12.7.1
Features and improvements
Installation
Added the loadcvagents utility to install the Customer-Verified connectors. The post-installation and post-upgrade tasks that load connectors have also been modified to install the Customer-Verified connectors for the target systems configured on the Bravura Security Fabric instance server.
The Customer-Verified pre-installation check no longer runs for proxy server upgrades.
Updated the notice message for target systems to notify if any targets are missing their connectors and to show a list of the affected platforms.
Added a pre-installation check for Connector Pack upgrades to identify Removed connectors for configured target systems on the Bravura Security Fabric instance server.
Authentication
Added support for reCAPTCHA v3 for authentication chains by adding the Functional.hid_authchain_recaptcha_v3 and Scenario.hid_authchain_recaptcha_v3 components.
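The server-side decision a reCAPTCHA v3 step has to make, as an added illustration that is not code from the Functional.hid_authchain_recaptcha_v3 or Scenario.hid_authchain_recaptcha_v3 components: v3 returns a score rather than a pass/fail, so the authentication chain must enforce its own threshold and pin the action, hostname and freshness of the token itself. The siteverify response bodies below are constructed test data; the action name, hostname, score threshold and freshness window are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample siteverify bodies (shape follows Google's documented
# reCAPTCHA v3 response); these are embedded test data, not captured traffic.
SAMPLE_GOOD = json.dumps({
    "success": True, "score": 0.9, "action": "login",
    "challenge_ts": "2024-09-10T12:00:00Z", "hostname": "sso.example.com"})
SAMPLE_LOW_SCORE = json.dumps({
    "success": True, "score": 0.3, "action": "login",
    "challenge_ts": "2024-09-10T12:00:00Z", "hostname": "sso.example.com"})
SAMPLE_REPLAYED = json.dumps({          # token minted for a different page/action
    "success": True, "score": 0.9, "action": "contact_form",
    "challenge_ts": "2024-09-10T12:00:00Z", "hostname": "sso.example.com"})
SAMPLE_FAILED = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})


def _parse_ts(value):
    """Parse the ISO 8601 UTC timestamp format Google uses in challenge_ts."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_recaptcha_v3(body, expected_action, expected_hostname,
                          now_iso, min_score=0.5, max_age_seconds=120):
    """Turn a siteverify response into an auth-chain decision.

    Returns one of:
      "deny"    - verification failed, or the token was not minted for this
                  action/site, or it is outside the freshness window
      "step_up" - token is genuine but the score is below the threshold:
                  require another factor instead of silently allowing
      "allow"   - token is genuine and the score is acceptable
    reCAPTCHA v3 never blocks on its own; it only returns a score, so every
    one of these checks has to be done by the server.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "deny"
    if data.get("success") is not True:
        return "deny"
    if data.get("action") != expected_action:
        return "deny"            # token minted for a different protected action
    if data.get("hostname") != expected_hostname:
        return "deny"            # token minted on another site using the same key
    try:
        age = (_parse_ts(now_iso) - _parse_ts(data["challenge_ts"])).total_seconds()
    except (KeyError, ValueError):
        return "deny"
    if age < 0 or age > max_age_seconds:
        return "deny"            # stale or clock-skewed token
    if float(data.get("score", 0.0)) < min_score:
        return "step_up"
    return "allow"
```

The "step_up" outcome is the point of using v3 in an authentication chain: a low score is a signal to demand a stronger factor, not proof of abuse, and treating it as a hard denial locks out real users on VPNs and shared addresses.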
Bravura Privilege
Added system variable IDARCHIVE_RANDOMIZE_LOCAL_FALLBACK which allows randomizations to be done on the local node, in the event that the managing node is unavailable. This is enabled by default.
If IDARCHIVE_RANDOMIZE_LOCAL_FALLBACK is disabled, a confirmation dialog box appears on pages where bulk randomizations are performed, stating that the randomizations will be performed by the local node.
Modified the Privilege app to separate randomization of multiple accounts according to managed system policies.
Optimized import rule execution for import policy rules to be more efficient.
Bravura Pass
BSCS-3179 PROP-TO-BASE - "Change & Expire passwords" showing "Via Tsync" when admin users reset passwords and load balanced PMSERVER address
Fixed a race condition in replication environments for password reset requests submitted from the UI on other nodes. Added the IDPM BLOCK CHECK ALL NODES system variable to control whether all replication nodes are checked for blocking records; this is a slower but more thorough check, intended for environments where transparent synchronization is also set up.
Exposed failed hosts in IDPM_REQUEUE exit trap.
Pass Plus
Changed how accounts are filtered in Pass Plus to avoid overburdening the REST API with expensive queries.
Added script that caches Pass Plus account enrollment in Bravura Cloud, to enable Cloud to visualize what accounts are enrolled, and Fabric to more quickly evaluate which accounts are enrolled.
Updated the display of accounts in the UI so that if the account name (longid) is a GUID value, it falls back to loading the account's shortid. This affects all the places where account information is displayed.
Added SAFE_TARGET and SAFE_ATTRIBUTE configuration keys to Pass Plus's global configuration namespace. The keys represent the Target ID of the Bravura Safe Target, and the name of the account attribute that contains the account GUID of the real account for which the Bravura Safe secret contains the password.
Modified the Pass Plus Password Change Service to validate that accounts submitted for password changes have associated Bravura Safe secrets.
Modified the Pass Plus Password Change Service to update the Bravura Safe secret with the new password for the account.
Added FILTER_ACCOUNT_PLUGIN script to Functional.plus_password_change_service to prevent users from manually changing the password of Pass Plus accounts via self service password change. Passwords can still be manually updated via Help Desk, in case Pass Plus accounts require manual intervention.
Bravura Identity
Modified the Request access to network resources page, when using the SMB Protocol for Active Directory DN network resource connector (nrcifs.exe), to display the list of network resources sorted by resource name.
Added the -threads option for both rbacenforce.exe and autores.exe to submit requests to resolve violations in parallel, as well as the PSUPDATE AUTORES THREADS and PSUPDATE RBACENFORCE THREADS system variables to set the number of threads to use during auto-discovery.
Idmunix
Added support for Red Hat Enterprise Linux 9 for the idmunix-rhel-el9.x64.tar.gz package.
The following features are available in this package and therefore now support Red Hat Enterprise Linux 9:
hid-idapi.rhel-el9.x64.rpm - api library modules
hid-common.rhel-el9.x64.rpm - common library modules
hid-pamutil.rhel-el9.x64.rpm - pamutil (used to retrieve credentials for Bravura Privilege )
hid-mobproxy.rhel-el9.x64.rpm - Mobile Proxy Service (mobproxy) running on a Bravura One mobile proxy server
Workflow
Updated the autores utility to skip a deprecated role specified by the -role option: it no longer calculates variances or submits requests for the deprecated role.
REST API
12.7.x version of the Rest API documentation can be found here: https://documenter.getpostman.com/view/20302012/2sA3Qv9WrQ
Added "targetsystems_get" policy check for v2 REST API endpoints:
DELETE /targetSystems({$targetSystemKey})/attributeDefinitions
POST /targetSystems({$targetSystemKey})/attributeDefinitions
POST /targetSystems({$targetSystemKey})/credentials
GET /targetSystems({$targetSystemKey})/credentials({$targetSystemCredentialKey})
POST /targetSystems({$targetSystemKey})/credentials({$targetSystemCredentialKey})
DELETE /targetSystems({$targetSystemKey})/credentials({$targetSystemCredentialKey})
Modified the REST API endpoint POST /users({{userKey}})/credentials/BravuraSecurity.REST.Models.v2.Question so that it fails immediately if the user specified by userKey doesn't exist.
Replication
Killed stored procedures will now be retried indefinitely. Administrators can set a registry setting, NoKillRetry, to bypass this behavior if a procedure needs to be killed and not retried.
Upgrade / Migration
Enhanced the upgradetest utility to perform a database object integrity check upon completion, validating that the schema after the upgrade test matches the intended schema of the new version. This is the same "database objects verification" post-upgrade check that the setup installer performs.
Proxy servers
Added configurable keepalive options to both the client and server sides of the WebSocket Connector Proxy and reduced the default setting from 2 minutes to 30 seconds. Some network appliances have aggressive idle connection timeouts that will disconnect the WebSocket Connector Proxy's apparently-idle connection without a short keepalive.
Enabled specifying more than one proxy on the same host for a target system. This is the correct way to specify a fallback proxy when using the WebSocket Connector Proxy. Note that while it is now possible to configure multiple non-WebSocket proxies on the same host, that remains an incorrect configuration.
Before the WebSocket Connector Proxy feature was added, the "List of proxies to run connectors on" target configuration option only allowed unique proxy server hosts, since each proxy had to be a separate host/system. With this change, the same proxy server host can be configured with different port numbers, for example "localhost/3344,localhost/3345", to support the multiple proxy server hosts that may optionally be set for the WebSocket Connector Proxy feature.
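A validator for the proxy list, as an added example that is not product code: it accepts the "host/port" form from the example above and flags a repeated host only when the proxies are not WebSocket Connector Proxies, which is the distinction the two notes above draw. The websocket flag, and any list syntax beyond the page's own example, are assumptions.

```python
from collections import Counter


def parse_proxy_list(value):
    """Parse a 'host/port,host/port' proxy list into (host, port) tuples.

    A bare host with no '/port' suffix is kept with port None. Hosts are
    lower-cased so 'Proxy1' and 'proxy1' count as the same host.
    """
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.partition("/")
        if not host:
            raise ValueError("missing host in %r" % item)
        if sep and not port.isdigit():
            raise ValueError("bad port in %r" % item)
        entries.append((host.lower(), int(port) if sep else None))
    return entries


def validate_proxy_list(value, websocket):
    """Return a list of problems with the proxy list for one target system.

    Rules taken from the release note:
      * an exact duplicate entry is never useful and is reported;
      * the same host may appear more than once (with distinct ports) only
        when the WebSocket Connector Proxy is in use, where it is the
        supported way to declare a fallback proxy;
      * for non-WebSocket proxies, a repeated host is still an incorrect
        configuration and is reported.
    """
    entries = parse_proxy_list(value)
    problems = []
    for (host, port), count in Counter(entries).items():
        if count > 1:
            shown = host if port is None else "%s/%d" % (host, port)
            problems.append("duplicate entry %s" % shown)
    if not websocket:
        for host, count in Counter(h for h, _ in entries).items():
            if count > 1:
                problems.append(
                    "host %s listed %d times; multiple non-WebSocket proxies "
                    "on one host is not a valid configuration" % (host, count))
    return problems
```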
Resolved issues
Security
Addressed CVE-2024-39694 by porting the fix from Duende IdentityServer to the open-source IdentityServer4.
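The public advisory for CVE-2024-39694 describes it as an open redirect: a crafted return URL that IdentityServer could treat as local, so that some browsers followed it to a third-party site. As an added example that is neither the IdentityServer fix nor any Bravura code, a local-URL check of the kind such a fix tightens; it rejects the shapes browsers resolve off-origin even though they begin with a slash.

```python
def is_local_url(url):
    """Return True only for URLs that cannot leave the current origin.

    Rejected shapes, each a known way to smuggle a foreign host past a
    naive 'starts with /' test:
      //evil.example        protocol-relative: browsers keep the scheme,
                            replace the host
      /\\evil.example       browsers normalise '\\' to '/', giving //evil
      https://evil.example  explicit scheme
      /\\tevil, /\\nevil    control characters or whitespace that some
                            parsers strip before resolving, turning a
                            harmless-looking path into one of the above
    """
    if not url:
        return False
    # control characters and whitespace anywhere are grounds for rejection
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in url):
        return False
    # '~/path' is the app-relative form used by ASP.NET; it is local
    if url.startswith("~/"):
        return True
    if not url.startswith("/"):
        return False
    if len(url) == 1:
        return True
    # exactly one leading slash: the next character must not start a host
    return url[1] not in ("/", "\\")


def safe_return_url(url, fallback="/"):
    """Use the requested return URL only if it is local; otherwise fall back."""
    return url if is_local_url(url) else fallback
```

Keep the check on the raw string the client sent, before any URL decoding or normalisation, and apply it again at the point of redirect: the advisory class of bug is precisely a gap between what the validator sees and what the browser resolves.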
Installation
Added a check to only display scripted connectors if their script exists when checking for missing connectors for the target configuration page.
Modified the installer to correctly verify .NET 6 is installed on pre-installation check.
Fixed an issue when using an absolute path for custom connectors that was previously showing an error for "The connector for [] is not installed" on the target configuration pages.
Added the ability to use relative paths for the directories that loadplatform uses for the connectors, rather than absolute paths, so that connector files such as attribute definition files can be located correctly.
Discovery
Fixed the "console users with empty passwords" check in auto discovery (psupdate) to properly retrieve the console users' display names.
Optimized the userclass/userclasspoint cache update triggered by a single-user psupdate: instead of recalculating all memberships of the affected userclasses/userclasspoints, it now only tests userclass/userclasspoint membership for the specified user and updates the cache accordingly, which is much faster.
Optimized auto assignment variance checking and the generation of autores child requests spawned from another request.
Authentication
Fixed an issue where Q&A could not be validated properly against external question sets (validation always passed) when authenticated through idapi (idapisoap).
Fixed an issue where phased authorization was stuck when an authorizer approves a phase when:
System variable "IDWFM AUTH PHASE PROPAGATION" is enabled
The authorizer is assigned to multiple phases, where there are multiple authorizers assigned to each of those phases.
Database
Fixed some stored procedures that were replicating when they shouldn’t be.
Optimized the FoundCompattrListMV stored procedure as well as some pre-defined requests using the same schema.
Improved performance by replacing a number of calls to the stored procedure WstnPwdGetFull with less expensive ones.
Bravura Security Fabric pre-emptively prevents SQL Server from choosing a poor plan for MetaMergeGetDeleted.
Fixed a failure of the stored procedure FoundComputerImportRevert that could occur when multiple target system import rule evaluations for the same discovered system occurred within the same millisecond and target creation ultimately failed (due to network failure, incorrect credentials, and so on). Failure of this stored procedure causes temporary target systems to be left behind.
Replication
Optimized one of the queries in ObjattrResync.
Reports
Fixed an issue where requested action's audit time was not updated when the action is processed. The Request event log report can now load the end time of the action properly.
Fixed the Managed Account Attributes report so that the user who scheduled the report is used as the running user during scheduled execution.
Upgrade and migration
Fixes an upgrade failure in some cases when the upgrade script intended to correct very rare group membership data inconsistencies encounters both consistent and inconsistent data.
Streamlined component load process to not import every Python script.
Fixed group set data created in pre-12.0.0 so that check-outs and check-ins perform as expected after upgrade.
Resolved an upgrade issue due to failure in dropping index reqinfo_full_uk1 .
Proxy servers
Fixed an issue where WebSocket Connector Proxy clients could not connect if the host service was unable to shut down cleanly.
Fixed an issue where it was only possible to create one ProxyTunnel client with persistent listing disabled.
Fixes an issue where the WebSocket Connector proxy is unable to start on older versions of the .NET framework.
Fixed a failure when upgrading a proxy that does not have the WebSocket connector proxy installed.
Fixed an issue where proxy services would incorrectly report that a file didn't exist if that file was larger than 4 GB.
Bravura Privilege
Changed the checkorder entries of sample import rules to not conflict.
Fixed import rule and import rule expression checkorder validation bugs in idmconfig that were preventing updates to existing import rules.
Fixed an issue to correctly inject the password into RDP credential window when using RDP disclosure plugin on Windows 11.
Fixed Managed account's rule conditions page to always load select button (>) in the rules list table even when the page is not wide enough (not collapsing the button into the expand details button).
Fixed incorrect group assignment for accounts that were deleted and then recreated with the same name while not listed (for example, while in a non-listing OU).
Fixed Wizard-related stored procedures to not fail on unnecessary failed type conversions.
Fixed an idmconfig export issue where ImportRuleAttr would only export if the associated import rule is disabled.
Reduced calculated attribute discoveries submitted by local service mode.
Removes one local service mode discovery during registration phase.
Added the accountShortID builtin attribute for account import rules.
Improved speed of evaluation of import rules.
Added fixes that improve the efficiency with which local service mode discovered system data is sent to the Discovery service (iddiscover).
A vault-only password override is disabled in Resources > Privileged access > Managed systems > Managed accounts > [choose account] if the account is in HISTORICAL_DATA_GRP.
Fixes import rule and import rule condition data during upgrade so that there are no duplicate checkorder values that may have been erroneously inserted in an older product version with inadequate data validation.
Verified import rules can be added and updated using idmconfig-util.exe. Invalid checkorder validation has been removed.
When determining passwords that need to be flagged as "uncertain", the Local Workstation Service includes ones that are pending and have svcids that no longer exist.
Prevented the system variable BYPASS_SCHEDULE_FOR_PRIORITY_RANDOMIZATIONS from affecting local service mode systems.
Fix to properly detect password conflicts when the password is randomized simultaneously on its very first randomization.
Clipboard contents are not pasted into the Guacamole menu when it is not visible.
Description text of system variable IDARCH_RANDOMIZE_LOCAL_FALLBACK has been improved.
When system variable IDARCH_RANDOMIZE_LOCAL_FALLBACK is set to disabled, dialog warning text when clicking the Randomize button on the following screens has been improved:
Privileged access > Managed system policies > Randomization
Privileged access > Managed systems > Randomization
Privileged access > Managed accounts
Privileged access > Managed systems > <choose managed system> > Managed accounts
Bravura Pass Plus
Fixed Functional.plus_automatic_resecure not finding all expired accounts for a user.
Fixed issue in Functional.plus_automatic_resecure that prevented the processing of expired accounts with a \ in the name.
Fixed an issue in the Functional.plus_password_change_service hook where the startup type of the pluspwdsvc service was not correctly set to Automatic (Delayed Start).
Bravura Identity
Fixed issues in the Requests app for implementer request:
Implementers can now edit the request when they have the appropriate ACLs after accepting the task.
When implementers also have the "View workflow requests" but not "Manage workflow requests" ACL, they can act on the task (accept/complete/decline/etc.) assigned to them through the "OTHER REQUESTS" filter.
Fixed an issue where account attributes could not be set in the product database for a new account created by an implementer, based on the following mapping configurations:
Action when creating account: Set to specified value
Map account attribute to profile/request attribute: [profile attribute to map to]
Load attribute values from target system: checked
Populate mapped profile attribute with values from target system: unchecked
Added upgrade for the modified role app components.
Fixed an issue where account attributes could not be passed to the agent for the create new account operation when the user (profile name) was renamed after the request was submitted.
Fixed a performance issue where it took a long time to start create role request when there are a large number of existing roles configured.
Workflow
Fixed an issue in requests for a new account and new groups (on the same target as the new account), where the requested new group could not be removed when editing an already submitted (pending) request or during request creation.
Modified the workflow service (idwfm) and the transaction monitor service (idtm) to automatically complete (set reqbatch.status to 'C') requests stuck in processing because idtm did not get the agent's results back in a timely manner (the grace period is the remainder of the retry intervals). On idtm service start, the result of each unfinished operation is marked "N" (Unknown). This is a key workflow improvement for requests that become stuck in processing.
Fixed an issue where, when a delegate of a request tried to view request details in the Requests app, the popup page was empty and stated that the user did not have permission.
Fixed Authmod Policy components not operating correctly if the authorizer changes the request.
Fixed a regression where profiles could have profile attributes deleted during discovery if:
The profile attributes are set by a request, and
The profile attributes are mapped to an account attribute, but
The profile does not have an account associated that would provide that mapping
Fixed Functional.hid_batch_request_submit to automatically remove the leading and trailing spaces from column name values.
Updated Scenario.pam_vault_management to convert generic exceptions into specific error messages.
Fixed a log warning when loading time zone information for UTC, where the warning was:
Warning: Failed to read registry value for TZI for [Coordinated Universal Time] - The system cannot find the file specified.
Fixed multiple issues in the wizard functionality, including form control validation, attribute page navigation, and disabled attribute handling. This resolves problems with moving between wizard pages when date selector attributes are in read-only mode, ensuring a smoother and more intuitive user experience during request submissions and authorizations.
Services
The base logging configuration (specified under the idmlogsvc service in Manage the system > Maintenance > Services > idmlogsvc) no longer replicates, to allow for different nodes to log at different levels.
Removed the hard-coded retry message from the Transaction Monitor Service (idtm) to resolve an issue with error messages from ACTryAgainLater.
REST API
Fixed REST API v2 bugs that were causing some group membership related endpoints to return incomplete json when requested with full metadata.
REST API v2 fixed for endpoints:
DELETE /groups({key})
DELETE /accounts({key})
REST API v2 PATCH /group requests now properly apply group attribute changes.
Added target system validation before attempting to GET target system attribute definitions.
REST API data validation fixed:
Allow target system attribute definition field mappedAttribute to be empty during create (POST) or update (PATCH).
Don't allow target system attribute definition field discoveredObjectType to be empty during create (POST).
Don't allow target system attribute definition field attribute to be empty during create (POST).
Don't allow target system field address to be empty during create (POST).
Don't allow target system field description to be empty during create (POST).
Target system PATCH fixed to not allow empty values for target system address or target system description.
Target system create fixed to set default targetGroup value to 'DEFAULT' instead of nothing.
Fixes missing scheduled task to clear the nodestat database, if enabled.
Fixed target system delete REST API endpoint.
Fixed target system PATCH REST API endpoint for target system address and target system description.
Added some error validation checks to attribute patching.
Modified account PATCH to fail when attempting to set locked to true.
Added Postman documentation and examples for REST API v2 endpoints GET managedSystemPolicies, GET managedSystemPolicies({key}), GET managedSystemPolicies({key})/managedAccounts, and GET managedSystemPolicies({key})/managedSystems.
Added Postman documentation and examples for target systems, target system attribute definitions, target system credentials, and target system options (REST API v2).
Implemented custom Persisted Grant Cleanup Service to remove expired tokens beyond a threshold (24 hours).
Idmlib functions used only by the REST API now receive an operation identifier alongside the user token.
Idmlib checks confirm that the token was valid at the time the operation was requested.
New operation types added to constraints.
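An added illustration of the two mechanisms in the preceding lines, the 24-hour persisted grant cleanup and the check that a token was valid when the operation was requested; the grant, operation and store classes are hypothetical stand-ins for this example, not the product's idmlib, IdentityServer or REST API code.

```python
from datetime import datetime, timedelta, timezone


def ts(value):
    """Parse an ISO 8601 UTC timestamp such as '2024-09-10T12:00:00Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class Grant:
    """Hypothetical persisted-grant record (a real store carries more fields)."""
    def __init__(self, key, subject, issued_at, expires_at):
        self.key = key
        self.subject = subject
        self.issued_at = issued_at
        self.expires_at = expires_at


class GrantStore:
    """In-memory stand-in for the persisted grant table."""
    CLEANUP_THRESHOLD = timedelta(hours=24)   # threshold named in the release note

    def __init__(self, grants):
        self._grants = {g.key: g for g in grants}

    def get(self, key):
        return self._grants.get(key)

    def cleanup_expired(self, now):
        """Remove grants that expired more than CLEANUP_THRESHOLD ago.

        Grants that expired recently are deliberately kept: an operation
        requested while they were still valid may yet be verified against
        them. Returns the removed keys, sorted.
        """
        removed = [k for k, g in self._grants.items()
                   if now - g.expires_at > self.CLEANUP_THRESHOLD]
        for k in removed:
            del self._grants[k]
        return sorted(removed)


class Operation:
    """What an idmlib-style function receives: its own identifier plus the
    token key and the time at which the client requested the operation."""
    def __init__(self, op_id, token_key, requested_at):
        self.op_id = op_id
        self.token_key = token_key
        self.requested_at = requested_at


def authorize(store, op, subject):
    """Return (ok, reason).

    The token must exist, belong to `subject`, and have been valid at
    op.requested_at. Judging validity at request time rather than 'now'
    closes two gaps: a token issued after the request cannot retroactively
    cover it, and a token that expired before the request cannot be used
    even if the caller still holds a fresh one.
    """
    g = store.get(op.token_key)
    if g is None:
        return False, "unknown or cleaned-up token"
    if g.subject != subject:
        return False, "token belongs to another subject"
    if op.requested_at < g.issued_at:
        return False, "operation predates token issuance"
    if op.requested_at > g.expires_at:
        return False, "token expired before operation was requested"
    return True, "ok"
```

The interplay matters: if cleanup removed grants the moment they expired, a legitimately requested operation that landed after expiry could no longer be checked and would be indistinguishable from one presenting a forged key.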
SOAP API
Fixed several resource leaks when clients attempt to log in to the idapisoap service but fail (for example, with the wrong userid or password). As a result of this change, when calling an API function using the single-call functionality (providing the username and password in the sessdat field) with an incorrect password, the error code has changed from ERR_NOT_LOGGED_IN to ERR_INVALID_SESSKEY.