Release Notes for EmpowerID Build 7.211.0.0


We are pleased to announce the release of EmpowerID Build 7.211.0.0, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:

Connectors

GCP Connector

In this latest release, the GCP Connector has evolved to provide more advanced capabilities, ensuring an unparalleled experience in managing your Google Cloud Platform (GCP) resources.

The GCP Connector currently offers the following features:

  • Inventory of standard, service, and guest accounts with incremental and full inventory support.

  • Inventory of groups with incremental and full inventory support.

  • Inventory of group memberships for all account types with incremental and full inventory support.

  • Inventory of nested groups under a parent group.

  • Create, update, disable, and delete standard accounts.

  • Enable, disable, and delete service accounts.

  • Create, update, and delete groups.

  • Provisioning accounts through EmpowerID Resource Entitlements.

  • Resetting passwords for GCP accounts.

  • Handling group membership additions, removals, and ownership changes for all account types.

  • Assigning group memberships to accounts with management role (RBAC) assignment.

Microservices

EmpowerID Announcements (Notifications)

We have implemented a notification system across all our microservices to inform end-users about important updates and events related to EmpowerID. This system is designed to provide personalized notifications based on user preferences and predefined policies. Users will receive notifications for important events such as planned maintenance, changes in system status, and custom events.

To manage the notifications, administrators will use the EID Announcements Workflow Wizard. This tool allows them to create, edit, and delete notifications and policies, ensuring efficient user communication. Administrators can create announcements with titles, bodies, and banners/popups, which can be scheduled and may require acknowledgment or serve as one-time messages. These announcements are visible across all registered applications and tailored to target audiences. The Announcement component centralizes date ranges, content, tracking, and prioritization and supports localization.


IAM SHOP

Person Search Functionality

Users can now search for a person using different criteria, such as email, first name, last name, full name, and login credentials, during the Shopping for Someone Else process from IAM Shop. When using this shopping mode, an expanded search box will appear, making it easier for users to enter and search for the necessary details to find the correct person. This update provides more flexible and efficient search capabilities.


Activate Now for Applications in Request Access Screen

The Request Access and Manage Access screens have been enhanced to display an ActivateNow button for pre-approved application roles (appRoles), role definitions (RoleDefs), and management roles (ManagementRoles) when the policy SkipBRIfPreApproved is set to true, allowing users to activate these roles without additional approval steps. Additionally, the Manage Access screen will now show all pre-approved roles assigned to the user, regardless of the application's eligibility status.


A new EnableEligibility property has been added to indicate that if an application is pre-approved or eligible, all granular roles under it will also be considered pre-approved/eligible and displayed accordingly. This update streamlines the activation process, improves user experience, and provides greater transparency of access rights.

Process Steps with Descriptive Information

Users can now easily understand the purpose of each step by viewing its descriptive information, which is derived from the 'LocalizedBusinessRequestItemTypeActionFriendlyName' field in the database. When designing No Code Flows, administrators can provide detailed descriptions so that users are well-informed and can proceed with confidence, knowing exactly what each step does.


Added Instructions while Requesting Access to an Application

We have added a feature that lets users view instructions when requesting access to an application through IAM Shop. Users can now find helpful instructions regarding appRoles, appRights, and appManagementRoles while shopping for access.


Enhanced Visibility to Credential Type of the Azure App Secret

With the addition of a 'Credential Type' column and a filter, users can now easily identify and differentiate between various types of credentials. This information empowers users to make more informed decisions when managing their app secrets, ensuring they have clear visibility into the specific types of credentials.


Split Business Request by Field Type Value of AZLocalRight

If the Split Business Request by Field Type Value setting is enabled at the AZLocalRight level, routing approvals will be required based on each field type value. This means that there will be a separate item in the business request for each field type value, and as a result, the shopping cart will have as many items as there are field type values.

OnboardAZ Global Function Workflow

In this release, we have introduced a new workflow for managing global functions. Users can now select ‘Global Rights,’ create new global functions, and map rights accordingly. This enhancement streamlines the process of managing global permissions, making it more efficient and user-friendly.


Generate Local Function Mapping Policy Workflow

In this release, we introduced a workflow, GenerateLocalFunctionMappingPolicy, designed to simplify the creation of Local Functions and Rights Mapping Policies. This workflow automatically generates Local Functions for each resource system type based on Global Functions and their mapped rights. Users can configure whether to consolidate all rights into one policy per Local Function or create separate policies for each right.


Onboard Az Local Function Policies Workflow

In this release, we're introducing the "OnboardAzLocalFunctionPolicy" workflow, aimed at simplifying the generation of Rights Mapping Policies for selected rights, particularly suited for systems like Azure. This workflow allows users to choose multiple rights and either consolidate them into one Rights Mapping Policy or create individual policies for each right. This workflow does not yet support the selection of field-type values for rights. It's designed to streamline policy creation within Azure and similar systems, enhancing usability and efficiency for users.

 


Added a Pre-Approved Filter for AzureRoles

We've introduced a new filter for Pre-Approved in both the Request and Manage Access screens specifically tailored for AzureRoles. This enhancement empowers users to swiftly identify and manage pre-approved AzureRoles, further optimizing access management workflows. This new filter allows users to easily navigate their roles, ensuring smoother and more efficient searching.


FreeTextMultiValue Control Type for PBAC Field Type

We have added the FreeTextMultiValue SelectionRule/Control type for the PBAC field, which lets users and administrators add any key/value pairs. This is helpful when there's no predefined list of options and a sequential range doesn't fit. For example, it allows users to specify company codes for which they have the ApprovePurchase order permission without needing a predefined list of company codes.

Resource Admin

We are pleased to inform you about the recent updates to the Resource Admin microservice. These updates are designed to improve the user experience by providing better control, flexibility, and efficiency in managing resources. For further details on these updates, please refer to the information below.

Improved Caching Mechanism for Faster Retrieval of Locations Data for Groups/Management Roles

An enhanced caching mechanism has been implemented to optimize data retrieval for Locations associated with Groups/Management Roles. This significantly improves the speed of fetching data, enhancing user experience.

Field Type Management for PBAC Application

We have added the ability for Resource Admins to directly add, edit, and delete field types within the application details interface for PBAC-supported applications.

 


Enhanced PBAC Approver Resolution for AzLocalRole Assignments

This update introduces an enhancement to the PBAC system, extending the rule for resolving approvers from PBAC Right assignments to AzLocalRole assignments. By mapping approval rights to AzLocalRight and AzLocalRole, the system automatically identifies approvers based on specified criteria, such as possessing the approval right for the local right or role specified in the Business Request Item. This streamlined approach ensures that only direct assignees with the necessary qualifications are considered approvers, simplifying the approval process and enhancing user experience.

Easier Management of App Right With Field Type for PBAC Applications

In this release, we have made some improvements to simplify application rights management for PBAC Applications. We have added a new functionality allowing you to easily add and assign app rights. By clicking the "Assign App Right" button, you will trigger a workflow where you can select the app right you want to grant and to whom, along with the relevant field type values. Additionally, you can use the "Edit" button to update the app rights and the selected field type values. This addition has made it easier for users to access and modify application rights directly.


Easier Management of Role Definition Assignments With Field Type for PBAC Applications

We have introduced an update that simplifies assigning role definitions within PBAC Applications. A key feature of this update is the "Assign Role Definition" functionality, which makes the assignment process more efficient. Users can easily assign role definitions and Field Types to specific individuals or groups using the "Assign Role Definition" button. This triggers a wizard workflow that facilitates the assignment process. Additionally, users can adjust role definitions and associated parameters using the "Edit" button.


More Visibility and Easier Management of the Field Types from App Rights

By simplifying the interface, we have made managing and viewing Field Types easier within app rights. Field Types can now be accessed through a dedicated tab, which increases their visibility and makes them more user-friendly. Users can edit or delete existing field types effortlessly using this tab. Adding a new field type is also made easy through the self-service workflow called "ConfigureApplicationAuthorizationFieldType." To add a new field type, simply click the Add Field Type button, and the workflow will guide you through seamlessly integrating it into your app rights.


Visibility of Inventoried Permissions for Shared Folders

All inventoried permissions for shared folders are conveniently displayed within the resource admin UI. Previously, this feature was only accessible through the legacy application. With this update, users can easily access and manage inventoried permissions.


AzLocalRole Time Constraint Enhancements

The Assign AzLocalRole operation now adheres to the time limits set by the Access Request Policy. If the start and end dates are not specified (null), the system sets the start date to the current date and the end date to the current date plus the maximum time duration allowed for access (CurrentDatetime + TimeAccessMaximumDuration).

If the start and end dates are specified, the system validates the end date against the maximum allowed duration (AssignAzLocalRightScope.End > CurrentDatetime + TimeAccessMaximumDuration). If the end date exceeds the maximum duration, it is set to CurrentDatetime + TimeAccessMaximumDuration.

My Tasks

My Tasks has been updated with new capabilities to improve the user experience when managing business requests. These updates streamline the review and response process, making it more efficient and user-friendly.

  • Process Steps with Descriptive Information: Users can now easily understand the purpose of each process step by viewing its descriptive information. This information is pulled from the 'LocalizedBusinessRequestItemTypeActionFriendlyName' field in the database, providing clarity and guidance at each workflow stage.


  • Enhanced Visibility into Task Start Times: With this update, users can now view the expected start times for task completion. If a process step is configured with a "Start After X Hours" setting and is scheduled to run after a specific time, the fulfillment date for that step will be displayed within the business request details. This improvement ensures that users are informed about task progress and timing, resolving previous issues where task start times were unclear.

Process Steps with Descriptive Information

Users can now easily understand each step's purpose by viewing its descriptive information. The description is sourced from the 'LocalizedBusinessRequestItemTypeActionFriendlyName' field in the database.

Enhanced Visibility into Task Start Times from Business Request

With the latest update, users can now access information about the expected start time for task completion. If a process step has a Start After X Hours setting specified and is scheduled to run only after a specific time, the fulfillment date for that step will be provided in the details of the business request. This enhancement ensures that users know when tasks will begin, addressing previous instances where users were left uninformed about the progress of process steps.


No Code Flows

Send Email Flow Item

The Send Email Flow Item, available in No Code Flows, offers an automated solution for seamlessly integrating email communication into various processes, eliminating the need for manual intervention. This flow item lets users send customized email notifications based on specific workflow conditions. For example, when an employee exits a designated organizational zone, a notification can be sent to the regional administrator. In other scenarios, notifications can be directed to global administrators. This flexibility allows users to configure the flow item to meet their unique notification requirements.

For more detailed information, refer to the following article: Send Email Flow Item

Security Enhancements

We've introduced several key security improvements in this release to ensure the safety and integrity of your system and data:

  • SAP Library Upgrade: The SAP integration library has been upgraded to SAP .NET Connector 3.1 (SNO), improving performance and compatibility.

  • Certificate-Based SNC Authentication: We’ve added support for test certificate-based SNC authentication, enhancing the security of user authentication processes.

  • S/MIME Signing for Outgoing Emails: We now support S/MIME signing for outgoing emails to strengthen email security. This feature ensures that all emails sent from EmpowerID are digitally signed using S/MIME certificates, providing additional security and trustworthiness to your communications.

SAP Library Upgrade and Certificate-Based Authentication

The SAP integration library has been upgraded from ERPConnect to SAP .NET Connector 3.1 (SNO), offering improved performance and compatibility. Additionally, the introduction of test certificate-based SNC authentication enhances the authentication process's security.

S/MIME Signing for Outgoing Emails

We’ve strengthened email security by introducing S/MIME signing for emails sent from EmpowerID. This feature ensures that all outgoing emails are digitally signed with S/MIME certificates, providing an added layer of security and guaranteeing the authenticity of your communications.

Enhanced Tree Loading and Search Functionality

We are pleased to announce a major enhancement that significantly improves the performance of tree loading and search across location trees, with the following changes:

Dynamic On-Demand Tree Loading

  • The system now loads tree nodes dynamically as needed instead of loading the entire tree at once

  • Only the nodes required for display are loaded, significantly improving performance

  • When expanding a node, the system might load one or a few levels depending on the context

  • This approach dramatically reduces the initial loading time for large hierarchical structures

Improved Search Capabilities

  • Server-Side Full Text Search: Search now operates on the database level rather than client-side, delivering more accurate and comprehensive results

  • When performing a search:

    • The system retrieves all matches for your search terms

    • All parent nodes in the path to the root are automatically loaded

    • Search results highlight all matching nodes

    • The tree expands to display the complete path to each match

Implementation Scope

  • These improvements have been implemented in:

    • Location trees

    • Business role trees

    • External location trees

    • External business role trees

Unchanged Trees

  • The following trees continue to use the previous implementation as they don't require these enhancements due to their size:

    • Application trees

    • Company trees

    • Catalog trees

Important Changes to Mapping Functionality

When mapping external entities (roles or locations) to internal ones, there's an important update to how selection works:

  • Selection Behavior:

    • The system still automatically selects all visible children when you check a parent node

    • Important Note: Only currently loaded/expanded nodes will be selected

  • Required User Action:

    • To select all descendants under a node, you must first expand that node to display its children

    • Nodes with a "+" indicator contain unexpanded children that will not be automatically selected unless expanded

    • Make sure to expand all relevant nodes before making your selections

These changes significantly improve performance for users with large hierarchical structures that previously required extensive loading time. This change affects the Business Role Mapper, External Business Role Mapper, and External Location Mapper. To learn more about the tree functionality, see the Location Mapper Tree guide.
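The selection rule above can be modelled in a few lines to show why checking a parent before expanding it yields an incomplete mapping, and how a pre-submit check would flag it. This is an added example, not EmpowerID code; the node shape, function names, and sample tree are constructed for illustration.

```javascript
// Constructed model of a lazily loaded tree. Node shape and function names
// are hypothetical and are not EmpowerID's API.
function node(name, children = []) {
  // loaded = children fetched and displayed; false means the UI shows "+".
  return { name, children, loaded: false, checked: false };
}

// Constructed sample hierarchy.
function sampleTree() {
  return node("Europe", [
    node("Germany", [node("Berlin"), node("Munich")]),
    node("France", [node("Paris")]),
  ]);
}

function findNode(n, name) {
  if (n.name === name) return n;
  for (const c of n.children) {
    const hit = findNode(c, name);
    if (hit) return hit;
  }
  return null;
}

function expand(n) { n.loaded = true; }
function expandAll(n) { n.loaded = true; n.children.forEach(expandAll); }

// Checking a node selects it and every descendant that is currently loaded.
function check(n) {
  n.checked = true;
  if (n.loaded) n.children.forEach(check);
}

// Names that would be submitted to the mapping.
function selectedNames(n, out = []) {
  if (n.checked) out.push(n.name);
  n.children.forEach((c) => selectedNames(c, out));
  return out;
}

// Pre-submit check: checked nodes that still have unexpanded children,
// whose descendants were therefore silently left out of the selection.
function unexpandedSelected(n, out = []) {
  if (n.checked && !n.loaded && n.children.length > 0) out.push(n.name);
  n.children.forEach((c) => unexpandedSelected(c, out));
  return out;
}

// Parent checked while "Germany" is still collapsed.
function partialSelection() {
  const root = sampleTree();
  expand(root);
  expand(findNode(root, "France"));
  check(root);
  return { selected: selectedNames(root), warn: unexpandedSelected(root) };
}

// Everything expanded first, then the parent checked.
function fullSelection() {
  const root = sampleTree();
  expandAll(root);
  check(root);
  return { selected: selectedNames(root), warn: unexpandedSelected(root) };
}

console.log(partialSelection());
console.log(fullSelection());
```

In the first scenario Berlin and Munich are missing from the mapping and "Germany" is reported as still collapsed; in the second all six nodes are selected and nothing is flagged.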

System Optimization and Performance Enhancements

RBAC Performance Enhancements

This release introduces a series of critical improvements to EmpowerID's RBAC system, focusing on enhanced stability, performance, and flexibility.

  • Index Views Replaced by Compiled Tables: A significant architectural enhancement replaces index views with compiled tables. This change improves system stability and boosts overall performance.

  • Resolved Crashes in ResourceTypeRole and Location Delegations: We have resolved an issue that caused system crashes when creating new ResourceTypeRole or Location delegations. These delegations can now be created without any interruptions.

  • RBAC Enhancements Using GUIDs: All RBAC processes now use GUIDs for compiled processes while continuing to use INTs for reference within compiled tables. Synchronization methods have been implemented to maintain consistent ID assignments during migrations or updates.

  • Simplified Inheritance Handling: The block inheritance table has been removed, simplifying the inheritance handling process and streamlining system management.

  • Performance Improvement with Assignee Comparison: Performance has been significantly improved by implementing the AssigneeHash mechanism for assignee comparisons.

  • RBAC Refactor and Progress Updates: We have refactored all session tables and methods within the RBAC system. Compilation processes are now prefixed with Rbac_Compile_, providing constant progress updates during operations.

  • Dynamic Compilation for ResourceTypeRoles and Operations: Introducing the IsCompiledOperation and IsCompiledResourceTypeRole columns allows for on-demand compilation, eliminating the need for pre-generated indexed views and methods. This dynamic feature enhances both efficiency and flexibility.

Bulk Update of Business Request Items

We have optimized the BusinessRequest and BusinessRequestItem systems with a new bulk update capability. Multiple records can now be updated in a single operation, reducing database transaction overhead and improving execution times.

Improved Caching Mechanism for Faster Location Data Retrieval

A new caching mechanism has been implemented to accelerate location data retrieval for Groups and Management Roles. This enhancement greatly improves the speed and efficiency of data access, delivering a smoother user experience.

General Product Improvements

Email Template Enhancements

We've enhanced our email templates in this release to provide more flexibility and customization options.

  • Recipient Name in Task Delegation Emails: The "MyTasks_BusinessRequestItem_AddApprovers_FormerApprover" email notification template has been improved to address recipients by name when delegating tasks or adding additional approvers. This enhancement ensures clarity in communication, helping users manage tasks more efficiently.

  • Business Request Links in Email Templates: The email templates "EmailTemplateNameForAnyoneWithUnfinishedTasks" and "EmailTemplateNameForAllAuditParticipants" have been updated to include direct links to specific business request items. This improvement simplifies navigation during business request approval processes, enhancing the user experience.

  • Account Store Name for Audit Notifications: Notifications sent to Line Managers (Approvers) for audit processes now include the account store name associated with the group being recertified. This added context helps managers better understand the scope of the audit and improves the recertification process.

Added Resource System Search in Grant Actor Access Page

The Grant Actor Access page now includes the option to search by Resource System. Users can filter search results by selecting a specific system from the dropdown menu. This provides greater flexibility when managing access across multiple systems, such as SAP instances where group names may overlap.


Enhanced Person Overview for Admins

This release introduces improvements to the Person Overview page, providing administrators and managers with access to additional user attributes, such as last login date and last password change. These enhancements enable more efficient user management and stronger security oversight. Additionally, system settings now offer greater flexibility, allowing organizations to configure which user details are displayed, ensuring the information aligns with their specific needs. This supports better decision-making, an enhanced user experience, and improved compliance with security standards.


Fixed Issues

Resolved MFA Issue in Privileged Session Management (PSM) Workflow

An issue in the PSM workflow was causing users to be repeatedly prompted for Multi-Factor Authentication (MFA) each time they initiated the workflow, even when their session had already been authenticated with sufficient points. Additionally, the workflow failed to automatically detect and apply the registered authentication method, requiring users to manually select a verification option and re-enter their contact number.

This issue has been resolved. Based on session points, users will now only be prompted for MFA when necessary. The workflow will also automatically recognize and apply the registered authentication method, streamlining the process and improving the overall user experience.

Fixed Issue with Failed to Set Password Message in Master Login

Previously, users encountered a bug where a "Failed to set password" message would appear after entering a valid password while setting the master password in the UI master login. This issue has been resolved.

 

 

 
