The following issues were fixed in RSA Identity Governance and Lifecycle version 7.2.
Access Certification
| Issue | Description |
|---|---|
| ACM-96153 SF-1332517 | After the scheduled run time for a review was changed, the task was duplicated in the memory and the review was run multiple times. |
| SF-1322438 ACM-95464 | Review escalations scheduled to run before or after the review due date were not triggered when either the escalation was scheduled after the review due date had passed or when the application was down during the due date. |
| SF-1261298 ACM-94057 | When a role containing app-roles was deleted in a role review, change items to remove the app-roles were not generated. |
| SF-1274991 ACM-92885 | The user interface took a long time to load certain tabs in reviews that had large data sets. |
| SF-1215357 ACM-89832 | Users were able to schedule reviews and collectors using a past date. |
| SF-1325510 ACM-95533 | Multi-step review generation failed when secondary step definitions enabled the user selection option "By selecting supervisors and using their subordinate users.” |
| SF-1292722 ACM-94322 | A review with a value for SIGN_OFF_ENABLED other than Y or N caused a server startup failure. |
| SF-968449 ACM-76811 | In a review definition that already had a coverage file that determined the monitors, if the definition was edited to deselect the coverage file option, the earlier coverage file was still saved with the review definition despite being displayed as unselected in the user interface. |
| SF-1284174 ACM-95654 | An SQL error occurred when changing a review state to complete. |
| SF-1382502 ACM-98334 | The reassign action in the review user interface took longer than expected. |
| SF-1255036 ACM-91744 | Review analysis failed with the ORA-01706 error. |
| SF-1400318 ACM-99052 | The review monitor/owner interface loaded slowly, even when no table data was displayed. |
| ACM-99046 | Clarification was required on the review definition user interface to indicate that user selection is not used for rule actions. |
| SF-1415644 ACM-99914 | Escalation workflows erroneously allowed the assignment of reviews to deleted supervisors. |
| SF-1395553 ACM-98860 | In an environment using AFX, when deleting review results that had the "Delete pending change requests" option selected, the "ORA-02292: integrity constraint violated" error occurred. |
| SF-1284145 ACM-93466 | Group review definitions erroneously displayed the Include Users option. |
| SF-1315720 ACM-95128 | A role review caused changes in the review state even when all review items were maintained. |
| SF-1397681 ACM-98952 | The By Monitor tab for group and role reviews showed incorrect display names. |
| SF-1373306 ACM-98532 | Account Review Change Preview tab did not download content when exporting the table. |
| SF-1454043 ACM-101533 | Completed Review Escalation Tasks and RefreshReview tasks were erroneously listed in the schedule information under Admin > Monitoring > Schedule Information. |
| SF-1451847 ACM-101388 | Coverage files were erroneously not applied to review items associated with deleted objects. |
| SF-1385200 ACM-98887 | Inefficient SQL statements were called with every move through the tabs of the Role screen. |
| SF-1355180 ACM-98148 | The EmailByMonitor message type did not consider the configured columns in the review. Instead, it had only considered the hard-coded columns. |
| SF-1372625 ACM-97914 | When performing review analysis, the ORA-30926 error could be generated when calculating unchanged review items because of the incorrect join that compared old review items to items in the current review. |
| SF-1383316 ACM-98384 | Account reviews that filtered accounts and groups could experience poor performance during review generation. |
| SF-1485254 ACM-102392 | A blocking session could occur as a result of the ORA-30926 error in the RULE_FUNCTIONS package in certain circumstances when a reviewer approved exceptional access for a user. |
| SF-1432487 ACM-100615 | Custom Attribute placeholders were not properly allocated and propagated for Review components and Rule Violations. |
| SF-1478947 ACM-102238 | In user access violation reviews, comments were always required for the revoke state even when the "Comments are required" option was not selected in the review definition. |
| SF-1469419 ACM-101995 | Delegation from the user interface created duplicate coverage entries resulting in reviewers seeing the same review item twice. |
| SF-1481931 ACM-102302 | Violations for terminated or deleted users were erroneously unassigned in the User Access Violation Review. |
| SF-1379553 ACM-98675 | Filtering on the Account User column in account reviews threw an IndexOutOfBound error when the accounts in review had changed from one of orphaned, single user, or shared to another during collections that occurred after the review is generated. |
| SF-1443568 ACM-93656 | A role review could not be completed if the role had a parent, due to review generation incorrectly adding the parent role as a sub role. |
| SF-1474519 ACM-102154 | When exceptional access granted from a violation review expired while the same review was still active, the violating entitlements were no longer excepted, and the remediator was unable to re-grant exceptional access. |
| SF-1196476 ACM-88715 | The new reviewer interface has been optimized to perform better in Internet Explorer 11. Previous browser memory issues experienced when selecting multiple reviews has been resolved. |
| SF-1359181 ACM-97300 | Duplicate role memberships caused the following error when running a user access review: "ORA-20126: The creation of reviews failed. Stored Procedure:Parse_Roles_In_User_Review execution aborted. ORA-01427: single-row subquery returns more than one row". |
Access Requests
| Issue | Description |
|---|---|
| SF-1286545 ACM-93599 | A "Remove account to group" change request from a webservice did not set the affected users in the request information. |
| SF-1299740 ACM-94324 | Change requests to remove a user from a group that were generated by a Group review did not complete if the fulfillment workflow was configured to “Create a Job per group.” |
| SF-1264368 ACM-93112 | Optimized statements for Change Requests involved with determining missing or extra indirect entitlements. |
| SF-964505 ACM-74785 | When a user is granted the same entitlement through both a role and an account and the account is deleted from the user, an error occurs when the role is later deleted from the user. |
| SF-1316456 ACM-96218 | Pre-processing for unauthorized change detection failed with the ORA-06402: PL/SQL: numeric or value error. |
| SF-1343435 ACM-96760 | Subject of email incorrectly contained HTML markup. |
| SF-1324409 ACM-97577 | When users clicked a link to a change request in an email, after logging in, they were redirected to the home page instead of the change request. |
| SF-1323250 ACM-97156 | The Revert Completed Changes option was missing from the cancellation pop-up when canceling a change request, even though completed items existed. |
| SF-1396177 ACM-98900 | When multiple sessions changed role-related items, such as users or entitlements, deadlocks could occur when refreshing role metrics, which interrupted processing. |
| SF-1374516 ACM-98212 | A change request in the Pending Submission state could not be canceled from the user interface when 'Allow Cancel in Fulfillment Phase' was set to false in the workflow. |
| SF-1332855 ACM-98331 | AFX incorrectly indicated a failure after removing entitlements from deleted accounts in SAP. |
| SF-1341142 ACM-96663 | Passwords and encrypted fields with a value starting with the characters "ENC" failed with the following error: "java.lang.IllegalStateException: An issue with handling encryption was encountered". |
|
ACM-89679 | If a user closed the browser or navigated away from the page using any function other than the cancel or back buttons, entries for pending accounts were left in T_AV_ACCOUNTS. |
| SF-1162529 ACM-87884 | The request button type Add/Remove Using Request Sources did not have an option for including terminated users. |
| SF-1277795 ACM-95117 | Local entitlements were not provisioned to the user when given through an account or when the directory for accounts was set in an application. |
| SF-1211444 ACM-89746 | The Workflow Architect failed to load when using SSO because the double slash // in the URL caused issues with some web agents. |
| SF-1398246 ACM-98991 | Refreshing any review data other than business descriptions resulted in coverage information automatically refreshing, even when the option to refresh coverage was not selected. |
| SF-1259341 ACM-95270 | Under Request > Activities > By Entitlement and Approvals > By Entitlement, table columns either were not properly displayed or displayed incorrect data from other attributes. |
| SF-1499545 ACM-102679 | When multiple roles exist with the same raw name due to deleted roles, creating a change request for that role failed because the system selected a deleted role entry instead of the active entry. |
| SF-1423357 ACM-100749 | In a change request, the role name is displayed inconsistently, at times using the role raw name. |
| SF-1490087 ACM-102516 | Some Role Names were unexpectedly changed to Role Raw Names without a change request. |
ACM Security Model
| Issue | Description |
|---|---|
| SF-1224247 ACM-90477 | Account information on the MAEDC wizard was not displayed as expected to users authorized to edit or administer the MAEDC. |
Account Management
| Issue | Description |
|---|---|
| SF-1302083 ACM-94348 | When saving the data from an application accounts table as a CSV file, the column name "Is Deleted" was displayed in the CSV output along with HTML code for an unneeded special character. |
| SF-1373606 ACM-99457 | Duplicate accounts were created when a pending account was created with the same name but different capitalization as another account in a case-insensitive ADC. The next time the accounts were collected for the case-insensitive ADC, the pending account’s name is updated to match the capitalization, which caused duplicate accounts in the system. The system will now take an ADC's case-sensitivity into consideration and result in an error when necessary. |
| SF-1301058 ACM-94501 | When generating a request, if a resolved pending account name already existed but was deleted, the reactivated account was not updated for all of the change items that depend on the pending account. |
| SF-1354678 ACM-97131 | Account creation change requests could fail when the account parameter was mapped with attributes of more than one type, because the code failed to group them based on the type. |
Admin Errors
| Issue | Description |
|---|---|
| SF-1265089 ACM-92855 | The Account Load Data error was not listed for available types in the properties of a Create Admin Error workflow node. |
AFX
| Issue | Description |
|---|---|
| SF-1297770 ACM-94271 | When the database suddenly went down or was unable to connect to AFX, AFX stopped running until the AFX service was restarted. |
| SF-1169677 ACM-87391 | In a clustered environment, afx start incorrectly checked for the application running in standalone mode. |
| SF-1240999 ACM-91585 | Improved error messages with regards to connector configuration. |
| SF-1033350 ACM-87007 | AFX requests were getting stuck after upgrading to 7.x.x with the error "Error handling AFX primary request java.lang.NullPointerException", due to the schema change. |
| SF-1368720 ACM-98673 | A provisioning command node stalled the workflow if the AFX request was in an invalid state. |
| SF-1363199 ACM-97530 | Unable to update the implementation JAR in a Java code based connector after migrating from 6.9.1 to 7.1.0 due to a due to a JAR-type mismatch. |
| SF-1381197 ACM-98389 | The AFX RESTful web service failed to process responses when the response body was empty. |
| SF-1300643 ACM-94655 | On a request form, when a form field was mapped to a provisioning parameter that contained encrypted values, the form did not properly substitute the correct value when generating the request. |
| SF-1304327 ACM-94413 | Hardened communication between AFX server and ActiveMQ JMX interface. |
| SF-873061 ACM-53444 | AFX logs reported that headers were not being used in JMS Message-compliant way. |
| SF-1416609 ACM-100119 | Parameters in provisioning with a value starting with the characters “ENC” failed with the following error: "java.lang.IllegalStateException: An issue with handling encryption was encountered". |
| SF-1191999 ACM-93039 | Output parameters were not resolved when DN suffix mapping was used for account creation. |
| SF-1341660 ACM-96646 | The ISIM 6.0 connector timed out when testing the connector, and Test Connector Capabilities indicated a "class not found" error. |
| SF-1436291 ACM-101311 | Removed unnecessary directories from AFX that contained demo and example files. |
| SF-1311774 ACM-94925 | Standalone AFX installation failed to start because of the missing file /etc/aveksa.conf. Because this file is only required when AFX is installed in a WildFly application server, this requirement has been removed. |
| SF-1110258 ACM-87246 | If the database goes down and causes AFX to require a restart, the logs do not display the correct reason for the AFX going down. |
Attribute Synchronization
| Issue | Description |
|---|---|
| SF-944325 ACM-74170 | Attribute synchronization change requests resulted in inconsistent updates in Active Directory. Now, when attribute synchronization requests are automatically fulfilled and missing mapped attributes for required command parameters, the system uses the last collected attribute values from the account. |
Authentication
| Issue | Description |
|---|---|
| SF-1309424 ACM-94936 | PV_AUDIT_EVENTS erroneously displayed logged users as AveksaAdmin instead of the user logged in through SSO. |
| SF-1329501 ACM-95778 | When multiple SSO User Headers authentication sources were configured, an authentication source was randomly picked without verifying the authentication source name during authentication. |
Change Requests and Workflows
| Issue | Description |
|---|---|
| SF-1266678 ACM-93462 | The "Assign to" list incorrectly showed as an option for Resource Selection. |
| SF-1277724 ACM-92992 | The REST Node POST request body mandated XML code that was not required. |
| SF-1281281 ACM-93288 | Changes to customerstrings.properties did not reflect in the change request milestone display. |
| SF-1275666 ACM-95849 | The workflow setting "Show job level variables" did not work as expected. |
| SF-1293434 ACM-95053 | In a fulfillment workflow, REST nodes did not display job variables as expected. |
| SF-1311025 ACM-94899 | A change request was canceled when an approver approved an indirect role that was deleted. |
| SF-1396080 ACM-99600 | In the Workflow Architect, the node editor displayed a role's raw name in the Resources panel of the node editor, but the Resource drop-down menu in the dialog displayed the role's alt name. |
| SF-1346399 ACM-98948 | Email-based rejection of approvals did not cancel all remaining tasks, resulting in inconsistent behavior compared to UI-based approval rejection. |
| SF-1416746 ACM-99841 | When changing the state of a change request item, the indirect items for that change request did not always have their states changed. |
| SF-1396244 ACM-98904 | When a change request workflow contained a decision that used the filter "Contains at least one violation", the change request did not go to the True transition when expected. |
| SF-1323017 ACM-95472 | In a change request with an approval phase that contained two approval activity notes configured to send an email to the approvers, an email was sent only to the first reviewer and not the second. |
| SF-1426513 ACM-100295 | In a workflow that is configured to group by business source, password resets skipped the workflow and the change request workflow completed with the item still in Pending Action status. |
| SF-1414918 ACM-99719 | Approval workflows randomly ran simultaneously in a change request. |
| SF-1405274 ACM-99718 | When entitlements were grouped by category, auto-approve did not work as expected. |
| SF-1320224 ACM-95340 | Unable to hide the attachments in change requests. |
| SF-1277646 ACM-93113 | Parallel Phase Nodes duplicated workflow and fulfillment jobs because of concurrency errors. |
| SF-1317500 ACM-95367 | After attempting to remove the Edit and Cancel buttons for change requests by deselecting options to Edit and Cancel within the request workflow, the buttons were still visible and actionable in certain circumstances. |
| SF-1322920 ACM-95537 | When change requests were split based on the Max Items settings, the generated requests did not have a set fulfillment date. |
| SF-1379276 ACM-98244 | After upgrading to 7.1.1, tables in email nodes in workflows were malformed. |
| SF-1366953 ACM-98397 | The error "RSA002: Invalid Configuration" was displayed during workflow runtime for a REST node, even though the node was successful. |
| SF-1372602 ACM-98859 | Reassign Escalation Workflow and Technical Approval nodes changed the watch Workflow ID to the escalation Workflow ID. |
| SF-1461377 ACM-101694 | An access request generated thousands of unrelated activities when a call to filter change request items for a subprocess returned an empty list. Now, if this occurs, an exception occurs and an error message is displayed for user interface operations. For operations that are not performed through the UI, the processing will go to the Error state. |
| SF-1445481 ACM-101508 | A pending change item with the type Container was erroneously displayed in the User Changes table. |
| SF-1436645 ACM-100872 | A user could submit a change request with a pending submission from the Additional Information submission screen. This fix disables the Finish and Next buttons in this use case. |
| SF-1429237 ACM-100448 | Admin > Workflow > Monitoring did not update the Pending Verification (Count) icon when the number of pending verification items changed. |
| SF-1211444 ACM-89746 | The Workflow Architect failed to load when using SSO because the double slash // in the URL caused issues with some web agents. |
| SF-1302839 ACM-96673 | Could not open workflows because the URL contained a double slash //. |
| SF-1344121 ACM-97053 | Variables were not populated in emails for account review change requests when revoking an account from a group. |
| SF-1391209 ACM-98951 | In the out-of-the-box Reassign to Supervisor node, the Comments field was missing from the Resource sections. |
| SF-1459859 ACM-101767 | Workflow emails removed hyperlinks upon saving if they contained variables. |
| SF-1220303 ACM-90557 | When workflow change grouping was set to "Create an individual job for each change", the list was limited to 100 change items on one page, rather than allowing for paging. |
| SF-1424622 ACM-102500 | Users who had previously been in a group but were no longer in the group were erroneously assigned activities and tasks. These users could see the tasks but not perform any action. |
| SF-1456201 ACM-101726 | Hyperlinks in the email template of a workflow node were not saved if the value contained a job-level variable. |
Collector
| Issue | Description |
|---|---|
| SF-1299910 ACM-94323 | The Salesforce ADC was missing attributes listed in the datasheet. |
| SF-1298037 ACM-94661 | The ServiceNow collector failed after certain plug-ins were activated. |
| SF-1131553 ACM-85344 | The Salesforce Entitlement Data Collector on versions 7.0.0 or 7.0.2 failed when collecting large data sets. |
| SF-1262200 ACM-92309 | The account data collector incorrectly processed the AD PwdLastSet attribute when the value was set to zero. |
| SF-1196283 ACM-90783 | Data on the account/entitlement collector page loaded more slowly than expected. |
| SF-1437194 ACM-101006 | An account collector had performance issues when searching for a cycle of groups in an environment with multiple ADCs when one ADC collected the majority of groups but the SQL explain plan was not appropriate for that collector. |
| SF-1453582 ACM-101456 | After modifying a collector, the Last Modified value was not updated. |
| SF-1348150 ACM-94653 | Updated the driver that does SQL processing of the CSV files involved in collections. This address bug fixes in the driver on earlier versions. |
| SF-1399784 ACM-99256 | Modified the Workday collector response group filter and attribute configuration to optimize response time. |
| SF-1437248 ACM-100836 | The Archer account data collector switched the values for email and phone numbers in collected data. |
| SF-1333739 ACM-95879 | An LDAP collector with an Active Directory endpoint was unable to collect group membership for groups with more than 1500 members. |
Connector
| Issue | Description |
|---|---|
| SF-1271097 ACM-92670 | AFX connectors were unable to handle role membership changes, and displayed an error that the command was not supported on the endpoint. |
| SF-1339473 ACM-96455 | The Configure Extensible Attributes fields for Workday did not handle the quote character properly. |
| SF-1388869 ACM-102065 | In the user interface, validation of XPath configuration using the Evaluate XPath button did not work properly, but is now fixed. |
| SF-1503298 ACM-102857 | Difficulty saving Active Directory connector after performing a migration. |
Custom Attributes
| Issue | Description |
|---|---|
| SF-1295911 ACM-94081 | After setting a specific user as a Backup Business Owner or Backup Technical Owner for any Directory, Application or Role set, when the user's name was changed through the IDC, the CAU1_NAME attribute was not updated and the application object showed an outdated name in details, tables, and pop-ups. |
| SF-1276994 ACM-94117 | After upgrading, custom attributes were missing from the PV_USER_ALL_ACCESS view. |
| SF-1276541 ACM-92962 | When editing an object on which a managed custom date attribute was previously set, the attribute field was blank. |
| SF-1414773 ACM-99715 | The field length of custom attributes did not match the field length in the base tables. |
Dashboard
| Issue | Description |
|---|---|
| SF-1156786 ACM-88676 | An object dashboard was not displayed in the order expected based on the specified Display Sequence value. |
| SF-769669 ACM-60805 | A dashboard using the component System Portlet: System Summary displayed incorrect values. |
| SF-1215915 ACM-89817 | Dashboard import and export created new dashboard topics instead of overriding previous topics. |
Data Collection Processing and Management
| Issue | Description |
|---|---|
| SF-1242815 ACM-91761 | The Last Reviewed Date OOTB attribute erroneously showed as an available collector mapping attribute in the UI. |
| SF-1333332 ACM-95877 | The “Is Terminated” attribute was not being displayed as collected for some unified users. |
| SF-1323406 ACM-95768 | Indirect relationship processing failed with the following error: "ORA-30926: unable to get a stable set of rows in the source tables." |
| SF-1409520 ACM-99595 | Optimized unification to reduce the use of TEMP tablespace. |
| SF-1393271 ACM-98822 | Unification cleanup for the User Mapping table took longer than expected due to the table containing excessive data. |
| SF-1423086 ACM-100161 | Unification failed with the “ORA-30926: unable to get a stable set of rows in the source tables” error when a IDC had join attributes change |
| SF-1176575 ACM-98306 | Identity collectors created duplicate entries for users after their accounts were terminated, reinstated, and then terminated again. |
| SF-1405466 ACM-99282 | Inactivating an IDC that creates users and moves a subset of users to another collector creating users could cause duplicates in the next Unification run. |
| SF-1469467 ACM-101996 | When a user record was terminated during an IDC full refresh, a duplicate identity record could be created during a user rehire scenario. |
| SF-1460577 ACM-102332 | Change Verification was not using an optimal Oracle execution plan for environments with many Accounts and Change Requests for new Accounts, and caused performance delays. |
| SF-1468789 ACM-102074 | Hyperlinks were removed from the comments section of a group collection. |
| SF-1447410 ACM-101223 | Role membership stopped working as expected when an IDC was disabled. |
| SF-1463297 ACM-102093 | After a role membership was removed from source data, the raw data reflected the change, but the user remained a member of the role. |
Database Management/Performance
| Issue | Description |
|---|---|
| SF-1280916 ACM-94602 | When running the data archiving function, the data archiving process completed as expected but the purging process fails due ORA errors. |
| SF-1380172 ACM-98282 | Reviewers performing a bulk revoke during a fine grain role review experienced performance issues. |
| SF-1353607 ACM-98233 | Users experienced performance issues with the email log page. |
| SF-839629 ACM-66800 | Source data tables had Oracle logging disabled, resulting in potential Oracle data file corruption. |
| SF-1403444 ACM-99867 | When database purging exceeded the threshold of four hours, the process did not exit and complete as expected. |
| SF-1445091 ACM-101159 | A database script (ACM-95711.sql) was not able to handle cases when Unicode characters appeared in strings, because the function "LENGTH" counts characters. |
| SF-1401651 ACM-99098 | The system performed slowly after upgrading and using Oracle 12.2. |
| SF-1291300 ACM-93837 | RSA Identity Governance and Lifecycle did not start during remote database switchover. |
| SF-1316146 ACM-95109 | Additional columns that were added to the Groups table were not exposed in all views. |
| SF-1350067 ACM-97048 | Data archiving runs failed. |
| SF-1367049 ACM-97770 | Migration from 7.0.x to 7.1.x failed with the following error: "ORA-01720: grant option does not exist for 'SYS.DUAL'" |
| SF-1367802 ACM-97881 | Users experienced performance issues with the overall user interface, workflows, and collections. |
| SF-1377550 ACM-98168 | Data purging failed due to the ORA-02292 error while deleting data from work point tables. |
| ACM-98488 | After creating 500 SoD rules using a correlation specification, rules processing exceeded 17 hours. |
| SF-1441958 ACM-100974 | During archive creation, the archive start date was calculated incorrectly resulting in the following error: "The archive Start and End dates can not be overlapping with the existing archives." |
| SF-1437637 ACM-100899 | After deleting archive runs from the monitoring page, the runs were deleted from the system and an error was displayed when trying to view the archive table. |
| SF-1292988 ACM-94898 | Performance problems could occur while accessing the raw data for a collection when there was a large amount of rejected data in the tab being accessed. |
| SF-1457793 ACM-102310 | After running the createSchema.sh script, initialization completed with errors. |
| SF-1405377 ACM-99347 | A Security Context's sub-query with embedded SQL hints was causing poor performance of another query. |
| SF-1338347 ACM-96730 | After upgrading, the default value of is_deleted in the T_MASTER_ENTERPRISE_USERS table was changed from 0 to null. |
| Issue | Description |
|---|---|
| SF-1293405 ACM-95236 | Special characters were not displayed properly in email subjects. |
Installer
| Issue | Description |
|---|---|
| SF-1235688 ACM-92268 | During virtual application installation, the following error could occur in environments with a customer-supplied database: “[Step 1 of 9] Error configuring certificates ('./configureSSLCertificates.sh')”. |
| SF-1099684 ACM-84154 | Installation of RSA Identity Governance and Lifecycle 7.1 for software bundles and hardware appliances with local databases failed because the installation script checked for packages that were not required. |
Metadata Import/Export
| Issue | Description |
|---|---|
| SF-1408780 ACM-99393 | All items on the metadata export screen were erroneously selected when browsing between pages. |
| SF-1395168 ACM-98888 | When a customer added a custom user-type attribute named Technical Owner, Business Owner, or Exception Manager, an ORA-00904 error occurred during the creation of public views. |
| SF-1355771 ACM-97215 | Deleted entitlements were referenced when importing a role definition. |
Migration
| Issue | Description |
|---|---|
| SF-1341401 ACM-96645 | Deprecated migrate_deleted_connectors code because it was failing during role migration. |
| SF-1373931 ACM-98050 | Database migration stalled with the ACM-76636_2.sql query processing for three days. |
| SF-1406053 ACM-101119 | Upgrading to a patch failed due to increased security restrictions on the "DUAL" table when it was used by Views. RSA Identity Governance and Lifecycle has now deprecated the use of this table in views. |
| SF-1342412 ACM-96551 | The migration script ACM-72719.sql failed with the ORA-19011 error. |
| SF-1419230 ACM-100075 | Migration from 6.9.1 failed due to locked statistics on some tables. |
Platform
| Issue | Description |
|---|---|
| SF-1019541 ACM-78253 | After running the HardenHTTPSProtocols.sh script in the /home/oracle/deploy directory, the following error occurred: “WARN: can’t find jboss-cli.xml. Using default configuration values.” |
| SF-1313737 ACM-95186 | The modifynetworksettings.sh script did not modify the /etc/hosts entry and instead added an additional line. |
| SF-1019541 ACM-78255 | The HardenHTTPSProtocols.sh script, which enabled TLS 1.2 protocols, did not successfully run. This script has been deprecated, because TLS 1.2 has been automatically enabled in RSA Identity Governance and Lifecycle since version 7.0.1. |
| SF-1313737 ACM-95191 | The modifyhostname.sh script attempted to run when the Oracle database was down, resulting in errors. It now only runs if the database is running. |
| SF-1216487 ACM-91090 | Sudo access as the aveksa or oracle user did not work after a fresh installation of RSA Identity Governance and Lifecycle. |
Provisioning
| Issue | Description |
|---|---|
| SF-1184940 ACM-88349 | An Oracle ORA-22835 “Buffer to small” error could occur while provisioning an account through AFX under high load. |
Reports
| Issue | Description |
|---|---|
| SF-1158510 ACM-88913 | The OOTB report using the template "Changes in User Global Roles by Date Range" could become stuck due to excessive query executions. |
| SF-1381866 ACM-98674 | System performance was affected by the report deletion process. |
| SF-1350816 ACM-98190 | The audit event name for REVIEW_DEFINITION had a typo. |
| SF-1347793 ACM-97050 | After specifying an equals filter for an application name, its alternate name was saved in the report XML while the underlying view contained the raw name. Because of this mismatch, the report did not generate results or load the filter properly when the report was reopened. This also occurred with other objects that had alternate names. The system now saves the raw name as expected to prevent this issue. |
| SF-1169924 ACM-87390 | Column display names in a report definition were not updated if the alias column name in the query was the same as the display header but with different capitalization. |
| SF-0688516 ACM-54534 | Old attributes in jrxml report definitions resulted in spam to the server logs. |
| SF-1334676 ACM-96179 | Reports that use styles did not retain the style when downloaded to an output file such as PDF or HTML. |
| SF-1356825 ACM-97280 | The default Drop Down Select with Web Service control was unable to pass a request token to a Web Service. |
| SF-1445499 ACM-101319 | ASR report generation failed when the Environment Name was 100 characters of longer. |
| SF-1406193 ACM-100547 | Reports did not display line breaks in the Long Description attribute of entitlements. |
| SF-1405003 ACM-99240 | ASR report generation failed with an ORA-06502 error when an environment name exceeded a length of 100 characters. |
| SF-1462313 ACM-101728 | ASR generation failed when the MultiAppAccount Collector collected data from internal tables. |
Request Forms
| Issue | Description |
|---|---|
| SF-1348816 ACM-96918 | Checkboxes on a form were not disabled when the form was disabled. |
| SF-1361380 ACM-97592 | Users were unable to submit a form that used an external validation URI, because the Next button was unusable. |
| SF-1278644 ACM-96541 | Request forms allowed the selection of entitlements for a user that they had already been indirectly granted. |
| SF-1402613 ACM-99476 | Unable to attach files to forms using Internet Explorer 11. |
| SF-1402613 ACM-99474 | Unable to attach files to forms if the filename contains spaces. |
| SF-1303005 ACM-95574 | When localizing the language of request form elements, the prefixes for the localized properties files were not updated to the correct form type when the entire form type was updated. |
| SF-1429864 ACM-100556 | After performing an upgrade, an error occurred loading the fields in a request form that had previously worked. |
| SF-1442831 ACM-101157 | When a JSP file was referenced in the Validation URI for a request form, an exception occurred. |
| SF-1262036 ACM-94030 | Could not open an associated request form from a change request. |
| SF-1346071 ACM-96978 | A form element of control type "Drop Down Select with Web Service" received an exception or error string as a value when the "URI from which to get options" is invalid or fails. |
| ACM-98192 | Validation URI JSPs did not work when uploaded to the secured JSP pages. |
| SF-1356824 ACM-98731 | Request forms that used additional filters were not isolated from the main query, which caused the user counts to be incorrect. |
| SF-1401041 ACM-99601 | Unable to create an out-of-office request when additional fields under Requests > Configuration > Submission were present but not enabled for display. |
| SF-1402613 ACM-99475 | An Invalid Content Type error appeared when uploading an attachment to a form if the filename contained spaces. |
| SF-1399968 ACM-99321 | An Insufficient Privileges to View This Page error appeared when a user attempted to use the password reset functionality. |
Role Management
| Issue | Description |
|---|---|
| SF-1331149 ACM-95790 | During role creation, users who were configured as the Other Technical Owner for some role sets and who had the Role Set: View All entitlement were erroneously able to create roles under any role set. |
| SF-1331250 ACM-95788 | The Role Creation wizard displayed a role set’s raw name instead of the role set name to technical and business owners. |
| SF-1332139 ACM-96219 | A role membership rule could not be removed or deleted after it was created. |
| SF-1377952 ACM-98164 | When the Apply Changes button was clicked on a changed global role, the View Changes link incorrectly showed the same entitlements as both added and removed. |
| SF-1208476 ACM-91790 | Under rare circumstances, Aveksa Entitlements became out of sync when the privileges were granted or revoked through a Role or a Group. |
| SF-1238763 ACM-97112 | The rule type Role Missing Entitlements did not capture missing Global Role entitlements in email. |
| SF-1460209 ACM-101676 | Role export failed with error ORA-12899 when role names exceeded 128 characters. |
| SF-1315908 ACM-101549 | Roles explosion from a change request failed when there were duplicate roles in the system. |
| SF-1471813 ACM-102072 | After making a change to a role and clicking the Apply Changes button, the role change was stuck for 20 hours as a result of a ClassCastException seen in the logs. |
| SF-1461755 ACM-101808 | A deadlock occurred when two sessions were both calculating role metrics at the same time. |
Rules
| Issue | Description |
|---|---|
| SF-1333143 ACM-95904 | A provisioning/termination rule did not create change requests to revoke entitlements when there are accounts to disable and delete. |
| SF-1253494 ACM-97325 | Segregation of duties rules did not work properly with child application roles. |
| SF-1326701 ACM-97109 | The unauthorized access rule detected and revoked legitimate account to group memberships that had been previously provisioned by RSA Identity Governance and Lifecycle as user changes or Add User to Group requests. |
| SF-1338165 ACM-97943 | User access rules failed during execution. |
| SF-1345900 ACM-98473 | When entitlements of different types had the same ID, suggested entitlements could include empty or invalid entitlements. The query has now been fixed to join on entitlement type as well as ID. |
| SF-1322268 ACM-95316 | The Attribute Change rule skipped users when multiple Rule runs were queued. |
| SF-1382297 ACM-98319 | A segregation-of-duties rule with a correlation attribute created violations with one bucket only. |
| SF-1394356 ACM-98992 | Testing a rule took significantly longer to display the results than the time the actual rule run took to generate violations. |
| ACM-95962 | Segregation-of-duties rules took an excessively long time to process. |
| SF-1195511 ACM-94151 | Movers rule processing time increased over time. |
Security
| Issue | Description |
|---|---|
| SF-1158051 ACM-87527 | Additional validation was required for JSP files uploaded in the Admin section. |
| SF-1213280 ACM-98087 | Improved security of X-Content-Type-Options headers in responses from RSA Identity Governance and Lifecycle. |
| SF-1213280 ACM-98085 | Improved security surrounding the session token for requests to Identity Governance and Lifecycle. |
| SF-1215185 ACM-90987 | Enhanced security in the Workflow Architect. |
Server Core
| Issue | Description |
|---|---|
| SF-1354187 ACM-97194 | Data purging failed with the following error: “ORA-02292: integrity constraint (AVUSER.FK_T_IDCAV_T_IDCA_ID) violated - child record found.” |
| SF-1419867 ACM-99916 | An error in pending workflow cleanup resulted in RSA Identity Governance and Lifecycle failing to start with the following error: Initialization operations completed with errors. Please resolve the problem(s) before the application server can accept requests. Unable to start service WorkflowService. java.lang.IndexOutOfBoundsException: Index: 0, Size: 0 |
| SF-1396116 ACM-98953 | Data purging failed with the following error: "ORA-20001: No jobs were found to delete." |
| SF-1463337 ACM-101994 | Data archiving failed with the ORA-06512 error. |
| SF-1272396 ACM-92729 | The Wildfly application server log was not updating as expected after upgrading. |
User Interface
| Issue | Description |
|---|---|
| SF-1246951 ACM-91654 | Intermittent high CPU usage caused performance issues in the RSA Identity Governance and Lifecycle user interface. |
| SF-1048792 ACM-81142 | Under Reviews > Activities, when an Actions menu appeared at the bottom of the page, some menu options were cropped out of view. |
| SF-1324961 ACM-95538 | Users granted view access to a group's directory could not see the group members. |
| SF-1301016 ACM-94283 | In the list of applications, the Sensitivity column was not available in the table options under Displayed Columns. |
| SF-1330310 ACM-95789 | A custom help URL did not work immediately after logging into RSA Identity Governance and Lifecycle. |
| SF-1353826 ACM-97111 | Import incorrectly allowed values greater than the defined value of 256 for the short description of business descriptions. |
| ACM-96675 | A "request cannot be handled" error occurred when clicking on an external URL request button with a special character in its name. |
| SF-1154509 ACM-86405 | After clicking the back button in a web browser, the user interface displayed incorrect breadcrumbs to link back to parent pages. |
| SF-1403795 ACM-98899 | Menu tabs in the user interface did not load in certain circumstances. |
| SF-1409748 ACM-99458 | Nested items in a drop-down menu were capped at a 25 character limit, causing button names in the dashboard to be truncated. |
| SF-1393826 ACM-98939 | The reviewer interface did not display dates properly when the user interface was configured to use the Polish language. |
| SF-1330725 ACM-95798 | Unable to resize SQL data query boxes in the collector configuration screen. |
| SF-1274803 ACM-99479 | A request error occurred after clicking the History tab for any rule. |
| SF-1408780 ACM-99270 | When account summary table data was saved in CSV format, the data was exported along with HTML tags from the exported table. |
| SF-1042334 ACM-79532 | After specifying a sequence of attributes under Admin > Attributes, saving the sequence, and then editing any attribute, the sequence no longer displayed correctly. |
| SF-1446680 ACM-101222 | When viewing User > Requests or collection run details from the Collector History tab of a specific collector, the displayed breadcrumbs were incorrect. |
|
ACM-95187
| The search option for tables did not work if the string began with the special character #. |
| SF-1221939 ACM-90251 | When the environment name specified under Admin > System contained double quotes, metadata export in Firefox browsers generated an incorrect file name. |
| SF-673708 ACM-53828 | Under Resources > Applications, in the Accounts tab, custom attributes were not displayed for Application Roles or Entitlements. |
| ACM-92994 | Proxy protocol changes in a Rest Node could not be saved. |
| SF-1344459 ACM-96671 | When the Ignore Case option was selected, the "one of" search option erroneously remained case sensitive. |
| SF-1460981 ACM-101695 | After upgrading, the Business Source column was missing from the accounts table under the ADC collector. This column has now been added back to the accounts table. |
| SF-1374347 ACM-98126 | Loading the Review Definitions table took an excessive amount of time due to unnecessary fetching of reviewer/monitor coverage data that is not required to render the table. |
| SF-1220192 ACM-90208 | Pop-up windows appeared outside of the viewable area of a user’s screen when the screen had scrollable content. |
| SF-1440495 ACM-101268 | Grouping on the Requests > Requests page erroneously included change lists that were in the pending submission state, resulting in an error when a user expanded a grouping that included one or more pending submission change requests. Group queries now exclude partially submitted change requests. |
| SF-1456132 ACM-101510 | An Invalid Content Type error appeared when uploading a .msg file to a change request. |
| SF-1437772 ACM-101247 | An Invalid Content Type error appeared when uploading a valid file on a request form. |
| SF-1444601 ACM-101439 | The new review interface had some hard-coded text that could not be translated. The text has now been converted so that it can be translated. |
Web Services
| Issue | Description |
|---|---|
| SF-1253334 ACM-92041 | Duplicate group names on a multi app collector could cause the web service call that created a change request to choose the wrong group. |
| SF-983571 ACM-76016 | The User Attribute Change web service reported a "User Not Found" error when the User ID was on record. |
| SF-1264262 ACM-92518 | The documentation for the processRule Web Service did not state that a token was mandatory. |
| SF-1319168 ACM-95505 | Change requests created from a web service erroneously included a deleted account. |
| SF-1169306 ACM-87462 | When multiple records were found for userId, the web service failed to update the user's review items. |
| SF-1402236 ACM-99526 | When adding entitlements to a role, if the “one of” filter was used, the ORA-00904: “ENTITLEMENT_NAME”: invalid identifier error occurred. |