Versions Compared

New Features

Connectors

A new connector, the Azure AD B2C SCIM Connector, has been introduced to manage identities in Azure AD B2C (AD B2C) from EID. This means the customer identity data in your AD B2C tenant can be inventoried and automated from EID. The connector is a microservice with the following capabilities:

...

Creating and managing records of B2C group owners and members in AD B2C

...

Full inventory of group owners and members in AD B2C

Incremental inventory that captures only changes in group owners and members after the last inventory

Currently, the connector supports the following operations on AD B2C:

...

Workflows

Introduced two new workflows that simplify the process of onboarding and managing credentials.

Introduced the Onboard Credential Workflow, which lets you create credentials through a wizard interface. The wizard generates various types of credentials, including Default, Azure Application Secret, Azure Application Certificate, Domain Admin, Domain User, and Local Admin. It also lets you configure SSH-based credentials.

...

Implemented the Manage Credential Workflow, which offers a user-friendly wizard interface for modifying and updating credentials. With this feature, users can edit and delete individual credentials, as well as perform bulk edits and deletions.

...

Added additional workflows to optimize the handling of management roles within the system.

...

Implemented the Onboard Management Role workflow, allowing users to go through a step-by-step wizard, selecting the desired role type from a predefined list and establishing hierarchical relationships by choosing a parent role definition. Additionally, users can opt to publish their newly created roles to the IAM shop,

...

Groups can now be onboarded and managed easily with self-service wizards. Detailed documentation on managing groups is available in Manage Groups.

...

Added Onboard Group Workflow that provides step-by-step instructions for adding and configuring groups, including the basic information, responsible party, owners and deputies, group IAM shop settings, and group members. This feature aims to simplify the process of setting up groups and managing their settings efficiently.

...

With EmpowerID, you can efficiently manage the entire application lifecycle, from onboarding to user assignment, app role management, application modification, deletion, access management, and more. We are continuously adding new features and workflows so that managing Azure applications is easy and user friendly.

  • Introduced a new wizard workflow, "UpdateAzureAppAPIPermissions," enabling seamless API permissions management for Azure applications within EmpowerID. If your organization integrates applications with Azure Active Directory (AD), you can now use EmpowerID to manage and update the delegated and application permissions granted to these applications. Detailed instructions are in Update API Permissions of Azure Applications.

  • The Manage Azure Application wizard workflow helps users to efficiently manage their Azure applications, including basic information, owners and deputies, IAM Shop settings, and other sub-components.

  • Introduced the Manage Azure AppRole Wizard workflow, which is designed specifically for managing Azure Application AppRoles. With this workflow, administrators can easily edit owners, modify IAM Shop settings, perform delete actions, and execute edit actions for Azure Application AppRoles.

...

Performing tasks related to single or multiple user accounts has been made easier with the Manage Account Wizard workflow. This workflow guides users through a step-by-step process that offers actions and operations such as enabling, disabling, deleting, and editing user account attributes. Additionally, users can assign responsible parties and add accounts to groups using this wizard.

...

...

Implemented various new and extended existing features for mailbox management.

  • Added the new Manage Mailbox Wizard, which provides efficient management capabilities for mailboxes. It enables users to edit mailbox settings, including name, features, regional configuration, owner, and advanced settings. Users can also manage email forwarding, policies, and quota restrictions.

  • Now EID can manage and automatically sync the audit settings of Exchange mailboxes. The EID workflow periodically retrieves the audit settings from the Exchange mailbox, ideally once a day. If the retrieved audit settings differ from the current values in EID, EID updates and overwrites the attribute values with the values from the Microsoft Exchange Online audit settings. Currently, the workflow can manage and sync the following EXO attributes:

    • AuditAdmin

    • AuditDelegate

    • AuditEnabled

    • AuditLogAgeLimit

    • AuditOwner

...

Implemented the Onboard Person wizard workflow for onboarding people with different options for the onboarding process. The workflow supports creating a person in three modes:

  • Create Person Simple Mode – This option allows non-technical users to initiate creating a new person, requiring minimal information to be supplied, such as the new person's First Name, Last Name, and primary Business Role and Location.

  • Create Person Advanced Mode – This option requires more information and provides more configuration options, such as assigning the new person to one or more Management Roles and groups.

  • Create Person From Another Mode – This option allows you to create a person using another person as a template for the new person. The amount of information that should be cloned is set via workflow properties.

The Login Assistance Self-Service Wizard workflow is introduced to help users resolve their login issues independently by verifying their own identity without the help of IT support. If you have problems with MFA or other identity verification, you can even request that other authenticated users vouch for your identity. This self-service wizard is accessible directly from the EmpowerID login screen.

...

  • Reset and unlock Person and Account passwords.

  • Send Azure Temporary Access Pass (TAP).

  • Reset Azure MFA by unblocking/unenrolling.

  • Reset EID MFA by unblocking/unenrolling and deleting all associated MFA assets and preferences.

...

EmpowerID now supports rehire via the advanced leaver feature, which is useful when a person rejoins the organization after having left it. "Rehire" refers to restoring a previously deleted person object and its access provisions when certain criteria are met. The rehire workflows automatically restore the person, re-apply attribute flow for all accounts, and create a restoration task that can be approved manually.

...

Introduced the ability to trigger FlowEvents for new people within our system. This functionality automates the execution of relevant events during onboarding, improving efficiency and reducing manual effort.

  • To provide flexibility and control, a new setting for the trigger called "FlowEventsActive" has been added to the resource system. We recommend enabling this setting after completing the initial bulk-loading process so that the system doesn’t get overloaded with the firing of the events.

  • The flow events currently support the following actions:

    • Enable and disable a person

    • Hide and unhide Mailbox in GAL

    • Recertify person Access

    • Remove group membership

    • Set-Mailbox Out of Office

...

In this release, we are introducing a significant enhancement to the group account membership management in Azure AD. We are transitioning to a new queue-based model, which offers improved efficiency and reliability when handling group account memberships.

...

Introduced the Onboard Person Workflow wizard, which allows for onboarding both person and non-person technical user accounts. This process provides a range of options for the account, including the creation of new accounts, the association of individuals with those accounts, the establishment of secure vaulted credentials, the management of owners and deputies, the definition of eligibility criteria, the setting of access request policies, the linking of accounts to computers for Privileged Session Management (PSM), and the assignment of identities for app pools and Windows services.

The Manage Your Identity Wizard workflow provides a wizard interface for accessing various identity management tasks from a single form, enhancing the overall user experience. Key options provided by the interface are:

...

Delete MFA devices

...

Enroll for a Q&A password reset

...

Change passwords

...

Edit profiles

...

Added time-based escalation to the recertification feature for roles, providing more flexibility and control in the review process for Business Roles. For example, after a review has been pending for a month, an escalation request is automatically sent to the Digital Access Governance Manager, prompting their attention and intervention on the pending review. If no action is taken within six months of the initial review request, the system automatically removes the business role from the IAM solution and proceeds with deprovisioning the related access. Users can now configure the following settings to define the timing and actions for notifications and escalations.

  • Notify after X Days: Administrators can set the number of days after which a notification should be sent to stakeholders involved in the review process. This ensures timely reminders for pending reviews.

  • Renotify Every X Days: This setting allows administrators to specify the interval at which reminder notifications should be sent after the initial notification. It helps to ensure that stakeholders stay informed and are prompted to take action.

  • Escalate After X Days: Administrators can determine the duration after which an escalation request should be triggered if no action has been taken on a pending review. After the specified number of days, the review request is automatically escalated to higher-level approvers or decision-makers.

  • Escalation Decision/Action: Administrators have the option to specify a decision or action that should be taken when an escalation occurs. This can involve calling a workflow or executing a predefined set of steps to address the pending review effectively.
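The four settings above combine into a per-review timeline. The following added example (not EmpowerID's own code) models that timeline in Python; the field names are assumptions mirroring the setting names, and the auto-removal setting is an assumption modelled on the six-month example in the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class EscalationSettings:
    notify_after_days: int                   # Notify after X Days
    renotify_every_days: int                 # Renotify Every X Days
    escalate_after_days: int                 # Escalate After X Days
    escalation_action: str                   # Escalation Decision/Action, e.g. a workflow to call
    remove_after_days: Optional[int] = None  # assumed: auto-remove the role if still pending


def actions_on_day(elapsed: int, s: EscalationSettings) -> List[str]:
    """Actions due `elapsed` days after the review request, while it is still pending."""
    actions: List[str] = []
    if elapsed == s.notify_after_days:
        actions.append("notify-reviewers")
    elif elapsed > s.notify_after_days and (elapsed - s.notify_after_days) % s.renotify_every_days == 0:
        # reminders keep going at the configured interval until someone decides
        actions.append("renotify-reviewers")
    if elapsed == s.escalate_after_days:
        actions.append(f"escalate:{s.escalation_action}")
    if s.remove_after_days is not None and elapsed == s.remove_after_days:
        actions.append("remove-business-role-and-deprovision")
    return actions


def build_timeline(requested: date, s: EscalationSettings, decided: Optional[date] = None,
                   horizon_days: int = 200) -> Dict[date, List[str]]:
    """Map each date to the actions due on it; a decision on `decided` ends the pending state."""
    timeline: Dict[date, List[str]] = {}
    for elapsed in range(1, horizon_days + 1):
        day = requested + timedelta(days=elapsed)
        if decided is not None and day >= decided:
            break  # review was approved or rejected: no further reminders or escalation
        due = actions_on_day(elapsed, s)
        if due:
            timeline[day] = due
    return timeline


if __name__ == "__main__":
    # Constructed settings: weekly reminders, escalate after a month, remove after ~six months.
    settings = EscalationSettings(7, 7, 30, "NotifyDigitalAccessGovernanceManager", 180)
    for day, due in build_timeline(date(2024, 1, 1), settings).items():
        print(day, due)
```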

...

This release has added the ability for administrators to configure relative delegation for Locations within their organization. This feature enables administrators to delegate visibility and responsibility to business locations at the organization level relative to the user. Previously, our system supported delegation options such as "my locations" and "below/above" for specific users. However, we recognized that there was a need for more flexibility in configuring delegations for visibility, assignment, and other purposes for all the locations within and below a person's organization. With this new release, we have addressed this limitation and enhanced the delegation capabilities for administrators.

Resource Admin

...

  • App Management Role Details: Added details view for the management roles for an application that provides users with better visibility of a management role within a selected application context.

  • Claims Mapping Policies: Added listing of all claims mapping policies and details of the policies for the selected application context.

  • RoleDefinitions: The user can easily view the list of RoleDefinitions, assignments, and their details in ResAdmin from a specific ApplicationContext.

  • AppRights: Users can easily view the list of AppRights in ResAdmin and the details of the app rights from a specific ApplicationContext. Users can also view the list of the people they are allowed to see along with their AppRight membership details.

  • PBAC: Users can easily view the PBAC definitions for a selected application.

...

Users can now view additional details on their screens to enhance the visibility of data related to management roles.

  • The AccessGranted tab has been added to the ManagementRoles section, allowing users to easily view the access granted to a management role from its details page.

  • The Eligibility tab has been added to the ManagementRoles section. This allows users to access and view the eligibility status of the management role directly from the details page.

...

Implemented UpdateAzAppClaimsMappingPolicyAssignments workflow to assign one or multiple Azure applications to a selected Claims Mapping Policy. In addition, this workflow can also remove previously assigned Azure applications from a specific Claims Mapping Policy. This workflow simplifies the administration experience and empowers Resource Administrators in effectively managing Azure application assignments within Claims Mapping Policies.

...

Added features to enable management of Windows shared folders from Resource Admin.

...

Within the Resource Admin interface, users can now easily access and manage mailboxes. The resource admin can efficiently assign individuals to designated mailboxes, modify mailbox permissions, and execute other mailbox management tasks.

IAM Shop

...

Privileged Session Management (PSM) in EID now supports Telnet sessions, making it compatible with a wide range of operating systems. Whether the target runs Linux, Windows, macOS, or any other Telnet-capable system, PSM sessions can connect to and communicate with it.

...

Added PSM session monitoring functionality to our platform. This feature enables users to easily track and monitor the status of the PSM application, encoder, and uploader. With real-time monitoring, users can ensure optimal performance, identify potential issues, and take proactive measures to maintain a seamless user experience.

...

Made various improvements in the PSM workflow to make it more efficient, secure, and resilient. The PSM workflow now proceeds as follows:

  • Check whether the computer has the property "UseExistingAccountIfPresent."
    a. If it exists, proceed to the next step.
    b. If it does not exist, look it up in the "AccessRequestPolicy."

  • If "UseExistingAccountIfPresent" is true, search for the person's user account in the local computer's account store and in the AD (Active Directory) account store.
    a. If both accounts are found (which is rare), select the account associated with the "JITLocalAdminGroupID" property.

  • Find the personal credential linked to the selected user account's account store. The credential is identified by the "AccountGUID" column in the externalCredential table.

  • If the personal credential is not found, create a temporary account (e.g., AD domain, local Windows, Azure AD) in the account store associated with the group specified in the "JITLocalAdminGroupID" property. These accounts are considered orphan accounts.
    a. After the PSM session ends, delete the created account according to the "JITDeletePSMAccount" setting. The group membership is removed only after the PSM session ends.
    b. The next time PSM is used, the same credential that was previously created is reused.

  • If the personal credential is found, add the "JITLocalAdminGroupID" group to the account in ExternalCred (the external credential store).
    a. After the PSM session ends, remove the group from the account but do not delete the account itself.

  • If "UseExistingAccountIfPresent" is false, create a temporary account (e.g., AD domain, local Windows, Azure AD) in the account store associated with the group specified in the "JITLocalAdminGroupID" property. These accounts are considered orphan accounts.
    a. After the PSM session ends, delete the created account. In this scenario, the "JITDeletePSMAccount" setting is not checked.
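The decision procedure above, modelled as an added Python example (not EmpowerID's own code). Class and field names are assumptions that mirror the property names in the text; the temporary-account naming and treating "no account found" the same as "no credential found" are also assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    account_guid: str
    store: str                  # account store the account lives in, e.g. "AD" or "Local:WS01"


@dataclass
class Computer:
    name: str
    jit_local_admin_group_id: str                            # JITLocalAdminGroupID
    use_existing_account_if_present: Optional[bool] = None   # None: the property is absent


@dataclass
class AccessRequestPolicy:
    use_existing_account_if_present: bool   # consulted only when the computer lacks the property
    jit_delete_psm_account: bool            # JITDeletePSMAccount


@dataclass
class SessionPlan:
    account_guid: str
    temporary_account: bool
    on_session_end: List[str] = field(default_factory=list)


def resolve_use_existing(computer: Computer, policy: AccessRequestPolicy) -> bool:
    """Step 1: the computer's property wins; otherwise fall back to the AccessRequestPolicy."""
    if computer.use_existing_account_if_present is not None:
        return computer.use_existing_account_if_present
    return policy.use_existing_account_if_present


def plan_psm_session(person: str, computer: Computer, policy: AccessRequestPolicy,
                     person_accounts: List[Account], external_credentials: Dict[str, dict],
                     group_to_store: Dict[str, str]) -> SessionPlan:
    """Decide which account a PSM session uses and which cleanup runs when it ends.

    external_credentials models the externalCredential table keyed by AccountGUID;
    group_to_store maps a JITLocalAdminGroupID to the account store that group belongs to.
    """
    group = computer.jit_local_admin_group_id
    jit_store = group_to_store[group]
    temp_guid = f"psm-temp:{person}@{computer.name}"   # assumed naming for JIT accounts

    if not resolve_use_existing(computer, policy):
        # Property false: always create an orphan temporary account and always delete it
        # afterwards; JITDeletePSMAccount is not consulted on this path.
        external_credentials[temp_guid] = {"store": jit_store, "groups": {group}, "orphan": True}
        return SessionPlan(temp_guid, True, [f"delete account {temp_guid}"])

    # Property true: look for the person's account in the local store and in AD.
    candidates = [a for a in person_accounts if a.store in ("AD", jit_store)]
    if len(candidates) > 1:
        # Both found (rare): prefer the account in the store associated with JITLocalAdminGroupID.
        candidates = [a for a in candidates if a.store == jit_store] or candidates[:1]
    selected = candidates[0] if candidates else None

    cred = external_credentials.get(selected.account_guid) if selected else None
    if cred is not None:
        # Personal credential found: grant the JIT group for the session only; keep the account.
        cred["groups"].add(group)
        return SessionPlan(selected.account_guid, False,
                           [f"remove group {group} from {selected.account_guid}"])

    # No personal credential: reuse the temporary credential from an earlier session if it
    # still exists, otherwise create one. Deletion afterwards depends on JITDeletePSMAccount.
    if temp_guid not in external_credentials:
        external_credentials[temp_guid] = {"store": jit_store, "groups": set(), "orphan": True}
    external_credentials[temp_guid]["groups"].add(group)
    cleanup = [f"remove group {group} from {temp_guid}"]
    if policy.jit_delete_psm_account:
        cleanup.append(f"delete account {temp_guid}")
    return SessionPlan(temp_guid, True, cleanup)
```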

...

Workflow Studio Enhancements

  1. Removed dependency on Microsoft Edge for Workflow Studio login. Now using modern authentication with front-channel flow for better accessibility.

  2. Introduced a fulfillment workflow template for Business Requests, simplifying request management.

  3. BotFlow has a new feature to pin the resources in BotFlow and facilitate easy interaction. To pin a resource means to keep it easily accessible, allowing for the execution of multiple actions or workflows without selecting or inputting the same resource multiple times. Pinning resources in bot flows can be either temporary or permanent.

  4. Added a Workflow Activity for ChatGPT, facilitating smooth integration and communication with ChatGPT within EmpowerID.

  5. Incorporated a new Workflow and Bot flow for interacting with ChatGPT in EmpowerID and the Bot, respectively.

  6. Updated the user interface of Workflow Studio to give it a more modern and contemporary look:

    1. Revamped and modernized baseline configuration and integration for AvaloniaUI, delivering an improved and contemporary user interface experience.

    2. A new LowCode/NoCode panel has been implemented utilizing the AvaloniaUI framework, resulting in improved functionality and a more user-friendly experience.

  7. Added support for developing workflows and integrations for SAP BAPI.

    1. Introduced a new Workflow Activity that allows calling any BAPI function and executing the result, broadening the scope of workflows and integrations.

    2. With the LowCode UI, values can be set at design time or run time from the BAPI structure, increasing customization and adaptability.

Bug Fixes & Improvements

...

Fixed a bug in the general search of the Function Access report to support searching by Function FriendlyName. Previously, users were shown no results when searching by the function's friendly name.

...

Implemented missing functionality in My Requests to filter My/All Requests by Request Status changed Dates.

...

Implemented missing functionality in PSM MFA authentication to recognize SMS authentication properly. Previously, although a contact number was registered for SMS delivery of the MFA verification code and was functioning correctly, the PSM workflow (IAM Shop) prompted the user to select the verification option and then enter the contact number again, so the PSM workflow appeared not to recognize the registered authentication method.

...

Made improvements to the "Owned by" filter in the IAM Shop group context to enhance its usability. If a user does not have access to the filter, the default value is now "Myself." If they do have access, the default value is "Anybody."

...

The date filter labeled Request Status Changed Dates in the My Tasks now enforces the validation that the start date cannot be greater than the end date. This ensures that the filtering functionality works correctly and provides accurate results.

...

Enhanced the session management of the UI for the case where the workflow screen times out and displays the EmpowerID login page. Previously, the UI only handled the userSignedOut event; it now also includes handlers for the userUnloaded event to manage session timeout effectively.

...

Made fixes in PSM:

  • Fixed an issue with PSM video recordings where the length was off by a few seconds. Now, the timestamps accurately reflect the correct recording duration.

  • To provide a seamless and enhanced video playback experience, we have updated our video player library.

...

Previously, users reported experiencing intermittent loss of the CTRL key functionality, where it would become unresponsive and fail to trigger associated key combinations. This issue has been solved, and users should no longer experience the CTRL key loss.

...

Upgraded Google ReCaptcha to V3, which brings improvements in security and user experience. With this upgrade, users will no longer be required to solve CAPTCHA challenges, and the system can detect risk based on user actions.

...

EmpowerID users are now notified before their access to resources expires, which helps them take necessary actions such as re-requesting access. The notification is sent to the user's email address with the details of the resources and the expiry date.

...

We are pleased to announce the release of EmpowerID Version 7.207.0.0, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:

Azure AD B2C SCIM Connector

We have expanded our connector library to include the Azure AD B2C SCIM Connector. This new connector optimizes Azure AD B2C identity management via EmpowerID by enabling the inventory and automation of your AD B2C customer identity data directly within our platform.

No Code Flows

In this release, we introduce No Code Flows, a new feature designed to simplify the orchestration of business processes in response to specific events, like a person leaving the organization (Person Leaver event). The key advantage of No Code Flows is the ability for administrators to efficiently create and execute workflows that react to various scenarios without writing a single line of code.

Key Components of No Code Flows

  1. Flow Definitions: Flow Definitions act as containers for sequential tasks or actions called Flow Items. They define the sequence of actions that will be executed when specific events occur. For example, a Flow Definition might outline the steps to take when a person leaves the organization (Person Leaver event).

  2. Flow Items: Flow Items represent individual tasks or actions within a Flow Definition. Each Flow Item has parameters such as Item Type Action (the task to be performed), Item Scope Type (where the task is to be executed), and an Item Collection Query (an SQL query that identifies the resources impacted by the task). These parameters help determine how the action will be carried out and which resources it will affect.

  3. Flow Events: Flow Events serve as triggers that initiate the actions defined by the Flow Items in a Flow Definition. Examples of Flow Events include a new mailbox being discovered (Mailbox Discovered event) or a person leaving the organization (Person Leaver event). When a Flow Event occurs, the corresponding Flow Definition is activated, and the system executes the specified sequence of Flow Items.

  4. Flow Policies: Flow Policies dictate which Flow Definitions should be activated in response to specific Flow Events. They connect the events with the appropriate actions, ensuring that the correct sequence of tasks is executed for each scenario. Administrators can configure multiple policies for the same event, allowing for tailored responses to different situations (e.g., internal vs. external leavers).

Examples of Flow Definitions and Flow Events

Here are two examples of Flow Definitions and Flow Events:

  1. Mailbox Discovered Event: When a new mailbox is discovered, a Flow Definition might include Flow Items such as "Create Mailbox Account," "Assign Mailbox Permissions," and "Notify Admin."

  2. Person Leaver Event: When a person leaves the organization, a Flow Definition could contain Flow Items like "Remove Non-RBAC Assigned Group Memberships from Person," "Disable All Person Accounts," and "Disable Person."

Process Overview

In response to a specific event (a Flow Event), the system triggers a series of actions (contained in a Flow Definition) based on the rules defined (Flow Policies). These actions (Flow Items) consist of precise tasks, each characterized by parameters like Item Type Action (task), Item Scope Type (target), and Item Collection Query (SQL query to fetch relevant data). This entire process ensures that every action is performed in the right order, at the right time, for every event – all without writing a single line of code.
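A minimal model of the process just described, and of the FlowEventsActive gate mentioned under the FlowEvents trigger above, as an added Python example (not EmpowerID's own code). Flow Events, Flow Policies, Flow Definitions and Flow Items are represented as shown, and each Item Collection Query is run as real SQL against an in-memory SQLite database; the table names, action names and sample rows are constructed assumptions built from the leaver example in the text.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class FlowItem:
    action: str             # Item Type Action: which task to perform
    scope_type: str         # Item Scope Type: the resource type the task runs against
    collection_query: str   # Item Collection Query: SQL selecting the affected resources


@dataclass
class FlowDefinition:
    name: str
    items: List[FlowItem]   # executed in this order


@dataclass
class FlowPolicy:
    event_name: str
    definition: FlowDefinition
    applies: Callable[[dict], bool]   # narrows the policy, e.g. to internal or external leavers


# Item Type Actions (names assumed). Each receives the connection and one selected row.
ACTIONS: Dict[str, Callable[[sqlite3.Connection, dict], object]] = {
    "RemoveNonRbacGroupMembership": lambda c, r: c.execute(
        "DELETE FROM GroupMembership WHERE GroupMembershipID=?", (r["GroupMembershipID"],)),
    "DisableAccount": lambda c, r: c.execute(
        "UPDATE Account SET Disabled=1 WHERE AccountID=?", (r["AccountID"],)),
    "DisablePerson": lambda c, r: c.execute(
        "UPDATE Person SET Disabled=1 WHERE PersonID=?", (r["PersonID"],)),
}

# Two Flow Definitions for the same Person Leaver event (internal vs. external leavers).
INTERNAL_LEAVER = FlowDefinition("InternalLeaver", [
    FlowItem("RemoveNonRbacGroupMembership", "GroupMembership",
             "SELECT * FROM GroupMembership WHERE PersonID=:person_id AND AssignedByRBAC=0"),
    FlowItem("DisableAccount", "Account", "SELECT * FROM Account WHERE PersonID=:person_id"),
    FlowItem("DisablePerson", "Person", "SELECT * FROM Person WHERE PersonID=:person_id"),
])
EXTERNAL_LEAVER = FlowDefinition("ExternalLeaver", [
    FlowItem("DisableAccount", "Account", "SELECT * FROM Account WHERE PersonID=:person_id"),
    FlowItem("DisablePerson", "Person", "SELECT * FROM Person WHERE PersonID=:person_id"),
])


class FlowEngine:
    def __init__(self, conn: sqlite3.Connection, flow_events_active: bool = True):
        self.conn = conn
        self.policies: List[FlowPolicy] = []
        self.flow_events_active = flow_events_active   # models the FlowEventsActive setting

    def add_policy(self, policy: FlowPolicy) -> None:
        self.policies.append(policy)

    def fire(self, event_name: str, payload: dict) -> List[str]:
        """Raise a Flow Event; returns one entry per Flow Item execution per target row."""
        if not self.flow_events_active:
            return []   # e.g. left off during initial bulk loading to avoid an event storm
        ran: List[str] = []
        for policy in self.policies:
            if policy.event_name != event_name or not policy.applies(payload):
                continue
            for item in policy.definition.items:
                # Materialise the collection first so the action may modify the same table.
                rows = [dict(r) for r in self.conn.execute(item.collection_query, payload)]
                for row in rows:
                    ACTIONS[item.action](self.conn, row)
                    ran.append(f"{policy.definition.name}/{item.action}/"
                               f"{item.scope_type}#{row[item.scope_type + 'ID']}")
        self.conn.commit()
        return ran


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: one internal and one external person with accounts and groups."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE Person(PersonID INTEGER PRIMARY KEY, Name TEXT, IsExternal INTEGER, Disabled INTEGER);
        CREATE TABLE Account(AccountID INTEGER PRIMARY KEY, PersonID INTEGER, Disabled INTEGER);
        CREATE TABLE GroupMembership(GroupMembershipID INTEGER PRIMARY KEY, PersonID INTEGER,
                                     GroupName TEXT, AssignedByRBAC INTEGER);
        INSERT INTO Person VALUES (1, 'alice', 0, 0), (2, 'bob', 1, 0);
        INSERT INTO Account VALUES (10, 1, 0), (11, 1, 0), (20, 2, 0);
        INSERT INTO GroupMembership VALUES (100, 1, 'Finance-Readers', 0), (101, 1, 'All-Staff', 1),
                                           (200, 2, 'Vendor-Portal', 0);
    """)
    return conn


def person_state(conn: sqlite3.Connection, person_id: int):
    """Inspection helper: (person disabled flag, account disabled flags, remaining group names)."""
    p = conn.execute("SELECT Disabled FROM Person WHERE PersonID=?", (person_id,)).fetchone()[0]
    accts = [r[0] for r in conn.execute(
        "SELECT Disabled FROM Account WHERE PersonID=? ORDER BY AccountID", (person_id,))]
    groups = [r[0] for r in conn.execute(
        "SELECT GroupName FROM GroupMembership WHERE PersonID=? ORDER BY GroupMembershipID", (person_id,))]
    return p, accts, groups
```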

New Wizard Workflows

This release features new wizard workflows, which streamline various aspects of Azure application management and improve onboarding procedures for individuals, groups, accounts, mailboxes, credentials, computers, and Management Roles.

Credentials

  • Onboard Credential Workflow: A new wizard interface for credential creation has been added. This tool not only simplifies the onboarding of credentials but also allows for the configuration of Access Request settings. These settings help control the check-out and check-in processes. Furthermore, the wizard facilitates the setting of eligibility criteria, determining who may request the credential from the IAM Shop.
    For more information, see Onboard Credentials.

  • Manage Credential Workflow: Update and modify credentials with ease through a user-friendly wizard interface. This includes individual and bulk edit/delete options for credentials.

Management Roles

  • Onboard Management Role Workflow: Navigate the creation of Management Roles with a step-by-step wizard, choosing from predefined role types and setting hierarchical relationships like the parent Management Role Definition, nesting, and IAM Shop publication.

  • Manage Management Role Workflow: Simplify Management Role administration with features like role deletion, IAM Shop setting modification, and responsible party assignment. The wizard can assist with both single and multiple operations.

Groups

  • Onboard Group Workflow: We've improved the group onboarding experience with a comprehensive and intuitive wizard workflow. This feature guides users through the manual process of onboarding new groups within the system. Users can now accomplish multiple group-related tasks within the same workflow, including configuring responsible parties, owners and deputies, IAM Shop settings, and group members from a single easy-to-follow wizard interface.

  • Manage Group Workflow: Perform various group management tasks, including viewing group details, editing group attributes, deleting groups, assigning responsible persons, and managing group membership.

Azure Applications

  • Create Azure Application: This workflow simplifies the process of creating a new Azure application, guiding users through each step to ensure accurate configuration.
    For more information, see Create Azure Applications.

  • Create Azure Application Certificates: This workflow allows users to upload and assign self-signed certificates to Azure applications managed by EmpowerID.
    For more information, see Create Certificates for Azure Applications.

  • Create Azure Application Client Secret: This workflow helps users create and upload client secrets for Azure applications managed by EmpowerID.
    For more information, see Create Azure Application Client Secrets.

  • Create Azure Application Scopes: Wizard workflow for creating scopes for Azure applications managed by EmpowerID.
    For more information, see Add Scopes to Azure Applications.

  • Create Azure Application Roles: Wizard workflow for creating app roles for Azure applications managed by EmpowerID.
    For more information, see Add App Roles to Azure Applications.

  • Update Azure App API Permissions: New wizard workflow for efficient API permissions management for Azure applications integrated with EmpowerID.
    For more information, see Update API Permissions of Azure Applications.

People and Accounts

  • Onboard Person: Wizard workflow for onboarding people with different options (Simple, Advanced, and From Another Mode), allowing users to tailor the process according to their needs.
    For more information, see Onboard People

  • Manage Account: The Manage Account Wizard is a new workflow designed to simplify account management by offering a guided, step-by-step process for key actions such as enabling or disabling accounts, deleting accounts, and editing account attributes. Further, it facilitates the assignment of responsible parties and enables the addition of accounts to various groups.

Self-Service

  • Login Assistance Wizard: The Login Assistance Wizard is designed to allow users to address login-related issues independently. Accessible directly from the login screen, this user-friendly wizard simplifies various operations such as password reset/unlock and Azure Temporary Access Pass (TAP) issuance. It also provides for Azure/EmpowerID Multi-Factor Authentication (MFA) reset, unblock, and unenrollment, as well as the deletion of MFA assets/preferences.

  • Manage Your Identity Wizard Workflow: Users can easily manage aspects of their identity from a single, easy-to-follow wizard, including deleting MFA devices, enrolling for a Q&A password reset, changing passwords, editing profiles, and registering MFA authenticators.
    For more information, see User Experience - Manage Your Identity

Computers

  • Onboard Computer Wizard Workflow: The Onboard Computer Wizard is a new workflow that makes the onboarding of computers a more effortless and adaptable process. The wizard simplifies the steps of adding computers, seamlessly integrating them into the IAM Shop, and customizing eligibility settings. Plus, it brings more flexibility in managing Privileged Session Management (PSM) settings, including the linking of PSM credentials.
    For more information, see Onboard Computers

Mailboxes

  • Onboard Mailbox: The Onboard Mailbox Wizard is a new workflow designed to streamline the process of integrating shared, room, or equipment mailboxes. This intuitive workflow allows you to effortlessly publish these mailboxes in the IAM Shop, seamlessly incorporate them into relevant groups, and easily configure eligibility criteria for users requesting access. The feature further optimizes the approval process by directing the flow when users request access.

  • Manage Mailbox: The Manage Mailbox Wizard is a new workflow designed to simplify mailbox management. This user-friendly wizard enables users to modify essential mailbox settings while also providing efficient control over email forwarding, policy establishment, and quota restrictions.

New IAM Shop Permission Levels

IAM Shop Permission Levels in EmpowerID represent permissions for specific resources in native systems, such as shared folders, mailboxes, computers, and Privileged Session Manager sessions. Organizations can configure these permission levels to grant particular permissions to resources, like "read-only" access for a shared folder or "local admin" access for a computer.

When users request access from the IAM Shop to a resource configured with IAM Shop Permission Levels, they can now select their desired permission level, as demonstrated in the below image. This enhancement makes the access management process more transparent and efficient.

...

To illustrate, if a user requests computer access, they might see “Local Admin” and “Domain Admin” as permission level options. These levels map to specific groups in the native system that provide the related permissions. If the user chooses “Local Admin,” EmpowerID grants this access by adding the user to the group with local admin rights on the computer. This feature streamlines access requests, making it easier for users to obtain the right permissions for their needs.

Updates to Microservices

This release includes significant enhancements to EmpowerID’s microservice applications.

Enhanced Resource Admin Features

  • New Improved Views: In our ongoing efforts to improve user experience, we've added new listing and details views in the Resource Admin interface for better visibility of access and rights.

    • App Management Role Details: We've added a details view for the management roles of an application. This provides users with improved visibility of a management role within the selected application context.

    • Claims Mapping Policies: Users can now view a list of all claims mapping policies and their details for the selected application context.

...

    • Role Definitions: Users can effortlessly view a list of Role Definitions, assignments, and their details in Resource Admin from a specific application context.

    • App Rights: Improved visibility of App Rights is now available in Resource Admin. Users can view the details of app rights from a specific application context, as well as the app right membership details for the people they are allowed to see.

    • PBAC Definitions: We've made it easy for users to view the PBAC definitions for a selected application.

  • Additional Detail Viewing: Users can now view additional details on their screens to enhance the visibility of data related to Management Roles. The newly added "Access Granted" tab in the Management Roles section allows users to easily view the access granted to a Management Role from its details page. Furthermore, the new "Eligibility" tab lets users view the eligibility status of the Management Role directly from the details page.

  • Full Management of Shared Folders: We've expanded our Resource Admin functionality to fully manage shared folders for inventoried Windows servers. This includes creating, deleting, and editing shared folders.

  • Mailbox Management: To simplify mailbox management, users can now easily access and manage mailboxes within the Resource Admin interface. Resource admins can efficiently assign individuals to designated mailboxes, modify mailbox permissions, and execute other mailbox management tasks.

Privileged Session Management Improvements

With this release, Privileged Session Manager (PSM) has been significantly improved to support the following:

Telnet Session Support: The Privileged Session Management (PSM) feature of EmpowerID now accommodates Telnet sessions, broadening its compatibility with a variety of operating systems, including Linux, Windows, macOS, and more. This enhancement assures reliable PSM session connectivity and communication with an expanded range of devices.

Real-Time Session Monitoring: We've added a session monitoring functionality to the platform, enabling users to track and monitor the status of PSM applications, encoders, and uploaders in real time. This feature empowers users to ensure optimal performance, detect potential issues, and take proactive steps for a seamless user experience.

PSM Workflow Improvements: A range of enhancements have been implemented to streamline the PSM workflow, making it more efficient, secure, and resilient. The revised workflow includes the following steps:

  1. Check "UseExistingAccountIfPresent" Property: The system will first check if the computer has the "UseExistingAccountIfPresent" property. If not found, it will search in the "AccessRequestPolicy."

  2. User Account Search: If "UseExistingAccountIfPresent" is true, it will search for the person's user account in the local computer's account store and the AD (Active Directory) AccountStore. If both accounts are found (a rare occurrence), the account associated with the "JITLocalAdminGroupID" property will be selected.

  3. Find Personal Credential: The system will locate the personal credential associated with the selected user account's account store. The credential is identified using the "AccountGUID" column in the externalCredential table.

  4. Handling of Personal Credential: If the personal credential is not found, a temporary account will be created in the account store associated with the "JITLocalAdminGroupID" group. These accounts are considered orphan accounts and are deleted after the PSM session ends, based on the "JITDeletePSMAccount" setting. If the personal credential is found, the "JITLocalAdminGroupID" group is added to the account in the ExternalCred (external credential store). After the PSM session ends, the group is removed from the account, but the account itself is not deleted.

  5. Create Temporary Account: If the "UseExistingAccountIfPresent" property is false, a temporary account is created in the accountStore associated with the "JITLocalAdminGroupID" group. After the PSM session ends, the created account is deleted.
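
The five steps above form a decision procedure, and it is easier to reason about its security properties (which accounts are created, which are deleted, and which only lose a group membership) when written out. The following Python model is an added illustration, not EmpowerID code: the in-memory account, credential and group stores, the `PsmJitResolver` class, and the `resolve()`/`end_session()` methods are hypothetical stand-ins, and the assumption that "JITDeletePSMAccount" lives on the AccessRequestPolicy is mine. Only the property names "UseExistingAccountIfPresent", "JITLocalAdminGroupID", "JITDeletePSMAccount" and "AccountGUID" come from the release note.

```python
"""Model of the PSM just-in-time account resolution steps listed above.

Added illustration only; not EmpowerID code. Stores, classes and method names
are hypothetical stand-ins; the property names are the ones in the release note.
"""
from dataclasses import dataclass, field
import uuid


@dataclass
class Account:
    account_guid: str
    person_id: str
    account_store: str          # e.g. "Local:host01" or "AD"
    groups: set = field(default_factory=set)
    temporary: bool = False     # orphan account created only for this session


@dataclass
class Decision:
    account: Account
    group_id: str
    delete_account_on_end: bool     # steps 4/5: whole account removed after the session
    remove_group_on_end: bool       # step 4: only the JIT group membership is removed


class PsmJitResolver:
    def __init__(self, accounts, credentials, groups, policy):
        self.accounts = list(accounts)        # account records across all stores
        self.credentials = dict(credentials)  # AccountGUID -> credential (externalCredential stand-in)
        self.groups = dict(groups)            # group id -> account store that owns the group
        self.policy = dict(policy)            # AccessRequestPolicy settings (hypothetical location)

    def _use_existing(self, computer):
        # Step 1: the computer's own property wins; otherwise fall back to the AccessRequestPolicy.
        if "UseExistingAccountIfPresent" in computer:
            return bool(computer["UseExistingAccountIfPresent"])
        return bool(self.policy.get("UseExistingAccountIfPresent", False))

    def _find_existing(self, person_id, computer):
        # Step 2: search the local store and the AD store; if both match (rare),
        # prefer the account in the store that owns the JITLocalAdminGroupID group.
        jit_store = self.groups[computer["JITLocalAdminGroupID"]]
        candidates = [a for a in self.accounts
                      if a.person_id == person_id
                      and a.account_store in (computer["LocalStore"], "AD")]
        if len(candidates) > 1:
            candidates = [a for a in candidates if a.account_store == jit_store] or candidates[:1]
        return candidates[0] if candidates else None

    def _create_temp_account(self, person_id, group_id):
        # Steps 4/5: orphan account created in the store that owns the JIT group.
        acct = Account(str(uuid.uuid4()), person_id, self.groups[group_id], {group_id}, temporary=True)
        self.accounts.append(acct)
        return acct

    def resolve(self, person_id, computer):
        group_id = computer["JITLocalAdminGroupID"]
        if not self._use_existing(computer):
            # Step 5: always a temporary account, always deleted afterwards.
            return Decision(self._create_temp_account(person_id, group_id), group_id, True, False)
        existing = self._find_existing(person_id, computer)
        # Step 3: the personal credential is looked up by the account's AccountGUID.
        credential = self.credentials.get(existing.account_guid) if existing else None
        if credential is None:
            # Step 4, no credential: orphan account; deletion follows JITDeletePSMAccount.
            delete = bool(self.policy.get("JITDeletePSMAccount", True))
            return Decision(self._create_temp_account(person_id, group_id), group_id, delete, False)
        # Step 4, credential found: only add the JIT group to the existing account.
        existing.groups.add(group_id)
        return Decision(existing, group_id, False, True)

    def end_session(self, decision):
        # Cleanup when the PSM session ends; returns whether the account still exists.
        if decision.remove_group_on_end:
            decision.account.groups.discard(decision.group_id)
        if decision.delete_account_on_end:
            self.accounts.remove(decision.account)
        return decision.account in self.accounts


if __name__ == "__main__":
    # Constructed sample: alice has a local account with a personal credential.
    groups = {"G-LocalAdmins-host01": "Local:host01"}
    alice = Account("guid-a1", "alice", "Local:host01")
    resolver = PsmJitResolver([alice], {"guid-a1": {"AccountGUID": "guid-a1"}}, groups,
                              {"UseExistingAccountIfPresent": True, "JITDeletePSMAccount": True})
    host = {"LocalStore": "Local:host01", "JITLocalAdminGroupID": "G-LocalAdmins-host01"}
    decision = resolver.resolve("alice", host)
    print("group added:", alice.groups, "| account kept after session:", resolver.end_session(decision))
```

The model makes one property of the procedure explicit: an account is only ever deleted when it was created for the session (steps 4 and 5), and a pre-existing account with a personal credential only loses the JIT group membership, so the cleanup path never removes an account the person owned before the session.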

Workflow Studio Enhancements

Enhancements to Workflow Studio include the following:

  • Removed dependency on Microsoft Edge for Workflow Studio login. Workflow Studio now uses modern authentication with front-channel flow for better accessibility.

  • Introduced a fulfillment workflow template for Business Requests, simplifying request management.

  • BotFlow can now pin resources to facilitate easy interaction. A pinned resource stays readily accessible, allowing multiple actions or workflows to be executed without selecting or entering the same resource repeatedly. Resources in bot flows can be pinned either temporarily or permanently.

  • Added a Workflow Activity for ChatGPT, facilitating smoother integration and communication with ChatGPT within EmpowerID.

  • Incorporated a new Workflow and Bot flow for interacting with ChatGPT in EmpowerID and the Bot, respectively.

  • Updated the user interface of Workflow Studio to give it a more modern and contemporary look.

    • Revamped and modernized baseline configuration and integration for AvaloniaUI, delivering an improved and contemporary user interface experience.

    • A new LowCode/NoCode panel has been implemented utilizing the AvaloniaUI framework, resulting in improved functionality and a more user-friendly experience.

  • Added support for developing workflows and integrations for SAP BAPI.

    • Introduced a new Workflow Activity that allows calling any BAPI function and executing the result, broadening the scope of workflows and integrations.

    • With the LowCode UI, values can be set at design time or run time from the BAPI structure, increasing customization and adaptability.

  • The Repeater sections in Workflow Studio forms have been updated to include Add, Edit, and Delete options in addition to displaying records in a card UI, which was already a feature. This allows for greater flexibility in design for developers and a better UI experience for the end users.


Additional Improvements

  • Rehire Capability in Advanced Leaver: We've added rehire support to the Advanced Leaver feature. This is particularly useful when an individual rejoins the organization after a previous departure. The rehiring process involves restoring a previously deleted person object and its associated access provisions, contingent on certain criteria being fulfilled. The workflows for rehire support automatically restore the person, reapply attribute flow to all accounts, and generate a restoration task for manual approval.

  • Time-Based Escalation for Recertification: The recertification feature now includes a Time-Based escalation, enhancing flexibility and control in the Business Roles review process. For instance, an automatic escalation request is sent to the Digital Access Governance Manager if a review has been pending for a month. If there is no response within six months from the initial review request, the system will automatically remove the business role and initiate the deprovisioning of related accesses. Users can now configure settings to manage notification and escalation timing and actions.

  • New Relative Delegations: Administrators now have the ability to set up relative delegations for Locations within their organization. This extends the capacity to delegate visibility and responsibility to business locations at the organization level. In response to the need for greater flexibility in configuring delegations, we have broadened delegation capabilities for administrators.

  • Expiring Access Notifications: Our Notifications engine now includes an option to alert users about impending access assignment expiry via email, specifying resource details and the expiration date.


  • Google reCAPTCHA Upgrade: We've upgraded to Google reCAPTCHA v3, enhancing security and user experience. Users no longer need to solve CAPTCHA challenges; instead, the system assesses risk based on user behavior.

  • Azure Group Account Membership Management Enhancement: This release introduces a significant enhancement to Azure AD group account membership management with the transition to a queue-based model, increasing efficiency and reliability.

  • Exchange Mailbox Audit Settings Sync: EmpowerID now periodically retrieves and syncs audit settings from Exchange mailboxes, ensuring that audit settings stay consistent between EmpowerID and Microsoft Exchange Online.


Resolved Issues

We have addressed several issues in this release:

  1. A problem with the Function Access report's general search functionality has been rectified, enabling search by Function Friendly Name.

  2. Missing functionality in the My Requests view of the My Tasks application has been implemented to filter My/All Requests by Request Status changed Dates.

  3. Missing functionality in Privileged Session Management (PSM) MFA authentication has been addressed to correctly recognize SMS authentication.

  4. Enhancements have been made to the "Owned by" filter in the IAM Shop group context to improve usability. The default value will now be "Myself" if a user doesn't have access to the filter and "anybody" if they do.

  5. The date filter “Request Status Changed Dates” in the My Tasks application now validates that the start date is not later than the end date, ensuring accurate filtering results.

  6. For PSM, we've resolved an issue affecting PSM video recordings, where the recording length differed by a few seconds from the actual session duration. Now, timestamps accurately mirror the correct recording length.

  7. For PSM, we've improved the session management capabilities of the UI, which handles instances when the workflow screen times out and displays the EmpowerID login page. We've added handlers for the 'userUnloaded' event, supplementing the existing 'userSignedOut' event handler, for effective session timeout management.

  8. We've resolved an issue where users reported an intermittent loss of the CTRL key functionality during PSM sessions, preventing them from using associated key combinations. With this fix, users should no longer experience the loss of CTRL key functionality.

IAM Shop

  • Updated the manage access tab in the application context of the IAM shop to include more details regarding App Rights, App Management Roles, and Role Definitions.
