Version: 26.1

Release Notes

This section is the primary reference for updates to the Authorization Hub platform.

Version 26.1.0

Authorization Hub is the successor to the Axiomatics Services Manager (ASM), rebuilt using modern frameworks and a cloud-native architecture. Version 26.1.0 is the first official release of the platform. It introduces an API-first approach to managing Attribute-Based Access Control (ABAC) and enforcing zero-trust principles.

What's new

  • Cloud-native architecture and deployment

    The Authorization Hub is a Kubernetes-native application deployed using Helm charts and is fully compliant with Kubernetes RESTRICTED security profiles. The backend is built as a modular monolith, combining the operational simplicity of a single deployable unit with clean internal service boundaries.

  • Audit logging

    All services produce audit logs that record who performed each action and when. This provides a consistent record across the platform to support compliance and governance requirements.

  • API-first design

    Every capability in the Authorization Hub is exposed through documented REST APIs with a unified OpenAPI/Swagger UI. This enables full automation and CI/CD integration for authorization management workflows, including operations that were previously only available through the ASM UI.

  • User management

    The Authorization Hub uses a tiered role system to control administrative permissions across the platform. Users are onboarded through an in-app invitation flow with email notifications, removing the need for direct identity provider administration. Additionally, the platform supports integration with external Identity Providers for extended enterprise identity federation.

  • Projects

    Teams work within Projects, which serve as isolated workspaces that contain their own policies, attributes, connectors, and domains. Access to these environments is governed by project-specific roles assigned to users. Machine-to-machine (M2M) API clients utilize these same roles to operate within projects just as human users do, which enables CI/CD pipelines to function within defined boundaries. This model replaces the "All" and "Read-only" permissions previously available in ASM.

  • Dictionary and attribute caching

    The Dictionary area in the Authorization Hub allows you to define and organize the attributes used in authorization policies. Supporting all ALFA data types and categories, attributes can be organized by namespace and managed through the UI or REST API. The dictionary also provides clear visibility into which attributes are utilized across various attribute connectors.

    Additionally, the platform supports attribute caching to optimize Access Decision Service (ADS) performance. Caching is configured on a per-attribute basis and is automatically included during domain creation.

  • Attribute connectors

    Attribute connector configuration has been modernized with a guided, form-based UI for all supported attribute connectors (LDAP, SQL, Table, Parser, and HTTP). Notably, the HTTP attribute connector now features a structured form for connection settings, attribute mappings, authentication, and payload templates, replacing the manual text editing required in ASM. All operations are accessible both through the UI and REST API, with full import and export support for easier promotion across environments.

  • Policy editor

    The Authorization Hub features a web-based code editor for authoring authorization policies in the ALFA (Abbreviated Language for Authorization) language. The editor provides an IDE experience, including syntax highlighting, code completion from the Dictionary, go-to-definition across files, and real-time error diagnostics. Policies are organized as multi-file ALFA packages with independent per-file saving.

    This transition to a "policy as code" framework allows authorization policies to be managed as plain-text assets which are naturally suited for version control, collaborative code reviews, and seamless CI/CD integration.

  • Domains

    Domains serve as logical containers that aggregate policies, attributes, and attribute connectors into a deployable authorization configuration for the Access Decision Service (ADS). The Authorization Hub utilizes domain version 2.1, a YAML-based format designed to align with the ALFA policy structure and the updated attribute connector configurations.

  • Policy insights

    Policy insights is a new feature, previously unavailable in ASM, that enables the analysis of deployed authorization policies through reusable query templates and reports. It leverages the Contextual Authorization Query (CAQ) engine to answer questions, such as "Under what conditions can a user perform a specific action?".

What's coming

Upcoming releases of the Authorization Hub will continue to expand the platform's capabilities. Highlights include a new graphical Policy Editor to simplify authoring, additional deployment options, and a migration path for existing ASM deployments.

Known issues

The following items have been identified as known issues and we are actively working on resolving them. Fixes will be included in upcoming releases of Authorization Hub.

  • Intermittent policy validation inconsistencies

    Under rare conditions, policy code validation may stop functioning. You may notice the Problems panel highlighting resolved issues as still active or failing to report new errors in the code.

    Workaround: Perform a full page reload.

  • Incorrect XACML IDs for default environment attributes

    Authorization Hub assigns incorrect xacmlId values to the three default environment attributes (currentDate, currentTime, and currentDateTime). This prevents ADS from evaluating policies that use them.

    Workaround: Manually update domain.yaml with the correct URIs and push it to ADS.

  • "Back to Login" redirect loop

    Following a period of inactivity, you may encounter an error screen that prevents clean re-authentication, resulting in a continuous loop back to the error state.

    Workaround: Clear the site data or browser cache.
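
For the xacmlId known issue above, a pre-push check can confirm that a hand-edited domain.yaml carries the expected identifiers before it goes to ADS. This is an added example, not Axiomatics code: it assumes the "correct URIs" are the environment identifiers from the OASIS XACML 3.0 core specification, and the sample YAML layout and its wrong value are constructed (only the xacmlId key name comes from these notes).

```python
import re

# Environment attribute identifiers from the OASIS XACML 3.0 core specification.
# Assumption: these are the "correct URIs" the workaround means; the release
# notes do not list them.
STANDARD_ENV_IDS = {
    "currentTime": "urn:oasis:names:tc:xacml:1.0:environment:current-time",
    "currentDate": "urn:oasis:names:tc:xacml:1.0:environment:current-date",
    "currentDateTime": "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime",
}
# Matches an xacmlId key at any nesting depth, quoted or unquoted.
XACML_ID_LINE = re.compile(r"""^\s*-?\s*xacmlId\s*:\s*["']?([^"'\s#]+)""")

def fold(identifier):
    """Reduce an identifier to the lowercase letters of its last segment."""
    return re.sub(r"[^a-z]", "", re.split(r"[:/.]", identifier)[-1].lower())

def find_xacml_ids(yaml_text):
    """Return (line_number, value) for every xacmlId key in the text."""
    hits = []
    for number, line in enumerate(yaml_text.splitlines(), 1):
        match = XACML_ID_LINE.match(line)
        if match:
            hits.append((number, match.group(1)))
    return hits

def check_environment_ids(yaml_text):
    """Return (standard attributes not present, near-miss values to correct)."""
    ids = find_xacml_ids(yaml_text)
    present = {value for _, value in ids}
    absent = sorted(n for n, urn in STANDARD_ENV_IDS.items() if urn not in present)
    by_folded = {fold(urn): urn for urn in STANDARD_ENV_IDS.values()}
    suspects = [(line, value, by_folded[fold(value)])
                for line, value in ids
                if value not in by_folded.values() and fold(value) in by_folded]
    return absent, suspects

# Constructed sample; the real domain.yaml (domain version 2.1) layout may differ.
SAMPLE = """\
attributes:
  - name: currentDate
    xacmlId: environment.currentDate
  - name: currentTime
    xacmlId: "urn:oasis:names:tc:xacml:1.0:environment:current-time"
  - name: role
    xacmlId: user.role
"""

if __name__ == "__main__":
    print(check_environment_ids(SAMPLE))
```

A non-empty suspects list means an xacmlId resembles a default environment attribute but does not match the standard URN; failing the pipeline on it keeps a domain that ADS cannot evaluate from being pushed.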