Veza Product Updates – September 2024

Welcome to the September product update! The past month featured a range of enhancements and new features across Veza’s products with highlights including:

  • Advanced Access Intelligence: Enhanced enrichment rules (privilege permissions, non-human identity entities, and more).
  • Access Portal: A new details tab shows user access and permissions to individual resources. This is part of the Advanced Access Intelligence product.
  • Access Reviews: New Quick Builder for fast and simplified review configuration, digest notifications, multi-level review and sign-off support, and new role and group analytics for reviewers.
  • Lifecycle Management (LCM): Additional actions for workflows including removing personal devices from Intune and initiating email and webhook-based actions as part of a workflow to trigger external onboarding or offboarding processes, and improved logging and event exports.
  • Veza Integrations: New integrations for Oracle JD Edwards EnterpriseOne (JDE), Oracle E-Business Suite (EBS), Teleport, Microsoft Intune, and Microsoft Power BI bring the total Veza integrations to 250+.
  • Veza Platform: Introduced team-based API keys and the ability to map federated identities and roles for Veza teams during single sign-on.

Please read on for more details about specific changes in each product area, and reach out to your Veza representative with any questions or feedback.

Advanced Access Intelligence

Major Enhancements to Enrichment Rules

  • Enrichment rules allow you to identify important entities, such as privileged roles, critical resources, and non-human identities by applying special attributes, which you can use to create queries, define rules and risks, and scope access reviews. The criteria for enrichment can include attributes (such as a naming convention for non-human service accounts), specific access granted by a role, or a particular relationship between entities.
  • Now Available for Critical Resources: Administrators can define enrichment rules to distinguish resources by criticality level using the Integrations > Enrichment page. Based on these rules, resource-type entities will now have the built-in attribute Criticality Level set to low, medium, high, or critical.
  • Now Available for Custom Integrations: Enrichment rules for identifying privileged roles, critical resources, and non-human identities now support custom integrations built with Open Authorization API (OAA).
  • Improved Enrichment Rule Administration: It’s now possible to disable enrichment on a per-rule basis. Once you disable a rule, the enriched entity attributes are removed. For example, if an enrichment rule marks a particular Snowflake Role as privileged by setting the Is Privileged attribute to True, the attribute will be empty if the rule is disabled.

On-Demand Reviews

Users can now set up Rules using saved queries to trigger one or more on-demand reviews, using the specified review configuration, duration, reviewers, and optional second-level reviewers and review intelligence rules. You can enable on-demand reviews for an existing query on the Save Query > Create Rule tab.

Access Intelligence

  • Scheduled CSV Export via Email: You can now schedule query exports with the option to Export to CSV in Email with Secure Link (supplementing the original option to export query results to an external database). The recipient will receive an email at the scheduled intervals, containing a link to log in to Veza and download the table of results.
  • Access Portal – Resource Details View: When viewing access for a direct report, managers can now use the My Access > Resources tab to see the individual resources and details, including the effective permissions for each resource. Selecting a resource type on the My Access > Overview summary now opens the Resources tab filtered on that resource type.

Access Visibility

  • Intermediate Group/Role Attributes in Query Builder: For queries using the Summary Entities option to show relationships between intermediate roles, groups, or other entity types in the path connecting a query source and destination, results now include columns showing the attributes of each intermediate entity. You can show or hide these column groups using the column selection dropdown menu, with any visible columns included in query exports.
  • Improvements for Entity Type Groupings: Queries that use an entity type grouping (such as User or Resource) as the source or destination now return all properties on entities within the selected grouping (previously, only name, id, and type were included in results). Tag filters can now be applied to entity type groupings, and will apply to entities of all types with a matching tag.
  • Enhanced Tags in Query Builder: You can now choose individual source or destination tag keys to show and export in dedicated columns, supplementing the original Include Source/Destination Tags option to return all tags in a single column.
  • Performance Enhancements: Improved performance when loading dashboards and selecting related entity types for users from custom applications.

Access Reviews

  • Review Digest Notifications: Digest notifications can now be enabled for Access Reviews. When enabled, reviewers will get a single, consolidated notification message reminding them of outstanding reviews to complete. Administrators can control the frequency at which reviewers receive digest notifications.
  • Review Configuration Quick Builder: Administrators can now quickly define the scope of a review configuration using a simplified Quick Builder to choose from a list of applications and common review scenarios. The builder currently supports Active Directory, Entra ID (formerly known as Azure AD), SharePoint, Okta, Salesforce, Snowflake, AWS, and NetSuite.
  • Result Enrichment for Access Review Rows: When enabled in a review configuration, enrichment metadata from an IdP or HRIS provider is now included in API responses and webhook payloads. Any tags on source and destination entities are also included if the Show Tags option is enabled.

Advanced Access Reviews

  • Multi-Level Approval and Sign-Off: Administrators can now configure multiple levels of review when creating new access reviews. When enabled, two levels of review and sign-off must finish before decisions for rows in the review are considered final.
  • Role and Group Analytics: Access Reviews now support analyzing the entitlements granted by destination groups/roles when reviewing user-to-group and user-to-role assignments. In the reviewer’s interface, you can now inspect each accessible resource, including the risk level, any permissions, and recent access status, by expanding a row in the sidebar and opening the Details tab.
  • Review Intelligence Rules: Administrators can now configure rules to highlight rows or suggest default approve or reject decisions using a new `display_style` action for the Automations API.

Lifecycle Management (LCM)

  • De-Provisioning Actions: Added support for removing Intune personal devices when de-provisioning Azure AD users.
  • Notifications and Webhooks: Administrators can now configure email notifications and webhooks for individual actions in a workflow, in addition to email and webhook settings for the parent policy.
  • Identities: The Identities table for viewing details and events for individuals is now part of the top navigation and is no longer shown within the policy view.
  • Event Logs: Administrators can now use the Workflow Tasks table to view full details for workflows executed on an identity.
  • Event Export: Events shown in the Activity Log can now be exported to CSV or PDF.

Veza Platform

  • Team API Keys: Added support for API keys for non-root teams.
  • Sign-in Settings: Added support for configuring team-role mappings for SAML single sign-on (SSO).

Veza Integrations

New Integrations

  • Oracle JD Edwards EnterpriseOne (JDE): New integration for gathering Oracle JDE users and roles.
  • Oracle E-Business Suite (EBS): New integration for visibility into IAM entities (users and responsibilities), Actions (functions and concurrent programs), and Resources (such as ledgers and operating units) within EBS.
  • Adobe Creative Cloud: New integration for gathering users and groups in Adobe Creative Cloud Enterprise accounts.
  • Teleport: New integration for gathering Teleport users and their assigned roles, providing visibility into which users can take privileged actions in Teleport such as accessing cluster resources, administering trusted devices, or reviewing access requests.
  • Microsoft Intune: The Microsoft Azure integration now supports Microsoft Intune as an optional service. Veza will discover and map Managed Devices and Role Assignments to corresponding Azure AD (Entra ID) identities, with support for retiring Intune-managed devices during Lifecycle Management workflows.
  • Microsoft Power BI: New integration providing visibility to Users, Roles, Permissions, Groups, and Workspaces for Power BI.

Enhancements

  • Open Authorization API (OAA): Applications modeled using the HRIS OAA Template now support Custom Identity Mappings to correlate employee records with application users.
  • Jamf: Administrators can now configure the Jamf integration using a custom URL and port for connectivity.
  • Privacera: The Privacera integration now supports configuring a signed CA certificate and a custom Privacera instance URL.
  • Workday: Administrators can now enable the option to skip extraction of inactive Workday Workers.
  • Microsoft SharePoint: Added support for limiting extracted SharePoint Sites.
  • Google Cloud: Added support for configuring Workload Identity Federation for integration connectivity, as an alternative to using service account keys.

Product Design and Usability Enhancements

Global Navigation Enhancements (Early Access)

You can now browse Veza products and features from a new global sidebar on the left side of the screen. The sidebar can be collapsed to focus on the current task, and it features updated visuals to better align with Veza’s public branding.

  • Clicking an updated navigation icon opens the primary landing page for Integrations, Access Intelligence, Access Reviews, and other top-level products, with the option to open individual sections and features from links in the top bar.
  • These changes are part of our ongoing initiatives to enhance the Veza user experience. Please reach out to our support team to enable the new user experience, which will be rolling out to select customers over the coming weeks.

Access Visibility Improvements

  • Graph Zoom In/Out with Keyboard & Mouse Gestures: Graph search now supports zooming in and out by holding CMD/CTRL and scrolling, using Pinch Zoom, and using the keyboard +/- keys (press 0 to reset). Scrolling the results view is now possible using keyboard arrows.
  • Enhanced Saved Queries Browsing Experience: After paginating to the 3rd page of Saved Queries and clicking into a query on that page, the browser’s back button now opens the last visited page (instead of directing back to the first page of saved queries).
  • Descriptions for Entity Type Groupings: Users can now get a description of the selected entity type grouping by hovering over an info icon.

Access Intelligence

  • New Home Page for Access Intelligence: The Analytics overview is now the default landing page when navigating to Access Intelligence. Use this page to review a summary of all the entities Veza has discovered, get insight into top data sources, and review total risks, rules, and alerts for each integration.
  • Remediations Details on the Risks Page: The Queries With Risks page now has a Remediation column indicating Yes when the risk has a remediation available. Clicking on the link opens the remediation details in a sidebar.
  • Risk Score Details in Access Search: Risk Scores shown in Graph search are now clickable, opening the risk score details for more information about the associated risks.
