Verify Privilege Vault 11.7.000031 Release Notes

On-premises: October 22, 2024

All references to "Platform" only pertain to Secret Server and not Verify Privilege Vault.

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.33.0

Protocol Handler: 6.0.3.29

If your protocol handler version is 6.0.3.26 or lower, you must manually upgrade to a higher version. Automatic upgrades will not work for versions 6.0.3.26 or below. However, if your protocol handler version is 6.0.3.27 or higher, the automatic upgrade will function properly.

New Features

Entra ID Discovery

We are excited to introduce Entra ID discovery in IBM Security's Verify Privilege Vault! This enhancement expands our current discovery feature by adding support for Microsoft's Entra ID, alongside our existing AWS and GCP discovery types.

With Entra ID discovery, Verify Privilege Vault can now scan Microsoft Entra ID for roles and users, importing users as secrets based on the Entra ID User Account template. This completes the suite of features necessary for Verify Privilege Vault to discover and manage accounts from Microsoft's Entra ID.

Bug Fixes, Changes, and Enhancements

Bug Fixes

Fixed “Secret Erase” translation in some non-English languages.

Fixed a bug where distributed engines ignored WinRM quota limits.

Fixed a bug with running disaster recovery data replication from an older source to a newer replica.

Fixed a UI issue with discovery Import where the button would not respond due to validation against hidden fields.

Fixed an issue that prevented resilient secrets (DR) replica from updating Verify Privilege Vault after the source has been updated with 11.7.31.

Fixed an issue to restore configurability of secrets associated with custom launchers.

Fixed an issue where enabling QuantumLock on a secret threw the error “The partner transaction manager has disabled its support for remote/network transactions.”

Fixed an issue where stored data growth impacted proxy sessions. The secret session table is now managed and part of the supported tables of the data retention feature. Secret session records are now truncated in accordance with the existing data retention configuration. Please make sure to review your organization's Data Retention “Max Record Age” settings.

Fixed an issue where the “All time” filter on the inbox might not show all results.

Fixed an issue where users with MFA enabled would be incorrectly sent to the home page on login, instead of the page they were attempting to access.

Fixed an issue where video conversion failed due to SQL deadlock

Fixed content security policy fields for frame-ancestors.

Fixed incorrect access checks concerning reports.

Fixed incorrect Secret search totals when filtering by multiple templates.

Fixed issue where the “su -id” command was failing when the user did not have access to view the password for the secret they were elevating to.

Fixed issue where the maximum log Length was not used to truncate the tbSystemLog.

Fixed issue with “What folder permissions exist” report. Groups with no active users now properly included on the report

Fixed main navigation alignment issues.

Fixed ServiceNow allowed status validation over distributed engine.

Fixed the “view detail” link on the user detail panel.

Fixed The folder tree is now updated when unlimited admin mode is toggled.

Fixed timeouts for large amounts of data—paging for user audits is now done in the database.

Fixed: “Minimum Required Character Count Rules” on password requirements reverts when updating other things on password requirements.

Fixed: A user that did not have the “view launcher password” role permission was unable to create a secret that had a required password because the password field was hidden.

Fixed: About page links not working.

Fixed: Added null checks for username.

Fixed: Added support for Cisco devices when using a question mark after the command or partial command. This allows Cisco to work as normal, while not allowing the blocked commands.

Fixed: Addressed an issue where a launcher type field that was replicated via resilient secrets would not function with all prompt-able field names.

Fixed: Addressed one scenario where a backend process that publishes session information would error.

Fixed: Adjusted secret overview tab to not use a banner for heartbeat failed.

Fixed: Adjusted Secret tab pending password change status to be a chip instead of a banner.

Fixed: Audit handler was missing the “View Configuration Unlimited Admin” permission as an option.

Fixed: Authentication errors are now 401s for API requests.

Fixed: Broken “view detail” link on the user detail panel.

Fixed: Creating an access request with custom dates/times displayed an incorrect warning or had incorrect dates/times when approved.

Fixed: Discovery runtime summary information is now correctly accessible for screen readers.

Fixed: Distributed engine now respects the MaxShellsPerUser setting for PowerShell tasks. If the setting is set, engine will throttle tasks that leverage PowerShell and requeue messages that are over quota.

Fixed: Extended the Migration Center to migrate all active roles.

Fixed: Folder path now shows when specified in secret import preview.

Fixed: Heartbeat listed as “pending” when the heartbeat is actually disabled. This occurred when the pending status did not resolve before the secret was disabled.

Fixed: Improved compatibility with Windows high contrast mode.

Fixed: In some scenarios only the first 30 subfolders were loaded on initial load for a single folder.

Fixed: In some scenarios the folder tree would not auto-expand when linking directly to a folder.

Fixed: Left navigation expand/collapse toggle incorrectly labeled for screen readers.

Fixed: Login SSH key menu showing properly in cloud when configured.

Fixed: Mobile logo now displaying properly.

Fixed: Most KB links now point to docs.delinea.com instead of delinea.center for redirects to the documentation article.

Fixed: Pinned folders now re-root the tree to the selected pinned folder.

Fixed: Reduced situations where a check-in error could occur when already checked-in.

Fixed: Removed links to legacy create discovery wizard pages.

Fixed: Resolved an issue that caused SAML logins to fail, resulting in a rollback of the previous update.

Fixed: Resolved an issue where approvals that cross a day threshold from UTC could not be requested.

Fixed: Resolved secret permission issue when many user and groups had been selected and only the 60 were saved when edited again. Resolved for teams selection as well.

Fixed: RPC errors for SAP template secrets, which were occurring with SAP “system user” user types, even when using a privileged account during the RPC.

Fixed: Searching in all secrets now shows the full folder path for folder search results.

Fixed: Secret Key rotation failed with the error “Thycotic.AppCore.Cryptography.MacMismatchException: Exception of type 'Thycotic.AppCore.Cryptography.MacMismatchException' was thrown.”

Fixed: Secret password compliance is now calculated when a password is updated to empty and the password is not required. Prior to this, the secret would maintain the compliance flag that was calculated when the password had a value. A password with some characters might fail compliance, but if there is no password and it is not required, then it is compliant.

Fixed: ServiceNow integration could fail with a misleading error due to a space in the domain name.

Fixed: Site name now wraps instead of truncating on the “sites and engines” page so you can read the whole site name.

Fixed: SQL report editor is now properly announced for accessibility.

Fixed: SSH keep-alives sent to the proxy are now relayed to the endpoint server.

Fixed: Suggested secret template toggle, when creating an inline secret from new discovery source, is now more closely positioned to the template list to be more clear.

Fixed: Teams group membership removed when more than 60 items in Team.

Fixed: The SSH key-expiration configuration value now displays correctly.

Fixed: Unlimited admin mode audit dialog box is now correctly aligned.

Fixed: Updated all the logs to be warnings and information and to state whether they retried or not.

Fixed: Updated Discovery Network view to better handle extremely large record numbers.

Fixed: Updated the distributed engine service to persist the current the web-proxy.config file upon update. When upgrading to version from version 8.4.29.0 or lower, the web-proxy.config will be overwritten, but any upgrades afterwards will preserve it.

Fixed: User username link was sometimes unusable. It is is no longer a link. View details link is in menu and preview panel.

Fixed: When viewing folder targets for event pipeline policies the full path is now shown.

Fixed: when viewing the access-request inbox, the request start date and requested date were transposed.

Changes

Change: Admin breadcrumb renamed to Settings.

Change: Corrected license expiration banner link.

Change: Removed the color mode toggle from the top navigation as it is available under user preferences.

Change: The SSL menu item is removed as it is not an option that can be modified in cloud.

Change: User list detail link added back based on user feedback.

Enhancements

Enhancement: Added “RPC PRIVILEGED SECRET UPDATED” and “RPC PRIVILEGED SECRET REMOVED” events to audits.

Enhancement: Added a “Clear cached AD credentials” button in cloud.

Enhancement: Added a “test syslog” button to syslog pages in configuration.

Enhancement: Added a direct link for launching connection manager.

Enhancement: Added AIX support for SSH Proxy su automatic password entry.

Enhancement: Added an OOB RPC template for Okta. Okta requires an “Generic API” secret as the RPC privileged account.

Enhancement: Added an OOB RPC template for ServiceNow. ServiceNow requires an account to have Admin or write permissions to the password field, or an account with those permissions as its RPC privileged account to change the password.

Enhancement: Added landing page for when the user is unable to access Verify Privilege Vault instead of showing banners.

Enhancement: Aria label added to inline secret-preview copy buttons. Main search category toggles now keyboard accessible.

Enhancement: Associated secrets will now show “No Access” in the secret name if you do not have access to it.

Enhancement: Converted grids on 3 Automatic Export pages (Audit, Log and Storage) to thy-data-view for consistent look/feel and functionality, such as allowing Notes field to be fully viewed in right panel on row click rather than via tooltip.

Enhancement: Converted key management to the latest design and added a verification checkbox confirmation step.

Enhancement: Creating secrets in REST API now accepts optional parameters for privileged secret ID and associated secrets.

Enhancement: Heartbeat and password-compliance notices now use chips instead of banners.

Enhancement: Improved startup logging for distributed engines.

Enhancement: New import secret page allows you to import when global setting requires that secrets are in folders.

Enhancement: On premises now shows a diagnostics section under settings in the left navigation panel.

Enhancement: The left navigation folder tree now expands on focus to show longer folder names.

Enhancement: Updated password compliance label to a chip.

Enhancement: Updated Putty to version 0.81. Updated version addresses several Putty vulnerabilities, including the Terrapin vulnerability.

Enhancement: Updated Redis library for improved Redis operations.

Enhancement: Updated the server nodes page.

Enhancement: Updated the user profile menu to have more consistent styling and include links to the account details page.

Enhancement: Updated user sorting to cover 2FA.