Release Notes: EmpowerID 2020

EmpowerID 2020 adds several major new product features and usability enhancements.

New Features

EmpowerID Compliant Access Solution (Risk Management)

The reality for organizations today is that enterprise risks are scattered across many Cloud and on-premise systems and are often acquired by a risky combination of cross-system access. Given the growing number of enterprise level applications being made available to organizations, it is imperative organizations know the permissions models for each application they use. Otherwise, users may have more access than needed, resulting in unnecessary risks. To gain visibility and control over these risks, EmpowerID provides one of the largest IGA connector libraries available with the ability to connect and consume even the most idiosyncratic permissions models and inheritance used within your applications. In this way, the permissions in each system can be brought together into one comprehensive and business-friendly permissions model.

Compliant Risk Management

The goal of compliant risk management is to ensure that organizations deliver compliant access and that changes occurring in native system admin consoles do not create non-compliant access. To achieve this goal, current access assignments must be continually measured against a definition of non-compliant access. Therefore, to define compliant access, you must first define non-compliant access. Risks are a part of the business domain and must be defined and owned by business users as they relate to the organization’s specific industry and business processes. Defining an organization’s risk policies based on toxic combinations of technical entitlements such as application groups or roles is not a viable option. These technical objects have little meaning to business users and the activities they enable and the risks they pose are easily obscured and can change as underlying access shifts.

The new EmpowerID Compliant Access Solution simplifies risk management by giving organizations the ability to abstract technical access rights terminology from inventoried systems away from business users in favor of language more readily accessible to business users, their managers and those responsible for building effective risk management policy. Most IAM systems manage only the technical aspects of access control and, as such, fail to provide a comprehensive model that maps the entitlements in technical systems to clearly understood business processes. For example, consider the act of creating a purchase order in SAP. In that system, entitlements are designated by TCodes, and the TCode for creating a purchase order is ME21N. While application experts might instinctively know what the TCode means, most likely many business users will not. And that is one entitlement in one system. When one considers the many technical systems that could be used within the daily operations of a business — and the amount of entitlements available to users within each — it becomes easy to see how those responsible for managing access can spend an undue amount of time deciphering exactly “who can do what, where and when with their IT systems.”

Figure 1: Example of a native system entitlement

That is where EmpowerID’s Compliant Access Solution comes into the picture. EmpowerID understands that each organization has its own particular language for processes and policies and designed the solution with the flexibility to bring that process language into risk management as is. This model understands that to be truly effective, delivering compliant access requires more than just repeating “black box” speak. A system that simply repeats technical system language back to users does little to help businesses translate the technical rights in each IT system to the daily business activities necessary for accomplishing business goals.

 

How EmpowerID Compliant Access Leverages Your Business Model

The EmpowerID Compliant Access Solution starts with the premise that all businesses can be broken down into a series of business processes performed during the ongoing production and delivery of their goods or services. Each business process is itself, a series of tasks that can be performed by internal or external participants to complete that process. And each individual task in each process can be broken down into the functions that are executed in the process of completing that task. Simply put, EmpowerID defines functions as “business defined activities that a person can perform.” Using this approach, the technical term “ME21N” mentioned above could be translated simply as “Create Purchase Order.” The activities are the same, but the terminology for the latter is immediately clearer for business users.

Figure 2: Native System Entitlements VS Functions

Using functions as the building blocks of what users can do in technical systems, organizations then build their risk policies around those functions using their own business language for those functions and policies. Once functions are named, business process specialists and technical application specialists map those functions to their representative entitlements in their respective applications. Once the mapping is complete, the risk management engine can be enabled to run on a scheduled basis to return users with functions. Using “Create Purchase Order” as an example, the end result is that those responsible for risk management can quickly see who in their organization can create a purchase order and where they can do it.

Figure 3: Risk Management User Interface

 

 

EmpowerID SCIM Virtual Directory Server (VDS) for Azure Identity Management

In today’s “work from anywhere” model, cloud-based identity management solutions are becoming the norm. Nowhere is this more evident than with Microsoft’s shift away from on-premise Active Directory federating with Office 365 to Azure Active Directory (AD) as the primary identity. De-emphasizing and even eliminating ADFS and federation are the future. Microsoft makes this even more apparent with its integration of the System for Cross Domain Identity Management (SCIM) protocol into Azure. SCIM was created as a powerful means of standardizing, simplifying, and automating identity management of users, groups, and devices across cloud-based applications and services and Microsoft is betting big on it. The problem with SCIM is that it has yet to become widely adopted and many applications simply do not support it. So, if you have custom applications with repositories of identity information or use an on-premise or cloud application like SAP S/4 HANA or SAP Ariba or even a major HR system like UltiPro, you are not going to be able to integrate those systems with Azure unless you or the vendor builds a SCIM interface for each. This is no small task because while the protocol is simple, building the interface is not. EmpowerID has stepped into the gap and built a Workflow-Driven SCIM Virtual Directory Server (VDS) that can sit between Azure and your non-SCIM applications. You simply connect those applications to EmpowerID and register the EmpowerID SCIM VDS in Azure. There is no need to wait for vendors or put in the time and effort needed to build a SCIM interface. EmpowerID takes care of everything for you.

Figure 4: Solution Architecture

Why should you use EmpowerID’s SCIM VDS for Azure Identity Management?

  • All the Advantages of SCIM without the effort — Created in 2011 as an open standard, lightweight provisioning protocol for the “Cloud age,” SCIM provides a uniform way for applications to communicate identity information to each other. Adoption of SCIM has been slow, but it is the way forward. With EmpowerID’s SCIM VDS, organizations can convert their applications to SCIM without waiting for vendors to come onboard or doing the heavy lifting of converting their legacy proprietary applications to SCIM.

  • Seamlessly Integrate All Your Applications with Azure Provisioning Services — The EmpowerID SCIM Virtual Directory is a microservice and a SCIM server that can be deployed as an App Service in any Azure tenant. Simply plug the VDS into any Azure environment, secure it with an Azure managed identity and then register as many of your enterprise applications as needed. If the VDS knows about these applications, it will pass Azure provisioning commands to that system, SCIM compliant or not.

  • Workflow-Driven Virtual Directory Services — More than just a “SCIM gateway,” that is, more than just an application that simply passes identity lifecycle commands like – “provision this user” or “add this user to that group” – from one system to another, the EmpowerID VDS treats everything as a workflow. This keeps your business logic in the process. Commands are evaluated by the VDS, which can trigger policies, invoke naming conventions, generate strong passwords and send policy violations for human approval before any final provisioning action occurs. You determine what needs to happen when Azure makes a provisioning call.

  • Fills in Azure AD Provisioning Gaps — Azure is here to stay and so is the shift away from on-premise user directories like Active Directory. Microsoft’s aim is to make Azure AD the central point for authentication, conditional access and MFA. They want you to use Azure AD for all your identity-aware applications. The idea is that you do identity in Azure and Azure then propagates that to your other systems. So, for example, if you provision new users in Azure AD, those users should be provisioned in a connected HR system and vice-versa. Well that sounds about right; however, there is a huge problem: The process is blind to your business logic. When you add EmpowerID to Azure, you fill in these gaps by bringing all the features of EmpowerID to your Azure subscription, including:

    • Cross-System Password Reset

    • Access Certification

    • Compliant Access

    • Role Mining Analytics

    • Delegated Identity Administration

    • End User Email Notifications

 

New EmpowerID Microservices

EmpowerID SCIM Microservice

The EmpowerID SCIM microservice is designed to help you manage your Azure tenants and subscriptions to include licenses and roles. Beyond the licensing challenges associated with Azure subscriptions is the fluid nature of the Azure infrastructure and how quickly new services can be introduced and then decommissioned. This fluidity can make it difficult for security and audit teams to meet their regulatory obligations concerning asset management. The SCIM microservice helps you address both these issues by giving you full visibility and control over both Azure Roles and Azure licenses via Azure License Manager and Azure RBAC Manager. For more information setting up the EmpowerID SCIM microservice in Azure, see Deploy the EmpowerID SCIM Microservice.

IT Shop Microservice

The IT Shop brings a familiar shopping cart experience to the license access request process. Users simply search for the resources they need and add items to their cart. Managers may shop on behalf of their direct reports as part of the onboarding process. When the user is done shopping, they simply submit their request. The workflow engine determines from your organizational rules, what approvals are needed, if any policies would be violated, and who must approve each request or violation. All participants are kept informed by email notifications and all requests, decisions and associated fulfillment actions are recorded and integrated into the audit process.

Figure 5: User Interface for the IT Shop Microservice

Azure Analytics Microservice

The Azure Analytic Microservice provides organizations with intelligent, real-time visual feedback on the drivers of their Azure expenses and the number of licenses being consumed by their organization at any given data point.

Figure 6: Azure License Analytics Dashboard

 

Azure License Manager

Azure License Manager is an licensable module in the EmpowerID Suite that is designed to help organizations inventory their Azure licenses and expenses across multiple Azure tenants for cost reporting and allocation of license expenses within their organization. According to research, of the 200 million Office 365 users Microsoft is reporting, 56% of licenses are inactive, underutilized, over-sized or unassigned. Azure License Manager can help you save up to 50% of your license costs by discovering licenses that fall into that category and automating Azure license management using flexible policies. How does Azure License Manager help with this?

Figure 7: Azure License Manager User Interface

 

  • Gives you an accurate inventory of all your Azure Licenses — Azure License Manager can connect to all your Azure and Office 365 tenants to retrieve a detailed license inventory. You’ll immediate know all your organization’s subscriptions, license counts both allocated, activated, and disabled. You’ll also have an accurate picture of which service plans assigned within the subscriptions are enabled for different user populations. License Manager allows you to enter the negotiated costs for each of your SKUs to enable accurate reporting on actual cost allocations and to identify real savings from unused or nonoptimal license assignments.

  • Helps you allocate responsibility and track costs with License Pools — Azure License Manager can connect to all your Azure and Office 365 tenants to retrieve a detailed license inventory. You’ll immediate know all your organization’s subscriptions, license counts both allocated, activated, and disabled. You’ll also have an accurate picture of which service plans assigned within the subscriptions are enabled for different user populations. License Manager allows you to enter the negotiated costs for each of your SKUs to enable accurate reporting on actual cost allocations and to identify real savings from unused or nonoptimal license assignments.

  • Helps you allocate responsibility and track costs with License Pools — A key challenge in managing Office 365 licenses is the inability to partition a subscription into smaller units to allocate to different business units and geographies within the organization for delegated assignment and cost allocation and tracking. Azure License Manager introduces the concept of License Pools. License Pools are created to subdivide portions of the licenses within a subscription to allocate responsibility and for chargeback reporting. By segmenting your licenses into pools, you’ll be able to track usage and assign costs to each team.

  • Gives you the tools needed for license optimization — Azure License Manager can provide rapid ROI by identifying all your inactive, oversized and duplicated Office 365 licenses and allowing them to be reallocated easily. You’ll be able to see which inactive users are assigned licenses that could be reclaimed and used elsewhere. Azure License Manager also includes the ability to track service plan usage for products like Exchange, Teams, and Yammer. This data can spot users that are “over-licensed,” meaning the services they actually use could be delivered via a less expensive license bundle. Analysis of overspending can quickly save money or identify areas of the business with poor adoption of new technology.

  • Lets you create policies to automate license assignment — Azure License Manager supports the creation of flexible and dynamic policies to automate the lifecycle of license assignment. License bundles from pools can be assigned to users automatically based on almost any criteria such as company, department, location, group membership. As user’s join the organization and transition between departments and roles, Azure License Manager reevaluates assignment policies to always ensure each user has the correct licenses while eliminating costly manual license management tasks. All policy-based assignments provide a wealth of reporting so admins and auditors can see exactly why each user has the licenses they are assigned.

  • Lets users to directly request licenses — Azure License Manager brings a familiar shopping cart experience to the license access request process. Users simply search for the licenses they need and add items to their cart. Managers may shop on behalf of their direct reports as part of the onboarding process. When the user is done shopping, they simply submit their request. The workflow engine determines from your organizational rules, what approvals are needed, if any policies would be violated, and who must approve each request or violation. All participants are kept informed by email notifications and all requests, decisions and associated fulfillment actions are recorded and integrated into the audit process.

  • Secure Deployment Model — Azure License Manager leverages EmpowerID’s Azure AD SCIM Microservice Connector. This microservice is a fully compliant SCIM 2.0 Server to which EmpowerID communicates to inventory and manage your Azure tenant licenses and security. The microservice can be deployed to your tenant as a native Azure App Service. This deployment model enables secure fine-grained Graph API access managed by your security team. The microservice leverages an Azure Managed Identity which eliminates the need to share credentials.

Azure RBAC Manager

Azure RBAC Manager provides auditing, Zero Trust delegated administration, policy-based access assignment, self-service shopping, and access recertification for Azure security. Azure RBAC Manager empowers organizations to maintain an accurate understanding of their Azure security landscape, to optimize its management, and to ensure compliance with an organization’s risk policies. How does Azure RBAC Manager help?

Figure 8: Azure RBAC Manager User Interface

 

  • Reduce risks through increased visibility — One of Azure’s key strengths is the ease with which new services and IT resources can be self-provisioned on the fly. Also, just as quickly these services can be decommissioned. The elastic nature of the Azure infrastructure and these rapid changes make it difficult for security and audit teams to meet their regulatory obligations concerning asset management. Azure RBAC Manager empowers organizations to maintain an accurate understanding of their Azure security landscape, to optimize its management, and to ensure compliance with an organization’s risk policies by continuously monitoring for changes. Azure RBAC Manager continuously inventories the RBAC structure of your Azure tenants including the tenant Root, Management Groups and subgroups, Subscriptions, and Resource Groups. This structure is key to understanding the scope of your Azure Role assignments and their impact. Azure includes 3 very different types of roles including Azure AD “Directory Roles”, Azure RBAC “Resource Roles”, and Azure “Application Roles”. Azure RBAC Manager handles all three types and even reports the individual fine-grained rights granted by each role. Azure Resource Roles can be assigned at any level or scope in the Azure hierarchy, even on individual resources. Azure RBAC Manager inventories even these individual resources like virtual machines, Kubernetes clusters, and SQL databases including any of their direct role assignments.

  • Access Intelligence — The greatest challenge in identifying and managing enterprise risk is understanding the actual business access that the technical entitlements granted to users enable. EmpowerID uncovers the real-world impact of Azure access assignments with a concept known as Business Functions. Business Functions are the business user recognizable terms for the activities performed by users with the access they are granted. EmpowerID ships with a large library of function definitions for Microsoft Azure. These functions add transparency to the fine-grained access assignments granted by out of the box and custom Azure Roles. Process owners and application owners may also use the Function mapping tools in EmpowerID to define additional Functions based on your Azure permissions.

  • Least Privilege Delegated Role Management — With Azure RBAC Manager you gain secure controlled delegation of access management for Azure roles and resources without being required to grant overly broad roles or to grant access to the Azure Portal or Office 365 Admin interfaces. Entitlement managers can see and manage access assignments in one place for all their Azure roles and resources across any number of tenants and environments. Entitlement managers can even delegate access management to non-technical owners to manage access using a non-technical interface. The EmpowerID risk engine ensures delegated admins grant only “Compliant Access” which is position appropriate and does not violate an organization’s risk policies.

  • Just in Time Temporary Privileged Access — A just in time and just enough administrative access infrastructure can dramatically increase an organization’s overall security by shrinking their attack surface and risk profile. Users require privileged access when performing administrative duties, but permanent access can invite misuse. A just in time privileged access system grants temporary access to decrease risk. With Azure RBAC Manager, business users and admins can request temporary elevation of their own privileges on demand. Azure Roles and entitlements can be shopped for using a shopping cart system to request access. The workflow engine determines from your organizational rules, what approvals are needed, if any policies would be violated, and who must approve each request or violation. All participants are kept informed by email notifications and all requests, decisions and associated fulfillment actions are recorded and integrated into the audit process.

  • Define and Manage Custom Granular Roles — Azure RBAC Manager supports managing and creating custom Azure Roles. Custom roles can be useful to define least privileged bundles of access whose scope is limited to specific resources or subscriptions. Azure RBAC Manager allows entitlement managers to request custom roles and be responsible for their assignment.

  • Role Ownership Management and Recertification — A security challenge that develops over time is understanding why roles and role assignments were initially created, by whom, and if they are still needed. Azure RBAC Manager provides automated processes to identify new roles and assignments, to assign ownership responsibility, to track their usage, and to allow periodic recertification. Recertification ensures that access which is no longer required is eliminated and least privilege principles are maintained.

  • Secure Deployment Model — Azure RBAC Manager leverages EmpowerID’s Azure AD SCIM Microservice Connector. This microservice is a fully compliant SCIM 2.0 Server to which EmpowerID communicates to inventory and manage your Azure tenant licenses and security. The microservice can be deployed to your tenant as a native Azure App Service. This deployment model enables secure fine-grained Graph API access managed by your security team. The microservice leverages an Azure Managed Identity which eliminates the need to share credentials.

Azure Native Authentication

EmpowerID can be configured to allow users to authenticate to EmpowerID and single sign-on (SSO) into other applications to which EmpowerID serves as an Identity Provider using their Azure credentials. Once a user authenticates and does SSO to other Service Provider applications such as Salesforce or ServiceNow, that user can seamlessly sign out of all applications simply by signing out of one. The flow for both of these scenarios looks as follows:

Login Scenario — The user goes to SP1 and lands on the EmpowerID Login page for authentication. The user selects Azure Native Auth. Subsequently, the user performs single sign-on into SP1, SP2 and SP3.

Figure 9: Azure Native Authentication Login Flow

 

Logout Scenario — The user logs out of SP1 and multiple logout requests/responses are exchanged between EmpowerID, Azure Mutli-tenant IDP and the service providers.

Figure 10: Azure Native Authentication Single Logout Flow

 

The single log out flow from the above image is as follows:

  1. SP1 sends logout request to EmpowerID.

  2. EmpowerID sends logout request to Azure.

  3. Azure sends logout response to EmpowerID.

  4. EmpowerID sends logout request to SP2.

  5. SP2 sends logout response to EmpowerID.

  6. EmpowerID sends logout request to SP2.

  7. SP3 send logout response to EmpowerID.

  8. EmpowerID sends logout response to SP1.

 

EmpowerID Mobile App for MFA

The EmpowerID Mobile App provides multi-factor authentication (MFA) and chatbot help. The authentication feature provides both push and passcode authentication. You can download the app from the Google Play Store and the Apple App Store for Android and iOS, respectively. You can register multiple devices to your EmpowerID account and you can register multiple accounts to the same device.

Figure 11: EmpowerID Mobile Push Notification

 

Enhancements

Customizable Navbar

The object-focused navbar in previous releases of EmpowerID has been simplified and reordered to present users with a less technical, more modular interface. Organizations can further enhance the user experience and completely customize the navbar without needing to write any code or maintain a complicated overrides structure. Simply enable one or more of the NavBarSection EmpowerID system settings, localize the text for that section and define the appropriate Noun and Verb. And if you prefer the old object-focused navbar, you can bring it back by toggling a single system setting.

For more information, see Customizing the Navbar.

Figure 12: Customizable Navbar

 

Passwordless Login

In EmpowerID, Passwordless login is a type of multi-factor authentication (MFA) that you can apply to Password Manager Policies to allow users with the policy to skip the password and login using only their EmpowerID user names or email addresses. This simplifies the login process for users by not requiring them to remember their passwords, while making their accounts more secure through multi-factor authentication.

To login using Passwordless login, users click the Passwordless Login link on the login page. This initiates the Passwordless Login MFA workflow, which asks the users to submit either their user names or passwords. The workflow looks at the Password Manager Policy associated with those users—and based on the Passwordless Login MFA settings of that policy—asks each user to authenticate using one or more of the MFA types set for the policy until they reach the required number of MFA points to login.

Figure 13: Passwordless Login Feature

T-RBAC Management Roles

The old Management Role model, which included roles that granted broader access to resources—such as the Enterprise IT Administrator Management Role—has been replaced with a more granular and functional set of Management Roles known as T-RBAC or Task-Based RBAC. In this new model, roles are prefixed by their function in EmpowerID and include the following:

  • UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role is the UI-Computer-PAM-User-Full-Access Management Role. This role grants access to the user interfaces and workflows for requesting PSM access to computers. The Management Role Definitions for these UI- workflows grant access to call the API endpoints used by the user interfaces.

  • VIS — Management Roles prefixed with VIS grant users the ability to see specific objects (Object level visibility) in EmpowerID. An example of this type of role is the VIS-Computer-MyLocations Management Role. This role grants access to see computers that belong to same location as the person with the role. Most security sensitive objects are now not visible by default. Default visibility filter policies assign “No Access” requiring access to be granted (secure by default).

  • ACT — Management Roles prefixed wtih ACT grant users the ability to manage specific objects (perform activities) in EmpowerID. An example of this type of role is the ACT-Computer-Shared-Credential-Assigner-MyLocations Management Role. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.

These types of roles extend to every resource type protected by EmpowerID, allowing administrators to tightly delegate what users can and cannot do in the system.

Redesigned Resource View Pages

The View pages that users see when looking at the details for a given resource have been completely redesigned to present users with a more visually appealing and intuitive experience. Figure 14 below shows View page for a person that users see when viewing information about a person in EmpowerID.

Figure 14: Person View Page

 

 

New and Improved Integrations

Enhancements for Office 365 Hybrid Mode

The EmpowerID Office 365 connector provides support for organizations migrating user mailboxes from on-premise Exchange to Office 365 using DirSync. In those situations, EmpowerID uses RET policies to provision Active Directory accounts synced to Office 365 user accounts and sets Remote Mailbox Enabled for those AD accounts. In this way, EmpowerID prevents Active Directory from creating on-premise Exchange mailboxes for those users.

Support for Remote Integrations (Requires Cloud Gateway)

All account stores with local directories, such as Active Directory, LDAP, SAP, etc., can be inventoried and synchronized with EmpowerID via the cloud by enabling the Is Remote (Requires Cloud Gateway) setting for those account stores. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store.

Figure 15: Remote Integration for on-premise Account Stores

EmpowerID Orchestration Pack for ServiceNow

The EmpowerID Orchestration Pack for ServiceNow provides ServiceNow process designers with workflow activities, web services, and example workflows to embed EmpowerID capabilities within their ServiceNow business processes. Example workflows included in the orchestration pack include those listed below. These example workflows can be used as is in production, but are intended to be leveraged by ServiceNow process designers in existing and future workflows.

  • New Hire — Allows for the creation of a new ServiceNow user account and a corresponding EmpowerID Person linked to that account

  • Add User to Group — Allows for adding and removing ServiceNow users to and from AD groups.

  • Request Management Role — Allows for adding and removing ServiceNow users to and from EmpowerID Management Roles.

  • Reset Password — Grants users the ability to reset their EmpowerID passwords in ServiceNow. Password resets originating in ServiceNow are synchronized to the EmpowerID Person and any AD user accounts linked to that ServiceNow user.

In addition, the Orchestration Pack provides the ability to integrate an AI-powered chat bot virtual assistant, the EmpowerID Bot (shown in the below image), into ServiceNow. With the bot, users can perform secure self-service, such as resetting their passwords, at any time within the ServiceNow portal.

Figure 16: EmpowerID Chatbot for ServiceNow

VMWare ESXI Servers

The ESXi connector allows organizations to bring the user, permissions, and roles data in their stand-alone VMware ESXi systems to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

  • Create new users

  • Edit user attributes

  • Delete users

  • Create new roles and permissions

  • Manage roles and permissions membership

  • Delete roles and permissions

For more information, see Connecting to VMWare EXSi.

Web Page Designer

Workflow Studio include a new Page Designer that allows you to design your own web pages using the same objects used in many existing EmpowerID pages:

Design Elements

  • Grids

  • Tabs

Data

  • Stored Procedures (Methods)

  • Parameters

User Input Controls

  • Advanced Search Panels

  • Trees

Each offers choices that you can customize to create exactly the page that you need. For more information, see Page Designer Overview.

Workflow Studio Enhancements

GIT Source Control

All workflow binaries have been migrated from database format to file format as Workflow Studio now uses GIT for source control. This change increases performance for the EmpowerID SQL Server-based Identity Warehouse, as well as gives organizations the ability to take advantage of the modern DevOps model and practices, which include continuous delivery, frequent deployments and automation. Workflow Studio developers can make file changes and immediately share those changes with other team members, where they can be tested and integrated into the production environment more quickly and efficiently than was possible using SQL Server as source control.

Azure Blob Support

Workflow instance data can now be stored in Azure blob instead of the EmpowerID Identity Warehouse. This reduces the amount of data being stored in the database, which provides much faster response times—especially when using EmpowerID hosted in Azure. This build includes two new configuration settings that allow you to make the switch.

  • WorkflowDataFactory — This setting specifies the storage location for workflow instance data. There are two possible values, SQL and Azure.

  • AzureWFDataConnectionString — This setting is for specifying the Azure Storage connection string.

Workflow Studio Items Can Now Be Edited in Visual Studio

All Workflow Studio class libraries can now be edited in either Workflow Studio (WFS) or Visual Studio (VS). This allows Workflow Studio developers who prefer Visual Studio to use the whole functionality of Visual Studio when writing a class library. Changes made to class libraries in Visual Studio appear when those same libraries are opened in Workflow Studio and vice-versa.

For more information, see Editing Class Libraries in Visual Studio.

Custom REST API Endpoints

Developers can now create secure custom REST API endpoints in Workflow Studio. For more information, see Creating Custom REST API Endpoints.

Easier Access to Important Aggregate Data

Many of the pages in the EmpowerID application have been modified to include new tabs and accordions to provide admins with easier access to relevant aggregate information. For example, managers and other delegated users can click the Report tab on the Person View page to view detailed resource ownership and access information for that person.

Enhanced Cloud Gateway Client for SaaS

The EmpowerID Cloud Gateway enables your EmpowerID Cloud SaaS tenant to inventory and manage your on-premise systems without requiring ports to be opened on your firewall. The Cloud Gateway is a lightweight client that can be installed on a Windows desktop or server machine in your on-premise network. The Cloud Gateway client then makes a secure and encrypted outbound HTTPS connection to an EmpowerID queue in Azure as a bridge for communication between the EmpowerID Cloud servers and your on-premise network. You can install multiple Cloud Gateways on-premise for fault tolerance and increased performance.


Additional Features or Enhancements

Feature or Enhancement

Description

Feature or Enhancement

Description

Security Enhancements

EmpowerID-1808

As a security admin, I want it to be clear which operations are required to check out a cred for PSM to a computer and to allow approvers to approve without having this same access. For more information, see PAM Management Roles.

EmpowerID-1774

As a security Admin, I would like to identify groups that contain only disabled or expired users so I can clean them up.

EmpowerID-1989

Bot: As an end user I would like to be able to share and unshare a secret with others.

EmpowerID-1819

As an end user, I would like an easy to use interface for checking out vaulted passwords.

EmpowerID-1670

As a security admin, I would like to view any/all user agreements a person has agreed to and the version number.

EmpowerID-1612

As a security admin, I would like to easily assign Business Roles and Locations to Management Roles.

EmpowerID-1192

As a security admin, I would like a simple report grid showing all RBAC assignments to a Management Role.

EmpowerID-961

As a security architect, I would like to control who may make REST API calls for which EmpowerID components and views using RBAC security.

EmpowerID-933

As a security admin, I would like to run the EmpowerID Windows Services and App Pools as Group Managed service Accounts.

EmpowerID-928

As a security architect, I would like to be secure by default not allowing computer objects to be seen unless a person has a management role explicitly allowing it.

EmpowerID-927

As a security architect, I would like to be secure by default not allowing group objects to be seen unless a person has a management role explicitly allowing it.

EmpowerID-926

As a security architect, I would like to be secure by default not allowing account objects to be seen unless a person has a management role explicitly allowing it.

EmpowerID-849

As a security admin, I would like to ensure that passwords for Windows Services and app pools are rotated on a scheduled basis and updated/recycled automatically.

EmpowerID-511

As a security admin, I would like to grant the RBAC Actor set as the OwnerAssigneeID for a resource an RBAC Access Level for that resource.

EmpowerID-465

As a security admin, I want to ensure that each application using the login framework is recognized as its own OAuth application.

EmpowerID-304

As a security admin, I would like EmpowerID to run in a least privilege secure configuration.

EmpowerID-277

As an admin, I would like to schedule a password reset for an account and have it update all Services and App Pools with the new password.

SSO and Login Enhancements

EmpowerID-1950

As a customer, I would like to login using my Azure AD as the IdP.

EmpowerID-1994

As an SSO Admin, I would like to see and manage MFA Devices.

EmpowerID-1990

As an end user, I would like to use the passwordless login when logging in through the Oath IdP.

EmpowerID-1748

As a privileged user, I would like to be able to edit my own email address in EmpowerID.

EmpowerID-1713

As an EmpowerID Admin, I would like to see all relevant configuration information in one page for an account store and its associated resource system.

Integration Enhancements

EmpowerID-1199

As an EmpowerID Admin, I would like to create a Linux account store connection in the web.

EmpowerID-838

As an EmpowerID Admin, I want to create an LDAP account store.

EmpowerID-438

As an EmpowerID Admin, I would like to create a Custom Connector account store connection in the web.

EmpowerID-129

As an EmpowerID admin, I want to inventory and manage my on-premise Active Directory from a Cloud or off network EmpowerID instance.

EmpowerID-91

As an EmpowerID admin, I would like to create a Salesforce.com account store connection in the web.

EmpowerID-87

As an EmpowerID admin, I would like to create a Universal Connector account store connection in the web.

Workflow Studio Enhancements

EmpowerID-1336

As an EmpowerID Admin, I would like Workflow Studio to write-out design data of items to files/folders, allowing me to integrate with any source control system.

EmpowerID-1330

As an EmpowerID developer, I would like to be able to display data on forms using a radio button control.

EmpowerID-1312

As an EmpowerID developer, I would like to know how to dynamically add activities to my workflow via code at runtime to simplify it and allow it to be fast

EmpowerID-382

As an EmpowerID workflow developer, I would like the mobile app to display messages I send to the user when approving a signing request.

EmpowerID-381

As an EmpowerID developer, I would like to easily generate push signing requests and use the response in my operations.

EmpowerID-379

As an EmpowerID developer, I would like to easily be able to generate a push notification in workflows, jobs, etc., for signing approval.

EmpowerID-374

As an EmpowerID developer, I would like to develop back-end workflows to perform the fulfillment for front-end workflows that write to a queue.

EmpowerID-373

As an EmpowerID developer, I would like to process workflows on a back-end system retrieved from a queue.

EmpowerID-372

As an EmpowerID developer, I would like my workflow operations to write to a queue for back-end system processing.

EmpowerID-371

As an EmpowerID developer, I would like an easy to use framework for developing queue-based workflows and jobs.

EmpowerID-362

As an EmpowerID Developer, I would like to ensure the authenticity of workflow requests that I'm passing to back-end services and queues by signing them using a server/application certificate.

EmpowerID-309

As an EmpowerID developer, I would like to create custom WF activities with pre-defined line rules to make it easier to use my activity in workflows.

EmpowerID-286

As an EmpowerID developer, I would like to easily add MFA to any workflow process. For more information, see Adding Multifactor Authentication to Workflow Processes.

User Interface Enhancements

EmpowerID-939

As an EmpowerID Admin, I would like to be able to edit the language-specific translations interactively within the EmpowerID user interface

EmpowerID-912

As an EmpowerID installation engineer, I would like to configure the Core Identity Inbox settings. For more information, see Setting up Core Identities.

EmpowerID-863

As a system admin, I would like to see the extension attributes for a computer on its View One page

EmpowerID-369

As an EmpowerID project engineer, I would like better reporting of any data migration

EmpowerID-303

As an admin, I would like to see all the user accounts owned by a person on their View One page, even those from their other Person objects that are linked to the same core identity

PAM / PSM Enhancements

EmpowerID-274

As an admin, I would like to create a new account and link to an existing computer for privileged session management

EmpowerID-273

As an admin, I would like to create a new shared credential and linked computer object in a single process

EmpowerID-271

As an admin, I would like to convert multiple accounts to be managed as shared credentials

EmpowerID-77

As an EmpowerID system admin, I would like to easily deploy my PSM solution as a set of Docker containers.

Additional Changes for Version 7.151.0.7799 and later

SAP Connector

  1. Inventory behavior has changed to use overlapping-pagination instead of retrieving all table data at once for each SAP table. This change has led to overall optimization of memory and greater stability in large environments

  2. Trailing and leading white spaces in usernames are now ignored, as these sort of data-entry errors violate security best-practices (by making the erroneous username indistinguishable from its valid record in the EmpowerID UI).

It is highly encouraged that these type of data-issues be cleaned-up to prevent indistinguishable entries and inaccurate reporting.

Deprecated Features

The EmpowerID Management Console has been removed. All configuration settings can now be set in the Web application.