Transcript
There is a new predefined filter available for policy violations, and this filter is now integrated into the filter data of attestation cases. You can find them, of course, there. There are recommendations available as well. You can filter policy violations in the same way as recommendations in consideration than that, and you can filter for the overview of attestation cases. That should help just to limit the amount of failures in a specific pending attestation case list.
Additionally to that, for report attestation, the report can now be downloaded as a PDF file. Therefore, you need only to hit a button, which from my perspective is much easier than to define the report somewhere else and get it out of the system. To ease the configuration, there is as well a new functionality where you can now just copy an attestation procedure. And this attestation procedure copy includes copies of filtered parameters as well so that you do not have to define them newly.
And now it's time to talk about the typical changes that happen to the connector world. That means to connected system modules and system connectors.
We are starting with a connected system module, Entra ID. And in Entra ID, there is an improvement, especially to creation of guest users in Entra ID. So we are now supporting, as you easily can see, phone authentication methods, which was, of course, not in the tool before. Therefore, Entra ID permissions are needed. You see them here, UserAuthenticationMethod.ReadWrite.All, which is necessary. And to do so in the Identity Manager, we just created a new table, which is the AAD user phone authentication module table. And to make it available, of course, there is now a new extra synchronization workflow step phone available where you can just have a look at. The picture on the right-hand side shows at the end how the whole thing looks like and how you can reach it using the task on the right lower. And some minor additions as well.
On the left upper side, on-premise extension attributes of the Entra ID user can be modified now. That was not possible in the past. The synchronization projects are modified, and they are controlled by a can edit script at the column level. Delta synchronization supports the sync from now on. That means it is now possible to run delta synchronization of the complete data set. That will, of course, speed up the synchronization time enormously. But of course, with all the typical considerations these delta synchronizations do have.
On the right upper side, support multi-value custom Microsoft Entra ID schema extensions. What is meant there is that in Entra ID, there could be custom columns available with multi-value entries. And it is now possible to build that as well in the Identity Manager and to synchronize that. And then retries from HTTP requests can now be configured. This is especially to deal with delays or timeouts. With that, it is possible in the Identity Manager world just to configure the number of retries before something stops with an error message.
And the next one is, of course, the connected system module for Microsoft Exchange Online. On that side, first of all, there is support for send-as permissions for mail users, as you easily can see. Before, that was not really supported. Now they are available. Therefore, a new table in the Identity Manager was necessary. You can see the name on the left-hand side. The whole thing looks like you see in the picture. And we can step to the next feature, which is the support for SMTP forwarding addresses for mailboxes. These forwarding addresses were not just handled in the past. Now, therefore, a new column on the mailbox level exists, which is the forwarding SMTP address. And as you easily can see, that looks then like in the picture below. And there is, of course, a patch ID number, which could be helpful for the one or the other.
Another minor addition to the product is that now the loading behavior of single objects in Exchange Online is just improved. And that means objects can be matched by distinguished name only. That was not possible before. And some customers told us that they are not really happy with. And this is now already implemented as well.
And now from the online products to the on-premise products, starting with the connected system module for Microsoft Active Directory. We support, of course, the Active Directory now coming with Windows Server 2025. This includes, of course, the new support for the delegated management service account. And it includes also the native Identity Manager Active Directory connector and the Active Roles connector that exists for the Identity Manager.
And then the connected system module for SAP. On the SAP side, there is a new version as well supported, which is the SAP .NET Connector 3.1 for x64 machines. That requires, of course, a version 3.1.5.0 or higher from SAP. And of course, because it is a .NET connector, now .NET 8. What that mainly and mostly will do, the updated connector will, of course, improve the performance for synchronization of SAP authorizations, which could be from the one or the other enterprise perspective, be a big deal. Then we have a new ABAP functionality module available for the SAP usage data. And that is able to select transaction calls per user and provides them as a list. We have also the deployment of One Identity Manager SAP add-ons, which allows now the reinstallation without just to uninstall a package first. Therefore, the PAD package was updated. So that means the last thing, of course, is for the insert of Identity Manager SAP packages into the SAP itself.
And now the SAP HCM connector, which is also known as the SAP R3 connector, is just updated. From now on, we support the synchronization of cost centers, operating codes, and cost codes. They can now get synchronized.
Therefore, you need another patch ID from the ADO. You see that number down below. Additionally to that, you can now automatically create business roles out of the SAP HCM job descriptions, which was not possible before. This is now automated. Additionally to that, on the right-hand side of the picture, active plan version for HR assignments in SAP HCM systems. Before, it was typically standardly and hard-coded one. Now you can just configure that number if this is necessary. And last but not least, you can now synchronize the personal ID data number, which was not possible to get synchronized before.
From a miscellaneous connectors perspective, we have Safeguard and OneLogin. On the Safeguard side, we are now supporting One Identity Safeguard SPP 8.1. The feature set, by the way, is exactly the same feature set as the feature set for the 8.0 version. And on the OneLogin side, there is now a configurable timeout available for API requests. You can see that on the picture below, where you can configure the during of the connection configuration.
On the generic LDAP connector side, we have on the one-hand side configurable certificate revoke checks in the connection wizard. That means in the case that the permission situation changes, that will have effect. And yes, of course, this is especially of interest for bulk operations. Additionally to that, fractions of seconds were just removed from each query used when loading list objects. This is only then the case if this LDAP server behind that is supporting this type of format. On the right-hand side in the picture, you can then, of course, see where the checkbox in the middle sits. That just says check the certificate or not. If it's unchecked, it is the old behavior. If it is checked, you have the new behavior activated.
For Domino and Microsoft Exchange, there are also some features on the Domino side, the improved login when establishing a connection.
It is now possible just to turn off if the availability of a Domino system is checked or not. If it is not checked, then the value needs to be zero. Additionally to that, we had removed some of the columns. You can see them on the left lower side. I think I talked about them with the deprecated features. Here, of course, columns, filename, password, security type on the NDO server or NDO user were removed. This is not really making any difference to the past. Even if these columns contain data, the data was, of course, at least old like Identity Manager 7, which is super old, and because nobody will miss that.
On the Microsoft Exchange side, on the right-hand side, we are now supporting Microsoft Exchange server subscriptions, and we made the authentication methods during connection setup now selectable so that you do not have to enter them manually. You can now directly select them from a list.
Last but not least, the SCIM connector. The SCIM connector was also improved. SCIM connector typically is mainly and mostly used with One Identity Cloud Connect. Of course, it could be used with any other SCIM-speaking system, and implemented was an automated detection if a SCIM provider supports PATCH instead of PUT. This is something that has to do with web requests. Remember, there are PUT and PATCH requests, and systems might sometimes just use a different version for similar things. In these cases, the automated detection gets then activated if the endpoint is available or configured. What that thing will do, it will automatically look into the schema and figure out if PATCH is somewhere accepted, and if this is the case, then this will be automatically documented in the schema type in the connection so that the PATCH method can be used instead of the PUT. The functionality, of course, is accordingly. Additionally to that, the composition of the URL used for authentication has been changed in a way that these authentication parts of the URL were removed.
The good message here is that even older URLs can be used again, especially because the API understands them. But if you like to change this in a way that the authentication parts of the URL are not any longer seen, then you should now go into your configuration and change that. The last change for the SCIM connector is that there was often a little bit of problem just identifying, yeah, I like to say bad or not really nice used URLs. Now, the connection wizard that is responsible just to connect a SCIM-based system to the machine is much more detailed in, of course, messages or in checking the specifics necessary to connect one of these SCIM-based systems. That means depending on what is wrong, the connector will now, during the configuration, let you know what's to improve.
And now let's talk about the synchronization engine enhancements. That means all the updates and enhancements we made to synchronization editor and tools just related to this one. We start with a new application role. Why the hell a synchronization editor needs an application role? Very easy to answer, especially because of the operation support web portal. Remember, we do have now a small synchronization editor in the web portal like a synchronization editor light and we need some permissions just to display that in the operation support web portal so that not all people who have access to this tool can see that. And with that, synchronization projects get now an owner and these owners can, of course, be managed like all of these Identity Manager application roles: you can just add and remove identities from them. Users having that specific synchronization editor application role can then configure synchronization, edit synchronization templates and authorize other identities as owners. To get not a lot of problems with these synchronization roles and to create them, the system is doing that automatically.
That means at the end, if you insert a synchronization project into your synchronization editor, automatically a same name synchronization project role is getting created underneath of that custom synchronization entry. And yes, of course, if you create such then automatically your ID will be assigned to that new role to ensure that at the end one person exists that can edit this synchronization project.
Revision handling was also optimized. Yes, of course, we have revision handling since a while and revision handling speeds up as we all know our synchronization. However, this complete handling was updated and that means in a specific way that the amount of data that gets read out of the target system and handled from the synchronization editor can be easier limited with the help of filters. The whole thing happens in the background. That means the system tries to determine the smallest amount of data which can be loaded and handled so that synchronization should be speeded up as well. Necessary to be able to do so is, of course, the flag on the right-hand side that needs to be checked before this scope filtering can happen. And yes, of course, this is a filter on the target system side. That means it needs to be just configured per synchronization project for the specific target system connector.
We have a default currency detection in our synchronization engine as well. And in the past, this currency detection was just happening shortly before the processing of a specific synchronization object starts. This means pre-processing. That means a list of objects was loaded before the processing started. The new behavior is now pre-commit. That means pending processes are checked immediately before the saving in the database happens. Pre-commit makes mostly more sense and that is the reason why we are doing that.