The following issues were fixed in RSA Identity Governance and Lifecycle version 7.1.1 Patch 7.
Review bulk actions were not always persisted for items across all pages when comments were added or when the state of the review items was changed to NONE.
The 'Account Name' and 'Name' columns were blank for entitlements displayed under the 'Existing Entitlements for Accounts that will be enabled' table on the change request detail page. The query has been fixed to fetch these column values.
A user was incorrectly able to select multiple users from a deletion request, because the table was not properly cleared when navigating back and forth.
Revocations of local entitlements were automatically completed by the system even when the ApplyImmediate tag was set to false. The system now correctly considers the ApplyImmediate tag when processing.
Rejection of a change item through approval did not update the review item from which it was generated. Review items are now updated in the cases of change item or request cancellation.
When a user logged in with the same user ID in multiple windows of the same browser to access the application, a "request could not be handled" message appeared while performing actions on Role and Review pages. This issue has been addressed, and users can now use multiple browser windows with the same login without any error messages.
During attribute synchronization, AFX updated Active Directory with the text from a command parameter mapping instead of the actual value.
ACM Security Model
The security scope pop-up did not display "Report Result: Run" or "Report Result: View Report" when there was no result generated for those reports. Now the report name is displayed in the pop-up even if a report result does not yet exist.
When a change request in an RACF connector used the $ symbol in a value, the $ symbol and everything following it were skipped during execution.
The system sent two password available emails for a single change request item, because an email was triggered after change request item completion and again after change request completion.
Error management for the Unauthorized (401) error in AFX authentication has been improved.
When a single work item out of multiple work items in a change request was not fulfilled by AFX, change requests were kept in the fulfillment phase and their associated workflows were flagged as stalled. The work item was fulfilled only after restarting AFX.
Change Requests and Workflows
The due date for an approval node was previously dependent on the start time of the job.
When an approval was rejected, the email incorrectly used the user ID instead of the ID for a dynamic role or group.
When a pending account had dependencies in another change request, and the pending account's change request was rejected by the approver, all of the items other than the pending account were rejected, and the pending account was provisioned.
Accessing workflows using an HTTP proxy caused the application to continuously load the workflows.
The security improvement to remove parameters for architect processes from the URL did not handle the situation in which the default ports 80 and 443 were removed from the browser but the application server still provided them to the user interface. This mismatch prevented iframe communication from matching.
The RESTful web service connector required a client secret when using OAuth2 authentication. The client secret is now optional, because it is not required by the OAuth2 protocol.
Collectors could not be changed or updated when using a language other than English.
The REST connector login capability did not use input parameters when generating a session token.
The REST connector did not use the Accept header as expected to accept all content types.
The REST connector was adding unnecessary, unconfigured HTTP headers to configured capabilities.
While creating a REST connector, the application added an extra output parameter pattern after saving the connector.
In the AFX DB connector capabilities, the display of the input parameter pop-up for SQL commands has been handled.
Data Collection Processing and Management
After deleting a collector, the entitlement count in the "Total Entitlements" column displayed the same number of entitlements as before the deletion.
The role data collector counted extra rejected role membership from all role collector runs.
SF-1537490 SF-1574041 SF-1566464 SF-151295
Unification did not properly update the Terminated Flag for a user, which caused the Termination Rule to not work properly.
When an account was a direct member of both a parent group and one of its sub-groups, a change item to remove the account from the parent group was verified only after removing the account from the sub-group.
Indirect relationship processing runs took increasingly longer amounts of time on each subsequent day.
Added additional workflow object auditing to include editing as well as create and delete. Also added auditing for edit, create, and delete workflow forms.
When deleting older data runs, large groups of selected jobs were used, and connections could exceed the maximum Oracle processes. This has been optimized to handle large groups of data properly.
Business users were unable to edit role names and description after import.
After importing application metadata, the business and technical owners were not properly updated.
When a form filter contained a variable to resolve in view/edit cases and there was no valid context to resolve the variables, SQL errors appeared in the logs.
After a user with non-administrator privileges clicked the Remove button to remove a role, the buttons did not refresh to say Removed as expected. This patch ensures that the buttons are correctly refreshed when the Remove button is clicked.
Role mining incorrectly considered deleted group membership.
Automatically generated revocation change requests for a role did not include role entitlements.
Users were able to see missing entitlements assigned to a user through a role, even after processing the Role Missing Entitlement Rule, because it was not recalculating required metrics.
Role Set Technical Owner/Other Technical Owner and Business Owner/Other Business Owner were unable to take bulk actions on their roles under Roles > Roles > Actions.
Roles that were assigned to removed role sets were unable to be viewed or modified by the role owners, if the roles were moved to other role sets but not committed.
A change request to remove a user from several business roles completed but did not remove the user's access.
The purging process now includes clean-up of abandoned RoleVersions.
In segregation of duty (SoD) rule workflows, the decision node did not correctly transition to the true condition.
When an entitlement explained by a role was in violation, the remediation action was performed on the entitlement instead of the role. With this patch, remediations on violations of entitlements explained by roles are performed on the role.
A change request contained a violation even after the violating entitlement was removed from the role.
The Role Missing Entitlement Rule created a change request with duplicate items.
An advanced query in the search expression dialog that had the “IN” condition with multiple values resulted in an invalid relational operator error.
A rule incorrectly tried to disable accounts without entitlements that were still pending or had in-progress change requests.
When performing a key rollover/re-encryption, the collector or connector passwords were not re-encrypted with the latest keys until the collector or connector was re-saved from the user interface, even when the option to re-encrypt stored data was selected.
System status notification events that were not processed before a restart were ignored and the indicator was not shown until the next occurrence.
The database SID and server name were logged into the T_ARCHIVE table as part of the archive process by reading the details from Aveksa_System.cfg. The Aveksa_System.cfg file is not available in WebSphere and WebLogic environments, so changes have been made to read the SID and server name directly from the database.
The pruning process did not include canceled events.
The Activities breadcrumb in My Activities did not work as expected.
The table options dialog box displayed a horizontal scroll bar when the text was longer than the dialog width. Longer lines of text are now wrapped to prevent the need for horizontal scrolling.
Calling the createChangeRequest web service did not work as expected from workflows.
The updateReviewItems web service did not work correctly for a user with multiple accounts.
Requests submitted using the createChangeRequest web service did not show violations when failOnViolation was set to false.