Blue Prism 7.1: June 2022

When using Active Directory Single Sign-on in Blue Prism, it is now possible to configure the system to support users from across multiple forests within a common Active Directory Network Infrastructure with options for role management either in Blue Prism or Active Directory, or both. Previously, users across multiple forests could be accommodated only if managing the user role assignment directly in Blue Prism; whereas assigning roles via Active Directory security group membership only supported users within a single common Active Directory forest.

Active Directory authentication must be enabled on the Security - Sign-on Settings screen and the appropriate credentials for each relevant domain must be configured in Blue Prism.

This applies to all scenarios below:

• Active Directory users logging into the interactive client via Authentication Server.
• Active Directory users logging into the interactive client using built-in authentication.

• Authentication of AutomateC commands, runtime resources, and process alerts via the /sso command line parameter.

• Authentication of the telnet commands /getauthtoken, /user and /password via User Principal Name (UPN), username, and user ID.

• Active Directory authentication when calling web services exposed on runtime resources.

• When using the AutomateC /rolereport command to generate a report on all the roles and associated permissions for each user in the system.

Active Directory users can now be created in Blue Prism either by manually creating users and directly assigning roles and permissions to them via the Create User Wizard, or by mapping Active Directory security groups to Blue Prism roles via the Role Membership dialog.

Users belonging to Active Directory security groups are created in Blue Prism either when they log into Blue Prism for the first time, or by using the  Synchronize users with Active Directory option available when clicking the menu button on the Security - Users screen. When this option is enabled, Active Directory users across both single and multiple forests will be synchronized.

An Active Directory's user details are refreshed in Blue Prism from Active Directory every time they log into Blue Prism, but administrators can refresh the details of all Active Directory users in the user list by selecting the Synchronize users with Active Directory option, regardless of how they were created, as follows:

• Any new Active Directory user accounts assigned to a security group which is mapped to a Blue Prism role will display in the Blue Prism user list.
• Any user accounts disabled in Active Directory will be marked as deleted in Blue Prism. If a previously disabled account has been re-enabled in Active Directory, it will display in the Blue Prism user list again.
• Any user accounts deleted from Active Directory will be marked as deleted in Blue Prism, but they can no longer be reinstated.
• Any updates to a user’s Distinguished Name or UPN in Active Directory will display in Blue Prism. If the UPN is updated, the user’s username will be updated accordingly.

The following behaviors will occur when an Active Directory user is attempting to: access the browser-based Control Room in Hub; access the Blue Prism interactive client; and authenticate AutomateC commands and runtime resources using the /sso command line parameter:

• If an account does not already exist for the user, a Blue Prism account is automatically created in the Blue Prism database.

• If a user has no Blue Prism roles assigned when attempting to log into the interactive client, either directly in Blue Prism or via security groups in Active Directory, they will be prevented from logging in.
• If a user account has been deleted/disabled in Active Directory, it will be marked as deleted in Blue Prism and the user will be prevented from logging in.

• If a user account has been marked as deleted in Blue Prism, the account will be restored if it is subsequently reinstated in Active Directory, regardless of whether they are assigned Blue Prism roles or not. This occurs either when the administrator synchronizes the user list with Active Directory, the user logs into Blue Prism, or the user details are edited in Blue Prism.

Blue Prism system administrators can now view, add, edit, and delete Active Directory domains and associated credentials stored in the database via a new Sign-on Settings - Active Directory Domains screen.

When adding a new domain:

• The domain name must be fully qualified using the format subdomain.domain.com or domain.com.
• The domain name and mandatory credentials are validated against the Active Directory domain controller.

Credentials are stored when creating or editing an Active Directory domain. The username and password are encrypted before storage.

The credentials stored for each domain should be that of an Active Directory service account. This service account's password should not expire, should not be a user account, and should follow Active Directory service account best practices.

When searching Active Directory for users or security groups on a device connected via an application server, the credentials stored against the domain and encrypted in the database are now used to execute this query. If no stored credentials are found, queries that require authentication will be executed under the context of the Windows account running the Blue Prism application server. It is no longer possible to provide custom credentials.

When searching Active Directory for users or security groups on a device that is connected directly to a database and no stored credentials are found, queries that require authentication will be executed under the context of the Windows account that was used to launch, and run, Blue Prism locally.

The credentials stored against Active Directory domains in the Blue Prism database are now used during the authentication of Active Directory users from those domains, to enable reading from the appropriate domain controller.

The stored credentials are used in the following scenarios:

• Authentication of process alerts via the alerts/sso command. To authenticate the command, credentials must be saved for domains in all appropriate forests and the user must have the Subscribe to Process Alerts permission assigned in Blue Prism.

• Authentication of telnet user, password, and getauthtoken commands via UPN for Active Directory users.

• Built-in authentication to the Blue Prism interactive client.

• Built-in authentication of runtime resources.

• Built-in authentication of the AutomateC commands using the sso command line parameter.

• When calling a process that has been exposed as a web service using an Active Directory UPN and password.

• When logging into the Blue Prism interactive client via Authentication Server to retrieve Active Directory user record and determine the user's security group membership.

No credentials are required when upgrading from a single forest environment and/or environments where the account running the Blue Prism application server is authorized to read from all domain controllers in the environment.

If using the following connection modes with a Blue Prism Server connection, a Service Principal Name (SPN) must be configured against the Active Directory (AD) account under which each Blue Prism Server service instance is running:

• WCF: SOAP with Message Encryption & Windows Authentication
• WCF: SOAP with Transport Encryption & Windows Authentication

• .NET Remoting Secure

This is because when a Blue Prism interactive client or a runtime resource connects to an application server using one of the connection modes above, the Microsoft Negotiate Security Package is used to select the best Security Support Provider (SSP) to authenticate the connection. The internal code of the Blue Prism interactive client provides the expected SPN to the Microsoft Negotiation Security Package, which prompts Microsoft Negotiation to select the Kerberos SSP over New Technology LAN Manager (NTLM) SSP, provided the SPN is present in Active Directory.

This configuration applies to all Blue Prism environments, however, if the Active Directory account under which your BP Server instances are running resides in a different domain to the Active Directory account used for the Blue Prism interactive client and runtime resource, the additional configuration outlined below is required.

The following two new settings must be configured on the Connection Configuration screen in the Blue Prism interactive client:

• Kerberos Realm – This must be configured for each Blue Prism Server connection in the interactive client where the user's Kerberos realm is different to that of the account configured to run Blue Prism Server. The option can also be set via the new AutomateC command /setkerberosrealm, for example, /setkerberosrealm mycompany.com. The Kerberos realm is usually the same as the domain name, however, please check with your IT team for the correct value.

• Force NTLM – This forces Microsoft Negotiate Security Package to select New Technology LAN Manager (NTLM) as the Security Support Provider (SSP) when authenticating connections. This option is provided so that NTLM can be used when Kerberos is unavailable or not configured (see SPN configuration). This option can also be set via the new AutomateC /forcentlm, for example, /forcentlm true, for the last used or specified connection (using the /dbconname switch) when authenticating the Blue Prism server connection.

  Please consult with your security team before enabling this option as NTLM is considered a less secure protocol.

If login failures or performance issues are encountered during the login process via Active Directory, system administrators can manually configure trusted Active Directory domains that will be queried during the login process. If at least one Active Directory domain is manually configured, these  settings will be used during the login process to query only the configured domain(s), rather than programmatically identifying which domains can be queried. For more information, see Single sign-on troubleshooting.

A database script (BP-9497-ConfigureTrustedDomain.sql) with the manual configuration is available for download from the Blue Prism Portal.

The Security - Sign-on Settings screen has been redesigned to improve accessibility and better reflect the authentication methods available:

• The main user authentication options have been renamed as follows: User login via Authentication Server (required if using the browser-based Control Room with the current Blue Prism environment) and User login using built-in authentication (no support for the browser-based Control Room).
• The existing Active Directory and Blue Prism native authentication methods display under a new Built-in authentication settings submenu. The built-in authentication methods available are also used to authenticate runtime resources, telnet commands, AutomateC commands, and when calling web services exposed on runtime resources.
• The Password Rules section has been renamed to Password rules for native authentication and has been rearranged in a more logical sequence. Password rules are only applicable to Blue Prism native authentication.
• The Login Options section has been renamed to Native login options and only displays if User login using built-in authentication and then Blue Prism native authentication have been selected.
• The login option Show a list of users on the login screen available in previous versions of Blue Prism has been removed to improve performance.

• A  new Role management for Active Directory users section allows administrators to determine how Active Directory user roles are managed. At least one of the following options must be selected if Active Directory authentication has been enabled under Built-in authentication settings:

  • Manage role membership in Blue Prism – Active Directory users are directly assigned to Blue Prism roles. Users can be assigned to multiple Blue Prism roles.

  • Manage role membership in Active Directory – Active Directory security groups are mapped to Blue Prism roles. Users can be assigned to multiple Blue Prism roles by being a member of multiple relevant Active Directory security groups.

  These options apply in all situations when Active Directory authentication is used:

  • Logging into the interactive client via Authentication Server.
  • Logging into the interactive client using built-in authentication.

  • Authentication of runtime resources and AutomateC commands using the sso command line parameter.

  • Authentication of web service requests and telnet commands using Active Directory credentials.

  If only Blue Prism native authentication has been enabled under Built-in authentication settings, these options can be left unselected on the screen.

When creating a new Blue Prism database, users no longer have to choose between single‑authentication and multi‑authentication environments. A single Blue Prism database now covers all environment types and authentication methods.

The Create a new database screen has been updated to reflect this change. The Configure Database button on the Connection Configuration screen has also been removed as the configuration steps previously included in this action are now carried out via the user interface.

Blue Prism system administrators can now manage the membership of roles for all account types in the system in one place – native, Active Directory or Authentication Server user accounts, as well as Active Directory security groups and Authentication Server service accounts.

A new Role Membership dialog displays when clicking the Manage role membership button on the Security - User Roles screen. Administrators can assign one or more users and/or security groups to a role by searching for existing users in Blue Prism or for security groups in Active Directory if Active Directory authentication has been enabled.

The Roles and Permissions tab on the User Settings screen now displays the roles assigned to a user depending on the authentication type and, if applicable, on the role membership option selected for an environment on the Security - Sign-on Settings screen.

Active Directory users can no longer be unintentionally deleted from Blue Prism by pressing the Delete key on the keyboard.

When using Active Directory authentication, the Blue Prism Server connection mode check no longer occurs during database configuration. Previously, an error message displayed if the non-supported connection modes (WCF: SOAP with Transport Encryption, WCF: Insecure, and .NET Remoting: Insecure) were selected when creating a single-authentication Active Directory database.

When creating a new database in version 7.1, the distinction between single-authentication and multi-authentication environments is no longer made, so the check for the connection mode is now performed when a user attempts to log in using Active Directory either via the interactive client or the command line tool.

The descriptions for the Blue Prism Server connection modes have been updated to indicate whether they support Active Directory authentication or not, to help prevent users from selecting an unsupported option.

When upgrading from a single-authentication Active Directory environment to a 7.1 database (which covers all environments types and authentication methods), if a security group cannot be found in Active Directory based on the existing data stored, a warning message displays in the Role Membership dialog prompting the administrator to re-assign the security group to the Blue Prism role(s) it was previously assigned to.

Built-in security groups are not supported so if a Blue Prism role is assigned to a built-in security group, the administrator will need to create a custom group, add the users from the in-built security group to the custom group and assign it to the Blue Prism role.

When upgrading from a Blue Prism version earlier than 5.0.24, the format of the Active Directory domain and security groups mapped in the database are updated to the format that is used in version 7.1. The first login after the upgrade has completed may take a little longer than usual due to some administrative actions being performed in the background.

To reduce memory consumption, only one AppMan.Service.exe instance now runs in the background in the Citrix VDE. Previously, users could run multiple instances at the same time.

An issue has been fixed where a timeout error message incorrectly displayed when attempting to attach a Blue Prism process to the Citrix VDE after the AppMan.Service.exe had been terminated and restarted.

Messages over 1 KB sent to applications automated in a Citrix VDE no longer cause the AppMan.Service to terminate unexpectedly.

An issue has been fixed where the Blue Prism interactive client stopped responding after initially attaching a Blue Prism process to the AppMan.Service and then closing the AppMan.Service. The availability of the AppMan.Service is now checked before closing Blue Prism.

Previously, if the AppMan.Service was launched and an error occurred, the service terminated but the created tray icon was not removed from the notification area. The tray icon is now correctly removed when the application closes following an error.

An error no longer incorrectly displays if a process in Process Studio is paused after the process has been launched (via a Launch action in a Navigate stage) and before an application (for example, Notepad) is launched on the Citrix VDE.

Previously, an error occurred when attempting to automate an application via a Citrix VDE using a Navigate stage with an Activate window action. This was because the required 32/64-bit Activator files were missing from the Citrix install directory. These files have now been added, so the error no longer occurs.

The View Schedule permission no longer allows users to update configuration options when viewing schedules in Control Room. Previously, some fields were incorrectly enabled for editing, yet errors presented when attempting to save changes.

Resources changed from local to public now successfully display on the Session Management screen in Control Room. Previously, local resources which were updated to public no longer displayed on the user's machine.

The way session information is retrieved on the Session Management screen in Control Room has been updated to call data more efficiently so only one call is made to the database. Previously, duplicate database calls were made for filtered session views.

The Start option on the shortcut menu for the Environment panel on the Sessions screen in Control Room is now disabled for users that do not have the Control Resource permission enabled on their user role. Previously, this option was available to all users, but triggered an error when selected by users without the required permission.

An issue when running the Scheduler reports (such as Recent Activity), from Control Room or via the Command Line, which resulted in a Null Reference Exception error, has been fixed. This intermittently occurred when the report had more than 2000 entries.

An issue has been fixed where a schedule configured with a weekly run and an expiration date in Control Room could sometimes incorrectly run past its set expiration date. In addition, this also ensures that such schedules display correctly in the Scheduler >Timetables list.

When the maximum number of concurrent sessions allocated to a user's license has been reached, scheduled sessions are no longer triggered, and a message to indicate this is added to the schedules log. Previously, if a user created a schedule which assigned a process to multiple resources, sessions were triggered on these resources even if the maximum number of sessions had been reached.

For enhanced security, fields for concealed passwords throughout the user interface and in data tables now display a standardized number of 15 characters to conceal the length of password values. This change has been applied to the following data tables:

• Session variables
• Environment variables

• Collection stages when the field type is Password

• Data items where the field type is Password

• Text fields which automatically conceal inputs, such as the Password field on the Connection Configuration screen.

An issue has been fixed where a database connection error message was incorrectly displayed in the Windows Event Viewer when connecting to a database on an Azure SQL Server.

The Last refreshed on field on the Reporting screen in System Manager no longer includes a time stamp. This is because any configured refresh time is not saved to the database, which means only the default refresh time of 0:00:00 always displayed.

An issue has been fixed where a misleading error message referring to certificate private keys was displayed on the runtime resource window. This happened in error scenarios relating to transport security for Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

The error message now reflects the scenario of the exception being raised.

The following actions are now available when automating Chrome, Edge, and Firefox browsers. Previously, these were only available in Internet Explorer browsers.

The Blue Prism Application Modeller Conversion Tool available on the Digital Exchange could be useful when moving from automating Internet Explorer browsers to integrating with Chrome, Edge, and Firefox browsers. For more details, see Digital Exchange.

Wait stages:

• Check HTML attributes – This ensures that the specified HTML attribute of an element matches the provided value.

• Check URL – This ensures that the URL of the currently loaded document matches the URL of the current browser page.
• Check URL domain – This ensures that the URL domain of the currently loaded document matches the URL of the current browser page.
• Check Value – This checks whether the HTML element is a specific value before progressing to the next step of the process.

Read stages:

• Get Document URL – This ensures that the spied web page returns the full URL of the current browser page.
• Get Document URL domain – This ensures that the spied web page returns the domain of the URL. If the URL domain is not returned within five seconds, an error message displays.
• Count Selected Items – This checks whether the number of items identified in the data properties match the number of items selected in the Data drop-down list.

• Get Selected Item Text – This ensures that the output of the data properties matches the text of the selected item.

• Count Items action – This counts the number of items in a drop-down list and returns the result as an output parameter.
• HTML Snapshot action (at application level) – This takes a snapshot of the HTML Document Object Model (DOM) in the current browser page.

Navigate stages:

• Navigate – This ensures the Blue Prism application navigates to the active tab of a browser based on the provided URL.

• Insert Javascript fragment (at application level) – This inserts the supplied Javascript fragment into the parent document. Previously, this action was only available at element level.

• Invoke Javascript function (at application level) – This calls and executes the supplied Javascript function on the active tab of the browser. Previously, this action was only available at element (child) level.

• Item Value input parameter (within the Select List Item action) – This selects an item in a drop-down list, based on the HTML value attribute.

Users can now activate an application using Microsoft Edge in Internet Explorer (IE) mode in the same way as when using either Edge or Internet Explorer. This is achieved by selecting the Browser-based Application (Internet Explorer) option in Application Modeller, and then pointing to an Edge application. For more details on how to continue to run IE-based processes using Edge in Blue Prism, see Microsoft Edge IE Mode.

An issue has been fixed where, when launching a Chrome, Edge, or Firefox browser, if a window of the same browser was already open, the new window could not be spied using Win32 mode.

Due to changes in Google's extensions platform and the move to Manifest V3, the previously available functionality to insert or invoke JavaScript on web pages via the Chrome or Edge browser extension is no longer available. This is a limitation enforced by Manifest V3 for security reasons. For more details, see the Google documentation. Firefox browser extensions still use Manifest V2 so are not currently affected.

Where existing processes or objects are making use of the insert or invoke JavaScript functionality, we recommend that the design be amended following an upgrade to replace this functionality using standard in‑built features instead. For more information, see this Knowledge Base article and the Manifest V3 Impact Assessment Utility tool.

An issue has been fixed where some actions in the Excel VBO did not always return Unicode characters correctly, for example Chinese (尔) and German (ü). The affected actions were:

• Get Worksheet as Collection Offset
• Get Worksheet Range as Collection

The way Blue Prism retrieves the values has been changed, so Unicode characters will now be returned correctly in the above actions.

A new input parameter, Fetch Data With Method has been added to these actions. The value options for this parameter are:

• Text – The formatted cell's displayed value.
• Value – The value of the cell, with date or currency indicators if the cell has date or currency formatting.
• Value2 – The underlying value of the cell, stripped of any extra information.

The default is Value. This is the same option as used previously in these VBO actions, so existing processes which use these actions will continue to run correctly.

A new endpoint and a GET calendars request have been added, which returns a list of all calendars in the environment.

/api/v7/processes

A new endpoint and a GET processes request have been added, which returns a list of all processes in the environment.

In addition, the following filtering parameters have been implemented:

• processName – Searches by process name.

• description – Searches by description.

• groupName – Searches by group name.

• attributesInclude – Controls which statuses are included in the returned process list. Supported statuses are Retired, Published, and PublishedWebService.

• attributesExclude – Controls which statuses are excluded from the returned process list. Supported statuses are Retired, Published, and PublishedWebService.

• sortBy – Determines how process lists are ordered. The default sort order is by process name, in ascending alphabetical order, with numbers first.

Process lists called from this endpoint are paginated to improve performance when retrieving large data sets. The default limit is 1000 processes per page, but this can be amended using the itemsPerPage parameter.

The GET resources request has been updated to add the ability to filter by Retired status. The default is to search for non-retired resources, but this can be amended using the retirementFilter parameter.

/api/v7/resources/pools

A new endpoint and a GET pools request have been added, which returns a list of resource pools. The request will not return a pool if the user querying the endpoint does not have permissions for the relevant group which contains the pool.

/api/v7/schedules

A new POST schedules request has been added, which creates a new schedule definition. This request can also be used to clone schedules. This is achieved using the copyFrom parameter, where users specify which schedule to clone. The cloned schedule will be created and the name prefixed with 'Copy of'.

/api/v7/schedules

/api/v7/schedules/{scheduleId}

/api/v7/schedules/{scheduleId}/tasks/{taskId}

The validation for the POST and PUT requests have been updated. The maximum character limit for task and schedule description fields has been increased to 32,767 to align with the Blue Prism interactive client.

/api/v7/schedules/{scheduleId}

A new PUT schedules request has been added, which amends an existing schedule.

/api/v7/schedules/{scheduleId}/sessions

A DELETE running schedule request has been added, which gives the user the ability to stop a running schedule. When used, any active sessions created by the schedule that are running will be set to terminated status and the current instance of the schedule will be stopped, preventing any further associated tasks from being performed.

/api/v7/schedules/{scheduleId}
/tasks

A new endpoint has been added, which includes the following requests:

• GET schedule tasks – Returns a list of tasks for the specified schedule ID.
• POST schedule tasks – Creates a task for the specified schedule ID.

/api/v7/schedules/{scheduleId}
/tasks/{taskId}

A new endpoint has been added, which includes the following requests:

• GET schedule tasks – Returns the details of a specific schedule task.

• PUT schedule tasks – Amends an existing schedule task.

• DELETE schedule tasks – Deletes a scheduled task. Deleted tasks are recorded in the audit table.

/api/v7/schedules/{scheduleId}/tasks/{taskId}/sessions/{sessionId}

A new DELETE schedule sessions request has been added, which deletes a scheduled task session.

/api/v7/schedules/{scheduleId}/tasks/{taskId}/sessions

A new GET schedule sessions request has been added, which returns a list of the scheduled sessions for a specified task.

This is the same functionality as the GET request for the existing /api/v7/schedules/tasks/{taskId}/sessions endpoint, which will be deprecated in a future release.

A new POST schedule sessions request has been added, which creates a scheduled session for a specified task.

A new endpoint has been added, which includes the following requests:

• GET schedule session parameters – Returns start-up parameters for a scheduled task session.
• PUT schedule session parameters – Assigns the start-up parameters for a scheduled task session. When parameters are passed in the request, validations are performed on the parameter name, type, and quantity.

/api/v7/schedules/logs

Logs retrieved from this endpoint can now be filtered by scheduleName and serverName parameters. This endpoint is being deprecated and will be removed in future release.

/api/v7/scheduleLogs

A new endpoint and GET schedule logs request has been added, which returns all the times a schedules has been run.

This is the same functionality as the GET request for the existing /api/v7/schedules/logs endpoint, which will be deprecated in a future release.

/api/v7/scheduleLogs/{scheduleId}

A new GET schedule logs request has been added, which returns all logs for the specified schedule.

This is the same functionality as the GET request for the existing /api/v7/schedules/{scheduleId}/logs endpoint, which will be deprecated in a future release.

/api/v7/sessions

Users can now instruct a digital worker to run processes via a new POST sessions request. The endpoint creates a new session for the specified resource ID and process ID.

/api/v7/sessions/{sessionId}

A PATCH sessions request has been added, which updates a session. This endpoint can be used to immediately run sessions by updating the session status.

/api/v7/sessions/{sessionId}/parameters

A new GET session parameters request has been added, which returns a list of start-up parameters, and their values, for a specified session.

Users without permission to a resource, or related processes, cannot access parameter details.

A new PUT session parameters request has been added, which updates the start-up parameters for the specified session.

A new endpoint and GET timezones request has been added, which returns a list of all time zones in the environment.

/api/v7/workqueues/{workQueueId}/items/batch

A new batch POST workqueue items request has been added, which allows users to create multiple work queue items at a time.

This is the same functionality as the POST request for the existing /api/v7/workqueues/{workQueueId}/items endpoint, which will be deprecated in a future release.

/api/v7/workqueues/{workQueueId}/items/{workQueueItemId}

A new endpoint and a GET workqueue item request have been added, which returns details of a specified item from a work queue.

This is the same functionality as the GET request for the existing /api/v7/workqueues/items/{workQueueItemId} endpoint, which will be deprecated in a future release.

/api/v7/workqueues/{workQueueId}/items

The GET workqueue items request has been updated to add the ability to filter by State. The filter is disabled by default, but this can be amended using the state parameter.

N/A

Responses returned from the API now include a new bp-api-version header, which contains the current version number of the API. For Blue Prism API 7.1.0, this version number is: 7.1.0.0.

An issue has been resolved whereby sessions and resources associated with pool members were not returned for users who did not have the System Administrator role assigned.

The error message displayed when an API user is not correctly mapped to an Authentication Server user has been improved to be more informative. Previously, the error message only stated that an unknown failure had occurred.

The GET request for the /api/v7/sessions/{sessionId} endpoint has been updated to remove unnecessary permission checks, and to align with the other /sessions endpoints. Previously, the request incorrectly required the Audit - Process Logs or Audit - Business Object Logs permissions.

The responses returned from the GET /api/v7sessions request have been improved for users without correct permissions. Previously, the request succeeded but returned an empty list of items, now a 403 response code is returned as expected.

The responses returned from the /api/v7/resources/{resourceId} request have been improved for users without correct permissions. Previously, PUT requests returned a 404 response code, now a 403 response is returned as expected.

The responses returned from the /api/v7/resources/{resourceId} request have been improved when attempting to retire a resource which is online. Previously, PUT requests returned a 500 response code, now a 409 code with the message "This resource is currently online and cannot be retired" is returned to align with the Blue Prism interactive client.

Date range validations have been added to the sessions and schedule logs endpoints, such as confirming start times are before end times.

The POST /api/v7/workqueues/{workQueueId}/items and GET /api/v7/workqueues/{workQueueId}/items/{workQueueItemId} endpoints have been updated to return error messages for work queues that have an application server-based encryption key. Only work queues that are not encrypted, or use database-based encryption keys, can use these endpoints. The Blue Prism API reference now includes more detailed information regarding this limitation.

The /api/v7/resources/{resourceId} endpoint now returns a 404 response code if an invalid resource ID is passed in the request.

The error handling has been improved for requests which do not contain request body content. Previously, the endpoints returned a 400 response code, and now return a 500 code. This has been updated for the following endpoints:

• PUT /api/v7/resources/{resourceId}

• POST /api/v7/schedules/{scheduleId}/tasks

• POST /api/v7/schedules/{scheduleId}/tasks/{taskId}/sessions

• PUT /api/v7/schedules/{scheduleId}/tasks/{taskId}/scheduledSessionParameters

• PUT /api/v7/schedules/tasks/{taskId}

• POST /api/v7/schedules/{scheduleId}/sessions

• PUT /api/v7/sessions/{sessionId}/parameters

• POST /api/v7/workqueues/{workQueueId}/items

• POST /api/v7/workqueues

• POST /api/v7/resources/{resourceId}/sessions

Work queue items with Locked status are now shown correctly when returned from the /api/v7/workqueues/items/{workQueueItemId} or /api/v7/workqueues/{workQueueId}/items/{workQueueItemId} endpoints. Previously, locked items were returned with the status Pending.

The GET Sessions request has been updated to add validations to parameter values. This resolves issues with 500 response errors when non-numerical values were passed in the sessionNumber parameter.

The guidance in the OpenAPI v3 specification for PUT requests using the /api/v7/resources/{resourceId} endpoint has been updated to provide more detail on how the endpoint can be used to retire or unretire a specified resource.

The OpenAPI v3 specification has been updated to align the handling of datetime elements with the API requests.

Corrected the permission required by the PUT /api/v7/resources/{resourceId} endpoint from Control Resource to Configure Resource.

The CefSharp Chromium browser used to present login dialogs has been replaced with WebView2 to deliver embedded browsers more securely, as is required for Authentication Server login.

The WebView2 runtime must be installed locally on any machine that runs the interactive client so users can sign into Authentication Server. For more details, see https://docs.microsoft.com/en-us/microsoft-edge/webview2/concepts/distribution.

The AutomateC mapping tool can now only be used to add Blue Prism users into the Authentication Server database; or map existing Blue Prism users to existing Authentication Server users.

• Authentication Server users can no longer be added automatically to Blue Prism via the mapping tool. Selected Authentication Server users are now only added to Blue Prism at the time when they are assigned to a role via the Role Membership dialog.

• Authentication Server users can no longer be mapped to Blue Prism users that do not exist. If an administrator using the AutomateC mapping tool does not enter a Blue Prism username in the CSV file, but enters an Authentication Server User ID, an error message displays to the user.

Administrators can now create CSV file templates containing pre-populated data from the Blue Prism and Authentication Server databases for mapping users between the two databases. Two new parameters have been added to the AutomateC command line tool for this purpose: /getblueprismtemplateforusermapping <pathtooutputfile> /user <adminuser> <adminpwd> and /getauthenticationservertemplateforusermapping {outputpath}. The Authentication Server - Map users permission required to run these commands is assigned by default to system administrators on the Security - User Roles screen  in the Blue Prism interactive client.

The Authentication Server Integration tab on the Blue Prism Server Configuration Details screen has been updated as follows:

• Users no longer need to create a credential on the Security - Credentials screen in the Blue Prism interactive client to store the Client ID and Client Secret values of the service account used to connect to Authentication Server. The Client ID and Client Secret values can now be entered directly in the Authentication Server Integration tab on the Blue Prism Server Configuration Details screen under a new Client Details section. The Authentication Server credential drop-down field has also been removed from the Security - Sign-on Settings screen.

  These changes have been made because the requests to the RabbitMQ message broker are made from the server and there can be more than one server pointing to a single Blue Prism database.

  Users who previously configured these settings in Blue Prism 7.0 will need to add the client ID and client secret of the associated service account on the Server Configuration Details screen for each Blue Prism application server service in the deployment.

  While it is recommended that the client ID and secret are different on all servers, multiple servers in the same environment are permitted to use the same values.

• A new Test connection button can be used to check that the specified values for the broker settings are valid before administrators enable the connection to the message broker via the Enable connection check box. A message displays to help users diagnose issues with the connection if the settings are not deemed valid.

• A message now displays if invalid characters have been entered in the Environment Identifier field prompting the user to enter a valid set of characters and spaces. Previously, if any invalid characters were entered, an error occurred when attempting to create the message queue.

A new Synchronize users with Authentication Server option is available when clicking the menu button on the Security - Users screen in the Blue Prism interactive client. This allows data between the Blue Prism and Authentication Server databases to be manually synchronized outside of the RabbitMQ update schedule in the event of any service disruption. When selected, this will:

• Add any new Authentication Server service accounts to the Blue Prism environment.

  Authentication Server users are not added to the Blue Prism environment when using this option, they must be manually assigned to a Blue Prism role on the Role Membership screen, see the Authentication Server configuration guide. This is to prevent large numbers of Authentication Server users who do not need access to Blue Prism (for example, Interact users), from being added into the Blue Prism database.

• Retire users and service accounts that have been retired in the Authentication Server database in the Blue Prism environment as well.

• Restore any users and service accounts in the Blue Prism environment that have been unretired in the Authentication Server database.

To use this option, the interactive client must be connected via a Blue Prism server.

Hub users are now prevented from accessing the Control Room plugin if the User login via Authentication Server option on the Security - Sign-on Settings screen in the Blue Prism interactive client has not been selected.

• Automatic synchronization of user accounts between Authentication Server and the Blue Prism application server still requires user authentication via Authentication Server to be enabled, whereas service accounts are still synchronized even when user authentication via Authentication Server has not been enabled.
• Previously, the synchronization would incorrectly not occur if the User login via Authentication Server option was not enabled on the Security - Sign-on Settings screen.

A message now informs users that all user authentication will occur via Authentication Server if they select the User login via Authentication Server option, enter an Authentication Server URL and click Apply on the Security - Sign-on Settings screen.