RSA Identity Governance and Lifecycle 7.1.1.x Release Notes

Document created by RSA Information Design and Development Employee on Jul 12, 2019. Last modified by RSA Product Team on Oct 15, 2020.
Version 16

These release notes describe improvements and functional changes to RSA Identity Governance and Lifecycle 7.1.1.0 and all released patches, as well as links to fixed issues for each patch. This page is updated with each patch.

 

To receive notifications about changes to this page, sign in to RSA Link, click Actions, and select Follow.

 

To view this page as a PDF, ensure that you are logged in to RSA Link, click Actions and select View as PDF.

 

 

 

7.1.1 Patch 10

 


Functional Changes 

Issue

Description

Role Management

SF-01608246

ACM-105637

Previously, IG&L allowed end users to create simultaneous role modifications on the same role while it was in an applied state.
The Role “Actions” menu allowed a role to be unlocked and allowed new change requests that included changes already included in other pending change requests. Roles->Actions or Role->Analysis were thereby able to create new change requests for a role already in an “Applied State.”

Actions that generate a change request are no longer allowed on roles in an applied state. For example, on the Roles page, checkboxes are disabled for roles in the applied state for actions such as Roles->Actions->Add Entitlements, Roles->Actions->Remove Entitlements, and Roles->Analysis->Suggest Options.

Change Requests

SF-1577028

ACM-106051

Entitlement/App role selection on Approval Phase nodes will now consider accounts, but fulfillment is unchanged since an entitlement should only be able to handle one route for fulfillment.

Access Requests
SF-1616176

ACM-106144

When trying to create a change request for an action that already has a pending change request, a warning message is now displayed, and the FINISH button is disabled.

Previously you could create a new change request even though a pending change request existed.

 

Fixed Issues

Fixed Issues in 7.1.1.10 

 

 

7.1.1 Patch 9

 

Functional Changes

 

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.1.1 Patch 9 as the result of fixed issues.

 

Issue

Description

Account Management

ACM-103431

Previously, pending accounts associated with a Create Account change item were deleted for a change request when any duplicate account was found. Pending accounts are now deleted only for rejected change items for which the duplicate account is found, and the account is renamed successfully based on the account template configuration for the Create Account change item.

Change Requests and Workflows

ACM-105347

The Cancel button is no longer enabled when a change request is in the Undoing state.

Data Collection Processing and Management

ACM-104994

Previously, unification occurred even when mandatory collections failed. Scheduled unification and IDC post-processing now occur only after successful collections.

Role Management

ACM-105029

When removing a role through a role review that has both members and entitlements, the system now calculates the indirects for the revocation.

User Interface

ACM-104556

The schema no longer allows null values for the CanRequest field when editing groups.

User Interface

ACM-103538

When a change request was blocked due to dependencies created by another change request, the user interface did not provide enough information to find the problematic dependencies. The user interface now provides clearer information.

 

Fixed Issues

 

Fixed Issues in 7.1.1.09

 

 

 

7.1.1 Patch 8

 

Functional Changes

 

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.1.1 Patch 8 as the result of fixed issues.

 

Issue

Description

AFX

ACM-103661

Remote AFX and agents do not work after upgrading Java 1.8 JDK to u241 or higher. This patch updates the generation of the self-signed certificates for RSA Identity Governance and Lifecycle.

If you have applied this patch and upgraded to Java version JDK 8u241 or higher, you must download or regenerate the self-signed certificates for RSA Identity Governance and Lifecycle into your environment and restart the server.

  1. Log in to RSA Identity Governance and Lifecycle, and go to Admin > System > Security. In a clustered environment, perform this step on the single system operations node (SON).
  2. Click Change Certificate Store, and click OK to change the root certificate and CA.
  3. Click Download and save the server.keystore file to a location on your computer.
  4. Go to AFX > Servers, click Change Certificate Store, and click OK to change the client certificate.
  5. Click Download and save the client.keystore file to a location on your computer.
  6. Stop the ACM and AFX servers.
  7. Copy the new server.keystore file to the location on the server where your web server reads the keystore. For example, $AVEKSA_HOME/keystore.
  8. Copy the new client.keystore file to the AFX server under <AFX-server-root>/esb/conf.
  9. Update the client.keystore files from the remote agents after you download the corresponding client.keystore from RSA Identity Governance and Lifecycle.
  10. Restart the ACM and AFX servers and verify connectivity with the endpoints.

Role Management

ACM-102991

Before creating a change request for role entitlements, the system checks whether adding these entitlements to the role would create cyclic dependencies. If the change request would create cyclic dependencies, the system does not allow the change request to be created, and the user interface displays the role entitlements that are causing the issue so that it can be corrected.

User Interface

ACM-103542

While creating a change request, if a user browses away from the page or closes the window before submitting, the user no longer has to log in a second time to see the pending change request submission.

 

Fixed Issues

 

Fixed Issues in 7.1.1 Patch 8

 

 

 

7.1.1 Patch 7

 

What's New

 

Feature

What’s New

Server Core

The first time a system administrator logs on to the RSA Identity Governance and Lifecycle user interface, he or she must enter the Customer ID, Customer Name, and System Type in order to agree to the license. The Customer ID value is provided by RSA to all customers through email. These values are logged in the diagnostics and system data.

 

Functional Changes

 

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.1.1 Patch 7 as the result of fixed issues.

 

Issue

Description

AFX

ACM-80377

The system has been updated to send only one email per change request item.

AFX

ACM-100698

The following improvements have been made to the process of uploading additional JAR files to connect to other databases using a generic database.

  • The driver field is now editable to support the addition of a new path and selecting the existing driver path from the list for the Generic Type Connector.
  • Under Generic Type Connector > File Content, add and delete options have been added for custom driver JARs.
  • The system now handles the upload and removal of custom drivers to and from AFX/esb/apps/connectorname/lib, where connectorname is the name of the connector.

AFX

ACM-101553

Memory management in ActiveMQ has been updated to handle bulk change request items. You may need to modify the following ActiveMQ settings.

  1. The queue can handle messages for a change request with about 500 change request items for an AFX connector. To handle a larger number of items than this default, update the settings as follows.
    1. Edit AFX\activemq\conf\activemq.xml.

    2. Find the policyEntry tag and modify the memoryLimit attribute value based on the requirement, as shown below, then save the changes.

      <policyEntry queue=">" producerFlowControl="true" useCache="false" memoryLimit="5mb">

  2. The queue can handle approximately 50 AFX connectors for provisioning the change request items in parallel with the default settings. To configure a larger number of connectors than the default allows, modify the memoryUsage value based on the requirement.

    Example:
    Memory usage for an AFX connector needs approximately 5 MB. 5MB multiplied by 50 connectors is a total of 250 MB, which is the default.
    The memory usage is calculated based on the memoryLimit values in point 1.

    1. Edit AFX\activemq\conf\activemq.xml.

    2. Find the memoryUsage tag and modify the limit attribute value based on the requirement.

      <memoryUsage>
      <memoryUsage limit="256 mb"/>
      </memoryUsage>

    3. Find the tempUsage tag and set the limit attribute to the same value as memoryUsage.

      <tempUsage>
      <tempUsage limit="256 mb"/>
      </tempUsage>

    4. Find the storeUsage tag and modify the limit based on the changes to the memoryUsage value.

      <storeUsage>
      <storeUsage limit="1 gb"/>
      </storeUsage>

    5. Save changes.

  3. Based on the requirements and memory configuration changes, the ActiveMQ heap size must be updated. The recommended heap size is between 2 and 4 GB.

    1. Edit the AFX/bin/afx.sh script.
    2. Update the ACTIVEMQ_OPTS Xms and Xmx values.

    3. Edit the AFX/activemq/bin/activemq.sh script.

    4. Update the ACTIVEMQ_OPTS Xms and Xmx values.
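The sizing rule from steps 1 and 2 above (memoryLimit multiplied by the number of connectors must fit in memoryUsage, and tempUsage must equal memoryUsage), written as a check over an activemq.xml file. This is an added example, not RSA tooling: the sample XML is constructed, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MB = 1024 ** 2
UNITS = {"": 1, "kb": 1024, "mb": MB, "gb": 1024 ** 3}

# Constructed sample shaped like AFX/activemq/conf/activemq.xml; not a shipped file.
SAMPLE_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <destinationPolicy><policyMap><policyEntries>
      <policyEntry queue=">" producerFlowControl="true" useCache="false" memoryLimit="5mb"/>
    </policyEntries></policyMap></destinationPolicy>
    <systemUsage><systemUsage>
      <memoryUsage><memoryUsage limit="256 mb"/></memoryUsage>
      <storeUsage><storeUsage limit="1 gb"/></storeUsage>
      <tempUsage><tempUsage limit="256 mb"/></tempUsage>
    </systemUsage></systemUsage>
  </broker>
</beans>
"""


def parse_size(text):
    """Convert '5mb', '256 mb' or '1 gb' to bytes (a bare number is taken as bytes)."""
    m = re.fullmatch(r"\s*(\d+)\s*(kb|mb|gb)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "").lower()]


def read_limits(xml_text):
    """Collect the four limits the procedure edits, ignoring XML namespaces."""
    limits = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name == "policyEntry" and "memoryLimit" in el.attrib:
            # With several policyEntry elements, size for the largest per-queue limit.
            size = parse_size(el.attrib["memoryLimit"])
            limits["memoryLimit"] = max(limits.get("memoryLimit", 0), size)
        elif name in ("memoryUsage", "tempUsage", "storeUsage") and "limit" in el.attrib:
            limits[name] = parse_size(el.attrib["limit"])
    return limits


def check_sizing(xml_text, connectors):
    """Return a list of findings; an empty list means the limits are consistent."""
    limits = read_limits(xml_text)
    wanted = ("memoryLimit", "memoryUsage", "tempUsage", "storeUsage")
    missing = [f"missing setting: {k}" for k in wanted if k not in limits]
    if missing:
        return missing
    findings = []
    needed = limits["memoryLimit"] * connectors
    if limits["memoryUsage"] < needed:
        findings.append(
            f"memoryUsage is {limits['memoryUsage'] // MB} MB but "
            f"{connectors} connectors need {needed // MB} MB"
        )
    if limits["tempUsage"] != limits["memoryUsage"]:
        findings.append(
            f"tempUsage is {limits['tempUsage'] // MB} MB and should equal "
            f"memoryUsage ({limits['memoryUsage'] // MB} MB)"
        )
    # storeUsage is only required to be present: the notes give no formula for it.
    return findings


if __name__ == "__main__":
    for count in (50, 60):
        print(count, "connectors:", check_sizing(SAMPLE_XML, count) or "limits are consistent")
```
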

Change Requests and Workflows

ACM-103619

On an approval workflow node, users can now configure the approval due date to start either on the job start time or the node start time.

Database Management

ACM-104549

Workflow object auditing now covers edit actions in addition to create and delete. Auditing has also been added for editing, creating, and deleting workflow forms.

Metadata Import/Export

ACM-102938

When importing a role description, the system creates a new description instead of overwriting an existing description, or failing or skipping the import.

Role Management

ACM-104041

Role sets in which roles have been moved to other role sets but not committed cannot be deleted until the role changes have been committed. The user interface now presents a message alerting the user of the roles that need to be committed before proceeding.

User Interface

ACM-103539

Previously on the Request Summary page and Pending Submission page, users without Admin privileges were not allowed to cancel requests. The Cancel Pending Request button was never active for these non-Admin users. In this update, users without Admin privileges are now allowed to cancel requests on these pages. The checkboxes for change request selection are enabled and other checkboxes disabled based on the users’ privileges. Users can select change requests with enabled checkboxes and perform the Cancel action. The Cancel Pending Request button is active if the user selects the change request.

 

Fixed Issues

 

Fixed Issues in 7.1.1 Patch 7

 

 

 

7.1.1 Patch 6

 

What's New

 

Feature

What’s New

Collector

The extensible attribute functionality for the Workday collector now allows empty values.

 

 

 

Functional Changes

 

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.1.1 Patch 6 as the result of fixed issues.

 

Issue

Description

Access Requests

ACM-100749

Added a new variable called “Display Name” that maps to the alt_name of the entitlement for global-role, app-role, and group, under the workflow status values.

Change Requests and Workflows

ACM-103314

The RSA Identity Governance and Lifecycle user interface now allows the cancellation of change request items in a pending verification state when the change request and workflows are completed.

Change Requests and Workflows

ACM-103356

Added a tooltip to clarify that the "Max items per change request" setting does not affect change requests adding or removing entitlements from roles. Changes generated from roles are always in a single request to ensure that dependencies are clear to approvers.

Change Requests and Workflows

ACM-102222

Admin > Workflow > Settings has a new scheduled task to ensure that the workflow completes when a request has all watches closed.

Data Collection Processing and Management

ACM-101509

RSA Identity Governance and Lifecycle previously defined orphan accounts as accounts with no mapping regardless of the account status.

This patch introduces an additional scenario for orphan accounts. After creating a pending account with a pending mapping, if you collect just the account, the mapping remains pending. Pending mappings are not a trusted source, and therefore the account is listed as an orphan account even though its pending mapping is visible in the RSA Identity Governance and Lifecycle user interface. This account is listed in the orphan view of the accounts tab as well as in an orphan report. An icon is displayed next to the user component of the mapping to indicate that the mapping is pending.

To resolve an orphan account resulting from a pending mapping, perform one of the following actions:

  • Properly collect the user mapping to the account.
  • Manually unmap the pending account mapping, and manually map it to the appropriate user.

After the account is removed from its orphan status, all entitlements collected for the account appear under the mapped user.

Local Entitlements

ACM-103319

Change requests can now remove entitlements from deleted users, and users are prompted to enter a comment in the change request item.

Role Management

ACM-103544

RSA Identity Governance and Lifecycle no longer allows users to submit a new change request when a pending account in a pending submission already exists.

Role Management

ACM-100944

The following changes have been made in roles:

  • In the Members tab, Missing Direct Entitlements has been changed to Missing Direct Entitlements (Active).
  • In the Entitlements tab, Direct Members Missing has been changed to Direct Active Members Missing.
  • In the Analytics tab, Missing Entitlements has been changed to Missing Entitlements for Active Members.
  • In the Analytics tab, the new metric Number of Users (Terminated) has been added.

User Interface

ACM-103538

When a change request was blocked due to dependencies created by another change request, the user interface did not provide enough information to find the problematic dependencies. The user interface now provides clearer information.

 

 

 

Fixed Issues

 

Fixed Issues in 7.1.1 Patch 6

 

 

 

7.1.1 Patch 5

 

What's New

 

Feature

What’s New

Collector

A new User Filter has been added to the Workday collector, which allows the inclusion or exclusion of specific user types.

 

 

 

Functional Changes

 

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.1.1 Patch 5 as the result of fixed issues.

 

Issue

Description

Collector

ACM-93824

The Office365 Account Collector now has a configurable Block Size field during application creation.

Role Management

ACM-101549
ACM-101846
ACM-101585
ACM-98261
ACM-98346

Fixed the failure of roles explosion from change requests when duplicate roles are found in the system. This addresses the issue of user entitlement discrepancies due to explosion failures. Additionally, multiple issues with roles import were addressed. During import, the system reuses the existing members and entitlements when overwriting a local role instead of fully deleting them and creating new entries. When importing roles, the system now looks only for active roles with similar names so that deleted roles are not reactivated. This change avoids the creation of multiple active roles with the same role name. If a role being imported matches an existing active collected role, the system throws an exception instead of overwriting the role. Collected roles are not overwritten at any point.

 

 

 

Fixed Issues

 

Fixed Issues in 7.1.1 Patch 5

 

 

 

7.1.1 Patch 4

 

What's New

 

Feature

What’s New

Access Certification

When determining unchanged items, RSA Identity Governance and Lifecycle considers only reviews generated in the past 365 days instead of all reviews. An item for a reviewer is tagged as unchanged when he or she has last reviewed it with the Maintain state in a review that was generated in the last 365 days, and none of the attributes of the reviewed entitlement have changed.

AFX Server

A new SSH connector that supports public key authentication has been added.

Change Requests and Workflow

The Workflow Architect has a new “Auto Complete Category” option when grouping by category that indicates whether the Category Manager automatically completes all other work items in a category. By default, this option is selected.

 

 

 

Functional Changes

 

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.1.1 Patch 4 as the result of fixed issues.

 

Issue

Description

Access Certification

ACM-98991

Coverage is now only refreshed in a review when the coverage option is selected. When review items are refreshed and the coverage option is not selected, a warning appears to remind the user that coverage will not be refreshed.

Change Requests and Workflows

ACM-100295

Password resets now group correctly for By Business Source grouping.

Change Requests and Workflows

ACM-100448

Admin > Workflow > Monitoring now properly updates the Pending Verification (Count) icon when the number of pending verification items changes.

Change Requests and Workflows

ACM-100872

The Finish and Next buttons are now disabled on the Additional Information submission screen when there is a pending submission.

Collector

ACM-99256

Modified the Workday collector response group filter and attribute configuration to optimize response time.

Security

ACM-90370

Authorization validation has been added for file coverage uploads and for the collector activate/deactivate buttons. A pop-up is presented if the user does not have the proper privilege.

User Interface

ACM-76494

The code was fixed to ensure that when the Direct Subordinates view is used, it always uses the requestor and not the user for which access is requested.

User Interface

ACM-90208

Pop-up windows now appear in the center of the user’s viewing area.

 

 

 

Fixed Issues

 

Fixed Issues in 7.1.1 Patch 4

 

 

 

7.1.1 Patch 3

 

What's New

 

The following table lists the improvements and new features in 7.1.1 Patch 3.

 

Feature

What’s New

Access Certification

The display names for the Review and Revoke buttons for roles in fine-grained role reviews and for groups in group reviews are now specified within the review definition using two new text fields. Previously, the display names for these buttons were configured using the global resources strings RoleReview_Maintain, RoleReview_Revoke, GroupReview_Maintain, and GroupReview_Revoke.

 

 

 

Functional Changes

 

The following table lists the functional changes in 7.1.1 Patch 3.

 

Issue

Description

Access Certification

ACM-100064

In a group review, RSA Identity Governance and Lifecycle no longer allows None for the state of a group whose members and entitlements are all marked as reviewed and maintained. When applying the state of None to multiple groups, the system ignores any group that has all entitlements and members reviewed and maintained.

Access Certification

ACM-100221

Generated reviews for coarse-grained role reviews now use the specified display names for the Maintain and Revoke statuses.

Change Requests and Workflow

ACM-95472

The fix that ensures emails are sent to each approver when multiple approval activity nodes are configured to send an email to approvers appears in newly created nodes. Existing nodes are not affected by this fix, so that any custom email text is not overwritten.

Change Requests and Workflow

ACM-95367

The settings for Edit and Cancel buttons for change requests are now specified within the request workflow. The AveksaAdmin user is always allowed to cancel requests regardless of this setting, however.

Change Requests and Workflow

ACM-100295

Password resets now group correctly when By Business Source is selected in the workflow.

Change Requests and Workflow

ACM-99913

The Entitlements Require Account field under Account Template now contains the options Always, Sometimes, and Never. Previously, the options were True and False.

Change Requests and Workflow

ACM-95340

The Attachment section for change requests is now controlled by the Request Settings options in the workflow editor.

Security

ACM-90370

Authorization validation has been added for file coverage uploads and for the collector activate/deactivate buttons. A pop-up is presented if the user does not have the proper privilege.

Security

ACM-99089

An error message was made more user-friendly.

User Interface

ACM-99458

The user interface now wraps the drop-down text to the next line if it is longer than the drop-down width, and a separation line has been added. The minimum width is now 150 pixels for both the select button and the drop-down section. The widths of both sections increase based on the length of the text entered by the user. The maximum height of the drop-down section is now 60% of the screen size. A scroll bar is shown if the height exceeds the maximum height limit.

User Interface

ACM-90251

When metadata is exported, generated file names are validated and double quotes " are converted to underscores _.

 

 

 

Fixed Issues

 

Fixed Issues in 7.1.1 Patch 3

 

 

 

7.1.1 Patch 2

 

What's New

 

The following table lists the improvements and new features in 7.1.1 Patch 2.

 

Feature

What’s New

Database Management

Data pruning has been enhanced to remove unneeded workflow data from the system.

Email

The text in Approval and Rejection email replies has been updated to clearly indicate where the user may add additional comments.

Email

The default value for the maximum number of recipients for an email provider has been changed to 100.

Server Core

Added the ability to create an authentication source from any host in a clustered environment.

Web Services

Several improvements were made to web services:

  • All available commands are now organized across several tabs labeled by category. The Settings tab, which is the first tab the user sees, provides a high-level ability to toggle web services on and off, allows the user to specify a list of IP addresses that can be used for commands, and the import directory where some commands may look for content. Those commands will indicate in their details that they use the import directory.
  • The user interface that lists all commands has been redesigned to display the commands in a table format. A user can click the Click for Details link for a particular command to expand a command's row and view details about using the command. The new table includes a security column that uses icons to represent the current settings for the command, and a Configure button to change the security.
  • Security settings are now configured at the command-level. A user can only change the security for a particular command to be stronger than the default, out-of-the-box security setting.

 

Functional Changes

 

The following table lists the functional changes in 7.1.1 Patch 2.

 

Issue

Description

Access Certification

ACM-93466

Removed the Include Users option from group review definitions, as users can no longer be collected as members of groups.

Access Requests

ACM-87884

Request buttons for Add/Remove Using Request Source now include an option to include terminated users.

AFX Server

ACM-96646

The ISIM 6.0 connector template has been updated to include new dependency files (itim_ws_client.jar, itim_ws_model.itim_common.jar, jlog.jar) and a properties file (tmsProperties.properties) that must be uploaded when configuring the connector. In the Commands section, the new Justification parameter has been added to some commands.

Change Requests and Workflow

ACM-95849

The "Show job level variables" check boxes are now selected by default, and job variables are explicitly shown in approval and fulfillment workflows. If these variables need to be hidden, the check box must be deselected.

Change Requests and Workflow

ACM-94899

When a change request contains a change request item to remove an already-deleted role from a user, that change request item is rejected while the system proceeds with the other items in the change request.

Database Management

ACM-74139

Data purging has been updated to ensure that workflow data with null change dates is purged.

Database Management

ACM-93837

In WildFly ACM installations with a remote database and configured failover options, a new, optional ACM configuration property, REMOTE_ORACLE_JDBC_URL, has been added to Aveksa_system.cfg. This property is used only by AveksaCli to connect to the target database. Use it only if the default connection URL is not sufficient. When configured, the provided value should match the connection URL of the AVDB data source in aveksa-standalone-full.xml or domain.xml.

Single-line examples:

REMOTE_ORACLE_JDBC_URL=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=DB_PRIMARY_HOST)(PORT=DB_port))(ADDRESS=(PROTOCOL=TCP)(HOST=DB_SECONDARY_HOST)(PORT=DB_port)))(CONNECT_DATA=(SERVICE_NAME=avdb)(SERVER=DEDICATED)))

REMOTE_ORACLE_JDBC_URL=jdbc:oracle:thin:@(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)(DESCRIPTION=(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node1)(PORT=1555)))(CONNECT_DATA=(SERVICE_NAME=avdb)))(DESCRIPTION=(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node2)(PORT=1555)))(CONNECT_DATA=(SERVICE_NAME=avdb))))

Multiple-line example:

REMOTE_ORACLE_JDBC_URL=jdbc:oracle:thin:@(DESCRIPTION_LIST=(LOAD_BALANCE=off) (FAILOVER=on) \
(DESCRIPTION= \
(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3) \
(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node1)(PORT=1555))) \
(CONNECT_DATA=(SERVICE_NAME=avdb))) \
(DESCRIPTION= \
(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3) \
(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node2)(PORT=1555))) \
(CONNECT_DATA=(SERVICE_NAME=avdb))) \
)

For references and additional examples, see the Oracle Database JDBC Developer's Guide and Database Net Services Reference on the Oracle website.
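One way to check that a configured REMOTE_ORACLE_JDBC_URL matches the data source connection URL, as the note above requires, even when one is written on a single line and the other with backslash continuations. This is an added example, not part of the product: the function names are assumptions, the cfg fragment is constructed from the page's own examples, and the parser assumes values contain no whitespace or quoting.

```python
JDBC_PREFIX = "jdbc:oracle:thin:"

# Constructed Aveksa_system.cfg fragment built from the multiple-line example.
SAMPLE_CFG = r"""
# constructed fragment
REMOTE_ORACLE_JDBC_URL=jdbc:oracle:thin:@(DESCRIPTION_LIST=(LOAD_BALANCE=off) (FAILOVER=on) \
 (DESCRIPTION= \
 (CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3) \
 (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node1)(PORT=1555))) \
 (CONNECT_DATA=(SERVICE_NAME=avdb))) \
 (DESCRIPTION= \
 (CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3) \
 (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node2)(PORT=1555))) \
 (CONNECT_DATA=(SERVICE_NAME=avdb))) \
 )
"""

# The matching single-line form, standing in for the data source's connection URL.
DATASOURCE_URL = (
    "jdbc:oracle:thin:@(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)"
    "(DESCRIPTION=(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3)"
    "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node1)(PORT=1555)))"
    "(CONNECT_DATA=(SERVICE_NAME=avdb)))"
    "(DESCRIPTION=(CONNECT_TIMEOUT=10)(TRANSPORT_CONNECT_TIMEOUT=3)(RETRY_COUNT=3)"
    "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=node2)(PORT=1555)))"
    "(CONNECT_DATA=(SERVICE_NAME=avdb))))"
)


def read_property(cfg_text, key):
    """Return the value of key, joining lines that end in a backslash."""
    entries, buf = [], ""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip()
            continue
        entries.append(buf + line)
        buf = ""
    if buf:
        entries.append(buf)
    for entry in entries:
        name, sep, value = entry.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None


def parse_descriptor(url):
    """Parse the (KEY=value) descriptor after '@' into nested (KEY, value) tuples."""
    prefix, sep, desc = url.partition("@")
    if not sep or prefix.strip() != JDBC_PREFIX:
        raise ValueError("not a jdbc:oracle:thin:@ URL")
    text = "".join(desc.split())  # whitespace between tokens is not significant
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        eq = text.index("=", pos)  # raises ValueError when '=' is missing
        key = text[pos + 1:eq].upper()
        if not key or "(" in key or ")" in key:
            raise ValueError(f"bad key at offset {pos}")
        pos = eq + 1
        if pos < len(text) and text[pos] == "(":
            value = []
            while pos < len(text) and text[pos] == "(":
                value.append(node())
        else:
            end = text.index(")", pos)
            value, pos = text[pos:end], end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced parentheses")
        pos += 1
        return (key, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing text after descriptor")
    return tree


def endpoints(tree):
    """List (host, port) for every ADDRESS entry, in failover order."""
    key, value = tree
    if not isinstance(value, list):
        return []
    if key == "ADDRESS":
        fields = {k: v for k, v in value if isinstance(v, str)}
        return [(fields.get("HOST", "").lower(), fields.get("PORT"))]
    return [pair for child in value for pair in endpoints(child)]


def same_target(url_a, url_b):
    """True when both URLs parse to the same descriptor tree."""
    return parse_descriptor(url_a) == parse_descriptor(url_b)
```
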

User Interface

ACM-94283

Added the columns Business Use, Functional Ownership, Locality, and Sensitivity in the Application, Directory, Data Resource Sets, Rule Sets, and Role Sets summary tables. Grouping is disabled on these columns.

User Interface

ACM-96671

The "one of" operator now takes the Ignore Case option into account when filtering tables.

User Interface

ACM-53828

The table options now list custom attributes of the specific object type in the pop-up account details where the Entitlement table is displayed.

 

Fixed Issues

 

Fixed Issues in 7.1.1 Patch 2

 

7.1.1 Patch 1

 

What's New

 

The following table lists the improvements and new features in 7.1.1 Patch 1.

 

Feature

What’s New

Aveksa Statistics Report

The Aveksa Statistics Report (ASR) has the following new columns for the Unified Users section:

  • terminatedUser.count — The total number of terminated users.
  • deletedUsers.total — The total number of deleted users.
  • user.total — The total number of users.

Role Management

Improved performance on the Role Members tab, by improving the rendering of the Member table and the overall performance when adding or removing users.

 

Functional Changes

 

The following table lists the functional changes in 7.1.1 Patch 1.

 

Issue

Description

Access Certification

ACM-93895

If a reviewer attempts to save or sign off changes while their earlier changes are processing, the user interface now displays a warning message that indicates that the review has another save or sign off in progress, and that the user can submit the changes after the previous changes have completed.

Access Certification

ACM-61543

In the review definition, the "include sub-groups" label has been changed to "include sub-groups from selected groups".

Access Requests

ACM-92751
ACM-93823

The default out-of-office functionality will now process Global Common Submission Questions to complete a request submission.

Account Management

ACM-85881

Change request approval and fulfillment processing has been enhanced to enforce uniqueness of account names with regard to both active and deleted accounts. Because all active accounts within a business source must have unique names, but deleted accounts within the same business source are not limited to unique names, these changes prevent a reactivated or pending account from having the same name as another active account. The behavior is as follows:

  • During Pending account creation, the system checks the account name for uniqueness within the business source in the following order:
    • If the name is already in use by an active account within the business source, the change request creation action does not proceed until the name is changed.
    • If the name is used by one of the deleted accounts within the business source, the most recently deleted account with that name is reactivated into a pending account and the change request preserves its history.
    • If the name is not used by any active or deleted accounts within the business source, a change request is created with that account name.
  • During the fulfillment phase, if a pending account is renamed, the system performs the following checks:
    • If the name is already in use by an active account in the same business source, the fulfillment does not proceed and the following exception occurs in the aveksaServer.log log file: “java.lang.IllegalArgumentException: Could not rename the Account due to a conflict.”
    • If the new name for this pending account (Account A) is used by a deleted account within the business source, the most recently deleted account with that name (Account B) is converted into a pending account. The old account (Account A) is replaced by the reactivated pending account (Account B) in the change request. The change request item (Account B) waits for verification and the old pending account for Account A reverts to its previous state by being removed from the system or reverted into a deleted account.
    • If the new name is not used by any active or deleted account within the business source, a new pending account with the new name is created and placed into the change request instead of the previous name, and the old account is either removed or reverted into a deleted account if it had been converted into a pending account.
  • When a pending account is waiting for verification, the first account collector to collect it takes control of the account and marks it as verified.

Change Requests and Workflows

ACM-95063

If a workflow form is not successfully deleted, the user interface displays an error.

Change Requests and Workflows

ACM-95214

The conditional transition selection now saves properly through the drop-down selection button.

Custom Attributes

ACM-88462

The accounts table now lists all custom user attributes.

Metadata Import/Export

ACM-92269

The application metadata now exports information about mapped connectors. When the metadata is imported, if the specified connector is available, the application is mapped to the connector.

Reports

ACM-81849
ACM-94270

The following changes were made to how RSA Identity Governance and Lifecycle handles report file names:

  • If invalid characters are detected in the report file name, the detected characters are replaced with an underscore.
  • Consecutive strings of invalid characters are replaced with a single underscore.
  • The user interface allows characters not valid for the file name.
    • Invalid characters for Windows filenames are (separated by commas): ",\,/,:,*,?,<,>,|," "
    • Invalid characters for Unix filenames are (separated by commas): ",\,[,],{,},(,),',+,-,=,!,@,#,$,%,^,&,;,” "

Reports

ACM-90513

The new public view PV_REQUEST_ITEM_COMP_DTLS has been added to the product. For more information, see the RSA Identity Governance and Lifecycle Public Database Schema Reference.

Security

ACM-94695

Only users with edit privileges can view the debug properties and configuration for REST and SOAP Web Service nodes.

Security

ACM-92568

The authentication model for web services has been updated to first perform IP validation, if configured, and then perform token validation. Token validation is not performed for commands that do not require token validation, such as the login, loginInstructions, and getLogo commands, but IP validation is still performed if allowed IP addresses are specified.
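The order of checks described above can be sketched as follows. This is an added illustration, not RSA's code: the function names, the reason strings, the sample networks and tokens, and the reading that an empty allow list means "IP validation not configured" are all assumptions.

```python
import hmac
import ipaddress

# Commands the release note lists as not requiring token validation.
TOKEN_EXEMPT_COMMANDS = {"login", "loginInstructions", "getLogo"}

# Constructed sample configuration (not values from the product).
ALLOWED_NETWORKS = ["10.0.0.0/8", "192.0.2.10/32"]
ACTIVE_TOKENS = {"tok-constructed-1"}


def ip_allowed(client_ip, allowed_networks):
    """True if client_ip is inside any configured network.

    An empty list means IP validation is not configured (assumption).
    """
    if not allowed_networks:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable source address fails closed
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in allowed_networks)


def token_valid(token, active_tokens):
    """Compare the presented token to each active token with compare_digest."""
    if not token:
        return False
    candidate = token.encode()
    return any(hmac.compare_digest(candidate, t.encode()) for t in active_tokens)


def authorize(command, client_ip, token,
              allowed_networks=ALLOWED_NETWORKS, active_tokens=ACTIVE_TOKENS):
    """Return (allowed, reason), checking the IP first and the token second."""
    if not ip_allowed(client_ip, allowed_networks):
        return False, "ip_rejected"
    if command in TOKEN_EXEMPT_COMMANDS:
        return True, "token_not_required"
    if not token_valid(token, active_tokens):
        return False, "token_rejected"
    return True, "token_valid"


if __name__ == "__main__":
    # Constructed requests: (command, source IP, token)
    for cmd, ip, tok in [("getLogo", "203.0.113.9", None),
                         ("login", "10.1.2.3", None),
                         ("performWorkItem", "10.1.2.3", "stale"),
                         ("performWorkItem", "10.1.2.3", "tok-constructed-1")]:
        print(cmd, ip, authorize(cmd, ip, tok))
```

The first constructed request shows the point of the change: a token-exempt command such as getLogo is still refused when it arrives from outside the allowed addresses.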

User Interface

ACM-92551

To improve performance, a user interface table no longer calculates the number of items in a change request for each listed task.

User Interface

ACM-53828

The table options now list custom attributes of the specific object type in the pop-up account details where the Entitlement table is displayed.

User Interface

ACM-81142

Under Reviews > Activities, the Actions menu automatically scrolls so that all options are visible.

 

Fixed Issues

 

Fixed Issues in 7.1.1 Patch 1

 

7.1.1

 

What's New

 

The following tables list the improvements and features in 7.1.1.

 

Feature Highlights

 

Feature

What’s New

Updated SOD Rules

Updated Segregation-of-Duty (SOD) rules and policy language, which includes additional analysis and detection capabilities to identify complex cross-application violations and reduce potential false positives.

For information about the new SOD rules functionality, see "Using a Correlation Specification with a Segregation of Duties Rule" in the Online Help.

New Violation Remediation Experience

SOD and user access violations can now be remediated using violation remediation reviews, which allow users to review violations and perform remediation actions directly through the reviewer user interface.

The violation remediation reviewer experience uses the same user interface as the new user access reviewer experience, which provides advanced features such as Analysis and Guidance, a review progress monitor, advanced filtering, and the ability to manage multiple violations at the same time.

This feature uses both an SOD or User Access Rule definition and a User Access Violation Remediation Review definition and seamlessly manages their association within the system. For more information, see "About the Violation Remediation Review Experience" in the Online Help.

Display Views for User Access Reviews

Configurable display views are available in the new reviewer experience.

User Access Reviews

During user access review analysis, any review items with a pending revoke operation in progress are automatically marked with a revoke status.

Log Artifact Collection

Added automated log artifact collection and bundling capabilities to collect and send logs for support cases.

This feature is available by going to Admin > Diagnostics and clicking the Log Artifact tab. For more information, see "Collect Logs to Review Artifacts" in the Online Help.

Diagnostics and System Data

System usage data, diagnostics, and heuristics information is collected and available through newly provided reports and through a downloadable JSON file for offline analysis and troubleshooting.

You can configure this feature by going to Admin > Diagnostics and clicking the Diagnostics and System Data tab. For more information, see "Diagnostics and System Data" in the Online Help.

Web Services

The following changes have been made to Web Services:

  • A new series of web services are available for taking action on both approval and activity work items: performWorkItem, getWorkItemsForUser, and getWorkItemDetails.
  • The performApproval and performWorkItem web service commands allow any valid string as an action, which is validated against all supported transitions for the work item.
  • The getApprovalDetails and getWorkItemDetails web service commands now return the supported actions for the web service.

 

Additional Features and Improvements

 

Feature

What’s New

Access Certification

The following changes have been made for Access Certification:

  • User reviews now leverage business calendars to determine when the completion due date is calculated and displayed.
  • The confirmation dialog for enabling or disabling an email template is now presented in a pop-up.
  • When a Maintain with Expiration action is performed on a review item, the expiration date details are now included in the Comments and History section.

Access Requests

A password reset for a user can be done by that user, an administrator, a user having the Reset Password entitlement, or the business owner or technical owner of the business source.

AFX

The AFX connector has improved performance when mapping unused variables in large environments.

Change Requests and Workflow

The following changes have been made in Change Requests and Workflow:

  • The number of work items retained in the workflow history is now limited to reduce the amount of data loaded.
  • The protocol for the URL specified in workpoint-client properties is now a variable and can be configured along with the URL and port.

Connectors

Introduced IBM Security Identity Manager 6.0 connector template for provisioning requests on ISIM.

Custom Attributes

The following changes have been made for custom attributes:

  • Custom attributes now have a reference name column, which stores an attribute name that is unique across all attributes of the same type. The reference name cannot contain spaces, and any spaces detected are converted into underscores. In a new custom attribute, the reference name is automatically populated with the Attribute Name in which the spaces are replaced by underscores. This value is available for mapping in both Account Templates and AFX Connector Capabilities. This value is stored in the T_AV_CUSTOM_ATTRIBUTES table.
  • When upgrading or patching from a previous version, the Attribute Name values for a custom attribute are migrated. The Reference Name column is populated with the values of the Attribute Name with spaces replaced by underscores.
  • The Reference Name can only be modified during the creation of a new custom attribute.

Database Management

New custom attributes for strings and user data are available for resource objects:

  • CAS11 and CAS12 (varchar2), limit 4000
  • CAS13 to CAS25 (varchar2), limit 256
  • cau1 to cau5 (int)
  • cau1_name to cau5_name (varchar2), limit 512

For more information, see "Creating and Managing Attributes for RSA Identity Governance and Lifecycle" in the Administrator's Guide and the online Help.

Request Forms

The following changes have been made for request forms:

  • The Entitlement Table, Entitlement Table with Action, and Entitlement Table (non-visual) request form controls can now filter entitlements by entitlement types: entitlements, groups, roles, and application roles. This allows a finer scope and improved performance for the request form controls when only specific entitlement types are needed.
  • The way in which request forms for applications prompt for account information from end users has been improved. Users with only one account are not prompted to select an account. Users with multiple accounts are prompted to select an account as the first step, before the rest of the form is displayed. All aspects of the displayed application request form take the selected account into consideration, eliminating the need to select an account after selecting entitlements.

Server Core

aveksaServerInfo.log now includes the node name and environment name of the system, to assist with identifying the system from which the log originates.

User Interface

  • New introductory text on the user interface clarifies how custom security contexts are implemented by RSA Identity Governance and Lifecycle.
  • Prominent warnings are now displayed if the reserved Custom Tasks capability is enabled.

 

Deprecated Items

 

The following table lists the items deprecated in 7.1.1.

 

Feature

Description

Password Management

32-bit installation of the AD Password Capture tool has been deprecated.

Server Core

As of RSA Identity Governance and Lifecycle V7.1.1, OpenJDK 1.7 is no longer supported.

User Interface

Hardware appliance operations, such as edit, restart, reboot, and shutdown, can no longer be performed through the RSA Identity Governance and Lifecycle user interface. To perform these operations, use OS access level commands.

User Interface

RSA Identity Governance and Lifecycle no longer supports Internet Explorer version 10, due to the use of new technologies that rely on modern browsers. For a complete list of supported browsers, see the RSA Identity Governance and Lifecycle Platform Datasheet and Support Matrix.

 

Functional Changes

 

The following table lists the functional changes in 7.1.1.

 

Issue

Description

Access Certification

ACM-88680

The "Save Tab in Table" option has been removed from table pop-ups.

Access Certification

ACM-87169

The new reviewer interface no longer includes access for terminated users as a low-risk category.

Access Certification

ACM-88254

The user interface displays an “in-progress” indicator when general category bulk maintain actions are in progress.

Access Requests

ACM-79721

Revocation change requests generated by account change requests will maintain the account property type.

Access Certification

ACM-88929

Export operations are now limited to 5,000 records at a time.

Admin Errors

ACM-92855

The Admin Error type "Account Load Data" can now contextually appear in the properties of a Create Admin Error workflow node.

Change Requests and Workflows

ACM-71049

The default AFX Manual Fulfillment subprocess workflow now includes a job state node to cancel change items when cancelling fulfillment.

Change Requests and Workflows

ACM-80901

The number of work items retained in the workflow history is now limited to reduce the amount of data loaded.

Change Requests and Workflows

ACM-88211

Workflows cannot be selected across different types of modules and are only selectable for the appropriate module type.

Change Requests and Workflows

ACM-88351

The Show Job Level Variables setting in request workflows will not overwrite the same setting in approval and fulfillment workflows.

Change Requests and Workflows

ACM-88384

A workflow must be removed from configuration (phase nodes, subprocesses, and escalations) before it can be deleted.

Change Requests and Workflows

ACM-89649

The Business justification character limit has increased to 4000 while editing exceptional access.

Change Requests and Workflows

ACM-89833

The fulfillment workflow now uses the correct query to group fulfillments by business source.

Change Requests and Workflows

ACM-89860

WorkItemURL selection is now available for manual nodes.

Change Requests and Workflows

ACM-90476

A custom task must be removed from the schedule before it can be deleted.

Change Requests and Workflows

ACM-93462

The "Assign to" list no longer appears as available options for Resource Selection.

Collector

ACM-75432

The attribute "lastlogontimestamp", always collected as a date-type value, can be stored in a custom attribute as either a string-type integer value or a date-type value. A string-type integer value is automatically converted to the date-type value formatted as “yyyy-MM-dd HH:mm:ss”.

Data Collection Processing and Management

ACM-74626

The Application Metadata Collector will only update application business source objects.

Data Collection Processing and Management

ACM-81403

If an agent cannot resolve the Member Type from the Account Data Collector’s source system for a group’s member, it assigns "unknown" to the Member Type column in the raw data instead of guessing the correct member type.
When Member Type is “unknown", the collector’s database processing still attempts to resolve the member type. If successful, it assigns a member type in the new "Resolved Member Type" column in the raw data.
If Member Type is "unknown" and the member type cannot be resolved by the account collector, then Resolved Member Type is left blank and the collected membership is rejected.

Data Collection Processing and Management

ACM-90663

The date range of historical configuration information has been reduced in areas such as collector changes.

Data Collection Processing and Management

ACM-91761

The Last Reviewed Date OOTB attribute has been removed from the collector wizards.

Installer

ACM-87123

Applying a patch overwrites the configuration files for plugins except for the ITIM2FulfillmentHandler, NovellIMListener, and SunFulfillmentHandler plugins, which are copied from the customer's system instead. The patch application process backs up the original plug-in configuration files in the folder <location of the patch>/backup/<timestamp>/plug-ins/ so that you can restore them if needed.

Provisioning

ACM-88777

The Workflow ValidReplyAnswers macro now populates and lists URLs in a consistent order.

Reports

ACM-81849
ACM-94270

The following changes were made to how RSA Identity Governance and Lifecycle handles report file names:

  • If invalid characters are detected in the report file name, the detected characters are replaced with an underscore.
  • Strings of invalid characters are replaced with a single underscore.
  • The user interface allows characters not valid for the file name.
    • Invalid characters for Windows filenames are: " \ / : * ? < > | "
    • Invalid characters for Unix filenames are: " \ [ ] { } ( ) ' + - = ! @ # $ % ^ & ; ”

Request Forms

ACM-64863

The Request Forms wizard disables the Next button until all form elements on a page are loaded.

Request Forms

ACM-70736

User filters containing avform.user variables are not replaced with substitute values in the Compare Users field of the Provisioning form.

Request Forms

ACM-77882

Drop-down, Multi-select, and Number fields can be populated by avform attribute selectors used as the default value.

Request Forms

ACM-83637

The JavaScript block form control no longer allows Display conditions. The Display tab for this form control displays a message for the restriction.

When Enable conditions are set, the JavaScript block entered is executed only when the conditions are satisfied.

If there are no conditions set, then the JavaScript block is executed whenever the form runs.

Request Forms

ACM-88604

Multiple account resolution can be configured on a request form to prompt for every change or per business source.

Role Management

ACM-75430

The Role Import process warns that collected roles, if imported, will be converted into local roles.

Role Management

ACM-87106

The Out of Constraint Users list in the Analytics tab has changed to use the same format as the Users list in the Users tab.

Role Management

ACM-74637

The "Role Missing Entitlement Rule" email notification now adds group entitlements collected from the ADC.

Rules

ACM-90043

An "Associate Remediation Job" button has been added to the Rule Details page for remediation actions. When clicked, remediation workflow jobs are created for identified and unassociated violations. This button is not enabled by default, but can be enabled by the "ViolationRemediationReProcess" feature flag.

Rules

ACM-95300

Rules are now processed one at a time to avoid a system error. The monitoring page relays this new process as follows:

Currently Processing Rule (X out of Y)
Steps 1-3

Security

ACM-73739

Enhanced security for page access in RSA Identity Governance and Lifecycle.

Server Core

ACM-92902

The JRE has been upgraded to Java 8.

By default, Java 8 enforces endpoint identification on LDAPS connections to improve the robustness of the connections. After upgrading, Active Directory collectors that use SSL that were previously able to connect might be unable to connect. View the aveksaServer.log for details about connection failures. If this occurs, ensure that the certificate of the host configured in the collector settings has the correct subject alternative name attributes available that match the hostname.
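To check in advance whether the host configured in a collector matches a certificate's subject alternative names, the comparison can be run offline, as in this added example (not RSA's or the JRE's code). It assumes the certificate is given in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, uses constructed certificates and host names, and looks only at SAN entries, as the note advises, so a certificate with no SAN is flagged.

```python
import ipaddress

# Constructed certificates in the dict shape of ssl.SSLSocket.getpeercert().
DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"),
                       ("DNS", "*.ad.corp.example")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "dc01.corp.example"),),)}


def dns_name_matches(pattern, host):
    """Case-insensitive match; '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def check_collector_host(configured_host, cert):
    """Return (ok, reason) for the host name or IP set in the collector."""
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(configured_host)
    except ValueError:
        wanted_ip = None

    # A collector configured with an IP address needs an iPAddress SAN.
    if wanted_ip is not None:
        ips = [value for kind, value in sans if kind == "IP Address"]
        if any(ipaddress.ip_address(v) == wanted_ip for v in ips):
            return True, "ip_san_match"
        return False, "no_matching_ip_san"

    # A collector configured with a host name needs a matching dNSName SAN.
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:
        return False, "no_dns_san"
    if any(dns_name_matches(n, configured_host) for n in names):
        return True, "dns_san_match"
    return False, "dns_san_mismatch"


if __name__ == "__main__":
    for host in ("dc01.corp.example", "dc01", "10.0.0.5",
                 "dc02.ad.corp.example"):
        print(host, check_collector_host(host, DC_CERT))
    print("CN only:", check_collector_host("dc01.corp.example", CN_ONLY_CERT))
```

The short-name and IP-address cases are the ones to look for in collector settings after the upgrade: both fail here because the constructed certificate only carries fully qualified dNSName entries.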

User Interface

ACM-81449

The Other type for owners is now usable in simple and advanced views.

Web Services

ACM-92041

Validation for webservice calls to add or remove accounts from a group can be requested using the collector or the business source, but not both.

 

Fixed Issues

 

Fixed Issues in 7.1.1

 
