Summary:
The Identity Management and Governance (IMG) product team is currently working hard to prepare the next major release for the IMG product. In preparation for this release we wanted to ensure our customer base is aware of product changes that may impact your current deployment. This message identifies actions you can take to assess potential impacts as well as tools that we are making available to assist with this assessment and get a jump on data cleanup prior to upgrading.
Customers should review the details provided below on the following changes that are coming as part of the next major IMG release:
¥ Database upgrade from Oracle 11.x Standard Edition(SE) to Oracle 12c Enterprise Edition (EE)
¥ Deprecation of support for earlier Internet Explorer (IE) versions
¥ Deprecation of support for original Aveksa Security Model
¥ Deprecation of Identity Collector (IDC) groups
¥ Rejection of duplicate entitlements
¥ Rejection of cyclic groups
¥ Significant role data collector changes
Details:
Database Upgrade from Oracle 11.x SE to Oracle 12c EE
In order to better support existing and future memory utilization, our 7.0.0 release will require you to upgrade to Oracle 12c EE. We will be shipping version 12.1.0.2 of the Oracle 12c EE database with the appliance form factors of the IMG 7.0.0 release. During installation, you will be prompted to create a valid backup of your most recent data before proceeding. Additionally, please note that if you are using a remote database, you will not be permitted to upgrade to IMG 7.0.0 unless that database is Oracle 12.1.0.2. (Oracle has announced end-of-support for their 11.x database - http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf).
Deprecation of Support for Older Versions of Windows Internet Explorer (IE)
If you use IE to access your IMG 7.0.0 application, you will be required to use IE 10 or higher. There are numerous reasons for this, but a central one remains security. Microsoft has announced end-of-life for IE8 and security support will end in January 2016. Moreover, Chrome, Firefox and IE10 forward are considered ""evergreen browsers"" - thus, browser providers will auto-update their respective browsers on a regular basis.
Dropping Support for Original Security Model
The pre-6.5 version of our security model will no longer function - it has been replaced by an updated model. 6.5 systems and newer are already using the new security model unless you explicitly changed the configuration to the older model. When you start the 7.0.0 system, it will check if the pre-6.5 security model has been migrated to the current security model - if it has not, it will migrate what it can of the previous security model to the current model. Please note that you will no longer be permitted to re-invoke the pre-6.5 security model.
Deprecation of Identity Collector (IDC) Groups
IDC Groups have been deprecated since the 6.0 release, although we did grandfather in existing configurations, we are now changing the system so that it will no longer collect IDC Groups. In order to still have the groups in the system a similarly configured Account Data Collector will have to be configured to collect the groups and its members. Any Entitlement Data collector will have to then be reconfigured to resolve its collected group information to the new ADC.
Duplicate Entitlement Rejection
Multiple collectors can be configured to collect objects for an Application (account, entitlements, application roles, etc), previously if more than one collector collected an application role it would show up twice in the system causing confusion among users. Now when a subsequent collector collects a duplicate name within an application it will be rejected.
Cyclic Group Rejection
Previously we allowed cycles in groups to be collected and stored in the system. We will no longer allow cycles to be collected. If we now collect a group to sub-group relationship and find that it causes a loop with any other group data in the system we will reject the collected group relationship.
Significant Changes to Role Data Collector (RDC)
- There is a new configuration wizard to make the RDC consistent with the other collectors.
- We will no longer allow for the collection of Groups as members of a role, but still allow groups to be part of the role definition.
- We have also broken the relationship between the RDC and the Entitlement Data Collector (EDC). The new EDC will no longer collect any entitlements for an RDC. The RDC is now responsible for collecting all of its members and its entire definition. This will require a reconfiguration of the RDC and the EDC as well as a change in the order of their execution. Now an RDC will need to run last after all the other collections have occurred.
- The RDC no longer has an application mapping, instead we advise you collect a reference to the application for any entitlements in the Roles definition and then specify which attribute of an application is used for the translation.
Migration Report Assistance
In order to help our customers identify potential issues with many of the changes mentioned above, we will be posting a migration report tool to SCOL. This will either indicate your data is already in compliance and ready for an upgrade or the report tool will identify problems along with steps to fix the data problems. We will send out another notification when this tool is available.
Recommendation:
We strongly recommend that customers review the information and actions identified above to assist with preparations for the next major release of the IMG platform (V7.0.0).
