Aras Innovator Platform

Overview

Starting with the 11.0 SP9 release, Aras Innovator introduced additional security checks on the AML that the Aras Innovator Server parses upon receipt from client machines. These changes include:

  • Verification of all values in where attributes and in In and Between condition clauses of AML executed by a client or by client-side Methods.
  • The inclusion of a Suppression List in the core product that allows for exceptions to be added on a case-by-case basis.
  • The addition of a new global Operating Parameter in the InnovatorServerConfig.xml file to control this feature.
Note
Values of where/in/between attributes of AMLs executed from server-side methods are never validated.

All where attributes, and all properties with the condition In or Between, in AML sent from the client to the server are now parsed and verified before the OnBefore* Server Events execute, to ensure that they do not use SELECT, UPDATE, EXISTS, or any other SQL statement that could be used to retrieve or update data in SQL tables unrelated to the overall AML query. When an invalid criterion is passed in AML from a client, an Item Analysis error is returned, with additional details available to Administrators. A full list of valid SQL tokens is included in Appendix A – Allowed SQL.

Specific SQL statements can be exempted from this validation by creating new ItemSuppression files, in XML format, in the Innovator Server’s App_Data directory. This allows specific use cases that rely on such SQL statements to pass validation.

A new Operating Parameter in the InnovatorServerConfig.xml file has also been introduced that disables validation of the values of where/in/between attributes in AML passed from a client, for installations whose existing code relied heavily on such queries before upgrading to Aras Innovator 11.0 SP9 or higher. When set, the Operating Parameter skips all Item Analysis on the AML and treats where attributes and properties with the condition In or Between as pre-11.0 SP9 environments did. Disabling the validation is provided for legacy purposes only; the parameter will not be available in future major versions of Aras Innovator. We recommend either adding permanent suppressions in the ItemSuppression files or altering any affected code to eliminate its reliance on these queries.
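The validation, suppression and server-side exemption described above, in simplified form, as an added Python example that is not Aras's code: it parses client AML with the standard library, collects every where attribute and every In/Between property value, strips string literals so a value such as 'select' is not a false positive, and rejects SQL statement keywords unless the criterion is suppressed or the AML originates server-side. The keywords beyond SELECT/UPDATE/EXISTS, the exact-string suppression model and the sample AML are assumptions, since Appendix A and the ItemSuppression file format are not reproduced on this page.

```python
import re
import xml.etree.ElementTree as ET

# The page names SELECT, UPDATE and EXISTS; the remaining entries are an assumption
# standing in for "any SQL statements" (Appendix A's allowed-token list is not modelled).
FORBIDDEN = {"SELECT", "UPDATE", "EXISTS", "INSERT", "DELETE", "EXEC", "EXECUTE"}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")   # T-SQL literal, '' escapes a quote
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def forbidden_tokens(criterion: str) -> list[str]:
    """Forbidden keywords in a criterion, ignoring text inside string literals."""
    stripped = _STRING_LITERAL.sub("''", criterion)
    return [w.upper() for w in _WORD.findall(stripped) if w.upper() in FORBIDDEN]

def collect_criteria(aml: str):
    """Yield (item type, location, value) for each where attribute and in/between property."""
    for item in ET.fromstring(aml).iter("Item"):   # iter() also reaches nested Items
        itype = item.get("type", "?")
        if item.get("where") is not None:
            yield itype, "where", item.get("where")
        for prop in item:
            cond = (prop.get("condition") or "").lower()
            if cond in ("in", "between"):
                yield itype, f"{prop.tag}[{cond}]", prop.text or ""

def analyze(aml: str, from_client: bool = True, suppressions=frozenset()):
    """Item Analysis: [(location, offending tokens)]; empty list means the AML passes.
    Server-side AML is never validated; suppressions are exact criterion strings (assumption)."""
    if not from_client:
        return []
    findings = []
    for itype, loc, value in collect_criteria(aml):
        if value.strip() in suppressions:
            continue
        bad = forbidden_tokens(value)
        if bad:
            findings.append((f"{itype}.{loc}", bad))
    return findings

# Constructed sample: a clean query followed by one smuggling a subquery into where.
CLIENT_AML = """<AML>
  <Item type="Part" action="get" where="[Part].item_number LIKE 'P-1%'">
    <state condition="in">'Released','Preliminary'</state>
    <created_on condition="between">'2020-01-01' AND '2020-12-31'</created_on>
  </Item>
  <Item type="Part" action="get" where="[Part].id IN (SELECT id FROM innovator.[USER])">
    <name condition="in">'select'</name>
  </Item>
</AML>"""
```

Running `analyze(CLIENT_AML)` flags only the second Item's where attribute; the literal 'select' in the In clause is not a finding.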