
12.6.3

Features and improvements

Installation

  • Added support for .NET 8.

Bravura Pass Plus

  • Added FILTER_ACCOUNT_PLUGIN script to Functional.plus_password_change_service to prevent users from manually changing the password of Pass Plus accounts via self service password change. Passwords can still be manually updated via Help Desk, in case Pass Plus accounts require manual intervention.

  • Added new functionality to Pass Plus to create Safe Secrets automatically for enrolled Users and Accounts. This functionality is disabled by default to prevent performance issues or over provisioning if filters are configured incorrectly.

Bravura Identity

  • Added a new option to run rbacenforce.exe and autores.exe to submit requests to resolve violations in parallel.

Bravura Privilege

  • Import rule attribute condition capacity has been increased.

  • Enhanced the Guacamole RDP Disclosure plugin to display the remote hostname in browser tab titles, significantly improving user experience when managing multiple remote desktop sessions.

  • Optimized team-filtered searches, especially for cases with very large numbers of memberships.

  • Added the -threads option for both rbacenforce.exe and autores.exe to submit requests to resolve violations in parallel as well as the PSUPDATE AUTORES THREADS and PSUPDATE RBACENFORCE THREADS system variables for the number of threads to use during auto-discovery.

Discovery

  • Fixed an issue where cross-target group relationships could not be loaded as group members (if the account/group members are also loaded within scope) on subsequent nightly discovery. This previously caused Active Directory domain accounts to be missing from the member list of an NT managed group, which listed only local users as group members. The Active Directory domain accounts are now also listed as members of the NT managed group.

Database

  • Auto-discovery performance was optimized by adding a SQL Server hint to the ObjAttrResync stored procedure.

Replication

  • Added two hardcoded exclusions to file replication: a folder under the instance root named local and a registry key under the instance root named local. These two locations can be used to hold files and registry values that are local to an instance and should not be replicated.

Groups

  • Introduced a new system variable MANAGED GROUP INHERITANCE COPY TARGET. It enables more intuitive handling of phased authorization when inheriting target system authorization. The system variable allows for retaining prior behavior so as not to disturb release trains. Upgrades will retain prior behavior (having the system variable disabled). New installs will have this turned on by default, allowing for new behavior.

Authentication

  • Added a new system variable, PASSWORD HISTORY VIEW INCLUDE FAILED PASSWORDS, to control whether failed randomizations are shown in the password history search engine for managed accounts. By default, failed randomizations are not shown.

Workflow

  • Optimized GroupMemberList and GroupMemberListByAccount stored procedures.

Reports

  • Updated the scheduled report configuration page to allow editing and saving a previously saved scheduled report on a patch-version-upgraded instance.

Proxy servers

  • Enabled specifying more than one proxy on the same host for a target system. This is the correct way to specify a fallback proxy when using the WebSocket Connector Proxy. Note that while it is now possible to configure multiple non-WebSocket proxies on the same host, that remains an incorrect configuration.

  • Added a reuse address option to sockets in ProxyTunnel.

  • Bravura Security Fabric catches exceptions thrown when trying to rebind to sockets that already have connections.

  • Bravura Security Fabric skips adding connections to the database list if they already exist from ungracefully closed connections.

REST API

  • Modified the REST API to query system variable values directly from the database, as needed, instead of consulting a cache that relies on change notifications from SQL Service Broker.

Resolved issues

Installation

  • Modified the installer to correctly verify .NET 6 is installed on pre-installation check.

  • Removed installer requirement that the SQL Server service broker be enabled.

  • Ensured logs are flushed to disk (file) when robot installation is completed or failed.

  • Updated the Login Assistant installer (ska-x64.msi) to hide the password for the administrative credentials (ADMIN_USERNAME, ADMIN_PASSWORD) in the log file. It is now replaced with "**********" in the logs.

Connectors

  • Resolved an issue where a failed connector operation showed the generic failure message "Failed (Failed: Operation results missing for index [0].)" rather than the actual error message; the actual error message is now shown to aid troubleshooting.

  • Made account attributes available to connectors for GRUA and GRUD operations.

Bravura Pass

  • Fixed an issue on the password reset results page where error messages returned from a connector for failed reset were truncated.

  • Resolved an issue with the Login Assistant / SKA when upgrading from version 12.4.x to 12.8.1 and up. Upgrading to 12.5.0 and up caused an upgrade issue due to the rebranding from Hitachi ID to Bravura Security.

Bravura Pass Plus

  • Fixed an issue in Functional.plus_password_change_service by enabling a hook; previously the startup type of the pluspwdsvc service was not correctly set to Automatic (Delayed Start).

  • Fixed an issue in the provisioning script that would cause it to fail to associate Secrets to Collections if too many new Groups were provisioned at once.

Bravura Privilege

  • When determining passwords that need to be flagged as "uncertain", the Local Workstation Service now includes ones that are pending and have svcids that no longer exist.

  • Prevented the system variable BYPASS_SCHEDULE_FOR_PRIORITY_RANDOMIZATIONS from affecting local service mode systems.

  • Fixed detection of password conflicts when a password is randomized simultaneously on its very first randomization.

  • Removed Telnet support from Guacamole.

  • Clipboard contents are no longer pasted into the Guacamole menu when it is not visible.

  • Description text of system variable IDARCH_RANDOMIZE_LOCAL_FALLBACK has been improved.

  • When system variable IDARCH_RANDOMIZE_LOCAL_FALLBACK is set to disabled, dialog warning text when clicking the Randomize button on the following screens has been improved:

    • Privileged access > Managed system policies > Randomization

    • Privileged access > Managed systems > Randomization

    • Privileged access > Managed accounts

    • Privileged access > Managed systems > <choose managed system> > Managed accounts

  • Fixed a minor bug where discovered system audit data was not always updated.

  • Import rule attribute condition capacity has been increased.

  • Improved usability around the logutil utility on non-instance systems. Well-known instance names that correspond to client utilities (such as disclosure plugins) no longer require the makekey flag to be set.

  • Changes to Create OTP user request:

    • When a request is issued from a secondary node, it is now always forwarded to the primary node, in case the secondary nodes are unstable.

    • Fixed an issue where retry operations could never succeed if the initial attempt failed.

Bravura Identity

  • Fixed a performance issue where starting a create role request took a long time when a large number of existing roles were configured.

Component framework

  • Removed the broken and unmaintained hid_synthetic_target component.

  • Provided a sample showing how to wrap an agent using agtpython.

Reports

  • The Sent Notifications (usernotif) report now contains the correct number of users in summary mode.

Workflow

  • Requests are forwarded to the primary node to process if the recipient doesn't exist on all the nodes.

  • Fixed a potential race condition that results in duplicate profile attributes when updating profile attributes through a request in a replication environment.

  • Fixed multiple issues in the wizard functionality, including form control validation, attribute page navigation, and disabled attribute handling. This resolves problems with moving between wizard pages when date selector attributes are in read-only mode, ensuring a smoother and more intuitive user experience during request submissions and authorizations.

  • Fixed an issue on the request details popup page where attribute ACLs were not respected on refresh.

  • Fixed an issue where the authmod plugin failed to populate authorizers if a request has duplicate RLUA operations (added by wfreq plugin).

  • Fixed issues on the request details (popup) page for role removal requests when clicking the Expand role button:

    • The page went blank when the viewer was the authorizer or implementer.

    • Expanded removed/retained role members and the role removal reason were not loaded under the right columns.

  • Improved the request KVG in workflow plug-ins' input. When a request contains duplicate resources, it now always includes the copy from the enacted resource, if applicable. This avoids issues with authmod, implementer, and other plug-ins caused by the duplicate resources.

  • Fixed an issue where an implementer (request)-created account could conflict with a discovered account if their object names differed only by case, resulting in a runtime error during discovery.

  • Fixed an issue where the wizard entitlement members page was broken when starting a request in the roles app if some of the potential members' descriptions were too long.

UI / Customization

  • Fixed an issue where the product login page wasn't respecting the browser's preferred language settings, ensuring users now see the login interface in their browser-defined preferred language.

Upgrade and migration

  • Resolved an upgrade issue due to failure in dropping index reqinfo_full_uk1.

Database

  • Fixed a failure of the stored procedure FoundComputerImportRevert that could occur when multiple target system import rule evaluations for the same discovered system occurred within the same millisecond and target creation ultimately failed (due to network failure, incorrect credentials, and so on). Failure of this stored procedure causes temporary target systems to be left behind.

  • Improved the performance of the AttributeSet and AttribAdd stored procedures, preventing deadlocks when large sets of data are involved.

Services

  • Fixed a delayed crash that could occur when agents timed out at the same time that they finished running.

Utilities

  • Fixed the loaduccache.exe utility to return only cacheable userclasses/userclasspoints with the -listuc and -listucp options respectively.

  • Fixed a random crash in the rbacenforce utility.

  • Instdump.exe now includes the MTCSPI common files subfolder when listing binary versions.

  • Modified the userunlock utility so that when the "-all" option is specified it ignores the system variable LOCKOUT_DURATION, which should only be used for automatic unlock.

Discovery

  • Fixed a deadlock that could occur when the system was experiencing severe memory pressure.

  • Updated the idpm service to log queued password reset operations with the appropriate result (success/failure) for password resets requested from the UI.

  • The default value for the discovery option "Link accounts on this target system to subscribers" for the target system discovery template "NT_TEMPLATE" has been changed from enabled to disabled. Additionally, all discovered systems created from NT_TEMPLATE will have this setting set to disabled during upgrade.

Logging

  • Fixed incorrect error message when psupdate failed to run because another instance of psupdate was already running.

  • Fixed an issue where the identifier in the logs intended to correlate user activity in the AJAX service would get stuck showing the same user ID repeatedly.

  • Fixed an issue so that the Identifier field (ident column in the sesslog_full table) is now filled in for password reset related operations, such as transparent synchronization requests. This previously caused the Identifier field to be blank in the Event Log reports for later versions of Bravura Security Fabric.

API

  • Implemented custom Persisted Grant Cleanup Service to remove expired tokens beyond a threshold (24 hours).

  • Idmlib functions used only by the REST API now have an operation identifier added alongside the user token.

  • Idmlib checks now confirm that the token was valid at the time of the operation request.

  • Added new operation types to constraints.

  • Resolved duplicate left joins on REST API calls when expanding with OData:

    • Sets the query-building behavior to use splitting, which improves performance.

    • Enables the validation of OData options manually in custom EnableQueryAttribute using OData functions.

    • Added a new attribute option, AllowedOrderByPropertiesList, to allow a proper array of strings for properties.

  • The REST API will no longer start if the schema is missing, if iddb is down, or if the configuration (BASE_IDSYNCH_URL) is missing. Bravura Security Fabric will retry every 30 seconds until ready, and then start accepting requests.

  • Fixed a REST API GET /users endpoint bug where a null display name value caused incomplete output.

  • Removed SQL Service Broker dependency from OPADotNet.

  • Introduced a named pipe to trigger policy updates in OPADotNet.

  • Fixed an issue where user IVR numeric IDs are not updated if the user is renamed.

  • Fixed a limitation in idmconfig that prevented saving OPA (Open Policy Agent) policies containing the custom REGO function IsSuperuser or the custom REGO function GetProfileAttributeValues.

Proxy servers

  • Fixed an issue where the WebSocket Connector proxy was unable to start on older versions of the .NET framework.

  • Fixed a failure when upgrading a proxy that does not have the WebSocket connector proxy installed.

  • Fixed an issue where proxy services would incorrectly report that a file didn't exist if that file was larger than 4 GB.

  • Fixed an issue where the WebSocket Connector Proxy was unable to authenticate after performing a major-version upgrade.

Upgrade actions

Installation

  • Install the .NET Runtime 8.0 with the following:

    • ASP.NET Core Hosting Bundle 8.0.x (latest; use the 'Hosting Bundle', not x86 nor x64)

    • .NET Desktop Runtime 8.0.x

Authentication

  • The default behavior for the managed account password search engine has changed to hide failed randomizations. You can revert to the previously-default behavior by enabling the PASSWORD HISTORY VIEW INCLUDE FAILED PASSWORDS system variable.

Bravura Privilege

  • Update the Guacamole server.

  • No upgrade actions are needed for stock to stock upgrades; however, custom to stock/custom upgrades may require adjustments if affected components were customized or any criteria elements defined in those components were referenced. List of changed components:

    • Functional.pam_account_management

    • Functional.pam_system_management

    • Scenario.gm_folder_create

    • Scenario.pam_otp_api_management

    • Scenario.pam_team_privilege_requesters

    • Scenario.pam_team_privilege_trustees

Bravura Pass Plus

  • Existing users of Pass Plus will need to configure some additional settings in order to take advantage of the automatic provisioning feature, including configuring a target for Safe User Management, and setting up a template account for Safe Secrets. These steps are outlined in the component's README file.

Proxy servers

  • Upgrade proxy nodes due to the following fixes in ProxyTunnel:

    • Added a reuse address option to sockets in ProxyTunnel.

    • Catches exceptions thrown when trying to rebind to sockets that already have connections.

    • Skips adding connections to the database list if they already exist from closed connections.

Groups

  • Enable the MANAGED GROUP INHERITANCE COPY TARGET system variable if you want to enable the more intuitive handling of inherited phased authorization.