12.9.1
Features and improvements
Installation
Updated "Connectors Being Removed" pre-installation check URL
The "Connectors Being Removed" pre-installation check now points to the correct URL on the docs.bravurasecurity.com domain for the "Deprecated connectors" documentation page.
Core
Event action strings help updated with new exit trap macros
The in-product "Event action strings help" popup now documents four new exit trap macros: MGRNAME (manager full name), MGREMAIL (manager email), EXPACCTHOST (target system IDs of affected accounts), and EXPACCTLONGID (long IDs of affected accounts).
ManageableAccountSearch performance optimization
The ManageableAccountSearch query has been optimized by removing a bound variable that was causing 15 GB memory grants in SQL Server, significantly improving performance in large-scale deployments.
WstnPwdReqList performance optimization
The WstnPwdReqList query has been optimized for faster workstation password request listing, reducing response times when managing large numbers of workstation password requests.
KMKeyGetByAccount external scanner fallback mapping
Introduced a fallback mechanism in KMKeyGetByAccount so that when standard host/IP/DNS cross-reference lookups fail, external scanners such as Qualys can resolve credentials via a registry-based account/domain/resource mapping. The feature is disabled by default and can be enabled explicitly where needed without affecting existing deployments. For environments previously using the Qualys-specific registry value, rename it to the new generalized name while preserving the "accountname domain resource_id" format.
New forceactionable option for pwdconflicts.exe
Added a new forceactionable command-line option to pwdconflicts.exe that allows administrators to force-randomize non-actionable password conflicts. Existing behavior is unchanged unless the option is explicitly used. Inactive accounts are still filtered out regardless.
Hangfire QueuePollInterval changed from zero to 2 seconds
Hangfire previously polled SQL Server ~60–100 times/second even with no jobs queued, creating constant database load. The poll interval is now 2 seconds, reducing SQL queries by ~99.4 %. Async provisioning jobs may start up to 2 seconds later on average (below the threshold of perceptible delay).
Discovery
Safer psupdate use in shared schema environments
In shared schema environments, running auto discovery from a non-primary node now shows a clear warning and blocks psupdate execution, preventing silent changes to scheduler settings that previously caused scheduled psupdate jobs to fail on both nodes.
Bravura Privilege
Fixed data race on clipboard field in HIDSessmon ParseMessage()
The clipboard boolean field in HIDSessmon.java is now declared volatile to ensure proper memory visibility across threads per the Java Memory Model.
SMON session upgrade validation
Revalidated SMON session viewing and download functionality on upgrades (12.6 to 12.9.1.41530), confirming that live and recorded sessions show video, text, clipboard, and process data correctly and that download packages can be created for pre- and post-upgrade sessions without requiring an instance repair.
Consolidated auto-denied PAM checkout request email notifications
When a PAM checkout request expires without approval, the system now sends a single consolidated "Request Denied" email instead of one email per authorizer, while preserving individual notifications for manual denials. A configuration option controls this behavior, addressing email overload scenarios where dozens of denial emails were generated per expired request.
Improved VIM display in Guacamole PAM sessions
Upgraded the bundled Guacamole component to address a VIM display bug where lines appeared duplicated when scrolling, improving readability for users working in terminal sessions through PAM disclosures.
Tomcat updated from 9.0.94 to 9.0.109
Updated the bundled Apache Tomcat from version 9.0.94 to 9.0.109, incorporating security patches and bug fixes from the upstream Tomcat project.
Error message when browser extension plugin process fails to launch
Added an error message box that displays when the browser extension plugin process cannot be launched, providing clear feedback instead of failing silently.
Windows Authentication support for MSSQL system type
Added support for Windows Authentication when connecting to MSSQL target systems, allowing Bravura Privilege to manage SQL Server accounts using integrated Windows credentials instead of requiring SQL Server authentication.
Bravura Pass
Mass password reset post-reset email notifications
Added new MPR_SUCCESS and MPR_FAILURE exit traps that send per-user HTML email notifications with consolidated account reset results after a mass password reset batch completes, including success and failure information driven by configurable templates and the existing notification policy UI.
Local Reset Extension controls restored
The pslocalr.ocx and related controls have been added back to the product, along with the pslocalr-x64.msi and pslocalr.msi Local Reset Extension installers. The cgilocalr.cfg sample script has also been updated for the pslocalr control.
Per-account "not be an old password" validation on Change passwords page
Added per-account password validation on the Change passwords page to check the "not be an old password" rule against each selected account individually when transparent synchronization is disabled for the target group. This prevents users from reusing recent passwords on accounts that do not participate in transparent sync.
Bravura Identity
Profiles with trailing whitespace now supported
Fixed handling of profiles whose identifiers include leading or trailing whitespace so that requests such as MOVE-IN-ORG no longer fail with "Recipient identification ambiguous", and related profile reports now return the expected results.
Bravura One
Android 15 support for Bravura One mobile app
Added support for Android version 15 (API level 35) for the Bravura One mobile app, ensuring compatibility with the latest Android platform features and security requirements.
Notification
More robust enrollment completion navigation
Improved the enrollment completion flow so that newly triggered notifications are handled correctly, and users are redirected back to the expected pages after completing registration and password change steps, instead of occasionally encountering a broken UI.
OAuth support for global-mail-plugin
Implemented OAuth-based SMTP authentication (XOAUTH2) in the global-mail-plugin so that customers can use modern mail servers where basic authentication is being retired.
Workflow
HTML formatting for request macros in email
When HTML mail content is enabled, request macros such as %REQUESTBATCHDETAILS%, %REQUESTPURPOSE% and %REQUESTLINKS% are now wrapped in <pre> tags so line breaks and spacing are preserved, improving readability of request emails that use customer-specific HTML templates.
Scalability improvement for requests with many tasks
Handling of requests containing a large number of tasks (for example, roles with 70 or more groups) has been improved so that the 50-task display limit is enforced more gracefully and the behavior is documented. Roles that exceed this limit should be broken into smaller sub-roles.
Security
ASP.NET Core 8.0.23 security baseline
Updated the bundled ASP.NET Core runtime and related packages from 8.0.10/8.0.11 to 8.0.23 to address Microsoft security vulnerabilities (CVE-2024-43498, CVE-2024-43499, CVE-2024-43500).
Cache-Control headers on sensitive API responses
Cache-Control: no-store and Pragma: no-cache response headers are now added to sensitive API endpoints (account details, user profiles, OAuth userinfo) so browsers do not cache authenticated responses to local disk. Static assets (SVGs, localization JSON) remain cacheable. Addresses pentest finding "Cacheable HTTPS response."
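An added illustration (not Bravura's code) of the header rule above in ASP.NET Core: the middleware stamps no-store/no-cache on responses under assumed sensitive path prefixes and leaves every other response, such as static assets, untouched.

```csharp
// Added example, not the product's implementation. The path prefixes below are
// assumptions chosen to mirror the endpoints named in the release note.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Net.Http.Headers;

public static class NoStoreMiddleware
{
    // Assumed prefixes of endpoints that return authenticated, user-specific data.
    private static readonly string[] SensitivePrefixes =
    {
        "/api/rest/v2/accounts",
        "/api/rest/v2/users",
        "/connect/userinfo",
    };

    // Static assets (SVGs, localization JSON, ...) never match, so they stay cacheable.
    public static bool IsSensitive(PathString path)
    {
        foreach (string prefix in SensitivePrefixes)
        {
            if (path.StartsWithSegments(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    public static IApplicationBuilder UseNoStoreForSensitiveApis(this IApplicationBuilder app)
    {
        return app.Use(async (HttpContext context, Func<Task> next) =>
        {
            if (IsSensitive(context.Request.Path))
            {
                // OnStarting fires just before the headers are flushed, so the values
                // win even if a downstream handler set its own Cache-Control.
                context.Response.OnStarting(() =>
                {
                    var headers = context.Response.Headers;
                    headers[HeaderNames.CacheControl] = "no-store";
                    headers[HeaderNames.Pragma] = "no-cache";
                    return Task.CompletedTask;
                });
            }
            await next();
        });
    }
}
```

Register it early in the pipeline (before endpoint routing) so that every matching response passes through it; for individual controller actions, [ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)] produces equivalent headers.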
REST API
REST API documentation reviewed and published
Postman documentation for the REST API has been validated including endpoints, examples, resources, and the OpenAPI 3.1 schema.
sessionLogs endpoint ACLs enabled for authenticated users
Authenticated users can now query the /api/rest/v2/sessionLogs endpoint filtered by their own requester ID. OData $filter, $top, and $orderby are supported. The React dashboard uses this endpoint to display "last login" on the user profile card.
OTP account creation API regressions
Resolved breaking behavior changes where WFRequestActionsGet returned F after PDR completion (instead of S) and WFRequestAttrsGet did not return created PAM UTIL account information, impacting integrations such as DTCC's PAMUtil automation.
Customer branding REST API (logos and brand colors)
Added REST endpoints under /api/rest/v2/applicationSettings to retrieve/update branding configuration (JSON Patch for colors) and upload/serve/delete logos via /api/rest/v2/applicationSettings/logos({type}), including file-type validation by magic bytes, SVG sanitization, and hash-based filenames for cache busting. Write operations persist to both /ui/v2/assets/ (immediate React visibility) and /design/src/custom/ (rebuild-safe), with background-job processing and automatic cleanup of replaced assets.
User setting REST API (v2)
Added REST support for per-user key/value settings, including create/list/get/update/delete operations with OData query options on list retrieval; the value field supports any valid JSON value. Where applicable, datetime format and time zone are mapped from user profile attributes, and PATCH updates are applied back to profile attributes to avoid parallel legacy setting paths.
Mass password reset post-reset confirmation events
Added per-user MPR completion events MPR_SUCCESS and MPR_FAILURE (configured under Manage the system > Policies > Options) to drive email notifications and/or program execution after a mass password reset completes for a user. These events expose session tags SUCCESSTARGETS and FAILTARGETS (comma-separated host\account pairs) and require the Bravura Pass license (KeyModPSynch).
Skip serverinfo validation for TargetPAMAssociatedCredential_set
The IDMConfig API no longer performs the serverinfo validation check when mapping managed accounts via TargetPAMAssociatedCredential_set, aligning API behavior with the GUI tool psa.exe.
Database indexes for get_account_attributes performance
Added three new database indexes (metaattr_idx_4, targetobjattr_idx_4, and targetobjattr_file_idx_2) to optimize the performance of the REST API get_account_attributes operation, reducing query execution time in environments with large numbers of account attributes.
Exit traps for help desk operations in REST API calls
Added exit trap support for help desk operations invoked through the idmlib REST API, enabling event-driven automation (such as email notifications or external integrations) when help desk actions are performed via the API.
Database query optimization for ObjAssociateInitial and UserList
Updated database queries in the ObjAssociateInitial and UserList operations to use OPTION (MAXDOP 1), which restricts SQL Server to a single-threaded execution plan. This improves performance for these specific queries by avoiding parallel plan overhead in environments where parallelism introduces contention.
Default authorization policies for REST API write operations
Added default authorization policies (policies_post_create, policies_put, and policies_delete) to the REST API, providing out-of-the-box access control for create, update, and delete operations without requiring manual policy configuration.
OpenAPI specification published as a submodule
Configured ui/src/react/src/shared/api/spec as a Git submodule repository, making the OpenAPI specification available for import into Postman and other API tooling. This enables external teams and integrators to stay current with the API contract without manual file sharing.
OpenIddict token introspection caching (30 s TTL)
Every authenticated API request previously made an HTTP round-trip to the identity server for token validation, adding 500–1000 ms per call. Introspection results are now cached in IMemoryCache keyed by SHA-256 of the token, with a TTL of min(30 s, time-until-token-expiry). This eliminates redundant introspection calls during page navigation, reducing per-page auth overhead from 2.5–10 s to near zero. Session-extension logic remains piggybacked on real introspection calls and self-heals on the next cache miss.
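An added illustration (not Bravura's code) of the caching rule just described: results go into IMemoryCache under the SHA-256 of the bearer token, with a lifetime of min(30 s, time until the token's expiry). IIntrospectionClient, IntrospectionResult and the "introspect:" key prefix are assumptions.

```csharp
// Added example, not the product's implementation. The client interface and the
// result record are hypothetical stand-ins for the OpenIddict introspection call.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Extensions.Caching.Memory;

public sealed record IntrospectionResult(bool Active, string? Subject, DateTimeOffset? ExpiresAt);

// Hypothetical abstraction over the identity server's introspection endpoint.
public interface IIntrospectionClient
{
    Task<IntrospectionResult> IntrospectAsync(string token);
}

public sealed class CachedIntrospectionService
{
    private static readonly TimeSpan MaxTtl = TimeSpan.FromSeconds(30);
    private readonly IIntrospectionClient _client;
    private readonly IMemoryCache _cache;
    private readonly Func<DateTimeOffset> _now;   // injectable clock, handy for tests

    public CachedIntrospectionService(IIntrospectionClient client, IMemoryCache cache,
                                      Func<DateTimeOffset>? now = null)
    {
        _client = client;
        _cache = cache;
        _now = now ?? (() => DateTimeOffset.UtcNow);
    }

    public async Task<IntrospectionResult> IntrospectAsync(string token)
    {
        // Key by hash, never by the raw token: the cache must not turn into a second
        // store of live bearer tokens that shows up in memory dumps or diagnostics.
        string key = "introspect:" +
            Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

        if (_cache.TryGetValue(key, out IntrospectionResult? cached) && cached is not null)
            return cached;                       // cache hit: no round-trip

        // Cache miss: one real call to the identity server.
        IntrospectionResult result = await _client.IntrospectAsync(token);

        // Assumption: only positive results are cached, so a rejected token is
        // re-checked on every request and a "inactive" verdict can never go stale.
        if (!result.Active)
            return result;

        TimeSpan ttl = MaxTtl;
        if (result.ExpiresAt is DateTimeOffset exp)
        {
            TimeSpan untilExpiry = exp - _now();
            if (untilExpiry < ttl)
                ttl = untilExpiry;               // never outlive the token itself
        }

        // A token that is already expired (or about to) is not worth caching.
        if (ttl > TimeSpan.Zero)
        {
            _cache.Set(key, result,
                new MemoryCacheEntryOptions { AbsoluteExpirationRelativeToNow = ttl });
        }

        return result;
    }
}
```

The trade-off to keep in mind: a token revoked at the identity server keeps working on this node until its cache entry expires, so the 30 s cap is also the upper bound on revocation lag.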
User interface
WCAG accessibility remediations
Progressbar nodes now have accessible names, frame/iframe elements have title attributes, login page elements meet minimum color contrast ratios, and Lighthouse-identified issues (form labels, heading level order, prohibited ARIA usage) have been addressed to improve WCAG 2.1 AA alignment.
React UI npm audit vulnerabilities resolved (1 critical, 14 high, 6 moderate)
Security vulnerabilities in handlebars, vite, lodash/lodash-es, brace-expansion, defu, flatted, and tar dependencies are resolved.
Dashboard cache invalidation refactored
The dashboard now uses proper React Query invalidateQueries() instead of navigating to #/__refresh and back to force cache clearing.
Deduplicated users() API calls by sorting $select parameters deterministically
Multiple callers requesting the same user fields now produce identical React Query cache keys, eliminating duplicate network requests on page load.
PostMessage protocol files synced between Angular and React
The postMessage protocol definition files between the Angular and React frameworks are now synchronized for consistency across both frameworks and branches.
AppBar decluttered: language and theme controls moved into user menu
The language selector and theme toggle are moved from the top-level AppBar into the user menu dropdown, reducing visual noise in the header.
React UI session timeout now matches Angular UI behavior
The React UI now displays a countdown timer starting at 1 minute remaining, provides a functional "Extend" link, and handles session expiry consistently with the Angular UI.
Dashboard user profile card visual polish
The user profile card now displays configurable identity attributes (name, role/title, department, last login) with consistent styling, responsive layout across breakpoints, and WCAG 2.2 AA accessibility compliance.
Version toggle and navigation stability improvements
Fixed the React/legacy version toggle so logging back in honors the user's previously selected interface, and improved navigation state tracking to avoid inconsistent UI state when users navigate rapidly (blank pages, stuck spinners, or unexpected redirects).
Reduced white flash during login page load (dark mode)
Updated login page load behavior to prevent a white flash for dark-mode users by adding CSS color-scheme support and removing the hardcoded light-theme default.
Widget refresh behavior aligned to configured intervals
Updated the User Profile and User Accounts Summary widgets to respect refresh intervals consistently and reduce unnecessary REST calls triggered by tab switching.
Dashboard metrics management and configuration UI
Added a Manage Metrics dialog to add/remove/reorder dashboard metrics and configure alert thresholds for urgency-based metrics. Metric cards now support visual types (count, urgency, progress), skeleton loading states, zero-state messaging, and auto-saving configuration dialogs.
Dashboard notifications center
A notifications center has been added to the React dashboard, displaying alerts, updates, and system messages with category and priority levels, badges/indicators, persistence/read status, and support for real-time updates. This provides a central place for users to review important events without relying on email alone.
Customer branding infrastructure and dynamic theming
Implemented a unified customer branding system that loads configuration from branding.json at startup and applies logos, theme colors, and overrides across React and Angular UIs. Includes dynamic light/dark theme generation, context-aware logo selection, dynamic favicon switching, login page styling with OS-driven dark mode support, fallbacks when branding assets are missing, and synchronized theme state with the legacy Angular iframe. Build integration through make.bat and generated branding SCSS.
React Auth Provider stability improvements
Improved front-end authentication stability by memoizing createAuthProvider and updating useAuthStateMonitor to avoid unnecessary dashboard cache clearing during authentication re-checks, reducing transient UI inconsistencies.
Adaptive dashboard: Frequently Used Actions
Adds a Frequently Used Actions section to the adaptive dashboard that ranks actions with a frequency-biased algorithm, personalizes the list per user, hides actions already in Favorites, and adapts the number of displayed actions by screen size while storing usage data per user/instance for future server-side support.
Dashboard All Actions layout refresh
Renames Quick Actions to All Actions and refreshes the layout with a collapsible section, smart category grouping, paired small categories, pending request badges, and tooltip support, improving responsiveness and initial render performance.
Dashboard Favorites section
Introduces a Favorites section on the dashboard that lets users pin 3-6 of their most used actions based on recency and frequency, replacing basic Quick Actions with a personalized, accessible experience.
Saved report lists honour display limits
The "My saved reports" and "Other users' saved reports" pages now correctly honour the configured "Records to display" value. Saved reports with missing or unreadable spool files remain in the list but have their selection and action controls disabled, instead of silently reducing the number of rows shown.
jQuery 3.7.x validation test coverage
Extended and updated automated UI tests to validate the jQuery 3.7.x upgrade, improving the reliability of regression coverage for the React-based interface.
React UI is now the primary interface
The new React-based UI is now the primary interface, accessible at the application root URL. This provides a modern user experience with improved performance and clean URLs, replacing the legacy Angular UI as the default entry point. The legacy UI remains accessible via the version toggle for users who need it during the transition period.
Dashboard API query optimization
Optimized dashboard API queries to fetch only the required fields for each widget, reducing data transfer by 80–99% for user metrics, account summaries, and authentication operations. This significantly improves dashboard load times, especially in large deployments with many users and accounts.
Change Passwords page enhancements
Improved the Change Passwords page with a dedicated page header for clearer navigation and a reusable PageHeader component for consistent page titles across the application.
Optional suggestedPasswords field for password policy validation
Added an optional suggestedPasswords field to the PasswordPolicies POST endpoint. When the AUTOGEN_NUM rule is enabled, submitted passwords are validated against the suggested passwords list, ensuring that auto-generated password suggestions comply with the configured policy rules.
OData controller query performance: server-side filtering before materialization
Multiple controllers (Attributes, SessionLogs, Credentials, Settings, Operations, Users, Groups, Accounts — 21 occurrences across 8 controllers) previously called ToListAsync() to load entire tables into memory before applying OData $filter/$top/$skip. A request for $top=10 on a 50 000-row table now loads only the matching rows at the database level instead of materializing the full table.
Default OData pagination (MaxTop=500)
EnableQueryFeatures() now enforces MaxTop=500. Endpoints that previously returned all records when the client omitted $top are now capped. The React frontend already sends $top=25 and is unaffected. See Upgrade Actions for compatibility details.
Translation pre-loading at application startup
The TranslationService static Translate() method (called by AutoMapper) previously used .GetAwaiter().GetResult() on async database calls, blocking thread-pool threads. On cold cache with 100 entities this could cause thread-pool starvation. All translations from the Language table are now pre-loaded into a static cache during ApplicationInitializationService startup, eliminating runtime database round-trips for translations.
React dashboard query consolidation
The "At a Glance" dashboard section previously issued 7 separate API calls (4 of which independently scanned the accounts table). These have been consolidated into 1–2 navigation-property calls with client-side aggregation, reducing total API time from ~4.7 s to ~500 ms and API round-trips by 75 %.
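The ToListAsync-before-filter pattern and the MaxTop cap from the two OData items above, shown side by side as an added before/after example (not Bravura's code); the entity, DbContext and controller names are hypothetical.

```csharp
// Added example, not the product's controllers. Account, FabricDbContext and
// AccountsController are hypothetical names used only to show the two patterns.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.OData.Query;
using Microsoft.EntityFrameworkCore;

public class Account
{
    public int Id { get; set; }
    public int UserId { get; set; }
    public string LongId { get; set; } = "";
}

public class FabricDbContext : DbContext
{
    public FabricDbContext(DbContextOptions<FabricDbContext> options) : base(options) { }
    public DbSet<Account> Accounts => Set<Account>();
}

[ApiController]
[Route("api/rest/v2/[controller]")]
public class AccountsController : ControllerBase
{
    private readonly FabricDbContext _db;
    public AccountsController(FabricDbContext db) => _db = db;

    // BEFORE: ToListAsync() materializes every row; [EnableQuery] then applies
    // $filter/$top/$skip to the in-memory list, so $top=10 still reads the whole
    // table and an unauthenticated-looking "cheap" request can cost a full scan.
    [HttpGet("materialized")]
    [EnableQuery]
    public async Task<IActionResult> GetMaterialized()
    {
        var rows = await _db.Accounts.ToListAsync();
        return Ok(rows);
    }

    // AFTER: return the IQueryable so OData translates the query options into SQL
    // (WHERE / ORDER BY / OFFSET-FETCH) and only matching rows leave the database.
    // MaxTop bounds the response even when the client omits $top entirely.
    [HttpGet]
    [EnableQuery(MaxTop = 500)]
    public IQueryable<Account> Get()
    {
        return _db.Accounts.AsNoTracking();
    }
}

// The same cap as a global default instead of per action (Program.cs):
//   builder.Services.AddControllers()
//       .AddOData(options => options.EnableQueryFeatures(500));
```

With the second form, a client that sends $top=25 gets exactly 25 rows and one bounded query; a client that sends nothing is capped at 500 rather than receiving the table.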
Navigation-property pattern for user-scoped account queries
User-scoped account queries now use /users({id})/accounts instead of /accounts?$filter=user/id eq X, which is 4–5× faster (241–327 ms vs 1 233–1 628 ms) because it starts with a PK lookup and follows the FK index rather than scanning the accounts table.
$select added to OData queries
All useApiData calls now include $select to limit returned fields to what the component actually uses, reducing response sizes by 73–90 % (e.g., user profile from ~2 KB to ~200 B).
Reporting
Parent role columns in certification reports
Added "Parent role ID" and "Parent role description" columns to the Certification details and Review certification details reports, making it easier for reviewers to understand the role hierarchy and see which parent role grants each entitlement to a user.
Logging and metrics
Guacamole session correlation logging
A unique common identifier is now present in both guacd logs and BSF audit records, enabling administrators to match Guacamole session log entries to Bravura Privilege disclosure executions.
More accurate idmsuite.log timestamps
The logging service for idmsuite.log now periodically flushes file buffers on a configurable interval so the file's modification timestamp reflects recent logging activity. This makes it easier for administrators to see when logs were last written, without relying solely on log entry content.
Proxy servers
Immediate WebSocket reconnect on tunnel disconnect
The TunnelClient now retries the WebSocket connection immediately upon disconnect before applying TunnelRetryDelay (default 5 minutes). The backoff delay only kicks in after the immediate retry fails. This significantly reduces downtime for proxy-dependent operations (logins, password verifications, PAM sessions) during transient network interruptions.
Documentation
Updated hid_batch_request_submit example for Identity
Updated documentation and examples for using hid_batch_request_submit in the context of Identity, including clarification of specific quirks, parameters, and return behaviors so that integrators can implement batch requests with fewer integration issues.
Mail plugin OAuth configuration
Added documentation describing how to configure OAuth authentication for the global-mail-plugin, including new settings and example configuration steps. See Modifying global mail settings.
Notification client manual install docs and tests
Reviewed and updated documentation and testing guidance for manually installing the Bravura Security notification client from a network share, consolidating best practices from KB content into the main product docs. See Notification Client (psntfclient).
Resolved issues
Installation
SQL error during 12.9 upgrade
Fixed an issue where upgrades from 12.5 to 12.9 could fail with an "explicit DROP INDEX is not allowed" SQL error, ensuring the database migration scripts complete successfully without requiring manual intervention.
instdump.exe now outputs connector pack binary versions
Fixed instdump.exe so that it correctly outputs global connector pack binary versions in its diagnostic output, making it easier to verify which connector pack version is deployed on each node.
Fixed an installation issue where IIS handler mappings lacked script execution permissions, preventing the instance from running correctly.
Fixed an installation issue where IIS handler mappings were created without script execution permissions, preventing the Bravura Security Fabric instance from running correctly after a fresh install or upgrade.
Jamfile upgrade file type corrected to patchdbxml
Updated the Jamfile to properly set the upgrade file as patchdbxml, ensuring that database patch XML files are correctly identified and processed during the upgrade build step.
Login failure after upgrade to 12.9 when "Log on as a batch job" privilege missing
The installer/documentation now addresses the requirement that IIS_IUSRS must have "Log on as a batch job" privilege, which is required by the 12.9 identity apppool. Without this privilege, the identity apppool stops on first request, causing login failures.
Core
Guacamole high CPU from infinite NumberFormatException loop
Fixed an unhandled NumberFormatException in HIDSessmon.ParseMessage() (line 79) that caused Tomcat worker threads to spin at 100% CPU indefinitely when malformed (non-numeric) session data was received. The exception is now caught and logged, and the affected message is skipped.
Discovery
psupdate scheduler corruption on non-primary node
Fixed an issue in shared schema environments where manually running auto discovery from a non-primary node could silently change local scheduler settings and leave both nodes configured as the scheduled psupdate node, causing scheduled runs to fail.
Account associations not recalculated during psupdate after attribute changes made through Bravura Security Fabric
Fixed an issue where account associations were not recalculated during psupdate after changes to account attributes were made through the product UI or API. Associations now correctly update to reflect attribute changes without requiring a manual recalculation.
Targetsync.exe now correctly updates password expiry data
Previously, targetsync.exe created a separate _exp.db file containing outdated expiry values, causing incorrect password expiration emails. A full discovery would fix the values, but subsequent targetsync runs reverted them.
Database
RBAC variance stored procedures no longer return duplicate surplus rows
Updated RBACVarianceUserListDetails and RBACVarianceUserListDetailsAll to use SELECT DISTINCT * to eliminate duplicate surplus variance rows and verified the change is present after upgrade.
UserclassIsMember stored procedure runtime error
Fixed a runtime error in the UserclassIsMember stored procedure caused by the SQL optimizer executing operations out of order, which led to data type conversion failures. The fix ensures the query plan evaluates type-safe operations in the correct sequence.
UserClassPointLoadFromCache NULL criteria handling
Fixed a runtime error in the UserClassPointLoadFromCache stored procedure that occurred when the userclasspoint.criteriap field contained a NULL value, which could happen for user class points with no criteria defined.
DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD false positive during system reboot suppressed
The alert was triggered during normal service initialization when the queue_delay is initialized to INT_MAX before any records are processed. The alert is now suppressed when the value is INT_MAX within 10 minutes of system boot. No functional impact to data consistency or replication.
Bravura Pass
SKA sessions no longer persist across users
Resolved an SKA session persistence issue where closing the "Change my password" window on shared workstations could allow a subsequent user to see the previous user's dashboard. Sessions now end when the SKA window is closed, requiring re-authentication. See Login Assistant compatibility.
Active Directory interceptor backward compatibility
Fixed a compatibility issue where the newer version of the Active Directory interceptor could not communicate with older versions of Bravura Security Fabric and the Password Manager service (idpm). The interceptor now works correctly in mixed-version environments during staged upgrades.
ODBC Q&A authchain compatibility with 12.9 address format
In 12.9, the NULL target type stores the address in key-value pair format ({server=<DSN>;}) instead of the plain DSN name used in 12.7. The odbcqa.exe plugin now correctly parses the new format to extract the DSN name for SQLConnectW.
Mass Password Reset button missing from new dashboard
Fixed the Mass Password Reset (MPR) button not displaying in the new React dashboard by adding the missing translation mappings for the massPasswordReset dashboard item.
Mass onboard and mass password reset batch size adjusted
Adjusted the minimum and default batch size values used for mass onboard and mass password reset operations. The previous defaults were too high for the current version of the safe connector, causing failures. Note that setting batch sizes too low will degrade performance significantly.
Mass Password Reset configuration blanked after upgrade to 12.10.0
Upgrading from 12.9.1 to 12.10.0 wiped all MASS_PASSWORD_RESET and MASS_PASSWORD_ONBOARD configuration entries (TARGETS, VAULT_TARGET, VAULT_LINK_ATTRIBUTE, BATCH_SIZE, UCP_ID, REPORT, and related onboard entries) to blank. The upgrade procedure now preserves these values.
Bravura Identity
Missing hostid on LDEL operations in exit traps
The LDEL (link detach) operation now correctly populates the hostid field in exit trap account data. Previously, hostid was returned as None, causing exit trap scripts that filter by target system (e.g., SuccessFactors detach workflows) to fail silently.
"Recipient identification ambiguous" errors for some profiles
Fixed a defect where profiles created from accounts with trailing spaces in identifiers could not be used as recipients in certain PDRs and did not appear correctly in profile reports, removing spurious "Recipient identification ambiguous" errors.
Request search by requester notes
Fixed All Requests filtering so searches on Requester Notes correctly return matching requests, including those stored in legacy columns, restoring expected behavior for help desk and identity users relying on note text queries.
Bravura Privilege
SSH session recording playback with Guacamole 1.6 fixed
SSH session recordings previously showed a gray/black screen during playback in the Sessmon App, although live viewing worked correctly. The issue was specific to the Guacamole 1.6 SSH recording/playback pipeline. RDP sessions were not affected.
Lost guacamole-rdp access disclosure plugin attributes resolved
When ARCHIVE_ONBOARDED_SYSTEM processed a DELETE action, the WstnClean stored procedure could inadvertently delete all guacamole-rdp disclosure attributes for unrelated systems. The cleanup logic is now scoped correctly.
Guacamole HIDSessmon clipboard data race
Fixed a data race on the clipboard boolean field in HIDSessmon.java where concurrent access by HIDSessmonReader and HIDSessmonWriter threads lacked synchronization. The field is now declared volatile to ensure proper memory visibility per the Java Memory Model.
Guacamole clipboard paste in RDP sessions fixed
Pasting text containing special characters or modifier key sequences (CTRL+C, ALT+TAB, etc.) from the Guacamole sidebar clipboard into an RDP session via CTRL+V no longer causes random actions such as creation of folders. Right-click paste was not affected.
Session monitoring package removal error handling
Fixed the session monitoring service (idsmpg) to treat "file/path not found" as a successful result for both single and multi-session package removal, preventing spurious errors when cleaning up session packages that have already been removed.
Fixed the session monitor recording icon label branding.
PAM Linux components migrated to LINUX_NG connector
Adjusted the pam_system_type_linux component and other related components to use the LINUX_NG connector instead of the legacy LINUX connector, aligning PAM Linux target system management with the current supported connector.
Incomplete JSON sample files for AWS website disclosure documentation
Corrected incomplete JSON sample files in the AWS website disclosure documentation, updating the examples to contain valid JSON syntax and accurate configuration fields so that customers can use them directly as a reference.
Vault account PDR system info link access denied resolved
A parameter shift in LoadDisplayManagedSystem caused DEFAULTUSERGROUP=0 (REQUEST_CAPACITY_INVALID) to be passed to the system info page, preventing users with vault trustee privilege from accessing vault system info links. The correct function overload is now used.
Bravura One
Fixed mobproxy HTTP request handling issues for PATCH operations.
Mobile proxy paths updated for modern deployment
Updated mobile proxy URL paths to align with the modern deployment structure, ensuring the Bravura One mobile application can correctly route requests through the proxy in current environments.
Authentication and authorization
False user lockouts from proxy communication failures
The auth chain no longer increments the invalid password lockout counter when a proxy tunnel communication failure (agent error code 25 / PLUGIN_ERROR_PROCESS) occurs. Previously, transient proxy outages during WebSocket reconnect cycles caused agtaddn.exe failures to be treated as failed password attempts, locking out users whose passwords were never validated. Users now receive a system connectivity error instead of "incorrect password."
SAML SSO redirect broken after 12.9 upgrade
Fixed a regression where both IdP-initiated and SP-initiated SAML SSO flows returned users to the PSF module (front-end portal) instead of completing the redirect to the service provider, affecting all configured SAML applications and both the default and /v1 URL paths. This behavior has been restored to match pre-12.9.0 releases.
Authentication failure on shared schema node
Fixed an issue where users could not log in from a shared schema server node because the PSF module returned a 401 error due to a failure requesting OpenIddict cookies (HTTP status 11). Environments using a load balancer were not affected.
Notification
First-time registration flow stability
Resolved an issue where the first-time registration process could crash the UI before the password change step completed, particularly when multiple notifications were triggered. The flow now consistently returns users to the expected notification and password change pages.
Fixed a notification client white-screen issue; notifications now display properly.
Workflow
HTML formatting for request macros in email
Corrected handling of request macros like %REQUESTBATCHDETAILS%, %REQUESTPURPOSE%, and %REQUESTLINKS% when MAIL CONTENT TYPE is enabled so multi-line values render with proper HTML line breaks instead of being collapsed into a single unreadable line.
Users with "View workflow requests" permission could not see request details
Fixed an issue where users with the "View workflow requests" (viewworkflow) permission were unable to view request details on the request popup page, despite having the correct permission assigned.
rbacenforce.exe failed request output format corrected
Modified rbacenforce.exe to properly save requests that failed to submit, using the same KVG format as the wizard produces. Previously, the saved file used a different format that could not be reprocessed.
Component framework
Fixed hid_policy_wfemail to respect the default policy.
REST API
REST API v2 unit test failures for SessionLogs and TargetSystems
Fixed 20 failing unit tests (14 in v2, 6 in v1) in the REST.Test suite that had been failing since commit c270987d.
HtmlSanitizer.dll now included in deployed REST API
SVG logo uploads via PUT /applicationSettings/logos({type})/value no longer fail with a missing HtmlSanitizer assembly error. The build/installer packaging now includes HtmlSanitizer.dll and its transitive dependencies (AngleSharp). Non-SVG uploads (PNG, JPG, WebP, AVIF, GIF) were not affected.
REST API datetime output now respects time zones
Fixed the REST API to correctly include time zone information in datetime output fields. Previously, datetime values were returned without time zone context, which could lead to incorrect time interpretation by API consumers in different time zones.
discoveryId added to auto-discovery REST API output
Added the discoveryId field to the auto-discovery operation output for target systems in the REST API, enabling API consumers to correlate discovery results with specific discovery runs.
Password attribute values masked in REST API v2
Fixed the REST API v2 to correctly mask password attribute values as ******** instead of returning encrypted strings, preventing accidental exposure of encrypted password data in API responses.
Group and account DELETE endpoints returning 400 error in v1 API
Fixed the group and account DELETE endpoints in the v1 REST API that were incorrectly returning HTTP 400 (Bad Request) errors instead of successfully processing deletion requests.
Refreshed access tokens missing the userguid claim
Fixed refresh token authentication by ensuring the required userguid claim is properly included in refreshed access tokens. Without this claim, subsequent API calls using refreshed tokens would fail authorization checks.
X-CSRF-Token header not URL-decoded for mass password reset REST API calls
Fixed a mass password reset issue where the X-CSRF-Token header value was not being URL-decoded before validation, causing REST API calls to fail with CSRF validation errors when the token contained URL-encoded characters.
Added superuser access to accounts and users PATCH operations
Added superuser access to the accounts and users PATCH operations in the REST API, allowing administrative users with superuser privileges to modify account and user attributes without requiring additional OPA policy configuration.
REST API error responses for invalid tokens
Improved REST API error responses for two scenarios: the userinfo endpoint now returns proper error responses when invalid or expired tokens are used, and all endpoints now return appropriate error responses when invalid CSRF tokens are provided, instead of generic or misleading error messages.
Account information in SessionLogs REST API for ACUA operations
Fixed the SessionLogs REST API responses to properly populate account information for ACUA (Account Check-out/Unlock/Access) operations, which were previously returning empty or incomplete account data.
Fixed an issue where the authchain2factor API call was failing.
REST API token revocation now RFC 7009 compliant
The REST API now correctly invalidates access tokens when their associated refresh tokens are revoked, bringing token revocation behavior into compliance with RFC 7009. Previously, revoked refresh tokens did not cascade to their access tokens, potentially allowing continued API access after revocation.
PWGEN_NUM excluded from PasswordPolicy GET rule listing
Excluded the PWGEN_NUM internal rule from the PasswordPolicy GET endpoints that list password rules, as this is a configuration parameter for password generation count rather than a user-facing validation rule.
Multi-issuer token validation with OpenIddict
Fixed multi-issuer token validation by configuring OpenIddict to use BASE_IDSYNCH_URL for consistent issuer claims. Previously, tokens issued from different nodes in a multi-node deployment could fail validation because the issuer claim did not match the validating node's URL.
OPA policies updated to authorize _REPORT_READERS_ user class
The following OPA policies now authorize the _REPORT_READERS_ user class:
accounts_get
accounts_get_list
accounts_groupmemberships_get
accounts_groupmemberships_get_list
accounts_targetsystem_get
accounts_user_get
operations_get
operations_get_list
targetgroups_get
targetgroups_get_list
users_accounts_get_list
users_get
users_get_list
targetsystems_accounts_get_list
targetsystems_get
targetsystems_get_list
targetsystems_groups_get_list
targetsystems_options_get_list
IDMLib
Added missing fields to ReqBatch.
Security
Insecure HTTP methods TRACE and CONNECT blocked
Blocked the insecure HTTP methods TRACE and CONNECT to address penetration test findings, while preserving full REST API functionality for all supported methods (GET, POST, PUT, PATCH, DELETE).
npm dependency security vulnerabilities resolved
Resolved 8 npm security vulnerabilities by updating playwright, vite, storybook, and other front-end dependencies to their latest secure versions, addressing known CVEs in the React UI build toolchain.
Enhanced postMessage origin validation to prevent potential message interception by malicious frames.
Skip authentication button text cutoff
Fixed the Skip authentication button text being cut off on the login page by allowing login buttons to wrap text and styling the Skip button to match the Continue button dimensions.
Reporting
Saved reports record count and paging
Resolved an issue where saved reports pages did not respect the "Records to display" setting and appeared to show fewer results than configured, particularly when some spool files were missing or unreadable.
Boolean filters behave correctly for "No"
Fixed Boolean request attribute handling in the "Managed account check-outs / check-ins" report so that searching for "No" returns the correct results, matching how values are stored in the database.
User interface
System onboard PDR displays "request not submitted" for Cisco IOS devices despite successful processing
When system verification took longer than expected (e.g., 64 seconds for agtssh), the batch record lookup returned before the batch was created, causing the UI to display a false failure message. The timing/polling logic is now corrected.
Mass password reset PSF link behavior when PAM refbuild installed
The MPR link in PSF now correctly navigates when a refbuild component is installed, and PDR filtering ensures users see only the PDRs relevant to their user class.
Navigating after auto-discovery no longer goes to wrong screen
After running psupdate through the UI, navigating to another screen (e.g., target systems list) now correctly displays the intended page instead of redirecting back to Auto Discovery.
User Accounts Summary / User Profile widgets inconsistent refresh behavior fixed
These widgets now auto-refresh at the configured duration interval and no longer make excessive REST API calls when switching browser tabs.
Fix refresh loop causing unexpected logout in React UI
Eliminated the infinite refresh loop between /#/__refresh and /#/ that eventually caused session timeouts and unexpected logouts. Dashboard cache clearing now uses React Query's invalidateQueries() method.
Momentary spinner flash during page navigation eliminated
A loading spinner that appeared on the current page before navigation completed has been removed, and the sidemenu now prevents additional clicks during navigation.
PAM refbuild "Manage Resources" custom link now displayed on React PSF screens
When RefBuild.pam_team_management is installed, the "Manage Resources" custom link now appears correctly on the React PSF screens, matching the legacy (Angular/CGI) behavior.
Notification read status now retained when navigating within the same session
Previously, navigating away from the dashboard reset the notification read state, re-displaying the unread indicator. Read state now persists until logout.
Navigation state race condition during rapid navigation fixed
Replaced simple flag-based tracking with navigation-ID-based tracking in SmartLegacyRouter.tsx to prevent inconsistent state when rapidly clicking between routes.
URL redirection from login screen to a specific React UI page fixed
Navigating to a specific React UI URL (e.g., /change-passwords) and logging in now correctly redirects to that page instead of the main dashboard. This also fixes Domain SKA / Login Assistant redirect scenarios.
Version toggle routing bug on login fixed
When a user toggled to the legacy dashboard, logged out, and logged back in, they were incorrectly shown the React dashboard. The version toggle preference now persists across login sessions.
React auth error messages now display translated text instead of raw i18n keys
The i18nProvider.ts now loads the 'auth' and 'core' namespaces into Polyglot's message catalog, so keys like auth.errorCategories.errors.insufficient_permissions resolve correctly.
Relative timestamps (timeago.js) now localized
Relative timestamps (e.g., "5 minutes ago") from timeago.js in the notification center, session timeout notification, and connection status components now display in the user's selected language (French, Spanish).
Dashboard elements now fully translated (metric cards, loading text)
Fixed untranslated strings ("in the next 30 days", "Loading Please wait") and a RelativeTimestamp styling regression in metric cards.
Expired passwords and password age metric cards fully translated
Text elements on these metric cards that remained in English regardless of the user's selected language are now properly localized.
Notification VIEW TASK button now works reliably on repeated clicks
Previously, clicking VIEW TASK a second time did nothing, and a third click produced a blank page with a 30-second delay. Navigation now works immediately on every click.
Mass Password Reset link with refbuild installed
The MPR link in psf now correctly navigates to /#/manage-resources when a refbuild component (e.g., RefBuild.pam_team_management) is installed, instead of the unavailable #/use-pre-defined-requests-for-custom-operations route.
Session timeout now redirects back to React UI instead of Angular login
After a session timeout, re-authentication now returns users to the React UI (ideally the same page they were on) instead of the Angular #/login page with missing menus and an error message.
Suggested password dropdown display in legacy screen
The "Suggested password" dropdown is now properly sized when switching from the React interface to the legacy interface during password changes.
Iframe sandbox security hardening
Removed the allow-scripts + allow-same-origin combination from iframe sandbox attributes, which per MDN could allow embedded content to remove the sandbox attribute entirely and escape its restrictions.
Iframe reference race condition during logout
Fixed a race condition where the Angular legacy app sent a postMessage to show the iframe before the React iframe ref was mounted, producing "Cannot show iframe: no iframe reference" warnings during logout transitions.
Forgot password email link blank page in 12.9
The FORGOT_PASSWORD auth chain's validate.py redirect (JUMPTOCGI = PSS) now routes through the React SPA instead of directly to pss.exe. Previously, pss.exe loaded as a top-level browser window with no SPA parent context, causing all API calls to fail silently and rendering a blank page.
React deep-link login redirects (for example /change-passwords)
Fixed an issue where logging in from the main login page did not redirect to the requested React route (for example /change-passwords) and instead landed on the dashboard; legacy /v1/... paths continue to route to the legacy UI as expected.
React dashboard navigation rendering inconsistencies
Fixed issues where React dashboard navigation could route into legacy/Angular pages and leave the UI in a mixed state (React menu with Angular content) or fail to load selected left-nav pages.
Skin build failures when components define their own language tags
Fixed the skin build process so that component language files are correctly discovered and loaded in both product (ui/src/ui/) and instance (design/src/ui/) build contexts, resolving failures where component-specific language tags (such as mass_password_reset links) could not be found.
Dashboard "Favorites" and "Frequently Used" sections lost on logout
Fixed a bug where the dashboard Favorites and Frequently Used sections were reset after the user logged out and logged back in. The dashboard now persists these sections correctly across sessions.
Dashboard widget visibility and resize issues
Fixed bugs where adding a seventh widget to the Frequently Used section caused the oldest widget to disappear, and where action cards could disappear from view when the browser window was resized. Widgets are now retained correctly regardless of count or viewport changes.
jQuery 3.7.x validation test coverage
Extended and updated automated UI tests to validate the jQuery 3.7.x upgrade, improving the reliability of regression coverage for the React-based interface.
Saved reports honor record limits
Fixed saved report pages so the "Records to display" setting is respected. Reports with missing or unreadable spool files are shown but their controls are disabled instead of silently dropping the rows.
Cookie check bypass for "forgot password" flow
Added a fix to bypass the cookie validation check when using the "forgot password" flow, which was incorrectly blocking password reset attempts when cookies were not yet established.
"Invalid request" error from popup window AJAX calls
Fixed an "Invalid request" error that occurred when AJAX calls were made from popup windows, caused by incorrect CSRF token handling in the popup context.
API calls firing before userId is set
Fixed a race condition where API calls could be made before the userId was set in the session context, causing authorization failures during initial page load.
Cross-instance logout when logging into a different instance
Fixed an issue where logging into a different Bravura Security Fabric instance would log users out of their current instance. Implemented instance-specific cookie paths so that sessions on different instances no longer interfere with each other.
In-app password character help dialog
Added an in-app help dialog that displays the allowed characters for the password rule "contain only characters available on a standard English (US) keyboard," helping users understand which characters are valid without consulting external documentation.
Login Manager (SSO) removed from supported products
Removed Login Manager (SSO) from the license and list of supported products, as this component has been deprecated and is no longer maintained or supported.
Password suggestion count respects AUTOGEN_NUM policy rule
The password suggestion count now uses the AUTOGEN_NUM rule from the configured password policies (defaulting to 5 if not configured), instead of always showing a fixed number of suggestions regardless of policy settings.
Password validation against suggested passwords list
Added an optional suggestedPasswords field to the PasswordPolicies POST endpoint. When the AUTOGEN_NUM rule is enabled, submitted passwords are validated against the suggested passwords list to ensure compliance.
"Remember Me" persistence across logout and session expiry
Fixed the "Remember Me" functionality to correctly persist user preferences across logout and session expiry. Previously, remembered preferences were lost when the session expired or the user logged out.
OAuth2 Authentication Port label typo corrected
The address parameter label "OAuth2 Autentication Port" has been corrected to "OAuth2 Authentication Port" in the en-us-errmsg.kvg resource file, affecting the configuration screens for the Azure Active Directory and Exchange connectors.
"Session Active in Another Tab" text invisible in dark mode
Fixed the "Session Active in Another Tab" message text being invisible in dark mode due to insufficient color contrast.
Missing translations in User Accounts Summary widget configuration
Fixed missing translations in the User Accounts Summary widget configuration dialog for status filters, sort options, and sort order dropdowns, which were displaying raw translation keys instead of localized text.
Removed non-functional quick action menu from User Accounts Summary
Removed the quick action menu (3-dot icon) from the User Accounts Summary list view, as it was non-functional in this context and caused user confusion.
"Last activity" field removed from User Accounts Summary widget
Removed the "Last activity" field from the User Accounts Summary widget, including its display, configuration, sorting, and all related functionality, as the underlying data source was not reliably available.
XSS sanitization for password policy rule descriptions
Added XSS sanitization using DOMPurify to password policy rule descriptions, preventing potential script injection attacks through maliciously crafted policy rule text.
Default dashboard loading before user layout is determined
LegacyIntegrationService is now the single source of truth for userStorageKey, so the dashboard layout is always loaded under the current user's key and layouts are no longer shared between users.
Mobile header logo overlapping navigation buttons
The mobile header now shows an icon-only logo on small screens to ensure the logout and navigation buttons remain accessible and are not obscured by an oversized logo.
Side menu search bar and description toggle positioning
Locked the search bar to the top and the description toggle to the bottom of the side menu, preventing them from scrolling out of view when the menu content is long.
Password policy rules panel shows regex and whitelist requirements
The password policy rules panel now displays regular expression and whitelist requirements alongside the standard rules, giving users complete visibility into all password requirements in one place.
Password policy descriptions not translating on language change
Fixed password policy descriptions not translating when the user changes language, by correctly parsing the Accept-Language header, adding language family fallback in the backend, and refetching policies on language change in the React UI.
Password policy validation improvements
Comprehensive improvements to password policy validation in the React UI: removed misleading fallback rules when policies fail to load, disabled the submit button when policies are unavailable or rules are not met, added clear error messages, fixed validation to check all required rules including regular expressions and whitelist entries, and corrected policy switching to use target group-specific policies that update correctly when switching between target groups.
Badge calculation errors in User Accounts Summary dashboard
Fixed badge calculation and display bugs in the "User Accounts Summary" dashboard widget where badge counts were incorrect or not updating properly.
User Profile widget dynamic attribute loading
The User Profile widget now dynamically loads attributes from the API with localized labels, filters out user-type attributes that should not be displayed, and includes comprehensive icons for each attribute type.
"Total Group Memberships" metric showing error instead of count
Fixed the "Total Group Memberships" user metric widget to correctly display the count of group memberships across all user accounts instead of showing a "Selected metric not found" error.
Removed the Show Last Login option from the user profile configuration widget.
Fixed the "Show Avatar" toggle to properly hide/show the user avatar.
Removed non-functional "Strong Passwords" metric from dashboard widgets.
Fixed an issue to read the CSRF token fresh from cookies on each request.
Enabled server logout endpoint to clear cookies.
CSRF token expiring after 1 hour while session is active
Fixed an issue where the CSRF token expired after 1 hour even while the user session remained active, causing unnecessary 403 errors on subsequent API calls. The token lifetime now aligns with the session lifetime.
REST API authorization failures for sessionclient tokens
Fixed REST API authorization failures for sessionclient tokens by adding missing user claims to the JWT payload. Without these claims, API calls using session-based tokens would fail OPA policy checks.
Added a missing GUID marker to the root HTML page.
User Accounts Summary "Enabled Statuses" filter not working
Fixed the User Accounts Summary widget's "Enabled Statuses" filter to correctly filter displayed accounts based on the selected status options instead of showing all accounts regardless of filter selection.
User Accounts Summary not showing real-time operation status
Fixed the User Accounts Summary widget to show real-time status updates until account operations (such as password resets or unlocks) fully complete, instead of showing stale status during in-progress operations.
User Accounts Summary list view showing plain text instead of status icons
Fixed the User Accounts Summary widget list view displaying plain text status chips instead of icon badges. The list view now shows the same status badge icons as the grid view for consistent status visualization.
Added missing legacy module ID mappings for dashboard items.
Fixed feature to restore default widgets on layout reset.
Multi-tab session coordination
Added a session transfer system for multi-tab coordination to prevent authentication conflicts and ensure a consistent user experience across browser tabs. Previously, opening multiple tabs could cause session conflicts or unexpected logouts.
Authentication race conditions on page refresh
Fixed authentication race conditions and iframe display issues that occurred on page refresh, which could result in blank pages or authentication errors requiring a manual re-login.
Legacy UI flash and navigation loop during logout
Fixed a legacy UI flash during React logout, a navigation loop after logout, and stale user cache data when switching users. The logout flow now cleanly transitions without visual artifacts or redirect loops.
Removed unused actions configuration option from User Accounts Summary widget.
Legacy iframe popups blocked by sandbox restrictions
Added the allow-popups-to-escape-sandbox token to the sandbox attribute of the legacy iframe, allowing popup windows opened from the legacy UI to function correctly without inheriting sandbox restrictions.
Fixed an issue to always use the top-level document for communications over the WebView channel.
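The two sandbox rules behind the iframe sandbox hardening item and the legacy iframe popup item above, as an added audit function that is not Bravura Security Fabric code. The finding texts and the frameIsSameOrigin option are this example's own; the token list is the standard HTML sandbox vocabulary.

```javascript
// Added example (not product code): lint an iframe sandbox attribute value.
const KNOWN_SANDBOX_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

function parseSandbox(attrValue) {
  // The attribute is a space-separated, case-insensitive token set.
  return new Set(String(attrValue ?? "").toLowerCase().trim().split(/\s+/).filter(Boolean));
}

// Returns an array of { level, token, message }; an empty array means no concerns.
function auditSandbox(attrValue, { frameIsSameOrigin = false } = {}) {
  const tokens = parseSandbox(attrValue);
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_SANDBOX_TOKENS.has(t)) {
      findings.push({ level: "warn", token: t, message: "unknown sandbox token is ignored by browsers" });
    }
  }
  // allow-same-origin lets the framed document keep its real origin. If that
  // origin is the embedder's and scripts run, the frame can reach
  // window.parent.document and delete its own sandbox attribute.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin") && frameIsSameOrigin) {
    findings.push({
      level: "error",
      token: "allow-same-origin",
      message: "allow-scripts + allow-same-origin on a same-origin frame lets the frame remove its sandbox",
    });
  }
  // allow-popups-to-escape-sandbox only modifies allow-popups; alone it does nothing.
  if (tokens.has("allow-popups-to-escape-sandbox") && !tokens.has("allow-popups")) {
    findings.push({
      level: "warn",
      token: "allow-popups-to-escape-sandbox",
      message: "has no effect without allow-popups",
    });
  }
  return findings;
}

// For a CI check or a runtime guard before iframe.setAttribute("sandbox", ...).
function sandboxIsAcceptable(attrValue, opts) {
  return auditSandbox(attrValue, opts).every((f) => f.level !== "error");
}
```

The legacy iframe on this page is served from the same host as the React shell, so it is the frameIsSameOrigin case: the escape is only possible when the framed document's origin equals the parent's, which is also why the same two tokens on a cross-origin frame do not produce the error.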
Fixed an issue where quick actions were not loading on first login.
Language switching not translating UI controls
Language switching now correctly translates the dark/light mode toggle, logout button, and refresh button in all supported languages (English, French, Spanish). Previously, these controls remained in the original language after switching.
Password change notification messages are properly translated.
Memory leak in StorageService during logout/login cycles
Fixed a memory leak in StorageService that prevented proper cleanup of user session data during logout/login cycles. The fix eliminates unreleased promise references and race conditions in the authentication flow that could degrade browser performance over time.
Wrong exit trap used for self-service password reset in React UI
Fixed the React UI to use the proper self-service exit trap (PSS_RES) on password reset instead of the admin exit trap, ensuring that the correct notifications and automation are triggered for self-service operations.
Duplicate attributes on dashboard user profile card
Fixed an issue where duplicate attributes were displayed on the user profile card on the dashboard, caused by the same attribute being loaded from multiple sources.
User Accounts Summary widget loading and refresh improvements
Enhanced the User Accounts Summary widget with immediate account loading on display and configurable refresh intervals with intelligent caching, reducing unnecessary API calls while keeping data current.
Dashboard widget refresh intervals not working correctly
Fixed widget refresh intervals for Total Accounts, Passwords Near Expiry, Average Password Age, and Total Group Memberships widgets, which now automatically refresh every 5 minutes as intended. Previously, these widgets either only refreshed on browser refresh or refreshed on every page navigation, causing either stale data or excessive API calls.
MUI anchorEl warning in UserMenu during logout transition
The UserMenu's anchorEl reference became stale when the component tree unmounted during logout, causing MUI's Popover to attempt positioning against a removed DOM element.
Angular header and sidebar flash during login page load
The Angular header and sidebar briefly flashed on the login page during initial load and every ~75 s session refresh because the body[data-transaction="C_AUTHCHAIN_LOGIN"] CSS selector was not applied until Angular bootstrapped. The data-transaction attribute is now set in index.html so the header starts hidden by default.
Double headers intermittently shown on UI pages
A duplicate header bar was sometimes rendered when clicking through pages or performing a browser refresh.
Change passwords screens not updating correctly
On the React UI the "Changing…" status remained and never changed to "Success." On the Angular UI the screen went blank after clicking the change-passwords button. Passwords were actually reset in both cases, but the UI did not reflect the result.
Post-login spurious logout causing blank dashboard
After successful login, the React app's useAuthStateMonitor replayed a stale authenticated=false message from the login page's C_AUTHCHAIN_LOGIN, calling logout() and leaving the app in a half-authenticated state where the React appbar never rendered and the Angular iframe dashboard showed fullscreen.
Session expiry on legacy route shows blank screen instead of login page
When a session expired while the user was on a legacy (Angular) route, Angular's iframe reloaded but did not emit the authentication-state-change postMessage back to React because the EMBEDDED_MODE confirmation was lost on reload. The user saw a blank screen and could not proceed. React now detects the iframe reload and re-sends the EMBEDDED_MODE message.
Navigational issues with blank pages and UI refresh
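The embedder side of the parent/iframe channel that the postMessage origin validation item (Security section), the stale authenticated=false item and the EMBEDDED_MODE reload item above describe, written as an added example that is not Bravura Security Fabric code. It pins the sender's origin and window, ignores auth-state messages until the frame has acknowledged the handshake, and repeats the handshake on every iframe load. The message names EMBEDDED_MODE_ACK and AUTH_STATE, the payload shapes, and the class structure are assumptions; EMBEDDED_MODE is the page's own message name.

```javascript
// Added example (not product code): origin-pinned postMessage channel with a
// handshake that is re-sent on iframe reload.

function isTrustedMessage(event, { allowedOrigin, expectedSource }) {
  // Never accept a wildcard: an authenticated channel must be pinned to one origin.
  if (!allowedOrigin || allowedOrigin === "*") return false;
  if (event.origin !== allowedOrigin) return false;                    // another site's frame
  if (expectedSource && event.source !== expectedSource) return false; // another window on our origin
  return Boolean(event.data && typeof event.data === "object" && typeof event.data.type === "string");
}

class EmbeddedChannel {
  constructor({ frameWindow, frameOrigin, onAuthState }) {
    this.frameWindow = frameWindow;   // iframe.contentWindow in a browser
    this.frameOrigin = frameOrigin;   // e.g. new URL(iframe.src).origin
    this.onAuthState = onAuthState;
    this.acked = false;
    this.handshakesSent = 0;
    this.dropped = [];                // rejected messages, worth a security log line
  }

  // Send the handshake with an explicit target origin (never "*") and forget any
  // earlier acknowledgement: the document that acked it may no longer exist.
  sendEmbeddedMode() {
    this.acked = false;
    this.handshakesSent += 1;
    this.frameWindow.postMessage({ type: "EMBEDDED_MODE" }, this.frameOrigin);
  }

  // Wire to iframe.addEventListener("load", ...): a reload wipes the frame's
  // state, so without a fresh handshake it never reports auth changes again.
  onFrameLoad() {
    this.sendEmbeddedMode();
  }

  // Wire to window.addEventListener("message", ...). Returns true when the
  // message was accepted and acted on.
  handleMessage(event) {
    const trusted = isTrustedMessage(event, { allowedOrigin: this.frameOrigin, expectedSource: this.frameWindow });
    if (!trusted) {
      this.dropped.push({ origin: event.origin, type: event.data && event.data.type });
      return false;
    }
    switch (event.data.type) {
      case "EMBEDDED_MODE_ACK":
        this.acked = true;
        return true;
      case "AUTH_STATE":
        // Before the ack, any AUTH_STATE is left over from a previous document
        // (for example the login page) and must not drive a logout.
        if (!this.acked) return false;
        this.onAuthState(event.data.authenticated === true);
        return true;
      default:
        return false;
    }
  }
}
```

Checking event.source as well as event.origin matters because the legacy frame and the React shell share an origin: a popup or a second tab on the same origin could otherwise post an AUTH_STATE that passes the origin check alone.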
Clicking a widget from the dashboard sometimes showed the page header with a blank white page body. Clicking the React UI refresh button would eventually show the Angular dashboard after ~30 seconds, and the native browser refresh also fell back to the Angular dashboard.
403 permission denied incorrectly logs user out
A non-admin user whose API requests returned 403 (OPA policy denial) was immediately logged out because checkError treated 403 the same as 401. A 403 now shows a localized "insufficient permissions" message without triggering logout.
RelativeTimestamp skips listeners when browser tab is hidden at mount
If the RelativeTimestamp component mounted while the browser tab was in the background, no interval timer, visibilitychange listener, or i18n languageChanged listener was registered, and they were never set up even when the tab became visible.
Proxy servers
Fixed unhandled exceptions that could occur during proxy shutdown, improving application stability.
Logging and metrics
IDPM
GetClientIP() now respects X-Forwarded-For
The GetClientIP() function in idpmactcgi.cpp has been aligned with the AJAX code path (ajax.cpp) to honour X-Forwarded-For and the TRUSTED_REVERSE_PROXY configuration. Previously, audit logs for IDPM events (e.g., pss_reset_success) recorded the ALB/proxy IP instead of the real client IP in reverse-proxy environments (Cloudflare → ALB → IIS → BSF).
Frozen idmsuite.log modification time
Fixed a threading issue that could cause the idmsuite.log file's modification timestamp to stop updating even though new log entries were being written, which made it appear as though logging had stopped when it had not.
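The client-address resolution behind the GetClientIP() / TRUSTED_REVERSE_PROXY item above, as an added example that is not Bravura Security Fabric code. The security point is that X-Forwarded-For is only meaningful for hops appended by proxies you trust; the example walks the chain from the right and stops at the first untrusted address, so a client cannot pre-seed the header to forge what the audit log records. That TRUSTED_REVERSE_PROXY holds a list of IPv4 addresses or CIDR blocks is an assumption, as are the sample addresses (constructed from documentation ranges).

```javascript
// Added example (not product code): resolve the real client IP from
// X-Forwarded-For while trusting only configured reverse proxies.

function ipv4ToInt(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function parseCidr(spec) {
  const [ip, bitsStr = "32"] = spec.trim().split("/");
  const base = ipv4ToInt(ip);
  const bits = Number(bitsStr);
  if (base === null || !Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad CIDR ${spec}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // "<< 32" would be a no-op in JS
  return { network: (base & mask) >>> 0, mask };
}

function inCidr(ip, cidr) {
  const n = ipv4ToInt(ip);
  return n !== null && ((n & cidr.mask) >>> 0) === cidr.network;
}

function makeTrustChecker(trustedSpecs) {
  const cidrs = trustedSpecs.map(parseCidr);
  return (ip) => cidrs.some((c) => inCidr(ip, c));
}

// remoteAddr is the TCP peer (the last proxy, or the client itself when there
// is none). Each trusted proxy appended the address it received a connection
// from to the end of XFF, so walking from the right, the first address that is
// not a trusted proxy is the client. Everything further left was supplied by an
// untrusted party and may be forged. trustedSpecs stands in for TRUSTED_REVERSE_PROXY.
function getClientIp(remoteAddr, xffHeader, trustedSpecs) {
  const isTrusted = makeTrustChecker(trustedSpecs);
  if (!isTrusted(remoteAddr)) return remoteAddr; // direct connection: the header is attacker-controlled
  const hops = String(xffHeader || "").split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) return remoteAddr; // malformed entry: do not trust the rest
    if (!isTrusted(hops[i])) return hops[i];
  }
  return remoteAddr; // every hop was one of our proxies; attribute to the peer
}
```

For the Cloudflare → ALB → IIS chain named above, the list must contain both the ALB subnet and the CDN's egress ranges; if only the ALB is trusted, the log will record the CDN edge rather than the user.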
Upgrade actions
Security
Apply ASP.NET Core 8.0.23 guidance
When upgrading to this release, ensure that server environments meet the documented ASP.NET Core 8.0.23 (or later) requirements for Hosting Bundle, Runtime, and Desktop Runtime, and redeploy Bravura Security Fabric instances so that bundled DLLs are updated to the secured versions.
Cache-Control headers on API responses
Sensitive API responses now include Cache-Control: no-store. HTTP clients or proxies that relied on caching authenticated API responses will no longer be served from cache. Static assets remain cacheable.
Core
Multi-node shared-schema upgrade pause required
A pause is required after the primary node's Post Upgrade Tasks complete. During this pause, run setup.exe on all secondary nodes and wait for their Post Upgrade Tasks to complete. Then proceed on the primary node ("Next"), and finally on each secondary node. Command-line installations must accommodate this pause step.
Optional KMKeyGetByAccount fallback configuration
For environments previously using the Qualys-specific fallback registry value, administrators should rename the KMKeyGetByAccount mapping value to the new generalized name while preserving the "accountname domain resource_id" format so external scanners continue to function after upgrading.
Embedded Python security update for supported pre-12.10 branches
Updated the embedded Python runtime to 3.11.15 (a security bugfix release for the legacy 3.11 series) for supported release branches earlier than 12.10.0; validate any environment-specific Python dependencies against the updated binary.
Hangfire poll interval increased to 2 seconds
Asynchronous REST mutation jobs (Users, Settings, Credentials, TargetSystems, Policies, Platforms, Groups, Accounts, ManagedAccounts/Secrets, ApplicationSettings, PasswordPolicies) may now start up to 2 seconds after submission instead of near-instantly. Average added latency is ~1 s, well below the perceptible threshold for admin operations. No client-side changes are required.
Installer
Multi-node upgrades via command line: pause/sequence support
Added setup.exe --pause-after-tasks for silent/command-line upgrades to support required coordination in multi-node shared-schema (and similar) environments: after post-upgrade tasks complete and before services start, the installer writes upgrade-pause.signal to the instance directory and waits until automation removes the file. Use with -U -silent to coordinate primary/secondary node sequencing.
IIS "Log on as a batch job" privilege required (12.9+)
After upgrading to 12.9 or later, the IIS_IUSRS group must have the "Log on as a batch job" privilege in Local Security Policy. Without this, the identity apppool will stop on first request and login will fail with a 503 error. On domain-joined servers, this privilege must be granted via Group Policy.
Database
SQL Server 2025 / ODBC Driver 18+ compatibility
All sqlcmd invocations now include the -C (TrustServerCertificate) flag. If your environment uses self-signed certificates, no action is needed. If your test automation calls sqlcmd directly outside of the product framework, add -C to those invocations as well.
Notification
Plan OAuth transition for global-mail-plugin
For environments using global-mail-plugin with Exchange or other OAuth-capable SMTP servers, plan to configure OAuth settings (client ID, client secret, token endpoints) ahead of Microsoft's basic-auth retirement date to avoid mail delivery interruptions.
Logging and metrics
Optional log flush interval tuning
Administrators who want tighter control over idmsuite.log timestamp updates can adjust or disable the new periodic flush interval using the flush-interval-ms registry setting for the logging service. The default interval is low-overhead and suitable for most deployments; no change is required unless you have specific logging or performance needs.
Discovery
Validate psupdate scheduling on shared schema
In shared schema environments, verify that psupdate is only configured to run from the intended primary node after applying these builds, and update operational procedures so administrators always initiate auto discovery from that node to avoid future scheduler conflicts.
User interface
Customer branding logo format changes
Customer deployments that use custom logos must update their branding customization to the new branding.json and logo file format described in design/custom/branding/README.md so that logos continue to render correctly in the React and Angular UIs.
OData pagination cap (MaxTop=500)
OData endpoints now enforce MaxTop=500. The React frontend already sends $top=25 and is unaffected. However, Angular legacy UI pages, customer integrations, and admin scripts that expect unbounded result sets from the REST API v2 may need to implement client-side pagination. This is a potentially breaking change for consumers that omit $top or set $top above 500.
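Client-side pagination against the MaxTop=500 cap, as an added example that is not product code. fetchAll and fakeServer are hypothetical: the fake server is a constructed in-memory stand-in for the REST API v2 collection endpoint, and its exact handling of an over-cap $top (rejecting it) is an assumption made for the example, since the release note only says such requests may break.

```javascript
// Added example, not Bravura Security Fabric code: page through a
// collection whose endpoint enforces MaxTop=500.

const MAX_TOP = 500;

// Constructed dataset of 1234 rows standing in for a server collection.
const SAMPLE_COLLECTION = Array.from({ length: 1234 }, (_, i) => ({ id: i + 1 }));

// Simulated endpoint (assumption, not the product's behaviour): an omitted
// $top returns at most MAX_TOP rows, and a $top above the cap is rejected.
// It is synchronous so the schedule is easy to observe; a real client would
// await an HTTP call here.
function fakeServer(collection) {
  return function fetchPage({ top, skip = 0 }) {
    if (top === undefined) {
      return collection.slice(skip, skip + MAX_TOP); // silently capped
    }
    if (top > MAX_TOP) {
      throw new Error(`$top=${top} exceeds MaxTop=${MAX_TOP}`);
    }
    return collection.slice(skip, skip + top);
  };
}

// Client-side pagination: ask for pages of at most MAX_TOP rows with an
// increasing $skip until a short page signals the end of the collection.
// Integrations that previously relied on an unbounded result set need
// this loop to keep seeing every row.
function fetchAll(fetchPage, pageSize = MAX_TOP) {
  const top = Math.min(pageSize, MAX_TOP);
  const results = [];
  let skip = 0;
  for (;;) {
    const page = fetchPage({ top, skip });
    results.push(...page);
    if (page.length < top) break; // last page
    skip += page.length;
  }
  return results;
}
```

The loop stops on the first page shorter than $top rather than on an empty page, which saves one round trip per collection; when the collection size is an exact multiple of the page size it still terminates on the following empty page.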
Bravura Pass
Review SKA deployment on shared workstations
For shared machines using the SKA "Change my password" tile, deploy updated SKA installers and verify that session-only cookie settings are applied so that no active session remains available when users close the SKA window.
SKA client registry entries require ephemeral cookie parameter
The SKA client software needs to either be upgraded to the latest version, or have its Windows registry entries modified to append ?EPHEMERALCOOKIE=1 to the URLs. This ensures that sessions are properly terminated when the SKA window is closed on shared workstations:
HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Credential Provider\WebBrowserURL
Example: Change http://server/instance/ to http://server/instance/?EPHEMERALCOOKIE=1
HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Login Assistant\cmd
Example: Change -url http://server/instance/ to -url http://server/instance/?EPHEMERALCOOKIE=1
ODBC Q&A authchain: address format change in 12.9
If upgrading from 12.7 to 12.9+, NULL target type address values are stored in key-value pair format ({server=<DSN>;}) instead of plain DSN names. The odbcqa plugin now handles both formats, but administrators should verify their external question set configuration after upgrade.
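Accepting both address formats, as an added example that is not the odbcqa plugin's code. parseOdbcAddress, parseKeyValueAddress and toKeyValueAddress are hypothetical names; the DSN values are constructed. The only format facts taken from the page are the plain-DSN form and the {server=<DSN>;} form.

```javascript
// Added example, not product code: resolve the DSN from either the 12.7
// plain-DSN address or the 12.9 key-value address.

// Parse "{key=value;key2=value2;}" into an object with lower-cased keys.
// Returns null when the string is not in brace form at all.
function parseKeyValueAddress(address) {
  const m = /^\{(.*)\}$/.exec(address.trim());
  if (!m) return null;
  const out = {};
  for (const part of m[1].split(";")) {
    const pair = part.trim();
    if (!pair) continue; // tolerate the trailing ';' before '}'
    const eq = pair.indexOf("=");
    if (eq < 0) throw new Error(`malformed address component: ${pair}`);
    out[pair.slice(0, eq).trim().toLowerCase()] = pair.slice(eq + 1).trim();
  }
  return out;
}

// Return { dsn, format } for either address format, rejecting empty input
// and key-value addresses that carry no server entry.
function parseOdbcAddress(address) {
  if (typeof address !== "string" || address.trim() === "") {
    throw new Error("empty ODBC address");
  }
  const kv = parseKeyValueAddress(address);
  if (kv === null) {
    // Legacy 12.7 format: the whole value is the DSN name.
    return { dsn: address.trim(), format: "legacy" };
  }
  if (!kv.server) {
    throw new Error("key-value address has no server= entry");
  }
  return { dsn: kv.server, format: "keyvalue" };
}

// Write a DSN in the 12.9 form, e.g. when checking a migrated value.
function toKeyValueAddress(dsn) {
  return `{server=${dsn};}`;
}
```

Reporting which format was recognised (the format field) is what makes the post-upgrade verification the note asks for practical: a question set still reporting "legacy" after migration is the one to look at.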
Proxy servers
TunnelClient immediate reconnect behavior change
The TunnelClient now retries immediately on disconnect. The default TunnelRetryDelay (5 minutes) remains unchanged but now only applies after the first immediate retry fails. No configuration changes are required, but administrators who set very low TunnelRetryDelay values to work around the previous behavior may wish to restore defaults.
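The reconnect schedule described above, as an added example that is not the product's TunnelClient: one immediate retry, then TunnelRetryDelay between further attempts. delayBeforeAttempt and reconnect are hypothetical; connect and sleep are injected so the schedule can be inspected without waiting, and the 5-minute default is the value stated in the note.

```javascript
// Added example, not product code: the retry schedule with an immediate
// first attempt followed by TunnelRetryDelay between later attempts.

const DEFAULT_TUNNEL_RETRY_DELAY_MS = 5 * 60 * 1000; // 5 minutes, per the note

// Wait before the n-th retry after a disconnect:
//   n = 1  -> 0 (immediate retry)
//   n >= 2 -> TunnelRetryDelay
function delayBeforeAttempt(n, retryDelayMs = DEFAULT_TUNNEL_RETRY_DELAY_MS) {
  if (!Number.isInteger(n) || n < 1) throw new RangeError("attempt numbers start at 1");
  return n === 1 ? 0 : retryDelayMs;
}

// Drive reconnection with an injected connect() that returns true on
// success and an injected sleep(ms). Returns the delays actually applied,
// so the schedule is observable, plus whether a connection was re-established
// within maxAttempts.
function reconnect(connect, sleep, { retryDelayMs = DEFAULT_TUNNEL_RETRY_DELAY_MS, maxAttempts = 3 } = {}) {
  const delays = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const d = delayBeforeAttempt(attempt, retryDelayMs);
    delays.push(d);
    sleep(d);
    if (connect()) {
      return { connected: true, attempts: attempt, delays };
    }
  }
  return { connected: false, attempts: maxAttempts, delays };
}

// Build a connect() stub that fails a fixed number of times, then succeeds
// (constructed for the example).
function flakyConnect(failures) {
  let remaining = failures;
  return () => (remaining-- <= 0);
}
```

Because the first retry is free, a brief blip costs nothing; a genuinely down peer is still backed off at the configured delay, so lowering TunnelRetryDelay no longer buys faster recovery from short outages.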