12.5.0
Features and Improvements
Branding
Rebranded the user interface for Bravura Security.
Updated branding in visible portions of components.
Local service mode software has been updated to use the new Bravura Security branding.
Bravura Privilege
Added ability to include/exclude accounts in the MANAGEABLEACCOUNTS search engine.
Added the ability to update the team description in the PDR Team: Update.
Added conflict check between pam_disclosure_view_copy and pam_account_management_disclosure_view_copy scenario components.
Added ability to control whether owners of personal admin accounts can override/randomize the password of the account. Personal admin accounts need to be updated after an upgrade to enable this ability.
Local service mode software has new upgrade-specific installation properties.
Bravura Pass
The Internet Explorer requirement for the Login Assistant and SKA / Credential Provider as well as for the Notification client for the locked down browser has been removed and replaced with a Microsoft Edge browser solution that utilizes Microsoft Edge WebView2.
Bravura Identity
Added the ability to define a second 'warning' threshold for the rehire scenario, which is used to add additional authorizers to the request when the rehire detection meets a certain value.
Added "safe" upgrade scripts that do not replace data, in an effort to preserve custom data. Instead, the upgrade script adds a new threshold row, renames 'threshold' to 'block_threshold' and adds another row to the newly dependent authorization policy table.
Added additional rehire functionality.
Modified rbacenforce generated violations KVG: Fixed the "Target ID" field for MANAGEDGROUP type violations to load the group's target ID instead of nosgroupguid as the value.
Load profile name into "User Name".
Load profile full name into "User Full Name".
Add a new field "Resource Member ID" to load the role member's sigkey value (only applicable to deficits).
Password policy
Added new password rules:
MINLOWER: have at least N lowercase letters
MINUPPER: have at least N uppercase letters
Customization
Improved the ability for customers to customize the colours throughout the product.
Reports
Added the "Password profile attribute fulfillment" report, which provides details on who has set a value for profile attributes of type "password".
Replication
Improved connectivity test feedback when adding a new replica.
Added telemetry for replication to gather metrics regarding the replication queue state.
Utilities
Added the -infolist option to the agtsvccli.exe utility to output statistical information in the kvgroup format for the currently running persistent list target.
Added a -testconnect option to testlist that executes the serverinfo operation.
Added a -quiet option to testlist to emit only the output KVG from the agent.
Improved usability of upgradetest with clearer feedback.
Logging
Cleaned up the warning level log messages when unlocking mobile accounts.
Auto discovery
Reassignment of the primary node is now prevented while psupdate or persistent lists are running.
Improved error handling around very large discovered attributes.
Added control files for AD_HOOK_POST_PSUPDATE_PRE and AD_HOOK_POST_PSUPDATE_POST system variables.
Synchronization
Added a limited and faster resynchronization mode on the database replication page that avoids transfers of larger audit data.
Python - IDMLib
Added the ability for script manage-components.py to reload only the environment for component(s) specified in the new optional parameter --components.
Removed IDMLib usage of distutils as the Python package is being deprecated (PEP 632).
Added idmlib/list_db.py for working with agent list DB files.
API
Modified idmconfig to allow setting all types of product administrator.
REST API
Added support for REST API functions to Add, Remove and Replace group attributes.
Changed login flow to password grant type for IdentityServer4 to allow all users to mint tokens, and allow session tokens to be generated for UI to use.
Resolved issues
Branding
Updated branding in visible portions of components.
Installation / Configuration
Clarified messages for pre-install SQL provider checks.
Exposed parent attribute details for AttributeRestrictedValue when exporting idmconfig data.
Replication
Fixed file replication, to correctly synchronize 64-bit global connector pack files.
Corrected an issue where removing and re-adding the same node to replication could cause the Database service (iddb) to crash.
Improved resynchronization resilience around SQL errors on the sending node.
Auto discovery
Optimized the discovery tracking logic to enhance the performance of the auto-discovery process.
Bravura Identity
Fixed an issue where the audit information would affect all users in the orgchart table when there is any change to a user's manager.
Fixed an issue in the wizard where segregation of duties violations were not listed when the violations were triggered by requesting new role memberships and an existing indirect group membership was also involved.
Fixed an issue where a request to delete multiple roles (operations added by wfreq at submission time) failed to submit due to duplicate operations (expanded from roles).
Fixed password page in wizards to check whether a request generated password is provided before proceeding.
Fixed an issue to ensure that the correct record is updated in the orgchart when transferring subordinates.
Optimized the stored procedures that check for segregation of duties rule violations to return early when no valid rules are configured, so that the queries that prepare role memberships based on validity windows (in order to calculate SoD violations) are skipped.
Improved the stored procedures used by the rbacenforce utility to return a list of variances for all users.
Changed behavior in the request app so that the implementer tasks section is not automatically expanded when the implementer selects a request.
Moved the csv_to_pdr.py idmlib sample CLI script into the hid_batch_request_submit component and enhanced the script for extra options.
The accounts POST endpoint no longer requires the attribute array when creating an account on a target.
The REST API attributes endpoint now returns the correct reference fields for attributes of type 'file'.
Updated component im_corp_hr_orgchart_manager to not submit duplicate requests.
Optimized the psupdate_post script in component im_corp_hr_orgchart_manager to efficiently retrieve the users missing an orgchart manager.
Modified idwfm to only cancel autores (child) requests spawned from another request if wfreq failed the child request.
Fixed an escape issue in the IDTrack workfile.
Made optional role member entitlements assigned to user available under Roles section in profile information and entitlements page.
Fixed an issue on the groups search page (PSA): when selecting groups to un-manage, a check is now done to see whether the selected groups are in use; if so, an error is raised and the groups are not unmanaged.
Fixed an issue where a session becomes invalid when accessing a resource configuration page, where an invalid user is configured as an authorizer in one of the phased authorizers.
Bravura Pass
Updated the Login Assistant installer to validate the password of the Login Assistant account against the password policy of the system.
Fixed an issue with the Login Assistant / Credential Provider when multiple language skin files are specified and they contain the same language and locale.
Disabled the Keyboard manager application kbdmgr.exe that could be launched on some Lenovo laptops using the FN+F11 hot key from the Credential Provider for the Login Assistant.
Fixed an issue with the Login Assistant / SKA to no longer allow the system menu options to be available from VPN prompts or windows.
Fixed an issue with the Login Assistant / Credential Provider when right clicking on the VPN status / countdown prompt.
Modified Profile and request attribute information page to make configuration option Allow duplicate values available under Bravura Pass-only license.
Bravura Privilege
Fixed auto-discovery, so that import rules based on the memberOf computer attribute will be correctly evaluated.
Changed the behavior for account checkout limits to only accept either no value or integers from 1 to 10 inclusively for the maximum checkout limit on vault and onboarded accounts.
pam_account_management: Updated search filter for the ONBOARD_ACCOUNT pre-defined request to hide already onboarded accounts.
Fixed issue where the access control page for managed system policies would not function if any access groups had a space in their IDs.
Resolved an issue where having teams or team groups with long descriptions could cause pre-defined requests to fail.
Resolved an issue where managed accounts with special characters in the username or password could not be used with secure browser/webapp disclosure.
Resolved an error in website disclosure configuration scripts when disclosing managed accounts with special characters in the name or password.
Fixed session monitor to avoid modifying the keyboard state in the keyboard hook (Windows 10 build 1607 and later).
Allow session monitoring to capture keystrokes where multiple characters are produced from a single keystroke (i.e. when typing the sequence ~x on a United States-International keyboard, nothing is output when you press ~, but the two characters ~x are output when you press the final x).
Fixed issue in session monitor keystroke recording where the presence of diacritics would cause issues with buffer lengths, resulting in the recorded text being cut off or the process name being null.
Group IDs are now recalculated properly when changing teams.
Updated the pam_personal_admin_management component to read the personal admin MSP from the global configuration table.
idmlib: adjusted helper functions for unmanaging/managing groups to align with stored procedure changes.
Managed accounts with conflicted passwords will no longer be acted upon if they are in the historical policy.
Fixed Session Monitor so that screenshots from multiple monitors are properly captured.
Corrected dependencies for 2 data components:
webappjson_aws
pam_disclosure_sql_server
System and account onboard/offboard requests submitted using RMS are now auto-approved.
Added the Scenario.pam_rms_auto_authorization component, which creates an API user for RMS requests and the corresponding authorization rules.
Scenario.pam_vault_management: Updated dependencies so that view and copy disclosures for onboarded accounts are pulled from a single component.
Bravura Privilege teams
pam_team_management.pdr.team_members: Forcing the deselection of a group to ensure that teams with the same group name do not cause errors in member list population.
Fixed race condition in replication so creation of PAMUtil API User through team management PDR will only have one GUID in the DB.
pam_team_management: check the profilename field returned from GroupMemberList before using it.
pam_team_management: improved PAM team user membership maintenance and notifications:
globally and efficiently compute and clean up user memberships
globally and efficiently compute orphaned teams and dispatch notifications
orphaned teams notification emails now contain a configurable number of teams listed in a single email instead of one email per team
orphaned teams notification emails are now properly sent when two or more users are removed from a team
the list of PAM team admins and their emails is retrieved only once and efficiently
pam_team_management: enable the orphaned team notifications by default.
pam_team_management: properly mark the account relationships for deletion.
Added support for discoveryObjectDelWithoutMoveCtx object removals.
Optimized the UCCacheValidityListDiff and UCPCacheValidityListDiff stored procedures to return a list of userclasses/ucps affected by groups changed during discovery.
Added Scenario.pam_rms_auto_authorization as a dependency of the RefBuild.pam_team_management component.
Upgrade
Fixed the installer when upgrading instances where the service administrator password contains < or > characters.
Fixed issues when skipping or retrying failed SQL upgrade scripts.
Changed the post-upgrade schema verification task to report on all errors encountered rather than just the first.
Fixed installer to not prompt for REST API user password during upgrade if REST API user already exists.
Corrected component upgrade scripts preventing successful 11.1.3 to 12.4.x upgrades.
Fixed two issues where proxy instances could not be upgraded.
Components only change version number on successful upgrades.
Manage Components CLI now emits messages on upgrade failures, and has improved logging.
Added an upgrade script to fix the userclasspoint ID for the MGRP_IMPLEMENTER_GROUP and MGRP_AUTHORIZER_GROUP userclasspoints (from pre-12 versions), because nosgroupguid is now all upper-cased.
Improved queueflush.exe error detection.
Reports
Fixed non-expiring scheduled reports failing due to an invalid date format in the database table.
Fixed the issue where the Review certification delegations report did not properly filter delegations.
Fixed problem with scheduled jobs report, which would return an extra record if the scheduled job is enabled to run on all nodes of an instance.
User interface
Fixed the multiple-value integer profile attribute issue for PDR Update attributes.
Fixed an issue where the selected language is lost through a SAML authentication.
Fixed the following issues with mobile device registration page navigation:
After a successful mobile device registration, focus on the desktop now automatically redirects to the Mobile devices page and the user is notified of the mobile device activation with an Info message.
When the maximum number of allowed mobile devices has been registered (per MAX MOBILE DEVICES), the user is therefore also unable to add more mobile devices, since they are automatically redirected to the Mobile devices page.
On an unsuccessful mobile device registration, such as when the QR code expires, focus redirects back to the page to register a mobile device.
Workflow
Fixed an issue where the current authorization phase could not be closed and/or the next authorization phase could not open properly in some cases, which left the request hanging in a state that could not be completed.
Made changes to ensure the default value for the attrtype field appears in RequestGetAttribute generated sproc code.
Utilities
Modified the loadplatform and idmconfig utilities to error out if the new platform ID is too long (when adding a new platform/target).
Fixed the loaduccache utility to continue running if the iddb service goes down.
Python / IDMLib
Improved idmlib's handling of IDAPI handles when the API is called using Python scripts.
API
Modified the idapi function WFResultSet to do post-processing properly when the implementer successfully completes the task.
Enabled autoaddupdate when calling the API function WFPDRSubmit for appropriate PDRs.
REST API
A user added to the _EXPLICIT_REST_API_USERS_ user class can now successfully log in to the REST API.
Added support for Windows Authentication to MSSQL for the REST API.
Fixed the reference to the ManagedSystem resource returned when retrieving a ManagedSystem attribute.
Other
Fixed a logging issue with setup.exe when installing a new instance.
Fixed users' session security.
Fixed a tree traversal vulnerability where the hard drive directory structure could be explored.
Optimized stored procedure execution during auto discovery.
Improved iddiscover robustness around loading list files that don't exist, have no data, or were produced by a failed listing.
Fixed an edge case where setting a JSON value to "true" or "false" in an environment file would occasionally fail.
Fixed a Database service (iddb) crash on startup when unable to connect to the SQL Server backend.
Fixed an authentication issue that could occur in environments with both mobile proxy and Azure MFA authentication configured.