You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Release Notes: EmpowerID 2020 R1

EmpowerID 2020 adds several new product features and usability enhancements.

New Features

EmpowerID Mobile App for MFA

The EmpowerID Mobile App provides multi-factor authentication (MFA) and chatbot help. The authentication feature provides both push and passcode authentication. You can download the app from the Google Play Store and the Apple App Store for Android and iOS, respectively. You can register multiple devices to your EmpowerID account and you can register multiple accounts to the same device.

 

Customizable Navbar

The object-focused navbar in previous releases of EmpowerID has been simplified and reordered to present users with a less technical, more modular interface. Organizations can further enhance the user experience and completely customize the navbar without needing to write any code or maintain a complicated overrides structure. Simply enable one or more of the NavBarSection EmpowerID system settings, localize the text for that section and define the appropriate Noun and Verb. And if you prefer the old object-focused navbar, you can bring it back by toggling a single system setting.

For more information, see Customizing the Navbar.

 

Passwordless Login

In EmpowerID, Passwordless login is a type of multi-factor authentication (MFA) that you can apply to Password Manager Policies to allow users with the policy to skip the password and login using only their EmpowerID user names or email addresses. This simplifies the login process for users by not requiring them to remember their passwords, while making their accounts more secure through multi-factor authentication.

To login using Passwordless login, users click the Passwordless Login link on the login page. This initiates the Passwordless Login MFA workflow, which asks the users to submit either their user names or passwords. The workflow looks at the Password Manager Policy associated with those users—and based on the Passwordless Login MFA settings of that policy—asks each user to authenticate using one or more of the MFA types set for the policy until they reach the required number of MFA points to login.

 

T-RBAC Management Roles

The old Management Role model, which included roles that granted broader access to resources—such as the Enterprise IT Administrator Management Role—has been replaced with a more granular and functional set of Management Roles known as T-RBAC or Task-Based RBAC. In this new model, roles are prefixed by their function in EmpowerID and include the following:

  • UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role is the UI-Computer-PAM-User-Full-Access Management Role. This role grants access to the user interfaces and workflows for requesting PSM access to computers. The Management Role Definitions for these UI- workflows grant access to call the API endpoints used by the user interfaces.

  • VIS — Management Roles prefixed with VIS grant users the ability to see specific objects (Object level visibility) in EmpowerID. An example of this type of role is the VIS-Computer-MyLocations Management Role. This role grants access to see computers that belong to same location as the person with the role. Most security sensitive objects are now not visible by default. Default visibility filter policies assign “No Access” requiring access to be granted (secure by default).

  • ACT — Management Roles prefixed wtih ACT grant users the ability to manage specific objects (perform activities) in EmpowerID. An example of this type of role is the ACT-Computer-Shared-Credential-Assigner-MyLocations Management Role. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.

These types of roles extend to every resource type protected by EmpowerID, allowing administrators to tightly delegate what users can and cannot do in the system.

 

New and Improved Integrations

Enhancements for Office 365 Hybrid Mode

The EmpowerID Office 365 connector provides support for organizations migrating user mailboxes from on-premise Exchange to Office 365 using DirSync. In those situations, EmpowerID uses RET policies to provision Active Directory accounts synced to Office 365 user accounts and sets Remote Mailbox Enabled for those AD accounts. In this way, EmpowerID prevents Active Directory from creating on-premise Exchange mailboxes for those users.

Support for Remote Integrations (Requires Cloud Gateway)

All account stores with local directories, such as Active Directory, LDAP, SAP, etc., can be inventoried and synchronized with EmpowerID via the cloud by enabling the Is Remote (Requires Cloud Gateway) setting for those account stores. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store.

 

EmpowerID Orchestration Pack for ServiceNow

The EmpowerID Orchestration Pack for ServiceNow provides ServiceNow process designers with workflow activities, web services, and example workflows to embed EmpowerID capabilities within their ServiceNow business processes. Example workflows included in the orchestration pack include those listed below. These example workflows can be used as is in production, but are intended to be leveraged by ServiceNow process designers in existing and future workflows.

  • New Hire — Allows for the creation of a new ServiceNow user account and a corresponding EmpowerID Person linked to that account

  • Add User to Group — Allows for adding and removing ServiceNow users to and from AD groups.

  • Request Management Role — Allows for adding and removing ServiceNow users to and from EmpowerID Management Roles.

  • Reset Password — Grants users the ability to reset their EmpowerID passwords in ServiceNow. Password resets originating in ServiceNow are synchronized to the EmpowerID Person and any AD user accounts linked to that ServiceNow user.

In addition, the Orchestration Pack provides the ability to integrate an AI-powered chat bot virtual assistant, the EmpowerID Bot (shown in the below image), into ServiceNow. With the bot, users can perform secure self-service, such as resetting their passwords, at any time within the ServiceNow portal.

 

VMWare ESXI Servers

The ESXi connector allows organizations to bring the user, permissions, and roles data in their stand-alone VMware ESXi systems to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

  • Create new users

  • Edit user attributes

  • Delete users

  • Create new roles and permissions

  • Manage roles and permissions membership

  • Delete roles and permissions

For more information, see Connecting to VMWare EXSi.

Web Page Designer

Workflow Studio include a new Page Designer that allows you to design your own web pages using the same objects used in many existing EmpowerID pages:

Design Elements

  • Grids

  • Tabs

Data

  • Stored Procedures (Methods)

  • Parameters

User Input Controls

  • Advanced Search Panels

  • Trees

Each offers choices that you can customize to create exactly the page that you need. For more information, see Page Designer Overview.

Workflow Studio Enhancements

GIT Source Control

All workflow binaries have been migrated from database format to file format as Workflow Studio now uses GIT for source control. This change increases performance for the EmpowerID SQL Server-based Identity Warehouse, as well as gives organizations the ability to take advantage of the modern DevOps model and practices, which include continuous delivery, frequent deployments and automation. Workflow Studio developers can make file changes and immediately share those changes with other team members, where they can be tested and integrated into the production environment more quickly and efficiently than was possible using SQL Server as source control.

Azure Blob Support

Workflow instance data can now be stored in Azure blob instead of the EmpowerID Identity Warehouse. This reduces the amount of data being stored in the database, which provides much faster response times—especially when using EmpowerID hosted in Azure. This build includes two new configuration settings that allow you to make the switch.

  • WorkflowDataFactory — This setting specifies the storage location for workflow instance data. There are two possible values, SQL and Azure.

  • AzureWFDataConnectionString — This setting is for specifying the Azure Storage connection string.

Workflow Studio Items Can Now Be Edited in Visual Studio

All Workflow Studio class libraries can now be edited in either Workflow Studio (WFS) or Visual Studio (VS). This allows Workflow Studio developers who prefer Visual Studio to use the whole functionality of Visual Studio when writing a class library. Changes made to class libraries in Visual Studio appear when those same libraries are opened in Workflow Studio and vice-versa.

For more information, see Editing Class Libraries in Visual Studio.

Custom REST API Endpoints

Developers can now create secure custom REST API endpoints in Workflow Studio. For more information, see Creating Custom REST API Endpoints.

Easier Access to Important Aggregate Data

Many of the pages in the EmpowerID application have been modified to include new tabs and accordions to provide admins with easier access to relevant aggregate information. For example, managers and other delegated users can click the Report tab on the Person View page to view detailed resource ownership and access information for that person.

 

Enhanced Cloud Gateway Client for SaaS

The EmpowerID Cloud Gateway enables your EmpowerID Cloud SaaS tenant to inventory and manage your on-premise systems without requiring ports to be opened on your firewall. The Cloud Gateway is a lightweight client that can be installed on a Windows desktop or server machine in your on-premise network. The Cloud Gateway client then makes a secure and encrypted outbound HTTPS connection to an EmpowerID queue in Azure as a bridge for communication between the EmpowerID Cloud servers and your on-premise network. You can install multiple Cloud Gateways on-premise for fault tolerance and increased performance.


Additional Features or Enhancements

 Expand to view more features and enhancements included with this release

Feature or Enhancement

Description

Feature or Enhancement

Description

Security Enhancements

EmpowerID-1808

As a security admin, I want it to be clear which operations are required to check out a cred for PSM to a computer and to allow approvers to approve without having this same access. For more information, see PAM Management Roles.

EmpowerID-1774

As a security Admin, I would like to identify groups that contain only disabled or expired users so I can clean them up.

EmpowerID-1989

Bot: As an end user I would like to be able to share and unshare a secret with others.

EmpowerID-1819

As an end user, I would like an easy to use interface for checking out vaulted passwords.

EmpowerID-1670

As a security admin, I would like to view any/all user agreements a person has agreed to and the version number.

EmpowerID-1612

As a security admin, I would like to easily assign Business Roles and Locations to Management Roles.

EmpowerID-1192

As a security admin, I would like a simple report grid showing all RBAC assignments to a Management Role.

EmpowerID-961

As a security architect, I would like to control who may make REST API calls for which EmpowerID components and views using RBAC security.

EmpowerID-933

As a security admin, I would like to run the EmpowerID Windows Services and App Pools as Group Managed service Accounts.

EmpowerID-928

As a security architect, I would like to be secure by default not allowing computer objects to be seen unless a person has a management role explicitly allowing it.

EmpowerID-927

As a security architect, I would like to be secure by default not allowing group objects to be seen unless a person has a management role explicitly allowing it.

EmpowerID-926

As a security architect, I would like to be secure by default not allowing account objects to be seen unless a person has a management role explicitly allowing it.

EmpowerID-849

As a security admin, I would like to ensure that passwords for Windows Services and app pools are rotated on a scheduled basis and updated/recycled automatically.

EmpowerID-511

As a security admin, I would like to grant the RBAC Actor set as the OwnerAssigneeID for a resource an RBAC Access Level for that resource.

EmpowerID-465

As a security admin, I want to ensure that each application using the login framework is recognized as its own OAuth application.

EmpowerID-304

As a security admin, I would like EmpowerID to run in a least privilege secure configuration.

EmpowerID-277

As an admin, I would like to schedule a password reset for an account and have it update all Services and App Pools with the new password.

SSO and Login Enhancements

EmpowerID-1950

As a customer, I would like to login using my Azure AD as the IdP.

EmpowerID-1994

As an SSO Admin, I would like to see and manage MFA Devices.

EmpowerID-1990

As an end user, I would like to use the passwordless login when logging in through the Oath IdP.

EmpowerID-1748

As a privileged user, I would like to be able to edit my own email address in EmpowerID.

EmpowerID-1713

As an EmpowerID Admin, I would like to see all relevant configuration information in one page for an account store and its associated resource system.

Integration Enhancements

EmpowerID-1199

As an EmpowerID Admin, I would like to create a Linux account store connection in the web.

EmpowerID-838

As an EmpowerID Admin, I want to create an LDAP account store.

EmpowerID-438

As an EmpowerID Admin, I would like to create a Custom Connector account store connection in the web.

EmpowerID-129

As an EmpowerID admin, I want to inventory and manage my on-premise Active Directory from a Cloud or off network EmpowerID instance.

EmpowerID-91

As an EmpowerID admin, I would like to create a Salesforce.com account store connection in the web.

EmpowerID-87

As an EmpowerID admin, I would like to create a Universal Connector account store connection in the web.

Workflow Studio Enhancements

EmpowerID-1336

As an EmpowerID Admin, I would like Workflow Studio to write-out design data of items to files/folders, allowing me to integrate with any source control system.

EmpowerID-1330

As an EmpowerID developer, I would like to be able to display data on forms using a radio button control.

EmpowerID-1312

As an EmpowerID developer, I would like to know how to dynamically add activities to my workflow via code at runtime to simplify it and allow it to be fast

EmpowerID-382

As an EmpowerID workflow developer, I would like the mobile app to display messages I send to the user when approving a signing request.

EmpowerID-381

As an EmpowerID developer, I would like to easily generate push signing requests and use the response in my operations.

EmpowerID-379

As an EmpowerID developer, I would like to easily be able to generate a push notification in workflows, jobs, etc., for signing approval.

EmpowerID-374

As an EmpowerID developer, I would like to develop back-end workflows to perform the fulfillment for front-end workflows that write to a queue.

EmpowerID-373

As an EmpowerID developer, I would like to process workflows on a back-end system retrieved from a queue.

EmpowerID-372

As an EmpowerID developer, I would like my workflow operations to write to a queue for back-end system processing.

EmpowerID-371

As an EmpowerID developer, I would like an easy to use framework for developing queue-based workflows and jobs.

EmpowerID-362

As an EmpowerID Developer, I would like to ensure the authenticity of workflow requests that I'm passing to back-end services and queues by signing them using a server/application certificate.

EmpowerID-309

As an EmpowerID developer, I would like to create custom WF activities with pre-defined line rules to make it easier to use my activity in workflows.

EmpowerID-286

As an EmpowerID developer, I would like to easily add MFA to any workflow process. For more information, see Adding Multifactor Authentication to Workflow Processes.

User Interface Enhancements

EmpowerID-939

As an EmpowerID Admin, I would like to be able to edit the language-specific translations interactively within the EmpowerID user interface

EmpowerID-912

As an EmpowerID installation engineer, I would like to configure the Core Identity Inbox settings. For more information, see Setting up Core Identities.

EmpowerID-863

As a system admin, I would like to see the extension attributes for a computer on its View One page

EmpowerID-369

As an EmpowerID project engineer, I would like better reporting of any data migration

EmpowerID-303

As an admin, I would like to see all the user accounts owned by a person on their View One page, even those from their other Person objects that are linked to the same core identity

PAM / PSM Enhancements

EmpowerID-274

As an admin, I would like to create a new account and link to an existing computer for privileged session management

EmpowerID-273

As an admin, I would like to create a new shared credential and linked computer object in a single process

EmpowerID-271

As an admin, I would like to convert multiple accounts to be managed as shared credentials

EmpowerID-77

As an EmpowerID system admin, I would like to easily deploy my PSM solution as a set of Docker containers.

Additional Changes for Version 7.151.0.7799 and later

SAP Connector

  1. Inventory behavior has changed to use overlapping-pagination instead of retrieving all table data at once for each SAP table. This change has led to overall optimization of memory and greater stability in large environments

  2. Trailing and leading white spaces in usernames are now ignored, as these sort of data-entry errors violate security best-practices (by making the erroneous username indistinguishable from its valid record in the EmpowerID UI).

It is highly encouraged that these type of data-issues be cleaned-up to prevent indistinguishable entries and inaccurate reporting.

Deprecated Features

The EmpowerID Management Console has been removed. All configuration settings can now be set in the Web application.