IAM Shop Permission Levels in EmpowerID represent permissions for specific resources in native systems, such as shared folders, mailboxes, computers, and Privileged Session Manager sessions. Organizations can configure these permission levels to grant particular permissions to resources, like "read-only" access for a shared folder or "local admin" access for a computer.
When users request access from the IAM Shop to a resource configured with IAM Shop Permission Levels, they can now select their desired permission level, as demonstrated in the below image. This enhancement makes the access management process more transparent and efficient.
To illustrate, if a user requests computer access, they might see “Local Admin” and “Domain Admin” as permission level options. These levels map to specific groups in the native system that provide the related permissions. If the user chooses “Local Admin,” EmpowerID grants this access by adding the user to the group with local admin rights on the computer. This feature streamlines access requests, making it easier for users to obtain the right permissions for their needs.
With this release, Privileged Session Manager (PSM) has been significantly improved to support the following:
Telnet Session Support: The Privileged Session Management (PSM) feature of EmpowerID now accommodates Telnet sessions, broadening its compatibility with a variety of operating systems, including Linux, Windows, macOS, and other Telnet-capable devices. Note that Telnet itself carries credentials and session data in cleartext, so the network path between the PSM gateway and a Telnet target should be confined to a trusted, isolated segment, with the PSM session recording providing the audit trail.
Real-Time Session Monitoring: We've added a session monitoring functionality to the platform, enabling users to track and monitor the status of PSM applications, encoders, and uploaders in real time. This feature empowers users to ensure optimal performance, detect potential issues, and take proactive steps for a seamless user experience.
PSM Workflow Improvements: A range of enhancements have been implemented to streamline the PSM workflow, making it more efficient, secure, and resilient. The revised workflow includes the following steps:
Check "UseExistingAccountIfPresent" Property: The system first checks whether the computer has the "UseExistingAccountIfPresent" property set. If the property is not set on the computer, the value is taken from the "AccessRequestPolicy."
User Account Search: If "UseExistingAccountIfPresent" is true, the system searches for the person's user account in the local computer's account store and in the Active Directory (AD) account store. If accounts are found in both (a rare case), the account in the account store that the "JITLocalAdminGroupID" group belongs to is selected.
Find Personal Credential: The system then looks up the personal credential for the selected account, matching the account's GUID against the "AccountGUID" column of the ExternalCredential table.
Handling of Personal Credential: If no personal credential is found, a temporary account is created in the account store that the "JITLocalAdminGroupID" group belongs to. Such accounts are treated as orphan accounts and are deleted after the PSM session ends, subject to the "JITDeletePSMAccount" setting. If the personal credential is found, the "JITLocalAdminGroupID" group is added to that account in the external credential store (ExternalCred) for the duration of the session; after the session ends the group is removed from the account, but the account itself is not deleted.
Create Temporary Account: If "UseExistingAccountIfPresent" is false, a temporary account is created in the account store associated with the "JITLocalAdminGroupID" group, and that account is deleted after the PSM session ends.
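The decision flow above, written out as a small Python model so the branches and their cleanup obligations can be checked end to end. This is an added illustration, not EmpowerID code: the dataclasses, the in-memory "tables", the store-name prefixes ("LOCAL:", "AD:") and the function and field names are assumptions that mirror the prose; the product keeps these in its database and account stores.

```python
"""Model of the PSM account-selection flow (added example, not EmpowerID code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    guid: str
    account_store: str  # assumed naming: "LOCAL:<host>" or "AD:<domain>"


@dataclass
class Computer:
    name: str
    jit_local_admin_group_id: str
    jit_group_store: str  # account store the JIT local-admin group belongs to
    use_existing_account_if_present: Optional[bool] = None  # None: property absent


@dataclass
class AccessRequestPolicy:
    use_existing_account_if_present: bool = False


@dataclass
class SessionPlan:
    account_guid: str
    account_store: str
    temporary: bool
    group_added: bool
    cleanup: str  # "delete_account" | "remove_group" | "leave_orphan"


def _temporary(computer: Computer, cleanup: str) -> SessionPlan:
    # Temporary account lives in the store of the JITLocalAdminGroupID group.
    guid = f"psm-temp-{computer.name}"  # constructed identifier for the model
    return SessionPlan(guid, computer.jit_group_store, True, True, cleanup)


def resolve_session_account(
    computer: Computer,
    policy: AccessRequestPolicy,
    person_accounts: List[Account],
    external_credentials: Dict[str, str],  # AccountGUID -> credential id
    jit_delete_psm_account: bool = True,    # the JITDeletePSMAccount setting
) -> SessionPlan:
    # Step 1: computer property wins; fall back to the AccessRequestPolicy.
    flag = computer.use_existing_account_if_present
    if flag is None:
        flag = policy.use_existing_account_if_present
    if not flag:
        # Step 5: no reuse requested, so create and later delete a temp account.
        return _temporary(computer, "delete_account")

    # Step 2: look in the computer's local store and in the AD store.
    local = [a for a in person_accounts if a.account_store == f"LOCAL:{computer.name}"]
    ad = [a for a in person_accounts if a.account_store.startswith("AD:")]
    candidates = local + ad
    if not candidates:
        # No existing account at all: same path as "credential not found".
        cleanup = "delete_account" if jit_delete_psm_account else "leave_orphan"
        return _temporary(computer, cleanup)
    if local and ad:
        # Both found: prefer the account in the JIT group's own store.
        chosen = next(
            (a for a in candidates if a.account_store == computer.jit_group_store),
            candidates[0],
        )
    else:
        chosen = candidates[0]

    # Step 3: personal credential keyed by AccountGUID in ExternalCredential.
    if chosen.guid not in external_credentials:
        # Step 4a: no credential, so provision a temp (orphan) account.
        cleanup = "delete_account" if jit_delete_psm_account else "leave_orphan"
        return _temporary(computer, cleanup)

    # Step 4b: credential found; add the JIT group for the session only and
    # remove it afterwards, keeping the person's account intact.
    return SessionPlan(chosen.guid, chosen.account_store, False, True, "remove_group")


if __name__ == "__main__":
    host = Computer("host01", "grp-123", "LOCAL:host01", True)
    accounts = [Account("g-local", "LOCAL:host01"), Account("g-ad", "AD:corp.example")]
    creds = {"g-local": "cred-7", "g-ad": "cred-8"}  # constructed sample rows
    print(resolve_session_account(host, AccessRequestPolicy(), accounts, creds))
```

The plan's cleanup field is the part worth auditing: with JITDeletePSMAccount disabled, the "leave_orphan" branch leaves a local-admin-capable account behind after the session, so those orphans should be inventoried and reviewed, and the "remove_group" branch should be verified against the native group membership after each session rather than trusted from the workflow state alone.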
This release includes significant updates to EmpowerID’s microservice applications.
Resource Admin
Improved Views: In our ongoing efforts to improve user experience, we've added new listing and details views for applications in the Resource Admin to include the following:
App Management Role Details: We've added a Details view for application Management Roles. This provides users with improved visibility about the App Management Roles associated with an application.
Claims Mapping Policies: Users can now view a list of all claims mapping policies and their details for a given application.
Role Definitions: Users can effortlessly view a list of Role Definitions, assignments, and their details in Resource Admin from the context of a specific application.
App Rights: Improved visibility of App Rights is now available in Resource Admin. Users can view the details of app rights from the context of a specific application, as well as the app right membership details for people they are allowed to see.
PBAC Definitions: We've made it easy for users to view the PBAC definitions for a selected application.
Additional Detail Viewing: Users can now view additional details on their screens to enhance the visibility of data related to Management Roles. The newly added "Access Granted" tab in the Management Roles section allows users to easily view the access granted to a Management Role from its details page. Furthermore, the new "Eligibility" tab lets users view the eligibility status of the Management Role directly from the details page.
Full Management of Shared Folders: We've expanded our Resource Admin functionality to fully manage shared folders for inventoried Windows servers. This includes creating, deleting, and editing shared folders.
Mailbox Management: To simplify mailbox management, users can now easily access and manage mailboxes within the Resource Admin interface. Resource admins can efficiently assign individuals to designated mailboxes, modify mailbox permissions, and execute other mailbox management tasks.
Enhancements to Workflow Studio include the following:
Removed dependency on Microsoft Edge for Workflow Studio login. Workflow Studio now uses modern authentication with front-channel flow for better accessibility.
Introduced a fulfillment workflow template for Business Requests, simplifying request management.
BotFlow can now pin resources. A pinned resource stays selected across multiple actions or workflows, so the user does not have to select or enter the same resource repeatedly. Pins in bot flows can be either temporary or permanent.
Added a Workflow Activity for ChatGPT, facilitating smoother integration and communication with ChatGPT within EmpowerID.
Incorporated a new Workflow and Bot flow for interacting with ChatGPT in EmpowerID and the Bot, respectively.
Updated the user interface of Workflow Studio to give it a more modern and contemporary look.
Revamped and modernized baseline configuration and integration for AvaloniaUI, delivering an improved and contemporary user interface experience.
A new LowCode/NoCode panel has been implemented utilizing the AvaloniaUI framework, resulting in improved functionality and a more user-friendly experience.
Added support for developing workflows and integrations for SAP BAPI.
Introduced a new Workflow Activity that allows calling any BAPI function and executing the result, broadening the scope of workflows and integrations.
With the LowCode UI, values can be set at design time or run time from the BAPI structure, increasing customization and adaptability.
The Repeater sections in Workflow Studio forms have been updated to include Add, Edit, and Delete options in addition to displaying records in a card UI, which was already a feature. This allows for greater flexibility in design for developers and a better UI experience for the end users.
Rehire Capability in Advanced Leaver: We've added rehire support to the Advanced Leaver feature. This is particularly useful when an individual rejoins the organization after a previous departure. The rehiring process involves restoring a previously deleted person object and its associated access provisions, contingent on certain criteria being fulfilled. The workflows for rehire support automatically restore the person, reapply attribute flow to all accounts, and generate a restoration task for manual approval.
Time-Based Escalation for Recertification: The recertification feature now includes a Time-Based escalation, enhancing flexibility and control in the Business Roles review process. For instance, an automatic escalation request is sent to the Digital Access Governance Manager if a review has been pending for a month. If there is no response within six months from the initial review request, the system will automatically remove the business role and initiate the deprovisioning of related accesses. Users can now configure settings to manage notification and escalation timing and actions.
New Relative Delegations: Administrators now have the ability to set up relative delegations for Locations within their organization. This extends the capacity to delegate visibility and responsibility to business locations at the organization level. In response to the need for greater flexibility in configuring delegations, we have broadened delegation capabilities for administrators.
Expiring Access Notifications: Our Notifications engine now includes an option to alert users about impending access assignment expiry via email, specifying resource details and the expiration date.
Google reCAPTCHA Upgrade: We've upgraded to Google reCAPTCHA v3, enhancing security and user experience. Users no longer solve CAPTCHA challenges; instead, reCAPTCHA v3 returns a risk score for each interaction based on user behavior, so risky requests can be detected without an interactive challenge.
Azure Group Account Membership Management Enhancement: This release introduces a significant enhancement to Azure AD group account membership management with the transition to a queue-based model, increasing efficiency and reliability.
Exchange Mailbox Audit Settings Sync: EmpowerID now periodically retrieves and syncs audit settings from Exchange Mailbox, ensuring the consistency of audit settings between EmpowerID and Microsoft Exchange Online.
Resolved Issues
We have addressed several issues in this release:
A problem with the Function Access report's general search functionality has been rectified, enabling search by Function Friendly Name.
Missing functionality in the My Requests view of the My Tasks application has been implemented to filter My/All Requests by Request Status changed Dates.
Missing functionality in Privileged Session Management (PSM) MFA authentication has been addressed to correctly recognize SMS authentication.
Enhancements have been made to the "Owned by" filter in the IAM Shop group context to improve usability. The default value will now be "Myself" if a user doesn't have access to the filter and "anybody" if they do.
The date filter “Request Status Changed Dates” in the My Tasks application now validates that the start date is not later than the end date, ensuring accurate filtering results.
For PSM, we've resolved an issue affecting PSM video recordings, where the recording length differed by a few seconds from the actual session duration. Now, timestamps accurately mirror the correct recording length.
For PSM, we've improved the session management capabilities of the UI, which handles instances when the workflow screen times out and displays the EmpowerID login page. We've added handlers for the 'userUnloaded' event, supplementing the existing 'userSignedOut' event handler, for effective session timeout management.
We've resolved an issue where users reported an intermittent loss of the CTRL key functionality during PSM sessions, preventing them from using associated key combinations. With this fix, users should no longer experience the loss of CTRL key functionality.
IAM Shop
Updated the manage access tab in the application context of the IAM shop to include more details regarding App Rights, App Management Roles, and Role Definitions.