Release notes
Axiomatics Services Manager (ASM) features, bug fixes, and known issues by release date.
Version 7.5.0
What's new
PostgreSQL upgrade
PostgreSQL was upgraded to version 15.4, which introduces various vulnerability fixes, enhancements, and performance improvements.
InfluxDB upgrade
InfluxDB was upgraded to version 2.7.3, which introduces several bug fixes, security updates, and improvements.
Attribute Connector versions
The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.
ASM 7.5.0 is delivered with the following versions of the standard attribute connectors:
- LDAP Attribute Connector 6.3.0
- SQL Attribute Connector 6.2.2
- Table Attribute Connector 7.0.0
- HTTP Attribute Connector 5.2.0
- Parser Attribute Connectors 1.0.0
Note: Earlier versions of the attribute connectors, with the exception of HTTP and Parser, should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.
Improvements
Online documentation updates
To improve clarity and readability, the Upgrade section was revised and split into two distinct sections:
- Backup and restore
- Upgrade
Additionally, new instructions for upgrading air-gapped environments were included.
The Installation using Kubernetes section was revised to address the following issues:
- The Create secrets subsection of the Cloud installation instructions was updated by adding two placeholders for the `dbuser` and `dbpassword` instead of offering fixed values.
- The Final steps subsection of the Cloud installation instructions was updated to include the missing `CERTIFICATE_KEY_STORE_PASSWORD` variable.
The Licenses section has been cleared of duplicate entries.
Fixed issues
Special characters in PostgreSQL password
A bug was causing the system to throw an error during deployment when special characters were used in the PostgreSQL password. This is now resolved.
Domain Management API specification - URL bug fix
A bug was preventing the system from displaying the Domain Management API specification because it was utilizing an incorrect URL to access Swagger UI. This is now fixed.
Version 7.4.1
What's new
User interface improvements
The Dashboard area of ASM is enhanced as follows:
- The height of the Total requests sidebar was adjusted in order to fit more data and allow users with low-resolution screens to go through the information without scrolling.
- Historical data, meaning data for the same domain name but for an older domain version, included in the graphs now have a different background than the current data to be easily recognized.
Attribute Connector versions
The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.
ASM 7.4.1 is delivered with the following versions of the standard attribute connectors:
- LDAP Attribute Connector 6.3.0
- SQL Attribute Connector 6.2.2
- Table Attribute Connector 7.0.0
- HTTP Attribute Connector 5.0.1
- Parser Attribute Connectors 1.0.0
Note: Earlier versions of the attribute connectors, with the exception of HTTP and Parser, should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.
Fixed issues
ASM disposes referenced policies after Attribute Connector removal
After removing an Attribute Connector from a domain, the configuration for that domain was missing its referenced policies. This is now fixed.
Inconsistent policy versioning causing ADS exceptions
Due to a bug, the listed version number of a policy referenced by another policy in a domain file was deviating from the versioning of the policy itself. This disparity was causing ADS to throw an error since it crosschecks both the policy ID and its version. For example, although the actual policy version was `1.0`, it was being referenced as `1`. This issue is now resolved.
Invalid domains produced when an attribute ID includes special characters
ASM would produce an invalid domain if the policy applied to or an Attribute Connector configuration included in the domain was using an attribute with an ID that is not a syntactically correct ALFA identifier. This bug is now fixed.
Attributes with a non-empty issuer
Previously, attributes with a non-empty issuer were not included in the Attribute Dictionary section of the authorization domain file. This bug is now fixed.
Missing attributes section from policies created using Policy Designer
Due to a bug, the attributes section was missing from the generated domain file of a policy created using Policy Designer. This is now resolved.
ASM Domain Management visual issues
Several minor visual bugs in the user interface of ASM are now resolved.
Version 7.4.0
What's new
Attribute Dictionary updates in the domain file
Previously, the attributes listed in the domain file produced by ASM were only those provided by the included Attribute Connectors.
With this update, ASM lists all attributes referenced within the XACML policy, along with all the attributes that are provided and resolved by the Attribute Connectors. As a result, it creates a fully defined Attribute Dictionary in the domain file, enabling better integration with Contextual Authorization Query (CAQ). Learn how CAQ utilizes the Attribute Dictionary in the CAQ documentation.
ASM user interface revamping
The UI of ASM now utilizes the new Axiomatics design language that offers a modern experience and various accessibility enhancements such as improved keyboard navigation, contrast ratio, text scaling, and screen reader experience.
With this update, the following areas of ASM were redesigned:
- Login page
- Dashboard
- Domain management
Attribute Connector versions
The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.
ASM 7.4.0 is delivered with the following versions of the standard attribute connectors:
- LDAP Attribute Connector 6.3.0
- SQL Attribute Connector 6.2.2
- Table Attribute Connector 7.0.0
- HTTP Attribute Connector 5.0.0
- Parser Attribute Connectors 1.0.0
Note: Earlier versions of the attribute connectors, with the exception of HTTP and Parser, should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.
Known issues
Attributes with a non-empty issuer
Attributes with a non-empty issuer are not included in the Attribute Dictionary section of the authorization domain file.
Note: It is only possible to define an issuer for an attribute within an Attribute Connector's configuration file or by importing an attribute into the Attribute Dictionary in ASM.
Invalid domains produced when an attribute ID includes special characters
ASM will produce an invalid domain if the policy applied to or an Attribute Connector configuration included in the domain uses an attribute with an ID that is not a syntactically correct ALFA identifier.
As a workaround, make sure that none of those attributes contain special characters in their ID.
Only the following character sets are allowed:
- Letters: English alphabet `a-z` and `A-Z`
- Numbers: `0-9`
- Punctuation marks: period/full stop `.` and underscore `_`
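A pre-flight check for the workaround above, as an added example that is not part of the Axiomatics documentation: it tests attribute IDs against only the character set listed here (an assumption; it does not implement the full ALFA identifier grammar) and reports each offending character with its position. The function names and the sample IDs are constructed for illustration.

```python
import re

# Character set from the ASM 7.4.0 known-issue workaround: a-z, A-Z, 0-9, '.', '_'.
# An explicit ASCII class is used on purpose: \w and str.isalnum() also accept
# non-English letters such as 'é', which the workaround does not allow.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9._]")


def offending_chars(attr_id):
    """Return (position, character) pairs for characters outside the allowed set."""
    return [(i, ch) for i, ch in enumerate(attr_id)
            if not ALLOWED_CHAR.fullmatch(ch)]


def check_ids(attr_ids):
    """Map every attribute ID that fails the check to its offending characters."""
    report = {}
    for attr_id in attr_ids:
        bad = offending_chars(attr_id)
        if bad:
            report[attr_id] = bad
    return report


# Constructed sample: IDs as they might appear in a policy or in an
# Attribute Connector configuration before a domain is built.
SAMPLE_IDS = [
    "user.role",                                        # passes
    "resource_owner",                                   # passes
    "urn:oasis:names:tc:xacml:1.0:subject:subject-id",  # ':' and '-' fail
    "user-department",                                  # '-' fails
    "clearance level",                                  # space fails
    "employé.id",                                       # non-English letter fails
]

if __name__ == "__main__":
    for attr_id, bad in check_ids(SAMPLE_IDS).items():
        detail = ", ".join(f"{ch!r} at position {i}" for i, ch in bad)
        print(f"{attr_id}: {detail}")
```
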
Version 7.3.0
What's new
Kubernetes Axiomatics registry
With this update, ASM offers the option for easier Kubernetes deployments using a pre-configured remote registry provided by Axiomatics. This new registry eliminates the need to download, build, and push the Docker images, enabling quicker deployments.
Attribute Connector versions
The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.
ASM 7.3.0 is delivered with the following versions of the standard attribute connectors:
- LDAP Attribute Connector 6.3.0
- SQL Attribute Connector 6.2.2
- Table Attribute Connector 7.0.0
Note: Earlier versions of the attribute connectors should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.
Improvements
asm-core image size reduction
The image size of asm-core was reduced, allowing for quicker transfer and deployment times.
Keycloak upgrade
Keycloak version 20.0.3 is now included with ASM.
Policy Designer quicker load times
This version includes several Policy Designer code improvements for quicker load times.
New Policy Designer system messages
Policy Designer was updated to provide informative messages when configuration issues occur.
Policy Designer configuration improvement
Previously, you could only configure Policy Designer during the ASM deployment stage. If you skipped configuring Policy Designer during this stage, you wouldn't be able to use it later. With this update, you can configure Policy Designer at any time after deploying ASM, which increases deployment flexibility.
Fixed issues
Disabled attribute cache causes ADS initialization failure
Previously, ADS could not be initialized if it was configured to retrieve its authorization domain from ASM and the attributes cache was disabled in the ASM Attribute Connector Management UI (the default behavior).
This has been resolved, and no workarounds are required.
Maven-related error when building ASM
Fixed an issue that was causing Docker deployments to fail due to a problem with the certificate on Maven's repository.
Version 7.2.0
What's new
Policy Designer
Policy Designer is a web application bundled with ASM that allows business and application owners to express simple policies in a natural language, removing the burden of learning a formal authorization language.
Policy Designer enables orchestrated authorization across an organization by focusing on the following key goals:
- Accelerate adoption: Accelerate the adoption of orchestrated authorization.
- Reduce burden: Reduce policy authoring burden on the IAM/Security team.
- Scale securely: Empower every application owner to create secure authorization policies.
- Gain insights: Gain policy insights to evolve the overall authorization strategy.
Kubernetes deployment
ASM offers enhanced support for deployments with Kubernetes (K8s) that achieve improved stability, availability, and efficiency. K8s allows you to easily scale your application and provides self-healing capabilities to restart or replace a container when it fails or crashes. This results in high uptime and performance while reducing costs and administration requirements.
Attribute Connector versions
The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.
ASM 7.2.0 is delivered with the following versions of the standard attribute connectors:
- LDAP Attribute Connector 6.3.0
- SQL Attribute Connector 6.2.2
- Table Attribute Connector 7.0.0
Note: Earlier versions of the attribute connectors should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.
Known issues
License update on Kubernetes environments
The license update procedure through the UI of ASM is not functional on Kubernetes environments. Instead, the procedure should be carried out using the CLI.
Version 7.1.0
What's new
Dashboard for authorization metrics
The Dashboard is a new feature introduced to ASM, providing visualization of key metrics for monitoring the authorization performance of the running ADS instances. The metrics data for the graphs of the Dashboard are published by ADS to ASM, and stored in an instance of InfluxDB running within ASM.
Graphs display Request Rate (successful requests and errors), Decisions (number of permit/deny/indeterminate/not applicable), and Request Latency (the distribution of the duration of the requests).
The Dashboard (and the inclusion of the supporting InfluxDB instance) is an optional feature that can be enabled and disabled by the choice of startup command for ASM.
User role domain-auditor added
The role domain-auditor has been added to the user configuration options. This new role is used to manage access to historical data, for example for auditing. Consequently, a user must be assigned this role to have access to the Roll back functionality of ASM.
Attribute Connector versions
The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.
ASM 7.1.0 is delivered with the following versions of the standard attribute connectors:
- LDAP Attribute Connector 6.3.0
- SQL Attribute Connector 6.2.2
- Table Attribute Connector 7.0.0
Note: Earlier versions of the attribute connectors should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.
Fixed issues
Online documentation updates
Various revisions and amendments to improve the clarity and usability of the online documentation. In addition, the following chapters have been added:
- Upgrade
- Backup and Restore
Export button becoming unresponsive after executed export
Previously, the Export button in the Domain Management UI became unresponsive after one use, and a new export was possible only after a page reload. This has been fixed and the Export button now works as expected.
Known issues
Disabled attribute cache causes ADS initialization failure
Attribute caching configuration is optional for ADS. If attribute caching configuration is enabled, the minimum accepted value for each attribute cache parameter is 1. In the ASM Attribute Connector Management UI, the attributes cache is disabled by default ("Default" = Time to live (seconds)=0, Max cache size=0). The same values apply for the "NoCache" attribute cache configuration ("NoCache" = Time to live (seconds)=0, Max cache size=0).
When ADS tries to retrieve a domain with zero attribute configuration settings, ADS cannot be initialized. The issue exists only when ADS is configured to retrieve its authorization domain from ASM. As a workaround, ASM users must navigate to the Cache Configuration tab of the Attribute Connector Management UI and update the "Default" cache settings (Time to live (seconds), Max cache size) from (0,0) to (1,1).
In addition, the "NoCache" attribute cache configuration should not be used.
Version 7.0.1
Fixed issues
State of the containers externalized by using volumes
Previously, if ASM was stopped using the command `docker-compose down`, it resulted in the loss of the ASM database, as this command stops the container and removes all the running services. This has been fixed. ASM now uses volumes to externalize the state of the containers, ensuring the persistence of data generated by and used by Docker containers. ASM can now be stopped and restarted without the risk of losing container data.
Online documentation updates
Various revisions and amendments to improve the clarity and usability of the online documentation.
Known issues
Lack of clarity regarding JDBC and JNDI data sources for attribute connectors
Only the JDBC data source is supported in ASM 7.x. JNDI is not supported. However, in the UI of the Attribute Connector configuration for SQL and Table, JNDI still appears as an option, and a message advising against the use of JDBC is displayed. This can be disregarded.
The performance problem referred to in the UI no longer applies, and JDBC must be selected as the data source for a working configuration of an attribute connector.
Version 7.0.0
What's new
Simplified installation of ASM
This release introduces a simplified way to install and run ASM based on Docker. The new installation process delivers the functionality of ASM without the need to install and run a separate application server.
New ASM license required
The ASM 7.0.0 application requires a version 7.0.0 license. A license created for any previous version of ASM will not work. Contact Customer Support for more information.
Online documentation
The documentation for ASM has been converted to an online format, and is now exclusively available at https://docs.axiomatics.com. PDFs are no longer included in the distribution. The online distribution model will improve availability and ensure that users always have easy access to the latest version of the documentation.
Domain Management redesigned
The Domain Management functionality has been refactored with a new user interface and an enhanced workflow. This is intended to provide users with an improved user experience when creating, editing, and managing domains in ASM.
Three new features are introduced to Domain Management:
- Copy will allow users to copy the contents of a domain to another domain.
- Roll back will allow reverting to an earlier version of a domain.
- Delete will allow users to delete a domain.
ASM can call endpoints directly
It is possible to manage domains by calling the endpoints directly, using a domain management API, as an alternative to using the UI. The project functionality of ASM is implemented in the API via the use of namespaces. This domain management API is also supported by the standalone component Authorization Domain Manager (ADM). See the "Domain Management" section of the documentation for more information.
Attribute Connector versions
The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.
ASM 7.0.0 is delivered with the following versions of the standard attribute connectors:
- LDAP Attribute Connector 6.1.1
- SQL Attribute Connector 6.2.2
- Table Attribute Connector 7.0.0
Note: Earlier versions of the attribute connectors should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM subject to compatibility information for each attribute connector, respectively.
Database platform support
ASM 7.0.0 only supports PostgreSQL for the ASM database. This is handled automatically during the installation, during which a PostgreSQL database is provided and configured for the purpose.
Services management for ASM-PDP has been removed
The Services management functionality for ASM-PDP has been removed. ASM 7.x will not manage ASM-PDP instances. Access Decision Service (ADS) is the primary authorization engine for ASM 7.x onwards.
Known issues
Missing or invalid license blocks ASM
If ASM 7.0.0 is initialized with a missing or invalid license during startup, all further actions are blocked. An invalid license would be an expired ASM 7.0.0 license or a license created for any previous version of ASM.
To resolve the issue of an invalid license, replace the invalid license with a valid license and run the `docker compose -- build` command again.
To resolve the issue with a missing license, navigate to the `docker\` folder of the extracted distribution. There you will find an empty folder with the name of the license file. Delete the folder, put a valid license file in the `docker/` folder and run the `docker compose -- build` command again.
Error message appears on user's first login
When a new user logs in for the first time, an error message may appear. Logging out and then logging back in again will resolve this. If the user has not yet been assigned to a project, an information message to that effect will be displayed.
Export button unresponsive after executed export
When the Export button in the Domain Management UI is clicked, the authorization domain is exported as expected. After that, the button becomes unresponsive for that particular domain, and clicking it again will not trigger a new export action. Reloading the page will make the button responsive again.
Changing project name causes domains to be unavailable
If the name of a project is changed, the authorization domains previously assigned to that project can no longer be retrieved. Changing back to the original name restores the domain assignments.
Projects cannot be removed
Projects created in ASM 7.0.0 cannot currently be removed. This feature will be provided in an upcoming release.