You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Release Notes: EmpowerID 2020 R1
EmpowerID 2020 adds several new product features and usability enhancements.
New Features
EmpowerID Mobile App for MFA
The EmpowerID Mobile App provides multi-factor authentication (MFA) and chatbot help. The authentication feature provides both push and passcode authentication. You can download the app from the Google Play Store and the Apple App Store for Android and iOS, respectively. You can register multiple devices to your EmpowerID account and you can register multiple accounts to the same device.
Customizable Navbar
The object-focused navbar in previous releases of EmpowerID has been simplified and reordered to present users with a less technical, more modular interface. Organizations can further enhance the user experience and completely customize the navbar without needing to write any code or maintain a complicated overrides structure. Simply enable one or more of the NavBarSection EmpowerID system settings, localize the text for that section and define the appropriate Noun and Verb. And if you prefer the old object-focused navbar, you can bring it back by toggling a single system setting.
For more information, see Customizing the Navbar.
Passwordless Login
In EmpowerID, Passwordless Login is a type of multi-factor authentication (MFA) that you can apply to Password Manager Policies to allow users with the policy to skip the password and log in using only their EmpowerID user names or email addresses. This simplifies the login process for users by not requiring them to remember their passwords, while making their accounts more secure through multi-factor authentication.
To log in using Passwordless Login, users click the Passwordless Login link on the login page. This initiates the Passwordless Login MFA workflow, which asks the users to submit either their user names or email addresses. The workflow looks at the Password Manager Policy associated with those users and, based on the Passwordless Login MFA settings of that policy, asks each user to authenticate using one or more of the MFA types set for the policy until they reach the required number of MFA points to log in.
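The points-based flow described above, worked through as an added example. This is illustrative code, not EmpowerID's own implementation: the MFA type names, their point values, the 5-point threshold and the strongest-first ordering are all assumptions made here; in EmpowerID those settings live on the Password Manager Policy. The example also shows two edge cases a practitioner will care about: a user whose registered MFA types cannot reach the threshold is denied without being prompted at all, and a failed challenge earns nothing and moves the flow on to the next type, stopping as soon as the threshold becomes unreachable.

```python
"""Points-based MFA evaluation for a passwordless login (added illustration).

Type names, point values and the threshold below are hypothetical.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class MfaType:
    name: str
    points: int


@dataclass(frozen=True)
class PasswordlessPolicy:
    required_points: int
    mfa_types: tuple  # MfaType instances enabled for Passwordless Login on the policy


@dataclass(frozen=True)
class LoginResult:
    allowed: bool
    points_earned: int
    challenged: tuple  # MFA types the user was actually asked for, in order


def passwordless_login(policy, registered_types, verify):
    """Challenge the user with the MFA types the policy allows AND the user has
    registered, strongest first, until the policy's point threshold is reached.

    `verify(name)` performs the real challenge (push, passcode, ...) and returns
    True on success. A failed challenge earns no points and the flow moves on to
    the next type. The loop stops early, without further prompts, as soon as the
    remaining types could not reach the threshold even if all of them succeeded.
    """
    usable = sorted(
        (t for t in policy.mfa_types if t.name in registered_types),
        key=lambda t: (-t.points, t.name),
    )
    earned, challenged = 0, []
    still_available = sum(t.points for t in usable)
    for mfa in usable:
        if earned + still_available < policy.required_points:
            break  # threshold unreachable; do not keep prompting the user
        still_available -= mfa.points
        challenged.append(mfa.name)
        if verify(mfa.name):
            earned += mfa.points
        if earned >= policy.required_points:
            return LoginResult(True, earned, tuple(challenged))
    return LoginResult(False, earned, tuple(challenged))


# Hypothetical policy: push is worth 3 points, a TOTP passcode 2, e-mail OTP 1,
# and 5 points are required for a passwordless login.
POLICY = PasswordlessPolicy(
    required_points=5,
    mfa_types=(MfaType("push", 3), MfaType("passcode", 2), MfaType("email_otp", 1)),
)


def everything_ok(name):
    return True


def push_rejected(name):
    return name != "push"  # simulates a declined or timed-out push prompt


def demo():
    return {
        # push (3) + passcode (2) reaches the threshold
        "strong_user": passwordless_login(POLICY, {"push", "passcode"}, everything_ok),
        # only e-mail OTP registered: 1 point max, denied before any prompt
        "weak_registration": passwordless_login(POLICY, {"email_otp"}, everything_ok),
        # push fails; passcode + e-mail OTP (3) can no longer reach 5, so stop
        "push_denied": passwordless_login(POLICY, {"push", "passcode", "email_otp"}, push_rejected),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: allowed={result.allowed} points={result.points_earned} challenged={result.challenged}")
```

The early-stop check matters for usability as much as security: without it a user with only weak factors would be walked through every prompt and then refused at the end, and an attacker holding one compromised factor would learn which other types the victim has registered.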
T-RBAC Management Roles
The old Management Role model, which included roles that granted broader access to resources—such as the Enterprise IT Administrator Management Role—has been replaced with a more granular and functional set of Management Roles known as T-RBAC or Task-Based RBAC. In this new model, roles are prefixed by their function in EmpowerID and include the following:
UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role is the UI-Computer-PAM-User-Full-Access Management Role. This role grants access to the user interfaces and workflows for requesting PSM access to computers. The Management Role Definitions for these UI- workflows grant access to call the API endpoints used by the user interfaces.
VIS — Management Roles prefixed with VIS grant users the ability to see specific objects (object-level visibility) in EmpowerID. An example of this type of role is the VIS-Computer-MyLocations Management Role. This role grants access to see computers that belong to the same location as the person holding the role. Most security-sensitive objects are no longer visible by default: the default visibility filter policies assign "No Access", so visibility must be granted explicitly (secure by default).
ACT — Management Roles prefixed with ACT grant users the ability to manage specific objects (perform activities) in EmpowerID. An example of this type of role is the ACT-Computer-Shared-Credential-Assigner-MyLocations Management Role. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.
These types of roles extend to every resource type protected by EmpowerID, allowing administrators to tightly delegate what users can and cannot do in the system.
New and Improved Integrations
Enhancements for Office 365 Hybrid Mode
The EmpowerID Office 365 connector provides support for organizations migrating user mailboxes from on-premise Exchange to Office 365 using DirSync. In those situations, EmpowerID uses RET policies to provision Active Directory accounts synced to Office 365 user accounts and sets Remote Mailbox Enabled for those AD accounts. In this way, EmpowerID prevents Active Directory from creating on-premise Exchange mailboxes for those users.
Support for Remote Integrations (Requires Cloud Gateway)
All account stores with local directories, such as Active Directory, LDAP, SAP, etc., can be inventoried and synchronized with EmpowerID via the cloud by enabling the Is Remote (Requires Cloud Gateway) setting for those account stores. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store.
EmpowerID Orchestration Pack for ServiceNow
The EmpowerID Orchestration Pack for ServiceNow provides ServiceNow process designers with workflow activities, web services, and example workflows to embed EmpowerID capabilities within their ServiceNow business processes. Example workflows included in the orchestration pack include those listed below. These example workflows can be used as is in production, but are intended to be leveraged by ServiceNow process designers in existing and future workflows.
New Hire — Allows for the creation of a new ServiceNow user account and a corresponding EmpowerID Person linked to that account
Add User to Group — Allows for adding and removing ServiceNow users to and from AD groups.
Request Management Role — Allows for adding and removing ServiceNow users to and from EmpowerID Management Roles.
Reset Password — Grants users the ability to reset their EmpowerID passwords in ServiceNow. Password resets originating in ServiceNow are synchronized to the EmpowerID Person and any AD user accounts linked to that ServiceNow user.
In addition, the Orchestration Pack provides the ability to integrate an AI-powered chat bot virtual assistant, the EmpowerID Bot (shown in the below image), into ServiceNow. With the bot, users can perform secure self-service, such as resetting their passwords, at any time within the ServiceNow portal.
VMware ESXi Servers
The ESXi connector allows organizations to bring the user, permission, and role data in their stand-alone VMware ESXi systems into EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:
Create new users
Edit user attributes
Delete users
Create new roles and permissions
Manage roles and permissions membership
Delete roles and permissions
For more information, see Connecting to VMware ESXi.
Web Page Designer
Workflow Studio includes a new Page Designer that allows you to design your own web pages using the same objects used in many existing EmpowerID pages:
Design Elements
Grids
Tabs
Data
Stored Procedures (Methods)
Parameters
User Input Controls
Advanced Search Panels
Trees
Each offers choices that you can customize to create exactly the page that you need. For more information, see Page Designer Overview.
Workflow Studio Enhancements
Git Source Control
All workflow binaries have been migrated from database format to file format, as Workflow Studio now uses Git for source control. This change improves performance for the EmpowerID SQL Server-based Identity Warehouse and lets organizations adopt modern DevOps practices, including continuous delivery, frequent deployments and automation. Workflow Studio developers can make file changes and immediately share those changes with other team members, where they can be tested and integrated into the production environment more quickly and efficiently than was possible using SQL Server as source control.
Azure Blob Support
Workflow instance data can now be stored in Azure Blob Storage instead of the EmpowerID Identity Warehouse. This reduces the amount of data stored in the database, which provides much faster response times, especially when EmpowerID is hosted in Azure. This build includes two new configuration settings that allow you to make the switch.
WorkflowDataFactory — This setting specifies the storage location for workflow instance data. There are two possible values, SQL and Azure.
AzureWFDataConnectionString — This setting specifies the Azure Storage connection string. An Azure Storage connection string carries the storage account key, so treat it as a secret: protect the configuration store it lives in and rotate the key as you would any other credential.
Workflow Studio Items Can Now Be Edited in Visual Studio
All Workflow Studio class libraries can now be edited in either Workflow Studio (WFS) or Visual Studio (VS). This allows Workflow Studio developers who prefer Visual Studio to use the whole functionality of Visual Studio when writing a class library. Changes made to class libraries in Visual Studio appear when those same libraries are opened in Workflow Studio and vice-versa.
For more information, see Editing Class Libraries in Visual Studio.
Custom REST API Endpoints
Developers can now create secure custom REST API endpoints in Workflow Studio. For more information, see Creating Custom REST API Endpoints.
Easier Access to Important Aggregate Data
Many of the pages in the EmpowerID application have been modified to include new tabs and accordions to provide admins with easier access to relevant aggregate information. For example, managers and other delegated users can click the Report tab on the Person View page to view detailed resource ownership and access information for that person.
Enhanced Cloud Gateway Client for SaaS
The EmpowerID Cloud Gateway enables your EmpowerID Cloud SaaS tenant to inventory and manage your on-premise systems without requiring ports to be opened on your firewall. The Cloud Gateway is a lightweight client that can be installed on a Windows desktop or server machine in your on-premise network. The Cloud Gateway client then makes a secure and encrypted outbound HTTPS connection to an EmpowerID queue in Azure as a bridge for communication between the EmpowerID Cloud servers and your on-premise network. You can install multiple Cloud Gateways on-premise for fault tolerance and increased performance.
Additional Features or Enhancements
Feature or Enhancement | Description |
---|---|
Security Enhancements | |
EmpowerID-1808 | As a security admin, I want it to be clear which operations are required to check out a cred for PSM to a computer and to allow approvers to approve without having this same access. For more information, see PAM Management Roles. |
EmpowerID-1774 | As a security Admin, I would like to identify groups that contain only disabled or expired users so I can clean them up. |
EmpowerID-1989 | Bot: As an end user I would like to be able to share and unshare a secret with others. |
EmpowerID-1819 | As an end user, I would like an easy to use interface for checking out vaulted passwords. |
EmpowerID-1670 | As a security admin, I would like to view any/all user agreements a person has agreed to and the version number. |
EmpowerID-1612 | As a security admin, I would like to easily assign Business Roles and Locations to Management Roles. |
EmpowerID-1192 | As a security admin, I would like a simple report grid showing all RBAC assignments to a Management Role. |
EmpowerID-961 | As a security architect, I would like to control who may make REST API calls for which EmpowerID components and views using RBAC security. |
EmpowerID-933 | As a security admin, I would like to run the EmpowerID Windows Services and App Pools as Group Managed Service Accounts (gMSA). |
EmpowerID-928 | As a security architect, I would like to be secure by default not allowing computer objects to be seen unless a person has a management role explicitly allowing it. |
EmpowerID-927 | As a security architect, I would like to be secure by default not allowing group objects to be seen unless a person has a management role explicitly allowing it. |
EmpowerID-926 | As a security architect, I would like to be secure by default not allowing account objects to be seen unless a person has a management role explicitly allowing it. |
EmpowerID-849 | As a security admin, I would like to ensure that passwords for Windows Services and app pools are rotated on a scheduled basis and updated/recycled automatically. |
EmpowerID-511 | As a security admin, I would like to grant the RBAC Actor set as the OwnerAssigneeID for a resource an RBAC Access Level for that resource. |
EmpowerID-465 | As a security admin, I want to ensure that each application using the login framework is recognized as its own OAuth application. |
EmpowerID-304 | As a security admin, I would like EmpowerID to run in a least privilege secure configuration. |
EmpowerID-277 | As an admin, I would like to schedule a password reset for an account and have it update all Services and App Pools with the new password. |
SSO and Login Enhancements | |
EmpowerID-1950 | As a customer, I would like to login using my Azure AD as the IdP. |
EmpowerID-1994 | As an SSO Admin, I would like to see and manage MFA Devices. |
EmpowerID-1990 | As an end user, I would like to use the passwordless login when logging in through the OAuth IdP. |
EmpowerID-1748 | As a privileged user, I would like to be able to edit my own email address in EmpowerID. |
EmpowerID-1713 | As an EmpowerID Admin, I would like to see all relevant configuration information in one page for an account store and its associated resource system. |
Integration Enhancements | |
EmpowerID-1199 | As an EmpowerID Admin, I would like to create a Linux account store connection in the web. |
EmpowerID-838 | As an EmpowerID Admin, I want to create an LDAP account store. |
EmpowerID-438 | As an EmpowerID Admin, I would like to create a Custom Connector account store connection in the web. |
EmpowerID-129 | As an EmpowerID admin, I want to inventory and manage my on-premise Active Directory from a Cloud or off network EmpowerID instance. |
EmpowerID-91 | As an EmpowerID admin, I would like to create a Salesforce.com account store connection in the web. |
EmpowerID-87 | As an EmpowerID admin, I would like to create a Universal Connector account store connection in the web. |
Workflow Studio Enhancements | |
EmpowerID-1336 | As an EmpowerID Admin, I would like Workflow Studio to write-out design data of items to files/folders, allowing me to integrate with any source control system. |
EmpowerID-1330 | As an EmpowerID developer, I would like to be able to display data on forms using a radio button control. |
EmpowerID-1312 | As an EmpowerID developer, I would like to know how to dynamically add activities to my workflow via code at runtime to simplify it and allow it to be fast. |
EmpowerID-382 | As an EmpowerID workflow developer, I would like the mobile app to display messages I send to the user when approving a signing request. |
EmpowerID-381 | As an EmpowerID developer, I would like to easily generate push signing requests and use the response in my operations. |
EmpowerID-379 | As an EmpowerID developer, I would like to easily be able to generate a push notification in workflows, jobs, etc., for signing approval. |
EmpowerID-374 | As an EmpowerID developer, I would like to develop back-end workflows to perform the fulfillment for front-end workflows that write to a queue. |
EmpowerID-373 | As an EmpowerID developer, I would like to process workflows on a back-end system retrieved from a queue. |
EmpowerID-372 | As an EmpowerID developer, I would like my workflow operations to write to a queue for back-end system processing. |
EmpowerID-371 | As an EmpowerID developer, I would like an easy to use framework for developing queue-based workflows and jobs. |
EmpowerID-362 | As an EmpowerID Developer, I would like to ensure the authenticity of workflow requests that I'm passing to back-end services and queues by signing them using a server/application certificate. |
EmpowerID-309 | As an EmpowerID developer, I would like to create custom WF activities with pre-defined line rules to make it easier to use my activity in workflows. |
EmpowerID-286 | As an EmpowerID developer, I would like to easily add MFA to any workflow process. For more information, see Adding Multifactor Authentication to Workflow Processes. |
User Interface Enhancements | |
EmpowerID-939 | As an EmpowerID Admin, I would like to be able to edit the language-specific translations interactively within the EmpowerID user interface. |
EmpowerID-912 | As an EmpowerID installation engineer, I would like to configure the Core Identity Inbox settings. For more information, see Setting up Core Identities. |
EmpowerID-863 | As a system admin, I would like to see the extension attributes for a computer on its View One page. |
EmpowerID-369 | As an EmpowerID project engineer, I would like better reporting of any data migration. |
EmpowerID-303 | As an admin, I would like to see all the user accounts owned by a person on their View One page, even those from their other Person objects that are linked to the same core identity. |
PAM / PSM Enhancements | |
EmpowerID-274 | As an admin, I would like to create a new account and link it to an existing computer for privileged session management. |
EmpowerID-273 | As an admin, I would like to create a new shared credential and linked computer object in a single process. |
EmpowerID-271 | As an admin, I would like to convert multiple accounts to be managed as shared credentials. |
EmpowerID-77 | As an EmpowerID system admin, I would like to easily deploy my PSM solution as a set of Docker containers. |
Additional Changes for Version 7.151.0.7799 and later
SAP Connector
Inventory behavior has changed to use overlapping pagination instead of retrieving all table data at once for each SAP table. This change reduces memory consumption and improves stability in large environments.
Leading and trailing white space in user names is now ignored. Such data-entry errors violate security best practices, because a user name with stray white space is indistinguishable in the EmpowerID UI from the valid record it shadows.
It is highly encouraged that these data issues be cleaned up at the source to prevent indistinguishable entries and inaccurate reporting.
Deprecated Features
The EmpowerID Management Console has been removed. All configuration settings can now be set in the Web application.