Important note (for self-hosted customers):

This upgrade contains a substantial migration. You may notice higher latency across all actions in your Opal instance for up to 10 minutes while deploying this release. We recommend running this upgrade off-hours if possible.

Improvements:

• Added client side validation for custom field character limits
• Fixed bug where attribute mapping was inaccessible without a direct link
• Fixed a bug where multiple concurrent tasks synchronizing removals of users from groups could attempt to propagate those removals back to the end system.
• Fixed Issue viewing requested groups
• Microsoft ActiveDirectory added as a new iDP provider.
• Add catalog modals to UARs so you don't have to leave the page to view more details about a resource
• User first UARs now open the catalog modal so you can see additional information without leaving the UAR
• Modernized Access Changes table under access reviews
• Updated resources table under group modals
• Updated integration settings styling
• Updated Add Principals Sidebar
• Updated month picker styles on Create UAR Schedule page
• Updated copying fields on resource and app details
• Made minor adjustments to the My Access section of the details modal

• Updated the Import Roles sidebar for a more streamlined role import experience.
• Fixed an issue where Slack requesters and approvers needed to sign in to Opal before completing OIDC MFA validation with their identity provider. Users can now complete MFA validation directly from Slack without requiring an active Opal session.

• [On-Premises Deployments] This update includes a database migration involving events that may take extended time to complete. We recommend scheduling this update during off-hours to minimize impact.
• Added masking to the Tailscale API Key input during setup screen for enhanced security.
• Added support for importing array user attributes as user tags from Okta. A user tag will be created for every value in the array, enabling more flexible access rules based on manager and department hierarchies.
• Added a menu to end user detail cards with options to copy the asset link and asset ID.
• Improved Google Groups integration to function with reduced permissions - now only requires admin.directory.group.readonly scope instead of admin.directory.group.
• Improved Google Workspace integration to function with reduced permissions - now only requires admin.directory.rolemanagement.readonly scope instead of admin.directory.rolemanagement.
• Improved display of long description text for better readability.
• Improved access expiration notifications to display the full resource path, providing clearer context.
• Improved error messages for the remote resources API to provide better troubleshooting information.
• Fixed an issue preventing users from creating configuration templates with global visibility in Terraform.
• Fixed users with GROUP:EDIT_ASSIGNMENTS permission being unable to edit Access Rule conditions.
• Fixed an issue with Active Directory connections for users with empty email attributes.
• Fixed a synchronization issue where service accounts deleted in GCP were not being removed from Opal.

• Fixed a bug that prevented requesting access to custom Okta roles.
• Fixed bug where next scheduled access reviews were computed based on EST instead of past in timezone
• Updated copy on Add Group/User/Resource modal to more clearly articulate relationship between the source entity and the target entities.
• Allow the Google Workspace integration to function with the admin.directory.user.readonly scope instead of always requiring admin.directory.user.

• Fixed bug on Owners group escalation policy where opening the edit form would not reflect the current state of the policy when on
• Added custom Opal Roles, allowing Opal admins to create and edit Opal roles with fine-grained permissions. For detailed instructions and examples, please see the Custom Opal Roles documentation page.

• Fixed tab numbers on app assets.
• Added a new API endpoint to fetch a single request by ID with complete request details.
• Updated Add Resources to Bundle sidebar UX.

• Fixed an issue where empty tooltips could appear for revoked access reviews when no notes were present.
• Enables configuring user provisioning in custom connector apps, if available to customer.
• Fixed a bug where duplicating a request with permanent duration doesn't auto-populate the duration dropdown.
• Read only admins can again view visibility groups for a resource or group in the UI.
• Minor updates to search page styling.
• Fixed a bug where the import items view would not display an ongoing sync.
• Fixed a bug where two tags with the same value but different 255-character prefix would result in a sync error.

• Added support for Okta Group Rules as a group type in the API
• Added a Google Chat notification for requesters
• Fixed a bug with causing AWS Identity Center Roles to be un-imported when all of its users are removed in some configurations
• Added a button to add containing groups to a group on group/resources tab

• Bumped limit for Opal Impersonation role for large organizations.
• Fixed bug where forfeit button was unreachable

• Added banner to the top of the App that let's users know when there's an ongoing incident and directs them to the status page
• Improved UAR reviewer assignment experience
• Fixed an issue were it was impossible to remove all assigned reviewers from a UAR item once assigned