Identity and Access Management (IAM) update

Flexible Engine
Release Notes

October, 2023

What’s new?

In this latest upgrade to the Identity and Access Management (IAM) service, we are thrilled to introduce several new enhancements aimed at bolstering security and improving scalability. These include restricted sub-user modifications, enhanced user group support, optimized MFA authentication, and many more, all of which are listed below.

Identity and Access Management (IAM)

What is it

Identity and Access Management (IAM) is a service that facilitates precise permission management, enabling secure and controlled access to users’ cloud services and resources.

Key features

  • Restrict Sub-User Modifications: Administrators can now enhance security by restricting sub-users from changing email addresses, phone numbers, or virtual MFAs.
  • Enhanced User Group Support: IAM now handles over 500 user groups, a big increase from the old limit of 50, giving your organization better scalability.
  • MFA Device Unbinding: IAM Administrators can improve security by removing an MFA device from a user account if it’s lost.
  • View Authorization Records: A new feature lets IAM Administrators easily check authorization records in the console (Console -> Permissions -> Authorization).
  • SSO Identity Provider Integration: The console now smoothly works with different Single Sign-On (SSO) providers, making user management easier.
  • Mailbox Usage Management: When creating an IAM user, the system now prevents the same email address from being used for different users, whether in the same group or across groups, reducing confusion and conflicts.
  • Login and Agency Switchover: IAM now offers convenient login and agency switchover support for both the console website and service.
  • Optimized MFA Authentication: MFA login protection has been improved. After logging in with MFA, there is no need to authenticate again for seven days.
  • Batch Operations: IAM user and group lists now allow batch operations, making admin tasks easier.

Bug fixes

  • Synchronized Access Key (AK) and Secret Key (SK) changes to the console (PUT /v3.0/OS-CREDENTIAL/credentials/{access_key}).
  • Prohibited cloud services from registering system policies and system roles with the same names in IAM (not applicable to customers).
  • Resolved a bug where user administrator rights revocation invalidated user-generated tokens.
  • Fixed IAM’s MFA compatibility issue with the 1Password plug-in.
  • Improved policy list searchability by description.
  • Corrected the issue where IAM users couldn’t delete the root project of the current account.
  • Added the ‘domain_id’ field to the response for querying the ELBv3 service list (GET /v3/services?type=elbv3).
  • Modified the error response for obtaining a federated authentication token in OpenID Connect ID token mode to return 400 instead of 500 when the scope request parameter is incorrect.

For more information on the IAM service, please refer to the technical documentation.