We are pleased to announce the upcoming updates to Netwrix Identity Manager (NIM). This release introduces targeted improvements to certification workflows, usability, and platform alignment.
Want the full details? Click the link below!
Important Dates
- The update is scheduled to be released to the preproduction environment on 2026-04-07T14:00:00Z→2026-04-07T16:00:00Z
- The update is scheduled to be released to the production environment on 2026-04-20T15:00:00Z→2026-04-20T17:00:00Z
New Features and Enhancements
Platform update (.NET 10)
Netwrix Identity Manager has been upgraded to .NET 10 to ensure continued performance, security, and compatibility with the latest Microsoft ecosystem.
This update also anticipates the end of support for .NET 8 (October 2026), helping organizations avoid future risks related to deprecated frameworks.
Expanded native language support
The platform now includes native support for:
- Italian
- German
- Spanish
- Korean
- Traditional Chinese
These are available alongside existing French and English support.
This allows users to work in their preferred language without additional configuration and supports broader international deployments.
Multiple reviewers for certification campaigns (Preview)
Certification campaigns can now be configured with multiple reviewers per item.
- All assigned reviewers receive the certification request
- The first reviewer to act (approve or deny) finalizes the decision
- The item is removed from other reviewers’ pending queues once completed
- Audit logs clearly show who made the decision and when
This removes bottlenecks caused by single-reviewer assignment and improves campaign completion rates.
This feature is available in Preview mode and may evolve based on feedback.
Certification campaign UI improvements
The certification campaign interface has been updated to make the required actions clearer.
- Improved visibility of pending actions
- Better alignment between notifications and actual tasks
- Clearer indicators of what requires attention
These changes help reduce confusion, improve participation, and support more consistent campaign completion.
Bug Fixes and Miscellaneous Updates
New
| Component | Desription |
|---|---|
| Connectors and Integrations | SharePoint Online connections now support OAuth authentication via ClientId and ClientSecret, replacing the deprecated legacy username/password method that is disabled by default in SharePoint Online. NOTE: The agent must upgraded for this change. |
| UI / UX | A configuration check now validates that ViewHistory access control rule entries do not include dimension filters. Filters on ViewHistory permissions are not supported and cause access denied errors at runtime. |
| UI / UX | The default UI font is now Hubot Sans (headers) and Inter (body) to align with the Netwrix product visual identity. To retain the previous font (Segoe UI, Selawik), choose the legacy font on the Settings page or set UseLegacyFont: true in AppDisplaySettings. |
Fixed
| Component | Description |
|---|---|
| Access Control and Workflows | BuildUniqueValueAspect is now correctly recomputed when its expression dependencies (e.g., first name, last name) are modified through an update workflow. |
| Access Control and Workflows | Email .cshtml templates using complex C# expressions — such as LINQ operators (OrderByDescending, Select, FirstOrDefault), nested lambdas, or conditionals — may produce runtime errors or malformed SQL queries because the template expression rewriter does not support arbitrary nesting. Templates are now processed the same way as configuration expressions, ensuring all supported C# constructs are handled correctly. Verify that the C# expressions in your emails by importing the configuration with ‘force expressions’ and contact support if there is a problem |
| Configuration | The --export-scaffolding argument now works correctly when exporting configuration via the API (e.g., in SaaS deployments). Previously, scaffoldings were omitted from the export when deployment was API-based. |
| Connectors and Integrations | When creating a user in EasyVista too many permissions were required causing errors during provisioning if all permissions were not granted. Now, the necessary permissions have been recalibrated. NOTE: The agent needs to be updated to benefit from this correction. |
| Connectors and Integrations | SharePoint connection validation errors now appear in both application logs (with the specific conflicting option names) and in the UI (showing field labels rather than internal command aliases). Secured field values are never exposed in error messages. |
| Jobs and Policy | The role model incorrectly calculates scalar properties with offsets in certain cases. |
| Jobs and Policy | Non-conforming roles and resource types no longer have an end date set. |
| Jobs and Policy | When a resource type rule denies a resource type, a Delete provisioning order is now correctly generated and dispatched to the external system (e.g., Active Directory), removing the resource as expected. Previously, no provisioning order was generated. |
| Jobs and Policy | Roles configured with implicit approval are now auto-approved when assigned through the Assigned Roles page, consistent with the behavior already present when roles are assigned via workflows. Note: applies during in-memory computation only; Category, Role, and Workflow State filters are respected. |
| Jobs and Policy | When a single role is approved over a partial scope within a user’s contract period, assigned scalars are now correctly split: the role’s scalar applies to the role’s scope and the default scalar applies to the periods outside it. |
| Jobs and Policy | A query rule with an empty Literal expression caused a primary key violation, triggering internal errors during workflow execution. The expression is now parsed correctly, and the upgrade migration clears any corrupted entries, with correlation keys restored on the next correlation task run. |
| Logs / Performance / Security | A deadlock could occur when multiple synchronization jobs ran concurrently because the DELETE FROM ur_resourcechanges statement executed outside the database lock scope. The statement is now executed within the lock, eliminating the race condition. |
| Logs / Performance / Security | The --db-connection-string argument is now masked in logs generated by InvokeSqlCommandTask jobs, preventing database connection string from appearing in application log output. |
| UI / UX | The password reveal (eye) icon is now visible on connection screens in Microsoft Edge. Previously it was hidden due to a conflict with the browser’s built-in password reveal button. |
| UI / UX | The parameters section (including the parameters list and the ‘Add parameter’ button) is now visible when accessing a resource type page from the Connectors screen. Previously this content was missing. |
Need help with this update?
There are many different ways to get help with our products!
| Situation | Action |
|---|---|
| If you feel the product is broken and not working as intended… | Contact Support |
| If you have a question you’d like to ask other experts… | Create a discussion in the community: Identity Manager > Discussions & Questions |
| If you have a feature request… | Let our product team know directly: Identity Manager > Ideas |
| If you have something cool to show… | Show everyone what you built: Identity Manager > Show & Tell |
What are your thoughts?
We are always happy to hear from our users on what you like, and what you hope to see in the future. Please, share your thoughts below!