PingDataGovernance 8.1.0.0 Release Notes
Critical fixes
This release of the Data Governance Server addresses critical issues from earlier versions. Update all affected servers appropriately.
- Addressed an issue that could lead to slow, off-heap memory growth. This only occurred
on servers whose
cn=Version,cn=monitor
entry was retrieved frequently.- Fixed in: 8.1.0.0
- Introduced in: 5.2.0.0
- Support identifiers: DS-41301
- The following enhancements were made to the topology manager to make it easier to
diagnose connection errors:
- Added monitoring information for all the failed outbound connections (including the time since it has been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
- Fixed in: 7.3.0.0
- Introduced in: 7.0.0.0
- Support identifiers: DS-38334 SF#00655578
- The topology manager now raises a
mirrored-subtree-manager-connection-asymmetry
alarm when a server can establish outbound connections to its peer servers but those peer servers cannot establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry.- Fixed in: 7.3.0.0
- Introduced in: 7.0.0.0
- Support identifiers: DS-38344 SF#00655578
- Fixed two issues in which the server could have exposed some clear-text passwords in
files on the server file system.
- When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor.
- When running certain command-line tools with an argument instructing the tool to read a
password from a file, the password contained in that file could have
been written into the server's tool invocation log instead of the path
to that file. Affected tools include backup,
create-initial-config,
ldappasswordmodify,
manage-tasks, manage-topology,
reload-http-connection-handler-certificates,
remove-defunct-server,
restore, rotate-log, and
stop-server. Other tools are not affected. Also
note that this only includes passwords contained in files that were
provided as command-line arguments; passwords included in the
tools.properties file, or in a file referenced
from tools.properties, would not have been exposed.
In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords might have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.
We recommend changing any administrative passwords you fear might have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition might have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations. You also might want to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you might want to sanitize or destroy any existing tool invocation log files that might contain clear-text passwords.
- Fixed in: 7.3.0.0
- Introduced in: 7.0.0.0
- Support identifiers: DS-38897 DS-38908
- The following enhancements were made to the topology manager to make it easier
to diagnose connection errors:
- Added monitoring information for all the failed outbound connections (including the time since it has been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
- Fixed in: 7.2.1.0
- Introduced in: 7.0.0.0
- Support identifiers: DS-38334 SF#00655578
- The topology manager now raises a
mirrored-subtree-manager-connection-asymmetry
alarm when a server can establish outbound connections to its peer servers but those peer servers cannot establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry.- Fixed in: 7.2.1.0
- Introduced in: 7.0.0.0
- Support identifiers: DS-38344 SF#00655578
- Fixed two issues in which the server could have exposed some clear-text
passwords in files on the server file system.
- When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor.
- When running certain command-line tools with an argument instructing the
tool to read a password from a file, the password contained in that file
could have been written into the server's tool invocation log instead of
the path to that file. Affected tools include backup,
create-initial-config,
ldappasswordmodify,
manage-tasks, manage-topology,
reload-http-connection-handler-certificates,
remove-defunct-server,
restore, rotate-log, and
stop-server. Other tools are not affected. Also
note that this only includes passwords contained in files that were
provided as command-line arguments; passwords included in the
tools.properties file, or in a file referenced
from tools.properties, would not have been exposed.
In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords might have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.
We recommend changing any administrative passwords you fear might have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition might have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations. You also might want to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you might want to sanitize or destroy any existing tool invocation log files that might contain clear-text passwords.
- Fixed in: 7.0.1.3
- Introduced in: 7.0.0.0
- Support identifiers: DS-38897 DS-38908
Upgrade considerations
Keep in mind the following important considerations for upgrading to this version of PingDataGovernance Server.
- General
-
-
PingDataGovernance 8.1.0.0 uses a new policy request format that requires changes to the Trust Framework.
If you are using policies intended for a previous release, you can continue to use your existing policies by setting the
trust-framework-version
property of the Policy Decision Service to v1. If you upgrade your server using the update tool, this property is set for you automatically.The v1 format is deprecated, however, and you are strongly encouraged to update your Trust Framework as soon as possible. To do this, load your existing policies in the Policy Administration GUI and apply the Trust Framework changes by going to resource/policies/upgrade-snapshots/8.0.0.0-to-8.1.0.0.SNAPSHOT file included with the server. Then, configure PingDataGovernance Server to issue policy requests using the new Trust Framework by setting the
and selecting thetrust-framework-version
property of the Policy Decision Service to v2. - If you are upgrading to PingDataGovernance 8.1.0.0, an updated version of the Policy Administration GUI is required.
- The PingDataGovernance Policy Administration GUI no longer uses the UNIX environment variable PING_HOSTNAME. Instead, server administrators should use PING_EXTERNAL_BASE_URL to specify both the domain and the port. For more information, see the PingDataGovernance Server Administration Guide.
-
- Policy processing and advice
-
- The Allow Attributes advice and the Prohibit Attributes advice have been removed and can no longer be used. Requests involving policies that refer to these advice types will fail.
- The
HttpRequest.Headers
policy request attribute is not available starting with Trust Framework version v2. It has been replaced by theHttpRequest.RequestHeaders
andHttpRequest.ResponseHeaders
policy request attributes. Update existing policies or Trust Framework entities that refer toHttpRequest.Headers
to refer toHttpRequest.RequestHeaders
. - SCIM 2 requests now include the resource type in the service value during policy processing. For example, for a SCIM 2 request that affects the "Users" resource type, the service value will now be "SCIM2.Users" instead of "SCIM2". Existing policy rules or targets that rely on an exact equality match for "SCIM2" must be updated. For example, a condition of "Service Equals SCIM2" would need to be updated to "Service Matches SCIM2".
- For security, by default, the policy engine's SpEL processor now invokes Java classes
only in the
allow-list
presented in the PingDataGovernance Server Administration Guide. To use other classes, add a key to thecore
section of the Policy Administration GUI's configuration calledAttributeProcessing.SpEL.AllowedClasses
with a list of the classes to include. If you are using embedded PDP mode, add a policy configuration key of the same name to the PingDataGovernance Server configuration.
- PDP API
-
- The XACML-JSON PDP API now requires a different request format. With this new format, you can make multiple decisions using a single HTTP request. In addition, the response format is now compliant with the XACML-JSON specification. The 8.0 PDP API request format is no longer supported. For more information, see the PingDataGovernance Server Administration Guide.
- Peer setup and clustered configuration
-
- Peer setup and clustered configuration are deprecated and will be removed in PingDataGovernance 9.0. We encourage deployers to manage server configuration using server profiles, which support deployment best practices such as automation and Infrastructure-as-Code (IaC). For more information about server profiles, see the PingDataGovernance Server Administration Guide.
- If you have upgraded a server that is in a cluster (that is, has a cluster name set in the Server Instance configuration object) to version 8.1, you will not be able to make cluster configuration changes until all servers with the same cluster name have been upgraded to version 8.1. If needed, you could create temporary clusters based on server versions and modify each server's cluster name appropriately to minimize the impact while you are upgrading.
What's new
-
Updated the Policy Administration GUI for common tasks during policy development. Now the GUI shows decision trace graphs for the most recent policy decisions, including their attributes. Also, administrators can reuse and chain together attribute processors as well as add attribute processing as an additional step to attribute resolution. Combined, this greatly improves the capabilities of attribute processing while removing any clutter of intermediate attributes in the Trust Framework.
-
Added more actions for fine-grained enforcement on API and SCIM requests and responses. Using the
modify-headers
advice, now policy can modify an API's request and response headers. Using theregex-replace-attributes
advice, now policy can search and replace known or potentially sensitive values or value patterns within requests and responses. -
Updated the core attributes used in policy decisions for SCIM and API transactions to add use cases, simplify policy testing, and improve performance. Added attributes for the raw OAuth2 Access Token and the client's IP address. Also, you can mock all
HttpRequest
child attributes individually during policy testing in the Policy Administration GUI. This avoids the complexity of testing with a large, complexHttpRequest
mock object. -
Improved support for highly automated or orchestrated environments that provide auto-healing and auto-scaling. A new, simple HTTP status endpoint now reports overall instance health and availability to a cluster orchestrator like Kubernetes or to a network load balancer like AWS Network Load Balancer. You can determine overall instance health through the configuration of any combination of internal monitoring gauges and thresholds.
-
Updated the Policy Administration GUI to support single sign-on with other OpenID Connect Providers besides PingFederate.
-
Changed the Policy Decision Point API to support batches of requests and decision responses. Previously, you could externalize business logic from non-API use cases, like legacy web applications, using the PDP API, but only one decision at a time. For better performance, now an enforcement point can submit a batch of requests and receive a batch of decision responses.
-
Added TLS security options for REST and LDAP Trust Framework Services that give more flexibility in preproduction environments and more security in production environments. Now administrators can relax TLS certificate checks, configure specific certificate trust, and provide client certificates for full mutual TLS security.
-
Improved the Policy Administration GUI setup process to support automated deployments and Docker containers. Now you can use the same deployment scripts or Docker image across different preproduction and production environments by using environment variables to provide instance- and environment-specific values. Also, it is now easier to move the policy database to a persistent volume, thereby retaining policy history across Docker image updates.
-
Simplified the Policy Administration GUI upgrade process. Now you can use the setup tool to update an existing Policy Administration GUI. Doing so automatically updates the policy database, if necessary.
-
Several improvements to collect-support-data to help troubleshoot PingDataGovernance servers when running in containers. To build an archive of support data outside of the container, administrators can schedule the collect-support-data tool to run as a recurring task and direct its output to a volume mounted to a host directory. To get support data on-demand, administrators can use collect-support-data on a client system, directing it to run the task remotely and download the results.
Known issues / workarounds
The following items are known issues in the current version of PingDataGovernance Server:
- The Policy Administration GUI produces an error when a user attempts to import an exported snapshot that contains references to named value processors.
- Several known issues can occur when you use the Administrative Console with Tomcat 9.0.31. You can resolve these issues by upgrading to Tomcat 9.0.33 or later.
- If you use the create-systemd-script tool to create a forking
systemd service, the service is stopped by the
systemctl stop ping-data-governance.service command. At
that time, you can see the status using the systemctl status
ping-data-governance.service command. That status might contain an
indication of failure:
Active: failed (Result: exit-code)
. This error has to do with the way the service exits. It is harmless.
Resolved issues
The following issues have been resolved with this release of PingDataGovernance Server.
Ticket ID | Description |
---|---|
DS-1046, DS-1204, DS-36547 |
Added support for remotely invoking the collect-support-data tool
using an administrative task and for invoking the tool on a
regular basis as a recurring task. The tool has also been
updated to add an |
DS-37829 |
The create-systemd-script tool now creates a "forking" service file because Ping services are started by a process (the start-server script) that is different than the actual service process. |
DS-38122 |
Added support for an extended operation that can be used to invoke the
collect-support-data tool from a remote
system and stream the output and resulting support data archive
back to the client. The collect-support-data
command-line tool has been updated to support this capability
through the new |
DS-38535 |
Fixed an issue that could cause the server to generate an administrative alert about an uncaught exception when trying to send data on a TLS-encrypted connection that is no longer valid. |
DS-39076 |
The Policy Decision Service's |
DS-39587 |
The payload formats of the include-attributes and exclude-attributes advices are more permissive. If only one path is needed, you can enter a JSONPath directly; previously, you had to enter an array of strings. For example, both the payload '$.secret' and the payload '["$.secret"]' now remove the "secret" attribute from the response. |
DS-39733 |
A new advice type, |
DS-39734 |
The advice type |
DS-39791 |
The "service" value used in policy requests for SCIM 2 operations now includes the SCIM resource type, using the format "SCIM2.<resource type>". For example, if the current operation targets the "Users" resource type, then the service value used in the corresponding policy request will be "SCIM2.Users". This allows policy writers to easily match SCIM 2 requests by resource type. |
DS-39798 |
Fixed a bug in which SEMI_AGGRESSIVE and AGGRESSIVE JVM Tuning Parameters were previously allowed to both be selected. |
DS-40119 |
Fixed an issue where the SCIM attributes |
DS-40356 |
Updated the manage-profile tool to prevent displaying warnings about offline config changes when starting the server. |
DS-40410 |
Previously, the |
DS-40551 |
Fixed an issue that could prevent some tools from running properly with an encrypted tools.properties file. |
DS-40567 |
A license is now always required when using the manage-profile replace-profile tool. |
DS-40577 |
The PingDataGovernance Gateway no longer retains the changes that policy advice performs on hop-by-hop, resource versioning, or other HTTP headers intended for proxy use. |
DS-40649 |
The Sideband API now accepts prevalidated access token claims provided by an API gateway plugin. This prevents PingDataGovernance Server from duplicating work already performed by the API gateway, potentially improving overall performance in some scenarios. For information about configuring this feature, see the PingDataGovernance Server Administration Guide. |
DS-40746 |
Updated the logic that the server uses to select an appropriate default set of TLS cipher suites. |
DS-40767, DS-41229 |
Fixed an issue in which a PingDataGovernance Server could return an HTTP 500 error while
logging the policy decision response if using these items:
Also, the Policy Decision Logger now records external policy decisions to the policy decision log as a single line for easier use with the Policy Administration GUI Decision Visualizer. |
DS-40790 |
Server SDK extensions for PingDataGovernance Server no longer support the use of an
internal ScimInterface. This was previously available using the
|
DS-40806 |
Fixed an issue that could cause the shutdown process to stall if the server is configured to use TCP to communicate with a StatsD endpoint that has become unresponsive. |
DS-40823 |
The PingDataGovernance Policy Administration GUI setup tool now uses relative paths when configuring the Advice JSON schema files. |
DS-40889 |
Fixed an issue with recurring exec tasks where the working-directory attribute was ignored. |
DS-40909 |
All policy files, including snapshots, deployment packages, and upgrade snapshots, are now bundled with both PingDataGovernance Server and the PingDataGovernance Policy Administration GUI in the resource/policies directory. |
DS-40963 |
You can now specify a custom OpenID Connect client ID when setting up the Policy Administration GUI. |
DS-40980 |
PingDataGovernance Server no longer prevents a server with an expired license from restarting. |
DS-40984 | The include-attributes , exclude-attributes ,
modify-attributes , and
filter-response advice now support request and
response bodies that are JSON Arrays as well as Objects. |
DS-41054 |
Fixed an issue that stopped new extensions from being installed. |
DS-41074 |
Fixed an issue with the way the server reports memory usage after completing an explicitly requested garbage collection. |
DS-41086 |
Updated the StatsD monitoring endpoint to replace any spaces, commas, or colons with underscores, and remove and single quotes or double quotes in sent metric lines. This simplifies parsing of the produced metrics. |
DS-41087 |
The Policy Administration GUI now includes decision evaluation details in decision-audit.log by default. With this change, policy writers can visualize decisions by copying and pasting the JSON into the Decision Visualizer. |
DS-41115 |
Setup no longer supports adding servers to a topology with mirrored configuration when run interactively. |
DS-41118 |
PingDataGovernance now provides a gauge called HTTP Processing (Percent) that measures the capacity that the server has to process new incoming HTTP requests. |
DS-41126 |
Updated the server to make the general monitor entry available to JMX clients. |
DS-41131 |
The XACML-JSON PDP API now requires a different request format. With this new format, you can make multiple decisions using a single HTTP request. In addition, the response format is now compliant with the XACML-JSON specification. For more information, see the PingDataGovernance Server Administration Guide. |
DS-41142 |
Improved debugging support for Server SDK extensions. If debugging is enabled, the server will now generate a debug message whenever it invokes an extension. For some extension methods that return a value, the server will also generate a debug message with that return value. |
DS-41198 |
Updated the PingDataGovernance setup process to support joining an existing PingDirectory topology in noninteractive mode. To view the noninteractive arguments for joining a PingDirectory topology, in the output of setup --help, look in the "Join an Existing Directory Server Topology Options" section. Alternatively, after setup is complete, you can run the manage-topology add-server command to join a PingDirectory topology. |
DS-41201, DS-41615, DS-41693 | You can now configure load-balancing algorithms to automatically detect PingDirectory Servers that handle SCIM 2 API requests and token owner lookups made by SCIM Token Resource Lookup Methods. For more information, see the PingDataGovernance Server Administration Guide. |
DS-41235 |
Updated the |
DS-41236 |
To avoid inconsistencies, changing a clustered configuration now requires all servers in the cluster to be on the same product version. Servers will not pull any clustered configuration from the master of the cluster if they are on a different product version. |
DS-41244 |
The Policy Administration GUI setup now allows users to define policy
configuration keys, trust store details, and other settings in a
YAML file using the |
DS-41261 |
Fixed an issue with |
DS-41264 |
Fixed an issue where the SCIM Impacted Attributes Provider would return all the attributes of a SCIM PUT request instead of only those that have been modified. |
DS-41265 |
The embedded PDP now automatically loads new, updated, or deleted policy configuration keys. Previously, any policy configuration key change required you to restart the embedded PDP. |
DS-41273 |
The PingDataGovernance Policy Administration GUI setup tool now stores
certain configuration values, including their default values, as
environment variables. For example, the configuration property
|
DS-41289 |
Fixed an issue that prevented password changes for topology administrators unless their password policy was configured to allow pre-encoded passwords. |
DS-41294 |
Fixed an issue that could cause the PingDataGovernance license to be deleted when joining a PingDirectory topology using manage-topology add-server. |
DS-41301 |
Critical: Addressed an issue that could lead to slow, off-heap memory growth. This
only occurred on servers whose
|
DS-41309 |
When setting up the Policy Administration GUI in noninteractive mode, you can now specify the base URL of an OpenID Connect provider instead of a hostname and port. With this change, you can use the Policy Administration GUI with OpenID Connect providers that include a customer-specific ID in their URLs, such as PingOne. |
DS-41313, DS-41800, DS-41839 |
PingDataGovernance Server now requires a Trust Framework version to be explicitly specified in the Policy Decision Service configuration. The Trust Framework version configuration determines the format used by the server to generate policy requests and must be compatible with the actual Trust Framework used by your policies. For more information about Trust Framework versions, see the PingDataGovernance Server Administration Guide. PingDataGovernance Server will now also raise an alarm and mark the server as UNAVAILABLE if the Policy Decision Service is not ready to evaluate policies and requires further configuration. This will happen, for example, after installing the server for the first time. |
DS-41329, DS-41330 |
Services in the Trust Framework now support more flexible handling of TLS connection
security: A service can use a client certificate provided by a
key store to handle mutual TLS authentication with an external
server; also, a service can use a custom trust store to
determine whether the certificate presented by an external
server should be accepted. For embedded PDP mode, you can
configure the Policy Decision Service with any necessary key
stores or trust stores using the
|
DS-41366 |
Updated the base monitor entry to include |
DS-41396 |
Updated the Server SDK to add ClientContext and OperationContext methods for obtaining the name and DN of the associated client connection policy. |
DS-41400 |
Updated the file servlet HTTP servlet extension to add support for requiring authentication to access the content. You can limit access to members of a specified set of groups. |
DS-41482, DS-41812 |
Added the |
DS-41659 |
DataGovernance will now enter an UNAVAILABLE state when all of the LDAP external servers backing the UserStoreAdapter are unavailable. |
DS-41731 |
Fixed an issue that could prevent setup from generating a self-signed certificate for systems with non-ASCII hostnames. |
DS-41751, DS-41752 |
The values of Trust Framework attributes marked as secret are now recorded to the policy decision log in encrypted form when using embedded PDP mode. In addition, the trace logger now supports two new options for the pdp-message-type property, "info" and "warning". When these options are enabled, the trace log will record additional details about embedded PDP processing, such as summary information about policy information provider invocations. |
DS-41760 |
The Policy Administration GUI setup tool now automatically upgrades the policy database if an older version is detected. |
DS-41761 |
The Policy Administration GUI now allows users to override additional configuration values at runtime using UNIX environment variables for the policy database credentials (PING_DB_APP_USERNAME, PING_DB_APP_PASSWORD) and the file location (PING_H2_FILE). For more information, see the PingDataGovernance Server Administration Guide. |
DS-41762 |
Fixed an issue where mirrored subtree polling could produce config archive files that were identical or ignored the configured insignificant attributes list. |
DS-41818 |
Added the |
DS-41820 |
Added an administrative task that you can use to generate a server profile. Also added a corresponding recurring task that you can use to invoke the task on a regular basis. |
DS-41821 |
Added an instance root file servlet to the default configuration. HTTPS requests to
/instance-root by authenticated users with the
|
DS-41823 |
Fixed an issue where using the |
DS-41850 |
Servers running on Linux will now log a warning about possible performance impacts if
the current memory control group has
|
DS-41869 |
Fixed an issue in which the Sideband API would respond with an HTTP 500 error if a
request to /sideband/response was missing required subfields of
the |
DS-41908 |
Added a |
DS-41909 |
Added a |
DS-41914 | PingDataGovernance users no longer need to set the Decision Node when configuring Policy External Servers if they are using policy snapshots provided by or created from those provided with the distribution. |
DS-42006 |
The server now warns the administrator at startup if there are multiple versions of the same jar listed in the classpath and the first one in the classpath is not the newest one. |
DS-42033 | Addressed an issue where some tools would throw a NullPointerException if a server was configured with a custom global result code map. |
DS-42150, DS-42163 | Fixed an issue in which the
HttpRequest.RequestURI attribute was malformed
and the HttpRequest.QueryParameters attribute was
missing during the retrieve phase of policy processing for SCIM 2
searches. |
DS-42218 | Fixed an issue in which the PingDataGovernance Gateway generated error responses that did not include a correlation ID. |
DS-42387 | Updated the manage-profile generate-profile
subcommand to exclude files in the ldif/ and
bak/ directories by default when generating
a server profile. If necessary, you can manually include those
directories using the --includePath
argument. |
No ID | In the Policy Decision Point, improved LDAP service executor thread safety and XML interpolation. Also, added support in the HTTP service executor for MA-TLS. |
No ID | Fixed an issue in the Policy Decision Point in which services were called twice when an Attribute is marked as secret and used in a Statement. |
No ID | In the PingDataGovernance Policy Administration GUI, you can now resolve branch merge conflicts within Version Control. Also, branch merges no longer break when merging a source branch with a deleted entity to a target branch where that entity still exists. |
No ID | In the Policy Administration GUI:
|
No ID | Fixed an issue in the Policy Administration GUI in which changes were lost when you reordered Saved Rules. |
No ID | Fixed an issue in the Policy Administration GUI in which creating a condition on a constant Attribute Resolver would throw an error when selecting an Attribute comparand. |
No ID |
The Policy Administration GUI now maintains a buffer of recent policy decision requests that you can view in the Decision Visualizer. This view provides useful details about policy decision requests and responses, attribute resolution, and service calls that would otherwise only be available in the server's policy decision log. |
No ID |
This release of the Policy Administration GUI includes various
improvements to processors and attribute resolvers:
|
No ID |
HTTP services you define in the Trust Framework no longer perform hostname validation if server certificate validation is set to No Validation. |
No ID |
When you define a new policy in the Policy Administration GUI, the default combining algorithm for the new policy is now The first applicable will be the final decision. This algorithm stops evaluating as soon as a decision other than NOT_APPLICABLE is reached. The previous default combining algorithm was Unless One Decision is Deny, the Decision will be Permit. |
No ID |
Fixed an issue in which the Policy Administration GUI login page could fail to behave correctly when loaded directly from a URL or through the web browser history. |
No ID |
Fixed an issue in the Policy Administration GUI in which importing a snapshot would fail with the error message "Unable to decode object". |
No ID |
Fixed various drag-and-drop issues in the Policy Administration GUI. |
No ID |
Fixed a policy engine issue in which a validation exception could be thrown if an attribute containing a processor with named attributes was interpolated in an advice payload. |
No ID |
The following changes to data types have been made in the policy engine:
|
No ID |
Fixed an issue in which multiple uses of the system "Current DateTime" attribute resolver in a single decision request or batch of requests did not yield the same value. |
No ID |
Fixed an issue in the policy engine in which Zoned Date Time values were not represented in textual form using the correct ISO-8601 encoding. |
No ID |
Fixed a policy engine issue in which converting the string "-1" to a boolean would yield a result of False. This will now cause a type conversion error. |
No ID |
Fixed a policy engine issue in which converting the number -1 to a boolean would yield a result of False. This will now return True. |