Welcome to the August 2024 product update! Last month’s releases featured a range of improvements across Access Visibility, Access Intelligence, and Lifecycle Management. These include Query Builder enhancements, support for new types of enrichment rules, and the introduction of role mining insights to identify potential security risks in AWS and Snowflake roles.
For Access Reviews, customizable notifications are now available to provide specific instructions when starting a review, as well as to prompt reviewers for confirmation when signing off on decisions. New integrations with popular systems like HiBob, ClickHouse, and Beeline, and improvements to existing integrations strengthen Veza’s support for modern infrastructure and applications. Additionally, we’ve implemented meaningful usability enhancements throughout the platform, all intended to make your tasks with Veza more efficient and intuitive.
See the sections below for more details about the changes, and please contact our team with your valued feedback and questions.
Access Intelligence
- Role Mining: Role mining is now available as a dedicated section of the Access Intelligence product. Currently provided for AWS and Snowflake, Role Mining provides quick insights into roles with the greatest blast radius, unused and rarely-used roles, deeply nested roles, and other potential risks. You can use these new insights for use cases including:
- Tracking roles with high blast radius, and preventing assignment of users to those roles.
- Cleaning up unused or rarely-used roles.
- Flattening roles hierarchy to reduce complexity and improve performance (particularly for Snowflake).
- Enrichment Rules for Privileged Access: You can now define specific combinations of permissions or resource access as “privileged,” by adding rules on the Integrations > Enrichment page. Veza now sets the built-in role attribute Is Privileged to True for entities that meet the conditions defined by these rules. Incorporating filters on this attribute enables insights, search, and access reviews focused just on high-priority roles, excluding roles that aren’t marked as privileged.
Access Visibility
- Query Builder: When applying a saved query filter (effectively using a subquery to filter an existing query), you can now search for potential candidates by risk level, integration, or query label. Click Filter Queries when adding a filter group to help find relevant user-created or out-of-the-box assessments, and use them to filter the current query results.
- Inherited Tags: Role binding entities and custom role assignments for Open Authorization API integrations can now inherit tags applied to their associated roles, enabling tag filters for integrations where users are not directly attached to roles. These Veza tags have the Veza Inherited tag type, used to identify tags derived from another entity.
Access Reviews
- Custom Review Disclaimers & Sign-Off Statements: Administrators can now customize optional prompts shown to reviewers, including messages shown when reviewers start a review or when they sign off on decisions. These messages might include review instructions, disclaimers, sign-off statements, attestations, or other guidance. The Custom Help Pages preview API has been extended to support these new message types, which can be enabled globally or for individual review configurations using markdown templates.
- Review Expiration Settings: Administrators can now elect to auto-reject unsigned off rows when a review expires, as a global setting or per review configuration.
- Reviewer Deny List and Delegate Reviewer Settings: Administrators can now manage reviewer deny lists and delegate reviewers directly from the Access Reviews > Settings page. Before, these settings were manageable only by API. API-based management of these settings remains unchanged.
Lifecycle Management
- Access Profiles: Users on non-root teams can now create and view Access Profiles.
- SCIM Support: SCIM integrations can now be enabled as provisioning or de-provisioning targets.
- Notifications: You can now configure email and webhook actions directly from the Notifications tab when creating or editing a policy.
- Policies: Lifecycle Management workflows now support changing the order of conditions when an action applies.
- Synced Attributes: When specifying the attributes to update for a target entity, you can now combine multiple transformations using pipeline functions.
- Activity Log Export: Lifecycle Management events can now be exported to CSV or PDF.
Integrations
New integrations
- Data Systems: Amazon Aurora PostgreSQL, ClickHouse
- SaaS Apps: HiBob, Beeline
Enhancements
- AWS Secrets Manager: Oracle Database and Apache Cassandra integrations now support assuming an AWS IAM role to connect to AWS Secrets Manager to retrieve credentials for database-level extraction.
- Microsoft Azure: Azure AD Users now have the Last Successful Login attribute.
- SCIM: Added support for authentication using OAuth 2.0 client credentials for SCIM integrations.
- SQL Server: Now gathers and shows user permissions on system databases such as
master,model, andtempdb. - Workday: Added support for hiding sensitive built-in Worker attributes by specifying Properties to Redact when configuring the integration. Hidden attributes appear as REDACTED in search result columns and Worker details.
- Orchestration Actions: You can now configure multiple Jira Orchestration Actions for the same host.
- SwiftConnect: Now indicates how Access Credentials are assigned by mapping Access Levels (roles) to Access Profiles (users).
- Open Authorization API: The Custom Application template now supports a Configured Permission entity, used to model the individual permissions configured for each local role in the application.
- Privacera: Added support for self-managed Privacera instances using a custom CA certificate and local URL.
Product Design and Usability
- Integrations: You can now edit an integration directly from the integration details view.
- Integrations: The last time a data source was updated is now shown in a column on the Integrations page.
- Manager Portal: The Direct Report dropdown on the Quick Review page now uses auto-complete to suggest users to filter by.
- Global Navigation Enhancements: You can now browse Veza products and features from a new global sidebar, which can be collapsed to focus on the current task. Clicking the navigation icon for each feature opens the primary landing page for Access Visibility, Access Intelligence, etc., with the option to open individual sections and features from links in the top bar.
- Graph Search: In Graph search, the Explain Effective Permissions sidebar action now shows the individual effective permission node and its mapping to corresponding system permissions.
- Lifecycle Management: From the Identity tab, you can now navigate directly to Graph search to show that entity’s relationships.
- Lifecycle Management: A toggle on the Integrations page can now be used to enable Lifecycle Management for any Open Authorization API-based integration.
- Query Builder: You can now apply a filter on any source or destination attribute by clicking the filter icon at the top of any Query Builder column.
- Query Builder: You can now use the Open in Graph option to search for destination entities when Show <Destinations> is enabled. Open in Graph is also now supported when Summary Entities are specified for the query and enabled in the results view.
- Query Details: Risk explanations can now use markdown for rich text formatting.
- Risks: Entity risk scores now appear red when the risk score exceeds 90.
