# 2025

## October 19th 2025

### New Features

#### Authentication & Access

* Expanded OIDC Support. Adds compatibility for additional identity providers to make single sign-on easier across environments.
* Session Timeout Controls. Lets administrators define custom session durations for stricter security posture.

#### Security & Compliance Workflows

* Pre-Approvals Lifecycle Automation. Automatically moves stale pre-approvals to archived status and notifies owners before expiration.
* IAM Drift Detection Monitor. Flags unauthorized role or permission changes in AWS and GCP to maintain least-privilege posture.

### Enhancements

#### User Experience

* Improved Search Performance. Faster results and fuzzy matching across projects and monitors.

#### Reliability & Performance

* Caching for Directory Data. Speeds up identity lookups.
* Optimized Data Snapshots. Reduces snapshot time and improves consistency under heavy load.

#### Notifications & Integrations

* Slack Error Resilience. Retries failed approvals and handles transient Slack API errors automatically.
* Teams Integration UX Refresh. Cleaner approvals and notifications with rich context cards.
* PagerDuty Routing Enhancements. Adds fine-grained routing options for incident notifications.

***

## October 6th 2025

### New Features

#### Cloud Platform Integrations

* Build Installer for Entra Security Perimeter. One-click installer to deploy the Entra Security Perimeter components, reducing manual setup and configuration time.
* Support bucket access on AWS GovCloud. Adds bucket access support in GovCloud accounts to broaden coverage for regulated environments.

#### Authentication & Access

* Okta SSO for AWS GovCloud. Enables single sign-on with Okta in GovCloud to simplify and standardize authentication.

#### Security & Compliance Workflows

* Duplicate Preset Monitors. Lets you clone a preset monitor and tailor it to your needs, speeding monitor setup.

#### API & CLI Enhancements

* Configurable Labels in P0 CLI. Allows custom labels in CLI workflows for consistent reporting and easier filtering.

### Enhancements

#### User Experience

* Fuzzy Search in “Allow” Modal. Find the right principal faster with typo-tolerant search in the selection field.
* Consistent Entra Group Names. Ensures Entra group names appear consistently across pages and flows.

#### Reliability & Performance

* Caching for Entra Groups and Users. Reduces latency and load for directory-backed operations.
* Backoff on HTTP 429 in P0 CLI. Automatically backs off on rate-limit responses to reduce failures in scripted runs.

#### Security & Compliance Workflows

* AWS IAM Management Policy (Terraform). Provides ready-to-use policy templates to standardize deployments across environments.

***

## September 22nd 2025

### New Features

#### Core Platform Capabilities

* Azure Graph Integration. Adds ingestion for Microsoft Graph (resources and permissions), improving coverage for access modeling and future automations.
* Create AWS Service Accounts (Roles) with IaC. Adds infrastructure‑as‑code support to create service roles, simplifying setup in AWS environments.

### Enhancements

#### Authentication & Access

* SSH Access Controls. Adds an access‑type filter for SSH, lets admins restrict SSH access types via routing rules, and introduces an SSH host key cache for faster, less noisy connections.
* GCC High Entra Role Assignment. Extends compatibility for regulated Azure environments (GCC High) to support more deployment scenarios.

#### Core Platform Capabilities

* IaC & Terraform Improvements. Adds `sts:TagSession` permission to installer IAM policies and updates the Terraform provider to support partition `type`, keeping installs aligned across partitions.

#### Platform Configuration & Limits

* Monitors UX. Lets you disable preset monitors and clarifies that new monitors are created from the Inventory page.

#### Security & Monitoring

* Compliance Hardening. Addresses compliance findings such as GCP service‑account IAM roles and MFA posture in Google Workspace.

#### Stability & Fixes

* `p0 ssh` Host Fingerprint Saving. Fixes saving of host fingerprints so first‑time SSH connections do not repeatedly prompt.
* Intermittent 500 Error Path. Fixes an intermittent `AxiosError: Request failed with status code 500` to restore normal operation.

***

## September 7th 2025

### New Features

#### Core Platform Capabilities

* **AWS IDC Identities without specific IDC backing being required**\
  Adds identity data to the graph for more complete access modeling when no IDC is specified.
* **Automatic Registration & One-Click Install (Azure Integration)**\
  Allows automatic registration and one-click installation, eliminating manual key copy-paste steps.

### Enhancements

#### Authentication & Access

* **Make OIDC Client Configs Optional**\
  Makes certain OIDC client settings optional to ease setup without reducing security.

#### Core Platform Capabilities

* **Create Routing Rule from Fix View (GCP Unused Role Bindings)**\
  Lets you create a routing rule directly from the Fix view to remediate unused GCP role bindings with JIT.

#### Stability & Fixes

* **`p0 ssh --size` Option**\
  Fixes the `--size` flag for `p0 ssh`, restoring expected behavior.

***

## August 24th 2025

### New Features

#### Core Platform Capabilities

* **Self-Hosted Plugin for CLI**\
  Adds support for a self-hosted plugin in the CLI to streamline provisioning and management.
* **Automatic Registration & One-Click Install for Tailscale**\
  Allows automatic registration and one-click installation, eliminating manual key copy-paste steps.

### Enhancements

#### Visibility

* **Domain Users Counted as Internal**\
  Counts domain users as internal rather than external for accurate auditing and policy targeting.

#### Authentication & Access

* **Secure GCP Service-Account Access**\
  Prevents P0 access via GCP service accounts using tokens generated for third parties.
* **SSH Access Type for Tailscale**\
  Adds a dedicated SSH access type for Tailscale to improve clarity and policy management.
* **Entra JiT CLI Help Text Fix**\
  Removes duplicate “group” option in CLI help for clearer guidance.

#### Platform Configuration & Limits

* **Azure Bastion host: Case-Sensitivity Fix**\
  Prevents permission errors during install by fixing a case-sensitivity check.

#### Stability & Fixes

* **`p0 ssh` Command Execution**\
  Ensures commands run and output is returned reliably with `p0 ssh` in very specific situations.
* **`p0 ssh --size` Option**\
  Fixes the `--size` flag behavior for `p0 ssh`.
* **Intermittent `p0 ssh` Failures**\
  Resolves sporadic failures to improve overall connection stability.

***

## August 10th 2025

### New Features

#### Authentication & Access

* **Azure AD PKCE Sign-In**\
  End users can sign in with Azure AD using PKCE, improving security and compatibility for browser-based OAuth flows.

### Enhancements

#### Core Platform Capabilities

* **`p0 ssh` Command Execution**\
  Re-enables running remote commands with `p0 ssh`, restoring expected CLI behavior.
* **“Accessible By” Display Correction**\
  Corrects how lateral relationships are shown in the “Accessible By” panel so they display valid accessors, and removes additional accessees.

#### Authentication & Access

* **Settings Cleanup: Remove One-Party Approvals & “Reason Required”**\
  Streamlines administration by removing rarely used toggles, reducing configuration overhead without changing approval behavior.

***

## July 28th 2025

### New Features

**Authentication & Access**

* **Database Scoping in Routing Rules**\
  You can now specify which database a routing rule applies to, giving finer-grained control over access routing and approvals.

**Audit & Observability**

* **Capture Authentication Context in Audit Logs**\
  Authentication-related metadata is now captured in audit logs, improving traceability of actions and helping security teams correlate identity with activity. This includes authentication and authorization failures.

**Platform Configuration & Limits**

* **Configurable Upper Limit for Standing Access Requests**\
  Administrators can now define upper bounds on standing access durations, helping enforce least-privilege policies and reduce unintended long-lived access.

### Enhancements

**Core Platform Capabilities**

* **Extended Postgres Installation UI Integration**\
  The Postgres installation experience in the UI has been enhanced to better support customer workflows, making setup more intuitive and transparent.
* **Enhanced Routing Rule Evaluation Logic**\
  Improvements have been made to how routing rules evaluate group membership and related edge cases, reducing surprises in access decisioning.

***

## July 14th 2025

### New Features

**Core Platform Capabilities**

* **Service Account Support for P0 API Requests**\
  Service accounts (for example, those used by Terraform) can now authenticate and execute P0 API calls without needing static credentials, making infrastructure-as-code workflows smoother.
* **Access‑Type Selector in Routing Rules**\
  You can now pick specific access types when authoring routing rules, just like the sample template, so approvals can be tailored by access type (for example, “p0 request gcloud role”).
* **Query Search for User Listings in Directory Integrations**\
  When you’re browsing users in any directory integration (LDAP, Entra, etc.), there’s now a search box to filter by name, email, or ID.

**User Experience**

* **Disable Automatic Log-Out**\
  A new toggle in the UI lets you disable automatic session log-outs, so your P0 session stays active until you choose to end it.

### Enhancements

**Core Platform Capabilities**

* **AWS Account Alias Support in SSH Requests**\
  SSH commands now accept AWS account aliases in the `parent` parameter (e.g. `./p0 request ssh parent:alias-name`), so you can reference accounts by friendly names instead of numeric IDs.

**Security & Monitoring**

* **Dangerous Routing Rule Detection**\
  Automatically detects and alerts on potentially dangerous routing rules, helping you catch misconfigurations before they impact your environment.

***

## June 29th 2025

### New Features

#### Core Platform Capabilities

* **Group & Parent Context in SSH Notifier**\
  SSH notifications now include both group and parent identifiers in their event payloads, giving you richer context for auditing and routing.
* **Access-Type Selector in Routing Rules**\
  A new UI control lets you pick specific access types (e.g., “p0 request gcloud role”) when authoring routing rules, so you can tailor approvals more precisely.

#### Email Notifier Enhancements

* **Evidence-Created Alerts**\
  The Email Notifier can now send you a notification immediately when new evidence is submitted—keeping stakeholders in the loop.
* **Expiration-Reminder Alerts**\
  Receive automated email reminders before any evidence item expires, so nothing slips through the cracks.

#### Automatic Expiration Workflow

* **Pending-Request Auto-Expiration**\
  Access requests that linger past their expiration date are now closed out automatically by a scheduled job, reducing manual cleanup.

### Enhancements

#### Reliability & Error Handling

* **Snowflake User Detection Fix**\
  Resolved an issue where email case mismatches prevented user lookups in Snowflake. Emails are now normalized to avoid false negatives.
* **Terraform-Backed GKE Updates**\
  Improved our Terraform module to ensure GKE clusters and node pools stay aligned with the desired configuration.
* **AWS Lambda Notifier Created-At Field**\
  Fixed a missing timestamp field on Lambda-based notification events so you can reliably track when alerts were generated.
* **ProxyCommand & Versioning CLI Fixes**
  * `p0 --version` now prints clean output without extra logging noise.
  * The `p0 proxy` command gracefully handles token expiry and exits quietly when no targets match.

#### Developer Experience & Tooling

* **Kubernetes Configuration Updates**\
  Refined default configs for cluster access and context management to simplify developer onboarding.
* **Off-Boarding Automation**\
  Streamlined user off-boarding flows so that deactivated accounts are removed from all P0 services in one go.

***

## June 15th 2025

### New Features

* **Email Notifier Default Sender**\
  The email notification channel now sends from a dedicated `noreply@p0.dev` address to minimize bounce-backs.
* **Installer Enhancements**
  * **Resource ID Injection**\
    The P0 installer can now automatically inject resource identifiers into its setup flow for more precise asset mapping.
  * **`~/.kube/config` Alias Generation**\
    Running `p0 ssh` will create friendly host aliases in your Kubernetes config file, so you can connect with a simple name.

### Enhancements

* **Authentication & Proxy Fixes**
  * Email addresses entered with uppercase letters (e.g. `Owner@Acme.com`) are normalized on sign-up so you never get blocked by case mismatches.
  * The `p0 proxy` command now handles token expiry without crashing and suppresses output when no matching instances are found.
* **Resource Editor Robustness**
  * Guardrails have been added to the resource-editor UI to prevent “cannot read properties of undefined” errors.
* **Retry & Timeout Improvements**
  * AWS component installation checks now automatically retry on transient failures.

***

## June 1st 2025

### New Features

#### Cloud Installers & Integrations

* **Azure Application Installers**
  * Improved UI/UX for Azure-related features.
* **AWS Lambda Notifier Guide**\
  Comprehensive documentation for configuring AWS Lambda as a custom alert notifier in P0.
* **PagerDuty Auto-Approver**\
  Routing rules can include PagerDuty on-call schedules as automatic approvers for emergency workflows.

#### API & CLI Enhancements

* **Default SSH Shell Configuration**\
  Updated `p0 ssh` command to default to Bash, with an option to override for other shells.
* **Resource Listing Endpoint & CLI**\
  New REST API and accompanying `p0 resources list` command to fetch all supported resource types and their definitions.
* **OpenAPI Specification Publications**\
  Public OpenAPI docs released for:
  * Swisscom integration
  * Routing rules engine
  * AWS SDK installation workflow

#### Documentation Improvements

* **Azure Command References**\
  Added step-by-step guidance for:
  * Creating the P0 Management Role in Azure
  * Generating federated credentials via CLI
* **Custom Resource Types**\
  Detailed walkthroughs for defining and using custom resource categories in P0.

### Enhancements

#### CLI & Developer Experience

* **SSH Performance & Errors**\
  Reduced latency in `p0 ssh` connections and improved “identifier resolution” error messages.
* **AWS Policy Hyphen Support**\
  Enhanced attachment-rule parser to accept hyphens in AWS Function Caller policies.
* **Persistent Access Duration**\
  Fixed an issue where “persistent” access requests ignored the specified duration.
* **Enhanced Tracing**\
  Expanded internal tracing hooks for better diagnostics during CLI operations.

#### UI & UX Tweaks

* **Access-Key Lookback Correction**\
  Adjusted the default audit time window displayed for access-key evidence in the UI.

#### Microsoft Teams Resilience

* **Case-Insensitive Channels**\
  Channel name matching in Teams is now case-insensitive to avoid routing errors.

***

## May 18th 2025

### New Features

#### CLI Improvements

* **Seamless Login**\
  The `p0 login` command now detects existing sessions and skips redundant authentication steps, streamlining your workflow.
* **Automatic SSH Config**\
  A new `p0 ssh-config` command generates ready-to-use SSH configuration snippets for effortless access to your servers.

#### Authentication & Notifications

* **Microsoft Entra Support**\
  New customers can create new accounts using Microsoft Entra, expanding your choice of identity providers.
* **Email Alerts**\
  An email notification channel has been introduced so you can receive P0 alerts directly in your inbox.
* **Multi-Channel Notifications**\
  Set up notifications and chat ops with Slack, Teams, or Email to stay informed where it’s most convenient.

#### Cloud Platform Integrations

* **AWS Just-In-Time Provisioning**\
  Fine-tune IAM policy attachment rules with the new “extends from” attribute for more granular access control.
* **Google Cloud Run Agent**\
  Deploy P0 agents seamlessly to Cloud Run environments using the new installation component.

#### Visualization & Installer

* **Asset Relationship Graph**\
  Explore a prototype graph layout for visualizing compute asset topologies and their interconnections.
* **Teams Store Installer**\
  The P0 installer now defaults to installing our Microsoft Teams app straight from the official Teams Store for a smoother setup.

### Enhancements

#### CLI & UX Fixes

* Corrected the default time shown in the `/p0 allow` modal’s DateTime picker.
* Permission-set dropdowns now display all options instead of truncating choices.
* Email addresses entered with uppercase letters (e.g. `Owner@Acme.com`) are normalized automatically.
* Improved public-channel notification formatting and expanded help text for Microsoft Teams.
* Clarified installation guidance messages for setting up notification channels.

#### Reliability & Error Handling

* Automatic retries during AWS component installation checks to mitigate transient errors.
* Extended Semgrep scan timeouts in CI workflows to prevent premature cancellations.
* Suppressed errors when AWS instances are already removed during evidence revocation.
* Safeguarded against circular-reference issues by ensuring evidence records don’t match themselves.

#### ProxyCommand Enhancements

* Gracefully handle token expiration without crashing.
* Exit quietly when no instances match, reducing unnecessary output.
* Display SSH-friendly host identifiers for easier server selection.
* Provide clear error messages when required parameters (e.g., reason) are missing.
* Ensure `p0 ls` consistently lists servers according to specified filters.

#### Web Request Submission Flow

* Backend validation errors (including “Reason” and “Request duration” fields) now surface directly in the P0 web-request form for faster troubleshooting.

***

## April 20th 2025

### New Features

#### Slack & Notification Enhancements

* **Rich Slack Modals**\
  Interactive input blocks for the `/p0 allow` command—including date/time and duration pickers—plus optimistic pre-population of form data for faster approvals.
* **Automated Expiration Alerts**\
  Email and in-app notifications to requestors and approvers before evidence items expire, so nothing slips through the cracks.
* **MS Teams Lifecycle Integrations**\
  Submit audit evidence and lifecycle events directly from Teams, complete with clear guidance and error messaging.

#### Security & Compliance Workflows

* **AWS Trust Policy Monitor**\
  Real-time checks on IAM roles to flag any trust policy granting unrestricted root access.
* **Custom Resource Routing Engine**\
  New API endpoints and routing rules for user-defined asset types, giving you total flexibility.
* **Okta Assessment Automation**\
  End-to-end Okta security reviews—from data collection through report generation—built into the P0 audit pipeline.

#### Reporting & Analytics

* **Cross-Project Findings Export**\
  One-click export of detailed findings across all your projects for off-platform analysis.
* **Enhanced Dashboard Charts**\
  Bucket-date overlays on findings charts for clearer trend analysis over time.

#### Cloud Platform Integrations

* **AWS Just-In-Time Provisioning**\
  “Extends from” support on attachment rules for more precise IAM policy scope.
* **Google Cloud Run Agent Installer**\
  Deploy P0 agents seamlessly into Cloud Run with a dedicated installation component.

### Enhancements

#### Reliability & Performance

* **Datastore Indexing**\
  New index on evidence records to speed up complex queries.

#### User Experience

* **Posture & Monitor Pages**\
  Fixed infinite-render issues on “all” views and ensured data loads reliably.
* **Date Validation**\
  Both client and server now enforce valid future start/end times in all access-request flows.
* **Dropdown & Picker Fixes**\
  Permission-set selects now show every option, and the `/p0 allow` DateTime picker defaults correctly every time.

#### Notifications & Integrations

* **PagerDuty Resilience**\
  Standalone repro cases for token-expiry issues and automatic retries in notification flows.
* **Error Messaging**\
  Expanded help text and clarified error feedback across Slack, Teams, and email channels.

***

## April 6th 2025

### New Features

* **Unused IAM Roles Monitor**\
  View IAM roles that haven’t been used (including “never used”), complete with last-used timestamps and guided remediation suggestions.
* **AWS Identity Center Diagnostics**\
  Built-in troubleshooting for Identity Center errors, surfacing detailed traces so you can resolve issues faster.
* **Lifecycle SDK Enhancements**\
  Full support for multi-valued objects in lifecycle workflows, enabling more complex automation scenarios.
* **Automated “Fix” Commands**\
  New one-click CLI commands to automatically remediate unused or overly-privileged IAM policies.
* **AWS Service Discovery**\
  Automatically enumerate which AWS services are enabled in your account to streamline compliance checks.
* **Custom Permission-Set Scopes**\
  Tailor exactly which resources, actions, and conditions are requested via both the UI and API.
* **Virtualized Permission Tables**\
  Replace full-render tables with virtualized lists so large graphs and tables load and scroll instantly.

### Enhancements

* **Search & Navigation**
  * No-op on empty searches to prevent errors
  * Resource links now always navigate correctly in monitor views
* **Form Validation & Error Feedback**
  * Inline display of JSON parse errors in environment payloads
  * Date-pickers enforce future dates and default to the correct time
  * Backend validation errors (e.g. missing Reason or invalid duration) now surface directly in the form
* **Visual Consistency**
  * Warning icons and status badges reflect real-time data states
  * Table columns render consistently across browsers, with proper truncation
* **Visibility Check Resilience**\
  Clear error message and retry option when visibility-check endpoints are unavailable
* **Performance & Responsiveness**\
  Virtualized lists and optimized rendering ensure snappy load times and smooth scrolling throughout the app.
