Changelog

New updates and improvements to Common Fate.

November 27, 2024

We've just released Common Fate v2.10.0. Here's an overview of what's new:

New Audit Log View

A new Audit Log view has been added to the Common Fate Console. Users are now able to track and analyse access events through the new interface, with powerful filtering capabilities:

  • Search by specific users (Actors)
  • Filter by accessed resources (Targets)
  • Review specific types of actions taken
  • Track activity within custom time ranges

New Session Log View

A new Session Log view has been added to the Common Fate Console. This dedicated session logging interface allows users to view events during EKS Proxy or RDS Database sessions, with flexible filtering options:

  • Monitor access by specific principals
  • Track activity on target resources
  • Review session access based on specific roles
  • Filter by target and role types
  • Search within custom time periods

JIRA Attachments to Access Workflows

Access workflows can now be configured to require that a JIRA ticket is attached to an access request.

Snowflake Integration

Common Fate now integrates with Snowflake to manage just-in-time access to Snowflake Databases or Accounts.

Improvements

  • Fixes an issue which could cause a delay in access being applied for the deployment admin role.
  • Selector playground now gracefully handles tokenize errors.
  • The Approve button is no longer shown when active access requests are selected.
  • Adjusted spacing in debug entitlement access view.

November 6, 2024

Audited EKS Access

Building on the same proxy platform as our RDS proxy, Common Fate now supports audited access to AWS EKS clusters.

End users run `granted eks proxy` to connect to a cluster; the command adds an entry to their kubeconfig file.

Users can then use their regular Kubernetes tooling such as `kubectl` to perform operations on the cluster.

In Common Fate, a full audit trail of API actions is captured.

This new proxy also supports `kubectl exec` shell sessions. When a user starts a shell session, the proxy captures a full transcript of their session and makes this available for replay in the Common Fate Console.

Improvements

  • Administrators can now configure a default port for each database user in their terraform configuration when using the RDS Proxy. This port is used when running `granted rds proxy` and makes it easier to have a consistent configuration for multiple databases/users.

October 17, 2024

JIRA Ticket Integration

Common Fate now supports adding JIRA tickets in Access Requests.

Once the JIRA integration is set up in Common Fate, users will be able to include JIRA tickets in the access request reason, with deep linking to the issue.

Multi-Step Approvals on Request Workflows

Access Workflows can now be set up to require 1 or more conditions which must be met for a grant to be approved.

Each step must be completed by a separate reviewer and will not be able to be activated until all approval conditions are met.

To get started with Multi-Step approvals, the Access Workflows Terraform resource now has a field, `approval_steps`, which can be used to configure one or more approval steps.

Sending Review Requests to Approvers

We have moved the list of approvers to within the grant status details, and improved the readability of larger lists of approvers.

On top of this, users can now send a one-time alert to each of the approvers asking for their review on the request. This will be tracked and ticked off when they have completed their review.

Improvements

  • Additional expiry conditions have been added to make sure stale requests are closed automatically. `requested_to_approve_expiry` and `requested_to_activate_expiry` have been added to Access Workflows to configure this.
  • Fixed an issue causing the Entra integration role to not be found when using Connected Identities.
  • AWS Proxy integration now respects the SSO Start URL override if configured on the AWS IDC integration.
  • Fixed an issue causing Entra and Okta resources to not show in resource views for users using Connected Identities.
  • Performance improvements to background tasks for syncing integration resources.

October 9, 2024

Reason Pattern Matching Validation in Access Workflows

Common Fate now supports reason pattern matching validation in access workflows.

This feature allows administrators to set up more sophisticated rules for access requests, ensuring that provided reasons meet specific criteria or patterns.

For example, administrators can now validate that reasons include specific formats (like JIRA ticket IDs) or enforce minimum length requirements for provided reasons.

Advanced Filtering for Access Requests

Common Fate has significantly enhanced the filtering capabilities on both the Requests and My Requests pages. Users can now apply a range of new filters to quickly find the information they need. These new filters include:

  • Grant count filtering to sort requests based on the number of associated grants.
  • Manual or auto approval filtering to distinguish between requests that went through manual review and those approved automatically.
  • Time range filtering for key events in the request lifecycle, including when requests were submitted, approved, and closed.

Improved Transparency for Access Request Closures

Users will now find attached reasons describing why access request grants were closed. This addition provides clearer insights as to why a request was closed, such as activation period expiry or access duration expiry.

Improvements

  • Added the ability to specify an override for the RDS endpoint per RDS user, allowing read roles to use a read-only replica endpoint.
  • Fixed an issue where access requests with many entitlements attached would not deprovision correctly.
  • Fixed a performance issue which could cause the Availability Maker background job to fail.
  • Removed the assign public IP feature on the control plane for improved security.

September 25, 2024

Improved Request Viewing Experience

The My Requests page has been updated to include a list of all Active, Pending and Closed requests.

The All Requests page also has improved filtering: new filter chips let anyone filter requests by the requestor, reviewer or closer of any request in the organization.

Improved Integrations Management

Get an overview of your integrations connected with Common Fate with the new integrations pages.

Admins can now drill into each integration with a detail page that displays all the relevant configuration variables as well as any background tasks related to the integration.

The background tasks table can be filtered by time range to look through the history of tasks.

Improvements to the RDS Proxy

Fixes an issue causing empty AWS start URL when using RDS proxy with connected identities enabled.

Request detail view for RDS proxy requests will now display the correct name for the target and role.

Adds support for the `aurora-postgresql` Postgres engine type.

Improvements

  • Administrators can now soft delete users from the users directory page.
  • A reason is now required by default when break-glass access is used.
  • The AWS account number is now included in Slack request messages.
  • Fix overflow issue on request details for large target and role names.

September 10, 2024

We've just released Common Fate v2.5. Here's an overview of what's new.

Personalised Notifications Controls

Users can now control which events to be notified about in Slack using the notification settings in the console, available from the profile menu in the bottom left corner.

Access Selector Playground

Administrators can now view their existing Selectors from the settings page in the console. This new page shows which resources are being matched by the selector, with a convenient search function.  

You can also use the new Selector playground to test new selector configurations.

You will be able to see resource matches in real time without needing to deploy the Selector.

The selector playground also generates a terraform snippet, making it easy to deploy your new selector.

My Access Requests

Users can now view their own access requests on a dedicated page.

All access requests for the deployment can now be filtered by principal, approver, and closed by.  

The access requests are now more clearly separated into pending, active and closed tabs.

Authorization log filters

Authorization logs can now be filtered by principal type, either User or Service, making it easier to search the logs.  
The API now supports more advanced filtering, which will be integrated into the Console in a future release.

Click-ops Integrations Setup

Integrations can now be configured via click-ops in the Common Fate console.  
This new click-ops approach makes it simpler to configure integration secrets for SaaS customers with built-in secrets management.

AWS RDS Proxy Integration Overhaul

Following feedback from initial users we have overhauled the configuration process for the RDS Proxy.

The proxy and database configuration are now deployed as separate Terraform modules.

These changes significantly reduce downtime during configuration changes.

Databases can now be registered in the terraform modules where they are deployed.

These are breaking changes, and we recommend customers drop the existing proxy infrastructure and re-deploy by following the guide here.

Improvements

  • The advanced search features for the new request page have been documented in the Console and in the user guide in our docs.
  • For BYOC customers, the `aws` provider block has been removed from the Terraform module. Check out the migration guide here for full details.
  • Fixes an issue where the s3 audit log export feature would continually write the last log event to S3.
  • Added syntax highlighting to the Cedar policies and JSON entity data in the authorization logs and access preview pages.

August 28, 2024

You can now write automated tests to verify your Common Fate authorization policies. Access tests can be run locally and in your CI/CD platform.

Learn more about this in our announcement blog post and testing documentation.

August 12, 2024

We've just released Common Fate v2.3. Here's an overview of what's new.

S3 Bucket Access

Our AWS Resource Access Integration is now generally available with S3 buckets being the first resource released.

Users can now request 4 levels of access from Reader to Owner to one or more S3 Buckets in an account. A Permission Set will be created dynamically for the user to assign access at the requested level.

Access Controls

The resources page in the console is now restricted to users who are permitted to use the CF::Admin::Action::"Read" action.

Identity Syncing

This release adds identity syncing for OpsGenie and Datastax, which can now be viewed in the Directory page in the console.

Reliability

Access Requests with more than 5 grants are now supported and the provisioning time for AWS requests with multiple grants has been improved.

July 25, 2024

AWS RDS Integration

Our AWS RDS Integration is now generally available. When using the integration you can run `granted rds proxy` to broker a connection to an AWS RDS database over AWS SSM Session Manager. The connection is routed through a Common Fate AWS Proxy in the VPC which captures audit logs of the SQL statements executed.

New User Directory

We have overhauled how we manage users and groups in Common Fate. Users with read administrator access will now find a panel in the taskbar dedicated to the Directory.

Microsoft Entra Syncing

This release adds support for pull-based syncing for Entra. Pull-based syncing allows Common Fate to sync nested Entra groups.

Web Console Latency Improvements

This release improves latency for searching and viewing insights in the web console.

July 17, 2024

We're now publishing signed Debian releases of Granted: https://www.commonfate.io/blog/apt-linux.

July 15, 2024

Insights

Common Fate now shows key metrics to measure the impact of using Just-In-Time access. Access Hours Reduction measures the risk reduction compared to persistent access. Protected Users helps you track adoption of Common Fate.

Access Extension Improvements

We've overhauled our Access Request extension feature. You can now configure the extension duration and maximum number of extensions.

User Provisioning Improvements

We've improved user account provisioning to fix an issue where users needed to log in to the web console and wait for resource syncing to complete after their initial sign in before requesting access.

As part of this change, Common Fate now proactively creates user accounts for users we discover in your Slack, PagerDuty, and IAM Identity Center integrations. You may see additional CF::User resources after this update; this is expected and does not affect your authorization policies.

June 25, 2024

We've released Common Fate v2. We've marked this as a major version change because this version removes the standalone authorization service which was bundled with the deployment.

To upgrade, you can check the migration guide here for full details.

May 28, 2024

We’ve released Common Fate v1.43.1. Some notable improvements include:

  • Added an S3 Log Destination integration to write audit log events to
  • Added a read-only client that you can use for fetching the schema and running terraform plan
  • Fix Debugger UI not showing a user if their name is not set
  • Adds deep linking to the AWS console. After requesting access to an entitlement, clicking the ‘open URL’ button will open the AWS console with the requested account and role.
  • You can now select multiple Access Requests in the web console to approve or close all of them at once.
  • Improved performance for authorization checks when requesting access. Internally we’ve seen a 5x improvement in average latency here.
  • Adds the ability to customise the AWS IAM Identity Center start URL used with the built-in AWS Profile Registry. To customise this, specify the `sso_access_portal_url` variable in the `commonfate_aws_idc_integration` resource.