
In the RSA Identity Governance and Lifecycle 7.2.1 release, we have made some improvements to how reports are emailed and added a web service to run reports.

 

In previous releases, you could only configure a report to send an email, and optionally attach the report, to a specific list of users. Each user had to be explicitly listed, and the only recipients were collected identities. In 7.2.1, the email configuration has been enhanced to support richer rules. You can still select specific users, but you can also create filters, for example to include all users in a group or to send the report to all users with the vice president title. Lastly, you can now also list explicit email addresses; recipients no longer have to be collected identities.

 

  

 

The runReport web service has also been introduced in this release to allow a report to be run from a REST call. This allows better integration with a workflow or an external application that needs to run a report.

 

For additional information on this update - please check out this additional context:

In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced the Maintenance mode feature. Maintenance mode ensures that the system is in a quiet state allowing for maintenance, diagnostics, or analysis.

 

We see some changes in system behavior when in Maintenance Mode as follows:

  • Only users with the System:Admin entitlement can log in to the system
  • Web services calls are blocked when system
  • From 7.2.1, Scheduled jobs will be aborted or skipped when the system

 

Maintenance Mode can be configured from Admin -> System -> Maintenance Tab.

 

When the system is in maintenance mode, users will see a maintenance message on the login screen. This message can be customized as needed.

 

Similarly, if users try to access the system through web services, they will get a forbidden (HTTP 403) error with the message configured for maintenance mode. All users, including users with the System:Admin entitlement, will be blocked.

 

From 7.2.1, all scheduled jobs will be aborted when started during maintenance mode. These tasks will show on the Data runs page as Aborted(Maintenance Mode). Tasks can still be manually run from the user interface. This can be useful to trigger and diagnose a collection, for example.

 

Some scheduled jobs, which can't be run manually or are required to run for performance, are still allowed to run in Maintenance mode:

  • Backup job (Admin -> System -> Backup)
  • Clean up jobs (Heartbeat task, WFStatistics and many others)

 

Note: When Maintenance Mode is enabled, any job that is already in progress will be completed.

 

For additional information on this update – please check out this additional context:

In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced the email functionality to include the following security features:


OAuth 2.0 Authentication for Inbound and Outbound Connections

Today, all credentials for email servers (inbound and outgoing) rely on basic credentials. Mail servers are evolving and Office 365, in particular, is ending support for basic credentials and requiring OAuth 2.0 support instead.  Open Authentication (OAuth) is an open standard for authorization that provides administrators with an authorization method when connecting to incoming IMAP/POP and outgoing SMTP servers. OAuth enables the product to receive and send email from a third-party account, such as Gmail, without having to enter the credentials for that account.

 

The OAuth 2.0 implementation requires you to obtain access and refresh tokens from your third-party email provider for each third-party email account. The tokens are automatically saved to the database. They provide authorization for all email communication between the product and the authorized third-party account. In RSA Identity Governance and Lifecycle, a scheduled job regularly checks to see if email access tokens are valid. If the access token is not valid, but the refresh token is, the product automatically regenerates a new access token.

 


Before you begin

You should have

  • Basic knowledge of SMTP, POP & IMAP protocols to configure the email settings.
  • Understanding of configuring an OAuth 2.0 application as per the email service specification
  • Check the capabilities of your email server

 

The RSA Identity Governance and Lifecycle user must have

  • Email Configuration Admin or System Edit privileges


Configuration

A new, improved user interface lets you select OAuth 2.0 as the authentication method for inbound and outbound email account connections on the email settings page.

 

Procedure

  • Log in to your third-party email account, such as Gmail, and enable/setup OAuth 2.0 app
  • Obtain the following from your third-party email provider application configured above
    • Client ID : The Application (client) ID that the provider assigned to your application
    • Client secret : A secret string that the application uses to prove its identity when requesting a token.
    • Authorization URL: OAuth 2.0 Authorization Server URL
    • Token URL : OAuth 2.0 Token Server URL
    • Scope: Space-delimited string that requests a token with the specific permissions needed to send/receive emails
  • Enter the above details to obtain the OAuth 2.0 access token and, optionally, a refresh token
  • If a refresh token is also acquired, a scheduled background job is started to refresh the access token before its expiration.
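The token lifecycle described above (use the access token while it is valid, refresh it from the Token URL otherwise) and the way a bearer token is presented to a mail server, sketched as an added example; this is not RSA's implementation. The record field names, the 5-minute margin and the function names are assumptions, and the request assumes a provider that accepts the client credentials in the form body.

```python
import base64
import time
from urllib.parse import urlencode

REFRESH_MARGIN = 300  # assumed: refresh when under 5 minutes of validity remain


def token_action(token, now=None):
    """What a periodic check should do with one account's stored tokens."""
    now = time.time() if now is None else now
    if token["access_expires_at"] - now > REFRESH_MARGIN:
        return "use"
    if token.get("refresh_token"):
        return "refresh"
    return "reauthorize"  # nothing to refresh with: repeat the consent flow


def refresh_request_body(client_id, client_secret, refresh_token, scope=None):
    """Form body POSTed to the Token URL (RFC 6749, section 6)."""
    fields = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scope:
        fields["scope"] = scope  # space-delimited, as in the procedure above
    return urlencode(fields)


def apply_token_response(token, response, now=None):
    """Merge the token endpoint's JSON reply into the stored token record."""
    now = time.time() if now is None else now
    updated = dict(token)
    updated["access_token"] = response["access_token"]
    updated["access_expires_at"] = now + int(response["expires_in"])
    # Some providers rotate the refresh token; keep the old one otherwise.
    updated["refresh_token"] = response.get("refresh_token") or token.get("refresh_token")
    return updated


def xoauth2_initial_response(mailbox, access_token):
    """Base64 SASL XOAUTH2 string sent with AUTH (SMTP) or AUTHENTICATE (IMAP)."""
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")
```

The client secret and refresh token are long-lived credentials, so the request body and the XOAUTH2 string should be kept out of logs and debug traces.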

 

 

 

STARTTLS support for Outbound Connections

This release also enhances the connection security for outbound email connections. If the email server supports the STARTTLS command and you select STARTTLS as the connection security, RSA Identity Governance and Lifecycle will use this protocol after making the connection and before sending any login information. STARTTLS is an email protocol command that tells an email server that an email client wants to turn an existing insecure connection into a secure one.
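A check that can be run over a recorded SMTP session to confirm the ordering described above, that is, that the TLS upgrade happens before any login information is sent. This is an added example, not RSA code; the `C:`/`S:` transcript format, the host names and the function name are constructed for illustration.

```python
# Constructed transcripts: "C:" is the mail client, "S:" is the mail server.
GOOD = """\
S: 220 mail.example.com ESMTP
C: EHLO igl.example.com
S: 250-mail.example.com
S: 250-STARTTLS
S: 250 AUTH LOGIN XOAUTH2
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO igl.example.com
S: 250 AUTH LOGIN XOAUTH2
C: AUTH XOAUTH2 <redacted>
S: 235 Authentication successful
""".splitlines()

# The server (or a device in the path) never offers STARTTLS.
STRIPPED = """\
S: 220 mail.example.com ESMTP
C: EHLO igl.example.com
S: 250-mail.example.com
S: 250 AUTH LOGIN
C: AUTH LOGIN
""".splitlines()


def audit_smtp_session(lines):
    """Return a list of findings for one SMTP transcript (empty list = OK)."""
    offered = requested = tls = False
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        text = text.strip()
        upper = text.upper()
        if side == "S":
            if not tls and upper[:3] == "250" and upper[4:] == "STARTTLS":
                offered = True  # capability line in the plaintext EHLO reply
            elif requested and not tls:
                tls = upper.startswith("220")  # 220 = go ahead with TLS
                requested = False
                if not tls:
                    findings.append("server rejected STARTTLS: " + text)
        elif side == "C":
            if upper == "STARTTLS":
                requested = True
            elif upper.startswith("AUTH") and not tls:
                findings.append("AUTH sent before TLS was established")
    if not offered:
        findings.append("STARTTLS not advertised by server")
    return findings
```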

 

 

 

For additional information on this update - please check out this additional context:

In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced the collection processes to save time and resources by allowing the re-processing of collected data after a collection was tripped by a circuit breaker threshold. For example, when collecting a significant number of valid changes to one or more applications trips the Circuit Breaker, the reprocessing capability provides the ability to continue and process the already collected data.

 

This means that there will be no additional interactions with the endpoint to “re-collect” the data. The data that was collected before the Circuit Breaker was tripped is used for the processing phase. As part of the re-processing action, the Circuit Breaker will be suspended/ignored.

 

A collection process that is tripped by the Circuit Breaker will have a Status of “Aborted (Circuit Breaker)”, and on the Details Page for the collection run, a “Re-Process Data” button is now available if you want to just re-process the collected data. After you confirm in the dialogue and choose to re-process, the data processing will continue (with the Circuit Breaker settings being ignored).

 

 

For additional information on this update - please check out this additional context:

In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced our Data Access Collectors with an open, flexible collection framework for unstructured data access governance capabilities. These improvements allow you to leverage the data crawler of your choice, including the ability to easily integrate with industry unstructured data solutions, such as from Varonis, using out-of-the-box templates.

 

Our Data Access Collectors have been enhanced in two major areas:

 

New End Point Support for Varonis DatAdvantage

 

The Varonis DatAdvantage solution aggregates permission information across the enterprise. A new out-of-the-box Data Access Collector for Varonis DatAdvantage allows you to collect permissions on folders for Domain Accounts and Domain Groups, along with the folder owners as Resource owners into your RSA Identity Governance and Lifecycle Solution. Our collector uses their REST API to collect information.

 

 

StealthAudit Collector Improvements

 

A new StealthAudit Data Access Collector has been added that leverages OOTB views from the StealthAudit platform. This new collector now allows organizations to collect from current StealthAudit versions.

 

Previously, RSA Compatibility views were required to be installed in the StealthAudit database. These compatibility views are no longer required, and all StealthAudit collectors created in prior releases will require a migration to the new StealthAudit collector to leverage the OOTB views. The migration of the collector is easily performed through the UI.

 

This new collector will no longer require an additional Activity Monitoring license for determining probable owners. While we will continue to support the old version of the collector, we strongly encourage customers to migrate older collectors to this improved version, as the compatibility views may be deprecated in the StealthAudit platform in the future.

 

As part of the updates to the StealthAudit collector, RSA will no longer provide a separate unstructured data access crawler component.

 

 

For additional information on this update - please check out this additional context:

 

DON'T FORGET - please register for the upcoming September Webinar:

RSA Identity Governance & Lifecycle Webinar - Wed Sept 30th 2020 

 

Our goal with this newsletter is to help share more information about what's happening and key things for you to be aware of, specifically for RSA Identity Governance and Lifecycle.

This is a monthly release, so you can expect a new Newsletter at the start of each month.

Sorry we went a few months without sharing any updates, we have all been very busy!

 

Current Edition:

  • Issue #12, September 2020: See attachment below 
    • Note: you should be able to view this in a browser, or download/preview the document too. Any issues/questions, just reply to this!

Previous Newsletter Editions:

 

Previous Webinar Recordings: (Note: you must login to view these)

 

Summary here: RSA Identity Governance and Lifecycle - Monthly Webinar Summary 
