You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Release Notes Version 7.208.0.0


Please be aware that the notes provided below are pre-release. They may not encompass all features included in build 7.208.0.0 as the documentation is still being updated. We appreciate your understanding and patience as we work to provide thorough and accurate information on all the new and enhanced features of this build.

We are pleased to announce the release of EmpowerID Version 7.208.0.0, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:

Azure AD B2C SCIM Connector

We have expanded our connector library to include the Azure AD B2C SCIM Connector. This new connector optimizes Azure AD B2C identity management via EmpowerID, providing seamless integration with Azure Active Directory B2C (Azure AD B2C) and delivering significant benefits for IT administrators. This feature update streamlines user management by automating user provisioning and deprovisioning processes in Azure AD B2C, reducing manual intervention and potential errors.

The SCIM connector supports real-time synchronization of user data between EmpowerID and Azure AD B2C, ensuring consistent and up-to-date information across both platforms. This enhancement contributes to a more secure environment and a better user experience for customers.

The SCIM connector offers flexible configuration options for IT administrators, allowing customization tailored to an organization's specific requirements. By leveraging this SCIM connector integration, admins can more effectively manage customer identities, enhance security, and provide a seamless experience across EmpowerID and Azure AD B2C platforms.

No Code Flows

In this latest release, we're excited to introduce a new feature known as No Code Flows, also referred to as Business Request Flows. This feature is designed to streamline the orchestration of business processes in response to specific events, such as a person leaving the organization (Person Leaver event). The main advantage of No Code Flows lies in its ability to empower administrators to create and execute workflows efficiently in response to various scenarios, all without the need to write a single line of code.

Key Components of No Code Flows

Flow Definitions

Flow Definitions act as containers for sequential tasks or actions called Flow Items. They define the sequence of actions that will be executed when specific events occur. For example, a Flow Definition might outline the steps to take when a person leaves the organization (Person Leaver event).

Flow Definitions Library

Flow Items

Flow Items represent individual tasks or actions within a Flow Definition. Each Flow Item has parameters such as Item Type Action (the task to be performed), Item Scope Type (where the task is to be executed), and an Item Collection Query (an SQL query that identifies the resources impacted by the task). These parameters help determine how the action will be carried out and which resources it will affect.

Flow Items Library

Flow Events

Flow Events serve as triggers that initiate the actions defined by the Flow Items in a Flow Definition. Examples of Flow Events include a new mailbox being discovered (Mailbox Discovered event) or a person leaving the organization (Person Leaver event). When a Flow Event occurs, the corresponding Flow Definition is activated, and the system executes the specified sequence of Flow Items.

Flow Events Library

Flow Policies

Flow Policies dictate which Flow Definitions should be activated in response to specific Flow Events. They connect the events with the appropriate actions, ensuring that the correct sequence of tasks is executed for each scenario. Administrators can configure multiple policies for the same event, allowing for tailored responses to different situations (e.g., internal vs. external leavers).

Process Overview

In response to a specific event (a Flow Event), the system triggers a series of actions (contained in a Flow Definition) based on the rules defined (Flow Policies). These actions (Flow Items) consist of precise tasks, each characterized by parameters like Item Type Action (task), Item Scope Type (target), and Item Collection Query (SQL query to fetch relevant data). This entire process ensures that every action is performed in the right order, at the right time, for every event – all without writing a single line of code.
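As an added illustration (constructed example, not EmpowerID code), the following model runs the pipeline just described end to end: a PersonLeaver event is matched by Flow Policies to Flow Definitions, and each Flow Item runs its Item Collection Query to find the resources its Item Type Action applies to. The table names, actions and the "internal vs. external leaver" policy conditions are assumptions.

```python
"""Toy model of a No Code Flow: Flow Event -> Flow Policies -> Flow Definition
-> ordered Flow Items, each with an Item Type Action, an Item Scope Type and
an Item Collection Query (SQL). Constructed example, not EmpowerID code."""
import sqlite3
from dataclasses import dataclass


@dataclass
class FlowItem:
    order: int
    item_type_action: str        # the task to perform, e.g. "DisableAccount"
    item_scope_type: str         # where the task executes, e.g. "Account"
    item_collection_query: str   # SQL selecting the impacted resources (:pid bound)


@dataclass
class FlowDefinition:
    name: str
    items: list                  # FlowItems, executed in ascending order


@dataclass
class FlowPolicy:
    event_type: str
    condition: str               # SQL predicate over the event's person row
    definition: FlowDefinition


def apply_action(conn, item, resource_id):
    # Minimal effects so later items observe earlier ones (constructed).
    if item.item_type_action == "DisableAccount":
        conn.execute("UPDATE accounts SET Disabled = 1 WHERE AccountID = ?", (resource_id,))
    elif item.item_type_action == "RemoveGroupMembership":
        conn.execute("DELETE FROM memberships WHERE MembershipID = ?", (resource_id,))
    elif item.item_type_action == "NotifyManager":
        pass  # a real engine would enqueue a notification here


def run_event(conn, policies, event_type, person_id):
    """Activate every definition whose policy matches the event, then run its
    items in order. Returns the (action, scope, resource_id) tuples executed."""
    executed = []
    for pol in policies:
        if pol.event_type != event_type:
            continue
        # Policy conditions and collection queries are administrator-authored
        # configuration (never end-user input), so they are embedded as SQL.
        match = conn.execute(
            f"SELECT 1 FROM persons WHERE PersonID = ? AND ({pol.condition})",
            (person_id,)).fetchone()
        if match is None:
            continue
        for item in sorted(pol.definition.items, key=lambda i: i.order):
            targets = conn.execute(item.item_collection_query, {"pid": person_id})
            for (rid,) in targets.fetchall():
                apply_action(conn, item, rid)
                executed.append((item.item_type_action, item.item_scope_type, rid))
    return executed


def build_sample_db():
    # Constructed sample data: person 1 is internal, person 2 is external.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE persons(PersonID INTEGER, IsExternal INTEGER);
        CREATE TABLE accounts(AccountID INTEGER, PersonID INTEGER, Disabled INTEGER);
        CREATE TABLE memberships(MembershipID INTEGER, AccountID INTEGER, GroupName TEXT);
        INSERT INTO persons VALUES (1, 0), (2, 1);
        INSERT INTO accounts VALUES (10, 1, 0), (11, 1, 0), (20, 2, 0);
        INSERT INTO memberships VALUES (100, 10, 'VPN-Users'), (101, 20, 'Contractors');
    """)
    return conn


ACCOUNTS_OF_PERSON = "SELECT AccountID FROM accounts WHERE PersonID = :pid"
MEMBERSHIPS_OF_PERSON = ("SELECT m.MembershipID FROM memberships m "
                         "JOIN accounts a ON a.AccountID = m.AccountID "
                         "WHERE a.PersonID = :pid")
SELF = "SELECT PersonID FROM persons WHERE PersonID = :pid"

INTERNAL_LEAVER = FlowDefinition("Internal Leaver", [
    FlowItem(1, "RemoveGroupMembership", "GroupMembership", MEMBERSHIPS_OF_PERSON),
    FlowItem(2, "DisableAccount", "Account", ACCOUNTS_OF_PERSON),
    FlowItem(3, "NotifyManager", "Person", SELF),
])
EXTERNAL_LEAVER = FlowDefinition("External Leaver", [
    FlowItem(1, "DisableAccount", "Account", ACCOUNTS_OF_PERSON),
])
# Two policies for the same event, selecting a definition per leaver kind.
POLICIES = [
    FlowPolicy("PersonLeaver", "IsExternal = 0", INTERNAL_LEAVER),
    FlowPolicy("PersonLeaver", "IsExternal = 1", EXTERNAL_LEAVER),
]


def leaver_demo(person_id):
    """Fire a PersonLeaver event and report the actions taken and accounts disabled."""
    conn = build_sample_db()
    actions = run_event(conn, POLICIES, "PersonLeaver", person_id)
    disabled = [r[0] for r in conn.execute(
        "SELECT AccountID FROM accounts WHERE Disabled = 1 ORDER BY AccountID")]
    return actions, disabled
```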

Joiner, Mover, Leaver Integration with Flow Engine

Joiner, Mover, and Leaver events have been integrated with the Flow engine to give organizations more options and greater flexibility in how those events are handled. By altering a few configuration settings, organizations can now choose to have those events picked up by the Flow engine and processed as Flow events. These new settings include those listed below.

Joiner Settings

Advanced Leaver Flow Configuration Settings

EmpowerID includes several configuration settings for Planned Leaver Events (Advanced Termination) that can be configured to instruct the system to bypass the default termination process for planned leavers and send those Person accounts to the Business Request Flow engine for processing. When this is the case, each Person account claimed by the SubmitPersonTerminations permanent workflow is sent to the Flow Event Inbox and processed in accordance with your organization’s Person Leaver Flow policies.

These settings include the following (Setting, Type, Purpose, Note):

  • TerminatePersonTriggerFlowEvent (Resource System Setting)
    Purpose: Boolean that specifies whether the system bypasses the termination and reactivation process for planned leavers and uses the Business Request Flow engine to process leavers.
    Note: This is a global setting that, when enabled, overrides the PreTerminatePersonWithFlowEvent, TerminatePersonWithFlowEvent, and ReactivatePersonWithFlowEvent settings.

  • PreTerminatePersonWithFlowEvent (Resource System Setting)
    Purpose: Boolean that specifies whether the system should use Flow Events for the Preleaver Notification process.
    Note: If set to true, and TerminatePersonTriggerFlowEvent is set to false, the Account Inbox Settings page displays an option for users to select the Flow Event Type for Preleaver Notifications.

  • TerminatePersonWithFlowEvent (Resource System Setting)
    Purpose: Boolean that specifies whether the system should use Flow Events for the Leaver Process.
    Note: If set to true, and TerminatePersonTriggerFlowEvent is set to false, the Account Inbox Settings page displays an option for users to select the Flow Event Type for leaver events.

  • ReactivatePersonWithFlowEvent (Resource System Setting)
    Purpose: Boolean that specifies whether the system should use Flow Events for the reactivation process.
    Note: If set to true, and TerminatePersonTriggerFlowEvent is set to false, the Account Inbox Settings page displays an option for users to select the Reactivation Event Type for Preleaver Notifications.

  • Preleaver Notification Event Type (Account Inbox Setting)
    Purpose: Dropdown that allows users to select the Flow Event Type for Preleaver Notifications.
    Note: This setting only appears when the PreTerminatePersonWithFlowEvent resource system setting is set to true and TerminatePersonTriggerFlowEvent is set to false.

  • Leaver Event Type (Account Inbox Setting)
    Purpose: Dropdown that allows users to select the Flow Event Type for leaver events.
    Note: This setting only appears when the TerminatePersonWithFlowEvent resource system setting is set to true and TerminatePersonTriggerFlowEvent is set to false.

New Wizard Workflows

This release features new or updated wizard workflows, which streamline various aspects of Azure application management and improve onboarding procedures for individuals, groups, accounts, mailboxes, credentials, computers, and Management Roles.

Credential Workflows

  • Onboard Credential Workflow: A new wizard interface for credential creation has been added. This tool not only simplifies the onboarding of credentials but also allows for the configuration of Access Request settings. These settings help control the check-out and check-in processes. Furthermore, the wizard facilitates the setting of eligibility criteria, determining who may request the credential from the IAM Shop. For more information, see Onboard Credentials.

  • Manage Credential Workflow: Update and modify credentials with ease through a user-friendly wizard interface. This includes individual and bulk edit/delete options for credentials.

Management Role Workflows

  • Onboard Management Role Workflow: Navigate the creation of Management Roles with a step-by-step wizard, choosing from predefined role types and setting hierarchical relationships like the parent Management Role Definition, nesting, and IAM Shop publication.

  • Manage Management Role Workflow: Simplify Management Role administration with features like role deletion, IAM Shop settings modification, and responsible party assignment. The wizard can assist with both single and multiple operations.

Group Workflows

  • Onboard Group Workflow: We've improved the group onboarding experience with a comprehensive and intuitive wizard workflow. This feature guides users through the manual process of onboarding new groups within the system. Users can now accomplish multiple group-related tasks within the same workflow, including configuring responsible parties, owners and deputies, IAM Shop settings, and group members from a single easy-to-follow wizard interface. For more information, see Onboard Groups.

  • Manage Group Workflow: Perform various group management tasks, including viewing group details, editing group attributes, deleting groups, assigning responsible persons, and managing group membership.

Azure Application Workflows

  • Create Azure Application: This workflow simplifies the process of creating a new Azure application, guiding users through each step to ensure accurate configuration. For more information, see Create Azure Applications.

  • Create Azure Application Certificates: This workflow allows users to upload and assign self-signed certificates to Azure applications managed by EmpowerID. For more information, see Create Certificates for Azure Applications.

  • Create Azure Application Client Secret: This workflow helps users create and upload client secrets for Azure applications managed by EmpowerID. For more information, see Create Azure Application Client Secrets.

  • Create Azure Application Scopes: Wizard workflow for creating scopes for Azure applications managed by EmpowerID. For more information, see Add Scopes to Azure Applications.

  • Create Azure Application Roles: Wizard workflow for creating app roles for Azure applications managed by EmpowerID. For more information, see Add App Roles to Azure Applications.

  • Update Azure App API Permissions: New wizard workflow for efficient API permissions management for Azure applications integrated with EmpowerID. For more information, see Update API Permissions of Azure Applications.

Person and Account Workflows

  • Onboard Person: Wizard workflow for onboarding people with different options (Simple, Advanced, and From Another Mode), allowing users to tailor the process according to their needs. For more information, see Onboard People.

  • Manage Account: The Manage Account Wizard is a new workflow designed to simplify account management by offering a guided, step-by-step process for key actions such as enabling or disabling accounts, deleting accounts, and editing account attributes. Further, it facilitates the assignment of responsible parties and enables the addition of accounts to various groups.

Self-Service Workflows

  • Login Assistance Wizard: The Login Assistance Wizard is designed to allow users to address login-related issues independently. Accessible directly from the login screen, this user-friendly wizard simplifies various operations such as password reset/unlock and Azure Temporary Access Pass (TAP) issuance. It also provides for Azure/EmpowerID Multi-Factor Authentication (MFA) reset, unblock, and unenrollment, as well as the deletion of MFA assets/preferences.

  • Manage Your Identity Wizard Workflow: Users can easily manage aspects of their identity from a single, easy-to-follow wizard, including deleting MFA devices, enrolling for a Q&A password reset, changing passwords, editing profiles, and registering MFA authenticators. For more information, see User Experience - Manage Your Identity.

Computer Workflows

  • Onboard Computer Wizard Workflow: The Onboard Computer Wizard is a new workflow that makes onboarding computers a more effortless and adaptable process. The wizard simplifies the steps of adding computers, seamlessly integrating them into the IAM Shop, and customizing eligibility settings. Plus, it brings more flexibility in managing Privileged Session Management (PSM) settings, including linking PSM credentials. For more information, see Onboard Computers.

Mailbox Workflows

  • Onboard Mailbox: The Onboard Mailbox Wizard is a new workflow designed to streamline the process of integrating shared, room, or equipment mailboxes. This intuitive workflow allows you to effortlessly publish these mailboxes in the IAM Shop, seamlessly incorporate them into relevant groups, and easily configure eligibility criteria for users requesting access. The feature further optimizes the approval process by directing the flow when users request access.

  • Manage Mailbox: The Manage Mailbox Wizard is a new workflow designed to simplify mailbox management. This user-friendly wizard enables users to modify essential mailbox settings while also providing efficient control over email forwarding, policy establishment, and quota restrictions.

More Flexibility for Access Requests

We've updated EmpowerID with a new feature called "IAM Shop Permission Levels." This feature provides tailored access to important resources such as shared folders, mailboxes, computers, and Privileged Session Manager sessions. Companies can customize these settings to allow users to request certain access levels for resources, such as "read-only" for shared folders or "local admin" for computers.

When users request access to a resource through the IAM Shop, they'll see options relevant to their needs. For instance, if a user requests access to a computer, they might see "Local Admin" and "Domain Admin" as options. These levels correspond to specific groups in the native system that provide those permissions. If a user selects "Local Admin," EmpowerID will grant this access by adding them to the group that has local admin rights on that computer. This update makes it simpler and more efficient for users to get the permissions they need. For more information, please see Configure IAM Shop Permission Levels.

Enhanced Privileged Session Manager

With this release, Privileged Session Manager (PSM) has been significantly improved to support the following:

Telnet Session Support: The Privileged Session Management (PSM) feature of EmpowerID now accommodates Telnet sessions, broadening its compatibility with a variety of operating systems, including Linux, Windows, macOS, and more. This enhancement assures reliable PSM session connectivity and communication with an expanded range of devices.

Real-Time Session Monitoring: We've added a session monitoring functionality to the platform, enabling users to track and monitor the status of PSM applications, encoders, and uploaders in real time. This feature empowers users to ensure optimal performance, detect potential issues, and take proactive steps for a seamless user experience.

PSM Workflow Improvements: A range of enhancements have been implemented to streamline the PSM workflow, making it more efficient, secure, and resilient. The revised workflow includes the following steps:

  1. Check "UseExistingAccountIfPresent" Property: The system will first check if the computer has the "UseExistingAccountIfPresent" property. If not found, it will search in the "AccessRequestPolicy."

  2. User Account Search: If "UseExistingAccountIfPresent" is true, it will search for the person's user account in the local computer's account store and the AD (Active Directory) AccountStore. If both accounts are found (a rare occurrence), the account associated with the "JITLocalAdminGroupID" property will be selected.

  3. Find Personal Credential: The system will locate the personal credential associated with the selected user account's account store. The credential is identified using the "AccountGUID" column in the externalCredential table.

  4. Handling of Personal Credential: If the personal credential is not found, a temporary account will be created in the account store associated with the "JITLocalAdminGroupID" group. These accounts are considered orphan accounts and are deleted after the PSM session ends based on the "JITDeletePSMAccount" setting. If the personal credential is found, the "JITLocalAdminGroupID" group is added to the account in the ExternalCred (external credential store). The group is removed from the account, but the account itself is not deleted after the PSM session ends.

  5. Create Temporary Account: If the "UseExistingAccountIfPresent" property is false, a temporary account is created in the account store associated with the "JITLocalAdminGroupID" group. After the PSM session ends, the created account is deleted.
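The five steps above form one decision procedure. As an added illustration (constructed example, not EmpowerID code), the following model walks a session request through them and reports which account is used, whether a temporary account is created, and what is cleaned up when the session ends, so the orphan-account path governed by JITDeletePSMAccount is visible to whoever reviews it. Store names, GUIDs and the sample people are assumptions.

```python
"""Model of the revised PSM account-resolution steps (constructed example,
not EmpowerID code). Property and setting names follow the release notes;
store names, GUIDs and sample people are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    account_guid: str
    account_store: str           # store the account lives in


@dataclass
class Computer:
    name: str
    local_store: str             # the computer's local account store
    ad_store: str                # the AD account store it is joined to
    jit_local_admin_group_id: str
    jit_group_store: str         # store that owns the JITLocalAdminGroupID group
    use_existing_account_if_present: Optional[bool] = None  # None = property not set


@dataclass
class AccessRequestPolicy:
    use_existing_account_if_present: bool


@dataclass
class SessionPlan:
    account_store: str
    account_guid: str
    temporary: bool              # a temporary account was created for the session
    cleanup: list = field(default_factory=list)  # actions run when the session ends


def resolve_psm_account(computer, policy, person_accounts, external_credentials,
                        jit_delete_psm_account=True):
    # Step 1: the computer's own property wins; fall back to the AccessRequestPolicy.
    use_existing = computer.use_existing_account_if_present
    if use_existing is None:
        use_existing = policy.use_existing_account_if_present
    temp_guid = f"TEMP-{computer.name}"   # constructed placeholder for a JIT account

    if not use_existing:
        # Step 5: no reuse, so a temporary account is created in the JIT group's
        # store and always deleted after the session.
        return SessionPlan(computer.jit_group_store, temp_guid, True,
                           ["delete temporary account"])

    # Step 2: look for the person's account in the local store and in AD; if both
    # exist, prefer the one in the store that owns JITLocalAdminGroupID.
    found = [a for a in person_accounts
             if a.account_store in (computer.local_store, computer.ad_store)]
    if len(found) > 1:
        found = [a for a in found if a.account_store == computer.jit_group_store] or found
    selected = found[0] if found else None

    # Step 3: the personal credential is keyed by AccountGUID in externalCredential.
    cred = external_credentials.get(selected.account_guid) if selected else None

    if cred is None:
        # Step 4 (no credential): orphan temporary account; whether it is deleted
        # afterwards is governed by JITDeletePSMAccount.
        cleanup = ["delete orphan account"] if jit_delete_psm_account else []
        return SessionPlan(computer.jit_group_store, temp_guid, True, cleanup)

    # Step 4 (credential found): add the JIT group to the existing account and
    # remove it afterwards; the person's own account is never deleted.
    return SessionPlan(selected.account_store, selected.account_guid, False,
                       [f"remove group {computer.jit_local_admin_group_id}"])


# Constructed sample data: one server, a policy that allows account reuse, and
# two people in different account/credential situations.
SRV01 = Computer("srv01", "LOCAL:srv01", "AD:corp", "JIT-LocalAdmins-srv01", "LOCAL:srv01")
POLICY = AccessRequestPolicy(use_existing_account_if_present=True)
ACCOUNTS = {
    "alice": [Account("guid-alice-ad", "AD:corp"), Account("guid-alice-local", "LOCAL:srv01")],
    "bob": [Account("guid-bob-ad", "AD:corp")],
}
EXTERNAL_CREDENTIALS = {"guid-alice-local": "cred-1"}   # bob has no personal credential


def plan_for(person, jit_delete_psm_account=True, policy=POLICY):
    """Resolve the session plan for one of the sample people on SRV01."""
    return resolve_psm_account(SRV01, policy, ACCOUNTS[person], EXTERNAL_CREDENTIALS,
                               jit_delete_psm_account)
```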

ServiceNow Integration with EmpowerID Microservices

Organizations that have successfully connected EmpowerID to ServiceNow can leverage the powerful capabilities of EmpowerID's IAM Shop, Resource Admin, and Identity Manager microservices directly from the ServiceNow user interface. This is achieved by adding a widget to ServiceNow for each microservice you want to integrate. For details on how to set this up, please see Integrate EmpowerID Microservices with ServiceNow.

Azure App Role Enhancements

EmpowerID provides centralized administration, assignment, and enforcement of permissions across Azure app roles and external systems while offering improved auditing and tracking of app role assignments and changes.

EmpowerID offers the following new features and enhancements for Azure app roles:

  • Previously EID only supported the ability to assign Azure users and Azure groups to the Azure app roles, but now you have the ability to assign non-Azure objects using the projection engine. The assignment capabilities have been extended to include person, management roles, and business role locations alongside users and groups.

  • Bulk assignments of Azure app roles to multiple users or groups are now supported.

  • A new feature of Fulfillment groups is introduced, which can be automatically created by workflows or manually created by users. By linking a fulfillment group to an Azure app role, EmpowerID can project individuals into the corresponding Azure group in the tenant, enabling the enforcement of permissions in the external system. The RBAC engine in EmpowerID analyzes assignments, determines which rights or roles are mapped to fulfillment groups, and adds or removes individuals based on their membership status and assigned rights.

  • We have introduced the AssignAZRightScope workflow, which offers a user-friendly interface to access the above-mentioned features.


Updated Microservices

Resource Admin

In our continual pursuit to improve user experience, we are pleased to announce significant updates to the Resource Admin microservice in our latest release. This enhanced feature is designed to offer users increased control and flexibility in managing resources. One of the key improvements is the expanded ability for administrators to monitor and allocate resources within the system more efficiently. This streamlines the management process and enables more precise resource administration.

To provide a more detailed picture of the enhancements, here's what you can expect:

  1. Management Role Management: Users can now view and manage all aspects of Management Roles in Resource Admin.

  2. Mailbox Management: To simplify mailbox management, users can now easily access and manage mailboxes within the Resource Admin interface. Resource admins can efficiently assign individuals to designated mailboxes, modify mailbox permissions, and execute other mailbox management tasks.

  3. Shared Folder Management: We've expanded our Resource Admin functionality to fully manage shared folders for inventoried Windows servers. This includes creating, deleting, and editing shared folders.

  4. Claims Mapping Policies: Users can now access a comprehensive list of the Claims Mapping policies for applications and update those policies and policy assignments as needed.

  5. People Management: The update allows users to effectively manage people within Resource Admin, improving administrative efficiency.

  6. App Rights: Improved visibility of App Rights is now available in Resource Admin. Users can view the details of app rights from the context of a specific application and the app rights membership details for people they are allowed to see, promoting transparency and accountability.

  7. Role Definitions: The update provides visibility into role definitions for applications within Resource Admin. Users can view the details of role definitions from the context of a specific application, as well as the assignments of those role definitions within that application, facilitating better role-based access controls.

IAM Shop

With this release, the IAM Shop has several enhancements that focus on improving the user experience and expanding functionality, offering users more control over their access rights and resource management.

Enhancements include the following:

  1. Requesting Access Rights: End-users can now request app rights, role definitions, and app management roles for a protected application directly through the IAM Shop. This enhancement simplifies the process of obtaining necessary access permissions, thereby increasing efficiency and reducing the time spent on administrative tasks.

  2. Improved Access Management: The latest update offers improved visibility and management of access rights. Under 'Manage Access' for applications, end-users can now see the app rights, app management roles, and role definitions to which they currently have access. The ability to manage these assignments directly from this view streamlines the process, making it easier for users to maintain control over their access rights.

  3. Eligible Resources Visibility: To provide a more personalized and relevant experience, we've made an update that allows end-users to see only the resources they are eligible for. This means users will no longer see resources that they cannot access or utilize, reducing clutter and enhancing usability by focusing on the most relevant information.

Workflow Studio Enhancements

Enhancements to Workflow Studio include the following:

  • Removed dependency on Microsoft Edge for Workflow Studio login. Workflow Studio now uses modern authentication with front-channel flow for better accessibility.

  • Introduced a fulfillment workflow template for Business Requests, simplifying request management.

  • BotFlow has a new feature to pin the resources in BotFlow and facilitate easy interaction. To pin a resource means to keep it easily accessible, allowing for the execution of multiple actions or workflows without selecting or inputting the same resource multiple times. Pinning resources in bot flows can be either temporary or permanent.

  • Added a Workflow Activity for ChatGPT, facilitating smoother integration and communication with ChatGPT within EmpowerID.

  • Incorporated a new Workflow and Bot flow for interacting with ChatGPT in EmpowerID and the Bot, respectively.

  • Updated the user interface of Workflow Studio to give it a more modern and contemporary look.

    • Revamped and modernized baseline configuration and integration for AvaloniaUI, delivering an improved and contemporary user interface experience.

    • A new LowCode/NoCode panel utilizing the AvaloniaUI framework has been implemented, resulting in improved functionality and a more user-friendly experience.

  • Added support for developing workflows and integration for SAP BAPI.

    • Introduced a new Workflow Activity that allows calling any BAPI function and executing the result, broadening the scope of workflows and integrations.

    • With the LowCode UI, values can be set at design time or run time from the BAPI structure, increasing customization and adaptability.

  • The Repeater sections in Workflow Studio forms have been updated to include Add, Edit, and Delete options in addition to displaying records in a card UI, which was already a feature. This allows for greater flexibility in design for developers and a better UI experience for the end users.

Additional Improvements

Group Membership Engine

All group membership changes for Active Directory, Azure AD, and SAP account stores are now processed by the group membership engine and can be viewed from the Membership Queue in the Audit log. This allows you to view the status of the detected membership change, the change type, the affected user account and group, and the RBAC or local right assignment responsible for the change.

Rehire Capability in Advanced Leaver

We've added rehire support to the Advanced Leaver feature. This is particularly useful when an individual rejoins the organization after a previous departure. The rehiring process involves restoring a previously deleted person object and its associated access provisions, contingent on certain criteria being fulfilled. The workflows for rehire support automatically restore the person, reapply attribute flow to all accounts, and generate a restoration task for manual approval.

Time-Based Escalation for Recertification

The recertification feature now includes a Time-Based escalation, enhancing flexibility and control in the Business Roles review process. For instance, an automatic escalation request is sent to the Digital Access Governance Manager if a review has been pending for a month. If there is no response within six months from the initial review request, the system will automatically remove the business role and initiate deprovisioning of the related access. Users can now configure settings to manage notification and escalation timing and actions.

New Relative Delegations

Administrators now have the ability to set up relative delegations for Locations within their organization. This extends the capacity to delegate visibility and responsibility to business locations at the Organization level. In response to the need for greater flexibility in configuring delegations, we have broadened delegation capabilities for administrators.

Expiring Access Notifications

Our Notifications engine now includes an option to email users about impending access assignment expiry, specifying resource details and the expiration date.

Google ReCaptcha Upgrade

We've upgraded to Google ReCaptcha V3, enhancing security and user experience. Users will no longer need to solve CAPTCHA challenges, and the system can detect risk based on user behavior.

Enhancement to Azure Group Account Membership Management

This release presents an improvement to Azure AD group account memberships management. We have transitioned to a queue-based model, a change that bolsters both efficiency and reliability. Now, you can seamlessly add and remove Management Roles, Business Role and Location combinations, and Query-Based Collections from Azure AD groups.

Exchange Mailbox Audit Settings Sync

EmpowerID now periodically retrieves and syncs audit settings from Exchange Mailbox, ensuring the consistency of audit settings between EmpowerID and Microsoft Exchange Online.

Upgraded Azure Microservices

Azure microservices have been upgraded from .NET 5 to .NET 6. This upgrade includes the following services and components:

  • Azure AD SCIM Microservice – The Azure AD microservice and the Terraform template used for deploying the microservice have been upgraded from .NET 5 to .NET 6. Previous versions are now in maintenance support mode.

  • Exchange Online Web Jobs and Functions – The Exchange Online (EXO) web jobs and functions have been upgraded from .NET Core 3.1 to .NET 6. Previous versions of these jobs and functions are now in maintenance and support mode.

  • SharePoint Online Web Jobs and Functions – The SharePoint Online (SPO) web jobs and functions have been upgraded to .NET 6. Previous versions of these jobs and functions are now in maintenance and support mode.

Security Enhancements

MFA OTP Patch

Resolved Issues

We have addressed several issues in this release:

  • A problem with the Function Access report's general search functionality has been rectified, enabling search by Function Friendly Name.

  • Missing functionality in the My Tasks application's My Requests view has been implemented to filter My/All Requests by Request Status changed Dates.

  • Missing functionality in Privileged Session Management (PSM) MFA authentication has been addressed to correctly recognize SMS authentication.

  • Enhancements have been made to the "Owned by" filter in the IAM Shop group context to improve usability. The default value will now be "Myself" if a user doesn't have access to the filter and "anybody" if they do.

  • The date filter “Request Status Changed Dates” in the My Tasks application now validates that the start date is not later than the end date, ensuring accurate filtering results.

  • For PSM, we've resolved an issue affecting PSM video recordings, where the recording length differed by a few seconds from the actual session duration. Now, timestamps accurately mirror the correct recording length.

  • For PSM, we've improved the session management capabilities of the UI, which handles instances when the workflow screen times out and displays the EmpowerID login page. We've added handlers for the 'userUnloaded' event, supplementing the existing 'userSignedOut' event handler for effective session timeout management.

  • We've resolved an issue where users reported an intermittent loss of the CTRL key functionality during PSM sessions, preventing them from using associated key combinations. With this fix, users should no longer experience the loss of CTRL key functionality.


Deprecated Features

  • The EmpowerID Server Role is deprecated. All processes now execute locally except for situations where the Cloud Gateway is used.
