12.5.2
Features and improvements
Discovery
Changed discovery to load the @passwordExpiration and @lastPasswordChange pseudoattributes for accounts instead of merely loading them into the “expiry” table.
Database
Optimized sproc UserAccountSearch to reduce tempdb storage for calculation. Added a new index on table "conflictedpasswords" to help with performance.
Optimized the user count license check.
Added perfsproc messages for license-checking processes.
Updated the version of the sqlite3 dll to 3.41.2.
Improved performance in stored procedure PolicyRuleComputerDeploy.
Workflow
Modified the requests app to add two more filters in the OTHER REQUESTS section of the left menu panel for users with the "View workflow requests" global help desk ACL, and retired the ACLs "View open requests" and "View archived requests" as they are no longer needed with the new filters. Here are the new filters:
All: view all requests
Closed: archived requests only
Bravura Privilege
Added index to speed up import rule evaluations and optimize the PolicyRuleAccountPrepare stored procedure.
Updated the local service mode server CGI to reduce how often calculated attribute updates are sent to iddiscover:
When the CGI determines that password updates need to be sent to the client, it issues one or more sub-requests back to the connecting client. The client responds with a new connection, when this takes place, to report password update results. This new connection no longer attempts to check if calculated attribute updates are needed.
When the CGI determines that the workstation communication key has expired, it issues a sub-request back to the connecting client. The client responds with a new connection, when this takes place, to report the key update result. This new connection no longer attempts to check if calculated attribute updates are needed.
When the client goes into resync mode, the CGI no longer performs its usual separate iddiscover batch when considering calculated attribute updates. Instead, the calculated attributes are included in the main iddiscover resync batch.
Updated the local service mode client to no longer send updates for account attributes pwda and llogon.
Updated default descriptions and default values for system variables RES_ATTRIBUTE_UPDATE_DELAY and RES_DELAY_UPDATE_ATTRIBUTES:
RES_ATTRIBUTE_UPDATE_DELAY is now 1440 (once a day) instead of 60 (once an hour).
RES_DELAY_UPDATE_ATTRIBUTES is now "pwda,llogon" instead of "pwda" to compensate for local service mode clients that have not been updated to contain fix 2 above.
Updated the descriptions of both system variables to be more clear.
Improved performance of stored procedure LWSMonWstnCheck.
Added index to table wstnpwdchkout_full.
Added database index wstnpwdchkout_full_idx_4 to table wstnpwdchkout_full to improve performance of stored procedure LWSMonWstnCheck.
Optimized sproc UCCacheValidityListForRequestNonUser to return early if the current request does not have GRGA/D operations to improve userclass cache updates triggered by request.
Authentication
Fixed an issue with phased authorization when there is a denial at one phase due to insufficient authorizers causing later phase(s) to not open, ultimately resulting in the request being stuck in approval state and never completing.
Session monitoring
Improved smonc.exe logs to include filesystem error details where possible for session monitoring.
Utility
Added the "down" option to nodestat.cfg / loadbalancerstatus.exe to cause it to always report the node as down.
Resolved issues
Security
Addressed CVE-2024-39694 by porting the fix from Duende to the OSS IdentityServer 4.
Discovery
Fixed an issue (in loaddb) where displayName (metaobj.objectdesc) change for accounts could not be loaded to the associated profile.
Fixed an issue where requested account information (target system) couldn’t load properly on the request details page if the account was renamed after the request was submitted.
Fixed an issue where KMKeyGetByAccount could fail to resolve the correct account when the resourceid parameter was empty.
Fixed a discovery issue that occurs when multiple source-of-profile accounts would be renamed to the same name but a profile of the new name already exists (and may or may not have the same casing).
Updated auto-discovery, so Source of Profile target accounts that do not produce profiles can still auto-associate to other profiles.
Fixed an issue where, when re-onboarding the same user (with the same profile ID), account and profile attributes could not be populated properly.
Fixed an auto-discovery duplicate-key error, where a workflow request implementer task recreates a previously deleted account with the same stable ID as the deleted account.
Modified idtm to respect attrdef.setuserattr (account attribute mapping option "Populate mapped profile attribute with values from target system") so it only updates the profile attribute with the agent-returned account attribute value(s) if that option is set to true.
Fixed slow discovery bulk loading.
Fixed the PSLang getUsersByGroup function so it does not return an empty user when unassociated accounts are members of groups. This avoids loaduccache failing to run when getUsersByGroup is used in a userclass list expression and orphan account member(s) exist.
Fixed the "console users with empty passwords" check in auto discovery (psupdate) to properly retrieve the console users' display names.
Optimized the userclass/userclasspoint cache update triggered by a single-user psupdate: instead of recalculating all memberships of the affected userclasses/userclasspoints, it now only tests userclass/userclasspoint memberships against the specified user and updates the cache accordingly, which should be much faster.
Optimized auto assignment variance checking and generation of the autores child request spawned from another request.
Database
Fixed some stored procedures that were replicating when they shouldn’t be.
Allowed Python’s DBAPI to control if a sproc call replicates.
Optimized LoaddbInit discovery stored procedure.
Changed the field piqueue.retrydata to memo in the schema.
Fixed dbarc to work correctly on schemas with characters that need escaping (such as hyphens).
Authorization
Simplified the SAML RelayState payload so that it is less than 80 characters to meet the SAML specification.
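An added example (not Bravura code) of one way a service provider can keep RelayState within the limit the SAML 2.0 Bindings specification sets (80 bytes): send a short opaque handle and resolve the real return URL server-side, so the size of the return target never affects the RelayState value. The in-memory store, the host allow-list and the host names are assumptions constructed for this example.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

RELAYSTATE_MAX_BYTES = 80  # SAML 2.0 Bindings: RelayState must not exceed 80 bytes

# Constructed in-memory stand-in for the SP's server-side state store (assumption).
_relaystate_store: Dict[str, str] = {}

# Constructed allow-list of return hosts (assumption for this example); keeping the
# real URL server-side and allow-listing it avoids open-redirect abuse of RelayState.
ALLOWED_RETURN_HOSTS = {"idm.example.test"}


def validate_relaystate(value: str) -> bool:
    """True if the value is non-empty and within the 80-byte limit (UTF-8 bytes)."""
    return 0 < len(value.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


def issue_relaystate(return_url: str) -> str:
    """Store the return URL server-side and return a short opaque handle to use as RelayState."""
    host = urlparse(return_url).hostname
    if host not in ALLOWED_RETURN_HOSTS:
        raise ValueError("return URL host not allowed")
    handle = secrets.token_urlsafe(24)  # 32 URL-safe characters, well under 80 bytes
    _relaystate_store[handle] = return_url
    return handle


def resolve_relaystate(value: str) -> Optional[str]:
    """Resolve the RelayState echoed back by the IdP; None if malformed, unknown or reused."""
    if not validate_relaystate(value):
        return None
    return _relaystate_store.pop(value, None)  # single-use: consumed on first resolution
```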
Upgrade / migration
Improved the speed of migratedata when exporting large numbers of rows.
Improved usability of upgradetest.exe, especially on RDS.
Fixed an extremely rare upgrade failure when stableids are duplicated with only a difference in whitespace-only Unicode characters.
Fixed a less-rare upgrade failure when stableids are duplicated, differing only by case, for group objects.
Removed build-id links from hid-common, hid-idapi, hid-pamutil, and hid-mobproxy rpms to improve compatibility.
Fixed database verification error bug encountered during instance upgrades to 12.5, 12.6, and 12.7.
Fixed a cosmetic error encountered when trying to import pamteam data with migratedata.exe.
Fixed an upgrade failure that occurred in some cases when the upgrade script intended to correct very rare group membership data inconsistencies encountered both consistent and inconsistent data.
Fixed group set data created in pre-12.0.0 so that check-outs and check-ins perform as expected after upgrade.
Replication
Added the "down" option to nodestat.cfg/loadbalancerstatus.exe to cause it to always report the node as down.
Bravura Privilege
Fixed local workstation service issues (client side and server side) caused by out-of-band account deletions (hard disk restore, virtual machine revert, etc).
Fixed bug to allow local service mode calculated computer attributes to be updated more reliably:
lastSuccessConnection
lastFailedConnection
failedAttempts
compDiscovered
compNotDiscoveredDays
Updated discovered system “lastload” value to current time when computer attributes are modified so that nightly auto discovery can more accurately set computer attributes compNotDiscoveredPastThreshold and compNotDiscoveredDays.
Included computer attribute compNotDiscoveredPastThreshold in the list of local service mode calculated attributes to be updated, so that a dormant local service mode system that resumes connecting to the instance can get itself “rediscovered” without having to wait for the next nightly auto discovery.
Increased the default value of system variable LWS_LAST_CONNECTION_UPDATE_INTERVAL from 30 to 1440 (one day) so that the local service mode computer attribute lastSuccessConnection updates less often. This reduces load on the iddiscover service and replication.
Reduced how often the local service mode computer attribute sourceAddress is updated, to reduce the load on the iddiscover service and replication. It is now only updated when other computer attributes are being updated.
Added new system variable LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY with a default value of true. When true, the LWS CGI (pamlws.exe) submits network adapter computer attributes to iddiscover, which stores them in the database. When false, network adapter computer attributes are not sent to iddiscover or stored in the database, and load on the iddiscover service and replication is decreased, especially where local service mode systems are often moved from one network to another (e.g. a laptop moving between home and office).
Improved session monitor recorded sessions search:
Added session state column to search pane.
Added session state field to details in the actions panel for an individual recorded session.
Fixed functionality of session state advanced search term, and updated choices to: “In progress”, “Stale” and “Complete”.
Fixed local service mode service crash bug triggered by account rename.
Fixed an issue where pull-mode resynchronizations could fail to complete properly.
Reduced calculated attribute discoveries submitted by local service mode.
Removed one local service mode discovery during registration phase.
Updated Guacamole Client UI scripts to work with clipboard features in the Guacamole menu.
Fixed stored procedure ImportRuleSearch so that it does not try to insert data that is too large (due to an extraordinary number of import rule conditions) into the search engine cache table field cache_importrule.conditions. Previously this caused the stored procedure to fail, so import rules could not be displayed in the web UI.
Fixed a case where we would use the wrong IP address as the ident in sesslog for operation "View workstation passwords" (WVPW) when calling KMKeyGetByAccount.
Fixed checked-out data on sessdata on previously selected items.
Verified the timezone value is now displayed next to its label in the Privileged Access app for a date/datetime field. Previously, it was displayed next to its widget, which rendered it nearly hidden.
Fixed password CICO expiry email to load the proper time zone info for TIME variable.
Fixed listing of the "Date of password change" column in the Password change history report to include values from before and after an upgrade to 12.*.
Added a check when uploading a file for a file attribute in a request, so the upload fails if the file name's length exceeds the size of the corresponding database field used to store that value.
Fixed bug in 1.2 -> 1.3 upgrade for Scenario.pam_team_privilege_trustees that would cause the script to give up completely on a partial failure.
Reduced the number of discovery batches submitted by local service mode systems when both of these are true:
LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY is disabled.
Computer attributes being submitted to an iddiscover batch abort the entire batch if network adapter attributes are the only attributes in the batch.
Fixed bug where calculated local service mode computer attributes were not getting deleted when their values change from populated to unpopulated.
Improved accuracy of calculated computer attributes updates for compNotDiscoveredPastThreshold and compNotDiscoveredDays while reducing discovery batches submitted by local service mode systems.
Added debug logging to make it easier to track all local service mode discovery batch submissions (can search for "discovery submission" log entries).
Fixed local service mode bug where computer attribute operatingSystemServicePack was being submitted to iddiscover unnecessarily when its value is empty.
Fixed the setting of new default values for system variables RES_ATTRIBUTE_UPDATE_DELAY, RES_DELAY_UPDATE_ATTRIBUTES, LWS_LAST_CONNECTION_UPDATE_INTERVAL, and LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY during upgrade.
Added the accountShortID builtin attribute for account import rules.
Fixed import rule and import rule condition data during upgrade so that there are no duplicate checkorder values, which may have been erroneously inserted in an older product version with inadequate data validation.
Verified import rules can be added and updated using idmconfig-util.exe. Invalid checkorder validation has been removed.
Bravura Pass
Fixed idpm so the recipient user’s profile information can be recorded in sesslog for Admin change expire (ACEX) and Admin change (ACHG) operations, so the operations show up when viewing the recipient user's operation history.
Changed usernotif.macros data type to memo for notifications.
Fixed a crash on the reset password page when loading the password policy "not begin with the first N characters of the profile ID or name" and the user’s full name contains non-ASCII characters.
Fixed an issue where a file lock (for example, from a virus scanner) at the wrong time during discovery could cause incorrect data to be loaded.
Fixed a crash on shutdown in runurl.exe.
Fixed an issue where the password rule "not have been changed by you in the last N hours" failed to validate when a user has multiple accounts and some of the accounts' passwords were changed within N hours, but at least one account’s password was changed earlier (more than N hours ago).
Fixed idpm when resetting passwords for a user's accounts with a previously used password (if the password policy allows it) and that old password was only used by one account: idpm set history.time to the previous time, when the old password was initially used/changed, for all accounts, whereas it should only set it for that single account.
Bravura Identity
Fixed issues in the Requests app for implementer request:
Implementers can now edit the request when they have the appropriate ACLs after accepting the task.
When implementers also have the "View workflow requests" but not "Manage workflow requests" ACL, they can act on the task (accept/complete/decline/etc.) assigned to them through the "OTHER REQUESTS" filter.
Modified request update sprocs to always sync reqacct.profilename with reqbatch.recipientname for new user request (before request is approved).
Fixed an issue where users without a TERM-STATE value would be ignored in Scenario.im_corp_hr_orgchart_manager's evaluation of users.
Fixed an issue with a rehire request (of a user whose profile is invalid) where, when an orgchart manager change was also requested, the request ended up with duplicate ORG* operations.
Fixed a runtime error (mismatched number of BEGIN and COMMIT statements) from sprocs UserClassCacheUpdateUser and UserClassPointCacheUpdateUser when the userclass/userclasspoint cache to be updated is invalid.
Fixed an issue with idtrack where it kept issuing requests to set a user attribute to NULL when the user attribute value was already NULL.
Fixed an issue in loaddb so that when an account attribute value is removed on the target, the corresponding profile attribute (single mapping) is now removed regardless of whether the profile attribute value was loaded from the target or not.
Fixed an issue where account attributes could not be passed to the agent for the create new account operation when the user (profile name) was renamed after the request was submitted.
Workflow
Improved performance when loading/checking the authorization configuration of an object (managed group, target, etc.) by returning only the userclasspoint(s) configured for authorization of that specific object, instead of returning all userclasspoints and filtering them in the C++ code.
Adjusted priority of Scenario.hid_profileid so that setting of recipient occurs after attribute calculation.
Fixed an issue with phased authorization where a request that has an unenacted operation could not be approved after a phase 2 (or later) authorizer approved it, because the later phase could not open properly.
Fixed an issue where duplicate accounts are created when multiple create-new-account requests are issued and completed by implementer.
Fixed an issue where workflow-created objects may conflict with subsequently discovered objects if their names differ only by case.
Fixed an issue where the wrong child request was generated based on hid_policy_request_chain due to a rename that happened after the (parent) request was submitted and before it was approved/processed.
Optimized the requests app to load large requests.
Fixed a regression where profiles could have profile attributes deleted during discovery if:
The profile attributes are set by a request, and
The profile attributes are mapped to an account attribute, but
The profile does not have an account associated that would provide that mapping
Fixed a log warning when loading time zone information for UTC, where the warning was:
Warning: Failed to read registry value for TZI for [Coordinated Universal Time] - The system cannot find the file specified.
OrgChart
Fixed an issue where transferring a subordinate couldn't update the orgchart properly after the request was approved, if the old manager was already terminated (invalid).
Services
Fixed an issue in Bravura Security Fabric Scheduler Service that would cause a scheduled job to be re-enabled if it was disabled during its execution.
The base logging configuration (specified under the idmlogsvc service in Manage the system > Maintenance > Services > idmlogsvc) no longer replicates, to allow for different nodes to log at different levels.
Utility
Fixed serviceacct.exe to correctly update all applications.
API
Fixed error in post-installation in shared schema.
Fixed all installations in shared schema to not change the RestApiKey on secondary nodes.
Added ENCRESTAPIKEY to INF file for replication and/or shared schema setups.
Modified resetkey.exe utility to include option to export RestApiKey into INF file.
Removed token creation on login to CGIs.
Fixed an issue with an idapi-submitted create group request where the CRTG (Create Group) operation was not added to the request.
Changed wix attribute to correctly run stored procedure on upgrade.
Fixed UserEnable, UserDisable API functions to properly set auth even if a user has never attempted to log in.
Fixed several resource leaks when clients attempt to log in to the idapisoap service but fail (for example, if they have the wrong userid or password). As a result of this change, when calling an API function using the single-call functionality (providing the username and password in the sessdat field) with an incorrect password, the error code has changed from ERR_NOT_LOGGED_IN to ERR_INVALID_SESSKEY.
Updated Nuget package 'Microsoft.Data.SqlClient' from 5.0.1 to 5.2.0 for REST API.
Proxy servers
Fixed a small memory leak in some cryptographic functions that would accumulate over long periods of time in service processes.