AUTHOR: PlainID Product Team
Release Notes

PlainID Platform - November 2024 Release


The November 2024 release of the Platform includes new features, product enhancements, UI/UX improvements, and bug fixes.


What’s New?

Application Management APIs

Introducing Management APIs for Applications, extending the existing Policy as Code (PaC) capabilities. These APIs enable CRUD operations, such as importing, exporting, and deleting Applications, ensuring that changes to the code are tracked and managed efficiently. This empowers organizations to streamline their workflows and scale their application management in a flexible manner, aligning with modern development practices.

Key Benefits:

  • Management through API integration enables automating repetitive tasks related to Applications and Application metadata. It also facilitates CI/CD integration for seamless object migration between Environments. This reduces manual intervention and enhances efficiency.

  • Consistency ensures technical alignment between Application IDs and Display Names. While APIs rely on Application IDs for consistent operations, Display Names are used in the UI for better readability. Application IDs are seamlessly integrated across PaC, PDP, and API configurations, simplifying management and ensuring smooth functionality.

Link Identity Sources to API Mappers

Application API mappers now have a new mapping option, enabling customers to fine-tune the use of Identity Sources in API use cases based on our PDP Operational Filtering functionality. This enhancement allows customers to gain better control over which Identity Data Sources are used for specific API access flows, reducing unnecessary data fetching and improving performance.

This new setup can be configured on the Application API Mapper page by establishing Identity Source Filtering, specifying the Exclude/Include filter type, and linking the relevant Identity Sources. These links are deployed as part of the API mappers and utilized by the PDP during Authorization calculations. They also leverage the PDP Operational Filtering functionality, as mentioned in our February 2024 release.

PDP (Runtime) Log Level APIs

Introducing the ability to change PDP service log levels through API calls. This enhancement simplifies troubleshooting in customer Environments, particularly in Production, where high log levels may limit visibility into service processes. Previously available for the PAA Agent and PIP-Operator services, this capability is now extended to the PDP Service, allowing customers to collect detailed logs without configuration changes or service restarts.

Redis Secret Rotation

PlainID now supports Redis secret rotation for PAA services connecting to Redis. This feature enables customers to integrate AWS Secrets Manager with the PlainID PAA Secret Management Service, facilitating periodic Redis secret rotation. The PAA services, including Agent, PIP-Operator, and Runtime, now dynamically retrieve secrets from the Secret Management Service, ensuring uninterrupted connectivity during secret rotations. Refer to our Documentation Portal or contact our Professional Services Team for detailed prerequisites and configuration steps.

Product Updates

Policy Wizard Enhancement - Conditions

Introducing a new enhancement to the Policy Wizard that further streamlines the Policy creation process. With this update, the ability to create Building Blocks directly from the wizard has been extended to the WHEN step. Now, when defining the WHEN step, users can create new Conditions without leaving the Policy creation flow. These newly created Conditions can be easily added to the current Policy and later reused in other Policies, improving efficiency and flexibility across the board.

Policy Simulator

The Policy Simulator now allows users to define the Identity Template ID, providing greater flexibility for simulating scenarios with different Identity types. Additionally, it supports the assetContext feature, enabling more comprehensive Policy testing and validation within specific assetContext objects. These enhancements make the Policy simulation process more robust and better aligned with real-world use cases.

SQL Database Authorizer

Introducing four enhancements to the SQL DB Authorizer, designed to improve data Policy modeling and flexibility in query modification. These updates provide customers with greater control and precision in managing data access and masking:

  • Configuring Column Resource Type at Library Level: Use a new Query Mod Flag to set the Asset Type for column mapping during query modifications at the library level. This enhances customer control over data Policy modeling and increases flexibility across various Applications and services integrating with the SQL DB Authorizer.

  • WITH Clause Support: Extend query modification functionality to support SQL WITH clauses, enabling dynamic data access control for complex queries that use WITH.

  • Masking Inside Functions: Enable masking for controlled columns used within SQL functions, ensuring that protected column masking is enforced even in function contexts.

  • Support for Conditional Masking: Enhance masking capabilities to allow for conditional masking scenarios, enabling customers to define specific masking instructions at a granular level. Policies can now dictate both the masking instructions on columns and the specific filters to be applied, allowing for cell-level masking.

SaaS Authorization Management Authorizers

  • PlainID has implemented UI validation in the Policy metadata section to improve the Policy authoring experience and ensure accurate Policy configuration in Power BI, Zscaler, and Snowflake.

  • Additionally, for the Power BI Authorizer, the ability to select Workspaces and Datasets from a discovered list has been enabled during new Policy creation. This enhancement simplifies the Policy authoring process and improves granularity for control, enabling more effective governance.

PDP (Runtime) Configuration Control

PlainID now offers a configurable file for fine-tuning Runtime service parameters to optimize performance based on your organization's needs. This new method allows users to configure and override PDP service keys via Environment Variables with a hierarchical naming syntax, providing greater flexibility and simplifying dynamic configuration across Environments.

PDP Asset Context Optimization

The PDP assetContext capability has been optimized to improve calculation performance, especially when processing large context sets in a request. Additionally, customers can now enable an optional optimized assetContext response using the new request flag, useOptimizedAssetContextResponse. This optimization modifies the response structure to produce a smaller payload by grouping similar responses per context, thereby reducing response processing time and network load.

For more details on this optimization, refer to our article on Working with assetContext.

Translator Property Environment Variables

PIP Translator Properties have been enhanced to support property usage values from Environment Variables. Customers can manage a more secure setup of their PIP integrations by setting translator properties using Environment Variables.

JWKS URL Deprecation in PAA

As part of the two-phase deprecation process introduced in our January release regarding JWKS settings management at the Scope level, and in line with the deprecation notice provided in our Managing Scopes documentation, we are now beginning the first phase of deprecating the JWKS configuration at the PAA level. In this phase, editing or adding JWKS settings on the PAA setup page will be limited. Customers will still be able to copy their configurations to the relevant Scope. In the next release, JWKS settings on the PAA page will be fully removed.

Policy Authorization Agent (PAA)

This release includes security enhancements for the PAA.

For upgrade instructions, refer to the Admin Portal at https://docs.plainid.io


We're happy to hear about your experiences with these new features and look forward to hearing more about what you want to see in the Platform.
For more information, visit the PlainID Documentation Portal.
