Release Notes Version 7.198.0.0

Release Date: 01/28/2022

This release contains several enhancements to the EmpowerID microservice applications and Workflow Studio.

This minor release includes several enhancements to the EmpowerID Policy-Based Access Control (PBAC) engine and the business request process to give organizations more options for controlling user access.

New Features

Onboard Azure Applications in EmpowerID

Added support for onboarding Azure applications in EmpowerID. If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID, including creating new applications.

For onboarding applications, EmpowerID provides two options that you can use depending on your organization’s policies:

  1. You can require any onboarding of Azure applications to go through an approval process before those applications are created in Azure.

  2. You can allow applications to be onboarded without requiring any approvals.

Manage Client Certificates for Azure Applications

Added support for managing client certificates for Azure applications. When a certificate is created, the following happens:

  1. The certificate is uploaded and added to that app in Azure.

  2. The certificate thumbprint can be viewed after creation.

  3. The certificate is optionally saved by EmpowerID.

  4. An app owner is able to delete the client secret for an existing application.

  5. An app owner is able to delete the certificate/key for an existing application.

Manage Client Secrets for Azure Applications

Added support for making the app migration team eligible to request a new client secret for an app.

When a client secret is created, the following happens. The client secret is created and added to that app in Azure:

  1. The person who created it receives a one-time view of the client secret and its Azure ID, along with a warning.

  2. The client secret can be copied.

Enhancements

EmpowerID to inventory and manage common user attributes

Added support for inventorying and managing the following common user attributes:

  • EmployeeType

  • Manager

  • ExtensionAttribute1

  • OfficeLocation

  • CostCenter

  • Division

Recertification Policies

Added updates for the following recertification policy types:

  • Account Validity Type Recertification Policy – Account validity recertification is a method of determining whether or not accounts are still required.

  • Business Role and Location Membership Type Recertification Policy – The business role and location membership recertification process validates whether the membership of a business role and location is still required for a valid business purpose.

  • Group Membership Type Recertification Policy – The group membership recertification policy is used to certify group membership, including person resources for RBAC membership, group account, nested groups, and any type of direct assignment.

  • Group Validity Type Recertification Policy – The group validity recertification is a method of determining whether or not groups are still required. Certain actions must be taken if the groups are no longer required.

  • Management Role Membership Type Recertification Policy – The management role membership recertification policy is to certify the current members of a management role, including people, group, and business role and location.

  • Management Role Access Assignment Type Recertification Policy – The management role access assignment recertification process validates whether the access granted to a management role is still required for a valid business purpose.

  • Management Role Validity Type Recertification Policy – The management role validity recertification is a method of determining whether or not management roles are still required.

  • Person Validity Type Recertification Policy – The person validity recertification is a method of determining whether or not the person is still required.

Added updates for the following recertification audit types:

  • Audit with Account Validity Type Recertification Policy – Account validity recertification is a method of determining whether or not accounts are still required.

  • Audit with Business Role and Location Membership Type Recertification Policy – The business role and location membership recertification process validates whether the membership of a business role and location is still required for a valid business purpose.

  • Audit with Group Membership Type Recertification Policy – The group membership recertification policy is used to certify group membership, including person resources for RBAC membership, group account, nested groups, and any type of direct assignment.

  • Audit with Group Validity Type Recertification Policy – The group validity recertification is a method of determining whether or not groups are still required. Certain actions must be taken if the groups are no longer required.

  • Audit with Management Role Membership Type Recertification Policy – The management role membership recertification policy is to certify the current members of a management role, including people, group, and business role and location.

  • Audit with Management Role Access Assignment Type Recertification Policy – The management role access assignment recertification process validates whether the access granted to a management role is still required for a valid business purpose.

  • Audit with Management Role Validity Type Recertification Policy – The management role validity recertification is a method of determining whether or not management roles are still required.

  • Audit with Person Validity Type Recertification Policy – The person validity recertification is a method of determining whether or not the person is still required.

Create schema extensions for Azure AD user extension attributes

Added support for creating schema extensions for Azure AD user extension attributes. For example, added 10 directory extension attributes, DirectoryExtensionAttribute1 through DirectoryExtensionAttribute10, to the Account, Group, and Person components.

Implementation of directory extension attributes in both the Azure AD SCIM microservice and the Azure AD SCIM connector is complete.

Create and edit Management Role Types

Added support for creating and editing Management Role types for admins.

Management Role Naming Convention

Added support for the use of the NamePrefix and Suffix fields from the ManagementRoleType table.

Add hardcoded controls for common cases

Added hardcoded controls for common cases such as:

  • Person single autocomplete

  • Person multi lookup autocomplete

  • Management Role single, Management Role multi

  • Group single, Group multi

  • Account single, Account multi

Use the assignee picker as a form control

Implemented the ability to use the assignee picker as a form control.

Resource Admin

  • Listing of owned applications (EmpowerID and Azure applications where the logged-in user is the Access Manager)

  • Application details with runnable EmpowerID actions (edit, delete, etc.)

  • Azure application onboarding workflow

  • Application "more info" box (localizable)

All microservices

  • Single sign-on/sign-out improvements (including token refresh)

  • Docker containers updated (build steps simplified, base/build images version updates)

Enhancements to Workflow Studio

  • New template for SCIM Microservices targeting .NET 5

  • New template for Azure Functions targeting .NET 5

  • New template for Microservices targeting .NET 5

  • Support for .NET 6 in WFS extensions/libraries

  • Ability to create lookups that allow the user to enter their own SQL query

Enhancements to the Business Request Engine

  • Added Approval Flow Step Auto Approval Rule – Allows for approvals at the step level if the current approver can make the decision without including the person who can approve it as a potential approver

  • Added Resource Owner Assignee to the approval control

Migrate the mobile app from Xamarin.Forms to .NET 6 MAUI

Migrated the existing mobile app from Xamarin.Forms to .NET 6 MAUI.

  1. Removed old dependencies and used the latest Microsoft implementation

  2. Reviewed and refactored code

  3. UI components changed

Other Enhancements and improvements

  • Added Notification Queue tab to the Find Notification pages

  • Added Functional Access cards to the Management Role View One pages

  • Added deeper integration of Workflow Studio with Visual Studio 2019

  • Added support for externalizing workflow data to the workflow engine

  • Added support for navigating back in a wizard workflow implementation whilst maintaining context

Management Role Naming Convention

  • Implemented Management Role naming convention such that it uses the prefix and suffix from the ManagementRoleType table and it is able to evaluate expressions

  • For example, if the prefix for the Management Role type is set to “ACT”, then the new naming convention builds the name as ACT + whatever is entered in the name field

Filter management roles

Added support for role admins to filter management roles by selecting a reference person as a member.

A role admin can select a person and see what that person is a member of (resultant and direct) and what they are not yet a member of.

Filter Groups

Added support for role admins to filter groups by additional advanced criteria such as member and owner.

Added support for showing more information for all resources

Similar to applications, which have an info pop-up to which links can also be added, this ability has been introduced for all other resources.

An end user can therefore view more information for all resources.

For this, a field was introduced in the legacy UI for each of the affected resources.

This is implemented for Groups, Business Roles, Management roles, Protected Applications, Shared Folders, Mailboxes, Computers, AZ Local roles, and Az License Pool Service Bundle.

Support for viewing and searching for computers in the IT Shop

Completed the changes to allow users to request two types of access to computers:

  1. Login Session Access (PSM; involves shared credentials)

  2. Membership Based Access (ResourceAccessRequestAssignee)

Login Session Access includes the following parameters:

  1. Users can select one-time access or pre-approved access. On BusinessRequestItem, if the pre-approved flag is set to false, then it is one-time access and the start and end dates are used as the time constraint.

  2. Personal or SharedCredential access. On BusinessRequestItem, this is stored in RequestDataExternalObjectID.

Membership Based Access includes the following parameters:

  1. Users can select one-time access or pre-approved access. On BusinessRequestItem, if the pre-approved flag is set to false, then it is one-time access and the start and end dates are used as the time constraint.

  2. A person belonging to the core identity. On BusinessRequestItem, this is stored in RequestDataAssigneeID.

  3. Access level. On BusinessRequestItem, the access level (ResourceAccessRequestAssignee) is stored in RequestDataTargetResourceTypeRoleID and the group associated with the access level is stored in RequestDataAssignmentPointID. If RequestDataTargetResourceTypeRoleID is null or empty, then it is login-based access.
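The field conventions above determine how a computer-access request item is interpreted. The following is an added example, not EmpowerID's own code: it models the BusinessRequestItem columns the notes name (the dataclass and helper names are assumed), classifies an item as login-session or membership-based access using the null/empty RequestDataTargetResourceTypeRoleID rule, and reports items whose time window or target fields are inconsistent with the notes.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed, simplified view of the BusinessRequestItem columns named in the
# release notes. Column names come from the notes; the class is illustrative.
@dataclass
class BusinessRequestItem:
    pre_approved: bool
    start_date: Optional[datetime]
    end_date: Optional[datetime]
    request_data_external_object_id: Optional[str] = None  # credential (login session)
    request_data_assignee_id: Optional[str] = None  # person (membership)
    request_data_target_resource_type_role_id: Optional[str] = None  # access level
    request_data_assignment_point_id: Optional[str] = None  # group tied to the access level


def access_kind(item: BusinessRequestItem) -> str:
    """Null/empty RequestDataTargetResourceTypeRoleID means login-session access."""
    if not item.request_data_target_resource_type_role_id:
        return "login-session"
    return "membership"


def access_window(item: BusinessRequestItem) -> str:
    """PreApproved=false means one-time access bounded by StartDate/EndDate."""
    return "pre-approved" if item.pre_approved else "one-time"


def validate(item: BusinessRequestItem) -> List[str]:
    """Return findings for an item that is incomplete under the conventions above."""
    findings = []
    if access_window(item) == "one-time":
        if item.start_date is None or item.end_date is None:
            findings.append("one-time access needs both StartDate and EndDate")
        elif item.end_date <= item.start_date:
            findings.append("EndDate must be after StartDate")
    if access_kind(item) == "login-session":
        if not item.request_data_external_object_id:
            findings.append("login-session access needs a credential in RequestDataExternalObjectID")
    else:
        if not item.request_data_assignee_id:
            findings.append("membership access needs a person in RequestDataAssigneeID")
        if not item.request_data_assignment_point_id:
            findings.append("membership access needs the access-level group in RequestDataAssignmentPointID")
    return findings
```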

Added support for configuring risk paths in the UI

Added support for making risk paths configurable in the UI so that they can be aggregated by risk in the to-do list and process steps.

  1. In the to-do list, the decisions for a risk step are shown only once at the top, and the paths can be collapsed; they are closed by default.

  2. In the process steps, the paths for an assignee and a risk are aggregated in a similar way; they are closed by default and can be collapsed.

Assign Field Types to Global Rights with Field Values

Added support for assigning field types and values to global rights/definitions.

This is implemented for cases where values come from list data items.

Other Enhancements and improvements

  • Added support for Azure AD connector deployment.

  • Added support to create a simple management role access granted recertification policy type

  • Added support for aligning sorting/advanced search property names.

  • Added support for shop by applications as a requestor.

  • Finalized support for managed access to credentials.

  • Added the ability to filter by Audit.

  • Added support for end users to manage their out-of-office status.

  • Refactored MyID microservice application.

  • Added support to test the PBAC PDP endpoints from the developer authorization example page.