
Release highlights

We've just released an Omada Identity Cloud update! What's new?

Cloud Application Gateway

With the July Cloud Update we introduce the CAG (Cloud Application Gateway) solution, which is a new and revolutionary improvement to connectivity and integration architecture. It is a modern and secure solution for connecting Omada Identity Cloud to on-premises and cloud-based deployments.

The CAG reduces the complexity and potential security risks that might be a part of hybrid integration. The CAG solution supports the following core capabilities:

  • Import and provisioning
  • Schema discovery
  • Test connection

Those capabilities are performed over a secure, outbound-only TLS connection. This eliminates the need to configure inbound firewall access, which is often disallowed in enterprise environments.

Improved security is of the highest importance, so the CAG relies on client-side key management. The encryption keys and sensitive secrets are under full customer control at all times. They are never stored in or transmitted through Omada systems.

The CAG solution can be deployed on Windows hosts.

Paired with the automated over-the-air (OTA) updates, CAG simplifies patch management and reduces the administrative overhead typically required to keep integration components secure and up to date.

Key characteristics

| Property | Description |
|---|---|
| Network configuration | Outbound-only TLS; no inbound rules or public IPs required. |
| Encryption & Key Handling | Customer-retained encryption keys; zero-knowledge architecture. |
| Deployment methods | Containerized or Windows-hosted options supported. |
| Update management | OTA updates for security and version control. |

Important

For guidance on how to enable or migrate to the CAG solution, contact Omada Support.

For more information, go to Cloud Application Gateway documentation.

UI and UX

We have introduced the following improvements:

  • You can now configure the approval survey in the new UI to require a comment when an access request is rejected. Use the new customer setting ApprovalRejectionReasonRequired in the Standard Application category to enable this feature. When it is set to true, users must enter a comment for each rejected item; otherwise, they won't be able to submit them.

  • In the access approval process, rows can now be grouped either by identities (the default option) or by resources, which gives the approver a better overview of the assignees and resources.

    To group by identities or resources, select the ellipsis icon (three dots) next to Identity or Resource, and select Group by Identity or Group by Resource. For more information on enabling and disabling the grouping, see Row grouping.

  • Before, the approver was only able to see the new valid to date of the access request, which did not inform them if it was the first access request or an access extension request. Now, if a user submits an extension request, the approver will see both the original and new valid to date.

  • While reviewing requests sent for approval, you can now filter them by request types (access extension or access request). This way, you can work separately on those two types of requests and have a better insight into both of them. To do that, on the Access approvals page, select Filters and choose Request type from the drop-down. Then, select Request access or Extend access. See Access for more information.

  • We have enabled easy navigation from user groups to resources. You can now click Resource while viewing user groups.

  • Various optimizations and improvements were introduced to provide better readability and UX for forms (in the new UI).

  • In the main left-side menu, the counter badge for the Tasks item now shows the total number of tasks pending, including the pending approvals.

Revoking resource assignments for multiple identities

We have added an option to revoke resource assignments for multiple identities at once. In the Identities view, you can now select more than one identity and then, in the top right corner, click the ellipsis (three dots) > Access Rights. A side panel with details lets you perform a quick review before revoking. See Revoking assignments (multiple identities) for details.

Info

To allow users to revoke multiple assignments at once, change the Allow mass revoke of resource assignments (key: AllowMassRevoke) customer setting value to True. See Customer settings - User Interface for details. Otherwise, users will be able to revoke one assignment per action only.

Clickable columns in the Access view - displaying additional information

In the Access view (after navigating to Access from the main menu on the left in Omada Identity), the Access for and Resource columns are now clickable. An additional side panel is displayed, presenting more information about the data object in the read-only mode.

Surveys

Survey complete post-action handler

A new post-action handler (PAH) called SurveyCompletePostActionHandler has been implemented, which allows defining a property-value dictionary that is automatically applied to survey objects when a survey is closed by a system user.

This streamlines survey lifecycle management by enabling automatic tagging or classification, improving data consistency and reducing manual administrative effort.

For more information, see Survey templates - post actions.

Connectors

AWS connectivity package

We introduced a new connectivity package for AWS that supports governing and managing AWS IAM API environments. See AWS for details.

PostgreSQL support (generic database connector)

We have added support for data provisioning for PostgreSQL using the generic database connector. See Generic SQL connector - data provisioning for details.

Extensions.GetValue and Extensions.SidToHex functions

You can now use the Extensions.GetValue and Extensions.SidToHex functions for all connectors (for environments running on July 2025 Cloud Update and Horizons). See Information, procedures, and tips applicable to all collectors for details.

Role and Policy Engine

Improvements to queuing methods

As part of our efforts to enhance RoPE performance, we have improved the speed of RoPE calculations.

Improved performance of resource hierarchy

This release introduces a new customer setting, Maintain resource parent child relation in RoPE DB, which improves the performance of resource hierarchy loading by populating the resource parent-child relation into the ResourceParentChild table.

This change significantly reduces database load and improves scalability for environments with complex resource hierarchies.

For more information, refer to Customer settings – Role and Policy Engine.

Access to Event Log

We have implemented access authorization for the Event Log (applicable to Omada Identity Cloud only). As part of this change, a new authorization element named Event Log has been added. The System Administrator and Operation Administrator roles have been granted access to this element.

Omada Identity Analytics

Access Navigator dashboard

Dashboards in Omada Identity Analytics now support a deeper understanding of customer’s data without having to create a report. New jump-to dashboards are available in the Access Navigator, including:

  • Identity Change Log
  • Accounts on Date
  • Accounts Log for Identity
  • Assignments in Period
  • Assignments Change Log

For more information on this dashboard, see Access Navigator.

Data Quality dashboard

The Data Quality dashboard now supports analytics on additional reports:

  • Accounts pending deprovisioning
  • Accounts recently unused
  • Accounts without owner
  • Resource assignments pending deprovisioning
  • Resources without owner

See Data Quality for the full documentation on this dashboard.

Report Generator dashboard

The Report Generator dashboard has been refreshed with a new layout and structure: the Data fields and Metrics widgets are now combined to make the dashboard easier to use. See Report Generator for full documentation.

Cloud Management Portal

Logging level configuration

We have introduced a setting in the environment configuration that lets you adjust the logging level for the logging target. This makes it possible to connect and filter the information sent to your logging system.

When setting the logging level, you can choose from the following options:

| Level | Use Case | Severity |
|---|---|---|
| Trace | Provides detailed internal diagnostics | lowest |
| Debug | Contains debugging info | low |
| Information | Provides normal app flow information | medium |
| Warning | Provides information about unexpected but non-breaking events | medium |
| Error | Provides information about recoverable failure events | high |
| Critical | Provides information about unrecoverable failure events | high |

Documentation

REST connectivity - practical examples

We added a new subsection that covers practical examples for REST connectivity (comprehensive configuration and usage examples for the anchor property, ResultValuesJsonPath, multivalue property handling, and others). See REST - practical examples for details.