We are happy to announce the upcoming upgrade of IAM to a newer version, which includes the following changes:
- Operation protection: Introduction of multi-factor authentication (MFA) for critical actions
  - For critical actions, such as deleting an ECS, administrators can now enable the operation protection feature to require MFA for executing the critical action.
  - This can be enabled for the executing user or for a different user to achieve four-eyes-principle compliance.
- Authorization Records: Introduction of a new view for quickly checking user authorizations
  - On the new page, authorization records are displayed and can be searched, e.g. by username, to show the policies/roles assigned to that user.
- IAM Batch Operations: Introduction of batch operations for multiple users, including:
  - User Deletion
  - User Modification (Status (Enabled/Disabled), Verification Method (Programmatic/Management Console), Verification Method (SMS/Email/Virtual MFA Device/Disabled))
- New SSO User Type: Introduction of SSO User Types “Virtual User” and “IAM User”
  - Virtual User: After a user logs in to OTC through an identity provider, the system automatically creates a virtual identity for the user. Multiple identity providers of the virtual user SSO type can be created under an account.
  - IAM User: After a user logs in to OTC through an identity provider, the system maps the user to an IAM user based on the configured identity conversion rules. Only one identity provider of the IAM user SSO type can be created under an account. If you select this type, ensure that you have created an IAM user and set the external identity ID.
- Access Key Management
  - By default, this option is disabled, and all the users under your account can manage (create, enable, disable, and delete) their own access keys. If you enable this option, only the administrator can manage access keys of users.
- Information Self-Management
  - By default, this option is enabled, and all IAM users under your account can modify their own basic information (mobile number, email address, and password). If you disable this option, only the administrator can modify IAM user information.
- The soft quota for user groups is increased to 500.
- When creating or updating an IAM user, a message is displayed indicating that the mailbox has already been used and which user is using it.
- Identity Provider Modification Screen
  - The preconfigured metadata section for Identity Provider settings is removed. Customers can upload a metadata XML file or configure the metadata manually.
- Account Settings / Security Settings Screen
  - Account Settings is renamed to Security Settings and gets a new layout with the sections “Basic Information”, “Critical Operations”, “Login Authentication Policy”, “Password Policy” and “ACL”.
- Custom Policy Screen
  - The policy scope is no longer set in the selection screen; the system picks it automatically.
  - A custom policy can only contain permissions for either global or project-level services.
- MFA Device Administration: Allows an IAM administrator to unbind an MFA device from users (e.g. in case of lost devices)
- 1Password plugin incompatibility
More details can be found in the related community techblog.