
Please note that these release notes are for a future release and are currently in progress. The information contained within may change before the final release. As such, the final release notes will be prepared closer to the official launch date.

Sep 2 - Sep 13


  • Major upgrade transitions all microservices from .NET 6.0 to .NET 8.0. The update addresses the upcoming end-of-support for .NET 6.0, ensuring continued security and support by leveraging the latest .NET framework enhancements. This upgrade does not affect current functionality or performance but is crucial for maintaining future compatibility and receiving ongoing support.


  • Enhancements and Fixes in Azure AD B2C Connector:

    • Multiple enhancements have been introduced to the Azure B2C Connector to address issues with updates on newly retrieved instances of the resource system and account store. The b2cInboxProcessor class has been added to streamline processing. These changes resolve failures with SAP groups and improve the handling of activation requests and fulfillment workflows. The fix ensures proper functionality for Azure B2C tenants.

    • A fix has been applied to the Azure B2C Connector to address an issue where deleted applications were repeatedly re-inventoried, resulting in multiple duplicates. The update ensures that the correct skip token flag is used to prevent this duplication. This fix impacts the Azure B2C tenant inventory, eliminating unnecessary re-inventory of deleted applications.

    • A fix was implemented to address issues with parallel execution of normal and deleted inventory processes using local variables instead of global ones. This change ensures that using the next highest token and related variables is thread-safe, preventing conflicts during inventory operations. This update only impacts the Azure B2C tenant inventory.

  • A fix addresses an issue in the AzureGroupInventoryProvider of the Azure SCIM Connector where Azure AD inventory failed due to a mismatch between GroupGUID and SystemIdentifier for existing groups. The SyncToEntity method was changed so that the GroupGUID is set only when the GroupID is greater than 0.

  • Zscaler

    • The Application Segment tab and data grid column names on the Zscaler Access Policy page within the legacy UI have been corrected to reflect the Application Segment.

    • A fix has been applied to address an issue with the Zscaler inventory. The process was exiting abnormally due to a missing end date. This fix ensures the inventory run completes correctly by properly handling the end date.

  • An enhancement was applied to the SAP connector's ASIEProvider to enable dynamic synchronization of new account attributes from Account mapping in ASIE. This update ensures that account attributes created through the Create Account workflow or via code are synced correctly. Accounts provisioned by RET are not affected. This enhancement supports the dynamic data flow for accounts created through specific workflows.

IAM Shop

  • An enhancement has been applied to add the System Identifier Attribute to the application overview details. This update will enable users to view it on the overview details screen.

  • Addressed the issue in the Assign App Right to Person functionality by ensuring eligibility checks from PBAC Definitions are applied before making assignments. Previously, assignments could be made without validating against PBAC criteria. This fix enhances the security and integrity of the system by validating eligibility according to PBAC Definitions.

  • A new feature has been introduced that enables the assignment of App rights to Business Roles and Locations (BRLs), Groups, and SetGroups from PBAC assignments and PBAC Definitions. This enhancement allows managing rights assignments more efficiently. Additionally, users can add field types to new assignments when applicable, with the flexibility of making them optional. This update streamlines managing app rights across BRLs, Groups, and SetGroups without requiring mandatory field types.

  • A new feature has been added to the OnboardGroup process, introducing support for configuring the ParentID for location settings. The update includes the following RWF parameters:

    • DefaultParentLocationID: Allows setting an OrgZoneID to restrict group creation to a specific location and its children.

    • SelectALocation_IsVisible: Controls the visibility of the "Select a location" selector in the Group Information step.

    • SelectALocation_IsRequired: Makes the "Select a location" selector mandatory in the Group Information step.

  • The IsDeletable property has been exposed on the FieldType model in the Resource Admin. This enhancement includes adding a new property in the Model FieldType, a new mapper for the IsDeletable property in the Resource Admin Backend, and updates to the AzFieldTypeView at the database level.


  • A security fix has been implemented for the PSM session to ensure that the Session Events tab is only visible to users with the appropriate access. This update prevents unauthorized access by hiding the tab for users without the required permissions.

  • The issue causing a 500 error in the PSM workflow when connecting to a Linux computer via SSH key credentials has been resolved. Previously, the workflow failed if the credentials had an invalid or null account. With this fix, users can connect successfully even if the credential does not have an account.


  • Changes were made to the ProcessAccountInboxBulk workflow to prevent the insertion of duplicate AttributeInboxes when AccountJoined and AccountsProvisioned are not cleared on subsequent runs. This fix addresses the issue of creating duplicate entries after the joiner process or the provision of a person is completed.

  • Updated the ManageAzFieldType workflow by handling the ApplicationResourceID in SelectedResourceID and upgrading the workflow to a wizard flow. This includes a new step to select the application first and improved navigation. The customer impact includes a more intuitive workflow with back-and-forth navigation options.

Resolved Issues

  • Multiple enhancements have been introduced to fix issues with directly assigned locations. The incorrect success message displayed when removing a location has been corrected, and the error handling for adding an already assigned location has been improved. Now, users are properly notified about location removals and existing assignments. This update addresses usability issues without affecting system functionality.

  • Resolved an issue where the UserPrincipalName (UPN) was not populated during provisioning through RET. Additionally, a CSS bug affecting the Start Date and End Date fields was identified, where the calendar icon was missing, preventing users from easily selecting dates. The only way to load the calendar was to click at the end of the field. This fix addresses the UPN bug and the CSS issue to ensure proper functionality.

  • A bug fix has been implemented to correct the workflow configuration for Mailboxes. The Configure Eligibility workflow has been updated from the ManageGroupWizard to the ManageMailboxWizard. Additionally, the Configure Eligibility button has been removed from Shared Folders, as it incorrectly pointed to the ManageGroup workflow. This fix ensures users no longer see the configured eligibility option for shared folders.

  • A fix has been applied to correct the class name in the Workflow template so that it accurately references BRequestItemFulfillmentTemplate. Without this change, the Business Request Fulfillment Workflow created from the template in Workflow Studio would not compile.

  • A fix has been implemented for the access request policy in the IAM Shop, addressing an issue where the maximum allowed duration was enforced even when the policy was not time-restricted. This UI change ensures that the maximum allowed duration is only applied when the policy is time-restricted. Users can now select any end date for policies not subject to time restrictions.

  • Resolved an issue of the PBAC label incorrectly appearing for non-PBAC resource types in the UI. The fix ensures that the PBAC label is only displayed for PBAC resources, eliminating user confusion and improving resource type classification in the UI.

  • The issue where Azure role access duration was not displayed in the IAM Shop has been fixed. Now, when an Azure role is requested with time duration, users will see this information in the manage access listing.

  • Fixed the issues with submitting valid start and end dates in business requests. Updated the default end date in requestDataEndTime, corrected the invalid date errors, and formatted the updated end date time. Additionally, handled the toggle value and resolved related comments.

Aug 26 - Aug 30


  • A new feature has been introduced to extend the EmpowerID schema by inventorizing additional Active Directory (AD) attributes in the Azure AD SCIM Connector. The update now includes the following AD attributes for inventory in EmpowerID: dcxCostCenter, dcxObjectOwner (read-only), and dcxSiteCode.

  • A new feature has been introduced to extend Azure native authentication by supporting Azure B2C tenant connector authentication. This enhancement enables EID to federate with Azure B2C, allowing users from B2C tenants to log in and interact with EID UI microservices. Unlike Azure AD, Azure AD B2C does not directly support the UserInfo endpoint. Following Microsoft's setup instructions, custom policies have been configured to return data in the UserInfo Endpoint to accommodate this. This feature will not impact clients until activated and will benefit clients requiring B2C tenant federation.


  • The cache expiry time for all microservices APIs has been changed from a day to fifteen minutes. Previously, a one-day expiry led to delays in cache updates. Reducing the expiry to minutes improves the refresh rate and ensures more current settings.

  • A new enhancement has been introduced to display the Service Principal Object ID on the overview page of Azure applications in the Resadmin UI.


  • A fix has been implemented to address an issue with the RemoveGroupsFromGroupMembershipBulkOperation, where nested groups were causing a "Key not present in the dictionary" error during fulfillment. The update includes modifications to ensure that member groups are added to the GroupDictionary, resolve the issue, and prevent errors related to missing keys. This fix will ensure smoother operation without impacting the current setup.


  • A new feature has been introduced to enhance the management of roles by adding a form that allows users to update various attributes of a management role. This enhancement will be utilized by all workflows that include the EditManagementRoleOperation activity, ensuring a more consistent and effective management process across the system. The new form supports the following operations: Enable Requestable, Disable Requestable, Edit Description, Edit FriendlyName, Edit Instructions, Edit Custom Attributes, Edit Extension Attributes, Edit Email, and Edit KeyEntryInstructionsName. This update aims to streamline the process and improve functionality by replacing individual operations with a more efficient RBACObjectAttribute and ResourceTypeOperation mapping approach.


  • A new feature has been introduced in the workflow MassMaintainenceManagemetRoleWF to allow users to import approvers by adding Approvers in the CSV file column. This enhancement enables the inclusion of approvers' data during the import process. The feature is designed to simplify the management of approvers and ensure they are properly imported with the necessary data. This update provides users with greater flexibility in handling approver information.

  • A new feature has been added to enhance the flexibility of configuring access request policies. Users can now set access request policy selection as either optional or required across various workflows. This feature was requested to allow different clients to tailor the policy settings according to their specific needs. Modified workflows are ManageAzLocalRightWizard, ManageAzLocalRoleWizard, ManageAzureAppRoleWizard, ManageAzureAppWizard, ManageCredentialWizard, ManageGroupWizard, ManageManagementRoleWizard, ManageComputerWizard.

Resolved Issues


  • A fix has been implemented to address an issue where unpublished resources could be added to the cart in the IT Shop despite being hidden from the user interface. This fix ensures that when users attempt to submit a cart containing unpublished resources, the system properly blocks the action and displays an appropriate error message on the UI.

  • An issue was resolved where the wrong Assignee ID was assigned while fetching dynamic field type values. Previously, the ID of the person logged in was used instead of the ID of the person to whom the field type was assigned. This update passes the correct Assignee ID, ensuring the intended person's dynamic field type values are accurately fetched.

  • A fix has been implemented for the OnboardManagementRole to address an issue where the Policy Assignment Request (PAR) was not preselected correctly when SelectedApplicationID or SelectedResourceID was provided. This update ensures that the PAR is accurately preselected based on the given IDs, enhancing the system's functionality and ensuring that users receive the correct preselection when these parameters are used.

  • A fix has been implemented to resolve a sorting issue in the ZscalerAccessPolicyGrid. Previously, the grid was sorted by the Priority column; it is now correctly sorted by RuleOrder. The change ensures that the grid reflects the correct order.

Aug 19 - Aug 23


  • In the IAMShop application, a new feature has been added to improve the user experience when requesting access to applications. A Select All button has been implemented for multi-select FieldType controls, specifically for the MultiSelectCheckBoxList field type. This enhancement allows users to select all values associated with a FieldType in one action, streamlining the selection process and reducing manual entry time. Additionally, functionality has been added to force users to select at least one value when the EnforceFieldTypeSelection flag is true, and the isFieldTypes flag is also true. This will prevent users from adding to the cart without meeting the selection criteria. The EnforceFieldTypeSelection flag is available in OnboardAzLocalRight WF advanced settings.

  • A new feature has been introduced to display deputies for App Rights and Role Definitions based on configurable ResourceTypeRoles. The configuration is managed via the ResourceSystemConfigSetting with the name ResAdminDeputiesResourceTypeRolesIds, where you can define the ResourceType and its associated ResourceTypeRoleID for deputies. This update lets you see deputies assigned to App Rights and Role Definitions according to the configured ResourceTypeRoles.


  • The MassMaintenancePersonManagementRoleWF workflow has been enhanced to support additional parameters in CSV uploads for managing role memberships. The new fields include ValidFrom, ValidTo, and Justification. The ValidFrom and ValidTo fields manage time constraints, while the Justification field will be recorded in the audit log for both the management role and the person. Existing fields such as the management role name, person login or GUID, and actions like Add and Delete were already incorporated.

  • The OnboardAzLocalRole workflow has been enhanced to include the capability to set the PBAC Approval Right with a dropdown menu on the form. This enhancement provides additional functionality and better visibility options for PBAC Approval Rights.

  • Multiple UX improvements have been introduced for the ManageApplicationWizard:

    • The PBAC App checkbox and associated controls have been removed from the form.

    • The description field has been updated to a multiline format.

    • Help text has been added for the authorization model and checkboxes.

    • Additionally, the Cancel button has been renamed to Back, and issues with Back and Next steps have been fixed.

    • The Edit App Settings list data item value has been renamed to Edit Application Settings.

    • Missing labels, including those for managing application settings, rights, roles, and help texts, have been added.

  • New functionality has been added to the ManageAzLocalRoleWizard workflow:

    • New Action: Added Edit Role Definitions Settings to Multi Actions with a disclaimer indicating that changes affect all selected role definitions.

    • PBAC Approval Right: Added a dropdown similar to the OnboardAzLocalRight workflow, with changes applied only upon selection.

    • Visibility Control: Introduced Multi_PBACApprovalRight_IsVisible to control field visibility in multi-action cases.

    • Field Population: Ensured that the selected AzLocalRightID was populated in the AzLocalRole table’s ApprovalAzLocalRightID column.

    • Single Action: Added Edit Role Definition Settings to Single Actions, including a form to edit Name, Friendly Name, Description, Instructions, and PBAC Approval Right dropdown.

    • New Menu Items: New items for Multi Actions and Single Actions were added in the ManageAzLocalRoleWizard.

    • Included changes from Manage IAM shop multi-settings and a bug fix related to the approval flow policy.

  • Multiple enhancements have been introduced in the ManageAzLocalRightWizard workflow:

    • Local Right Settings for Multiple Selection: Added the capability to configure local right settings when multiple rights are selected simultaneously.

    • Edit Owners and Deputies for Multiple Rights: The wizard now includes the option to edit owners and deputies for multiple local rights.

    • EnforceFieldTypeSelection: Added the EnforceFieldTypeSelection field for both single and multiple selection scenarios.

    • Deprecation of "Assign Responsible Party": Deprecated the "Assign Responsible Party" action for multi-selection, streamlining the process.

    • These updates enhance the flexibility and functionality of the ManageAzLocalRightWizard, allowing for more efficient management of local rights.

Resolved Issues

  • A fix has been implemented to correct the handling of management role grant access in the business request process. The issue was that the OnboardManagementRole workflow incorrectly added the management role as a member instead of under the Grant Access section. To resolve this, the CreateBRManagementRoleOnboarding activity and onboardManagementRoleApproval workflow have been updated to ensure the role is added correctly under Grant Access.

  • A fix has been implemented to address an issue where the IsInherited flag was missing from the API response. This prevented the UI from performing certain operations, such as disabling and unassigning options in the right list box.

  • A fix has been applied to correct the display of start and end dates in the Role Definitions listings screen. Previously, the dates were not being displayed accurately, which caused confusion in the listings. This fix resolves the issue, ensuring that start and end dates are represented correctly.

  • Updated the email-sending functionality to exclude recipients who do not have a locale set when sending emails to multiple people. The previous implementation attempted to send emails to all recipients, regardless of whether they had a locale set, which could cause issues. This fix ensures that only recipients with a set locale receive the email.

  • Fixes in ManageApplicationWizard Workflow

    Multiple issues have been addressed in the ManageApplicationWizard workflow to enhance the user experience:

    • Cancel/Back Button Missing: The Cancel and Back buttons on the Select Application page have been added, allowing users to abort the workflow if needed.

    • Executive Summary Page: After editing any settings within the Edit Application Settings option, the workflow now correctly displays an Executive Summary page instead of just a confirmation message. The user will no longer be redirected directly to the Select Workflow page.

    • Multiple Application Selection Issues: Several issues related to selecting multiple applications have been fixed:

      • Only the last selected application was previously shown in the "You selected this Application to manage" section. Now, all selected applications are correctly displayed.

      • The count of selected applications was incorrectly displayed as 0. This issue has been corrected.

      • Locale-related issues with the displayed application count have been fixed.

    These fixes ensure a smoother and more intuitive workflow experience for users.

  • A critical issue affecting the assignment of rights to management roles in the UI has been resolved. Previously, users could only assign app rights to management roles for the first seven app rights in the native UI. When attempting to assign rights from a certain number of app rights onwards, the respective app rights would not appear in the "Assign Rights to Management Role" modal. This was due to pagination, which filtered only the first seven fetched elements. The fix ensures that all app rights, regardless of their position in the list, are now available for management role assignments in the native UI. This fix restores full functionality to the role assignment process, allowing users to manage app rights effectively without any limitations.

Aug 12 - Aug 16


  • CyberArkSCIM Connector:

    • A fix has been applied to resolve the CyberArkSCIM connector's account inventory issues. Specifically, it addresses problems matching logon names for CyberArk accounts, ensuring accurate and consistent inventory management.

  • Zscaler Connector:

    • A fix has been applied to the Zscaler application segments view, correcting the View One Page functionality. The issue was due to the GetAllSearch method being called with incorrect parameters. This fix adjusts the parameters to ensure proper functionality.

    • A fix has been implemented to address issues with the Zscaler inventory and additional resource system jobs. This update ensures that SCIM groups are properly inventoried under the Zscaler account store and that SCIM groups sync with other object types under specific conditions. The fix aims to display Zscaler groups in one of the workflows and ensures the additional job syncs the entire conditions collection without overriding other objects.

    • A fix has been implemented to address issues with the Zscaler connector's inventory management. The update includes logic to handle rate limit issues by checking and retrying requests as necessary.

  • PBAC Universal Connector

    • A new feature has been introduced to Add PBAC Inventory to the Account Store view details for systems where the AccountStore System Type is set to PBAC Universal Connector. This update allows users to enable or disable PBAC Inventory and modify the schedule.
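The Azure B2C and Zscaler inventory notes above describe three defects of one shape: a deleted-objects pass that re-read pages because the wrong skip-token flag was used, a skip token held in shared (global) state so parallel normal and deleted passes overwrote each other's position, and Zscaler requests that failed under API rate limiting. The following is an added illustration, not EmpowerID connector code: a paged inventory loop that keeps the cursor local to each pass and retries a throttled request after the server's retry-after hint, next to a deterministic reproduction of the shared-cursor bug. `FakePagedApi`, its payload shape (`value`/`skipToken`) and the throttling cadence are constructed for the example; the real APIs differ.

```python
"""Paged inventory with a per-pass skip token and rate-limit retry.

Added illustration, not EmpowerID connector code. FakePagedApi, its
"value"/"skipToken" payload and the throttle cadence are constructed here.
"""
import time
from typing import Callable, Dict, List, Optional


class RateLimited(Exception):
    """Stand-in for an HTTP 429 carrying a Retry-After hint (seconds)."""
    def __init__(self, retry_after: float):
        super().__init__(f"429 Too Many Requests, retry after {retry_after}s")
        self.retry_after = retry_after


class FakePagedApi:
    """Constructed directory API: 'live' and 'deleted' object lists, paged by
    a skip token, throttling every Nth call."""
    def __init__(self, live: List[str], deleted: List[str],
                 page_size: int = 2, throttle_every: int = 3):
        self._data = {"live": live, "deleted": deleted}
        self.page_size = page_size
        self.throttle_every = throttle_every
        self.calls = 0

    def list_page(self, kind: str, skip_token: Optional[str]) -> Dict:
        self.calls += 1
        if self.throttle_every and self.calls % self.throttle_every == 0:
            raise RateLimited(retry_after=0.01)
        start = int(skip_token) if skip_token else 0
        items = self._data[kind][start:start + self.page_size]
        nxt = start + self.page_size
        return {"value": items,
                "skipToken": str(nxt) if nxt < len(self._data[kind]) else None}


def fetch_page(api: FakePagedApi, kind: str, skip_token: Optional[str],
               sleep: Callable[[float], None] = time.sleep,
               max_retries: int = 5) -> Dict:
    """Fetch one page, honouring the retry-after hint with exponential backoff."""
    for attempt in range(max_retries + 1):
        try:
            return api.list_page(kind, skip_token)
        except RateLimited as exc:
            if attempt == max_retries:
                raise
            sleep(exc.retry_after * (2 ** attempt))
    raise AssertionError("unreachable")


def inventory(api: FakePagedApi, kind: str,
              sleep: Callable[[float], None] = time.sleep) -> List[str]:
    """One inventory pass. The skip token is local to this call, so a parallel
    pass over another kind cannot move or reset it."""
    seen: List[str] = []
    skip_token: Optional[str] = None
    while True:
        page = fetch_page(api, kind, skip_token, sleep)
        seen.extend(page["value"])
        skip_token = page["skipToken"]
        if skip_token is None:
            return seen


_shared_skip_token: Optional[str] = None  # the defective shape: one cursor for every pass


def inventory_shared_cursor(api: FakePagedApi, kinds: List[str],
                            sleep: Callable[[float], None] = time.sleep) -> Dict[str, List[str]]:
    """Reproduces the bug deterministically: passes take turns (standing in for
    threads) and all read and write the module-level cursor."""
    global _shared_skip_token
    _shared_skip_token = None
    seen: Dict[str, List[str]] = {kind: [] for kind in kinds}
    pending = list(kinds)
    while pending:
        for kind in list(pending):
            page = fetch_page(api, kind, _shared_skip_token, sleep)
            seen[kind].extend(page["value"])
            _shared_skip_token = page["skipToken"]  # clobbers the other pass's position
            if _shared_skip_token is None:
                pending.remove(kind)
    return seen


if __name__ == "__main__":
    live, deleted = ["a", "b", "c", "d", "e"], ["x", "y", "z"]
    api = FakePagedApi(live, deleted)
    print("per-pass cursor:", inventory(api, "live"), inventory(api, "deleted"))
    print("shared cursor:  ", inventory_shared_cursor(FakePagedApi(live, deleted), ["live", "deleted"]))
```

With the shared cursor, the deleted pass picks up the live pass's token and finishes after one partial page, then resets the token so the live pass re-reads its first page: exactly the missed objects and duplicate inventory entries the notes describe. Per-pass state and a bounded retry on throttling are the two properties to check when reviewing any connector's inventory loop.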

Security Fixes

  • A fix has been implemented to improve the detection and suppression of XSS (Cross-Site Scripting) attacks on the Query (also known as Set) details page. This update enhances the security of the Queries (Sets) functionality by strengthening measures to prevent the injection of potentially harmful scripts. As a result, the application is better protected against security vulnerabilities related to XSS attacks.


  • A fix has been implemented for the Management Role Grant Access business request item. The update corrects the handling of management role access by ensuring it is categorized under Grant Access rather than as a member. This fix applies to the CreateBRManagementRoleOnboarding activity and the onboardManagementRoleApproval workflow, resolving the issue and improving request processing accuracy.

Resolved Issues


  • A fix has been implemented to address issues assigning rights to management roles. The dropdown label Select Management Role was incorrectly displaying as Select a Person, causing confusion. Additionally, expected application rights were not being displayed. This update corrects the label and ensures the appropriate application rights are displayed, improving user experience and functionality.

  • A fix has been implemented to enhance the Business Request Overview by expanding the Description field. Previously, the Description was truncated if it exceeded 250 characters. This update re-designs the section to avoid truncation, addresses the issue of empty space, and improves how information is presented. Now, if the Description is longer than 250 characters, a Show More button will be available, allowing users to view the complete text. This improvement will benefit users by providing a more comprehensive view of the Description field.

  • A fix has been implemented to address issues with email sending in the Notification Queue and Notification Report Subscription compiler. The update introduces new settings to enable synchronous email sending and add a delay between processing records, improving reliability.

    Configuration Settings:

    • NotificationQueueOrReport-SendEmailSynchronously: Enables synchronous email sending when set to true.

    • NotificationQueueOrReport-SuccessiveEmailsDelay: Specifies the delay (in milliseconds) between successive email notifications.


We are pleased to announce the release of EmpowerID Build, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:


GCP Connector

  • We have added and implemented full and delta inventory features for GCP users. The enhancements include:

    • Full Inventory for Users

    • Delta Inventory for Users

    • Delta Inventory for Users in the Connector

    • Full Inventory for Guest Accounts in the Connector

  • We have implemented full and delta inventory features for GCP groups and memberships. The enhancements include:

    • Full Inventory Endpoints for Groups and Memberships

    • Delta Inventory Endpoints for Groups and Members in the Microservice

Zscaler Connector

  • The functionality for Reconciliation of SCIM groups with Azure AD groups has been added. This functionality retrieves SCIM groups provisioned in Zscaler, matches them with the Zscaler group IDs and Azure system identifiers stored in Azure Blob, and performs a reconciliation process to ensure both systems are aligned. This enhancement streamlines group management and synchronization across both platforms.

  • Inventory of Zscaler Segment Groups is now available. This feature follows the JSON inbox method, where JSON data is retrieved and imported into EID. The stored procedure Custom_ZScalerJSONInbox_ProcessResourceSystem handles the processing of JSON inbox entries for each resource system. The processed data is then stored in the EID segment group tables: ZscalerSegmentGroup and ZscalerSegmentGroupAccessPolicy. The JSON inbox data is stored in ZScalerJSONInbox and zscalerjsondoctype, ensuring seamless integration and synchronization across the system.

  • We have introduced the capability to inventory Application Segments from Zscaler using the JSON inbox method. This process retrieves JSON data and imports it into the EID system, where it is processed using the stored procedure Custom_ZScalerJSONInbox_ProcessResourceSystem. The JSON inbox entries are synchronized with the EID components, and the application segments and associated data are stored in the relevant EID tables. This ensures a seamless and automated method for managing application segments.

  • The feature to inventory Server Groups from Zscaler using the JSON inbox method allows seamless import of JSON data into the EID system. The stored procedure Custom_ZScalerJSONInbox_ProcessResourceSystem processes the JSON inbox entries for each resource system.

  • Managing Access Policies in Zscaler is now available from EmpowerID. This integration allows users to seamlessly define and manage access policies within the Zscaler environment directly from EmpowerID. Users can create, delete, and update access policies using a self-service wizard workflow, simplifying the management process and enhancing user experience.


  • Major upgrade transitions all microservices from .NET 6.0 to .NET 8.0. The update addresses the upcoming end-of-support for .NET 6.0, ensuring continued security and support by leveraging the latest .NET framework enhancements. This upgrade does not affect current functionality or performance but is crucial for maintaining future compatibility and receiving ongoing support.

  • A new enhancement has been introduced to display the Service Principal Object ID on the overview page of Azure applications in the Resource Admin UI.

  • This update introduces the ability to assign application rights to individual users and groups. This enhancement allows for more efficient management of app rights assignments, enabling administrators to streamline permissions across multiple users simultaneously. This feature aims to simplify the user management process and improve operational efficiency.

IAM Shop

  • In the IAMShop application window, a new feature has been added to improve the user experience when requesting access to applications. A Select All button has been implemented for multi-select FieldType controls, specifically for the MultiSelectCheckBoxList field type. This enhancement allows users to select all values associated with a FieldType in one action, streamlining the selection process and reducing manual entry time. Additionally, functionality has been added to force users to select at least one value when the EnforceFieldTypeSelection flag is true and the isFieldTypes flag is also true. This will ensure users can add to the cart by meeting the selection criteria. The EnforceFieldTypeSelection flag is available in OnboardAzLocalRight WF advanced settings.

  • The IAM shop has implemented an enhancement to enforce a minimum character length of three in the search box on listing screens. This update addresses issues of database timeouts caused by excessive load when search API calls were made with fewer than three characters. With this enhancement, the search functionality will only trigger if at least three characters are entered, improving performance and reducing the likelihood of timeouts.

  • Resource Admin and IAM Shop have added a new configuration option, making the BusinessRequestName field mandatory or optional.

  • A new encrypted media streaming infrastructure has been implemented to enhance the security and efficient streaming of PSM session recordings. This approach ensures that all recordings are encrypted by default to protect data at rest, while specific recordings can be encrypted with unique keys, restricting access unless authorized.

    The new solution employs HTTP Live Streaming (HLS) protocol with AES-128 encryption, dividing videos into smaller segments and generating a manifest file for adaptive streaming. This method improves start times and allows seamless playback by dynamically loading segments based on connection strength, minimizing buffering.

    Encrypted segments prevent unauthorized playback, even if downloaded locally. The infrastructure utilizes a streaming server to serve encrypted segments, and the VideoJS player decrypts these on the fly, ensuring secure, on-demand access to recordings without impacting performance.
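The note above describes the mechanism: each recording is cut into HLS segments, every segment is AES-128 encrypted, and the player fetches the key and decrypts on the fly. When reviewing such a deployment, the first check is that the playlists actually put every segment under an `EXT-X-KEY` tag with `METHOD=AES-128` and that the key URI is only reachable over HTTPS, since a segment listed before the key tag, or after a `METHOD=NONE` tag, plays in the clear. The following is an added example, not EmpowerID or VideoJS code, that audits a media playlist for exactly that; the playlist text, hostname and file names are constructed.

```python
"""Audit an HLS media playlist for AES-128 encryption coverage.

Added illustration, not EmpowerID or VideoJS code. The playlist below,
its hostname and file names are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

SAMPLE_PLAYLIST = """\
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="https://psm.example.test/keys/rec-42.key",IV=0x00000000000000000000000000000001
#EXTINF:6.000,
rec-42-000.ts
#EXTINF:6.000,
rec-42-001.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:4.500,
rec-42-002.ts
#EXT-X-ENDLIST
"""

# NAME=VALUE attribute list; quoted values may contain commas, so the quoted
# alternative is tried first
_ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')


@dataclass
class Segment:
    uri: str
    method: str              # "AES-128", "NONE", "SAMPLE-AES", ...
    key_uri: Optional[str]   # None when the segment is not encrypted


@dataclass
class Report:
    segments: List[Segment] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def parse_attrs(attr_list: str) -> dict:
    """Turn 'METHOD=AES-128,URI="..."' into a dict, stripping quotes."""
    return {name: value.strip('"') for name, value in _ATTR_RE.findall(attr_list)}


def audit_playlist(text: str) -> Report:
    """Walk the playlist in order, tracking the key in force. Per RFC 8216 a
    KEY tag applies to every following segment until the next KEY tag, and
    segments before any KEY tag are unencrypted."""
    report = Report()
    method, key_uri = "NONE", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#EXT-X-KEY:"):
            attrs = parse_attrs(line[len("#EXT-X-KEY:"):])
            method = attrs.get("METHOD", "NONE")
            key_uri = attrs.get("URI") if method != "NONE" else None
            if method != "NONE" and key_uri is None:
                report.problems.append(f"line {lineno}: {method} key without a URI")
            elif key_uri is not None and urlparse(key_uri).scheme != "https":
                report.problems.append(f"line {lineno}: key not served over https: {key_uri}")
        elif line.startswith("#"):
            continue  # other tags and comments do not change the key state
        else:
            report.segments.append(Segment(line, method, key_uri))
            if method != "AES-128":
                what = "unencrypted" if method == "NONE" else f"encrypted with {method}"
                report.problems.append(f"line {lineno}: segment {line} is {what}, expected AES-128")
    return report


def is_fully_encrypted(text: str) -> bool:
    """True only when every segment is AES-128 encrypted under an https key."""
    return not audit_playlist(text).problems


if __name__ == "__main__":
    for problem in audit_playlist(SAMPLE_PLAYLIST).problems:
        print(problem)
```

Run against the constructed playlist, the audit flags the third segment as unencrypted; with the `METHOD=NONE` line removed it reports nothing. The check says nothing about who may fetch the key, which is the other half of the design in the note (per-recording keys with access restricted to authorized users), so the key endpoint's authorization needs its own review.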

Resource Admin

  • A new Pre-Approved Members grid has been added to the Groups overview. This feature provides a convenient view of members who have pre-approved access, enhancing visibility and streamlining group management by allowing admins to quickly review and manage pre-approved memberships directly from the Groups overview page.

  • A new update introduces menu links to enhance navigation across standard functionalities within the Resource Admin. Access to Access Managers (RBAC Owners), Direct Assigned Locations, and Access Request Policy settings is streamlined and available across resources, including Applications, Groups, Management Roles, and Mailboxes. This addition simplifies the management experience, making it easier for users to access these critical functions from any relevant resource.

  • The Resource Admin now provides access to inventoried permissions for Shared Folders. This enhancement allows users to view and manage permissions for Shared Folders directly within the Resource Admin.

  • The Application Details interface now includes the ProtectedApplicationResourceUsageTypeFriendlyName property, displayed under the App Authorization Model.

  • This update introduces the ability to assign app rights to groups in Application → App Right Assignments. This enhancement allows for more efficient management of app rights assignments, enabling administrators to streamline permissions across groups.

  • Introduced new assignment capabilities within the PBAC Role Definition Assignments section, allowing users to assign Role Definitions to various entities within an application. With this update, users can now assign Role Definitions to Groups, Business Roles and Locations, and SetGroups. These new functionalities include options to view, add, or remove assignments, enhancing flexibility and control over role definition assignments.

  • Introduced the "Assign to Person" feature in the PBAC Assignments → Role Definition Assignments section. This functionality allows users to assign Role Definitions to eligible individuals within the application, streamlining role management by fetching eligible persons, retrieving their roles, and displaying current assignments. Implemented the "Assign to Management Role" functionality within the PBAC Definitions → Details → Assignments section. This feature allows users to assign Role Definitions to management roles within an application, including the ability to view, add, or remove assignments.

  • New assignment functionalities were added to the PBAC Definitions → Details → Assignments section, allowing users to assign Role Definitions to SetGroups, Groups, and Business Roles and Locations within an application. These enhancements provide a comprehensive set of options to view, add, or remove assignments, giving users greater flexibility and control over managing PBAC definitions.

  • Added the ability to manage global field types under Applications, allowing users to view, create, and delete field types. This enhancement provides greater flexibility and control over field type management, similar to the functionality available for app-owned field types. Global Field Types will now be listed in the left-side menu, similar to Claim Mapping policies, making it easier for users to maintain and organize field data. This feature benefits customers by improving the management of field types under applications.


  • This update introduces the detection, reporting, and recertification of stale Azure applications, streamlining the identification and management of inactive applications. The integration leverages the Azure AD Graph API to retrieve application activity data, now recorded in the LastActivityDate field in the ProtectedApplicationResource table. Applications identified as inactive based on this date are automatically flagged and sent for recertification. This enhancement ensures that stale applications are actively monitored, with any gaps in logging promptly addressed to maintain accurate tracking and reporting for recertification workflows.

  • A new permanent workflow, AzureCredentialExpirationNotification, has been implemented to automatically detect and manage expired Azure client secrets and certificates across all Azure tenants within the system. This workflow checks all registered tenants, identifies expired credentials, and executes the following actions for each expired item:

    • Deletes the expired secret or certificate directly in Azure.

    • Removes the corresponding external credential in EmpowerID, but only if the deletion in Azure succeeded.

    Additionally, for applications with multiple expired credentials, the workflow sends individual notification emails to app owners and credential owners for each expired item, ensuring prompt awareness and action.

  • The functionality to view and manage API permission assignments for managed identities and service principals has been enhanced. Previously, only a read-only grid of rights was available on the ViewOne page. CRUD operations have now been added, enabling full management capabilities for API permissions.


  • A new setting enables splitting business request items by field type values, broadening the applicability of the approval splitting feature. The setting is a pointer column (AzFieldTypeIDToSplitBy) on the AzLocalRight that designates the FieldType to split by. When it is set, business requests are split into one item per unique value of that field type, and the other field type values in the assignment are copied to each split item.
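    The splitting rule described above, shown as an added example on constructed data; this is not the EmpowerID implementation. The property names (azLocalRightId, azFieldTypeIdToSplitBy, fieldTypeValues) and the sample rights and field types are assumptions chosen for illustration. The example covers the two cases the note implies: a right with the pointer column set is split once per distinct value of that field type with the remaining values copied along, and a right without it is left as a single item.

```javascript
// Constructed rights table. Right 101 has the split pointer set to field type 7 ("Region");
// right 102 leaves it unset, so its request items are never split.
const RIGHTS = {
  101: { name: 'Report Viewer', azFieldTypeIdToSplitBy: 7 },
  102: { name: 'Dashboard User', azFieldTypeIdToSplitBy: null },
};
// Constructed field type catalogue (id -> display name).
const FIELD_TYPES = { 7: 'Region', 8: 'Department' };

// Split one business request item according to its right's AzFieldTypeIDToSplitBy setting.
// Returns an array of items: the original item alone when no split applies, otherwise one
// item per unique value of the designated field type, each carrying a copy of the other values.
function splitRequestItem(item, rights = RIGHTS) {
  const right = rights[item.azLocalRightId];
  const splitBy = right ? right.azFieldTypeIdToSplitBy : null;
  if (splitBy == null) return [item]; // feature not configured for this right

  const splitValues = item.fieldTypeValues.filter(v => v.azFieldTypeId === splitBy);
  const otherValues = item.fieldTypeValues.filter(v => v.azFieldTypeId !== splitBy);
  if (splitValues.length === 0) return [item]; // nothing to split on: keep the item whole

  const seen = new Set();
  const items = [];
  for (const v of splitValues) {
    if (seen.has(v.value)) continue; // duplicates collapse into one split item
    seen.add(v.value);
    items.push({
      ...item,
      // the split value first, then fresh copies of every other field type value
      fieldTypeValues: [{ ...v }, ...otherValues.map(o => ({ ...o }))],
    });
  }
  return items;
}

// Readable label for a split item, e.g. "Report Viewer [Region=EU, Department=Finance]".
function describeItem(item, rights = RIGHTS) {
  const fields = item.fieldTypeValues.map(v => `${FIELD_TYPES[v.azFieldTypeId]}=${v.value}`);
  return `${rights[item.azLocalRightId].name} [${fields.join(', ')}]`;
}

// Scenario: a request for right 101 with Region values EU, US, EU and Department Finance.
function splitScenario() {
  const request = {
    azLocalRightId: 101,
    fieldTypeValues: [
      { azFieldTypeId: 7, value: 'EU' },
      { azFieldTypeId: 7, value: 'US' },
      { azFieldTypeId: 7, value: 'EU' },
      { azFieldTypeId: 8, value: 'Finance' },
    ],
  };
  return splitRequestItem(request).map(i => describeItem(i));
}

// Scenario: the same values requested against right 102, which has no split setting.
function noSplitScenario() {
  const request = {
    azLocalRightId: 102,
    fieldTypeValues: [
      { azFieldTypeId: 7, value: 'EU' },
      { azFieldTypeId: 7, value: 'US' },
      { azFieldTypeId: 8, value: 'Finance' },
    ],
  };
  return splitRequestItem(request).map(i => describeItem(i));
}
```

    Because each split item carries only one value of the designated field type, approvers see and decide on one Region at a time while still seeing the Department that applies to every split, which is what makes the per-value approval routing possible.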


  • Implemented enhancements for the OnboardMailbox workflow, including adding a popup grid search for the Responsible Party and introducing IsRequired parameters for Responsible Party, Owner, and Deputy fields. The lookup now targets a more flexible configuration, allowing customization for the desired audience. Adjustments were made to use GetSearchAdvanced for Owner selection, enhancing accuracy in the selection process. These updates improve the onboarding experience for mailboxes.

  • A fix has been implemented for the DisableMultiplePeopleWF, EnableMultiplePeopleWF, and ResetPassword workflows to address an issue where the advanced search options were not displaying when expanding the search box after selecting No for user selection. This update shows the appropriate attributes, ensuring users can efficiently perform advanced searches within these workflows.

  • The latest enhancement in the ManageAzLocalRightWizard workflow introduces the capability to set SplitBusinessRequestApprovalPerFieldTypeValue and ApprovalAzLocalRightID for multiple AzLocalRights selections. The Edit Settings for Right label has been renamed to Edit Local Right Settings, and this option has been added to both single and multi-actions within the wizard. A disclaimer regarding setting overwrites has been implemented, and radio buttons are now used for specific checkboxes to ensure changes are made only upon selection. Additionally, the PBAC approval right is now a dropdown, reflecting changes only when a selection is made. This update also allows owners and deputies to be set for multiple AzLocalRights selections, aligning with existing activities in the ManageAzureAppRoleWizard workflow. Finally, the Assign Responsible Party action for multi-selection has been deprecated.

  • The Role Definition Information form for onboarding local roles has a new optional dropdown field for selecting the fulfillment group and aligning it with the setup in the OnboardAzLocalRight workflow. Additionally, the section previously labeled App Right Options has been renamed Advanced Settings to provide a more intuitive interface. This enhancement allows users to assign fulfillment groups to roles during onboarding, improving flexibility in role management.

  • The ManageComputerWizard workflow has been updated to include support for configuring RDP (Remote Desktop Protocol) and SSH (Secure Shell) connections for computers. This feature enables users to set up RDP and SSH access options directly within the workflow, along with other configurations such as hostname, Telnet, and VNC access. The updated workflow can be accessed through ITShop → Computers → Workflows → Manage Computer Wizard, providing streamlined setup and enhanced control over computer access configurations.

Security and Performance Enhancements

  • This release introduces a crucial enhancement to the MyIdentity feature, addressing data privacy concerns by implementing the SearchToLoad configuration parameter. Users can no longer view a full, unfiltered list of identities under the All Users, Internal Users, and External Users tabs without entering a search query. By default, these identity lists will display nothing until a search is performed, ensuring compliance with privacy regulations and preventing unauthorized access to potentially exportable user information.

  • A fix has been implemented to prevent token refresh calls from being made after session expiration. Previously, token refresh requests continued post-session expiration, leading to unnecessary calls.

Enhanced Tree Loading and Search Functionality

We are pleased to announce a major performance enhancement. Tree loading and search across location trees have been improved with the following changes:


Dynamic On-Demand Tree Loading

  • The system now loads tree nodes dynamically as needed instead of loading the entire tree at once

  • Only the nodes required for display are loaded, significantly improving performance

  • When expanding a node, the system might load one or a few levels depending on the context

  • This approach dramatically reduces the initial loading time for large hierarchical structures

Improved Search Capabilities

  • Server-Side Full Text Search: Search now operates on the database level rather than client-side, delivering more accurate and comprehensive results

  • When performing a search:

    • The system retrieves all matches for your search terms

    • All parent nodes in the path to the root are automatically loaded

    • Search results highlight all matching nodes

    • The tree expands to display the complete path to each match

Implementation Scope

  • These improvements have been implemented in:

    • Location trees

    • Business role trees

    • External location trees

    • External business role trees

Unchanged Trees

  • The following trees continue to use the previous implementation as they don't require these enhancements due to their size:

    • Application trees

    • Company trees

    • Catalog trees

Important Changes to Mapping Functionality

When mapping external entities (roles or locations) to internal ones, there's an important update to how selection works:

  • Selection Behavior:

    • The system still automatically selects all visible children when you check a parent node

    • Important Note: Only currently loaded/expanded nodes will be selected

  • Required User Action:

    • To select all descendants under a node, you must first expand that node to display its children

    • Nodes with a "+" indicator contain unexpanded children that will not be automatically selected unless expanded

    • Make sure to expand all relevant nodes before making your selections

These changes significantly improve performance for users with large hierarchical structures that previously required extensive loading time. This change affects the Business Role Mapper, External Business Role Mapper, and External Location Mapper. To learn more about how the changes work in role and location mapping, refer to the Role and Location Mapper documentation. To learn more about the tree functionality, see the /wiki/spaces/EAGV7212/pages/4184211631 guide.
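The on-demand loading, server-side search and selection behaviour described above, as an added example that models them on a constructed location table; this is not EmpowerID's tree component. The server API stand-ins (one level of children per call, a search returning matching ids, and a parent chain per match) and all names and ids are assumptions. It shows the selection caveat concretely: checking a parent selects only descendants that are already loaded, so the same "select Global" action yields a different result at each stage of expansion, while a search loads and expands the full path to every match.

```javascript
// Constructed location table standing in for the server-side hierarchy.
const LOCATIONS = [
  { id: 1, parentId: null, name: 'Global' },
  { id: 2, parentId: 1, name: 'Europe' },
  { id: 3, parentId: 2, name: 'Berlin Office' },
  { id: 4, parentId: 2, name: 'Paris Office' },
  { id: 5, parentId: 1, name: 'Americas' },
  { id: 6, parentId: 5, name: 'Berlin Lab' },
  { id: 7, parentId: 6, name: 'Berlin Lab Annex' },
];

// Server API stand-ins: one level of children per call, a full-text search returning ids,
// and the ancestor chain of a node (root first), which a search response must also supply.
const server = {
  children(parentId) {
    return LOCATIONS.filter(r => r.parentId === parentId)
      .map(r => ({ id: r.id, name: r.name, hasChildren: LOCATIONS.some(c => c.parentId === r.id) }));
  },
  search(term) {
    const t = term.toLowerCase();
    return LOCATIONS.filter(r => r.name.toLowerCase().includes(t)).map(r => r.id);
  },
  ancestors(id) {
    const byId = new Map(LOCATIONS.map(r => [r.id, r]));
    const path = [];
    for (let p = byId.get(id).parentId; p != null; p = byId.get(p).parentId) path.unshift(p);
    return path;
  },
};

class LazyTree {
  constructor(api) {
    this.api = api;
    this.nodes = new Map();   // id -> { id, name, hasChildren, parentId } for loaded nodes only
    this.loaded = new Set();  // parent ids whose children have been fetched
    this.expanded = new Set();
    this.selected = new Set();
    this.loadChildren(null);  // initial view shows just the root level
  }
  loadChildren(parentId) {
    if (this.loaded.has(parentId)) return;
    for (const c of this.api.children(parentId)) this.nodes.set(c.id, { ...c, parentId });
    this.loaded.add(parentId);
  }
  expand(id) { this.loadChildren(id); this.expanded.add(id); }
  // The "+" indicator: the node has children on the server that have not been loaded yet.
  showsPlus(id) { const n = this.nodes.get(id); return n.hasChildren && !this.loaded.has(id); }
  loadedChildrenOf(id) { return [...this.nodes.values()].filter(n => n.parentId === id).map(n => n.id); }
  // Checking a node selects it and its loaded descendants only; unloaded ones are skipped.
  select(id) {
    this.selected.add(id);
    for (const child of this.loadedChildrenOf(id)) this.select(child);
  }
  // Server-side search: load and expand the path to every match so each match is visible.
  search(term) {
    const matches = this.api.search(term);
    for (const id of matches) for (const ancestor of this.api.ancestors(id)) this.expand(ancestor);
    return matches;
  }
}

const sortIds = ids => [...ids].sort((a, b) => a - b);

// Select "Global" (id 1) at three stages of expansion and record what was selected each time.
function selectionScenario() {
  const tree = new LazyTree(server);
  const stages = {};
  tree.select(1);
  stages.collapsed = sortIds(tree.selected);           // root only: nothing below it is loaded
  tree.selected.clear(); tree.expand(1); tree.select(1);
  stages.oneLevel = sortIds(tree.selected);            // root plus Europe and Americas
  tree.selected.clear(); tree.expand(2); tree.expand(5); tree.select(1);
  stages.twoLevels = sortIds(tree.selected);           // Berlin Lab Annex (7) still not loaded
  stages.unexpandedWithPlus = [...tree.nodes.keys()].filter(id => tree.showsPlus(id));
  return stages;
}

// Search from a fresh tree: every match is returned and its path to the root is loaded and expanded.
function searchScenario(term) {
  const tree = new LazyTree(server);
  const matches = sortIds(tree.search(term));
  return { matches, loadedNodes: tree.nodes.size, expanded: sortIds(tree.expanded) };
}
```

The unexpandedWithPlus result is the practical check a user needs before mapping: any node still showing "+" has descendants that a parent-level selection will not include until that node is expanded.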

Resolved Issues & UI Fixes

  • A fix was applied to the PBAC App Details page regarding the fulfillment time displayed under process steps. Previously, the fulfillment time incorrectly reflected the same date and time as the request.

  • Resolved an issue where users could not set the duration for more than three days while requesting resources (except Business Roles) in the IAM Shop, despite the Restricts Length of Access setting being set to No. This fix ensures users can select any end date for resources as expected.

  • A bug fix has been implemented to address a horizontal scroll UI issue that affected the functionality of the Role and Location Mapper and Role Mapper tabs. This issue caused the scrollbar to display extra spacing, disrupting the user experience. Additionally, the sorting of the columns was not functioning on the same page, but this issue has been resolved.

  • Resolved a UI overlap issue by fixing the alignment and position of hide/show buttons in the Business and Location. This bug was particularly noticeable when accessing the Role and Location Mapper and clicking the Map selected to new button without any selection, causing text to overlay in the classification section and an unclickable button to appear near the save button.

  • A fix has been implemented to address the issue of duplicate shopping cart icons in the Resource Admin and IAM Shop. This problem arose due to a UI issue where the app did not utilize the full available width on larger screens or when zoomed out, leading to the cart drawer opening from the far right and creating the appearance of a second cart icon. The fix ensures that the app content now takes the full width, eliminating the duplication of the cart icon when the cart drawer is opened.

  • The issue where Azure role access duration was not displayed in the IAM Shop has been fixed. Now, when an Azure role is requested with time duration, users will see this information in the manage access listing.

  • A fix has been applied to address an issue where application rights assigned to group members via ResAdmin did not appear in the IT Shop. When a user assigned the application right to a Group through PBAC Assignments → App Right Assignments, the assignment displayed correctly in ResAdmin but was missing from the IT Shop under Applications → Manage Access for the user. The expected behavior is that assigned application rights are visible to all group members in the IT Shop.

  • A bug fix has been implemented in the ConfigureApplicationAuthorizationFieldType Workflow to resolve incorrect configuration behavior for specific field types. The following field types—FreeTextRange, FreeTextSingleValue, SingleSelectAutocomplete, and SingleSelectLookupControl—are now correctly displayed in the UI.

  • Resolved an issue where the application name was missing from the cart when assigning role definitions without any field type values. This fix ensures that the application name is consistently displayed in the cart, regardless of the presence of field type values.

  • The recent update addresses an issue in the Business Request overview where the fulfillment schedule date was displayed twice. This redundant property has been removed. By streamlining the information presented, users can view a single, accurate fulfillment schedule date, improving their overall experience when managing business requests.

  • Resolved an issue where the UserPrincipalName (UPN) was not populated during provisioning through RET. Additionally, a CSS bug affecting the Start Date and End Date fields was identified, where the calendar icon was missing, preventing users from easily selecting dates. The only way to load the calendar was to click at the end of the field. This fix addresses the UPN bug and the CSS issue to ensure proper functionality.

  • Resolved an issue where the Requestable setting was not saved for multiple selections in the ManageComputerWizard. This fix addresses a specific case within the recently added Multi IAMShopSettings feature.

  • The issue with selecting a tenant when onboarding an Azure application has been resolved. Users can now successfully select a tenant from the available list, ensuring a smooth integration process. This fix enhances usability by restoring the expected functionality in the onboarding workflow for Azure applications.

  • A new fix ensures that app right friendly names are consistently reflected in process steps. This addresses an issue where changes to the AzLocalRight friendly name were not propagated to the resource friendly name, leaving outdated information in requests. The trigger has been modified to update the resource friendly name automatically whenever the AzLocalRight changes. Existing entries are not corrected; the new behavior applies to entries created from now on.
