Proudly, we announce the release of Topicus KeyHub 46. Over the past 2 years, a lot of work has gone into our Identity Lifecycle Management module. In this release, we make much of that functionality available to everyone. Also, as promised in our previous release notes, it is now possible to remove multiple groups in a single request. Lastly, this release contains many performance- and memory-related improvements. As always, we've also included a number of smaller improvements and fixes.
Important notice
TKH-3620 The minimum memory requirement for new installations has been increased from 6GB to 8GB. If your VM currently has less than 8GB of memory available, we strongly recommend increasing the memory size to at least 8GB. Your installation will likely continue to function with less than 8GB of memory. However, you may experience degraded performance or even out-of-memory errors.
Identity Lifecycle Management
We continue to evolve our comprehensive Identity Lifecycle Management (ILM) and Identity Governance and Administration (IGA) capabilities within Topicus KeyHub. This release reinforces that commitment with a variety of new features.
Access profiles available to all users
TKH-3534 We've changed the scoping of the ILM license feature. This license feature is no longer required to use access profiles and the associated account attribute management. This means that from now on, everybody is free to use access profiles. Please note that an ILM license remains required to access specific ILM-related features, such as:
- Account provisioning via access profiles
- Source directory provisioning with writable accounts
- Identity sources
- Inbound SCIM provisioning
Identity sources
TKH-3360 For account attribute definitions that allow self-service, it is now possible for the user to provide his or her own values. The user's profile page displays a list of self-service attributes, allowing the user to update these values if needed.

[Image: Self-service for attributes]
TKH-3362 It is now possible to import account attributes directly from CSV files. For this, a new type of identity source was added, which defines the structure of the CSV file. This definition can even be used to repeatedly import updated versions of the CSV file. This provides an easy way to manage attributes that are not covered via an automated integration.
TKH-3634 Until now, Chapter 19 (Identity sources) of our manual only indicated that this module was under development. If you open the manual, you will now find a section covering our AFAS and CSV import identity sources.

[Image: Identity sources]
Complex attributes
TKH-3603 A new type of attribute is introduced: complex (or 'JSON'). These attributes support nested properties and are represented as JSON objects. This allows you to store virtually anything in an account attribute in a structured way.

[Image: Complex attribute]
Smaller improvements to ILM and IGA
The following smaller improvements and bug fixes are included in the Topicus KeyHub 46 release:
- TKH-3551 It is now possible to configure the interval between full synchronisations for linked systems. The default 'smart' setting will automatically determine an appropriate interval between 1 and 24 hours, depending on the number of changes detected during previous synchronisations.
- TKH-3552 The log level is now configurable per linked system, greatly reducing the amount of logging under normal circumstances.
- TKH-3588 Our identity source connector service is now completely stateless, allowing easy load balancing of requests over multiple nodes.
- TKH-3592 Adding a new group on system via a linked system incorrectly asked for an access profile, making it impossible to add a group this way.
- TKH-3594 TKH-3596 In some cases, it was possible to select invalid groups as owner for a new access profile, resulting in a permission denied error.
- TKH-3599 Trying to inspect or edit values for attributes that are 'freely usable' (i.e. not bound to a directory) no longer results in permission denied errors.
- TKH-3600 Accounts are now sorted correctly on the attribute details page for an access profile.
- TKH-3637 The LDAP OU for groups on the internal LDAP connector no longer gives an error when trying to list all groups.
Removing groups in bulk
TKH-3493 As announced in the release notes for Topicus KeyHub 45, it is now possible to remove multiple groups with a single request. This allows you to remove entire sections in one go, for example when an entire environment is removed or when a product is discontinued.
TKH-3499 As part of this change, the user interface for selecting groups was redesigned. This change was also applied to the similar page for selecting groups to move to another organisational unit.

[Image: The new remove groups design]
The following smaller improvements and bug fixes were applied to removing groups:
- TKH-3459 Removing groups now correctly checks all relations to linked systems (owner, technical administrator, content administrator).
- TKH-3460 Removing groups now correctly checks all relations with organisational units (owner and specific roles selected under its settings).
- TKH-3541 The test coverage for removing groups was improved significantly.
- TKH-3542 The service responsible for removing groups was refactored to make it more readable, more performant and easier to maintain.
- TKH-3590 TKH-3591 Mails and notifications no longer contain 'null' instead of the name of the group to remove.
- TKH-3625 With the changes made in version 45, we lost the ability to give a reason for removing a group. It is now once again possible to provide a reason for removing a group.
- TKH-3638 When searching for groups to remove on the selection page, the page will no longer lose the current selection.
Performance and memory usage
Unfortunately, we have recently identified a degradation in performance, especially since the release of Topicus KeyHub 44. Some of the issues were caused by the new logging for account provisioning, while others were caused by regressions in components running on the OS-level. Our team has worked hard to address these issues in Topicus KeyHub 46. We have made the following changes:
- TKH-3529 TKH-3617 TKH-3624 We now calculate and store summaries with statistics for provisioning logs, greatly reducing the load on the database compared to gathering these statistics on the fly.
- TKH-3564 The performance of permission checking has been improved substantially by checking easy-to-check permissions first. In many cases, these easy-to-check permissions are also more likely to yield a positive outcome.
- TKH-3565 The performance of the account profile page was improved.
- TKH-3570 We fixed a concurrency issue between a background task and activating groups on the dashboard.
- TKH-3620 The Topicus KeyHub VM now requires 8GB of RAM to function properly. The distribution of this memory has also been adjusted, giving more memory to certain components and slightly less to others. This should make out-of-memory situations much less likely.
- TKH-3636 We fixed an error in the construction of some queries which would cause a large number of joins with the same table to be added.
- TKH-3639 We've discovered that salt-api, a critical component for configuration management of the VM, has a memory leak. Until this issue is fixed, salt-api will be restarted automatically every 24 hours.
Assorted improvements
The following improvements and bug fixes, both large and small, were made:
- TKH-3099 It is now possible to scope a group classification to a specific organisational unit subtree. The classification won't be available for groups outside this subtree.
- TKH-3478 An audit record was added for revoking authorisation for group activation.
- TKH-3491 When sending a mail to a group, you can now choose between just the managers or all members as recipient. The subject can now also be specified.
- TKH-3524 A warning will now be displayed when sharing a vault record from a group that requires activation for vault access.
- TKH-3531 The update files now contain metadata describing the contents of the update file. This will prevent users from using an incorrect file.
- TKH-3533 The support dumps now contain information about license features in use.
- TKH-3539 The configuration for elevate was changed to prevent it from searching for packages in online repositories. This will help with the next major OS upgrade.
- TKH-3548 If allowed by its metadata, a hotfix can now be applied multiple times.
- TKH-3549 The dashboard of the appliance managers on nodes in a cluster other than the cluster coordinator now shows much more information.
- TKH-3550 During long-running tasks, Topicus KeyHub will check if an upgrade was started. If so, the long-running task is aborted and restarted after the upgrade. This will prevent locking issues on the database.
- TKH-3554 The guest tools for VMware, KVM and Xen are now installed automatically if any of these virtualisation platforms is detected.
- TKH-3561 The most important logs are now recorded with millisecond precision.
- TKH-3562 We've added two fields to webhook payloads: 'product' and 'origin'. The first contains the fixed value 'Topicus KeyHub', the second the URL of the Topicus KeyHub environment.
- TKH-3574 When restoring a large database from one node in a cluster to another, the webhook call to initiate the transfer should no longer time out.
- TKH-3580 A small typo was fixed in the audit log entries for changes to the responsible disclosure setting.
- TKH-3587 More tests were added around account lockouts after multiple failed login attempts.
- TKH-3593 Tests are now run with the minimum required license feature set for that test to pass. This allows us to spot bugs that only occur when certain license features are disabled.
- TKH-3595 Tests were added to cross-check property names and pages in our translations. These tests identified about 20 spots where translations were missing or labelled incorrectly.
- TKH-3606 The 'Apply configuration' button is now properly hidden when starting the configuration rollout during installation.
- TKH-3609 A permission error caused support dumps on cluster environments to only contain information from the first node.
- TKH-3612 Some queries and permissions did not check all properties of the webhook.
- TKH-3613 We no longer support webhooks on specific accounts. Support for this was never implemented in the UI or the RESTful API, but nonetheless existed in the domain model.
- TKH-3616 The audit dashboards no longer show incorrect numbers for auditors on organisational units below the root.
- TKH-3622 All CSV files produced or consumed by Topicus KeyHub are now RFC-4180 compliant. The most notable change is how double quotes are now escaped by repeating them: ""
- TKH-3623 Generating the statistics for a support dump could trigger a concurrency error.
- TKH-3626 On step 4.1 of the installation, the 'Clear all' button was shown when nothing was entered yet. Clicking it would result in an error.
- TKH-3629 The Apple APNS certificate for push notifications was renewed.
- TKH-3647 We've fixed inadvertently swapped translations for audit record types for enabling and disabling two-factor authentication.

