Release Notes for EmpowerID Version 2.10.0.0

Release Date: 03/XX/2024

We are pleased to announce the release of EmpowerID Version 2.10.0.0, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:

New and Improved Connectors

Google Cloud Connector

With this release, EmpowerID adds the Google Cloud Platform (GCP) connector to its out-of-the-box connector library. This new connector adds to our library and provides optimized identity management for GCP through EmpowerID. With seamless integration with Google Cloud Platform, the GCP Connector offers significant benefits for IT administrators. Organizations can now efficiently manage identities within the GCP environment, aligning with our commitment to delivering cutting-edge solutions for robust and secure identity governance.

The GCP Connector offers the following features:

  • User and group management: Create, update, and delete operations.

  • Service account actions: Create, update, and delete service accounts.

  • Group membership scenarios: Handle additions, removals, ownership changes, and cross-group memberships.

  • Role changes: Flexible management of role assignments.

  • GCP guest accounts: Addition to and removal from groups.

  • Inventory Management: Support for both incremental and full inventory.

Enhanced Azure B2C Connector

The Azure B2C Connector has undergone an upgrade, now allowing for the inventorying of application objects. This new feature presents a more comprehensive approach to managing and overseeing applications within the Azure B2C environment. With this upgrade, users can now effectively track and manage their application objects, greatly enhancing their resource management capabilities. We are confident that this upgrade will provide our users with a positive and productive experience.


Updated Microservices

Resource Admin

In our continual pursuit to improve user experience, we are pleased to announce significant updates to the Resource Admin microservice in our latest release. These enhancements bring increased control, flexibility, and efficiency to managing resources, tailored to improve user experience significantly.

To provide a more detailed picture of the enhancements, here's what you can expect:

More Options for Managing Applications

New Application Actions

We have enhanced the Applications Resource page to include a range of actions that streamline application management workflows. These updates are designed to provide users quick access to key functionalities, allowing for efficient and context-free execution of various tasks. Added actions include the following:

  • Create Azure Claims Mapping Policy

  • Assign an Application Role Definition

  • Assign Application Right

  • Configure Field Types for Rights

  • Manage App Rights/Role Settings

  • Manage Application Wizard

  • Manage Azure Application Wizard

  • Onboard a Non-Azure Application

  • Onboard an Azure Application

Quicker Access for Managing API Permissions

The API Permissions page for applications has been updated to include a new button for adding API permissions to applications. With this new button, the process of managing API permissions is more straightforward. It allows administrators to quickly and easily modify or extend the API access for applications, contributing to improved functionality and security management.


Enhanced Time Constraint Options

Time Constraints in Assigning Role Definitions

With this release, we have introduced the ability for users to specify time constraints when assigning Role Definitions to people. This feature, accessible from both the Application and Person pages, offers increased control and flexibility. It significantly enhances how access is managed within applications, allowing for more precise timing in role assignments.


Time Constraints in Assigning App Management Roles

Additionally, we've extended the capability to specify time constraints to the assignment of App Management Roles. Similar to Role Definitions, this can be done through the Application or Person pages. This enhancement aims to improve access management within applications, allowing users to define specific time frames for assigned roles.


Streamlined Eligibility Configuration for Applications

Users can now directly view and manage the eligibility configurations for an application from its overview page. This enhancement simplifies the process of modifying application eligibility settings, making it more straightforward and user-friendly. This change makes managing access and eligibility within applications more efficient and accessible.


Improved Application Type Interfaces

In our latest update, we have refined the Application pages within the Resource Admin to ensure a clearer differentiation between protected subcomponents specific to different application types. This refactoring prevents subcomponents unique to Azure Applications and PBAC (Policy-Based Access Control) Applications from appearing inappropriately on pages designated for other types of applications. This enhancement aids administrators in managing and configuring applications more efficiently by providing a more intuitive and context-specific interface.

Improved Group Management

With this update, we are introducing several enhancements to improve group management within Resource Admin. These updates provide administrators more control and flexibility when managing groups, nested group memberships, and access permissions. Here’s an overview of the new features and benefits:

Additional Membership Changes Fields

We have updated the Membership Changes grid for groups to include additional fields that provide more detailed information about changes in group memberships. New fields include the Source of Change field and the Source Assignment for Membership field. These new fields are designed to enhance the understanding and tracking of membership modifications.


Nested Group Membership Management

Users now have the capability to add, remove, and view nested group members within a group. This feature is designed to provide more detailed control over group hierarchies and membership and simplify the management of nested groups.


Eligibility Configuration on Group Overview Page

The group overview page now includes the functionality to view and configure group eligibility. This allows for easier management of group eligibility directly from the overview page and streamlines the process of configuring and viewing group eligibility.


RBAC Assignments for Groups

Group owners now have the ability to view and manage RBAC assignments for groups. This provides users the tools for direct and efficient management of access controls linked to various groups, enhancing the overall administration of group permissions and access rights.


RBAC Assignment Previews

Group owners can now preview the number of memberships that will be affected by selected RBAC assignments before finalizing them. This enhancement allows group owners to see how many members will be added to a group based on their pending assignments, providing a clearer understanding and better control over group composition changes. This update aims to improve decision-making and accuracy in RBAC management.


More Options for Managing Management Roles

With this release, we are introducing updates to managing Management Roles to provide a more intuitive and efficient experience for administrators and users. These enhancements include more versatile options for role membership and streamlined actions on the Management Roles Resource page. Here's a closer look at what's new:

Management Roles as Members

Users now have the ability to dynamically manage the membership of Management Roles. This new functionality is accessible through the Management Roles as Members grid interface. When a Management Role is added as a member of another (parent) Management Role, all members of the added (child) role automatically inherit the access assignments of the parent role.


Enhanced Membership Options for Management Roles

Users can now add groups, SetGroups, and Business Role and Location Combinations as “Other Types of Management Role members.” This enhancement allows for more versatile and comprehensive role configurations, catering to complex organizational structures and access needs.


View and Add Access Assignments to Management Roles

Users now have the ability to view and manage the access assignments granted to Management Roles via the Direct Access Granted tab of a target Management Role.


The tab includes an ‘Add New Access Assignment’ button, which initiates the Grant Actor Access workflow. The workflow guides users through selecting the type of access and the resources to grant to the Management Role.


View Total Access Granted to Management Roles

Users can now view the total access granted to a Management Role from the Total Access Granted menu item. The menu item displays all the access rights that have been granted to a particular Management Role. It includes detailed information on the types of access, the specific resources involved, and the scope of each access right.


Grant Access to Additional Management Roles

Users can now assign additional Management Roles to an existing Management Role via the Management Roles Granted as Access grid. This effectively means that individuals with the primary Management Role automatically gain the access rights and privileges of the additional roles.


More Management Role Actions

We have updated the Management Roles Resource page with new actions to simplify managing Management Roles by providing easier access to key functionalities.

  • Manage Management Role Wizard: A new action to launch the Manage Management Role Wizard has been added. This wizard is tailored to make the configuring and updating of Management Roles more straightforward.

  • Onboard Management Role Workflows: The page now includes an action for initiating the Onboard Management Role workflow.


IAM Shop

The IAM Shop has been updated to enhance functionality and user experience, refining the process of requesting IT resources and simplifying user interactions. Here’s an overview of what’s new in the IAM Shop:

Announcements

EmpowerID has rolled out a new Announcement feature to ensure users stay updated with essential and timely information about the product. This feature integrates notifications across all EmpowerID applications, guaranteeing that users are always aware of significant updates. The core goal of the Announcement feature is to improve user engagement and awareness within the platform.

Key aspects of the Announcement feature include:

  • Creation of Customized Messages: Administrators can craft tailored announcements for EmpowerID application users, featuring a specific title and detailed content.

  • Scheduling and Timing Control: There's flexibility in scheduling these announcements, allowing administrators to set the duration of their visibility, ensuring timely relevance.

  • User Acknowledgment Option: Administrators can require user acknowledgment for certain announcements, enhancing the interaction with critical updates.

  • One-Time Message Capability: For less critical information, administrators can opt for one-time messages that don't require user acknowledgment.

Enhanced Shopping Experience

Activate Button Added for Preapproved Resources

An "Activate" button has been added for users preapproved for resources through Eligibility policies in EmpowerID. This feature, visible in the Request Access and Manage Access grids for each resource, enables users with preapproval to gain immediate access to resources. Upon clicking the "Activate" button, access is granted directly without needing further approvals or business request creation. This streamlines the process, allowing EmpowerID to fulfill the assignment promptly and efficiently.


Enhanced Visibility of Functions for Azure Roles

Users shopping for Azure Roles can now view the functions included with those roles before requesting access to those roles or activating them if preapproved. This allows users to know whether the functions granted are suitable for their needs before submitting the request.


Shop Reference Person Access

We are pleased to introduce the "Shopping By Reference Person" feature in the IAM Shop, aimed at simplifying the access request process for new hires or employees stepping into roles similar to existing ones. This feature enables the replication of access rights and privileges, including applications, computers, Azure Licenses, Azure Roles, and credentials, directly from an existing employee's profile to that of a new employee.

By utilizing the "Show Reference Person Access" option, users can view the current access levels of a selected reference person within the IAM Shop. This access configuration can then seamlessly apply to a new individual, ensuring a consistent and efficient onboarding experience. This addition is designed to make the access request process more efficient and user-friendly, particularly for roles with standard access patterns.

Enhanced Privileged Session Manager Options

Added Support for Telnet Sessions on Cisco Devices

Privileged Session Manager (PSM) now supports Telnet sessions for Cisco devices, expanding its device compatibility and ensuring reliable PSM session connectivity and communication.

Added Support for VNC Protocol

Privileged Session Manager (PSM) has been updated to support the Virtual Network Computing (VNC) protocol. This means that users can now easily select the VNC protocol during the computer onboarding process and initiate PSM sessions with computers that use the VNC protocol.

New Feature for Key Logging

A new feature has been added to enable keylogging to gain detailed visibility into privileged sessions. It's important to note that the keylogging feature has been designed with privacy in mind, ensuring that sensitive user data and credentials are not logged. This feature provides an added layer of security and auditability by capturing keystrokes during sessions, offering valuable insights into user activities.

Encrypted PSM Recordings

All PSM session recordings are now encrypted by default for enhanced security. Additionally, to maintain strict control over who can access the recorded content, explicit authorization is required to play these recordings. Users have the option to encrypt specific recordings with a non-default key, which will ensure that they are not only secure when at rest but also watchable only if authorized.

My Tasks

My Tasks has been updated with several features to improve the user experience handling business requests. These enhancements are designed to streamline the review and response process, making it more efficient and user-friendly.

Predefined Approval Comments

Users now have the option to choose from a set of predefined comments when approving a business request. This addition simplifies the approval process by providing quick, standardized responses that can be used to communicate decisions effectively. This feature not only saves time but also ensures consistency in communication across different approvals.


Enhanced Functional Access Information

The latest update to the My Tasks app brings a significant enhancement in the form of detailed functional access information. With this new feature, approvers are now equipped to view the current functional access of a user when considering approval for additional requested access. This added layer of visibility enables approvers to make more informed and intelligent decisions, assessing whether the new access is necessary or redundant. This enhancement streamlines the approval workflow by providing approvers with comprehensive information, facilitating efficient and effective management of business requests in the system.


Wizard Workflows

This release features new or updated wizard workflows, which streamline various aspects of Azure application management and improve onboarding procedures for individuals, groups, accounts, mailboxes, credentials, computers, and Management Roles.

Onboard Account Workflow

EmpowerID's latest update introduces the "Onboard Account" Wizard Workflow, a new feature designed to facilitate the manual onboarding of user accounts. This workflow represents a significant addition to EmpowerID, aiming to enhance the account creation process in several ways.

Detailed Features of the New Onboard Account Wizard Workflow:

  1. Diverse Account Creation Options:

    • Individual and Technical Accounts: Users can create accounts for individuals and technical purposes like service accounts, which are crucial for automated processes and are not associated with any individual user.

    • Suitable for Various Environments: The workflow is adaptable for various environments, including creating local user accounts on Windows or Linux servers and user accounts in directories like LDAP, Active Directory, Azure, and ServiceNow.

  2. Efficiency and User-Friendliness:

    • Streamlined Process: The wizard simplifies the onboarding process, making it more straightforward and less time-consuming.

    • Intuitive User Interface: With a focus on user experience, the workflow features an intuitive interface that guides users through each account creation step.

  3. Capabilities for Different Scenarios:

    • The wizard can handle a range of scenarios, from creating a single account for a new user to setting up multiple accounts for different services or platforms.

    • It provides options to customize account settings based on the user's specific needs or the account's technical requirements.

  4. Attribute Management:

    • The workflow includes managing and assigning attributes to new accounts, ensuring that all necessary information is accurately captured and associated with each account.


Manage Person Wizard Workflow

The introduction of the Manage Person Wizard provides efficient and user-friendly management of Person objects in EmpowerID. The wizard workflow provides the following options for managing Person objects:

  • Disable a person

  • Modify and update specific attributes associated with a person

  • Enable a previously disabled person

  • Initiate the Leaver Events for a Person leaving the organization, ensuring proper workflows are followed.

  • Initiate Mover Event for Person

  • Unjoin Person Core Identity


Manage Management Role Wizard Workflow

The Manage Management Role workflow has undergone several improvements to enhance its functionality and usability. Key enhancements include:

  1. Enhanced Role Function Assignment:

    • We have introduced the capability to assign and unassign local functions directly to and from Management Roles. This enhancement provides greater flexibility and precision in defining the scope and responsibilities of Management Roles.


  2. Updated Ownership and Responsible Party Requirements:

    • The workflow has been updated with a new requirement that ensures the responsible party and the owner of a Management Role cannot be the same individual. This change ensures a more robust and accountable management structure, promoting better governance and oversight within Management Roles.


Onboard Management Role Wizard Workflow

The Onboard Management Role workflow has been enhanced to provide users a more efficient and versatile experience when onboarding new Management Roles. Here’s an overview of what’s new:

  1. Management Role Bundling:

    • Role creators now have the ability to assign other Management Roles as members of the new role. This feature facilitates the creation of 'Management Role bundles', allowing for a more organized and cohesive management of roles within complex organizational structures.


  2. Inclusion of Business Roles and Locations:

    • The workflow has been expanded to include Business Roles and Locations as members of a Management Role during the onboarding process. This addition enhances role customization, allowing organizations to grant role members specific Business Role and Location combinations during the role assignment process.


  3. Updated Ownership and Responsible Party Requirements:

    • The workflow has been updated with a new requirement that ensures the responsible party and the owner of a Management Role cannot be the same individual. This change ensures a more robust and accountable management structure, promoting better governance and oversight within Management Roles.

Additional Improvements

UI Enhancements for Microservices

We've implemented several UI enhancements across our microservices, aiming to elevate the overall user experience. These improvements include more intuitive layouts optimized for ease of use and efficiency. Users will notice cleaner interfaces with better-organized elements, ensuring quicker access to necessary features. Among these improvements is the introduction of flyout menus. When users hover their mouse over menu items, they will now see an expanded flyout, providing immediate access to additional options and features. The updates are designed to make interactions with our microservices more seamless and visually appealing, reflecting our commitment to providing a user-centric platform.

New Permanent Workflow for Out Of Office

In this release, we introduce a new permanent workflow feature that automatically updates the OutOfOffice flag for individuals in our system. This workflow is triggered when the OutOfOffice Start Date (OofStartDate) is reached, and the OutOfOffice flag is currently set to false for a person. Upon activation, the workflow sets the OutOfOffice flag to true, ensuring that the person's status is accurately reflected in the system without manual intervention. This feature enhances the accuracy and efficiency of status updates for users leaving the office.

Security Enhancement

In response to a medium-risk vulnerability identified as "Use of a Broken or Risky Cryptographic Algorithm" (OWASP A02:2021 Cryptographic Failures), our latest release addresses the susceptibility of password hashing operations to brute force attacks due to a single SHA-512 iteration. The vulnerability could compromise hashed passwords, potentially leading to unauthorized access to user passwords if the server is compromised. To fortify our system against such threats, we have replaced the single SHA-512 digest with PBKDF2 for password hashing, using the recommended iteration counts (600,000 for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512). This proactive measure significantly bolsters cryptographic security, mitigating the risk of brute force attacks and ensuring a more robust defense for user data.
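To illustrate the change described above, here is an added example (not EmpowerID's own code) that contrasts a single unsalted SHA-512 digest with salted PBKDF2 at the iteration counts quoted in the note, stores the parameters alongside the hash so the count can be raised later, and verifies in constant time. The record format `pbkdf2$<prf>$<iterations>$<salt>$<hash>` and the `needs_rehash` policy check are assumptions for the example.

```python
"""Added example (not EmpowerID code): salted PBKDF2 password hashing with
the OWASP iteration counts quoted in the release note, contrasted with the
single unsalted SHA-512 round the note identifies as the weakness."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration counts quoted in the release note (OWASP recommendations).
ITERATIONS = {"sha256": 600_000, "sha512": 210_000}


def legacy_sha512(password: str) -> str:
    """The weak scheme: one unsalted SHA-512 round. It is fast to compute,
    and identical passwords always yield identical digests, so a leaked table
    is cheap to brute-force and vulnerable to precomputed lookups."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, prf: str = "sha256",
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2$<prf>$<iterations>$<salt>$<hash>.
    Storing the PRF and iteration count next to the hash lets the policy be
    raised later without invalidating existing records (assumed format)."""
    if prf not in ITERATIONS:
        raise ValueError(f"unsupported PRF: {prf}")
    salt = salt if salt is not None else os.urandom(16)  # per-record random salt
    iterations = ITERATIONS[prf]
    digest = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${prf}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the parameters stored in the record and compare
    in constant time so the comparison leaks no timing information."""
    try:
        scheme, prf, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record (e.g. a legacy hex digest)
    if scheme != "pbkdf2" or prf not in ITERATIONS:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, prf: str = "sha256") -> bool:
    """True when a stored record is below current policy: a legacy SHA-512
    hex digest, a different PRF, or a lower iteration count. Call after a
    successful login so old records are upgraded transparently."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "pbkdf2":
        return True
    return parts[1] != prf or int(parts[2]) < ITERATIONS[prf]


if __name__ == "__main__":
    # Constructed sample password for demonstration only.
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("legacy record needs rehash:", needs_rehash(legacy_sha512("x")))
```

Because the salt is random, hashing the same password twice yields different records; only `verify_password` can confirm a match.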


Resolved Issues

Improved Session Management in IAM Shop

We have addressed the issue of frequent session timeouts that users experienced in the IAM Shop, particularly during cart-related activities. Previously, users encountered interruptions while adding or editing items in the cart or during the cart submission process. This update ensures a smoother, uninterrupted experience in the IAM Shop, enhancing user efficiency and convenience.

Invalid Logout Request Error in EmpowerID

The problem of 'invalid logout request' errors in EmpowerID has been successfully resolved. This issue primarily occurred when users had multiple tabs of EmpowerID open and left the system idle for a certain period. With this fix, users can expect more stable sessions, especially in multi-tab usage scenarios, reducing interruptions and improving the overall user experience in EmpowerID.

OTP Authentication Failures

With this release, a significant improvement has been made to the One-Time Password (OTP) authentication process. Users previously faced challenges logging in using the Microsoft Authenticator app when the OTP code included spaces, whether at the beginning, end or between characters. This issue has now been resolved. With this update, users can successfully authenticate their login regardless of spaces in the OTP code, ensuring a more reliable and user-friendly experience during the authentication process.

Renaming Attributes in Dynamic Hierarchy Policies

This release addresses a specific issue concerning the renaming of attributes within dynamic hierarchy policies. Before this fix, altering only the case of an attribute name (for example, changing "dublin" to "Dublin") caused the dynamic hierarchy policy to create two distinct groups, which in turn caused errors in LDAP calculations. This issue has now been rectified. The dynamic hierarchy policy now handles case-only changes to attribute names correctly, ensuring a smooth and error-free process in LDAP calculations.

Group-to-group assignments data import

We have addressed and resolved an issue in the 'MassUploadGroupToGroupAssignments' workflow. Previously, users encountered an error when attempting to upload CSV files with two missing header titles, which disrupted the workflow process. With this update, the workflow has been enhanced to allow the uploading of CSV files, even if they are missing two header titles. This fix ensures a smoother and more reliable experience in mass uploading group-to-group assignments, improving the overall functionality of this workflow.
