Truth in IT
Identity Manager 10 LTS: Base Engine & Developer Updates

One Identity
04/25/2026

Transcript


With the much faster software development we have seen in the last years, more and more dependencies that specific applications have are running us into conflict situations. And this is also the case if Identity Manager starts using components which are not shipped with Identity Manager, for example .exe files called from the PowerShell component or from other components we have for optimization. In these cases the dependencies these applications or .exe files need are of course not the dependencies Identity Manager needs, and so we run into a conflict. Because of that, in the PowerShell component NAT4 we just implemented the isolation type. That means it is now possible to run such .exes at an isolated level, so that they can run with their own dependencies without harming the Identity Manager dependencies or needing to use them. However, this is implemented only in the PowerShell component NAT4 connector currently; maybe there will be something in addition in the future, but currently this is what it is.

Also additionally available now is AWS Secrets Manager support. This is to load the configuration options from secrets in AWS Secrets Manager, and therefore, as you can easily see, you need to write some configuration into your application JSON. How the whole thing works is what you can see on the right-hand side, where at the end the flat structure you need to use is described in more detail. People who are interested in using that should also read the corresponding article in the Identity Manager manual. If we go a little bit more into detail, you see that there is a reload logic implemented. That means if that interval is set to trigger, you can determine how often a reload of these configurations will happen; it could be, for example, five minutes, an hour or a day, depending on what you configure at the end. Of course the interval must strictly be greater than zero. It is not like in other configurations where zero means there is no interval.

On the right-hand side you see the AWS credentials and region resolution. This is especially used if there is no region provided. In these cases the standard AWS SDK chain resolution is taken, and the configuration is the snippet you can see on the lower right side.

The next feature, and I think we talked a little bit about that on another topic, is the re-architecture of login and logout audits. In the past everything happened in the same table. Now we have split them into different locations. This is, I think, what we talked about, and all of these messages, which is pretty new, can now be sent to a syslog server if necessary. Logins and logouts are now stored in a table QBM login audit and can be configured with the help of the configuration parameters underneath common journal login audit or logoff audit. And as you can easily see, you can pre-configure lifetime failure, lifetime success and lifetime logoff. Any other implementation of the previous audits we had for logins and logouts is completely replaced by this feature and no longer available. If you have customizations using that, it is now necessary to review all of them and change them according to the new configuration.

Also reviewed is the processing for the Cloud Assistant. The adaptive cards that were sent now follow a new workflow which is more detailed and based on a schedule, which eases the workflow itself, where before the complete complexity was implemented in it. Part of the timed processing is a new schedule called process approval by work by cloud assistant. There is a new table that also stores all of these different jobs, called QBM cloud assistant message. And accordingly you have a couple of new processes which completely handle all of that, from deleting messages to processing messages up to cleaning up that new temporary table. With that the complete Cloud Assistant process is faster and of course works much more accurately than before.

And now let's talk about development and operation support. SIEM integration again. In this case we are talking about the different SIEM messages that exist. From now on an increased number of predefined messages exists. They provide the old and the new values for a change. They support additional messages for login and logout. They also have messages for DBQ operations and job queue operations available, user account creation and permission granted. However, all the messages are fully syslog compatible. If you look a little bit more into the details, you will see that a lot of new triggers are now generating all of these messages, and they do that in a new table called QBM CEF message. To ensure that this table will not just start to explode, there is also a cleanup process implemented, very similar to what we have for the job history, and that process just deletes the older ones that are not used any longer. With the help of select conditions for messages you can access old or new values if you like. And remember, the QBM CEF message table is the renamed QBM CEF definition table that was there before. That means QBM CEF definition no longer exists, and if you were using it in customizations, it is now time to ensure that your customizations get updated to use the new table name.

Script development got some updates as well. Standalone assemblies with dependencies can now be referenced directly in scripts using the hash A tag. Before, there was a hash R tag just to reference NuGet packages, which we were typically using. This is not removed: hash R exists as well for NuGet packages, but now the hash A tag exists in addition. This is, by the way, simply a migration from the old hash reference tag that was there a long time ago. Remember, hash reference was something that came with .NET Framework. With .NET 8 we got hash R, and now we have hash A additionally.

New in the database compiler is that you can now specify solution folders for the build operations available. And in addition to this there is also a cleanup-after-build parameter. Yes, it is clear, we are talking about the DB compiler CMD. The last one I was talking about, cleanup after build, just cleans the assembly cache directory immediately after compilation. And one of the last enhancements in this section: the system debugger. The debugger from now on supports testing and debugging of parameter sets. In the past that was not possible, but now, as you can see here in the picture, you can just select parameter sets and configure them for a test.

Another improvement of the object layer is of course the multi-step resolving of foreign keys for display values. What's behind that? Sometimes in tables we have specific keys. You can see that in the M2ALL example, where part of a specific column is an object key to another table. And this object key can of course contain another object key. In this case you don't have the typical display where a foreign key UID just points to another table and you get the display from there. This is what we had all the time. It is now possible as well to say: depending on a specific object key we can go to another table, find an object key there, and from there we can go to that table and of course get that very specific parameter as well. You can see that very complicated example as the M2N example here on the slide, where for example a sub-user is in a sub-role, that means it has a sub-role assigned, so you go from your user to the allocation table and from there to the sub-role, and the sub-role itself has a sub-mandant assigned to it, which is the next step. All of these display values are put together and build the display name for that very specific object. However, the great message here is: it is possible, but what you need to know is that it will have an effect, a potentially slower loading time, which is the price for getting more information across tables.

And, a little bit more often triggered by our UX people, I'm talking again about ease of configuration, starting with something pretty new, which is of course defining value ranges. Think about custom properties, for example. On a custom property you can enter data. This data could of course be limited, for example if you define a list of selectable values, but it can also be entered freely, and this is new: if you define a min value and a max value for a specific numeric field, people can just enter something into that very specific field within a frame of validity. If you enter something above or below that specific frame, then the system will automatically limit the entered value to the next available border. That means if it is much bigger, it will be the max value; if it is much lower, it will be the min value. Another good message is that no error message is generated. That is especially good for automated processes; just the limitation will happen. And it looks like what you can see here on the screen, where this is configured for a data value.

And a little bit more ease of configuration. Now a customizer process exists that just prohibits setting the log changes flag on a specific attribute in the same way as the no log flag. Both of them are more or less the opposite of each other, and so in the past there was just an access denied message if you tried to enter something. Now the customizer takes care of that: if you set the one, you can't set the other, and vice versa. Multiline content fields are also supported with a new functionality. There you can now use an enforce carriage return line feed feature, and this very specific feature will ensure that every line ends with a carriage return and line feed (\r\n). This might be good especially on Windows, because there the carriage return and line feed are always set together, in contrast to Linux where it is the one or the other.

The DB connections are at the end stored in appsettings.json, but if you want to have that more secure, it is now possible in the app server installer to set a very specific option, which is the encrypt connections option. If this option is set, then every connection stored in this file will automatically be stored encrypted, so that it is more secure. In previous Identity Manager versions, whenever it was necessary to create a new other object from the main data of a parent object, you had to implement that with the help of a very specific custom form or a hardcoded part of the form to fill out the fields of that new object. In the new Identity Manager version it is now only configuration. You can directly enter this configuration in Designer in the specific section for the property from which you want to create another object, and then there will be a plus directly behind the field where you can just start a generic process, as you can easily see. This is then configured here in Designer on the object level, and what you get at the end is what you will see here as well: a standard form that allows you to enter all the fields you have defined in your previous configuration.

TL;DR

  • PowerShell component NAT4 now supports isolated execution of external executables with independent dependencies, preventing conflicts with Identity Manager's core dependencies
  • Login and logout auditing has been re-architected with separate storage in QBM login audit table, configurable retention policies, and full syslog server integration for SIEM workflows
  • Developer tools enhanced with hash A tag for assembly references, solution folder support in database compiler, parameter set debugging, and multi-step foreign key resolution across tables
  • Configuration improvements include value range enforcement for custom properties, encrypted database connections, and the ability to create related objects directly from parent forms without custom code
  • AWS Secrets Manager integration enables loading configuration from cloud secrets with configurable reload intervals and standard AWS SDK credential resolution

Base Engine Enhancements and Dependency Management

The Identity Manager 10 LTS update introduces improvements to handle dependency conflicts that arise from faster software development cycles. A new isolation type in the PowerShell component NAT4 allows external executables called from that component to run with their own dependencies, so they neither conflict with nor depend on Identity Manager's core dependencies; per the presentation this isolation exists only in the PowerShell component NAT4 connector at present. Additionally, AWS Secrets Manager support has been implemented, enabling configuration options to be loaded from AWS secrets that are laid out in the flat structure documented in the manual, with a configurable reload interval (for example five minutes, an hour or a day). The interval must be strictly greater than zero; unlike other Identity Manager settings, zero is not accepted as "no reload". When no region is configured, the standard AWS SDK chain resolution is used for credentials and region.
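The reload and region logic described above, as an added example in Python. This is not code from One Identity or from the presentation: it assumes a hypothetical flattening of the secret JSON into .NET-style "Section:Key" names as a stand-in for the flat structure the manual prescribes, it models only the environment-variable stage of the AWS SDK region chain, and it uses a fake clock and a constructed sample secret so it runs offline (the boto3 fetcher uses the real `get_secret_value` API but is not exercised by the demo).

```python
import json
import os
import time
from typing import Callable, Dict, Optional


def flatten(obj, path=()) -> Dict[str, str]:
    """Flatten nested JSON into 'Section:Key' configuration keys (assumed
    layout, modelled on .NET IConfiguration).  Lists become numeric segments
    ('Hosts:0', 'Hosts:1'); scalars are stored as strings, as configuration
    providers hand every value to the consumer as text."""
    if isinstance(obj, dict):
        out: Dict[str, str] = {}
        for key, value in obj.items():
            out.update(flatten(value, path + (str(key),)))
        return out
    if isinstance(obj, list):
        out = {}
        for index, value in enumerate(obj):
            out.update(flatten(value, path + (str(index),)))
        return out
    return {":".join(path): "" if obj is None else str(obj)}


def resolve_region(explicit: Optional[str], env=None) -> Optional[str]:
    """An explicit region wins; otherwise fall back the way the AWS SDK default
    chain starts: AWS_REGION, then AWS_DEFAULT_REGION.  The real chain goes on
    to the shared config profile and instance metadata; those stages are not
    modelled here (simplification for a self-contained example)."""
    env = os.environ if env is None else env
    if explicit:
        return explicit
    return env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION") or None


class ReloadingSecretConfig:
    """Cache of flattened secret values, refreshed at most once per interval."""

    def __init__(self, fetch_secret_string: Callable[[], str],
                 reload_interval_s: float,
                 clock: Callable[[], float] = time.monotonic):
        # Same rule as in the presentation: the interval must be strictly
        # positive; zero is rejected rather than read as "never reload".
        if not reload_interval_s > 0:
            raise ValueError("reload interval must be strictly greater than zero")
        self._fetch = fetch_secret_string
        self._interval = float(reload_interval_s)
        self._clock = clock
        self._values: Dict[str, str] = {}
        self._loaded_at: Optional[float] = None
        self.reload_count = 0

    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
        now = self._clock()
        if self._loaded_at is None or now - self._loaded_at >= self._interval:
            self._values = flatten(json.loads(self._fetch()))
            self._loaded_at = now
            self.reload_count += 1
        return self._values.get(key, default)


def boto3_secret_fetcher(secret_id: str, region: Optional[str]) -> Callable[[], str]:
    """Production fetcher; imports boto3 lazily so the demo runs without it."""
    def fetch() -> str:
        import boto3  # type: ignore
        client = boto3.client("secretsmanager", region_name=resolve_region(region))
        return client.get_secret_value(SecretId=secret_id)["SecretString"]
    return fetch


# Constructed sample secret; the key names are illustrative, not the product's.
SAMPLE_SECRET_V1 = json.dumps({
    "ConnectionStrings": {"OneIM": "Server=db1;Database=OneIM;User ID=svc;Password=old"},
    "JobService": {"Queues": ["\\Server1", "\\Server2"]},
})
SAMPLE_SECRET_V2 = SAMPLE_SECRET_V1.replace("Password=old", "Password=rotated")


def demo() -> dict:
    """Rotate the secret and show that consumers see the new value only after
    the reload interval has elapsed."""
    fake_clock = {"t": 0.0}
    store = {"secret": SAMPLE_SECRET_V1}
    cfg = ReloadingSecretConfig(lambda: store["secret"], reload_interval_s=300,
                                clock=lambda: fake_clock["t"])
    first = cfg.get("ConnectionStrings:OneIM")
    store["secret"] = SAMPLE_SECRET_V2           # rotation in Secrets Manager
    fake_clock["t"] = 120.0
    cached = cfg.get("ConnectionStrings:OneIM")  # interval not over: old value
    fake_clock["t"] = 300.0
    fresh = cfg.get("ConnectionStrings:OneIM")   # interval elapsed: reload
    return {"first": first, "cached": cached, "fresh": fresh,
            "queue0": cfg.get("JobService:Queues:0"), "reloads": cfg.reload_count}
```

The practical consequence the example makes visible: after a credential rotation, every consumer keeps using the old value for up to one full interval, so the interval has to be chosen against the rotation schedule and the old credential must stay valid for at least that long.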

Audit Architecture and SIEM Integration

Login and logout auditing has been completely re-architected: instead of one shared table, logins and logouts are now stored in the new QBM login audit table and configured through the common journal login audit and logoff audit parameters, with separate retention lifetimes for successful logins, failed logins and logoffs. All of these audit messages can now be forwarded to a syslog server. The previous login/logout audit implementation is removed, so any customization built on it must be reviewed and migrated. The SIEM integration has been expanded with more predefined messages, all syslog-compatible, that carry the old and new values of a change and cover logins and logouts, DBQ operations, job queue operations, user account creation and permission grants. New triggers write these messages to the QBM CEF message table, which is the renamed QBM CEF definition table; customizations that reference the old name must be updated. A cleanup process, similar to the one for the job history, removes messages that are no longer needed so the table does not grow without bound.
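What "syslog-compatible CEF messages" and per-kind retention look like on the consuming side, as an added Python example that is not code from One Identity or from the page. It builds and parses CEF lines with the escaping the CEF specification requires, sweeps a constructed audit table with separate lifetimes for failures, successes and logoffs, and runs a simple failed-login burst detection over the same rows. The vendor/product strings, signature IDs, lifetime values and sample rows are all made up for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


def _esc_header(value) -> str:
    # CEF header fields: escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    # CEF extension values: escape backslash and '=', encode line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_message(signature_id: str, name: str, severity: int, extension: Dict[str, object],
                vendor: str = "ExampleVendor", product: str = "ExampleIdM",
                version: str = "10") -> str:
    """Build one CEF:0 line (vendor/product/version are placeholder values)."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(_esc_header(f) for f in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _unescape(text: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a CEF line into its seven header fields and the extension map,
    honouring backslash escapes; a naive line.split('|') breaks as soon as a
    user-controlled value such as a display name contains a pipe."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    pairs = re.findall(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)", line[i:])
    return fields, {k: _unescape(v) for k, v in pairs}


# Constructed sample audit rows: one brute-force burst, a few normal events and
# two old rows that the retention sweep must treat differently.
T0 = datetime(2026, 4, 25, 8, 0, tzinfo=timezone.utc)
SAMPLE_AUDIT: List[dict] = (
    [{"ts": T0 + timedelta(seconds=20 * i), "kind": "login_failure", "user": "svc_backup"}
     for i in range(6)]
    + [{"ts": T0 + timedelta(minutes=2), "kind": "login_success", "user": "alice"},
       {"ts": T0 + timedelta(minutes=9), "kind": "logoff", "user": "alice"},
       {"ts": T0 - timedelta(days=45), "kind": "login_success", "user": "alice"},
       {"ts": T0 - timedelta(days=45), "kind": "login_failure", "user": "bob"}]
)

# Illustrative retention per event kind, mirroring the separate lifetime
# settings for failures, successes and logoffs (not product defaults).
LIFETIME_DAYS = {"login_failure": 90, "login_success": 30, "logoff": 30}


def audit_to_cef(row: dict) -> str:
    """Render one audit row as a syslog-ready CEF line."""
    sig = {"login_failure": "LOGIN_FAIL", "login_success": "LOGIN_OK", "logoff": "LOGOFF"}[row["kind"]]
    severity = 6 if row["kind"] == "login_failure" else 2
    return cef_message(sig, row["kind"].replace("_", " "), severity,
                       {"rt": int(row["ts"].timestamp() * 1000), "suser": row["user"]})


def purge_expired(rows: List[dict], now: datetime) -> List[dict]:
    """Keep only rows younger than the lifetime configured for their kind."""
    return [r for r in rows if now - r["ts"] < timedelta(days=LIFETIME_DAYS[r["kind"]])]


def failed_login_bursts(rows: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Users with at least `threshold` failed logins inside a sliding window."""
    recent: Dict[str, List[datetime]] = {}
    flagged: Set[str] = set()
    for r in sorted(rows, key=lambda row: row["ts"]):
        if r["kind"] != "login_failure":
            continue
        q = recent.setdefault(r["user"], [])
        q.append(r["ts"])
        while r["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(r["user"])
    return flagged
```

Two points worth keeping in mind when wiring the product's messages into a SIEM: failed logins are the rows you want to keep longest, because they are the ones a later investigation needs, which is why the lifetime for failures differs from the others; and any parser on the SIEM side must honour CEF escaping, since display names and changed values are attacker-influenced text that can contain pipes and equals signs.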

Developer Tools and Script Enhancements

Script development capabilities have been enhanced with the new hash A tag for referencing standalone assemblies with dependencies directly in scripts, complementing the existing hash R tag for NuGet packages. The database compiler now supports specifying solution folders for build operations and includes a cleanup after build parameter to automatically clear the assembly cache directory post-compilation. The system debugger has been upgraded to support testing and debugging of parameter sets, a capability previously unavailable. The object layer now supports multi-step resolving of foreign keys for display values, allowing traversal across multiple tables to build comprehensive display names, though this comes with potential performance implications for loading times.
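The multi-step display resolution above, as an added Python example that is not code from One Identity or from the page. It walks the M2N chain the presenter describes (user, allocation table, role, tenant), counts how many row fetches one display value costs, and bounds the walk so a cyclic or overly deep key chain cannot recurse forever. Object keys are written as hypothetical "Table:UID" strings in place of the product's own object-key format, and the tables, columns and rows are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_object_key(value) -> Optional[Tuple[str, str]]:
    """Hypothetical 'Table:UID' key format (stand-in for the real object key);
    anything else is treated as a plain display value."""
    if isinstance(value, str) and ":" in value:
        table, uid = value.split(":", 1)
        if table and uid:
            return table, uid
    return None


@dataclass
class Table:
    rows: Dict[str, Dict[str, object]]   # uid -> column values
    display_columns: List[str]           # columns joined into the display value


@dataclass
class DisplayResolver:
    tables: Dict[str, Table]
    max_depth: int = 4          # bound on chained keys; cycles fall back to the raw key
    separator: str = " / "
    lookups: int = 0            # row fetches performed: the loading-time price

    def display(self, object_key: str, _depth: int = 0,
                _seen: frozenset = frozenset()) -> str:
        parsed = parse_object_key(object_key)
        if parsed is None or _depth >= self.max_depth or object_key in _seen:
            return object_key                     # unresolvable: show the raw key
        table_name, uid = parsed
        table = self.tables.get(table_name)
        if table is None:
            return object_key
        self.lookups += 1
        row = table.rows.get(uid)
        if row is None:
            return object_key
        parts: List[str] = []
        for col in table.display_columns:
            value = row.get(col)
            if parse_object_key(value):
                # multi-step case: this column holds another object key
                parts.append(self.display(value, _depth + 1, _seen | {object_key}))
            elif value not in (None, ""):
                parts.append(str(value))
        return self.separator.join(parts)


# Constructed sample schema: a person assigned to a role via an allocation
# table, the role owned by a tenant, the tenant nested under a parent tenant.
SAMPLE_DB = {
    "Person": Table({"p1": {"DisplayName": "Alice Smith"}}, ["DisplayName"]),
    "PersonInRole": Table({"pr1": {"UID_Person": "Person:p1", "UID_Role": "Role:r1"}},
                          ["UID_Person", "UID_Role"]),
    "Role": Table({"r1": {"Ident": "DB Admin", "ObjectKeyOwner": "Tenant:t1"},
                   "r2": {"Ident": "Ops", "ObjectKeyOwner": "Tenant:t3"}},
                  ["Ident", "ObjectKeyOwner"]),
    "Tenant": Table({"t1": {"Ident": "Contoso", "ObjectKeyParent": "Tenant:t2"},
                     "t2": {"Ident": "Contoso Group"},
                     "t3": {"Ident": "Loop", "ObjectKeyParent": "Tenant:t3"}},  # self-cycle
                    ["Ident", "ObjectKeyParent"]),
}


def resolve_with_cost(object_key: str, max_depth: int = 4) -> Tuple[str, int]:
    """Display value plus the number of row fetches it took to build it."""
    resolver = DisplayResolver(SAMPLE_DB, max_depth=max_depth)
    return resolver.display(object_key), resolver.lookups
```

The lookup counter is the point: a single allocation row costs five fetches here instead of one, and a list view multiplies that by the number of rows shown, which is the slower loading the presenter warns about. Limiting `max_depth` is the knob that trades display detail for load time.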

Configuration Improvements and Security Features

Several ease-of-configuration enhancements have been introduced, including the ability to define value ranges with minimum and maximum values for numeric fields in custom properties. A value outside the defined range is silently clamped to the nearest boundary and no error is raised. That suits automated processes, which would otherwise fail on the error, but it also means out-of-range input is never rejected: a caller that needs to know whether its value was altered has to compare the stored value with the one it submitted. A customizer now prevents setting both the log changes flag and the no log flag on the same attribute, where previously the conflict surfaced only as an access denied message. Multiline content fields can enforce that every line ends with a carriage return and line feed (\r\n), as Windows expects. Database connections in appsettings.json can now be stored encrypted via the encrypt connections option in the app server installer. A usability improvement allows creating new related objects directly from a parent object's form through configuration in Designer rather than a custom form or hardcoded form logic.

Chapters

0:00 - Dependency Isolation in PowerShell
1:26 - AWS Secrets Manager Support
3:01 - Login and Logout Audit Re-architecture
4:02 - Cloud Assistant Processing Updates
5:07 - SIEM Integration Enhancements
6:39 - Script Development Improvements
7:56 - System Debugger Parameter Sets
8:17 - Multi-step Foreign Key Resolution
10:07 - Value Range Configuration
12:23 - Connection Encryption and Object Creation

Key Quotes

0:15 "With the much faster software development we have seen in the last years, more and more dependencies that specific applications have are running us into conflict situations."
0:50 "In the PowerShell component NAT4 we just implemented the isolation type. That means it is now possible just to run such .exes in an isolated level so that it could run with its own dependencies and not harming the identity manager dependencies or need to use them."
3:01 "The re-architecture of login and logout audits. In the past all happened in the same table. Now we have split them into different locations."
5:13 "An increased number of predefined messages exists. They provide the old and the new values for a change. They support additional messages for login and logout. They also have messages for DBQ operations and job queue operations available, user account creation and permission granted."
6:50 "Standalone assemblies with dependencies can now be referred directly in scripts using the hash A tag."
11:09 "Another good message is that no error message is generated. That is especially good for automated processes. Just the limitation will happen."
Categories:
  • » Cybersecurity » Application Security
  • » Cybersecurity » Cloud Security
  • » Data Protection
Tags:
  • Identity & Access
  • Technical Deep Dive
  • How-To
  • DevSecOps
  • Cloud Security
  • Identity and Access Management
  • PowerShell Integration
  • Dependency Management
  • AWS Secrets Manager
  • Audit Logging
  • SIEM Integration
  • Script Development
  • Database Compiler
  • System Debugging
