We are proud to announce Topicus KeyHub 47. This release introduces Segregation of Duties as a new compliance capability, significantly expands the AFAS integration with support for custom attributes and additional data tables, and adds a read-only mode for linked systems to facilitate safe testing without side effects. As always, this release also contains a large number of improvements and bug fixes.
TKH-3538 Topicus KeyHub now supports Segregation of Duties (SoD) through group exclusions. Two groups can be designated as mutually exclusive, meaning a user cannot be a member of both simultaneously. This is a key control for compliance scenarios where conflicting roles must be kept separate.
Setting up a group exclusion requires approval from the managers of both groups involved. Once an exclusion is accepted, any existing members who belong to both groups are automatically removed from the group being set up as the excluding group. Outstanding access requests that would result in a conflict are cancelled as well. Group exclusions are visible on the group details pages for both regular users and auditors.
Group exclusions require the "Compliance Plus" license feature.
(Screenshot: Group exclusions)
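To make the exclusion semantics above concrete, here is a small model of the rules as a worked example. It is added here and is not Topicus KeyHub code or its API; the group names, managers, members and pending requests are constructed sample data, and the class and method names are hypothetical.

```python
"""Model of Segregation-of-Duties group exclusions (added example, not KeyHub code)."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    manager: str
    members: set = field(default_factory=set)


@dataclass
class AccessRequest:
    user: str
    group: str
    status: str = "pending"  # pending | cancelled | granted


class GroupDirectory:
    def __init__(self):
        self.groups = {}        # name -> Group
        self.requests = []      # outstanding and settled AccessRequests
        self.exclusions = set() # frozenset({group_a, group_b}) per exclusion

    def add_group(self, name, manager, members=()):
        self.groups[name] = Group(name, manager, set(members))

    def request_access(self, user, group):
        req = AccessRequest(user, group)
        self.requests.append(req)
        return req

    def conflicts(self, user, group):
        """True if adding `user` to `group` would violate an exclusion."""
        for pair in self.exclusions:
            if group in pair:
                (other,) = pair - {group}
                if user in self.groups[other].members:
                    return True
        return False

    def add_exclusion(self, excluding, other, approvals):
        """Mark `excluding` and `other` as mutually exclusive.

        `approvals` holds the managers who accepted the exclusion; the
        managers of both groups must be among them.
        """
        required = {self.groups[excluding].manager, self.groups[other].manager}
        missing = required - set(approvals)
        if missing:
            raise PermissionError(f"exclusion not approved by: {sorted(missing)}")
        self.exclusions.add(frozenset({excluding, other}))
        # Users in both groups are removed from the excluding group only.
        removed = sorted(self.groups[excluding].members & self.groups[other].members)
        self.groups[excluding].members -= set(removed)
        # Outstanding requests that would now create a conflict are cancelled.
        cancelled = []
        for req in self.requests:
            if req.status == "pending" and self.conflicts(req.user, req.group):
                req.status = "cancelled"
                cancelled.append((req.user, req.group))
        return {"removed_from": excluding, "removed": removed, "cancelled": cancelled}

    def grant(self, req):
        """Approve a request; refused when it would violate an exclusion."""
        if self.conflicts(req.user, req.group):
            req.status = "cancelled"
            return False
        self.groups[req.group].members.add(req.user)
        req.status = "granted"
        return True


def demo():
    """Constructed scenario: approvers and creators of payments must not overlap."""
    d = GroupDirectory()
    d.add_group("payments-approvers", "alice", {"bob", "carol"})
    d.add_group("payments-creators", "dave", {"bob", "erin"})
    d.request_access("carol", "payments-creators")  # conflicts once excluded
    d.request_access("frank", "payments-creators")  # no conflict, stays pending
    result = d.add_exclusion("payments-approvers", "payments-creators",
                             approvals={"alice", "dave"})
    return d, result
```

Running `demo()` removes `bob` from the excluding group only, cancels `carol`'s pending request, and leaves `frank`'s request untouched; any later request that would put a user in both groups is refused by `grant()`.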
This release contains several improvements to AFAS integration and the broader account attribute system.
TKH-3361 Custom attributes can now be read from an AFAS identity source and mapped to account attribute definitions. These values flow through to connected systems, enabling AFAS to act as the authoritative source for additional account attributes beyond the built-in fields.
TKH-3372 Additional connector tables — including complex (multi-valued) tables — can now be fetched from AFAS. This makes a broader set of AFAS data available for use within Topicus KeyHub.
TKH-3644 Directory-specific attribute configuration is being phased out and replaced by the unified account attribute definitions system introduced in earlier releases. Existing directory attributes are migrated automatically.
TKH-3652 Account attributes are no longer blindly propagated from a source system if no access profile is linked that maps those attributes. This prevents unintended attribute values from being written to accounts when no explicit mapping has been configured.
TKH-3724 New attribute values are now normalized before comparison with the old values. This prevents repeated updates being recorded for identical values.
(Screenshot: Custom attributes on AFAS)
TKH-3579 Linked systems can now be placed in read-only (dry-run) mode. In this mode, Topicus KeyHub continues to read data from the system — such as group memberships and account information — but does not perform any writes. This is useful for validating connector configuration and provisioning behaviour without affecting the target system.
(Screenshot: Read-only linked system)
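The read-only mode described above is the familiar dry-run pattern: reads go through to the target, writes are recorded as a plan instead of being applied. The following is an added illustration of that pattern, not KeyHub's connector code; the connector classes, the `reconcile` function and the sample group memberships are all hypothetical and constructed for the example.

```python
"""Dry-run wrapper around a provisioning connector (added example, not KeyHub code)."""


class InMemoryTarget:
    """Stand-in for a linked system; holds group memberships in memory."""

    def __init__(self, groups):
        self.groups = {name: set(members) for name, members in groups.items()}

    def read_group_members(self, group):
        return set(self.groups.get(group, set()))

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def remove_member(self, group, user):
        self.groups.get(group, set()).discard(user)


class ReadOnlyConnector:
    """Forwards reads to the target; turns every write into a recorded plan entry."""

    def __init__(self, target):
        self.target = target
        self.plan = []  # (operation, group, user) tuples that would have been applied

    def read_group_members(self, group):
        return self.target.read_group_members(group)

    def add_member(self, group, user):
        self.plan.append(("add", group, user))

    def remove_member(self, group, user):
        self.plan.append(("remove", group, user))


def reconcile(connector, desired):
    """Bring the target's memberships in line with `desired` (group -> set of users)."""
    for group, wanted in desired.items():
        current = connector.read_group_members(group)
        for user in sorted(wanted - current):
            connector.add_member(group, user)
        for user in sorted(current - wanted):
            connector.remove_member(group, user)


def dry_run(target, desired):
    """Return the write plan without touching `target`."""
    connector = ReadOnlyConnector(target)
    reconcile(connector, desired)
    return connector.plan


def demo():
    # Constructed sample data: the target is out of sync with the desired state.
    target = InMemoryTarget({"vpn-users": {"alice", "bob"}, "admins": {"carol"}})
    desired = {"vpn-users": {"alice", "dave"}, "admins": {"carol"}}
    plan = dry_run(target, desired)
    return target, plan
```

Comparing the plan against the expected changes before switching the linked system back to read-write is the check this mode is meant to enable; the target's memberships are unchanged after `dry_run`.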
Over the years, the account and group views shown to different roles had diverged. We've re-evaluated the data shown and redesigned these screens from the ground up.
TKH-3465 The account details pages for auditors, administrators and help-desk users have been substantially reworked. They now show group and access profile memberships, as well as attributes and the audit log, for all roles with access to these pages.
TKH-3676 The group details page in the administration interface has been redesigned. Navigation and layout have been revised for consistency with other recently updated pages, and links to related resources such as provisioning groups and clients are now accessible to auditors as well.
(Screenshot: Account details)
TKH-3508 The Chart.js library used for dashboard charts has been upgraded to version 4.5.0.
TKH-3544 The bundled PostgreSQL database has been upgraded to version 18. Existing installations will be upgraded automatically. Backups taken on PostgreSQL 17 can be restored on PostgreSQL 18.
TKH-3685 The application server has been upgraded to WildFly 39. This includes an updated JDK version 21.0.10. Note that in this JDK version, all TLS_RSA cipher suites are disabled, as recommended in RFC 9325. This may impact communication with external systems, such as LDAP servers, if those systems still depend on these obsolete cipher suites.
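The suites affected are those whose IANA name starts with `TLS_RSA_WITH_` (RSA key exchange, no forward secrecy), which OpenSSL reports as `Kx=RSA`. The snippet below is an added example, not part of this release or of the JDK, for checking ahead of the upgrade whether a peer still needs them: it lists the RSA-key-exchange suites a local context would offer, and probes a server with a client that offers only (EC)DHE key exchange, which approximates what the updated JDK will negotiate. Host and port in `needs_tls_rsa` are parameters you supply; the function is not exercised offline.

```python
"""Spot TLS peers that still depend on RSA key exchange (added example, not KeyHub/JDK code)."""
import socket
import ssl


def is_tls_rsa_suite(iana_name):
    """True for the suites the JDK groups under TLS_RSA (RSA key exchange)."""
    return iana_name.startswith("TLS_RSA_WITH_")


def rsa_key_exchange_suites(ctx=None):
    """OpenSSL names of the suites in `ctx` that use RSA key exchange (Kx=RSA)."""
    ctx = ctx or ssl.create_default_context()
    # OpenSSL's description field reads e.g. "AES256-SHA TLSv1.2 Kx=RSA Au=RSA ..."
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if "Kx=RSA " in c["description"] + " ")


def forward_secret_context():
    """Client context offering only ephemeral (EC)DHE key exchange, plus TLS 1.3 suites."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE:DHE:!aNULL:!eNULL")
    return ctx


def needs_tls_rsa(host, port=636, timeout=5.0):
    """True if `host:port` cannot complete a handshake without RSA key exchange.

    Certificate verification is switched off because this probe only answers
    the cipher-suite question; it is not a trust check.
    """
    ctx = forward_secret_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.cipher()  # handshake succeeded without RSA key exchange
        return False
    except ssl.SSLError:
        return True
```

A server for which `needs_tls_rsa` returns `True` will stop accepting connections from the upgraded appliance until it is configured to offer ECDHE or DHE suites (or TLS 1.3); a `False` result means the cipher change in this release will not affect it.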
TKH-3708 The pgpool-II connection pooler has been upgraded to version 4.7.1.
The following improvements and bug fixes, both large and small, were made:
TKH-1275 Support dumps now include a report of any deviations between the live database schema and the schema expected by Hibernate. This helps identify schema drift that may have been introduced outside of the normal migration process.
TKH-3635 The Docker healthcheck interval for the application container has been increased to 60 seconds, giving the application more time to recover from transient issues before being marked as unhealthy.
TKH-3646 The filter bar on list pages now applies a minimum width to filter fields, preventing them from becoming too narrow on smaller screens or when many filters are shown simultaneously.
TKH-3649 The maximum allowed file size for file-type vault records has been increased to 5 MB.
TKH-3650 Refreshing an identity provider certificate now takes effect immediately for new SAML SSO sessions. The updated certificate is picked up by the web console without requiring a restart.
TKH-3653 Accept and decline links in notification emails now correctly route through the review page where appropriate, ensuring the user sees the review context before confirming their decision.
TKH-3656 A missing translation for the 'encrypted' property has been added to the appliance backup restore screen.
TKH-3658 Audit log entries for group removal requests stored in the old single-group format are now handled correctly and no longer produce errors when displayed.
TKH-3665 The application healthcheck now detects a broken Infinispan cluster state, such as a split-brain situation, and reports the node as unhealthy so that it will be restarted.
TKH-3672 Deletion and pseudonymisation of audit records is now performed in batches, preventing timeouts and excessive database load when large numbers of records need to be processed.
TKH-3675 Dynamic debug logging for the WireGuard module is now enabled by default, making it easier to diagnose cluster connectivity issues.
TKH-3678 The memory allocation and load listener configuration panels in the application configuration screen are now disabled when the total available VM memory is below the required minimum.
TKH-3680 The comment icon on the group details page was misaligned. It is now correctly centred.
TKH-3681 The change report shown during group removal previously displayed blank space when there were no changes to report. It now shows a proper "no changes" message.
TKH-3683 The properties showing authorizing groups were incorrectly visible while a group was being edited. They are now hidden during edit mode.
TKH-3686 A typographical error in the CSV import translation has been corrected.
TKH-3688 Importing a malformed CSV file no longer results in a server error. Validation errors are now reported with a clear, descriptive message.
TKH-3689 Bulk group deletion now correctly filters the candidate list to groups for which the current user is manager or delegated manager, preventing errors when attempting to delete groups outside that scope.
TKH-3693 The 'Next' button on the group removal confirmation page now correctly detects an expired authentication session and prompts for re-authentication before proceeding.
TKH-3700 The manual now includes a description of the purpose and limitations of maintenance mode, clarifying when it should be used and what effect it has on running processes.
TKH-3701 Fetching group classifications for the audit statistics dashboard now correctly respects the organisational unit tree, preventing permission-denied errors.
TKH-3703 Concurrent cleanup and rolling update on provisioning logs no longer cause the rolling update step to fail.
TKH-3704 Docker images from previous releases are now cleaned up more aggressively during updates, preventing disk space exhaustion on systems that have been updated many times.
TKH-3712 A certificate that was generated by the installer but never used has been removed from the installation process.
TKH-3717 The upgrade to PostgreSQL 18 could cause an automatic snapshot rollback if it took over 45 minutes. The automatic rollback is now disabled during the database migration.