The following issues were fixed in RSA Identity Governance and Lifecycle version 7.2.1.
Access Certification
Issue | Description |
---|---|
SF-1475193 ACM-103400 | Review bulk actions were not always persisted for items across all pages when comments were added or when the state of the review items was changed to NONE. |
SF-1499829 ACM-102779 | Review monitors with read and write privileges on a review were incorrectly able to edit and create escalations on reviews. |
SF-1484596 ACM-102479 | Alternate managers were able to self-review items even when the self-review option was not enabled on a review. |
SF-1586270 ACM-104765 | The help text for account review action buttons previously displayed help text for user access reviews. Now the correct help text is displayed. |
SF-1606790 ACM-105569 | The count on the view status bar is now displayed correctly based on whether the user is an admin or monitor. |
SF-1438035 ACM-106042 | When there were separate change requests to revoke accounts' entitlements and the account as a whole, canceling the change request for account entitlements reduced the account’s review progress from 100% when it should have remained at 100% while the account as a whole was revoked in review. |
SF-1582475 ACM-104736 | The new review user interface did not display some Swedish characters properly. |
SF-1278861 ACM-93485 | The Backup Business Owner and Other Business Owner were not included as review monitors by default when Business Owner was selected. The system has been updated to include all types of business owners as monitors. |
Access Requests
Issue | Description |
---|---|
SF-1022256 ACM-84860 | Revocations of local entitlements were automatically completed by the system even when the ApplyImmediate tag was set to false. The system now correctly considers the ApplyImmediate tag when processing. |
SF-1606159 ACM-105676 | When a change request was created and the system restarted, if no workflow had been created and linked to the change request, the system created a request workflow based on the configuration. Previously in RSA Identity Governance and Lifecycle 7.1.1, the configuration was based on the workflow on the configuration screen. However, when using a request form with a request workflow assigned, the system did not use that assigned workflow. In 7.2.0, RSA Identity Governance and Lifecycle enabled the configuration of which request workflows to use at the role set level, and this fix takes that configuration into consideration. |
SF-1556834 ACM-104089 | Change requests displayed the wrong user name associated with a canceled change request message. Change requests now correctly display the user that initiated the canceled workflow job. |
SF-1616174 ACM-106063 | Pending submission change requests were not properly cleaned up. |
SF-1587581 ACM-105533 | Account names with spaces or special characters are not allowed, but migration from earlier versions did not convert the unsupported characters to underscores as expected. |
SF-1381633 ACM-98504 | An account that was disabled and then deleted could not be recreated for a rehire because the account name already existed in the system. |
SF-1604704 ACM-105756 | Unable to reject approvals for application role items. |
SF-1544144 ACM-103501 | Hardened code to prevent duplicate out-of-office entries for a given user. |
SF-1541463 ACM-104020 | A user had duplicate local entitlements when activity was assigned in Manual Activities. |
Account Management
Issue | Description |
---|---|
SF-1457802 ACM-102023 | During attribute synchronization, AFX updated Active Directory with the text from a command parameter mapping instead of the actual value. |
ACM Security Model
Issue | Description |
---|---|
SF-1427402 ACM-101172 | The security scope pop-up did not display "Report Result: Run" or "Report Result: View Report" when there was no result generated for those reports. Now the report name is displayed in the pop-up even if a report result does not yet exist. |
SF-1591275 ACM-105178 | Supervisors were unable to see the details of requests created by their subordinates or others. |
AFX
Issue | Description |
---|---|
SF-1134811 ACM-85408 | When a change request in an RACF connector used the $ symbol in a value, the $ symbol and everything following it was skipped during execution. |
SF-1574539 ACM-104735 | After AFX restarted, the settings for a connector configured with a password vault configuration did not substitute the credentials correctly. |
SF-1590723 ACM-105499 | Changing the response timeout for RESTful web service connectors had no effect on non-GET requests. |
SF-1445248 ACM-101553 | When a single work item out of multiple work items in a change request was not fulfilled by AFX, change requests were kept in the fulfillment phase and their associated workflows were flagged as stalled. The work item was fulfilled only after restarting AFX. |
Attribute Synchronization
Issue | Description |
---|---|
SF-1593127 ACM-105245 | Attribute synchronization request did not generate a workflow for managed attributes, because the system closed the connection before the request was processed. |
SF-1589184 ACM-104937 | The strings "Contains Privileged Access" and "Business Criticality" were not localized. |
Change Requests and Workflows
Issue | Description |
---|---|
SF-1492500 ACM-103314 | The user interface previously allowed users to cancel change request items in a pending verification state only if the change request was in the open state and the workflows were in an active state. |
SF-1549340 ACM-103619 | The due date for an approval node was previously dependent on the start time of the job. |
SF-1399646 ACM-102701 | When an approval was rejected, the email incorrectly used the user ID instead of the ID for a dynamic role or group. |
SF-1472575 ACM-103356 | Clarification was needed that the "Max items per change request" setting does not affect change requests that add or remove entitlements from roles. |
SF-1477172 ACM-102222 | Requests with all watches closed incorrectly remained open. |
SF-01599922 ACM-105347 | When using the Cancel/Undoing workflow settings on the request-level workflow with an escalation workflow, a request could get stuck in the Canceling state. |
SF-1538952 ACM-105010 | Rejection of an escalation workflow could result in the Reject Items node becoming stuck. |
SF-1478898 ACM-103802 | An entire change request was rejected when it contained a change item related to a deleted role. This has been fixed to reject only items containing the deleted role reference. |
SF-1598634 ACM-105433 | Class cast exception occurred when using a selected role ID in a fulfillment node. |
SF-1577028 ACM-106051 | The Entitlements and Application Roles approval workflow was not triggered as expected. |
SF-1592259 ACM-105056 | Unable to save a hyperlink in a workflow email when the value contained a job-level variable. |
SF-1537522 ACM-104940 | The technical approval node email created an email with the incorrect thread name. |
SF-1566993 ACM-104864 | The change request milestone did not display approvals that were canceled due to escalations. |
SF-1539391 ACM-103523 | The Aveksa Statistics Report (ASR) displayed a larger number of pending activities than were actually pending in RSA Identity Governance and Lifecycle. |
SF-1544939 ACM-103621 | Admin error emails with incorrect warn-level log messages about queue depth were being sent. |
SF-1557572 ACM-103996 | Improved queries with large role modifications to avoid Oracle limits for the number of parameters. |
Collector
Issue | Description |
---|---|
SF-1594887 ACM-105142 | The Last Successful Collection Date was incorrectly updated after a collection was aborted, for example by the circuit breaker. This value is now updated only after a successful run. |
SF-1567476 ACM-104753 | Running an SQL query with multiple CSV files in the group data query in Account Data Collector with the HXTT CSV Driver returned incorrect results. |
SF-1598577 ACM-105338 | The Generic REST collector failed with an unexpected content-type error. |
SF-1582343 ACM-104961 | Optimized parsing of JSONPath for array of child elements in Generic REST EDCs. |
SF-1439321 ACM-100947 | The RESTful webservice connector required a client secret when using OAUTH2 authentication. The client secret is now optional, because it is not required by the OAUTH2 protocol. |
SF-1589041 ACM-104046 | Existing functionality for the Generic REST collector did not parse data using JSONPath for multi-level child attributes and partial match of account attributes. |
SF-1561165 ACM-104088 | When deleting older data runs, large groups of selected jobs were used and connections could exceed the maximum Oracle processes. This has been optimized to handle large groups of data properly. |
Connector
Issue | Description |
---|---|
SF-1478347 ACM-103127 | After importing an AFX connector, the import displayed the raw name of the connector instead of the display name. |
SF-1478347 ACM-103128 | When cloning a connector after changing its name, a connector with a duplicate name was created. |
SF-1579875 ACM-104975 | When an Active Directory account was created with a slash (/) in the account name, change requests failed with a naming exception. Processing has been fixed to handle the slash character (/) in account creation. |
SF-1611994 ACM-105907 | During connector deployment, the password value from the connector settings was not properly substituted into the capability command code. |
SF-1601214 ACM-105330 | When using a regular expression within a RESTful connector that contained the plus (+) character, the + was replaced by a space when saving the connector. |
SF-1403423 ACM-103358 | When using the Salesforce REST connector, the updateAccount command with additional parameters failed to update the new parameters on the endpoint. |
SF-1553830 ACM-104033 | When using the Salesforce AFX connector, the proxy details used to fetch the access token were not persisted if they were not provided when the connector was first created. |
Custom Attributes
Issue | Description |
---|---|
SF-1587983 ACM-105009 | Duplicate display names of custom attributes across objects have been fixed by prefixing them with the object name in the user entitlement search expression builder. This allows the user to pick the correct custom attribute when duplicate attributes exist. |
SF-1469946 ACM-102090 | A custom field pointing to an object was not usable in entitlement rules and content filters for user access reviews. |
Data Collection Processing and Management
Issue | Description |
---|---|
SF-1590068 ACM-104994 | Scheduled unification ran even when the mandatory collector failed. |
SF-1542605 ACM-104538 | Deleting a collector did not clean up the t_av_job_stats data, causing data inconsistencies in the database. |
SF-1564521 ACM-104148 | After a supervisor's name was edited in a data source and then collected by RSA Identity Governance and Lifecycle, the new supervisor name was not shown in user records under the Supervisor field. |
SF-1580538 ACM-104589 | During the “Process Deleted Role Relationships” step of an indirect relationship processing run, some collections ran slowly on environments with Local Roles containing a large number of entitlements and/or Collected Roles. |
SF-1591514 ACM-105117 | Duplicate identities were created for rehires that were moved to a different OU. |
SF-1626177 ACM-106467 | Some SQL associated with collections defined as DB Type CSV failed with a java.sql.SQLException: java.lang.ClassCastException error. |
SF-1605864 ACM-105803 | The CSV collector did not populate some joined fields. |
SF-1592985 ACM-105775 | The NVL function in Account Mapping queries failed when the account length was more than 20 characters. |
SF-1592952 ACM-105059 | The Active Directory ADC rejected group memberships for accounts with distinguishedName values larger than 256 characters. |
SF-1470968 ACM-103361 | Added optimizations for databases with large data sets when doing change verification tasks. |
Database Management/Performance
Issue | Description |
---|---|
SF-1584073 ACM-104642 | Optimized the database index in the rule table to improve rule pre-processing. |
ACM-105383 | Corrected the spelling of the state name "Invalid" in the State column of the public view PV_AV_AFX_REQUEST. |
SF-1554010 ACM-103944 | Improvements made to business description processing. |
SF-1610940 ACM-105801 | ArchivePurge_Pkg failed on t_av_rules. |
SF-1603892 ACM-105448 | Archive purging runs erroneously converted hours to days, causing the data purge to end prematurely. |
SF-1581937 ACM-105346 | The ASR report "Configuration Problems" did not identify 12.2 optimizer settings. Now, ASR report generation queries are reframed dynamically to find the recommended settings for specific Oracle versions. |
SF-1582473 ACM-104885 | Long-running data purging became stuck during cleanup of WP_WI_ALERT. |
SF-1593317 ACM-104869 | The public view PV_REVIEW_DEFINITION has been updated to exclude duplicate and deleted review definitions. |
Issue | Description |
---|---|
SF-1610400 ACM-105875 | Caching of column values caused incorrect content to be written into email. Caching has been removed. |
Installer
Issue | Description |
---|---|
SF-1645748 ACM-107185 | Upgrade database migration failed if the database was configured with non-default tablespace names. |
Local Entitlements
Issue | Description |
---|---|
SF-1551011 ACM-103676 | A local entitlement did not appear in the total entitlements count in the directory/application. |
SF-1468644 ACM-103319 | A change request was unable to process the removal of a local entitlement from a deleted user. |
Metadata Import/Export
Issue | Description |
---|---|
SF-1510215 ACM-102938 | Business users were unable to edit role names and descriptions after import. |
Migration
Issue | Description |
---|---|
SF-1567387 ACM-104240 | When performing a migration of a very deep (multi-level node) workflow, the upgrade error ORA-01489 occurred. |
Reports
Issue | Description |
---|---|
SF-1483936 ACM-102582 | After running an unscheduled report, the related email incorrectly attached the last scheduled report. |
SF-1537039 ACM-103677 | Aveksa Statistics Report (ASR) generation was stalling in the Generating state. |
Request Forms
Issue | Description |
---|---|
SF-1578947 ACM-104553 | Indirect entitlements held by a user were incorrectly available for selection in request forms when the control type was set to Entitlement Table. |
SF-1492188 ACM-103789 | After a user set a default value for the "Drop down select" field in a request form, the Next button appeared disabled while running the form. |
Role Management
Issue | Description |
---|---|
SF-1539649 ACM-103719 | After a user with non-administrator privileges clicked the Remove button to remove a role, the buttons did not refresh to say Removed as expected. This patch ensures that the buttons are correctly refreshed when the Remove button is clicked. |
SF-1539762 ACM-103591 | Role mining incorrectly considered deleted group membership. |
SF-1539132 ACM-103354 | Deleted or obsolete role versions were occasionally not properly removed from system tables. |
SF-1518077 ACM-103240 | Custom Attribute columns displayed an incorrect value during role analysis for suggested entitlements. |
SF-1485467 ACM-102423 | When exporting all roles, the entire export failed when an unexpected error occurred for any of the included roles. |
SF-1134364 ACM-86976 | The role management history table occasionally displayed two instances of the role to change request link instead of just one. |
SF-1547382 ACM-103544 | RSA Identity Governance and Lifecycle handled identical change requests differently when they were made for business roles or single entitlements. |
SF-1592592 ACM-105029 | Change requests generated from the Role Review role did not consider Accounts, causing entitlements to be missed. |
SF-1583693 ACM-104431 | Incorrect calculations occurred for local role dependencies related to multi-level roles and/or disabled roles. |
SF-1610264 ACM-105804 | When a role import failed, exception details were not displayed. |
SF-1605559 ACM-105516 | The role set drop-down is now sorted by name instead of raw name. |
SF-1559134 ACM-105406 | Pending change requests were updated if the associated role for the change request was moved from one role set to a different role set before the change request was completed. |
SF-1575075 ACM-104536 | A user was not removed from all nested roles when the user was removed from a parent role in the Members tab. |
SF-1604855 ACM-105662 | Change request creation failed because of a size limitation when bulk removing a user from a large number of roles, either by revoking them through a rule or explicitly requesting to remove them. |
SF-1464633 ACM-101822 | Users were able to see missing entitlements assigned to a user through a role, even after processing the Role Missing Entitlement Rule, because it was not recalculating required metrics. |
SF-1467613 ACM-102474 | After importing application metadata, the business and technical owners were not properly updated. |
SF-1508343 ACM-102991 | Unexpected behavior occurred when technical roles had a cyclic dependency. |
SF-1543705 ACM-103471 | After adding groups with the same name from different applications or directories to a role, the role remained with only one group. |
SF-1561439 ACM-104041 | Roles that were assigned to removed role sets could not be viewed or modified by the role owners if the roles were moved to other role sets but not committed. |
SF-1564610 ACM-104162 | Role preview changes showed the wrong items when a role set was modified in a role. |
SF-1563101 ACM-104295 | Role import did not resolve business sources for groups collected from an MAADC, and the role export XML file did not have the application name attribute for group entitlements. |
Rules
Issue | Description |
---|---|
SF-1491818 ACM-103345 | In segregation of duty (SoD) rule workflows, the decision node did not correctly transition to the true condition. |
SF-1419233 ACM-100266 | Unable to change the status of a rule when the rule action to send email contained deleted users. |
SF-1470661 ACM-102053 | User coverage in Segregation of Duties (SoD) rules did not filter users with a null attribute value. |
SF-1478081 ACM-102303 | After editing a joiner rule, the workflow reference was reset to the default out-of-the-box workflow. |
SF-1419556 ACM-98823 | Optimized queries related to violation tables to improve rendering. |
SF-1442843 ACM-103662 | SOD rules failed due to a data type conflict. |
SF-1615486 ACM-106007 | Rules pre-processing was triggered twice when a collector was triggered with an identity collector and unification. However, two rule pre-processing events cannot exist in the queue in a New or Running state at any point of time. |
SF-1382707 ACM-98587 | User access and SOD rules created incorrect violation and change requests when a user was a part of a group's child sub-group. The incorrect change request was created to remove the subgroup's account from the parent group. This patch ensures that the violation and change items are correctly created to remove the account from the sub-group. |
SF-1419556 ACM-99901 | Improved query performance when retrieving Rule Violation Data. |
SF-1540199 ACM-103519 | An Advance query in the search expression dialog that had the “IN” condition with multiple values resulted in an invalid relational operator error. |
SF-1547928 ACM-103574 | The Role Missing Entitlement Rule created a change request with duplicate items. |
Security
Issue | Description |
---|---|
SF-1618107 ACM-106164 | In workflow emails, hyperlinks that contained a dynamic workflow variable were removed. |
Server Core
Issue | Description |
---|---|
SF-1595163 ACM-105321 | Updated the Apache Tomcat library to address a vulnerability. |
User Interface
Issue | Description |
---|---|
SF-1488517 ACM-102504 | After importing a database from another system, the workflow monitoring tab displayed both the current node name and the original node name. |
SF-1512524 ACM-104556 | A "request could not be handled" error occurred when editing some groups. |
SF-1576856 ACM-104507 | The date format under Admin > Workflow > Monitoring > Queues now displays the same date format as is configured under the User option. |
SF-1546960 ACM-103552 | In the latest version of Firefox, frames in the user interface were sometimes reduced to a smaller area with scroll bars. |
SF-1602260 ACM-105500 | When displaying change requests that had an escalation, the Requests screen displayed an error in the first column when the Escalations column was used. |
SF-1587708 ACM-104907 | The All tab under User > Requests only displayed pending requests and not completed requests. |
SF-1547373 ACM-103542 | After creating a change request, if a user browsed away from the page or closed the window before submitting, the pending change request submission was not visible in the user's UI until the user logged in a second time. |