RSA Identity Governance and Lifecycle 7.2.1.x Release Notes

Document created by RSA Information Design and Development Employee on Aug 17, 2020Last modified by RSA Information Design and Development Employee on Sep 15, 2020
Version 3Show Document
  • View in full screen mode

These release notes describe improvements and functional changes to RSA Identity Governance and Lifecycle 7.2.1 and all released patches, as well as links to fixed issues for each release or patch. This page is updated with each patch.

To receive notifications about changes to this page, sign in to RSA Link, click Actions, and select Follow.

To view this page as a PDF, sign in to RSA Link, click Actions, and select View as PDF.



What's New

Feature Highlights



What’s New

Data Access Governance: 
Varonis Collector

The Data Access Governance module now supports data access data collection from Varonis DatAdvantage using a new out-of-the-box collector template. The collector configuration wizard allows you to configure a connection to the Varonis API easily through the user interface.

The Varonis data access collector collects permissions for both domain accounts and domain groups. Folder owners are collected as suggested owners, and added as resource owners.

Data Access Governance:
StealthAudit Collector

RSA Identity Governance and Lifecycle 7.2.1 provides a new, out-of-the-box StealthAudit data access collector, which replaces the previous StealthAudit collector. The new StealthAudit collector encompasses the following changes:

  • Unlike the old StealthAudit collector, the new collector does not require the use of compatibility views delivered as an instance job within the StealthAudit product. The new version does support the use of compatibility views, but RSA recommends recreating views using the out-of-the-box views.
  • The new StealthAudit collector collects only the folders and shares to only those on which accounts or groups have direct permissions. The previous version of the collector collected all folders and shares that had been gathered by StealthAudit, and, as a result of the change, the first run with the new collector template may collect significantly fewer resources and entitlements than with the old.
  • The new StealthAudit collector calculates suggested owners based on users' activity for specific folders and shares. Previously, the calculation of suggested owners required a licensed product from Stealthbits that used a proprietary function to calculate suggested owners.

The deprecated StealthAudit collector template is no longer available when creating a new data access collector. However, existing implementations of the deprecated collector type continue to work and can be edited until migrated to the new template.

You can migrate an existing, active StealthAudit collector to the new template using the Migrate button next to the Data Source Type field on the collector's General page to open the collector configuration wizard. The wizard automatically changes the Data Source Type from Data Entitlement Aggregator to StealthAudit. To complete migration, follow the prompts to review the collector details, changing any configuration details if needed. For further details, see "Migrate to the New StealthAudit Collector" in the Online Help.

OAuth 2.0 Support

RSA Identity Governance and Lifecycle now supports OAuth 2.0 authentication for both inbound and outbound email connections. OAuth allows RSA Identity Governance and Lifecycle to receive and send mail using a third-party account, such as Gmail or Office 365, without knowing or providing the credentials for that account.

You configure OAuth 2.0 support by registering the RSA Identity Governance and Lifecycle client with your email provider, and then configuring authentication using the System Email Settings page. For more information, see "Managing System Email Settings" in the Online Help.


You can now configure the outbound email server to use the STARTTLS email protocol command to request to secure an insecure connection between the email server and client. STARTTLS must be supported by your email provider to use this feature.

When STARTTLS is enabled, it is invoked after the email server and client have connected but before any credentials are exchanged. You enable this command on the System Email Settings Page. For more information, see "Managing System Email Settings" in the Online Help.

Maintenance Mode

The way RSA Identity Governance and Lifecycle handles tasks when the system is in maintenance mode has been updated. The following table describes the way in which RSA Identity Governance and Lifecycle handles each type of task during maintenance mode.

TaskMaintenance Mode Behavior
Scheduled collectionsAborted when triggered during maintenance mode. The Data Runs page displays the aborted tasks.
Scheduled rules
Scheduled reviews
Scheduled rules-triggering reviews
Scheduled report generation, including ASR generationSkipped when triggered during maintenance mode. The system indicates this in aveksaServer.log.
Review-triggering workflows
Custom Tasks
Web-service calls

Not permitted. HTTP error 403 and the configured maintenance mode message appear in the response.

Manually triggered collections and other manual tasksFunctions normally
Scheduled AdminSystem tasks such as backups
Oracle 19c QualificationOracle 19c has been qualified for use in RSA Identity Governance and Lifecycle deployments with customer-supplied databases.

Additional Features and Improvements



What’s New

Access Certification

The new user and violation review user interface now allows users to display up to 20 columns.

Account Management

The configuration of Account Data Collectors (ADC) now provide an option to allow the reuse of accounts that have been disabled and then deleted. Previously, if an account was disabled before deletion, the account could not be moved back into a pending state if system-wide setting "Enable Disabled Accounts for Entitlement Requests" is enabled. Now, when the new Allow Account Reuse option is selected for an ADC, when disabled accounts are deleted, the disabled flag is removed from the account, which allows the accounts to be reused.

Data Collection Processing and Management

When a data collection run fails due to the circuit breaker, the circuit breaker is ignored when a user re-processes the data collection run.


The method of selecting recipients for report emails has been improved. Previously, email recipients had to be directly selected. With this improvement, you can filter users based on user IDs, attributes, and relationships to roles and groups.

Role Management

The way in which role metrics are calculated has been updated to improve performance for users.


The method of selecting roles for role membership change, role membership rule difference, role metric change, and role missing entitlements rules has been improved to allow the selection of roles using an advanced search filter.


The method of selecting groups for group membership change rules has been improved to allow the selection of groups using an advanced search filter.


The ordering of the tabs under RulesViolations has changed so that By Violation appears before Violation Remediation.

Server Core

The first time a system administrator logs on to the RSA Identity Governance and Lifecycle user interface, to agree to the license, he or she must enter the Customer ID, Customer Name, and System Type. The Customer ID value is provided by RSA and is provided to all customers through email. These values are logged in the diagnostics and system data.

Web Services

A new runReport web service has been added, which allows reports to be run by name.


Functional Changes

The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2.1 as the result of fixed issues.




Access Requests


When trying to create a change request for which a pending change request already existed, a warning message is now displayed and the Finish button is disabled. Previously, the system allowed the creation of a change request even when a pending submission existed.

Account Management


Previously, pending accounts associated with a Create Account change item were deleted for a change request when any duplicate account was found. Pending accounts are now deleted only for rejected change items for which the duplicate account is found, and the account will be renamed successfully based on the account template configuration for Create Account change item.

ACM Security Model


The security context CSV file has been updated to remove deprecated entries. Now, the Role, Role Set, Rule, Rule Set, Data Resource Set, and Directory objects are no longer associated with Business Units.



Remote AFX and agents do not work after upgrading Java 1.8 JDK to u241 or higher. This patch updates the generation of the self-signed certificates for RSA Identity Governance and Lifecycle.

If you have applied this patch and upgraded to Java version JDK 8u241 or higher, you must download or regenerate the self-signed certificates for RSA Identity Governance and Lifecycle into your environment and restart the server.

  1. Log in to RSA Identity Governance and Lifecycle, and go to AdminSystemSecurity. In a clustered environment, perform this step on the single system operations node (SON).
  2. Click Change Certificate Store, and click OK to change the root certificate and CA.
  3. Click Download and save the server.keystore file to a location on your computer.
  4. Go to AFX > Servers, click Change Certificate Store, and click OK to change the client certificate.
  5. Click Download and save the client.keystore file to a location on your computer.
  6. Stop the ACM and AFX servers.
  7. Copy the new server.keystore file to the location on the server where your web server reads the keystore. For example, $AVEKSA_HOME/keystore.
  8. Copy the new client.keystore file to the AFX server under <AFX-server-root>/esb/conf.
  9. Update the client.keystore files from the remote agents after you download the corresponding client.keystore from RSA Identity Governance and Lifecycle.
  10. Restart the ACM and AFX servers and verify connectivity with the endpoints.

Change Requests and Workflows


The RSA Identity Governance and Lifecycle user interface now allows the cancellation of change request items in a pending verification state when the change request and workflows are completed.

Change Requests and Workflows


The Cancel button is no longer enabled when a change request is in the Undoing state.

Change Requests and Workflows


On an approval workflow node, users can now configure the approval due date to start either on the job start time or the node start time.

Change Requests and Workflows


Added a tooltip to clarify that the "Max items per change request" setting does not affect change requests adding or removing entitlements from roles. Changes generated from roles are always in a single request to ensure that dependencies are clear to approvers.

Change Requests and Workflows


Admin > Workflow > Settings has a new scheduled task to ensure that the workflow completes when a request has all watches closed.



The RESTful webservices connector now retrieves and stores id_token, if available, in addition to the access_token when using the OAuth2 flow for authorization. This can be used while making the API requests.

Data Collection Processing and Management


Previously, unification occurred even when mandatory collections failed. Scheduled unification and IDC post-processing now only occurs after successful collections.

Database Management


Added additional workflow object auditing to include editing as well as create and delete. Also added auditing for edit, create, and delete workflow forms.

Local Entitlements


Change requests can now remove entitlements from deleted users, and users are prompted to enter a comment in the change request item.

Role Management


RSA Identity Governance and Lifecycle no longer allows users to submit a new change request when a pending account in a pending submission already exists.

Role Management


When removing a role through a role review that has both members and entitlements, the system now calculates the indirects for the revocation.

User Interface


The schema no longer allows null values for the CanRequest field when editing groups.
User InterfaceThe user interface now uses the terms trusted list and untrusted list instead of whitelist and blacklist.


Fixed Issues

Fixed Issues in 7.2.1

You are here
RSA Identity Governance and Lifecycle 7.2.1.x Release Notes