12.7.2

Features and improvements

Security

  • Enhanced session security by implementing automatic session termination when users follow links marked with both rel="external" and target="_top" attributes. This controlled security feature only affects links that take over the main browser window and provides administrators flexibility in managing session termination behavior through link attribute configuration.

Installation

  • Added support for .NET 8.

Bravura Pass

  • Introduced a new option to exclude specific hosts from password expiry notifications and adjusted the notification service to be independent of the target configuration option "Check password expiry" (host.usrexp).

Bravura Pass Plus

  • Added new functionality to Pass Plus to create Safe Secrets automatically for enrolled Users and Accounts. This functionality is disabled by default to prevent performance issues or over-provisioning if filters are configured incorrectly.

Bravura Privilege

  • Import rule attribute condition capacity has been increased.

  • Enhanced the Guacamole RDP Disclosure plugin to display the remote hostname in browser tab titles, significantly improving user experience when managing multiple remote desktop sessions.

  • Optimized team-filtered searches, especially for cases with very large numbers of memberships.

Replication

  • Added two hardcoded exclusions to file replication: a folder under the instance root named local and a registry key under the instance root named local. These two locations can be used to hold files and registry values that are local to an instance and should not be replicated.

Authentication

  • Added a new system variable, PASSWORD HISTORY VIEW INCLUDE FAILED PASSWORDS, to control whether failed randomizations are shown in the password history search engine for managed accounts. By default, failed randomizations are not shown.

Groups

  • Introduced a new system variable MANAGED GROUP INHERITANCE COPY TARGET. It enables more intuitive handling of phased authorization when inheriting target system authorization. The system variable allows for retaining prior behavior so as not to disturb release trains. Upgrades will retain prior behavior (having the system variable disabled). New installs will have this turned on by default, allowing for new behavior.

UI / Customization

  • Added configuration options in config.js to control the Chosen jQuery plugin's activation thresholds for both single-select and multi-select elements, improving accessibility for dropdown menus with fewer options.

Workflow

  • Optimized GroupMemberList and GroupMemberListByAccount stored procedures.

REST API

  • Modified the REST API to query system variable values directly from the database, as needed, instead of consulting a cache that relies on change notifications from SQL Service Broker.

Resolved issues

Installation

  • Removed installer requirement that the SQL Server service broker be enabled.

  • Ensured logs are flushed to disk (file) when robot installation is completed or failed.

  • Modified setup to remove an extraneous check for the "Connectors Being Removed" pre-install check so that this check does not run when upgrading the global Connector Pack on a proxy server.

  • Updated the Login Assistant installer (ska-x64.msi) to hide the password for the administrative credentials (ADMIN_USERNAME, ADMIN_PASSWORD) in the log file. It is now replaced with "**********" in the logs.

Bravura Privilege

  • Fixed a minor bug where discovered system audit data is not always updated.

  • Import rule attribute condition capacity has been increased.

  • Improved usability around the logutil utility on non-instance systems. Well-known instance names that correspond to client utilities (such as disclosure plugins) no longer require the makekey flag to be set.

Bravura Pass

  • Fixed an issue on the password reset results page where error messages returned from a connector for failed reset were truncated.

Bravura Pass Plus

  • Fixed an issue in the provisioning script that would cause it to fail to associate Secrets to Collections if too many new Groups were provisioned at once.

Connectors

  • Resolved an issue where a failed connector operation showed the generic failure message "Failed (Failed: Operation results missing for index [0].)" rather than the actual error message. The actual error message is now shown to aid with troubleshooting.

  • Made account attributes available to connectors for GRUA and GRUD operations.

Discovery

  • Fixed a deadlock that can occur when the system is experiencing severe memory pressure.

  • Fixed an issue where cross-target group relationships could not load as group members (if the account/group members are also loaded within scope) on subsequent nightly discovery. This was previously causing an issue where Active Directory domain accounts could not be listed for an NT managed group that would only list local users as group members. The Active Directory domain accounts are now also listed for the NT managed group members.

  • The default value for the discovery option "Link accounts on this target system to subscribers" for target system discovery template "NT_TEMPLATE" has been changed from enabled to disabled. Additionally, all discovered systems created from NT_TEMPLATE will result in this setting being set to disabled during upgrade.

Logging

  • Fixed incorrect error message when psupdate failed to run because another instance of psupdate was already running.

  • Fixed an issue where the identifier in the logs intended to correlate user activity in the AJAX service would get stuck showing the same user ID repeatedly.

  • Fixed an issue where the Identifier field (ident column in the sesslog_full table) was not filled in for password reset related operations, such as transparent synchronization requests. This was previously causing the Identifier field to be blank in the Event Log reports for later versions of Bravura Security Fabric.

Services

  • Fixed a delayed crash that may occur when agents are timed out at the same time that they finish running.

  • Updated the idpm service to be able to log the queue password reset operation with the appropriate result (success/failure) for password resets requested from the UI.

Components

  • Resolved an issue with chosen select lists where the destructor would fail in certain refbuild wizard configurations.

Utilities

  • Fixed the loaduccache.exe utility to return only cacheable userclasses/userclasspoints with the -listuc and -listucp options, respectively.

  • Fixed a random crash in the rbacenforce utility.

  • Instdump.exe now includes the MTCSPI common files subfolder when listing binary versions.

  • Modified the userunlock utility so that, when the "-all" option is specified, it ignores the system variable LOCKOUT_DURATION, which should only be used for automatic unlock.

  • Improved usability around the logutil utility on non-instance systems. Well-known instance names that correspond to client utilities (such as disclosure plugins) no longer require the makekey flag to be set.

  • Fixed an issue with the loadplatform utility that was preventing the Customer-Verified .con connectors from being properly loaded when using the loadplatform -target command line option.

Reports

  • The Sent Notifications (usernotif) report now contains the correct number of users in summary mode.

Workflow

  • Fixed an issue on the request details popup page where attribute ACLs were not respected on refresh.

  • Improved the request KVG in the workflow plug-in's input. When a request contains duplicate resources, it always includes the copy from the enacted resource, if applicable. This can avoid issues with authmod, implementer, and other plug-ins due to the duplicate resources.

UI / Customization

  • Fixed an issue where the product login page wasn't respecting the browser's preferred language settings, ensuring users now see the login interface in their browser-defined preferred language.

Proxy Servers

  • Fixed an issue where the WebSocket Connector Proxy was unable to authenticate after performing a major-version upgrade.

Authentication

  • Fixed an issue with phased authorization when there is a denial at one phase due to insufficient authorizers causing later phase(s) to not open, ultimately resulting in the request being stuck in approval state and never completing.

  • Fixed an issue with how the httpauth.exe web server authentication plugin queries cookies, which was previously causing an invalid session for the transparent authentication integration.

REST API

  • Resolved duplicate left joins on REST API calls when expanding with OData:

    • Sets the query-building behavior to use splitting, which improves performance.

    • Enables the validation of OData options manually in custom EnableQueryAttribute using OData functions.

    • Adds a new attribute option, AllowedOrderByPropertiesList, to allow a proper array of strings for properties.

  • REST API will no longer start if the schema is missing, if iddb is down, or if configuration (BASE_IDSYNCH_URL) is missing. Bravura Security Fabric will retry every 30 seconds until ready, and then start accepting requests.

  • Fixed a bug in the REST API GET /users endpoint where a null display name value caused incomplete output.

  • Removed SQL Service Broker dependency from OPADotNet.

  • Introduced a named pipe to trigger policy updates in OPADotNet.

  • Fixed database view HID_Rest.targetsystemoption issues where some boolean values are not properly emitted.

  • Fixed a limitation in idmconfig that prevented saving OPA (Open Policy Agent) policies containing the custom REGO function IsSuperuser or the custom REGO function GetProfileAttributeValues.

API

  • Fixed an issue where user IVR numeric IDs are not updated if the user is renamed.

Upgrade actions

Installation

  • Install .NET Runtime 8.0 with the following:

    • ASP.NET Core Hosting Bundle 8.0.x (latest; use 'Hosting Bundle', not x86 nor x64)

    • .NET Desktop Runtime 8.0.x

Authentication

  • The default behavior for the managed account password search engine has changed to hide failed randomizations. You can revert to the previously-default behavior by enabling the PASSWORD HISTORY VIEW INCLUDE FAILED PASSWORDS system variable.

Bravura Privilege

  • Update the Guacamole server.

  • No upgrade actions are needed for stock to stock upgrades; however, custom to stock/custom upgrades may require adjustments if affected components were customized or any criteria elements defined in those components were referenced. List of changed components:

    • Functional.pam_account_management

    • Functional.pam_system_management

    • Scenario.gm_folder_create

    • Scenario.pam_otp_api_management

    • Scenario.pam_team_privilege_requesters

    • Scenario.pam_team_privilege_trustees

Bravura Pass Plus

  • Existing users of Pass Plus will need to configure some additional settings in order to take advantage of the automatic provisioning feature, including configuring a target for Safe User Management, and setting up a template account for Safe Secrets. These steps are outlined in the component's README file.

UI / Customization

  • The config.js file has been updated with additional configuration options. To use the new options, this file must be merged with any existing config.js file in components or the design/custom/ directory.

Groups

  • Enable the MANAGED GROUP INHERITANCE COPY TARGET system variable if you want to enable the more intuitive handling of inherited phased authorization.