2026 Release Notes for Customer-Managed Alation Releases

Customer Managed Applies to customer-managed instances of Alation

Note

The release notes on this page track releases for customer-managed instances (deployed on customer premises).

• If you’re looking for OCF connector release notes, see OCF Connector Release Notes.

• If you’re looking for release updates for Alation Cloud Service, see:

  • 2026 Alation Backend Releases

  • 2026 Alation Frontend Releases.

RELEASE 2026.4.0.0

build 23.5.0.133409

Released May 4, 2026

Note

This release is for customer-managed (on-premise) instances.

New Features and Enhancements

Platform

• AL-237389: Upgraded the Alation Analytics PostgreSQL database from version 16.10 to version 16.13 to take advantage of improvements, bug fixes, and security enhancements.

• AL-237390: Upgraded the Alation internal PostgreSQL database from version 16.10 to version 16.13 to take advantage of improvements, bug fixes, and security enhancements.

• AL-228892: Upgraded Elasticsearch version to 8.19.12.

• AL-230587: Upgraded Jackson to 2.18.6 and refreshed base image packages to address multiple security vulnerabilities.

• AL-225786: Refreshed the Auth Service base image and dependencies to improve security and stability. Vulnerable libraries have been updated, and dependency rules ensure safe versions remain in effect even when transitive dependencies pull in older versions.

Authentication

• AL-202855: Added the alation.authentication.saml.create_unknown_user configuration flag to control automatic user creation during SAML login.

  • Default behavior is unchanged. Users are still automatically created on first SAML login (the flag defaults to True).

  • Setting this flag to False restricts SAML login to only users that already exist in Alation (for example, users provisioned via SCIM). Unknown users will see a Login not allowed error page.

  • This is useful for customers who use SAML for authentication and SCIM for user provisioning and want to prevent unauthorized users from being auto-created.

  • Configure via alation_conf and restart Alation. No migration required.

• AL-236968: Added support for per-user identity propagation in Compose SSO via AWS IAM Identity Center (IDC) for Redshift. Users connecting through Compose are now authenticated under their individual IDC identity (for example, awsidc:user@email.com) instead of a shared service account, enabling proper audit trails and least-privilege access controls on both provisioned clusters and serverless workgroups. The Compose JDBC URI must include authenticator=oauth, Plugin_Name=com.amazon.redshift.plugin.IdpTokenAuthPlugin, and token_type=EXT_JWT.

• AL-223520: Deprecation notice: User V0 tokens are deprecated. Existing User V0 tokens will continue to function during the deprecation period, but customers are strongly encouraged to migrate to User V1 tokens for continued support and compatibility. Update your integrations and automation workflows to use User V1 tokens, and avoid creating new User V0 tokens. Find more information in this Alation Community update (requires a login).

Alation Analytics

• AL-226121: Alation Analytics now tracks schema-level privacy settings. The rdbms_schemas table includes a nullable private column that reflects whether a schema is Private or Public, accounting for both data source-level defaults and schema-level explicit permission overrides. This enables governance reporting on schema access controls.

• AL-223038: Alation Analytics dashboards now load correctly when a custom Content Security Policy (CSP) is enabled. Previously, enabling nginx.csp_custom_enabled=True would block Alation Analytics dashboards. The Alation Analytics domain (*.aa.alationdata.com) is now included as a default integration in the restrictive CSP, so no additional configuration is needed. Customers who previously added this domain manually to nginx.csp_custom may now remove it.

• AL-209626: Improved incremental ETL performance in Alation Analytics. The incremental extraction logic now uses hour-level precision for the extraction start time instead of restarting from midnight on each run. Multiple ETL runs on the same day no longer redundantly reprocess data from earlier in the day, resulting in faster ETL run times and reduced compute usage. No customer action is required.

Catalog Content and Customization

• AL-228228: Users can now programmatically ingest column and attribute metadata for files in file system connectors via the new /integration/v2/file_attribute/ API endpoints. This enables:

  • Automating schema documentation for file-based data sources

  • Bulk creation and updates of file attributes

  • Custom field assignment to file columns

  The following endpoints are available:

  • POST /integration/v2/file_attribute/?fs_id=<id>: Create file attributes

  • GET /integration/v2/file_attribute/?fs_id=<id>: List file attributes

  • PATCH /integration/v2/file_attribute/?fs_id=<id>: Update file attributes

  You must have the Server Admin role or the File System Admin permission for the file system you’re updating to use this API.

• AL-230881: Added deletion support via the API for file attributes through the asset type framework. File attributes can now be deleted via DELETE /integration/v2/asset/file_attribute/<id>/, which performs a hard delete since file attributes do not support soft deletion. Requires admin permissions.

Per-Object Parameters

• AL-219591: The Admin Settings > Feature Configuration page now has new feature parameters (toggles) to control global defaults for per-object parameters:

  • Default Enable Compose Functionality: Controls whether the Compose functionality is enabled by default when creating new data sources.

  • Default Mark Attributes as Sensitive: Controls whether new attributes (columns) are marked as sensitive by default. When enabled, newly discovered attributes will automatically be flagged as containing sensitive data.

  • Default Maximum Rows to Scan: Sets the default maximum number of rows to scan during profiling for newly created schemas and tables. This controls how many rows the profiler will examine to generate statistics and samples.

  • Default Maximum Sample Rows to Store: Sets the default maximum number of sample rows to store from profiling for newly created schemas and tables. These sample rows are used to provide data previews and examples in the catalog.

  • Default Profiling Sampling Enabled: Controls whether profiling sampling is enabled by default when creating new schemas and tables.

  • Default Skip View Profiling: Controls whether view profiling is skipped by default when creating new schemas.

  • Display Table Names in BI Datasource Fields: When enabled, a new column will appear in BI datasource field tables to show the source table names for each field.

• AL-229350: New Bulk Per-Object Parameters public API allows administrators to update profiling and catalog parameters (excluded, sensitive, skip profiling) for multiple schemas, tables, and attributes in a single API call via CSV or JSON upload. Changes cascade to child objects automatically, matching existing UI behavior. Upload limits are configurable via alation_conf:

  • Max file size: 10 MB (default). Configure with: alation.api.bulk_per_object_parameters.max_file_size_bytes.

  • Max rows: 10,000 (default). Configure with: alation.api.bulk_per_object_parameters.max_row_count.

• AL-194932: When Sample? or Skip Views is enabled for a schema, the Run Sample button is now disabled for tables and views in that schema, with a tooltip explaining why. This prevents user confusion when sampling data does not refresh because profiling was skipped.

Domains and Document Hubs

• AL-122787: Users can now export and import domain memberships for catalog assets using the Data Dictionary:

  • Export — When downloading a Data Dictionary, a new metadata::domains column shows each object’s associated domains.

  • Import — Add or update domain memberships by specifying domains in the metadata::domains column during upload.

  • Supported formats:

    • By ID and name: 123|Marketing Domain

    • By ID only: 123

    • By name only: Marketing Domain

    • Multiple domains: 123|Marketing;456|Sales

  This enables bulk management of domain memberships across many objects at once, streamlining governance workflows.

• AL-233582: Added a rich-text format Description field to domains’ catalog pages.

Lineage

• AL-225439: Reduced the default value of the lineage_graph_loading_limit_max_nodes configuration parameter from 2000 to 100. Lineage charts with more than 100 nodes will now default to Incremental Load mode, improving page load performance. Customers who have explicitly configured this parameter are not affected. To restore the previous behavior, set lineage_graph_loading_limit_max_nodes to 2000.

• AL-221281: Stored procedure names are now automatically applied as titles for dataflows created from stored procedures. Previously, these dataflows appeared as Untitled Dataflow. The enhancement also adds support for updating custom fields during dataflow insertion, with tracking and error handling to ensure reliable updates.

• AL-231907: Removed the BETA badge from Manage Connections in Lineage Settings.

Other Improvements

• AL-175569: You can now opt out of file system attribute indexing to reduce Elasticsearch storage usage in environments with large file system catalogs where file attribute search is not commonly used. Request Alation Support to disable the attribute indexing. Updating the flag value requires reindexing of the Search index.

• AL-222134: The Health tab on BI report catalog pages now follows the alation.feature_flags.enable_data_health feature flag setting.

• AL-223552: When the Lexicon feature flag (alation.feature_flags.enable_lexicon) is disabled, the Lexicon feature is now fully hidden and cannot be accessed or run from the UI or settings.

Bug Fixes

• AL-238093: Fixed a 500 Internal Server Error when creating or updating API resources with an empty input or output schema (for example, "input_schema": {}). The error occurred because empty schemas caused the system to incorrectly associate unrelated schema objects with the new resource, leading to a crash on subsequent requests.

• AL-191966: Strengthened protection against stored XSS in the Customize Homepage feature. JavaScript execution is now blocked in uploaded media files (including SVG files used for homepage customization) when accessed directly through media server URLs, preventing attackers from exploiting malicious embedded scripts.

• AL-236406: Fixed search filter facets to display human-readable names instead of raw numeric IDs for Document Hub term types and glossary collections when the underlying custom template or glossary object had been deleted.

• AL-234368: Fixed an issue where column-level lineage polling had no maximum limit, causing uWSGI threads to be blocked and resulting in outages on customer instances. Polling now has a maximum of 10 retries and a 60-second time limit.

• AL-234218: Catalog Admin users can now access the lineage and dataflow public APIs (/integration/v2/lineage/, /integration/v3/lineage/, and /integration/v2/dataflow/). Previously, only Server Admin and Source Admin roles had access. This aligns Catalog Admin permissions with the role hierarchy: Catalog Admin should have at least the same API access as Source Admin.

• AL-232415: Fixed an issue where special characters (such as &) in BI Server Source names were displayed as HTML entities (for example, &) in the source list and settings pages. This fix also applies to other catalog object titles managed by the Logical Metadata System.

• AL-228925: Resolved an issue where the Details tab in the dataflow editing sidebar would crash with a JavaScript error, preventing users from viewing or editing lineage details. The same fix also addresses the crash that occurred when clicking on endorsement chips in lineage graphs.

• AL-227826: Fixed an issue where BI report popularity was not being calculated for non-Tableau connectors, including Domo, Power BI, Sigma, and Universal BI.

  Note

  For the Domo connector, users must configure the Popularity Dataset ID setting with their Domo Card Loads DomoStats dataset ID.

• AL-226942: Fixed an issue where the CSV report generation feature produced incorrect status information for Multi-Picker fields and Rich Text fields containing certain special characters, showing Not Applied – Unknown Failure for field updates that were actually applied successfully. Rich Text fields (descriptions with HTML formatting and @mentions) and Multi-Picker fields are now properly validated. Applied status correctly appears for successful catalog updates, and Not Applied status is reserved for genuine failures requiring attention.

• AL-225797: Removed the spurious error log for missing object types on certain custom templates when the object type is in the asset type range, as this is expected behavior. This reduces noise in the logs.

• AL-222819: Improved the display of error messages in Compose execution results. Multi-line error messages now properly preserve line breaks and formatting, making database errors easier to read and troubleshoot. Long error messages wrap appropriately without truncation, providing better visibility into query execution issues.

• AL-222241: Enhanced the key vault bulk rekey process to support tables with any primary key data type, resolving previous limitations that caused failures with UUID and varchar primary keys. The system now automatically detects the correct primary key data type for each table during rekey operations, providing full support for UUID, varchar, integer, and all other PostgreSQL primary key types. No manual configuration is required.

• AL-215118: Improved performance for updating the Domain field on more than 1,000,000 records.

• AL-214933: Fixed an out-of-memory kill (SIGKILL) during Tableau MDE lineage computation on large Tableau instances. Lineage link accumulation has been converted from in-memory lists to streaming Python generators, reducing peak memory usage from 2.5+ GiB to approximately 1.2 GiB. This affects customers with large Tableau deployments (10K+ reports, 500K+ columns).

• AL-209584: Fixed an issue where running a query in Compose that returns zero rows displayed a red error message (Failed to stream query results: Index: 0, Size: 0) instead of the expected No data available in table message. Compose now correctly handles empty query results across all data source types. The fix applies automatically — no feature flags, configuration changes, or restarts are required. Affects all users running queries in Compose on data sources with result storage restriction enabled (the default for cloud deployments).

• AL-208989: Fixed an issue where the Compose table preview panel did not appear for tables with external or unknown schema prefixes. Users can now get table preview information when writing cross-database queries or referencing tables in schemas not yet cataloged locally.

• AL-204715: Fixed a column alignment issue in the Upload Data Import confirmation step that occurred when previewing a CSV file with a small number of columns. Previously, the column headers and data table could appear misaligned during the final confirmation view, with headers positioned on the left while the data table was centered.

• AL-202732: Fixed two Compose Admin Settings that previously had no effect on query exports:

  • Trim extra spaces for fixed-length char types now correctly trims leading and trailing whitespace from string columns in downloaded and exported CSV files.

  • Wrap fields in quotes for exports and downloads now correctly wraps string values in ="value" format in CSV exports, preventing applications such as Excel from auto-converting values (for example, dates, phone numbers, and IDs stored as text). CSV files use QUOTE_ALL only when this setting is enabled; otherwise minimal quoting is used.

  These settings are controlled by alation.compose.trim_spaces_added_for_char_type (default False) and alation.compose.wrap_text_in_quotes_for_export_and_download (default False), and can be enabled in Admin Settings → Compose.

• AL-201750: In Compose, when obfuscate literals is enabled on a data source, non-author users now correctly see obfuscated SQL under run history on the query form page. Previously, the raw SQL with literals exposed was visible. In neo, run history also now obfuscates the literals.

• AL-200379: Fixed an issue when users selected the Run full query and ignore errors option in Compose, where queries could fail with an error even when the option was selected.

• AL-184089: Improved permission guidance when accessing shared queries via links. Error messages now indicate that users should check both query permissions and data source permissions in the catalog.

• AL-171062: Enhanced how Compose displays database error messages to make them clearer and more actionable. When queries encounter errors, the system now shows cleaner, more understandable messages that focus on the actual database issue rather than technical details.

• AL-165519: When scheduled queries fail to run because query scheduling is disabled or not supported by the data source, users now see clear error messages in the query execution history instead of a misleading Running state.

• AL-207603: Fixed a performance issue causing slow load times for the Published Queries and Query Run History sections on schema and table catalog pages. The root cause was inefficient data retrieval when fetching queries associated with multiple collaborators. The underlying data retrieval has been optimized to eliminate this bottleneck. This fix affects all users who access Published Queries or Query Run History on schema and table catalog pages.

• AL-225040: Fixed inconsistent custom-field naming across internal search filter APIs so that custom filters (especially those configured with plural display names) reliably appear in the left-side Add More Filters list.

• AL-227963: Addressed an issue where the Admin Settings > Monitor > Health Checks page appeared empty.

• AL-236345: Fixed an issue where newly created manual lineages required manual toggling of Show to be visible on the chart, and attempts to publish new lineages failed with a database error related to the updated_at column. Newly created manual lineage will be displayed correctly going forward.