Release Notes for EmpowerID Build 7.211.0.0

We are pleased to announce the release of EmpowerID Build 7.211.0.0, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:

Connectors

GCP Connector

The GCP Connector has been extended in this release with additional capabilities for inventorying and managing Google Cloud Platform (GCP) identities and groups.

The GCP Connector currently offers the following features:

  • Inventory of standard, service, and guest accounts with incremental and full inventory support.

  • Inventory of groups with incremental and full inventory support.

  • Inventory of group memberships for all account types with incremental and full inventory support.

  • Inventory of nested groups under a parent group.

  • Create, update, disable, and delete standard accounts.

  • Enable, disable, and delete service accounts.

  • Create, update, and delete groups.

  • Provisioning accounts through EmpowerID Resource Entitlements.

  • Resetting passwords for GCP accounts.

  • Handling group membership additions, removals, and ownership changes for all account types.

  • Assigning group memberships to accounts through Management Role (RBAC) assignments.

Microservices

EmpowerID Announcements (Notifications)

We have implemented a notification system across all our microservices to inform end-users about important updates and events related to EmpowerID. This system is designed to provide personalized notifications based on user preferences and predefined policies. Users will receive notifications for important events such as planned maintenance, changes in system status, and custom events.

To manage the notifications, administrators will use the EID Announcements Workflow Wizard. This tool allows them to create, edit, and delete notifications and policies, ensuring efficient user communication. Administrators can create announcements with titles, bodies, and banners/popups, which can be scheduled and may require acknowledgment or serve as one-time messages. These announcements are visible across all registered applications and tailored to target audiences. The Announcement component centralizes date ranges, content, tracking, and prioritization and supports localization.


IAM SHOP

Person Search Functionality

Users can now search for a person by several criteria, such as email, first name, last name, full name, and login name, during the Shopping for Someone Else process in IAM Shop. In this shopping mode an expanded search box is shown, so users can enter the details needed to locate the correct person. This makes the search both more flexible and more precise.


Activate Now for Applications in Request Access Screen

The Request Access and Manage Access screens now display an Activate Now button for pre-approved application roles (appRoles), role definitions (RoleDefs), and management roles (ManagementRoles) when the SkipBRIfPreApproved policy is set to true. Users can then activate these roles without an additional approval step. The Manage Access screen also now lists all pre-approved roles assigned to the user, regardless of the application's eligibility status.

A new EnableEligibility property has been added to indicate that if an application is pre-approved or eligible, all granular roles under it will also be considered pre-approved/eligible and displayed accordingly. This update streamlines the activation process, improves user experience, and provides greater transparency of access rights.

Process Steps with Descriptive Information

Users can now understand the purpose of each process step by viewing its description, which is read from the 'LocalizedBusinessRequestItemTypeActionFriendlyName' field in the database. When designing No Code Flows, administrators can supply these descriptions so that users know exactly what each step does before they proceed.

Added Instructions while Requesting Access to an Application

We have added a feature that lets users view instructions when requesting access to an application through IAM Shop. Users can now find helpful instructions regarding appRoles, appRights, and appManagementRoles while shopping for access.


Enhanced Visibility into the Credential Type of Azure App Secrets

A 'Credential Type' column and a matching filter have been added, so users can identify and distinguish the different kinds of credentials held by an Azure application. This gives users the context they need when reviewing, rotating, or removing app secrets.

Split Business Request by Field Type Value of AZLocalRight

If the Split Business Request by Field Type Value setting is enabled at the AZLocalRight level, routing approvals will be required based on each field type value. This means that there will be a separate item in the business request for each field type value, and as a result, the shopping cart will have as many items as there are field type values.

OnboardAZ Global Function Workflow

In this release, we have introduced a new workflow for managing global functions. Users can now select ‘Global Rights,’ create new global functions, and map rights accordingly. This enhancement streamlines the process of managing global permissions, making it more efficient and user-friendly.

Generate Local Function Mapping Policy Workflow

In this release, we introduced a workflow, GenerateLocalFunctionMappingPolicy, designed to simplify the creation of Local Functions and Rights Mapping Policies. This workflow automatically generates Local Functions for each resource system type based on Global Functions and their mapped rights. Users can configure whether to consolidate all rights into one policy per Local Function or create separate policies for each right.

Onboard Az Local Function Policies Workflow

In this release, we're introducing the "OnboardAzLocalFunctionPolicy" workflow, which simplifies generating Rights Mapping Policies for selected rights and is particularly suited to systems such as Azure. Users choose multiple rights and either consolidate them into one Rights Mapping Policy or create an individual policy for each right. Note that this workflow does not yet support selecting field-type values for rights.


Added a Pre-Approved Filter for AzureRoles

We've introduced a Pre-Approved filter in both the Request Access and Manage Access screens for AzureRoles, so users can quickly find and manage the AzureRoles that are pre-approved for them.

FreeTextMultiValue Control Type for PBAC Field Type

We have added the FreeTextMultiValue SelectionRule/Control type for the PBAC field, which lets users and administrators add any key/value pairs. This is helpful when there's no predefined list of options and a sequential range doesn't fit. For example, it allows users to specify company codes for which they have the ApprovePurchase order permission without needing a predefined list of company codes.

Resource Admin

The Resource Admin microservice has received several updates aimed at better control, flexibility, and efficiency when managing resources. Details of each update follow.

Improved Caching Mechanism for Faster Retrieval of Locations Data for Groups/Management Roles

Implemented an enhanced caching mechanism to optimize data retrieval for Locations associated with Groups/Management Roles. This improvement significantly improves the speed of fetching data, enhancing user experience.

Field Type Management for PBAC Application

We have added the ability for Resource Admins to directly add, edit, and delete field types within the application details interface for PBAC-supported applications.


Enhanced PBAC Approver Resolution for AzLocalRole Assignments

This update introduces an enhancement to the PBAC system, extending the rule for resolving approvers from PBAC Right assignments to AzLocalRole assignments. By mapping approval rights to AzLocalRight and AzLocalRole, the system automatically identifies approvers based on specified criteria, such as possessing the approval right for the local right or role specified in the Business Request Item. This streamlined approach ensures that only direct assignees with the necessary qualifications are considered approvers, simplifying the approval process and enhancing user experience.
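The approver-resolution rule above, worked through as an added example (this is illustrative code, not EmpowerID's implementation). A Business Request Item names an AzLocalRight or AzLocalRole; a mapping table says which approval right governs that target; the approvers are the people who hold that approval right by direct assignment. The data model, the field names, the sample people and rights, and the separation-of-duties check that keeps a requester from approving their own item are all assumptions made for the example.

```python
"""Added example: resolving PBAC approvers for AzLocalRight/AzLocalRole
business request items. Not EmpowerID code; all names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Assignment:
    assignee: str   # person identifier (constructed)
    target: str     # name of an AzLocalRight or AzLocalRole held by the assignee
    direct: bool    # True = assigned directly; False = held via a group/role (inherited)


@dataclass(frozen=True)
class BusinessRequestItem:
    requester: str
    target_kind: str   # "AzLocalRight" or "AzLocalRole"
    target: str        # the right or role being requested


def resolve_approvers(
    item: BusinessRequestItem,
    approval_right_map: Dict[str, str],
    assignments: List[Assignment],
) -> Set[str]:
    """Return the set of people who may approve `item`.

    approval_right_map: requested right/role name -> name of the approval right
    that governs it (the "mapping approval rights to AzLocalRight and
    AzLocalRole" step described in the release note).
    """
    approval_right = approval_right_map.get(item.target)
    if approval_right is None:
        # No approval right mapped to this target: nobody is auto-resolved,
        # so the request should fall back to the normal approval flow.
        return set()
    return {
        a.assignee
        for a in assignments
        if a.target == approval_right
        and a.direct                       # only direct assignees qualify
        and a.assignee != item.requester   # assumed SoD check: no self-approval
    }


# Constructed sample data -------------------------------------------------
APPROVAL_RIGHT_MAP = {
    "AP.ApprovePurchaseOrder": "AP.ApproveAccessToApprovePurchaseOrder",
    "AP.Clerk": "AP.ApproveAccessToClerkRole",
}

ASSIGNMENTS = [
    Assignment("p.finance.lead", "AP.ApproveAccessToApprovePurchaseOrder", direct=True),
    Assignment("p.finance.mgr", "AP.ApproveAccessToApprovePurchaseOrder", direct=True),
    # Holds the approval right only through a group, so must not be resolved:
    Assignment("p.audit.member", "AP.ApproveAccessToApprovePurchaseOrder", direct=False),
    Assignment("p.ap.supervisor", "AP.ApproveAccessToClerkRole", direct=True),
]


def demo_right_request() -> Set[str]:
    item = BusinessRequestItem("p.new.hire", "AzLocalRight", "AP.ApprovePurchaseOrder")
    return resolve_approvers(item, APPROVAL_RIGHT_MAP, ASSIGNMENTS)


def demo_self_request() -> Set[str]:
    # The finance manager requests the right they themselves could approve.
    item = BusinessRequestItem("p.finance.mgr", "AzLocalRight", "AP.ApprovePurchaseOrder")
    return resolve_approvers(item, APPROVAL_RIGHT_MAP, ASSIGNMENTS)


def demo_role_request() -> Set[str]:
    item = BusinessRequestItem("p.new.hire", "AzLocalRole", "AP.Clerk")
    return resolve_approvers(item, APPROVAL_RIGHT_MAP, ASSIGNMENTS)


def demo_unmapped_request() -> Set[str]:
    item = BusinessRequestItem("p.new.hire", "AzLocalRight", "GL.PostJournal")
    return resolve_approvers(item, APPROVAL_RIGHT_MAP, ASSIGNMENTS)


if __name__ == "__main__":
    print(sorted(demo_right_request()))   # ['p.finance.lead', 'p.finance.mgr']
    print(sorted(demo_self_request()))    # ['p.finance.lead']
    print(sorted(demo_role_request()))    # ['p.ap.supervisor']
    print(sorted(demo_unmapped_request()))  # []
```

The inherited holder (`p.audit.member`) is excluded because the release note restricts auto-resolution to direct assignees; an empty result for an unmapped target is deliberate, since silently choosing no approver and auto-approving would be the unsafe default.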

Easier Management of App Right With Field Type for PBAC Applications

In this release, we have made some improvements to simplify application rights management for PBAC Applications. We have added a new functionality allowing you to easily add and assign app rights. By clicking the "Assign App Right" button, you will trigger a workflow where you can select the app right you want to grant and to whom, along with the relevant field type values. Additionally, you can use the "Edit" button to update the app rights and the selected field type values. This addition has made it easier for users to access and modify application rights directly.

Easier Management of Role Definition Assignments With Field Type for PBAC Applications

We have introduced a new update simplifying assigning role definitions within PBAC Applications. A key feature of this update is the "Assign Role Definition" functionality, which makes the assignment process more efficient. Users can easily assign role definitions and Field Types to specific individuals or groups using the Assign role definition button. This triggers a wizard workflow that facilitates the assignment process. Additionally, users can effortlessly adjust role definitions and associated parameters thanks to the "Edit" button.

More Visibility and Easier Management of the Field Types from App Rights

By simplifying the interface, we have made managing and viewing Field Types easier within app rights. Field Types can now be accessed through a dedicated tab, which increases their visibility and makes them more user-friendly. Users can edit or delete existing field types effortlessly using this tab. Adding a new field type is also made easy through the self-service workflow called "ConfigureApplicationAuthorizationFieldType." To add a new field type, simply click the Add Field Type button, and the workflow will guide you through seamlessly integrating it into your app rights.

Visibility of Inventoried Permissions for Shared Folders

All inventoried permissions for shared folders are conveniently displayed within the resource admin UI. Previously, this feature was only accessible through the legacy application. With this update, users can easily access and manage inventoried permissions.

AzLocalRole Time Constraint Enhancements

The Assign AzLocalRole operation now honours the time limits set by the Access Request Policy. If neither a start nor an end date is specified (null), the system sets the start date to the current date and the end date to the current date plus the maximum access duration allowed by the policy (CurrentDatetime + TimeAccessMaximumDuration).

If start and end dates are specified, the system validates the end date against the maximum allowed duration (AssignAzLocalRightScope.End > CurrentDatetime + TimeAccessMaximumDuration). If the requested end date exceeds that limit, the end date is replaced with CurrentDatetime + TimeAccessMaximumDuration, so a requester cannot obtain a longer assignment than the policy permits.
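The window-resolution rule above as an added, runnable example (illustrative code, not EmpowerID's own). Both cases from the release note are covered: no dates supplied, and supplied dates whose end exceeds the policy maximum. The handling of a request with only one of the two dates, the unit used for TimeAccessMaximumDuration, and the rejection of a window that ends before it starts are assumptions made here, not behaviour stated on the page.

```python
"""Added example: applying an Access Request Policy's TimeAccessMaximumDuration
to an AzLocalRole assignment window. Not EmpowerID code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequestPolicy:
    # TimeAccessMaximumDuration from the release note. Modelled as a timedelta;
    # the unit EmpowerID stores it in is an assumption of this example.
    time_access_maximum_duration: timedelta


def resolve_assignment_window(
    policy: AccessRequestPolicy,
    start: Optional[datetime],
    end: Optional[datetime],
    now: Optional[datetime] = None,
) -> Tuple[datetime, datetime]:
    """Return the (start, end) that is actually assigned.

    - Both dates null: start = now, end = now + TimeAccessMaximumDuration.
    - Dates supplied: end is capped at now + TimeAccessMaximumDuration.
    - Only one date supplied (not described on the page; assumed here):
      the missing side takes the default above.
    """
    now = now if now is not None else datetime.now(timezone.utc)
    limit = now + policy.time_access_maximum_duration

    if start is None and end is None:
        return now, limit

    start = start if start is not None else now
    if end is None or end > limit:
        # Requested window exceeds the policy maximum: cap it rather than
        # trusting the requester-supplied value.
        end = limit
    if end <= start:
        # A window that ends before it starts is a malformed request, not a
        # zero-length grant; reject it instead of silently "fixing" it.
        raise ValueError("assignment end must be after its start")
    return start, end


def window_hours(
    policy_hours: float, start_h: Optional[float], end_h: Optional[float]
) -> Tuple[float, float]:
    """Convenience wrapper for the examples: resolve a window for a policy
    allowing `policy_hours`, with requested start/end given as offsets in
    hours from a fixed, constructed clock. Returns (start, end) offsets."""
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    policy = AccessRequestPolicy(timedelta(hours=policy_hours))
    start = None if start_h is None else now + timedelta(hours=start_h)
    end = None if end_h is None else now + timedelta(hours=end_h)
    r_start, r_end = resolve_assignment_window(policy, start, end, now=now)
    return (
        (r_start - now).total_seconds() / 3600,
        (r_end - now).total_seconds() / 3600,
    )


if __name__ == "__main__":
    print(window_hours(8, None, None))  # (0.0, 8.0): defaults applied
    print(window_hours(8, 0, 24))       # (0.0, 8.0): 24h request capped at 8h
    print(window_hours(8, 1, 3))        # (1.0, 3.0): within policy, unchanged
    print(window_hours(8, 2, None))     # (2.0, 8.0): missing end defaults to cap
```

Capping rather than rejecting over-long requests matches the note's wording ("it is set"); if you would rather the requester be told their window was shortened, surface the cap in the business request rather than applying it silently.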

My Tasks

My Tasks has been updated with several features to improve the user experience handling business requests. These enhancements streamline the review and response process, making it more efficient and user-friendly.

Process Steps with Descriptive Information

Users can now easily understand each step's purpose by viewing its descriptive information. The description is sourced from the 'LocalizedBusinessRequestItemTypeActionFriendlyName' field in the database.

Enhanced Visibility into Task Start Times from Business Request

With the latest update, users can now access information about the expected start time for task completion. If a process step has a Start After X Hours setting specified and is scheduled to run only after a specific time, the fulfillment date for that step will be provided in the details of the business request. This enhancement ensures that users know when tasks will begin, addressing previous instances where users were left uninformed about the progress of process steps.

No Code Flows

Send Email Flow Item

The Send Email Flow Item, available within No Code Flows, sends email from a flow without manual intervention, so that notifications can be driven by conditions evaluated inside the flow. For instance, if an employee leaves a particular organizational zone, the regional administrator should be notified, whereas in other cases the global administrator should be. Configuring the flow item to match such conditions lets users tailor email notifications to their own requirements. Detailed information is provided in the Send Email Flow Item documentation.

Security Enhancements

This release includes several changes that improve the security of the system and its data. The SAP integration library has been upgraded to SAP .NET Connector (NCo) 3.1, improving performance and compatibility, and certificate-based SNC (Secure Network Communications) authentication has been introduced, currently using test certificates. In addition, outgoing emails can now be signed with S/MIME.

SAP Library Upgrade and Certificate-Based Authentication

The SAP integration library has been upgraded from ERPConnect to SAP .NET Connector (NCo) 3.1 for improved performance and compatibility. Certificate-based SNC authentication has been added, currently using test certificates, so that the connection to SAP can be authenticated and protected at the network layer instead of relying on a user name and password alone.

S/MIME Signing for Outgoing Emails

In this release we introduce S/MIME signing for emails sent from EmpowerID. This complements the existing email encryption functionality: emails are digitally signed with an S/MIME certificate, which lets recipients verify that a message originated from EmpowerID and was not altered in transit. Note that signing provides authenticity and integrity, not confidentiality; encryption is still needed if message content must be hidden from intermediaries.

System Optimization and Performance Enhancements

RBAC Performance Enhancements

We have introduced a series of optimizations and enhancements to improve the RBAC system's stability, performance, and flexibility in EmpowerID.

  • Indexed Views Replaced by Compiled Tables: A significant architectural change replaces indexed views with compiled tables, improving stability and performance.

  • Resolved Crashes: We addressed an issue where creating a new ResourceTypeRole or Location delegation would cause system crashes. Users can now create these delegations without encountering any crashes.

  • ResourceRole Redundancy Removed: We eliminated the need for ResourceRole by optimizing policy compilation. We now utilize the Resource combined with ResourceTypeRole. This optimization ensures flexibility in creating access levels without compromising performance.

  • RBAC Enhancements: RBAC processes and tables now rely on GUIDs for all compiled processes while retaining INTs for reference in compiled tables. Synchronization methods have been added to maintain consistency in IDs for migrations or regular updates.

  • Simplified Inheritance Handling: The block-inheritance table is no longer required.

  • Improved Performance with Assignee Comparison: Enhanced performance by implementing AssigneeHash for assignee comparison, resulting in significant performance improvements.

  • RBAC Refactor: Conducted a comprehensive refactor of all session tables and methods in the RBAC system. Compilation processes are now prefixed with Rbac_Compile_ and provide constant progress updates.

  • Dynamic Compilation: We introduced new columns, IsCompiledOperation and IsCompiledResourceTypeRole, eliminating the need to create a set of indexed views and methods for compiling operations or ResourceTypeRoles. This feature allows for on-demand compilation, ensuring efficiency and flexibility.

Bulk Update of Business Request Items

BusinessRequest and BusinessRequestItem now support bulk updates, so multiple records are updated in a single operation instead of one database transaction per record. This reduces the associated overhead and shortens execution times.


General Product Improvements

Email Template Enhancements

We've enhanced our email templates in this release to provide more flexibility and customization options.

  • Recipient Name in Task Delegation Email Template: The email notification template "MyTasks_BusinessRequestItem_AddApprovers_FormerApprover" now addresses the intended recipient by name when a task is delegated or additional approvers are added, making it clear to whom the notification is directed.

  • Business Request Link in Email Template: In this release, we have refined the email template for business request links to enhance the user experience. We have improved the functionality so that the link within the email template directs users to the specific business request item. This enhancement aims to simplify navigation in business request approval processes. The templates "EmailTemplateNameForAnyoneWithUnfinishedTasks" and "EmailTemplateNameForAllAuditParticipants" support this enhancement.

  • Account Store Name for Audit Notifications: In this release, we have improved the email notifications sent to Line Managers (Approvers) for audit processes. Previously, the target application variable did not support passing the account store name associated with the group being recertified. We have now added support for the account store name within these email templates. As a result, Line Managers will now receive notifications with visibility into the account store name, providing important context for the recertification process.

Added Account Store or Resource System in the GrantActorAccess Page

We have enhanced our search functionality by adding the Resource System as an available search field in the grant actor access page. When performing a search, you will see an additional field labeled Resource System. Simply select the desired system from the dropdown menu to filter the results by that specific system. This feature is especially useful for managing multiple SAP instances where group names might be repetitive across systems.

Improved Person Overview for Admins

This update improves the person overview screen. Administrators and managers can now access additional attributes like the person's last login date and their last password change. These attributes will help manage users and enhance security. The system settings allow clients to configure the information displayed based on their organizational requirements, leading to better decision-making, improved user experience, and compliance with security standards.

Fixed Issues

Resolved Issue in MFA for PSM Workflow

A bug in the Privileged Session Management (PSM) workflow was causing the system to ask users for Multi-Factor Authentication (MFA) every time they ran the workflow, even if the session had already been authenticated and had sufficient points. Furthermore, the workflow did not automatically recognize or select the registered authentication method, requiring users to manually choose the verification option and input their contact number again.

This issue has been fixed. Users will no longer be prompted for MFA every time they use the PSM workflow if their session already has enough points. The workflow will now automatically recognize and select the registered authentication method, making the authentication process more efficient and enhancing the user experience.

Fixed Issue with Failed to Set Password Message in Master Login

Previously, users encountered a bug where a "Failed to set password" message would appear after entering a valid password while setting the master password in the UI master login. This issue has been resolved.
