12.4.3
Features and improvements
Workflow
Modified requests app to add two more filters in OTHER REQUESTS section in the left menu panel for users with "View workflow requests" global help desk ACL, and retired ACLs "View open requests" and "View archived requests" as they are no longer needed with the new filters. Here are the new filters:
All: view all requests
Closed: archive requests only
Privilege
Updated the Local Service Mode server CGI to reduce how often calculated attribute updates are sent to iddiscover:
When the CGI determines that password updates need to be sent to the client, it issues one or more sub-requests back to the connecting client. The client responds with a new connection, when this takes place, to report password update results. This new connection no longer attempts to check if calculated attribute updates are needed.
When the CGI determines that the workstation communication key has expired, it issues a sub-request back to the connecting client. The client responds with a new connection, when this takes place, to report the key update result. This new connection no longer attempts to check if calculated attribute updates are needed.
When the client goes into resync mode, the CGI no longer performs its usual separate iddiscover batch when considering calculated attribute updates. Instead, the calculated attributes are included in the main iddiscover resync batch.
Updated the local service mode client to no longer send updates for account attributes pwda and llogon.
Updated default descriptions and default values for system variables RES_ATTRIBUTE_UPDATE_DELAY and RES_DELAY_UPDATE_ATTRIBUTES:
RES_ATTRIBUTE_UPDATE_DELAY is now 1440 (once a day) instead of 60 (once an hour).
RES_DELAY_UPDATE_ATTRIBUTES is now "pwda,llogon" instead of "pwda" to compensate for local service mode clients that have not been updated to contain the previous fix.
Updated the descriptions of both system variables to be more clear.
Added variable LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY with default value true. When true, the LWS CGI (pamlws.exe) submits network adapter computer attributes to iddiscover, leading to their storage in the database. When false, network adapter computer attributes are not sent to iddiscover or stored in the database, which decreases load on the iddiscover service and replication, especially in cases where local service mode systems are often moved from one network to another (e.g. a laptop often moving between home and office).
Improved performance of stored procedure LWSMonWstnCheck.
Added index to table wstnpwdchkout_full.
Resolved issues
Security
Addressed CVE-2024-39694 by porting the fix from Duende to the OSS IdentityServer 4.
Discovery
Fixed the "console users with empty passwords" check in auto discovery (psupdate) to properly retrieve the console users' display names.
Fixed an issue (in loaddb) where displayName (metaobj.objectdesc) change for accounts could not be loaded to the associated profile.
Fixed slow discovery bulk loading.
Fixed an issue where, when re-onboarding the same user (with the same profile ID), account and profile attributes could not be populated properly.
Updated auto discovery, so Source of Profile target accounts that don't produce profiles can still auto-associate to other profiles.
Fixed a discovery issue that occurs when multiple source-of-profile accounts would be renamed to the same name but a profile of the new name already exists (and may or may not have the same casing).
Fixed an issue in loaddb so that when account attribute value is removed on the target, the corresponding profile attribute (single mapping) can now be removed regardless of whether the profile attribute value is loaded from the target.
Changed discovery to load the @passwordExpiration and @lastPasswordChange pseudoattributes for accounts instead of merely loading them into the “expiry” table.
Optimized auto assignment variances checking and generation of autores child requests spawned from another request.
Installation
Fixed error in post-installation in shared schema.
Fixed all installations in shared schema to not change the RestApiKey on secondary nodes.
Added ENCRESTAPIKEY to INF file for replication and/or shared schema setups.
Modified resetkey.exe utility to include option to export RestApiKey into INF file.
Upgrade / migration
The Password change history report lists the Date of password change column with values from before and after an upgrade to 12.*.
Fixed the setting of new default values for system variables during upgrade:
RES_ATTRIBUTE_UPDATE_DELAY
RES_DELAY_UPDATE_ATTRIBUTES
LWS_LAST_CONNECTION_UPDATE_INTERVAL
LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY
Fixed an upgrade failure that occurred in some cases when the upgrade script that corrects very rare group membership data inconsistencies encountered both consistent and inconsistent data.
Fixed group set data created in pre-12.0.0 so that check-outs and check-ins perform as expected after upgrade.
Performance
Fixed a small memory leak in some cryptographic functions that would accumulate over long periods of time in service processes.
Database
Fixed some stored procedures that were replicating when they shouldn’t be.
Optimized the FoundCompattrListMV stored procedure as well as some pre-defined requests using the same schema.
Optimized LoaddbInit discovery stored procedure.
Added database index wstnpwdchkout_full_idx_4 to table wstnpwdchkout_full to improve performance of stored procedure LWSMonWstnCheck.
Schema change: made field piqueue.retrydata memo.
Components
Added the ability to ignore the currently loaded environment when exporting components.
Authentication
Made password validation work properly when validating against profile ID or name related password rules for create new user or rename existing user requests.
Fixed an issue where phased authorization became stuck when an authorizer approved a phase and both of the following were true:
System variable "IDWFM AUTH PHASE PROPAGATION" is enabled
The authorizer is assigned to multiple phases, and multiple authorizers are assigned to each of those phases
Simplified the SAML RelayState payload so that it is less than 80 characters, to meet the SAML specification.
Fixed an issue with phased authorization when there is a denial at one phase due to insufficient authorizers causing later phase(s) to not open, ultimately resulting in the request being stuck in approval state and never completing.
Bravura Privilege
Fixed password CICO expiry email to load the proper time zone info for TIME variable.
Fixed bug in 1.2 -> 1.3 upgrade for Scenario.pam_team_privilege_trustees that would cause the script to give up completely on a partial failure.
Fixed local workstation service issues (client side and server side) caused by out of band account deletions (hard disk restore, virtual machine revert, etc).
Fixed Local Service Mode calculated computer attributes to update more reliably:
lastSuccessConnection
lastFailedConnection
failedAttempts
compDiscovered
compNotDiscoveredDays
Included computer attribute compNotDiscoveredPastThreshold in the list of Local Service Mode calculated attributes to be updated (see above) so that a dormant local service mode system that resumes connecting to the instance can get itself "rediscovered" without having to wait for the next nightly auto-discovery.
Updated discovered system "lastload" value to current time when computer attributes are modified so that nightly auto-discovery can more accurately set computer attributes compNotDiscoveredPastThreshold and compNotDiscoveredDays.
Increased default value of system variable LWS_LAST_CONNECTION_UPDATE_INTERVAL from 30 to 1440 (one day) so that local service mode computer attribute lastSuccessConnection updates less often, to reduce load on the iddiscover service and replication.
Reduced update frequency of local service mode computer attribute sourceAddress to only update when other computer attributes are being updated, to reduce load on the iddiscover service and replication.
Fixed an issue where local-workstation-mode resynchronizations could fail to complete properly.
Fixed local service mode service crash bug triggered by account rename.
Reduced the number of discovery batches submitted by local service mode systems when both of these are true:
LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY is disabled.
Network adapter attributes are the only attributes in the computer attributes being submitted to an iddiscover batch. In this case the entire batch is aborted.
Fixed bug where calculated local service mode computer attributes were not getting deleted when their values change from populated to unpopulated.
Improved accuracy of calculated-computer-attribute updates for compNotDiscoveredPastThreshold and compNotDiscoveredDays while reducing discovery batches submitted by local service mode systems.
Added debug logging to make it easier to track all local service mode discovery-batch submissions (can search for "discovery submission" log entries).
Fixed local service mode bug where computer attribute operatingSystemServicePack was being submitted to iddiscover unnecessarily when its value was empty.
Fixed a cosmetic error encountered when importing pamteam data with migratedata.exe.
Changed the checkorder entries of sample import rules to not conflict.
Fixed import rule and import rule expression checkorder validation bugs in idmconfig that were preventing updates to existing import rules.
Fixed an issue to correctly inject the password into RDP credential window when using RDP disclosure plugin on Windows 11.
Fixed incorrect group assignment for accounts that were deleted and then recreated with the same name while not listed (for example, while in a non-listing OU).
Fixed Wizard-related stored procedures to not fail on unnecessary failed type conversions.
Reduced calculated attribute discoveries submitted by local service mode.
Added the accountShortID builtin attribute for account import rules.
Added index to speed up import rule evaluations.
Optimized the PolicyRuleAccountPrepare stored procedure.
Fixed checked-out data on sessdata on previously selected items.
Fixed import rule and import rule condition data during upgrade so that there are no duplicate checkorder values, which may have been erroneously inserted in an older product version with inadequate data validation.
Verified import rules can be added and updated using idmconfig-util.exe. Invalid checkorder validation has been removed.
Session monitoring
Improved session monitor recorded sessions search:
Added session state column to search pane
Added session state field to details in the actions panel for an individual recorded session
Fixed functionality of session state advanced search term, and updated choices to be “In progress”, “Stale”, and “Complete”
Added a check when uploading a file for a file attribute in a request, so that the upload fails if the file name's length exceeds the size of the corresponding database field that stores the value.
BSCS-1435 sessmon: Log filesystem errors from smonc where possible
Improved smonc.exe logs to include filesystem error details where possible.
Bravura Identity
Fixed an issue where idtrack kept issuing requests to set a user attribute to NULL when the user attribute value was already NULL.
Fixed an issue where idapi submitted a create group request in which the CRTG (Create Group) operation was not added to the request.
Fixed issues in the Requests app for implementer requests:
Implementers can now edit the request when they have the appropriate ACLs after accepting the task.
When implementers also have the "View workflow requests" but not "Manage workflow requests" ACL, they can act on the task (accept/complete/decline/etc.) assigned to them through the "OTHER REQUESTS" filter.
Fixed a runtime error mismatching number of BEGIN and COMMIT statements from sprocs UserClassCacheUpdateUser and UserClassPointCacheUpdateUser when the userclass/userclasspoint cache to be updated is invalid.
Modified request update sprocs to always sync reqacct.profilename with reqbatch.recipientname for new user request before request is approved.
Fixed an issue where account attributes could not be passed to the agent for a create new account operation when the user (profile name) was renamed after the request was submitted.
Bravura Pass
Fixed a crash on the reset password page when loading the password policy "not begin with the first N characters of the profile ID or name" and the user’s full name contains non-ASCII characters.
Fixed an issue where the password rule "not have been changed by you in the last N hours" failed to validate when the user has multiple accounts and some of the accounts' passwords were changed within the last N hours, even though at least one account’s password was last changed before that (more than N hours ago).
Fixed idpm when resetting a user's account passwords to a previously used password (where the password policy allows this) and that old password was only used by one account: idpm set history.time to the earlier time, when the old password was initially used/changed, for all accounts, whereas it should only set it for that single account. A password change is now only recorded when the password change succeeded (so the “not have been changed by you in the last N hours” rule can pass for a password that failed to be set).
Fixed a crash on shutdown in runurl.exe.
Fixed idpm so that the recipient user's profile information is recorded in sesslog for `Admin change expire` (ACEX) and `Admin change` (ACHG) operations, so the operations show up when viewing the recipient user's operation history.
Workflow
Fixed Bravura Security Fabric to no longer return an empty user when there are unassociated accounts as members of groups when calling the PSLang getUsersByGroup function. This avoids loaduccache failing to run when getUsersByGroup is used in a user class's list expression and orphan account members exist.
Fixed an issue where, when a delegate of a request tried to view the request details in the Requests app, the popup page was empty and stated that the user does not have permission.
Fixed an issue where requested account information (target system) couldn’t load properly on request details page if the account was renamed after the current request is submitted.
Fixed an issue with requests for a new account and new groups (on the same target as the new account) where the requested new group could not be removed when editing an already submitted (pending) request or during request creation.
Modified the workflow service (idwfm) and the transaction monitor service (idtm) to be able to automatically complete (set reqbatch.status to 'C') requests stuck in processing due to idtm not getting agent results back in a timely manner (the remainder of the retry intervals determines the grace period); idtm marks the result of the unfinished operation as "N" (Unknown) on service start. This is a key workflow improvement for requests that become stuck in processing.
Fixed an issue where the wrong child request was generated based on hid_policy_request_chain due to a rename that happened after the (parent) request was submitted and before it was approved/processed.
Optimized the Requests app to load large requests.
Improved performance when loading/checking the authorization configuration of an object (managed group, target, etc.) by returning only the userclasspoints for authorization configured for the specific object instead of returning all userclasspoints and filtering in the C++ code.
Optimized sproc UCCacheValidityListForRequestNonUser to return early if the current request does not have GRGA/D operations to improve userclass cache updates triggered by request.
Fixed a regression where profiles could have profile attributes deleted during discovery if:
The profile attributes are set by a request, and
The profile attributes are mapped to an account attribute, but
The profile does not have an account associated that would provide that mapping
Fixed a log warning when loading time zone information for UTC, where the warning was:
Warning: Failed to read registry value for TZI for [Coordinated Universal Time] - The system cannot find the file specified.
API
Fixed UserEnable, UserDisable API functions to properly set auth even if a user has never attempted to log in.
Fixed several resource leaks when clients attempt to log in to the idapisoap service but fail (for example, if they have the wrong userid or password). As a result of this change, when calling an API function using the single-call functionality (providing the username and password in the sessdat field) with an incorrect password, the error code has changed from ERR_NOT_LOGGED_IN to ERR_INVALID_SESSKEY.
Utility
Fixed dbarc to work correctly on schemas with characters that need escaping (such as hyphens).
Fixed serviceacct.exe to correctly update all applications.
Services
The base logging configuration (specified under the idmlogsvc service in Manage the system > Maintenance > Services > idmlogsvc) no longer replicates, to allow for different nodes to log at different levels.
API
Updated Nuget package 'Microsoft.Data.SqlClient' from 5.0.1 to 5.2.0 for REST API.
Proxy servers
Fixed an issue where proxy services would incorrectly report that a file didn't exist if that file was larger than 4 GB.