  • Added a warning when setting a custom global max resource and group duration if it exceeds a year
  • Fixed broken labels on break glass modal
  • Performance improvements for the risk center.
  • Fixed colors for EC2 usage table in dark mode
  • Added more detail to some GCP connection creation errors.
  • Fixed a bug where the assignments of AWS Identity Center resources were not populated if one of their assignees was missing an email.
  • Fixed a bug causing access rules to sometimes not be synced.
  • Added groups and apps to UAR schedules table.
  • Changed UAR paths to use nested routes instead of category search params
  • Changed UAR schedules path from /access-reviews/t/{SCHEDULE_ID}?category=schedules to /access-reviews/{SCHEDULE_ID}
  • Converted all paths for UARs to routes instead of hashes. E.g. #my-review -> /my-review
  • Improved handling of LaunchDarkly errors, with fallback to a degraded experience if it is down.
  • Fixed a bug where GCP projects would not be removed from Opal after being deleted in GCP.
  • Updated request form label from Expires In to How long do you need access?
  • Opal can now automatically revoke access from users in end systems when they are deprovisioned in IDP/HRIS systems. This can be enabled in IDP/HRIS settings.
  • Added max possible duration option when creating an API Access Token
  • Fixed missing My Access toggle in app detail view in Catalog
  • The "Connect" button for AWS Identity Center Roles now directly links to an AWS session using the role in question rather than the AWS Identity Center start page.
  • Improved the sorting order for the last used field in the risk center to make it easier to view usage data.
  • Visibility configuration can now be modified for Access Rules & Okta group rules.
  • Minor UI changes to Risk Center.
  • Added 'New Access Request' entry to quick search menu.
  • Mitigated an issue where Okta replication lag would result in stale data being imported.
  • Removed feature-flagging service from the critical path such that the app functions if it goes down.
  • Improved API request validation to properly handle all requests with bodies. This fixes an issue creating and modifying Terraform resources using APIs with no request body.
  • Added the ability to update a user's access level or duration in a group via the API.
  • Fixed a bug where setting a custom duration for an Owner Escalation Policy would default to an invalid '0' option.
  • Fixed a bug where some custom connector login events were not attributed to their resource.
  • AWS, Azure and GCP apps now default to list view in the UI.
  • Deleted Opal v2
  • Clarified copy on unrequestable items
  • Fixed a bug in the risk center where different access levels would cause the wrong expiration to be displayed.
  • Added titles column to inventory users table
  • Added direct reports to user hovercards
  • Added ingestion of GCP service account usage events.
  • Began ingesting usage data for GCP service account resources.
  • Fixed GitHub Org Role icon
  • Normalized default access request durations instead of interpolating
  • Updated tabs for groups to use nested routes rather than hashes
  • Fixed links to Inventory users with invalid characters
  • Fixed access counts for users in the inventory users table
  • Updated resource and app paths to use sub routes instead of hashes. E.g. #resources is now /resources
  • Updated UI for custom access request template order
  • Fixed Snowflake sync bug that caused errors
  • Fixed some page load performance issues on inventory detail pages
  • Added hovercards to user links on request details page
  • Updated styling of initial import view
  • Fixed an issue where Okta Rules couldn't be imported through the App Import flow.
  • Fixed an issue where tags couldn't be completely removed from a resource.
  • Fixed a sporadic error that would happen when attempting to import some groups or resources for an App.
  • Fixed a bug related to risk center suggestions on Okta group rules.

API

  • Added a new API endpoint for approving access requests, allowing programmatic approval of pending requests.

Breaking change

  • API endpoints now strictly require bearer token authentication. Session cookies are no longer accepted for API requests, and all API calls must include a valid Authorization header with a Bearer token.