You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Release Notes 7.207.0.0


New Features

  • Introduced two new workflows that simplify the process of onboarding and managing credentials.

    • Introduced the Onboard Credential Workflow, which lets you create credentials through a wizard interface. The wizard generates various types of credentials, including Default, Azure Application Secret, Azure Application Certificate, Domain Admin, Domain User, and Local Admin, and also lets you configure SSH-based credentials.


    • Implemented the Manage Credential Workflow, which offers a wizard interface for modifying and updating credentials. Users can edit and delete individual credentials as well as perform bulk edits and deletions.

  • Added additional workflows to optimize the handling of management roles within the system.

    • Implemented the Onboard Management Role workflow, which guides users through a step-by-step wizard: they select the desired role type from a predefined list and establish hierarchical relationships by choosing a parent role definition. Additionally, users can opt to publish their newly created roles to the IAM Shop.

    • Introduced the Manage Management Role wizard workflow to simplify the administration of management roles within the system. It allows administrators to perform actions such as deleting roles, editing IAM Shop settings for specific roles, and assigning responsible parties. The wizard supports both single and bulk operations.

  • Onboarding and managing groups can now be done with self-service wizards. Detailed documentation on managing groups is available in Manage Groups.

    • Added Onboard Group Workflow that provides step-by-step instructions for adding and configuring groups, including the basic information, responsible party, owners and deputies, group IAM shop settings, and group members. This feature aims to simplify the process of setting up groups and managing their settings efficiently.

    • Implemented the Manage Group Workflow, which supports group management operations and common actions. The wizard supports viewing group details, editing group attributes, deleting a group, assigning a responsible person, publishing a group into the IT shop, and other group management features. It also offers common actions such as adding accounts to the group and removing accounts from the group.


  • With EmpowerID, you can efficiently manage the entire application lifecycle, from onboarding to user assignment, app role management, application modification, deletion, access management, and more. We are continuously adding new features and workflows so that managing Azure apps is easy and user-friendly.

    • Introduced a new wizard workflow, "UpdateAzureAppAPIPermissions," enabling seamless API permissions management for Azure applications within EmpowerID. If your organization integrates applications with Azure Active Directory (AD), you can now use EmpowerID to manage and update the delegated and application permissions granted to these applications. Detailed instructions are in Update API Permissions of Azure Applications.

    • The Manage Azure Application wizard workflow helps users to efficiently manage their Azure applications, including basic information, owners and deputies, IAM Shop settings, and other sub-components.

    • Introduced the Manage Azure AppRole Wizard workflow, which is designed specifically for managing Azure Application AppRoles. With this workflow, administrators can easily edit owners, modify IAM Shop settings, perform delete actions, and execute edit actions for Azure Application AppRoles.

  • Performing tasks related to single or multiple user accounts has been made easier with the Manage Account Wizard workflow. This workflow guides users through a step-by-step process that offers actions and operations such as enabling, disabling, deleting, and editing user account attributes. Additionally, users can assign responsible parties and add accounts to groups using this wizard.

  • Implemented various new and extended existing features for mailbox management.

    • Added the new Manage Mailbox Wizard, which provides efficient management capabilities for mailboxes. It enables users to edit mailbox settings, including name, features, regional configuration, owner, and advanced settings. Users can also manage email forwarding, policies, and quota restrictions.

    • EID can now manage and automatically sync the audit settings of Exchange mailboxes. The EID workflow periodically retrieves the audit settings from the Exchange mailbox, ideally once a day. If the retrieved settings differ from the current values in EID, EID updates and overwrites the attribute values with the values from the Microsoft Exchange Online audit settings. Currently, the workflow can manage and sync the following EXO attributes:

      • AuditAdmin

      • AuditDelegate

      • AuditEnabled

      • AuditLogAgeLimit

      • AuditOwner
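The reconciliation described above (read the five attributes from EXO, compare with EID's copy, overwrite where they differ) as an added example; this is not EmpowerID's workflow code. The attribute names are the ones listed above; the value formats (an EXO timespan string for AuditLogAgeLimit, action lists for the multi-valued attributes), the skip-if-absent rule and the sample records are constructed assumptions.

```python
"""Reconcile Exchange Online (EXO) mailbox audit settings into EID's stored copy.

Added example, not EmpowerID's own workflow. Value formats and sample data are assumptions.
"""

# The EXO attributes the release notes say are kept in sync.
AUDIT_ATTRIBUTES = ("AuditAdmin", "AuditDelegate", "AuditEnabled", "AuditLogAgeLimit", "AuditOwner")
MULTI_VALUED = ("AuditAdmin", "AuditDelegate", "AuditOwner")


def _age_limit_days(value):
    """AuditLogAgeLimit may arrive as an int (days) or an EXO timespan string such as '90.00:00:00'."""
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return int(value)
    return int(str(value).split(".", 1)[0])


def _normalize(name, value):
    """Canonical form so that equivalent values compare equal regardless of order or case."""
    if name in MULTI_VALUED:
        return frozenset(str(v).strip().lower() for v in (value or ()))
    if name == "AuditEnabled":
        return value is not None and bool(value)
    if name == "AuditLogAgeLimit":
        return _age_limit_days(value)
    return value


def compute_updates(stored, retrieved):
    """Return {attribute: new_value} for every audit attribute where EXO differs from EID.

    Attributes missing from the retrieval are skipped rather than blanked, so a partial
    read never wipes stored settings (assumption: this is the safe default).
    """
    updates = {}
    for name in AUDIT_ATTRIBUTES:
        if name not in retrieved:
            continue
        if _normalize(name, stored.get(name)) != _normalize(name, retrieved[name]):
            updates[name] = retrieved[name]
    return updates


def sync_mailbox_audit(stored, retrieved):
    """Apply the updates and return the new stored record (EXO is authoritative)."""
    merged = dict(stored)
    merged.update(compute_updates(stored, retrieved))
    return merged


# Constructed sample: what EID holds versus what a daily read from EXO returned.
STORED_IN_EID = {
    "AuditEnabled": True, "AuditLogAgeLimit": 90,
    "AuditAdmin": ["Update", "Move", "SoftDelete"],
    "AuditDelegate": ["Update", "SoftDelete"],
    "AuditOwner": ["Update"],
}
RETRIEVED_FROM_EXO = {
    "AuditEnabled": True, "AuditLogAgeLimit": "180.00:00:00",
    "AuditAdmin": ["SoftDelete", "Move", "Update", "HardDelete"],
    "AuditDelegate": ["SoftDelete", "Update"],   # same set, different order: no update
    "AuditOwner": ["Update"],
}

if __name__ == "__main__":
    for attr, value in compute_updates(STORED_IN_EID, RETRIEVED_FROM_EXO).items():
        print(f"{attr}: {STORED_IN_EID[attr]!r} -> {value!r}")
```

Running the sample reports only AuditLogAgeLimit and AuditAdmin as changed; AuditDelegate is not touched because order differences are not real drift. Comparing on normalized values keeps the daily job from rewriting attributes, and therefore firing change events, when nothing actually changed.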

  • Implemented the On Board Person wizard workflow for onboarding people, with different options for the onboarding process. The workflow supports creating a person in three modes:

    • Create Person Simple Mode – This option allows non-technical users to initiate creating a new person, requiring minimal information to be supplied, such as the new person's First Name, Last Name, and primary Business Role and Location.

    • Create Person Advanced Mode – This option requires more information and provides more configuration options, such as assigning the new person to one or more Management Roles and groups.

    • Create Person From Another Mode – This option allows you to create a person using another person as a template for the new person. The amount of information that should be cloned is set via workflow properties.

  • The Login Assistance Self-Service Wizard workflow is introduced to help users resolve their login issues independently by verifying their own identity without the help of IT support. If you have problems with MFA or other identity verification, you can even ask other authenticated users to vouch for your identity. This self-service wizard is accessible from the EmpowerID login screen.



    The wizard can:

    • Reset and unlock Person and Account passwords.

    • Send Azure Temporary Access Pass (TAP).

    • Reset Azure MFA by unblocking/unenrolling.

    • Reset EID MFA by unblocking/unenrolling and deleting all associated MFA assets and preferences.

  • Added the Onboard Computer Wizard workflow for onboarding computers, with options for publishing the computer in the IAM Shop, configuring eligibility for the computer (when published in the IAM Shop), configuring Access Request settings that control the approval flow for the computer, enabling Privileged Session Management (PSM), and linking PSM credentials to the computer.


  • EmpowerID now supports rehire via the advanced leaver feature, which is useful when a person rejoins the organization after previously leaving it. "Rehire" refers to restoring a once-deleted person object and its access provisions when certain criteria are met. The rehire workflows automatically restore the person, re-apply attribute flow for all accounts, and create a restoration task that can be approved manually.

  • Introduced the ability to trigger FlowEvents for new people within our system. This functionality automates the execution of relevant events during onboarding, improving efficiency and reducing manual effort.

    • To provide flexibility and control, a new setting for the trigger called "FlowEventsActive" has been added to the resource system. We recommend enabling this setting after completing the initial bulk-loading process so that the system doesn’t get overloaded with the firing of the events.

    • The flow events currently support the following actions:

      • Enable and disable a person

      • Hide and unhide Mailbox in GAL

      • Recertify person Access

      • Remove group membership

      • Set-Mailbox Out of Office

  • In this release, we are introducing a significant enhancement to the group account membership management in Azure AD. We are transitioning to a new queue-based model, which offers improved efficiency and reliability when handling group account memberships.

  • Introduced the Onboard Person Workflow wizard, which allows for onboarding both person and non-person technical user accounts. This process provides a range of options for the account, including the creation of new accounts, the association of individuals with those accounts, the establishment of secure vaulted credentials, the management of owners and deputies, the definition of eligibility criteria, the setting of access request policies, the linking of accounts to computers for Privileged Session Management (PSM), and the assignment of identities for app pools and Windows services.

  • The Manage Your Identity Wizard workflow provides a wizard interface to access various identity management tasks from a single form, enhancing the overall user experience. Key options provided by the interface are:

    • Delete MFA devices

    • Enroll for a Q&A password reset

    • Change passwords

    • Edit profiles

    • Register MFA authenticators


  • Added time-based escalation to the recertification feature for roles, providing more flexibility and control in the review process for Business Roles. For example, after a review has been pending for a month, an escalation request is automatically sent to the Digital Access Governance Manager, prompting their attention and intervention on the pending review. If no action is taken within six months of the initial review request, the system automatically removes the business role from the IAM solution and proceeds with deprovisioning the related accesses. Administrators can now configure the following settings to define the timing and actions for notifications and escalations.

    • Notify after X Days: Administrators can set the number of days after which a notification should be sent to stakeholders involved in the review process. This ensures timely reminders for pending reviews.

    • Renotify Every X Days: This setting allows administrators to specify the interval at which reminder notifications should be sent after the initial notification. It helps to ensure that stakeholders stay informed and are prompted to take action.

    • Escalate After X Days: Administrators can determine the duration after which an escalation request should be triggered if no action has been taken on a pending review. After the specified number of days, the review request is automatically escalated to higher-level approvers or decision-makers.

    • Escalation Decision/Action: Administrators have the option to specify a decision or action that should be taken when an escalation occurs. This can involve calling a workflow or executing a predefined set of steps to address the pending review effectively.
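The four settings above define a schedule, so here is an added example of the timing logic they imply, run as a daily job over a pending review. It is not EmpowerID's implementation: the EscalationPolicy field names, the assumption that reminders continue after escalation, the escalation action label and the sample policy (notify after 7 days, renotify every 7, escalate after 30) are all mine.

```python
"""Timing logic for recertification reminders and time-based escalation.

Added example, not EmpowerID's code. Field names, the keep-reminding-after-escalation
rule and the sample policy are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class EscalationPolicy:
    notify_after_days: int      # "Notify after X Days"
    renotify_every_days: int    # "Renotify Every X Days"
    escalate_after_days: int    # "Escalate After X Days"
    escalation_action: str      # "Escalation Decision/Action", e.g. a workflow to call


@dataclass
class ReviewState:
    requested_on: date
    last_notified_on: Optional[date] = None
    escalated: bool = False


def due_actions(policy, state, today):
    """Actions due for a still-pending review on `today`; does not mutate state."""
    age = (today - state.requested_on).days
    actions = []
    if age >= policy.escalate_after_days and not state.escalated:
        actions.append(("escalate", policy.escalation_action))
    if age >= policy.notify_after_days:
        if state.last_notified_on is None:
            actions.append(("notify", None))
        elif (today - state.last_notified_on).days >= policy.renotify_every_days:
            actions.append(("renotify", None))
    return actions


def run_daily(policy, state, today):
    """What one run of the daily job does: apply the due actions and record them in state."""
    actions = due_actions(policy, state, today)
    for kind, _ in actions:
        if kind == "escalate":
            state.escalated = True   # escalate once; the action itself is left to the caller
        else:
            state.last_notified_on = today
    return actions


def simulate(policy, requested_on, horizon_days):
    """Run the daily job for horizon_days and return [(day_offset, action_kind), ...]."""
    state = ReviewState(requested_on)
    timeline = []
    for offset in range(horizon_days + 1):
        for kind, _ in run_daily(policy, state, requested_on + timedelta(days=offset)):
            timeline.append((offset, kind))
    return timeline


# Constructed sample policy: remind weekly, escalate after a month.
SAMPLE_POLICY = EscalationPolicy(7, 7, 30, "EscalateToDigitalAccessGovernanceManager")

if __name__ == "__main__":
    for offset, kind in simulate(SAMPLE_POLICY, date(2024, 1, 1), 40):
        print(f"day {offset:>3}: {kind}")
```

Over a 40-day horizon the sample produces the first notification on day 7, reminders on days 14, 21, 28 and 35, and a single escalation on day 30. Keeping the escalation idempotent (the `escalated` flag) matters: a daily job that re-escalates on every run after day 30 would flood the escalation target.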

  • This release has added the ability for administrators to configure relative delegation for Locations within their organization. This feature enables administrators to delegate visibility and responsibility to business locations at the organization level relative to the user. Previously, our system supported delegation options such as "my locations" and "below/above" for specific users. However, we recognized that there was a need for more flexibility in configuring delegations for visibility, assignment, and other purposes for all the locations within and below a person's organization. With this new release, we have addressed this limitation and enhanced the delegation capabilities for administrators.

Resource Admin

  • Added new listing and details views in the resource admin view so that users have better visibility of access and rights. By navigating to the Resource Admin Micro Service's Applications, selecting any application will display the new features on the left pane.

    • App Management Role Details: Added details view for the management roles for an application that provides users with better visibility of a management role within a selected application context.

    • Claims Mapping Policies: Added listing of all claims mapping policies and details of the policies for the selected application context.

    • RoleDefinitions: The user can easily view the list of RoleDefinitions, assignments, and their details in ResAdmin from a specific ApplicationContext.

    • AppRights: Users can easily view the list of AppRights in ResAdmin and the details of the app rights from a specific ApplicationContext. Users can also view the list of the people they are allowed to see along with their AppRight membership details.

    • PBAC: Users can easily view the PBAC definitions for a selected application.

  • Users can now view additional details on their screens to enhance the visibility of data related to management roles.

    • The AccessGranted tab has been added to the ManagementRoles section, allowing users to easily view the access granted to a management role from its details page.

    • The Eligibility tab has been added to the ManagementRoles section. This allows users to access and view the eligibility status of the management role directly from the details page.

  • Implemented UpdateAzAppClaimsMappingPolicyAssignments workflow to assign one or multiple Azure applications to a selected Claims Mapping Policy. In addition, this workflow can also remove previously assigned Azure applications from a specific Claims Mapping Policy. This workflow simplifies the administration experience and empowers Resource Administrators in effectively managing Azure application assignments within Claims Mapping Policies.

  • Added features to enable management of Windows shared folders from Resource Admin.

  • Within the Resource Admin interface, users can now easily access and manage mailboxes. The resource admin can efficiently assign individuals to designated mailboxes, modify mailbox permissions, and execute other mailbox management tasks.

IAM Shop

  • The Privileged Session Management (PSM) of EID now supports Telnet sessions, making it compatible with a wide range of computer operating systems. Whether you are using Linux, Windows, macOS, or any other Telnet-capable system, this feature ensures PSM session connectivity and communication with various devices.

  • Added PSM session monitoring functionality to our platform. This feature enables users to easily track and monitor the status of the PSM application, encoder, and uploader. With real-time monitoring, users can ensure optimal performance, identify potential issues, and take proactive measures to maintain a seamless user experience.

  • Made various improvements in the PSM workflow to make it more efficient, secure, and resilient. The PSM workflow now works in the following way:

    • Check whether the computer has the property "UseExistingAccountIfPresent".
      a. If it exists, proceed to the next step.
      b. If it doesn't exist, look it up in the "AccessRequestPolicy".

    • If "UseExistingAccountIfPresent" is true, search for the person's user account in the local computer's account store and in the AD (Active Directory) account store.
      a. If both accounts are found (which is rare), select the account associated with the "JITLocalAdminGroupID" property.
      b. Find the personal credential linked to the selected user account's account store. The credential is identified by the "AccountGUID" column of the external credential table.
      c. If the personal credential is not found, create a temporary account (e.g., AD domain, local Windows, Azure AD) in the account store associated with the group specified in the "JITLocalAdminGroupID" property. These accounts are considered orphan accounts.
         • After the PSM session ends, delete the created account according to the "JITDeletePSMAccount" setting. The group membership is only removed after the PSM session ends.
         • The next time PSM is used, the same previously created credential is reused.
      d. If the personal credential is found, add the "JITLocalAdminGroupID" group to the account in the external credential store (ExternalCred).
         • After the PSM session ends, remove the group from the account but do not delete the account itself.

    • If "UseExistingAccountIfPresent" is false, create a temporary account (e.g., AD domain, local Windows, Azure AD) in the account store associated with the group specified in the "JITLocalAdminGroupID" property. These accounts are considered orphan accounts.
      a. After the PSM session ends, delete the created account. In this scenario, the "JITDeletePSMAccount" setting is not checked.
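The account-selection steps above form a small decision procedure, so here is an added example that models them end to end; it is not EmpowerID's own workflow code. The property names (UseExistingAccountIfPresent, JITLocalAdminGroupID, JITDeletePSMAccount, AccessRequestPolicy, AccountGUID) come from the steps; the record layout, the LocalStore/ADStore fields, the interpretation of "the account associated with JITLocalAdminGroupID" as the account in the JIT group's own store, and the sample environment are assumptions.

```python
"""Decision logic for which account a PSM session runs under.

Added example, not EmpowerID's workflow code. Record layout, store fields, the tie-break
between two found accounts and the sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    guid: str         # matches the AccountGUID column of the external credential table
    store: str        # account store the account lives in
    person_id: str


@dataclass(frozen=True)
class SessionPlan:
    account_guid: Optional[str]     # existing account to use, or None if one must be created
    create_in_store: Optional[str]  # store for the temporary (orphan) account, if any
    delete_after_session: bool      # JIT group membership is removed afterwards in every case
    reason: str


def use_existing_account(computer, policy):
    """Step 1: the computer's own property wins; otherwise look in the AccessRequestPolicy."""
    if "UseExistingAccountIfPresent" in computer:
        return bool(computer["UseExistingAccountIfPresent"])
    return bool(policy.get("UseExistingAccountIfPresent", False))


def plan_psm_session(person_id, computer, policy, accounts, external_credentials, groups):
    group_store = groups[computer["JITLocalAdminGroupID"]]   # store that owns the JIT admin group
    if not use_existing_account(computer, policy):
        # Property false: always a throw-away orphan account, deleted unconditionally;
        # JITDeletePSMAccount is not consulted on this path.
        return SessionPlan(None, group_store, True, "property false: temporary account")
    # Property true: the person's account in the computer's local store or the AD store
    found = [a for a in accounts
             if a.person_id == person_id
             and a.store in (computer["LocalStore"], computer["ADStore"])]
    if len(found) > 1:
        # Both found (rare): prefer the account in the store associated with the JIT group
        found = [a for a in found if a.store == group_store] or found[:1]
    if found and found[0].guid in external_credentials:
        # Personal credential exists: add the JIT group, remove it afterwards, keep the account
        return SessionPlan(found[0].guid, None, False, "existing account with personal credential")
    # No personal credential: temporary orphan account; deletion governed by JITDeletePSMAccount
    return SessionPlan(None, group_store, bool(computer.get("JITDeletePSMAccount", False)),
                       "no personal credential: temporary account")


# Constructed sample environment
COMPUTER = {"LocalStore": "LOCAL:SRV01", "ADStore": "AD:corp.example",
            "JITLocalAdminGroupID": "G-SRV01-JIT-ADMINS", "JITDeletePSMAccount": True,
            "UseExistingAccountIfPresent": True}
POLICY = {"UseExistingAccountIfPresent": False}          # fallback when the computer lacks the property
GROUPS = {"G-SRV01-JIT-ADMINS": "LOCAL:SRV01"}            # JIT group -> account store
ACCOUNTS = [Account("acct-ad-alice", "AD:corp.example", "alice"),
            Account("acct-local-alice", "LOCAL:SRV01", "alice"),
            Account("acct-ad-bob", "AD:corp.example", "bob")]
EXTERNAL_CREDENTIALS = {"acct-local-alice"}               # AccountGUIDs with a vaulted personal credential

if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, plan_psm_session(who, COMPUTER, POLICY, ACCOUNTS, EXTERNAL_CREDENTIALS, GROUPS))
```

In the sample, alice has accounts in both stores and a vaulted credential for the local one, so her session reuses acct-local-alice and only the JIT group membership is cleaned up afterwards; bob has no personal credential, so a temporary account is created in the JIT group's store and, because JITDeletePSMAccount is set, deleted when the session ends. The `reason` field is worth keeping in a real implementation: it is what an auditor needs to see in the session record to understand why an orphan account appeared.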

  • Updated the manage access tab in the application context of the IAM shop to include more details regarding App Rights, App Management Roles, and Role Definitions.


Bug Fixes & Improvements

  • Fixed a bug in the general search of the Function Access report to support searching by Function FriendlyName. Previously, users were shown no results while searching from the function’s friendly name.

  • Implemented missing functionality in My Requests to filter My/All Requests by Request Status changed Dates.

  • Implemented missing functionality in PSM MFA authentication to recognize SMS authentication properly. Previously, although a contact number was registered for SMS delivery of the MFA verification code and was functioning correctly, the PSM WF (IAM Shop) prompted the user to select the verification option and then enter the contact number again, so the PSM WF appeared not to recognize the registered authentication method.

  • Made improvements to the "Owned by" filter in the IAM Shop group context to enhance its usability. If a user doesn't have access to the filter, the default value is now "Myself"; if they do have access, the default value is "Anybody".

  • The date filter labeled Request Status Changed Dates in the My Tasks now enforces the validation that the start date cannot be greater than the end date. This ensures that the filtering functionality works correctly and provides accurate results.

  • Enhanced the session management capabilities of the UI for the case where the workflow screen times out and displays the EmpowerID login page. Previously, the UI only handled the userSignedOut event; it now also includes handlers for the userUnloaded event to manage session timeout effectively.

  • Made fixes in PSM:

    • Fixed an issue with PSM video recordings where the length was off by a few seconds. Now, the timestamps accurately reflect the correct recording duration.

    • To provide a seamless and enhanced video playback experience, we have updated our video player library.

  • Previously, users reported experiencing intermittent loss of the CTRL key functionality, where it would become unresponsive and fail to trigger associated key combinations. This issue has been solved, and users should no longer experience the CTRL key loss.
