New Functionality

• Added custom date option to bulk expirations menu

• Added connector group and connector resource app identifiers to sublabels and hovercards

• Added ability to filter inventory/owners by specific users

Feature Enhancements

• Reworked access rules failsafe threshold for better accuracy

  • The threshold is now evaluated against additions and removals separately (as opposed to cumulative changes)
  • The threshold no longer has a 20 user minimum, this will make the failsafe useful for smaller single-team rules.

• Updated notification styling

Bug Fixes

• Fixed GitHub connection creation sync failure

Self-hosted only

• Added support for SMTP connections on port 25, with or without STARTTLS

Feature Enhancements

User Experience Improvements

• Added explore to the KBar
• Improved request approver flow with slight visual changes
• Added a new table view in User Settings to display active request reviewer delegations, making it easier to manage and track who can review requests on your behalf
• Added manager full name and manager ID to user export CSVs
• Display Role name on soon to expire notification subevent table

Search and Filtering

• Enhanced search filter on Inventory group users or resource user tables to now filter on names, email, or position
• Added the ability to filter resources by remote ID and resource type in the Resources API, enabling more precise resource lookups based on external system identifiers

API Enhancements

• Added REST Public API support for Github Org Roles

Bug Fixes

• Updated errors to include more details when Jira credentials are incorrect

Self-hosted only

• Added ability to tune memory requests and limits for some key opal pods

Feature Enhancements

Access Review Improvements

• Enhanced Resource Preview with pagination, sorting, and filtering capabilities
• Added pagination and sorting to Group Preview, improving performance for large datasets
• Replaced "Other Reviewers" column with a comprehensive list view instead of an icon

API Enhancements

• Added ability to request all resources a user has access to via the API

Integrations

• Added support for GitHub app installations
• Implemented app validations for Tailscale and allow authentication via OAuth instead of API keys
• Enabled automatic provisioning of Snowflake users
• Updated roles dropdown under User Access tab on resources

User Experience Improvements

• Changed resource creation flow to use modal instead of full page
• URLs are now clickable links in custom field descriptions and labels
• Performance improvements for the Risk Center

Bug Fixes

• Fixed issue where Soon To Expire notifications were being sent multiple times for the same asset
• Fixed conjugation/pluralization issue in Request Ticket banner
• (Self-Hosted only): Resolved a bug in Kubernetes manifest formatting that was preventing upgrades

• [Airgap Self-Hosted Only] Fixed a bug where customers could not toggle dry-run/read-only modes, nor update org-wise notification settings.
• [Self-Hosted only]: Fixed a bug in kubernetes manifest formatting that prevented upgrades.

• Fixed a bug where assets were still selected after removing from Bundle
• Updated Jira integration to use their new search endpoint. You must update or Opal cannot query the status of existing tickets during sync.

• Fix bug on Owners group escalation policy where opening the edit form would not reflect the current state of the policy when on
• Adding support for startTLS over smtp connections using port 587

• Improved Risk Center page performance
• Fixed a bug in UARs where some groups and resources were not appearing in the generated PDF

• Fixed an issue where grants and ipsets would be dropped from the Tailscale policy file.
• Fixed a bug where propagating access to two Okta roles at the same time would sometimes result in the user gaining access to only one of the roles.
• Fixed a bug that caused duplicate events to be created when removing a group from another group.
• Fixed manage in Inventory missing in group details modal.
• Added target_user_id and requester_id to requests API filters.
• Added database support for request reviewer delegations, allowing users to delegate their request review responsibilities to other users for a specified time period.
• Added lastSuccessfulSyncto groups API.
• Added lastSuccessfulSync to resources API.
• Updated Event Filters modal styling.
• Increased task timeout for most tasks to 3 hours.
• Moved remote events to the Usage tab for Okta apps, AWS IAM roles, and resources in custom connectors.
• Fixed issues related to bulk selecting bundle assets

Important note (for self-hosted customers):

This upgrade contains a substantial migration. You may notice higher latency across all actions in your Opal instance for up to 10 minutes while deploying this release. We recommend running this upgrade off-hours if possible.

Improvements and updates:

• Deprecated USERS_ADDED_TO_GROUPS, GROUP_USERS_UPDATED, and USERS_REMOVED_FROM_GROUPS events and migrated them to ROLE_ASSIGNMENT_CREATED, ROLE_ASSIGNMENTS_UPDATED, and ROLE_ASSIGNMENTS_DELETED, respectively
• Added client side validation for custom field character limits
• Fixed bug where attribute mapping was inaccessible without a direct link
• Fixed a bug where multiple concurrent tasks synchronizing removals of users from groups could attempt to propagate those removals back to the end system.
• Fixed Issue viewing requested groups
• Microsoft ActiveDirectory added as a new iDP provider.
• Add catalog modals to UARs so you don't have to leave the page to view more details about a resource
• User first UARs now open the catalog modal so you can see additional information without leaving the UAR
• Modernized Access Changes table under access reviews
• Updated resources table under group modals
• Updated integration settings styling
• Updated Add Principals Sidebar
• Updated month picker styles on Create UAR Schedule page
• Updated copying fields on resource and app details
• Made minor adjustments to the My Access section of the details modal

• Updated the Import Roles sidebar for a more streamlined role import experience.
• Fixed an issue where Slack requesters and approvers needed to sign in to Opal before completing OIDC MFA validation with their identity provider. Users can now complete MFA validation directly from Slack without requiring an active Opal session.