
12.7.0

Features and improvements

Bravura Pass

  • Modified the Change password page when single account selection is configured for the selected target group: when multiple accounts are available, no account is now selected by default.

Bravura Privilege

  • Added LINUX platformtype to disclosure rules provided by:

    • Scenario.pam_account_management_disclosure_guacamole_ssh

    • Scenario.pam_disclosure_guacamole_ssh

  • Added comments to the Guacamole Dockerfile with an example proxy configuration.

  • Updated the Guacamole version to 1.5.3 and simplified the installation process.

  • Added the variable LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY with a default value of true. When true, the LWS CGI (pamlws.exe) submits network adapter computer attributes to iddiscover, which stores them in the database. When false, network adapter computer attributes are neither sent to iddiscover nor stored, which decreases load on the iddiscover service and on replication, especially where local service mode systems often move from one network to another (e.g. a laptop moving between home and office).

  • Improved performance of stored procedure LWSMonWstnCheck.

  • Added index to table wstnpwdchkout_full.

Discovery

  • Added debugging functionality to iddiscover.exe, allowing it to archive tables during auto-discovery.

  • Added the PSUPDATE_LOCK_WAIT_TIME system variable to control how long psupdate will wait for its lock before giving up.

  • Updated the Local Service Mode server CGI to reduce how often calculated attribute updates are sent to iddiscover:

    1. When the CGI determines that password updates need to be sent to the client, it issues one or more sub-requests back to the connecting client. The client then opens a new connection to report the password update results; this new connection no longer checks whether calculated attribute updates are needed.

    2. When the CGI determines that the workstation communication key has expired, it issues a sub-request back to the connecting client. The client then opens a new connection to report the key update result; this new connection no longer checks whether calculated attribute updates are needed.

    3. When the client goes into resync mode, the CGI no longer performs its usual separate iddiscover batch for calculated attribute updates. Instead, the calculated attributes are included in the main iddiscover resync batch.

  • Updated the local service mode client to no longer send updates for account attributes pwda and llogon.

  • Updated the default descriptions and default values of the system variables RES_ATTRIBUTE_UPDATE_DELAY and RES_DELAY_UPDATE_ATTRIBUTES:

    • RES_ATTRIBUTE_UPDATE_DELAY is now 1440 (once a day) instead of 60 (once an hour).

    • RES_DELAY_UPDATE_ATTRIBUTES is now "pwda,llogon" instead of "pwda" to compensate for local service mode clients that have not been updated to contain the previous fix.

    Updated the descriptions of both system variables to be more clear.

  • Updated auto discovery to load the @passwordExpiration and @lastPasswordChange pseudoattributes for accounts instead of merely loading them into the "expiry" table.

Bravura One


  • Released Bravura One 5.0.3 on the Google Play store supporting the latest devices (and API version 30+).

  • Updated the Bravura One mobile app's minimum supported OS versions: iOS 12.0 or higher and Android 11.0 or higher.

  • Increased support to additional older Android devices by decreasing the minimum API level from 32 to 30. This expands the supported devices from just Android 12L and up to include those that can run Android 11 and Android 12.

Authentication

  • Improved error messages around certain cases of token expiry in Functional.hid_authchain_forgot_password.

  • Implemented signing of AuthnRequests with RSA-SHA1 or RSA-SHA256 for both the HTTP Redirect and HTTP POST bindings. RSA-SHA1 is available for identity providers that do not yet accept SHA-256 signatures; prefer RSA-SHA256 wherever the IdP supports it, since SHA-1 is deprecated for digital signatures.

  • Added an "AuthnRequest Signature" dropdown menu to the fedidp_samlauth authchain module, with the possible values (None), RSA-SHA1, and RSA-SHA256.

  • Added fedsp-util.exe for generating a private key and public certificate for when Bravura Security Fabric is acting as the SP.

  • Added system variables for configuring which key to use for signing AuthnRequests:

    • FEDSP_CERT_STORE - the certificate store holding the certificate used to sign SAML AuthnRequests

    • FEDSP_CERT_FILE (needed if FEDSP_CERT_STORE is set to "PFX file store") - the filename of the PFX file (not the whole path), which must be located in the <instance dir>/sp directory

    • FEDSP_CERT_PASS (needed if FEDSP_CERT_STORE is set to "PFX file store") - the password for the PFX file

    • FEDSP_CERT_SUBJECT - the subject of the certificate used for signing

  • Modified the Data.hid_authchain_saml_sp component to call fedsp-util to generate the key pair and set the above system variables appropriately. This also runs on upgrade if the component was previously installed.

  • Added new components for the Bravura OneAuth and 2factor OneAuth authchains.

  • Improved the styling and structure of radio selection lists in authentication chains.

Database

  • Excluded tables in the BSF_Hangfire schema from database resync.

  • Added sproc SesslogDelete to be called from dbcmd to clean up old sesslog data.

REST API

  • Added a dynamic OPA policy provider for REST API endpoints that first checks whether an endpoint-specific policy exists and falls back to the generic OPA policy if none does.

  • Version 2 of the Account Create REST API endpoint uses “userid” instead of “profileGuid”.

  • Version 2 of the REST API includes endpoints to add, update and delete target systems.

  • Version 2 of the REST API includes endpoints to get the list of platforms and their attributes.

  • Added Version 2 REST API endpoints for target system attribute definitions.

SOAP API

  • Added SUCCESS/FAILTARGETS session tags in UserPasswordSync and UserAccountsUnlock in SOAP API.

  • idpm: Made UserPasswordSync run password resets in parallel.

  • Updated Guacamole version to 1.5.3.

Notification

  • Changed the Acceptable Use Policy (AUP) handling as follows:

    • A confirmation box pops up when the user declines the AUP.

    • Added the AUP_PLUGIN plugin to control what happens after the user declines the AUP.

Workflow

  • Modified the request update sprocs to always sync reqacct.profilename with reqbatch.recipientname for new-user requests (before the request is approved).

  • Added a system variable IDP_DISABLE_ABSTAIN to control if authorizers are allowed to abstain from a request (from API and UI).

  • Improved the performance of loading/checking the authorization configuration of an object (managed group, target, etc.) by returning only the userclasspoint(s) configured for authorization on that specific object, instead of returning all userclasspoints and filtering in the C++ code.

  • Optimized sproc UCCacheValidityListForRequestNonUser to return early if the current request does not have GRGA/D operations to improve userclass cache updates triggered by request.

  • Turned on Roles app by default. The required component Scenario.im_role_wizard is now installed by default.

  • Added default access to the Roles app for end users.

  • Added event triggers (exit traps) for ROLE ENTITLEMENT ADD and ROLE ENTITLEMENT DELETE.

Libraries

  • Updated the zlib library shipped with the product to version 1.2.13, to improve security.

  • Updated other libraries with dependencies on the zlib library; namely cairo, libhpdf, and libpng.

  • Updated libxml2 to version 2.11.4.

  • Updated the version of the ZeroMQ library shipped with the product to version 4.3.4.

Security

  • Added the API_ADMIN_PLUGIN_EXCLUDE system variable, which excludes the listed users from being processed by the API_ADMIN_PLUGIN plugin.

Resolved issues

Bravura Pass

  • Updated cgilocalr.cfg sample file used by the Local Reset Extension plugin (cgilocalr) to remove pslocalr.ocx references.

  • Fixed a crash on the Reset password page when loading the password policy "not begin with the first N characters of the profile ID or name" for a user whose full name contains non-ASCII characters.

  • Fixed a race condition in idpm where, after an agent operation timed out, the request issuer received a reply from idpm before idpm had finished the agent operation.

  • Fixed idpm so recipient user's profile information can be recorded in sesslog for Admin change expire (ACEX) and Admin change (ACHG) operations, so the operations can show up when viewing the recipient user's operation history.

  • Fixed a crash on shutdown in runurl.exe.

  • Fixed an issue where the password rule "not have been changed by you in the last N hours" failed to validate for a user with multiple accounts when some of the accounts' passwords had been changed within the last N hours but at least one account's password had last been changed earlier than that.

  • Fixed idpm so that, when a user's accounts are reset to a previously used password (where the password policy allows it) and that old password had previously been used by only one account, history.time is set to the time the old password was originally set only for that account, not for all of the user's accounts.

  • A password change is now recorded only when the change actually succeeded, so the "not have been changed by you in the last N hours" rule is not tripped by a password that failed to be set.

Bravura Identity

  • Corrected password validation to work properly when validating against a profile ID or name-related password rules for requests to create a new user or rename an existing user.

Bravura Privilege

  • Improved smonc.exe logs to include filesystem error details where possible.

  • Fixed bug in 1.2 -> 1.3 upgrade for Scenario.pam_team_privilege_trustees that would cause the script to give up completely on a partial failure.

  • Fixed local workstation service issues (client side and server side) caused by out-of-band account deletions (hard disk restore, virtual machine revert, etc.).

  • Fixed Local Service Mode calculated computer attributes to update more reliably:

    • lastSuccessConnection

    • lastFailedConnection

    • failedAttempts

    • compDiscovered

    • compNotDiscoveredDays

  • Included computer attribute compNotDiscoveredPastThreshold in the list of Local Service Mode calculated attributes to be updated (see above) so that a dormant local service mode system that resumes connecting to the instance can get itself "rediscovered" without having to wait for the next nightly auto-discovery.

  • Updated discovered system "lastload" value to current time when computer attributes are modified so that nightly auto-discovery can more accurately set computer attributes compNotDiscoveredPastThreshold and compNotDiscoveredDays.

  • Increased default value of system variable LWS_LAST_CONNECTION_UPDATE_INTERVAL from 30 to 1440 (one day) so that local service mode computer attribute lastSuccessConnection updates less often, to reduce load on the iddiscover service and replication.

  • Reduced update frequency of local service mode computer attribute sourceAddress to only update when other computer attributes are being updated, to reduce load on the iddiscover service and replication.

  • Improved session monitor recorded sessions search:

    • Added session state column to search pane

    • Added session state field to details in the actions panel for an individual recorded session

    • Fixed functionality of session state advanced-search term, and updated choices to: "In progress", "Stale", and "Complete".

  • Fixed an issue where local-workstation-mode resynchronizations could fail to complete properly.

  • Fixed local service mode service crash bug triggered by account rename.

  • Reduced the number of discovery batches submitted by local service mode systems when LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY is disabled. Previously, computer attributes submitted to an iddiscover batch aborted the entire batch when network adapter attributes were the only attributes in the batch.

  • Fixed bug where calculated local service mode computer attributes were not getting deleted when their values change from populated to unpopulated.

  • Improved accuracy of calculated-computer-attribute updates for compNotDiscoveredPastThreshold and compNotDiscoveredDays while reducing discovery batches submitted by local service mode systems.

  • Added debug logging to make it easier to track all local service mode discovery-batch submissions (can search for "discovery submission" log entries).

  • Fixed local service mode bug where computer attribute operatingSystemServicePack was being submitted to iddiscover unnecessarily when its value was empty.

  • Fixed performance for stored procedure LWSMonWstnCheck.

  • Added index to table wstnpwdchkout_full.

  • Fixed this issue: "When there is a group set that contains one or more groups with the same ID from different managed systems (i.e. MSYS1 and MSYS2), requesters can request access to a group set from one of the managed systems, but not the other. This happens when the groups are explicitly attached." The fix is to display a checkbox for each group.

  • Fixed ajax.exe crashing on IPC failure.

  • Improved speed of evaluation of import rules.

  • Reduced calculated attribute discoveries submitted by local service mode.

  • Removed one local service mode discovery during registration phase.

Performance

  • Improved performance of sprocs to populate role memberships based on validity window.

  • Fixed a small memory leak in some cryptographic functions that would accumulate over long periods of time in service processes.

  • Increased maximum transmission limit for ajax requests to 100MB.

  • Optimized requests app to load large size requests.

  • Reduced the amount of log noise generated by the load balancer health check (loadbalancerstatus).

  • Optimized sproc RBACVarianceUserListDetails when running against the entire user population with a large number of roles configured and requests in the instance.

Discovery

  • Fixed an issue in loaddb so that, when account attribute value is removed on the target, the corresponding profile attribute (single mapping) can now be removed regardless of whether the profile attribute value is loaded from the target or not.

  • Fixed an issue where a file lock (e.g., from a virus scanner) at the wrong time during discovery could cause incorrect data to be loaded.

  • Fixed slow discovery bulk loading.

  • Added a discovery-batching throttler to reduce discovery overhead for cases where large numbers of discoveries are continuously arriving, such as Local Workstation Service deployments.

  • Fixed auto-discovery duplicate-key error where a workflow request implementer task recreated a previously deleted account with the same stable ID as the deleted account.

  • Updated auto-discovery so source-of-profile target accounts that do not produce profiles can still auto-associate to other profiles.

  • Fixed an issue in loaddb where displayName (metaobj.objectdesc) change for accounts could not be loaded to the associated profile.

  • Optimized userclass point caching by moving it to the database server in certain cases, including the common one that runs during nightly discovery.

  • Fixed a discovery issue that occurred when multiple source-of-profile accounts were renamed to the same name, but a profile of the new name already existed (and may or may not have had the same casing).

  • Optimized auto-discovery performance by adding SQL Server hint to ObjAttrResync stored procedure.

PSLang

  • Fixed Bravura Security Fabric so the PSLang getUsersByGroup function no longer returns an empty user when unassociated accounts are members of the group. This prevents loaduccache from failing when getUsersByGroup is used in a userclass list expression and orphan account members exist.

Upgrade and migration

  • Fixed a setup.exe issue that caused the IIS backup action to fail during upgrades.

  • Fixed a cosmetic error encountered when importing pamteam data with migratedata.exe.

  • Improved the speed of migratedata when exporting large numbers of rows.

  • Fixed upgrade error from (12.6.0 or 12.5.1 and older) to (12.6.2 or 12.7.0) where "usernotif"."macros" field length was not increased to MAX.

  • Fixed database verification error bug encountered during instance upgrades to 12.5, 12.6 and 12.7.

  • Improved performance of host triggers, especially when upgrading past version 12.0.0.

  • Modified upgrade script to properly clean up invalid data from "ucpcache" (12.3.0) so upgrade can proceed.

  • Corrected upgrades from pre-12.0.0, which incorrectly attempted to de-duplicate objects of different types with the same stableid (e.g., an account and a group both named "root").

  • Changed a WiX attribute so that the stored procedure runs correctly on upgrade.

  • Fixed the setting of new default values for system variables during upgrade:

    • RES_ATTRIBUTE_UPDATE_DELAY

    • RES_DELAY_UPDATE_ATTRIBUTES

    • LWS_LAST_CONNECTION_UPDATE_INTERVAL

    • LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY

Database

  • Fixed a runtime error (mismatched number of BEGIN and COMMIT statements) in sprocs UserClassCacheUpdateUser and UserClassPointCacheUpdateUser when the userclass/userclasspoint cache to be updated is invalid.

  • Schema change: made field piqueue.retrydata memo.

  • Improved replication details screen to show raw SQL queries as well as stored procedures.

  • Optimized PolicyRuleAccountPrepare stored procedure.

  • Fixed a potential race condition that resulted in duplicate profile attributes when updating profile attributes through a request in a replication environment.

  • Fixed the receive queue details page incorrectly showing detailed statistics for only one receive queue, and changed the interval from five minutes to one hour.

  • Requests are now forwarded to the primary node for processing when the recipient does not exist on all nodes.

  • Fixed an issue where an instance may come back online too soon during a UI-based resynchronization.

  • Improved data safety during web UI resynchronizations.

  • Made database backup resynchronizations more robust.

  • Improved performance in stored procedure PolicyRuleComputerDeploy.

  • Fixed error in post-installation in shared schema.

  • Fixed all installations in shared schema to not change the RestApiKey on secondary nodes.

  • Added ENCRESTAPIKEY to INF file for replication and/or shared schema setups.

  • Modified resetkey.exe utility to include option to export RestApiKey into INF file.

Authentication

  • Fixed generation of SP metadata from the fedidp_samlauth authchain module. The authchain needs to be set to enabled before the export button will appear for the module, allowing you to download the metadata as an XML file.

  • Fixed a bug that made finding certificates stored in the user or computer certificate stores impossible.

  • Fixed support for the external QA plugin, so answers (provided one at a time, instead of all at once) for the same question set can be properly validated.

  • Simplified the SAML RelayState payload so that it is no longer than 80 bytes, the maximum the SAML 2.0 Bindings specification allows.

  • Fixed an issue where authchain cannot validate against external question sets properly (if configured).
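The AuthnRequest signing added in this release (RSA-SHA1 or RSA-SHA256 for the HTTP Redirect and HTTP POST bindings) and the RelayState length fix above both follow from what the SAML 2.0 Bindings specification says about the HTTP-Redirect binding. The following is an added example, not Bravura Security Fabric code: it builds the deflated, base64- and URL-encoded SAMLRequest, enforces the 80-byte RelayState limit, signs exactly the string SAMLRequest[&RelayState]&SigAlg that the specification defines, and verifies it the way an IdP must, over the raw query string rather than over re-encoded values. The RSA PKCS#1 v1.5 routines are a compact textbook implementation included only so the file runs with the Python standard library; a deployment would load its key from the configured FEDSP_CERT_* store and use a vetted cryptography library. The sample request, the generated key and the function names are assumptions.

```python
import base64, hashlib, hmac, random, zlib
from urllib.parse import quote, unquote, urlencode

# SigAlg URIs carried in the query string (XML-DSig algorithm identifiers).
SIG_ALG = {"RSA-SHA1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
           "RSA-SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
# Hash function and DER DigestInfo prefix for PKCS#1 v1.5 (RFC 8017, section 9.2).
DIGEST = {"RSA-SHA1": (hashlib.sha1, bytes.fromhex("3021300906052b0e03021a05000414")),
          "RSA-SHA256": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420"))}
MAX_RELAY_STATE_BYTES = 80  # SAML 2.0 Bindings, 3.4.3: RelayState MUST NOT exceed 80 bytes

def deflate_b64(xml: bytes) -> str:
    """Raw DEFLATE (no zlib header/trailer), then base64, as the Redirect binding requires."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode("ascii")

def inflate_b64(value: str) -> bytes:
    return zlib.decompress(base64.b64decode(value), -15)

def redirect_signing_input(xml: bytes, relay_state, alg: str) -> str:
    """Exact octets to sign: SAMLRequest[&RelayState]&SigAlg, with URL-encoded values."""
    if relay_state is not None and len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        raise ValueError("RelayState exceeds 80 bytes")
    params = [("SAMLRequest", deflate_b64(xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", SIG_ALG[alg]))
    return urlencode(params, safe="", quote_via=quote)  # safe="" also encodes '/' and ':'

def _probable_prime(n: int, rounds: int = 24) -> bool:
    # Miller-Rabin; part of a minimal textbook RSA included only so the example runs offline.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | 1 << (bits - 1) | 1  # force top bit and oddness
        if _probable_prime(c):
            return c

def generate_keypair(bits: int = 1024):
    """Returns ((n, e), (n, d)); a deployment loads its key from the configured store instead."""
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v15(alg: str, message: bytes, k: int) -> bytes:
    h, prefix = DIGEST[alg]
    t = prefix + h(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, alg: str, message: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(alg, message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, alg: str, message: bytes, sig: bytes) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(alg, message, k))

def sign_redirect_request(xml: bytes, relay_state, alg: str, priv) -> str:
    """SP side: the query string sent to the IdP, ...&SigAlg=...&Signature=..."""
    signed = redirect_signing_input(xml, relay_state, alg)
    sig = base64.b64encode(rsa_sign(priv, alg, signed.encode("ascii"))).decode("ascii")
    return signed + "&Signature=" + quote(sig, safe="")

def verify_redirect_query(query: str, pub) -> bool:
    """IdP side: verify over the raw query string as received; re-encoding it would break this."""
    signed, sep, sig_param = query.rpartition("&Signature=")
    if not sep:
        return False
    params = dict(p.split("=", 1) for p in signed.split("&") if "=" in p)
    alg = {v: k for k, v in SIG_ALG.items()}.get(unquote(params.get("SigAlg", "")))
    return alg is not None and rsa_verify(pub, alg, signed.encode("ascii"), base64.b64decode(unquote(sig_param)))

# Constructed sample AuthnRequest (not a captured message).
SAMPLE_REQUEST = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" '
                  b'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.com/sso"/>')

if __name__ == "__main__":
    pub, priv = generate_keypair()
    q = sign_redirect_request(SAMPLE_REQUEST, "app-state", "RSA-SHA256", priv)
    print(q[:60] + "...", "verifies:", verify_redirect_query(q, pub))
```

The property to take away is that the Redirect binding signs the URL-encoded query string, not the XML, so any proxy or framework that re-encodes the query string before verification breaks the signature. The POST binding instead embeds an XML signature inside the AuthnRequest element, which this example does not cover.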

Target systems

  • Added validation to prevent some common misconfigurations with list file override.

  • Fixed deletion of a target not working correctly if the target had accounts that were members of a group on another target that were at one point unknown.

API

  • Fixed UserEnable, UserDisable API functions to properly set auth even if a user has never attempted to log in.

  • Fixed an issue with idapi-submitted create-group requests where the CRTG (Create Group) operation was not added to the request.

  • Fixed an issue with HTTPS bindings in the IDAPI SOAP service.

  • Improved logic of scripted agent for OTP API Account creation to tolerate timeouts and retries.

  • Fixed idapi crash when WFResultSet was executed by multiple concurrent callers.

  • Updated the idapi service to simultaneously support the deprecated and new SOAP endpoints.

  • Moved storage of REST API's Hangfire background jobs from a SQLite database file to the Microsoft SQL Server database used by the product. All Hangfire tables and indexes are located under the 'BSF_Hangfire' schema name.

Workflow

  • Fixed an issue with idtrack where it kept issuing requests to set user attribute to NULL when the user attribute value was already NULL.

  • Fixed idmconfig so SoD rules' member entitlements can be set properly.

  • Fixed an issue where requested account information (target system) could not load properly on the request details page if the account was renamed after the request was submitted.

  • Fixed an issue where the wrong child request was generated from hid_policy_request_chain when a rename happened after the (parent) request was submitted and before it was approved/processed.

  • Fixed an issue where workflow-created objects may conflict with subsequently discovered objects if their names differ only by case.

  • Restored the disabled state for wizard date attributes.

  • Fixed an issue with rehire request (of a user whose profile is invalid) when orgchart manager change is also requested; it ended up with duplicate ORG* operations in the request.

  • Modified idtm to respect attrdef.setuserattr (account attribute mapping option "Populate mapped profile attribute with values from target system") so it only updates the profile attribute with the agent-returned account attribute value(s) if it is set to true.

  • Fixed an issue where duplicate accounts were created when multiple create-new-account requests were issued and completed by an implementer.

  • Fixed an issue with phased authorization where a request with an unenacted operation was approved by a 'phase 2 or later' authorizer, and then a later phase authorizer could not open it properly for final approval.

  • Fixed the conversion of CSV-formatted files to pre-defined requests (PDRs), and made batch submission of those PDRs tolerate CSV files that were originally created in Windows Notepad.

Notifications

  • Changed web notifications to sanitize HTML markup only when a raw string is used. Review any web notifications configured through custom skin-file tags and sanitize any HTML they contain yourself, since that content is no longer sanitized automatically.

  • Notifications: Changed usernotif.macros data type to memo.

Search

  • Fixed a bug where resource attributes could not be searched when the resource type was not specified.

  • Fixed two issues on the user search page when the system variable SEARCH_USER_WITH_ACCOUNTS is enabled:

    • The Select (>) button was not available in each row when trying to help another user.

    • A runtime error occurred in UserAccountSearch when running an advanced search on a profile attribute.

Security

  • Relaxed the Content-Security-Policy form-action directive so that SAML works out of the box (the SAML login flow sends the browser's form submission on to the identity provider's origin, which a form-action limited to 'self' blocks). Additional manual hardening is recommended: restrict form-action to your own origin plus the identity provider's origin rather than leaving it open.

UI / Customization

  • Fixed FormToggle javascript so that it can clear number fields when it disables them.

  • Removed token creation on login to CGIs.

  • Fixed issue where resource attribute could not be updated from a subsidiary page.

  • Corrected timezone inaccuracies for historical times in jurisdictions with timezone policies that have changed since the displayed time.

  • Fixed issues on the request details (popup) page for a role removal request when clicking the Expand role button:

    • The page went blank when the viewer was the authorizer or implementer.

    • Removed/retained role members and the role removal reason were not loaded under the right columns.

  • Fixed wizard attributes page to allow interpretation of attribute group's notesabove and notesbelow as HTML.

Vaulted files

  • Added a check when uploading a file for a file attribute in a request, so the upload fails if the file name's length exceeds the size of the database field that stores it.

Onboarding

  • Fixed issue when re-onboarding the same user (with same profile ID) where account and profile attributes could not be populated properly.

Unix

  • Deprecated Debian 9 as a supported platform.

  • Removed PhantomJS from Bravura Security Fabric instances.

  • Discontinued shipping of Unix modules (for the following platforms) with Bravura Security Fabric 12.7.0 and Connector Pack 4.6 or newer:

    • aix6.1.ppc64

    • aix7.1.ppc64

    • linux-glibc-2.5.x64

    • linux-glibc-2.12.x64

    • solaris11.sparc64

    • solaris10.sparc64

    • solaris10.x86

    • rhel-el7.x64

    • debian-9.x64

    Support can be provided at additional cost.

  • Removed build-id links from hid-common, hid-idapi, hid-pamutil and hid-mobproxy rpms to improve compatibility.

Services

  • Fixed the AJAX service for an edge case where it would not list target systems if it truncated a target's address in the middle of a multi-byte UTF-8 character.
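The AJAX service fix above is one instance of a general bug: truncating text by byte count can split a multi-byte UTF-8 sequence, leaving a byte string that no longer decodes, and a listing that stops at the first failure. The following is an added example, not the product's code, showing the naive byte slice beside a truncation that backs up to a character boundary; the target addresses are constructed sample strings.

```python
def naive_truncate(text: str, max_bytes: int) -> bytes:
    """The buggy approach: slice the encoded bytes, possibly in the middle of a character."""
    return text.encode("utf-8")[:max_bytes]


def is_valid_utf8(data: bytes) -> bool:
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def truncate_utf8(text: str, max_bytes: int) -> str:
    """Shorten text to at most max_bytes of UTF-8 without splitting a character.

    UTF-8 continuation bytes look like 10xxxxxx. If the first byte past the cut is
    one, the cut landed inside a character: move it back to that character's lead byte.
    """
    data = text.encode("utf-8")
    if len(data) <= max_bytes:
        return text
    cut = max_bytes
    while cut > 0 and (data[cut] & 0xC0) == 0x80:
        cut -= 1
    return data[:cut].decode("utf-8")


# Constructed sample target addresses (not real hosts).
SAMPLE_ADDRESSES = ["dc01.example.com", "zürich-dc01.example.com", "日本語サーバ.example.com"]


def display_addresses(addresses, max_bytes: int):
    """(address, shortened display form) for every entry; no entry is dropped by a decode error."""
    return [(a, truncate_utf8(a, max_bytes)) for a in addresses]


if __name__ == "__main__":
    for a, shown in display_addresses(SAMPLE_ADDRESSES, 8):
        print(f"{a!r:32} -> {shown!r}  (naive slice decodes: {is_valid_utf8(naive_truncate(a, 8))})")
```

Note that the loop backs up over continuation bytes only; a lead byte (11xxxxxx) or an ASCII byte (0xxxxxxx) immediately past the cut means the cut already sits on a boundary and nothing is dropped.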

Utility

  • Fixed serviceacct.exe to correctly update all applications.

  • Fixed dbarc to work correctly on schemas with characters that need escaping (such as hyphens).

Python / IDMLib

  • Updated the agent_sample.py idmlib sample script to fix a typo.

  • Allowed Python's DBAPI to control whether a sproc call replicates.

Deprecated

  • Removed the example component Functional.hid_custom_logo, as it duplicates the example in design\examples\customLogo.
