Release highlights
We've just released Omada Identity update! What's new?
Access-related updates
Context changes in Access request
We have enhanced how to handle context selection in the Access request flow. Now, you can submit requests for multiple identities with different contexts. When selecting the identities, a new column displays with the context information for each identity.
You can proceed with the flow as usual, selecting the resources you want to request access to and specifying the duration. After completing these steps, you will reach the Review and Submit step, where identities are differentiated by context.
In this step, you can review the access request and use the Remove button to remove an identity and the Add button to add it again immediately.
If you return back to the first step to add a new identity, a new warning message appears, indicating that to add a new identity, the resources need to be removed and reselected.
Support for SAP GRC risk analysis
We have added support for SAP GRC risk analysis, allowing the detection of Segregation of Duties (SoD) violations. See SAP GRC risk analysis for details.
UI/UX and functionality updates
Export survey results in PDF or CSV
We have introduced a new feature that allows you to queue exports of survey data in PDF or CSV formats. This simplifies the exporting process and offers more flexibility in handling large data sets.
- Upon clicking the Download button, a prompt will appear. You can select the desired file format (PDF or CSV) and choose whether to download the file immediately or queue it for later download.
- If you select to queue the download, the data for the file is generated by the timer service.
- You will receive an email notification with a link to download the file once it is ready.
- The generated file will be available for download for 24 hours.
New customer setting for custom PDF logos in survey exports
The PDFReportsLogoFileName customer setting has been replaced by a new customer setting SurveyPDFReportsLogo. The value of the setting should be a Base64 encoded logo image that will be used as logo when exporting Surveys to PDF.
If you want to know more about this feature, refer to Survey engine configuration.
New assignments explorer
We have introduced the assignments explorer feature to enhance the efficiency of exploring identity assignments. You can launch the assignments explorer from the Identity list view or via the Identity grid view dropdown action menu. The assignments explorer opens in a side panel, providing a hierarchical view of resource assignments associated with the selected identity.
Additionally, you can re-calculate the identity assignments and explore logs related to the identity calculations. To do that, click on the three dots button on the right upper corner of the assignment explorer to expand the dropdown menu, then you can select betweetn:
- Recalculate: it triggers the re-calculation process in the background.
- Calculation log: it displays the logs for the identity calculations.
Background data generation for Surveys
We have introduced a new feature that optimized the survey creation process by allowing you to queue survey data generation for background processing via timer service. This enhancement aims to improve efficiency and user experience through asynchronous data generation. The new change includes:
-
New checkbox Generate data in background that is available when launching a survey. Selecting this checkbox and clicking the Generate survey data button willl queue the survey data generation for background proccessing via timer service.
-
After initiating data generation, you will proceed to the survey's verification step. A message will indicate that data generation has been queued. You can close the dialog and return to your taks on the home page. Survey taks will remain accessible for furhter actions.
-
Upon completion of data generation, the initiating user will receive an email notification with a link to finalize the survey lunch process.
Clicking back the Go back button will remove the survey from the queue, preventing it from being processed by the timer service.
If you want to know more about this new feature, refer to Use cases in the Surveys documentation.
Exchange mailbox in the new UI Access request
We have enhanced the proccess for adding attributes in Access request for resources with the mailboxReference attribute in the new UI. Now, when selecting a resources with this attribute, you see a chip with the Add attributes.
When selecting a resource with the mailboxReference attribute, you’ll see Add attributes chip. Click on it to open a new pane.
Click the Add values to select the necessary attributes and save your changes.
New Customer setting - UseNewUIRequestFlow
We have introduced a new customer setting UseNewUIRequestFlow, that allows you to make the new UI for Access request the default. When it is enabled, the + button will redirect you to the new request flow. See Customer settings for details.
Revoking assignments - UI and functional update
You can now revoke an assignment using the Access rights tab in the Identities view. We introduced a new panel that summarizes the changes you make, allowing you to specify the revoke date. Color-coded messages will provide you with quick feedback whether the revoke was successful. See Revoking assignments for details.
Support for Portuguese language version in Omada Identity
Portuguese is now supported in Omada Identity. This is an initial release, we will be updating this language continuously over the course of subsequent releases.
Suggested filters in Access request
We restored the option to display suggested filters when using the search field in the access request process. The performance of suggested filters has been improved, but it may still impact the resource search. This option is disabled by default, you can activate it through the Access Request: Enable filter suggestions for resource types and systems customer setting. For more details, see Suggested filters.
New technical preview feature: Approval process launched by timer service
A new feature in technical preview introduces a customer setting, LaunchApprovalProcessWithTimerService, which allows the approval process to be launched by the timer service instead of during the request access process. This enhancement aims to improve the performance of the access request process, enabling faster completion as users no longer have to wait for the approval process to launch. For more details, see:
- Customer settings, row Launch approval process with timer service
- Approval process launched by timer service – Technical preview
Connectors
We introduced the following connectivity packages:
- Aha!
- Delinea
- LDAP RACF that allows you to manage users and groups within the IBM z/OS using the RACF LDAP interface.
- The Salesforce connector was updated and it now supports Salesforce REST API v61.
- A new version of the SAP SuccessFactors connector that allows you to read accounts/groups and manage group assignments using SuccessFactors SCIM API v2.
REST connectivity - support for multiple values in reference lookups
The REST data provisioning (connector) now supports multiple values in reference lookups. See Support for reference lookup with returned arrays for details.
REST/SCIM connectivity – lookup failure strategy
You can now choose the lookup failure strategy, giving you the option to define the connector behavior in such scenarios. See the Defining behavior in case of the lookup failure section in the REST/SCIM connectivity documentation.
Review mode buttons – UI update
In the Task mappings view, you can now enable and disable the Review Mode for selected items. See Review mode for details.
Support for shadow data objects
Shadow data objects are supported as resource types in provisioning task mappings. See Shadow data objects for details.
Provisioning-only systems
You can now onboard systems to perform provisioning only (using a new checkbox in the general settings). See Provisioning-only systems for details.
REST connectivity - JSON array supported in request template
The request template feature in REST connectivity has been extended, you can now use JSON arrays. See Request templates for details.
Various updates
Error codes overview for REST and Microsoft Active Directory connectivity
We added an error overview section for REST and Micrsoft Active Directory sections.
#INC-283184
Enhancement - Customer setting for Eligibility filtering
The customer setting EnableResourceEligibilityFiltering is now accesible to System administrators.
See Eligibility filtering for details.
Configuration of the Risk analysis in SAP GRC data object
We have implemented a new feature that allows you to modify the configuration data of the Risk Analysis data object in SAP GRC. This enhancement enables you to create mappings between a system and one or two web request configurations, providing greater flexibility and control over your risk analysis processes.
You can read more about how to configure the SAP GRC in the Policy & Risk check documentation.
Deprecation of ReportFormat configuration object
The configuration property ReportFormat has been deprecated, and is removed from the configuration object.
Automated handling of Application accounts
We have introduced an option for logical application accounts to be managed in the backend, which can help reduce administrative effort in application.
Virtual reference properties (VRPs)
We have updated two virtual reference properties ($EffectiveManager and $ActualManager) and added a new one ($EffectiveServiceDesk).
For more details on these and other VRPs, see Virtual reference properties.
$EffectiveManager
We have extended the functionality of the $EffectiveManager VRP by adding two new optional parameters: OWNERPROPERTY and MEMBERSHIPPROPERTYONLY.
By using the new OWNERPROPERTY parameter, you can specify an alternative manager property for the context, apart from the one configured for the context type object. This can help, for example, when an approval task or a mail notification is only destined for one manager (for instance, the HR manager, included in the EXPLICITOWNER field) and not the others (for instance, delegated managers, included in the MANAGER field, which is the default manager property calculated in organizational units).
Using the new MEMBERSHIPPROPERTYONLY parameter can help to avoid having tasks assigned during grace periods, as this VRP does not include or traverse direct context assignments.
$ActualManager
We have extended the $ActualManager VRP with a new functionality: it now supports the same two parameters as the $EffectiveManager VRP, that is, OWNERPROPERTY and MEMBERSHIPPROPERTYONLY.
$EffectiveServiceDesk
We have added a new VRP named $EffectiveServiceDesk that allows to retrieve the effective service desk for your primary context.
This VRP also supports the OWNERPROPERTY and MEMBERSHIPPROPERTYONLY parameters. This can help if, for instance, you want to resolve the service desk without including direct context assignments.
Unlike $EffectiveManager and $ActualManager, this VRP returns the identity or the user itself if it is the closest Service desk agent in the context tree.