These release notes describe improvements and functional changes to RSA Identity Governance and Lifecycle 7.1.1.0 and all released patches, as well as links to fixed issues for each patch. This page is updated with each patch.
- Installation Information: Before You Install or Upgrade RSA Identity Governance and Lifecycle | Install a Patch
- 7.1.1 Patch 3: What's New | Functional Changes | Fixed Issues
- 7.1.1 Patch 2: What's New | Functional Changes | Fixed Issues
- 7.1.1 Patch 1: What's New | Functional Changes | Fixed Issues
- 7.1.1: What's New | Deprecated Items | Functional Changes | Fixed Issues
7.1.1 Patch 3
What's New
The following table lists the improvements and new features in 7.1.1 Patch 3.
Feature | What’s New |
---|---|
Access Certification | The display names for the Review and Revoke buttons for roles in fine-grained role reviews and for groups in group reviews are now specified within the review definition using two new text fields. Previously, the display names for these buttons were configured using the global resources strings RoleReview_Maintain, RoleReview_Revoke, GroupReview_Maintain, and GroupReview_Revoke. |
Functional Changes
The following table lists the functional changes in 7.1.1 Patch 3.
Issue | Description |
---|---|
Access Certification ACM-100064 | In a group review, RSA Identity Governance and Lifecycle no longer allows None for the state of a group whose members and entitlements are all marked as reviewed and maintained. When applying the state of None to multiple groups, the system ignores any group that has all entitlements and members reviewed and maintained. |
Access Certification ACM-100221 | Generated reviews for coarse-grained role reviews now use the specified display names for the Maintain and Revoke statuses. |
Change Requests and Workflow ACM-95472 | The fix that ensures emails are sent to each approver when multiple approval activity nodes are configured to send an email to approvers appears in newly created nodes. Existing nodes are not affected by this fix, so that any custom email text is not overwritten. |
Change Requests and Workflow ACM-95367 | The settings for Edit and Cancel buttons for change requests are now specified within the request workflow. The AveksaAdmin user is always allowed to cancel requests regardless of this setting, however. |
Change Requests and Workflow ACM-100295 | Password resets now group correctly when By Business Source is selected in the workflow. |
Change Requests and Workflow ACM-99913 | The Entitlements Require Account field under Account Template now contains the options Always, Sometimes, and Never. Previously, the options were True and False. |
Change Requests and Workflow ACM-95340 | The Attachment section for change requests is now controlled by the Request Settings options in the workflow editor. |
Security ACM-90370 | Authorization validation has been added to file coverage uploads and to the collector activate/deactivate buttons. A pop-up is presented if the user does not have the proper privilege. |
Security ACM-99089 | Error message was made more user-friendly. |
User Interface ACM-99458 | The user interface now wraps drop-down text to the next line if it is longer than the drop-down width, and adds a separation line. The minimum width is now 150 pixels for both the select button and the drop-down section. The widths of both sections increase based on the length of the text entered by the user. The maximum height of the drop-down section is now 60% of the screen size. A scroll bar is shown if the height exceeds the maximum height limit. |
User Interface ACM-90251 | When metadata is exported, generated file names are validated and double quotes " are converted to underscores _. |
Fixed Issues
7.1.1 Patch 2
What's New
The following table lists the improvements and new features in 7.1.1 Patch 2.
Feature | What’s New |
---|---|
Database Management | Data pruning has been enhanced to remove unneeded workflow data from the system. |
| The text in Approval and Rejection email replies has been updated to clearly indicate where the user may add additional comments. |
| The default value for the maximum number of recipients for an email provider has been changed to 100. |
Server Core | Added the ability to create an authentication source from any host in a clustered environment. |
Web Services | Several improvements were made to web services:
|
Functional Changes
The following table lists the functional changes in 7.1.1 Patch 2.
Issue | Description |
---|---|
Access Certification ACM-93466 | Removed the Include Users option from group review definitions, as users can no longer be collected as members of groups. |
Access Requests ACM-87884 | Request buttons for Add/Remove Using Request Source now include an option to include terminated users. |
AFX Server ACM-96646 | The ISIM 6.0 connector template has been updated to include new dependency files (itim_ws_client.jar, itim_ws_model.itim_common.jar, jlog.jar) and a properties file (tmsProperties.properties) that must be uploaded when configuring the connector. In the Commands section, the new Justification parameter has been added to some commands. |
Change Requests and Workflow ACM-95849 | The "Show job level variables" check boxes are now selected by default, and job variables are explicitly shown in approval and fulfillment workflows. If these variables need to be hidden, the check box must be deselected. |
Change Requests and Workflow ACM-94899 | When a change request contains a change request item to remove an already-deleted role from a user, that change request item is rejected while the system proceeds with the other items in the change request. |
Database Management ACM-74139 | Data purging has been updated to ensure that workflow data with null change dates is purged. |
Database Management ACM-93837 | In WildFly ACM installations with a remote database and configured failover options, a new, optional ACM configuration property, REMOTE_ORACLE_JDCB_URL, has been added to Aveksa_system.cfg. This property is to be used by AveksaCli only to connect to the target database. Use it only if the default connection URL is not sufficient. When configured, the provided value should match the connection URL of the AVDB data source in aveksa-standalone-full.xml or domain.xml. Single-line example:
Multiple-line example:
For references and additional examples, see the Oracle Database JDBC Developer's Guide and Database Net Services Reference on the Oracle website. |
User Interface ACM-94283 | Added the columns Business Use, Functional Ownership, Locality, and Sensitivity in the Application, Directory, Data Resource Sets, Rule Sets, and Role Sets summary tables. Grouping is disabled on these columns. |
User Interface ACM-96671 | The "one of" operator now takes the Ignore Case option into account when filtering tables. |
User Interface ACM-53828 | The table options now list custom attributes of the specific object type in the pop-up account details where the Entitlement table is displayed. |
Fixed Issues
7.1.1 Patch 1
What's New
The following table lists the improvements and new features in 7.1.1 Patch 1.
Feature | What’s New |
---|---|
Aveksa Statistics Report | The Aveksa Statistics Report (ASR) has the following new column for the Unified Users section:
|
Role Management | Improved performance on the Role Members tab, by improving the rendering of the Member table and the overall performance when adding or removing users. |
Functional Changes
The following table lists the functional changes in 7.1.1 Patch 1.
Issue | Description |
---|---|
Access Certification ACM-93895 | If a reviewer attempts to save or sign off changes while their earlier changes are processing, the user interface now displays a warning message that indicates that the review has another save or sign off in progress, and that the user can submit the changes after the previous changes have completed. |
Access Certification ACM-61543 | In the review definition, the "include sub-groups" label has been changed to "include sub-groups from selected groups". |
Access Requests ACM-92751 | The default out-of-office functionality will now process Global Common Submission Questions to complete a request submission. |
Account Management ACM-85881 | Change request approval and fulfillment processing has been enhanced to enforce uniqueness of account names with regard to both active and deleted accounts. Because all active accounts within a business source must have unique names, but deleted accounts within the same business source are not limited to unique names, these changes prevent a reactivated or pending account from having the same name as another active account. The behavior is as follows:
|
Change Requests and Workflows ACM-95063 | If a workflow form is not successfully deleted, the user interface displays an error. |
Change Requests and Workflows ACM-95214 | The conditional transition selection now saves properly through the drop-down selection button. |
Custom Attributes ACM-88462 | The accounts table now lists all custom user attributes. |
Metadata Import/Export ACM-92269 | The application metadata now exports information about mapped connectors. When the metadata is imported, if the specified connector is available, the application is mapped to the connector. |
Reports ACM-81849 | The following changes were made to how RSA Identity Governance and Lifecycle handles report file names:
|
Reports ACM-90513 | The new public view PV_REQUEST_ITEM_COMP_DTLS has been added to the product. For more information, see the RSA Identity Governance and Lifecycle Public Database Schema Reference. |
Security ACM-94695 | Only users with edit privileges can view the debug properties and configuration for REST and SOAP Web Service nodes. |
Security ACM-92568 | The authentication model for web services has been updated to first perform IP validation, if configured, and then perform token validation. Token validation is not performed for commands that do not require token validation, such as the login, loginInstructions, and getLogo commands, but IP validation is still performed if allowed IP addresses are specified. |
User Interface ACM-92551 | To improve performance, a user interface table no longer calculates the number of items in a change request for each listed task. |
User Interface ACM-53828 | The table options now list custom attributes of the specific object type in the pop-up account details where the Entitlement table is displayed. |
User Interface ACM-81142 | Under Reviews > Activities, the Actions menu automatically scrolls so that all options are visible. |
Fixed Issues
7.1.1
What's New
The following tables list the improvements and features in 7.1.1.
Feature Highlights
Feature | What’s New |
---|---|
Updated SOD Rules | Updated Segregation-of-Duty (SOD) rules and policy language, which includes additional analysis and detection capabilities to identify complex cross-application violations and reduce potential false positives. For information about the new SOD rules functionality, see "Using a Correlation Specification with a Segregation of Duties Rule" in the Online Help. |
New Violation Remediation Experience | SOD and user access violations can now be remediated using violation remediation reviews, which allow users to review violations and perform remediation actions directly through the reviewer user interface. The violation remediation reviewer experience uses the same user interface as the new user access reviewer experience, which provides advanced features such as Analysis and Guidance, a review progress monitor, advanced filtering, and the ability to manage multiple violations at the same time. This feature uses both an SOD or User Access Rule definition and a User Access Violation Remediation Review definition and seamlessly manages their association within the system. For more information, see "About the Violation Remediation Review Experience" in the Online Help. |
Display Views for User Access Reviews | Configurable display views are available in the new reviewer experience. |
User Access Reviews | During user access review analysis, any review items with a pending revoke operation in progress are automatically marked with a revoke status. |
Log Artifact Collection | Added automated log artifact collection and bundling capabilities to collect and send logs for support cases. This feature is available by going to Admin > Diagnostics and clicking the Log Artifact tab. For more information, see "Collect Logs to Review Artifacts" in the Online Help. |
Diagnostics and System Data | System usage data, diagnostics, and heuristics information is collected and available through newly provided reports and through a downloadable JSON file for offline analysis and troubleshooting. You can configure this feature by going to Admin > Diagnostics and clicking the Diagnostics and System Data tab. For more information, see "Diagnostics and System Data" in the Online Help. |
Web Services | The following changes have been made to Web Services:
|
Additional Features and Improvements
Feature | What’s New |
---|---|
Access Certification | The following changes have been made for Access Certification:
|
Access Requests | A password reset for a user can be done by that user, an administrator, a user having the Reset Password entitlement, or the business owner or technical owner of the business source. |
AFX | The AFX connector has improved performance when mapping unused variables in large environments. |
Change Requests and Workflow | The following changes have been made in Change Requests and Workflow:
|
Connectors | Introduced IBM Security Identity Manager 6.0 connector template for provisioning requests on ISIM. |
Custom Attributes | The following changes have been made for custom attributes:
|
Database Management | New custom attributes for strings and user data are available for resource objects:
For more information, see "Creating and Managing Attributes for RSA Identity Governance and Lifecycle" in the Administrator's Guide and the online Help. |
Request Forms | The following changes have been made for request forms:
|
Server Core | aveksaServerInfo.log now includes the node name and environment name of the system, to assist with identifying the system from which the log originates. |
User Interface |
|
Deprecated Items
The following table lists the items deprecated in 7.1.1.
Feature | Description |
---|---|
Password Management | 32-bit installation of the AD Password Capture tool has been deprecated. |
Server Core | As of RSA Identity Governance and Lifecycle V7.1.1, OpenJDK 1.7 is no longer supported. |
User Interface | Hardware appliance operations, such as edit, restart, reboot, and shutdown, can no longer be performed through the RSA Identity Governance and Lifecycle user interface. To perform these operations, use OS access level commands. |
User Interface | RSA Identity Governance and Lifecycle no longer supports Internet Explorer version 10, due to the use of new technologies that rely on modern browsers. For a complete list of supported browsers, see the RSA Identity Governance and Lifecycle Platform Datasheet and Support Matrix. |
Functional Changes
The following table lists the functional changes in 7.1.1.
Issue | Description |
---|---|
Access Certification ACM-88680 | The "Save Tab in Table" option has been removed from table pop-ups. |
Access Certification ACM-87169 | The new reviewer interface no longer includes access for terminated users as a low-risk category. |
Access Certification ACM-88254 | The user interface displays an “in-progress” indicator when general category bulk maintain actions are in progress. |
Access Requests ACM-79721 | Revocation change requests generated by account change requests will maintain the account property type. |
Access Certification ACM-88929 | Export operations are now limited to 5,000 records at a time. |
Admin Errors ACM-92855 | The Admin Error type "Account Load Data" can now contextually appear in the properties of a Create Admin Error workflow node. |
Change Requests and Workflows ACM-71049 | The default AFX Manual Fulfillment subprocess workflow now includes a job state node to cancel change items when cancelling fulfillment. |
Change Requests and Workflows ACM-80901 | The number of work items retained in the workflow history is now limited to reduce the amount of data loaded. |
Change Requests and Workflows ACM-88211 | Workflows cannot be selected across different types of modules and are only selectable for the appropriate module type. |
Change Requests and Workflows ACM-88351 | The Show Job Level Variables setting in request workflows will not overwrite the same setting in approval and fulfillment workflows. |
Change Requests and Workflows ACM-88384 | A workflow must be removed from configuration (phase nodes, subprocesses, and escalations) before it can be deleted. |
Change Requests and Workflows ACM-89649 | The Business justification character limit has increased to 4000 while editing exceptional access. |
Change Requests and Workflows ACM-89833 | The fulfillment workflow now uses the correct query to group fulfillments by business source. |
Change Requests and Workflows ACM-89860 | WorkItemURL selection is now available for manual nodes. |
Change Requests and Workflows ACM-90476 | A custom task must be removed from the schedule before it can be deleted. |
Change Requests and Workflows ACM-93462 | The "Assign to" list no longer appears as available options for Resource Selection. |
Collector ACM-75432 | The attribute "lastlogontimestamp", always collected as a date-type value, can be stored in a custom attribute as either a string-type integer value or a date-type value. A string-type integer value is automatically converted to the date-type value formatted as “yyyy-MM-dd HH:mm:ss”. |
Data Collection Processing and Management ACM-74626 | The Application Metadata Collector will only update application business source objects. |
Data Collection Processing and Management ACM-81403 | If an agent cannot resolve the Member Type from the Account Data Collector's source system for a group's member, it assigns "unknown" to the Member Type column in the raw data instead of guessing the correct member type. When Member Type is "unknown", the collector's database processing still attempts to resolve the member type. If successful, it assigns a member type in the new "Resolved Member Type" column in the raw data. If Member Type is "unknown" and the member type cannot be resolved by the account collector, then Resolved Member Type is left blank and the collected membership is rejected. |
Data Collection Processing and Management ACM-90663 | The date range of historical configuration information has been reduced in areas such as collector changes. |
Data Collection Processing and Management ACM-91761 | The Last Reviewed Date OOTB attribute has been removed from the collector wizards. |
Installer ACM-87123 | Applying a patch overwrites the configuration files for plugins except for the ITIM2FulfillmentHandler, NovellIMListener, and SunFulfillmentHandler plugins, which are copied from the customer's system instead. The patch application process backs up the original plug-in configuration files in the folder <location of the patch>/backup/<timestamp>/plug-ins/ so that you can restore them if needed. |
Provisioning ACM-88777 | The Workflow ValidReplyAnswers macro now populates and lists URLs in a consistent order. |
Reports ACM-81849 | The following changes were made to how RSA Identity Governance and Lifecycle handles report file names:
|
Request Forms ACM-64863 | The Request Forms wizard disables the Next button until all form elements on a page are loaded. |
Request Forms ACM-70736 | User filters containing avform.user variables are not replaced with substitute values in the Compare Users field of the Provisioning form. |
Request Forms ACM-77882 | Drop-down, Multi-select, and Number fields can be populated by avform attribute selectors used as the default value. |
Request Forms ACM-83637 | The JavaScript block form control no longer allows Display conditions. The Display tab for this form control displays a message for the restriction. When Enable conditions are set, the JavaScript block entered is executed only when the conditions are satisfied. If there are no conditions set, then the JavaScript block is executed whenever the form runs. |
Request Forms ACM-88604 | Multiple account resolution can be configured on a request form to prompt for every change or per business source. |
Role Management ACM-75430 | The Role Import process warns that collected roles, if imported, will be converted into local roles. |
Role Management ACM-87106 | The Out of Constraint Users list in the Analytics tab has changed to use the same format as the Users list in the Users tab. |
Role Management ACM-74637 | The "Role Missing Entitlement Rule" email notification now adds group entitlements collected from the ADC. |
Rules ACM-90043 | An "Associate Remediation Job" button has been added to the Rule Details page for remediation actions. When clicked, remediation workflow jobs are created for identified and unassociated violations. This button is not enabled by default, but can be enabled by the "ViolationRemediationReProcess" feature flag. |
Rules ACM-95300 | Rules are now processed one at a time to avoid a system error. The monitoring page relays this new process as follows: Currently Processing Rule (X out of Y) |
Security ACM-73739 | Enhanced security for page access in RSA Identity Governance and Lifecycle. |
Server Core ACM-92902 | The JRE has been upgraded to Java 8. By default, Java 8 enforces endpoint identification on LDAPS connections to improve the robustness of the connections. After upgrading, Active Directory collectors that use SSL that were previously able to connect might be unable to connect. View the aveksaServer.log for details about connection failures. If this occurs, ensure that the certificate of the host configured in the collector settings has the correct subject alternative name attributes available that match the hostname. |
User Interface ACM-81449 | The Other type for owners is now usable in simple and advanced views. |
Web Services ACM-92041 | Validation for web service calls to add or remove accounts from a group can be requested using the collector or the business source, but not both. |
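
For the Java 8 LDAPS change described under Server Core ACM-92902, the following added example (not RSA code and not part of the original release notes) is a pre-upgrade check that compares the host value configured in each collector against the subject alternative name entries of the directory server's certificate. It is a simplified model of hostname-to-SAN matching, not Java's own implementation; all function names, host names, and addresses are constructed for illustration.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_name_matches(host, pattern):
    """Case-insensitive, label-by-label comparison. A '*' may only replace
    the whole left-most label and never spans a dot."""
    host_labels = host.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(pat_labels) >= 3 and host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels

def check_collector_host(host, san_dns=(), san_ips=()):
    """Return (ok, reason) for the host value configured in a collector,
    given the SAN entries read from the directory server's certificate."""
    ip = _as_ip(host)
    if ip is not None:
        # An IP literal can only match an iPAddress entry, never a dNSName.
        if any(_as_ip(entry) == ip for entry in san_ips):
            return True, "matches an iPAddress SAN entry"
        return False, "host is an IP literal with no matching iPAddress SAN entry"
    for pattern in san_dns:
        if _dns_name_matches(host, pattern):
            return True, "matches dNSName SAN entry " + pattern
    if "." not in host:
        return False, "short host name does not match any dNSName SAN entry"
    return False, "no dNSName SAN entry matches"

def audit(hosts, san_dns, san_ips):
    """Check every configured host; returns {host: (ok, reason)}."""
    return {h: check_collector_host(h, san_dns, san_ips) for h in hosts}

# Constructed sample data: SAN entries as they might be read from a server
# certificate, and host values as they might appear in collector settings.
SAMPLE_SAN_DNS = ["dc01.corp.example.com", "*.ldap.example.com"]
SAMPLE_SAN_IPS = []
SAMPLE_COLLECTOR_HOSTS = [
    "dc01.corp.example.com",   # exact match
    "DC01.CORP.EXAMPLE.COM",   # differs only in case
    "dc01",                    # short name
    "10.0.0.5",                # IP literal, certificate has no iPAddress SAN
    "eu1.ldap.example.com",    # covered by the wildcard entry
    "a.eu1.ldap.example.com",  # one label too deep for the wildcard
]

if __name__ == "__main__":
    results = audit(SAMPLE_COLLECTOR_HOSTS, SAMPLE_SAN_DNS, SAMPLE_SAN_IPS)
    for host, (ok, reason) in results.items():
        print(("OK   " if ok else "FAIL ") + host + ": " + reason)
```

Collectors configured with an IP address or a short host name are the typical entries that fail this check when the certificate lists only fully qualified names.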