12.6.0
Deprecated features
Starting in 12.6.0, as Internet Explorer is no longer supported, ActiveX controls are no longer officially supported. They will still be shipped, but will not be loaded on any web page. They can still be installed on client workstations, where native extensions skip the download and use the installed.
Use Guacamole controls and Secure browser/webapp in place of ActiveX controls.
Removed installers for ActiveX local reset extensions.
Removed old Internet Explorer 11 specific styles and JavaScript.
Added unsupported browser redirect when the product is accessed with Internet Explorer 11.
Bravura Security Login Manager has been discontinued and is no longer supported.
Removed deprecated SOAP WCF-based binaries.
Mac OS support for Login Assistant / Self Service Anywhere is now deprecated.
Features and improvements
Bravura Pass
Updated Password Change Notification Module installer, so the LONGID installer variable can be used on the command line to configure the setting "Long ID format to send to Password Manager service".
Bravura Privilege
Added filter to hide invalid accounts from PAACCESS.
Secure browser has been updated to make use of WebView2, which is based on Microsoft Edge (https://learn.microsoft.com/en-us/microsoft-edge/webview2/).
Server hardening
The shipped Content-Security-Policy was hardened to remove wildcards.
One wildcard remains on connect-src; it must be hardened after installing and setting up replication and load balancers. See Content-Security-Policy (CSP).
img-src defaults to self, which means only images served by the instance can be loaded. Customers that use an external directory for profile picture URLs must whitelist the external directory for images to load.
The Recaptcha component has been updated to use the recaptcha.net URL instead of google.com. Check that this component was upgraded successfully.
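One way to check an instance's policy against the connect-src and img-src points above. This is an added example, not code from Bravura Security; the policies and host names are constructed, and host matching is simplified (ports and paths in source expressions are ignored).

```python
# Added example (not vendor code): audit a CSP header value for wildcard
# sources and test whether an image URL is permitted by the policy.
from urllib.parse import urlsplit

def parse_csp(header):
    """Return {directive: [source, ...]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def wildcard_findings(policy):
    """List (directive, source) pairs whose source expression contains '*'."""
    return [(d, s) for d, srcs in policy.items() for s in srcs if "*" in s]

def source_matches(source, url):
    """Match one scheme-source or host-source against a URL (simplified)."""
    u = urlsplit(url)
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):                      # scheme-source, e.g. https:
        return u.scheme == source[:-1].lower()
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    pattern, host = s.hostname or "", u.hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])         # subdomains only
    return host == pattern

def img_allowed(policy, url, origin):
    """True if url may load as an image; origin is the instance's own origin."""
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:
        return True                               # nothing restricts images
    for src in sources:
        if src == "'self'" and source_matches(origin, url):
            return True
        if not src.startswith("'") and source_matches(src, url):
            return True
    return False

# Constructed policies and host names for illustration, not the shipped policy.
ORIGIN = "https://idm.example.test"
BEFORE = "default-src 'self'; img-src 'self'; connect-src 'self' *"
AFTER = ("default-src 'self'; img-src 'self' https://photos.example.test; "
         "connect-src 'self' https://node2.example.test")
```

Running `wildcard_findings` on the header an instance actually returns shows which directives still need explicit hosts, and `img_allowed` confirms whether an external profile-picture host has been whitelisted.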
Proxy servers
Added proxy tunnel client functionality to use an HTTPS-based approach to connect to proxy servers and avoid opening inbound TCP ports.
Auto discovery
Updated auto discovery, so Source of Profile target accounts that don't produce profiles can still auto-associate to other profiles.
Resource and group attributes
Configurations for boolean account and group attributes now include settings for specifying the values representing "true" and "false" on the target system.
Components
Updated the version of the sqlite3 dll to 3.41.2.
IDMLib (Python)
Removed explicit schema name from models generated by peewee_iddb.
Added support for Python 3.11 for Bravura Security Fabric.
Upgrade / migration
Added the upgradetest utility with the shipped installation files to check for potential issues prior to upgrading the database.
Updated migratedata to support migrating manual associations of accounts to profiles (-manual_assoc).
Updated migratedata to support migrating profile role memberships. Only memberships with valid profiles can be migrated, and memberships to deprecated and non-assignable roles can be filtered out (-rolembrs).
Notification
Moved PSN "user becomes compliant" message to be displayed in the Front-end (PSF).
Modified auto discovery error email to keep the text formatting even when system variable MAIL_CONTENT_TYPE is enabled (Enable HTML mail content).
Added support to send out IDTM failure notification emails to requester, recipient and the authorizers when operation fails to implement after the second try, so interested parties can be more responsive to address the issue.
User interface
Reduced loading time of profile page when a user has many entitlement attributes.
Upgraded Angular to 15.2.9 (and all NPM dependencies).
Utilities
Enhanced the iddbadm utility to be able to swap between SQL and Windows authentication.
Added the ATTR_AUTO_PROPAGATE_THRESHOLD to control whether requests should be submitted at all if the number of requests exceeds the threshold when running idtrack. Bravura Security Fabric sends an email to the product administrator.
Added the AUTO_ASSIGNMENT_THRESHOLD to control whether requests should be submitted at all if the number of requests exceeds the threshold when running autores. Bravura Security Fabric sends an email to the product administrator.
Modified migratedata utility to add support for "userattr_file".
Added a limited node synchronization checking utility, limitedsynccheck.
Client tools
Added client tools support for Windows 11.
Transaction monitor
Modified account/group attribute override page to warn if both values are set and mapped account/group attribute to profile/request/resource attribute are configured.
Modified Transaction Monitor Service (idtm) so that, when determining the attribute values passed to the agent on account update, requested profile attribute values take precedence over literal values.
Replication
Changed file replication to skip log-level overrides for specific modules (such as via psdebug.exe). These overrides are now node-specific.
Added *.pyc files to the hardcoded file replication blacklist.
API
Added idmconfig support for policy retrieval and update.
Added new REST API authorization policies page under Manage the system > Policies. The page allows you to search, download, and reset these policies to default.
Default authorization policies have been added for many REST API endpoints. Endpoints which don't have a specific policy yet will use the 'generic_policy' policy. Default policies and their mappings can be found in the REST API Postman documentation. Alternatively, policy mappings can be viewed on the Manage the system > Policies > REST API authorization policies page, where you can also download the current policy or reset modified policies to their defaults.
Target namespace of IDAPI SOAP API has been updated to www.bravurasecurity.com.
Resolved issues
Installation
Instance pre-installation check "IIS Web Server Module Conflict check" warns if IIS module "Web Distributed Authoring and Versioning" (WebDAVModule) is installed and suggests disabling it due to potential interference with REST API usage.
See Primary server requirements.
The installer for Phone Password Manager was fixed for an error that occurred during upgrades.
Fixed a problem where minimal connector pack installs may not be able to list.
Fixed an error in post-installation in shared schema.
Fixed all installations in shared schema to not change the RestApiKey on secondary nodes.
Added ENCRESTAPIKEY to INF file for replication and/or shared schema setups.
Modified resetkey utility to include option to export RestApiKey into INF file.
Bravura Privilege
Archived accounts are hidden in the CREATE_PAMUTIL_API_USER pre-defined request.
In the Privileged Access app, for a date/datetime field, the timezone value is now displayed next to its label; before, it was displayed next to its widget, which rendered it nearly hidden.
Fixed password CICO expiry email to load the proper time zone info for TIME variable.
Improved performance in stored procedure PolicyRuleComputerDeploy.
Fixed checked-out data on sessdata on previously selected items.
Bravura Pass
Adjusted netvalidatepwpol plugin to be able to directly check against Azure.
Authentication
Fixed invalid authchain select rule in Scenario.hid_authchain_saml_sp.
Workflow
Fixed request generation to include seqno's in reqinfo kvg for default attribute values.
Ensured that OrgChart authorizer email only sends out to the related managers when request also has non-org operations.
Fixed an issue with UPDT (account attribute update) request so that an empty value is set for the affected account attribute that is mapped to a profile attribute of user type, and there is no valid account associated with the user profileguid (userattr value) on the same target as the account to be updated.
Fixed an issue in the Requests app where, when a workflow manager views a selected request for which he/she doesn't have ACLs on the requested attributes, the wrong capacity is loaded, and when he/she clicks on the hyperlink to view request details, the requested attributes' ACLs are not respected and the wfreq plugin fails to run.
Fixed an issue so that multi-value account attribute values are set properly when an implementer completes the account creation tasks.
Account attribute values returned by agents on create/update will now flow through to mapped profile attributes.
Fixed request details popup page to properly check the viewer's ACLs on the attributes instead of the request's requester's ACLs to determine if requested attributes should be loaded.
Added the request ID information to the email plugin input.
Request information is saved to the session to avoid the loss of the operations when the wfreq plugin fails.
IDMConfig will no longer abort if there is an attempt to add a duplicate default value to an attribute. It will be logged as a warning instead.
Fixed a potential runtime error "Subquery returned more than 1 value..." in sproc BlackboardRuleGetBatch, which results in request being canceled.
Fixed an issue where ORGCHART_MANAGER attribute was updated with the manager's accountname (instead of manager's profileguid) for create/update attribute request.
Certification
Fixed an issue in certification where the spinner did not appear when revoke remediation PDR was being calculated.
Upgrade / migration
Changed migratedata.exe to require administrator permissions.
Removed the symbolic link in the registry between the Hitachi ID and Bravura Security keys when they are no longer needed or in use and installing a new instance.
Modified upgrade scripts to properly clean up invalid data from "xgrpmbr_diff" (11.2.0) and "ucpcache" (12.3.0) so upgrade can proceed.
Fixed an extremely rare upgrade failure when stableids are duplicated with only a difference in whitespace-only Unicode characters.
Fixed a less-rare upgrade failure when stableids are duplicated, differing only by case, for group objects.
The Password change history report lists the Date of password change column with values from before and after an upgrade to 12.*.
Fixed migratedata failing to correctly export encrypted profile attributes.
Replication
Fixed a handle leak in idfilerep when an I/O error occurs (such as the disk being out of space).
Fixed an issue preventing account attribute modification history from propagating to secondary nodes.
Added the "down" option to nodestat.cfg/loadbalancerstatus.exe to cause it to always report the node as down.
Security
Updated the X-XSS-Protection HTTP header to the currently recommended value (0, or disabled).
Fixed a security issue where users could potentially cancel a request for others from the Requests app, where they don't have the privilege to do so.
Fixed a security issue where a user could view the request details of other requests without having the privilege to do so.
Patched jQuery vulnerabilities CVE-2019-11358, CVE-2015-9251 and CVE-2020-11022.
Fixed an issue to prevent XSS injection while editing main menu boxes and items.
Components
Fixed replacement of variables within environment files.
Fixed issue where loaddb components would fail if the stableid of an object changed only by its case.
Fixed idtrack Scenarios to account for invalid Profiles.
Removed sanitize_number function from SMS provider components.
Fixed how export_data_components.py check_encrypted behaves so it can actually be used to correct invalid/unusable TargetCredentials.
Fixed an issue where users without a TERM-STATE value would be ignored in Scenario.im_corp_hr_orgchart_manager's evaluation of users.
Fixed the logic in pam_team_authorization to correctly select a random sample of authorizers if the number of requested authorizers was less than the number available.
Fixed issue where extra authorizers could not be added to a request via pam_team_authorization extdb table.
API
Fixed Resource* class of IDAPI functions to be able to modify discovery flags of targets.
Fixed an issue where sessionid is not returned back from api call WFRequestCreate if no preqid.
Connectors (agents)
Fixed idmconfig-based target administrator onboarding to respect the "isconnpswd" flag.
Fixed the external password hash execution for the pwdhash utility that is used alongside the LDAP Directory Service connector for the "pwhash" option in the LDAP attribute script file.
User interface
Modified Requests app search page to load new user's name under Recipient column when the user does not exist yet.
Auto discovery
Modified "orgchart_stg" table to remove primary key on "profileguid" and add a unique key with IGNORE_DUP_KEY on instead. This will avoid failure to build orgchart during auto discovery when duplicate manager values are present.
Added index to speed up import rule evaluations.
On the Scheduled jobs page for psupdate in Manage the system, the local server is now included in the list of servers in the Run this job on the following Bravura Security Fabric servers field.
Events (exit traps)
The certification round's initiator is passed as requester to the CERT SIGN OFF exit trap.
Notifications (email, sms)
Made the recipient's Profile ID available in the Recipient section of Create new user request emails.
Changed usernotif.macros data type in notification to memo.
Transaction Monitor (idtm)
Modified the queue code to properly deal with events that are to be handled more than 23 days in the future (due to overflow); do not create idtm thread for implementer tasks.
Guacamole
Guacamole now launches with appropriate width, height, and DPI settings based on the client browser dimensions and pixel density.
The 'resize-method' Guacamole parameter is now stripped out if it has been added as a disclosure attribute as it causes problems with session monitoring currently.
User classes
Added audit fields to "userclassmember" table and a new table "userclassmember_audit" to log changes to "userclassmember" table.
The "userclassmember" table is now available to generate the "Database table audit" report.