- Created by Dev Raj Gautam, last modified by Phillip Hanegan on Feb 05, 2024
Release Date: 01/XX/2024
We are pleased to announce the release of EmpowerID Version X.X,X,X, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:
New and Improved Connectors
Google Cloud Connector
With this release, EmpowerID adds a Google Cloud Platform (GCP) connector to its out-of-the-box connector library. The connector lets organizations manage identities in their GCP environment directly through EmpowerID, bringing GCP under the same identity governance controls as the other connected systems.
The GCP Connector offers the following features:
User and group management: Create, update, and delete operations.
Service account actions: Create, update, and delete service accounts.
Group membership scenarios: Handle additions, removals, ownership changes, and cross-group memberships.
Role changes: Flexible management of role assignments.
GCP guest accounts: Addition to and removal from groups.
Inventory Management: Support for both incremental and full inventory.
Enhanced Azure B2C Connector
The Azure B2C Connector now inventories application objects. This gives administrators a more complete view of the applications registered in the Azure B2C environment and lets them track and manage those application objects from within EmpowerID.
Updated Microservices
Resource Admin
In our continual pursuit to improve user experience, we are pleased to announce significant updates to the Resource Admin microservice in our latest release. This enhanced feature offers users increased control and flexibility in managing resources.
To provide a more detailed picture of the enhancements, here's what you can expect:
More Actions for Easier Application Management
We have enhanced the Applications Resource page to include a range of actions that streamline application management workflows. These actions give users quick, direct access to key functionality so that tasks can be carried out in context, from the application's own page. Here's an overview of the application actions now available on the Applications Resource page:
Create Azure Claims Mapping Policy
Action: Users can create Azure claims mapping policies, customizing identity claims for Azure AD tokens.
Purpose: Enhances security and compliance for Azure-integrated applications.
Assign an Application Role Definition
Action: Assign specific role definitions within applications.
Purpose: Facilitates precise role-based access control within applications.
Assign Application Right
Action: Administer rights to applications, controlling user and group access levels.
Purpose: Ensures secure and appropriate application access.
Configure Field Types for Rights
Action: Define and configure field types for application rights.
Purpose: Increases accuracy and flexibility in rights definitions.
Managing App Right and Role Settings
Action: Oversee and adjust application right and role settings.
Purpose: Simplifies management of application permissions and roles.
Application Management Wizards
Actions:
Launch the Manage Application Wizard for general application management.
Utilize the Manage Azure Application Wizard for specific Azure application configurations.
Initiate Onboarding Non-Azure Applications and Onboarding Azure Applications workflows.
Purpose: Provides structured, user-friendly processes for managing and integrating applications.
Quicker Access for Managing API Permissions
The API Permissions page for applications has been updated to include a new button for adding API permissions to applications. With this new button, the process of managing API permissions is more straightforward. It allows administrators to quickly and easily modify or extend the API access for applications, contributing to improved functionality and security management.
Enhanced Time Constraint Options
Time Constraints in Assigning Role Definitions
With this release, we have introduced the ability for users to specify time constraints when assigning Role Definitions to people. This feature, accessible from both the Application and Person pages, offers increased control and flexibility. It significantly enhances the way access is managed within applications, allowing for more precise timing in role assignments.
Time Constraints in Assigning App Management Roles
Additionally, we've extended the capability to specify time constraints to the assignment of App Management Roles. Similar to Role Definitions, this can be done through the Application or Person pages. This enhancement aims to improve the management of access within applications, granting users the ability to define specific time frames for assigned roles.
Streamlined Eligibility Configuration for Applications
Users can now directly view and manage the eligibility configurations for an application from its overview page. This enhancement simplifies the process of modifying application eligibility settings, making it more straightforward and user-friendly. With this change, managing access and eligibility within applications becomes more efficient and accessible.
More Robust Group Management
With this update, we are introducing several enhancements to improve group management within Resource Admin. These updates are aimed at providing administrators more control and flexibility when managing groups, nested group memberships, and access permissions. Here’s an overview of the new features and benefits:
Additional Membership Changes Fields
We have updated the Membership Changes grid for groups to include additional fields that provide more detailed information about changes in group memberships. New fields include the Source of Change field and the Source Assignment for Membership field. These new fields are designed to enhance the understanding and tracking of membership modifications.
Nested Group Membership Management
Users now have the capability to add, remove, and view nested group members within a group. This feature is designed to provide more detailed control over group hierarchies and membership and simplify the management of nested groups.
Eligibility Configuration on Group Overview Page
The group overview page now includes the functionality to view and configure eligibility for groups. This allows for easier management of group eligibility directly from the overview page and streamlines the process of configuring and viewing group eligibility.
RBAC Assignments for Groups
Group owners now have the ability to view and manage RBAC assignments for groups. This provides users with the tools for direct and efficient management of access controls linked to various groups, enhancing the overall administration of group permissions and access rights.
RBAC Assignment Previews
Group owners can now preview the number of memberships that will be affected by selected RBAC assignments before finalizing them. This enhancement allows group owners to see how many members will be added to a group based on their pending assignments, providing a clearer understanding and better control over group composition changes. This update aims to improve decision-making and accuracy in RBAC management.
Improved Management Role Management
With this release, we are introducing updates to managing Management Roles aimed at providing a more intuitive and efficient experience for administrators and users. These enhancements include more versatile options for role membership and streamlined actions on the Management Roles Resource page. Here's a closer look at what's new:
New Management Roles as Members Tab
Users now have the ability to view and manage the Management Role membership of a given Management Role.
Enhanced Membership Options for Management Roles
Users can now add groups, SetGroups, and Business Role and Location Combinations as “Other Types of Management Role members.” This enhancement allows for more versatile and comprehensive role configurations, catering to complex organizational structures and access needs.
New Direct Access Granted Tab
Users now have the ability to view, manage, and remove the direct access assignments of a target Management Role.
The tab includes an ‘Add New Access Assignment’ button, which initiates the ‘Grant Actor Access’ workflow. The workflow guides users through the process of selecting the type of access and the resources for which to grant access to the Management Role.
New Total Access Granted Tab
Users can now view the total access granted to a Management Role by accessing this tab. The tab displays all the access rights that have been granted to a particular Management Role. It includes detailed information on the types of access, the specific resources involved, and the scope of each access right.
Management Roles Granted as Access Tab
Users can now assign additional Management Roles to an existing Management Role. This effectively means that individuals with the primary Management Role automatically gain the access rights and privileges of the additional roles assigned to it.
More Management Role Actions
We have updated the Management Roles Resource page with new actions to simplify managing Management Roles by providing easier access to key functionalities. Below is an overview of the new actions available:
Manage Management Role Wizard:
Functionality: A new action to launch the Manage Management Role Wizard has been added. This wizard is tailored to make the configuring and updating of Management Roles more straightforward.
Purpose: The wizard guides users through each step of managing Management Roles, making the process more user-friendly and efficient.
Onboard Management Role Workflows:
Functionality: The page now includes an action for initiating the Onboard Management Role workflow.
Purpose: This workflow provides a structured method for setting up new Management Roles, ensuring a consistent and efficient onboarding process.
IAM Shop
The IAM Shop has been updated to enhance functionality and user experience, refining the process of requesting IT resources and simplifying user interactions. Here’s an overview of what’s new in the IAM Shop:
EmpowerID Announcements
EmpowerID has rolled out a new feature, "Announcement," to ensure users stay updated with essential and timely information about the product. This feature integrates notifications across all EmpowerID applications, guaranteeing that users are always aware of significant updates. The core goal of the Announcement feature is to improve user engagement and awareness within the platform.
Key aspects of the Announcement feature include:
Creation of Customized Messages:
Administrators can craft tailored announcements for EmpowerID application users, featuring a specific title and detailed content.
Scheduling and Timing Control:
There's flexibility in scheduling these announcements, allowing administrators to set the duration of their visibility, ensuring timely relevance.
User Acknowledgment Option:
Administrators have the choice to require user acknowledgment for certain announcements, enhancing the interaction with critical updates.
One-Time Message Capability:
For less critical information, administrators can opt for one-time messages that don't require user acknowledgment.
Enhanced User Shopping Experience
Activate Button Added for Preapproved Resources
An "Activate" button has been added for users preapproved for resources through Eligibility policies in EmpowerID. This feature, visible in the Request Access and Manage Access grids for each given resource, enables users with preapproval to gain immediate access to resources. Upon clicking the "Activate" button, access is granted directly without the need for further approvals or business request creation. This streamlines the process, allowing EmpowerID to fulfill the assignment promptly and efficiently.
Enhanced Visibility of Functions for Azure Roles
Users shopping for Azure Roles can now view the functions included with those roles before requesting access to those roles or activating them if preapproved. This allows users to know whether the functions granted are suitable for their needs before submitting the request.
Shop Reference Person Access
A new feature, "Shopping By Reference Person," has been added to the IAM Shop to streamline the process of requesting access for new hires or employees in similar roles. This feature allows for the replication of access and rights from an existing employee's profile to a new one, making the process more straightforward. By selecting "Show Reference Person Access," the IAM Shop displays the current access of a chosen reference person. This can then be mirrored for the new individual.
My Tasks
My Tasks has been updated with several features to improve the user experience in handling business requests. These enhancements are designed to streamline the review and response process, making it more efficient and user-friendly.
Predefined Approval Comments
Users now have the option to choose from a set of predefined comments when approving a business request. This addition simplifies the approval process by providing quick, standardized responses that can be used to communicate decisions effectively. This feature not only saves time but also ensures consistency in communication across different approvals.
Enhanced Functional Access Information
The latest update to the My Tasks app brings a significant enhancement in the form of detailed functional access information. With this new feature, approvers are now equipped to view the current functional access of a user when considering approval for additional requested access. This added layer of visibility enables approvers to make more informed and intelligent decisions, assessing whether the new access is necessary or redundant. This enhancement streamlines the approval workflow by providing approvers with comprehensive information, facilitating efficient and effective management of business requests in the system.
Wizard Workflows
This release features new or updated wizard workflows, which streamline various aspects of Azure application management and improve onboarding procedures for individuals, groups, accounts, mailboxes, credentials, computers, and Management Roles.
Onboard Account Workflow
EmpowerID's latest update introduces the "Onboard Account" Wizard Workflow, a new feature designed to facilitate the manual onboarding of user accounts. This workflow represents a significant addition to EmpowerID, aiming to enhance the process of account creation in several key ways.
Detailed Features of the New Onboard Account Wizard Workflow:
Diverse Account Creation Options:
Individual and Technical Accounts: Users can create accounts not only for individuals but also for technical purposes like service accounts, which are crucial for automated processes and are not associated with any individual user.
Suitable for Various Environments: The workflow is adaptable for various environments, including creating local user accounts on Windows or Linux servers and user accounts in directories like LDAP, Active Directory, Azure, and ServiceNow.
Efficiency and User-Friendliness:
Streamlined Process: The wizard simplifies the onboarding process, making it more straightforward and less time-consuming.
Intuitive User Interface: With a focus on user experience, the workflow features an intuitive interface that guides users through each step of account creation.
Capabilities for Different Scenarios:
The wizard can handle a range of scenarios, from creating a single account for a new user to setting up multiple accounts for different services or platforms.
It provides options to customize account settings based on the specific needs of the user or the technical requirements of the account.
Attribute Management:
The workflow includes the ability to manage and assign attributes to new accounts, ensuring that all necessary information is accurately captured and associated with each account.
Manage Person Wizard Workflow
The introduction of the Manage Person Wizard provides efficient and user-friendly management of Person objects in EmpowerID. The wizard workflow provides the following options for managing Person objects:
Disable a person
Modify and update specific attributes associated with a person
Enable a previously disabled person
Initiate the Leaver Events for a Person leaving the organization, ensuring proper workflows are followed.
Initiate Mover Event for Person
Unjoin Person Core Identity
Manage Management Role Wizard Workflow
The Manage Management Role workflow has undergone several improvements to enhance its functionality and usability. Key enhancements include:
Enhanced Role Function Assignment:
We have introduced the capability to assign and unassign local functions directly to and from Management Roles. This enhancement provides greater flexibility and precision in defining the scope and responsibilities of Management Roles.
Updated Ownership and Responsible Party Requirements:
The workflow has been updated with a new requirement that ensures the responsible party and the owner of a Management Role cannot be the same individual. This change ensures a more robust and accountable management structure, promoting better governance and oversight within Management Roles.
Onboard Management Role Wizard Workflow
The Onboard Management Role workflow has been enhanced to provide users with a more efficient and versatile experience when onboarding new Management Roles. Here’s an overview of what’s new:
Management Role Bundling:
Role creators now have the ability to assign other Management Roles as members of the new role. This feature facilitates the creation of 'Management Role bundles', allowing for a more organized and cohesive management of roles within complex organizational structures.
Inclusion of Business Roles and Locations:
The workflow has been expanded to include Business Roles and Locations as members of a Management Role during the onboarding process. This addition enhances role customization, allowing organizations to grant role members specific Business Role and Location combinations during the role assignment process.
Updated Ownership and Responsible Party Requirements:
The workflow has been updated with a new requirement that ensures the responsible party and the owner of a Management Role cannot be the same individual. This change ensures a more robust and accountable management structure, promoting better governance and oversight within Management Roles.
Additional Improvements
Enhanced PSM Support
Added Support for Telnet Sessions to Cisco Devices
The EmpowerID Privileged Session Management (PSM) feature now supports Telnet sessions to Cisco devices, expanding the range of devices to which PSM can broker connections. Note that Telnet is an unencrypted protocol; the network path between the PSM gateway and the Cisco device should therefore be confined to a trusted management network.
Added Support for VNC Protocol
The Privileged Session Management (PSM) tool has been updated to include support for the Virtual Network Computing (VNC) protocol. This means that users can now easily select the VNC protocol during the computer onboarding process and initiate PSM sessions with computers that use the VNC protocol.
New Feature for Key Logging
A new keylogging option captures the keystrokes entered during privileged sessions, giving detailed visibility into what was done in a session for security review and audit. The feature has been designed with privacy in mind: credentials and other sensitive user data are excluded from the keystroke log.
Encrypted PSM Recordings
All PSM session recordings are now encrypted at rest by default, and playback of a recording requires explicit authorization, so that access to recorded content is tightly controlled. Users can additionally encrypt specific recordings with a non-default key; such a recording can be played back only where that key is available and playback has been authorized.
UI Enhancements for Microservices
We've implemented several UI enhancements across our microservices, aiming to elevate the overall user experience. These improvements include more intuitive layouts optimized for ease of use and efficiency. Users will notice cleaner interfaces with better-organized elements, ensuring quicker access to necessary features. Among these improvements is the introduction of flyout menus. When users hover their mouse over menu items, they will now see an expanded flyout, providing immediate access to additional options and features. The updates are designed to make interactions with our microservices more seamless and visually appealing, reflecting our commitment to providing a user-centric platform.
New Permanent Workflow for Out Of Office
In this release, we introduce a new permanent workflow that automatically updates the OutOfOffice flag for people in the system. The workflow is triggered when a person's OutOfOffice Start Date (OofStartDate) is reached while that person's OutOfOffice flag is still false; it then sets the flag to true, so the person's status is reflected accurately without manual intervention.
Security Enhancement: Transition from Single-Pass SHA-512 to PBKDF2 for Password Hashing
In response to a medium-risk finding classified as "Use of a Broken or Risky Cryptographic Algorithm" (OWASP A02:2021, Cryptographic Failures), this release addresses password hashes that were computed with a single SHA-512 iteration. A fast, single-pass hash offers little resistance to offline brute-force and dictionary attacks: an attacker who obtains the hash store, for example after a server compromise, can test guesses at the raw speed of SHA-512 and recover user passwords. We have therefore replaced single-pass SHA-512 with PBKDF2, a key derivation function that applies the underlying HMAC a configurable number of times. The recommended iteration counts follow current OWASP guidance: 600,000 for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512. This raises the cost of every password guess by the same factor and provides a much stronger defense for stored credentials.
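To make the change concrete, here is an added Python illustration (it is not EmpowerID code, and the storage record layout, field names and migration check are assumptions for the example, not a description of EmpowerID's implementation). It places the "before" scheme the note describes, one SHA-512 pass, beside salted PBKDF2-HMAC at the iteration counts quoted above, stores the parameters alongside the hash so the iteration count can be raised later, and includes the check a deployment needs because an existing hash cannot be upgraded without the password.

```python
import hashlib
import hmac
import secrets

# Iteration counts quoted in the release note (current OWASP guidance).
ITERATIONS = {"sha256": 600_000, "sha512": 210_000}
SALT_BYTES = 16
# Assumed record layout for this example: pbkdf2_<prf>$<iterations>$<salt hex>$<hash hex>
PREFIX = "pbkdf2_"


def legacy_sha512(password: str) -> str:
    """The 'before' scheme: one SHA-512 pass, no salt, no work factor.
    Fast to compute, and therefore fast to brute-force offline."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_password(password: str, algo: str = "sha256", iterations: int = 0) -> str:
    """Salted PBKDF2-HMAC using the policy iteration count unless overridden."""
    if algo not in ITERATIONS:
        raise ValueError(f"unsupported PRF: {algo}")
    iters = iterations or ITERATIONS[algo]
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iters)
    return f"{PREFIX}{algo}${iters}${salt.hex()}${dk.hex()}"


def parse_record(stored: str):
    """Return (algo, iterations, salt, hash) for a PBKDF2 record, or None when
    the record is not one (for example a legacy hex SHA-512 digest)."""
    parts = stored.split("$")
    if len(parts) != 4 or not parts[0].startswith(PREFIX):
        return None
    algo = parts[0][len(PREFIX):]
    if algo not in ITERATIONS or not parts[1].isdigit():
        return None
    try:
        return algo, int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count and compare
    in constant time, so timing does not reveal how much of the hash matched."""
    rec = parse_record(stored)
    if rec is None:
        return False
    algo, iters, salt, dk = rec
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(candidate, dk)


def needs_rehash(stored: str) -> bool:
    """True for legacy records and for PBKDF2 records below the current
    iteration policy. The hash cannot be upgraded without the password, so
    the rehash is done at the user's next successful login."""
    rec = parse_record(stored)
    if rec is None:
        return True
    algo, iters, _, _ = rec
    return iters < ITERATIONS[algo]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(needs_rehash(legacy_sha512("correct horse battery staple")))  # True
```

The `needs_rehash` check is the part most often forgotten in a migration of this kind: a successful login is the only moment the plaintext is available, so that is when a legacy or under-iterated record should be replaced, and the iteration count carried in each record is what lets the policy be raised again later without a flag day.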
Resolved Issues
Improved Session Management in IAM Shop
We have addressed the issue of frequent session timeouts that users experienced in the IAM Shop, particularly during cart-related activities. Previously, users encountered interruptions while adding or editing items in the cart or during the cart submission process. This update ensures a smoother, uninterrupted experience in the IAM Shop, enhancing user efficiency and convenience.
Invalid Logout Request Error in EmpowerID
The problem of 'invalid logout request' errors in EmpowerID has been successfully resolved. This issue primarily occurred when users had multiple tabs of EmpowerID open and left the system idle for a certain period. With this fix, users can expect more stable sessions, especially in multi-tab usage scenarios, reducing interruptions and improving the overall user experience in EmpowerID.
OTP Authentication Failures
With this release, a significant improvement has been made to the One-Time Password (OTP) authentication process. Previously, users could not log in when the OTP code they entered from the Microsoft Authenticator app contained spaces, whether leading, trailing, or between the digits. This issue has now been resolved: OTP codes are accepted regardless of how they are spaced, making authentication more reliable for users who type or paste the code as the app displays it.
Renaming Attributes in Dynamic Hierarchy Policies
This release addresses a specific issue with renaming attributes used by dynamic hierarchy policies. Before this fix, changing only the case of an attribute name (for example, "dublin" to "Dublin") caused the dynamic hierarchy policy to create two distinct groups, one per spelling, which in turn produced errors in LDAP calculations. The policy now treats a case-only change as a rename of the existing attribute rather than as a new one, so LDAP calculations complete without error.
Group-to-group assignments data import
We have resolved an issue in the 'MassUploadGroupToGroupAssignments' workflow. Previously, uploading a CSV file in which two header titles were missing raised an error and halted the workflow. The workflow now accepts such files, making mass uploads of group-to-group assignments more reliable.