Changelog

Reviews and Approvals is a workflow management tool designed to streamline the recipe deployment process between environments (Development, Test, and Production). It provides a structured and collaborative system for reviewing, approving, and deploying changes, ensuring that all deployments meet organizational standards before going live.

With Project-Level Permissions, Project Administrators can give access rights to users on a project-level as well as on an environment-level basis. This gives admins more control over access rights, minimizing potential security risks.

What's new:

• Granular project permissions: Set access levels for each project. For example, for Project A a user may have a read-only permission, while in Project B they have full access.
• Collaborator groups: Set permission groups for quicker RBAC.
• New Project Administrator role: Project Administrators have project-level access management without workspace admin rights.
• Scalability: Developer API support + SAML/SCIM integration for group management.

Prerequisites:
Customers MUST have an empty home assets folders before enabling. Home assets will be converted to regular projects. Reach out to your CSM for access.

We’re enhancing the Analyst and Operator system roles to provide access to new features, expanding capabilities while preserving each role’s core responsibilities.

How to Enable:
Workspace admins can enable these features as needed.

What’s Changing:

Operator Role:

• Read access added for Genies, Knowledge Bases, and Data Pipelines.

Analyst Role:

• Full access added for Genies, Knowledge Bases, and Data Pipelines.
• Deployment permissions upgraded from “Deploy” to “Deploy, Review”
• Full access to Insights, our data visualization and manipulation engine.

For more granular permission control, we recommend using custom roles.

Timeline:
These changes will take effect on Tuesday, July 29, 2025.

AWS IAM Role Sharing is now available for Automation HQ (AHQ) customers, streamlining AWS access management across parent and child workspaces:

• When enabled, child workspaces now inherit the same External ID as the parent workspace's environment, removing the need to manage workspace unique IDs individually.
• Simplifies access control for AWS resources like Secrets Manager, S3, and IAM-authenticated connectors.
• Improves security and governance by enforcing consistent IAM policies across all workspaces.
• Reduces administrative overhead and minimizes compliance risks for enterprises with complex AHQ environments.

Learn more in the AWS IAM Role Sharing documentation.

Workspace admins can now manage collaborators from any environment, improving the overall workflow. This new feature provides admins a unified view and control over all collaborators across all environments.

Learn more in our Workspace Collaborators documentation.

A new endpoint has been released to assist in workspace administration: `PUT /api/members/:id`. This endpoint allows modification of collaborator roles in one or all environments.

Within your custom role settings, you can now allow users to have partial visibility and edit permissions to the workspace settings. When enabled, users with this permission can view and edit the Workspace information, notifications, and AI feature settings, and view the subscription plan details.

By default, this permission is disabled for custom roles, and will need to be manually enabled if desired.

A new endpoint has been released in the Developer API to assist with regular audit reports and compliance. GET /api/activity_logs uses the same data as the Activity audit UI in-product, and supports pagination and filters. API clients get access to this endpoint per environment.

The member_invitations endpoint now supports setting roles for new collaborators in all available environments, not just Dev. We have maintained backward compatibility with the previous logic, so you can use either role_name or env_roles to set roles for collaborators.

• On-prem secrets management: Connect Conjur to a running on-prem group (Conjur Enterprise / Conjur Open Source) for a full on-prem configuration
• Credential rotation: Call the clear_cache API to retrieve the latest secret versions if credential rotation is enabled on Conjur