Schedule a demo
Open mobile menu
Back
CompanyProduct

Veza Product Updates – May

Veza

Welcome to the latest Veza product update! We’re eager to share this latest summary of new features, enhancements, and usability improvements introduced in recent platform updates.

Veza’s 2025.5 release includes enhancements for access governance, lifecycle management, and non-human identity security, helping you strengthen organizational security posture while streamlining identity operations and improving audit readiness.

Business Benefits

  • Enhanced Access Review Operations: New alerting options for reviewers, auto-assignment for NHI, role, and resource owners, and reviewer usability improvements help streamline review operations while making the review process more seamless for reviewers.
  • Enterprise Grade Lifecycle Management: New provisioning targets, enhanced attribute transformers, and configuration options for flexible and reliable identity lifecycle automation.
  • Expanded and Enriched Integration Coverage: New support for Atlassian provisioning, Zip platform integration, and enhanced cloud platform integrations to broaden your enterprise identity governance reach.
  • Improved Administrative Controls: Full Separation of Duties (SoD) exporting capabilities, and improved notification management provide administrators with greater operational visibility and control.
  • NHI Visibility and Lifecycle for the Enterprise: Identify sources of NHI risks across your environment with a new NHI overview and improved integration details view, along with enriched visibility for AWS KMS Keys (including discovery of key origin and rotation metadata).

Specific capability enhancements:

  • Access Reviews: Urgent digest notifications, enhanced email templates, and bulk decision management for improved reviewer efficiency.
  • Lifecycle Management: Atlassian provisioning, advanced date formatters, and transformer functions for more flexible identity management.
  • Access Requests: Secure requests with SSO re-authentication requirements and enhanced Access Profile management.
  • Separation of Duties (SoD): New SOC 1 and SOX compliance dashboards, full export capabilities for improved audit compliance and reporting.
  • Access Intelligence: Slack and Jira for Veza Actions, enhanced Veza Actions for ServiceNow, and easier Risk Score editing.
  • Veza Integrations: New Zip integration, enhanced Snowflake Row Access Policies support, and enterprise Windows Server deployment options, along with numerous integration enhancements.
  • Veza Access Visibility: New “Any” supertype for showing all access relationships for a user, and improved performance using Time Machine in Query Builder. You can now save queries that are currently executing.
  • Veza Access Platform: SCIM provisioning support, enterprise customization options, enhanced first-time user onboarding notifications, improved data pipeline performance, and Insight Point proxy capabilities for access in disconnected environments.
  • Consumer-Grade Product Design: New design updates for Dashboards, Query tiles, table views, Settings, and Access Hub in preparation for future design system, navigation, and search improvements.

Access Reviews

New Features

Alerts with Digest Notifications

Administrators can now enable immediate reviewer alerts alongside periodic digest notifications to ensure reviewers receive critical review notifications on a timely basis.

How to use it: Navigate to Access Reviews > Settings > Notifications and enable “Immediately notify reviewers about newly assigned reviews” when configuring Alerts. When enabled, reviewers will receive notifications within 1 hour for:

  • Any newly created reviews where rows are assigned to that reviewer.
  • Any reviews (regardless of the age of the review) where rows have been recently reassigned to the reviewer in the past hour.

Enable this setting when you have high-priority access reviews with critical completion  deadlines or scenarios where standard digest notification timing might delay reviewer actions. This feature complements existing review-level notifications settings so review your current review configurations to avoid redundant alerts.

Clear Decisions Across Multiple Rows

When working on assigned reviews, reviewers can now clear unsigned decisions for multiple rows at once. This provides greater flexibility when managing large review sets or correcting decision errors in bulk.

How to use it: Select multiple rows in a review where a decision has been made, but has not been signed-off. Then, choose the Clear decisions option to reset the decision on multiple rows at once. This can streamline review corrections when business requirements change mid-review or when bulk decisions need revision based on new information.

Enhancements

New Placeholder Options for Email Notification Templates

New placeholder options are available for improved readability and reduced clutter in notification emails. The following new placeholders will list all accepted and rejected rows, while excluding the full unique identifier for source and destination entities.

  • Available placeholders: {{REVIEW_ACCEPTED_REJECTED_ROWS_DATA_EXCLUDE_NODE_IDS}} and {{REVIEW_ACCEPTED_REJECTED_ROWS_DATA_WITH_NOTES_EXCLUDE_NODE_IDS}}

Use these to provide cleaner, more user-friendly notification content that focuses on business-relevant information while omitting node IDs. You can use the original placeholder in scenarios when multiple results can have the same name, and additional context is needed for differentiation.

Auto-Assignment for Entity Owners

Review auto-assignment now supports Entity Owners configured through the NHI interface, Query Builder, or Graph search, providing more flexible mechanisms for reviewer identification.

  • How it works: The system prioritizes Entity Owners when available, falling back to the legacy SYSTEM_resource_managers tag when no Entity Owner is assigned.
  • Assignment methods:
    • NHI Accounts Page: Select accounts from NHI > Accounts, click Assign Owner, and search for users
    • Query Builder: Run queries, select entities, and use Assign Entity Owners
    • Graph Search: Click entity nodes and use Set Entity Owners in the details sidebar

This enables automatic reviewer assignment based on actual resource ownership patterns rather than relying solely on tags. Entity Owners integrate with other Veza features and provide cleaner management than legacy tag-based approaches.

Lifecycle Management

New Features

Atlassian Provisioning

The Atlassian integration now supports full SCIM 2.0-compliant provisioning and deprovisioning capabilities, enabling enterprise-grade identity governance for Atlassian Cloud environments. The Atlassian Cloud supports the following applications:

Core Atlassian Cloud Applications:

  • Jira Cloud: A project management and issue tracking tool
  • Confluence Cloud: A collaboration and knowledge base platform
  • Bitbucket: A Git repository hosting service
  • Atlassian Cloud Admin: An administrator to manage multiple Atlassian cloud products and sites, centrally

Supported lifecycle actions:

  • Sync Identities for user creation and updates
  • Manage Relationships for group membership management
  • Deprovision Identity for secure account deactivation

Integration Requirements: Atlassian Cloud organization with SCIM enabled, admin API key, SCIM token with directory scopes, and product API tokens for Jira, Confluence, and Bitbucket

Enhanced DATE_FORMAT Transformer

An improved DATE_FORMAT attribute transformer now offers greater flexibility in formatting dates during identity synchronization. This enhancement allows for transformations such as:

  • Date arithmetic operations: Apply a specific duration to an existing date-based attribute, such as calculating the resulting date from adding 30 days to a user’s Workday hire date and subsequently writing it into an Extension Attribute on the user’s Active Directory account.
  • Format conversion: Converting standard date formats to specialized formats like the LDAP Z time/date format.

Like any other transformed attribute value, transformed dates using the DATE_FORMAT transformer can be written into target user account fields.

Use this transformer to ensure consistency across systems with different date formatting requirements. This feature can be particularly valuable for directory integrations that require UTC timestamps and integrate with other transformers using pipelines for complex workflows.

Transformer Functions for Trigger Conditions

Lifecycle Management now supports using transformer functions within SCIM filter conditions for both Workflow triggers and Action conditions.

  • Enhanced conditional logic: You can now apply transformers directly in SCIM filter expressions – {department | UPPER} eq “ENGINEERING” or {hire_date | DATE_FORMAT, “2006-01-02”} gt “2024-01-01”
  • Complex provisioning rules: Trigger conditions can implement decision trees based on transformed attribute values, such as conditional group assignments using {cost_center | SUB_STRING, 0, 2} eq “IT”
  • Dynamic workflow triggers: Enable workflows based on formatted data – {employment_status | TRIM | UPPER} eq “ACTIVE” for normalized status comparisons
  • Nested condition support: Use transformers in both root workflow conditions and sub-action conditions for multi-level decision logic

This enables dynamic provisioning decisions based on transformed attribute values, such as creating different account types based on formatted department codes, conditional group assignments using substring operations, or triggering workflows with normalized date comparisons for time-based automation.

Enhancements

Configurable Unique Identifiers

Administrators can now choose which attributes serve as unique identifiers for entities in Lifecycle Management operations (such as identity name or employee ID), ensuring that the intended entities are updated when creating and updating accounts.

  • Action-level configuration: Select unique identifier attributes in Sync Identity and Deprovision Identity actions, or within Common Transformers, to control how target users are located during Lifecycle Management workflows
  • Custom property support: When configuring custom property extraction for supported integrations, you can now designate custom properties as unique identifiers during integration configuration (e.g., organizational attributes like employee_id)

This flexibility accommodates organizations that use non-standard naming conventions, custom employee identifiers, or specialized directory schemas, without requiring data migration or attribute standardization.

Enhanced Target Attribute Autocompletion

The Edit Policy function now supports autocompletion for $target prefix references, making it easier to configure complex transformation chains and handle attribute dependencies. Real-time suggestions show available target attributes as you type, reducing syntax errors and improving discovery.

  • Cross-attribute referencing: Use $target.attribute_name syntax to reference previously transformed target attributes within the same workflow execution
  • Multi-step transformations: Create complex provisioning logic where later attribute transformations depend on earlier results – {$target.account_name | LOWER}@domain.com for email generation based on transformed account names
  • Workflow execution order: Attributes are processed in dependency order automatically, ensuring target references are available when needed during policy execution

This improvement streamlines the creation of provisioning workflows where attributes build upon each other, such as generating email addresses from transformed usernames, creating distinguished names from processed organizational units, or building complex identifiers from multiple target attribute results.

Access Requests

Enhancements

Access Profile Types without Entitlements

Administrators can now create a custom Access Profile Type that focuses solely on local user account creation, without the requirement to define specific entitlements, such as groups or roles.

  • How to use it: Use the Limit to a Single Integration > Create local user/account only checkbox when configuring an Access Profile Type.

This capability streamlines scenarios where the primary need is account provisioning rather than specific permission grants, such as basic system access or identity establishment workflows.

SSO Reauthentication for Sensitive Actions

Access Request actions can now require single sign-on reauthentication, adding an extra authentication layer for high-privilege or sensitive access provisioning decisions.

  • How to use it: Administrators can configure SSO reauthentication requirements in Access Request settings to require users to re-login with SSO before completing sensitive requests.

Note: Veza recommends implementing SSO reauthentication for requests involving administrative privileges, critical resource access, or other high-risk entitlements to prevent unauthorized access through compromised sessions.

Separation of Duties (SoD)

New Features

Summary Export Capability: The Separation of Duties overview page now supports Excel export functionality for the full list of SoD queries, allowing for offline analysis and improved reporting. This includes support for exporting either a summary report of all SoD queries, or a summary and full details for a selection of SoD queries.

  • Administrators and operators can now export the whole table view of all configured SoD queries, including last update details, risk levels, results, and SoD manager assignments for each query.
  • How to use it: Click Export Summary on the Separation of Duties overview page to generate the report.

Use exported SoD summaries for compliance documentation, executive reporting, and offline analysis of segregation patterns across your organization. Excel export can help support audit requirements and enable external analysis.

Access Intelligence

Enhancements

Configurable Rule-Based Review Launch Modes: Access Reviews triggered by Rules  now support flexible launch configurations to accommodate different review scenarios. When configuring the rule, you  can now choose to launch a single Access Review for the entire result set, or launch individual reviews for each entity in the query results. See the documentation for On-Demand Reviews for more details.

ServiceNow Actions Configuration: When configuring Veza Actions for ServiceNow integration, administrators can now specify Assignment Group and Configuration Item details for the tickets created. This enhancement improves integration between Veza risk identification and ServiceNow remediation processes, ensuring proper ticket routing and faster resolution times.

Use these fields to ensure tickets are properly routed and categorized within ServiceNow workflows, based on the systems and owners for this Veza Action.

SOC 1 Model Dashboard: We’ve introduced a comprehensive SOC 1 (Service Organization Control 1) model dashboard within Access Intelligence, providing a customizable framework for monitoring compliance across specific in-scope systems.

This template includes specialized assessment queries that organizations can adapt to their unique SOC 1 audit requirements, including:

  • Potential violations: Call-to-action queries for SSO bypass detection across Azure AD, Workday, Salesforce, Oracle Fusion Cloud, and Azure Blob Container; MFA policy violations; and password security gaps including DisablePasswordExpiration policy violations
  • Insights: User and access monitoring including privileged access patterns in Workday security groups, Oracle Fusion administrative roles, and GitHub repository security with risk-level classifications for branch protection violations​​

Organizations can leverage this model dashboard to build tailored compliance monitoring solutions that align with their actual SOC 1 audit scope, enabling continuous oversight of access controls and change management processes.

SOX Model Dashboard: A new Sarbanes-Oxley (SOX) model dashboard within Access Intelligence provides a framework for financial controls monitoring that organizations can customize based on SOX in-scope systems. This template includes customizable queries addressing SOX compliance requirements for publicly-traded companies, featuring:

  • Potential violations: Multi-platform SSO bypass detection across Okta, Workday, NetSuite, Coupa, and AWS; MFA policy violations; and password security gap identification requiring immediate attention
  • Insights: Privileged access pattern analysis, service account usage monitoring, change management controls validation, and financial application security assessments tailored for SOX Section 404 requirements

Veza Actions for Jira and Slack: Added support for triggering Jira and Slack notifications through Veza Actions and Alerts, enabling automated ticket creation and real-time alerts for security workflows.

Risk Score Editing: You can now adjust risk scores for individual entities by opening the risk details sidebar and choosing to either edit a contribution query’s risk level or omit the query from the entity risk score entirely.

“Any” Access Visibility: Query Builder search can now use the “Any” Entity Type Grouping, enabling more flexible queries showing the full range of user access.

Non-Human Identity (NHI) Visibility and Lifecycle

Enhancements

New NHI Overview Tab

The Non-Human Identity Security interface now features an improved Overview section, offering comprehensive summaries of priority integrations and discovered NHIs. Additionally, the details view for any integration now includes the total number of discovered NHIs per integration, count of entities with owners, count of entities without an owner, relationships to keys & secrets, and information about each entity type.

Use this enhanced overview to quickly identify sources of NHI risks across your environment and navigate directly to relevant entities for review and remediation.

Improved visibility: The new summary view includes top integration types with clickable tiles that open the Accounts tab to show specific entities, risk scores, assign owners, and initiate Veza Actions.

Veza Integrations

New Integrations

Zip: New integration for discovering users (including email, active status, managers, department), groups, and roles within the Zip procurement orchestration platform. Required permissions: ReadOnlyUsers, ReadOnlyGroups, ReadOnlyRoles, API access. Follow the Zip integration documentation to create an API key with read-only access.

Integration Enhancements

  • Jira for Veza Actions: Added backend support for triggering Jira notifications through Veza Actions, enabling automated ticket creation for compliance workflows.
  • Slack for Veza Actions: Added backend support for triggering Slack notifications through Veza Actions, enabling real-time alerts and communication for security events.
  • Snowflake: The Snowflake integration now supports discovery of Row Access Policies, providing visibility into fine-grained access controls within Snowflake environments. Row Access Policies are a Snowflake Enterprise Edition feature for dynamic row filtering based on user roles and privileges. Integrations using alternate system databases will need to update views to include required metadata for Row Access Policy discovery.
    • Supported functions: CURRENT_ROLE(), CURRENT_USER(), IS_APPLICATION_ROLE_IN_SESSION(), IS_ROLE_IN_SESSION()
    • Supported operators: =, <>, IN, NOT IN
    • Graph relationships: The integration now creates RECEIVES_UNMASKED_DATA_FROM_ROW_ACCESS_POLICY edges between users/roles and policies in Snowflake
  • Windows Server: Improved enterprise deployment capabilities, including shared configurations, silent MSI installation, and deployment guidelines for per-machine Team API keys with a narrower scope than standard API keys.
  • Google Cloud Platform: Veza now extracts and displays Google Workspace Roles in the Access Graph, providing enhanced visibility into Google Cloud IAM patterns. Google Workspace administrative and custom roles are now available for analysis, access reviews, and governance workflows.
  • HiBob: The HiBob integration now supports custom property extraction and custom identity mapping configurations. You can enable custom identity attributes when configuring the integration for use in search and Lifecycle Management workflows, and custom mappings to external identity systems.
  • Concur: The Concur integration now supports Role Groups as scoping mechanisms, providing visibility into role application limitations. Role groups appear as custom properties on role assignments, with global roles marked for identification.
  • Salesforce: The Salesforce integration now allows the extraction of only IAM data, eliminating the need for additional object type selection. Set the “Enabled Salesforce Object Types” in the integration configuration to focus on identity and access data when additional business objects aren’t required.
  • AWS KMS Enhanced Attributes: Added support for additional AWS KMS key attributes, including `Origin`, `KeyManager`, `KeySpec`, `KeyUsage`, `Next Rotation Date`, and `Rotation Period`. This searchable KMS key metadata enables queries for key lifecycle management and rotation compliance monitoring.
  • Teleport: The Teleport integration now extracts SAML group-to-role mappings, providing visibility into federated access patterns. Understanding SAML group mappings enables better governance of federated access and role assignment patterns.

Table of Contents

    Related Posts