EmpowerID 2019 has many new features, numerous enhancements, and multiple fixed issues to make the EmpowerID user experience better than ever.
Enhanced Privileged Session Manager
Privileged Session Manager (PSM) is updated to record and monitor privileged sessions, and to be hosted as a Docker Swarm on local or cloud service locations. You can configure PSM to record session activity when users check out credentials for a managed computer, allowing Access Managers and other administrators to view what users do on the computer during a session, and to terminate a session if necessary. It is also updated to comply with new European Union GDPR laws. For more information, see the following topics:
More Core Functionality Moved to the Web Application
More functionality is moving to the web application so that you can configure EmpowerID without using the EmpowerID Management Console. The Management Console retains some functionality in 2018, but now you can also perform many new functions in the web application, including:
The ESXi connector allows organizations to bring the user, permissions, and roles data in their stand-alone VMware ESXi systems to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. See VMware ESXi for more information.
Once connected, you can manage this data from EmpowerID in the following ways:
Create new users
Edit user attributes
Create new roles and permissions
Manage roles and permissions membership
Delete roles and permissions
EmpowerID includes an SAP connector capable of connecting with the two main SAP modules used for managing identity information: ECC and HCM.
The ECC module stores information for accessing SAP and the means for authorizing access to SAP, which includes:
individual authorization objects.
The HCM module manages employees and often serves as the authoritative source for employee information, including employment status, location, roles, and responsibilities. When EmpowerID connects to either of these SAP modules, it creates a single account store object for that module, with configurable settings that specify how EmpowerID is to manage the identity information. The Process SAP Group Owners permanent workflow monitors SAP action groups and processes SAP group owners.
The ServiceNow connector lets you create, synchronize, and manage ServiceNow users, groups, roles, locations, companies, user roles, and group membership within EmpowerID. Once you connect to ServiceNow, your ServiceNow developers can configure service catalog requests to allow your ServiceNow users to request groups, memberships, et cetera, and have them go for approval in EmpowerID.
With the EmpowerID ServiceNow Connector, you can manage all of the following functions in ServiceNow.
Inventory ServiceNow users as EmpowerID accounts
Create, update, and delete users
Enable, disable, and change passwords of users
Inventory ServiceNow groups as EmpowerID groups
Inventory ServiceNow group memberships as EmpowerID GroupAccounts
Create, update, and delete groups
Add and remove members of groups
Locations and Companies
Inventory ServiceNow locations as EmpowerID ExternalOrgZones
Inventory ServiceNow companies within the locations as EmpowerID ExternalOrgZones
Inventory ServiceNow roles as EmpowerID ExternalOrgRoles
The Webex Enterprise connector allows organizations to manage and synchronize Webex Enterprise user data. Once connected, you can manage this data from EmpowerID in the following ways:
Provision new users with Provisioning policies or workflows
Enable or disable users
Reset user passwords
Reverse Proxy NGINX Module
The EmpowerID Reverse Proxy, or microservices gateway, is a dockerized NGINX module that is a key component of any Zero Trust or microservices security architecture. As a component of the EmpowerID WAM system, the Reverse Proxy stands in front of protected web applications and Docker containers and restricts access to the resources they serve: it intercepts all HTTP traffic bound for those applications and evaluates each request using EmpowerID's hybrid RBAC / ABAC engine.
As a WAM component, the EmpowerID reverse proxy provides web environments with seamless access to all of the identity management facilities of EmpowerID. This means that organizations can use the EmpowerID reverse proxy to provide the same level of security for the resources that live on their web servers as they provide for the resources that live in their directories and other such similar resource systems.
The EmpowerID Reverse Proxy controls access to web applications and APIs without requiring the installation of an agent. To configure the Reverse Proxy, an OpenID Connect OAuth application record is created in EmpowerID, with an associated SAML connection linked to it for use in defining attribute statements. The Reverse Proxy uses this OAuth connection when making API calls to the EmpowerID REST endpoints to retrieve its configuration and to make real-time ABAC access checks. Web applications protected by the Reverse Proxy are created in EmpowerID as web applications, with their protected URLs and paths registered as "Application Subcomponents." RBAC and ABAC policies can then be applied to determine who may access these subcomponents/URL paths. After creating the appropriate Reverse Proxy components in the EmpowerID web interface, you configure the Reverse Proxy application files with the appropriate information for your environment.
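The following is an added illustration, not EmpowerID's own code or API: it models the decision a gateway of this kind makes for each intercepted request, mapping the request path to the most specific registered subcomponent and then applying an RBAC check (role membership) followed by ABAC checks (attribute predicates). The subcomponent names, roles, attributes and the default-deny choice for unregistered paths are all constructed for the example.

```python
"""Added example (not EmpowerID code): request authorization against URL
prefixes registered as "application subcomponents", using a hybrid
RBAC/ABAC check. All names, paths, roles and attributes are constructed."""
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Subcomponent:
    """A protected URL prefix and the policy guarding it (hypothetical model)."""
    name: str
    path_prefix: str
    allowed_roles: Set[str]                                  # RBAC: any one role suffices
    attribute_rules: List[Callable[[Dict], bool]] = field(default_factory=list)  # ABAC: all must pass


@dataclass
class Subject:
    """The authenticated caller as seen by the gateway (constructed)."""
    roles: Set[str]
    attributes: Dict


def normalize_path(raw_path: str) -> str:
    """Collapse '.' and '..' segments before matching, so a request such as
    /reports/../admin cannot be matched against the wrong prefix."""
    path = posixpath.normpath("/" + raw_path.lstrip("/"))
    return path


def match_subcomponent(path: str, subcomponents: List[Subcomponent]) -> Optional[Subcomponent]:
    """Longest-prefix match: /payroll/admin wins over /payroll for /payroll/admin/x."""
    best: Optional[Subcomponent] = None
    for sc in subcomponents:
        prefix = sc.path_prefix.rstrip("/") or "/"
        if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best.path_prefix.rstrip("/") or "/"):
                best = sc
    return best


def authorize(subject: Subject, method: str, raw_path: str,
              subcomponents: List[Subcomponent]) -> Tuple[bool, str]:
    """Return (allowed, reason). Unregistered paths are denied by default
    (a choice made for this example)."""
    path = normalize_path(raw_path)
    sc = match_subcomponent(path, subcomponents)
    if sc is None:
        return False, f"deny {method} {path}: no registered subcomponent"
    if not (subject.roles & sc.allowed_roles):
        return False, f"deny {method} {path}: RBAC, no role grants '{sc.name}'"
    for rule in sc.attribute_rules:
        if not rule(subject.attributes):
            return False, f"deny {method} {path}: ABAC rule failed for '{sc.name}'"
    return True, f"allow {method} {path} via '{sc.name}'"


# Constructed registration: two subcomponents of one protected web app.
SUBCOMPONENTS = [
    Subcomponent("Payroll Portal", "/payroll", {"Payroll Users", "Payroll Admins"}),
    Subcomponent("Payroll Admin", "/payroll/admin", {"Payroll Admins"},
                 attribute_rules=[lambda a: a.get("mfa") is True,
                                  lambda a: a.get("country") == "DE"]),
]


def demo() -> Dict[str, bool]:
    """Run a few constructed requests and return the decisions by label."""
    clerk = Subject({"Payroll Users"}, {"mfa": True, "country": "DE"})
    admin_no_mfa = Subject({"Payroll Admins"}, {"mfa": False, "country": "DE"})
    admin = Subject({"Payroll Admins"}, {"mfa": True, "country": "DE"})
    return {
        "clerk_portal": authorize(clerk, "GET", "/payroll/slips", SUBCOMPONENTS)[0],
        "clerk_admin": authorize(clerk, "GET", "/payroll/admin/rates", SUBCOMPONENTS)[0],
        "clerk_traversal": authorize(clerk, "GET", "/payroll/../payroll/admin/rates", SUBCOMPONENTS)[0],
        "admin_no_mfa": authorize(admin_no_mfa, "POST", "/payroll/admin/rates", SUBCOMPONENTS)[0],
        "admin_ok": authorize(admin, "POST", "/payroll/admin/rates", SUBCOMPONENTS)[0],
        "unregistered": authorize(admin, "GET", "/hr", SUBCOMPONENTS)[0],
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allow' if allowed else 'deny'}")
```

Two design points worth noting: the path is normalized before the prefix lookup, and the lookup picks the longest matching prefix, so a more specific subcomponent always overrides the policy of its parent path.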
The diagram below shows all the components and configuration files associated with the EmpowerID Reverse Proxy.
EmpowerID now supports assigning and tracking responsible parties for key objects like accounts, groups, computers, management roles, locations, and shared credentials. This responsibility relationship differs from that of a Person owning an account. An account owned by a Person represents that person and serves as their personal account. Responsible parties are assigned to signify who is responsible for an IT object from a security and audit perspective. For more information, see Responsible Parties.
Any EmpowerID RBAC Actor Type can be assigned as the responsible party, but most organizations configure EmpowerID to only allow the assignment of a Person. The field that stores this assignment is called OwnerAssigneeID, and you can find it in each supported object's table.
You can assign responsibility for EmpowerID objects using the Responsible Party property on the Details page for the object, or you can bulk assign responsibility for a number of the same type of objects using an action found on the object type's View Many page. Once assigned, you can transfer responsibility from one party to another.
When a person is leaving or changing positions, you can transfer all of their responsibilities to another party. You can either do this manually, using the Transfer Responsibilities workflow, or automate the process in a Planned Leaver Event.
The following new request workflows support these new features:
EmpowerID now supports the concept of a Core identity so that you can log in with different Person identities that are all linked to the same Core ID. Just as a person can have multiple user accounts in different external directories, so a core identity can have more than one persona. You can enable EmpowerID to create core identities when more than one person is discovered during inventory that shares the same name, birth date, or any attributes that you specify in the system settings. A person that is attached to a core identity is presented at login with a selection of personas to log in as, and once logged in, can switch between personas. The new ProvisionCoreIdentityBulk permanent workflow monitors the ProcessAccountInbox request workflow and provisions core identities as necessary. For more information, see Core Identities.
Two new permanent workflows automate group membership processes to ensure that sensitive groups always have the right members.
The new ContinuousRecertification permanent workflow constantly monitors membership changes in groups and generates recertification tasks for group owners. This ensures that access changes to sensitive groups comply with security policy.
The GroupMembershipExpirationNotification permanent workflow monitors group membership expiration dates, and notifies group owners of expired memberships.
New Audit and Clean-Up Features
Several new permanent workflows help your organization to stay up-to-date on audits and expired items.
The Unreviewed Recertification Task Notification permanent workflow monitors unreviewed audit tasks, and notifies assigned reviewers of their unreviewed tasks.
The Create Scheduled Certification Audit permanent workflow creates and runs any scheduled certification audits.
The Close Revoke Re-certification Unreview Tasks After Due Date permanent workflow closes any revoke tasks that remain unreviewed beyond the recertification due date.
The Check in Shared Credential permanent workflow monitors shared credential check-outs, and automatically checks them in when the requested time has expired.
The ScheduledCredentialPasswordReset permanent workflow monitors password reset schedules for shared credentials and resets passwords at the specified times.
The DeleteTemporaryPeopleCreatedDuringSignup permanent workflow monitors temporary people created during signup and deletes them after 60 minutes.
See the Workflow Library for a full listing of permanent workflows and request workflows.
You can now use HTML to attractively style user agreements (two are included out of the box) to display to users when they sign in. For more information, see Setting Up Password Manager Policies.
Safely Remove Group Memberships Flagged as CreatedFromAccountStore When an RBAC Policy Is Removed
When there is an RBAC policy for group enforcement (other than full enforcement), a flag marks any affected group accounts as RBACAssigned. If the group account later loses the policy, the RBACAssigned flag gets set back to false but the group membership remains in place to prevent the accidental removal of valid memberships when someone is testing policies and then removing them.
Since many companies do want to remove the membership once policies are removed, we added a new date field called RbacAssignmentConfirmationDate. This date is only set for group accounts that are flagged as CreatedFromAccountStore and are subsequently flagged as RBACAssigned. The date field is set to seven days after the RBACAssigned flag is set to true, and it represents the time until the RBAC-assigned group account becomes fully managed by EmpowerID.
If the RBAC policy that flags the group account as RBACAssigned is rolled back before the seven days expire, then the RBACAssigned flag is set to false, the date is cleared, and the group account remains.
If the RBAC policy that flags the group account as RBACAssigned is rolled back after the confirmation date, then the group account is removed, the same as any other policy assignment.
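The rollback rules above, carried through as an added worked example rather than EmpowerID's own implementation: a group account record with the two flags and the confirmation date, a policy-applied transition that stamps the date seven days out, and a rollback transition that keeps or removes the membership depending on where the rollback falls relative to that date. The field names are the page's, in snake case; the behaviour exactly at the confirmation instant and for memberships not flagged CreatedFromAccountStore is an assumption made for the example.

```python
"""Added example (not EmpowerID code): the RBACAssigned /
RbacAssignmentConfirmationDate lifecycle of a group account membership."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CONFIRMATION_WINDOW = timedelta(days=7)   # "seven days after the RBACAssigned flag is set"


@dataclass
class GroupAccount:
    group: str
    account: str
    created_from_account_store: bool
    rbac_assigned: bool = False
    rbac_assignment_confirmation_date: Optional[datetime] = None
    removed: bool = False


def apply_rbac_policy(ga: GroupAccount, now: datetime) -> None:
    """A group-enforcement policy (other than full enforcement) now covers this
    membership: flag it RBACAssigned and, for memberships that were inventoried
    from the account store, start the seven-day confirmation window."""
    if ga.removed:
        raise ValueError("cannot apply a policy to a removed membership")
    if not ga.rbac_assigned:
        ga.rbac_assigned = True
        if ga.created_from_account_store:
            ga.rbac_assignment_confirmation_date = now + CONFIRMATION_WINDOW


def roll_back_rbac_policy(ga: GroupAccount, now: datetime) -> str:
    """The policy that flagged this membership is removed. Returns 'kept' or
    'removed' so the caller can audit the outcome."""
    if not ga.rbac_assigned:
        return "kept"                       # nothing to roll back
    if ga.created_from_account_store:
        date = ga.rbac_assignment_confirmation_date
        # Rolled back before the window expires: clear the flag and the date,
        # keep the membership (protects policy testing from deleting valid members).
        # Assumption: a rollback exactly at the confirmation instant counts as "after".
        if date is not None and now < date:
            ga.rbac_assigned = False
            ga.rbac_assignment_confirmation_date = None
            return "kept"
    # After the confirmation date (or, by assumption, a membership EmpowerID
    # itself created for the policy): removed like any other policy assignment.
    ga.rbac_assigned = False
    ga.rbac_assignment_confirmation_date = None
    ga.removed = True
    return "removed"


def walk_through(rollback_after_days: int) -> dict:
    """Apply a policy on day 0 and roll it back after the given number of days
    on a constructed, account-store-sourced membership."""
    t0 = datetime(2019, 1, 1, 9, 0)
    ga = GroupAccount("Finance-Admins", "jdoe", created_from_account_store=True)
    apply_rbac_policy(ga, t0)
    outcome = roll_back_rbac_policy(ga, t0 + timedelta(days=rollback_after_days))
    return {
        "outcome": outcome,
        "rbac_assigned": ga.rbac_assigned,
        "date_cleared": ga.rbac_assignment_confirmation_date is None,
        "removed": ga.removed,
    }


if __name__ == "__main__":
    print("rollback on day 3:", walk_through(3))
    print("rollback on day 10:", walk_through(10))
```

Running the walk-through with a day-3 rollback leaves the membership in place with the flag and date cleared; a day-10 rollback removes it, which is the difference the confirmation date introduces.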
Single Login Experience When Using the EmpowerID Reverse Proxy
The OAuth Identity Provider (IdP) login page now provides the same user experience as other login pages. The following changes make for a more user-friendly experience:
Removed all OAuth authentication cookie references.
Changed handling of IdP authentication cookies so that logging in twice is not required.
Updated OAuth browser flows to support external IdP authentication.
Added IdP tiles such as Facebook, GitHub, Salesforce, et cetera, to appear on the OAuth login page based on the IPDomain settings.
EmpowerID 2018 includes numerous security updates in response to evolving changes in security needs.
The theme of the EmpowerID web application has been redesigned, and many new pages have been added.
The IT Shop has a new theme.
EmpowerID 2018 has a new ServiceNow Manager page.
All Features and Enhancements
As a system administrator, I want to be able to retrieve vaulted privileged credentials from EmpowerID for use in my PowerShell interactive sessions so that I can run PowerShell actions as an admin even though I am not an admin to support least privilege
As a security admin, I want to view a Person and see all of the Resources (Accounts, Groups, Management Roles, Shared Credentials, Computers) for which they are the responsible person (OwnerAssigneeID Direct)
EmpowerID freely provides hotfixes to address known issues. We also offer upgrades with new functionality in the form of new builds. When installing a hotfix or a newer version of EmpowerID, you can add the enhancements to your environment without losing preexisting data and configuration models.
Save any customizations to EmpowerID workflows in a custom package to avoid having the restoration process overwrite your custom workflows.
When upgrading EmpowerID, you must be logged in as a user with rights to alter the EmpowerID database on the target SQL server.
Install Microsoft IIS CORS and URL Rewrite modules on each server. (Detailed in the installation topic.)
EmpowerID provides support to all customers who have a trial version of an EmpowerID product or who have purchased a commercial version with a valid Software and Maintenance support contract. By purchasing Software Maintenance and Support, you have access to any upgrades that are released within a 12-month period and have email access to our product team to resolve any issues that may arise.
For further information on Software Maintenance and Support, please contact us by email at sales@empowerID.com.
Registered users may submit cases online and track their status. If you are a registered user, you may submit and view the status of cases at any time.
To contact a support representative, you may send an email to support@empowerID.com or contact us by phone at +1 (877) 996-4276.
EmpowerID offers support for the most recently released version of the Software Program and one version prior. This means that with the release of EmpowerID 2018, support is offered for EmpowerID 2016 and EmpowerID 2018.