New in v2026.5.2

OpenIAM version 2026.5.2 delivers a set of enhancements focused on platform modularity, access certification usability, workflow visibility, and overall reliability.

This release introduces a standalone batch-task-manager microservice that extracts batch processing out of the ESB for independent scaling and failure isolation, Groovy script bulk import and export for easier environment management, support for multiple campaign managers on a single access certification campaign, and a new Workflow Request Overview report. In addition, it addresses a range of stability, data consistency, and UI issues across access reviews, OAuth configuration, email delivery, and managed system provisioning.

New features

Platform architecture

OE-3716 – Batch Task Manager extracted into its own microservice
The batch task subsystem — schedulers, initializers, the BATCH_CONFIG/BATCH_SCHEDULE tables, and the Groovy task runners — has been pulled out of openiam-esb and into a new standalone microservice, batch-task-manager.

Why this matters:

  • Batch jobs no longer share heap with the ESB. The ESB can be sized for API traffic; the batch manager can be sized (and scaled) independently for job load.
  • Lower ESB memory footprint and fewer GC spikes during heavy batch windows.
  • Failure isolation — a stuck or memory-heavy job no longer impacts the ESB request path.
  • Resolves cache-consistency issues between the ESB and the batch runtime that previously surfaced as EntityNotFoundException: Unable to find ... BatchTaskScheduleEntity (FD 1225). Schedule entities are now owned and evicted exclusively by the batch task manager.

What's introduced:

  • A new deployable: batch-task-manager (Spring Boot, packaged jar). Shipped as a new Helm chart (helmcharts/batch-task-manager/) and a new ArgoCD application (openiam-batch-task-manager).
  • A new database, batchtasks, which now owns BATCH_CONFIG and BATCH_SCHEDULE. These tables are no longer maintained in the openiam DB. Flyway migrations are shipped for MySQL/MariaDB, MSSQL, Oracle, and PostgreSQL under conf/schema/<vendor>/batchtasks/2026.5.2.0/.
  • An automatic, one-shot migration that copies existing BATCH_CONFIG rows from the legacy openiam DB into the new batchtasks DB the first time the batch task manager starts. No flag or operator action is required — simply starting the new service triggers the migration. Subsequent starts are no-ops.

See the instructions for upgrading and the configuration steps in RPM and Kubernetes.

Groovy Script Management

OE-4025 – Groovy Script bulk import and export
Administrators can now move Groovy scripts between environments — or back them up — without manual copy-paste. Two new operations are available in the Webconsole Groovy Manager screen and via the REST API:

  • Export all scripts — downloads every Groovy script as a single .zip archive (groovy-scripts.zip). Each entry is placed at <folder>/<name>_<version>.groovy preserving the folder hierarchy.
  • Export selected scripts — select individual scripts in the file-browser tree and export only those as groovy-scripts-selected.zip.
  • Import from zip — upload a .zip file to bulk-create or update scripts. The importer matches existing scripts by path + name + version and updates them in-place rather than creating duplicates. Entries at the root level (no folder) and entries whose filename does not match the name_version.groovy format are skipped with a warning written to the audit log.

Both import and export operations are fully audited under the IMPORT_GROOVY_SCRIPTS and EXPORT_GROOVY_SCRIPTS audit actions respectively.

See Groovy Manager API reference for the new endpoint details.
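Because imported Groovy scripts update existing ones in place, it helps to review an archive before uploading it. The following pre-import check is an added example, not OpenIAM code: it applies the skip rules described above to a zip and produces a SHA-256 manifest of the entries that would be imported. It assumes the version is whatever follows the last underscore in the file name; the function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Assumption: <name>_<version>.groovy, with the version after the LAST underscore.
ENTRY_RE = re.compile(r"^(?P<name>.+)_(?P<version>[^_/]+)\.groovy$")


def classify_archive(data: bytes):
    """Return (importable, skipped) for a Groovy script zip, per the rules above."""
    importable, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, _, filename = info.filename.rpartition("/")
            if not folder:  # root-level entries are skipped by the importer
                skipped.append((info.filename, "root-level entry"))
                continue
            match = ENTRY_RE.match(filename)
            if not match:  # file name is not name_version.groovy
                skipped.append((info.filename, "not name_version.groovy"))
                continue
            importable.append({
                "folder": folder,
                "name": match["name"],
                "version": match["version"],
                # Hash lets a reviewer diff script content between environments.
                "sha256": hashlib.sha256(zf.read(info)).hexdigest(),
            })
    return importable, skipped


def build_sample() -> bytes:
    """Constructed sample archive: one valid entry and three that would be skipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("provisioning/ad/CreateUser_1.groovy", "println 'a'")
        zf.writestr("Orphan_1.groovy", "println 'b'")
        zf.writestr("provisioning/README.txt", "notes")
        zf.writestr("provisioning/NoVersion.groovy", "println 'c'")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = classify_archive(build_sample())
    for e in ok:
        print("IMPORT", e["folder"], e["name"], e["version"], e["sha256"][:12])
    for name, reason in bad:
        print("SKIP  ", name, "-", reason)
```

Comparing the manifest with one built from an export of the target environment shows which scripts the import would change before anything is uploaded.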

Access reviews and certification

OE-3861 – Default to User View for certification campaigns
When a reviewer opens a certification campaign, the User View is now shown by default. Reviewers can still switch to Entitlement View as before.

OE-4096 – Multiple campaign managers for access review campaigns
Access certification campaigns can now be jointly managed by more than one campaign manager.

This improvement enables:

  • Multiple users assigned as campaign managers during campaign creation or while a campaign is in progress.
  • All assigned managers have equivalent permissions to monitor progress, manage delegation, send reminders, and perform other administration tasks.
  • Manager actions are recorded so the audit trail shows which manager performed which action.

Reporting and visibility

OE-3870 – Workflow request reporting
A new reporting area in the SelfService portal gives administrators and managers visibility into workflow request volume and outcomes across all request types.

Key capabilities include:

  • A new top-level "Request Management" menu in SelfService, grouping Request Administration and the new Workflows Overview report.
  • Aggregate counts of workflow requests by request type and status.
  • Asynchronous CSV export of request detail, delivered by email for larger result sets.

Authentication and security

OE-3883 – Reset password auto-generate option
The Reset Password dialog now clearly distinguishes between "fill password manually" and "auto-generate password" as primary options, ensuring the selected option always matches the action that will be performed.

OE-3674 – Multiple redirect URLs for OAuth clients
Multiple redirect URLs can now be added and saved against a single OAuth client configuration.


Enhancements and tasks

Access reviews and certification

OE-4125 – Access certification campaign dashboard improvements
Refreshed the dashboard on the access certification campaign screen.

Updated behavior:

  • The dashboard accurately reflects the current status of the campaign and its key details.
  • Charts update as the campaign progresses.
  • Reviewers and campaign managers see consistent progress information without needing to refresh manually.

OE-4107 – Add Policy button position restored
Restored the position of the Add Policy button on the policy maps screen of managed systems, so administrators no longer need to scroll back to the top after adding each policy.

OE-4058 – Faster Segregation-of-Duties evaluation during access review
Improved performance of SoD policy evaluation during access certification campaign preparation, reducing overall campaign launch time for large policy sets.


Bug fixes

Access reviews and certification

OE-3908 – Sorting and filtering in access review tables
Fixed sorting controls on column headers and filters in the Entitlement View and User View tables during UAR campaigns — both now correctly re-order and narrow the visible data.

OE-4053 – Correct item counts in multi-step access review
Resolved incorrect progress counts shown on campaign cards and inside campaigns when reviews have more than one approval step, or when items are delegated or escalated.

OE-4167 – Reliable UAR notification email delivery to large reviewer populations
Fixed an issue where only a subset of reviewers received the initial notification email on campaigns with very large reviewer populations.

Authentication and security

OE-3799 – OAuth client configuration form cleanup
Fixed field placeholder text overlapping saved values in the OAuth Client configuration form under Access Control > Authentication Provider.

Managed systems and provisioning

OE-4112 – DEFAULT_IDM policy attribute now saves
Resolved an error that prevented saving user policy attributes of type DEFAULT_IDM on managed system policy maps.

OE-4113 – Requests for child roles now trigger workflows
Fixed an issue where submitting a SelfService request for a child role failed with an error and did not start the configured approval workflow.

Email and notifications

OE-4177 – Admin password reset delivers the new password
Fixed an issue where users received the generic password-changed notification but not the email containing the actual new password when an administrator reset their password with "Notify user via email" enabled.

OE-4180 – Redesigned HTML password emails
Redesigned password-related email templates (password changed, new-password, and reset activation) as properly styled HTML, correcting broken layout, typos, broken field references, and a plain-text call-to-action in the reset activation email.

UI and user experience

OE-4045 – Clear validation when required fields are missing
Fixed the Create New User flow in the Webconsole to display a specific validation message identifying the missing required field instead of a generic "An unknown error has occurred" message.


Minor updates

  • Multiple campaign managers can now be assigned to a single access certification campaign.
  • New Workflow Request Overview report and Request Management menu in SelfService.
  • Improved access certification dashboard accuracy and real-time progress updates.
  • Restored Add Policy button placement on managed system policy maps.
  • Faster SoD evaluation during campaign preparation.
  • Stability and data consistency fixes across access reviews, OAuth configuration, email delivery, and managed system provisioning.