General Enhancements and Changes
Summary
The following enhancements and changes have been made as part of the 2025.2 update:
- Rhino has been upgraded to version 1.8.0, giving developers access to newer language features for improved solutions when coding in JavaScript. For details, refer to the Rhino support web site at https://mozilla.github.io/rhino/compat/engines.html.
- The 'Test & Time Business Rule' dialog now supports the ability to select any object type in the 'Test Object' parameter. Previously, business rules could only be tested against products, assets, entities, and classifications. This enhancement allows users to test any object type in the system, such as attributes and lists of values, that is valid for the business rule being tested. For more information, refer to the Testing a Business Rule topic in the Business Rules documentation.
- The 'STEP Extension API Guide' has been updated to include examples that work with Java 21 and instructions for updating existing components. Refer to the Technical Documentation accessible at [system]/sdk or from the Resources section of the system's Start Page.
- The Change Package 'Before Install' and 'Install Preview' columns have been improved to eliminate false positives due to comments in the detailed 'Compare Package Contents' dialog, especially when using Git. For details, refer to the Statuses and Discrepancies in Change Package Items topic in the Configuration Management documentation.
- The 'Reset Multifactor Authentication' option, accessible by right-clicking the user, is now enabled to allow a configuration reset based on the 'Multifactor Authentication Required' parameter being set on the user group or on one of its parents' user groups. Refer to the Multifactor Authentication topic in the System Setup documentation.
- Several system setup actions now properly generate events. These actions include: create / modify / delete Setup Group, modify / delete Web UI, modify JavaScript in Business Rules, changes to privileges for Action Set and User Group, and user added / removed from User Group. Refer to the Core Events topic in the System Setup documentation.
- The 'Started By' column has been removed from all subprocesses on the Elasticsearch Reindexing tab and will now only appear on the parent process. Refer to the Elasticsearch Index Publishing topic in the System Setup documentation.
- Updated Kafka connection authentication for DaaS.
- New warning messages appear when approaching the memory limit for sandbox environments.
- The automatic deletion of obsolete image cache files has been optimized. Additionally, with STEP 2025.2, existing image cache files will automatically migrate to new and more efficient storage. This migration will not have a performance impact. Refer to the Image Cache Processing Plugin Parameters and Triggers topic in the System Setup documentation.
- The Execute Business Action for Event Batch event processor now allows for triggering events in the Main and/or the Approved workspaces. This improvement adds the Triggering Workspace parameter for batches, aligning with existing functionality on the Execute Business Action event processor. Refer to the Execute Business Action for Event Batch Processing Plugin Parameters and Triggers topic in the Data Exchange documentation.
- For the event-based outbound integration endpoints (OIEPs) or event processors (EPs), change flags for externally maintained attributes are now present whether the attribute is defined as a triggering element at the attribute level or via attribute groups. Previously, change flags were only available if the triggering element was an attribute group linking the externally maintained attributes. Refer to the 'Change Flags for Events' section of the Core Events topic in the System Setup documentation.
- The background process (BGP) storage functionalities and mechanisms are enhanced to improve execution and performance. While existing BGP UI functionality is unchanged, intermediate BGP files are now accessible only through APIs and the user interface. The feature is being rolled out gradually to SaaS environments and is not immediately available to all customers.
These enhancements and changes are also included in the 2025.2 update and are described in the Details section that follows:
- Reflection in JavaScript business rules will be disabled with the 2025.3 update. Refer to the Details section below to find information on how to identify rules that need to be rewritten before reflection is disabled.
- The JavaScript API methods have been enhanced to support new asset actions, user and group deletions, system name access, and improved exception handling for event triggers in workflows. Additionally, 'NULL' arguments are now valid for 'queryReferences(refType)'.
- A new healthcheck reports file system access by JavaScript business rules. This informs users about business rules that should be modified in preparation for the future prevention of file system access.
- A new healthcheck alerts users to deprecated Stibo Systems methods used in JavaScript business rules. These methods, found in both public and private APIs, will be gradually removed in future updates. Admins can use the new healthcheck to identify business rules that should be updated for long-term stability.
- The new 'Deactivated' user functionality allows inactive users to be excluded from the licensed number of users, while retaining all settings and log information for potential reactivation. This feature ensures that user management is more efficient and flexible, accommodating changes in user activity.
- Alternate user IDs longer than 40 characters are now supported in environments with external authentication, such as OAuth or SAML. This enhancement allows seamless use of unique User Principal Names (UPNs) with Active Directory. Additionally, the unique Key functionality is now available for User objects which prevents duplicate alternate user IDs.
- The Globally Configured Unfolding Data Container now supports help text for attributes, providing user guidance on attribute population. Users are encouraged to transition from the Globally Configured Data Container component to the Globally Configured Unfolding Data Container component for an enhanced experience.
- The product data onboarding offering has been extended to also support Enhanced Content Delivery.
Details
Use of reflection in JavaScript business rules will be disabled in 2025.3
In JavaScript business rules, reflection has been used to access non-public methods in the API. Since reflection can be a security risk and can also potentially lead to performance issues and unexpected issues during upgrade, it will be disabled with the 2025.3 update.
With the 2023.3 update, a Configuration healthcheck 'Reflection usage in business rules' was made available. It identifies business rules that use reflection, and a warning with the text 'Attempted to call reflection API...' is written to the step.0.log. To prepare for restricted access of reflection usage, rewrite the reported business rules to use publicly available methods. If the needed functionality is not public, create an idea in Community or reach out to your Stibo Systems representative.
For information on the healthcheck, refer to the Healthcheck Test Index topic in the Performance Analysis documentation.
Updates to the JavaScript API
The JavaScript Asset method can now use:
- Asset.hasContent() to verify that an asset has content.
- Asset.getContent() to retrieve content from an asset.
The JavaScript AssetContent method can now use:
- AssetContent.isLocal() to check that asset content is local in the current viewing context.
- AssetContent.delete() to delete asset content.
The JavaScript SystemInformation Manager.getSystemInformation() method now gives access to the system name as follows:
interface SystemInformation { String getSystemName() }
The following JavaScript methods now allow users and groups to be deleted. This improvement matches functionality that is available with existing REST methods.
- com.stibo.core.domain.Group
- com.stibo.core.domain.User
Improved exception handling is now available in the JavaScript methods:
- TriggerResult triggerByID(String taskEventID, String message)
- void triggerLaterByID(String taskEventID, String message)
The following methods have been made available for 'ReferenceTypeHome':
- getProductReferenceTypes
- getClassificationReferenceTypes
- getAssetReferenceTypes
- getEntityReferenceTypes
'NULL' arguments are now accepted for the 'queryReferences(refType)' JavaScript API call. This change makes querying the server for lists of references much easier.
For more information, refer to the Javadoc that is linked in the 'Scripting API' section of the Technical Documentation accessible at [system]/sdk or from the Resources section of the system's Start Page.
File system access by a JavaScript business rule
As first reported in the 2024.3 Update Guide, a future update will disable opening files from business rules to prevent improper access that could unintentionally lead to system instability or security issues.
To assist users in identifying JavaScript business rules that access the file system, the new 'Javascript file access' healthcheck will report business rules that potentially accessed the file system in the past seven (7) days. Users should explore alternative methods to achieve the desired outcome without using the file system.
For more information, refer to the Healthcheck Test Index topic in the Performance Analysis documentation.
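A static pre-check that complements the 'Reflection usage in business rules' and 'Javascript file access' healthcheck sections above, added here as an example and not part of Stibo Systems' tooling or this guide. It scans exported business rule source for Java reflection and file APIs, so it can also surface rules that have not run within the file access healthcheck's seven-day window; the patterns, rule IDs and sample rule bodies are constructed assumptions.

```javascript
// Added example: static pre-check of business rule source; not a Stibo Systems tool.
// The patterns below are assumed heuristics for Java APIs reachable from Rhino.
const CHECKS = [
  { kind: 'reflection', re: /\bjava\.lang\.reflect\b/ },
  { kind: 'reflection', re: /\.getDeclared(?:Method|Field|Constructor)s?\s*\(/ },
  { kind: 'reflection', re: /\.setAccessible\s*\(/ },
  { kind: 'reflection', re: /\bClass\.forName\s*\(/ },
  { kind: 'file-access', re: /\b(?:java\.io\.|new\s+)(?:File\w*|RandomAccessFile)\b/ },
  { kind: 'file-access', re: /\bjava\.nio\.file\b/ },
];

// Blank out comments (keeping newlines so line numbers stay correct) but leave
// string literals intact, so "http://..." is not mistaken for a comment.
function stripComments(src) {
  const token = /("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')|\/\/[^\n]*|\/\*[\s\S]*?\*\//g;
  return src.replace(token, (m, str) => (str !== undefined ? str : m.replace(/[^\n]/g, ' ')));
}

// Return one finding per (line, kind) for a single rule.
function scanRule(ruleId, source) {
  const findings = [];
  stripComments(source).split('\n').forEach((line, i) => {
    const kinds = new Set(CHECKS.filter((c) => c.re.test(line)).map((c) => c.kind));
    for (const kind of kinds) findings.push({ ruleId, line: i + 1, kind, text: line.trim() });
  });
  return findings;
}

const scanAll = (rules) => Object.entries(rules).flatMap(([id, src]) => scanRule(id, src));

// Constructed sample rules (IDs, paths and method names are made up for illustration).
const SAMPLE_RULES = {
  BA_ExportNotes: [
    '// legacy: java.io.File was used here before the 2024.3 notice',
    'var f = new java.io.File("/tmp/notes.txt");',
    'var w = new java.io.FileWriter(f);',
  ].join('\n'),
  BA_PrivateLookup: [
    'var m = node.getClass().getDeclaredMethod("internalLookup");',
    'm.setAccessible(true); /* java.lang.reflect trick */',
    'var v = m.invoke(node);',
  ].join('\n'),
  BC_Clean: 'return node.getName() != null; // no reflection, no File use',
};

for (const f of scanAll(SAMPLE_RULES)) {
  console.log(`${f.ruleId}:${f.line} [${f.kind}] ${f.text}`);
}
```

Mentions inside comments are ignored, which keeps commented-out legacy code from producing false positives; a hit is a prompt for manual review, not proof of runtime use.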
Deprecated Stibo Systems methods
Both public and private APIs can include deprecated Stibo Systems methods that are used in JavaScript business rules. These deprecated methods will be gradually removed in future updates. Admins can use the new 'JavaScript Deprecated Method Usage' healthcheck to identify the usage of deprecated methods and make updates to instead use supported methods for long-term stability. For details, refer to the Healthcheck Test Index topic in the Performance Analysis documentation.
New 'Deactivated' user functionality
Although inactive users exist in STEP, they do not presently need access to STEP, for example, while on extended leave. Inactive users can be identified as defined in the User Last Activity topic within the System Setup documentation. Previously, these users counted against the licensed number of users, regardless of their activity level. Setting the new 'Deactivated' parameter on the User editor means that user is not included in the licensed number of users. The user can be reactivated if necessary, retaining all settings and log information, unlike deleting a user.
A deactivated user cannot log into STEP, invoke REST API or GraphQL API, or be impersonated. When a deactivated user is assigned to a background process (BGP), integration endpoint (IEP), event processor (EP), gateway integration endpoint (GIEP), or a workflow task, running the process or endpoint will fail.
A user with the 'Maintain users and groups' setup action can update a user's status in System Setup via the 'Deactivated' parameter on the User object. The status of the 'Deactivated' parameter can be reviewed and changed with REST V2 API using the PATCH /users/{id} operation. The status can also be returned with GraphQL, but updates are not allowed.
The 'Deactivated' status for a user can be included in STEPXML with the 'deactivated=' tag, where the valid options are "true" or "false". When the tag is absent, the value of the 'Deactivated' parameter is not changed. Refer to the STEPXML section using the 'XSD' link in the Technical Documentation accessible at [system]/sdk or from the Resources section of the system's Start Page.
For more information, refer to the Working with Users topic in the System Setup documentation.
Alternate user IDs allowed for external authentication
Environments that use external authentication, such as OAuth or SAML, often need user IDs that are longer than the 40-character limit allowed in STEP. This enhancement allows seamless use of unique User Principal Names (UPNs) with Active Directory. A user created in an external IdP will be synchronized to STEP and the STEP user will be created. The user object will have the Externally Maintained parameter enabled and must use the alternate ID to access STEP.
Configuring STEP to work with alternate IDs includes creating a description attribute valid for User objects to hold the alternate ID, creating a Key to ensure ID uniqueness, and adding a Stibo Systems Service Portal ticket to request setting the 'OAuthSSO.UserIdentification.KeyID' configuration property to identify the external ID authentication key.
Refer to the Unique Keys topic and the Alternate Authentication topic, both in the System Setup documentation.
Attribute help text in Globally Configured Unfolding Data Container
With the 2025.2 update, users can now display help text for attributes within the Globally Configured Unfolding Data Container on a Node Details screen in the Web UI. When the ‘Context Help metadata attribute’ is configured and made valid for the relevant attributes within the data container, the help text will be displayed for these attributes, providing information to end users about the attributes and how they should be populated.
For details, refer to the topics Globally Configured Unfolding Data Container View and Attribute Help Text in Web UI in the Web User Interfaces documentation.
With this added feature, the Globally Configured Data Container component, which displays data containers in the Web UI, has been superseded. While the component remains available for use, we recommend that users transition to the Globally Configured Unfolding Data Container component for an enhanced and consistent user experience.
For more information, refer to the topics Global Data Container Representations and Globally Configured Data Container (superseded) in the Web User Interfaces documentation.
Enhanced content delivery
With the 25.2 update, we are extending the product data onboarding offering to also support enhanced content delivery through the Enhanced Content Tab. Once the enhanced content setup is completed in STEP, the suppliers invited will be granted access to our Enhanced Content Cloud Service providing a strong toolkit to produce below-the-fold content. This includes several standardized modules to compose the layout that best conveys the product story.
The content produced can then be sent to STEP through the native integration established, where it can be reviewed in a structured process facilitated by STEP Workflows. When approved, the content can be provided to the downstream eCommerce platform to easily embed it on the appropriate product detail pages.
Access to the Enhanced Content Cloud Service lowers the barrier suppliers face in starting to produce engaging enhanced content for the listed products, with the potential to increase the number of listings that use enhanced content and to achieve higher conversion rates. Additionally, content look and feel is naturally consistent as all suppliers are producing content with the same set of standardized modules.
The unified approach to content ingestion eliminates the need to consolidate and transform the content and allows Product Content Specialists to focus their efforts on reviewing content as part of the product onboarding process.
Also included with this update is better content quality, faster processing, and more consistent Product Details Pages.
For more information, refer to the Enhanced Content Tab topic in the Product Data Exchange section of the Data Integration documentation.