Planned Backwards Compatibility Changes

Overview

Change for Users with restricted branch access

Mambu has made a change to the API GET request: /api/loans/ when an ‘accountState’ filter is used (for example; /api/loans?accountState=PENDING_APPROVAL or /api/loans?accountState=ACTIVE). This API call is used to retrieve all loan accounts with the given state and currently returns accounts at all branches even for users who have restricted branch access.

Currently, when running a GET API call for any state of the loan account, we do not perform any branch validations. As an effect, regardless of a user's branch access, the GET API call for loan accounts of any state would return all matching accounts for all branches.

In order to correct this behaviour, we have introduced filtering of the results, according to the branches to which the user has access. Running a GET API call will now return loan accounts from only those branches that the user has access to.

Replacing Default Sort Criterion 'lastModifiedDate' with 'creationDate' for Paginated Lists via API 2.0 across Mambu

When retrieving paginated lists of clients, deposit or loan accounts via API 2.0, Mambu might return the pages with missing and duplicate entries. By default the retrieved lists are currently sorted by “lastModifiedDate”, which is a mutable field. Between two API calls (to retrieve different pages of the same list), some accounts or clients could be modified and therefore they would change order in the retrieved pages. In certain integrations relying solely on an entity's position in the list, this could lead to missing entries and duplicates.

To create predictable and consistent lists, we are redesigning our API 2.0 GET endpoints to sort retrieved lists across Mambu by “creationDate” — an immutable field. This change affects the following endpoints:

• GET /api/deposits (DEP-1580)
• GET /api/loans (CORE-2721)
• GET /api/clients (CUS-2438)
• GET /api/groups (CUS-2445)

Apply Read permission standards on API 1.0 GET 'Branches' endpoint

With the introduction of Granular Administrator Permissions Standards and granular permissions for Branches with Mambu V9.54, you can now access and use 'Branches' via Mambu UI and Mambu API 2.0, only if you have specific permissions to your user account or you have a user type Administrator.

As the design of API 1.0 does not support adding this new behaviour on top, we would like to let you know that we will be requesting View permission in order to access the following endpoints starting with the week on November 12th 2020.

• GET /api/branches
• GET /api/branches/{branchID}

This gives you 3 months to prepare the transition to this new behaviour and ensure none of your integration relies on access without standard permission authorisation to these endpoints.

Apply Read permission standards on API 1.0 GET 'Centres' endpoint

With the introduction of Granular Administrator Permissions Standards and granular permissions for Centres with Mambu V9.54, you can now access and use 'Centres' via Mambu UI and Mambu API 2.0, only if you have specific permissions to your user account or you have a user type Administrator.

As the design of API 1.0 does not support adding this new behaviour on top, we would like to let you know that we will be requesting View permission in order to access the following endpoints starting with the week on November 12th 2020.

• GET /api/centres
• GET /api/centres/{centreID}

This gives you 3 months to prepare the transition to this new behaviour and ensure none of your integration relies on access without standard permission authorisation to these endpoints.

Scheduled upgrade to latest AWS 'Application Load Balancer' (ALB) security policy requiring 'forward secrecy' and 'strong protocols and ciphers'

At Mambu, we are on a mission to continuously improve our product as well as our product security.

In order to provide a secure communication channel and keep high security standards, we are announcing a scheduled update of the AWS Application Load Balancer (ALB).

Since this update cannot be done while maintaining backwards compatibility, we would like to let you know that we will be updating the AWS Application Load Balancer for all Mambu Capabilities, in the week of November 23rd, 2020.

What is the impact?

We will switch all our load balancer security policies to the latest version of ALB; this includes the Mambu monolith, new capabilities, MPO and MyMambu.

This update might break existing customer integration and the usage of Mambu app with outdated browsers as ELBSecurityPolicy-FS-1-2-Res-2019-08 is the most restrictive policy available till date. This policy supports TLS 1.2 only and includes only ECDHE (PFS) and SHA256 or stronger (384) ciphers.

For more details, please see Application Load Balancer and Network Load Balancer Add New Security Policies for Forward Secrecy with More Stringent Protocols and Ciphers.

You can also find more information in our related email campaign that will arrive in your inbox on August 25th, 2020 and which you can also preview here.