Release Notes for EmpowerID Build 2.10.0.0
We are pleased to announce the release of EmpowerID Build 2.10.0.0, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:
New and Improved Connectors
Google Cloud Connector
With this release, EmpowerID adds the Google Cloud Platform (GCP) connector to its out-of-the-box connector library, providing identity management for GCP through EmpowerID. With seamless integration with Google Cloud Platform, the GCP Connector offers significant benefits for IT administrators. Organizations can now efficiently manage identities within the GCP environment, aligning with our commitment to delivering cutting-edge solutions for robust and secure identity governance.
The GCP Connector offers the following features:
User and group management: Create, update, and delete operations.
Service account actions: Create, update, and delete service accounts.
Group membership scenarios: Handle additions, removals, ownership changes, and cross-group memberships.
Role changes: Flexible management of role assignments.
GCP guest accounts: Addition to and removal from groups.
Inventory Management: Support for both incremental and full inventory.
Enhanced Azure B2C Connector
The Azure B2C Connector has undergone an upgrade, now allowing for the inventorying of application objects. This new feature presents a more comprehensive approach to managing and overseeing applications within the Azure B2C environment. With this upgrade, users can now effectively track and manage their application objects, greatly enhancing their resource management capabilities. We are confident that this upgrade will provide our users with a positive and productive experience.
Updated Microservices
Resource Admin
In our continual pursuit to improve user experience, we are pleased to announce significant updates to the Resource Admin microservice in our latest release. These enhancements bring increased control, flexibility, and efficiency to managing resources.
To provide a more detailed picture of the enhancements, here's what you can expect:
More Options for Managing Applications
New Application Actions
We have enhanced the Applications Resource page to include a range of actions that streamline application management workflows. These updates are designed to give users quick access to key functionalities, allowing them to perform various tasks efficiently without switching context. Added actions include the following:
Create Azure Claims Mapping Policy
Assign an Application Role Definition
Assign Application Right
Configure Field Types for Rights
Manage App Rights/Role Settings
Manage Application Wizard
Manage Azure Application Wizard
Onboard a Non-Azure Application
Onboard an Azure Application
Quicker Access for Managing API Permissions
The API Permissions page for applications has been updated to include a new button for adding API permissions to applications. With this new button, the process of managing API permissions is more straightforward. It allows administrators to quickly and easily modify or extend the API access for applications, contributing to improved functionality and security management.
Enhanced Time Constraint Options
Time Constraints in Assigning Role Definitions
With this release, we have introduced the ability for users to specify time constraints when assigning Role Definitions to people. This feature, accessible from both the Application and Person pages, offers increased control and flexibility. It significantly enhances how access is managed within applications, allowing for more precise timing in role assignments.
Time Constraints in Assigning App Management Roles
Additionally, we've extended the capability to specify time constraints to the assignment of App Management Roles. Similar to Role Definitions, this can be done through the Application or Person pages. This enhancement aims to improve access management within applications, allowing users to define specific time frames for assigned roles.
Streamlined Eligibility Configuration for Applications
Users can now directly view and manage the eligibility configurations for an application from its overview page. This enhancement simplifies the process of modifying application eligibility settings, making it more straightforward and user-friendly. This change makes managing access and eligibility within applications more efficient and accessible.
Improved Application Type Interfaces
In our latest update, we have refined the Application pages within the Resource Admin to ensure a clearer differentiation between protected subcomponents specific to different application types. This refactoring prevents subcomponents unique to Azure Applications and PBAC (Policy-Based Access Control) Applications from appearing inappropriately on pages designated for other types of applications. This enhancement aids administrators in managing and configuring applications more efficiently by providing a more intuitive and context-specific interface.
Improved Group Management
With this update, we are introducing several enhancements to improve group management within Resource Admin. These updates provide administrators more control and flexibility when managing groups, nested group memberships, and access permissions. Here’s an overview of the new features and benefits:
Additional Membership Changes Fields
We have updated the Membership Changes grid for groups to include additional fields that provide more detailed information about changes in group memberships. New fields include the Source of Change field and the Source Assignment for Membership field. These new fields are designed to enhance the understanding and tracking of membership modifications.
Nested Group Membership Management
Users now have the capability to add, remove, and view nested group members within a group. This feature is designed to provide more detailed control over group hierarchies and membership and simplify the management of nested groups.
Eligibility Configuration on Group Overview Page
The group overview page now includes the functionality to view and configure group eligibility. This allows for easier management of group eligibility directly from the overview page and streamlines the process of configuring and viewing group eligibility.
RBAC Assignments for Groups
Group owners now have the ability to view and manage RBAC assignments for groups. This provides users the tools for direct and efficient management of access controls linked to various groups, enhancing the overall administration of group permissions and access rights.
RBAC Assignment Previews
Group owners can now preview the number of memberships that will be affected by selected RBAC assignments before finalizing them. This enhancement allows group owners to see how many members will be added to a group based on their pending assignments, providing a clearer understanding and better control over group composition changes. This update aims to improve decision-making and accuracy in RBAC management.
More Options for Managing Management Roles
With this release, we are introducing updates to managing Management Roles to provide a more intuitive and efficient experience for administrators and users. These enhancements include more versatile options for role membership and streamlined actions on the Management Roles Resource page. Here's a closer look at what's new:
Management Roles as Members
Users now have the ability to dynamically manage the membership of Management Roles. This new functionality is accessible through the Management Roles as Members grid interface. When a Management Role is added as a member of another (parent) Management Role, all members of the added (child) role automatically inherit the access assignments of the parent role.
Enhanced Membership Options for Management Roles
Users can now add groups, SetGroups, and Business Role and Location Combinations as “Other Types of Management Role members.” This enhancement allows for more versatile and comprehensive role configurations, catering to complex organizational structures and access needs.
View and Add Access Assignments to Management Roles
Users now have the ability to view and manage the access assignments granted to Management Roles via the Direct Access Granted tab of a target Management Role.
The tab includes an ‘Add New Access Assignment’ button, which initiates the Grant Actor Access workflow. The workflow guides users through selecting the type of access and the resources to grant to the Management Role.
View Total Access Granted to Management Roles
Users can now view the total access granted to a Management Role from the Total Access Granted menu item. The menu item displays all the access rights granted to a particular Management Role and includes detailed information on the types of access, the specific resources involved, and the scope of each access right.
Grant Access to Additional Management Roles
Users can now assign additional Management Roles to an existing Management Role via the Management Roles Granted as Access grid. This effectively means that individuals with the primary Management Role automatically gain the access rights and privileges of the additional roles.
More Management Role Actions
We have updated the Management Roles Resource page with new actions to simplify managing Management Roles by providing easier access to key functionalities.
Manage Management Role Wizard: A new action to launch the Manage Management Role Wizard has been added. This wizard is tailored to make the configuring and updating of Management Roles more straightforward.
Onboard Management Role Workflows: The page now includes an action for initiating the Onboard Management Role workflow.
IAM Shop
The IAM Shop has been updated to enhance functionality and user experience, refining the process of requesting IT resources and simplifying user interactions. Here’s an overview of what’s new in the IAM Shop:
Announcements
EmpowerID has rolled out a new Announcement feature to ensure users stay updated with essential and timely information about the product. This feature integrates notifications across all EmpowerID applications, guaranteeing that users are always aware of significant updates. The core goal of the Announcement feature is to improve user engagement and awareness within the platform.
Key aspects of the Announcement feature include:
Creation of Customized Messages: Administrators can craft tailored announcements for EmpowerID application users, featuring a specific title and detailed content.
Scheduling and Timing Control: These announcements can be scheduled with flexibility, allowing administrators to set the duration of their visibility and ensuring timely relevance.
User Acknowledgment Option: Administrators can require user acknowledgment for certain announcements, enhancing the interaction with critical updates.
One-Time Message Capability: For less critical information, administrators can opt for one-time messages that don't require user acknowledgment.
Enhanced Shopping Experience
Activate Button Added for Preapproved Resources
An "Activate" button has been added for users preapproved for resources through Eligibility policies in EmpowerID. This feature, visible in the Request Access and Manage Access grids for each resource, enables users with preapproval to gain immediate access to resources. Upon clicking the "Activate" button, access is granted directly without needing further approvals or business request creation. This streamlines the process, allowing EmpowerID to fulfill the assignment promptly and efficiently.
Enhanced Visibility of Functions for Azure Roles
Users shopping for Azure Roles can now view the functions included with those roles before requesting access to those roles or activating them if preapproved. This lets users know whether the functions granted suit their needs before submitting the request.
Shop Reference Person Access
We are pleased to introduce the "Shopping By Reference Person" feature in the IAM Shop, which aims to simplify the access request process for new hires or employees stepping into roles similar to existing ones. This feature enables the replication of access rights and privileges, including applications, computers, Azure Licenses, Azure Roles, and credentials, directly from an existing employee's profile to that of a new employee.
By utilizing the "Show Reference Person Access" option, users can view the current access levels of a selected reference person within the IAM Shop. This access configuration can seamlessly apply to a new individual, ensuring a consistent and efficient onboarding experience. This addition is designed to make the access request process more efficient and user-friendly, particularly for roles with standard access patterns.
Enhanced Privileged Session Manager Options
Added Support for Telnet Sessions for Cisco
Privileged Session Manager (PSM) now supports Telnet sessions for Cisco devices, expanding its compatibility with devices and ensuring reliable PSM session connectivity and communication.
Added Support for VNC Protocol
Privileged Session Manager (PSM) has been updated to support the Virtual Network Computing (VNC) protocol. This means that users can now easily select the VNC protocol during the computer onboarding process and initiate PSM sessions with computers that use the VNC protocol.
New Feature for Key Logging
A new feature has been added to enable keylogging to gain detailed visibility into privileged sessions. It's important to note that the keylogging feature has been designed with privacy in mind, ensuring that sensitive user data and credentials are not logged. This feature provides an added layer of security and auditability by capturing keystrokes during sessions, offering valuable insights into user activities.
Encrypted PSM Recordings
All PSM session recordings are now encrypted by default for enhanced security. Additionally, to maintain strict control over who can access the recorded content, explicit authorization is required to play these recordings. Users have the option to encrypt specific recordings with a non-default key, which will ensure that they are not only secure when at rest but also watchable only if authorized.
My Tasks
My Tasks has been updated with several features to improve the user experience when handling business requests. These enhancements streamline the review and response process, making it more efficient and user-friendly.
Predefined Approval Comments
Users now have the option to choose from a set of predefined comments when approving a business request. This addition simplifies the approval process by providing quick, standardized responses that can be used to communicate decisions effectively. This feature saves time and ensures consistency in communication across different approvals.
Enhanced Functional Access Information
The latest update to the My Tasks app brings a significant enhancement in the form of detailed functional access information. With this new feature, approvers are now equipped to view the current functional access of a user when considering approval for additional requested access. This added layer of visibility enables approvers to make more informed and intelligent decisions, assessing whether the new access is necessary or redundant. This enhancement streamlines the approval workflow by providing approvers with comprehensive information, facilitating efficient and effective management of business requests in the system.
Wizard Workflows
This release features new or updated wizard workflows, which streamline various aspects of Azure application management and improve onboarding procedures for individuals, groups, accounts, mailboxes, credentials, computers, and Management Roles.
Onboard Account Workflow
EmpowerID's latest update introduces the "Onboard Account" Wizard Workflow, a new feature designed to facilitate the manual onboarding of user accounts. This workflow represents a significant addition to EmpowerID, aiming to enhance the account creation process in several ways.
Detailed Features of the New Onboard Account Wizard Workflow:
Diverse Account Creation Options:
Individual and Technical Accounts: Users can create accounts for individuals and technical purposes like service accounts, which are crucial for automated processes and are not associated with any individual user.
Suitable for Various Environments: The workflow is adaptable for various environments, including creating local user accounts on Windows or Linux servers and user accounts in directories like LDAP, Active Directory, Azure, and ServiceNow.
Efficiency and User-Friendliness:
Streamlined Process: The wizard simplifies the onboarding process, making it more straightforward and less time-consuming.
Intuitive User Interface: With a focus on user experience, the workflow features an intuitive interface that guides users through each account creation step.
Capabilities for Different Scenarios:
The wizard can handle a range of scenarios, from creating a single account for a new user to setting up multiple accounts for different services or platforms.
It provides options to customize account settings based on the user's specific needs or the account's technical requirements.
Attribute Management:
The workflow includes managing and assigning attributes to new accounts, ensuring that all necessary information is accurately captured and associated with each account.
Manage Person Wizard Workflow
The introduction of the Manage Person Wizard provides efficient and user-friendly management of Person objects in EmpowerID. The wizard workflow provides the following options for managing Person objects:
Disable a person
Modify and update specific attributes associated with a person
Enable a previously disabled person
Initiate the Leaver Events for a Person leaving the organization, ensuring proper workflows are followed.
Initiate Mover Event for Person
Unjoin Person Core Identity
Manage Management Role Wizard Workflow
The Manage Management Role workflow has undergone several improvements to enhance its functionality and usability. Key enhancements include:
Enhanced Role Function Assignment:
We have introduced the capability to assign and unassign local functions directly to and from Management Roles. This enhancement provides greater flexibility and precision in defining the scope and responsibilities of Management Roles.
Updated Ownership and Responsible Party Requirements:
The workflow has been updated with a new requirement that ensures the responsible party and the owner of a Management Role cannot be the same individual. This change ensures a more robust and accountable management structure, promoting better governance and oversight within Management Roles.
Onboard Management Role Wizard Workflow
The Onboard Management Role workflow has been enhanced to provide users a more efficient and versatile experience when onboarding new Management Roles. Here’s an overview of what’s new:
Management Role Bundling:
Role creators now have the ability to assign other Management Roles as members of the new role. This feature facilitates the creation of 'Management Role bundles', allowing for a more organized and cohesive management of roles within complex organizational structures.
Inclusion of Business Roles and Locations:
The workflow has been expanded to include Business Roles and Locations as members of a Management Role during the onboarding process. This addition enhances role customization, allowing organizations to grant role members specific Business Role and Location combinations during the role assignment process.
Updated Ownership and Responsible Party Requirements:
The workflow has been updated with a new requirement that ensures the responsible party and the owner of a Management Role cannot be the same individual. This change ensures a more robust and accountable management structure, promoting better governance and oversight within Management Roles.
Additional Improvements
UI Enhancements for Microservices
We've implemented several UI enhancements across our microservices, aiming to elevate the overall user experience. These improvements include more intuitive layouts optimized for ease of use and efficiency. Users will notice cleaner interfaces with better-organized elements, ensuring quicker access to necessary features. Among these improvements is the introduction of flyout menus. When users hover their mouse over menu items, they will now see an expanded flyout, providing immediate access to additional options and features. The updates are designed to make interactions with our microservices more seamless and visually appealing, reflecting our commitment to providing a user-centric platform.
New Permanent Workflow for Out Of Office
In this release, we introduce a new permanent workflow feature that automatically updates the OutOfOffice flag for individuals in our system. This workflow is triggered when the OutOfOffice Start Date (OofStartDate) is reached and the OutOfOffice flag is currently set to false for a person. Upon activation, the workflow sets the OutOfOffice flag to true, ensuring that the person's status is accurately reflected in the system without manual intervention. This feature enhances the accuracy and efficiency of status updates for users leaving the office.
Security Enhancement
In response to a medium-risk vulnerability identified as "Use of a Broken or Risky Cryptographic Algorithm" (OWASP A02:2021 Cryptographic Failures), our latest release addresses the susceptibility of hashing operations to brute force attacks due to a single SHA-512 iteration. The vulnerability could compromise hashed passwords, potentially leading to unauthorized access to user passwords if the server is compromised. To fortify our system against such threats, we have replaced single-pass SHA-512 with PBKDF2 for password hashing, with a recommended iteration count of 600,000 for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512. This proactive measure significantly bolsters cryptographic security, mitigating the risk of brute force attacks and ensuring a more robust defense for user data.
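As an added illustration (not EmpowerID's own code), the following shows the single-pass SHA-512 scheme described above beside a salted PBKDF2 record using the iteration counts quoted in the note, together with a login-time check that recognises a legacy record and returns an upgraded one. The record format, field separators and function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Iteration counts quoted in the release note above, keyed by PBKDF2 digest.
PBKDF2_ITERATIONS = {"sha256": 600_000, "sha512": 210_000}


def legacy_sha512_hash(password: str) -> str:
    """The pre-2.10 style scheme: one unsalted SHA-512 pass over the password.
    Kept only so that stored records in this form can be recognised and upgraded;
    one guess costs the attacker a single hash invocation."""
    return "sha512$" + hashlib.sha512(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, digest: str = "sha256",
                salt: Optional[bytes] = None) -> str:
    """Hardened scheme: per-user random salt plus the policy iteration count.
    Record layout (assumed): pbkdf2_<digest>$<iterations>$<salt b64>$<key b64>."""
    iterations = PBKDF2_ITERATIONS[digest]
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_{}${}${}${}".format(
        digest, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"))


def _parse_pbkdf2(stored: str) -> Tuple[str, int, bytes, bytes]:
    scheme, iterations, salt_b64, key_b64 = stored.split("$")
    digest = scheme[len("pbkdf2_"):]
    return digest, int(iterations), base64.b64decode(salt_b64), base64.b64decode(key_b64)


def verify(password: str, stored: str) -> bool:
    """Check a password against either record type, using a constant-time compare."""
    if stored.startswith("sha512$"):
        return hmac.compare_digest(legacy_sha512_hash(password), stored)
    digest, iterations, salt, expected = _parse_pbkdf2(stored)
    key = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                              iterations, dklen=len(expected))
    return hmac.compare_digest(key, expected)


def needs_rehash(stored: str) -> bool:
    """True for a legacy single-pass record, or a PBKDF2 record whose stored
    iteration count is below the current policy for its digest."""
    if stored.startswith("sha512$"):
        return True
    digest, iterations, _, _ = _parse_pbkdf2(stored)
    return iterations < PBKDF2_ITERATIONS[digest]


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Login-time migration: the plaintext is only available during a successful
    login, so that is when a legacy record is replaced. Returns (ok, new_record)
    where new_record is None when no upgrade is needed or the login failed."""
    if not verify(password, stored):
        return False, None
    return True, (pbkdf2_hash(password) if needs_rehash(stored) else None)
```

On a successful login against a legacy record, the caller stores the returned PBKDF2 record in place of the old one; failed logins never trigger a rehash.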
Resolved Issues
Improved Session Management in IAM Shop
We have addressed the issue of frequent session timeouts that users experienced in the IAM Shop, particularly during cart-related activities. Previously, users encountered interruptions while adding or editing items in the cart or during the cart submission process. This update ensures a smoother, uninterrupted experience in the IAM Shop, enhancing user efficiency and convenience.
Invalid Logout Request Error in EmpowerID
The problem of 'invalid logout request' errors in EmpowerID has been successfully resolved. This issue primarily occurred when users had multiple tabs of EmpowerID open and left the system idle for a certain period. With this fix, users can expect more stable sessions, especially in multi-tab usage scenarios, reducing interruptions and improving the overall user experience in EmpowerID.
OTP Authentication Failures
With this release, a significant improvement has been made to the One-Time Password (OTP) authentication process. Users previously faced challenges logging in using the Microsoft Authenticator app when the OTP code included spaces, whether at the beginning, at the end, or between characters. This issue has now been resolved. With this update, users can successfully authenticate their login regardless of spaces in the OTP code, ensuring a more reliable and user-friendly experience during the authentication process.
Renaming Attributes in Dynamic Hierarchy Policies
This release addresses a specific issue concerning the renaming of attributes within dynamic hierarchy policies. Before this fix, altering the case of an attribute name (for example, changing "dublin" to "Dublin") resulted in the inadvertent creation of two distinct groups by the dynamic hierarchy policy, which in turn caused errors in LDAP calculations. This issue has now been rectified. The dynamic hierarchy policy has been enhanced to accurately handle changes in attribute cases, ensuring a smooth and error-free process in LDAP calculations.
Group-to-group assignments data import
We have addressed and resolved an issue in the 'MassUploadGroupToGroupAssignments' workflow. Previously, users encountered an error when attempting to upload CSV files with two missing header titles, which disrupted the workflow process. With this update, the workflow has been enhanced to allow the uploading of CSV files, even if they are missing two header titles. This fix ensures a smoother and more reliable experience in mass uploading group-to-group assignments, improving the overall functionality of this workflow.