New in v2026.2.1

OpenIAM version 2026.2.1 delivers a set of enhancements and improvements, continuing our commitment to stability, usability, and platform growth. This release includes a total of 13 new features, 19 bug fixes, and 4 Infrastructure / DevOps updates.

New features

Security and authentication

OE-2910 – Compromised password detection
After successful login, OpenIAM now asynchronously checks the user's password against the Have I Been Pwned (HIBP) API using k-Anonymity (only a 5-character SHA-1 prefix is sent). If the password is found in a known breach, the user receives an email notification prompting them to change their password immediately.
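As an added illustration of the k-Anonymity range check described above (example code, not OpenIAM's own implementation): only the first five hex characters of the SHA-1 leave the host, and the remaining 35 are matched locally against the suffix list the API returns. The HTTP fetcher is replaced by a constructed response so the block runs offline; the endpoint URL and the `Add-Padding` header are the assumptions about the live API.

```python
import hashlib
import urllib.request
from typing import Callable

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form HIBP's range endpoint works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed demo data: a weak password and a fake range response for its
# prefix. Each response line is "<35-char SHA-1 suffix>:<breach count>".
DEMO_PASSWORD = "password123"
DEMO_COUNT = 12345  # constructed, not a real breach count
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:3",          # constructed filler
    f"{sha1_hex(DEMO_PASSWORD)[5:]}:{DEMO_COUNT}",     # matches the demo password
    "FEDCBA9876543210FEDCBA9876543210FED:1",          # constructed filler
])

def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HIBP range call; ignores the prefix value."""
    assert len(prefix) == 5, "only a 5-character prefix may be sent"
    return SAMPLE_RANGE_RESPONSE

def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher (assumed endpoint): GET /range/<prefix>. Add-Padding asks
    the API to pad the response so its size does not hint at the prefix."""
    assert len(prefix) == 5
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-k-anon-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return the breach count for the password, or 0 if it is not listed.
    The full hash never leaves this function; only the prefix is sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padded entries carry count 0 and never match
    return 0

if __name__ == "__main__":
    n = pwned_count(DEMO_PASSWORD, sample_fetch_range)
    print(f"{DEMO_PASSWORD!r} seen {n} times (demo data)")
```

A deployment like the one described would run `pwned_count` asynchronously after login with `hibp_fetch_range` and trigger the notification only when the returned count is non-zero.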


Segregation of Duties (SoD)

OE-3728 – Mitigating controls for SoD
A new Mitigating Controls tab has been added under Access Control > Segregation of Duties. Administrators can define compensating controls (with name, manager/owner type, and effective/expiration dates) and associate one or more controls with SoD policies. This allows organizations to document accepted risks and compensating measures when strict SoD enforcement is not feasible.

OE-3274 – SoD violation notifications for manager groups
Managers assigned to SoD policies now receive email notifications when violations are detected or resolved. Three new email templates are included: Violation Detected (Soft), Violation Detected (Hard), and Violation Resolved.

OE-3760 – UAR SoD violations UI
The User Access Review (UAR) interface now surfaces SoD violation information directly on the User Details view. Reviewers can resolve conflicts or skip/pass violations to the next reviewer. On the Entitlement View, rows with active SoD violations are highlighted and approve/revoke buttons are disabled until the violation is addressed.

OE-3819 – UAR campaign batch save refactor and reviewer-scoped views
The campaign persistence layer has been refactored to eliminate stale-state and cascade-delete issues. A batch save mode now correctly accumulates counters under concurrent load. Non-global-manager reviewers now see counts and paginated results scoped only to their reviewer ID.


Access control and organization management

OE-2387 – Organization-level filter for the Access Control model
Implements virtual tenant functionality. Organization Admins can now be scoped so they only see users, roles, groups, resources, and entitlements belonging to their assigned organization(s). Applicable in both the SelfService portal (catalog, request history, access management) and the web console. Super-admin users retain full global visibility.


Risk management

OE-3229 – Risk management UI
A new Administration > Risk Factors Configuration page is available. It provides a summary panel with a pie chart showing risk factor distribution (High/Medium/Low) and individual configuration cards for five risk factors: Entitlement Sensitivity, Entitlement Origin, Entitlement Lifetime, Approval Path, and UAR Awareness. Each factor can be enabled/disabled and weighted (0.0–1.0). A JSON configuration section is available for factors that support custom parameters.


Password management

OE-3608 – Change password UI redesign
The SelfService Change Password screen has been fully redesigned with an improved user experience.

OE-3736 – Change password: Email selection for generated passwords
Users can now select which of their registered email addresses should receive a system-generated password (instead of always defaulting to the primary email).

OE-3735 – Change password: SMS delivery method
Users can now select a registered phone number to receive a system-generated password via SMS.


Direct reports and user admin

OE-2162 – Employee type column in direct reports screen
The Direct Reports screen in SelfService now supports a configurable Employee Type column. Column ordering and visibility can be managed via Administration > System Configuration > System tab.


Bug fixes

SoD and mitigating controls

OE-3783 – SoD role search fix in segments
Fixed a bug where roles could not be found via the search bar within a SoD segment when that segment already had 20 or more roles. The entitlement selection UI has been redesigned with a per-type modal for managing entitlements.

OE-3781 – SoD violations not cleared after policy update
Resolved an issue where users remained listed in the Violations tab even after the related SoD policy was updated (e.g., inactivated, segment removed, or entitlement removed).

OE-3794 – SoD mitigating control: Manager/Owner type update error
Fixed an unexpected error thrown when changing the Manager or Owner type (user to group or group to user) on a Mitigating Control, which also now properly resets the Manager/Owner value.

OE-3793 – SoD mitigating control: Friendly deletion error message
When attempting to delete a Mitigating Control that is linked to one or more SoD policies, the system now shows a clear, user-friendly message: "Mitigating control linked to one or more SoD policies" instead of a generic error.

OE-3792 – SoD mitigating control: Date field issues
Fixed multiple date-handling bugs on Mitigating Controls: dates were being saved as one day off; adding a second date caused the first to be lost; and saving any field update was clearing both dates. Also added validation requiring that the Expiration Date is not earlier than the Effective Date.

Authentication and SAML

OE-3752 – "Set Header" metadata: Incorrect propagate flags on save
Fixed a bug where newly added "Set Header" metadata properties on a content provider URI would always save with both "Propagate Through Proxy" and "Propagate on Error" flags enabled, regardless of the user's selections.

OE-3730 – Human-readable resource names in OAuth scopes
Fixed an issue (introduced in 4.2.2) where OAuth client scopes and Groovy script references were displaying raw internal resource IDs instead of human-readable names. Scopes now display in the format: coorelatedName(name).


User admin and profiles

OE-3748 – Supervisor principal missing in user profile
Fixed a bug where the Principal column was blank for supervisors listed under User Profile > Supervisors & Subordinates.

OE-1305 – Email checkbox state retained on user create
Resolved a long-standing bug where email flag checkboxes (active, published, default) were not correctly retained when creating a new user. When a user has only one email address, the backend now automatically sets all three flags.

OE-3619 – Phone number field bug on user forms
Fixed a bug with the out-of-the-box Phone Number field that was preventing form saves and causing the area code to be incorrectly appended to the phone number. The area code is now automatically determined from the selected country/region.


Cart and SelfService

OE-3733 – Cart validation Groovy script: Missing requesterId
Resolved a bug where currentlySelectedData.getRequesterId() returned null in the CartValidation Groovy script during the first "Add to Cart" action in a session.


Localization and database

OE-3731 – MSSQL: Missing LANGUAGE_MAPPING for CONNECTORTEMPLATE
Added missing LANGUAGE_MAPPING database entries for the CONNECTORTEMPLATE resource for all active languages, so the "Connector configuration" menu item now displays correctly regardless of the selected UI language.


UI and theming

OE-3696 – UI theme broken on RPM environment
Fixed a Thymeleaf template parsing error that caused the IDP page to fail rendering when a custom UI theme was applied on RPM installations.

OE-3813 – UAR dashboard pagination improvement
Fixed non-intuitive pagination on the UAR Dashboard grid view — pages (except the last) are now fully filled before a new page starts, preventing partially filled rows from appearing to be the end of the results.


Infrastructure / DevOps

OE-3823 – UI Helm charts separated into standalone chart
All UI-related Helm charts have been moved out of the monolithic Kubernetes project and published independently via the iam-ui repository.

OE-3822 – ESB Helm charts separated into standalone chart
All ESB Helm charts have been moved out of the monolithic Kubernetes project and published independently via the iam-services repository.

OE-3790 – Automated Helm chart versioning in CI
The CircleCI start_new_sprint job now automatically updates the version field in all relevant Chart.yaml files (configmap, gremlin, nginx, pvc, rabbitmq, vault) at the start of each release cycle.

OE-3832 – SCIM Connector: Java 21 compatibility fix
Fixed a NoClassDefFoundError: javax/annotation/Priority crash that caused the SCIM connector to restart continuously on Java 21 due to a missing jakarta.annotation dependency in the Jersey client classpath.