
RSA Identity Governance & Lifecycle


In the RSA Identity Governance and Lifecycle 7.2.1 release, we have made some improvements to how reports are emailed and added a web service to run reports.

 

In previous releases, you could only configure a report to send an email, and optionally attach the report, to a specific list of users. Each user had to be explicitly listed and the only recipients were collected identities. In 7.2.1, the email configuration has been enhanced to support richer rules. This still allows for the specific selection of users, but you can also create filters, for example to include all users in a group or to send the report to all users with the vice president title. Lastly, you can now also list explicit email addresses. Recipients no longer have to be collected identities.

 

  

 

The web service runReport has also been introduced in this release to allow a report to be run from a REST call. This allows for better integration with a workflow or an external application that needs to run a report.

 

For additional information on this update - please check out this additional context:

In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced the Maintenance mode feature. Maintenance mode ensures that the system is in a quiet state allowing for maintenance, diagnostics, or analysis.

 

We see some changes in system behavior when in Maintenance Mode as follows:

  • Only users with the System:Admin entitlement can log in to the system
  • Web services calls are blocked when system
  • From 7.2.1, Scheduled jobs will be aborted or skipped when the system

 

Maintenance Mode can be configured from Admin -> System -> Maintenance Tab.

 

When the system is in maintenance mode, users will see a maintenance message on the login screen. This message can be customized as needed.

 

Similarly, if users try to access the system through web services, they will get a forbidden (HTTP 403) error with the message configured for maintenance mode. All users, including users with the System:Admin entitlement, will be blocked.

 

From 7.2.1, all scheduled jobs will be aborted when started during maintenance mode. These tasks will show on the Data runs page as Aborted(Maintenance Mode). Tasks can still be manually run from the user interface. This can be useful to trigger and diagnose a collection, for example.

 

Some scheduled jobs are still allowed to run in Maintenance mode, because they can’t be run manually or are required to run for performance:

  • Backup job (Admin -> System -> Backup)
  • Clean up jobs (Heartbeat task, WFStatistics and many others)

 

Note: When Maintenance Mode is enabled, any job already in progress will be completed.

 

For additional information on this update – please check out this additional context:

In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced the email functionality to include the following security features:


OAuth 2.0 Authentication for Inbound and Outbound Connections

Today, all credentials for email servers (inbound and outgoing) rely on basic credentials. Mail servers are evolving and Office 365, in particular, is ending support for basic credentials and requiring OAuth 2.0 support instead.  Open Authentication (OAuth) is an open standard for authorization that provides administrators with an authorization method when connecting to incoming IMAP/POP and outgoing SMTP servers. OAuth enables the product to receive and send email from a third-party account, such as Gmail, without having to enter the credentials for that account.

 

The OAuth 2.0 implementation requires you to obtain access and refresh tokens from your third-party email provider for each third-party email account. The tokens are automatically saved to the database. They provide authorization for all email communication between the product and the authorized third-party account. In RSA Identity Governance and Lifecycle, a scheduled job regularly checks to see if email access tokens are valid. If the access token is not valid, but the refresh token is, the product automatically regenerates a new access token.

 


Before you begin

You should have

  • Basic knowledge of SMTP, POP & IMAP protocols to configure the email settings.
  • Understanding of configuring an OAuth 2.0 application as per the email service specification
  • Check the capabilities of your email server

 

RSA Identity Governance and Lifecycle user must have

  • Email Configuration Admin or System Edit privileges


Configuration

A new, improved user interface lets you select OAuth 2.0 as the authentication method for inbound and outbound email account connections on the email settings page.

 

Procedure

  • Log in to your third-party email account, such as Gmail, and enable/setup OAuth 2.0 app
  • Obtain the following from your third-party email provider application configured above
    • Client ID : The Application (client) ID that the provider assigned to your application
    • Client secret : A secret string that the application uses to prove its identity when requesting a token.
    • Authorization URL: OAuth 2.0 Authorization Server URL
    • Token URL : OAuth 2.0 Token Server URL
    • Scope: Space delimited string to get token having specific permissions to send/receive emails
  • Key in the above details to obtain the OAuth 2.0 access & optionally a refresh token
  • If a refresh token is also acquired a scheduled background job is started to refresh the access token before its expiration.

 

 

 

STARTTLS support for Outbound Connections

This release also enhances the connection security for outbound email connections. If the email server supports the STARTTLS command and you select STARTTLS as the connection security, RSA Identity Governance and Lifecycle will use this protocol after making the connection, and before sending any login information. STARTTLS is an email protocol command that tells an email server that an email client wants to turn an existing insecure connection into a secure one.
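The token check and the STARTTLS-before-login ordering described above can be sketched from the client side as follows. This is an added example, not RSA's code: the function names, the 300-second margin, and the use of the SASL XOAUTH2 mechanism (the one Gmail and Office 365 accept for OAuth 2.0 over SMTP) are assumptions, since the page does not say how the product implements either step.

```python
import base64
import smtplib
import ssl
import time

SKEW = 300  # assumed safety margin (seconds) before access-token expiry


def token_action(access_expires_at, has_refresh_token, now=None):
    """What a periodic token check should do for one mail account."""
    now = time.time() if now is None else now
    if access_expires_at - now > SKEW:
        return "use"                      # access token still valid
    # Expired or about to expire: only a refresh token avoids manual re-consent.
    return "refresh" if has_refresh_token else "reauthorize"


def xoauth2_response(user, access_token):
    """Base64 SASL XOAUTH2 initial response: user=..^Aauth=Bearer ..^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def auth_mechanisms(esmtp_features):
    """AUTH mechanisms from an smtplib-style feature dict ({'auth': ' PLAIN XOAUTH2'})."""
    return set(esmtp_features.get("auth", "").upper().split())


def ready_for_login(tls_active, esmtp_features):
    """Fail closed: no bearer token leaves the client unless TLS is up."""
    if not tls_active:
        return False, "STARTTLS not negotiated; refusing to send credentials"
    if "XOAUTH2" not in auth_mechanisms(esmtp_features):
        return False, "server does not advertise AUTH XOAUTH2"
    return True, "ok"


def send_test_mail(host, port, user, access_token, message):
    """Connect, upgrade with STARTTLS, then authenticate with the token."""
    ctx = ssl.create_default_context()    # verifies certificate and hostname
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # A missing STARTTLS offer is treated as an error, never as
            # permission to continue in cleartext.
            raise RuntimeError("server did not offer STARTTLS; aborting")
        smtp.starttls(context=ctx)
        smtp.ehlo()                       # capabilities must be re-read after TLS
        ok, reason = ready_for_login(True, smtp.esmtp_features)
        if not ok:
            raise RuntimeError(reason)
        code, resp = smtp.docmd(
            "AUTH", "XOAUTH2 " + xoauth2_response(user, access_token))
        if code != 235:                   # 235 = authentication succeeded
            raise RuntimeError(f"XOAUTH2 rejected: {code} {resp!r}")
        smtp.send_message(message)
```

`send_test_mail` needs a reachable SMTP server and a real access token; the other functions are pure and can be exercised offline when checking the capabilities of a mail server before configuring it.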

 

 

 

For additional information on this update - please check out this additional context:

In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced the collection processes to save time and resources by allowing the re-processing of collected data when a collection was tripped by a circuit breaker threshold. For example, when collecting a significant number of valid changes to an application(s) and the Circuit Breaker is tripped, the reprocessing capability provides the ability to continue and process the already collected data.

 

This means that there will be no additional interactions with the endpoint to “re-collect” the data. The data that was collected before the Circuit Breaker was tripped is used for the processing phase. As part of the re-processing action, the Circuit Breaker will be suspended/ignored.

 

A collection process that is tripped by the Circuit Breaker will have a Status of “Aborted (Circuit Breaker)”. On the Details Page for the collection run, a “Re-Process Data” button is now available if you want to just re-process the collected data. After you confirm the dialog and choose to re-process, the data processing will continue (with the Circuit Breaker settings being ignored).

 

 

For additional information on this update - please check out this additional context:

In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced our Data Access Collectors with an open, flexible collection framework for unstructured data access governance capabilities. These improvements allow you to leverage the data crawler of your choice; including the ability to easily integrate with industry unstructured data solutions, such as from Varonis, using out-of-the-box templates.

 

Our Data Access Collectors have been enhanced in two major areas:

 

New End Point Support for Varonis DatAdvantage

 

The Varonis DatAdvantage solution aggregates permission information across the enterprise. A new out-of-the-box Data Access Collector for Varonis DatAdvantage allows you to collect permissions on folders for Domain Accounts and Domain Groups, along with the folder owners as Resource owners into your RSA Identity Governance and Lifecycle Solution. Our collector uses their REST API to collect information.

 

 

StealthAudit Collector Improvements

 

A new StealthAudit Data Access Collector has been added that leverages OOTB views from the StealthAudit platform. This new collector now allows organizations to collect from current StealthAudit versions.

 

Previously, RSA Compatibility views were required to be installed in the StealthAudit database. These compatibility views are no longer required, and all StealthAudit collectors created in prior releases will require a migration to the new StealthAudit collector to leverage the OOTB views. The migration of the collector is easily performed through the UI.

 

This new collector will no longer require an additional Activity Monitoring license for determining probable owners. While we will continue to support the old version of the collector, we strongly encourage customers to migrate older collectors to this improved version, as the compatibility views may be deprecated in the StealthAudit platform in the future.

 

As part of the updates to the StealthAudit collector, RSA will no longer provide a separate unstructured data access crawler component.

 

 

For additional information on this update - please check out this additional context:

 

DON'T FORGET - please register for the upcoming September webinar:

RSA Identity Governance & Lifecycle Webinar - Wed Sept 30th 2020 

 

Our goal with this newsletter is to help share more information about what's happening and key things for you to be aware of, specifically for RSA Identity Governance and Lifecycle.

This is a monthly release, so you can expect a new Newsletter at the start of each month.

Sorry we went a few months without sharing any updates, we have all been very busy!

 

Current Edition:

  • Issue #12, September 2020: See attachment below 
    • Note: you should be able to view this in a browser, or download/preview the document too. Any issues/questions, just reply to this!

Previous Newsletter Editions:

 

Previous Webinar Recordings: (Note: you must login to view these)

 

Summary here: RSA Identity Governance and Lifecycle - Monthly Webinar Summary 

Hey all,

We have been working on a new dashboard to help show the value driven from RSA Lifecycle (AFX) module, as per the example below.

We are looking for a customer who uses AFX and would like to spend an hour (or so) on an online meeting, to test this out on their environment. You will get to use the dashboard pack yourself, once we have finished.

If you are interested, please email jamie.pryer@rsa.com 

The dashboard uses the new v7.2x "dashboard facts" and some charts. 

  • The dashboard facts show summary information for "all time"
  • The dashboard charts show you information for the previous 10 weeks, to help understand recent benefit and current trending

This dashboard has 6 key elements, all driven from 2 key values.

 

Dashboard benefits:

  • Show the value the solution is providing your company
  • Show how much time and $ your work is saving the company
  • Understand weekly trending
  • Simple dashboard to provide stakeholders key metrics.

 

Key values:

  1. Average time in minutes a request takes within your organisation to complete manually (eg. 15 minutes)
  2. Average $ in cost, that this request would cost (eg. $9 or £5)

 

Dashboard items: 

  1. Dashboard Fact: The total number of AFX requests completed, for all recorded time
  2. Dashboard Fact: The total Hours saved, because of all the AFX requests completed, for all recorded time
  3. Dashboard Fact: The total $ (or whatever currency you like) saved, because of all the AFX requests completed, for all recorded time.
  4. Chart: AFX Total Requests Completed each week (trending over the previous 10 weeks)
    • Eg. What is the total number of AFX requests that were completed, week over week
  5. Chart: AFX Total $ saved each week (trending over the previous 10 weeks)
    • Looking at the total number of completed requests, how much $ has this saved you, week over week
  6. Chart: AFX total hours saved each week (trending over the previous 10 weeks)
    • Looking at the total number of completed requests, how many hours has this saved you, week over week

 

 

Please drop me an email if you want to test this out on your environment too.

DON'T FORGET - please register for the March RSA IGL Webinar - RSA Identity Governance & Lifecycle Webinar - March 25th 2020

 

Our goal with this newsletter is to help share more information about what's happening and key things for you to be aware of, specifically for RSA Identity Governance and Lifecycle.

This is a monthly release, so you can expect a new Newsletter at the start of each month.

Please feel free to leave comments/suggestions (positive or negative!) below and don't forget to hit that "like" button too 

Current Edition:

  • Issue #11, March 2020: See attachment below 
    • Note: you should be able to view this in a browser, or download/preview the document too. Any issues/questions, just reply to this!

Previous Newsletter Editions:

 

Previous Webinar Recordings: (Note: you must login to view these)

One of the strengths of the RSA Identity Governance and Lifecycle offering is the ability to model groupings of user access using our local role management solution. This provides the capability of combining different types of entitlements (access) that are collected from various end points.  These local roles, whether they are defined as business, technical or global roles, allow you to customize the necessary access that is required for different jobs in an organization.  These become the building blocks of access by allowing you to combine various local roles that will fully define the access needed for your user population.

 

A local role is different from a collected role.  A collected role, like other collected information, is access obtained from an endpoint which maintains that information externally from our system.  Like any collected items, a collected global role is suitable to use as an entitlement in a local role.  A potential problem can occur when a user attempts to add a local role as an entitlement to a collected role.  The endpoint that maintains the collected role definition doesn’t know anything about our internal (local) roles – which contain entitlements from a number of other types and sources, including other local roles and local entitlements.  This would make provisioning of the information difficult, if not impossible, and extremely confusing.

 

At this time, there are areas of the product which inadvertently allow the addition of local roles to collected roles. This is not intentional, and we plan to remove that capability in future releases.

In earlier releases of RSA Identity Governance and Lifecycle, a feature to limit the expiration date chosen during rule remediation was made available under the Rules->Configuration menu.  Similar functionality has been introduced in the RSA Identity Governance and Lifecycle 7.2 release for reviews so review administrators can set the maximum number of days access can be maintained with an expiration date.  The settings can be changed under the Reviews->Configuration and Rules->Configuration menus.  The same setting is exposed in both places allowing administrators to specify the default number of days for exception access and also the maximum number of days.

 

 

Once configured, reviewers will be limited in the calendar control available to select expiration dates.  The default date will be selected based on the configuration and the user interface will not allow selections beyond the maximum number of days.

 

For additional information on this update – please check out this additional context:

In an earlier release of RSA Identity Governance and Lifecycle, the Generic REST connector was introduced and is being used by many customers. In the RSA Identity Governance and Lifecycle 7.2 release, we have introduced the matching collectors to allow you to collect entitlements, accounts, and identities from endpoints using REST API calls. REST is becoming a standard way to interact with systems, returning data in a well-defined structure (JSON). One of the key advantages is that if endpoints change implementations, you don't need an entirely new collector but instead simply adjust the configured REST API calls slightly.

 

To get started, create a new collector and select Generic REST as the data source type:

 

 

The following video dives deeper into what to consider when creating a collector and how to handle things like pagination and authentication, and how to debug the configuration. A REST client like Postman is recommended to determine the right APIs to call and how to parse the responses:

In the RSA Identity Governance and Lifecycle 7.2 release, we have introduced a new component that can be used on dashboards to display a single value "fact".  Dashboard Facts are a convenient way to provide high level information on a dashboard with click through support to dive into the details.  Combined with other dashboard components you can build very powerful dashboards targeted to specific users or roles.

 

To create a dashboard fact, you will need to decide on the fact you want to show. For example, maybe I want to know how many applications have been onboarded into RSA Identity Governance and Lifecycle. Dashboard facts can appear on any type of dashboard (Welcome, Object, or Topic level). Along with the fact you will want some visualizations like a name, a colour for the fact, and some descriptive text to explain why anyone cares about the fact (or to give the context for the fact). When creating a fact, the most important thing to keep in mind is what the fact is meant to convey. For example, if I show a number of 100, is that a good thing, or a bad thing that someone may want to drill into more? For this reason, keep your facts concise. In addition to the fact itself, you can configure a URL that allows the fact to be clicked on to get more details. This is especially useful to provide a high-level dashboard that links to a lot more content, like a report or a detail screen within the product.

 

 

It is highly recommended that you start by thinking about the fact you want to present and whether there is an efficient way to get the value to display. Performance is key, as the query will be run every time the dashboard is displayed. RSA recommends using values that are not calculated at runtime. For example, use counts for objects that are gathered daily and stored in the public view PV_TELEMETRY_DATA rather than a query that does an actual count every time the query is executed.

 

To showcase this new feature and help system administrators, the 7.2 release includes a new dashboard available out of the box called 'System Admin' Dashboard.  Facts like the number of admin errors are shown on this dashboard with click through support to take the end user to the actual admin errors.

 

For additional information on this update – please check out this additional context:

Two new review analysis categories have been introduced in the RSA Identity Governance and Lifecycle 7.2 release:

 

 

 

 Never Reviewed

This new category finds any access that has not been reviewed by any reviewer in any review.  This helps reviewers to identify items that have never been reviewed in their list and take appropriate actions.  Other review items will likely have similar review actions to previous reviews unless a user's role or status has changed.

 

 Expiring Soon

Exceptional access given for access raised as a violation will be flagged by this category if the expiration date is within 30 days (default) from the time of the review generation.  The default value can be overridden by navigating to Admin->System->Settings.  This allows reviewers to review the access and make a decision before the access expires and goes through another round of remediation.

 

These new categories can be configured from the Analysis & Guidance page of the review definition along with the other existing categories:

 

For additional information on this update – please check out this additional context:

Sean Miller

New Feature: IMAP Support

Posted by Sean Miller Employee Feb 11, 2020

Email protocols have evolved, and to remain modern and provide secure solutions, the RSA Identity Governance and Lifecycle 7.2 release now includes IMAP/IMAPS as a supported protocol for receiving inbound emails. This can be configured on the Admin->Email->Settings page.

 

 

IMAP is recommended over POP3 as the inbound server protocol, and many organizations are now requiring the use of this protocol.

In the RSA Identity Governance and Lifecycle 7.2 release the user interface is cleaner, more consistent, and provides a more cohesive experience.  We have moved to a style guide based reusable component framework.

 

This release includes redesigned UI components and features such as:

  • Dialogs
  • Buttons
  • Tables
  • Charts
  • Links
  • Card based component layout
  • New icon set for high resolution displays

 

Color Palette and Fonts

A palette of named colors is now used for styling components, rather than hex codes repeated in multiple places. This means one CSS file controls all color palettes, making them consistent across all the UI components in the application.

The default font has now been set to "Open Sans" and a consistent font size is used based on the context (Title: 20px, Heading: 16px, SubHeading: 12px ....).


Buttons

Buttons are now shown as primary, secondary, and tertiary buttons to help highlight the primary action, secondary action, and other actions that a user might be interested in.  Some buttons are now associated with action icons providing a visual cue to help with accessibility.

 

Icons

A new icon set for higher resolution has been provided.  This improves the scalability leading to faster performance and browser loading, avoids pixelation on larger displays, and avoids image redundancy.

 

Similarly, loading icons have been replaced by a standard spinner icon that is more scalable.

 

Notification Panel

The notification panel accessible from the top right of the main menu now has a cleaner user interface incorporating card based component layout with notifications grouped by date.

 

Progress Bar

Progress bars have been redesigned to look cleaner and render better in browsers. Several browsers experienced clipping issues and the component was not performant.

 

Dialogs

The layout of dialogs has been changed so that the header background color is a primary color (blue), the new button design is used for primary and secondary actions, and links are highlighted in blue.

 

Tabs and Breadcrumbs

Tabs are now shown as a minimalist component where the selected tab is denoted by an underline.  Earlier iterations were much busier, required rendering time in browsers, and proved to be distracting in user interaction testing.

The title of the page is shown now above the breadcrumb, highlighted in blue.  The breadcrumb shows a detailed path and allows the user to navigate to any page present in the path (earlier versions just allowed navigation back to the home page).

 

Tables

Tables have been redesigned with a modern theme and include a redesigned pagination component that is consistent across the application. The go to page functionality has been separated out by aligning it to the bottom right of the table.

Table filtering has changed so the active filter is blue and other available filters are white.  Disabled filters are shown with a gray background.  Grouping and searching fields have also been made more consistent and clean in this release.

 

Links

Links are now represented in a blue color and appear red when hovered over with an underlined font.

 

Charts

Charts now have a modern theme and layout with improved animations.  A standard color palette is used and new options have been added to download charts in the desired user format.

 

Form Elements

The active field is now more evident in forms using a blue border to highlight text box and text area controls.

 

What's New Page

The what's new page has been redesigned to showcase key features in the top card based slider. Other features are also shown on this page in standard cards below the slider. The features here are controlled by entries in the strings.properties and additional text/highlights can be added in customerstrings.properties for customer environments.

 

These are just some of the exciting changes we have made in the user interface this release.
