These docs are for v4.3. Click to read the latest docs for v4.4.

Release Notes 4.3 (2401 + 2401.1)

August 2024

FinOps

FinOps Maturity Assessment Name Change

  • To eliminate the risk of overlap and avoid confusion with Assessments reports created by executing best practices and controls, the report name FinOps Maturity Assessment – Detailed has been changed to FinOps Governance Review - Detailed and the report name FinOps Maturity Assessment - Executive Summary has been changed to FinOps Governance Review – Executive Summary.

Consolidated Charges with Markup Report Name Change

  • To more accurately reflect the capabilities of this report, the report name Consolidated Charges with Markup Report has been changed to Consolidated Charges with Markup/Discount Report.

Daily Cost Report Enhancements

  • Updated the visualization of the cost data in Azure, AWS, GCP, and OCI Daily Cost Reports.
  • After selecting the tenant, the bar chart will now show the aggregated amount of all the cloud account(s) vertically.
  • Dates will be visible for the period being selected.

Monthly Cost by Cloud Account Report Enhancements

  • Added up to one year of data visibility (based on data availability) as an option in the report (previously only 6 months data was available).
  • Added a monthly spend cost trend option at the tenant level.
  • If an AWS management account is selected, the report will now only show the cost of that management account’s resources.
  • Scheduling is now enabled for this report, with “Months” as the dynamic variable and the following options available for users to select from:
    • Current Month
    • Previous Month
    • Last 6 Months
    • Last 12 Months
  • Introduced Markup Slicer to differentiate the cost between markup and unblended.

Multi-Cloud Cost Trend Report Enhancement

  • The Multi-Cloud Cost Trend Report has been updated to display the top 5 Product Categories along with actual cost over the last two months as comparison, instead of the top 15 Product Categories and an aggregated cost amount.

Cost Anomaly Revamp

  • Cost impact definition has been simplified. Now, cost impact is calculated as the difference between predicted and actual cost.
  • Several backend and UX improvements were applied to show accurate data to users.
  • Users now have the option to download the data.

Remediation Feature Control through RBAC

  • Remediation RBAC has been cleaned up for consistency; Remediation actions for Cost Optimization recommendations and Budget actions are only available for certain admin roles.
    • All other roles can view the remediations and submit them for approval to an integrated ITSM tool.
    • Applicable roles who can perform this operation are FinOps Admin, Account Admin, and Tenant Admin.
    • For ITSM ServiceNow, the approval workflow is supported only for AWS, Azure, and GCP (RightSizing only).

New and/or Updated FinOps User Roles

  • As part of RBAC cleanup, user role names have been added/updated for FinOps. Refer to the table for a list of the available roles.
Role TitleDescription
Account AdminComplete access to all functions including user & roles management.
FinOps AdminAccess to all FinOps functions.
ConsumerAccess to manage SSO related actions.
Delegation AdminAccess to delegate FinOps functions to other users.
FinOps Lite ContributorMinimal access to enable FinOps functions.
FinOps Partner Service AdminFull access to CSP and EA management functions.
FinOps PractitionerAccess to manage and enable FinOps functions.
Provider AdminAccess to provide FinOps based functions to other users to govern and manage.
Tenant AdminFull access to tenant management functions.
FinOps ReaderRead-only access to all product pages with respect to FinOps modules.

Rightsizing

  • The AI/ML-driven Cost Optimization rightsizing recommendation capabilities are expanded to help customers in rightsizing AWS Relational Database Service (RDS) and Azure SQL instances. It recommends the optimal instance type for the database instances based on its usage patterns, helping to balance performance and cost.
  • The Cost Optimization rightsizing recommendation system has introduced a safety ranking in system recommendations. The platform’s proprietary “ranking algorithm” prioritizes recommendations based on safety and potential savings. This ensures that users are presented with the most suitable options, leading to increased cost savings and better performance. The supported resources are AWS EC2 Instances, Azure Virtual Machines, GCP Compute Instances, AWS RDS, and Azure SQL.

Azure Subscription to Include Reservation Charges

  • This innovative solution addresses a key Azure cost visibility issue. We've developed custom logic to capture reservation charges for individually onboarded subscriptions, which typically doesn't appear in usage APIs. This unique approach provides unmatched visibility into your true cloud costs, enabling more accurate reporting and smarter resource management.

Reports

  • The Monthly Cost by Cloud Account report is enhanced to include billing accounts. This will allow users to view costs at both parent and child account levels, providing greater flexibility and visibility into cloud expenditures. Partners can share, schedule, and distribute this report as per their business needs.

SecOps

New Role: SecOps Lite

  • Users with the SecOps Lite role can access the following modules:
    • Account Governance (for onboarding accounts)
    • Security Posture
    • Security Dashboard

New/Updated SecOps User Roles

  • As part of RBAC cleanup, user role names have been added/updated for SecOps (Security + Compliance). Refer to the table for a list of the available roles.
Role TitleDescription
Compliance AdminFull access to all compliance management functions.
Compliance MemberAccess to manage compliance management functions.
Account AdminComplete access to all functions including user & roles management.
SecOps AdminAccess to all SecOps functions. This is a combination of Security Admin and Compliance Admin roles.
ConsumerAccess to manage SSO related actions.
Delegation AdminAccess to delegate SecOps functions to other users.
Provider AdminAccess to provide SecOps based functions to other users to govern and manage.
Tenant AdminFull access to tenant management functions.
Security AdminFull access to all security management functions.
SecOps LiteMinimal access to enable SecOps functions.
Security MemberAccess to manage security management functions.
SecOps ReaderRead-only access to all product pages with respect to SecOps modules.

Compliance Notification Integration

  • Users can configure notifications for cloud accounts.
  • Post-completion of Compliance assessment execution of any global standard for that cloud account, a notification will be triggered for the configured email/webhook on the summary of the execution.

Compliance Schedule Enhancements

  • Compliance Schedule now has filters for Cloud Account, Compliance Standard, and Recurrence.
  • Search now lists all the columns displayed including Schedule Name, Compliance Standard, Cloud Account, and Recurrence.

Compliance Assessment Report by Region Enhancements

  • Added Region field to filter violated resources.
  • If a policy has resources in the region with violations, then that policy is violated for that region, and if a control has at least one policy violated, then the control is violated. This can help provide Compliance Status of a cloud account at a region level.

Reports

  • The Compliance Details table in the Compliance Violations report has a new “Account Reference” column added, which shows the account name from the cloud providers (i.e. AWS, Azure, GCP, OCI, etc).

CloudOps

Additional Scope Option for Monitoring and Alerts

  • New scope added for AWS and Azure clouds that can be used while creating or updating templates. For AWS, the option Region, and for Azure, the option Resource Group have been added newly.
    • If the user marks region scope template as default, then for any newly discovered resources under the selected cloud account, this takes the highest priority.
    • If the metrics are differentiated through tags, then users can prioritize the metrics based on tags.
  • Cloud account template with region/resource group and tag-based combination takes the highest priority. Refer to the following list that shows the order of precedence:
    • Cloud account template with region/resource group
    • Cloud account tag-based templates
    • Cloud account template
    • Tenant based template with tag
    • Tenant based template without tag
    • Account based template with tag
    • Account based template without tag

Custom Metrics for CloudWatch Agent

  • Users can now edit custom metrics for resources that are already available within the system, rather than having to delete and re-create them to apply custom metrics.
    • Existing metrics can also be edited to include new resources.
  • If the resources of custom metrics need to be synced immediately and users cannot wait for the auto-sync to happen (once every 12 hours), then a manual sync option is also now available. Manual sync can be triggered by users to sync the new resources.

JSON Format Support for Terraform

  • Users now have the choice to choose from .JSON (.json) or Terraform (.tf) format to save and commit their Terraform template parameters.

New/Updated CloudOps Roles

  • As part of RBAC cleanup, user role names have been added/updated for CloudOps. Refer to the table for a list of the available roles.
Role TitleDescription
Account AdminComplete access to all functions including user & roles management.
CloudOps AdminAccess to all CloudOps functions.
ConsumerAccess to manage SSO related actions.
Delegation AdminAccess to delegate CloudOps functions to other users.
Provider AdminAccess to provide CloudOps based function to other users to govern and manage.
Tenant AdminFull access to tenant management functions.
CloudOps MemberAccess to manage cloud operations management functions.
CloudOps ReaderRead-only access to all product pages with respect to CloudOps modules.

RDS Event Notification Support

  • RDS event subscription is supported for:
    • DB_Cluster
    • Parameter_Groups
    • DB_Snapshots
    • DBClusterSnapshot
    • DB_SecurityGroups

Monitoring Template Status

  • Users can now view accurate metric statistics for the selected monitoring template.

Azure Service Health Monitoring

  • Monitoring and alert notifications, along with ServiceNow incidents through the platform, are available for integration for all Azure health services.

Added Tag Filter for Azure Inventory Reports

  • Added a Tag filter to some Azure Inventory reports, allowing users to select specific, managed, or unmanaged cloud inventory resources based on the defined tags and gain greater flexibility in customizing views based on their specific requirements.
  • The following reports now have the Tag filter available:
    • Azure Utilization Based on Metrics
    • Azure Resource Health
    • Azure Newly Added Resource

New Report – Deleted Resource Report

  • Added a new Deleted Resource Report that shows the data of deleted cloud resources for the selected cloud account(s).

Assessments

UX Design Updates

  • UX improvements have been applied to align with the platform’s new design system in order to provide a better user experience.

Assessment Filter for List Workload and List Assessment Pages

  • Users can apply and save filters as Views that are applied on a particular page.
  • Users can select the saved views to load the filters with ease. Filters are specific to user and tenant context, so each user can have their own views saved for the same page.

Add AWS Partner ID

  • Users will now be able to update AWS Partner ID while creating an Assessment and can sync with AWS.

Configurable Auto-Assessment (For Onboarding)

  • Users will have an option to trigger auto-assessments as part of the Account Governance settings during cloud account onboarding only if the configuration is enabled by them.
  • By default, the configuration to trigger auto-assessments after cloud account onboarding is always disabled.

New/Updated Assessments Roles

  • As part of RBAC cleanup, user role names have been added/updated for Assessments. Refer to the table for a list of the available roles.
Role TitleDescription
Account AdminComplete access to all functions including user & roles management.
Assessment AdminFull access to assessment trigger and reports visibility.
ConsumerAccess to manage SSO related actions.
Delegation AdminAccess to delegate Assessment functions to other users.
Provider AdminAccess to provide Assessment based functions to other users to govern and manage.
Tenant AdminFull access to tenant management functions.
Assessment MemberAccess to read and manage assessment reports with limited access.
Assessment ReaderRead-only access to Assessment reports.
Assessment ApproverAble to approve and manage Assessment reports.
Workload OwnerAccess to setup and manage workloads.

Core

Account Governance Dashboard and Enhancements

  • The Account Governance landing page and dashboard has been majorly re-designed to improve the user experience and add a slew of additional functionalities, as described below.
    • This page also now includes Cloud Providers and Integrated Tools as sub-menus.
  • Unified Status & Governance Settings Page – Find all status and governance settings conveniently located in one unified page:
    • Cloud Account Onboarding Status: Track the onboarding status of a cloud account and get insights on failures, as well as access to help docs to fix any reported issues.
    • Feature Status: Stay informed about the statuses of different product-level features once onboarding is completed.
    • Processing Status & Re-run: Monitor the processing status and re-run tasks as needed for optimal performance.
    • Governance Configuration Settings: Easily configure governance settings to meet your specific requirements.
  • Intuitive New UI with Cloud Provider Tabs, Insights Cards, and Enhanced Table View
    • Implemented a re-designed user interface and access to only specific cloud provider tabs when onboarding respective cloud accounts for more efficient navigation and a seamless user experience.
    • Insights Cards provide call-to-action filters, facilitating streamlined data visualization in the Account Governance dashboard.
    • The enhanced table view will provide updated fields for comprehensive cloud account management with dynamic query filters:
      • Dynamic Query Filter: Easily filter data dynamically with our query filter feature.
      • Custom Tags Option: Tailor your experience with customizable tags.

New Cloud Account Onboarding Flows

  • Cloud Account Onboarding Step-by-Step Flow:
    • Introduced a new step-by-step flow to guide users through the cloud account onboarding journey, facilitating easy navigation between pages.
  • New cloud account onboarding flows have been created for the following cloud account types:
    • AWS Management Account
    • AWS Member Account
    • Azure Enterprise Agreement Account
    • Azure Microsoft Partner Agreement (CSP Direct) Account
    • Azure Subscription Account
    • GCP Cloud Billing Account
    • GCP Linked Project Account
    • GCP Parent Billing Account
    • OCI Tenancy
  • Enhanced Governance Configuration:
    • Improved governance configuration settings to offer greater flexibility and control.
  • Prerequisites Page for Access Permissions:
    • Implemented a dedicated Prerequisites page/step as part of the new cloud account onboarding flow to offer comprehensive guidance on setting up the right access permissions as per user requirements.
    • This page enhances clarity and ensures users have the necessary access permissions configured correctly before proceeding further.
  • Auto-Populated Cloud Account Name:
    • Cloud account aliases are automatically populated from the cloud provider side, reducing manual entry and ensuring accuracy.
  • Optional Additional Settings:
    • Made certain settings optional, allowing users to expedite the onboarding process by defaulting or configuring fields after cloud account onboarding.
    • This flexibility accelerates the onboarding process while still providing users with the option to fine-tune settings as needed.

Integrated Tools Dashboard and Onboarding

  • Users can now onboard integrated tools under Settings (Settings > Integrated Tools).
  • The Integrated Tools dashboard, which displays onboarded integrated tool accounts, has had a major re-design and is now located under the Account Governance dashboard page (Governance > Account Governance > Integrated Tools).
  • The new Integrated Tools dashboard features the following noteworthy changes:
    • Enhanced UI to improve user experience.
    • New onboarding flows added for tool accounts.
    • Two tabs for Manage Tools Accounts and Tools Dashboard, which display an overview of all onboarded tool accounts and tool-specific dashboard views, respectively.

Integrated Tool Options Available

  • The following integrated tools will be available to onboard as part of phase one in release 4.3 - 2401:

    Tool GroupTool NameTool Version
    ITSMServiceNow – Configuration Management & Incident ManagementWashington DC
    ITSMZoho ServiceDeskSupport any version
    Configuration ManagementAzure_DevopsSupport any version
    MonitoringAzure_Security_GraphSupport any version
    MonitoringAzure_SentinelSupport any version
    MonitoringApp_InsightsSupport any version
    Source Code ManagementGitHubSupport any version
    Vulnerability AssessmentTenable_NessusSupport any version

  • The following integrated tools will be deprecated as part of release 4.3 – 2401:

    Tool GroupTool Name
    ApplicationSkypeForBusiness
    ApplicationCanvas-LMS
    BaremetalCobbler
    Configuration ManagementChef
    MonitoringsFlow-RT
    MonitoringCloudFlare
    MonitoringHyperic_HQ
    MonitoringPRTG
    MonitoringAnomaly_Detector
    NFVVyatta_vRouter
    Patch ManagementSpacewalk
    SDNOpenDayLight

Product Bundles

  • Updated product bundles are included in this release with the following products included:

    New Bundle NameProducts Included
    FinOpsFinOps
    SecOpsSecOps
    AssessmentAssessment
    GovernanceFinOps, SecOps, CloudOps
    Governance+FinOps, SecOps, CloudOps, Assessments

Role Template Details

  • There are some existing roles that have been migrated to equivalent roles or new roles. Refer to the following list for details:

    Existing RolesNew Roles
    Cost AdminFinOps Admin
    Ops MemberCloudOps Member
    FinanceFinOps Practitioner
    Finance MemberFinOps Practitioner
    FinOps Engg LeadFinOps Practitioner
    FinOps ExecutiveFinOps Practitioner
    FinOps IT Finance ManagerFinOps Practitioner
    FinOps ProcurementFinOps Practitioner
    FinOps Product OwnerFinOps Practitioner
    Partner Service MemberFinOps Partner Service Admin
    Security LiteSecOps Lite
    FinOps Lite ContributorFinOps Lite
    Ops AdminCloudOps Admin

Tag Governance Enhancements

  • Users with different roles can now create baselines.
  • Role-based view/edit actions are available for baselines.
  • Support added for partial posture generation. Users can trigger partial posture generation based on their role and permissions.

Tag Governance – Support for Additional GCP Resource Types

  • Support for the following GCP resource types has been added for in Tag Governance:
    • Cloud DNS
    • VPC
    • Memory Store
    • File Store
    • Cloud Deployment Manager
    • Cloud Composer
    • Artifact Registry
    • Storage Disks
    • Logging
    • Certificate Authority Service
    • Cloud Healthcare API
    • Cloud Key Management Service
    • Dataproc
    • Data Fusion

Account Info Page Updates

  • On the Account page, under the Settings menu option, users can now view basic account information for the logged in user, including two new fields:
    • Product Bundle: Displays the product bundle that has been created by the Account Master.
    • Product(s): Displays the product(s) offered by the bundle.

Share Report Feature Enhancement in Analytics Report

  • While sharing analytics reports, users can now apply additional account filters while sending the email. This will help provide granular details.
  • The recipient of the report with applied filters will only see the restricted data.
  • The recipient of the report will be able to change data in the filters (filter is enabled).
  • UX improvements have been made to align with the platform’s new design system to provide a better user experience.

Share View Feature in Analytics Report

  • Users can share a report view via an email by entering email address(es). This will enable broader access to customized insights from views without requiring them to create it again for all users.
  • The recipient of the report with a view applied will only see the restricted data.
  • The recipient of the report will not be able to change data in the filters (filter is disabled).

RBAC – View and Read

  • Moving forward, users will not see the View option displayed in the actions for role policies, instead they will only see Read as the sole option which will provide them an option to read and view the pages.

Cloud Account Offboarding

  • Users can delete the account completely from the platform if the account is no longer required.
  • When an account is in Inactive state, data processing is stopped for such accounts.
  • The Delete action moves the data to archived state and the transient or temp data associated to the account will be hard deleted.

Email Address Configuration Post Onboarding

  • New users will have to manually configure the email notifications section to receive notifications.
  • Existing users will receive email notifications for their cloud accounts without having to manually configure it in the notifications section.

Service Integration

  • Azure Bastion new service integrations are available for: inventory, alerts, activity, management actions, tagging governance, utilization metric, and relationship enabled.
Resource CategoryResource TypeResource
NetworkVirtual NetworksBastion Hosts
  • Azure Open AI new service integrations are available for: inventory, dependent discovery, extended discovery, tagging governance, and relationships and management.
Resource CategoryResource TypeResource
AI Machine LearningAzure AI ServicesAzure OpenAI
AI Machine LearningAzure AI ServicesAzure OpenAI Keys
AI Machine LearningAzure AI ServicesAzure OpenAI Deployments
AI Machine LearningAzure AI ServicesAzure OpenAI Models
  • OCI new service integrations are available for: inventory, dependent discovery, extended discovery, metrics, utilization, activities and alerts, tagging governance, and relationships and management actions.
Resource CategoryResource TypeResource
DatabasesAutonomous DatabasesAutonomous Database
Identity SecurityKey Secret ManagementVaults
Identity SecurityKey Secret ManagementPrivate Endpoints
NetworkingDNS ManagementZones
NetworkingDNS ManagementPrivate Zones
Migration and Disaster RecoveryDisaster recoveryDR Protection Groups
Identity SecurityWeb Application FirewallWAF Policies (Edge Policy)
Identity SecurityWeb Application FirewallNetwork Address List
Analytics AIData ScienceData Science Private Endpoints
StorageObject storageBuckets
Observability & ManagementLoggingLog Groups
Observability & ManagementLoggingUnified Agent Configurations
Observability & ManagementLoggingService connectors
Observability & ManagementMonitoringAlarms
Identity SecurityWeb Application FirewallFirewall

Sync Logs for ServiceNow CMDB

  • Users can now view sync log details after enabling CMDB for ServiceNow integrations (sync logs will be enabled by default).
  • The CMDB sync logs can be used for trace-back and troubleshooting purposes.

CMDB – Configuration Export

  • To configure resources under the resource hierarchy, users can use the export option and then use external APIs to configure the CMDB. This is an interim solution and will save the tedious effort of configuring resources.

Incidents for Different Assignment Groups

  • While onboarding ServiceNow accounts, mapping of incidents for assignment groups can be made based on Cloud Provider, Product Category, Resource Type, and Resource.
  • After the configuration is made for an assignment group, users can reconfigure the same mapping for other resources, excluding the resources that were configured earlier.
  • Users can edit, view, and delete the saved attributes.

Dynamic Field Value for Incident Integration

  • Dynamic field mapping to be supported while integrating incidents with ServiceNow.
  • While creating an incident, the configuration item CMDB Sys ID can be mapped with an alarm in the resource location and involves mapping of resource to Compute Engine, BigQuery, etc.

CMDB – Additional Support

  • All the CMDB support details related to GCP services are available now.

Multiple Alarms Suppression

  • Users can now suppress alerts from native tools by disabling alert configuration rules, preventing the creation of any ITSM tickets.

Mismatch in Inventory and Tagging Governance

  • The resource count mismatch between Inventory and Tagging Governance has been fixed for AWS, Azure, and GCP cloud providers.

Policies

  • Policies parameterized:
    • GCP Audit Service Account Key Not Rotated CS Policy
  • Threshold for idle policies have been fine-tuned for below services:
    • AWS – RDS, EC2 Hosts T3, Route53, S3, EFS
    • Azure – App Service Plan, Cosmos DB, Maria DB, MySQL
    • GCP – Buckets, Filestore, Regional Disks

Bugs Fixed

FinOps Bug Fixes

  • Cost Optimizer: Fixed issue where confirmation email was not being sent after remediate actions failed in ServiceNow after being submitted for approval.
  • Optimize Rate: Fixed an issue where Azure Hybrid Benefit showed as disabled in the settings when it was actually enabled.
  • Cost Posture: Fixed an issue where some tag key(s)/value(s) were missing when selecting the top 10 tags.
  • Cost Posture: Fixed an issue where irrelevant reports were being shown when the Tenant View was selected.
  • Markup & Discounts: Fixed an issue where the cost shown in the Day field is wrong and the calculated cost did not match the cost shown in Cost Posture section.
  • Markup & Discounts: Fixed an issue where the Forecast Cost was showing as $0 when enabling Markup & Discounts.
  • Cost Anomaly: Anomalies detected in member or linked accounts do not duplicate in the management accounts.
  • Budget: The spend history inaccurately reflects costs by double-counting linked accounts' expenses within both individual account totals and overall organizational costs.
  • Executive Dashboard: The ED dashboard's Budget Drift and Budget Forecast widgets were updated with improved UX and logic to correctly reflect Budget Drifts.

CloudOps Bug Fixes

  • SSM in CloudOps: The Executed By column now shows the platform users who have executed the SSM document -- both command and automation documents. The Executed By column was not existing earlier for command documents, but has been added now.

SecOps Bug Fixes

  • Error while scheduling policy: While scheduling policies, if auto-trigger option is not supported for the selected policy, then an error message was being displayed. This issue is fixed and now a message is shown about whether the policy selection is supported or not.
  • Fixed AWS Security Hub findings mismatch between AWS and the platform.
  • Compliance Posture “By Policy” section filter issues have been fixed.
  • Policy mapping corrected for CIS Azure 1.5 compliance standard.

Policy Bug Fixes

  • Fixed some policies that were showing incorrect data in Resource ID and Resource Name as part of execution output.
  • AWS CloudTrail S3 Data Events: A policy checks if the data events are configured for CloudTrail. Previously, it only checked for basic event selectors, now it checks for both event selectors and advanced event selectors.
  • AWS Audit RDS Master Username CS Policy: Previously, the policy used to check if the default master username was 'admin’. The fix checks if default master username is 'admin' or 'awsuser', and provides the option for the user to change these through parameter.
  • AWS Encrypted Volumes: There is a known issue of inconsistent output with AWS Config managed policies. To produce consistent output, this policy is converted to AWS Config custom policy from managed policy.
  • Fixed policy logic for:
    • **AWS Audit Check IAM Password Policy
    • AWS Audit Unused IAM Credentials Check CS Policy
    • AWS SSL TLS Certificate Policy
    • AWS Audit MFA Enabled For IAM Console Access CS Policy
    • AWS Audit IAM Access Analyzer Findings CS Policy
    • AWS Audit AMIs Older Than X Days CS Policy.
  • Following policies are disabled:
    • OCI Cost of Resources Without Tags Detailed
    • Azure Cost of Resources Without Tags Detailed
    • AWS Cost of Resources Without Tags Detailed
    • AWS Audit Required Tags CS Policy
    • AWS Audit Required Cost Allocation Tag CS Policy

Core Bug Fixes

  • Fixed allowed tag values in Tag Governance where the Allowed Tag Values filter lists values from other tenants while users try to create a baseline. This issue is fixed by implementing Role Based Access Controls (RBAC).
  • Fixed Tag Governance Compliance issue, where users from one tenant were able to see baselines from other tenants. This issue is fixed by implementing RBAC.

External APIs

Known Issues

The functionalities below are not working as expected. We will try to fix it before the next release:

  • RBAC – Show Menu: Templates and Product bundles related policies will now have an additional action called Show Menu, which when selected will enable the users to show the particular menu option on the page even when Read is selected. The users still have the privilege to not choose Show Menu and just take up Read if they do not wish to see the menu shown (this option is a temporary fix, and we will move away from the Show Menu option to encompass only the Read option in the upcoming releases).
  • RBAC – Navigation Menu Accessible to Tenants: Users with multiple tenants, each with different roles assigned, will now see the left navigation menu for all the roles if any one of the tenants has a role granting access to all the pages (such as Account Admin or Tenant Admin). In this scenario, even tenants with the lowest level of permissions will now be able to see the menus they previously didn't have access to. However, if they attempt to access a menu that is still inaccessible to them, they will automatically revert to the permissions of the tenant that has access to that menu.
  • On the Executive Dashboard, if users select the parent accounts for GCP, EA, and CSP cloud providers in the Cloud Account drop-down filter, then they can see null data for all widgets. Users can view actual data through ED-posture parity.
  • RBAC: When a user creates a custom role and tries to onboard an account using that role, it will not be listed in the Account Governance dashboard, The work around is that the user must go back to the custom role and edit it to add the service account after which they will see it listed.
  • Account Governance: For Azure EA, we request that users ensure any individual Subscriptions that are part of the Azure EA root account have not already been onboarded when onboarding the Azure EA root account. If you want all Subscriptions to be part of the Azure EA root account after onboarding it, please remove any individual Subscription first, then onboard the Azure EA root account. If an individual Subscription has already been onboarded and is not required to be part of the EA root account, you can still onboard the EA root account without mapping the Subscription to it. Please note that individual Subscriptions show PAYG costs, while Subscriptions onboarded under the EA root will reflect costs according to rates applied in the EA root account.
  • Azure Real Time Threats: Post real- time threat configuration, the real- time threat data is not getting updated on Threat Posture after threat occurrence. The threat data will get updated as part of the periodic sync on posture.
  • Idle Recommendation: Post this release, the Idle Recommendation page (Cost > Cost Optimizer > Optimize Usage > Manage Idle) will continue to display the static threshold values from the platform-defined thresholds, rather than the customized threshold values used by the users for resources across AWS, Azure, GCP, and OCI. This issue is applicable only for Instances/Virtual Machines.
  • Account Governance: While switching from one tenant to another with the Delegation Admin role, users can view the Account Governance page without any error message being displayed. Ideally, an error message should be displayed while the Delegation Admin role is trying to view the Account Governance page.
  • Feature Settings: For accounts that have the CloudOps and SecOps products enabled during onboarding, the CloudOps and SecOps tabs in the Cloud Account Governance page will not show settings for Azure Sentinel and Tenable Nessus tools. In order for the user to add tool accounts, they would need to go to the Settings menu and edit the tool account details to make any changes.
  • On the Cloud Account Governance page, no option for alert configuration is available for the FinOps product.
  • Region Selection: While onboarding AWS cloud accounts by selecting a specific region, users sometimes get a permission error even though they have the right permissions for that region.
  • Compliance Posture: Displays overall posture data at the Standard level rather than at the Control level. Control level policy executions will not reflect in the posture.
  • Security Dashboard: Cloud account drop-down selection on security dashboard shows onboarded cloud accounts.
  • Policies Job History: Policy execution type is showing ‘On Demand’ instead of ‘Compliance’, when the policy execution is triggered as part of the Compliance Assessment.
  • Tag Governance Baseline Creation: Under cloud account scope, the Cloud Account drop-down shows cloud accounts that are not onboarded along with onboarded cloud accounts.