4.0

Version: cloud_4.0 product release

Date: 10 October 2025

Frontend Framework Upgrade

Upgraded Node.js version to v20.16.0 for frontend build generation.

Spring Boot Upgrade

Migrated the backend framework to Spring Boot v3.4.4 and upgraded multiple dependent libraries.

Amaya Enhancements

Multi-role Support

Supports multiple role assignments if the application supports it.

New Node Types & Capabilities

  • Conditional Node: Expression builder support using forwarded data variables.

  • Transformational Node: Modify or add new attributes (primarily used in sync operations).

  • API Node:

    • Create/Update/Delete/Role Assign/Unassign operations.

    • Resolved a bug which previously required calling an additional API to get UID.

  • Iterator Node: Transform and update object lists for synchronization.

  • Subflow: Sub-process specifically applicable within an Iterator context.

  • Run Flow: Allows debugging with mock data to validate flow logic.

  • Run Request: Preview flow execution with input variables, bypassing actual provisioning.

Quick Setup Templates Updated

New templates added in Amaya for:

  • Zoho Expenses

  • Zoho Books

  • Zoho CRM

  • Zoho Desk

SSO Policy

  • 12-hour frequency added for MFA enforcement on applications.

Separation of SSO and PAM

Based on a configuration property, SSO and PAM can now be enabled/disabled independently for flexible access control.

SoD

  • Enhanced UI with conflict details on Teams & Inbox pages.

  • Bug fix for handling multiple conflicting rules under the same SoD policy.

External SoD Violation Handling (Preventive)

Adds a preventive check for potential SoD violations by a user, so that violations are stopped before they occur.

Reconciliation

Reconciliation History UI

Users can now view reconciliation summaries directly from the table view.

Reconciliation Improvements

  • Skip updates if the application is not assigned.

  • Skip user update if already linked; remarks added to history.

  • For the both-exist update case: if the application is not assigned, the user update will not happen; the remark “Application not present so skipping” is added and marked as error.

  • For both-exist link case: validation added — if the application is already assigned, the user will be skipped and a remark added in the reconciliation history.

  • Multipod reconciliation support added.

  • Assign a deleted or inactive user as a manager to users (update provided to allow creating and updating users with an inactive RM).

Role Reconciliation Enhancements

This release extends reconciliation capabilities to include both users and their associated roles.

  • Role Synchronization: Along with users, one or more roles (if present) can now be synced into Cymmetri. Supported sources include REST API applications, database applications, and Amaya.

  • Role Reconciliation Dashboard: A new dashboard provides visibility into roles, with options to keep or remove stale roles (roles not present in the source but existing in Cymmetri).

Suspend to Archive Enhancements

  • Final delete provisioning call triggered by default unless explicitly disabled.

  • Property-based toggle: cymmetri.suspend.to.archive.provision.triggered = false disables it.

Suspend During Deletion Logging

Application and status logs are now captured under USER_CHANGE_STATUS for traceability.

Bulk User Actions

Bulk actions introduced via the dashboard:

  • Lock/Unlock User

  • Activate/Deactivate User

  • Delete User

  • Assign Local Group

  • Bulk Action Summary Dashboard

  • Assign Delete Manager to user

Post-Commit Hook for Application Update

New hook: Application Post Update After Commit — provides enhanced support for executing actions after an application update is finally committed in Cymmetri.

Redis Stream Support

JMS with Redis Streams is now supported.

Workflows

  • Enhanced logic for unique Task ID generation.

  • Task ID format can now be configured (length, characters).

  • New notification templates added for application assign / un-assign / update, post-workflow emails:

    • Target User Notification (the user for whom application event is triggered)

    • Requester Notification (the user who initiated application event for the target user)

  • Inbox - Bulk Action: Approvers can perform bulk actions on multiple access requests directly from their inbox (select several requests and approve or reject in one operation).

  • Pending Workflows – Unclaimed Workflows:

    • On the Pending Workflows page, workflows not yet claimed will display "UNCLAIMED" in the Current Assign column.

    • A note will be shown: “Pending claim with group, grade, userlist, or no approver found. See details for actual assignment.”

Annotations

Annotations enable dynamic approver configuration in access reviews and workflows. They can be assigned as reviewers or approvers for both Application and Group Reviews. Supported combinations include:

  • User only

  • User + Application

  • User + Application + Role

  • User + Group

Approvers can be individual users or groups.

Group Review

Introduced the Group Review capability in access reviews. Admins can now initiate reviews based on:

  • All Groups

  • Specific multiple Groups

  • Specific multiple Applications

Exclusion Access Types in Campaigns

Support for Exclusion Access Types has been introduced in Application Access Review Campaigns, allowing more granular control over which accesses are excluded from reviews. The following types are now supported:

  • On Create by Provision Rule

  • On Update by Provision Rule

  • Exception Applications

  • Global Applications

  • On Demand Applications

Data Pipeline

The Data Pipeline enables merging and processing of data from multiple sources for views, such as:

  • MongoDB to ClickHouse

  • ClickHouse to ClickHouse

The processed data is stored in ClickHouse, and can be leveraged in hooks, APIs, and for reporting.

Policy Simulator

Cymmetri's Policy Simulator enables rule-based enforcement of access and compliance policies by evaluating "Should" and "Should NOT" scenarios. It identifies access gaps or violations (e.g., missing MFA or conflicting roles) and allows launching targeted review campaigns based on these insights.

CAPTCHA Support

Cymmetri now supports CAPTCHA validation using hCaptcha and Traditional CAPTCHA, enhancing protection against automated and bot-based attacks.

Ticker

The Ticker feature allows administrators to broadcast time-bound text-based updates, announcements, or alerts directly within Cymmetri. Messages can be broadcasted to specific users before and after login based on rules.

Self Registration

Cymmetri now supports configurable Self Registration, allowing users to securely register themselves based on defined parameters and policies.

Sub User Creation

Admins can configure registration fields and hook code for creating and updating sub users (Team Members).

New self-registered users can set their login passwords using the activation link.

Admins or Managers can send a reset password link to registered users so they can set their login passwords.

Role Management

Cymmetri’s Role Management enhancements improve handling of roles at an individual level, including:

  • Role-wise Status Management (e.g., Success, Fail) for better visibility and traceability of role lifecycle events.

  • Single Role Retry Mechanism.

  • Time-based Role Management with Status Tracking.

  • Old vs. New Role List Management.

1. Role Management: Overview

As per the new implementation in scripts, the following role variables are available for role assignment/unassignment cases.

2. <ROLE_ASSIGN> Case

  • ROLE: Backward compatibility with all roles list; contains a list of successfully assigned roles and new roles that are to be assigned.

  • ALREADYASSIGN: Set of all the roles that are assigned to the user.

  • NEWROLE: Single role (new role which is being assigned).

3. <ROLE_UNASSIGN> Case

  • ROLE: Single role (role which is being unassigned).

360 Generate Comparison Report

The 360 Degree Reconciliation feature allows pulling user and role information from target applications connected to Cymmetri, enabling comparison of users and their entitlements across applications, the source of truth, and the Cymmetri identity store. Use cases include:

  • Identities present in Source application but not in Identity Store.

  • Identities present in Source but not in Target application.

  • Similar reports for entitlements across applications.

Team Configuration Changes

  • Admin can provide configuration, registration fields, password reset activation link, and hook code for creating and updating sub users (Team Members).

  • Admin can configure the Manager Application setting in the Assign Application setting so that the Manager can assign, and the user can request, only applications that are assigned to the manager.

Banner

The Banner feature allows administrators to broadcast time-bound image-based updates, announcements, or alerts directly within Cymmetri. Banners can display scrolling images or carousels and can link to an external page via a valid URL. They can be broadcasted to specific users before and after login based on rules.

Advanced Analytics (Cube.js) – Custom Reports & Dashboards

Enhancements provide more control and flexibility over Cymmetri data:

  • Custom Reports (Dashlets): End users can create reports with various dimensions and measures.

  • Export & Share: Download reports as CSV/PDF or send via email.

  • Custom Dashboards: Combine multiple reports into personalized dashboards for a complete view of KPIs and metrics.

Note
  • For SAML-related services, the Spring upgrade has not been performed in this release.
