Release notes

Axiomatics Services Manager (ASM) features, bug fixes, and known issues by release date.

Version 7.5.0

What's new

• PostgreSQL upgrade

  PostgreSQL was upgraded to version 15.4 that introduced various vulnerability fixes, enhancements, and performance improvements.

• InfluxDB upgrade

  InfluxDB was upgraded to version 2.7.3 that introduced several bug fixes, security updates, and improvements.

• Attribute Connector versions

  The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.

  ASM 7.5.0 is delivered with the following versions of the standard attribute connectors:

  • LDAP Attribute Connector 6.3.0
  • SQL Attribute Connector 6.2.2
  • Table Attribute Connector 7.0.0
  • HTTP Attribute Connector 5.2.0
  • Parser Attribute Connectors 1.0.0
  note

  Earlier versions of the attribute connectors, with the exception of HTTP and Parser, should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.

Improvements

• Online documentation updates

  • To improve clarity and readability, the Upgrade section was revised and split into two distinct sections:

    • Backup and restore

    • Upgrade

    Additionally, new instructions for upgrading air-gapped environments were included.

  • The Installation using Kubernetes section was revised to address the following issues:

    • The Create secrets subsection of the Cloud installation instructions was updated by adding two placeholders for the dbuser and dbpassword instead of offering fixed values.

    • The Final steps subsection of the Cloud installation instructions was updated to include the missing CERTIFICATE_KEY_STORE_PASSWORD variable.

  • The Licenses section has been cleared of duplicate entries.

Fixed issues

• Special characters in PostgreSQL password

  A bug was causing the system to throw an error during deployment when special characters were used in the PostgreSQL password. This is now resolved.

• Domain Management API specification - URL bug fix

  A bug was preventing the system from displaying the Domain Management API specification because it was utilizing an incorrect URL to access Swagger UI. This is now fixed.

Version 7.4.1

What's new

• User interface improvements

  The Dashboard area of ASM is enhanced as follows:

  • The height of the Total requests sidebar was adjusted in order to fit more data and allow users with low-resolution screens to go through the information without scrolling.
  • Historical data, meaning data for the same domain name but for an older domain version, included in the graphs now have a different background than the current data to be easily recognized.

• Attribute Connector versions

  The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.

  ASM 7.4.1 is delivered with the following versions of the standard attribute connectors:

  • LDAP Attribute Connector 6.3.0
  • SQL Attribute Connector 6.2.2
  • Table Attribute Connector 7.0.0
  • HTTP Attribute Connector 5.0.1
  • Parser Attribute Connectors 1.0.0
  note

  Earlier versions of the attribute connectors, with the exception of HTTP and Parser, should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.

Fixed issues

• ASM disposes referenced policies after Attribute Connector removal

  After removing an Attribute Connector from a domain, the configuration for that domain was missing its referenced policies. This is now fixed.

• Inconsistent policy versioning causing ADS exceptions

  Due to a bug, the listed version number of a policy referenced by another policy in a domain file was deviating from the versioning of the policy itself. This disparity was causing ADS to throw an error since it crosschecks both the policy ID and its version. For example, although the actual policy version was 1.0, it was being referenced as 1. This issue is now resolved.

• Invalid domains produced when an attribute ID includes special characters

  ASM would produce an invalid domain if the policy applied to or an Attribute Connector configuration included in the domain was using an attribute with an ID that is not a syntactically correct ALFA identifier. This bug is now fixed.

• Attributes with a non-empty issuer

  Previously, attributes with a non-empty issuer were not included in the Attribute Dictionary section of the authorization domain file. This bug is now fixed.

• Missing attributes section from policies created using Policy Designer

  Due to a bug, the attributes section was missing from the generated domain file of a policy created using Policy Designer. This is now resolved.

• ASM Domain Management visual issues

  Several minor visual bugs in the user interface of ASM are now resolved.

Version 7.4.0

What's new

• Attribute Dictionary updates in the domain file

  Previously, the attributes listed in the domain file produced by ASM were only those provided by the included Attribute Connectors.

  With this update, ASM lists all attributes referenced within the XACML policy, along with all the attributes that are provided and resolved by the Attribute Connectors. As a result, it creates a fully defined Attribute Dictionary in the domain file, enabling better integration with Contextual Authorization Query (CAQ). Learn how CAQ utilizes the Attribute Dictionary in the CAQ documentation.

• ASM user interface revamping

  The UI of ASM now utilizes the new Axiomatics design language that offers a modern experience and various accessibility enhancements such as improved keyboard navigation, contrast ratio, text scaling, and screen reader experience.

  With this update, the following areas of ASM were redesigned:

  • Login page
  • Dashboard
  • Domain management

• Attribute Connector versions

  The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.

  ASM 7.4.0 is delivered with the following versions of the standard attribute connectors:

  • LDAP Attribute Connector 6.3.0
  • SQL Attribute Connector 6.2.2
  • Table Attribute Connector 7.0.0
  • HTTP Attribute Connector 5.0.0
  • Parser Attribute Connectors 1.0.0
  note

  Earlier versions of the attribute connectors, with the exception of HTTP and Parser, should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.

Known issues

• Attributes with a non-empty issuer

  Attributes with a non-empty issuer are not included in the Attribute Dictionary section of the authorization domain file.

  note

  It is only possible to define an issuer for an attribute within an Attribute Connector's configuration file or by importing an attribute into the Attribute Dictionary in ASM.

• Invalid domains produced when an attribute ID includes special characters

  ASM will produce an invalid domain if the policy applied to or an Attribute Connector configuration included in the domain uses an attribute with an ID that is not a syntactically correct ALFA identifier.

  As a workaround, make sure that none of those attributes contain special characters in their ID.

  Only the following character-sets are allowed:

  • Letters: English alphabet a-z and A-Z
  • Numbers: 0-9
  • Punctuation marks: period/full stop . and underscore _

---

Version 7.3.0

What's new

• Kubernetes Axiomatics registry

  With this update, ASM offers the option for easier Kubernetes deployments using a pre-configured remote registry provided by Axiomatics. This new registry eliminates the need to download, build, and push the Docker images, enabling quicker deployments.

• Attribute Connector versions

  The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.

  ASM 7.3.0 is delivered with the following versions of the standard attribute connectors:

  • LDAP Attribute Connector 6.3.0
  • SQL Attribute Connector 6.2.2
  • Table Attribute Connector 7.0.0
  note

  Earlier versions of the attribute connectors should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.

Improvements

• asm-core image size reduction

  The image size of asm-core was reduced allowing for quicker transfer and deployment times.

• Keycloak upgrade

  Keycloak version 20.0.3 is now included with ASM.

• Policy Designer quicker load times

  This version includes several Policy Designer code improvements for quicker load times.

• New Policy Designer system messages

  Policy Designer was updated to provide informative messages when configuration issues occur.

• Policy Designer configuration improvement

  Previously, you could only configure Policy Designer during the ASM deployment stage. If you skipped configuring Policy Designer during this stage, you wouldn't be able to use it later. With this update, you can configure Policy Designer at any time after deploying ASM, which increases deployment flexibility.

Fixed issues

• Disabled attribute cache causes ADS initialization failure

  Previously, ADS could not be initialized if it was configured to retrieve its authorization domain from ASM and the attributes cache was disabled in the ASM Attribute Connector Management UI (the default behavior).

  This has been resolved, and no workarounds are required.

• Maven-related error when building ASM

  Fixed an issue that was causing Docker deployments to fail due to a problem with the certificate on Maven's repository.

---

Version 7.2.0

What's new

• Policy Designer

  Policy Designer is a web application bundled with ASM that allows business and application owners to express simple policies in a natural language, removing the burden of learning a formal authorization language.

  Policy Designer enables orchestrated authorization across an organization by focusing on the following key goals:

  • Accelerate adoption: Accelerate the adoption of orchestrated authorization.
  • Reduce burden: Reduce policy authoring burden on the IAM/Security team.
  • Scale securely: Empower every application owner to create secure authorization policies.
  • Gain insights: Gain policy insights to evolve the overall authorization strategy.

• Kubernetes deployment

  ASM offers enhanced support for deployments with Kubernetes (K8s) that achieve improved stability, availability, and efficiency. K8s allows you to easily scale your application and provides self-healing capabilities to restart or replace a container when it fails or crashes. This results in high uptime and performance while reducing costs and administration requirements.

• Attribute Connector versions

  The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.

  ASM 7.2.0 is delivered with the following versions of the standard attribute connectors:

  • LDAP Attribute Connector 6.3.0
  • SQL Attribute Connector 6.2.2
  • Table Attribute Connector 7.0.0
  note

  Earlier versions of the attribute connectors should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.

Known issues

• License update on Kubernetes environments

  The license update procedure through the UI of ASM is not functional on Kubernetes environments. Instead, the procedure should be carried out using the CLI.

---

Version 7.1.0

What's new

• Dashboard for authorization metrics

  The Dashboard is a new feature introduced to ASM, providing visualization of key metrics for monitoring the authorization performance of the running ADS instances. The metrics data for the graphs of the Dashboard are published by ADS to ASM, and stored in an instance of InfluxDB running within ASM.

  Graphs display Request Rate (successful requests and errors), Decisions (number of permit/deny/indeterminate/not applicable), and Request Latency (the distribution of the duration of the requests).

  The Dashboard (and the inclusion of the supporting InfluxDB instance) is an optional feature that can be enabled and disabled by the choice of startup command for ASM.

• User role domain-auditor added

  The role domain-auditor has been added to the user configuration options. This new role is used to manage access to historical data, for example for auditing. Consequently, a user must be assigned this role to have access to the Roll back functionality of ASM.

• Attribute Connector versions

  The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.

  ASM 7.1.0 is delivered with the following versions of the standard attribute connectors:

  • LDAP Attribute Connector 6.3.0
  • SQL Attribute Connector 6.2.2
  • Table Attribute Connector 7.0.0
  note

  Earlier versions of the attribute connectors should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM. They should be subject to compatibility information for each attribute connector, respectively.

Fixed issues

• Online documentation updates

  Various revisions and amendments to improve the clarity and usability of the online documentation. In addition, the following chapters have been added:

  • Upgrade
  • Backup and Restore

• Export button becoming unresponsive after executed export

  Previously, the Export button in the Domain Management UI became unresponsive after one use, and a new export was possible only after a page reload. This has been fixed and the Export button now works as expected.

Known issues

• Disabled attribute cache causes ADS initialization failure

  Attribute caching configuration is optional for ADS. If attribute caching configuration is enabled, then the minimum accepted attribute cache parameters values are 1. In the ASM Attribute Connector Management UI, the attributes cache is disabled by default ("Default" = Time to live (seconds)=0, Max cache size=0). The same values apply for the "NoCache" attribute cache configuration (“NoCache” = Time to live (seconds)=0, Max cache size=0).

  When ADS tries to retrieve a domain with zero attribute configuration settings, then ADS cannot be initialized. The issue exists only in the case when ADS is configured to retrieve its authorization domain from ASM. As a workaround the ASM users must navigate to the attribute connectors management UI in the Cache Configuration tab and update the "Default" cache settings (Time to live (seconds), Max cache size) from (0,0) to (1,1).

  On top the "NoCache" attribute cache configuration should not be used.

---

Version 7.0.1

Fixed issues

• State of the containers externalized by using volumes

  Previously, if ASM was stopped using the command docker-compose down, it resulted in the loss of the ASM database, as this command stops the container and removes all the running services. This has been fixed. ASM now uses volumes to externalize the state of the containers, ensuring the persistence of data generated by and used by Docker containers. ASM can now be stopped and restarted without the risk of losing container data.

• Online documentation updates

  Various revisions and amendments to improve the clarity and usability of the online documentation.

Known issues

• Lack of clarity regarding JDBC and JNDI data sources for attribute connectors

  Only the JDBC data source is supported in ASM 7.x. JNDI is not supported. However, in the UI of the Attribute Connector configuration for SQL and Table, JNDI still appears as an option, and there is also an advice against using JDBC displayed. This can be disregarded.

  The performance problem referred to in the UI does not apply anymore, and JDBC must be selected as the data source for a working configuration of an attribute connector.

---

Version 7.0.0

What's new

• Simplified installation of ASM

  This release introduces a simplified way to install and run ASM based on Docker. The new installation process delivers the functionality of ASM without the need to install and run a separate application server.

• New ASM license required

  The ASM 7.0.0 application requires a version 7.0.0 license. A license created for any previous version of ASM will not work. Contact Customer Support for more information.

• Online documentation

  The documentation for ASM has been converted to an online format, and is now exclusively available at https://docs.axiomatics.com. PDFs are no longer included in the distribution. The online distribution model will improve availability and ensure that users always have easy access to the latest version of the documentation.

• Domain Management redesigned

  The Domain Management functionality has been refactored with a new user interface and an enhanced workflow. This is intended to provide users with an improved user experience when creating, editing, and managing domains in ASM.

  Three new features are introduced to Domain Management:

  • Copy will allow users to copy the contents of a domain to another domain.
  • Roll back will allow reverting to an earlier version of a domain.
  • Delete will allow users to delete a domain.

• ASM can call endpoints directly

  It is possible to manage domains by calling the endpoints directly, using a domain management API, as an alternative to using the UI. The project functionality of ASM is implemented in the API via the use of namespaces. This domain management API is also supported by the standalone component Authorization Domain Manager (ADM). See the "Domain Management" section of the documentation for more information.

• Attribute Connector versions

  The development of other Axiomatics components that use attribute connectors makes it necessary to state explicitly the version numbers of the attribute connectors that are compatible with the release of each component.

  ASM 7.0.0 is delivered with the following versions of the standard attribute connectors:

  • LDAP Attribute Connector 6.1.1
  • SQL Attribute Connector 6.2.2
  • Table Attribute Connector 7.0.0
  note

  Earlier versions of the attribute connectors should be considered incompatible with this version of ASM and should not be used. Updated versions of the attribute connectors may be released, which may be installed and used with this version of ASM subject to compatibility information for each attribute connector, respectively.

• Database platform support

  ASM 7.0.0 only supports PostgreSQL for the ASM database. This is handled automatically during the installation, during which a PostgreSQL database is provided and configured for the purpose.

• Services management for ASM-PDP has been removed

  The Services management functionality for ASM-PDP has been removed. ASM 7.x will not manage ASM-PDP instances. Access Decision Service (ADS) is the primary authorization engine for ASM 7.x onwards.

Known issues

• Missing or invalid license blocks ASM

  If ASM 7.0.0 is initialized with a missing or invalid license during startup, all further actions are blocked. An invalid license would be an expired ASM 7.0.0 license or a license created for any previous version of ASM.

  To resolve the issue of an invalid license, replace the invalid license with a valid license and run the docker compose -- build command again.

  To resolve the issue with a missing license, navigate to the docker\ folder of the extracted distribution. There you will find an empty folder with the name of the license file. Delete the folder, put a valid license file in the docker/ folder and run the docker compose -- build command again.

• Error message appears on user's first login

  When a new user logs in for the first time, an error message may appear. Logging out and then logging back in again will resolve this. If the user has not yet been assigned to a project, an information message to that effect will be displayed.

• Export button unresponsive after executed export

  When the Export button in the Domain Management UI is clicked, the authorization domain is exported as expected. After that, the button becomes unresponsive for that particular domain, and clicking it again will not trigger a new export action. Reloading the page will make the button responsive again.

• Changing project name causes domains to be unavailable

  If the name of a project is changed, the authorization domains previously assigned to that project can no longer be retrieved. Changing back to the original name restores the domain assignments.

• Projects cannot be removed

  Projects created in ASM 7.0.0 cannot currently be removed. This feature will be provided in an upcoming release.