EmpowerID 2021 adds several major new product features and usability enhancements.

## New Features

### EmpowerID Microservices

As part of its ongoing platform redesign to transform EmpowerID from a single monolithic application into a loosely coupled, but well-integrated suite of small services, this release of EmpowerID offers several new microservices, My Tasks and My Identity, as well as an updated IT Shop.

#### My Tasks Microservice

The My Tasks microservice provides a central location from which users can view the status of their access requests, make and respond to comments about those requests, and, in situations where they are designated approvers, approve or reject access requests submitted by other users. The My Tasks interface consists of several pages of task- and request-related information relative to the current user, presented in an easy-to-navigate single page application experience. The main pages are the My Requests page, the To Do page and the All page. Users navigate from page to page by selecting the desired page from menus prominently displayed at the top of the application.

The My Requests page displays access requests submitted by the user or by another user on their behalf. From this page, users can view the status of their access requests, see who the approver is and add comments about their request.

Figure 1: The My Requests page of the My Tasks application

The To Do page displays access request related tasks for which the user is an approver. From this page, users with the authorization to do so can make decisions about those tasks, add comments to them, and delegate them to others.

Figure 2: The To Do page of the My Tasks application

The All page displays all access request related information.
Figure 3: The All Requests page of the My Tasks application

#### My Identity Microservice

The My Identity microservice provides a central location from which users can view relevant information about themselves, create permanent delegations for the Business Request tasks for which they are an approver (routing those tasks to others for approval), and personalize the number and frequency of email notifications they receive about those business tasks. The My Identity interface consists of several pages of task- and request-related information relative to the current user, presented in an easy-to-navigate single page application experience. Users navigate from page to page by selecting the desired page from menus prominently displayed at the top of the application.

Figure 4: My Identity application

The My Identity interface includes a number of pages and features, including the following:
#### IT Shop Microservice

The IT Shop brings a familiar shopping cart experience to the access request process. Users simply search for the resources they need and add items to their cart. Managers may shop on behalf of their direct reports as part of the onboarding process. When the user is done shopping, they simply submit their request. The workflow engine determines from your organizational rules what approvals are needed, whether any policies would be violated, and who must approve each request or violation. All participants are kept informed by email notifications, and all requests, decisions and associated fulfillment actions are recorded and integrated into the audit process.

Figure 5: IT Shop application

### Eligibility Policies

EmpowerID offers a powerful policy engine to control which users may see and request which roles and resources in the IT Shop. These policies are known as “Eligibility.” Eligibility policies may apply to users by attribute query, role, group, or other criteria, making it easy to target who receives which policies and to have the assignment automated and maintained throughout their lifecycle. To further ease the administrative burden, Eligibility policies can be applied to all requestable items of a type by location, in addition to one-by-one. This allows policies to be broader, granting or excluding eligibility using the EmpowerID Location tree. For roles, eligibility policies can be applied to their members to control what those members may see and request in the IT Shop. Policies also apply to the role itself as a possible IT Shop item, to control who may see and request it.

Eligibility policies can be defined as either inclusion rules or exclusion rules. Inclusion rules define the items a user is authorized to see and request in the IT Shop and ensure these are only the ones that would make sense for them to request. An application example could be rules that filter the resources available to Field Sales employees and to developers.
The catalog of requestable roles and resources available to each of those employees should be different, to ensure that unwarranted access requests are not generated, creating unnecessary approval tasks. Additionally, inclusion and exclusion rules help organizations provide employees a more pleasant shopping experience, as they are shielded from

Inclusion rules include the following:
Figure 6: Eligibility Policy applied to a person

### Approval Flow Policies

When users shop for resources in the IT Shop, they put the resource items they are eligible to receive in their shopping carts. When ready, they submit the items in their cart to the EmpowerID system. These cart submissions are known as “Business Requests.” Each Business Request can contain one or more resource items, depending on the number of items in the user’s cart when it was submitted. The Business Request, including all the items in that request, routes for approval based on the configuration of Approval Flow policies. Approval Flow policies are user-defined policies that organizations can create to direct Business Requests through an approval process that can involve multiple levels of approval from numerous designated approvers before users receive the items in a Business Request (known as “fulfillment”). Organizations can craft Approval Flow policies that are as simple or as complex as their needs dictate. Approval Flow policies have a number of key components that can be configured to specify how this occurs.

Figure 7: Approval Flow view for a Business Request in the IT Shop

Approval Flow components include the following:
### Notification Policies

Part of the approval process involves notifications. Approvers and initiators of requests, as well as all delegated users, receive notifications of these events. As part of the redesign of the approval process, EmpowerID has reconfigured how notification occurs, giving organizations and users the ability to tailor the amount and type of notifications they receive to their personal preferences.

Figure 8: Notification Preference settings available to users in the My Identity application

How notifications now work in EmpowerID is as follows:
### Full FIDO2/WebAuthn support for Passwordless and Usernameless login

FIDO2 WebAuthn is a set of Web APIs that attempts to alleviate the problems users and organizations encounter when managing an ever-growing list of passwords. The problems are obvious: passwords can be compromised, and users can forget which password they use with which site. WebAuthn is a major step forward in that it uses public-key cryptography and digital signatures to enable passwordless authentication between servers, browsers and authenticators. WebAuthn can also be used as an additional MFA factor. To use FIDO2 WebAuthn with EmpowerID, you simply decide which flows you want to use, configure a few system settings, and apply the flow(s) to one or more targets. Targets can include Password Manager policies, applications, and individual users (EmpowerID Persons). EmpowerID supports the following WebAuthn flows:
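To make the public-key mechanism described above concrete, the Go program below is an added example written for this page; it is not EmpowerID code and does not use any EmpowerID API. It models one WebAuthn login ceremony end to end: the relying party issues a random challenge, the authenticator signs that challenge together with the origin and the relying-party ID, and the relying party checks every binding (challenge, origin, RP ID hash, user-presence flag, signature counter) before it trusts the signature. The RP ID `idp.example.com`, the origin, the 37-byte authenticator data layout with no extensions, and all type and function names are assumptions made for illustration; attestation, COSE key encoding and credential ID lookup are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

type (
	// Credential is what the relying party stores after registration.
	Credential struct {
		PublicKey *ecdsa.PublicKey
		SignCount uint32 // last signature counter seen from this authenticator
	}
	// clientData models the CollectedClientData fields checked below (assumed subset).
	clientData struct {
		Type      string `json:"type"`
		Challenge string `json:"challenge"`
		Origin    string `json:"origin"`
	}
	// Assertion is the authenticator's answer to a login challenge.
	Assertion struct {
		AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4, big endian)
		ClientDataJSON    []byte
		Signature         []byte // DER-encoded ECDSA signature over signedHash(...)
	}
)

// NewChallenge returns a fresh random challenge, base64url-encoded as the
// browser echoes it back inside clientDataJSON.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Register simulates registration: the authenticator mints a P-256 key pair
// and the relying party keeps only the public half.
func Register() (*ecdsa.PrivateKey, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &Credential{PublicKey: &priv.PublicKey}, nil
}

// signedHash is the WebAuthn signature base: sha256(authData || sha256(clientDataJSON)).
func signedHash(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// SignAssertion plays the authenticator side of the login ceremony.
func SignAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string, signCount uint32) (*Assertion, error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpIDHash[:])
	authData[32] = 0x05 // flags: user present (bit 0) and user verified (bit 2)
	binary.BigEndian.PutUint32(authData[33:], signCount)
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion plays the relying party: every binding (session challenge,
// origin, RP ID, user presence, counter) is checked before the signature.
func VerifyAssertion(cred *Credential, a *Assertion, rpID, origin, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("unexpected ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: stale or replayed response")
	case cd.Origin != origin:
		return errors.New("origin mismatch: response was produced for another site")
	case len(a.AuthenticatorData) < 37:
		return errors.New("authenticator data too short")
	case !bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]):
		return errors.New("rpIdHash mismatch: credential is scoped to another relying party")
	case a.AuthenticatorData[32]&0x01 == 0:
		return errors.New("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if count <= cred.SignCount && (count != 0 || cred.SignCount != 0) {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedHash(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("invalid signature")
	}
	cred.SignCount = count // persist state only after every check passed
	return nil
}

func main() {
	priv, cred, _ := Register()
	challenge, _ := NewChallenge()
	a, _ := SignAssertion(priv, "idp.example.com", "https://idp.example.com", challenge, 1)
	fmt.Println("first login:", VerifyAssertion(cred, a, "idp.example.com", "https://idp.example.com", challenge))
	fmt.Println("replayed:", VerifyAssertion(cred, a, "idp.example.com", "https://idp.example.com", challenge))
}
```

The order of the checks is the point of the example: the challenge check defeats replay of a captured response, the origin check means a signature produced on a look-alike site is worthless at the real one, the RP ID hash stops a credential registered for one relying party from being presented to another, and the counter check flags an authenticator whose key material has been duplicated. Only after all of that does the stored public key come into play, which is what lets a deployment such as the one described above drop the password entirely.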
### New Workflow Approval Routing Model

EmpowerID has enhanced the workflow approval routing process to give organizations more control over approvals. All workflows now have a new property called “Never Send for Approval,” and most workflows have that property set to true out of the box. When set to true, EmpowerID verifies whether the current person in the workflow process has access to perform the workflow operations. If the person has access, the workflow continues; if the person does not have access, EmpowerID notifies the person that they do not have access and the workflow exits. Approval routing never occurs. There are several benefits to this, including the following:
If the setting is false, the workflow must be configured with a Business Request Type and it will always go for approval, even if the person has access to execute the workflow operations. The Business Request Type property allows workflows to be classified for the purpose of providing greater flexibility in approval routing and the grouping together of related access requests. Rather than having a default approval routing that simply routes unrelated approvals to all users with the delegations to approve requests, organizations can use this property along with the new Access Request and Approval Flow policies to group related access requests into a single consolidated “approval bundle,” specify to whom approval tasks should go, and specify how many approvals must occur before fulfillment.

## Enhancements

### Redesigned Resource View Pages

The View pages that users see when looking at the details for a given resource have been completely redesigned to present users with a more visually appealing and intuitive experience. Figure 14 below shows the View page that users see when viewing information about a person in EmpowerID.

Figure 9: Person View page

### Workflow Studio Enhancements

#### Workflow Studio Deployment Service

The Workflow Studio Deployment Service is a new feature in Workflow Studio that replaces the legacy patching and batch build options that developers previously needed to perform when patching environments or compiling multiple objects. These options have been streamlined into a single deployment feature, making it easier and quicker to perform these types of operations. New deployment options include:
#### MSBuild Integration

MSBuild is the build platform for Microsoft and Visual Studio. Workflow Studio integrates with MSBuild to build any manifest items that have been developed in Visual Studio. This operation occurs behind the scenes; Visual Studio will not start up.

#### Redesigned User Interface

The Workflow Studio user interface has undergone a major revision to present users with a modern, cleaner look and feel.

Figure 10: Redesigned Workflow Studio

### New UI for Managing Application Role (Group) RBAC and Eligibility Assignments

RBAC and eligibility assignments to Application Roles (Groups) for Business Role and Location combinations and Management Roles can now be managed on the View pages for each of those resource types. Eligibility can be set to mandatory, pre-approved, suggested and eligible. Each eligibility type can have time constraints added to limit access to specific dates and times.

Figure 11: Access to Application Roles
This minor release includes several enhancements to the EmpowerID Policy-Based Access Control (PBAC) engine and the business request process to give organizations more options for controlling user access.

## Enhancements

### Policy-Based Access Control

Policy-Based Access Control (PBAC) is an access control model that combines the best features of RBAC and ABAC to allow organizations to make real-time decisions on whether users can access a given resource. These decisions are made on the fly based on whether the current user has one or more required attributes. These attributes can be brought into the system either through the inventory of PBAC rights in an external system, or by manually assigning them to any EmpowerID actor and application through attribute “tagging.” As any EmpowerID actor can be tagged with an attribute, the complexity behind crafting access control is simplified, and the resulting access control is auditable and more accessible to business users. See What is Policy-Based Access Control? for a deeper discussion of PBAC in EmpowerID.

### PBAC Membership Policies

PBAC Membership policies are policies you create to specify the conditions under which an EmpowerID actor, such as a person or a Business Role and Location, can be added to, or potentially added to, Management Roles, groups, Business Roles and Locations or Query-Based Collections. PBAC Membership policies are comprised of Attribute-Based Membership policies, which contain rules defining the field types, field type values and rights needed for the system to add users as members of the policy target. When the PBAC engine compiles PBAC Membership policies, it checks whether any EmpowerID actors have the attributes specified by the policy, adding them to the target of the policy if they do. See PBAC Membership Policies for an example of how to create and apply these types of policies in EmpowerID.
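As an added illustration of what a compile pass over attribute-based membership policies does, the Go program below is example code written for this page, not EmpowerID's engine or its data model. It tags a few constructed sample actors with field-type values and with rights inventoried from an application, defines two membership policies, and computes which actors land in each policy target. The actor, rule and policy structures, the right key format `Application/ResourceType/Right`, the conjunctive reading of rules and rights (every rule and every required right must hold), the target naming, and all sample names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Actor is any EmpowerID-style actor (a Person in this sample) carrying the
// attribute "tags" and the inventoried rights a policy can test. Assumed shape.
type Actor struct {
	ID     string
	Tags   map[string][]string // field type -> tagged values, e.g. "Department" -> ["Finance"]
	Rights map[string]bool     // inventoried rights keyed by RightKey(...)
}

// Rule is one attribute condition: the field type must carry one of Values.
type Rule struct {
	FieldType string
	Values    []string
}

// MembershipPolicy adds matching actors to Target. All rules and all
// required rights must be satisfied (assumed conjunctive semantics).
type MembershipPolicy struct {
	Name           string
	Target         string // e.g. "ManagementRole:Finance Invoice Approvers"
	Rules          []Rule
	RequiredRights []string
}

// RightKey builds the key under which an inventoried right is stored (assumed format).
func RightKey(app, resourceType, right string) string {
	return app + "/" + resourceType + "/" + right
}

// hasValue reports whether the actor is tagged with any of the rule's values.
func (r Rule) hasValue(a Actor) bool {
	for _, tagged := range a.Tags[r.FieldType] {
		for _, want := range r.Values {
			if tagged == want {
				return true
			}
		}
	}
	return false
}

// Matches evaluates one policy against one actor.
func (p MembershipPolicy) Matches(a Actor) bool {
	for _, r := range p.Rules {
		if !r.hasValue(a) {
			return false
		}
	}
	for _, right := range p.RequiredRights {
		if !a.Rights[right] { // nil map lookups are safe and yield false
			return false
		}
	}
	return true
}

// Compile runs every policy over every actor and returns the computed
// membership as target -> sorted, de-duplicated actor IDs. An engine would
// reconcile this against the current members of each role, group or collection.
func Compile(policies []MembershipPolicy, actors []Actor) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, p := range policies {
		if seen[p.Target] == nil {
			seen[p.Target] = map[string]bool{}
		}
		for _, a := range actors {
			if p.Matches(a) {
				seen[p.Target][a.ID] = true
			}
		}
	}
	members := map[string][]string{}
	for target, ids := range seen {
		for id := range ids {
			members[target] = append(members[target], id)
		}
		sort.Strings(members[target])
	}
	return members
}

// SampleActors is constructed sample data: two Finance people who both hold
// the inventoried invoice-approval right, and one engineer who holds none.
func SampleActors() []Actor {
	invoiceApprove := RightKey("FinanceApp", "Invoice", "Approve")
	return []Actor{
		{ID: "alice", Tags: map[string][]string{"Department": {"Finance"}, "EmployeeType": {"FullTime"}},
			Rights: map[string]bool{invoiceApprove: true}},
		{ID: "bob", Tags: map[string][]string{"Department": {"Finance"}, "EmployeeType": {"Contractor"}},
			Rights: map[string]bool{invoiceApprove: true}},
		{ID: "carol", Tags: map[string][]string{"Department": {"Engineering"}, "EmployeeType": {"FullTime"}}},
	}
}

// SamplePolicies is constructed sample data: a narrow approver role that also
// demands an inventoried right, and a broad group keyed on employee type only.
func SamplePolicies() []MembershipPolicy {
	return []MembershipPolicy{
		{Name: "Finance invoice approvers", Target: "ManagementRole:Finance Invoice Approvers",
			Rules:          []Rule{{FieldType: "Department", Values: []string{"Finance"}}, {FieldType: "EmployeeType", Values: []string{"FullTime"}}},
			RequiredRights: []string{RightKey("FinanceApp", "Invoice", "Approve")}},
		{Name: "All staff", Target: "Group:All Staff",
			Rules: []Rule{{FieldType: "EmployeeType", Values: []string{"FullTime", "Contractor"}}}},
	}
}

func main() {
	for target, ids := range Compile(SamplePolicies(), SampleActors()) {
		fmt.Printf("%-45s %v\n", target, ids)
	}
}
```

Running it places only alice in the approver role (bob has the right but is tagged as a contractor; carol has neither the department tag nor the right) and all three in the staff group. The useful property to notice is that membership is derived from data the engine can show an auditor, tags and inventoried rights, rather than from hand-maintained member lists.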
### PBAC Enabled Applications

Applications created in EmpowerID now have an option to be “PBAC Rights Model Enabled.” This classifies the application as a “PBAC app,” which EmpowerID treats differently from other types of applications. PBAC apps are registered as “Resource System Modules,” which can have any number of PBAC resources attached to them, such as app projects, pages, contracts, invoices, and so on. Access to these resources can then be controlled by rights you create for those resources. Often these rights are inventoried in from external applications, but you can also arbitrarily create rights for each specific type of PBAC resource. These rights are then used in PBAC Membership policies to control access to the resource.

Figure 1: Using PBAC to control access to applications

### Other Enhancements
## Deprecated Features

### Deprecated Management Roles
Release Date: 08/08/2021

This release includes several enhancements to EmpowerID.
...