Release Notes for EmpowerID Build 7.209.0.0

 

We are pleased to announce the release of EmpowerID Build 7.209.0.0, a comprehensive update with new features, enhancements, and refinements aimed at empowering administrators and enriching the user experience. This release emphasizes the following key areas:

Azure AD B2C SCIM Connector

We have expanded our connector library with the Azure AD B2C SCIM Connector, which integrates EmpowerID with Azure Active Directory B2C (Azure AD B2C). The connector streamlines user management by automating user provisioning and deprovisioning in Azure AD B2C, reducing manual intervention and the errors that come with it.

The SCIM connector supports real-time synchronization of user data between EmpowerID and Azure AD B2C, ensuring consistent and up-to-date information across both platforms. This enhancement contributes to a more secure environment and a better customer user experience.

The SCIM connector offers flexible configuration options for IT administrators, allowing customization tailored to an organization's specific requirements. By leveraging this SCIM connector integration, admins can more effectively manage customer identities, enhance security, and provide a seamless experience across EmpowerID and Azure AD B2C platforms.

Escalation Policies

In this latest release, we're pleased to introduce Business Request Escalation Policies, a robust feature designed to enhance the management of business requests by automating actions when time limits are exceeded.

Key Highlights:

  • Escalation Policy Definition: Administrators can now create and manage policies specifying actions to be taken when approval steps surpass defined time thresholds.

  • Automated Actions: Actions include sending notifications, reassigning approvers, and auto-approving or rejecting requests based on configured criteria.

  • Sequential Action Execution: Policies support a sequence of actions, ensuring that steps are taken in a specific order to handle overdue requests effectively.

  • Integration: Policies can be applied at specific and general approval step levels, with default policies ensuring consistent application.

This feature ensures timely processing and decision-making, improving the efficiency and reliability of business request workflows.

No Code Flows

In this latest release, we're excited to introduce a new feature called No Code Flows, also called Business Request Flows. This feature is designed to streamline the orchestration of business processes in response to specific events, such as a person leaving the organization (Person Leaver event). The main advantage of No Code Flows is its ability to empower administrators to create and execute workflows efficiently in response to various scenarios without writing a single line of code.

Key Components of No Code Flows

Flow Definitions

Flow Definitions act as containers for sequential tasks or actions called Flow Items. They define the actions that will be executed when specific events occur. For example, a Flow Definition might outline the steps to take when a person leaves the organization (Person Leaver event).

Flow Definitions Library

Flow Items

Flow Items represent individual tasks or actions within a Flow Definition. Each Flow Item has parameters such as Item Type Action (the task to be performed), Item Scope Type (where the task is to be executed), and an Item Collection Query (an SQL query that identifies the resources impacted by the task). These parameters determine how the action is carried out and which resources it affects. Because an Item Collection Query is executed by the flow engine against the EmpowerID database, treat the ability to author or edit Flow Items as a privileged delegation and review queries as you would code.

Flow Items Library

Flow Events

Flow Events serve as triggers that initiate the actions defined by the Flow Items in a Flow Definition. Examples of Flow Events include a new mailbox being discovered (Mailbox Discovered event) or a person leaving the organization (Person Leaver event). When a Flow Event occurs, the corresponding Flow Definition is activated, and the system executes the specified sequence of Flow Items.

Person Leaver Flow Event

Flow Events Library

Flow Policies

Flow Policies dictate which Flow Definitions should be activated in response to specific Flow Events. They connect the events with the appropriate actions, ensuring that the correct sequence of tasks is executed for each scenario. Administrators can configure multiple policies for the same event, allowing for tailored responses to situations (e.g., internal vs. external leavers).

Process Overview

In response to a specific event (a Flow Event), the system triggers a series of actions (contained in a Flow Definition) based on the rules defined (Flow Policies). These actions (Flow Items) consist of precise tasks, each characterized by parameters like Item Type Action (task), Item Scope Type (target), and Item Collection Query (SQL query to fetch relevant data). This process ensures that every action is performed correctly, at the right time, for every event – all without writing a single line of code.

Joiner, Mover, Leaver Integration with Flow Engine

Joiner, Mover, and Leaver events have been integrated with the Flow engine, giving organizations more options and greater flexibility in how those events are handled. By altering a few configuration settings, organizations can now have those events picked up by the Flow engine and processed as Flow Events. The new settings are listed below.

Advanced Leaver Flow Configuration Settings

EmpowerID includes several configuration settings for Planned Leaver events (Advanced Termination) that instruct the system to bypass the default termination process for planned leavers and send those Person accounts to the Business Request Flow engine instead. When enabled, each Person account claimed by the SubmitPersonTerminations permanent workflow is sent to the Flow Event Inbox and processed according to your organization's Person Leaver Flow policies.

These settings include the following:

TerminatePersonTriggerFlowEvent
  • Type: Resource System Setting
  • Purpose: Boolean that specifies whether the system bypasses the termination and reactivation process for planned leavers and uses the Business Request Flow engine to process them.
  • Note: This is a global setting that, when enabled, overrides the PreTerminatePersonWithFlowEvent, TerminatePersonWithFlowEvent, and ReactivatePersonWithFlowEvent settings.

PreTerminatePersonWithFlowEvent
  • Type: Resource System Setting
  • Purpose: Boolean that specifies whether the system should use Flow Events for the Preleaver Notification process.
  • Note: If set to true while TerminatePersonTriggerFlowEvent is false, the Account Inbox Settings page displays an option to select the Flow Event Type for Preleaver Notifications.

TerminatePersonWithFlowEvent
  • Type: Resource System Setting
  • Purpose: Boolean that specifies whether the system should use Flow Events for the Leaver process.
  • Note: If set to true while TerminatePersonTriggerFlowEvent is false, the Account Inbox Settings page displays an option to select the Flow Event Type for leaver events.

ReactivatePersonWithFlowEvent
  • Type: Resource System Setting
  • Purpose: Boolean that specifies whether the system should use Flow Events for the reactivation process.
  • Note: If set to true while TerminatePersonTriggerFlowEvent is false, the Account Inbox Settings page displays an option to select the Reactivation Event Type for reactivation events.

Preleaver Notification Event Type
  • Type: Account Inbox Setting
  • Purpose: Dropdown that allows users to select the Flow Event Type for Preleaver Notifications.
  • Note: This setting only appears when the PreTerminatePersonWithFlowEvent resource system setting is true and TerminatePersonTriggerFlowEvent is false.

Leaver Event Type
  • Type: Account Inbox Setting
  • Purpose: Dropdown that allows users to select the Flow Event Type for leaver events.
  • Note: This setting only appears when the TerminatePersonWithFlowEvent resource system setting is true and TerminatePersonTriggerFlowEvent is false.


New Wizard Workflows

This release features new or updated wizard workflows, which streamline various aspects of Azure application management and improve onboarding procedures for individuals, groups, accounts, mailboxes, credentials, computers, and Management Roles.

Credential Workflows

Management Role Workflows

  • Onboard Management Role Workflow: Navigate the creation of Management Roles with a step-by-step wizard, choosing from predefined role types and setting hierarchical relationships like the parent Management Role Definition, nesting, and IAM Shop publication.

  • Manage Management Role Workflow: This wizard simplifies Management Role administration with features like role deletion, modification of IAM Shop settings, and responsible party assignment. It supports both single and bulk operations.

    Manage Management Role workflow displaying actions of the workflow.

Group Workflows

  • Onboard Group Workflow: We've improved the group onboarding experience with a comprehensive and intuitive wizard workflow that guides users through the manual process of onboarding new groups. Users can now complete multiple group-related tasks within the same workflow, including configuring responsible parties, owners and deputies, IAM Shop settings, and group members, from a single easy-to-follow wizard interface. For more information, see Onboard Groups.

  • Manage Group Workflow: Perform various group management tasks, including viewing group details, editing group attributes, deleting groups, assigning responsible persons, and managing group membership.

Azure Application Workflows

  • Create Azure Application: This workflow simplifies creating a new Azure application, guiding users through each step to ensure accurate configuration. For more information, see Create Azure Applications

  • Create Azure Application Certificates: This workflow allows users to upload and assign self-signed certificates to Azure applications managed by EmpowerID. For more information, see Create Client Certificates

  • Create Azure Application Client Secret: This workflow helps users create and upload client secrets for Azure applications managed by EmpowerID. Where an application can authenticate with a certificate instead, prefer the certificate workflow: a client secret is a bearer credential that has to be stored and rotated everywhere the application runs. For more information, see Create Client Secrets.

  • Create Azure Application Scopes: Wizard workflow for creating scopes for Azure applications managed by EmpowerID. For more information, see Add Application Scopes

  • Create Azure Application Roles: Wizard workflow for creating app roles for Azure applications managed by EmpowerID. For more information, see Add App Roles

  • Update Azure App API Permissions: New wizard workflow for efficient API permissions management for Azure applications integrated with EmpowerID. For more information, see Update API Permissions

Person and Account Workflows

  • Onboard Person: Wizard workflow for onboarding people with different options (Simple, Advanced, and From Another Mode), allowing users to tailor the process according to their needs. For more information, see Onboard People

  • Manage Account: The Manage Account Wizard is a new workflow designed to simplify account management by offering a guided, step-by-step process for key actions such as enabling or disabling accounts, deleting accounts, and editing account attributes. Further, it facilitates the assignment of responsible parties and enables the addition of accounts to various groups.

Self-Service Workflows

  • Login Assistance Wizard: The Login Assistance Wizard allows users to address login-related issues independently. Accessible directly from the login screen, this wizard covers operations such as password reset/unlock and Azure Temporary Access Pass (TAP) issuance. It also provides Azure/EmpowerID Multi-Factor Authentication (MFA) reset, unblock, and unenrollment, and deletion of MFA assets/preferences. Because MFA reset, unblock, and TAP issuance weaken or replace a user's second factor, review what verification is required before these operations are exposed on the login screen.

  • Manage Your Identity Wizard Workflow: Users can easily manage aspects of their identity from a single, easy-to-follow wizard, including deleting MFA devices, enrolling for a Q&A password reset, changing passwords, editing profiles, and registering MFA authenticators. For more information, see User Experience - Manage Your Identity

Computer Workflows

  • Onboard Computer Wizard Workflow: The Onboard Computer Wizard is a new workflow that makes onboarding computers a more effortless and adaptable process. The wizard simplifies adding computers, seamlessly integrating them into the IAM Shop, and customizing eligibility settings. Plus, it brings more flexibility in managing Privileged Session Management (PSM) settings, including linking PSM credentials. For more information, see Onboard Computers

Mailbox Workflows

  • Onboard Mailbox: The Onboard Mailbox Wizard is a new workflow that streamlines the onboarding of shared, room, or equipment mailboxes. The workflow lets you publish these mailboxes in the IAM Shop, add them to relevant groups, and configure eligibility criteria for users requesting access. It also configures the approval flow that runs when users request access to the mailbox.

  • Manage Mailbox: The Manage Mailbox Wizard is a new workflow simplifying mailbox management. This user-friendly wizard lets users modify essential mailbox settings while providing efficient control over email forwarding, policy establishment, and quota restrictions.

More Flexibility for Access Requests

We've updated EmpowerID with a new feature called "IAM Shop Permission Levels." This feature provides tailored access to important resources such as shared folders, mailboxes, computers, and Privileged Session Manager sessions. Companies can customize these settings to allow users to request certain access levels for resources, such as "read-only" for shared folders or "local admin" for computers.

When users request access to a resource through the IAM Shop, they'll see options relevant to their needs. For instance, if a user requests access to a computer, they might see "Local Admin" and "Domain Admin" as options. These levels correspond to specific groups in the native system that provide those permissions. If a user selects "Local Admin," EmpowerID grants this access by adding them to the group with local admin rights on that computer. Treat the set of permission levels you expose, and the groups behind them, as part of your privilege model: a level backed by a highly privileged group such as Domain Admins should carry the same approval and eligibility controls you would require for direct membership in that group. For more information, please see Configure IAM Shop Permission Levels.

Enhanced Privileged Session Manager

With this release, Privileged Session Manager (PSM) has been significantly improved to support the following:

Telnet Session Support: EmpowerID's Privileged Session Management (PSM) feature now accommodates Telnet sessions, broadening its compatibility with devices that expose only a Telnet interface, including hosts running Linux, Windows, macOS, and more. Note that Telnet carries credentials and session traffic in cleartext, so prefer SSH where the target supports it and limit Telnet targets to networks where the path between the PSM gateway and the device is trusted.

Real-Time Session Monitoring: We've added a session monitoring functionality to the platform, enabling users to track and monitor the status of PSM applications, encoders, and uploaders in real-time. This feature empowers users to ensure optimal performance, detect potential issues, and take proactive steps for a seamless user experience.

PSM Workflow Improvements: A range of enhancements have been implemented to streamline the PSM workflow, making it more efficient, secure, and resilient. The revised workflow includes the following steps:

  1. Check the "UseExistingAccountIfPresent" property: The system first checks whether the computer has the "UseExistingAccountIfPresent" property. If the property is not found on the computer, it is read from the "AccessRequestPolicy."

  2. User account search: If "UseExistingAccountIfPresent" is true, the system searches for the person's user account in the local computer's account store and in the Active Directory (AD) account store. If accounts are found in both (a rare occurrence), the account in the account store associated with the "JITLocalAdminGroupID" group is selected.

  3. Find personal credential: The system locates the personal credential associated with the selected account's account store, matching on the "AccountGUID" column of the externalCredential table.

  4. Handling of the personal credential: If no personal credential is found, a temporary account is created in the account store associated with the "JITLocalAdminGroupID" group. Such accounts are considered orphan accounts and are deleted after the PSM session ends, subject to the "JITDeletePSMAccount" setting. If the personal credential is found, the "JITLocalAdminGroupID" group is added to the account in the external credential store (ExternalCred); after the PSM session ends, the group is removed from the account, but the account itself is not deleted.

  5. Create a temporary account: If "UseExistingAccountIfPresent" is false, a temporary account is created in the account store associated with the "JITLocalAdminGroupID" group and deleted after the PSM session ends.
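
The following is an added example that models the five steps above as a decision procedure; it is not EmpowerID code. Property and setting names mirror the release notes (UseExistingAccountIfPresent, JITLocalAdminGroupID, AccountGUID, JITDeletePSMAccount), while the data classes, the store naming ("LOCAL:<host>", "AD:<domain>") and the in-memory inventory are assumptions made so the logic runs offline.

```python
"""Decision model for the PSM account-selection steps listed above.

Added example, not EmpowerID code. The data classes, store naming and the
in-memory inventory are assumptions; only the step logic follows the notes.
"""
from dataclasses import dataclass, field
from typing import Optional
import uuid


@dataclass
class Account:
    account_guid: str
    account_store: str            # "LOCAL:web01" or "AD:corp" (assumed naming)
    groups: set = field(default_factory=set)


@dataclass
class Computer:
    name: str
    jit_local_admin_group_id: str     # group that grants local admin on this host
    jit_local_admin_store: str        # account store that group belongs to
    use_existing_account_if_present: Optional[bool] = None   # None: property not set


@dataclass
class AccessRequestPolicy:
    use_existing_account_if_present: bool
    jit_delete_psm_account: bool = True


@dataclass
class Inventory:
    ad_store: str
    accounts: dict       # person_id -> [Account, ...]
    credentials: dict    # AccountGUID -> personal credential record (externalCredential)


def resolve_use_existing(computer: Computer, policy: AccessRequestPolicy) -> bool:
    # Step 1: the computer's own property wins; otherwise fall back to the policy.
    if computer.use_existing_account_if_present is not None:
        return computer.use_existing_account_if_present
    return policy.use_existing_account_if_present


def find_person_account(inv: Inventory, person_id: str, computer: Computer) -> Optional[Account]:
    # Step 2: search the local store and the AD store. If both hold an account,
    # prefer the one in the store that owns JITLocalAdminGroupID.
    stores = {f"LOCAL:{computer.name}", inv.ad_store}
    candidates = [a for a in inv.accounts.get(person_id, []) if a.account_store in stores]
    if not candidates:
        return None
    if len(candidates) > 1:
        for acct in candidates:
            if acct.account_store == computer.jit_local_admin_store:
                return acct
    return candidates[0]


def create_temp_account(computer: Computer) -> Account:
    # Steps 4 and 5: an orphan JIT account in the store that owns the admin group.
    return Account(account_guid=str(uuid.uuid4()),
                   account_store=computer.jit_local_admin_store,
                   groups={computer.jit_local_admin_group_id})


def start_psm_session(inv, person_id, computer, policy):
    """Return (account, created_temporary) for a new PSM session."""
    if not resolve_use_existing(computer, policy):
        return create_temp_account(computer), True                  # step 5
    account = find_person_account(inv, person_id, computer)
    # Step 3: the personal credential is looked up by AccountGUID.
    if account is None or account.account_guid not in inv.credentials:
        return create_temp_account(computer), True                  # step 4, no credential
    account.groups.add(computer.jit_local_admin_group_id)           # step 4, credential found
    return account, False


def end_psm_session(account, computer, created_temporary, policy) -> str:
    """Post-session cleanup. A personal account only loses the JIT group; a
    temporary account is deleted when JITDeletePSMAccount is set."""
    account.groups.discard(computer.jit_local_admin_group_id)
    if created_temporary and policy.jit_delete_psm_account:
        return "deleted"
    return "retained"
```

The point worth checking in any implementation of this flow is the cleanup branch: the personal account must lose the JIT admin group when the session ends, and only the orphan accounts created for the session may be deleted.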

SAP Connector Enhancements

In the latest releases of EmpowerID, we have introduced several significant enhancements to our SAP connector to improve security, performance, and flexibility. These updates include support for SNC authentication, incremental role and profile changes, alternative BAPI options, and the adoption of SAP's NCo (SAP .NET Connector). Below are the detailed descriptions of these new features and settings:

SNC Authentication

SNC Authentication is now supported, enabling certificate-based and Kerberos-based authentication. The following system-specific settings have been added:

  • Connection_SNC_DisableUsrPwdAuth: Required. Set to "true" to activate SNC-based authentication instead of username/password.

  • Connection_SNC_QualityOfProtection: Optional. Defaults to 0 but can be overridden to the required quality of protection. Higher SNC protection levels add integrity and confidentiality protection to the RFC traffic rather than authentication alone, so match the level your SAP system enforces.

  • Connection_SNC_MyName: Required. Corresponds to the DN specified in SAP for the connection-user.

  • Connection_SNC_PartnerName: Required. Corresponds to the DN of the SAP system.

  • Connection_SNC_CryptoLibPath: Required. Physical path to the CryptoLib, which must be installed on the Cloud Gateway, EmpowerID Server, or included in the containers (consult with EmpowerID DevOps for the last case).

Incremental Modification of Role and Profile Changes

The default logic for role and profile manipulation has changed from using BAPI_USER_ACTGROUPS_ASSIGN or BAPI_USER_PROFILES_ASSIGN to using IDENTITY_MODIFY. This change ensures only incremental operations are performed, reducing unnecessary audit records. The previous behavior can be restored by enabling the following setting:

  • disableIdentityManagementBAPI: Optional. Defaulted to false, but can be set to true to revert to previous behavior.

Ability to Specify an Alternative RFC_READ_TABLE BAPI Name

EmpowerID can now use a more performant version of the RFC_READ_TABLE BAPI, known as RFC_READ_TABLE2. This can be activated by configuring the following settings:

  • rfcReadTable2_Enabled: Optional. Defaulted to false, but can be set to true to enable the use of the more performant BAPI.

  • rfcReadTable2_Override: Optional. Specifies an alternate location for RFC_READ_TABLE2 if it differs from the default BODS module location ("/BODS/RFC_READ_TABLE2").

Transition to Use NCo (.NET Connector)

EmpowerID has transitioned to SAP's official NCo (SAP .NET Connector) library, replacing the previously used third-party library. This transition requires the connection account to be authorized to invoke the RFC_METADATA_GET function. The old third-party library can still be used by setting the following option:

  • nco31_Enabled: Optional. Defaults to true but can be set to false to revert to the older third-party library.

ServiceNow Integration with EmpowerID Microservices

Organizations that have successfully connected EmpowerID to ServiceNow can leverage the powerful capabilities of EmpowerID's IAM Shop, Resource Admin, and Identity Manager microservices directly from the ServiceNow user interface. This is achieved by adding a widget to ServiceNow for each microservice you want to integrate. For details on how to set this up, please see Integrate EmpowerID Microservices with ServiceNow.



Projection for AzLocalRights and AzLocalRoles

EmpowerID provides centralized administration, assignment, and permissions enforcement across Azure app roles and external systems while offering improved auditing and tracking of app role assignments and changes.

EmpowerID offers the following new features and enhancements for Azure app roles:

  • Previously, EmpowerID only supported the ability to assign Azure users and Azure groups to the Azure app roles, but now you have the ability to assign non-Azure objects using the projection engine. The assignment capabilities have been extended to include person, management roles, and business role locations alongside users and groups.

  • Bulk assignments of Azure app roles to multiple users or groups are now supported.

  • A new feature of Fulfillment groups is introduced, which can be automatically created by workflows or manually created by users. By linking a fulfillment group to an Azure app role, EmpowerID can project individuals into the corresponding Azure group in the tenant, enabling the enforcement of permissions in the external system. The RBAC engine in EmpowerID analyzes assignments, determines which rights or roles are mapped to fulfillment groups, and adds or removes individuals based on their membership status and assigned rights.

  • We have introduced the AssignAZRightScope workflow, which offers a user-friendly interface to access the above-mentioned features.

Updated Microservices

Resource Admin

The Resource Admin microservice receives significant updates in this release, giving administrators more control and flexibility when managing resources, including an expanded ability to monitor and allocate resources within the system.

To provide a more detailed picture of the enhancements, here's what you can expect:

  1. Management Role Management: Users can now view and manage all aspects of Management Roles in Resource Admin.


  2. Mailbox Management: To simplify mailbox management, users can now easily access and manage mailboxes within the Resource Admin interface. Resource admins can efficiently assign individuals to designated mailboxes, modify mailbox permissions, and execute other mailbox management tasks.


  3. Shared Folder Management: We've expanded our Resource Admin functionality to fully manage shared folders for inventoried Windows servers. This includes creating, deleting, and editing shared folders.


  4. Claims Mapping Policies: Users can now access a comprehensive list of the Claims Mapping policies for applications and update those policies and policy assignments as needed.


  5. People Management: The update allows users to effectively manage people within Resource Admin, improving administrative efficiency.


  6. App Rights: Improved visibility of App Rights is now available in Resource Admin. Users can view the details of app rights from the context of a specific application and the app rights membership details for people they are allowed to see, promoting transparency and accountability.

  7. Role Definitions: The update provides visibility into role definitions for applications within Resource Admin. Users can view the details of role definitions from the context of a specific application, along with the assignments of those role definitions within that application, facilitating better role-based access control.

IAM Shop

With this release, the IAM Shop has several enhancements that focus on improving the user experience and expanding functionality, offering users more control over their access rights and resource management.

Enhancements include the following:

  1. Requesting Access Rights: End-users can directly request app rights, role definitions, and app management roles for a protected application through the IAM Shop. This enhancement simplifies obtaining necessary access permissions, thereby increasing efficiency and reducing the time spent on administrative tasks.

  2. Improved Access Management: The latest update offers improved visibility and management of access rights. Under 'Manage Access' for applications, end-users can now see the app rights, app management roles, and role definitions to which they currently have access. The ability to manage these assignments directly from this view streamlines the process, making it easier for users to maintain control over their access rights.

  3. Eligible Resources Visibility: To provide a more personalized and relevant experience, we've updated the system to allow end-users to see only their eligible resources. This means users will no longer see resources they cannot access or utilize, reducing clutter and enhancing usability by focusing on the most relevant information.

Workflow Studio Enhancements

Enhancements to Workflow Studio include the following:

  • We removed dependency on Microsoft Edge for Workflow Studio login. Workflow Studio now uses modern authentication with front-channel flow for better accessibility.

  • Introduced a fulfillment workflow template for Business Requests, simplifying request management.

  • BotFlow has a new feature to pin resources to facilitate easier interaction. Pinning a resource means keeping it easily accessible, allowing for executing multiple actions or workflows without selecting or inputting the same resource multiple times. Pinning resources in bot flows can be either temporary or permanent.

  • Added a Workflow Activity for ChatGPT, facilitating integration and communication with ChatGPT from within EmpowerID. Inputs passed to this activity leave the EmpowerID environment for an external service, so review what data a workflow sends before using the activity with identity or credential information.

  • Incorporated a new Workflow and Bot flow for interacting with ChatGPT in EmpowerID and in the Bot, respectively.

  • Updated the user interface of Workflow Studio to give it a more modern and contemporary look.

    • Revamped and modernized baseline configuration and integration for AvaloniaUI, delivering an improved and contemporary user interface experience.

    • A new LowCode/NoCode panel utilizing the AvaloniaUI framework has been implemented, resulting in improved functionality and a more user-friendly experience.

  • Added support for developing workflows and integration for SAP BAPI

    • Introduced a new Workflow Activity that allows calling any BAPI function and executing the result, broadening the scope of workflows and integrations.

    • With the LowCode UI, values can be set from the BAPI structure at design time or run time, increasing customization and adaptability.

  • The Repeater sections in Workflow Studio forms now include Add, Edit, and Delete options in addition to the existing card UI for displaying records. This gives developers greater flexibility in design and end users a better UI experience.

Additional Improvements

Group Membership Engine

We are pleased to announce an update that enhances the processing and auditing of group membership changes across Active Directory, Azure AD, and SAP account stores. The Membership Queue within the Audit log now captures and displays comprehensive information about each membership change event, including:

  • Status Tracking: Monitor the status of detected membership changes.

  • Change Type: View the type of change made – addition, deletion, etc.

  • Affected Accounts: Identify the user account and group impacted by the change.

  • Authorization Source: Determine whether the change was authorized through RBAC (Role-Based Access Control) or a local right assignment.

Paths for Group Membership Enforcement

1. RBAC Membership Delegation

  • Description: This is the conventional path for enforcement. Users with an RBAC delegation to a resource role are automatically added as members to the corresponding group.

2. Via AzAssigneeLocalRightScope

  • Description: If a Resource System group is mapped to an AzLocalRight in the AssignedByGroupID, then accounts associated with an Assignee in the AzAssigneeLocalRightScope will be automatically added as members to that group (AssignedByGroupID).

3. Via AzAssigneeLocalRoleScope

  • Description: For groups in the Resource System mapped to an AzLocalRole in the AssignedByGroupID, accounts can become group members in two scenarios:

    • Accounts with an Assignee status in the AzAssigneeLocalRoleScope will be added to the group (AssignedByGroupID).

    • Accounts with an Assignee status in the AzAssigneeLocalRightScope for an AzLocalRight that has a blank AssignedByGroupID but belongs to the AzLocalRole will also be added as members to the group mapped in the AzLocalRole.
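
The following is an added example that resolves the three enforcement paths above into a target membership set and diffs it against current group membership, producing the change type, affected account and group, and authorization source that the Membership Queue records. It is not EmpowerID's engine: column names follow the release notes (AssignedByGroupID, AzAssigneeLocalRightScope, AzAssigneeLocalRoleScope), while the in-memory tables and the assumption that a member with no backing assignment is removed are simplifications for illustration.

```python
"""Resolver for the three group-membership enforcement paths listed above.

Added example, not EmpowerID's engine. The in-memory tables and the rule that
members without a backing assignment are removed are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class AzLocalRight:
    right_id: str
    assigned_by_group_id: Optional[str] = None   # blank: falls back to the owning role's group
    role_id: Optional[str] = None                # AzLocalRole this right belongs to


@dataclass
class AzLocalRole:
    role_id: str
    assigned_by_group_id: Optional[str] = None


@dataclass
class ResourceSystem:
    rights: dict                  # right_id -> AzLocalRight
    roles: dict                   # role_id -> AzLocalRole
    person_accounts: dict         # person_id -> [account_id, ...] in this resource system
    rbac_member_delegations: list # (person_id, group_id): RBAC delegation to the group's Member role
    right_scopes: list            # (person_id, right_id) rows of AzAssigneeLocalRightScope
    role_scopes: list             # (person_id, role_id) rows of AzAssigneeLocalRoleScope


def target_memberships(rs: ResourceSystem) -> dict:
    """Return {group_id: {account_id: authorization_source}} for every account that
    should be a member of a managed group, tagged with the path that grants it."""
    target = defaultdict(dict)

    def grant(person_id, group_id, source):
        for account_id in rs.person_accounts.get(person_id, []):
            target[group_id].setdefault(account_id, source)   # first path to grant wins

    # Path 1: RBAC membership delegation.
    for person_id, group_id in rs.rbac_member_delegations:
        grant(person_id, group_id, "RBAC")

    # Path 2, and the second case of path 3: AzAssigneeLocalRightScope.
    for person_id, right_id in rs.right_scopes:
        right = rs.rights[right_id]
        if right.assigned_by_group_id:
            grant(person_id, right.assigned_by_group_id, f"AzLocalRight:{right_id}")
        elif right.role_id and rs.roles[right.role_id].assigned_by_group_id:
            # Blank AssignedByGroupID on the right: use the group mapped on its AzLocalRole.
            grant(person_id, rs.roles[right.role_id].assigned_by_group_id,
                  f"AzLocalRight:{right_id} via AzLocalRole:{right.role_id}")

    # Path 3, first case: AzAssigneeLocalRoleScope.
    for person_id, role_id in rs.role_scopes:
        role = rs.roles[role_id]
        if role.assigned_by_group_id:
            grant(person_id, role.assigned_by_group_id, f"AzLocalRole:{role_id}")

    return dict(target)


def membership_changes(rs: ResourceSystem, current: dict) -> list:
    """Diff current memberships {group_id: {account_id, ...}} against the target and
    return (change_type, account_id, group_id, source) rows, the fields the
    Membership Queue records for each detected change."""
    target = target_memberships(rs)
    changes = []
    for group_id in set(current) | set(target):
        want = target.get(group_id, {})
        have = current.get(group_id, set())
        for account_id in set(want) - have:
            changes.append(("Add", account_id, group_id, want[account_id]))
        for account_id in have - set(want):
            changes.append(("Remove", account_id, group_id, "no backing assignment"))
    return sorted(changes)
```

The case to test deliberately is the blank AssignedByGroupID on a right that belongs to a role: it must resolve to the role's group, and an account should not appear twice in the same group when more than one path grants it.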

Rehire Capability in Advanced Leaver

We've added rehire support to the Advanced Leaver feature. This is particularly useful when an individual rejoins the organization after a previous departure. The rehiring process involves restoring a previously deleted person object and its associated access provisions, contingent on certain fulfilled criteria. The workflows for rehire support automatically restore the person, reapply attribute flow to all accounts, and generate a restoration task for manual approval.

Time-Based Escalation for Recertification

The recertification feature now includes a Time-Based escalation, enhancing flexibility and control in the Business Roles review process. For instance, an automatic escalation request is sent to the Digital Access Governance Manager if a review has been pending for a month. If there is no response within six months from the initial review request, the system will automatically remove the business role and initiate deprovisioning related accesses. Users can now configure settings to manage notification and escalation timing and actions.

New Relative Delegations

Administrators now have the ability to set up relative delegations for Locations within their organization. This extends the capacity to delegate visibility and responsibility to business locations at the Organization level. In response to the need for greater flexibility in configuring delegations, we have broadened administrators' delegation capabilities.

Enhanced SetGroup Delegations

In this release, we are introducing a significant delegation enhancement within our system through SetGroups, also known as Query-Based Collections.

Previously, only designated "Assignees" received permissions granted to SetGroups. For example, if a SetGroup included all salespeople in Australia and you assigned them permission to execute a workflow, only those salespeople could use that permission. However, assigning permissions to a SetGroup containing Management Roles, Business Role Locations, or Groups didn't provide permissions to persons who were members of those roles, locations, or groups. Now, any assignee of the SetGroup, whether directly an "Assignee" person or a member of Management Roles, Business Role Locations, or Groups within a SetGroup, will receive the delegated permissions. For this delegation to occur, the SetGroup must be marked with the "CanBeAssigneeInRBAC" flag set to true.

Business Request Expiration Enhancements

Business requests can now be managed with set expiration dates, ensuring timely approvals to meet regulatory needs. Expired requests are hidden from approvers, enhancing overall request management. EmpowerID presents two expiration strategies: a fixed 90-day policy automatically expires incomplete requests, while a dynamic inactivity expiration adapts based on user actions.

Expiration Date: Upon creation, a request is assigned an expiration date in the "ExpirationDate" field. If not specified, the default is 90 days from creation.

Inactivity Expiration Date: This dynamic date accounts for user activity. It is calculated by adding the request type's "ExpireRequestAfterXDaysOfInactivity" value to the current date. Each interaction with the request recalculates the date, again adding the request type's number of days to the date of that interaction.
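As an added illustration of the two dates (not EmpowerID's own code), the following computes them over a constructed timeline; it assumes a request counts as expired, and is hidden from approvers, once either date has passed, and that the inactivity date is recalculated from the time of each interaction.

```python
from datetime import datetime, timedelta
from typing import List, Optional

DEFAULT_EXPIRATION_DAYS = 90  # applied when no ExpirationDate is given at creation


class RequestType:
    def __init__(self, name: str, expire_after_x_days_of_inactivity: int):
        self.name = name
        # ExpireRequestAfterXDaysOfInactivity configured on the request type
        self.inactivity_days = expire_after_x_days_of_inactivity


class BusinessRequest:
    def __init__(self, request_type: RequestType, created_at: datetime,
                 expiration_date: Optional[datetime] = None):
        self.request_type = request_type
        self.created_at = created_at
        # ExpirationDate: explicit value, otherwise 90 days from creation
        self.expiration_date = expiration_date or created_at + timedelta(days=DEFAULT_EXPIRATION_DAYS)
        # InactivityExpirationDate: current date + the request type's inactivity days
        self.inactivity_expiration_date = created_at + timedelta(days=request_type.inactivity_days)

    def record_interaction(self, now: datetime) -> None:
        """Any interaction pushes the inactivity date out by the request type's days."""
        self.inactivity_expiration_date = now + timedelta(days=self.request_type.inactivity_days)

    def is_expired(self, now: datetime) -> bool:
        # assumption: the request expires when either date has passed
        return now > self.expiration_date or now > self.inactivity_expiration_date


def visible_to_approvers(requests: List[BusinessRequest], now: datetime) -> List[BusinessRequest]:
    """Expired requests are hidden from approvers."""
    return [r for r in requests if not r.is_expired(now)]


# constructed timeline: a hypothetical request type that expires after 14 idle days
ACCESS_REQUEST = RequestType("AccessRequest", 14)

def demo_timeline() -> List[bool]:
    req = BusinessRequest(ACCESS_REQUEST, datetime(2024, 1, 1))
    states = [req.is_expired(datetime(2024, 1, 10))]      # idle, but within 14 days
    req.record_interaction(datetime(2024, 1, 10))         # an interaction resets inactivity
    states.append(req.is_expired(datetime(2024, 1, 20)))  # still active thanks to the reset
    states.append(req.is_expired(datetime(2024, 1, 25)))  # 15 idle days: expired
    return states
```

Note that interactions only move the inactivity date; the fixed ExpirationDate still caps the request's lifetime.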

Detailed information about the expiration feature is provided in the Business Request Expiration article.

Expiring Access Notifications

Our Notifications engine now includes an option to email users about impending access assignment expiry, specifying resource details and the expiration date.

Google reCAPTCHA Upgrade

We've upgraded to Google reCAPTCHA v3, enhancing security and user experience. Users will no longer need to solve CAPTCHA challenges, and the system can detect risk based on user behavior.

Enhancement to Azure Group Account Membership Management

This release improves Azure AD group account membership management. We have transitioned to a queue-based model, which bolsters efficiency and reliability. You can seamlessly add and remove Management Roles, Business Role and Location combinations, and Query-Based Collections from Azure AD groups.

Exchange Mailbox Audit Settings Sync

EmpowerID now periodically retrieves and syncs audit settings from Exchange Online mailboxes, ensuring the consistency of audit settings between EmpowerID and Microsoft Exchange Online.

Upgraded Azure Microservices

Azure microservices have been upgraded from .NET 5 to .NET 6. This upgrade includes the following services and components:

  • Azure AD SCIM Microservice – The Azure AD microservice and the Terraform template used for deploying it have been upgraded from .NET 5 to .NET 6. Previous versions are now in maintenance and support mode.

  • Exchange Online Web Jobs and Functions – The Exchange Online (EXO) web jobs and functions have been upgraded from .NET Core 3.1 to .NET 6. Previous versions of these jobs and functions are now in maintenance and support mode.

  • SharePoint Online Web Jobs and Functions – The SharePoint Online (SPO) web jobs and functions have been upgraded to .NET 6. Previous versions of these jobs and functions are now in maintenance and support mode.

Security Enhancements

MFA OTP Patch

Resolved Issues

We have addressed several issues in this release:

  • A problem with the Function Access report's general search functionality has been rectified, enabling search by Function Friendly Name.

  • Missing functionality in the My Tasks application's My Requests view has been implemented to filter My/All Requests by Request Status changed Dates.

  • Missing functionality in Privileged Session Management (PSM) MFA authentication has been addressed to correctly recognize SMS authentication.

  • Enhancements have been made to the "Owned by" filter in the IAM Shop group context to improve usability. The default value will now be "Myself" if a user doesn't have access to the filter and "anybody" if they do.

  • The date filter “Request Status Changed Dates” in the My Tasks application now validates that the start date is not later than the end date, ensuring accurate filtering results.

  • For PSM, we've resolved an issue affecting PSM video recordings. The recording length differed by a few seconds from the actual session duration. Now, timestamps accurately mirror the correct recording length.

  • For PSM, we've improved the session management capabilities of the UI, which handles instances when the workflow screen times out and displays the EmpowerID login page. We've added handlers for the 'userUnloaded' event, supplementing the existing 'userSignedOut' event handler for effective session timeout management.

  • We've resolved an issue where users reported an intermittent loss of the CTRL key functionality during PSM sessions, preventing them from using associated key combinations. With this fix, users should no longer experience the loss of CTRL key functionality.


Deprecated Features
