2023 Release Notes

January 15, 2023 #

Updated #

• Secret Store Type Names. Updated the names of secret store types to reflect the services they represent more accurately.

Fixed #

• Resource Update Sync. Fixed an issue that caused updates to resource information made in the Admin UI and CLI not to be reflected immediately in the desktop app.
• Resource Name Display. Fixed an issue that caused resource names to flash when resizing the browser window on the resource view in the Admin UI.
• Table String Display. Fixed an issue that caused long strings in tables to behave erratically at a particular screen size in the Admin UI.
• Order of Activity Logs. Fixed an issue that sometimes caused the Admin UI to display activities logged at the same time in the wrong logical order (for example, “failed login” displayed after a “successful login”).
• Admin UI Navigation Menu. Fixed an issue in the Admin UI navigation accordion menu that caused it to expand incorrectly.
• Combobox Keyboard Interactions. Fixed combobox keyboard interactions for accessibility in the Admin UI.

January 31, 2023 #

New #

• User Insights Generally Available. Increased admin productivity by providing them with metrics about their organization’s StrongDM seat usage. The new metrics—Active Seats, Inactive Seats, and Billable Seats—are displayed to StrongDM admins in the Admin UI.
• EKS Instance Profile Generally Available. Released the Elastic Kubernetes Service (instance profile) cluster type resource to all customers.

Updated #

• Resource Tag Wildcard Options. Added support for an additional wildcard option when filtering by resource tags. A blank key in the key=value tag format treats the key as a wildcard (for example, =foo is treated as *=foo).
• Login Screens for Password Managers. Updated login-related screens to work better with 1Password and Google Password Manager.

Fixed #

• Double Refresh. Fixed an issue in which refreshing the Admin UI Users page in the web browser resulted in the page being refreshed twice.
• User Invitation in Admin UI. Fixed an issue that caused flashing error messages when inviting new users from within the Admin UI.
• Install sdm in PATH on Windows. Fixed an issue with the desktop app Install sdm in PATH option that destructively updated the user’s PATH variable on Windows machines.
• Website Resource Healthchecks. Fixed an issue that caused healthchecks to produce a timeout error for a website resource using a reverse proxy.
• sdm doctor. Fixed an issue that caused the sdm doctor -v CLI command to report an incorrect latency of zero for all gateways.

February 15, 2023 #

Updated #

• EKS Instance Profile. Added the EKS Instance Profile cluster resource to the SDKs and Terraform provider.
• EKS Server CA. Updated the certificate validation process to return an error if the retrieved Server CA certificate for EKS resource types is an empty string.
• Login Flow. Implemented additional security measures in the login flow. When logging into the desktop app with SSO enabled, the user is now presented with an interstitial StrongDM page to confirm that the login attempt is intentional. For more information, see the StrongDM Security Advisory.
• Terraform RDP Ports. Made RDP ports optional in Terraform. If ports are not provided, they are replaced with a default value.
• Members Search. Changed the search behavior on the Admin UI’s Roles > Members tab so that searching for accounts assigned to a role now searches according to the full name and email rather than by first name only.
• sdm admin ssh Help Text. Updated the help text and descriptions of the sdm admin ssh CLI command to clarify that it supports only public key SSH servers and not other types of SSH servers (for example, certificate-based or customer-managed key).

Fixed #

• Temporary Access Timezone. Fixed an issue that caused the current time for a specified time zone to display incorrectly when creating a temporary access grant.
• Activities Filter. Fixed an issue in which the Admin UI Activities log date filter didn’t allow for single-digit month or day values.
• Zscaler. Fixed an issue that caused network issues to occur in some cases when using StrongDM alongside Zscaler.
• SSH Connections Not Closing. Fixed an issue that sometimes caused SSH connections to be unable to disconnect when using the desktop app.
• Desktop App Memory Leak. Fixed an issue that caused the desktop app to experience a memory leak under certain circumstances.
• Client Stability. Fixed an issue that, in some cases, caused StrongDM clients in the “logged out” state to see high CPU usage.

February 28, 2023 #

New #

• Delinea Secret Server. Made Delinea Secret Server generally available. This new Secret Store integration helps you to protect your business by making it easy to use StrongDM while storing all types of secrets, such as passwords, credentials, and SSH keys, in a centralized digital password vault.

Updated #

• Gateway Form. Updated the Admin UI’s gateway configuration form by including a link to documentation and omitting the word “publicly” from the help text.
• SSO Settings. Updated the Admin UI settings to allow organizations to choose to disable single sign-on (SSO) relogin attempts.
• Resource Count Display. Updated Admin UI resource tables so that the total number of resources shown in the header updates based on Admin UI changes made in other web browsers.

Fixed #

• Desktop App Documentation Link. Fixed an issue in the desktop app where the link to documentation had the wrong URL.
• Download & Install Page. Fixed an issue where the desktop app was missing from the StrongDM packages on the Admin UI Download & Install page.
• Desktop App for Windows. Fixed an issue in order to prevent runaway memory leaks in the desktop app for Windows.
• Audit Record Expiration. Fixed an issue that could cause audit records to be incorrectly expired and potentially result in some duplicate audit records being present for February 28, 2023.

March 15, 2023 #

New #

• Direct SSO Links. Added the option to create organization-specific login links that automatically direct the user to the configured SSO provider.

Updated #

• Update Automatic Port Allocation. Updated the automatic port allocation for port overrides to start at 10000 and to skip default ports in the range.
• Update Secret Store Field Requirements. Updated the Server CA (path) field to be optional when using secret stores for cluster resources.
• Added Fields for sdm audit activities. Updated the fields shown when running sdm audit activities to include four more fields: actor first name, actor last name, actor email, and actor external ID.

Fixed #

• Error Handling for sdm login. Fixed an issue in the CLI where sdm login failures failed silently instead of returning an error.
• Log File Creation at Installation. Fixed an issue in the CLI where sdm install created log files with the wrong extension.
• HTTP Error Pages. Fixed an issue with website resources where rendering error pages or interacting with them did not work as intended.

March 31, 2023 #

New #

• Advanced Insights. Released Advanced Insights, the new reporting and auditing bundle that helps protect the business with the Audit API and Reports Library.
  • The Audit API extends the auditing and logging capabilities of the SDKs and CLI. If enabled for your organization, it allows you to programmatically extract the history of what happened in your organization, view full snapshots, view shells for all replays, view SSH session data and watch sessions play live, look at queries as they come in, and more.
  • The Reports Library provides admins with in-depth analysis of access grants to resources. Four new reports allow you to quickly understand how your most critical resources are used, see which roles are over-privileged or underutilized, and keep tabs on your most sensitive resources.
• Strong Vault. Released Strong Vault, StrongDM’s native vault where you can store secrets, keys, and credentials for authenticating users to your resources.

Updated #

• Read-Only Remote Identity Field. Changed the Remote Identity field in the Admin UI to be read-only if the user was created with SCIM integration, in order to prevent SCIM from overwriting the Remote Identity username when the user is SCIM-managed.
• MongoDB Query Parsing. Updated the way that data is parsed into MongoDB queries in order to include significantly more information.
• SSH Key Types. Added supported SSH key types to the SDKs.
• StrongDM for Linux. Updated the Linux package to include a --home parameter that can be used to override the default install config directory for Linux-installed clients and nodes.
• Node Activities. Added a new activity entity type for nodes and added the node entity to node activities in the SDKs.
• Activity Actor Name. Updated activities without an associated actor to display “StrongDM System Action” as the actor name instead of “Unknown User ()” in the sdm audit activities CLI output and the API responses when using the SDKs.
• EKS Instance Profile With User Impersonation. Updated the Elastic Kubernetes Service (instance profile - User Impersonation) cluster types to allow Kubernetes Remote Identities to pass user roles in the Impersonate-Group header.

Fixed #

• Kubernetes Event Tracker. Fixed an issue in the Kubernetes resource’s event tracker that could potentially lead to out-of-memory errors on relays with kubectl port-forward and kubectl exec commands. In addition, fixed an issue that could potentially cause excessive log spam of StartQuery called after CompleteQuery and CompleteQuery called after CompleteQuery errors when using kubectl port-forward.
• Service Account Auto-Connect. Fixed an issue that caused service account auto-connect to break service account logins.
• Okta-Managed User Suspension. Fixed an issue where Okta-managed users were not suspended when unassigned from the StrongDM app within Okta.
• MSSQL Healthchecks. Fixed an issue that caused MSSQL healthchecks to fail.
• Password Reset Panel Display. Fixed an issue where the password reset panel was not shown to root admins in parent organizations.
• SSO Login From CLI. Fixed an issue where SSO login via the CLI didn’t open two tabs in the web browser.

April 15, 2023 #

New #

• Azure MySQL Generally Available. Released the Azure MySQL datasource type.

Updated #

• Elasticsearch Password Field. Updated the Elasticsearch datasource type to have an optional Password field.
• Reports Library Refresh Frequency. Updated the Admin UI Reports Library to retry generating failed reports every minute instead of every 24 hours.
• Terraform Provider Resources. Added the Elastic Kubernetes Service (instance profile - User Impersonation) cluster type to the Terraform provider resources.

Fixed #

• Google-Provisioned User Suspensions. Fixed an issue that arose due to differences in how Google and StrongDM handle suspended users, in which a user that was suspended in Google but was still a member of a group(s) continued to be assigned to the corresponding role(s) in StrongDM.
• Report Export CSV Button. Fixed an issue in the Reports Library that allowed reports that failed to generate to be exported.
• Response to Invalid Report Filter Query. Fixed an issue in the Reports Library where entering in an invalid filter query or a filter query that returned no results caused the Admin UI to say the report was not found instead of “No search results match the query.”
• SQL Server. Fixed a potential issue with relays when using SQL Server resources running Microsoft SQL Server 2016 or later, which could cause an out-of-memory error when a client requests column encryption to be enabled.

April 30, 2023 #

New #

• AWS Management Console Generally Available. Released AWS Management Console as a cloud resource type.
• Email Daily Quota System. Improved StrongDM’s email-sending layer by adding a daily quota system that restricts the number of emails that can be sent to new users (for example, when inviting users to the organization or resetting user passwords). This change helps to prevent misbehaving automation or other extenuating circumstances from degrading email services, and it should have no impact on your normal operations.

Updated #

• Least Privilege Report Options. Added report options to the Least Privilege report that allow you to generate a report that shows access grants that haven’t been used in a custom number of days, within a 1- to 90-day range.
• Reports Library Tag Selector. Updated the Admin UI Reports Library to disable the ability to select duplicate keys to filter by in the Tags dropdown menu. For example, if you have made the selection to filter by env=prod, you can’t select env=dev at the same time.
• Sensitive Resources Report Display in Admin UI. Updated the Sensitive Resources report in the Admin UI to display sensitive resources that have no access grants as single rows and also allow filtering to these rows using the Has no Access Grants filter under the user dropdown.
• Reports Display of Resources. Updated the Sensitive Resources and Sensitive Resources Recent Grants reports in the Admin UI to display resources with the resource tags that were assigned to them at the time the report was generated (as opposed to the current resource tags).
• sdm update. Updated the sdm update command to take no update actions when the user is logged out. If logged out, the command now prints You are not logged in. No update actions will be taken until you log in.
• Timeout Option for CLI Commands. Updated most sdm admin and sdm audit CLI commands to include a --timeout option that allows users to set the timeout value to up to a maximum of 5 minutes, as opposed to the default 30 seconds.
• SDK Version. Updated the SDKs to version 3.12.0, which adds a new Capture field that contains capture details for SSH, Kubernetes, and RDP queries. This update is useful because clients do not have to interpret the capture JSON otherwise returned in the query response in order to obtain those details.
• Secret Store Path Fields in SDKs and Terraform. Updated the SDKs and Terraform provider to expose secret store paths/keys. This update applies to all StrongDM SDKs and does not require a client-side interaction for the new behavior to take effect. For the Terraform provider, a manual update of the client’s library version is required for the new fields to be present, and it primarily affects the import of resources into Terraform.
• IDs Returned When Listing Queries. Updated the StrongDM API to return useful IDs (for example, n-12345) instead of UUIDs for the EgressNodeID field when listing queries.
• Cloud HTTP Proxy Support and New Fields. Updated cloud resources to have HTTP proxy support, and added new fields Subdomain, Bind-Interface, and PortOverride to all cloud types in the SDKs and CLI.

Fixed #

• User Email Link to Docs. Fixed a broken link to desktop app documentation in the email sent to new users.
• Speed of Operations During Report Generation. Fixed an issue that caused some StrongDM operations to be slow while reports in the Admin UI were generating.
• Reports Displaying Deleted Resources. Fixed an issue that caused the Sensitive Resources and Sensitive Resources Recent Grants reports to be able to display resources that had been deleted within the last 90 days of the report. Now the reports only display resources that were not deleted at the time the report was generated.
• Reports Library Tags Filter. Fixed an issue that caused the resource tags filter in the Admin UI Reports Library to filter on all tags instead of the selected tag(s).
• Admin UI Usability in Chrome. Fixed an issue in order to prevent the Admin UI from scrolling in Chrome when adding resources.
• HTTP Subdomain Validation on Clouds. Fixed an issue in order to prevent bad subdomains from reaching the server, by adding client-side HTTP subdomain validation on cloud resources.
• SSH and Kubernetes Command Query Display. Fixed an issue that caused queries for SSH and Kubernetes commands to display incorrectly in sdm audit ssh or sdm audit kubernetes CLI output and the Admin UI logs if they contained newline and tab characters.
• SQL Server Query Tracker. Fixed an issue in the query tracker for the SQL Server resource where responses to RPC requests may not have been correctly processed and which prevented those responses from being recorded correctly (and possibly subsequent traffic on the connection). This issue only occurred in connections that have requested the optional column encryption feature to be enabled.
• RDP. Fixed an issue that prevented new RDP connections from being established from macOS Microsoft Remote Desktop clients starting with version 10.8.2.

May 15, 2023 #

Updated #

• SDKs. Updated the SDKs to include a new CreatedAt field for the StrongDM API’s AccountResources domain object. Using the new field requires updating to the latest SDKs.
• Admin UI Icons. Improved the Admin UI user experience by changing emojis to icons for healthchecks on gateways, relays, and resources; Settings page buttons; and some warning messages.
• Display of Last Healthcheck. Made the Admin UI’s “Last checked” field for resource healthchecks more accurate by changing the field to return Never instead of a timestamp such as 01 01 001 at 12:00 AM UTC or similar if the resource had no recorded healthchecks.
• Certificate Expiration Time. Changed the certificates used by the SSH Certificate-based resource type to have a validity of 24 hours (up from 3 minutes).
• Reports Library CSV Export. Added suboptions to the Reports Library CSV export option to allow all report rows to be exported as CSV, or only filtered report rows.
• Dock Icon for macOS. Made the desktop app dock icon hidden on macOS.
• Activity Messages for Unknown Users. Changed the format of activity messages for unknown or support actors to show “StrongDM System Action” if there’s no Actor ID, or “Unknown User” for unknown users.
• Activities Information. Added all actor information to activities on creation.

Fixed #

• Resource Audit Data. Fixed an issue where renaming a resource right after creating the resource sometimes caused audit records to be written with the old name of the resource.
• Replay Storage. Fixed an issue that could potentially cause a silent failure to save replays.
• Queries Permission Requirements. Fixed an issue with permissions checks for sdm audit queries so that API requests for queries restricted by query category to only SSH or Kubernetes queries now only require SSH audit permission, and API requests for queries restricted by query category to only non-SSH or Kubernetes queries now only require Queries audit permissions. Requests for queries in all categories (including requests that do not specify any category filter) require both permissions.
• Cloned Resource Audit Records. Fixed an issue that caused two audit records to be written for a resource that was cloned from inside the resource configuration page and renamed soon after.
• Query Row Error. Fixed an issue that caused queries with no next rows to incorrectly return an error saying there are no rows.
• SQL Server. Fixed issues and limitations with the Microsoft SQL Server resource type to prevent untracked queries and parsing errors.
• MFA Validation. Fixed an issue that caused MFA settings in the Admin UI not to validate correctly.
• Desktop App Auto Update. Fixed an issue that caused the desktop app to become unstable when trying to automatically update when the user was logging in.
• CLI Help Text. Fixed an issue where help text and command options were missing for sdm admin kubernetes clone and sdm admin kubernetes add CLI commands.

May 31, 2023 #

New #

• Log Stream. Made Log Stream available as part of the Advanced Insights reporting and auditing bundle. Log Stream is a new feature that allows you to stream logs to an external bucket such as Amazon S3 for ingestion into security information and event management (SIEM) applications.
• Microsoft SQL Server (Kerberos) and Microsoft SQL Server (Azure AD). Made the Microsoft SQL Server (Kerberos) and Microsoft SQL Server (Azure AD) resource types generally available. These resources enable authenticating with Microsoft SQL Server using Kerberos (Windows authentication) and Azure Active Directory authentication, respectively. This release includes a new release of the SDKs, adding support for these resources.
• Billing. Added the Billing page to the Admin UI, which provides information about how many licensed seats your organization is contracted for and how many of those licenses are currently being used.
• OpenSSH Key Type. Added support for OpenSSH private keys as a customer-provided key type in the Admin UI.

Updated #

• EKS Cluster Settings. Added the Port Override field to Elastic Kubernetes Service (EKS) cluster resource types across all of StrongDM, including the SDKs and Terraform provider. Updating to the latest version is only necessary if using the SDKs and Terraform provider; the CLI and Admin UI update automatically.
• Reports Library Tags. Updated the Reports Library in the Admin UI to allow multiple tags to be accepted (five or fewer, where multiple tags are treated as an “OR” condition) when designating sensitive resources.
• Gateway and Relay Secret Store Health. Updated the Secret Stores tab in gateway and relay details to show the health status of that particular secret store/node pair. The health status used to report whether any gateway or relay could reach the secret store.
• Terraform Provider Version. Updated the Terraform provider to version 4.0.0 and removed the secret_store_..._path and _key fields from the provider, preferring that users use the normal credential fields formatted as paths instead. Users must opt into this change.
• Terraform Provider Resources. Updated the Terraform provider to force resources to be recreated automatically when their secret store ID is changed.
• Snowsight in Desktop App. Changed the display of Snowsight resources in the desktop app so that they appear like a website without the ability to disconnect.
• Report Sorting. Updated the sorting for the Sensitive Resource report and Sensitive Resources Recent Grants report in the Admin UI. Resources and users in both reports used to be sorted Z to A, and now they are sorted A to Z.

Fixed #

• Proxy Support. Fixed an issue with proxy.pac mode support for console types in the client.
• HTTP Proxy. Fixed an issue where using the HTTP proxy.pac for cloud purposes caused AWS Terraform commands to fail and websites to fail when a cloud was connected.
• Admin UI Labels. Fixed an accessibility issue with the Admin UI Users page so that there are now labels in the markup throughout the page for screen readers to use.
• Client Routing. Fixed an issue in the client so that connection routes are cached for 15 seconds instead of 5 minutes, which allows for faster timeouts and better routing.
• Log Encryption & Storage Form. Fixed a form validation issue with the Admin UI Log Encryption & Storage page that caused the Save button to be disabled when not using public key encryption.
• Admin UI Table Elements. Fixed an accessibility issue where tables in the Admin UI rendered empty table header elements instead of empty table data cells in the table header.

June 15, 2023 #

New #

• Web Domain: Added a read-only Web Domain field and copy button to the Admin UI General settings page to make it easier for users know their organization’s domain name when, for example, accessing web resources or querying the Release endpoint.
• sdm aws run: Added the sdm aws run subcommand. If the cloud resource is already set to Port Overrides mode, this command allows the use of a shell wrapper to set up the environment for external scripts. To use it, you must update your CLI.

Updated #

• Terraform Provider: Updated the Terraform provider with support for the Microsoft SQL Server (Kerberos) and Microsoft SQL Server (Azure AD) resource types.
• Google Provisioning: Increased the timeout for provisioning requests that talk to external Google services.
• MySQL Authentication Mode: Added support for cached_sha2_password authentication mode for MySQL connections (that is, the default authentication mode for MySQL 8); and exposed settings on MySQL resources to turn on or off this new authentication mode and use a username style for compatibility with Azure Single Server resource types.
• SCIM: Updated the SCIM API with the following:
  • Added support for some additional ways of setting extended attributes (for example, patching directly: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.displayName).
  • Marked name, name.givenName, and name.familyName as required for Users in the schema, which was already the case and already noted in the descriptions of those fields but may have been previously ignored by some automated tools.
  • Enabled support for the excludedAttributes and attributes query parameters on Groups.
• Reduced Desktop App CPU Usage: Updated the desktop app to reduce its CPU usage in some circumstances when the user is logged out.
• sdm gcloud: Changed the name and properties of the configurations used by the sdm gcloud CLI command. Users that previously called sdm gcloud init and used gcloud commands outside of the wrapped sdm gcloud call may need to execute init again, and remove any previous configurations for StrongDM.
• Gateway or Relay Connection Route Caching: Changed how long routes are cached on the client before requerying for updated routes from StrongDM. The term “routes” refers to the order of gateways and relays used to connect to a target resource. Previously, routes were cached for five minutes. Now they are cached for 15 seconds.
• sdm doctor Unverified TLS: Added Unverified TLS as an option to the sdm doctor CLI command in order to better identify when clients may be reachable over TCP but have severed the TLS connection between the client and a gateway; and added emphasis on “Not Ready” links in sdm doctor output.
• Snowsight: Added more debug logging to the StrongDM Snowsight proxy, and added one cloud query that tracks when users log in from StrongDM to Snowsight. This update does not otherwise change existing limitations around Snowsight logging with StrongDM.
• Snowflake Healthcheck: Simplified the Snowflake healthcheck process.
• Bindinterface Filter Option: Added support for the bindinterface filter option in sdm admin datasources list --filter.
• Presto: Removed the username field, which is not currently supported, from the Presto resource type.
• Client Looping: Improved the client to prevent certain scenarios where it may potentially enter a loop of continuously attempting and failing to restart. Such a loop has been observed to lead to excessive CPU usage and log spam.
• Desktop App Menu: Updated the desktop app with a right-click context menu and a quit option.

Fixed #

• SCIM Activity Field: Fixed an issue where the “last activity at” field for SCIM tokens was unpopulated. This issue began around mid-day on May 31, 2023.
• Password Reset Email: Fixed an issue that caused the text used in password reset emails to state an expiration time of 15 minutes instead of one hour.
• Google Sync: Fixed an issue in paginating Google groups and members where workspaces with over 200 groups or groups with over 500 members would not advance to successive pages, causing an infinite loop.
• Snowsight Connect Button: Fixed an issue where the Snowsight resource’s Connect button was not treated like a website link.
• Website Resource Connections: Fixed an issue where connecting to website resources would sometimes fail.
• sdm audit permissions CSV Output: Fixed an issue in the CSV output of the sdm audit permissions command in the CLI where the headers for the “Expires At” and “Start From” columns did not match the output in the data rows. The order of the headers has been swapped to correctly match the data output. This issue has been present since the “Start From” column was introduced in CLI version 31.79.0. This fix also addresses an issue in the CSV and JSON output of the sdm audit permissions CLI command in the clients, where in some cases the “Granted At” timestamp incorrectly reported the time from which access started instead of the time the grant was created, and the “Start From” timestamp was omitted. “Granted At” now correctly reports the time the temporary account grant was created and “Start From” correctly reports the time from which the temporary account grant provides access. This issue has been present since CLI version 38.8.0.
• Desktop App Logging: Fixed an issue in the logging library used by the desktop app that may prevent the disk space occupied by rotated desktop app log files from being freed.
• Desktop App Loading After Login: Fixed a potential issue where the desktop app may fail to fully load when the client has detected a stale login and forced a logout. This may occur, for example, when user authentication has expired according to the organization’s session timeout policy.

June 30, 2023 #

Updated #

• sdm admin relays list and sdm admin roles list: Changed the way that CLI commands sdm admin relays list and sdm admin roles list query the server. This update changed to a paginated model, eliminating the scenario where a list call would fail due to the amount of data to transfer exceeding 4 MB. In addition, this update changed the behavior of callers of sdm admin relays list that lack the permission to list resources. Previously, this command would fail and print nothing. Now it outputs relays but excludes resource reachability information in this case. Lastly, this update changed the format of the ID within sdm admin relays list -j to the standard n- prefixed ID found in other interfaces.
• Log Stream: Added email headers for Log Stream errors.
• MySQL Authentication Mode: Added support for the cached_sha2_password authentication mode for MySQL connections. This is the default authentication mode for MySQL 8. In addition, this update added a setting on MySQL resources to turn off this new authentication mode and force all connections to use mysql_native_password mode, for backwards compatibility with previous MySQL versions. It also added a setting for username style for compatibility with Azure Single Server resource types.
• SDKs and CLI Fields: Added Node.ConnectsTo and marked GatewayFilter as deprecated in the SDKs and CLI. Users must update the CLI and SDKs to see the changes.
• SDK Comments: Added comments to uncommented fields in the SDKs.
• Delinea Secret Store: Improved the stability of Delinea secret stores.
• Node Warnings in Admin UI: Added the ability to show warnings for nodes in the Admin UI (for example, the “isolated” warning, which is applied when a relay is online but cannot reach any gateways).
• Location of Binary, Logs, and Other Files: Changed the default location of StrongDM binaries, log files, and internal files from the root of the filesystem to /sdm for the relay Docker container. This enables the use of the --read-only docker setting, when combined with -v /sdm -v /tmp.
• Auto-connect for Temporary Grants: Improved the ergonomics of connections to temporary grants.
• Display of Client Version Information: Updated the Admin UI to expose the last-used client version for users and service accounts. The version number updates every 5 minutes. If using both sdm listen and other CLI commands such as sdm admin, the version used by the sdm listen command is preferred. If multiple authentications are used by a single user, the one that most recently sent a request to the Control Plane is preferred.
• sdm audit queries: Improved the performance of sdm audit queries for ssh, rdp, k8s, web, and cloud CLI commands by parallelizing the retrieval of query data from Amazon S3.
• Default Timeout in CLI Commands: Removed the default timeout from the sdm audit activities and sdm audit queries CLI commands. A timeout may still be applied to these commands with the --timeout flag if desired.
• Activities: Updated activities to include the client user agent that the actor possessed when the activity was completed. It is presented as a string similar to the Ruby SDK version (for example, strongdm-sdk-ruby/3.17.0) or the CLI version (for example, strongdm-cli/38.25.0) involved.

Fixed #

• Admin UI Self-Sign-ups: Fixed an issue where an incorrect route path prevented users from self-signing up through the Admin UI.

July 15, 2023 #

New #

• Fallback DNS: Added the ability to set a fallback DNS to harden against sporadic failures. The fallback DNS is added with the SDM_FALLBACK_DNS environment variable. It defaults to 1.1.1.1:53 and is only used if a dial to app.strongdm.com fails.

Updated #

• Microsoft SQL Server Healthchecks: Updated healthchecks for Microsoft SQL Server resources to use the configured database for the resource instead of connecting to the default “master” database. This change prevents healthcheck failures when the configured user for the resource does not have access to the “master” database, which is especially common for restricted user accounts in Microsoft SQL Server instances in Azure. As a consequence, it is no longer necessary to enable the “Override Default Database” option for such configurations. Note that because the configured database was previously not used (unless “Override Default Database” was enabled) there is a small risk that existing Microsoft SQL Server resources could fail healthchecks after this update if the configured database was entered incorrectly, in which case the resource configuration will need to be updated to correctly specify a valid database the user can access.
• Query Audit Logs: Updated query audit logs to include the source IP of the user making the query, as seen by the gateway.

Fixed #

• Microsoft SQL Server (Azure AD): Fixed an issue for Microsoft SQL Server (Azure AD) resources that could result in a runtime error during authentication between a relay and the SQL Server instance.
• Node Restarts: Fixed an issue in node restart behavior introduced in version 38.44.0 in order to ensure that node restarts for newly created nodes are resolved as soon as possible.
• Log Stream JSON: Fixed an issue with Log Stream where query bodies containing valid JSON would be incorrectly zeroed in Log Stream records, affecting resources such as MongoDB, DynamoDB, and others that have JSON payloads. In addition, fixed an issue where query content that was valid JSON was not being logged via Log Stream.
• Temporary Access Via User Actions: Fixed an issue that prevented the Temporary Access modal in the Admin UI from opening from the user Actions menu on the Users page.
• Admin UI Filter for Selected Tags: Fixed the auto-populated filter generated in the Admin UI when selecting tags that contain spaces or colons, or commas in the key component of the tag.
• SSH Connections: Fixed an issue that could cause connections to an SSH server to be leaked by the relay from failures during the connection establishment process. This could occur when the server or client prematurely closes connections before the SSH handshake has completed, whether from a misconfiguration, a malformed or malicious client, or a port scanner running on the client.
• Gateway Listener Address: Fixed an issue where the server may not notify the client of a change in the listener address of an existing gateway. This is likely to be a rare issue, as gateway listener address are unlikely to change (and can only be changed through the CLI, not the Admin UI).

July 24, 2023 #

Updated #

• Admin UI TLS Support: Updated security policies for the Admin UI and ended support for TLS 1.0 and TLS 1.1 connections. All traffic to app.strongdm.com now requires TLS 1.2 or TLS 1.3.

July 31, 2023 #

New #

• sdm reset. Added the sdm reset CLI command, which is used to rename the .sdm directory and create a new one for debugging.
• Reset StrongDM. Added a Reset StrongDM button to the Diagnostics window of the desktop app.

Updated #

• Log Stream Fields. Updated Log Stream with query source IP and added support for unsigned fields.
• DNS Fallbacks. Changed the behavior of gRPC DNS fallbacks. If an HTTP(S) proxy is present in the environment, DNS fallbacks are disabled. In addition, if SDM_FALLBACK_DNS is set to0, DNS fallbacks are disabled.
• sdm admin create. Modified sdm admin create CLI commands for SSH (Customer Managed Key) and BigQuery resources to treat their private-key argument as the path to a local private key, rather than requiring the key contents to be passed directly to the CLI.
• GKE Port Overrides. Updated the Terraform provider and SDKs to include port overrides for Google Kubernetes Engine (GKE) resource types.

Fixed #

• Filter and Star Button Display. Fixed an issue that sometimes caused the starred filter and star button not to appear in the Admin UI.
• Query IP Tracking. Fixed an issue with query IP tracking in the CLI that caused IPs to register as the internal IP address of the ingress gateway, rather than the user that submitted the query.
• Snowflake. Fixed an issue where Snowflake resources could not have their schema set to an empty string after creation.
• Tags. Fixed an issue with tags in the Admin UI to prevent incorrect “There are no tags matching …” messages and allow the creation of tags of multiple lengths.
• TOTP MFA Enrollment. Fixed an issue where the TOTP MFA enrollment process might fail with an authorization error.

August 15, 2023 #

Updated #

• Gateway/Relay Warning Alerts. Changed the warning icon for gateways and relays in the Admin UI to be an alert triangle and added a yellow warning message.
• Web Domain Setting. Updated the Admin UI General Settings page to include informative Web Domain help text and an external link.
• sdm status. Updated the sdm status CLI command output to contain warnings if the version in use is beneath StrongDM’s minimum supported version. In addition, updated the output to include the suffix (auto) for resources that automatically remain connected.
• Filtering for sdm audit. Updated sdm audit CLI commands to support filters provided via CLI flags.

Fixed #

• Kubernetes Replays. Added support for the Elastic Kubernetes Service (instance profile - User Impersonation) cluster type to Kubernetes replays.
• sdm reset. Fixed an issue that caused the the sdm reset CLI command to fail on Windows.
• Microsoft SQL Server (Azure AD). Fixed an issue with the Microsoft SQL Server (Azure AD) resource type that could cause a failure to enumerate databases in some Microsoft SQL Server clients.
• Admin UI Error Display. Fixed an issue that caused spacing problems on error alert mesages in the Admin UI.
• Desktop App Connectivity Message. Fixed an issue that caused the “Unable to Connect” screen to display when loading the desktop app, even though no error was occurring.
• Desktop App State. Fixed an issue where if no gateways were able to be connected to, the desktop app failed to alert users of the degraded state.

August 31, 2023 #

New #

• Access Workflows. Made access workflows generally available as part of the enterprise bundle. This feature enables you to automate how access requests are submitted, reviewed, and approved (or denied).
• Replay Data Retention. Added the “Retain SSH, RDP, and Kubernetes Replay Data sent to StrongDM?” option in the Admin UI Log Encryption & Storage settings. This option provides the ability to intentionally not retain replay data within StrongDM, but still send non-replay queries and replay metadata (in particular, who acted on what, for how long). This functionality is useful for users who wish to ensure no sensitive data within replays is stored with StrongDM, but who otherwise want to utilize StrongDM’s centralized query logging. After enabling this setting, replays are unavailable immediately within the Admin UI. Some data may still be stored for up to five minutes as this setting propagates throughout StrongDM. Attempts to replay these sessions via the SDKs or CLI cause only session metadata to be provided, as no session content is available to be rendered.
• “Active” Filter for Users. Added support to the StrongDM API for the “active” filter for users, which filters users based on whether or not the user was active in the last 90 days. The CLI usage is sdm admin users list --filter "active:true".

Updated #

• API & Admin Tokens. Added “Workflows and Access Requests” to audit permissions for API and admin token creation in the Admin UI.
• SSO Authentication. Updated SSO authentication to prevent errors if users attempt to log in to the desktop app or CLI at the same time as logging into the Admin UI.
• MySQL and SQL Server Resource Properties. Changed the database field to be optional for MySQL and Microsoft SQL Server resource types.
• SQL Server TLS. Added a setting to Microsoft SQL Server resource types, which allows organizations to lower the minimum TLS encryption allowed for that resource from 1.2 to 1.0. This allows for connectivity with older resources.
• Reset StrongDM. Updated the StrongDM client so that the sdm reset CLI command and the Reset StrongDM button in the desktop app’s Diagnostics menu doesn’t change log files. This change importantly makes the command more effective on Windows, where before it would fail to move some files and not clear state unless no listener was online.
• Binary Location Output. Updated the output message of the StrongDM client’s install sdm in PATH option to include the location of the installed binary.
• Azure PostgreSQL Resource Form. Updated help text for the Azure PostgreSQL (Managed Identity) resource type, clarifying its username format for use with Azure Single Server.
• Logs. Updated query and web logs to show deleted resource names, where previously the name field for deleted resources used to be empty.
• Desktop App for Windows. Added x86-64 architecture support to the desktop app for Windows. Upgrading to this version should be automatic.
• Relay and Client Docker Images. Updated the relay and client Docker base images to use Ubuntu 22.04, and added a label so these images expire on quay.io after one year.

Fixed #

• Admin Deletion and Suspension. Fixed an issue in order to prevent admins from deleting or suspending themselves.
• Desktop App. Fixed an unhandled error around the status of gateways, which sometimes caused the desktop app to crash. In addition, fixed an issue where logging into the desktop app with MFA enabled and getting a password error caused the “Awaiting MFA” screen to appear preemptively.
• Queries. Fixed an issue where the sdm audit queries CLI command (and similar commands) could potentially fail with a “grpc: received message larger than max” error in the presence of one or more “large” query bodies. This issue impacted usage of the Queries List API from the SDKs as well. The number of queries returned in individual paged responses when listing all queries is now capped to prevent it exceeding this limit and returning an error. For CLI and SDK users there should be no visible change, as listing all queries will continue to return all queries, just in smaller batches when the queries are large. For queries that are very large, the response may be truncated. The complete query body is still stored on the server, should it need to be retrieved, and this limit does not apply to Log Stream.

September 15, 2023 #

New #

• Resource Lock Generally Available. Released Resource Lock, a new feature that allows a user to have exclusive access to an resource. Resource Lock is currently only configurable for RDP resources.
• Azure PostgreSQL (Managed Identity) Generally Available. Released the Azure PostgreSQL (Managed Identity) resource, which uses Azure’s Managed Identity service to connect to an Azure PostgreSQL datasource without the need for a password.

Updated #

• Desktop App Downloads. Updated endpoints and download links to ensure that deprecated versions of the desktop app cannot be downloaded.
• Activity Logs. Updated activity logs to surface the user agent for actions taken through the Admin UI.
• Activities Page of Admin UI. Updated the Activities page of the Admin UI for clarity of use and filters.
• Timeouts for sdm audit. Removed the default 30 second timeout from most sdm audit calls. In addition, removed the default timeout on sdm audit tokens.
• SDK Page Limits. Exposed page limit controls to the SDKs and defaulted new page limits from clients to 50, where older clients will default to 1,000 items per page. This was noticeable for replay or query requests, where it can take significant time for 1,000 items to populate.
• Slack Integration. Added the ability to partially complete the /sdm access to command in Slack. Duration and reason can be provided in any order and are now not required. If all arguments are not provided, the request access modal will appear with provided fields prepopulated.
• Generic SCIM. Updated “Generic Identify Providers” text references to “Generic SCIM” in the Admin UI.
• SDK Support for Workflow Management. Added support to the Go, Java, Python, and Ruby SDKs for managing workflows. Using the SDKs, admins can now create, update, list, get and delete workflows.
• Workflow Bulk Enable/Disable. Added a bulk option to workflows in the Admin UI in order to allow users to bulk enable and disable workflows.
• Certificates. Added a guard to local certificate processing, preventing a crash if an org.crt that had invalid PEM data was used.

Fixed #

• Relay Query Logging. Fixed an issue in relay query logging where relays did not use the configured log mode.
• HTTP Basic Auth. Fixed an issue so that the HTTP Basic Auth website resource does not refer to its Authentication type as Digest.
• Workflow Enable/Disable. Fixed an issue where the enable/disable toggle on a workflow was hidden, resulting in new workflows unable to be enabled and existing workflows unable to change their status. In addition, fixed an issue where a workflow could be disabled but not enabled afterward.
• Amazon ES Resource Form. Fixed an issue where the ARN field for Amazon ES connections showed as a checkbox instead of a textbox in the Admin UI.

September 30, 2023 #

New #

• Auditor Permission Level. Released the Auditor permission level, which allows a user to see everything in the Admin UI that an Administrator would see, but doesn’t allow them to make any changes to configuration.
• StrongDM Slack Integration. Made Slack integration generally available as part of the Enterprise bundle. When paired with access workflows, Slack integration allows users to browse for and request access to resources, as well as approve or deny such requests, if the user is eligible, all within Slack.

Updated #

• Page Limits for sdm audit. Added a --page-limit option to the sdm audit CLI command, allowing the default page size limit for API list requests from the CLI to be adjusted when needed to improve performance of the CLI in certain circumstances, such as when retrieving a large number of results.
• Workflow Filters. Added new filters for workflows. Specifically, workflow approvers, workflow roles, and workflow assignments now support filter strings that have ergnomic names with the ID appended (for example, “workflowid”) instead of naming the struct to filter on. The following filter fields are now supported: WorkflowRoles: workflowid, roleid, WorkflowAssignments: workflowid, resourceid, WorkflowApprovers: workflowid, approverid, and Workflows: enabled, autogrant. In addition, workflows now can be filtered on the enabled and autogrant status for the list by filter function.
• Filters for sdm admin users|services. Updated sdm admin users and sdm admin services CLI commands using filters (update, suspend, delete, list) to support all account-type filters. Previously only a subset of filters were supported.
• Workflow CLI Commands. Added access workflow management support to the CLI. The new sdm admin workflows command and its subcommands create, delete, list, and update allow workflows to be managed in the CLI.
• Workflows for SDKs and Terraform. Added workflows to the SDKs and Terraform provider. In addition, changed the exposed constant for the Read Only Admin permission level to be named Auditor instead.
• Workflow Creation. Allowed the SDK and Terraform provider create process to be used to create a fully enabled workflow with access rules applied.
• Workflow Bulk Editing. Enabled the bulk manipulation of multiple workflows in the Admin UI.
• SDK and Terraform README. Updated the SDK and Terraform provider README pages with new links to new SDK and Terraform examples in the various example repositories.
• AWS Secret Store Authentication. Added additional configuration options to AWS Secret Store authentication. First, by default, three new modes of authentication will be tried: using AWS_CONTAINER_CREDENTIALS_FULL_URI, using AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, and using a shared credentials file. These new options will be tried in that order, following existing methods (environment variables and EC2 role assumption). Second, in the unlikely case that this causes an integration to break, one can set SDM_AWS_LEGACY_PRIORITY to a truthy value such as 1 or true, and this will cause the old behavior to be executed instead. In a future release, this option will go away. Third, if one sets SDM_AWS_DEFAULT_PRIORITY to a truthy value, the priority of credentials will follow the default order specified by AWS under the “Specifying Credentials” section.
• Slack Authorization. Removed the requirement for profile and email scopes when a user authorizes the Slack app.
• sdm admin relays list. Restored sdm admin relays list -j returning [] instead of null in the CLI when no values are returned.
• Add SCIM Requests. Added support for Add SCIM requests modifying the defaultRemoteIdentity user field to support recent Azure changes.
• Replays. Updated replays to allow replays missing some internal data due to data transfer errors or corruption to be loaded in their entirety. As a side effect, if an SSH or Kubernetes session output zero printed characters to the terminal, it will be explicitly noted as a missing replay.

Fixed #

• Admin UI Page Loading. Fixed an issue that caused some Admin UI pages to return 404 errors when a trial was expired.
• Log Stream. Fixed an issue in Log Stream where “connection reset” errors from AWS S3 PUT requests would be treated as unable to retry and trigger an email notification to organization administrators. Because these errors are typically caused by transient network disruptions and are safe to retry, Log Stream will now retry on this error and only send an email notification when the error persists.
• Desktop App. Fixed an issue with the desktop app where the CLI and Virtual Networking Mode may fail to install if the path to SDM happens to include a space character. This typically happened when the user name of the account using SDM includes a space character.
• Certificate-Based SSH Auth. Fixed an issue where certificate-based SSH resources may fail to authenticate with the target resource, due to a server issue in determining the credentials to use.
• Admin UI Dropdowns. Fixed an issue with dropdown menu items in the Admin UI, where some items contained special characters, such as # or =.
• Admin UI UX. Fixed a visual issue with the role list of suspended users in the Admin UI.
• Go SDK. Fixed the Go SDK’s module to match its major version, 5.
• SCIM. Fixed an issue in order to prevent older SCIM tokens that are not granted remote identities related permissions from seeing errors on loading users’ remote identities information.
• Resource Form Fields. Fixed an issue in order to cause the IP Address field on a resource form in the Admin UI to automatically populate a valid value instead of defaulting to a potentially invalid value when creating a resource in Virtual Networking Mode.
• Relay and Gateway Form Fields. Fixed an issue where relay and gateway form fields were read-only when logged in to the Admin UI as an Admin. In addition, added proper validation messages on the Bind Port and Bind IP fields in the gateway configuration form, and changed the gateway or relay form to properly close when navigating away from the pages to ensure a clean state on the forms when navigating back and creating a new gateway or relay.
• Amazon ES ARN Field. Fixed an issue where the ARN field for Amazon ES connections showed as a checkbox instead of a textbox.

October 15, 2023 #

Updated #

• Access Request Duration. Added support for specifying days when requesting access to a resource via the Slack app’s slash command (/) or via the CLI’s sdm access to command. Valid specification of the request duration can now include days by providing a string such as 2d for two days.
• Prevention of Duplicate Access Requests. Updated workflows to prevent the creation of duplicate pending access requests. When creating an access request, an AlreadyExists error will be returned if an existing access request already exists in the pending state for the same resource and user via the same workflow. Please note that if multiple workflows could be used to fulfill the access request, the order of workflows dictates which takes precedence; the workflow to use is not specifiable in the access request.
• Admin UI Search. Made UX improvements to the Admin UI in order to allow searching via partial input strings to show more valid options.
• Integrations Page. Split the Integrations settings page of the Admin UI into multiple tabs: Directory and Connected Service.
• Logs. Added several logs to relay startup noting which settings have been configured for query log storage.
• Terraform Examples. Added some additional links to Terraform examples.
• sdm status. Changed sdm status in the CLI to explicitly report when a user has access to no resources.
• Desktop App Resource Connected Status. Augmented the desktop app to more clearly indicate when a resource is connected, but unhealthy or otherwise not usable.

Fixed #

• SDK Comments. Fixed some comment typos in the SDKs.
• Slack Integration Cancellation. Fixed an issue where when an admin would initiate a connection with Slack by clicking Connect in the Admin UI integrations page and then cancel, an error would occur. Now canceling a request returns you to the previous page.
• Admin Token Rotation. Fixed an issue with the tooltip on admin token rotation to reflect authentication expiry behavior.
• Node Status. Fixed an issue where using the web browser’s Back button to return to a node’s list of secret stores always presented nodes as unhealthy.
• CLI Help Text. Fixed a typo in the help text for the sdm access to CLI command.

October 31, 2023 #

Updated #

• Workflows Form. Changed the name of the Approvers column on the Admin UI Workflows form to be Approval Criteria and added some description about the nature of the workflow.
• Support Links. Changed StrongDM Support links in the product to direct users to the StrongDM Help Center for Support information and help requests. In addition, adjusted the callout text in the CLI command sdm doctor -v to point to the Help Center.
• CLI Filters Help. Added the --filters-help option to all CLI commands that accept a filter flag. When provided, these commands output the set of valid filters one can use, with a format example, for the given CLI command. This release also included the following:
  • Removed the grant-all option from sdm admin users, which has been nonfunctional and deprecated since July 2022.
  • Added a hint to sdm audit commands indicating the default lookback range.
  • Added further detail to the CLI filters help text for sdm access requests, including which specific filter values are acceptable for the status filter.
• sdm status. Changed sdm status to explicitly report when a user has access to no resources.
• App for Slack. Enhanced the StrongDM app for Slack by adding a modal to support searching the Access Catalog. In addition, added activity logs for disconnecting and deauthorizing Slack integration.

Fixed #

• Idle Timeout Setting. Fixed an issue where the Idle Timeout setting was not respected for users with the User permission level in the Admin UI.
• Nonfunctional Commands. Removed the following CLI commands: sdm admin roles attach, sdm admin roles detach, and sdm admin users grant. Prior to this release, since July 2022, these commands were nonfunctional and returned an error message when used.

November 2023 #

• Aurora PostgreSQL (IAM) and RDS PostgreSQL (IAM): Released Aurora PostgreSQL (IAM) and RDS PostgreSQL (IAM) datasource types.
• Workflow Settings: Added the Settings > Workflows page to the Admin UI, allowing you to set the maximum access grant duration for approved access requests and to enable or disable the sending of email notifications.

December 2023 #

ServiceNow Integration: Released StrongDM’s integration for ServiceNow, which, when paired with the Access Workflows feature, allows users to request access to StrongDM-managed resources via ServiceNow.