
12.6.2

Features and improvements

Security

  • Added the API_ADMIN_PLUGIN_EXCLUDE system variable, which lists users for whom the API_ADMIN_PLUGIN plugin is not run.

Workflow

  • Modified the workflow service (idwfm) and the transaction monitor service (idtm) to automatically complete (set reqbatch.status to 'C') requests that are stuck in processing because idtm did not receive the agent's results in a timely manner. The grace period is the remainder of the retry intervals. On idtm service start, the result of any unfinished operation is marked "N" (Unknown).

    This is a key workflow improvement when requests become stuck in processing.

  • Improved the performance of loading and checking the authorization configuration of an object (managed group, target, etc.) by returning only the userclasspoints configured for that object, instead of returning all userclasspoints and filtering them in C++ code.

  • Added the system variable IDP_DISABLE_ABSTAIN to control whether authorizers are allowed to abstain from a request (from the API and the UI).

  • Optimized the Requests app to load large size requests.

  • Modified the Requests app to add two more filters to the OTHER REQUESTS section of the left menu panel for users with the "View workflow requests" global help desk ACL, and retired the ACLs "View open requests" and "View archived requests", which are no longer needed with the new filters. The new filters are:

    • All: view all requests

    • Closed: archived requests only

Authentication

  • Improved the styling and structure of radio selection lists in authentication chains.

Bravura Privilege

  • Added the system variable IDARCHIVE_RANDOMIZE_LOCAL_FALLBACK, which allows randomizations to be performed on the local node when the managing node is unavailable. It is enabled by default.

    If IDARCHIVE_RANDOMIZE_LOCAL_FALLBACK is disabled, a confirmation dialog box appears on pages where bulk randomization is performed, stating that the randomizations will be performed by the local node.

  • Modified the Privilege app to separate randomization of multiple accounts according to managed system policies.

  • Improved performance of stored procedure LWSMonWstnCheck.

  • Added index to table wstnpwdchkout_full.

  • Optimized the execution of import policy rules.

Bravura Identity

  • Optimized the stored procedure UCCacheValidityListForRequestNonUser to return early when the current request has no GRGA/D operations, which speeds up userclass cache updates triggered by requests.

Bravura Pass Plus

  • Added components for interfacing with Bravura Cloud as part of Pass Plus's Password Change/Resecure feature.

    • Added Functional.plus_password_change_service component.

    • Added Functional.plus_automatic_resecure component.

  • Changed how accounts are filtered in Pass Plus to avoid overburdening the REST API with expensive queries.

  • Added script that caches Pass Plus account enrollment in Bravura Cloud, to enable Cloud to visualize what accounts are enrolled, and Fabric to more quickly evaluate which accounts are enrolled.

Database

  • Added database index wstnpwdchkout_full_idx_4 to table wstnpwdchkout_full to improve performance of stored procedure LWSMonWstnCheck.

Notification

  • Changed Acceptable Use Policy (AUP) as follows:

    • A confirmation box now pops up when a user declines the AUP.

    • Added the plugin AUP_PLUGIN to control what happens after a user declines the AUP.

Resolved issues

Security

  • Addressed CVE-2024-39694 (an open-redirect vulnerability reported in Duende IdentityServer) by porting the fix from Duende IdentityServer to the open-source IdentityServer4.

API

  • Improved logic of scripted agent for OTP API Account creation to tolerate timeouts and retries.

  • Fixed an issue with HTTPS bindings in the IDAPI SOAP service.

  • Fixed UserEnable, UserDisable API functions to properly set authentication even if a user has never attempted to log in.

  • Fixed several resource leaks that occurred when clients attempted to log in to the idapisoap service but failed (for example, with the wrong userid or password).

    As a result of this change, when calling an API function using the single-call functionality (providing the username and password in the sessdat field) with an incorrect password, the error code has changed from ERR_NOT_LOGGED_IN to ERR_INVALID_SESSKEY.

  • Updated the NuGet package 'Microsoft.Data.SqlClient' from 5.0.1 to 5.2.0 for the REST API.

Discovery

  • Fixed auto-discovery duplicate-key error where a workflow request implementer task recreated a previously deleted account with the same stable ID as the deleted account.

  • Fixed an issue in loaddb where displayName (metaobj.objectdesc) change for accounts couldn't be loaded to the associated profile.

  • Added a discovery-batching throttler to reduce discovery overhead for cases where large numbers of discoveries are continuously arriving, such as Local Workstation Service deployments.

  • Fixed slow discovery bulk loading.

  • Fixed an issue where a rehire request for a user whose profile is invalid, combined with a requested orgchart manager change, produced duplicate ORG* operations in the request.

  • Fixed a crash on the reset password page when loading the password policy "not begin with the first N characters of the profile ID or name" for a user whose full name contains non-ASCII characters.

  • Fixed an issue where a file lock (for example, from a virus scanner) at the wrong time during discovery could cause incorrect data to be loaded.

  • Fixed a cosmetic error encountered when importing pamteam data with migratedata.exe.

  • Fixed the "console users with empty passwords" check in auto discovery (psupdate) to properly retrieve the console users' display names.

  • Fixed an issue in loaddb so that when account attribute value is removed on the target, the corresponding profile attribute (single mapping) can now be removed regardless of whether the profile attribute value is loaded from the target.

  • Optimized the userclass/userclasspoint cache update triggered by a single-user psupdate. Instead of recalculating all memberships of the affected userclasses/userclasspoints, it now tests userclass/userclasspoint membership only for the specified user and updates the cache accordingly, which is much faster.

  • Optimized auto-assignment variance checking and the generation of autores child requests spawned from another request.

Authentication

  • Made password validation work properly when validating against profile id or name related password rules for create new user or rename existing user request.

  • Fixed an issue where phased authorization became stuck when an authorizer approved a phase and:

    • the system variable IDWFM_AUTH_PHASE_PROPAGATION is enabled, and

    • the authorizer is assigned to multiple phases, each of which has multiple authorizers assigned.

  • Fixed an issue where Q&A could not be validated properly against external question sets (it always passed) when authenticating through idapi (idapisoap).

  • Fixed an issue with phased authorization when there is a denial at one phase due to insufficient authorizers causing later phase(s) to not open, ultimately resulting in the request being stuck in approval state and never completing.

Authentication chains

  • Simplified the SAML RelayState payload so that it is shorter than 80 characters, to meet the SAML 2.0 Bindings specification (which limits RelayState to 80 bytes).

  • Fixed an issue where authchain cannot validate against external question sets properly (if configured).
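The RelayState fix above concerns a limit from the SAML 2.0 Bindings specification (RelayState must not exceed 80 bytes) and the related practice of keeping RelayState opaque, so that application state such as the post-login return path lives on the server rather than in a parameter the user controls. The following Python is an added example, not Bravura Security Fabric code: it issues short random tokens, keeps the real return path server-side, and rejects oversized, replayed, expired or non-local values. The RelayStateStore class and its in-memory dictionary are assumptions for illustration; a deployment would back it with a shared, expiring cache.

```python
"""Opaque, bounded SAML RelayState tokens (added example, not product code)."""
import base64
import secrets
import time
from typing import Optional

RELAYSTATE_MAX_BYTES = 80  # SAML 2.0 Bindings, sections 3.4.3 and 3.5.3


def relay_state_is_well_formed(value: str) -> bool:
    """Length check an SP or IdP should apply before doing anything with RelayState."""
    return 0 < len(value.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


def _is_local_path(url: str) -> bool:
    """Accept only paths on this host, so the stored target can never become an open redirect."""
    return url.startswith("/") and not url.startswith("//") and not url.startswith("/\\")


class RelayStateStore:
    """Issues single-use, time-limited tokens and maps them back to a return path.

    Hypothetical helper: the dictionary stands in for a shared cache.
    """

    def __init__(self, ttl_seconds: int = 300):
        self._entries: dict[str, tuple[str, float]] = {}
        self.ttl_seconds = ttl_seconds

    def issue(self, return_to: str, now: Optional[float] = None) -> str:
        if not _is_local_path(return_to):
            raise ValueError("return_to must be a local path")
        now = time.time() if now is None else now
        # 128 random bits -> 22 URL-safe characters, well under the 80-byte cap
        token = base64.urlsafe_b64encode(secrets.token_bytes(16)).rstrip(b"=").decode("ascii")
        self._entries[token] = (return_to, now + self.ttl_seconds)
        return token

    def redeem(self, relay_state: str, now: Optional[float] = None) -> Optional[str]:
        """Return the stored path for a valid token, or None. Tokens are single-use."""
        if not relay_state_is_well_formed(relay_state):
            return None
        now = time.time() if now is None else now
        entry = self._entries.pop(relay_state, None)  # pop: a replayed token fails
        if entry is None:
            return None
        return_to, expires_at = entry
        if now > expires_at:
            return None
        return return_to


if __name__ == "__main__":
    store = RelayStateStore()
    token = store.issue("/app/requests?id=42")
    print(len(token), store.redeem(token), store.redeem(token))
```

The SP generates the token when it builds the AuthnRequest and redeems it once when the Response comes back; because the token carries no meaning, an attacker who tampers with RelayState can only cause the login to fall back to the default landing page.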

OrgChart

  • Fixed an issue where transfer subordinate couldn't update orgchart properly after request is approved, if the old manager is already terminated (invalid).

Workflow

  • Fixed an issue where duplicate accounts are created when there are multiple create-new-account requests issued and completed by implementer.

  • Restored the disabled state for wizard date attributes.

  • Fixed an issue where workflow-created objects may conflict with subsequently discovered objects if their names differ only by case.

  • Fixed an issue where the wrong child request was generated from hid_policy_request_chain because of a rename that happened after the (parent) request was submitted and before it was approved/processed.

  • Fixed an issue where requested account information (target system) couldn’t load properly on request details page if the account was renamed after the current request is submitted.

  • Fixed an issue with requests for a new account and new groups (on the same target as the new account) where a requested new group could not be removed, either while editing an already submitted (pending) request or during request creation.

  • Fixed idmconfig so that SoD rules' member entitlements can be set properly.

  • Fixed Bravura Security Fabric so that the PSLang getUsersByGroup function no longer returns an empty user for unassociated accounts that are members of a group. This prevents loaduccache from failing when getUsersByGroup is used in a userclass's list expression and orphan account members exist.

  • Fixed an issue where a delegate of a request who tried to view request details in the Requests app got an empty popup page stating that the user does not have permission.

  • Fixed a regression where profiles could have profile attributes deleted during discovery if:

    • The profile attributes are set by a request, and

    • The profile attributes are mapped to an account attribute, but

    • The profile does not have an account associated that would provide that mapping

  • Fixed Functional.hid_batch_request_submit to automatically remove the leading and trailing spaces from column name values.

  • Updated Scenario.pam_vault_management to convert generic exceptions into specific error messages.

  • Fixed a log warning when loading time zone information for UTC, where the warning was:

    Warning: Failed to read registry value for TZI for [Coordinated Universal Time] - The system cannot find the file specified.

Reports

  • Fixed an issue where requested action's audit time was not updated when the action is processed. The Request event log report can now load the end time of the action properly.

  • Fixed the Managed Account Attributes report so that the user who scheduled the report is used during scheduled execution.

Proxy servers

  • Fixed an issue where WebSocket Connector Proxy clients could not connect if the host service was unable to shut down cleanly.

Bravura Privilege

  • Added fixes that improve the efficiency with which local service mode discovered system data is sent to the Discovery service (iddiscover).

  • Reduced the number of discovery batches submitted by local service mode systems: when LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY is disabled and network adapter attributes are the only computer attributes in an iddiscover batch, the entire batch is now discarded instead of submitted.

  • Improved accuracy of calculated-computer-attribute updates for compNotDiscoveredPastThreshold and compNotDiscoveredDays while reducing discovery batches submitted by local service mode systems.

  • Added debug logging to make it easier to track all local service mode discovery-batch submissions (can search for "discovery submission" log entries).

  • Fixed local service mode bug where computer attribute operatingSystemServicePack was being submitted to iddiscover unnecessarily when its value was empty.

  • Fixed bug where calculated local service mode computer attributes were not getting deleted when their values change from populated to unpopulated.

  • Fixed ajax.exe crashing on IPC failure.

  • Improved speed of evaluation of import rules.

  • Added the accountShortID builtin attribute for account import rules.

  • Reduced calculated attribute discoveries submitted by local service mode.

  • Removed one local service mode discovery during the registration phase.

  • Fixed an idmconfig export issue where ImportRuleAttr would only export if the associated import rule is disabled.

  • Fixed Wizard-related stored procedures so that they no longer fail on unnecessary type conversions that do not succeed.

  • Fixed incorrect group assignment for accounts that were deleted and then recreated with the same name while not listed (for example, while in a non-listing OU).

  • Fixed Managed account's rule conditions page to always load select button (>) in the rules list table even when the page is not wide enough (not collapsing the button into the expand details button).

  • Fixed an issue to correctly inject the password into RDP credential window when using RDP disclosure plugin on Windows 11.

  • Fixed import rule and import rule expression checkorder validation bugs in idmconfig that were preventing updates to existing import rules.

  • A vault-only password override is disabled in Resources > Privileged access > Managed systems > Managed accounts > [choose account] if the account is in HISTORICAL_DATA_GRP.

  • Fixed import rule and import rule condition data during upgrade so that there are no duplicate checkorder values, which an older product version with inadequate data validation may have inserted.

  • Import rules can now be added and updated using idmconfig-util.exe; the invalid checkorder validation has been removed.

Bravura Pass

  • Fixed an issue where the password rule "not have been changed by you in the last N hours" failed to validate for a user with multiple accounts when some of the accounts' passwords were changed within the last N hours but at least one account's password was changed earlier than that.

  • Fixed idpm when resetting a user's account passwords to a previously used password (where the password policy allows it) that was only ever used by one account: idpm set history.time to the time that old password was originally set for all of the accounts, when it should only have done so for that single account.

  • A password change is now recorded only when the change succeeded, so the "not have been changed by you in the last N hours" rule can pass for a password that failed to be set.

  • Fixed a race condition in idpm where the request issuer got a reply from idpm before idpm finished the agent operation due to agent operation time out.

  • Fixed idpm so that recipient user's profile information can be recorded in sesslog for `Admin change expire` (ACEX) and `Admin change` (ACHG) operations, so the operations can show up when viewing the recipient user's operation history.

  • Fixed a crash on shutdown in runurl.exe.

Bravura Pass Plus

  • Fixed Functional.plus_automatic_resecure not finding all expired accounts for a user.

  • Fixed issue in Functional.plus_automatic_resecure that prevented the processing of expired accounts with a \ in the name.

Bravura Identity

  • Fixed issues in the Requests app for implementer request:

    • Implementers can now edit the request when they have the appropriate ACLs after accepting the task.

    • When implementers also have the "View workflow requests" but not "Manage workflow requests" ACL, they can act on the task (accept/complete/decline/etc.) assigned to them through the "OTHER REQUESTS" filter.

  • Fixed an issue where idtrack kept issuing requests to set a user attribute to NULL when the attribute value was already NULL.

  • Fixed an issue where idapi submitted create group request where CRTG (Create Group) operation was not added to the request.

  • Fixed an issue where account attributes could not be set in the product database for a new account created by an implementer, based on the following mapping configurations:

    • Action when creating account: Set to specified value

    • Map account attribute to profile/request attribute: [profile attribute to map to]

    • Load attribute values from target system: checked

    • Populate mapped profile attribute with values from target system: unchecked

  • Modified the request update stored procedures to always sync reqacct.profilename with reqbatch.recipientname for new-user requests before the request is approved.

  • Fixed an issue where account attributes could not be passed to the agent for a create-new-account operation when the user (profile name) was renamed after the request was submitted.

Upgrade and migration

  • Fixed the setting of new default values for system variables during upgrade:

    • RES_ATTRIBUTE_UPDATE_DELAY

    • RES_DELAY_UPDATE_ATTRIBUTES

    • LWS_LAST_CONNECTION_UPDATE_INTERVAL

    • LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY

  • Corrected upgrades from pre-12.0.0 that incorrectly attempted to de-duplicate objects of different types with the same stableid (for example, an account and a group both named "root").

  • Modified upgrade script to properly clean up invalid data from "ucpcache" (12.3.0) so upgrade can proceed.

  • Improved performance of host triggers, especially when upgrading past version 12.0.0.

  • Fixed database verification error bug encountered during instance upgrades to 12.5, 12.6, and 12.7.

  • Improved the speed of migratedata when exporting large numbers of rows.

  • Fixed upgrade error from (12.6.0 or 12.5.1 and older) to (12.6.2 or 12.7.0) where "usernotif"."macros" field length was not increased to MAX.

  • Fixed a setup.exe issue that caused the IIS backup action to fail during upgrades.

  • Fixed an upgrade failure that occurred in some cases when the upgrade script intended to correct very rare group membership data inconsistencies encountered both consistent and inconsistent data.

  • Streamlined component load process to not import every Python script.

  • Fixed group set data created in pre-12.0.0 so that check-outs and check-ins perform as expected after upgrade.

UI / Customization

  • Fixed wizard attributes page to allow interpretation of attribute group's notesabove and notesbelow as HTML.

Database

  • Fixed some stored procedures that were replicating when they shouldn’t be.

  • Schema change: made field piqueue.retrydata memo.

  • Fixed a runtime error (mismatched number of BEGIN and COMMIT statements) in the stored procedures UserClassCacheUpdateUser and UserClassPointCacheUpdateUser when the userclass/userclasspoint cache to be updated is invalid.

  • Fixed dbarc to work correctly on schemas with characters that need escaping (such as hyphens).

  • Bravura Security Fabric pre-emptively prevents SQL Server from choosing a poor plan for MetaMergeGetDeleted.

  • Optimized the FoundCompattrListMV stored procedure as well as some pre-defined requests using the same schema.

  • Performance improvements by way of replacing a number of calls to stored procedure WstnPwdGetFull with less expensive ones.

Replication

  • Optimized one of the queries in ObjattrResync.

Utility

  • Fixed serviceacct.exe to correctly update all applications.

Services

  • The base logging configuration (specified under the idmlogsvc service in Manage the system > Maintenance > Services > idmlogsvc) no longer replicates, to allow for different nodes to log at different levels.

Python / IDMLib

  • Allowed Python's DBAPI to control if a sproc call replicates.

Search

  • Fixed bug where unable to search for resource attributes when resource type is not specified.

Deprecated

  • Removed the example component Functional.hid_custom_logo, as it duplicates the example in design\examples\customLogo.