12.10.0

Features and improvements

New feature

  • Single-user password reset

    Added support to reset all managed accounts for a single user in a single operation. End users can reset their own accounts from self-service, and help desk analysts or administrators can reset all accounts for a selected user, with new passwords stored in Bravura Safe and full audit logging.

Installation

  • SQL Server 2025 support for Fabric backend and SQL connectors

    Introduced support for Microsoft SQL Server 2025 as a Bravura Security Fabric database backend and as a target/server for the agtsql and agtsqlscript connectors, based on initial testing on Windows Server 2025.

  • Updated "Connectors Being Removed" pre-installation check URL

    The "Connectors Being Removed" pre-installation check now points to the correct URL on the docs.bravurasecurity.com domain for the "Deprecated connectors" documentation page.

Core

  • CC recipients in batch email and exit trap notifications

    Batch email notifications and exit trap email notifications now support CC recipients, with the psntfsvc service passing the ccemail parameter to the email plugin. This requires a database schema change to the itsmmail table and related stored procedure updates; the included upgrade script applies this change automatically.

  • Event action strings help updated with new exit trap macros

    The in-product "Event action strings help" popup now documents four new exit trap macros: MGRNAME (manager full name), MGREMAIL (manager email), EXPACCTHOST (target system IDs of affected accounts), and EXPACCTLONGID (long IDs of affected accounts).

  • KMKeyGetByAccount external scanner fallback mapping

    Introduced a fallback mechanism in KMKeyGetByAccount so that when standard host/IP/DNS cross-reference lookups fail, external scanners such as Qualys can resolve credentials via a registry-based account/domain/resource mapping. The feature is disabled by default and can be enabled explicitly where needed without affecting existing deployments. For environments previously using the Qualys-specific registry value, rename it to the new generalized name while preserving the accountname domain resource_id format.

  • New forceactionable option for pwdconflicts.exe

    Added a new forceactionable command-line option to pwdconflicts.exe that allows administrators to force-randomize non-actionable password conflicts. Existing behavior is unchanged unless the option is explicitly used. Inactive accounts are still filtered out regardless.

  • ManageableAccountSearch performance optimization

    The ManageableAccountSearch query has been optimized by removing a bound variable that was causing 15 GB memory grants in SQL Server, significantly improving performance in large-scale deployments.

  • WstnPwdReqList performance optimization

    The WstnPwdReqList query has been optimized for faster workstation password request listing, reducing response times when managing large numbers of workstation password requests.

Discovery

  • Safer psupdate use in shared schema environments

    In shared schema environments, running auto discovery from a non-primary node now shows a clear warning and blocks psupdate execution, preventing silent changes to scheduler settings that previously caused scheduled psupdate jobs to fail on both nodes.

Extensions

  • Removal of Firefox browser extension support

    Removed Firefox browser extension support entirely, including the Firefox add-on code, native messaging host hidbext2.exe, XPI packages, Firefox MSI installers, build references, JavaScript FirefoxChannel widget, download handlers, and associated language strings. Chrome, Edge, and Safari extensions are unchanged.

Bravura Pass

  • Mass password reset pre-notification reminders

    A new batch notification plugin sends configurable email reminders before a scheduled mass password reset. Reminder intervals are configured via the REMDAYS field (comma-delimited days, e.g., "7,3,1") in the MPR_PRERESET notification configuration entry. Available email macros: %DAYS%, %NEXTRUNTIME%, %JOBOWNER%, %AFFECTEDACCOUNTS%, %USERID%, %USERNAME%, %NREMIND%. Requires the mass_password_reset scheduled job to be enabled. The reminder cycle resets automatically after each reset completes or when the MPR job schedule is updated. In multi-server deployments, notifications are only sent from the primary node. A daily scheduled job _NFY_MPR_PRERESET triggers the reminders via psntfsvc plugins PLUGIN_BAT_MPR_PRERESET and PLUGIN_COMP_MPR_PRERESET.

  • Mass password reset post-reset email notifications

    Added new MPR_SUCCESS and MPR_FAILURE exit traps that send per-user HTML email notifications with consolidated account reset results after a mass password reset batch completes, including success and failure information driven by configurable templates and existing notification policy UI.

  • Mass password reset status monitoring dashboard card

    A new metric card on the adaptive dashboard shows MPR Admins whether a mass password reset is currently running or the date/time the last one completed. The card is clickable and redirects to the Requests App with the relevant MPR request selected. Requests App ACLs are updated so MPR Admin users can see all MPR requests.

  • Optional scope restriction via user class point

    Mass operations (including mass password reset and onboarding) can now be scoped to a specific user class point when UCP_ID is configured in the MASS_PASSWORD_RESET namespace (stored in the extdb). If the userclass point cache is invalid or stale, the operation is skipped and a warning is logged; if UCP_ID is not set, behavior is unchanged and the operations apply to all users.

  • Local Reset Extension controls restored

    The pslocalr.ocx and related controls have been added back to the product, along with the pslocalr-x64.msi and pslocalr.msi Local Reset Extension installers. The cgilocalr.cfg sample script has also been updated for the pslocalr control.

  • Per-account "not be an old password" validation on Change passwords page

    Added per-account password validation on the Change passwords page to check the "not be an old password" rule against each selected account individually when transparent synchronization is disabled for the target group. This prevents users from reusing recent passwords on accounts that do not participate in transparent sync.

  • ODBC Q&A authchain compatibility with 12.9 address format

    In 12.9, the NULL target type stores the address in key-value pair format ({server=<DSN>;}) instead of the plain DSN name used in 12.7. The odbcqa.exe plugin now parses the new format correctly and extracts the DSN name to pass to SQLConnectW.
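As an added example (not the odbcqa.exe code), the following parser accepts both address formats described above and returns the bare DSN name. The server key is taken from the release note; tolerating extra key-value pairs and matching key names case-insensitively are assumptions made here, and the sample addresses are constructed.

```python
def extract_dsn(address: str) -> str:
    """Return the ODBC DSN name from a Q&A target address.

    12.7 format: the bare DSN name, e.g. "HRQA".
    12.9 format: key-value pairs in braces, e.g. "{server=HRQA;}".
    The 'server' key comes from the release note; accepting other keys and
    matching key names case-insensitively are assumptions of this example.
    """
    text = address.strip()
    if not text:
        raise ValueError("empty target address")
    if not (text.startswith("{") and text.endswith("}")):
        return text                      # legacy plain-DSN form: use as-is
    pairs = {}
    for item in text[1:-1].split(";"):
        if not item.strip():
            continue                     # the trailing ';' leaves an empty item
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed key-value pair: {item!r}")
        pairs[key.strip().lower()] = value.strip()
    dsn = pairs.get("server", "")
    if not dsn:
        raise ValueError("no server= entry in target address")
    return dsn


def is_parseable(address: str) -> bool:
    """True when extract_dsn() can recover a DSN name from the address."""
    try:
        extract_dsn(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample addresses, one per format plus a malformed one.
    for sample in ("HRQA", "{server=HRQA;}", "{Server=HRQA; Timeout=30;}", "{port=1433;}"):
        print(repr(sample), "->", extract_dsn(sample) if is_parseable(sample) else "rejected")
```

Rejecting an address that has braces but no server= entry, rather than falling back to the whole string, is deliberate: passing "{port=1433;}" to SQLConnectW as a DSN name would only produce a confusing connection failure later.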

Bravura Identity

  • Userclass dsqltest field size increased to NVARCHAR(MAX)

    Userclass definitions with more than 7 attribute logic statements previously caused silent SQL truncation, resulting in incorrect userclass calculations. The dsqltest field limit is removed and validation added. This change requires a database schema migration during upgrade.

  • Profiles with trailing whitespace now supported

    Fixed handling of profiles whose identifiers include leading or trailing whitespace so that requests such as MOVE-IN-ORG no longer fail with "Recipient identification ambiguous", and related profile reports now return the expected results.

Bravura Privilege

  • Consolidated auto-denied PAM checkout request email notifications

    When a PAM checkout request expires without approval, the system now sends a single consolidated "Request Denied" email instead of one email per authorizer, while preserving individual notifications for manual denials. A configuration option controls this behavior, addressing email overload scenarios where dozens of denial emails were generated per expired request.

  • Improved VIM display in Guacamole PAM sessions

    Upgraded the bundled Guacamole component to address a VIM display bug where lines appeared duplicated when scrolling, improving readability for users working in terminal sessions through PAM disclosures.

  • Error message when browser extension plugin process fails to launch

    Added an error message box that displays when the browser extension plugin process cannot be launched, providing clear feedback instead of failing silently.

  • Windows Authentication support for MSSQL system type

    Added support for Windows Authentication when connecting to MSSQL target systems, allowing Bravura Privilege to manage SQL Server accounts using integrated Windows credentials instead of requiring SQL Server authentication.

  • SMON session upgrade validation

    Revalidated SMON session viewing and download functionality on upgrades (12.6 to 12.9.1.41530), confirming that live and recorded sessions show video, text, clipboard, and process data correctly and that download packages can be created for pre- and post-upgrade sessions without requiring an instance repair.

  • Vault account PDR system info link access denied resolved

    A parameter shift in LoadDisplayManagedSystem caused DEFAULTUSERGROUP=0 (REQUEST_CAPACITY_INVALID) to be passed to the system info page, preventing users with vault trustee privilege from accessing vault system info links. The correct function overload is now used.

Connectors

  • Python 3.14: connectors and component verification

    All Python connectors (Dayforce, Bravura Safe, HYPR, NetSuite, Salesforce REST, Unix SSH, sample agents), interfaces (pxpython.exe), workflow/search/analytics/mail plugins, and the component management framework have been verified and updated for Python 3.14 compatibility.

  • Python 3.14: Connector documentation updated

    Connector and plugin development guides, API documentation, and sample code have been updated to reflect Python 3.14 support. References to Python 3.7 and 3.10 have been removed.

Notification

  • OAuth support for global-mail-plugin

    Implemented OAuth-based SMTP authentication (XOAUTH2) in the global-mail-plugin so that customers can use modern mail servers where basic authentication is being retired.
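As an added example (not the global-mail-plugin code), this shows what XOAUTH2 SMTP authentication looks like on the wire using only the Python standard library: the client response is the string user=<address>^Aauth=Bearer <token>^A^A (^A is byte 0x01), base64-encoded and sent with AUTH XOAUTH2. Obtaining the access token from the identity provider is outside this example; the hostname, port and credentials in the send function are placeholders, and nothing here connects to a real server.

```python
import base64
import smtplib


def xoauth2_token_string(user: str, access_token: str) -> str:
    """Build the XOAUTH2 SASL client response (RFC 4616-style, 0x01 separators).

    smtplib.SMTP.auth() base64-encodes whatever the auth object returns, so
    this function returns the raw string, not the encoded form.
    """
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """The base64 text that actually follows 'AUTH XOAUTH2 ' on the wire."""
    raw = xoauth2_token_string(user, access_token).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_initial_response(encoded: str) -> str:
    """Inverse of xoauth2_initial_response(); useful when reading SMTP traces."""
    return base64.b64decode(encoded).decode("utf-8")


def send_with_xoauth2(host: str, port: int, user: str, access_token: str,
                      recipients: list[str], message: bytes) -> None:
    """Authenticate with XOAUTH2 over STARTTLS and send one message.

    host/port/user/access_token are placeholders supplied by the caller; the
    token must already have been obtained from the mail provider's OAuth flow.
    """
    def authobject(challenge: bytes | None = None) -> str:
        if challenge is None:
            return xoauth2_token_string(user, access_token)
        # A 334 challenge after the initial response carries a base64 JSON
        # error from the server. Replying with an empty line makes the server
        # finish with a 535, which smtplib raises as SMTPAuthenticationError.
        return ""

    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()          # never send a bearer token over a plaintext session
        smtp.ehlo()
        smtp.auth("XOAUTH2", authobject, initial_response_ok=True)
        smtp.sendmail(user, recipients, message)


if __name__ == "__main__":
    # Constructed values; the token is not a real credential.
    print(xoauth2_initial_response("notify@example.com", "EXAMPLE_ACCESS_TOKEN"))
```

Because the bearer token is the credential, the STARTTLS call before AUTH is the part to audit in any deployment: a mail relay that does not offer STARTTLS would otherwise receive the token in cleartext.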

  • More robust enrollment completion navigation

    Improved the enrollment completion flow so that newly triggered notifications are handled correctly, and users are redirected back to the expected pages after completing registration and password change steps, instead of occasionally encountering a broken UI.

Workflow

  • HTML formatting for request macros in email

    When HTML mail content is enabled, request macros such as %REQUESTBATCHDETAILS%, %REQUESTPURPOSE% and %REQUESTLINKS% are now wrapped in <pre> tags so line breaks and spacing are preserved, improving readability of request emails that use customer-specific HTML templates.

  • Scalability improvement for requests with many tasks

    Handling of requests containing a large number of tasks (for example, roles with 70 or more groups) has been improved so that the 50-task display limit is enforced more gracefully and the behavior is documented. Roles that exceed this limit should be broken into smaller sub-roles.

Security

  • ASP.NET Core 8.0.23 security baseline

    Updated the bundled ASP.NET Core runtime and related packages from 8.0.10/8.0.11 to 8.0.23 to address Microsoft security vulnerabilities (CVE-2024-43498, CVE-2024-43499, CVE-2024-43500).

REST API

  • UserSetting REST API resource

    A new UserSetting resource has been added to the REST API, nested within the User resource, providing full CRUD operations for per-user preferences such as theme, font size, datetime format, and time zone as JSON values in the usersettings database table. Supports OData query options on list retrieval. Where applicable, datetime format and time zone are mapped from user profile attributes, and PATCH updates are applied back to profile attributes to avoid parallel legacy setting paths. This enables persistent dashboard and UI customization across sessions and devices.

  • Customer branding REST API (logos and brand colors)

    Added REST endpoints under /api/rest/v2/applicationSettings to retrieve/update branding configuration (JSON Patch for colors) and upload/serve/delete logos via /api/rest/v2/applicationSettings/logos({type}), including file-type validation by magic bytes, SVG sanitization, and hash-based filenames for cache busting. Write operations persist to both /ui/v2/assets/ (immediate React visibility) and /design/src/custom/ (rebuild-safe), with background-job processing and automatic cleanup of replaced assets.

  • Mass password reset post-reset confirmation events

    Added per-user MPR completion events MPR_SUCCESS and MPR_FAILURE (configured under Manage the system > Policies > Options) to drive email notifications and/or program execution after a mass password reset completes for a user. These events expose session tags SUCCESSTARGETS and FAILTARGETS (comma-separated host\account pairs) and require the Bravura Pass license (KeyModPSynch).

  • Skip serverinfo validation for TargetPAMAssociatedCredential_set

    The IDMConfig API no longer performs the serverinfo validation check when mapping managed accounts via TargetPAMAssociatedCredential_set, aligning API behavior with the GUI tool psa.exe.

  • Database indexes for get_account_attributes performance

    Added three new database indexes (metaattr_idx_4, targetobjattr_idx_4, and targetobjattr_file_idx_2) to optimize the performance of the REST API get_account_attributes operation, reducing query execution time in environments with large numbers of account attributes.

  • Exit traps for help desk operations in REST API calls

    Added exit trap support for help desk operations invoked through the idmlib REST API, enabling event-driven automation (such as email notifications or external integrations) when help desk actions are performed via the API.

  • Database query optimization for ObjAssociateInitial and UserList

    Updated database queries in the ObjAssociateInitial and UserList operations to use OPTION(MAXDOP 1), which restricts SQL Server to a single-threaded execution plan. This improves performance by avoiding parallel plan overhead in environments where parallelism introduces contention.

  • Default authorization policies for REST API write operations

    Added default authorization policies (policies_post_create, policies_put, and policies_delete) to the REST API, providing out-of-the-box access control for create, update, and delete operations without requiring manual policy configuration.

  • OpenAPI specification published as a submodule

    Configured ui/src/react/src/shared/api/spec as a Git submodule repository, making the OpenAPI specification available for import into Postman and other API tooling. This enables external teams and integrators to stay current with the API contract without manual file sharing.

  • REST API documentation reviewed and published

    Postman documentation for the REST API has been validated including endpoints, examples, resources, and the OpenAPI 3.1 schema.

User interface

  • React UI is now the primary interface

    The new React-based UI is now the primary interface, accessible at the application root URL. This provides a modern user experience with improved performance and clean URLs, replacing the legacy Angular UI as the default entry point. The legacy UI remains accessible via the version toggle for users who need it during the transition period.

  • Customer branding infrastructure and dynamic theming

    Implemented a unified customer branding system that loads configuration from branding.json at startup and applies logos, theme colors, and overrides across React and Angular UIs. Includes dynamic light/dark theme generation, context-aware logo selection, dynamic favicon switching, login page styling with OS-driven dark mode support, fallbacks when branding assets are missing, and synchronized theme state with the legacy Angular iframe. Build integration through make.bat and generated branding SCSS.

  • Dashboard notifications center

    A notifications center has been added to the React dashboard, displaying alerts, updates, and system messages with category and priority levels, badges/indicators, persistence/read status, and support for real-time updates. This provides a central place for users to review important events without relying on email alone.

  • Dashboard Favorites section

    Introduced a Favorites section on the dashboard that lets users pin 3-6 of their most used actions, chosen by recency and frequency, replacing the basic Quick Actions with a personalized, accessible experience.

  • Dashboard Frequently Used Actions section

    Added a Frequently Used Actions section to the adaptive dashboard that ranks actions with a frequency-biased algorithm, personalizes the list per user, hides actions already in Favorites, and adapts the number of displayed actions to the screen size, storing usage data per user and instance.

  • Dashboard All Actions layout refresh

    Renamed Quick Actions to All Actions and refreshed the layout with a collapsible section, smart category grouping, paired small categories, pending request badges, and tooltip support, improving responsiveness and initial render performance.

  • Dashboard metrics management and configuration UI

    Added a Manage Metrics dialog to add/remove/reorder dashboard metrics and configure alert thresholds for urgency-based metrics. Metric cards now support visual types (count, urgency, progress), skeleton loading states, zero-state messaging, and auto-saving configuration dialogs.

  • Dashboard metric card accent bars

    Accent bars on urgency-type metric cards (e.g., Passwords Near Expiry, Oldest Password Age) are now transparent for healthy/neutral states. Color is shown only for attention (orange) and critical (red) states, reducing visual noise.

  • Bravura Insights dashboard entry point

    Added a "Bravura Insights" tile on the dashboard, visible to users with the report ACL; drilling down requires an appropriate license.

  • User Profile widget "Show Last Login" option

    The User REST API endpoint now returns last login data (timestamp of last successful login), re-enabling the "Show Last Login" option in the React UI User Profile widget.

  • Dashboard user profile card visual polish

    The user profile card now displays configurable identity attributes (name, role/title, department, last login) with consistent styling, responsive layout across breakpoints, and WCAG 2.2 AA accessibility compliance.

  • Non-destructive UI file installation

    The make.bat :INSTALL section now uses robocopy /MIR instead of del/rmdir/mkdir for both v1 and v2 UI file deployment. This synchronizes directory contents in-place, preserving IIS virtual directory mappings and preventing application pool restarts during UI installs.

  • Dashboard API query optimization

    Optimized dashboard API queries to fetch only the required fields for each widget, reducing data transfer by 80-99% for user metrics, account summaries, and authentication operations. This significantly improves dashboard load times in large deployments.

  • Password manager autofill support on React login

    Added autocomplete="username" and autocomplete="current-password" attributes to login form inputs and changed referrer-policy from no-referrer to strict-origin-when-cross-origin.

  • React UI session timeout now matches Angular UI behavior

    The React UI now displays a countdown timer starting at 1 minute remaining, provides a functional "Extend" link, and handles session expiry consistently with the Angular UI.

  • Reduced white flash during login page load (dark mode)

    Updated login page load behavior to prevent a white flash for dark-mode users by adding CSS color-scheme support and removing the hardcoded light-theme default.

  • Version toggle and navigation stability improvements

    Fixed the React/legacy version toggle so logging back in honors the user's previously selected interface, and improved navigation state tracking to avoid inconsistent UI state when users navigate rapidly (blank pages, stuck spinners, or unexpected redirects).

  • Widget refresh behavior aligned to configured intervals

    Updated the User Profile and User Accounts Summary widgets to respect refresh intervals consistently and reduce unnecessary REST calls triggered by tab switching.

  • Dashboard cache invalidation refactored

    The dashboard now uses proper React Query invalidateQueries() instead of navigating to #/__refresh and back to force cache clearing.

  • React Auth Provider stability improvements

    Improved front-end authentication stability by memoizing createAuthProvider and updating useAuthStateMonitor to avoid unnecessary dashboard cache clearing during authentication re-checks, reducing transient UI inconsistencies.

  • Change Passwords page enhancements

    Improved the Change Passwords page with a dedicated page header for clearer navigation and a reusable PageHeader component for consistent page titles across the application.

  • Optional suggestedPasswords field for password policy validation

    Added an optional suggestedPasswords field to the PasswordPolicies POST endpoint. When the AUTOGEN_NUM rule is enabled, submitted passwords are validated against the suggested passwords list, ensuring that auto-generated password suggestions comply with the configured policy rules.

  • Saved report lists honour display limits

    The "My saved reports" and "Other users' saved reports" pages now correctly honour the configured "Records to display" value. Saved reports with missing or unreadable spool files remain in the list but have their selection and action controls disabled, instead of silently reducing the number of rows shown.

  • WCAG accessibility remediations

    Progressbar nodes now have accessible names, frame/iframe elements have title attributes, login page elements meet minimum color contrast ratios, and Lighthouse-identified issues (form labels, heading level order, prohibited ARIA usage) have been addressed to improve WCAG 2.1 AA alignment.

  • PostMessage protocol files synced between Angular and React

    The postMessage protocol definition files between the Angular and React frameworks are now synchronized for consistency across both frameworks and branches.

  • jQuery 3.7.x validation test coverage

    Extended and updated automated UI tests to validate the jQuery 3.7.x upgrade, improving the reliability of regression coverage for the React-based interface.

  • Strengthened ESLint rules for React/TypeScript

    Existing ESLint warnings have been promoted to errors, and new security, bug-prevention, and async-safety rules have been added to improve code quality and catch issues at build time.

  • Mass Password Reset admin screens filter PDRs

    Mass Password Reset admin screens now filter the custom PDR (Password Disclosure Rules) list to show only PDRs relevant to Mass Password Reset operations, reducing clutter and potential administrator confusion.

Reporting

  • Parent role columns in certification reports

    Added "Parent role ID" and "Parent role description" columns to the Certification details and Review certification details reports, making it easier for reviewers to understand the role hierarchy and see which parent role grants each entitlement to a user.

Logging and metrics

  • Guacamole session correlation logging

    A unique common identifier is now present in both guacd logs and BSF audit records, enabling administrators to match Guacamole session log entries to Bravura Privilege disclosure executions.

  • More accurate idmsuite.log timestamps

    The logging service for idmsuite.log now periodically flushes file buffers on a configurable interval so the file's modification timestamp reflects recent logging activity. This makes it easier for administrators to see when logs were last written, without relying solely on log entry content.

Documentation

  • Security hardening documentation for CDN HSTS

    Updated the Security Hardening Guide to document that HTTP Strict Transport Security (HSTS) must be configured at the CDN or load balancer layer, specifically at Cloudflare for CDN-based deployments, and reorganized related hardening topics and references.

  • Updated hid_batch_request_submit example for Identity

    Updated documentation and examples for using hid_batch_request_submit in the context of Identity, including clarification of specific quirks, parameters, and return behaviors so that integrators can implement batch requests with fewer integration issues.

  • Mail plugin OAuth configuration

    Added documentation describing how to configure OAuth authentication for the global-mail-plugin, including new settings and example configuration steps. See Modifying global mail settings.

  • Notification client manual install docs and tests

    Reviewed and updated documentation and testing guidance for manually installing the Bravura Security notification client from a network share, consolidating best practices from KB content into the main product docs. See Notification Client (psntfclient).

Resolved issues

Installation

  • SQL error during 12.9 upgrade

    Fixed an issue where upgrades from 12.5 to 12.9 could fail with an "explicit DROP INDEX is not allowed" SQL error; the database migration scripts now complete successfully without manual intervention.

  • Updated the end-user license agreement to remove the Training section.

  • instdump.exe now outputs connector pack binary versions

    Fixed instdump.exe so that it correctly outputs global connector pack binary versions in its diagnostic output, making it easier to verify which connector pack version is deployed on each node.

  • IIS handler mappings missing script execution permissions

    Fixed an installation issue where IIS handler mappings were created without script execution permissions, preventing the Bravura Security Fabric instance from running correctly after a fresh install or upgrade.

  • Login failure after upgrade to 12.9 when "Log on as a batch job" privilege missing

    The installer/documentation now addresses the requirement that IIS_IUSRS must have "Log on as a batch job" privilege, which is required by the 12.9 identity apppool. Without this privilege, the identity apppool stops on first request, causing login failures.

Core

  • Database objects verification errors on upgrade from 12.9 to 12.10 resolved

    Upgrading from 12.9.1 to 12.10.0 no longer produces verification errors for missing restricted values "UStCr" and "UStDl" on the "operation" table column "kind".

  • Guacamole high CPU from infinite NumberFormatException loop

    Fixed an unhandled NumberFormatException in HIDSessmon.ParseMessage() (line 79) that caused Tomcat worker threads to spin at 100% CPU indefinitely when malformed (non-numeric) session data was received. The exception is now caught and logged, and the affected message is skipped.

Discovery

  • psupdate scheduler corruption on non-primary node

    Fixed an issue in shared schema environments where manually running auto discovery from a non-primary node could silently change local scheduler settings and leave both nodes configured as the scheduled psupdate node, causing scheduled runs to fail.

  • Account associations not recalculated during psupdate after attribute changes

    Fixed an issue where account associations were not recalculated during psupdate after changes to account attributes were made through the Bravura Security Fabric UI or API. Associations now correctly update to reflect attribute changes without requiring a manual recalculation.

Database

  • RBAC variance stored procedures no longer return duplicate surplus rows

    Updated RBACVarianceUserListDetails and RBACVarianceUserListDetailsAll to use SELECT DISTINCT * to eliminate duplicate surplus variance rows and verified the change is present after upgrade.

  • UserclassIsMember stored procedure runtime error

    Fixed a runtime error in the UserclassIsMember stored procedure caused by the SQL optimizer executing operations out of order, which led to data type conversion failures. The fix ensures the query plan evaluates type-safe operations in the correct sequence.

  • UserClassPointLoadFromCache NULL criteria handling

    Fixed a runtime error in the UserClassPointLoadFromCache stored procedure that occurred when the userclasspoint.criteriap field contained a NULL value, which could happen for user class points with no criteria defined.

Bravura Pass

  • SKA sessions no longer persist across users

    Resolved an SKA session persistence issue where closing the "Change my password" window on shared workstations could allow a subsequent user to see the previous user's dashboard. Sessions now end when the SKA window is closed, requiring re-authentication. See Login Assistant compatibility.

  • Active Directory interceptor backward compatibility

    Fixed a compatibility issue where the newer version of the Active Directory interceptor could not communicate with older versions of Bravura Security Fabric and the Password Manager service (idpm). The interceptor now works correctly in mixed-version environments during staged upgrades.

  • Mass Password Reset button missing from new dashboard

    Fixed the Mass Password Reset (MPR) button not displaying in the new React dashboard by adding the missing translation mappings for the massPasswordReset dashboard item.

  • Mass onboard and mass password reset batch size adjusted

    Adjusted the minimum and default batch size values used for mass onboard and mass password reset operations. The previous defaults were too high for the current version of the safe connector, causing failures. Note that setting batch sizes too low will degrade performance significantly.

  • Mass Password Reset configuration blanked after upgrade to 12.10.0

    Upgrading from 12.9.1 to 12.10.0 wiped all MASS_PASSWORD_RESET and MASS_PASSWORD_ONBOARD configuration entries (TARGETS, VAULT_TARGET, VAULT_LINK_ATTRIBUTE, BATCH_SIZE, UCP_ID, REPORT, and related onboard entries) to blank. The upgrade procedure now preserves these values.

Bravura Identity

  • Missing hostid on LDEL operations in exit traps

    The LDEL (link detach) operation now correctly populates the hostid field in exit trap account data. Previously, hostid was returned as None, causing exit trap scripts that filter by target system (e.g., SuccessFactors detach workflows) to fail silently.

  • "Recipient identification ambiguous" errors for some profiles

    Fixed a defect where profiles created from accounts with trailing spaces in identifiers could not be used as recipients in certain PDRs and did not appear correctly in profile reports, removing spurious "Recipient identification ambiguous" errors.

  • Request search by requester notes

    Fixed All Requests filtering so searches on Requester Notes correctly return matching requests, including those stored in legacy columns, restoring expected behavior for help desk and identity users relying on note text queries.

Bravura Privilege

  • Guacamole clipboard paste in RDP sessions fixed

    Pasting text containing special characters or modifier key sequences (CTRL+C, ALT+TAB, etc.) from the Guacamole sidebar clipboard into an RDP session via CTRL+V no longer causes random actions such as creation of folders. Right-click paste was not affected.

  • Session monitoring package removal error handling

    Fixed the session monitoring service (idsmpg) to treat "file/path not found" as a successful result for both single and multi-session package removal, preventing spurious errors when cleaning up session packages that have already been removed.

  • Fixed the session monitor recording icon label branding.

  • PAM Linux components migrated to LINUX_NG connector

    Adjusted the pam_system_type_linux component and other related components to use the LINUX_NG connector instead of the legacy LINUX connector, aligning PAM Linux target system management with the current supported connector.

  • Incomplete JSON sample files for AWS website disclosure documentation

    Corrected incomplete JSON sample files in the AWS website disclosure documentation, updating the examples to contain valid JSON syntax and accurate configuration fields so that customers can use them directly as a reference.

Bravura One

  • Fixed mobproxy HTTP request handling issues for PATCH operations.

  • Updated mobile proxy paths for modern deployment.

Authentication and authorization

  • SAML SSO redirect broken after 12.9 upgrade

    Fixed a regression where both IdP-initiated and SP-initiated SAML SSO flows returned users to the PSF module (front-end portal) instead of completing the redirect to the service provider, affecting all configured SAML applications and both the default and /v1 URL paths. This behavior has been restored to match pre-12.9.0 releases.

  • Authentication failure on shared schema node

    Fixed an issue where users could not log in from a shared schema server node because the PSF module returned a 401 error due to a failure requesting OpenIddict cookies (HTTP status 11). Environments using a load balancer were not affected.

Notification

  • First-time registration flow stability

    Resolved an issue where the first-time registration process could crash the UI before the password change step completed, particularly when multiple notifications were triggered. The flow now consistently returns users to the expected notification and password change pages.

  • Fixed a notification client white-screen issue; notifications now display properly.

Workflow

  • HTML formatting for request macros in email

    Corrected handling of request macros like %REQUESTBATCHDETAILS%, %REQUESTPURPOSE%, and %REQUESTLINKS% when MAIL CONTENT TYPE is enabled so multi-line values render with proper HTML line breaks instead of being collapsed into a single unreadable line.

  • Users with "View workflow requests" permission could not see request details

    Fixed an issue where users with the "View workflow requests" (viewworkflow) permission were unable to view request details on the request popup page, despite having the correct permission assigned.

  • rbacenforce.exe failed request output format corrected

    Modified rbacenforce.exe to properly save requests that failed to submit, using the same KVG format as the wizard produces. Previously, the saved file used a different format that could not be reprocessed.

Component framework

  • Fixed hid_policy_wfemail to respect the default policy.

REST API

  • HtmlSanitizer.dll now included in deployed REST API

    SVG logo uploads via PUT /applicationSettings/logos({type})/value no longer fail with a missing HtmlSanitizer assembly error. The build/installer packaging now includes HtmlSanitizer.dll and its transitive dependencies (AngleSharp). Non-SVG uploads (PNG, JPG, WebP, AVIF, GIF) were not affected.

  • REST API datetime output now respects time zones

    Fixed the REST API to correctly include time zone information in datetime output fields. Previously, datetime values were returned without time zone context, which could lead to incorrect time interpretation by API consumers in different time zones.

  • discoveryId added to auto-discovery REST API output

    Added the discoveryId field to the auto-discovery operation output for target systems in the REST API, enabling API consumers to correlate discovery results with specific discovery runs.

  • Password attribute values masked in REST API v2 responses

    Fixed the REST API v2 to correctly mask password attribute values as ******** instead of returning encrypted strings, preventing accidental exposure of encrypted password data in API responses.

  • Fixed group and account DELETE endpoints returning 400 error in v1 API

    Fixed the group and account DELETE endpoints in the v1 REST API that were incorrectly returning HTTP 400 (Bad Request) errors instead of successfully processing deletion requests.

  • Refreshed access tokens missing the userguid claim

    Fixed refresh token authentication by ensuring the required userguid claim is properly included in refreshed access tokens. Without this claim, subsequent API calls using refreshed tokens would fail authorization checks.

  • X-CSRF-Token header not URL-decoded for mass password reset REST API calls

    Fixed a mass password reset issue where the X-CSRF-Token header value was not being URL-decoded before validation, causing REST API calls to fail with CSRF validation errors when the token contained URL-encoded characters.

  • Added superuser access to accounts and users patch operations

    Added superuser access to the accounts and users PATCH operations in the REST API, allowing administrative users with superuser privileges to modify account and user attributes without requiring additional OPA policy configuration.

  • REST API error responses for invalid tokens

    Improved REST API error responses for two scenarios: the userinfo endpoint now returns proper error responses when invalid or expired tokens are used, and all endpoints now return appropriate error responses when invalid CSRF tokens are provided, instead of generic or misleading error messages.

  • REST API token revocation now RFC 7009 compliant

    The REST API now correctly invalidates access tokens when their associated refresh tokens are revoked, bringing token revocation behavior into compliance with RFC 7009. Previously, revoked refresh tokens did not cascade to their access tokens, potentially allowing continued API access after revocation.

  • Fixed an issue where the authchain2factor API call was failing.

  • Multi-issuer token validation with OpenIddict

    Fixed multi-issuer token validation by configuring OpenIddict to use BASE_IDSYNCH_URL for consistent issuer claims. Previously, tokens issued from different nodes in a multi-node deployment could fail validation because the issuer claim did not match the validating node's URL.

  • OPA policies updated to authorize _REPORT_READERS_ user class

    Modified the following default REST API OPA policies to authorize members of the _REPORT_READERS_ user class, enabling report-reader users to access the data they need through the REST API without requiring custom policy changes:

    • accounts_get

    • accounts_get_list

    • accounts_groupmemberships_get

    • accounts_groupmemberships_get_list

    • accounts_targetsystem_get

    • accounts_user_get

    • operations_get

    • operations_get_list

    • targetgroups_get

    • targetgroups_get_list

    • users_accounts_get_list

    • users_get

    • users_get_list

    • targetsystems_accounts_get_list

    • targetsystems_get

    • targetsystems_get_list

    • targetsystems_groups_get_list

    • targetsystems_options_get_list

IDMLib

  • Added missing fields to ReqBatch.

Security

  • Enhanced postMessage origin validation to prevent potential message interception by malicious frames.
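The origin check described above, as an added example that is not Bravura's code: a message handler for a host SPA embedding a legacy iframe that accepts only messages whose event.origin is on an explicit allowlist and whose event.source is the expected frame, and a sender that always passes an explicit targetOrigin. The origin value, the EMBEDDED_MODE message shape and the function names are assumptions.

```javascript
// Added example (not Bravura's code): origin-validated postMessage handling.
// ALLOWED_ORIGINS, handleFrameMessage and postToFrame are assumed names.

// Constructed allowlist; a real deployment would derive it from configuration.
const ALLOWED_ORIGINS = new Set(["https://fabric.example.test"]);

// Returns { type, payload } for a message that passes every check, null otherwise.
// The sender is identified by event.origin and event.source, which the browser
// sets and a malicious frame cannot forge, never by fields inside event.data.
function handleFrameMessage(event, expectedSource, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(event.origin)) return null;              // unknown origin
  if (expectedSource && event.source !== expectedSource) return null; // wrong window
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.type !== "string") return null;
  return { type: data.type, payload: data.payload === undefined ? null : data.payload };
}

// Sends to the embedded frame with an explicit targetOrigin so the browser drops
// the message if the frame has navigated elsewhere; "*" is refused outright.
function postToFrame(frameWindow, message, targetOrigin) {
  if (!ALLOWED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post to non-allowlisted origin " + targetOrigin);
  }
  frameWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}
```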

  • Skip authentication button text cutoff

    Fixed the Skip authentication button text being cut off on the login page by allowing login buttons to wrap text and styling the Skip button to match the Continue button dimensions.

Reporting

  • Saved reports record count and paging

    Resolved an issue where saved reports pages did not respect the "Records to display" setting and appeared to show fewer results than configured, particularly when some spool files were missing or unreadable.

  • Boolean filters behave correctly for "No"

    Fixed Boolean request attribute handling in the "Managed account check-outs / check-ins" report so that searching for "No" returns the correct results, matching how values are stored in the database.

User interface

  • Mass password reset PSF link behavior when PAM refbuild installed

    The MPR link in PSF now correctly navigates when a refbuild component is installed, and PDR filtering ensures users see only the PDRs relevant to their user class.

  • Navigating after auto-discovery no longer goes to wrong screen

    After running psupdate through the UI, navigating to another screen (e.g., target systems list) now correctly displays the intended page instead of redirecting back to Auto Discovery.

  • User Accounts Summary / User Profile widgets inconsistent refresh behavior fixed

    These widgets now auto-refresh at the configured duration interval and no longer make excessive REST API calls when switching browser tabs.

  • Notification read status now retained when navigating within the same session

    Previously, navigating away from the dashboard reset the notification read state, re-displaying the unread indicator. Read state now persists until logout.

  • Navigation state race condition during rapid navigation fixed

    Replaced simple flag-based tracking with navigation-ID-based tracking in SmartLegacyRouter.tsx to prevent inconsistent state when rapidly clicking between routes.

  • URL redirection from login screen to a specific React UI page fixed

    Navigating to a specific React UI URL (e.g., /change-passwords) and logging in now correctly redirects to that page instead of the main dashboard. This also fixes Domain SKA / Login Assistant redirect scenarios.

  • Version toggle routing bug on login fixed

    When a user toggled to the legacy dashboard, logged out, and logged back in, they were incorrectly shown the React dashboard. The version toggle preference now persists across login sessions.

  • React auth error messages now display translated text instead of raw i18n keys

    The i18nProvider.ts now loads 'auth' and 'core' namespaces into Polyglot's message catalog, so keys like auth.errorCategories.errors.insufficient_permissions resolve correctly.

  • Relative timestamps (timeago.js) now localized

    Relative timestamps (e.g., "5 minutes ago") from timeago.js in the notification center, session timeout notification, and connection status components now display in the user's selected language (French, Spanish).

  • Dashboard elements now fully translated (metric cards, loading text)

    Fixed untranslated strings ("in the next 30 days", "Loading Please wait") and a RelativeTimestamp styling regression in metric cards.

  • Expired passwords and password age metric cards fully translated

    Text elements on these metric cards that remained in English regardless of the user's selected language are now properly localized.

  • Notification VIEW TASK button now works reliably on repeated clicks

    Previously, clicking VIEW TASK a second time did nothing, and a third click produced a blank page with a 30-second delay. Navigation now works immediately on every click.

  • Mass Password Reset link with refbuild installed

    The MPR link in psf now correctly navigates to /#/manage-resources when a refbuild component (e.g., RefBuild.pam_team_management) is installed, instead of the unavailable #/use-pre-defined-requests-for-custom-operations route.

  • Session timeout redirect to Angular login page

    After session timeout in the React UI, re-authentication now returns the user to the React UI (preserving the original route, e.g., /#/manage-the-system/resources/target-systems) instead of the Angular #/login page with missing menus.

  • Suggested password dropdown display in legacy screen

    The "Suggested password" dropdown is now properly sized when switching from the React interface to the legacy interface during password changes.

  • Iframe sandbox security hardening

    Removed the allow-scripts + allow-same-origin combination from iframe sandbox attributes, which per MDN could allow embedded content to remove the sandbox attribute entirely and escape its restrictions.

  • Forgot password email link blank page in 12.9

    The FORGOT_PASSWORD auth chain's validate.py redirect (JUMPTOCGI = PSS) now routes through the React SPA instead of directly to pss.exe. Previously, pss.exe loaded as a top-level browser window with no SPA parent context, causing all API calls to fail silently and rendering a blank page.

  • React deep-link login redirects (for example /change-passwords)

    Fixed an issue where logging in from the main login page did not redirect to the requested React route (for example /change-passwords) and instead landed on the dashboard; legacy /v1/... paths continue to route to the legacy UI as expected.

  • Skin build failures when components define their own language tags

    Fixed the skin build process so that component language files are correctly discovered and loaded in both product (ui/src/ui/) and instance (design/src/ui/) build contexts, resolving failures where component-specific language tags (such as mass_password_reset links) could not be found.

  • Dashboard "Favorites" and "Frequently Used" sections lost on logout

    Fixed a bug where the dashboard Favorites and Frequently Used sections were reset after the user logged out and logged back in. The dashboard now persists these sections correctly across sessions.

  • Dashboard widget visibility and layout issues

    Fixed multiple related bugs where dashboard widgets in the Frequently Used section could disappear when adding more than six items or when resizing the browser window. Widgets are now retained correctly regardless of viewport changes or section overflow.

  • Helpdesk "Skip authentication" button styling

    Fixed the Helpdesk authentication screen so the Skip authentication bypass button uses the same button styling, sizing, and text casing as other authentication method options instead of rendering as a full-width, misaligned control.

  • Saved reports honor record limits

    Fixed saved report pages so the "Records to display" setting is respected. Reports with missing or unreadable spool files are shown but their controls are disabled instead of silently dropping the rows.

  • Cookie check bypass for "forgot password" flow

    Added a fix to bypass the cookie validation check when using the "forgot password" flow, which was incorrectly blocking password reset attempts when cookies were not yet established.

  • "Invalid request" error from popup window AJAX calls

    Fixed an "Invalid request" error that occurred when AJAX calls were made from popup windows, caused by incorrect CSRF token handling in the popup context.

  • API calls firing before userId is set

    Fixed a race condition where API calls could be made before the userId was set in the session context, causing authorization failures during initial page load.

  • Cross-instance logout when logging into a different instance

    Fixed an issue where logging into a different Bravura Security Fabric instance would log users out of their current instance. Implemented instance-specific cookie paths so that sessions on different instances no longer interfere with each other.

  • In-app password character help dialog

    Added an in-app help dialog that displays the allowed characters for the password rule "contain only characters available on a standard English (US) keyboard," helping users understand which characters are valid without consulting external documentation.

  • Password suggestion count respects AUTOGEN_NUM policy rule

    The password suggestion count now uses the AUTOGEN_NUM rule from the configured password policies (defaulting to 5 if not configured), instead of always showing a fixed number of suggestions regardless of policy settings.

  • Password validation against suggested passwords list

    Added an optional suggestedPasswords field to the PasswordPolicies POST endpoint. When the AUTOGEN_NUM rule is enabled, submitted passwords are validated against the suggested passwords list to ensure compliance.

  • "Remember Me" persistence across logout and session expiry

    Fixed the "Remember Me" functionality to correctly persist user preferences across logout and session expiry. Previously, remembered preferences were lost when the session expired or the user logged out.

  • OAuth2 Authentication Port label typo corrected

    The address parameter label "OAuth2 Autentication Port" has been corrected to "OAuth2 Authentication Port" in the en-us-errmsg.kvg resource file, affecting the configuration screens for the Azure Active Directory and Exchange connectors.

  • "Session Active in Another Tab" text invisible in dark mode

    Fixed the "Session Active in Another Tab" message text being invisible in dark mode due to insufficient color contrast.

  • Missing translations in User Accounts Summary widget configuration

    Fixed missing translations in the User Accounts Summary widget configuration dialog for status filters, sort options, and sort order dropdowns, which were displaying raw translation keys instead of localized text.

  • Removed non-functional quick action menu from User Accounts Summary

    Removed the quick action menu (3-dot icon) from the User Accounts Summary list view, as it was non-functional in this context and caused user confusion.

  • "Last activity" field removed from User Accounts Summary widget

    Removed the "Last activity" field from the User Accounts Summary widget, including its display, configuration, sorting, and all related functionality, as the underlying data source was not reliably available.

  • XSS sanitization for password policy rule descriptions

    Added XSS sanitization using DOMPurify to password policy rule descriptions, preventing potential script injection attacks through maliciously crafted policy rule text.

  • Default dashboard loading before user layout is determined

    Fixed the default dashboard loading pre-emptively before determining if the user has a saved dashboard layout, which caused a visual flash. The LegacyIntegrationService is now the source of truth for userStorageKey, ensuring no shared dashboard layouts between users.

  • Mobile header logo overlapping navigation buttons

    The mobile header now shows an icon-only logo on small screens to ensure the logout and navigation buttons remain accessible and are not obscured by an oversized logo.

  • Side menu search bar and description toggle positioning

    Locked the search bar to the top and the description toggle to the bottom of the side menu, preventing them from scrolling out of view when the menu content is long.

  • Password policy descriptions not translating on language change

    Fixed password policy descriptions not translating when the user changes language, by correctly parsing the Accept-Language header, adding language family fallback in the backend, and refetching policies on language change in the React UI.

  • Password policy validation improvements

    Comprehensive improvements to password policy validation in the React UI: removed misleading fallback rules when policies fail to load, disabled the submit button when policies are unavailable or rules are not met, added clear error messages, fixed validation to check all required rules including regular expressions and whitelist entries, and corrected policy switching to use target group-specific policies that update correctly when switching between target groups.

  • Password policy rules panel shows regex and whitelist requirements

    The password policy rules panel now displays regular expression and whitelist requirements alongside the standard rules, giving users complete visibility into all password requirements in one place.

  • Badge calculation errors in User Accounts Summary dashboard

    Fixed badge calculation and display bugs in the "User Accounts Summary" dashboard widget where badge counts were incorrect or not updating properly.

  • User Profile widget dynamic attribute loading

    The User Profile widget now dynamically loads attributes from the API with localized labels, filters out user-type attributes that should not be displayed, and includes comprehensive icons for each attribute type.

  • "Total Group Memberships" metric showing error instead of count

    Fixed the "Total Group Memberships" user metric widget to correctly display the count of group memberships across all user accounts instead of showing a "Selected metric not found" error.

  • Removed the Show Last Login option from the user profile configuration widget.

  • Fixed the "Show Avatar" toggle to properly hide/show the user avatar.

  • Removed non-functional "Strong Passwords" metric from dashboard widgets.

  • Fixed an issue to read the CSRF token fresh from cookies on each request.

  • Enabled server logout endpoint to clear cookies.

  • CSRF token expiring after 1 hour while session is active

    Fixed an issue where the CSRF token expired after 1 hour even while the user session remained active, causing unnecessary 403 errors on subsequent API calls. The token lifetime now aligns with the session lifetime.

  • REST API authorization failures for sessionclient tokens

    Fixed REST API authorization failures for sessionclient tokens by adding missing user claims to the JWT payload. Without these claims, API calls using session-based tokens would fail OPA policy checks.

  • Added a missing GUID marker to the root HTML page.

  • User Accounts Summary "Enabled Statuses" filter not working

    Fixed the User Accounts Summary widget's "Enabled Statuses" filter to correctly filter displayed accounts based on the selected status options instead of showing all accounts regardless of filter selection.

  • User Accounts Summary not showing real-time operation status

    Fixed the User Accounts Summary widget to show real-time status updates until account operations (such as password resets or unlocks) fully complete, instead of showing stale status during in-progress operations.

  • User Accounts Summary list view showing plain text instead of status icons

    Fixed the User Accounts Summary widget list view displaying plain text status chips instead of icon badges. The list view now shows the same status badge icons as the grid view for consistent status visualization.

  • Added missing legacy module ID mappings for dashboard items.

  • Fixed feature to restore default widgets on layout reset.

  • Multi-tab session coordination

    Added a session transfer system for multi-tab coordination to prevent authentication conflicts and ensure a consistent user experience across browser tabs. Previously, opening multiple tabs could cause session conflicts or unexpected logouts.

  • Authentication race conditions on page refresh

    Fixed authentication race conditions and iframe display issues that occurred on page refresh, which could result in blank pages or authentication errors requiring a manual re-login.

  • Legacy UI flash and navigation loop during logout

    Fixed a legacy UI flash during React logout, a navigation loop after logout, and stale user cache data when switching users. The logout flow now cleanly transitions without visual artifacts or redirect loops.

  • Removed unused actions configuration option from User Accounts Summary widget.

  • Legacy iframe popups blocked by sandbox restrictions

    Added the allow-popups-to-escape-sandbox token to the sandbox attribute of the legacy iframe, allowing popup windows opened from the legacy UI to function correctly without inheriting sandbox restrictions.
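The two sandbox changes above (removing the allow-scripts + allow-same-origin combination, and adding allow-popups-to-escape-sandbox) can be checked mechanically. This added example, which is not Bravura's code, parses a sandbox attribute value, reports the unsafe combination and a token that has no effect without its companion, and produces a hardened value; which token to drop is a parameter, since the page does not say which one the product removed. Function names are assumptions; token names are from the HTML specification.

```javascript
// Added example (not Bravura's code): audit an iframe sandbox attribute value.
// parseSandbox, auditSandbox and hardenSandbox are assumed names.

const KNOWN_SANDBOX_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Splits the attribute value into unique, lower-cased tokens (the attribute is
// a space-separated, case-insensitive set of unique tokens).
function parseSandbox(attr) {
  return [...new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean))];
}

// Returns a list of findings; an empty list means no issue was detected.
function auditSandbox(attr) {
  const tokens = parseSandbox(attr);
  const has = (t) => tokens.includes(t);
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_SANDBOX_TOKENS.has(t)) findings.push(`unknown token ${t}`);
  }
  if (has("allow-scripts") && has("allow-same-origin")) {
    // Same-origin scripted content can reach its parent's DOM and delete the
    // sandbox attribute, so the combination defeats the sandbox entirely.
    findings.push("allow-scripts with allow-same-origin lets the frame remove its own sandbox");
  }
  if (has("allow-popups-to-escape-sandbox") && !has("allow-popups")) {
    // Popups are blocked unless allow-popups is present, so the escape token is inert.
    findings.push("allow-popups-to-escape-sandbox has no effect without allow-popups");
  }
  return findings;
}

// Returns a hardened attribute value: when both allow-scripts and
// allow-same-origin are present, the token named by `drop` is removed.
function hardenSandbox(attr, drop = "allow-same-origin") {
  const tokens = parseSandbox(attr);
  const unsafe = tokens.includes("allow-scripts") && tokens.includes("allow-same-origin");
  return (unsafe ? tokens.filter((t) => t !== drop) : tokens).join(" ");
}
```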

  • Fixed an issue to always use the top-level document for communications over the WebView channel.

  • Fixed an issue where quick actions were not loading on first login.

  • Language switching not translating UI controls

    Language switching now correctly translates the dark/light mode toggle, logout button, and refresh button in all supported languages (English, French, Spanish). Previously, these controls remained in the original language after switching.

  • Password change notification messages are properly translated.

  • Memory leak in StorageService during logout/login cycles

    Fixed a memory leak in StorageService that prevented proper cleanup of user session data during logout/login cycles. The fix eliminates unreleased promise references and race conditions in the authentication flow that could degrade browser performance over time.

  • Wrong exit trap used for self-service password reset in React UI

    Fixed the React UI to use the proper self-service exit trap (PSS_RES) on password reset instead of the admin exit trap, ensuring that the correct notifications and automation are triggered for self-service operations.

  • Duplicate attributes on dashboard user profile card

    Fixed an issue where duplicate attributes were displayed on the user profile card on the dashboard, caused by the same attribute being loaded from multiple sources.

  • User Accounts Summary widget loading and refresh improvements

    Enhanced the User Accounts Summary widget with immediate account loading on display and configurable refresh intervals with intelligent caching, reducing unnecessary API calls while keeping data current.

  • Dashboard widget refresh intervals not working correctly

    Fixed widget refresh intervals for Total Accounts, Passwords Near Expiry, Average Password Age, and Total Group Memberships widgets, which now automatically refresh every 5 minutes as intended. Previously, these widgets either only refreshed on browser refresh or refreshed on every page navigation, causing either stale data or excessive API calls.

  • Change passwords screens not updating correctly

    On the React UI the "Changing…" status remained and never changed to "Success." On the Angular UI the screen went blank after clicking the change-passwords button. Passwords were actually reset in both cases, but the UI did not reflect the result.

  • Post-login spurious logout causing blank dashboard

    After successful login, the React app's useAuthStateMonitor replayed a stale authenticated=false message from the login page's C_AUTHCHAIN_LOGIN, calling logout() and leaving the app in a half-authenticated state where the React appbar never rendered and the Angular iframe dashboard showed fullscreen.

  • Session expiry on legacy route shows blank screen instead of login page

    When a session expired while the user was on a legacy (Angular) route, Angular's iframe reloaded but did not emit the authentication-state-change postMessage back to React because the EMBEDDED_MODE confirmation was lost on reload. The user saw a blank screen and could not proceed. React now detects the iframe reload and re-sends the EMBEDDED_MODE message.

  • Navigational issues with blank pages and UI refresh

    Clicking a widget from the dashboard sometimes showed the page header with a blank white page body. Clicking the React UI refresh button would eventually show the Angular dashboard after ~30 seconds, and the native browser refresh also fell back to the Angular dashboard.

  • 403 permission denied incorrectly logs user out

    A non-admin user whose API requests returned 403 (OPA policy denial) was immediately logged out because checkError treated 403 the same as 401. A 403 now shows a localized "insufficient permissions" message without triggering logout.

  • RelativeTimestamp skips listeners when browser tab is hidden at mount

    If the RelativeTimestamp component mounted while the browser tab was in the background, no interval timer, visibilitychange listener, or i18n languageChanged listener was registered, and they were never set up later, even once the tab became visible.

Proxy servers

  • Fixed unhandled exceptions that could occur during proxy shutdown, improving application stability.

Logging and metrics

  • Frozen idmsuite.log modification time

    Fixed a threading issue that could cause the idmsuite.log file's modification timestamp to stop updating even though new log entries were being written, which made it appear as though logging had stopped when it had not.

Upgrade actions

Security

  • Apply ASP.NET Core 8.0.23 guidance

    When upgrading to this release, ensure that server environments meet the documented ASP.NET Core 8.0.23 (or later) requirements for Hosting Bundle, Runtime, and Desktop Runtime, and redeploy Bravura Security Fabric instances so that bundled DLLs are updated to the secured versions.

Core

  • Multi-node shared-schema upgrade pause required

    A pause is required after the primary node's Post Upgrade Tasks complete. During this pause, run setup.exe on all secondary nodes and wait for their Post Upgrade Tasks to complete. Then proceed on the primary node ("Next"), and finally on each secondary node. Command-line installations must accommodate this pause step.

  • Optional KMKeyGetByAccount fallback configuration

    For environments previously using the Qualys-specific fallback registry value, administrators should rename the KMKeyGetByAccount mapping value to the new generalized name while preserving the accountname domain resource_id format so external scanners continue to function after upgrading.

  • HSTS at CDN layer (Cloudflare)

    For environments using Cloudflare in front of Fabric, enable HSTS at the CDN edge (SSL/TLS > Edge Certificates > Enable HSTS) so Strict-Transport-Security is served as intended; verify with curl -I https://<host> | grep -i strict-transport.

  • referrer-policy header change

    The referrer-policy HTTP header has been changed from no-referrer to strict-origin-when-cross-origin to enable password manager autofill. If your deployment relies on no-referrer for security policy reasons, review this change.

Installer

  • Python 3.14 installer check added to the installer for new installations of 12.10 and upgrades to 12.10. Python 3.14 is required when upgrading to 12.10.

  • Multi-node upgrades via command line: pause/sequence support

    Added setup.exe --pause-after-tasks for silent/command-line upgrades to support required coordination in multi-node shared-schema (and similar) environments: after post-upgrade tasks complete and before services start, the installer writes upgrade-pause.signal to the instance directory and waits until automation removes the file. Use with -U -silent to coordinate primary/secondary node sequencing.

  • IIS "Log on as a batch job" privilege required (12.9+)

    After upgrading to 12.9 or later, the IIS_IUSRS group must have the "Log on as a batch job" privilege in Local Security Policy. Without this, the identity apppool will stop on first request and login will fail with a 503 error. On domain-joined servers, this privilege must be granted via Group Policy.

Database

  • Database migration required for user class DSQL field length

    The dsqltest and dsqllist fields in tables userclassdefattr, userclassdefgroup, userclasstestmember, and userclass are changed from NVARCHAR(2000) to NVARCHAR(MAX) to prevent silent truncation when user class criteria exceed the previous limit (for example, definitions with more than approximately 7–10 attribute/group criteria). This migration runs automatically during upgrade. Environments with user class definitions exceeding 7 attribute criteria should verify correct user class calculation after upgrade. For databases that were affected before upgrading, the DSQL values may need regeneration (for example via loaduccache.exe -loaddsql), and the installer upgrade path may run this regeneration automatically.

  • Database schema change for CC email support

    Upgrading to releases that include CC support in batch and exit trap notifications requires a schema change to the itsmmail table (new column for CC email) and adjustments to related stored procedures. The supplied upgrade script applies these changes automatically during the database upgrade step.

  • Database schema change for upgrade from 12.9 to 12.10

    Restricted values "UStCr" and "UStDl" are added to the "operation" table column "kind" during upgrade. If upgrading from 12.9.1, ensure you use the updated installer that includes this fix.

  • SQL Server 2025 / ODBC Driver 18+ compatibility

    All sqlcmd invocations now include the -C (TrustServerCertificate) flag. If your environment uses self-signed certificates, no action is needed. If your test automation calls sqlcmd directly outside of the product framework, add -C to those invocations as well.

Discovery

  • Validate psupdate scheduling on shared schema

    In shared schema environments, verify that psupdate is only configured to run from the intended primary node after applying these builds, and update operational procedures so administrators always initiate auto discovery from that node to avoid future scheduler conflicts.

Notification

  • Plan OAuth transition for global-mail-plugin

    For environments using global-mail-plugin with Exchange or other OAuth-capable SMTP servers, plan to configure OAuth settings (client ID, client secret, token endpoints) ahead of Microsoft's basic-auth retirement date to avoid mail delivery interruptions.

Logging and metrics

  • Optional log flush interval tuning

    Administrators who want tighter control over idmsuite.log timestamp updates can adjust or disable the new periodic flush interval using the flush-interval-ms registry setting for the logging service. The default interval is low-overhead and suitable for most deployments; no change is required unless you have specific logging or performance needs.

Extensions

  • Firefox browser extensions removed

    The firefox-extension-win-x64.msi and firefox-extension-x86.msi installers are no longer produced, and Firefox browser extensions are no longer supported. If your deployment relies on Firefox extensions for Bravura Safe or local reset, plan to migrate to a supported browser (Chrome, Edge, or Safari). Administrators should discontinue any remaining Firefox extension deployments.

User interface

  • Customer branding logo format changes

    Customer deployments that use custom logos must update their branding customization to the new branding.json and logo file format described in design/custom/branding/README.md so that logos continue to render correctly in the React and Angular UIs.

  • Non-destructive UI install changes to custom deployment scripts

    The make.bat :INSTALL section now uses robocopy /MIR instead of del/rmdir/mkdir. If you have custom scripts that depend on the previous destructive-install behavior or expect the ui/v1 and ui/v2 directories to be recreated, update them accordingly. IIS virtual directory mappings are now preserved during installs.

Bravura Pass

  • Review SKA deployment on shared workstations

    For shared machines using the SKA "Change my password" tile, deploy updated SKA installers and verify that session-only cookie settings are applied so that no active session remains available when users close the SKA window.

  • SKA client registry entries require ephemeral cookie parameter

    The SKA client software needs to either be upgraded to the latest version, or have its Windows registry entries modified to append ?EPHEMERALCOOKIE=1 to the URLs. This ensures that sessions are properly terminated when the SKA window is closed on shared workstations:

    1. HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Credential Provider\WebBrowserURL

      Example: Change http://server/instance/ to http://server/instance/?EPHEMERALCOOKIE=1

    2. HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Login Assistant\cmd

      Example: Change -url http://server/instance/ to -url http://server/instance/?EPHEMERALCOOKIE=1
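    As an added example (not Bravura's own tooling), a PowerShell script that appends ?EPHEMERALCOOKIE=1 to the URL in both registry values listed above; it skips values that already carry the parameter and keeps a .bak copy of each original value for rollback.

```powershell
# Added example, not Bravura tooling: append ?EPHEMERALCOOKIE=1 to the SKA client
# URLs in the two registry values above. Idempotent; keeps a *.bak copy of each value.
$base = 'HKLM:\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant'

function Add-EphemeralCookie([string]$Url) {
    # Leave URLs that already carry the parameter alone; use '&' if a query string exists.
    if ($Url -match 'EPHEMERALCOOKIE=1') { return $Url }
    $sep = if ($Url.Contains('?')) { '&' } else { '?' }
    return "${Url}${sep}EPHEMERALCOOKIE=1"
}

# WebBrowserURL holds the bare URL; cmd holds a command line containing '-url <URL>'.
$targets = @(
    @{ Key = "$base\Credential Provider"; Name = 'WebBrowserURL'
       Update = { param($v) Add-EphemeralCookie $v } },
    @{ Key = "$base\Login Assistant"; Name = 'cmd'
       Update = { param($v) [regex]::Replace($v, '(?<=-url\s+)\S+',
                    { param($m) Add-EphemeralCookie $m.Value }) } }
)

foreach ($t in $targets) {
    $current = (Get-ItemProperty -LiteralPath $t.Key -Name $t.Name -ErrorAction Stop).($t.Name)
    $updated = & $t.Update $current
    if ($updated -eq $current) {
        Write-Host "$($t.Name): already updated, nothing to do"
        continue
    }
    # Preserve the original value next to the modified one for rollback.
    Set-ItemProperty -LiteralPath $t.Key -Name "$($t.Name).bak" -Value $current
    Set-ItemProperty -LiteralPath $t.Key -Name $t.Name -Value $updated
    Write-Host "$($t.Name): '$current' -> '$updated'"
}
```

    Run from an elevated PowerShell session on the shared workstation, since the values live under HKEY_LOCAL_MACHINE.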

  • ODBC Q&A authchain: address format change in 12.9

    If upgrading from 12.7 to 12.9+, NULL target type address values are stored in key-value pair format ({server=<DSN>;}) instead of plain DSN names. The odbcqa plugin now handles both formats, but administrators should verify their external question set configuration after upgrade.

  • Mass Password Reset configuration (upgrade to 12.10.0)

    Environments upgrading from 12.9.x to 12.10.0 should document all MASS_PASSWORD_RESET and MASS_PASSWORD_ONBOARD configuration values before upgrading. Although this release includes the fix, administrators who already upgraded to an earlier 12.10.0 build should verify that MPR settings (TARGETS, VAULT_TARGET, VAULT_LINK_ATTRIBUTE, BATCH_SIZE, UCP_ID, REPORT, and related onboard entries) are populated. Re-enter any blank values from the pre-upgrade backup.

Connectors

  • Python 3.14 agent/plugin development

    Python 3.7 and 3.10 are no longer referenced in agent and plugin development documentation. Ensure custom agents and plugins are compatible with Python 3.14.