You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Release Doc Draft





Release Date: 01/19/2024

We are pleased to announce the release of EmpowerID Version X.X.X.X, a comprehensive update with new features, enhancements, and fixes for administrators and end users. This release emphasizes the following key areas:

Google Cloud Platform Connector

We are pleased to announce the release of the Google Cloud Platform (GCP) Connector. This new connector adds GCP to the EmpowerID connector library, so organizations can manage identities in their GCP environment from EmpowerID with the same identity governance controls applied to other connected systems.

The GCP Connector offers the following features:

  • User and group management: Create, update, and delete operations.

  • Service account actions: Create, update, and delete service accounts.

  • Group membership scenarios: Handle additions, removals, ownership changes, and cross-group memberships.

  • Role changes: Flexible management of role assignments.

  • GCP guest accounts: Addition to and removal from groups.

  • Inventory Management: Support for both incremental and full inventory.

New and Enhanced Wizard Workflows

This release features new or updated wizard workflows, which streamline various aspects of Azure application management and improve onboarding procedures for individuals, groups, accounts, mailboxes, credentials, computers, and Management Roles.

Onboard Account Workflow

EmpowerID's latest update introduces the "Onboard Account" wizard workflow, designed to facilitate the manual onboarding of user accounts. It improves account creation in several key ways.

Detailed Features of the New Onboard Account Wizard Workflow:

  1. Diverse Account Creation Options:

    • Individual and Technical Accounts: Users can create accounts not only for individuals but also for technical purposes like service accounts, which are crucial for automated processes and are not associated with any individual user.

    • Suitable for Various Environments: The workflow is adaptable for various environments, including creating local user accounts on Windows or Linux servers and user accounts in directories like LDAP, Active Directory, Azure, and ServiceNow.

  2. Efficiency and User-Friendliness:

    • Streamlined Process: The wizard simplifies the onboarding process, making it more straightforward and less time-consuming.

    • Intuitive User Interface: With a focus on user experience, the workflow features an intuitive interface that guides users through each step of account creation.

  3. Capabilities for Different Scenarios:

    • The wizard can handle a range of scenarios, from creating a single account for a new user to setting up multiple accounts for different services or platforms.

    • It provides options to customize account settings based on the specific needs of the user or the technical requirements of the account.

  4. Attribute Management:

    • The workflow includes the ability to manage and assign attributes to new accounts, ensuring that all necessary information is accurately captured and associated with each account.

The process of creating new accounts for existing people has also been improved. The enhanced Onboard Account workflow offers flexibility and customization options and covers the scenarios in which a new account must be linked to an existing Person. It supports creating accounts as computer users, local users on Windows or Linux servers, and user accounts in directories such as LDAP, Active Directory, Azure, and ServiceNow. The wizard workflow now has the following capabilities:

  • Create an account and also a Person object in EmpowerID.

  • Create an account for the existing Person object in EmpowerID.

  • Create service accounts, shared technical accounts, and application identities.

  • Copy attributes such as first name, last name, company, and division from the source Person onto the new account.


Manage Credential Wizard Workflow

The new ManageCredentialWizard is a major addition to credential management. Users select one or more credentials and then choose the action to perform on them: delete the credentials, edit credential details, adjust IAM Shop settings, or modify ownership and deputy assignments. The wizard guides the user through each action from a single interface, supporting both individual and bulk operations.


ManagePersonWizard workflow (EMPOWERID-5442)

The introduction of the ManagePersonWizard provides efficient and user-friendly management of Person objects in EmpowerID. The wizard workflow now has the following capabilities:

  • Disable a person.

  • Modify and update specific attributes associated with a person.

  • Enable a previously disabled person, restoring access.

  • Initiate Leaver events for a Person leaving the organization, ensuring the configured offboarding workflows run.

  • Initiate Mover events for a Person whose role or position changes.

  • Unjoin a Person from their Core Identity.


ManageManagementRole workflow (EMPOWERID-5459)

The ManageManagementRole workflow now allows assigning and unassigning local functions. To add or remove local functions assigned to management roles, select the option to Edit Local Function Assignments in the workflow.


Person Access Summary Recertification Policy Type enhancements (EMPOWERID-5489)

There have been recent enhancements made to the Person Access Summary Recertification Policy Type, which aim to improve the security and efficiency of the access recertification process. The Person Access Summary type now supports additional data types, such as:

  • A data type that facilitates the recertification of a person's direct eligibility assignments, including pre-approval.

  • An added item data type for recertifying AzAssigneeLocalRightScopes for direct assignments.

  • An added item data type for recertifying AzAssigneeLocalRoleScopes for direct assignments.

Input of OTP code enhancements (EMPOWERID-5765)

We have resolved an issue in the OTP authentication process. Previously, logging in with a One-Time Password (OTP) code from the Microsoft Authenticator app failed when the submitted code contained spaces (for example, when a code displayed as "123 456" was entered as shown). EmpowerID now removes leading, trailing, and embedded spaces from the submitted code before validating it, so users can log in whether or not the code contains spaces.
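As an added example that is not part of EmpowerID's code, the following Python shows the input handling a fix of this kind needs: whitespace is removed from the submitted code before anything else happens, the cleaned value must then be exactly the expected number of decimal digits, and the comparison against the expected TOTP (RFC 6238 over HMAC-SHA1, the scheme authenticator apps use) is constant-time across a small time-step window. The function names are this example's own; the secret and timestamp in the demo are the RFC 4226/6238 test vectors, and replay protection (refusing a code that was already accepted) is deliberately left out.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Example code added to this release note; not EmpowerID's implementation.


def normalize_otp(code: str, digits: int = 6) -> Optional[str]:
    """Remove leading, trailing, and embedded whitespace from a submitted OTP.

    Returns the cleaned digit string, or None if what remains is not exactly
    `digits` decimal digits: "123 456" becomes "123456", while "1234S6" and a
    seven-digit string are rejected before any comparison happens.
    """
    cleaned = "".join(code.split())
    if len(cleaned) != digits or not cleaned.isdigit():
        return None
    return cleaned


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Validate a user-submitted TOTP code (RFC 6238) after normalization.

    `window` is the number of time steps of clock drift tolerated on each side
    of the current step. Every candidate is compared with hmac.compare_digest
    so response timing does not reveal how many digits matched.
    """
    cleaned = normalize_otp(submitted, digits)
    if cleaned is None:
        return False
    current = (int(time.time()) if now is None else int(now)) // step
    matched = False
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:
            continue
        # No early break: compare every candidate so timing stays uniform.
        matched |= hmac.compare_digest(hotp(secret, counter, digits), cleaned)
    return matched


if __name__ == "__main__":
    # Constructed input: the RFC 4226/6238 test secret at timestamp T=59,
    # where the expected 6-digit code is 287082.
    demo_secret = b"12345678901234567890"
    for attempt in ("287082", "287 082", " 287082 ", "28 7082", "287O82"):
        print(repr(attempt), "->", verify_totp(demo_secret, attempt, now=59))
```

Normalizing first and then enforcing the exact digit count is what keeps the relaxed input from becoming a bypass: whitespace is the only thing accepted beyond the digits, and a code that is too short or too long never reaches the HMAC comparison.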

LDAP calculation bug fixed (EMPOWERID-5771)

We have fixed a bug in the LDAP calculation performed by the dynamic hierarchy policy. Previously, when the attribute value used to build the hierarchy changed only in letter case (for example, from "dublin" to "Dublin"), the policy treated the two values as distinct and created two separate groups, causing the LDAP calculation to fail. The policy now handles case-only changes correctly, so no duplicate group is created and the calculation completes without error.

Recertification Workflow for Azure AD Role Assignments with AzAssigneeLocalRightScope (EMPOWERID-5772)

The Recertification Policy Type "AzAssigneeLocalRightScope Entries" is now complete. It recertifies people or groups that hold Azure AD roles within Azure accounts. When a role is assigned to a group, recertification is triggered for each member of the group individually, so every holder of the role is reviewed rather than the group as a whole. A new approval flow policy adds a two- or three-step approval: the first step is approval by the line manager, the second is approval by the maintained responsible party of the Azure AD role, and, for roles on a configurable list of highly privileged roles, a third step requires approval from a designated group such as CISO_APPROVAL_IIT_CENTRAL. This gives organizations a configurable and precise method for recertifying Azure AD role assignments.

Recertification Policies for Azure RBAC Roles at Subscription and Management Group Levels (EMPOWERID-5773)

In this release, we are excited to announce the completion of the Recertification Policy Type "AzAssigneeLocalRoleScope Entries" feature. This enhancement is specifically designed for recertifying individuals or groups assigned Azure RBAC roles on both subscription and management group levels for Azure accounts.

For recertification at the subscription level, the approval flow policy uses a single approval step: the maintained responsible party of the subscription reviews and approves the assignment.

For recertification at the management group level, the approval flow policy likewise uses a single step: any one member of a configurable group of approvers must approve the assignment. The single-step flows keep the recertification process short while still requiring an explicit decision from an accountable approver.

Group-to-group assignments data import bug fixed (EMPOWERID-5851, EMPOWERID-5848)

We fixed a bug in the MassUploadGroupToGroupAssignments workflow. Previously, uploading a CSV file whose header row was missing two titles caused an error that interrupted the import. Such files are now processed correctly.

Security Enhancement: Transition from SHA-512 to PBKDF2 for Password Hashing (EMPOWERID-6097)

This release addresses a medium-risk finding classified as "Use of a Broken or Risky Cryptographic Algorithm" (OWASP A02:2021 Cryptographic Failures): password hashes were computed with a single SHA-512 iteration. A single fast hash offers little resistance to offline brute-force and dictionary attacks, so an attacker who obtains the hash store (for example, after compromising the server or its database) could recover user passwords and gain unauthorized access. PBKDF2 now replaces SHA-512 for password hashing, with recommended iteration counts of 600,000 for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512, matching the minimums in the OWASP Password Storage Cheat Sheet. The added work factor makes each password guess hundreds of thousands of times more expensive for an attacker and substantially mitigates the brute-force risk.
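The following Python example, added here for illustration and not EmpowerID's own code, shows the difference between the two schemes: a single unsalted SHA-512 digest next to a salted PBKDF2-HMAC record using the iteration counts quoted above, a constant-time verification, and a login-time upgrade that rehashes a legacy SHA-512 entry once the user has proven the password (a stored hash cannot be strengthened without the plaintext). The record format `pbkdf2_<prf>$<iterations>$<salt>$<hash>` and the function names are this example's conventions, not EmpowerID's.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example code added to this release note; not EmpowerID's implementation.
# Iteration counts are the OWASP Password Storage Cheat Sheet minimums quoted
# in the release note.
ITERATIONS = {"sha256": 600_000, "sha512": 210_000}
DKLEN = 32  # derived-key length in bytes


def legacy_sha512(password: str) -> str:
    """The scheme being retired: one unsalted SHA-512 pass, stored as hex.
    Fast and unsalted, so a leaked digest is cheap to brute-force offline."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_password(password: str, prf: str = "sha256",
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_<prf>$<iterations>$<salt>$<hash>.

    Storing the PRF and iteration count with the hash lets the count be raised
    later without breaking verification of records written under the old value.
    """
    if prf not in ITERATIONS:
        raise ValueError(f"unsupported PRF: {prf}")
    salt = os.urandom(16) if salt is None else salt  # 128-bit random salt
    iterations = ITERATIONS[prf]
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, DKLEN)
    return "$".join([f"pbkdf2_{prf}", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def _parse(record: str):
    """Split a PBKDF2 record into (prf, iterations, salt, derived_key)."""
    scheme, iterations, salt_b64, dk_b64 = record.split("$")
    if not scheme.startswith("pbkdf2_"):
        raise ValueError("not a PBKDF2 record")
    return (scheme[len("pbkdf2_"):], int(iterations),
            base64.b64decode(salt_b64), base64.b64decode(dk_b64))


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the record's own parameters; constant-time compare."""
    prf, iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                                    iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True for legacy SHA-512 digests and for PBKDF2 records whose iteration
    count is below the current policy."""
    if "$" not in record:
        return True
    prf, iterations, _, _ = _parse(record)
    return prf not in ITERATIONS or iterations < ITERATIONS[prf]


def login_and_migrate(password: str, stored: str):
    """Verify `password` against whichever scheme `stored` uses.

    Returns (ok, record_to_store). A PBKDF2 hash cannot be derived from an
    existing SHA-512 digest, so legacy entries are upgraded only at a
    successful login, when the plaintext password is available.
    """
    if "$" not in stored:  # legacy hex digest
        ok = hmac.compare_digest(legacy_sha512(password), stored)
    else:
        ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        return True, hash_password(password)
    return ok, stored


if __name__ == "__main__":
    # Constructed input for the demo.
    old = legacy_sha512("hunter2")
    ok, new = login_and_migrate("hunter2", old)
    print(ok, new.split("$")[:2], "upgraded from", old[:16] + "...")
```

Two points worth checking in any deployment of this pattern: the iteration count and PRF are read from the record rather than hard-coded, so raising the policy later only triggers a rehash on the next login; and until every user has logged in once, the legacy digests remain in the store and must be protected as if they were still the only hash. PBKDF2 is the FIPS-compatible choice; where that constraint does not apply, OWASP's first recommendation is Argon2id.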

The wizard workflows added or updated in this release are summarized below by resource type.

Credential Workflows

  • Manage Credential Workflow: Update and easily modify credentials through a user-friendly wizard interface. This includes individual and bulk edit/delete options for credentials.

Management Role Workflows

  • Onboard Management Role Workflow: Navigate the creation of Management Roles with a step-by-step wizard, choosing from predefined role types and setting hierarchical relationships like the parent Management Role Definition, nesting, and IAM Shop publication.

  • Manage Management Role Workflow: Simplify Management Role administration with features like role deletion, IAM Shop settings modification, and responsible party assignment. The wizard can assist with both single and multiple operations.

Group Workflows

  • Onboard Group Workflow: We've improved the group onboarding experience with a comprehensive and intuitive wizard workflow. This feature guides users through the manual process of onboarding new groups within the system. Users can now accomplish multiple group-related tasks within the same workflow, including configuring responsible parties, owners and deputies, IAM Shop settings, and group members from a single easy-to-follow wizard interface. For more information, see Onboard Groups

  • Manage Group Workflow: Perform various group management tasks, including viewing group details, editing group attributes, deleting groups, assigning responsible persons, and managing group membership.

Azure Application Workflows

Person and Account Workflows

  • Onboard Person Workflow: Wizard workflow for onboarding people with different options (Simple, Advanced, and From Another Mode), allowing users to tailor the process to their needs. For more information, see Onboard People

  • Manage Account: The Manage Account Wizard is a new workflow designed to simplify account management by offering a guided, step-by-step process for key actions such as enabling or disabling accounts, deleting accounts, and editing account attributes. Further, it facilitates the assignment of responsible parties and enables the addition of accounts to various groups.

Updated Microservices

My Tasks


Resource Admin

In our continual pursuit to improve user experience, we are pleased to announce significant updates to the Resource Admin microservice in our latest release. This enhanced feature offers users increased control and flexibility in managing resources.

To provide a more detailed picture of the enhancements, here's what you can expect:

Easier Application Management

Application Actions Available on the Applications Resource Page

We have enhanced the Applications Resource page with a set of actions that streamline application management. These actions give users direct access to key functions from the page itself, without navigating elsewhere. The application actions now available on the Applications Resource page are:

  1. Create Azure Claims Mapping Policy

    • Action: Users can create Azure claims mapping policies, customizing identity claims for Azure AD tokens.

    • Purpose: Enhances security and compliance for Azure-integrated applications.

  2. Assign an Application Role Definition

    • Action: Assign specific role definitions within applications.

    • Purpose: Facilitates precise role-based access control within applications.

  3. Assign Application Right

    • Action: Administer rights to applications, controlling user and group access levels.

    • Purpose: Ensures secure and appropriate application access.

  4. Configure Field Types for Rights

    • Action: Define and configure field types for application rights.

    • Purpose: Increases accuracy and flexibility in rights definitions.

  5. Managing App Right and Role Settings

    • Action: Oversee and adjust application right and role settings.

    • Purpose: Simplifies management of application permissions and roles.

  6. Application Management Wizards

    • Actions:

      • Launch the Manage Application Wizard for general application management.

      • Utilize the Manage Azure Application Wizard for specific Azure application configurations.

      • Initiate Onboarding Non-Azure Applications and Onboarding Azure Applications workflows.

    • Purpose: Provides structured, user-friendly processes for managing and integrating applications.


API Permissions Page Enhancements

The API Permissions page for applications has been updated to include a new button for adding API permissions to applications. With this new button, the process of managing API permissions is more straightforward. It allows administrators to quickly and easily modify or extend the API access for applications, contributing to improved functionality and security management.


Time Constraints when Assigning Role Definitions to People

With this release, users can specify time constraints when assigning Role Definitions to people, from either the Application page or the Person page. This allows access to be granted for a defined period rather than indefinitely, giving greater control over access within applications.


Time Constraints when Adding People As Members of App Management Roles

Users can likewise specify time constraints when adding people as members of App Management Roles, from either the Application page or the Person page, so that membership can be limited to a defined period.


New Grid for Viewing and Managing Application Eligibility

Users can now view and manage eligibility for an application via the application’s overview page.


More Robust Group Management

In our latest update, we are introducing several enhancements to improve group management within Resource Admin. These updates are aimed at providing administrators with more control and flexibility when managing groups, nested group memberships, and access permissions. Here’s an overview of the new features and benefits:

Additional Membership Changes Fields

We have updated the Membership Changes grid for groups to include additional fields that provide more detailed information about changes in group memberships. New fields include the Source of Change field and the Source Assignment for Membership field. These new fields are designed to enhance the understanding and tracking of membership modifications.


Nested Group Membership Management

Users now have the capability to add, remove, and view nested group members within a group. This feature is designed to provide more detailed control over group hierarchies and membership and simplify the management of nested groups.


Eligibility Configuration on Group Overview Page

The group overview page now includes the functionality to view and configure eligibility for groups. This allows for easier management of group eligibility directly from the overview page and streamlines the process of configuring and viewing group eligibility.


RBAC Assignments for Groups

Users now have the ability to view and manage RBAC assignments for groups. This feature allows for direct management of access controls associated with different groups.


Improved Management Role Management

With this release, we are introducing updates to managing Management Roles aimed at providing a more intuitive and efficient experience for administrators and users. These enhancements include more versatile options for role membership and streamlined actions on the Management Roles Resource page. Here's a closer look at what's new:

New Management Roles as Members Tab

Users now have the ability to view and manage the Management Role membership of a given Management Role.


Enhanced Membership Options for Management Roles

Users can now add groups, SetGroups, and Business Role and Location Combinations as “Other Types of Management Role members.” This enhancement allows for more versatile and comprehensive role configurations, catering to complex organizational structures and access needs.


New Direct Access Granted Tab

Users can now view, add, and remove the direct access assignments of a target Management Role.


The tab includes an ‘Add New Access Assignment’ button, which initiates the ‘Grant Actor Access’ workflow. The workflow guides users through the process of selecting the type of access and the resources for which to grant access to the Management Role.


New Total Access Granted Tab

Users can now view the total access granted to a Management Role by accessing this tab. The tab displays all the access rights that have been granted to a particular Management Role. It includes detailed information on the types of access, the specific resources involved, and the scope of each access right.


Management Roles Granted as Access Tab

Users can now assign additional Management Roles to an existing Management Role. Members of the primary Management Role then automatically gain the access rights and privileges of every role assigned to it, so these nested assignments should be included when reviewing what a role actually grants.


Management Role Actions Available on the Management Roles Resource Page

We have updated the Management Roles Resource page with new actions to simplify managing Management Roles by providing easier access to key functionalities. Below is an overview of the new actions available:

  1. Manage Management Role Wizard:

    • Functionality: A new action to launch the Manage Management Role Wizard has been added. This wizard is tailored to make the configuring and updating of Management Roles more straightforward.

    • Purpose: The wizard guides users through each step of managing Management Roles, making the process more user-friendly and efficient.

  2. Onboard Management Role Workflows:

    • Functionality: The page now includes an action for initiating the Onboard Management Role workflow.

    • Purpose: This workflow provides a structured method for setting up new Management Roles, ensuring a consistent and efficient onboarding process.


IAM Shop

The IAM Shop has been updated to enhance functionality and user experience, refining the process of requesting IT resources and simplifying user interactions. Here’s an overview of what’s new in the IAM Shop:

EmpowerID Announcements

EmpowerID has rolled out a new feature, "Announcement," to keep users informed of essential and timely information about the product. Announcements appear as notifications across all EmpowerID applications, so users do not miss significant updates.

Key aspects of the Announcement feature include:

  1. Creation of Customized Messages:

    • Administrators can craft tailored announcements for EmpowerID application users, with a specific title and detailed content.

  2. Scheduling and Timing Control:

    • Administrators can schedule announcements and set the period during which they are visible.

  3. User Acknowledgment Option:

    • Administrators can require users to acknowledge an announcement, which is useful for critical updates.

  4. One-Time Message Capability:

    • For less critical information, administrators can opt for one-time messages that do not require user acknowledgment.

Enhanced User Shopping Experience

New Activate Feature in the Request / Manage Access Screen

We have introduced an "Activate" button in the IAM shop, specifically on the Request / Manage Access screen. This feature is designed to facilitate a more efficient process for users who have pre-approval for certain roles and rights.

Features of the Activate Button:

  1. Immediate Access Activation:

    • Users with pre-approval for AzLocalRoles, AzLocalRights, or management roles can now instantly activate their access by simply clicking the "Activate" button next to the desired role. This action immediately adds the user to the selected role.

  2. Extended to BusinessRole, Mailbox, and Shared Folder Screens:

    • BusinessRole Screen: On selecting a role and its corresponding locations, the "Activate" button will dynamically appear for pre-approved locations, replacing the traditional "Add to Cart" option. This streamlines the process of activating Business Roles.

    • Mailbox Screen: Users can activate access levels for mailboxes that are pre-approved and not yet assigned. This simplification aids in quicker activation of mailbox access.

    • Shared Folder Screen: Similarly, for shared folders, users can activate access levels if the folders are pre-approved.

Operational Impact:

  • Streamlined Process: The "Activate" feature reduces the number of steps required to gain access, making the process faster and more user-friendly.

  • Enhanced Efficiency: It eliminates the need to navigate through multiple steps traditionally involved in requesting and approving access.

  • Consistency and Clarity: This feature provides a clear and straightforward path for users with pre-approved access, enhancing their experience in the IAM shop.


Enhanced Azure Roles Visibility in Request and Manage Access

An enhancement has been made to the AzureRoles in both Request Access and Manage Access functionalities, providing users with a more detailed view. With this update, users can now access information about functions and their respective owners, which offers a comprehensive overview of AzureRoles.

Shopping for Lookup - Manager-Specific Visibility Restriction

The IAM Shop's shopping-for-others and lookup features can now be restricted so that a manager sees only their own subordinates when searching for another person to shop for, keeping the results limited to the people relevant to them. This visibility restriction is configured separately from the global visibility policies, using a dedicated Visibility data filter with its own independent mode.

Shop Reference Person Access

A new feature, "Shopping By Reference Person," has been added to the IAM Shop to streamline the process of requesting access for new hires or employees in similar roles. This feature allows for the replication of access and rights from an existing employee's profile to a new one, making the process more straightforward.

Functionality Details:

  1. Use Case:

    • Useful in scenarios where a new employee shares a business role and location with an existing employee.

  2. Access Replication Process:

    • By selecting "Show Reference Person Access," the IAM Shop displays the current access of a chosen reference person. This can then be mirrored for the new individual.

  3. Supported Access Types:

    • The feature can be used to request:

      • Credentials: Assign similar credentials as the reference person.

      • Azure Roles and Licenses: Allocate appropriate Azure roles and licenses.

      • Applications: Provide access to necessary applications.

Operational Benefits:

  • Efficiency: Reduces the time and effort needed for provisioning access for new or transitioning employees.

  • Consistency: Helps maintain uniformity in permissions for employees in similar roles.

  • User Experience: Offers a more straightforward approach to access provisioning, minimizing the potential for errors.


Additional Improvements

Enhanced PSM Support

Added Support for Telnet Sessions to Cisco Devices

EmpowerID Privileged Session Management (PSM) now supports Telnet sessions to Cisco devices, extending PSM session connectivity to network equipment that is managed over Telnet. Because Telnet itself carries credentials and session content unencrypted, the network path between the PSM host and such devices should be restricted accordingly.

Added Support for VNC Protocol

The Privileged Session Management (PSM) tool has been updated to include support for the Virtual Network Computing (VNC) protocol. This means that users can now easily select the VNC protocol during the computer onboarding process and initiate PSM sessions with computers that use the VNC protocol.

New Feature for Key Logging

A new keylogging option gives detailed visibility into privileged sessions by capturing keystrokes during a session for audit purposes. The feature is designed with privacy in mind: sensitive user data and credentials are not logged.

Encrypted PSM Recordings

All PSM session recordings are now encrypted by default for enhanced security. Additionally, to maintain strict control over who can access the recorded content, explicit authorization is required for the playback of these recordings. Users have the option to encrypt specific recordings with a non-default key, which will ensure that they are not only secure when at rest but also watchable only if authorized.

UI Enhancements for Microservices

We've implemented several UI enhancements across our microservices, aiming to elevate the overall user experience. These improvements include more intuitive layouts optimized for ease of use and efficiency. Users will notice cleaner interfaces with better-organized elements, ensuring quicker access to necessary features. Among these improvements is the introduction of flyout menus. When users hover their mouse over menu items, they will now see an expanded flyout, providing immediate access to additional options and features. The updates are designed to make interactions with our microservices more seamless and visually appealing, reflecting our commitment to providing a user-centric platform.


Resolved Issues

Improved Session Management in IAM Shop

We have addressed the issue of frequent session timeouts that users experienced in the IAM Shop, particularly during cart-related activities. Previously, users encountered interruptions while adding or editing items in the cart or during the cart submission process. This update ensures a smoother, uninterrupted experience in the IAM Shop, enhancing user efficiency and convenience.

Resolution of Invalid Logout Request Error in EmpowerID

The problem of 'invalid logout request' errors in EmpowerID has been successfully resolved. This issue primarily occurred when users had multiple tabs of EmpowerID open and left the system idle for a certain period. With this fix, users can expect more stable sessions, especially in multi-tab usage scenarios, reducing interruptions and improving the overall user experience in EmpowerID.
