
12.8.0

Features and improvements

Security

  • Enhanced session security by automatically terminating the session when a user follows a link marked with both rel="external" and target="_top". This affects only links that take over the main browser window, and lets administrators control which links end the session by setting those link attributes.

Installation

  • Added the loadcvagents utility to install the Customer-Verified connectors. The post-installation and post-upgrade tasks that load connectors now also install the Customer-Verified connectors for the target systems configured on the Bravura Security Fabric instance server.

  • Removed the Customer-Verified pre-installation check to no longer run for proxy server upgrades.

  • Updated the notice message for target systems to notify if any targets are missing their connectors and to show a list of the affected platforms.

  • Added a pre-installation check for Connector Pack upgrades to identify Removed connectors for configured target systems on the Bravura Security Fabric instance server.

  • Added support for .NET 8.

Database

  • Updated minimum supported Microsoft SQL Server version to 2016.

  • Replaced SQL Server audit trigger CONTEXT_INFO with SESSION_CONTEXT, which can store more audit data.

Rebranding

  • The psunix and idmunix configuration, sample, other files are rebranded for Bravura Security references.

  • Updated browser title for desktop web notifications to match current branding.

Authentication

  • Added a new system variable, PASSWORD HISTORY VIEW INCLUDE FAILED PASSWORDS, to control whether failed randomizations are shown in the password history search engine for managed accounts. By default, failed randomizations are not shown.

Components

  • Adjusted a unit test in the IDMlib environment to showcase the escaping of a double quote.

  • Fixed an issue that prevented Functional.hid_authchain_forgot_password cleanup script from manually executing within PyCharm or the command line.

  • Modified hid_authchain_forgot_password to not shadow token.py from stdlib.

    Module names must not match the name of any standard-library module. sys.stdlib_module_names (Python 3.10 and later) is a frozenset of the standard-library module names for that interpreter version and can be used to check for such collisions.

    A minimal example: Create a file named socket.py using the listing below.

    from socket import socket
    
    print()
    

    Running the listing would produce the following output:

    > py -3.11 socket.py
    Traceback (most recent call last):
      File "C:\Program Files\Bravura Security\Bravura Security Fabric\mstg\component\socket.py", line 1, in <module>
        from socket import socket
      File "C:\Program Files\Bravura Security\Bravura Security Fabric\mstg\component\socket.py", line 1, in <module>
        from socket import socket
    ImportError: cannot import name 'socket' from partially initialized module 'socket' (most likely due to a circular import) (C:\Program Files\Bravura Security\Bravura Security Fabric\mstg\component\socket.py)
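    The following check is an added example, not code from the product or from this release: it lists the entries of a component directory whose module name collides with a standard-library module, so that a shadowing file like the socket.py above (or the token.py that this fix renamed) is caught before anything imports it. Besides the circular-import failure shown above, such a file is an import-hijacking risk, because Python puts the script's own directory first on sys.path and every import of that module name resolves to the local file. The script uses sys.stdlib_module_names where available (Python 3.10 and later) and otherwise falls back to enumerating the interpreter's stdlib directory; the sample file names and the directory it scans are assumptions for illustration.

```python
import pkgutil
import sys
import sysconfig
from pathlib import Path

# Names a module in the script directory must not use: anything the interpreter
# would otherwise resolve from the standard library. Python 3.10+ publishes the
# set; older interpreters get an approximation built from the stdlib directory
# plus the compiled-in builtin modules.
try:
    STDLIB_NAMES = frozenset(sys.stdlib_module_names)
except AttributeError:
    STDLIB_NAMES = frozenset(
        info.name for info in pkgutil.iter_modules([sysconfig.get_path("stdlib")])
    ) | frozenset(sys.builtin_module_names)


def module_name_of(filename):
    """Map a directory entry to the top-level module name Python would import it as.

    'socket.py' -> 'socket'; a package directory 'json' -> 'json';
    anything that is not importable as a top-level module -> None.
    """
    path = Path(filename)
    if path.suffix == ".py":
        name = path.stem
    elif path.suffix == "":
        name = path.name
    else:
        return None
    # Dunder files such as __init__.py and non-identifiers are never imported by name.
    if not name.isidentifier() or name.startswith("__"):
        return None
    return name


def shadowed_stdlib_modules(entries):
    """Return the sorted stdlib module names that the given directory entries would shadow."""
    names = (module_name_of(entry) for entry in entries)
    return sorted({n for n in names if n is not None and n in STDLIB_NAMES})


def scan_directory(directory):
    """Run the check against a real directory (the path is supplied by the caller)."""
    return shadowed_stdlib_modules(p.name for p in Path(directory).iterdir())


if __name__ == "__main__":
    # Constructed sample listing, not real product files: two entries collide with the stdlib.
    sample_listing = ["socket.py", "token.py", "hid_authchain_forgot_password.py", "README.md"]
    print(shadowed_stdlib_modules(sample_listing))  # ['socket', 'token']
    # Assumed usage: pass the component directory to scan as the first argument.
    for name in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name} shadows the standard-library module '{name}'")
```

    Running the script with a component directory as its argument prints one line per colliding name; an empty result means no top-level file or package in that directory would shadow the standard library on the interpreter that ran the check.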

  • Updated base components to use the DISCOVERY_FLAG_SMALL_QUEUE flag for small discoveries (such as a single object).

  • Added a component, role_rerun, that requests a rerun of wfreq if a role add with a template requiring a password exists in the request.

Bravura Pass

  • Fixed a race condition in replication environments for password reset requests submitted from the UI on other nodes. The new IDPM BLOCK CHECK ALL NODES system variable controls whether all replication nodes are checked for blocking records; this check is slower but more thorough, and is intended for environments where transparent synchronization is also set up.

  • Exposed failed hosts in IDPM_REQUEUE exit trap.

  • Introduced a new option to exclude specific hosts from password expiry notifications and adjusted the notification service to be independent of the target configuration option "Check password expiry" (host.usrexp).

  • Added a check to prevent extdb model creation if a model contains the @ in one of its fields.

Bravura Pass Plus

  • Added README.md files outlining installation, configuration, and use of the Functional.plus_password_change_service and Functional.plus_automatic_resecure components.

  • Changed how accounts are filtered in Pass Plus to avoid over burdening the REST API with expensive queries.

  • Added script that caches Pass Plus account enrollment in Bravura Cloud, to enable Cloud to visualize what accounts are enrolled, and Fabric to more quickly evaluate which accounts are enrolled.

  • Updated the display of accounts in the UI so that if the account name (longid) is a GUID value, it falls back to loading the account's shortid. This affects all places where account information is displayed.

  • Added SAFE_TARGET and SAFE_ATTRIBUTE configuration keys to Pass Plus's global configuration namespace. The keys represent the Target ID of the Bravura Safe Target, and the name of the account attribute that contains the account GUID of the real account for which the Bravura Safe secret contains the password.

  • Modified the Pass Plus Password Change Service to validate that accounts submitted for password changes have associated Bravura Safe secrets.

  • Modified the Pass Plus Password Change Service to update the Bravura Safe secret with the new password for the account.

  • Added FILTER_ACCOUNT_PLUGIN script to Functional.plus_password_change_service to prevent users from manually changing the password of Pass Plus accounts via self service password change. Passwords can still be manually updated via Help Desk, in case Pass Plus accounts require manual intervention.

  • Added new functionality to Pass Plus to create Safe Secrets automatically for enrolled Users and Accounts. This functionality is disabled by default to prevent performance issues or over provisioning if filters are configured incorrectly.

  • Added a new password generation plugin, advrandpasswd to be able to generate stronger passwords for Bravura Pass Plus.

Bravura Identity

  • Modified the Request access to network resources page, and the SMB Protocol for Active Directory DN network resource connector (nrcifs.exe), to display the list of network resources sorted by resource name.

  • Added the -threads option to rbacenforce.exe and autores.exe so that requests to resolve violations are submitted in parallel, along with the PSUPDATE AUTORES THREADS and PSUPDATE RBACENFORCE THREADS system variables, which set the number of threads to use during auto-discovery.

Bravura Privilege

  • Added the system variable IDARCHIVE_RANDOMIZE_LOCAL_FALLBACK, which allows randomizations to be performed on the local node when the managing node is unavailable. It is enabled by default.

    If IDARCHIVE_RANDOMIZE_LOCAL_FALLBACK is disabled, a confirmation dialog box appears on pages where bulk randomizations are performed, stating that the randomizations will be performed by the local node.

  • Added a discovery flag to reduce disk space usage for discoveries that are likely to be small (such as pull-mode ones). By default, pull-mode systems will use this flag. The LWS SAVE QUEUE SPACE system variable can be used to return pull-mode systems to their old behavior.

  • Modified the Privilege app to separate randomization of multiple accounts according to managed system policies.

  • Optimized import rule execution for import policy rules to be more efficient.

  • Clarified password conflicts pages that could be read to imply that the reason displayed was the reason the conflict happened rather than the reason that the conflict could not be automatically resolved.

  • Increased the capacity of import rule attribute conditions.

  • Enhanced the Guacamole RDP Disclosure plugin to display the remote hostname in browser tab titles, significantly improving user experience when managing multiple remote desktop sessions.

  • Optimized team-filtered searches, especially for cases with very large numbers of memberships.

  • Updated disclosures version to 12.8.0.

Idmunix

  • Added support for Red Hat Enterprise Linux 9 for the idmunix-rhel-el9.x64.tar.gz package.

    The following features are available in this package and therefore now support Red Hat Enterprise Linux 9:

    • hid-idapi.rhel-el9.x64.rpm - api library modules

    • hid-common.rhel-el9.x64.rpm - common library modules

    • hid-pamutil.rhel-el9.x64.rpm - pamutil (used to retrieve credentials for Bravura Privilege )

    • hid-mobproxy.rhel-el9.x64.rpm - Mobile Proxy Service (mobproxy) running on a Bravura One mobile proxy server

Authentication

  • Improved the styling and structure of radio selection lists in authentication chains.

  • Added support for reCAPTCHA v3 for authentication chains by adding the Functional.hid_authchain_recaptcha_v3 and Scenario.hid_authchain_recaptcha_v3 components.

Reports and dashboards

  • Added a health check for user class cache validity. The check includes a link to recalculate the caches.

Workflow

  • Updated the autores utility to skip a deprecated role specified by the -role option: it no longer calculates variances or submits requests for the deprecated role.

  • Modified the Requests app to add two more filters in the OTHER REQUESTS section of the left menu panel for users with the "View workflow requests" global help desk ACL, and retired the "View open requests" and "View archived requests" ACLs, which are no longer needed with the new filters. The new filters are:

    • All: view all requests

    • Closed: view archived requests only

  • Optimized GroupMemberList and GroupMemberListByAccount stored procedures.

Groups

  • Introduced a new system variable MANAGED GROUP INHERITANCE COPY TARGET. It enables more intuitive handling of phased authorization when inheriting target system authorization. The system variable allows for retaining prior behavior so as not to disturb release trains. Upgrades will retain prior behavior (having the system variable disabled). New installs will have this turned on by default, allowing for new behavior.

Upgrade / Migration

  • Enhanced the upgradetest utility to perform a database object integrity check upon completion, validating that the schema after the test upgrade matches the intended schema of the new version. This is the same "database objects verification" post-upgrade check that the setup installer performs.

    The upgradetest.exe utility upgrades a copy of the database to ensure that all tables can be upgraded without issue; it now runs the verifydbobjects.exe check afterwards to confirm that the resulting database objects are correct.

REST API

  • Added "targetsystems_get" policy check for v2 REST API endpoints:

    • DELETE /targetSystems({$targetSystemKey})/attributeDefinitions

    • POST /targetSystems({$targetSystemKey})/attributeDefinitions

    • POST /targetSystems({$targetSystemKey})/credentials

    • GET /targetSystems({$targetSystemKey})/credentials({$targetSystemCredentialKey})

    • POST /targetSystems({$targetSystemKey})/credentials({$targetSystemCredentialKey})

    • DELETE /targetSystems({$targetSystemKey})/credentials({$targetSystemCredentialKey})

  • Modified the REST API endpoint POST /users({{userKey}})/credentials/BravuraSecurity.REST.Models.v2.Question so that it fails immediately if the user specified by userKey doesn't exist.

  • Modified the REST API to query system variable values directly from the database as needed, instead of consulting a cache that relies on change notifications from SQL Server Service Broker.

Connectors

  • Added support for OpenSSL 3.0 for the psunix package for Connector Pack and for the idmunix package for Bravura Security Fabric.

  • Added the agttelnet-openssl.exe Telnet connector that adds support for OpenSSL 3.0.

  • Added the Path to attribute value (XPath/JSONPath) parameter when creating or overriding account attributes for a target type. It maps to the path meta attribute in the attribute definition schema and lets REST/XML paths be customized to point at specific data in custom schemas. This is primarily for REST/JSON-based connectors with expandable schemas.

UI / Customization

  • Added configuration options in config.js to control the Chosen jQuery plugin's activation thresholds for both single-select and multi-select elements, improving accessibility for dropdown menus with fewer options.

Replication

  • Killed stored procedures are now retried indefinitely. Administrators can set the NoKillRetry registry setting to bypass this behavior if a procedure needs to be killed and not retried.

  • Added two hardcoded exclusions to file replication: a folder under the instance root named local and a registry key under the instance root named local. These two locations can be used to hold files and registry values that are local to an instance and should not be replicated.

Proxy servers

  • Added configurable keepalive options to both the client and server sides of the WebSocket Connector Proxy and reduced the default setting from 2 minutes to 30 seconds. Some network appliances have aggressive idle connection timeouts that will disconnect the WebSocket Connector Proxy's apparently-idle connection without a short keepalive.

  • Enabled specifying more than one proxy on the same host for a target system. This is the correct way to specify a fallback proxy when using the WebSocket Connector Proxy. Note that while it is now possible to configure multiple non-WebSocket proxies on the same host, that remains an incorrect configuration.

    Before the WebSocket Connector Proxy feature was added, the "List of proxies to run connectors on" target configuration option only allowed unique proxy server hosts, since each proxy had to be a separate host/system. The option now accepts the same proxy server host with different port numbers, for example "localhost/3344,localhost/3345", to support the multiple proxy server hosts that may optionally be configured for the WebSocket Connector Proxy feature.

Resolved issues

Security

  • Addressed CVE-2024-39694 by porting the fix from Duende to the OSS IdentityServer 4.

Installation

  • Added a check to only display scripted connectors if their script exists when checking for missing connectors for the target configuration page.

  • Updated the target configuration page to mention the checkplatform.exe utility when configured targets are missing one or more connectors.

  • Modified the installer to correctly verify .NET 6 is installed on pre-installation check.

  • Fixed an issue when using an absolute path for custom connectors that was previously showing an error for "The connector for [] is not installed" on the target configuration pages.

  • Added the ability to use relative paths for the directories that loadplatform uses for the connectors rather than absolute paths so that the connector files such as attribute definition files can be located correctly.

  • Fixed an issue for the trace functionality in order to log the thread id correctly for agent operations in the trace file that is used by the Trace Logging target system address configuration option.

  • Removed installer requirement that the SQL Server service broker be enabled.

  • Ensured logs are flushed to disk (file) when robot installation is completed or failed.

  • Modified setup to remove an extraneous check for the "Connectors Being Removed" pre-install check so that this check does not run when upgrading the global Connector Pack on a proxy server.

  • Updated the Login Assistant installer (ska-x64.msi) to hide the password for the administrative credentials (ADMIN_USERNAME, ADMIN_PASSWORD) in the log file.  It is now replaced with "**********" in the logs.

  • Fixed formatting issue of error message when unable to load customer-verified connectors during setup.

Components

  • Added headers to the output of manage_components.py list {choice} --automated csv.

  • Fixed manage_components.py list <choice> --automated kvg to correctly output all dependents and conflicts.

  • Fixed issues with Functional.im_termination:

    • around users in the "disabled" termination state still triggering termination warnings due to being preemptively urgently terminated.

    • around users who were terminated, then restored, who are now approaching termination again not triggering termination warnings.

  • Unset the SCHED-NOTIFY attribute in the DEFER-TERM PDR to avoid sending excess warning messages about users whose termination was deferred.

  • Reverted the use of the DISCOVERY_FLAG_SMALL_QUEUE discovery flag.

  • Bravura Security Fabric now checks that the hid_extdb table exists before removing component data from it. This fixes a problem where a component providing both a model and data could not be removed.

  • Changed the primary key of the pam_disclosure_filter_policy table from FilterID to StageNumber and RuleNumber so that it behaves like the other policy tables.

  • Resolved an issue with Chosen select lists where the destructor would fail in certain refbuild wizard configurations.

  • Changed the behavior of hid_authchain_select's expression MatchType.

    expression now only works with set, notset, equal and notequal:

    • set is the same as the previous behavior: the rule matches if the expression in MatchKey is truthy (common product shorthands such as T/F and 1/0 are converted to True/False).

    • notset is the opposite: the rule matches only if the expression in MatchKey is falsy (with the same shorthand conversion).

    • equal matches only if the expression evaluates to the string in MatchValue.

    • notequal matches if the expression evaluates to any value other than the one in MatchValue.

      See upgrade action.
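    The four MatchType values described above, as an added illustration of the stated semantics. This is not the component's own code: the function names, the rule-table field names, the shorthand spellings folded to True/False beyond the T/F and 1/0 the notes mention, and the treatment of an unknown MatchType are all assumptions made for the example.

```python
# Shorthand spellings folded to True/False. Only T/F and 1/0 are documented above;
# the rest of this set is an assumption for the example.
_TRUE_WORDS = {"true", "t", "yes", "y", "1", "on"}
_FALSE_WORDS = {"false", "f", "no", "n", "0", "off", ""}


def is_truthy(value):
    """Fold a MatchKey expression result to a bool, as the set/notset rules do."""
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    text = str(value).strip().lower()
    if text in _TRUE_WORDS:
        return True
    if text in _FALSE_WORDS:
        return False
    # Any other non-empty text (a user name, a list rendered as text, ...) counts as set.
    return True


def rule_matches(match_type, expression_value, match_value=None):
    """Evaluate one rule.

    match_type: 'set', 'notset', 'equal' or 'notequal'
    expression_value: what the MatchKey expression evaluated to
    match_value: the MatchValue string (used only by equal/notequal)
    """
    if match_type == "set":
        return is_truthy(expression_value)
    if match_type == "notset":
        return not is_truthy(expression_value)
    # equal/notequal compare the rendered expression result against MatchValue.
    if match_value is None:
        raise ValueError(f"MatchType {match_type!r} requires a MatchValue")
    rendered = "" if expression_value is None else str(expression_value)
    if match_type == "equal":
        return rendered == match_value
    if match_type == "notequal":
        return rendered != match_value
    raise ValueError(f"unsupported MatchType {match_type!r}; use set, notset, equal or notequal")


def first_matching_rule(rules, context):
    """Return the first rule whose MatchKey lookup in `context` satisfies its MatchType.

    Each rule is a dict with Name, MatchKey, MatchType and optional MatchValue;
    the field names mirror the configuration vocabulary above but are assumed here.
    """
    for rule in rules:
        value = context.get(rule["MatchKey"])
        if rule_matches(rule["MatchType"], value, rule.get("MatchValue")):
            return rule
    return None


# Constructed sample rule table and contexts, not product configuration.
SAMPLE_RULES = [
    {"Name": "mfa", "MatchKey": "mfa_enrolled", "MatchType": "set"},
    {"Name": "corp-password", "MatchKey": "domain", "MatchType": "equal", "MatchValue": "corp"},
    {"Name": "fallback", "MatchKey": "domain", "MatchType": "notequal", "MatchValue": "corp"},
]

if __name__ == "__main__":
    for ctx in ({"mfa_enrolled": "1", "domain": "corp"},
                {"mfa_enrolled": "F", "domain": "corp"},
                {"mfa_enrolled": "F", "domain": "ext"}):
        print(ctx, "->", first_matching_rule(SAMPLE_RULES, ctx)["Name"])
```

    One point to keep in mind when writing set rules: anything that is not a recognised false spelling is treated as set, so a MatchKey that selects an authentication method should evaluate to a genuinely boolean-like value, not to an arbitrary non-empty string.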

Connectors

  • Resolved an issue where a failed connector operation showed the generic "Failed (Failed: Operation results missing for index [0].)" message instead of the actual error message, to aid with troubleshooting.

  • Made account attributes available to connectors for GRUA and GRUD operations.

  • Adjusted the pattern descriptions to match the new naming.

  • Added a lock mechanism to loading components so that multiple load executions cannot interfere with one another.

Discovery

  • Optimized auto-discovery.

  • Fixed the "console users with empty passwords" check in auto discovery (psupdate) to properly retrieve the console users' display names.

  • Fixed a crash in discovery when malias.txt is not formatted correctly.

  • Fixed incorrect display of which node is the cause when the replication details page is read-only due to running auto-discovery.

  • Optimized the userclass/userclasspoint cache update triggered by a single-user psupdate. Instead of recalculating all memberships of the affected userclasses/userclasspoints, it now tests userclass/userclasspoint memberships only against the specified user and updates the cache accordingly, which should be much faster.

  • Optimized auto assignment variance checking and the generation of autores child requests spawned from another request.

  • Updated idmlib to:

    • Avoid committing and waiting on empty discoveries:

      • Implement a discovery context manager and use it throughout components.

      • Remove the append_open and append_close methods.

    • Move the discovery item tracking logic into idmlib.dll.

    • Remove the default value for context_exit_action from discovery_context.

      • Adjust the return value types of the wrapped commit and wait functions to be correct.

  • Fixed a deadlock that can occur when the system is experiencing severe memory pressure.

  • Fixed an issue where cross-target group relationships can not load as group members (if the account/group members are also loaded within scope) on subsequent nightly discovery. This was previously causing an issue where Active Directory domain accounts could not be listed for an NT managed group that would only list local users as group members.  The Active Directory domain accounts are now also listed for the NT managed group members.

  • The default value for the discovery option "Link accounts on this target system to subscribers" for the target system discovery template NT_TEMPLATE has been changed from enabled to disabled. Additionally, all discovered systems created from NT_TEMPLATE will have this setting set to disabled during upgrade.

  • Optimized views and queries to calculate nested group memberships which can improve performance of stored procedure UserclassUserList called by loaduccache utility.

Authentication

  • Fixed an issue where Q&A could not be validated properly against external question sets (validation always passed) when authenticating through idapi (idapisoap).

  • Fixed an issue where phased authorization was stuck when an authorizer approves a phase when:

    • System variable "IDWFM AUTH PHASE PROPAGATION" is enabled

    • The authorizer is assigned to multiple phases, where each of those phases has multiple authorizers assigned.

  • Fixed an issue with phased authorization when there is a denial at one phase due to insufficient authorizers causing later phase(s) to not open, ultimately resulting in the request being stuck in approval state and never completing.

  • Fixed an issue with the httpauth.exe web server authentication plugin in regards to querying cookies that was previously causing an invalid session for the transparent authentication integration.

Authentication chains

  • Simplified the SAML RelayState payload so that it is less than 80 characters, to meet the SAML specification.

  • Fixed an issue where authchain cannot validate against external question sets properly (if configured).

  • The hid_authchain_forgot_password authentication chain now uses HTTP_ORIGIN instead of HTTP_REFERER. The Referrer-Policy was changed to no-referrer, so the HTTP_REFERER value is no longer available.

  • Fixed an issue when setting the From all question sets option to a numbered value.  This option can be found in the Number of questions to ask during authentication section for the response.pss module for an authentication chain. Setting this option will now correctly prompt a user for the number of randomly selected questions from their question sets for the number of questions noted for this option.

Database

  • Fixed some stored procedures that were replicating when they shouldn’t be.

  • Optimized the FoundCompattrListMV stored procedure as well as some pre-defined requests using the same schema.

  • Performance improvements by way of replacing a number of calls to stored procedure WstnPwdGetFull with less expensive ones.

  • Bravura Security Fabric pre-emptively prevents SQL Server from choosing a poor plan for MetaMergeGetDeleted.

  • Fixed unittest failures related to renamed PlatformBacking table.

  • Fixed a failure of the stored procedure FoundComputerImportRevert that could occur when multiple target system import rule evaluations for the same discovered system occurred within the same millisecond and target creation ultimately failed (due to network failure, incorrect credentials, and so on). Failure of this stored procedure causes temporary target systems to be left behind.

  • Performance fix for stored procedures AttributeSet and AttribAdd leading to the prevention of deadlocks when large sets of data are involved.

Replication

  • Optimized one of the queries in ObjattrResync.

Reports

  • Fixed an issue where requested action's audit time was not updated when the action is processed. The Request event log report can now load the end time of the action properly.

  • Fixed the Managed Account Attributes report so that the user who scheduled the report is used during scheduled execution.

  • The Sent Notifications (usernotif) report now contains the correct number of users in summary mode.

Upgrade and migration

  • Fixes an upgrade failure in some cases when the upgrade script intended to correct very rare group membership data inconsistencies encounters both consistent and inconsistent data.

  • Streamlined component load process to not import every Python script.

  • Fixed group set data created in pre-12.0.0 so that check-outs and check-ins perform as expected after upgrade.

  • Resolved an upgrade issue due to failure in dropping index reqinfo_full_uk1.

Proxy servers

  • Fixed an issue where WebSocket Connector Proxy clients could not connect if the host service was unable to shut down cleanly.

  • Fixed an issue where it was only possible to create one ProxyTunnel client with persistent listing disabled.

  • Fixes an issue where the WebSocket Connector proxy is unable to start on older versions of the .NET framework.

  • Fixed a failure when upgrading a proxy that does not have the WebSocket connector proxy installed.

  • Fixed an issue where proxy services would incorrectly report that a file didn't exist if that file was larger than 4 GB.

  • Fixed an issue where the WebSocket Connector Proxy was unable to authenticate after performing a major-version upgrade.

Bravura Privilege

  • Changed the checkorder entries of sample import rules to not conflict.

  • Fixed import rule and import rule expression checkorder validation bugs in idmconfig that were preventing updates to existing import rules.

  • Fixed an issue to correctly inject the password into RDP credential window when using RDP disclosure plugin on Windows 11.

  • Fixed Managed account's rule conditions page to always load select button (>) in the rules list table even when the page is not wide enough (not collapsing the button into the expand details button).

  • Fixed incorrect group assignment for accounts that were deleted and then recreated with the same name while not listed (for example, while in a non-listing OU).

  • Fixed Wizard-related stored procedures to not fail on unnecessary failed type conversions.

  • Fixed an idmconfig export issue where ImportRuleAttr would only export if the associated import rule is disabled.

  • Added the accountShortID builtin attribute for account import rules.

  • Improved speed of evaluation of import rules.

  • Fixed ajax.exe crashing on IPC failure.

  • Added fixes that improve the efficiency with which local service mode discovered-system data is sent to the Discovery service (iddiscover). Fixed server-side issues in local service mode to reduce the number of discoveries submitted to the Discovery service (iddiscover).

  • A vault-only password override is disabled in Resources > Privileged access > Managed systems > Managed accounts > [choose account] if the account is in HISTORICAL_DATA_GRP.

  • In the Guacamole server connection error page:

    1. Updated the error message

    2. Removed the Reconnect button, and

    3. Modified the window title

  • Fixes import rule and import rule condition data during upgrade so that there are no duplicate checkorder values that may have been erroneously inserted in an older product version with inadequate data validation.

  • Verified import rules can be added and updated using idmconfig-util.exe. Invalid checkorder validation has been removed.

  • When determining passwords that need to be flagged as "uncertain", the Local Workstation Service includes ones that are pending and have svcids that no longer exist.

  • Prevented the system variable BYPASS_SCHEDULE_FOR_PRIORITY_RANDOMIZATIONS from affecting local service mode systems.

  • Fix to properly detect password conflicts when the password is randomized simultaneously on its very first randomization.

  • Clipboard contents are not pasted into the Guacamole menu when it is not visible.

  • Description text of system variable IDARCH_RANDOMIZE_LOCAL_FALLBACK has been improved.

  • When system variable IDARCH_RANDOMIZE_LOCAL_FALLBACK is set to disabled, dialog warning text when clicking the Randomize button on the following screens has been improved:

    • Privileged access > Managed system policies > Randomization

    • Privileged access > Managed systems > Randomization

    • Privileged access > Managed accounts

    • Privileged access > Managed systems > <choose managed system> > Managed accounts

  • Fixed a minor bug where discovered system audit data is not always updated.

  • Added plugin-only search filter support for the IN operator. Components use the IN operator where possible.

  • Prevented disabling of randomizations on Managed System Policies with authentication of Group set only.

  • In the pam_system_management component, added the missing EXPLICIT_API_USERS ACLs for HISTORICAL_DATA_GRP. This fixes the case where a system was first archived, then, disabled, and finally deleted. The last two actions could not be done without the missing permissions.

  • Fixed component import and export of managed system policies with multi-phase authorization so that all authorizers are accounted for instead of just one.

  • The Guacamole in-browser RDP token redemption request has been modified to use HTTP POST instead of GET, so that the token no longer appears in the request line recorded in IIS logs.

    Details: Two components have been modified:

    • The Guacamole server (pam-guacamole.war, which is inside idmunix-rhel-el8.x64.tar.gz) has been modified. When it connects to Bravura Security Fabric to redeem a token, it uses HTTP POST instead of HTTP GET.

    • smonotu.exe (the Bravura Security Fabric CGI) has been modified to handle both HTTP POST and HTTP GET during token redemption (previously, it only supported HTTP GET).

    Important

    When upgrading, Bravura Security Fabric has to be patched first.
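    The following check is an added example, not part of the product or of the fix above. After the upgrade, a security operations team can run it over the IIS W3C extended logs of the Fabric server to find any token redemption that still arrives as an HTTP GET with a query string, which is the form that wrote the token into the logs; such hits mean an un-upgraded Guacamole server is still in use. The column layout is taken from the standard IIS "#Fields:" header; the sample log lines, the instance path, and the "token" parameter name are constructed for illustration and are not the product's actual parameter name.

```python
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "line_no method stem query client_ip")


def parse_w3c_log(lines):
    """Yield (line_no, record dict) for an IIS W3C extended log.

    The '#Fields:' directive names the columns; other '#' lines are comments.
    """
    fields = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data before any #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {line_no}: expected {len(fields)} fields, got {len(values)}")
        yield line_no, dict(zip(fields, values))


def find_get_token_redemptions(lines, stem_suffix="/smonotu.exe"):
    """Report GET requests to the token-redemption CGI that carry a query string.

    POST redemptions put the token in the body, which IIS does not log, so only
    GET requests with a non-empty cs-uri-query are of interest.
    """
    findings = []
    for line_no, rec in parse_w3c_log(lines):
        if rec.get("cs-method") != "GET":
            continue
        if not rec.get("cs-uri-stem", "").lower().endswith(stem_suffix):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        findings.append(Finding(line_no, "GET", rec["cs-uri-stem"], query, rec.get("c-ip", "?")))
    return findings


def redact_query(query, secret_params=("token",)):
    """Mask the values of secret query parameters before a finding is reported or stored."""
    pattern = r"\b(" + "|".join(map(re.escape, secret_params)) + r")=[^&]*"
    return re.sub(pattern, lambda m: f"{m.group(1)}=<redacted>", query, flags=re.IGNORECASE)


# Constructed sample log, not real IIS data. The '/psp' instance path and the
# 'token' parameter name are assumptions for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-07-01 12:00:01 10.0.0.5 GET /psp/smonotu.exe token=9f3c2a8d77e1 443 10.0.0.40 200
2024-07-01 12:00:02 10.0.0.5 POST /psp/smonotu.exe - 443 10.0.0.40 200
2024-07-01 12:00:03 10.0.0.5 GET /psp/psf.exe page=home 443 10.0.0.41 200
2024-07-01 12:00:04 10.0.0.5 GET /psp/smonotu.exe - 443 10.0.0.42 200
""".splitlines()

if __name__ == "__main__":
    # Assumed usage: pass an IIS log file as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG
    for f in find_get_token_redemptions(log_lines):
        print(f"line {f.line_no}: {f.method} {f.stem}?{redact_query(f.query)} from {f.client_ip}")
```

    Any finding after the upgrade points at a client still redeeming tokens over GET; the report redacts the token value itself, because the check would otherwise copy the same secret it is looking for into another file.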

Bravura Pass

  • Fixed an issue where the password rule "not have been changed by you in the last N hours" failed to validate when a user has multiple accounts and some of the accounts' passwords were changed within the last N hours while at least one account's password was last changed earlier than that.

  • Fixed idpm so that when a user's accounts are reset to a previously used password (if the password policy allows it) and that old password was used by only one account, history.time is set to the time the old password was initially used only for that single account, rather than for all accounts.

  • A password changed will only be recorded when the password change succeeded (so the “not have been changed by you in the last N hours” rule can pass for a password that failed to be set).

  • Fixed an issue on the password reset results page where error messages returned from a connector for failed reset were truncated.

  • Fixed the Login Assistant that was previously sometimes preventing the network connector selector to appear when WiFi is disconnected.

  • Fixed unexpected quit during password reset when the browser client IP was too long.

  • The Database service (iddb) writes to two named pipes to update OPADotNet for REST and IdentityServer applications.

Pass Plus

  • Fixed Functional.plus_automatic_resecure not finding all expired accounts for a user.

  • Fixed an issue in Functional.plus_automatic_resecure that prevented the processing of expired accounts with a backslash (\) in the name.

  • Fixed an issue in Functional.plus_password_change_service, by enabling a hook, where the startup type of the pluspwdsvc service was not correctly set to Automatic (Delayed Start).

  • Fixed an issue in the provisioning script that would cause it to fail to associate Secrets to Collections if too many new Groups were provisioned at once.

Bravura Identity

  • Fixed issues in the Requests app for implementer request:

    • Implementers can now edit the request when they have the appropriate ACLs after accepting the task.

    • When implementers also have the "View workflow requests" but not "Manage workflow requests" ACL, they can act on the task (accept/complete/decline/etc.) assigned to them through the "OTHER REQUESTS" filter.

  • Fixed an issue where account attributes could not be set in the product database for a new account created by an implementer, based on the following mapping configurations:

    • Action when creating account: Set to specified value

    • Map account attribute to profile/request attribute: [profile attribute to map to]

    • Load attribute values from target system: checked

    • Populate mapped profile attribute with values from target system: unchecked

  • Added upgrade for the modified role app components.

  • Fixed an issue where account attributes could not be passed to the agent for the create-account operation when the user (profile name) was renamed after the request was submitted.

  • Fixed a performance issue where it took a long time to start creating role requests when there are a large number of existing roles configured.

  • When a mapped account attribute has the option "Action when updating account" set to "Set to specified value" and the mapped profile attribute is also loaded from it, and a (completed) request has updated the profile attribute to another value, the profile attribute can be removed during psupdate when the account attribute is cleared on the target.

OrgChart

  • Fixed an issue where a transfer subordinate request could not update the OrgChart properly after the request was approved if the old manager was already terminated (invalid).

  • Adjusted the early termination condition in im_corp_hr_orgchart_manager to check the OrgChart data in addition to attribute values.

Workflow

  • Fixed an issue with requests for a new account and new groups (on the same target as the new account), where the requested new group could not be removed when editing an already submitted (pending) request or during request creation.

  • Modified the workflow service (idwfm) and the transaction monitor service (idtm) to automatically complete (set reqbatch.status to 'C') requests stuck in processing because idtm did not receive the agent's results in a timely manner. The grace period is determined by the remainder of the retry intervals. On idtm service start, the result of any unfinished operation is marked as "N" (Unknown).

    This is a key workflow improvement when requests become stuck in processing.

  • Fixed an issue where, when a delegate of a request tried to view the request details in the Requests app, the popup page was empty and stated that the user did not have permission.

  • The options "Changes made will invalidate authorizations" and "Encrypt this attribute in the database" can no longer both be checked at the same time when adding or updating an attribute via the UI or idmconfig.

  • Fixed a regression where profiles could have profile attributes deleted during discovery if:

    • The profile attributes are set by a request, and

    • The profile attributes are mapped to an account attribute, but

    • The profile does not have an account associated that would provide that mapping

  • Fixed multiple issues in the wizard functionality, including form control validation, attribute page navigation, and disabled attribute handling. This resolves problems with moving between wizard pages when date selector attributes are in read-only mode, ensuring a smoother and more intuitive user experience during request submissions and authorizations.

  • Fixed Functional.hid_batch_request_submit to automatically remove the leading and trailing spaces from column name values.

  • Updated Scenario.pam_vault_management to convert generic exceptions into specific error messages.

  • Fixed a log warning when loading time zone information for UTC, where the warning was:

    Warning: Failed to read registry value for TZI for [Coordinated Universal Time] - The system cannot find the file specified.

  • Fixed an issue on request details popup page where attributes ACLs are not respected on refresh.

  • Improved the request KVG in the workflow plug-in's input: when a request contains duplicate resources, it now always includes the copy from the enacted resource, if applicable. This avoids issues in authmod, implementer and other plug-ins caused by the duplicate resources.

  • Moved the AUTHORIZERS-OF-LAST-RESORT functionality from Functional.im_policy_authorization to Functional.last_resort_authorization:

    • Namespace for hid_global_configuration keys changed from im_policy_authorization to last_resort_authorization.

    • Default data previously provided by Functional.im_policy_authorization for hid_global_configuration keys like AUTHORIZERS-OF-LAST-RESORT are now provided by Scenario.last_resort_authorization. This component is included in RefBuild.im_corporate, but customers using this functionality outside the RefBuild will need to install this new Scenario (or Functional.last_resort_authorization and provide their own data).

    • Minor functionality change: Previously, this functionality would also add authorizers from the configured user class if the SampleSize of an im_policy_authorization rule could not be met by that rule's configured user class, even if enough authorizers were already assigned to meet the number of required authorizers. Now, if the number of required authorizers is met, last_resort_authorization does not assign additional authorizers; because the functionality was moved to a new component, it has no awareness of the configured SampleSize.

    • New functionality: New hid_global_configuration key for last_resort_authorization: AUTHORIZERS-OF-LAST-RESORT-ASSIGN-ALL. If this key has a value of True, as many members as possible from the configured AUTHORIZERS-OF-LAST-RESORT user class will be assigned to the resource (up to MAX_AUTH_ALLOWED) instead of the minimum number required to successfully authorize the request.

  • Fixed an issue where an implementer(request)-created account could conflict with a discovered account if their object names differed only by case, resulting in a runtime error during discovery.

  • Fixed an issue where the authmod plugin failed to populate authorizers if a request has duplicate RLUA operations (added by wfreq plugin).

  • Fixed an issue where the wizard's entitlement members page was broken when starting a request in the Roles app, if some of the potential members' descriptions were too long.

Services

  • The base logging configuration (specified under the idmlogsvc service in Manage the system > Maintenance > Services > idmlogsvc) no longer replicates, to allow for different nodes to log at different levels.

  • Fixed a delayed crash that could occur when agents timed out at the same time as they finished running.

  • Removed the hard-coded retry message from the Transaction Monitor Service (idtm) to resolve an issue with error messages from ACTryAgainLater.

  • Updated the idpm service to log queued password reset operations with the appropriate result (success/failure) for password resets requested from the UI.

Utilities

  • Fixed utility loaduccache.exe to return only cacheable userclasses/userclasspoints with the -listuc and -listucp options respectively.

  • Fixed a random crash in the rbacenforce utility.

  • Instdump.exe now includes the MTCSPI common files subfolder when listing binary versions.

  • Modified the userunlock utility to ignore the LOCKOUT_DURATION system variable when the "-all" option is specified, since that variable should only apply to automatic unlock.

  • Improved usability around the logutil utility on non-instance systems. Well-known instance names that correspond to client utilities (such as disclosure plugins) no longer require the makekey flag to be set.

  • Resolved an issue with loadplatform, where additional error handling/messages had been added for missing CSV files that would not typically be part of a custom component connector. The fix removes the error handling/messages for these missing CSV files and changes the Connector Pack location the script uses to find custom components.

  • Fixed an issue with the updproxy utility when replicating files from the primary to proxy servers, so that both .exe and .py files within the plugin folder are replicated. Previously, the .py scripts were not replicated to the proxy server.

Logging

  • Added a retry when creating a symbolic link during log rotation.

  • Fixed idmsuite log lines longer than the allowed maximum not having "…" appended to indicate the truncation.

  • Fixed idmsuite log lines longer than the allowed maximum having a blank process name.

  • Clarified and improved logging related to discovery.

  • Fixed incorrect error message when psupdate failed to run because another instance of psupdate was already running.

  • Fixed an issue where the identifier in the logs intended to correlate user activity in the AJAX service would get stuck showing the same user ID repeatedly.

  • Fixed an issue so that the Identifier field (ident column in the sesslog_full table) is now filled in for password reset related operations, such as transparent synchronization requests. Previously, this caused the Identifier field to be blank in the Event Log reports for later versions of Bravura Security Fabric.

  • New Windows event logs for Admin and Operational events now appear in Windows Event Viewer under Applications and Services Logs > Bravura Security Fabric instead of Applications and Services Logs > Hitachi > Hitachi ID Systems > Hitachi ID Suite.

UI / customization

  • Fixed an issue where some CGIs could fail to load until IIS was restarted after initial product installation.

  • Fixed an issue where the product login page wasn't respecting the browser's preferred language settings, ensuring users now see the login interface in their browser-defined preferred language.

REST API

  • Fixed REST API v2 bugs that caused some group membership related endpoints to return incomplete JSON when requested with full metadata.

  • REST API v2 fixed for endpoints:

    • DELETE /groups({key})

    • DELETE /accounts({key})

  • REST API v2 PATCH /group requests now properly apply group attribute changes.

  • Added target system validation before attempting to GET target system attribute definitions.

  • REST API data validation fixed:

    • Allow target system attribute definition field mappedAttribute to be empty during create (POST) or update (PATCH).

    • Don't allow target system attribute definition field discoveredObjectType to be empty during create (POST).

    • Don't allow target system attribute definition field attribute to be empty during create (POST).

    • Don't allow target system field address to be empty during create (POST).

    • Don't allow target system field description to be empty during create (POST).

  • Target system PATCH fixed to not allow empty values for target system address or target system description.

  • Target system create fixed to set default targetGroup value to 'DEFAULT' instead of nothing.

  • Fixed a missing scheduled task to clear the nodestat database, if enabled.

  • Added Postman documentation and examples for REST API v2 endpoints GET managedSystemPolicies, GET managedSystemPolicies({key}), GET managedSystemPolicies({key})/managedAccounts, and GET managedSystemPolicies({key})/managedSystems.

  • Fixed a REST API GET /users endpoint bug where a null display name value caused incomplete output.

  • Resolved duplicate left joins on REST API calls when expanding with OData:

    • Sets the query-building behavior to use splitting, which improves performance.

    • Enables the validation of OData options manually in custom EnableQueryAttribute using OData functions.

    • Adds a new attribute option, AllowedOrderByPropertiesList, to allow a proper array of strings for properties.

  • REST API will no longer start if schema is missing, if iddb is down or if configuration (BASE_IDSYNCH_URL) is missing. Bravura Security Fabric will retry every 30 seconds until ready, and then start accepting requests.

  • Removed SQL Service Broker dependency from OPADotNet.

  • Introduced a named pipe to trigger policy updates in OPADotNet.

  • Fixed database view HID_Rest.targetsystemoption issues where some boolean values are not properly emitted.

  • Fixed a limitation in idmconfig that prevented saving OPA (Open Policy Agent) policies containing the custom REGO function IsSuperuser or the custom REGO function GetProfileAttributeValues.

  • Fixed REST API endpoint PATCH /targetSystems({key}) to properly save the target system option "automaticallyDiscoverResourcesToLoad".

  • Added OPA policy identity_connect_token to IdentityServer login endpoint to authorize login attempts.

  • Default policy identity_connect_token set to check for user class membership to _EXPLICIT_REST_API_USERS_.

  • Added new Rego custom function GetProfileAttributeValues.

API

  • Implemented custom Persisted Grant Cleanup Service to remove expired tokens beyond a threshold (24 hours).

  • Idmlib functions used only by the REST API now have an operation identifier added alongside the user token.

  • Idmlib checks confirm that the token was valid at the time of the operation request.

  • New operation types were added to constraints.

  • Fixed several resource leaks when clients attempt to log in to the idapisoap service but fail (for example, if they have the wrong userid or password).

    As a result of this change, when calling an API function using the single-call functionality (providing the username and password in the sessdat field) with an incorrect password, the error code has changed from ERR_NOT_LOGGED_IN to ERR_INVALID_SESSKEY.

  • Fixed an issue where users' IVR numeric IDs were not updated when the user was renamed.

Upgrade actions

Installation

  • Install .NET Runtime 8.0 with the following:

    • ASP.NET Core Hosting Bundle 8.0.x (latest; use the 'Hosting Bundle', not the x86 or x64 runtime)

    • .NET Desktop Runtime 8.0.x

Services

  • Turned on TCP keepalive by default on all inter-service sockets. The default time is 30 seconds.

  • Removed the KeepAliveTime registry setting, which duplicated SocketKeepAlive.

    If there are any KeepAliveTime registry entries that are not set to 30, rename the entries to SocketKeepAlive.
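    An added upgrade helper for the step above (not part of the product): it looks for KeepAliveTime values under a registry key and its immediate subkeys, renames any value that is not 30 to SocketKeepAlive, and leaves the rest alone. The registry path is a placeholder because the page does not name the key; replace it with the key your services actually use, and run with -WhatIf first.

```powershell
# Added example (not product code): carry non-default KeepAliveTime values over
# to SocketKeepAlive under the given registry key and its immediate subkeys.
# REGISTRY_KEY_PLACEHOLDER must be replaced with the real key; the page does not name it.
function Rename-KeepAliveTime {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$DefaultValue = 30   # the new default; entries at this value need no migration
    )

    # Examine the key itself plus one level of subkeys (typically one per service).
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $item -or $null -eq $item.PSObject.Properties['KeepAliveTime']) { continue }

        $value = [int]$item.KeepAliveTime
        if ($value -eq $DefaultValue) {
            Write-Verbose "$($key.PSPath): KeepAliveTime=$value equals the default, left as is"
            continue
        }
        if ($null -ne $item.PSObject.Properties['SocketKeepAlive']) {
            # Both names present: do not overwrite silently, let the administrator decide.
            Write-Warning "$($key.PSPath): SocketKeepAlive already set to $($item.SocketKeepAlive); KeepAliveTime=$value left in place"
            continue
        }
        if ($PSCmdlet.ShouldProcess($key.PSPath, "Rename KeepAliveTime ($value) to SocketKeepAlive")) {
            Rename-ItemProperty -Path $key.PSPath -Name 'KeepAliveTime' -NewName 'SocketKeepAlive'
        }
    }
}

# Dry run first, then apply without -WhatIf:
Rename-KeepAliveTime -Path 'HKLM:\SOFTWARE\REGISTRY_KEY_PLACEHOLDER' -WhatIf -Verbose
```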

Components

  • Default components have upgrade scripts, but any custom component using MatchType expression with MatchCondition equal should be changed/upgraded to use MatchCondition set in order to maintain existing behavior. See the release note.

Authentication

  • The default behavior for the managed account password search engine has changed to hide failed randomizations. You can revert to the previously-default behavior by enabling the PASSWORD HISTORY VIEW INCLUDE FAILED PASSWORDS system variable.

Bravura Privilege

  • Update the Guacamole server.

  • No upgrade actions are needed for stock to stock upgrades; however, custom to stock/custom upgrades may require adjustments if affected components were customized or any criteria elements defined in those components were referenced. List of changed components:

    • Functional.pam_account_management

    • Functional.pam_system_management

    • Scenario.gm_folder_create

    • Scenario.pam_otp_api_management

    • Scenario.pam_team_privilege_requesters

    • Scenario.pam_team_privilege_trustees

Pass Plus

  • Existing users of Pass Plus will need to configure some additional settings in order to take advantage of the automatic provisioning feature, including configuring a target for Safe User Management, and setting up a template account for Safe Secrets. These steps are outlined in the component's README file.

Groups

  • Enable the MANAGED GROUP INHERITANCE COPY TARGET system variable if you want to enable the more intuitive handling of inherited phased authorization.

API

  • You can now disable the SQL Server Service Broker. The dependency was removed.