• Improved Risk Center page performance
• Fixed a bug in UARs where some groups and resources were not appearing in the generated PDF

• Fixed an issue where grants and ipsets would be dropped from the Tailscale policy file.
• Fixed an issue where propagating access to two Okta roles at the same time would sometimes result in the user gaining access to only one of the roles.
• Fixed an issue that caused duplicate events to be created when removing a group from another group.
• Fixed an issue where Manage in Inventory was missing in the group details modal.
• Fixed issues related to bulk selecting bundle assets.
• Added target_user_id and requester_id to requests API filters.
• Added database support for request reviewer delegations, allowing users to delegate their request review responsibilities to other users for a specified time period.
• Added lastSuccessfulSyncto groups API.
• Added lastSuccessfulSync to resources API.
• Updated Event Filters modal styling.
• Increased task timeout for most tasks to 3 hours.
• Moved remote events to the Usage tab for Okta apps, AWS IAM roles, and resources in custom connectors.
  • Note: The Events tab on all resources, as well as CSV exports, the Events API, and Event Streaming, will contain only events originating in Opal.

Important note (for self-hosted customers):

This upgrade contains a substantial migration. You may notice higher latency across all actions in your Opal instance for up to 10 minutes while deploying this release. We recommend running this upgrade off-hours if possible.

Improvements and updates:

• Deprecated USERS_ADDED_TO_GROUPS, GROUP_USERS_UPDATED, and USERS_REMOVED_FROM_GROUPS events and migrated them to ROLE_ASSIGNMENT_CREATED, ROLE_ASSIGNMENTS_UPDATED, and ROLE_ASSIGNMENTS_DELETED, respectively
• Fixed an issue where attribute mapping was inaccessible without a direct link
• Fixed an issue where multiple concurrent tasks synchronizing removals of users from groups could attempt to propagate those removals back to the end system.
• Fixed an issue when viewing requested groups
• Added Microsoft Active Directory as a new IDP provider
• Added client-side validation for custom field character limits
• Added catalog modals to UARs, so you don't have to leave the page to view more details about a resource
• Updated user-first UARs to open the catalog modal, so you can see additional information without leaving the UAR
• Updated and modernized Access Changes table under access reviews
• Updated resources table under group modals
• Updated integration settings styling
• Updated Add Principals Sidebar
• Updated month picker styles on Create UAR Schedule page
• Updated copying fields on resource and app details
• Updated the My Access section of the details modal

• Updated the Import Roles sidebar for a more streamlined role import experience.
• Fixed an issue where Slack requesters and approvers needed to sign in to Opal before completing OIDC MFA validation with their identity provider. Users can now complete MFA validation directly from Slack without requiring an active Opal session.

• [On-Premises Deployments] This update includes a database migration involving events that may take extended time to complete. We recommend scheduling this update during off-hours to minimize impact.
• Added masking to the Tailscale API Key input during setup screen for enhanced security.
• Added support for importing array user attributes as user tags from Okta. A user tag will be created for every value in the array, enabling more flexible access rules based on manager and department hierarchies.
• Added a menu to end user detail cards with options to copy the asset link and asset ID.
• Improved Google Groups integration to function with reduced permissions - now only requires admin.directory.group.readonly scope instead of admin.directory.group.
• Improved Google Workspace integration to function with reduced permissions - now only requires admin.directory.rolemanagement.readonly scope instead of admin.directory.rolemanagement.
• Improved display of long description text for better readability.
• Improved access expiration notifications to display the full resource path, providing clearer context.
• Improved error messages for the remote resources API to provide better troubleshooting information.
• Fixed an issue preventing users from creating configuration templates with global visibility in Terraform.
• Fixed users with GROUP:EDIT_ASSIGNMENTS permission being unable to edit Access Rule conditions.
• Fixed an issue with Active Directory connections for users with empty email attributes.
• Fixed a synchronization issue where service accounts deleted in GCP were not being removed from Opal.

• Fixed a bug that prevented requesting access to custom Okta roles.
• Fixed bug where next scheduled access reviews were computed based on EST instead of past in timezone
• Updated copy on Add Group/User/Resource modal to more clearly articulate relationship between the source entity and the target entities.
• Allow the Google Workspace integration to function with the admin.directory.user.readonly scope instead of always requiring admin.directory.user.

• Fixed bug on Owners group escalation policy where opening the edit form would not reflect the current state of the policy when on
• Added custom Opal Roles, allowing Opal admins to create and edit Opal roles with fine-grained permissions. For detailed instructions and examples, please see the Custom Opal Roles documentation page.

• Fixed tab numbers on app assets.
• Added a new API endpoint to fetch a single request by ID with complete request details.
• Updated Add Resources to Bundle sidebar UX.

• Fixed an issue where empty tooltips could appear for revoked access reviews when no notes were present.
• Enables configuring user provisioning in custom connector apps, if available to customer.
• Fixed a bug where duplicating a request with permanent duration doesn't auto-populate the duration dropdown.
• Read only admins can again view visibility groups for a resource or group in the UI.
• Minor updates to search page styling.
• Fixed a bug where the import items view would not display an ongoing sync.
• Fixed a bug where two tags with the same value but different 255-character prefix would result in a sync error.

• Added support for Okta Group Rules as a group type in the API
• Added a Google Chat notification for requesters
• Fixed a bug with causing AWS Identity Center Roles to be un-imported when all of its users are removed in some configurations
• Added a button to add containing groups to a group on group/resources tab