beqomPay Suite - Authorization feature release notes
beqomPay Suite 19.0
Custom fields as subject attributes in ABAC
Starting with version 19.0, it is now possible to use custom fields as subject attributes in Attribute-Based Access Control (ABAC) configurations. This enables more granular and flexible access control rules that align with unique organizational requirements, supports complex data models and allows access control to be tailored to tenant-specific needs.
Previously, ABAC subject attributes were limited to standard Data Foundation fields. This update extends ABAC to support custom fields defined in individual customer environments.
To use a custom field in ABAC, the field must first be created in the Data Management section of the Workbench, then a support ticket must be submitted to request schema enablement. Once enabled, the custom field can be used in ABAC policies through the API or CSV configuration in the Roles & Permissions workflow.
beqomPay Suite 18.1
Enhanced authorization for population assignment in performance review templates
We have improved how authorization is applied when assigning populations to performance review templates in Performance Management.
Review admins can now select any available population when configuring a template.
The system evaluates the population criteria to generate the full list of workers included in each population.
We now apply the primary owner’s ABAC rules to ensure that only workers the primary owner is authorized to see can be assigned.
Co-owners assigning additional populations will also have the same ABAC rules applied, ensuring consistent and secure access control across all assignments.
These enhancements provide more flexibility for Review admins while maintaining strict, attribute-based security for worker visibility.
beqomPay Suite 16.0
GrantFullAccess ABAC subject attribute
We've introduced a new GrantFullAccess subject attribute to simplify and standardize how administrators grant full data visibility across the product.
GrantFullAccess is a boolean attribute (TRUE / FALSE). When set to TRUE, the user gains visibility to all workers. Other scoping attributes, such as WorkCountry, OrgItem, and cohorts, are ignored. However, exclusions always apply, meaning any excluded employees or organizational items will still be filtered out. When set to FALSE, standard ABAC/RBAC rules, cohorts, and overrides apply as usual.
The attribute can be managed through a Professional Roles CSV upload, which includes a new GrantFullAccess column that supports TRUE/FALSE values, or through the Authorization API, which accepts a GrantFullAccess boolean field in the payload.
Example Scenarios
Grant full access with exclusions: A user with GrantFullAccess=TRUE and ExcludeEmployeeIds=[101,202] will see all workers except employees 101 and 202.
Other attributes ignored: A user with GrantFullAccess=TRUE and WorkCountry=IE will see all workers globally, not just those in Ireland.
Fallback: A user with GrantFullAccess=FALSE continues to follow normal ABAC/RBAC logic.
beqomPay Suite 15.0
Performance management outbound API filtering: sub-org support
The Performance management outbound API has been updated to simplify data retrieval for organizations with large hierarchies.
A new tenant management setting, Include sub org items for outbound API filter, controls whether sub-organizations are returned.
By default, the API returns data only for the explicitly specified orgItem IDs.
When the setting is enabled, the API will automatically return data for the specified orgItem and all of its sub-organizations, which eliminates the need to manually include every ID.
This change reduces the complexity of integration and improves efficiency by avoiding the need to pass long lists of orgItem IDs.
Performance management outbound API: Expanded response context
The Performance management outbound API has been enhanced to provide more context for each record by adding new fields to its response bodies.
API responses now include the following fields:
OrgItemId: Identifies the organizational unit associated with the record.
LegalEntityId: Provides the linked legal entity for clearer mapping.
Country: Indicates the country context for the record.
These additions provide the organizational, legal, and geographic context needed for accurate downstream processing. This improves the reliability and clarity of integrations while also reducing the need for additional lookups or custom mappings.
Authorization logic update
As part of release 1.15, we are introducing an enhancement to the authorization logic to give customers greater flexibility and control over who their users can see in the platform.
Previously, all subject attributes were evaluated using AND logic (meaning that all attributes needed to match). This made access rules overly restrictive and harder to manage, especially when customers needed to grant access to specific users outside the defined cohort.
Concretely, subject attributes are now split into two distinct categories, each evaluated differently: cohort definers and inclusion/exclusion overrides.
Cohort definers
Cohort definers define the base population a user can access. They are evaluated using:
AND logic between attributes
OR logic within the values of each attribute
Example:
OrgItemIds = [Sales, Marketing]
WorkerCountry = [Ireland, UK]
EmploymentStatus = [Active]
This will include workers who are in Sales or Marketing AND located in Ireland or the UK AND whose employment status is Active.
Inclusion/exclusion overrides
These attributes are evaluated outside the cohort logic, and allow specific individuals or org units to be added or removed from visibility.
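The following is an added example, not beqom's own code, that models the evaluation rules described in this section (cohort definers with AND between attributes and OR within values, plus inclusion/exclusion overrides) together with the GrantFullAccess attribute from the 16.0 notes above. Attribute names come from the release notes; the worker record layout, the sample data and the precedence of exclusions over inclusions are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    # Cohort definers: AND between attributes, OR within each attribute's value list.
    # Keys are assumed to match the worker record's field names (constructed here).
    cohort: dict = field(default_factory=dict)
    # Inclusion/exclusion overrides, evaluated outside the cohort logic.
    include_employee_ids: set = field(default_factory=set)
    excluded_employee_ids: set = field(default_factory=set)
    excluded_org_item_ids: set = field(default_factory=set)
    grant_full_access: bool = False  # 16.0: TRUE ignores cohort definers

def in_cohort(subject, worker):
    """AND across cohort attributes; OR within each attribute's values."""
    definers = {a: v for a, v in subject.cohort.items() if v}
    if not definers:  # 1.8 notes: explicit assignment required; no definers = no access
        return False
    return all(worker.get(a) in v for a, v in definers.items())

def can_see(subject, worker):
    """True if the subject is authorized to see this worker record."""
    # Exclusions always apply, even with GrantFullAccess=TRUE. Assumption: an ID
    # listed in both the include and exclude lists is treated as excluded.
    if worker["EmployeeId"] in subject.excluded_employee_ids:
        return False
    if worker["OrgItemIds"] in subject.excluded_org_item_ids:
        return False
    if subject.grant_full_access:
        return True
    if worker["EmployeeId"] in subject.include_employee_ids:
        return True
    return in_cohort(subject, worker)

def visible_workers(subject, workers):
    """Sorted EmployeeIds the subject may see."""
    return sorted(w["EmployeeId"] for w in workers if can_see(subject, w))

# Constructed sample worker records (not real data).
WORKERS = [
    {"EmployeeId": 101, "OrgItemIds": "Sales", "WorkerCountry": "Ireland", "EmploymentStatus": "Active"},
    {"EmployeeId": 202, "OrgItemIds": "Marketing", "WorkerCountry": "UK", "EmploymentStatus": "Active"},
    {"EmployeeId": 303, "OrgItemIds": "Finance", "WorkerCountry": "Ireland", "EmploymentStatus": "Active"},
    {"EmployeeId": 404, "OrgItemIds": "Sales", "WorkerCountry": "France", "EmploymentStatus": "Active"},
    {"EmployeeId": 505, "OrgItemIds": "Sales", "WorkerCountry": "UK", "EmploymentStatus": "Inactive"},
]

# The cohort from the release-note example: Sales or Marketing, Ireland or UK, Active.
COHORT_SUBJECT = Subject(cohort={"OrgItemIds": ["Sales", "Marketing"],
                                 "WorkerCountry": ["Ireland", "UK"],
                                 "EmploymentStatus": ["Active"]})
```

Running visible_workers(COHORT_SUBJECT, WORKERS) yields [101, 202]; adding include_employee_ids={303} adds the Finance worker without widening the cohort, while GrantFullAccess with ExcludeEmployeeIds=[101,202] returns everyone except those two.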
beqomPay Suite 14.0
The latest Platform release streamlines the logout process to strengthen system security.
Change in logout workflow
An enhanced logout workflow has been implemented to strengthen system security. All logout operations now include a mandatory redirection to your SAML provider's Logout action. This means that your Identity Provider (IdP) is responsible for the final redirection step after all logout operations are completed.
This enhancement ensures a more secure and consistent logout experience. If your SAML logout configuration is empty, the behavior will now depend on your Identity Provider, and users may be directed to your organization's default logout page. To avoid unexpected behavior, it is recommended to explicitly set a Logout URL in your IdP configuration.
For those needing a default logout success page, a generic page is available at: [subdomain].beqom.io/auth/logout-success.
beqomPay Suite 1.12
Granular Access Control List (ACL) support for Pay Suite
This release significantly improves the management of access control, especially for TCM v10 clients moving to Pay Suite. We've introduced powerful updates to efficiently handle large Access Control Lists (ACLs), boosting performance and ensuring a smooth transition:
We've launched a new, dedicated API for importing ACL lists. This robust endpoint can handle any number of worker IDs, effortlessly managing even massive datasets (over 100,000 records) without slowing down performance.
We've also improved how attributes are imported with a new validation rule. This rule limits the number of items per standard attribute to 1,000, preventing accidental overloads and keeping everything running smoothly.
Finally, our export capabilities have been extended. Now, authorization data exports will include ACL lists. This means all authorization-related information can be easily audited externally or moved to other systems.
beqomPay Suite 1.9
Extended security attributes for Performance Management
In this release, we have enhanced security subject attributes, providing greater granularity and control when assigning security attributes to users. These improvements allow for more precise access management within Performance Management.
The following attributes are now available for security configuration:
WorkRegion: derived from the Worker entity
LocalGrade: derived from the IndividualPayRange entity
GlobalGrade: derived from the IndividualPayRange entity
These enhancements offer more refined role-based access control, ensuring that security policies can be tailored to meet your organization’s needs.
On the configuration side, these additional attributes provide finer control over access management, ensuring security is enforced at a more granular level. Users can configure these attributes via:
CSV upload: navigate to Workbench > Platform Setup > Security & Roles.
API: refer to our Knowledge Base for API configuration details.
Security attributes can be managed by users with the Security Role assigned to them.
beqomPay Suite 1.8
This version provides enhanced security and greater configurability while ensuring customers can seamlessly transition to the new access model. Users can manage security attributes via CSV or API, and we have introduced automatic backend mapping to preserve existing behavior while improving access control mechanisms.
Specifically, the security subject attributes were significantly enhanced, providing greater granularity and control when assigning security attributes to users. The updated list of available attributes is as follows:
OrgItemsIds
ExcludedOrgItemIds
IncludeEmployeeIds
ExcludedEmployeeIds
WorkerCountry
WorkerPerformanceEligibility
EmploymentHomeCountry
EmploymentLegalEntity
EmploymentStatus
EmploymentCostCenter
EmploymentMaterialRiskTaker
EmploymentGlobalMobilityFlag
EmploymentHostCountry
EmploymentHostCountryLegalEntity
EmploymentHostCountryCostCenter
EmploymentJobLevel
EmploymentJobTitle
EmploymentJobFamily
EmploymentJobCategory
EmploymentJobFunction
These additional attributes provide finer control over access management, ensuring security is enforced at a more granular level. Users can configure these attributes via:
CSV upload, under Workbench > Platform Setup > Security & Roles.
API
Security attributes can be managed by users who have been assigned the Security professional role.
Previously, security attributes relied on a simpler configuration model. If a user had no OrgItemsIds attribute assigned, they would automatically gain visibility into all content within the company.
To enhance security, 16 new "include" attributes were introduced and the default access logic was changed:
The default "no attributes" behavior is disabled: Users with professional roles who have no security attributes assigned to OrgItemIds will no longer have universal access.
Explicit assignment is now required: Users with professional roles must have security attributes defined to gain access.
Updated access flow
To ensure smooth adoption and prevent unintentional access restrictions, the following flow updates were introduced:
Explicit "All company" access for professional roles: users with professional roles will only receive company-wide access if explicitly granted via the OrgItem attribute.
Default access for non-professional roles: employees without professional roles will continue to inherit all company access by default, eliminating the need for manual updates.
Back-end mapping for professional roles: A backend mapping ensures that "All company" access is automatically assigned to users with professional roles who do not have specific attributes assigned. This preserves existing behavior for current customers.
CSV file update: when customers download the CSV file, "All company" will now be explicitly included in the OrgItem attribute column for users with professional roles who did not previously have attributes assigned.
Custom root OrgItemIds handling
The root OrgItem external ID is set as "All Company" by default. However, since it is possible to override this value, the system dynamically accommodates changes:
If the external ID is changed (e.g., from "All Company" to "All Company 101"), the new value automatically appears in the CSV configuration file.
The updated external ID must be used in CSV/API configurations to continue granting "all company" access.
beqomPay Suite 1.5
Auth API Updates
We have streamlined our Auth API by reducing the number of required fields in the GET /integrationapi/v1.0/auth/subject-attribute-values request. Now, only workerId is required to perform the request, making integration more efficient. The following fields have also been removed: Email, GivenName, FamilyName.
Updated Field List
In the 1.5 release we updated our field list. This enhancement reduces data complexity, focusing on the essential workerId field for easier integration and improved API efficiency.
The following fields are now available in the updated Auth API:
workerId (string) - unique identifier of the subject. (Required)
roles (array of strings) - list of roles assigned to the subject.
orgItemsIds (array of strings) - organizational item IDs associated with the subject.
excludedEmployeeIds (array of strings) - employee IDs excluded from the subject’s scope.
excludedOrgItemIds (array of strings) - organizational item IDs excluded from the subject’s scope.
includeEmployeeIds (array of strings) - employee IDs specifically included for this subject.