We are pleased to announce support for the SCIM 2.0 standard, allowing integration with Microsoft Entra ID and automated provisioning of users and groups.

Read more about it here.

New Developer API endpoints

New endpoints have been added for:

1. Getting responses to an assessment

2. Updating third party custom attributes

Combined with the Custom Workflow Builder, these endpoints allow for updating third party information based on their responses to an assessment.

We are dedicated to refining our Reporting and Analytics module with key updates, including REST API improvements, better report formatting and charting, multi-language dashboard support, and critical security updates.

Key updates

• REST API Enhancements: New endpoints for retrieving content, dashboards, presentations and themes. User endpoint updated for easier profile and language preference management. Introduced Integration API utility for accessing user data securely.

• Report Builder upgrades: Drag-and-drop column reordering, calculated totals, and enhanced charting capabilities. Fixed filter issues, report formatting errors, and improved conditional formatting. Optimized file export formatting.

• Dashboard improvements: Multi-language support, improved folder access management and better localization.

• Infrastructure and security enhancements: Updated Apache Commons libraries and Apache Tomcat that has addressed the security vulnerability CVE-2024-50379

We've introduced a streamlined import process for custom registers, making it easier to bulk upload data while ensuring accuracy and consistency.

Import template

• Users can download the import template from the Import dialog.

• The template includes all default and custom fields relevant to the register.

Import process

• The import process is designed to support bulk data entry while ensuring data integrity and validation.

• Fields

  • If an unrecognized field is present in the file, the import fails with an "invalid field" error.

  • Required fields must be provided, and any missing or empty mandatory fields will result in import failure.

  • The system supports flexible column order, allowing data to be added or updated seamlessly across various field types, including text, numbers, dropdowns, and dates.

  • Additionally, system-generated fields, such as user and timestamp details, are automatically assigned to maintain accurate record-keeping.

• Atomic import process: If the import fails for any reason, no changes are made to the system.

These improvements ensure a more intuitive and error-proof import experience for managing custom register data. For detailed information, please visit Knowledge base: Importing register items

Simplified advisor assignment & automation with user groups

We've introduced new capabilities to simplify advisor assignments, improve access management, and enhance the user experience for Hub users. With these updates, assigning and managing advisors for spokes is now more efficient and intuitive.

Instant advisor assignments

• Hub users assigned as advisors to a spoke now gain access instantly.

• In-app and email notifications are sent to inform users when they are assigned as advisors.

• When an advisor is removed from a spoke, their access is revoked immediately.

Efficient group-based advisor assignments

• Assign spokes (one or more) to user groups

  • This would automatically grant all group members advisor access for assigned spokes.

• When users are added or removed from a group, their advisor access to the assigned spokes is updated accordingly.

Refreshed UI for managing groups

• A redesigned interface makes it easier to create, manage, and assign groups within the platform.

Check out our knowledge base for more in-depth information

• User groups

• Providing advisor access for spokes

Groups synchronization during just-in-time provisioning

For customers using SSO and taking advantage of just-in-time (JIT) provisioning, you can now synchronize your IdP's groups with 6clicks groups. The capability works in a similar manner to IdP group to 6clicks role synchronization, with the ability to use a convention-based mapping or an explicit mapping.

We are currently putting the finishing touches on our new SCIM provisioning support, with a view to releasing it by the end of March 2025. In tandem with the new JIT capability, this will great simplify user management for complex organizations. Read more here.

Improvements to MFA

We have made two changes to the email-based multi-factor authentication, following advice from our penetration tests. Both changes allow for an improved user experience without compromising security.

• Firstly, we have extended the timeout for entering an emailed PIN to 5 minutes.

• Secondly, for customers who have email-based MFA enabled for both "Seeing a list of teams associated with an account" and "Logging in after submitting a password", only the first PIN is required, removing the need to double-enter PINs.

Note that these changes do not affect users with SSO or two-factor authentication apps (such as Google Authenticator) enabled. We are continuing to work towards improving the experience for these users.

The export capability for registers has been enhanced, allowing users to quickly extract and analyze register data. This update enables exporting register items, including standard and custom fields, in an Excel (.xlsx) format.

What's new?

• A new Export option is now available under the More menu.

• Users can choose between:

  • Export (Selected fields) – Export only selected fields on the registers page.

  • Export (All fields) – Export all standard and custom fields.

• Upon selection, users will be prompted to save the .xlsx file.

Known issues

• Exporting after bulk-updating stage fields using stage tabs may result in incorrect data.

We’re continuously improving this functionality and will address the known issue in a future update. Let us know your feedback as we refine the import experience in a couple of weeks! 🚀

We’ve introduced a powerful Custom Workflow Builder, giving you full control over how items progress through different stages. This update allows you to define custom workflow stages, transitions, and permissions, ensuring workflows align with your organization's specific processes.

Key capabilities

• Custom workflow stages – Define unique workflow stages tailored to your needs.

• Transition rules & permissions – Control how items move between stages and who can transition them.

• Automated actions – Configure automatic updates and notifications upon stage transitions.

• Visual workflow editor – Easily design and manage workflows with an intuitive interface.

These enhancements bring greater flexibility and governance to workflow management, allowing teams to tailor processes to their unique requirements.

Developer API Improvements

To coincide with the release of the upgraded Custom Registers module and Custom Workflow Builder, we have added new endpoints to the Developer API.

• Risk History is now available. Query across multiple risks at a time, and integrate with Workato to build triggers when data changes.

• New endpoints, accessible under the /registers-api/1.1/ namespace are now available for working with Custom Registers and their Tasks. Please note that Issues and Incidents is now considered part of the Custom Register system and data can be retrieved through the /registers-api/1.1/ endpoints. The older /issues-api/ endpoints will continue to function but will be deprecated in subsequent API versions.

• A number of minor bug fixes and improvements to documentation have been released

We've introduced a significant update to standardize and enhance the functionality of all registers, including default and custom registers. This update ensures a seamless, intuitive experience across all the registers.

Key enhancements:

• Custom columns – Configure and manage columns to tailor register views.

• Sorting, filtering & bulk updates – Easily organize, refine, and update multiple items at once.

• Item linking – Link register items to related records for better traceability.

• Register-level permissions – Define who can access and manage each register.

• Item-level access control – Grant specific users or groups access to individual register items.

• Tasks & notifications – Assign tasks within registers and receive custom notifications.

• Custom workflow stages & transitions – Define workflows that match your organization's processes.

• Custom fields support – Extend item details with custom fields.

• New UI experience – A modern interface for improved user experience.

• Unique IDs per register – Auto-generated unique identifiers for each register item.

• Settings & configuration – Customize item names, colors, icons, and enable/disable features per register.

• Dev API support – Integrate register data seamlessly with external systems.

• Self-service reports – Generate and view reports directly within the platform.

What has changed?

To align with these new features, a few changes have been introduced:

• Issue actions are now called Tasks.

• All custom register items will now have unique IDs for better tracking and organization.

• IDs have been updated for:

  • Issues & Incidents

    • Old Issues & Incidents IDs will be made accessible via a custom field.

    • URLs using the old IDs will still direct to the Issue & Incident.

  • Issue & Incident Tasks (previously Issue Actions).

These enhancements bring greater consistency, control, and flexibility across all registers, ensuring a seamless user experience. We're also working towards bringing the Assets register to full parity with these capabilities and aim to complete this within the quarter. Your feedback is invaluable as we continue to refine and enhance the platform—let us know your thoughts!

Read more about Custom registers here!

We’ve introduced new capabilities that are in continuation of the previously released capabilities for user group assignment in assessments (link), further streamlining respondent assignment and invitation workflows :

• User Group assignment in Assessment templates – You can now assign user groups as respondents to specific questions in QBA assessment templates, streamlining the respondent assignment process.

• Respondent persistence in Draft mode – When an assessment is created from a template with assigned user-groups as respondents, those respondents are now saved and will be invited automatically when the assessment is published.

• Hub & Spoke assessment distribution – Assessment templates with user groups assigned to questions can now be sent to spokes. Users from existing user-groups are automatically invited when assessment is sent and new user-groups are created if they don't exist at spoke level. This ensures consistency and efficiency in assessment template management across your Hub & Spoke environment.

These updates simplify assessment management and ensure a seamless respondent assignment process.

Read more about sending assessments to spokes.

We're thrilled to announce key updates to the Controls module, making it easier to manage your data within 6clicks.

Import controls using Hailey

• Hailey AI can now extract controls directly from policy documents in Word or PDF format, reducing manual effort and streamlining data entry

• Check out our announcement blog for more details including a video demo

Export enhancements

• Export controls in the format that suits your needs:

  • CSV: Customize your export by choosing all fields or selected fields

  • JSON: Includes all fields, including custom fields

• All standard 6clicks control fields and managed (custom) fields are included

These updates make it easier than ever to integrate your controls data with other tools and workflows.

This week we've released an enhancement to our evidence gathering and presentation capabilities. Previously, during a Requirement-Based Assessment (RBA) on an Authority (compliance framework), we displayed 'Responsibilities' information associated with controls linked to Authority provisions.

With this update, we now also display all assessments conducted on a control. These assessments, particularly question-based ones used for evidence collection, will now be accessible to inform an aggregate picture against compliance requirements in an RBA.

Other changes in this release included -

• Ability to filter the questions by one or more user-groups using the 'Assigned to' filter (Assessment task)

• Bug fixes

We’re excited to announce the release of configurable dashboards in 6clicks, a powerful new feature providing personalized, data-driven insights of your GRC landscape.

Key capabilities include:

• Customizable layouts: Choose from several different layouts, including a full-screen option, to suit your preferences.

• Role-based insights: Tailor your dashboards to your specific role, such as compliance managers, risk officers, and executives.

• Dynamic widgets: Add and customize widgets, including 6clicks charts, Power BI reports, text content, and Hailey Assist, to create the dashboard that fits your needs.

• Real-time filtering: Filter data by statuses (e.g., open risks, completed audits) and time ranges to focus on critical information.

• Admin controls: Administrators can create and enforce standardized dashboards across the organization to ensure consistent reporting and alignment.

This update empowers users with flexibility while ensuring enterprises maintain control over data visibility and governance. Start customizing your dashboard today to gain deeper insights into your GRC landscape!

For more details, check out the Dashboard knowledge base article.

We’ve introduced the ability to assign user groups to question-based assessments, enhancing collaboration and efficiency.

• User groups can be added from the Respondents tab

• Clear prompts handle overlapping invitations, ensuring seamless group or individual assignment.

• Additionally, exported responses now include assigned user groups for improved tracking and reporting.

A number of updates and bug fixes have been released for our Developer API and Power BI connector. These changes appear automatically on the existing endpoints and you do not need to update your Power BI connector.

• Custom fields are now returned for risks, issues, and third parties.

• Bug fix: foreign-key fields marked as nullable in the schema now return null instead of nil-uuids (00000000-0000-0000-0000-000000000000) when a value is not present

In addition to the API improvements, the browser page titles displayed in the web application have now changed to include the full page title in all cases.

We've released a new administration module for customizing system notifications.

This includes the ability to:

• Customize email subject and body templates using dynamic templates

• Disable/enable emails and in-app notifications

• Customize the cadences at which reminder emails are sent, both before and after a due date

Find out more at Custom Notifications.

We’ve updated permissions to improve task management and clarity around Risk Treatment Plan (RTP) access along with introducing a new setting in the Administration area

• Permissions

  • My tasks

    • Users with this permission can access the "My Tasks" menu for streamlined task management

  • My tasks > Risk treatment plan

    • This permission enables users to view and respond to all RTPs assigned to them

    • Linked data within RTPs (e.g., Risks, Controls) is displayed based on each user’s permissions for greater data security and relevance

• New custom email address settings

  • Admins can now set a custom email address directly within 'Administration > Settings > Customization' tab

  • At the Hub level, this settings allows the custom email to be set as the default for all spokes. Spokes with their own specified email will override the Hub default.