Veza Product Updates – April 2024

Welcome to the April product update! It’s been a busy spring for Veza as we welcome a new design team and grow the engineering and product teams to better respond to your needs.

This month includes several significant changes, including a refreshed experience for access reviewers, a detailed saved query view, new integration capabilities, and a range of enhancements across product areas. These are all intended to provide visibility and control over more potential scenarios, risks, and integrated systems, and improve the overall experience for new and experienced users.

We humbly welcome your feedback and are excited to share a summary of the latest changes. Please read on to learn more about the latest improvements for each product area:

Access Intelligence

• Enhanced Dashboards Design: For improved visual clarity, the Snowflake Data Governance and SFDC Access Security Dashboards now show individual tiles for each featured query. You can click any tile for an expanded view of the results over time or open the results in Query Builder.
• Query Pipeline: You can now use saved query filters to filter matching entities in the results of another query. Use combinations of attribute filters and saved query filters to create searches that can’t be specified using a single query, or to simplify a complex query by breaking it into sub-queries.
• Activity Monitoring for AWS: Activity Monitoring now supports overprovisioned scores for AWS IAM Users and Roles based on actual utilization of S3 Buckets and Secrets Manager Secrets. Veza also shows overprovisioned access for Okta Users to not only Okta Apps but also AWS-supported resources. See Activity Monitoring for AWS for steps to enable audit log extraction.
• Activity Monitoring – Last Activity w/ Resources Details: Query Builder now shows a Last Activity with Resource At column indicating when a principal last interacted with a resource. This optional column appears for Activity Monitoring Queries after enabling the Show {destination entities} option.
• Risks Usability: You can now filter and sort the Risks page by label or integration, and search by risk name or query name.
• EnhancedQuery Details View: Details for dashboard tiles and saved queries provide a streamlined view to analyze results, visualize trends, and understand risk and query details (Early Access).
  • Risk Insights: Refer to extended query and risk descriptions for additional insight into why the results matter.
  • Trend Analysis: Visualize changes over time for patterns and anomalies or export for use outside Veza.
  • Detailed Results View: Review the latest results and entity details, with familiar options to filter on any attribute and show or hide columns.

Access Visibility

• Authorization Graph – Show or Hide Indirect Access: You can now filter relationships where access is granted indirectly, such as by role assumption or membership in a child group. Use Advanced Options > Include Assumed [Intermediate Entity Type] to filter on source entities with direct access to the chosen entity type and exclude any relationships where a nested group or role is in the path between source and destination.
• Authorization Graph – AWS Unsupported Condition Icons: AWS entities in Graph search now have an icon to indicate if the Unsupported Condition property is True. This attribute shows when the relationship involves a policy statement unsupported by Veza’s effective permissions parser.
• Integration Last Extraction Time: All entities now have a Datasource Last Extraction Time attribute indicating when Veza last refreshed metadata for the host data source.
• Last Push Date for OAA Integrations: To enable queries and alerts based on the last metadata refresh for a custom application or identity provider, entity type groupings for OAA-based integrations (such as Custom Resource) now support filters on the Last Pushed At attribute.
• Query Builder – Filters: Attributes containing lists now support filters with Exists and Not Exists operators to identify results where these attributes contain any data or no data.

Access Reviews

• Enhanced Access Reviewer Experience: An updated access reviewer UX is now available in Early Access. We’ve responded to your feedback and simplified the interface to save time and simplify decision-making when rejecting or approving rows:
  • Simplified Review: We now hide any rows that are signed off or not assigned to the current receiver, making it easier to concentrate on pending tasks. Reviewers can switch modes to show unassigned rows whenever needed.
  • Improved Bulk Actions: Reviewers can now run bulk actions on the current filtered view or all of the rows in the review. Combined with filters, this offers an intuitive way to update rows based on specific criteria, replacing the old “Smart Action” experience.
  • Simplified Sign-off: Instead of signing off rows individually, reviewers can now select many rows and apply decisions with a single click. This change saves screen space and reduces the likelihood of users forgetting to sign off on decisions.
  • Visual Interface Improvements and Stats Display: Reviewer statistics and progress indicators are displayed more concisely, and we’ve cleaned up the interface for a sleeker presentation overall.
• Enrich with IdP/HRIS metadata: Reviews can now include information about the human resource information system (HRIS) employee profiles or identity provider (IdP user identities mapped to local users in the query results. For example, you can use this option to show details about Workday Workers associated with Okta Users when reviewing Okta User > Okta Application access (Early Access).
• Filter Enhancements: Reviewers can filter rows by attribute using multi-valued OR statements (such as Username is Value1 OR Value2 OR Value3).
• Scheduling Enhancements: When scheduling a recurring Access Review, you can now configure Automations and specify whether to use the current Authorization Graph data or the most recent snapshot.
• Link to Filtered Views: Reviewers can now copy a share link that includes the active filter settings, which apply when loading the URL.
• Tags in Access Reviews: For visibility into both provider-native tags and tags created in Veza, review configurations can include optional columns showing the tags applied to source and destination entities.
• Custom Help Pages: Administrators can now create specific instructions for reviewers using Help Page Templates. This instructional text appears when opening a review for the first time or after clicking the User Guide button.

Lifecycle Management

• Digest Emails: For better visibility into lifecycle management actions, admin users can opt into Provisioning Digests on their Profile page. These scheduled email notifications summarize successful and failed events for the day, week, or month.
• Provisioning Events: The Lifecycle Management activity log now includes a Changes Only toggle to filter on actions that resulted in changes in the target system.
• Action Scheduling: You can now configure provisioning and de-provisioning actions to trigger based on a target field such as “Hire Date” or “Termination Date.”
• Provisioning Targets: Added preliminary support for Salesforce and SCIM as targets for lifecycle management.

Veza Integrations

• BitBucket Cloud: New integration for discovering Bitbucket Cloud Workspace Projects, Repositories, Groups, Users, Roles, and Permissions.
• Palo Alto Networks: New integration for discovering applications, users, roles, and permissions for Palo Alto Networks Prisma SASE.
• Salesforce Roles: Improved visibility and added support for parent-child relationships between Salesforce User Roles in Graph search. An icon next to the entity name indicates when a role has hierarchical connections to other roles. Clicking a Salesforce User Role to View Hierarchy on the graph actions sidebar shows all related roles and the order of the hierarchy.
• Custom Identity Mappings: You can now define relationships between federated identities and local accounts they can assume, on an individual basis. Custom identity mappings now support Identity Matchers to correlate identities even if they do not match a mapping rule.
• Okta Incremental Updates: The Okta integration now supports incremental updates for faster extraction time and reduced traffic to Okta API endpoints. An Administrator will need to enable audit logs to activate this capability.
• Contained Resources for Okta Admin Roles: The Okta integration now creates Okta Constrained Resource and Constrained Resource Set entities to indicate the resources associated with each admin role.
• Salesforce Opportunities: Veza now supports Opportunity entities, representing potential deals in Salesforce. Our support team must enable this feature, which requires additional permissions for the Veza service principal.
• Snowflake Secondary Roles: Veza now collects the Default Secondary Role attribute for Snowflake Users. If using an alternate system database, you must drop and re-create the USERS to include the default_secondary_role column.
• Google Cloud Deny Policies: Effective permissions for Google Cloud Platform now account for Deny Policies, which prevent specified principals from using the denied permissions, regardless of other assigned roles. To support this capability, the GCP integration role requires new API scopes iam.denypolicies.get and iam.denypolicies.list.

Veza Platform

• Support User Access: Administrators can now grant the Veza support team temporary access by creating a limited Support User account.
• Administration APIs: Added new endpoints for creating and managing veza users and teams.
• User Management: You can now export the list of users and filter by team or role. The users list now shows assigned roles and user creation dates.
• Events: Password and multi-factor authentication resets now appear on the Veza Events page.
• SAML Single Log-out: Administrators can now copy the Veza single log-out URL when enabling SAML.

Product Design and Usability

Our design team is growing, and we have big plans for the months ahead. Key focus areas include a better new user experience, an improved integrations view, better dashboards, and improvements to Access Reviews and Lifecycle Management. Our latest work aims to improve navigation, design consistency, and usability throughout the product.

• Access Reviewer Experience: The new access reviewer UX simplifies the review process by focusing on pending tasks and enabling bulk actions. We’re also planning improvements for manager-oriented views and making it easier to view all access for a single user.
• Query Details: We’ve added a streamlined view for analyzing results in the Query Details view. This includes better visualization of trends and a simplified table view for inspecting and filtering entities in the results.
• Enhanced Dashboards: Redesigned home page Dashboards now feature individual tiles for each query. Users can expand these tiles to view detailed results over time, view details and results, or edit in the Query Builder.
• Upcoming: Revised design for Veza Integrations and Lifecycle Management