Changelog

New updates and improvements to Common Fate.

September 10, 2024

We've just released Common Fate v2.5. Here's an overview of what's new.

Personalised Notifications Controls

Users can now control which events they are notified about in Slack using the notification settings in the console, available from the profile menu in the bottom left corner.

Access Selector Playground

Administrators can now view their existing Selectors from the settings page in the console. This new page shows which resources are being matched by the selector, with a convenient search function.  

You can also use the new Selector playground to test new selector configurations.

You will be able to see resource matches in real time without needing to deploy the Selector.

The selector playground also generates a terraform snippet, making it easy to deploy your new selector.

My Access Requests

Users can now view their own access requests on a dedicated page.

All access requests for the deployment can now be filtered by principal, approver, and closed by.  

The access requests are now more clearly separated into pending, active and closed tabs.

Authorization log filters

Authorization logs can now be filtered by principal type, either User or Service, making it easier to search the logs.  
The API now supports more advanced filtering, which will be integrated into the Console in a future release.

Click-ops Integrations Setup

Integrations can now be configured via click-ops in the Common Fate console.  
This new click-ops approach makes it simpler to configure integration secrets for SaaS customers with built-in secrets management.

AWS RDS Proxy Integration Overhaul

Following feedback from initial users we have overhauled the configuration process for the RDS Proxy.

The proxy and database configuration are now deployed as separate terraform modules.

These changes significantly reduce downtime during configuration changes.

Databases can now be registered in the terraform modules where they are deployed.

These are breaking changes, and we recommend customers drop the existing proxy infrastructure and re-deploy by following the guide here.

Improvements

  • The advanced search features for the new request page have been documented in the Console and in the user guide in our docs.
  • For BYOC customers, the `aws` provider block has been removed from the terraform module. Check out the migration guide here for full details.
  • Fixes an issue where the s3 audit log export feature would continually write the last log event to S3.
  • Added syntax highlighting to the cedar policies and json entity data in the authorization logs and access preview pages.

August 28, 2024

You can now write automated tests to verify your Common Fate authorization policies. Access tests can be run locally and in your CI/CD platform.

Learn more about this in our announcement blog post and testing documentation.

August 12, 2024

We've just released Common Fate v2.3. Here's an overview of what's new.

S3 Bucket Access

Our AWS Resource Access Integration is now generally available with S3 buckets being the first resource released.

Users can now request access at 4 levels, from Reader to Owner, to one or more S3 Buckets in an account. A Permission Set will be created dynamically for the user to assign access at the requested level.

Access Controls

The resources page in the console is now restricted to users who are permitted to use the `CF::Admin::Action::"Read"` action.

Identity Syncing

This release adds identity syncing for OpsGenie and Datastax, which can now be viewed in the Directory page in the console.

Reliability

Access Requests with more than 5 grants are now supported and the provisioning time for AWS requests with multiple grants has been improved.

July 25, 2024

AWS RDS Integration

Our AWS RDS Integration is now generally available. When using the integration you can run:

granted rds proxy

This brokers a connection to an AWS RDS database over AWS SSM Session Manager. The connection is routed through a Common Fate AWS Proxy in the VPC which captures audit logs of the SQL statements executed.

New User Directory

We have overhauled how we manage users and groups in Common Fate. Users with read administrator access will now find a dedicated Directory panel in the taskbar.

Microsoft Entra Syncing

This release adds support for pull-based syncing for Entra. Pull-based syncing allows Common Fate to sync nested Entra groups.

Web Console Latency Improvements

This release improves latency for searching and viewing insights in the web console.

July 17, 2024

We're now publishing signed Debian releases of Granted: https://www.commonfate.io/blog/apt-linux.

July 15, 2024

Insights

Common Fate now shows key metrics to measure the impact of using Just-In-Time access. Access Hours Reduction measures the risk reduction compared to persistent access. Protected Users helps you track adoption of Common Fate.

Access Extension Improvements

We've overhauled our Access Request extension feature. You can now configure the extension duration and maximum number of extensions.

User Provisioning Improvements

We've improved user account provisioning to fix an issue where users needed to log in to the web console and wait for resource syncing to complete after their initial sign in before requesting access.

As part of this change, Common Fate now proactively creates user accounts for users we discover in your Slack, PagerDuty, and IAM Identity Center integrations. You may see additional CF::User resources after this update; this is expected and does not affect your authorization policies.

June 25, 2024

We've released Common Fate v2. We've marked this as a major version change because this version removes the standalone authorization service which was bundled with the deployment.

To upgrade, you can check the migration guide here for full details.

May 28, 2024

We’ve released Common Fate v1.43.1. Some notable improvements include:

  • Added an S3 Log Destination integration to write audit log events to
  • Added a read-only client that you can use for fetching the schema and running terraform plan
  • Fix Debugger UI not showing a user if their name is not set
  • Adds deep linking to the AWS console. After requesting access to an entitlement, clicking the ‘open URL’ button will open the AWS console with the requested account and role.
  • You can now select multiple Access Requests in the web console to approve or close all of them at once.
  • Improved performance for authorization checks when requesting access. Internally we’ve seen a 5x improvement in average latency here.
  • Adds the ability to customise the AWS IAM Identity Center start URL used with the built-in AWS Profile Registry. To customise this, specify the `sso_access_portal_url` variable in the `commonfate_aws_idc_integration` resource.