IAUG Feature Request Tracker

Change Administrator logon to something other than "Administrator". An "Administrator" logon is a security risk. Not a best practice to use "Administrator".

The ability for end users to record messages via the phone while announcements are part of an audio group.

In the latest AADS release support was added for SSO with J100 telephones. This SSO service uses Avaya's own IAM system linked via SAML to a customer IDP. When an end user scans the J100 QR code or uses the manual link, they must enter their email address twice. The first time is on the Avaya SSO site, then again on the customer's IDP. Some customers use usernames to authenticate, and others use email to authenticate. Having to enter an email, then a separate credential after can be confusing for some end users. My feature request is that the QR Codes or Manual Links will forward directly to the customers IDP without having to enter an email twice, or that some mechanism is made available so that the SSO link can identify the correct IDP and go directly to it without the end user having to enter anything to the Avaya IAM system.

Is there any way for the avaya spaces chat to have a read-receipt option? Users that I am trying to get on spaces notice that they dont know if the message has been read. This would be a very valuable option.

Avaya spaces had remote desktop assist with the desktop version. Is it possible to have it with the web version now? this will help greatly with remote support for daily work to assist customers.

Is there a way to be able to sign in to a spaces account but being able to switch user accounts? I maintain multiple spaces accounts and I would like to be able toggle different accounts.

In AIC 7.3.10 version the Application-level passwords are discoverable which is highlighted as security risk. The AIC client/application uses a database account to maintain its data. The aicadmin account and its hash is hardcoded in the configuration files (e.g., vesp.imp). Every Vodafone Call Center employee can obtain this information from the files. The client connects to the database with this account and queries the data of its application-level user. By modifying the network data packets, the logged-in user can learn the password of another user. If the admin password is decrypted, all the application data can be read and modified.

In proper storage of passwords. From the communication of the application's DataServerMSSQL interface, it was clear that user passwords are stored in the back-end database with their plain unsalted MD5 hashes. Related risk: With today's hardware, an attacker can decrypt user passwords relatively quickly. Recommendation: To store passwords, a secure hash algorithm (e.g., SHA2 or SHA3) with cryptographic salt must be used according to today's standards. Encryption of the communication channel is a prerequisite for the protection of login data.

Currently the URI Listings can't be sorted. We have hundreds of extensions in a remote worker URI group but we are unable to sort so have to browse the list in order to edit or delete.