12.9.1

Features and improvements

Installation
  • Updated the "Connectors Being Removed" pre-installation check for the "Deprecated connectors" link to now point to an updated URL for the documentation site and to use the docs.bravurasecurity.com domain.

Discovery
  • Safer psupdate use in shared schema environments.

    In shared schema environments, running auto discovery from a non‑primary node now shows a clear warning and blocks psupdate execution, preventing silent changes to scheduler settings that previously caused scheduled psupdate jobs to fail on both nodes.

Core
  • Exit trap variable macros for email notifications

    Four new exit trap macros are now available: MGRNAME, MGREMAIL, EXPACCTHOST, and EXPACCTLONGID. These macros can be used in exit trap email notifications for unlock and password reset operations (ADMIN_UNLOCK, PSK_UNLOCK, PSS_RES, ADMIN_RES start/success/failure events), enabling richer contextual information in automated emails.

  • ManageableAccountSearch performance optimization

    The ManageableAccountSearch query has been optimised by removing a bound variable that was causing 15 GB memory grants in SQL Server, significantly improving performance and reducing resource consumption in large-scale deployments.

  • WstnPwdReqList performance optimization

    The WstnPwdReqList query has been optimised for faster workstation password request listing, reducing response times when viewing or managing large numbers of workstation password requests.

  • External scanner fallback mapping

    Introduced a fallback mechanism in KMKeyGetByAccount to retrieve credentials for external scanners such as Qualys when standard cross-reference lookups fail, controlled by a registry key so that it is disabled by default and can be enabled explicitly where needed without affecting existing deployments.

  • New forceactionable option for pwdconflicts.exe

    Added a new forceactionable command-line option to pwdconflicts.exe that allows administrators to force-randomize non-actionable password conflicts, providing greater flexibility in managing password discrepancies while keeping existing behavior unchanged unless the option is explicitly used. Inactive accounts are still filtered out regardless, so they are not affected by this option.

  • KMKeyGetByAccount external scanner fallback mapping

    Added KMKeyGetByAccount fallback mapping so that when host/IP/DNS lookups fail, external scanners can resolve credentials via a registry‑based account/domain/resource mapping, with the feature remaining disabled unless the registry key is configured.

Bravura Privilege
  • SMON session upgrade validation

    Revalidated SMON session viewing and download functionality on upgrades (12.6 to 12.9.1.41530), confirming that live and recorded sessions show video, text, clipboard, and process data correctly and that download packages can be created for pre- and post-upgrade sessions without requiring an instance repair.

  • Consolidated auto-denied PAM checkout request email notifications

    When a PAM checkout request expires without approval, the system now sends a single consolidated “Request Denied” email instead of one email per authorizer, while preserving individual notifications for manual denials. A configuration option controls this behaviour, addressing email overload scenarios where dozens of denial emails were generated per expired request.

  • Better VIM display in Guacamole PAM

    Upgraded the bundled Guacamole component to address a VIM display bug where lines appeared duplicated when scrolling, improving readability for users working in terminal sessions through PAM disclosures.

  • Tomcat updated from 9.0.94 to 9.0.109.

  • Added an error message box when the browser extension plugin process cannot be launched.

  • Added support for Windows Authentication for the MSSQL system type.

Bravura Pass
  • Mass password reset post-reset email notifications

    Added new MPR_SUCCESS and MPR_FAILURE exit traps that send per-user HTML email notifications with consolidated account reset results after a mass password reset batch completes, including success and failure information driven by configurable templates and existing notification policy UI.

  • The pslocalr.ocx and other controls are added back along with the pslocalr-x64.msi and pslocalr.msi Local Reset Extension installers.  The cgilocalr.cfg sample script is also updated for the pslocalr control.

  • Added per-account password validation on the Change passwords page to check the "not be an old password" rule against each selected account when transparent synchronization is disabled for the target group.

Bravura Identity
  • Profiles with trailing whitespace now supported.

    Fixed handling of profiles whose identifiers include leading or trailing whitespace so that requests such as MOVE‑IN‑ORG no longer fail with “Recipient identification ambiguous”, and related profile reports now return the expected results.

Bravura One
  • Added support for Android version 15 for the Bravura One mobile app.

Notification
  • More robust enrollment completion navigation.

    Improved the enrollment completion flow so that newly triggered notifications are handled correctly, and users are redirected back to the expected pages after completing registration and password change steps, instead of occasionally encountering a broken UI.

  • OAuth support for global‑mail‑plugin

    Implemented OAuth‑based SMTP authentication (XOAUTH2) in the global‑mail‑plugin so that customers can use modern mail servers where basic authentication is being retired.

Workflow
  • HTML formatting for request macros in email.

    When HTML mail content is enabled, request macros such as %REQUESTBATCHDETAILS%, %REQUESTPURPOSE% and %REQUESTLINKS% are now wrapped in <pre> tags so line breaks and spacing are preserved, improving readability of request emails that use customer‑specific HTML templates.

  • Scalability improvement for requests with many tasks

    Handling of requests containing a large number of tasks (for example, roles with 70 or more groups) has been improved so that the 50-task display limit is enforced more gracefully and the behavior is documented. Roles that exceed this limit should be broken into smaller sub-roles.

Security
  • ASP.NET Core 8.0.23 security baseline

    Updated Bravura Security’s bundled ASP.NET Core runtime and related packages from 8.0.10/8.0.11 to 8.0.23 to address Microsoft security vulnerabilities (CVE-2024-43498, CVE-2024-43499, CVE-2024-43500).

API
  • OTP account creation API regressions

    Resolved breaking behavior changes where WFRequestActionsGet returned F after PDR completion (instead of S) and WFRequestAttrsGet did not return created PAM UTIL account information, impacting integrations such as DTCC’s PAMUtil automation.

  • Customer branding REST API (logos and brand colors)

    Added REST endpoints under /api/rest/v2/applicationSettings to retrieve/update branding configuration (JSON Patch for colors) and upload/serve/delete logos via /api/rest/v2/applicationSettings/logos({type}), including file-type validation by magic bytes, SVG sanitization, and hash-based filenames for cache busting. Write operations persist to both /ui/v2/assets/ (immediate React visibility) and /design/src/custom/ (rebuild-safe), with background-job processing and automatic cleanup of replaced assets.

  • User setting REST API (v2)

    Added REST support for per-user key/value settings, including create/list/get/update/delete operations with OData query options on list retrieval; the value field supports any valid JSON value. Where applicable, datetime format and time zone are mapped from user profile attributes, and PATCH updates are applied back to profile attributes to avoid parallel legacy setting paths.

  • Mass password reset post-reset confirmation events

    Added per-user MPR completion events MPR_SUCCESS and MPR_FAILURE (configured under Manage the system > Policies > Options) to drive email notifications and/or program execution after a mass password reset completes for a user. These events expose session tags SUCCESSTARGETS and FAILTARGETS (comma-separated host\account pairs) and require the Bravura Pass license (KeyModPSynch).

  • Skip serverinfo validation for TargetPAMAssociatedCredential_set

    The IDMConfig API no longer performs the serverinfo validation check when mapping managed accounts via TargetPAMAssociatedCredential_set, aligning API behavior with the GUI tool psa.exe, which does not perform this check.

  • Added database indexes to optimize REST API get_account_attributes performance. Three new indexes added: metaattr_idx_4, targetobjattr_idx_4, and targetobjattr_file_idx_2.

  • Added exit traps for help desk operations in idmlib REST calls.

  • Updated database queries in ObjAssociateInitial and UserList operations to use OPTION(MAXDOP 1) for improved performance.

  • Added default authorization policies policies_post_create, policies_put, and policies_delete.

  • Set ui/src/react/src/shared/api/spec to be a submodule repository for postman, to get our OpenAPI specification.

User interface
  • Version toggle preference respected on re-login

    Fixed the React/legacy version toggle so logging back in honors the user’s previously selected interface, including correct full-screen iframe behavior and preventing stuck loading states caused by routing/unmount timing.

  • Reduced React navigation race conditions during rapid route changes

    Improved navigation state tracking in SmartLegacyRouter.tsx to avoid inconsistent UI state when users navigate rapidly (for example blank pages, stuck spinners, or unexpected redirects due to stale completions).

  • Reduced white flash during login page load (dark mode)

    Updated login page load behavior to prevent a white flash for dark-mode users by adding CSS color-scheme support and removing the hardcoded light-theme default so the page stays consistent from the first frame through the login overlay render.

  • Widget refresh behavior aligned to configured intervals

    Updated the User Profile and User Accounts Summary widgets to respect refresh intervals consistently and reduce unnecessary REST calls triggered by tab switching by using appropriate cache/stale-time behavior. (BSCS-10557, fixVersion: 12.10.0, 12.9.1)

  • Dashboard accessibility improvements (Lighthouse)

    Addressed Lighthouse-identified accessibility issues including missing/incorrect form labels, progressbar accessible naming, prohibited ARIA usage, heading level order, and contrast issues to improve WCAG 2.1 AA alignment.

  • Dynamic theme system for customer branding (React UI)

    Implemented dynamic theming across the React UI based on branding.json, including light/dark theme generation, context-aware logo selection, dynamic favicon switching, and login page styling with OS-driven dark mode support. Added fallbacks when branding assets/config are missing, preserved user theme/dashboard preferences across logout, and synchronized theme state with the legacy Angular iframe.

  • Dashboard metrics management and configuration UI

    Added a Manage Metrics dialog to add/remove/reorder dashboard metrics and configure alert thresholds for urgency-based metrics, and updated metric card presentation to align with the refreshed dashboard design. Metric cards now support visual types (count, urgency, progress), skeleton loading states, zero-state messaging, and auto-saving configuration dialogs.

  • Dashboard notifications center

    Implemented a dashboard notifications center with categorization, priority levels, badges/indicators, persistence/read status, and support for real-time updates.

  • Customer branding infrastructure for React and Angular

    Implemented a unified customer branding system that loads configuration from branding.json at startup and applies logos, theme colors, and overrides across React and Angular UIs via a BrandingProvider context, CompanyLogo component, Zod-validated schema, and legacy build integration through make.bat and generated branding SCSS.

  • Notifications center on React dashboard

    A notifications center has been added to the React dashboard, displaying alerts, updates, and system messages with category and priority levels, read status, and real-time updates. This provides a central place for users to review important events without relying on email alone.

  • React Auth Provider stability improvements

    Improved front-end authentication stability by memoizing createAuthProvider in App.tsx and updating useAuthStateMonitor to avoid unnecessary dashboard cache clearing during authentication re-checks, reducing the likelihood of transient UI inconsistencies for authenticated users.

  • Adaptive dashboard: Frequently Used Actions

    Adds a Frequently Used Actions section to the adaptive dashboard that ranks actions with a frequency-biased algorithm, personalizes the list per user, hides actions already in Favorites, and adapts the number of displayed actions by screen size while storing usage data per user/instance for future server‑side support.

  • Dashboard All Actions layout refresh

    Renames Quick Actions to All Actions and refreshes the layout with a collapsible section, smart category grouping, paired small categories, pending request badges, and tooltip support, improving responsiveness and initial render performance.

  • Dashboard Favorites section

    Introduces a Favorites section on the dashboard that lets users pin 3–6 of their most used actions based on recency and frequency, replacing basic Quick Actions with a personalized, accessible experience.

  • Saved report lists honour display limits.

    The “My saved reports” and “Other users’ saved reports” pages now correctly honour the configured “Records to display” value. Saved reports with missing or unreadable spool files remain in the list but have their selection and action controls disabled, instead of silently reducing the number of rows shown.

  • jQuery 3.7.x validation test coverage

    Extended and updated automated UI tests to validate the jQuery 3.7.x upgrade, improving the reliability of regression coverage for the React‑based interface.

  • Adaptive dashboard stakeholder demos

    Completed the first stakeholder demo phase for the adaptive dashboard design, collecting feedback and refining the Storybook implementation before applying it to production.

  • The new UI is now the primary interface accessible at the application root, providing a modern user experience with improved performance and clean URLs.

  • Optimized dashboard API queries to fetch only required fields, reducing data transfer by 80-99% for user metrics, account summaries, and authentication operations.

  • Change Passwords Page Enhancements

    • Added page header "Change Passwords" for improved navigation clarity

    • Implemented debug logging for page lifecycle and navigation tracking

    • Created reusable PageHeader component for consistent page titles

  • Added an optional suggestedPasswords field to the PasswordPolicies POST endpoint. When the AUTOGEN_NUM rule is enabled, passwords validate against the suggested passwords list.

Reporting
  • Added "Parent role ID" and "Parent role description" columns to the Certification details and Review certification details reports to show parent role information for role member entitlements.

Logging / Metrics
  • More accurate idmsuite.log timestamps.

    The logging service for idmsuite.log now periodically flushes file buffers on a configurable interval so the file’s modification timestamp reflects recent logging activity. This makes it easier for administrators to see when logs were last written, without relying solely on log entry content.

Documentation
  • Updated hid_batch_request_submit example for Identity

    Updated documentation and examples for using hid_batch_request_submit in the context of Identity, including clarification of specific quirks, parameters, and return behaviors so that integrators can implement batch requests with fewer integration issues.

  • Mail plugin OAuth

    Added documentation describing how to configure OAuth authentication for the global‑mail‑plugin, including new settings and example configuration steps. See Modifying global mail settings.

  • Notification client manual install docs and tests

    Reviewed and updated documentation and testing guidance for manually installing the Bravura Security notification client from a network share, consolidating best practices from KB content into the main product docs. See Notification Client (psntfclient).

Resolved issues

Installation
  • SQL error during 12.9 upgrade

    Fixed an issue where upgrades from 12.5 to 12.9 could fail with an explicit DROP INDEX is not allowed SQL error, ensuring the database migration scripts complete successfully without requiring manual intervention.

  • Fixed instdump.exe so that it outputs global connector pack binary versions.

  • Fixed an installation issue where IIS handler mappings lacked script execution permissions, preventing the instance from running correctly.

  • Updated the Jamfile to properly set the upgrade file as patchdbxml.

Discovery
  • psupdate scheduler corruption on non‑primary node.

    Fixed an issue in shared schema environments where manually running auto discovery from a non‑primary node could silently change local scheduler settings and leave both nodes configured as the scheduled psupdate node, causing scheduled runs to fail.

  • Fixed an issue where account associations were not recalculated during psupdate after changes to account attributes made through our product.

Bravura Pass
  • SKA sessions no longer persist across users

    Resolved an SKA session persistence issue where closing the “Change my password” window on shared workstations could allow a subsequent user to see the previous user’s dashboard. Sessions now end when the SKA window is closed, requiring re‑authentication. See Login Assistant compatibility.

  • Fixed a compatibility issue to ensure that the newer version of the Active Directory interceptor will work with older versions of Bravura Security Fabric and the Password Manager service (idpm).

Mass Password Reset
  • Fixed Mass Password Reset (MPR) button not displaying in the new dashboard by adding translation mappings for the massPasswordReset dashboard item.

  • Adjusted the minimum and default batch size values used for mass onboard and mass password reset.

    The initial values were too high for the current version of the safe connector.

    Note that the performance will degrade significantly with low values.

Bravura Identity
  • “Recipient identification ambiguous” errors for some profiles.

    Fixed a defect where profiles created from accounts with trailing spaces in identifiers could not be used as recipients in certain PDRs and did not appear correctly in profile reports, removing spurious “Recipient identification ambiguous” errors.

  • Request search by requester notes

    Fixed All Requests filtering so searches on Requester Notes correctly return matching requests, including those stored in legacy columns, restoring expected behavior for help desk and identity users relying on note text queries.

Bravura Privilege
  • Fixed the session monitoring service (idsmpg) to treat the file/path not found as success for both single and multi-session package removal.

  • Fixed the session monitor recording icon label branding.

  • Adjusted the pam_system_type_linux component to use the LINUX_NG connector.

    Adjusted other components to use LINUX_NG instead of LINUX.

  • Incomplete JSON sample files for AWS website disclosure documentation

    Corrected incomplete JSON sample files in the AWS website disclosure documentation, updating the examples to contain valid JSON syntax and accurate configuration fields so that customers can use them directly as a reference.

Bravura One
  • Fixed mobproxy HTTP request handling issues for PATCH operations.

  • Updated mobile proxy paths for modern deployment.

Database
  • RBAC variance stored procedures no longer return duplicate surplus rows

    Updated RBACVarianceUserListDetails and RBACVarianceUserListDetailsAll to use SELECT DISTINCT * to eliminate duplicate surplus variance rows and verified the change is present after upgrade.

  • Fixed a runtime error in UserclassIsMember stored procedure due to SQL optimizer executing operations out of order, causing data type conversion failures.

  • Fixed a runtime error in the UserClassPointLoadFromCache stored procedure that occurred when the userclasspoint.criteriap field contained NULL value.

REST API
  • SVG logo upload no longer fails due to missing runtime dependencies

    Fixed SVG logo uploads via PUT /api/rest/v2/applicationSettings/logos({type})/value failing at runtime due to missing HtmlSanitizer.dll (and transitive dependencies such as AngleSharp.dll and AngleSharp.Css.dll) in the deployed REST API directory.

  • Fixed REST API output of datetimes to respect timezones.

  • Added discoveryId to auto-discovery operation output for target systems.

  • Fixed REST API v2 to correctly mask password attribute values as ******** instead of returning encrypted strings.

  • Fixed group and account DELETE endpoints returning 400 error in v1 API.

  • Fixed refresh token authentication by ensuring the required userguid claim is properly included in refreshed access tokens.

  • Fixed a mass password reset issue to URL-decode the X-CSRF-Token header value for REST API calls.

  • Added superuser access to accounts and users patch operations.

  • Added REST API error response fixes for:

    • userinfo endpoint when invalid or expired tokens are used

    • endpoint calls using invalid CSRF tokens

  • Account information now properly populated in SessionLogs REST API responses for ACUA operations.

  • Fixed an issue where the authchain2factor API call was failing.

  • REST API now invalidates access tokens when refresh tokens are revoked (RFC 7009 compliance).

  • Excluded PWGEN_NUM from PasswordPolicy GET endpoints to list rules.

  • Fixed multi-issuer token validation by configuring OpenIddict to use BASE_IDSYNCH_URL for consistent issuer claims.

  • Modified the following default REST API OPA policies to authorize members of user class _REPORT_READERS_:

    • accounts_get

    • accounts_get_list

    • accounts_groupmemberships_get

    • accounts_groupmemberships_get_list

    • accounts_targetsystem_get

    • accounts_user_get

    • operations_get

    • operations_get_list

    • targetgroups_get

    • targetgroups_get_list

    • users_accounts_get_list

    • users_get

    • users_get_list

    • targetsystems_accounts_get_list

    • targetsystems_get

    • targetsystems_get_list

    • targetsystems_groups_get_list

    • targetsystems_options_get_list

IDMLib
  • Added missing fields to ReqBatch.

Reporting
  • Saved reports record count and paging.

    Resolved an issue where saved reports pages did not respect the “Records to display” setting and appeared to show fewer results than configured, particularly when some spool files were missing or unreadable.

  • Boolean filters behave correctly for “No”

    Fixed Boolean request attribute handling in the “Managed account check‑outs / check‑ins” report so that searching for “No” returns the correct results, matching how values are stored in the database.

Security
  • Blocked insecure HTTP methods TRACE and CONNECT to address penetration test findings while preserving REST API functionality.

  • Resolved 8 npm security vulnerabilities by updating playwright, vite, storybook, and other dependencies to secure versions.

  • Enhanced postMessage origin validation to prevent potential message interception by malicious frames.

  • Fixed the Skip authentication button text cutoff by allowing login buttons to wrap and styling the Skip button to match the Continue button.
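
    The postMessage origin validation item above, illustrated as an added example; this is not Bravura Security code. The origin https://idm.example.com, the message types, and all function names are hypothetical, and the sample events are constructed.

```javascript
// Added example, not product code. Origin, message types and names are hypothetical.

// Exact origins the parent shell exchanges messages with. Compared by equality,
// never with startsWith/includes, so lookalike hosts cannot match.
const TRUSTED_ORIGINS = new Set(["https://idm.example.com"]);

// The only message types the shell accepts from the embedded frame.
const ALLOWED_TYPES = new Set(["theme-changed", "navigation-complete"]);

// Receiver side: decide whether a MessageEvent-like object may be processed.
// expectedSource is the contentWindow of the iframe the shell itself created.
function validateMessage(event, expectedSource) {
  // event.origin is filled in by the browser, not by the sending script.
  // Sandboxed and data: frames report the literal string "null", which is
  // not in the allowlist and is therefore rejected.
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted-origin" };
  }
  // A trusted origin is not enough: the message must come from the one frame
  // we expect, not from any other window that happens to share the origin.
  if (event.source !== expectedSource) {
    return { ok: false, reason: "unexpected-source" };
  }
  // Accept only plain objects carrying a known message type.
  const data = event.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, reason: "malformed-data" };
  }
  if (typeof data.type !== "string" || !ALLOWED_TYPES.has(data.type)) {
    return { ok: false, reason: "unknown-type" };
  }
  return { ok: true, reason: "ok", message: { type: data.type, payload: data.payload } };
}

// Sender side: derive the targetOrigin from the frame URL and refuse anything
// outside the allowlist. Passing "*" would deliver the message to whatever
// document is loaded in the frame at that moment.
function targetOriginFor(frameUrl) {
  const origin = new URL(frameUrl).origin;
  if (!TRUSTED_ORIGINS.has(origin)) {
    throw new Error("refusing to post to untrusted origin: " + origin);
  }
  return origin;
}

function sendToFrame(frameWindow, frameUrl, message) {
  frameWindow.postMessage(message, targetOriginFor(frameUrl));
}

// Browser wiring: drop anything that fails validation before it reaches the app.
function installListener(win, frame, onMessage) {
  win.addEventListener("message", (event) => {
    const result = validateMessage(event, frame.contentWindow);
    if (result.ok) onMessage(result.message);
  });
}

// Constructed sample events, classified by the validator.
function runConstructedSamples() {
  const frame = {}; // stands in for iframe.contentWindow
  const base = {
    origin: "https://idm.example.com",
    source: frame,
    data: { type: "theme-changed", payload: { mode: "dark" } },
  };
  const events = [
    base,
    { ...base, origin: "https://idm.example.com.attacker.example" }, // lookalike host
    { ...base, origin: "null" },                                     // sandboxed frame
    { ...base, source: {} },                                         // different window
    { ...base, data: { type: "run-script" } },                       // unknown type
  ];
  return events.map((e) => validateMessage(e, frame).reason);
}
```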

Workflow
  • HTML formatting for request macros in email

    Corrected handling of request macros like %REQUESTBATCHDETAILS%, %REQUESTPURPOSE%, and %REQUESTLINKS% when MAIL CONTENT TYPE is enabled so multi‑line values render with proper HTML line breaks instead of being collapsed into a single unreadable line.

  • Fixed an issue to allow users with the "View workflow requests" (viewworkflow) permission to view request details on the request popup page.

  • Modified the rbacenforce.exe utility to properly save requests that failed to submit; the saved file now has a request kvg similar to the one produced by the wizard.

Notification
  • First‑time registration flow stability.

    Resolved an issue where the first‑time registration process could crash the UI before the password change step completed, particularly when multiple notifications were triggered. The flow now consistently returns users to the expected notification and password change pages.

  • Fixed a notification client white-screen issue; notifications now display properly.

Authentication / Authorization
  • SAML SSO redirect broken after 12.9 upgrade

    Fixed a regression where both IdP-initiated and SP-initiated SAML SSO flows returned users to the PSF module (front-end portal) instead of completing the redirect to the service provider, affecting all configured SAML applications and both the default and /v1 URL paths. This behavior has been restored to match pre-12.9.0 releases.

  • Authentication failure on shared schema node

    Fixed an issue where users could not log in from a shared schema server node because the PSF module returned a 401 error due to a failure requesting OpenIddict cookies (HTTP status 11). Environments using a load balancer were not affected.

Components
  • Fixed hid_policy_wfemail to respect the default policy.

User interface
  • React deep-link login redirects (for example /change-passwords)

    Fixed an issue where logging in from the main login page did not redirect to the requested React route (for example /change-passwords) and instead landed on the dashboard; legacy /v1/... paths continue to route to the legacy UI as expected.

  • React dashboard navigation rendering inconsistencies

    Fixed issues where React dashboard navigation could route into legacy/Angular pages and leave the UI in a mixed state (React menu with Angular content) or fail to load selected left-nav pages.

  • Skin build failures when components define their own language tags

    Fixed the skin build process so that component language files are correctly discovered and loaded in both product (ui/src/ui/) and instance (design/src/ui/) build contexts, resolving failures where component-specific language tags (such as mass_password_reset links) could not be found.

  • Dashboard “Favorites” and “Frequently Used” sections lost on logout

    Fixed a bug where the dashboard Favorites and Frequently Used sections were reset after the user logged out and logged back in. The dashboard now persists these sections correctly across sessions.

  • Dashboard widget dropped when “Frequently Used” exceeds six items

    Fixed a bug where adding a seventh widget to the Frequently Used section caused the oldest widget to disappear entirely from the dashboard instead of being moved back to the Other Actions area. Widgets are now retained correctly.

  • Dashboard action cards dropped from visibility on resize

    Resolved a bug where action cards in the Frequently Used section of the dashboard could disappear from view when the browser window was resized, ensuring that cards remain visible regardless of viewport changes.

  • Dashboard sections removed on logout and login

    Fixed an issue where the Favorites and Frequently Used sections on the dashboard did not persist and would be removed after user logout and subsequent login, so that user-configured dashboard sections now remain intact across sessions.

  • Dashboard widget visibility issue when adding multiple widgets

    Corrected a problem where adding a seventh widget to the Frequently Used section could cause other widgets to disappear from the dashboard layout, ensuring all configured widgets remain visible regardless of the number added within supported limits.

  • jQuery 3.7.x validation test coverage

    Extended and updated automated UI tests to validate the jQuery 3.7.x upgrade, improving the reliability of regression coverage for the React‑based interface.

  • Saved reports honour record limits

    Fixed saved report pages so the “Records to display” setting is respected. Reports with missing or unreadable spool files are shown but their controls are disabled instead of silently dropping the rows.

  • Added a fix to bypass the cookie check when using the "forgot password" flow.

  • Fixed "Invalid request" error when AJAX calls are made from popup windows.

  • Fixed an issue to prevent API calls before the userId is set.

  • Fixed an issue where logging into a different instance would log out users from their current instance by implementing instance-specific cookie paths.

  • Added an in-app password character help dialog for the password rule "contain only characters available on a standard English (US) keyboard".

  • Removed Login Manager (SSO) from the license and list of supported products.

  • Password suggestion count now uses the AUTOGEN_NUM rule from password policies (defaults to 5 if not configured).

  • Added an optional suggestedPasswords field to the PasswordPolicies POST endpoint. When the AUTOGEN_NUM rule is enabled, passwords validate against the suggested passwords list.

  • The "Remember Me" functionality now correctly persists user preferences across logout and session expiry.

  • OAuth2 Authentication Port label typo corrected

    The address parameter label “OAuth2 Autentication Port” has been corrected to “OAuth2 Authentication Port” in the en-us-errmsg.kvg resource file, affecting the configuration screens for the Azure Active Directory and Exchange connectors.

React UI
  • Fixed "Session Active in Another Tab" text visibility in dark mode.

  • Fixed missing translations in User Accounts Summary widget configuration for status filters, sort options, and sort order dropdowns.

  • Removed quick action menu (3-dot icon) from User Accounts Summary list view.

  • Removed "Last activity" field from User Accounts Summary widget including display, configuration, sorting, and all related functionality.

  • Added XSS sanitization to password policy rule descriptions with DOMPurify to prevent script injection attacks.

  • Ensured default dashboard does not pre-emptively load before determining if user has saved dashboard layout.

    LegacyIntegrationService is the source of truth for userStorageKey, ensuring no shared dashboard layouts between users.

  • Mobile header now shows icon-only logo on small screens to ensure logout and navigation buttons remain accessible.

  • Locked the search bar at the top and description toggle to the bottom of the side menu.

  • Password policy rules panel now displays regular expression and whitelist requirements alongside the rules.

  • Fixed password policy descriptions not translating when user changes language by parsing Accept-Language header correctly and adding language family fallback in backend, plus refetching policies on language change in React UI.

  • Password Policy Validation

    • Removed misleading fallback password rules when policies fail to load.

    • Submit button now disables when password policies cannot be loaded or when required rules are not met, preventing invalid password changes.

    • Added clear error messages when password requirements are unavailable.

    • Fixed validation to check all required password rules including regular expressions and whitelist entries.

    • Fixed password policy switching to use target group-specific policies instead of all policies.

    • Password rules, validation, and suggestions now correctly update when switching between target groups with different password policies.

  • Fixed badge calculation and display bugs in "User Accounts Summary" dashboard.

  • User Profile widget now dynamically loads attributes from the API with localized labels, filters out user-type attributes, and includes comprehensive icons.

  • Fixed "Total Group Memberships" user metric widget to correctly display the count of group memberships across all user accounts instead of showing "Selected metric not found" error.

  • Removed the "Show Last Login" option from the user profile configuration widget.

  • Fixed the "Show Avatar" toggle to properly hide/show the user avatar.

  • Removed non-functional "Strong Passwords" metric from dashboard widgets.

  • Fixed an issue to read the CSRF token fresh from cookies on each request.

  • Enabled server logout endpoint to clear cookies.

  • Fixed CSRF token expiring after 1 hour while session remains active, preventing unnecessary 403 errors.

  • Fixed REST API authorization failures for sessionclient tokens by adding missing user claims to JWT payload.

  • Added a missing GUID marker to the root HTML page.

  • Fixed User Accounts Summary widget's "Enabled Statuses" filter to correctly filter displayed accounts based on selected status options.

  • Fixed User Accounts Summary widget to show real-time status updates until account operations fully complete.

  • Fixed User Accounts Summary widget list view displaying plain text status chips instead of icon badges. List view now shows the same status badge icons as grid view for consistent status visualization.

  • Added missing legacy module ID mappings for dashboard items.

  • Fixed feature to restore default widgets on layout reset.

  • Added session transfer system for multi-tab coordination to prevent authentication conflicts and ensure consistent user experience across browser tabs.

  • Fixed authentication race conditions and iframe display issues on page refresh.

  • Fixed legacy UI flash during React logout, navigation loop after logout, and cleared user cache to prevent stale data when switching users.

  • Removed unused actions configuration option from User Accounts Summary widget.

  • Added the allow-popups-to-escape-sandbox token to the sandbox attribute of the legacy iframe.

  • Fixed an issue to always use the top-level document for communications over the WebView channel.

  • Fixed an issue where quick actions were not loading on first login.

  • Language switching now correctly translates dark/light mode toggle, logout button, and refresh button in all supported languages (English, French, Spanish).

  • Password change notification messages are properly translated.

  • Fixed memory leak in StorageService that prevented proper cleanup of user session data during logout/login cycles, eliminating unreleased promise references and race conditions in the authentication flow.

  • Fixed a React UI issue to use the proper self-service exit trap on password reset.

  • Fixed an issue to avoid displaying duplicate attributes on the user profile card on the dashboard.

  • Enhanced User Accounts Summary widget with immediate account loading and configurable refresh intervals with intelligent caching.

  • Fixed widget refresh intervals not working correctly:

    • Total Accounts, Passwords Near Expiry, Average Password Age, and Total Group Memberships widgets now automatically refresh every 5 minutes as intended.

    • Previously, these widgets only refreshed on browser refresh or refreshed on every page navigation instead of respecting the configured interval.

    • Improves dashboard performance by reducing unnecessary API calls.

Proxy servers
  • Fixed unhandled exceptions that could occur during proxy shutdown, improving application stability.

Logging / Metrics
  • Frozen idmsuite.log modification time.

    Fixed a threading issue that could cause the idmsuite.log file’s modification timestamp to stop updating even though new log entries were being written, which made it appear as though logging had stopped when it had not.

Upgrade actions

Security
  • Apply ASP.NET Core 8.0.23 guidance

    When upgrading to this release, ensure that server environments meet the documented ASP.NET Core 8.0.23 (or later) requirements for Hosting Bundle, Runtime, and Desktop Runtime, and redeploy Bravura Security Fabric instances so that bundled DLLs are updated to the secured versions.

Core
  • Optional KMKeyGetByAccount fallback configuration

    For environments previously using the Qualys‑specific fallback registry value, administrators should rename the KMKeyGetByAccount mapping value to the new generalized name while preserving the accountname domain resource_id format so external scanners continue to function after upgrading.

  • Embedded Python security update for supported pre-12.10 branches

    Updated the embedded Python runtime to 3.11.15 (a security bugfix release for the legacy 3.11 series) for supported release branches earlier than 12.10.0; validate any environment-specific Python dependencies against the updated binary.

Installer
  • Multi-node upgrades via command line: pause/sequence support

    Added setup.exe --pause-after-tasks for silent/command-line upgrades to support required coordination in multi-node shared-schema (and similar) environments: after post-upgrade tasks complete and before services start, the installer writes upgrade-pause.signal to the instance directory and waits until automation removes the file. Use with -U -silent to coordinate primary/secondary node sequencing.
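
An added PowerShell example (not Bravura Security's own tooling) of the automation side of this pause: it starts the silent upgrade with the flags named above, waits for upgrade-pause.signal, holds until the other node is ready, then removes the file. The setup.exe path, the instance directory and the marker file used as the "other node is ready" gate are assumptions for illustration.

```powershell
# Added example: hold one node's silent upgrade at the pause point until released.
# Assumptions (not from the release notes): all three paths below, and the use of a
# marker file on a share as the signal that the other node has reached the agreed step.
$SetupExe    = 'C:\Temp\upgrade\setup.exe'                   # placeholder
$InstanceDir = '<instance directory>'                        # placeholder
$ReleaseGate = '\\fileshare\upgrade\other-node-ready.marker' # hypothetical gate
$SignalFile  = Join-Path $InstanceDir 'upgrade-pause.signal'

function Wait-ForPath {
    param([string]$Path, [int]$TimeoutSec, $Process = $null, [int]$PollSec = 5)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while (-not (Test-Path -LiteralPath $Path)) {
        # If the installer died before pausing, stop instead of waiting out the timeout.
        if ($Process -and $Process.HasExited) {
            throw "setup.exe exited (code $($Process.ExitCode)) before $Path appeared"
        }
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for $Path" }
        Start-Sleep -Seconds $PollSec
    }
}

# Flags are the ones the release note names; other arguments your upgrade needs are omitted.
$setup = Start-Process -FilePath $SetupExe `
    -ArgumentList '-U', '-silent', '--pause-after-tasks' -PassThru
$null = $setup.Handle   # cache the handle so ExitCode is readable after exit

# 1. Post-upgrade tasks are done and services are not yet started once this file exists.
Wait-ForPath -Path $SignalFile -TimeoutSec 7200 -Process $setup
Write-Output "Installer paused at $(Get-Date -Format o); waiting for release gate."

# 2. Hold this node until the other node signals it is ready.
Wait-ForPath -Path $ReleaseGate -TimeoutSec 7200

# 3. Removing the signal file lets the installer continue and start services.
Remove-Item -LiteralPath $SignalFile -Force
$setup.WaitForExit()
Write-Output "setup.exe finished with exit code $($setup.ExitCode)"
```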

Notification
  • Plan OAuth transition for global‑mail‑plugin

    For environments using global‑mail‑plugin with Exchange or other OAuth‑capable SMTP servers, plan to configure OAuth settings (client ID, client secret, token endpoints) ahead of Microsoft’s basic‑auth retirement date to avoid mail delivery interruptions.

Logging/Metrics
  • Optional log flush interval tuning.

    Administrators who want tighter control over idmsuite.log timestamp updates can adjust or disable the new periodic flush interval using the flush-interval-ms registry setting for the logging service. The default interval is low‑overhead and suitable for most deployments; no change is required unless you have specific logging or performance needs.

Discovery
  • Validate psupdate scheduling on shared schema

    In shared schema environments, verify that psupdate is only configured to run from the intended primary node after applying these builds, and update operational procedures so administrators always initiate auto discovery from that node to avoid future scheduler conflicts.

UI/UX
  • Customer branding logo format changes

    Customer deployments that use custom logos must update their branding customization to the new branding.json and logo file format described in design/custom/branding/README.md so that logos continue to render correctly in the React and Angular UIs.

Bravura Pass
  • Pass – Review SKA deployment on shared workstations

    For shared machines using the SKA “Change my password” tile, deploy updated SKA installers and verify that session‑only cookie settings are applied so that no active session remains available when users close the SKA window.

  • The SKA client software needs to either be upgraded, or have Windows registry entries modified (append ?EPHEMERALCOOKIE=1 to the URLs):

    1. HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Credential Provider\WebBrowserURL

      Example: Change http://server/instance/ to http://server/instance/?EPHEMERALCOOKIE=1

    2. HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Login Assistant\cmd

      Example: Change -url http://server/instance/ to -url http://server/instance/?EPHEMERALCOOKIE=1
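
An added PowerShell example (not part of the original release notes) that applies both registry changes on a workstation and is safe to run more than once. It assumes WebBrowserURL and cmd are value names under the keys shown above; a URL that already carries a query string is left unchanged for manual review, since the note only covers URLs without one.

```powershell
# Added example: append ?EPHEMERALCOOKIE=1 to the two SKA registry values.
# Assumption: WebBrowserURL and cmd are value names under these keys. Run elevated.
$base = 'HKLM:\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant'
$flag = 'EPHEMERALCOOKIE=1'

function Add-EphemeralCookie([string]$Url) {
    if ($Url -like "*$flag*") { return $Url }   # already applied: nothing to do
    if ($Url.Contains('?')) {
        # Not covered by the release note; do not guess how to merge the query string.
        Write-Warning "URL already has a query string, left unchanged: $Url"
        return $Url
    }
    return $Url + '?' + $flag
}

$targets = @(
    @{ Path = "$base\Credential Provider"; Name = 'WebBrowserURL'; IsCommandLine = $false },
    @{ Path = "$base\Login Assistant";     Name = 'cmd';           IsCommandLine = $true  }
)

foreach ($t in $targets) {
    $old = Get-ItemPropertyValue -Path $t.Path -Name $t.Name -ErrorAction Stop
    if ($t.IsCommandLine) {
        # Rewrite only the token that follows -url; the rest of the command line is untouched.
        $new = [regex]::Replace($old, '(?i)(?<=-url\s+"?)[^\s"]+',
                                { param($m) Add-EphemeralCookie $m.Value })
    } else {
        $new = Add-EphemeralCookie $old
    }

    if ($new -ne $old) {
        Set-ItemProperty -Path $t.Path -Name $t.Name -Value $new
        Write-Output "$($t.Name): '$old' -> '$new'"
    } else {
        Write-Output "$($t.Name): unchanged ('$old')"
    }
}
```

Running it a second time should report both values as unchanged, which doubles as a compliance check across shared workstations.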