This release introduces Business Unit (BU) segmentation, enabling organizations to manage multiple teams, departments, or portfolio entities within a single tenant—without requiring separate logins or environments.
With centralized governance at the HQ level and clear data separation at the BU level, organizations gain stronger security, simplified administration, and a more tailored user experience across complex enterprise structures.
Organizations can now create and manage Business Units (BUs) within a single tenant. HQ administrators retain centralized oversight while delegating day-to-day administration to BU-level admins.
This enables:
- Separation of departments, subsidiaries, or portfolio companies
- Simplified management without duplicating tenants
- Clear ownership and accountability at each organizational level
All records are now scoped to a Business Unit, ensuring users only see and interact with data belonging to the BU(s) they are authorized to access.
This improves:
- Data security and privacy
- Regulatory and contractual compliance
- Confidence when managing multiple organizations in one environment
Access control has been enhanced with default record permissions applied at creation time, configurable per application and module.
Benefits include:
- Reduced risk of overexposure
- Consistent access enforcement
- Less manual permission management
Groups have been enhanced with granular CRUD permissioning.
Benefits include:
- Granular Access Controls for Users in a Group
- Fully Customizable "Roles" via Group Creation
HQ administrators can centrally manage and enforce tenant-wide configurations, including:
- Single Sign-On (SSO) with limitations
- Access roles
- Default Legacy Groups are migrated over into the initial default App as Group Roles
Users who have access to multiple Business Units can:
- Switch between BUs within the application
- Once an App is created, it cannot be deleted.
- RegML Compatibility: Impact is limited to fresh deployments. Existing tenants upgrading to 6.29.0.0 aren't affected. A gap exists when there's no pre-existing Harvester-SA to migrate — i.e., a brand new database. RegML accounts will need to be created manually. Go to the Default App → Service Accounts tab → create "Harvester-SA" manually.
- Roles will be deprecated going forward. To accommodate this, groups will be created that mirror the permission list of the former roles. This happens only if a user in the tenant had that role explicitly assigned to them; if no user had the General User role assigned, for example, no group will be created to mimic that role's behavior.
- SSO Compatibility: Previous SSO assignments are only compatible with the Default App in a Tenant if that group exists upon upgrade. New SSO assignments will follow a new naming schema, in the format "RegScale-GroupId:{id}". There is a button on the groups list to easily capture this name.
- When a user logs in with SSO, the group configured in the Identity Provider is assigned to that user automatically and will not be removed. If you later change the group assignment in the Identity Provider, the user will be in both the old group and the new group. The user can be manually removed from the old group in the App if that is the desired state.
- Retired APIs (RBAC, Groups, etc.): Many APIs no longer apply with the architecture changes of this release and have either been removed or changed. They cannot be made backward compatible because of the nature of the changes required for this release. (See the list below in the Changes section.)
- Enterprises managing multiple departments or subsidiaries
- Organizations overseeing acquisitions or portfolio companies
- Managed Security Service Providers (MSSPs)
- Customers seeking stronger governance with less operational overhead
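For the SSO compatibility notes above (the "RegScale-GroupId:{id}" naming schema and SSO group assignments that are added but never removed), a reconciliation check can list memberships that the Identity Provider no longer asserts. This is an added example, not RegScale code; it assumes `{id}` is the numeric group ID, and the `USERS` export with its field names is hypothetical, constructed data.

```python
import re

# Assumption: "{id}" in the "RegScale-GroupId:{id}" schema is a numeric group ID.
CLAIM = re.compile(r"RegScale-GroupId:(\d+)")

def idp_group_ids(claims):
    """Split IdP group claims into (group IDs in the new schema, other claims)."""
    ids, other = set(), []
    for claim in claims:
        m = CLAIM.fullmatch(claim.strip())
        if m:
            ids.add(int(m.group(1)))
        else:
            other.append(claim)  # legacy or unrelated group names
    return ids, other

def stale_memberships(users):
    """Map user -> group IDs held in the App but no longer asserted by the IdP."""
    report = {}
    for name, record in users.items():
        asserted, _ = idp_group_ids(record["idp_claims"])
        stale = sorted(set(record["app_group_ids"]) - asserted)
        if stale:
            report[name] = stale
    return report

# Constructed sample: alice was moved from group 17 to group 42 in the IdP,
# but SSO login only added 42, so she still holds 17 in the App.
USERS = {
    "alice": {"idp_claims": ["RegScale-GroupId:42"], "app_group_ids": [17, 42]},
    "bob": {"idp_claims": ["RegScale-GroupId:17", "Finance-Readers"],
            "app_group_ids": [17]},
}

if __name__ == "__main__":
    for user, groups in stale_memberships(USERS).items():
        print(f"{user}: review membership in group(s) {groups}")
```

Groups assigned manually in the App also appear in the result, so treat it as a review list for manual removal, not an automatic revocation list.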
Business Unit (BU) Architecture
- Introduced Business Unit segmentation to support multi-organization tenants.
- Added BU-level admins, user assignment, and enforced access hierarchy.
- Enabled switching between Business Units with isolated data and permissions.
- Implemented default record permissions and CRUD access per module.
Access Control & RBAC Enhancements
- Added module-level permission enforcement across APIs and UI.
- Introduced cascading permissions with optional inheritance from parent records.
- Added warnings when changing records from Public to Private.
- Expanded support for app-scoped, group-based Service Account permissions.
- Added missing RBAC endpoints and improved permission validation feedback.
Platform & App Builder Enhancements
- Added cross-app reporting (feature-flagged).
- Added Access Request feature (feature-flagged).
- Improved App Builder configuration and setup workflows.
- Added background processing for long-running permission propagation.
- Introduced improved caching services for users, permissions, and modules.
SSO & Authentication
- Enhanced SSO configuration and role handling across tenants and BUs.
- Added MFA improvements and validation handling.
- Improved global admin login handling across environments.
Security Plans (SSP)
- Fixed risks, issues, vulnerabilities, and control implementations not appearing in SSPs.
- Resolved permission propagation failures when switching SSPs between Public and Private.
- Fixed child records not inheriting or reverting access correctly.
- Resolved 500/504 errors when adding controls or populating implementations.
- Fixed missing UI updates when adding controls or profiles.
Access Control & Permissions
- Fixed incorrect access for read-only and limited-permission users.
- Resolved unauthorized access returning 404 instead of 403.
- Fixed group access inheritance, read-only enforcement, and access list UI issues.
- Fixed global admin and tenant admin visibility inconsistencies.
- Resolved users retaining access after permissions were revoked.
User & Group Management
- Fixed issues adding/removing users from groups and apps.
- Resolved duplicate, missing, or stale users/groups in Admin and App Management views.
- Fixed pending users appearing incorrectly in dropdowns.
- Corrected user routing, profile navigation, and admin list behaviors.
API Stability & Data Integrity
- Fixed numerous 400/401/403/404/500/504 API errors across records, modules, and imports.
- Corrected DELETE, PUT, POST, and GET inconsistencies across core endpoints.
- Fixed service account authentication and authorization failures.
- Resolved GraphQL queries failing under service account tokens.
- Fixed batch create/update failures and migration-related errors.
UI / UX & Performance
- Resolved stuck spinners, blank pages, and missing UI components.
- Fixed console errors across Setup, Security Modal, Forms, and Builders.
- Improved dropdown behavior, validation messages, and toaster notifications.
- Fixed navigation issues, tab alignment, and missing buttons.
- Resolved severe performance degradation during permission propagation.
Forms, Questionnaires & Automation
- Fixed questionnaire creation, deletion, permissions, and instance handling.
- Resolved Response Automation job failures and file upload issues.
- Fixed Form Builder save, import/export, validation, and refresh problems.
- Restored missing automation endpoints and Swagger documentation entries.
Architecture & Backend
- Refactored Service Account architecture to be app-scoped and group-based.
- Migrated RBAC logic to centralized permission evaluation and caching layers.
- Introduced background tasks for email delivery and permission propagation.
- Improved replica and cache consistency for users, groups, and permissions.
- DEPRECATED ENDPOINTS (6):
- GET /api/rbac/{intModuleId}/{intParentId}
- GET /api/rbac/add/{intModuleId}/{intParentId}/{intGroupId}/{intPermissionType}
- DELETE /api/rbac/{intModuleId}/{intParentId}/{intRbacId}
- GET /api/rbac/public/{intModuleId}/{intParentId}/{isPublic}
- GET /api/rbac/detail/{intModuleId}/{intParentId}
- GET /api/rbac/reset/{moduleId}/{parentId}
- NEW ENDPOINTS (3):
- GET /api/rbac/security/{moduleId}/{parentId} - Get security modal data
- POST /api/rbac/security - Save security settings
- GET /api/rbac/groups/{moduleId}
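To find integrations that still call the retired RBAC routes before upgrading, the endpoint lists above can be turned into matchers and run over API access logs. This is an added example, not RegScale code; the log format and sample lines are constructed, and treating `int*`/`*Id` path parameters as numeric is an assumption.

```python
import re
# Retired routes, copied from the DEPRECATED ENDPOINTS list above.
DEPRECATED = [
    "GET /api/rbac/{intModuleId}/{intParentId}",
    "GET /api/rbac/add/{intModuleId}/{intParentId}/{intGroupId}/{intPermissionType}",
    "DELETE /api/rbac/{intModuleId}/{intParentId}/{intRbacId}",
    "GET /api/rbac/public/{intModuleId}/{intParentId}/{isPublic}",
    "GET /api/rbac/detail/{intModuleId}/{intParentId}",
    "GET /api/rbac/reset/{moduleId}/{parentId}",
]

def compile_route(template):
    """Turn 'METHOD /path/{param}' into (method, compiled regex, template)."""
    method, path = template.split(" ", 1)
    # Assumption: int*/*Id parameters are numeric. Matching digits keeps the new
    # GET /api/rbac/groups/{moduleId} from being flagged as the retired two-ID GET.
    def segment(m):
        return r"\d+" if m[1].startswith("int") or m[1].endswith("Id") else r"[^/]+"
    return method, re.compile(re.sub(r"\{(\w+)\}", segment, path)), template

ROUTES = [compile_route(t) for t in DEPRECATED]
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def retired_route(method, url):
    """Return the retired route template a request matches, or None."""
    path = url.split("?", 1)[0]  # ignore the query string
    for route_method, pattern, template in ROUTES:
        if route_method == method.upper() and pattern.fullmatch(path):
            return template
    return None

def audit(lines):
    """Count requests per retired route in access-log lines."""
    hits = {}
    for line in lines:
        m = REQUEST.search(line)
        template = retired_route(m["method"], m["url"]) if m else None
        if template:
            hits[template] = hits.get(template, 0) + 1
    return hits

# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = [
    '10.0.0.5 "GET /api/rbac/12/345 HTTP/1.1"',
    '10.0.0.6 "GET /api/rbac/groups/12 HTTP/1.1"',
    '10.0.0.6 "GET /api/rbac/security/12/345 HTTP/1.1"',
    '10.0.0.7 "DELETE /api/rbac/12/345/7 HTTP/1.1"',
    '10.0.0.7 "GET /api/rbac/public/12/345/true?src=ui HTTP/1.1"',
]
print(audit(SAMPLE_LOG))
```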
App & Module Behavior
- Changed record security inheritance terminology and behavior for clarity.
- Improved module reset, factory reset, and upgrade migration reliability.
- Updated module configuration storage and consolidation logic.
- Improved enforcement of module visibility based on permissions.
Admin & Setup Experience
- Reorganized App Setup and Management UI for clarity and consistency.
- Improved validation, error handling, and feedback during app creation.
- Updated admin tables, labels, and navigation behavior.
- Improved auditability and logging while limiting sensitive console output.