part of the left sidebar instead of the top bar.
Usability improvements for Saved Queries:
Users can add labels to newly saved queries.
Users can now add more than one Alert Rule to newly saved queries.
Users can filter saved queries by query labels, integration, risk level, and severity.
Improved attribute filter usability:
Query Builder, Access Reviews, and Authorization Graph filters for dates are easier to read and more consistent throughout the UI.
A new filter operator enables checking if a property EXISTS.
Overview of major changes and enhancements in 2023.2.x releases
Veza-built OAA integrations are now available for Bitbucket and Jira Server.
The Oracle Fusion Cloud OAA integration now supports gathering permissions to resources.
OAA SDK enhancements now enable pre-loading Reports for Veza Insights. Veza-built reports are now included for the GitHub connector.
Our integration for Box.com provides the capability to gather Users, Groups, Roles, and Folders, and correlate local accounts with external identities from an Identity Provider (IdP) such as Okta or Azure AD. You can use Workflows, Search, and Insights to understand, manage, and control least-privilege access within a Box organization. A few sample user stories include:
Find Box Accounts with deactivated IdP identities or without a matching IdP user.
Find empty Box Groups with no Box Accounts as members.
Find Box Folders by IdP account region (such as users from external regions).
Find Box Folders accessible by external collaborators.
Find Box Users with admin privileges on Box Enterprise.
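The first two Box user stories above, and the custom identity mapping described earlier (matching IdP users to the local accounts they assume on up to four attributes, with the default email mapping optionally disabled), come down to one correlation routine. The following is an added example, not Veza's code: it matches local accounts to IdP users through an ordered list of attribute pairs, falls back to email only when asked, and reports accounts with no IdP user, with a deactivated IdP user, or whose key resolves to more than one IdP user. The record fields, the "active"/"deactivated" vocabulary and all users and accounts are constructed for the example.

```python
"""Correlate local application accounts with IdP users by ordered attribute
mappings (up to four), with an optional fallback to email, and report accounts
whose IdP user is missing, deactivated or ambiguous.

Added example, not Veza's code. The record fields, the status vocabulary and
every user and account below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class IdpUser:
    id: str
    email: str
    status: str                       # "active" or "deactivated" (assumed vocabulary)
    attrs: dict = field(default_factory=dict)


@dataclass
class LocalAccount:
    id: str
    email: str
    attrs: dict = field(default_factory=dict)


def _norm(value):
    """Case- and whitespace-insensitive key; empty values never match anything."""
    if isinstance(value, str) and value.strip():
        return value.strip().lower()
    return None


def correlate(idp_users, local_accounts, attribute_pairs, email_fallback=True):
    """attribute_pairs: ordered [(idp_attr, local_attr), ...]; the first pair
    that matches wins. Returns {local account id: finding dict}."""
    if len(attribute_pairs) > 4:
        raise ValueError("this example supports at most four attribute mappings")
    indexes = []
    for idp_attr, local_attr in attribute_pairs:
        index = {}
        for user in idp_users:
            key = _norm(user.attrs.get(idp_attr))
            if key is not None:
                index.setdefault(key, []).append(user)
        indexes.append((local_attr, index))
    by_email = {}
    for user in idp_users:
        key = _norm(user.email)
        if key is not None:
            by_email.setdefault(key, []).append(user)

    results = {}
    for acct in local_accounts:
        matches, matched_on = [], None
        for local_attr, index in indexes:
            key = _norm(acct.attrs.get(local_attr))
            if key is not None and key in index:
                matches, matched_on = index[key], local_attr
                break
        if not matches and email_fallback:
            matches = by_email.get(_norm(acct.email), [])
            matched_on = "email" if matches else None
        if not matches:
            finding, user_id = "no-idp-user", None
        elif len(matches) > 1:
            finding, user_id = "ambiguous", None   # never guess between IdP users
        else:
            user_id = matches[0].id
            finding = "ok" if matches[0].status == "active" else "deactivated-idp-user"
        results[acct.id] = {"finding": finding, "idp_user": user_id, "matched_on": matched_on}
    return results


# ---- constructed sample data (not real identities) ---------------------------
IDP_USERS = [
    IdpUser("okta|alice", "alice@example.com", "active", {"employeeNumber": "1001"}),
    IdpUser("okta|bob", "bob@example.com", "deactivated", {"employeeNumber": "1002"}),
    IdpUser("okta|carol", "carol.smith@example.com", "active", {"employeeNumber": "1003"}),
    IdpUser("okta|dave", "dave@example.com", "active", {}),
    IdpUser("okta|erin", "erin@example.com", "active", {"employeeNumber": "1005"}),
    IdpUser("okta|erin2", "erin.contractor@example.com", "active", {"employeeNumber": "1005"}),
]
LOCAL_ACCOUNTS = [
    LocalAccount("box:alice", "alice@example.com", {"employee_id": "1001"}),
    LocalAccount("box:bob", "bob@example.com", {"employee_id": "1002"}),
    LocalAccount("box:cjones", "carol.jones@example.com", {"employee_id": " 1003 "}),  # renamed
    LocalAccount("box:dave", "Dave@Example.com", {}),
    LocalAccount("box:erin", "erin@example.com", {"employee_id": "1005"}),
    LocalAccount("box:backup-svc", "box-backup@example.com", {}),   # service account
]
MAPPING = [("employeeNumber", "employee_id")]


def correlate_sample(email_fallback=True):
    return correlate(IDP_USERS, LOCAL_ACCOUNTS, MAPPING, email_fallback)


if __name__ == "__main__":
    for acct_id, r in correlate_sample().items():
        print(f"{r['finding']:22} {acct_id} -> {r['idp_user']} (via {r['matched_on']})")
```

Attribute matches are tried before email so that an account whose mailbox was renamed (box:cjones) still resolves to its IdP user, while a key shared by two IdP users (box:erin) is reported as ambiguous rather than silently resolved through the email fallback; turning the fallback off is what turns an email-only match such as box:dave into an orphan finding.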
A new Veza integration enables discovery of Users, Groups, ACL Rules, and Roles for ServiceNow SaaS applications. The integration can:
Correlate your corporate identities from an IdP like Okta or Azure AD with ServiceNow local accounts to ensure access complies with security policies.
Search & visualize relationships between ServiceNow Users and Groups, and Access Control Lists (ACLs) using Authorization Graph and Query Builder.
Audit ServiceNow ACL Rules by activity status, scope, date created, or allowed operation.
The Veza Dashboard now offers support for additional risk tiles, now shown across several pages when more than six reports are in the Dashboard Reports category. Access Control Risks tiles can now be removed directly from the primary Veza dashboard.
A new Access Intelligence > Reports landing page provides ways to organize reports into user-defined categories. The new Reports page can be filtered by label and integration type.
The Report Library now includes creation dates along with the option to Clone reports and filter by report label or integration.
Configuring Reports is now significantly easier with an improved Edit Mode, with new sections and privacy settings. An improved Add Query menu makes it easy to find queries based on a search term, label, or integration.
New queries for Snowflake, AWS, Google, GitHub, Salesforce, Azure, and SharePoint are added to Saved Queries and Veza reports.
Certifications can now have a draft or published (in progress) status, allowing creators to validate results and settings, and assign reviewers before the certification is public. Drafts are highlighted when viewing workflow certifications, with the option to Publish.
Workflows and certifications have received significant performance improvements for all users:
For Admin & Operators:
Workflows Page: 2x faster loading speed.
Reviewer Auto-Assignments: 3x improved performance for creating certifications.
For Access Reviewers:
Single Operations: 5x faster loading times for page loading, filtering, and smart actions.
Concurrent Operations: 2x faster row updates and 20x faster loading, filtering, and smart actions with 50-100 active users.
Overview of major changes and enhancements in 2023.4.x releases
Salesforce SaaS Misconfigurations: A new Salesforce Misconfigurations report offers insight into common identity risks for SFDC. The queries in this report can be customized or used out of the box, including:
Salesforce Users not tied to an identity provider
Salesforce Organizations without organization-wide MFA enabled
Salesforce profiles that bypass organization-wide MFA
Salesforce Organizations with "poor" or worse Security Health Check Score
Salesforce security health check risks ranked high or medium risk
Salesforce Organizations without Setup Audit Trail enabled
Review all Queries with Risks and their results in Graph or Query Builder
Review all active Risks for all queries.
Sort by conditions such as time, total risks, and percent change.
Filter by query risk level, integrations, or labels.
View trending changes for the past week or past month.
Risks dashboard: The Veza landing page now includes an Access Risks Summary section with a trend chart and summary of all risks. Clicking a tile on the dashboard opens the Queries with Risks tab.
Risk exceptions: You can hide results that can't be acted on (such as built-in system roles) by adding exceptions. Marking a risk as an exception will prevent it from appearing as a risk in the future.
To manage exceptions for a single query on the Risks > Queries with Risks tab, click Manage Exceptions from the actions dropdown menu.
To manage exceptions for multiple risks, select one or more Risks and click Mark as Exception.
You can filter the Risks page to show entities marked as exceptions. A new column shows each risk's exception status.
Risks in Authorization Graph and Query Builder: Authorization Graph now highlights risks by default. Risks are highlighted yellow or red depending on the risk level.
You can toggle this setting under Display Options > Highlight Entities of Interest.
The Query Builder also now highlights risks by default. Results will have a Warning or Critical indicator next to their name to show the risk level.
Clicking on the risk level of a result in Query Builder now opens the Risks page with that entity selected.
Saved Query enhancements: You can now find built-in queries on the Saved Queries page with a filter on System Created: True or Created By: Veza.
Some pages and sections are renamed based on user feedback:
The Home page is now Dashboards.
The Access Intelligence > Reporting page is now Reports.
The Reports Library is now All Reports.
My Reports are now My Bookmarked Reports.
Report categories are now Collections.
Snowflake: Azure AD Users are now automatically mapped to Snowflake Local User accounts they can assume.
NetSuite: A new Veza-built connector enables the discovery of Users, Roles, and Role permissions for Oracle NetSuite with the Open Authorization API.
Tags in certification results (Early Access): Workflow creators can now include extra certification columns showing tags on source or destination entities. When enabled, reviewers can filter results by tag key and click on a tag key to see the value.
Single-action Approve and Sign Off (Early Access): When enabled, reviewers can now approve and sign off on certification results with a single action. Users can apply the combined decision using a Smart Action, the row actions dropdown, or a Bulk Action on a selection of results.
We're excited to announce that we are onboarding a new design team to enhance visual appeal and usability across our product. We have significant improvements planned over the coming months and want your input to ensure we are making changes to improve your experience.
We will be reaching out for user feedback sessions, user experience suggestions, and more. Your feedback is greatly appreciated, and we couldn't do this without you. Thank you for your continued support.
Overview of major changes and enhancements in 2023.1.x releases
Veza Insights has received a significant overhaul to make Veza assessments and reporting more digestible, actionable, and customizable for the needs of our key users - IAM admins, GRC teams, Security Engineering teams, and Data/App owners. Please see the latest experience at Veza Insights > Reporting.
Customizable report sections now drive the Access Risks dashboard on the primary Veza landing page. Veza users can add, remove, or customize queries in these reports, to filter and fine-tune the information shown to other users.
Veza users are now able to create private reports (only visible to owners), or publish the reports for other users and teams.
New assessment queries are added to Saved Queries and Reports for visibility into dormant users, service account access to cloud services and data systems, and many other privileged access risks.
Legacy queries now provide more relevant insights and take advantage of the newest search features.
Custom Attributes for Okta and Azure AD: Veza can now discover and search any custom security attributes organizations might use to enrich Azure AD or Okta user metadata. These Custom Properties to discover can now be specified when configuring a supported identity provider.
New Veza Built OAA integrations are now available to support Oracle Fusion Cloud and Coupa.
The Entities page is overhauled for improved navigation and performance. It's now significantly easier to review all entity types and discovered entities, including RBAC elements, such as Role Binding and Group Membership.
All search interfaces now have a more consistent layout for improved interoperability across Graph, Queries, and Workflows. Many more saved queries can now be opened in Graph.
The default date and time format is now a friendly relative description ("1 day ago", "2 hours ago"). You can click the date to view absolute timestamps for the local timezone or UTC.
Excluded and Required Entities: you can now filter results based on the existence (or absence) of related RBAC entities such as group, role, or service account. Entity types to include or exclude can additionally have attribute filters to further narrow results (for example, search all resource access that involves the 'Developers' group).
Query Builder searches (which can sort and filter results based on the number of related entities), now support the option to customize thresholds with an operator (such as greater than or less than) on grouped entity count.
You can now change the source entity when selecting an Effective Permission to explain in Graph. This can be helpful when the source is not as expected, or to inspect permission configurations for different source and destination pairs.
As part of our commitment to improving speed and ease of certifications, Workflows have received several enhancements around page loading, smart actions, and overall performance.
Note that the IAM policy for the AWS integration now includes the secretsmanager:ListSecrets action. You should update your IAM policy within AWS to avoid warnings, or edit the integration and choose Limit AWS Services > Secrets Manager.
All our latest Veza integrations can be found . If you don't see an integration that meets your needs, please reach out - we are building new integrations as fast as we can and would love to hear about your priorities.
Microsoft Azure PostgreSQL: Added support for .
Users, roles, and subsidiary resources.
Users, groups, and role membership information.
Users, roles, and permissions.
: Users, roles, and permissions.
Snowflake Tags: Tag discovery is now optional for Snowflake integrations. Note that additional permissions are required if using an for the integration. You can enable tag extraction by editing a Snowflake integration configuration.
An API for exporting audit logs and events is now in preview. Use the Audit Logs and Event endpoints to monitor system health, integrate events with other platforms, or audit user activities.
Review access for specific users (Early Access): It's now possible to list each user involved in a certification, and quickly open a new tab with just the results related to that specific user. When enabled, you can open the list of users and view their results by clicking Show Users > View Details.
AWS Lambda: The AWS integration now supports Lambda Functions as Authorization Graph entities, enabling Search, Tags, Workflows, and Rules for
Active Directory: Custom security attributes for AD Users are now supported and can be specified by property name and type when configuring an .
The permissions for the are updated to include the additional columns (only required if using an alternative database name for the integration).
You can now filter by inactive or active resources when viewing Over Provisioned Score (OPS) details for entities that support . It's additionally possible to toggle between viewing Effective and System permissions.
Graph, Workflow, and Query Builder now support regular expressions (regex) for attribute filters. Regex enables filters on properties matching one or more possible text patterns and complex "OR" conditions.
Authorization Graph Advanced Options (Early Access) now include toggles to show or hide relationships that involve such as IAM Roles and Local Groups.
Workflow creators can now always add Fallback Reviewers, used when rules prevent the assignment of the original user or when a manager does not exist for a certification result row. are now available.
Filter on Summary Entities (Early Access): Reviewers can now filter Certification rows based on the contents of the Summary Entities column, such as an intermediate entity's Name, ID, or Type.
Custom Identity Mapping enhancements: can now apply to more scenarios in which users from an integrated identity provider can assume local user accounts in other integrations:
Open Authorization API (OAA): OAA entities now have the Datasource Name as a filterable attribute.
Okta admin roles: The Okta integration now includes support for the Okta Role entity, enabling search and certification of built-in and custom administrator role assignments for Okta users. Please note that the integration now requires a token with the super admin role (upgraded from read-only admin) to collect the new entities.
Veza RBAC (Early Access): To enable federated usage of Veza for users beyond IT and Security teams, administrators can now create custom roles granting access to a limited scope of provider integrations, and a read-only viewer role for users.
List Events (API Preview): A new operation returns a list of Veza platform events, optionally filtered by category or severity.
Custom help pages (Early Access): Administrators can now use a to add splash pages for certification reviewers containing customized instructions for the workflow.
Insight Point from Veza can now be deployed as a Virtual Machine. An with vSphere 6.5+ and Oracle VM VirtualBox 6.0+ is now provided for customers.
Administrators can now decide what insights are most relevant to their teams, and customize the Veza Dashboard with fully-customizable .
To enable alternate reviewers to fulfill the responsibilities of managers who are out-of-office or otherwise unavailable, administrators can now assign alternate reviewers with a preview API.
Note: To enable the reports, you must update the for the Salesforce integration to include the View Health Check permission.
Introducing risks and risk levels: Instead of marking queries as Violations, users can now set a Critical or Warning risk level for saved queries. Results of queries with a risk level (Queries with Risks) appear on the Access Intelligence > Risks page for tracking and remediation. With , you can now:
GitHub Enterprise (Early Access): A new Veza-built integration enables the discovery of user, repository, team, and role entities and attributes for , with support for GitHub Enterprise Cloud and Server. Built-in Saved Queries for GitHub are now provided for customization and use in reports.
Saved Filters (API Preview): Reviewers can now pick from filters created using the .
Notification Templates (API Preview): A new preview endpoint is available for testing .
It's now possible to search and filter by Google Cloud - Workspace Group Membership and KMS and BigQuery Role Binding. These entities can be visualized using Explain Effective Permissions, or by changing the .
Certification results can now be reassigned to the appropriate resource manager, user manager, or fallback reviewer after certification begins (previously, this was only possible during certification creation).
To provide reviewers with quick visibility into inactive accounts, it's now possible to highlight certification results for dormant users. These can apply to a single certification, or all certifications for a workflow.