on Aug 17, 2020These release notes describe improvements and functional changes to RSA Identity Governance and Lifecycle 7.2.1 and all released patches, as well as links to fixed issues for each release or patch. This page is updated with each patch.
To receive notifications about changes to this page, sign in to RSA Link, click Actions, and select Follow.
To view this page as a PDF, sign in to RSA Link, click Actions, and select View as PDF.
- Installation Information: Before You Install or Upgrade RSA Identity Governance and Lifecycle
- 7.2.1: What's New | Functional Changes | Fixed Issues
7.2.1
What's New
Feature Highlights
| Feature | What’s New | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Data Access Governance: | The Data Access Governance module now supports data access data collection from Varonis DatAdvantage using a new out-of-the-box collector template. The collector configuration wizard allows you to configure a connection to the Varonis API easily through the user interface. The Varonis data access collector collects permissions for both domain accounts and domain groups. Folder owners are collected as suggested owners, and added as resource owners. | ||||||||||||||||
| Data Access Governance: StealthAudit Collector | RSA Identity Governance and Lifecycle 7.2.1 provides a new, out-of-the-box StealthAudit data access collector, which replaces the previous StealthAudit collector. The new StealthAudit collector encompasses the following changes:
The deprecated StealthAudit collector template is no longer available when creating a new data access collector. However, existing implementations of the deprecated collector type continue to work and can be edited until migrated to the new template. You can migrate an existing, active StealthAudit collector to the new template using the Migrate button next to the Data Source Type field on the collector's General page to open the collector configuration wizard. The wizard automatically changes the Data Source Type from Data Entitlement Aggregator to StealthAudit. To complete migration, follow the prompts to review the collector details, changing any configuration details if needed. For further details, see "Migrate to the New StealthAudit Collector" in the Online Help. | ||||||||||||||||
| Email: | RSA Identity Governance and Lifecycle now supports OAuth 2.0 authentication for both inbound and outbound email connections. OAuth allows RSA Identity Governance and Lifecycle to receive and send mail using a third-party account, such as Gmail or Office 365, without knowing or providing the credentials for that account. You configure OAuth 2.0 support by registering the RSA Identity Governance and Lifecycle client with your email provider, and then configuring authentication using the System Email Settings page. For more information, see "Managing System Email Settings" in the Online Help. | ||||||||||||||||
| Email: | You can now configure the outbound email server to use the STARTTLS email protocol command to request to secure an insecure connection between the email server and client. STARTTLS must be supported by your email provider to use this feature. When STARTTLS is enabled, it is invoked after the email server and client have connected but before any credentials are exchanged. You enable this command on the System Email Settings Page. For more information, see "Managing System Email Settings" in the Online Help. | ||||||||||||||||
| Maintenance Mode | The way RSA Identity Governance and Lifecycle handles tasks when the system is in maintenance mode has been updated. The following table describes the way in which RSA Identity Governance and Lifecycle handles each type of task during maintenance mode.
| ||||||||||||||||
| Oracle 19c Qualification | Oracle 19c has been qualified for use in RSA Identity Governance and Lifecycle deployments with customer-supplied databases. |
Additional Features and Improvements
| Feature | What’s New |
|---|---|
| Access Certification | The new user and violation review user interface now allows users to display up to 20 columns. |
| Account Management | The configuration of Account Data Collectors (ADC) now provide an option to allow the reuse of accounts that have been disabled and then deleted. Previously, if an account was disabled before deletion, the account could not be moved back into a pending state if system-wide setting "Enable Disabled Accounts for Entitlement Requests" is enabled. Now, when the new Allow Account Reuse option is selected for an ADC, when disabled accounts are deleted, the disabled flag is removed from the account, which allows the accounts to be reused. |
| Data Collection Processing and Management | When a data collection run fails due to the circuit breaker, the circuit breaker is ignored when a user re-processes the data collection run. |
| | The method of selecting recipients for report emails has been improved. Previously, email recipients had to be directly selected. With this improvement, you can filter users based on user IDs, attributes, and relationships to roles and groups. |
| Role Management | The way in which role metrics are calculated has been updated to improve performance for users. |
| Rules | The method of selecting roles for role membership change, role membership rule difference, role metric change, and role missing entitlements rules has been improved to allow the selection of roles using an advanced search filter. |
| Rules | The method of selecting groups for group membership change rules has been improved to allow the selection of groups using an advanced search filter. |
| Rules | The ordering of the tabs under Rules > Violations has changed so that By Violation appears before Violation Remediation. |
| Server Core | The first time a system administrator logs on to the RSA Identity Governance and Lifecycle user interface, to agree to the license, he or she must enter the Customer ID, Customer Name, and System Type. The Customer ID value is provided by RSA and is provided to all customers through email. These values are logged in the diagnostics and system data. |
| Web Services | A new runReport web service has been added, which allows reports to be run by name. |
Functional Changes
The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2.1 as the result of fixed issues.
| Issue | Description |
|---|---|
| Access Requests ACM-106144 | When trying to create a change request for which a pending change request already existed, a warning message is now displayed and the Finish button is disabled. Previously, the system allowed the creation of a change request even when a pending submission existed. |
| Account Management ACM-103431 | Previously, pending accounts associated with a Create Account change item were deleted for a change request when any duplicate account was found. Pending accounts are now deleted only for rejected change items for which the duplicate account is found, and the account will be renamed successfully based on the account template configuration for Create Account change item. |
| ACM Security Model ACM-104748 | The security context CSV file has been updated to remove deprecated entries. Now, the Role, Role Set, Rule, Rule Set, Data Resource Set, and Directory objects are no longer associated with Business Units. |
| AFX ACM-103661 | Remote AFX and agents do not work after upgrading Java 1.8 JDK to u241 or higher. This patch updates the generation of the self-signed certificates for RSA Identity Governance and Lifecycle. If you have applied this patch and upgraded to Java version JDK 8u241 or higher, you must download or regenerate the self-signed certificates for RSA Identity Governance and Lifecycle into your environment and restart the server.
|
| Change Requests and Workflows ACM-103314 | The RSA Identity Governance and Lifecycle user interface now allows the cancellation of change request items in a pending verification state when the change request and workflows are completed. |
| Change Requests and Workflows ACM-105347 | The Cancel button is no longer enabled when a change request is in the Undoing state. |
| Change Requests and Workflows ACM-103619 | On an approval workflow node, users can now configure the approval due date to start either on the job start time or the node start time. |
| Change Requests and Workflows ACM-103356 | Added a tooltip to clarify that the "Max items per change request" setting does not affect change requests adding or removing entitlements from roles. Changes generated from roles are always in a single request to ensure that dependencies are clear to approvers. |
| Change Requests and Workflows ACM-102222 | Admin > Workflow > Settings has a new scheduled task to ensure that the workflow completes when a request has all watches closed. |
| Connector ACM-103791 | The RESTful webservices connector now retrieves and stores id_token, if available, in addition to the access_token when using the OAuth2 flow for authorization. This can be used while making the API requests. |
| Data Collection Processing and Management ACM-104994 | Previously, unification occurred even when mandatory collections failed. Scheduled unification and IDC post-processing now only occurs after successful collections. |
| Database Management ACM-104549 | Added additional workflow object auditing to include editing as well as create and delete. Also added auditing for edit, create, and delete workflow forms. |
| Local Entitlements ACM-103319 | Change requests can now remove entitlements from deleted users, and users are prompted to enter a comment in the change request item. |
| Role Management ACM-103544 | RSA Identity Governance and Lifecycle no longer allows users to submit a new change request when a pending account in a pending submission already exists. |
| Role Management ACM-105029 | When removing a role through a role review that has both members and entitlements, the system now calculates the indirects for the revocation. |
| User Interface ACM-104556 | The schema no longer allows null values for the CanRequest field when editing groups. |
| User Interface | The user interface now uses the terms trusted list and untrusted list instead of whitelist and blacklist. |