Security

Release notes on tasks that apply to Security for most Traveler Information modules.

Version Type Description ID
21.1.0.0 ENH Security permissions granted to system administrators and Trapeze6 Client Shell users for some operations have been configured to be always set to Deny for Anonymous users. The security permissions granted to system administrators are:
  • Core/Admin/
  • Core/Context/Write
  • Core/Security/Edit Users and Groups
  • Core/Security/Set Permissions
  • Core/TableEdit/
  • Core/SqlDirect/
The security permissions granted to Trapeze6 Client Shell users are:
  • Core/File/Browse
  • Core/File/Write
DEVCORE3-5430
21.2.0.0 ENH The following changes have been added to support the new In-App survey functionality:
  1. The following security permissions have been added:
    • TI/TiSurvey/Admin/View: Ability to access and view the admin page.
    • TI/TiSurvey/Admin/Modify: Ability to modify the current survey.
    • TI/TiSurvey/Public Methods: Ability to call the GetActiveSurvey service method.
  2. To use the new service, the following must be added to the profile:
    • database dbd - "..\Modules\Ti\Data\TiSurvey.db-schema"
    • Components: <group name="TiSurvey">
    • Plugins: <plugin name="TiSurveySrv.services"></plugin></group></database>
TI-17895
21.2.0.0 ENH A new security key, Hiwire/Admin/TNowSuspensions, has been added to support the ability of users to suspend receiving alerts. The system checks if the Admin user has been granted permission to use the functionality. If denied, the Suspensions feature is not shown on the Manage Users screen. TI-17722
21.3.1.0 CORR An issue where an error message appeared when saving attribute changes on built-in identity type users has been fixed. DEVCORE3-5486
21.3.1.0 CORR An issue has been fixed where users were unable to continue to log on unless they changed their password immediately after a warning appeared stating that their password will expire in X days. DEVCORE3-5469

This task is related to DEVCORE-4301.

21.3.1.0 ENH Added new security key, Hiwire > Admin > TNowSuspension. The Suspensions feature is displayed or hidden in the Manage Users page in TransitNow depending on how the key is set. TI-17717
21.7.0.0 ENH A new option, None, has been added to the Core > Security > Use SameSite Cookies switch. (Previously, the only options were Lax and Strict.) DEVCORE3-5516
21.17.0.0 ENH
Updates have been made to Trapeze6 security defaults:
  • Default password complexity rules have been updated in Properties:
    • Core > Security > Policy > Minimum Password Length: Minimum length in characters of a valid password. A value of 0 allows empty passwords. Default value is 8.
    • Core > Security > Policy > Password Required Character Types: Specifies character types that must be included in all passwords. This property depends on other password policy context properties. Options are: Upper case alpha character, Lower case alpha character, Symbol character, and Number character. By default, all four character types must be used.
    • Core > Security > Policy > Password Hashing > Algorithm. Select the way passwords are hashed and stored in the CoreIdentity table:
      1. TCF1 (64-bit hash). Original algorithm used for backward compatibility when older client and server applications that do not support newer algorithms are connected to the same database.
      2. PBKDF2 (192-bit hash). Industry-standard password hashing function, used to produce a 192-bit hash incorporating a 192-bit cryptographically random salt. (Default.)

    • Core > Security > Policy > Password Storage > Algorithm: Applies to stored passwords in context properties and Service Shell profile files. Select one of the following values:
      1. AES256 (Private key) - Select for stronger encryption using a randomly generated private key. (Keyfile.bin in the Config folder)

        This will require manual copying of the Keyfile.bin to other application installation folders if there is more than one installation sharing the same database. Otherwise, the other applications won't be able to decrypt the stored passwords. If this file is lost then the stored passwords will not be retrievable and will have to be re-entered using a new Keyfile.bin.

      2. AES256 (System key) - Select for stronger encryption using the system key built into the application framework. (Default)
      3. TCF1 - Select this for backward compatibility for older versions that do not have this option.
DEVCORE3-5470
Note:
If Core > Security > Policy > Enforce Password Policy on Next is selected, users may need to reset their passwords to meet new default requirements the next time they sign in.
  • Descriptions for the following Service Shell switches have also been updated:
    1. Core > Security > Authenticate: Turn OFF to disable username/password authentication and permission checks. DEPRECATED! This switch may be removed in a future version.
    2. Core > Security > Check Permissions: Turn OFF to disable permission checking (even if Authentication is still ON.) DEPRECATED! This switch may be removed in a future version.
21.39.0.0 ENH Removed the use of the TwitCurl library within the CommonInfoServer service due to potential vulnerabilities and deprecated functionality. Eliminated Twitter and Facebook support from reference G2 markups, aligning with current client usage and security standards. Updated G2 Upgrade notes to reflect these changes, ensuring documentation is consistent with the removal of TwitCurl dependencies. MPSTE-3559
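
The 21.17.0.0 password defaults above, worked through as an added example (not Trapeze code): a checker for the default complexity rules and a PBKDF2 hash with a 192-bit salt and 192-bit output. The PRF (HMAC-SHA256), the iteration count, the function names, and the ASCII definition of each character type are assumptions; the release note does not state them.

```python
import hashlib
import hmac
import os
import string

# Defaults stated in the 21.17.0.0 entry.
MIN_LENGTH = 8
SALT_BYTES = 24  # 192-bit cryptographically random salt
HASH_BYTES = 24  # 192-bit PBKDF2 output

# Assumptions: the release note names neither the PRF nor the iteration count.
PRF = "sha256"
ITERATIONS = 600_000

# Assumption: each required character type is taken as its ASCII class.
CHARACTER_TYPES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "symbol": string.punctuation,
    "number": string.digits,
}


def missing_requirements(password, min_length=MIN_LENGTH,
                         required=tuple(CHARACTER_TYPES)):
    """Return the policy rules the password fails; an empty list means compliant."""
    failures = []
    if len(password) < min_length:
        failures.append("length")
    for name in required:
        if not any(ch in CHARACTER_TYPES[name] for ch in password):
            failures.append(name)
    return failures


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a 192-bit PBKDF2 hash; a fresh random salt is made when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                                 iterations, dklen=HASH_BYTES)
    return salt, digest


def verify_password(password, salt, expected, iterations=ITERATIONS):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)
```

Calling `missing_requirements` with `min_length=0` and `required=()` shows the case the entry describes, where a Minimum Password Length of 0 lets an empty password through.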