Changelog
For a brief overview of the changes, see our Release notes.
For information on upgrading from previous versions, see the Atoti Limits Migration Notes.
4.0.3
2025-05-16
Added
Issue Key | Details |
---|---|
LIM-1488 | Moved the IAuthenticatedLimitsUserService to limits-common and created a new implementation in limits-activeviam to assist with tasks requiring unrestricted access to Atoti Limits data. |
Changed
Issue Key | Details |
---|---|
LIM-1622 | Changed the default DataLoadController to use an implementation that delegates the security context to the spawned threads. |
Deprecated
Issue Key | Details |
---|---|
LIM-1611 | The ILimitsActivitiAuthenticationManager and the getWithAuth(...) methods in IWebClientService are no longer used and have been deprecated and marked for removal in the next minor release. |
Fixed
Issue Key | Details |
---|---|
LIM-1550 | Fixed an issue where users with the ROLE_CREATE_ANY_LIMIT permission role were blocked when attempting to create a limit via the UI or REST. |
LIM-1611 | Fixed an issue where JWT authentication was not being used when accessing Activiti or when querying the content server. |
Known issues
Issue Key | Details |
---|---|
BAS-1330 | Deleting the last limit value deletes the limit structure. As a workaround, don’t delete all limits on a limit structure unless you are sure that the structure won’t be used again. Alternatively, if you do need to reuse the structure, you can create a limit on it using the endpoint /modules/limits-module/limits/rest/v2/limitDefinition/limits/save. The key of the limit structure will still be visible in the admin-ui. |
LIM-846 | Complex Scopes: Currently, a limit with an aggregated scope and a limit with a non-aggregated scope cannot be created on the same limit structure. As a workaround, create the limits on two separate structures. |
LIM-840 | Complex Scopes: Currently, limits can’t be defined with an aggregated scope location and another scope location. As a workaround, create two separate limits on two separate structures. |
LIM-813 | Managers can incorrectly upload Limit Structures through the REST endpoint. |
LIM-594 | Having email notifications enabled for breaches causes decreased limit evaluation performance. See Configuring the breach email on how to disable breach emails. |
LIM-357 | The Six Eyes workflow is currently not implemented. |
LIM-346 | Limits on calculated measures only work through File Upload, not through the UI. |
LIM-320 | Calculated measures need to be included in Pivot Table Query in order to view a Limit’s KPI in the Pivot Table. See Measures for more on how to create a query for Limits on calculated measures. |
4.0.2
2025-03-28
Added
Issue Key | Details |
---|---|
LIM-1481 | Added RestTemplate and RestClient beans in the connection modules when sending requests to Atoti Limits and reduced the number of requests sent between the application server and Atoti Limits. |
Changed
Issue Key | Details |
---|---|
LIM-1552 | Only required folders are now fetched from the connected server when resolving calculated measures. |
LIM-1560 | Use one global CalculatedMeasuresResolver to speed up queries on limits on calculated measures. |
LIM-1563 | Performance improvements for creating, updating, and evaluating limits. |
Known issues
Issue Key | Details |
---|---|
BAS-1330 | Deleting the last limit value deletes the limit structure. As a workaround, don’t delete all limits on a limit structure unless you are sure that the structure won’t be used again. Alternatively, if you do need to reuse the structure, you can create a limit on it using the endpoint /modules/limits-module/limits/rest/v2/limitDefinition/limits/save. The key of the limit structure will still be visible in the admin-ui. |
LIM-846 | Complex Scopes: Currently, a limit with an aggregated scope and a limit with a non-aggregated scope cannot be created on the same limit structure. As a workaround, create the limits on two separate structures. |
LIM-840 | Complex Scopes: Currently, limits can’t be defined with an aggregated scope location and another scope location. As a workaround, create two separate limits on two separate structures. |
LIM-813 | Managers can incorrectly upload Limit Structures through the REST endpoint. |
LIM-594 | Having email notifications enabled for breaches causes decreased limit evaluation performance. See Configuring the breach email on how to disable breach emails. |
LIM-357 | The Six Eyes workflow is currently not implemented. |
LIM-346 | Limits on calculated measures only work through File Upload, not through the UI. |
LIM-320 | Calculated measures need to be included in Pivot Table Query in order to view a Limit’s KPI in the Pivot Table. See Measures for more on how to create a query for Limits on calculated measures. |
4.0.1
2025-02-05
Added
Issue Key | Details |
---|---|
LIM-1378 | Added an ILimitsCacheService to store structures/limits that exist on the business server to speed up evaluations. |
LIM-1531 | Added a property limits.cube.scope-hierarchies-enabled that can be used to disable scope hierarchies to improve loading performance for large cardinalities of limit scopes. |
Changed
Issue Key | Details |
---|---|
LIM-1469 | Use the IConfigurationService instead of REST requests to execute MDX statements when creating Atoti Limits calculated measures to improve performance. |
LIM-1525 | Improved performance of limit evaluations by skipping unnecessary retrieval of limit workflow information. |
Deprecated
Issue Key | Details |
---|---|
LIM-1378 | The LimitsRetriever class and the limits/rest/v2/limitDefinition/limitsDefinitionStoreQuery endpoint are no longer used and are deprecated in favor of the ILimitsCacheService. They will be removed in version 4.1.0. |
Removed
Issue Key | Details |
---|---|
LIM-1407 | limits-activeviam no longer has a dependency on limits-integration-common. Classes previously imported from limits-integration-common are now imported from limits-common. |
Fixed
Issue Key | Details |
---|---|
LIM-1335 | Fixed an issue where data permissions in Atoti Limits were not applied to the KPIs and calculated members created by the module in the business cube. |
LIM-1483 | Fixed an issue where KPIs were not refreshed after restarting Atoti Limits in persistent mode. |
LIM-1492 | Fixed an issue where Atoti Limits calculated measures were being created on connected server KPIs that did not belong to Atoti Limits. |
LIM-1498 | Fixed an issue where the connected application would not start if Atoti Limits Auto-configuration was disabled via limits.autoconfiguration.enabled=false. |
LIM-1510 | Fixed an issue where the structure scope search can overflow the popover. |
LIM-1512 | Fixed an issue where KPIs were not being created unless restricted users were defined. |
LIM-1518 | Fixed an issue where warning thresholds were not being correctly evaluated. |
LIM-1521 | Fixed an issue that prevented limits from being created on nested calculated measures. |
LIM-1522 | Fixed an issue where generated IDs for limits created via the UI could collide with IDs for limits created via file upload if the uploaded limits respected the ordering of the generated IDs. |
LIM-1530 | Fixed an issue where the evaluation error popover could overflow to the end of the screen. |
Known issues
Issue Key | Details |
---|---|
LIM-1450 | Deleting an official limit makes the associated temporary limits invisible in the table. As a workaround, delete the temporary limit first. |
LIM-1426 | Incidents workflows are not created/updated when modified via the IncidentCrudService. This does not apply on evaluation. |
LIM-1309 | Wildcards and exclusive scopes are not handled by the IScopeRetrievalService default implementation. This affects the members visible in the scope level name and scope level member hierarchies, but only applies if exclusive scopes are used. |
BAS-1330 | Deleting the last limit value deletes the limit structure. As a workaround, don’t delete all limits on a limit structure unless you are sure that the structure won’t be used again. Alternatively, if you do need to reuse the structure, you can create a limit on it using the endpoint /modules/limits-module/limits/rest/v2/limitDefinition/limits/save. The key of the limit structure will still be visible in the admin-ui. |
LIM-846 | Complex Scopes: Currently, a limit with an aggregated scope and a limit with a non-aggregated scope cannot be created on the same limit structure. As a workaround, create the limits on two separate structures. |
LIM-840 | Complex Scopes: Currently, limits can’t be defined with an aggregated scope location and another scope location. As a workaround, create two separate limits on two separate structures. |
LIM-813 | Managers can incorrectly upload Limit Structures through the REST endpoint. |
LIM-594 | Having email notifications enabled for breaches causes decreased limit evaluation performance. See Configuring the breach email on how to disable breach emails. |
LIM-357 | The Six Eyes workflow is currently not implemented. |
LIM-346 | Limits on calculated measures only work through File Upload, not through the UI. |
LIM-320 | Calculated measures need to be included in Pivot Table Query in order to view a Limit’s KPI in the Pivot Table. See Measures for more on how to create a query for Limits on calculated measures. |
4.0.0
2024-11-20
Added
Issue Key | Details |
---|---|
LIM-468 | The default format for KPI Goal values can now be configured using the limits.cube.format.kpi-goal property. |
LIM-987 | You can now drill down by a limit scope’s level name and level values in a pivot table. |
LIM-1045 | Updated Atoti Server to version 6.1.1. This includes the upgrade of artifacts required to connect to 6.1.1 versions of Atoti Server. |
LIM-1155 | Added an IScopeRetrievalService and a default implementation, facilitating granular querying of the scopes stores by passing a level or a member. |
LIM-1199 | Limits CSV files can now contain Simplified Scopes. |
LIM-1200 | An “Available Amount” and “Utilization %” measure for each KPI has been added to the limits-auto-config, calculating the difference and quotient between a KPI’s goal and the KPI’s value, respectively. |
LIM-1205 | Added a property to configure whether or not filters are applied on evaluation. |
LIM-1234 | Added support for permission-based data access depending on the user’s role. See Data access permissions. |
LIM-1268 | Moved core configuration classes from limits-activeviam to limits-starter. |
LIM-1275 | Added debug logs when evaluating Atoti Limits KPIs detailing eligible limits, exposures, and evaluation location. |
LIM-1299 | Added connector artifacts for versions of Atoti Server running on Java 11. |
LIM-1302 | Added support for restricting access on scopes in the role permissions. |
LIM-1318 | Updated the Workflow Common Library to version 2.4.1 and H2 to version 2.2.220 to fix CVEs. |
LIM-1324 | Pagination has been added to the Limits viewer. |
LIM-1328 | Added new matchMode values for scopes to support more flexible retrievals in the IScopeRetrievalService. For details, see Match mode. |
LIM-1339 | Added permission roles to control user access to UI actions. |
LIM-1340 | Permission roles are now enforced on REST requests, blocking the action from being processed by the server if the user does not have the required permissions. |
LIM-1341 | Permission roles for the workflow actions of approving/rejecting limits and processing incidents are now supported. |
LIM-1345 | Improved performance in the Limits viewer screen by using the ScopeCacheService to help retrieve scope objects. |
LIM-1355 | Added /limits/rest/v2/limitDefinition/limits/status/get endpoint to get limits status & server setting to include status for limit structures. |
LIM-1357 | Added new property to set the default-scope-match-mode for scope permissions. |
LIM-1369 | Added new property to set the owner role(s) for KPIs and calculated members Limits creates in connected Atoti servers. This property is optional and can be auto-configured. |
LIM-1373 | Updated Data Connectors to version 4.2.0-AS6.1. |
LIM-1377 | Added a service in the connected servers to be triggered on limit events. See Sending events to your connected server. |
LIM-1382 | Atoti Limits has been upgraded to Atoti Server 6.1.1. The 6.0.X and 6.0.X-sb3 modules have been upgraded to use Atoti Server 6.0.17 and 6.0.17-sb3 respectively. |
LIM-1390 | Permissions for uploading/downloading limits are now supported. |
LIM-1395 | Added Alive field to the Limits store to indicate if a limit is active or deleted/expired. |
LIM-1356 | Separate loading of workflow statuses by setting -Dlimits.workflow.workflow-status-fetched-with-limit=false. |
LIM-1418 | The datepicker for the limit start date in the Limits viewer screen now defaults to the server’s as of date. |
LIM-1449 | Added re-evaluate action for reviewed incidents to allow them to be re-evaluated. |
LIM-1466 | Updated Common Library to version 2.1.0-AS6.1. |
Changed
Issue Key | Details |
---|---|
LIM-1033 | Maven artifact groupIDs have been renamed from com.activeviam.limits to com.activeviam.solutions.limits to align with other ActiveViam Business Solutions. |
LIM-1096 | KpiCrudService and KpiCrudRestService have been updated, separating the two classes into a Spring Service and a REST Controller wrapper. |
LIM-1257 | Improved handling of workflow-related exceptions so better information is provided in UI responses. |
LIM-1276 | The limits-auto-config API has been improved. For more information see Atoti Java. |
LIM-1298 | Improved property handling in Atoti Limits auto-configuration. |
LIM-1300 | Modified properties of LimitsWorkflowConfigurationProperties to add a new token. Root for these properties is now limits.workflow. |
LIM-1304 | The “DTO” suffix has been removed from Java objects that were not pure data transfer objects. |
LIM-1310 | “Complex scopes” have been renamed to “Advanced scopes”. |
LIM-1314 | Improvements have been made to the validation framework. See the custom validator page for more information. |
LIM-1323 | Improved performance of filters in Limits tables. |
LIM-1344 | The ILimitsRetrievalService methods have been updated and the implementation modified to avoid executing methods recursively and to reduce the number of transactions in methods. For more details, see Changes to IlimitsRetrievalService. |
LIM-1359 | The limits-shared-properties module has been renamed to limits-common and the limits-lookup-postprocessors modules have been merged into the limits-integration and limits-common modules. |
LIM-1410 | Merged RemoteLimit, RemoteLimitEntity and LimitGoal into the new SimpleLimit class. |
Removed
Issue Key | Details |
---|---|
LIM-285 | Between and Not Between KpiTypes have been disabled. For more information, see Removing Between and Not Between KPI types. |
LIM-658 | The properties for the Atoti Limits content server have been removed as they are no longer used. |
LIM-1231 | The manual configuration has been removed in favor of auto-configuration. |
LIM-1274 | private_ and internal imports have been removed from Atoti Limits. |
LIM-1312 | Removed support for Atoti Server version 5.11 as it is no longer supported by ActiveViam. |
Fixed
Issue Key | Details |
---|---|
LIM-1303 | Fixed the admin-ui database tab by adding @EnableWebMvc and removing custom message converters. |
LIM-1308 | Utilizations represented as strings as well as special or undetermined numbers are now handled correctly. |
LIM-1325 | Fixed the scope selector overflowing the popover for large lists of scope members. |
LIM-1349 | Removed the incorrect usage of the thread pool when creating/dropping KPIs in the KpiCrudService. |
LIM-1358 | Updated calculated member creation to set ROLE_USER as the default owner and reader so all users can see the measures. |
LIM-1366 | Fixed issue with evaluation errors not being cleared when retrying the evaluation. |
LIM-1371 | Limits are now correctly evaluated via the Inventory screen or REST services when cube filters are disabled. |
LIM-1375 | The “Available amount” and “Utilization perc.” measures are now available for limits created both on startup and at runtime. |
LIM-1413 | Removing the row(s) on the last page of the Limits Viewer table will no longer result in a table with an empty page. This includes deleting limits and canceling limit creation. |
LIM-1416 | The Re-Evaluate icon for incidents in the Status screen is now disabled for users with no permission to evaluate limits. |
LIM-1429 | Fixed an issue where restarting Atoti Limits in persistent mode did not restore the object and workflow states. |
LIM-1430 | Corrected Limits roles documentation for roles that were previously prefixed by GROUP_, but are now prefixed by ROLE_. |
LIM-1439 | Fixed the Limits viewer column configurator allowing reordering columns. |
Known issues
Issue Key | Details |
---|---|
LIM-1450 | Deleting an official limit makes the associated temporary limits invisible in the table. As a workaround, delete the temporary limit first. |
LIM-1426 | Incidents workflows are not created/updated when modified via the IncidentCrudService. This does not apply on evaluation. |
LIM-1309 | Wildcards and exclusive scopes are not handled by the IScopeRetrievalService default implementation. This affects the members visible in the scope level name and scope level member hierarchies, but only applies if exclusive scopes are used. |
BAS-1330 | Deleting the last limit value deletes the limit structure. As a workaround, don’t delete all limits on a limit structure unless you are sure that the structure won’t be used again. Alternatively, if you do need to reuse the structure, you can create a limit on it using the endpoint /modules/limits-module/limits/rest/v2/limitDefinition/limits/save. The key of the limit structure will still be visible in the admin-ui. |
LIM-846 | Complex Scopes: Currently, a limit with an aggregated scope and a limit with a non-aggregated scope cannot be created on the same limit structure. As a workaround, create the limits on two separate structures. |
LIM-840 | Complex Scopes: Currently, limits can’t be defined with an aggregated scope location and another scope location. As a workaround, create two separate limits on two separate structures. |
LIM-813 | Managers can incorrectly upload Limit Structures through the REST endpoint. |
LIM-594 | Having email notifications enabled for breaches causes decreased limit evaluation performance. See Configuring the breach email on how to disable breach emails. |
LIM-357 | The Six Eyes workflow is currently not implemented. |
LIM-346 | Limits on calculated measures only work through File Upload, not through the UI. |
LIM-320 | Calculated measures need to be included in Pivot Table Query in order to view a Limit’s KPI in the Pivot Table. See Measures for more on how to create a query for Limits on calculated measures. |
Open CVEs
Issue | Status | Details | Impacting | Product impact | Workaround | Fix expected |
---|---|---|---|---|---|---|
CVE-2024-38821 | Critical | Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: it must be a WebFlux application; it must be using Spring’s static resources support; and it must have a non-permitAll authorization rule applied to the static resources support. | org.springframework.security:spring-security-web | Low. Atoti Server does not ship sensitive static assets, only the stock UI and the necessary config files. All sensitive information is handled in the backend. | Use an alternative provider for static resources, like Nginx, at the cost of a more complex security configuration in the Java application. | Yes, once Atoti Server is updated to the next version |
CVE-2024-28752 | Critical | An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3, and 3.5.8 allows an attacker to perform SSRF-style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default data binding) are not impacted. | org.apache.cxf:cxf-core | Low. This CVE is present in the limits-atoti-server-60-sb3 artifact which is only intended for testing purposes. | Upgrade to the latest version of Atoti Server. | No, as this CVE only exists in an artifact intended for testing purposes. |
CVE-2022-1471 | Critical | SnakeYaml’s Constructor class, which inherits from SafeConstructor, allows any type to be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A ConstructorException is thrown, but only after a malicious payload is deserialized. | org.yaml:snakeyaml | Low. This CVE is present in the limits-atoti-server-60 artifact which is only intended for testing purposes. | Upgrade to the latest version of Atoti Server. | No, as this CVE only exists in an artifact intended for testing purposes. |
CVE-2016-1000027 | Critical | Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. | org.springframework:spring-web, com.activeviam.activepivot:activepivot-server-spring | Low. Only applies to Atoti Server version 6.0.x artifacts. Remote invocation is used for services defined by com.qfs.server.cfg.impl.ActivePivotRemotingServicesConfig. They can be optionally imported and are historically required for ActivePivotLive, an old abandoned version of AtotiUI. | Do not import com.qfs.server.cfg.impl.ActivePivotRemotingServicesConfig in projects. | No, as the only fix is migrating to Spring 6 by upgrading your connected server to Atoti Server version 6.0.x-sb3 or higher. |