RSA Identity Governance and Lifecycle 7.2.0.x Release Notes

Document created by RSA Information Design and Development Employee on Dec 12, 2019. Last modified by RSA Information Design and Development Employee on Aug 20, 2020.

These release notes describe improvements and functional changes to RSA Identity Governance and Lifecycle 7.2 and all released patches, as well as links to fixed issues for each release or patch. This page is updated with each patch.

To receive notifications about changes to this page, sign in to RSA Link, click Actions, and select Follow.

To view this page as a PDF, sign in to RSA Link, click Actions, and select View as PDF.

Note: Upgrading Java 1.8 JDK to u241 or higher prevents the AFX process from starting. This is exhibited by an error in the log file. The MMC console log reports: “java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: MD5”. To resolve this issue, downgrade the JDK to an earlier version.

7.2 Patch 3

Functional Changes

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2 Patch 3 as the result of fixed issues.


Issue

Description

Account Management

ACM-103431

Previously, pending accounts associated with a Create Account change item were deleted for a change request when any duplicate account was found. Pending accounts are now deleted only for rejected change items for which the duplicate account is found, and the account will be renamed successfully based on the account template configuration for Create Account change item.

Access Requests

ACM-107018

RSA Identity Governance and Lifecycle automatically replaces spaces in account template parameter names with the underscore (_) character and removes all special characters other than underscore (_) and dollar sign ($). You should manually review AFX parameter mappings and request form fields after migration.

Change Requests and Workflows

ACM-105347

The Cancel button is no longer enabled when a change request is in the Undoing state.

Change Requests and Workflows

ACM-103802

An entire change request was rejected when it contained a change item related to a deleted role. This has been fixed to reject only items containing the deleted role reference.

Connector

ACM-103791

The RESTful webservices connector now retrieves and stores id_token, if available, in addition to the access_token when using the OAuth2 flow for authorization. This can be used while making API requests.

Data Collection Processing and Management

ACM-104994

Previously, unification occurred even when mandatory collections failed. Scheduled unification and IDC post-processing now only occurs after successful collections.

Data Collection Processing and Management

ACM-102397

When Collect Data (all) is selected from Collectors > Multi-App Collectors, the All Multi-App Account Collectors setting is now enabled by default.

Role Management

ACM-105029

When removing a role through a role review that has both members and entitlements, the system now calculates the indirects for the revocation.

User Interface

ACM-104556

The schema no longer allows null values for the CanRequest field when editing groups.

Fixed Issues

Fixed Issues in 7.2.0.03

7.2 Patch 2

What's New


Feature

What’s New

Data Collection Processing and Management

When a data collection run fails due to the circuit breaker, the circuit breaker is ignored when a user re-processes the data collection run.

Server Core

The first time a system administrator logs on to the RSA Identity Governance and Lifecycle user interface, to agree to the license, he or she must enter the Customer ID, Customer Name, and System Type. The Customer ID value is provided by RSA and is provided to all customers through email. These values are logged in the diagnostics and system data.

User Interface

Applications can now be sorted, filtered, and grouped by business owner, technical owner, and violation manager.

Functional Changes

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2 Patch 2 as the result of fixed issues.


Issue

Description

Access Requests

ACM-100749

Added a new variable called “Display Name” that maps to the alt_name of the entitlement for global-role, app-role, and group, under the workflow status values.

ACM Security Model

ACM-105178

Supervisors have a new view privilege to see the details of change requests created for their subordinates.

AFX

ACM-103661

Remote AFX and agents do not work after upgrading Java 1.8 JDK to u241 or higher. This patch updates the generation of the self-signed certificates for RSA Identity Governance and Lifecycle.

If you have applied this patch and upgraded to Java version JDK 8u241 or higher, you must download or regenerate the self-signed certificates for RSA Identity Governance and Lifecycle into your environment and restart the server.

  1. Log in to RSA Identity Governance and Lifecycle, and go to Admin > System > Security. In a clustered environment, perform this step on the single system operations node (SON).
  2. Click Change Certificate Store, and click OK to change the root certificate and CA.
  3. Click Download and save the server.keystore file to a location on your computer.
  4. Go to AFX > Servers, click Change Certificate Store, and click OK to change the client certificate.
  5. Click Download and save the client.keystore file to a location on your computer.
  6. Stop the ACM and AFX servers.
  7. Copy the new server.keystore file to the location on the server where your web server reads the keystore. For example, $AVEKSA_HOME/keystore.
  8. Copy the new client.keystore file to the AFX server under <AFX-server-root>/esb/conf.
  9. Update the client.keystore files from the remote agents after you download the corresponding client.keystore from RSA Identity Governance and Lifecycle.
  10. Restart the ACM and AFX servers and verify connectivity with the endpoints.

AFX

ACM-100698

The following improvements have been made to the process of uploading additional JAR files to connect to other databases using a generic database.

  • The driver field is now editable to support the addition of a new path and selecting the existing driver path from the list for the Generic Type Connector.
  • Under Generic Type Connector > File Content, add and delete options have been added for custom driver JARs.
  • Handled the upload and removal of custom drivers to and from AFX/esb/apps/connectorname/lib, where connectorname is the name of the connector.

AFX

ACM-101553

Memory management in ActiveMQ has been updated to handle bulk change request items. You may need to modify the following ActiveMQ settings.

  1. The queue can handle messages for a change request with about 500 change request items for an AFX connector. To handle a larger number of items than this default, update the settings as follows.

    1. Edit AFX\activemq\conf\activemq.xml.

    2. Find the policyEntry tag and modify the memoryLimit attribute value based on the requirement, as shown below, then save the changes.

      <policyEntry queue=">" producerFlowControl="true" useCache="false" memoryLimit="5mb">

  2. The queue can handle approximately 50 AFX connectors provisioning change request items in parallel with the default settings. To configure a larger number of connectors than the default allows, modify the memoryUsage value accordingly, based on the requirement.

    Example:
    Memory usage for an AFX connector needs approximately 5 MB. 5 MB multiplied by 50 connectors is a total of 250 MB, which is the default.
    The memory usage is calculated based on the memoryLimit value in point 1.

    1. Edit AFX\activemq\conf\activemq.xml.

    2. Find the memoryUsage tag and modify the limit attribute value based on the requirement.

      <memoryUsage>
      <memoryUsage limit="256 mb"/>
      </memoryUsage>

    3. Find the tempUsage tag and modify the limit attribute value to the same value as memoryUsage.

      <tempUsage>
      <tempUsage limit="256 mb"/>
      </tempUsage>

    4. Find the storeUsage tag and modify the limit in line with the change to the memoryUsage value.

      <storeUsage>
      <storeUsage limit="1 gb"/>
      </storeUsage>

    5. Save the changes.

  3. Based on the requirements and memory configuration changes, the ActiveMQ heap size must be updated. The recommended heap size is between 2 and 4 GB.

    1. Edit the AFX/bin/afx.sh script.

    2. Update the ACTIVEMQ_OPTS Xms and Xmx values.

    3. Edit the AFX/activemq/bin/activemq.sh script.

    4. Update the ACTIVEMQ_OPTS Xms and Xmx values.
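The three ActiveMQ adjustments above are easy to get slightly wrong by hand (a mistyped closing tag, a tempUsage that no longer matches memoryUsage, a heap outside the recommended range). The following added example, which is not RSA's code and not part of the AFX distribution, reads an activemq.xml, extracts the four limits the steps refer to, and checks them against the sizing rules stated in the note for a given number of parallel connectors. The sample XML fragment and the ACTIVEMQ_OPTS line are constructed for the example; the real files nest these elements the same way but may differ in the surrounding content.

```python
"""Check activemq.xml and the ACTIVEMQ_OPTS heap settings against the ACM-101553 sizing note."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the elements the note tells you to edit, laid out the way
# ActiveMQ nests them (namespace on <broker>). It is not the file shipped with AFX.
SAMPLE_ACTIVEMQ_XML = """<beans>
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="afx">
    <destinationPolicy>
      <policyMap>
        <policyEntries>
          <policyEntry queue=">" producerFlowControl="true" useCache="false" memoryLimit="5mb"/>
        </policyEntries>
      </policyMap>
    </destinationPolicy>
    <systemUsage>
      <systemUsage>
        <memoryUsage><memoryUsage limit="256 mb"/></memoryUsage>
        <storeUsage><storeUsage limit="1 gb"/></storeUsage>
        <tempUsage><tempUsage limit="256 mb"/></tempUsage>
      </systemUsage>
    </systemUsage>
  </broker>
</beans>
"""

# Constructed sample of the heap line in afx.sh / activemq.sh (step 3 of the note);
# the real scripts may format this line differently.
SAMPLE_ACTIVEMQ_OPTS = 'ACTIVEMQ_OPTS="-Xms2g -Xmx3g -Djava.awt.headless=true"'

_UNITS = {"": 1, "b": 1, "k": 1024, "kb": 1024, "m": 1024 ** 2, "mb": 1024 ** 2,
          "g": 1024 ** 3, "gb": 1024 ** 3}


def parse_size(text):
    """Turn ActiveMQ size strings such as '5mb', '256 mb' or '1 gb' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmgKMG]?[bB]?)\s*", text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def _local(tag):
    # Strip the XML namespace ActiveMQ puts on the broker subtree.
    return tag.rsplit("}", 1)[-1]


def extract_limits(xml_text):
    """Return memoryLimit, memoryUsage, tempUsage and storeUsage in bytes.
    Malformed XML (for example a closing tag missing its '>') raises ET.ParseError;
    a missing element raises KeyError."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        name = _local(el.tag)
        if name == "policyEntry" and "memoryLimit" in el.attrib:
            found["memoryLimit"] = parse_size(el.attrib["memoryLimit"])
        elif name in ("memoryUsage", "tempUsage", "storeUsage") and "limit" in el.attrib:
            found[name] = parse_size(el.attrib["limit"])
    for key in ("memoryLimit", "memoryUsage", "tempUsage", "storeUsage"):
        if key not in found:
            raise KeyError("activemq.xml has no %s limit" % key)
    return found


def max_parallel_connectors(limits):
    """Connectors the broker memory covers at the per-queue memoryLimit
    (the note's figure: 5 MB x 50 connectors is about 250 MB, the default)."""
    return limits["memoryUsage"] // limits["memoryLimit"]


def check_sizing(limits, connectors):
    """Findings where the file does not satisfy the note's rules for the given
    number of AFX connectors provisioning in parallel; empty list means OK."""
    findings = []
    needed = connectors * limits["memoryLimit"]
    if limits["memoryUsage"] < needed:
        findings.append("memoryUsage %d MB is below %d connectors x memoryLimit (%d MB)"
                        % (limits["memoryUsage"] // _UNITS["mb"], connectors, needed // _UNITS["mb"]))
    if limits["tempUsage"] != limits["memoryUsage"]:
        findings.append("tempUsage must equal memoryUsage (step 3 of the note)")
    if limits["storeUsage"] < limits["memoryUsage"]:
        findings.append("storeUsage is smaller than memoryUsage; raise it with memoryUsage (step 4)")
    return findings


def parse_heap_opts(line):
    """Return (Xms, Xmx) in bytes from an ACTIVEMQ_OPTS assignment; None where absent."""
    def grab(flag):
        m = re.search(r"-%s(\d+)([kKmMgG]?)" % flag, line)
        return parse_size(m.group(1) + m.group(2)) if m else None
    return grab("Xms"), grab("Xmx")


def heap_within_recommendation(xmx_bytes):
    """True when -Xmx lies inside the 2 to 4 GB range the note recommends."""
    return 2 * _UNITS["gb"] <= xmx_bytes <= 4 * _UNITS["gb"]


if __name__ == "__main__":
    limits = extract_limits(SAMPLE_ACTIVEMQ_XML)
    print("connectors covered by memoryUsage:", max_parallel_connectors(limits))
    print("findings for 80 connectors:", check_sizing(limits, 80))
    print("heap within recommendation:", heap_within_recommendation(parse_heap_opts(SAMPLE_ACTIVEMQ_OPTS)[1]))
```

Point the script at the real AFX\activemq\conf\activemq.xml by reading the file into `extract_limits` and pass the number of connectors you expect to provision at once; a non-empty findings list tells you which of the steps above still needs attention before the servers are restarted.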

Change Requests and Workflow

ACM-103621

The insert time for the evaluation of canceled/reverted workflow jobs was changed from -1 day to -1 second.

Connector

ACM-104006

Data Definition Language (DDL) commands have been removed from the database connectors’ capability templates to prevent serious problems in the system.

Database Management

ACM-104549

Added additional workflow object auditing to include editing as well as create and delete. Also added auditing for edit, create, and delete workflow forms.

Reports

ACM-103677

Aveksa Statistics Report (ASR) generation has a new "Failed" state. These Failed reports can be deleted using the user interface.

Role Management

ACM-102991

Before creating a change request for role entitlements, the system checks whether adding these entitlements to the role would create cyclic dependencies. If the change request would create cyclic dependencies, the system does not allow the change request to be created, and the user interface displays the role entitlements that are causing the issue so that it can be corrected.

User Interface

ACM-103542

While creating a change request, if a user browses away from the page or closes the window before submitting, the user no longer has to log in a second time to see the pending change request submission.

User Interface

ACM-103539

Previously on the Request Summary page and Pending Submission page, users without Admin privileges were not allowed to cancel requests. The Cancel Pending Request button was never active for these non-Admin users. In this update, users without Admin privileges are now allowed to cancel requests on these pages. The checkboxes for change request selection are enabled and other checkboxes disabled based on the users’ privileges. Users can select change requests with enabled checkboxes and perform the Cancel action. The Cancel Pending Request button is active if the user selects the change request.

Fixed Issues

Fixed Issues in 7.2.0.02


7.2 Patch 1

What's New


Feature

What’s New

Collector

The extensible attribute functionality for the Workday collector now allows empty values.

Collector

A new User Filter has been added to the Workday collector, which allows the inclusion or exclusion of specific user types.

Connector

The validity and expiration date of an OAuth token is now displayed below the Get OAuth Token button.

Dashboard

The following dashboard components have been created for the System Admin Dashboard:

  • System Admin: System Information
  • System Admin: Enabled Modules
  • System Admin: Collections Status
  • System Admin: Workflow Jobs Status
  • System Admin: Admin Errors
  • System Admin: User Sessions

Rules

The following improvements were made in rule post-processing:

  • The post-processing script is displayed in view mode, even if the feature flag is set to false.
  • The monitoring page for a rule run includes a separate step to display the time taken for rule post-processing.

Functional Changes

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2 Patch 1 as the result of fixed issues.


Issue

Description

Change Requests and Workflows

ACM-103314

The RSA Identity Governance and Lifecycle user interface now allows the cancellation of change request items in a pending verification state when the change request and workflows are completed.

Change Requests and Workflows

ACM-103619

On an approval workflow node, users can now configure the approval due date to start either on the job start time or the node start time.

Change Requests and Workflows

ACM-103356

Added a tooltip to clarify that the "Max items per change request" setting does not affect change requests adding or removing entitlements from roles. Changes generated from roles are always in a single request to ensure that dependencies are clear to approvers.

Change Requests and Workflows

ACM-102222

Admin > Workflow > Settings has a new scheduled task to ensure that the workflow completes when a request has all watches closed.

Local Entitlements

ACM-103319

Change requests can now remove entitlements from deleted users, and users are prompted to enter a comment in the change request item.

Role Management

ACM-103544

RSA Identity Governance and Lifecycle no longer allows users to submit a new change request when a pending account in a pending submission already exists.

Role Management

ACM-100944

The following changes have been made in roles:

  • In the Members tab, Missing Direct Entitlements has been changed to Missing Direct Entitlements (Active).
  • In the Entitlements tab, Direct Members Missing has been changed to Direct Active Members Missing.
  • In the Analytics tab, Missing Entitlements has been changed to Missing Entitlements for Active Members.
  • In the Analytics tab, the new metric Number of Users (Terminated) has been added.

Web Services

ACM-103573

Created a new user called System to call the createChangeRequest web service.

User Interface

ACM-103538

When a change request was blocked due to dependencies created by another change request, the user interface did not provide enough information to find the problematic dependencies. The user interface now provides clearer information.

Fixed Issues

Fixed Issues


7.2

What's New

The following sections describe the new features and improvements in version 7.2:

Feature Highlights


Feature

What’s New

Dashboard Facts

Dashboard facts allow you to highlight high-level facts to end users, inviting action items requiring attention. These facts can be configured to redirect to specific pages providing additional insight. Dashboard facts are configured under Admin > Dashboards > Dashboard Components. The out-of-the-box System Administrator Dashboard provides a demonstration of dashboard facts.

System Data and Diagnostics

Diagnostic and system data information is collected either on demand or on a scheduled basis to use in dashboard and custom reports that show system details and trends. The data can also be shared with RSA to provide details on your environment and usage. These details provide RSA with insight that facilitates decisions such as providing extended support and deprecating certain versions, as well as what new features and enhancements to prioritize in upcoming releases.

Administrators can change these settings in Admin > Diagnostics > Diagnostics and System Data.

Generic REST Collectors

The new Generic REST collectors support the collection of identity, accounts, and entitlements through REST APIs specific to the endpoint.

Installer

There are several improvements to the RSA Identity Governance and Lifecycle installation process:

  • The installation process has been improved to allow installation using either the root user or oracle user, depending on the specific environment and requirements.

    Installation as the root user is required for deployments in which you use an RSA-supplied database or in which you want to run RSA Identity Governance and Lifecycle as a service. Root user installation is required for any deployment in which sudo functionality is needed.

    Installation as the oracle user is an option for environments that use a remote database and do not require the use of services or sudo functionality.

    For instructions for each of these installation options, see the RSA Identity Governance and Lifecycle Installation Guide.

  • The installation script now prompts users to confirm passwords entered when configuring a remote database.

Web Services

Several improvements were made to web services:

  • All available commands are now organized across several tabs labeled by category. The Settings tab, which is the first tab the user sees, provides a high-level ability to toggle web services on and off, allows the user to specify a list of IP addresses that can be used for commands, and the import directory where some commands may look for content. Those commands will indicate in their details that they use the import directory.
  • The user interface that lists all commands has been redesigned to display the commands in a table format. A user can click the Click for Details link for a particular command to expand a command's row and view details about using the command. The new table includes a security column that uses icons to represent the current settings for the command, and a Configure button to change the security.
  • Security settings are now configured at the command-level. A user can only change the security for a particular command to be stronger than the default, out-of-the-box security setting.
  • Added the deleteCollector web service, which allows users with appropriate privileges to delete a collector from the system.
  • Added support for using a bearer token in request headers instead of passing the token in the URL.

Unauthorized Change Detection (UCD) Improvements

The Unauthorized Change Detection rule has been enhanced to detect when there is an unauthorized removal of entitlements from a user, and to allow you to filter on accounts.

User Interface


This release introduces many improvements to the user interface to provide a cleaner, faster, and more consistent user experience. These changes include:

  • An improved notification panel with notifications grouped by date.
  • Redesigned UI components, such as dialogs, buttons, and navigation.
  • Card-based component layout.
  • New icon set for high-resolution displays.
  • Charts now have a modern theme and layout with improved animation. You can now download charts.
  • Added auto-refresh functionality to the pages at Admin > Diagnostics > General and Admin > Diagnostics > Logs.
  • Added support to upload JavaScript files in the Files tab under Admin > User Interface, which may be used to perform custom validation for request forms or may be referenced from JSP pages. Consult Professional Services before using this feature.

User Pictures

Each user can now have an associated image that is visible throughout the user interface, such as in the menu when logged in, user detail screens, and user pop-ups.

To configure a user picture, navigate to a user's detail screen, click the default image, and upload a .PNG file. Administrators can upload images in bulk from the Admin > User Interface > Files > Users screen, or by using the setUserImage web service.

Additional Features and Improvements


Feature

What’s New

Access Certification

The following improvements have been made in access certification:

  • The display names for the Review and Revoke buttons for roles in fine-grained role reviews and for groups in group reviews are now specified within the review definition using two new text fields. Previously, the display names for these buttons were configured using the global resources strings RoleReview_Maintain, RoleReview_Revoke, GroupReview_Maintain, and GroupReview_Revoke.
  • When the Allow expiration option is selected for the Maintain state in a review definition, the Display Name text field now appears, allowing users to enter a display name for this state.

  • In a review, the Expiration date field displayed in the flyout for the Maintain with Expiration state, which indicates the date on which the exceptional access expires, has been renamed to Expires on, to avoid confusion with other fields.
  • You can now limit the maximum number of days in the future that a reviewer can set as the expiration date when choosing the Maintain with Expiration state for a review item. The Default and Maximum Expiration Days setting can be configured under both Reviews > Configuration and Rules > Configuration.
  • When determining unchanged items, RSA Identity Governance and Lifecycle considers only reviews generated in the past 365 days instead of all reviews. An item for a reviewer is tagged as unchanged when he or she has last reviewed it with the Maintain state in a review that was generated in the last 365 days, and none of the attributes of the reviewed entitlement have changed.

  • The Expiring Soon tooltip now includes the expiration date.

  • The categories for Review Analysis and Guidance in the review and the review definition have been reordered to reflect their priority.

AFX Server

Added a new SSH Connector which supports Public Key Authentication.

Application Wizards

Updated the application wizard for Active Directory to remove out-of-date references.

Aveksa Statistics Report

The Aveksa Statistics Report (ASR) has the following new columns for the Unified Users section:

  • terminatedUser.count — The total number of terminated users.
  • deletedUsers.total — The total number of deleted users.
  • user.total — The total number of users.

Change Requests and Workflow

The following changes have been made in Change Requests and Workflow:

  • The Workflow Architect has a new “Auto Complete Category” option when grouping by category that indicates whether the Category Manager automatically completes all other work items in a category. By default, this option is selected.
  • The Processing Workflow link in change requests is now visible to users with the Access Request Admin: Administrator entitlement.

Collectors

Multi-app collectors now provide the option to collect Account Disabled Status and Account Lock Status in the collector configuration.

Database Management

Data pruning has been enhanced to remove unneeded workflow data from the system.

Email

The text in Approval and Rejection email replies has been updated to clearly indicate where the user may add additional comments.

Email

The default value for the maximum number of recipients for an email provider has been changed to 100.

Platform


Migrated the JDK from Open JDK to AdoptOpenJDK, and added support for Red Hat Enterprise Linux 7 and SUSE Linux Enterprise Server 12 SP 4.

Deprecated Items


Feature

Description

Platform

SUSE Linux Enterprise Server (SLES) 11 and Red Hat Enterprise Linux (RHEL) 6 have been deprecated.

In hardware appliance and software bundle deployments, use the RSA Identity Governance and Lifecycle Appliance Updater to upgrade the operating system.

Reports

The following views and associated reports have been deprecated:

View

Report

V_AVR_APPROLE_ENTS_DELTA

Changes in User Application Roles by Date Range
Changes in User Application Roles in the Last n Days

V_AVR_ENTITLEMENT_DELTA

Changes in User Entitlements by Date Range
Changes in User Entitlements in the Last n Days

V_AVR_GLOBALROLE_ENTS_DELTA

Changes in User Global Roles by Date Range
Changes in User Global Roles in the Last n Days

V_AVR_GROUP_MEM_DELTA_N_DAYS

Changes in User Group Memberships in the Last n Days

V_AVR_GROUP_MEMBERSHIPS_DELTA

Changes in User Group Memberships by Date Range

Saved results from previous reports are still accessible.

Web Services

The following path for the User Attribute Change web services command has been deprecated:

http://<server name>:8443/aveksa/webservice/userAttributeChange

This is accessible through the userAttributeChange command. For more information, go to Admin > Web Services.

Functional Changes

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle as the result of fixed issues.


Issue

Description

Access Certification

ACM-100064

In a group review, RSA Identity Governance and Lifecycle no longer allows None for the state of a group whose members and entitlements are all marked as reviewed and maintained. When applying the state of None to multiple groups, the system ignores any group that has all entitlements and members reviewed and maintained.

Access Certification

ACM-98991

Coverage is now only refreshed in a review when the coverage option is selected. When review items are refreshed and the coverage option is not selected, a warning appears to remind the user that coverage will not be refreshed.

Access Requests

ACM-100749

Added a new variable called “Display Name” that maps to the alt_name of the entitlement for global-role, app-role, and group, under the workflow status values.

Admin Errors

ACM-92855

The Admin Error type "Account Load Data" can now contextually appear in the properties of a Create Admin Error workflow node.

Change Requests and Workflows

ACM-93462

The "Assign to" list no longer appears as available options for Resource Selection.

Change Requests and Workflow

ACM-94899

When a change request contains a change request item to remove an already-deleted role from a user, that change request item is rejected while the system proceeds with the other items in the change request.

Change Requests and Workflow

ACM-95849

The "Show job level variables" checkboxes are now selected by default, and job variables are explicitly shown in approval and fulfillment workflows. If these variables need to be hidden, the checkbox must be deselected.

Change Requests and Workflow

ACM-99913

The Entitlements Require Account field under Account Template now contains the options Always, Sometimes, and Never. Previously, the options were True and False.

Change Requests and Workflow

ACM-101380

In the workflow architect, the node’s runtime data indicates the number of times the node’s state has been changed using the Complete Node, Complete Work, or Skip actions and the number of times the node has been reset. After a node’s state is changed, the node’s color changes to orange. After a node has been reset, the node’s color changes to pink.

Data Collection Processing and Management

ACM-91761

The Last Reviewed Date OOTB attribute has been removed from the collector wizards.

Change Requests and Workflow

ACM-95472

The fix implemented to ensure that emails are sent to each approver when multiple approval activity nodes are configured to send an email to approvers appears in newly created nodes. Existing nodes are not affected by this fix to ensure that any custom email text is not overwritten.

Collector

ACM-93824

The Office365 Account Collector now has a configurable Block Size field during application creation.

Data Collection Processing and Management

ACM-94792

When an RDC’s HAS data is not configured or has an old value set to No, RSA Identity Governance and Lifecycle now ensures that, after collection, the User Access tab Direct view for a user correctly displays all collected roles of which the user is a direct member, and that the user has the correct nested sub-roles in the All view.

Database Management

ACM-74139

Data purging has been updated to ensure that workflow data with null change dates is purged.

Platform

ACM-78255

The configureSSLProtocols.sh and HardenHTTPSProtocols.sh scripts have been removed from RSA Identity Governance and Lifecycle.

Role Management

ACM-96925

Applications and Directories had incorrectly displayed the Raw Name instead of Display Name on the Access tab for users. The Access tab now correctly displays the Display Name of the Application or Directory.

Role Management

ACM-101549
ACM-101846
ACM-101585
ACM-98261
ACM-98346

Fixed the failure of roles explosion from change requests when duplicate roles are found in the system. This addresses the issue of user entitlement discrepancies due to explosion failures. Additionally, multiple issues with roles import were addressed. During import, the system reuses the existing members and entitlements when overwriting a local role instead of fully deleting them and creating new entries. When importing roles, the system now looks only for active roles with similar names so that deleted roles are not reactivated. This change avoids the creation of multiple active roles with the same role name. If a role being imported matches an existing active collected role, the system throws an exception instead of overwriting the role. Collected roles are not overwritten at any point.

Security

ACM-90370

Authorization validation has been added for file coverage uploads and for the collector activate/deactivate buttons. A pop-up is presented if the user does not have the proper privilege.

Security

ACM-99089

Error message was made more user-friendly.

User Interface

ACM-81142

Under Reviews > Activities, the Actions menu automatically scrolls so that all options are visible.

User Interface

ACM-94283

Added the columns Business Use, Functional Ownership, Locality, and Sensitivity in the Application, Directory, Data Resource Sets, Rule Sets, and Role Sets summary tables. Grouping is disabled on these columns.

User Interface

ACM-90208

Pop-up windows now appear in the center of the user’s viewing area.

Web Services

ACM-92041

Web service calls to add or remove accounts from a group are now validated: a call may identify the target using either the collector or the business source, but not both.

Web Services

ACM-97802

Environments using the User Attribute Change command should change the URL to the following format: http://<server name>:8443/aveksa/command.submit?cmd=userAttributeChange

Fixed Issues

Fixed Issues

Known Issues and Limitations

Known Issues and Limitations
