We are pleased to announce the new SaaS version of Netwrix Identity Manager (NIM). This release introduces targeted improvements to certification workflows, usability, and platform alignment.
Want the full details? Click the link below!
[wrap=no-email]
New Features
Multiple reviewers for certification campaigns (Preview)
Certification campaigns can now be configured with multiple reviewers per item.
- All assigned reviewers receive the certification request
- The first reviewer to act (approve or deny) finalizes the decision
- The item is removed from other reviewers’ pending queues once completed
- Audit logs clearly show who made the decision and when
This removes bottlenecks caused by single-reviewer assignment and improves campaign completion rates.
This feature is available in Preview mode and may evolve based on feedback.
Enhancements
Platform update (.NET 10)
Netwrix Identity Manager has been upgraded to .NET 10 to ensure continued performance, security, and compatibility with the latest Microsoft ecosystem.
This update also anticipates the end of support for .NET 8 (October 2026), helping organizations avoid future risks related to deprecated frameworks.
Expanded native language support
The platform now includes native support for:
- Italian
- German
- Spanish
- Korean
- Traditional Chinese
These are available alongside existing French and English support.
This allows users to work in their preferred language without additional configuration and supports broader international deployments.
Certification campaign UI improvements
The certification campaign interface has been updated to make the required actions clearer.
- Improved visibility of pending actions
- Better alignment between notifications and actual tasks
- Clearer indicators of what requires attention
These changes help reduce confusion, improve participation, and support more consistent campaign completion.
Bug Fixes and Miscellaneous Updates
New
| Component | Description |
|---|---|
| Connectors and Integrations | The Azure connector (Cloud/Azure package) now supports full connection configuration: a connection form is available in the UI with Application Key, Application ID, and Tenant ID treated as secured fields, and Subscription ID and Resource URL as non-secured fields. Fetch Schema and Check Connection operations are also implemented. |
| Connectors and Integrations | SharePoint Online connections now support OAuth authentication via ClientId and ClientSecret, replacing the deprecated legacy username/password method that is disabled by default in SharePoint Online. NOTE: The agent must upgraded for this change. |
| UI / UX | When selecting a role, filtering is again allowed on categories and there is improved visibility of search buttons on column headers. |
| UI / UX | The default UI font is now Hubot Sans (headers) and Inter (body) to align with the Netwrix product visual identity. To retain the previous font (Segoe UI, Selawik), choose the legacy font on the Settings page or set UseLegacyFont: true in AppDisplaySettings. |
| UI / UX | A configuration check now validates that ViewHistory access control rule entries do not include dimension filters. Filters on ViewHistory permissions are not supported and cause access denied errors at runtime. |
| Other | When the Manage History tool purges historical data, it now retains a minimal record, containing only the user ID and display name, for any user still referenced within the system, such as approvers in access certification campaigns or workflow reviews. This prevents audit and certification reports from displaying incomplete owner or reviewer information after a purge. See the documentation. |
Fixed
| Component | Description |
|---|---|
| Access Control and Workflows | BuildUniqueValueAspect is now correctly recomputed when its expression dependencies (e.g., first name, last name) are modified through an update workflow. |
| Access Control and Workflows | Email .cshtml templates using complex C# expressions — such as LINQ operators (OrderByDescending, Select, FirstOrDefault), nested lambdas, or conditionals — may produce runtime errors or malformed SQL queries because the template expression rewriter does not support arbitrary nesting. Templates are now processed the same way as configuration expressions, ensuring all supported C# constructs are handled correctly. Verify that the C# expressions in your emails by importing the configuration with ‘force expressions’ and contact support if there is a problem |
| Configuration | The --export-scaffolding argument now works correctly when exporting configuration via the API (e.g., in SaaS deployments). Previously, scaffoldings were omitted from the export when deployment was API-based. |
| Connectors and Integrations | When creating a user in EasyVista too many permissions were required causing errors during provisioning if all permissions were not granted. Now, the necessary permissions have been recalibrated. NOTE: The agent needs to be updated to benefit from this correction. |
| Connectors and Integrations | SharePoint connection validation errors now appear in both application logs and in the UI. Secured field values are never exposed in error messages. |
| Connectors and Integrations | During provisioning of the NIM connector, the Added counter was incremented even when a provisioning order failed, instead of the Errored counter. Additionally, when the NIM connector API returned a validation error, such as a missing mandatory field on an AssignedProfile, the error message stored in the ProvisioningResult did not include the validation exception details, making failures difficult to diagnose. Both counters now reflect the actual outcome of each provisioning order, and validation exception details are included in the error message. |
| Jobs and Policy | The role model incorrectly calculates scalar properties with offsets in certain cases. |
| Jobs and Policy | Non-conforming roles and resource types no longer have an end date set. |
| Jobs and Policy | When a resource type rule denies a resource type, a Delete provisioning order is now correctly generated and dispatched to the external system (e.g., Active Directory), removing the resource as expected. Previously, no provisioning order was generated. |
| Jobs and Policy | Roles configured with implicit approval are now auto-approved when assigned through the Assigned Roles page, consistent with the behavior already present when roles are assigned via workflows. Note: applies during in-memory computation only; Category, Role, and Workflow State filters are respected. |
| Jobs and Policy | Jobs with long-running operations that did not report progress frequently could be incorrectly marked as errored. Running tasks now send automatic heartbeats to keep their progress timestamp current, preventing false error transitions. |
| Jobs and Policy | When a single role is approved over a partial scope within a user’s contract period, assigned scalars are now correctly split: the role’s scalar applies to the role’s scope and the default scalar applies to the periods outside it. |
| Jobs and Policy | In Scalar Rules, Query Rules, and Correlation Rules dialogs, the expression type dropdown now shows all predefined options (e.g., date transforms, string transforms) when the source property has a binding. This corrects a regression where only the ‘C# Expression’ option was displayed in this case. |
| Jobs and Policy | A query rule with an empty Literal expression caused a primary key violation, triggering internal errors during workflow execution. The expression is now parsed correctly, and the upgrade migration clears any corrupted entries. |
| Jobs and Policy | Deactivating a connector incorrectly removed Fulfill and Generate Provisioning Order task steps from other connectors that were not being deactivated. Deactivating a connector now only removes tasks belonging to that specific connector. |
| Jobs and Policy | When assigning a role with Locked Mode set to ‘Context Bound’ to an identity with an end date (or locking the end date on an existing role assignment) the assignment could not be saved. The workflow now correctly handles the end date constraint for locked role assignments. |
| Jobs and Policy | When a workflow Review step created a clone record while also modifying the source record, the cloned record could inherit outdated property values instead of the values set during the Request step. The cloned record now correctly inherits the Request step values in all cases. |
| Logs / Performance / Security | A deadlock could occur when multiple synchronization jobs ran concurrently because the DELETE FROM ur_resourcechanges statement executed outside the database lock scope. The statement is now executed within the lock, eliminating the race condition. |
| Logs / Performance / Security | The --db-connection-string argument is now masked in logs generated by InvokeSqlCommandTask jobs, preventing database connection strings from appearing in application log output. |
| Logs / Performance / Security | Concurrent workflows using the BuildUniqueValue aspect could generate duplicate values, such as identical logins or email addresses, when two workflows validated the same identity changes before either committed to the database. Uniqueness is now enforced atomically, ensuring each generated value is exclusive to a single workflow. |
| UI / UX | In search bar criteria configured with the ComboboxMultiSelection input type, placeholder text overrides were ignored and the dropdown rendered incorrectly. Placeholder overrides are now applied correctly and the dropdown displays as expected. |
| UI / UX | The password reveal (eye) icon is now visible on connection screens in Microsoft Edge. Previously it was hidden due to a conflict with the browser’s built-in password reveal button. |
| UI / UX | The parameters section (including the parameters list and the ‘Add parameter’ button) is now visible when accessing a resource type page from the Connectors screen. Previously this content was missing. |
| Other | Saving permission changes in Settings > Profiles & Permissions deleted tile items from display tiles, causing a permanent blank page after reload that could only be resolved by redeploying the configuration. Tile items are now preserved when profile permissions are modified. |
Customers on LTS: Plan your upgrade
Please note that support for Netwrix Identity Manager will end on October 30, 2026. For more information, please visit Supported versions | Netwrix and Release types and support lifecycle.
Need help with this update?
There are many different ways to get help with our products!
| Situation | Action |
|---|---|
| If you feel the product is broken and not working as intended… | Contact Support |
| If you have a question you’d like to ask other experts… | Create a discussion in the community: Identity Manager > Discussions & Questions |
| If you have a feature request… | Let our product team know directly: Identity Manager > Ideas |
| If you have something cool to show… | Show everyone what you built: Identity Manager > Show & Tell |
What are your thoughts?
We are always happy to hear from our users on what you like, and what you hope to see in the future. Please, share your thoughts below!