SecurID® Governance & Lifecycle Product Documentation
- RSA Community
- :
- Products
- :
- SecurID Governance & Lifecycle
- :
- Documentation
- :
- Product Documentation
- :
- Fixed Issues in 7.1.1
-
Options
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Fixed Issues in 7.1.1
The following issues were fixed in RSA Identity Governance and Lifecycle version 7.1.1.
Access Certification
| Issue | Description |
|---|---|
| SF-1044154 ACM-82969 | Change Requests in Open status without a workflow ID defaulted to the Explicit Access workflow after restarting the application. |
| SF-839034 ACM-66789 | A review opened through an email link, then canceled, opened a null page after confirmation instead of the home page. |
| SF-855955 ACM-68187 | Comments for review items could not be applied as part of a bulk update. |
| SF-1058478 ACM-82186 | Triggering the Escalation Workflow of Review Reassign sent two emails to the user. |
| SF-1120715 ACM-84607 | The email link to view a role review opened to an error page. |
| SF-1124917 ACM-84693 | A null pointer exception occurred when a reviewer opened the review using the email link, performed an action, then saved. |
| SF-1008666 ACM-79783 | Non-existent access to a group appeared for users in a User Access Review. |
| SF-597513 ACM-51149 | Multiple Account Review attributes did not properly translate to other languages. |
| SF-1153118 ACM-86633 | Revoking a user during a fine-grained role review resulted in a long delay before the status bar was updated. |
| SF-1110632 ACM-84590 | Application coverage statistics showed incorrect values by not including roles and groups. |
| SF-1083271 ACM-83163 | After uploading a coverage file to delegate a sign-off to another user, duplicate Entitlements appeared in a User Access Review. |
| SF-1144992 ACM-85868 | An on-hold role review that was closed without changes incorrectly marked a role as "changed". |
| SF-924608 ACM-72958 | Group review results for monitors incorrectly displayed the member count for all groups as zero. |
| SF-1184310 ACM-88254 | After performing bulk maintain actions on general category items, the user interface did not indicate that any action was in process. This caused the user to attempt to perform the action multiple times, even though it was already in progress. |
| SF-1167341 ACM-87169 | The new reviewer interface included access for terminated users in the low-risk category by default. |
| SF-1190649 ACM-88508 | The global table options for filters, groups, and columns did not work for the Reassign and Share Review functions in the new User Access Review interface. |
| SF-1195963 ACM-88680 | A reviewer without required privileges could download the full list of users and attributes from any User Picker pop-up. |
| SF-1202327 ACM-89970 | Large-scale reviews used all available memory and crashed the server with OutOfMemory errors. |
| SF-1202327 ACM-88929 | Out of Memory errors occurred during large reviews. |
| SF-1205481 ACM-89536 | A privilege column added to the reviewer coverage file of an account review definition did not appear in a .csv file saved from the data. |
| SF-1157646 ACM-86823 | Reviews erroneously generated sign off reminder emails when reviewers were not allowed to sign off for themselves. |
| SF-1176460 ACM-87929 | A reassigned review configured to allow a delegated user to sign off did not enable a delegate to sign off as intended. |
| SF-1239517 ACM-91180 | Review Generation for large datasets slowed in performance after an upgrade. |
| SF-1173057 ACM-88464 | Account reviews that generated change requests explicitly by owner did not properly create revoke item change requests if application business owners and directory technical owners were granted monitor access. |
| ACM-88164 | A fine-grained role review for bulk revokes of role memberships with large user counts performed slower than expected. |
| ACM-92706 | A bulk revoke action during a fine-grained role review on a role's user member or entitlement that was already revoked caused an error. |
| SF-1071410 ACM-81974 | After disabling bulk actions on review items, bulk actions were not disabled on all review tabs. |
| SF-829112 ACM-66227 | Reviews were not generated for users with no last name. |
| SF-1172050 ACM-87433 | The default introductory text on the review escalation configuration screen was unclear. |
| SF-839401 ACM-66836 | In the legacy reviewer UI, the Review Item Comments and History window did not display special characters properly. This issue is resolved for the new review experience. |
| SF-1178009 ACM-90758 | A reviewer listed in the Escalations Tab could not be found by the search tool. |
Access Requests
| Issue | Description |
|---|---|
| SF-964684 ACM-76816 | Access Requests with violations could be submitted by requestors when the filter was defined with more than one role attribute. |
| SF-1021090 ACM-78198 | Approval nodes assigned access requests to out-of-office supervisors if those supervisors were part of the approval workflow at another level. |
| SF-1102047 ACM-83563 | Custom attribute value lists degraded the performance of rendering the User Access pages. |
| SF-01110863 ACM-84248 | Attributes with “on” and no date caused an exception error during the display of the milestone on the Change Request Detail page. |
| SF-1066622 ACM-83225 | An error occurred identifying the application name in a change request when the application had a Directory For Accounts setting. |
| SF-1122693 ACM-84601 | A pending change request with a large number of new accounts could cause a cleanup issue when restarting. |
| SF-1098397 ACM-83297 | A Review query was not optimized for large datasets and used too much database memory. |
| SF-818651 ACM-64918 | Business Sources excluded from Add Access and Suggestions were visible under Requests > Create Requests > Add Access, but their entitlements could not be requested. |
| SF-1042229 ACM-80274 | The manual activity assignment link became disabled after a few hours if dynamic groups or roles were in use. |
| SF-1103472 ACM-84436 | AFX logs were not filtered as relevant to a request. |
| SF-1133285 ACM-85099 | When a web service was assigned for a request, an error occurred when clicking on the default form under "Additional Information". |
| SF-1049128 ACM-79721 | A change in property types, caused by change requests for accounts that generated revocation change requests for users, led to incomplete information for revocation that failed on fulfillment errors. |
| SF-1081182 ACM-83561 | Change requests could be skipped by the processing workflow. |
| SF-1122086 ACM-84828 | An automatically generated revocation request would fail when using a directory for an account. |
| SF-1189389 ACM-88467 | The system did not generate change requests from violation remediation actions for revoked accounts when simultaneously revoking and giving exceptional access for multiple accounts that belonged to the same app role. |
| SF-1223556 ACM-90304 | When reverting a pending account, an Oracle error “ORA-19279” prevented successful completion of the action. Also, restarting RSA Identity Governance and Lifecycle while some change requests were not finalized could result in the same Oracle error “ORA-19279” and prevent server initialization that resulted in users not being able to log in. |
| SF-1162322 ACM-75782 | A change request could not be performed because it misnamed the account name for the requested entitlements. |
| SF-1156659 ACM-86562 | The Entitlement View did not filter correctly as instructed by "Initial set of entitlements to show" when triggered by a request button. |
| SF-1193655 ACM-89679 | If a user closes the browser or navigates away from the page using any function other than the cancel or back buttons, entries for pending accounts are left in T_AV_ACCOUNTS. |
| SF-1189546 ACM-92989 | An added submission field did not appear in Additional Information while creating a Change Request for an application with groups. |
Account Management
| Issue | Description |
|---|---|
| SF-837790 ACM-78326 | An account template configured with additional account parameters failed to add those parameters to a created account. |
| SF-1104583 ACM-84929 | Imported mapping that had been deleted and recollected from the account data collector source would create duplicate mapping. |
| SF-1109146 ACM-83939 | If the names of created or pending accounts were changed during fulfillment, duplicate accounts formed for returning users with deleted accounts. |
| SF-1143132 ACM-85968 | A pending account cancelled in the fulfillment phase still created an account if the name matched to a previously deleted account. |
| SF-1085269 ACM-83004 | An account template for role and rule changes could be improperly mapped to a request form through a workaround. |
| SF-1147941 ACM-86123 | The user interface did not allow users to remove pending accounts with names that were incorrectly entered. |
| SF-892981 ACM-71073 | The Who Has Access tab did not display any users. |
Admin Errors
| Issue | Description |
|---|---|
| SF-1223251 ACM-90384 | A Notification rule that used Identity Unification as an error source did not send an email to the specified users as expected. |
| SF-1265089 ACM-92855 | The Account Load Data error was not listed for available types in the properties of a Create Admin Error workflow node. |
AFX
| Issue | Description |
|---|---|
| SF-1046014 ACM-83743 | When SOAP AFX connector had an external dependency, it failed to load WSDL over SSL or with basic authentication. |
| SF-1101671 ACM-83564 | The AFX connector accepted and tested a password, but then failed to use it if the password was saved with "<" in the character string. |
| SF-1055876 ACM-80902 | The Database Driver field for the SQLServer connector template did not appear after migration. |
| SF-1194056 ACM-88781 | The maximum length of the JDBC URL field was too short for AFX connectors. |
| SF-1064046 ACM-84535 | The Oracle Directory Server connector failed to create an account when the userPassword attribute was required for account creation. |
| SF-812176 ACM-64806 | AFX command output parameters did not work if the attribute name contained a space. |
| ACM-63928 | The afx_server getlogs command did not produce a gzipped file containing logs. |
| SF-897298 ACM-76107 | After exporting an AFX connector with enabled capabilities, if the capabilities did not have any defined mappings, the capabilities were disabled upon import. |
| SF-936411 ACM-73373 | AFX erroneously resent requests that had previously failed or been canceled. |
Application Wizards
| Issue | Description |
|---|---|
| SF-839184 ACM-67710 | The Users count under Applications > General did not update after importing or updating the mapping. |
| SF-1142271 ACM-85633 | Two or more users with the same name and different user IDs could not be added to a business unit's Other Business Owner field. |
Authentication
| Issue | Description |
|---|---|
| SF-856151 ACM-65647 | Accessing an approval URL when logged in through SSO caused a NullPointerException error. |
| SF-1059226 ACM-84670 | The Forgot Password feature did not work after a change in the user locale by the browser language settings. |
| SF-1215963 ACM-90219 | The Active Directory objectGUID and objectSID were not properly supported attributes from authentication sources for either account or identity data collection. |
| SF-899125 ACM-71387 | A null pointer exception occurred when parsing SAML responses. |
Aveksa Statistics Report
| Issue | Description |
|---|---|
| SF-1165448 ACM-86990 | The ASR did not pull data for Web Application Machine Information. |
| SF-810446 ACM-64920 | A null pointer exception error occurred when creating an ASR with "Include database performance statistics" enabled. |
Change Requests and Workflows
| Issue | Description |
|---|---|
| SF-1053443 ACM-83569 | If Enable Email Reply Processing was unchecked and saved, then related options were not properly hidden. |
| SF-1101627 ACM-83545 | A Delete Account change request could be marked as complete but still show a status of "Pending Action". |
| SF-1069608 ACM-81876 | Manual Request Additional Info escalations could prevent an automatic Reassign to Supervisor escalation from running as expected. |
| SF-1104201 ACM-83552 | The save button did not function properly when a resource, escalation, job variable, or webservice response was added, edited, or deleted. |
| SF-1022154 ACM-78550 | A Change request generated using an unowned group and an owned group would incorrectly assign all of the change request items to the second group’s owner for approval. |
| SF-4036115 ACM-82463 | When generating a change request with users who had outstanding change requests, the generated change request incorrectly excluded any users who did not have an outstanding change request. |
| SF-1098925 ACM-83236 | Imported legacy workflows created before version 7.0.1 had a legacy value not handled by the new architect editor. |
| SF-1110903 ACM-84016 | The Provisioning Command node did not display job variables in the node properties. |
| SF-1118999 ACM-84554 | A user access request with multiple entitlement changes did not reliably create account change items for adding entitlements depending on the order of selected actions. |
| SF-1143477 ACM-85731 | After an upgrade, transition were not displayed in processing workflows that were created in the previous product version. |
| SF-684868 ACM-55740 | After completing an activity, users could see all completed activity on the By Entitlement tab instead of just their own. |
| SF-1077691 ACM-81947 | An exception error occurred when evaluating fulfillments with dynamic roles and group resources. |
| SF-1040676 ACM-79305 | An entire change request would be rejected at the fulfillment phase if it had an entitlement deleted by a partial rejection in the approval phase. |
| SF-867542 ACM-74045 | Activity nodes in a workflow were skipped if AFX fulfillment came back as Completed. |
| SF-929278 ACM-73194 | The Provisioning Command node did not save attribute values correctly when commas were used. |
| SF-1138470 ACM-86190 | Imported workflows could not send email after an upgrade because of email body errors and Send Email node errors. |
| SF-1116690 ACM-85129 | SOAP and REST web service nodes could not be exited if the code window was expanded. |
| SF-1077035 SF-1146372 ACM-83585 | Approval or Fulfillment nodes sometimes skipped when retrying after a concurrency error did not update the job with new node and sub-process data. |
| SF-1156274 ACM-86559 | The workflow reference ID appeared for a subprocess instead of the workflow name when "Only show workflows similar to the current workflow" was checked. |
| SF-1045572 ACM-79675 | The provisioning node mapping misaligned nodes when mapping a hardcoded value to a parameter value with a comma. |
| SF-1176466 ACM-88269 | AFX Requests with the "Entitlements Require Account" setting enabled would stall in the "Waiting for Dependencies" state. |
| SF-1083779 ACM-82500 | Change requests with Joiner rules could experience a deadlock error caused by a Workpoint bug when the workflow is under a heavy load. |
| SF-1043713 ACM-79531 | Workflow variables containing multiple rows of data displayed with the comma delimiters. |
| SF-1192752 ACM-88582 | Change request variables did not appear when fulfillment workflow edits updated the wrong variable. |
| SF-889452 ACM-71049 | The default AFX manual fulfillment subprocess did not have a job state node to cancel change items, which caused change items in a canceled fulfillment to be stuck in "pending verification" status. |
| SF-1173926 ACM-88384 | Custom workflows could not be deleted. |
| SF-981459 ACM-75938 | Accounts and entitlements added through the "Complete Manual Activity Before Collection" feature would not appear in the user interface when referenced outside of the Users page. |
| SF-1152348 ACM-86911 | When a Workpoint license check failed due to a connection issue, the user was required to restart the system or reload the license. |
| SF-1127411 ACM-86163 | The workflow business calendar did not consider holiday hours when assigning due dates to workflow actions. |
| SF-1058844 ACM-83640 | The Show Job Level Variables checkbox did not appear for Escalation workflows. |
| SF-1059087 ACM-81419 | Canceling a change request that added a role with entitlements or groups reverted the role but did not remove indirect entitlements. |
| SF-1168903 ACM-89833 | A change request generated from a termination rule bypassed a custom fulfillment workflow. |
| SF-1217300 ACM-89860 | The URL parameter variables ${ValidReplyAnswers} and ${WorkItemURL} did not show in the workflow design page as available shortcuts. |
| SF-981092 ACM-84977 | The decision node for workflow conditions on a request escalation was always set as "true". |
| SF-1181059 ACM-88351 | The Show Job Level Variables setting in request workflows overwrote the same setting in approval and fulfillment workflows. |
| SF-1192314 ACM-90476 | A custom task could not be deleted if it was scheduled. |
| SF-1204867 ACM-89649 | When editing existing exceptional access, the user interface limited the business justification to 500 characters while it allowed 4000 characters for new entries. |
| SF-1258377 ACM-92069 | After applying a patch, Workflow SQL nodes periodically failed with null pointer exceptions. |
| SF-01171991 ACM-88211 | Non-Access Request workflows had inconsistent behavior dealing with Activities. |
| SF-1138522 ACM-85418 | Decision Node settings changed automatically in the Out of Office workflow when any other node was changed and saved. |
| SF-1222578 ACM-90665 | The variable value ${access_request_cri_app_cas2} did not successfully populate after a patch was applied. |
| SF-1158316 ACM-90489 | Workflow variable names showed unexpected format changes after an upgrade. |
| SF-774980 ACM-66372 | When a role is set as a resource for fulfillment, a member of the role could not use the Upload Attachment option. |
| SF-1266678 ACM-93462 | The "Assign to" list incorrectly showed as an option for Resource Selection. |
| SF-1294015 ACM-94309 | The Jobs tab in Admin > Workflow showed a UI error when evaluating errors with over 4000 characters. |
| SF-1304407 ACM-94532 | A subprocess node condition applied to nodes without following configured settings. |
| SF-1297357 ACM-94126 | The Group by Category approvals were skipped in Joiner workflows. |
| SF-1277724 ACM-92992 | The REST Node POST request body mandated XML code that was not required. |
| SF-1161187 ACM-90147 | An Errors link in the run history of a Custom Task job summary table did not show the logged errors when clicked. |
| SF-1293969 ACM-94160 | The AFX create account action failed when a change request with multiple “Create Account” items for multiple applications and for a single user has one of the “Create Account” items rejected. |
| SF-1281281 ACM-93288 | Changes to customerstrings.properties did not reflect in the change request milestone display. |
Collector
| Issue | Description |
|---|---|
| SF-1110276 ACM-83742 | Collection failed when the internal data file was larger than 2.15 gigabytes. |
| SF-964259 ACM-75432 | A custom string attribute used for collection did not collect the LastLogonTimestamp attribute as expected. |
| SF-844956 ACM-67283 | Referrals were not ignored when "Ignore Referral" was checked in the connection settings. |
| SF-833758 ACM-66892 | When an IDC collected the accountExpires date attribute from an Active Directory source, the time value varied on every collection based on the time zone. |
| SF-1116606 ACM-84173 | The ADC query test button reported an exception error. |
| SF-1164164 ACM-86975 | Multi-app collectors slowed down when older data was not removed as expected and instead accumulated with each run. |
| SF-1185812 ACM-88921 | An LDAP search initiated by RSA Identity Governance and Lifecycle asked for the same AD attribute multiple times if it was mapped to more than one of the attributes for RSA Identity Governance and Lifecycle. |
| SF-1218345 ACM-90039 | A new IDC for SQL Server could not locate the correct driver when selecting the DB Type. |
| SF-1190006 ACM-88607 | When testing a role collector query, syntax errors occurred. |
| SF-1299910 ACM-94323 | The Salesforce ADC was missing attributes listed in the datasheet. |
Connector
| Issue | Description |
|---|---|
| SF-953019 ACM-74103 | A line break character in search filters caused the test collection to fail for the LDAP collector. |
| SF-1111150 ACM-84090 | After an upgrade, attribute synchronization on the AD connector applied the attribute_sync prefix to non-empty & non-account variables, which updated values not required as well. |
| SF-976731 ACM-79126 | Account template parameters did not correctly expand variables in password type attribute fields. |
| SF-1136239 ACM-85602 | The Generic Database template with db2 type selected resulted in an error. |
| SF-1162980 ACM-87472 | Active Directory attribute synchronization was unsuccessful in some environments when the account attribute values were set to null. |
| SF-894746 ACM-71014 | The Active Directory AFX Connector could not set the PASSWD_CANT_CHANGE Active Directory attribute. |
| SF-1059478 ACM-80536 | The SAP connector did not support the USERTYP account attribute. |
| SF-1202432 ACM-88958 | When an AFX connector template and a connector had identical names, an error occurred when attempting to export the template and connector at the same time. |
| SF-1205499 ACM-89197 | After performing a migration, the Federated Salesforce connector template and Microsoft Exchange connector template remained in a migration required state. |
| SF-1214862 ACM-89813 | The ServiceNow AFX Connector lacked command output parameter settings for the "Check Ticket Status" and "Check Request Status" capabilities. |
Dashboard
| Issue | Description |
|---|---|
| SF-1167801 ACM-87247 | A custom user link in a dashboard appended "&width=null&height=null" to the URL, which caused some external pages to not load properly. |
| SF-1032894 ACM-80335 | Dashboard links containing a query parameter that included a bind variable did not return the expected results. |
Data Collection Processing and Management
| Issue | Description |
|---|---|
| SF-1088219 ACM-82998 | The IDC User Interface did not show whether the IDC required a Full Refresh. |
| SF-1104583 ACM-83603 | Pending User Account mapping and subsequent local mapping were removed every time the ADC ran collection. |
| SF-1100515 ACM-83254 | A collection that failed on the circuit breaker update did not remove the green check mark from the Last Successful Collection Date field. |
| SF-1063378 ACM-82700 | After unmapping users from the accounts, the users sometimes erroneously retained access. |
| SF-1100498 ACM-83252 | Procedures to purge older raw datasets caused circuit breaker failures when they erroneously purged raw datasets for collectors queued for processing. |
| ACM-53235 | Internal data files such as STX tables and temporary data files in the server/default/deploy/aveksa.ear/aveksa.war/WEB-INF/AveksaDataDir directory were not removed as expected if the "Remove Internal Data Files After Upload" option was set to Yes. |
| SF-1068551 ACM-83338 | For users making role changes, role data collection would sometimes cause deadlocks due to database-stored procedures making unnecessary row updates to roles, even when they were not changed. |
| SF-596501 ACM-50485 | Collection fails with an unclear error message when the collection source contains a special character that cannot be parsed. |
| SF-1115169 ACM-84129 | Starting a unification run with migrated user records from before 7.x failed with "ORA-30926: unable to get a stable set of rows in the source tables" in 7.0.2 p2. |
| SF-1121551 ACM-84547 | Unifying data with duplicate values caused failed collections with the message "ORA-30926: unable to get a stable set of rows in the source tables". |
| SF-1103183 ACM-84750 | The "Who Has Access" tab for Data Resources was not populated after a long-running data collection by the primary DAC that was misidentified as secondary. |
| SF-1059311 ACM-83235 | The DAG collector stalled after pre-processing a large data validation query. |
| SF-988361 ACM-83488 | The account and entitlement data collectors did not collect user attributes CAS6 through CAS10 for indirect group entitlements. |
| SF-1133387 ACM-85100 | The account and entitlement data collectors did not collect CAS user attributes in the correct order and could not properly assign the value of CAS10 as a result. |
| SF-1101593 ACM-83516 | Unifications could fail due to improper clean-up of the tables used for prior data collections. |
| SF-1131773 ACM-85098 | Unification sometimes assigned a deletion date for users that prevented them from logging in. |
| SF-1097757 ACM-85534 | Temporary STX tables were left behind if the circuit breaker was triggered. |
| ACM-85488 | User access to data resources could not be reviewed if assigned only through a group that was not properly tagged after data collection. |
| SF-1131077 ACM-85203 | A sub-group to group membership was rejected because the name of the group had a space at the end that was not consistently trimmed at the source and when collected. |
| ACM-85608 | Calculated totals for applications did not include group memberships as entitlements. |
| SF-1145208 ACM-86417 | Role collectors aborted runs for groups that were role entitlements because of a case-insensitive search. |
| SF-934435 ACM-73247 | Reused user_id attributes in an IDC caused unification with other IDCs to fail. |
| SF-1159109 ACM-86620 | The DAG collector queries took many hours longer than expected to complete. |
| SF-1120976 ACM-86422 | Collected subgroups from an LDAP were resolved as accounts instead of as groups. |
| SF-942302 ACM-74626 | The Application Metadata Collector updated some non-application business source objects, such as role sets, in error. |
| SF-1160713 ACM-87431 | User type attributes did not consistently appear for a unified user after a unification. |
| SF-1126909 ACM-85023 | Pressing Enter on the Forgot Password screen canceled the process. |
| SF-1166339 ACM-88505 | After the ADC ran, the Foreign Security Principal (FSP) membership changes in Active Directory did not update in RSA Identity Governance and Lifecycle. |
| SF-1165478 ACM-87066 | Unification sometimes terminated users and duplicated them into new User IDs. |
| SF-981459 ACM-75980 | Accounts and entitlements added through the "Complete Manual Activity Before Collection" feature were not reconciled or removed after running collection. |
| SF-1176684 ACM-87842 | Performance issues occurred for indirect relationship processing when processing deleted role relationships. |
| SF-1193983 ACM-88706 | The Role Data Collector failed with an Oracle error that reported unstable rows in the source tables. |
| SF-1213227 ACM-89674 | The Account Data Collector could not call custom code prior to loading the raw data. |
| SF-1197266 ACM-88960 | Any unprivileged user could export or save data in a table displayed within a pop-up. |
| SF-1220029 ACM-90277 | Manually mapping a user account submitted a new indirect relationship processing job whether or not the job was already in queue. |
| SF-1062777 ACM-81403 | Group collection rejected the nested group relationships and misidentified groups as accounts when listed as members of other groups. |
| SF-1175678 ACM-87948 | Collections from a .csv file returned too many rows after an upgrade. |
| SF-1224169 ACM-91121 | Collection added duplicate Aveksa access entitlements to the account and user. |
| SF-1228554 ACM-90663 | A data table stored historical configuration information in clear text. |
| SF-1201069 ACM-89785 | Duplicates created in the T_SCHEDULED_TASKS table prevented unification from completing. |
| SF-1058100 ACM-80563 | When a user was moved from one IDC to another, unification terminated the original user and created a duplicate user. |
| SF-1260229 ACM-92496 | Unification failed with unknown error after an upgrade. |
| SF-1242815 ACM-91761 | The Last Reviewed Date OOTB attribute erroneously showed as an available collector mapping attribute in the UI. |
| SF-1300333 ACM-94263 | Running two MAEDCs failed with error ORA-30926 if they overlapped in applications and IDs. |
| SF-1312022 ACM-93036 | The App Metadata collector failed with the “character string buffer too small” error. |
| SF-1236885 ACM-91586 | An ADC User Resolution with more than 3 attributes from the same source left an account unmapped and without an ORPHANED_DATE value. |
| SF-1231311 ACM-91584 | Unification removed user account mapping when one of many resolution attributes was changed. |
Database Management/Performance
| Issue | Description |
|---|---|
| SF-01123301 ACM-84609 | Data archiving had a processing failure. |
| SF-1150006 ACM-86789 | The GATHER_DATABASE_STATISTICS task failed on a buffer overflow error. |
| SF-1164598 ACM-86987 | The database slowed, reported multiple errors, and then used up all resources when conducting bulk reviews on thousands of items. |
| ACM-90149 | A backup started with a backup already in progress stopped with a warning but did not return with a failed status. |
| SF-1164598 ACM-88699 | Illegal TXN State errors were reported in the user interface after applying a patch. |
| SF-892279 ACM-72284 | The PV_USER_DIRECT_ACCESS view did not have a join condition on the entitled ID to show correct information. |
| SF-1190864 ACM-88534 | Slow SQL query performance occurred after upgrading from version 6.9.1. |
| SF-1224207 ACM-90323 | A Data purge job that ran through the backend repeatedly failed to complete the custom task purge. |
| SF-1201744 ACM-89849 | Performance issues occurred when revoking entitlements from a role during a fine-grained role review. |
| SF-1074740 ACM-85409 | An error occurred after a CLOB was converted into a varchar in the CHANGE_REQUEST_VARIABLE view. |
| SF-1203774 ACM-88976 | Performance issues occurred when editing roles. |
| SF-1110258 ACM-87245 | When the database unexpectedly shut down, ACM and AFX continued to run but did not function after the database was started. |
| SF-1128305 ACM-85934 | User interface page-loading time and collections took an unusually long time. |
| SF-1312843 ACM-94891 | Rule pre-processing performance significantly slowed after adding segregation-of-duty rules for a large environment. |
Descriptions
| Issue | Description |
|---|---|
| SF-1209242 ACM-89625 | During the import of business descriptions, the status pop-up that appears when importing business descriptions did not appear when choosing to overwrite or skip existing entries. |
| Issue | Description |
|---|---|
| SF-1067879 ACM-81341 | If the special character % was in the e-mail content, then the email could not be generated. |
| SF-1039470 ACM-79253 | Emails generated for exported reports incorrectly capitalized the report file extension. |
| SF-1086751 ACM-83216 | Email processing failed and displayed the error "Wrong user replied" for approvals sent to dynamically assigned approvers in a role. |
| SF-1136705 ACM-85359 | Escalation emails were not updating the value used by the runtime to send with proper priority. |
| SF-1004034 ACM-80529 | A Review Reminder email configured for 24-hour intervals generated at 12-hour intervals instead. |
| SF-1162253 ACM-86909 | Security access request approval email links did not work. |
| SF-1038728 ACM-79982 | The user interface became unresponsive when an emailed tabular report bounced due to size limitations of the recipient’s mailbox server and the aveksaServer.log file recorded the email along with the entire attachment in encrypted format. |
| SF-978800 ACM-75696 | Email server configuration needed to allow for separate authentication configuration for inbound and outbound servers. |
| SF-1056837 ACM-80572 | A requestor still received approval emails despite being on the Exclude list. |
Installer
| Issue | Description |
|---|---|
| SF-970037 ACM-76001 | Aveksa.ear contained duplicate files that caused zip errors during deployment. |
| SF-1141841 ACM-86014 | A supported database version could not be confirmed during migration. |
| SF-1137353 ACM-85438 | The installer checked for unneeded packages and caused installation in a WildFly environment to fail. |
| SF-1115317 ACM-84107 | A typo appeared in the installOracle.sh script. |
| SF-1129043 ACM-85437 | Installation or upgrade on Red Hat 6.5 and 6.8 failed when IPv6 was disabled. |
| SF-1130896 ACM-85021 | The aveksaWFArchitect.ear file could not be deployed on WebLogic 12.2.1.3.0 due to a conflict in the Java Spring-Boot library. |
| SF-1150455 ACM-86894 | A schema could not be created or migrated when using non-default tablespace names. |
| SF-1182857 ACM-88297 | Schema patching errors occurred when upgrading a WebSphere installation. |
| SF-1166648 ACM-87123 | After patching RSA Identity Governance and Lifecycle, the user interface did not display an Edit button for the Email Fulfillment Handler as expected. |
| SF-1193541 ACM-88761 | The oracle error "ORA-30657: operation not supported on external organized table" occurred when applying an upgrade or patch. |
| SF-973587 ACM-75344 | The Patch installation process did not stop to show an error message when an issue occurred with the archived .ear file. |
| SF-1205479 ACM-89296 | The Database-Only installation did not check for sufficient disk space to complete installation. |
| SF-1189209 ACM-89224 | In a database-only installation, the installer does not check resolv.conf for prerequisites. |
| SF-942673 ACM-73935 | The installation or upgrade process would get stuck when one or more required install packages were missing. |
Metadata Import/Export
| Issue | Description |
|---|---|
| ACM-84989 | Metadata sometimes exported with random, duplicated objects on subsequent attempts after the first export. |
| SF-1077965 ACM-82017 | Incorrect error message was displayed when importing a rule with an invalid global role reference. |
Migration
| Issue | Description |
|---|---|
| SF-1220848 ACM-90260 | The ViewPasswordUrl setting in the t_system_settings table failed to update when using the oracle dbms_lob utility with a large customerstring.properties file. |
Password Management
| Issue | Description |
|---|---|
| SF-1069908 ACM-81479 | Password validation did not work consistently from the user interface and from an external password reset link. |
| SF-1022835 ACM-79684 | The process to add or change a password policy to an application stalled when table views accessed a very large number of records. |
| SF-1173793 ACM-88150 | The current password could not be validated against a stored password history hash during a password change. |
Provisioning
| Issue | Description |
|---|---|
| SF-1192284 ACM-88777 | The Workflow ValidReplyAnswers macro did not populate and list URLs in a consistent order. |
Reports
| Issue | Description |
|---|---|
| SF-1004352 ACM-79058 | A new chart could not be created with the same name as an existing tabular report. |
| SF-1043556 ACM-81849 | The / character in a report file name created a report schedule that failed if the option to send attachments was enabled. |
| SF-826817 ACM-67195 | Reports exported using the .xls file extension were not properly formatted. |
| SF-1101300 ACM-83537 | Reports exported to an Excel spreadsheet did not restore a previously deleted temporary folder and, as a result, returned blank rows instead of the expected data. |
| SF-767212 ACM-60522 | After upgrading, reports containing Cyrillic characters still did not display correctly when exported as .xls or .csv filetypes. |
| SF-838887 ACM-71716 | The report template "Entitlement Review Item Details by Reviewer" did not display the custom review state. |
| SF-01143644 ACM-85658 | The order of the list columns available in the Report Column tab changed randomly. |
| SF-647482 ACM-52763 | Imported Custom Report templates copied unnecessary attributes that caused errors. |
| SF-949068 ACM-76876 | Reports exported into the CSV or XLS format occasionally did not retain any data. |
| SF-882602 ACM-71754 | An Out of Role Entitlements report did not show the expected results. |
| SF-1219878 ACM-90510 | The T_AV_AFX_LOG_MESSAGE and T_EMAIL_LOG tables lacked a public view of their data. |
| SF-1271093 ACM-92667 | Scheduled reports in XLS-format could not be opened after migration. |
| SF-1258049 ACM-92226 | After an upgrade, reports using the PV_USER_ALL_ACCESS view failed with an error if the report had custom value integer attributes. |
| SF-782401 ACM-63770 | After applying a style template to a report or report template, the Apply Style Template to Report screen did not indicate the currently applied style. |
| SF-729074 ACM-56680 | The Review Item Details Report could not be filtered using the Status attribute. |
| SF-1130030 ACM-88494 | A Report with a non-standard column defined with TO_DATE/TO_TIMESTAMP functions in a select statement could fail to extract the date and showed the "jasperreports.engine.JRRuntimeException" error instead. |
| SF-1174014 ACM-87747 | The OOTB "Leavers or Terminated Users" report did not show deleted users as expected. |
Request Forms
| Issue | Description |
|---|---|
| SF-1025815 ACM-82420 | The validation URL did not work for the "Drop Down Select from Web Service" control type. |
| SF-1084223 ACM-82486 | The form tooltip for tables did not display when added to a question. |
| SF-1059905 ACM-82742 | A question with a multi-select drop-down control did not trigger a display condition tied to selecting a drop-down option unless the same condition was also assigned to a secondary control. |
| SF-992540 ACM-76461 | Forms did not display terminated users when a custom form or form list was opened by a request button action. |
| SF-1065124 ACM-81155 | On request and approval forms, when using a submission question with a Select Drop Down list, only the first value was used. |
| SF-792046 ACM-65018 | Non-visual entitlement tables were displayed on a submitted request form. |
| SF-1112926 ACM-85657 | Out-of-the-box Application Business Source attributes returned null values when called through variables in request forms. |
| SF-931948 ACM-74069 | An entitlement table field on an existing request form with a "Show child entitlements of" attribute did not retain its value when copied to a new request form. |
| SF-1013039 ACM-77523 | An option in a Drop Down Select control could not be deleted if the user put single quotation marks around the value. |
| SF-1143371 ACM-85654 | The text area field was not validated for the maximum character limit if the related question had an apostrophe. |
| SF-1109812 ACM-83706 | The Drop Down Select control type for request forms was not disabled as intended if Enable conditions were set. |
| SF-1094196 ACM-83637 | In request forms, the Display and Enable conditions for the Javascript field in request forms did not work as expected. |
| SF-968958 ACM-76010 | The "Allow Multiple Selections" setting did not work correctly in a User Account Table field in a form. |
| SF-1100787 ACM-84628 | Custom dropdowns did not retain selections with web service fields. |
| SF-1127904 ACM-85244 | A request form did not handle user details containing "\" properly for user pickers and the provisioning command. |
| SF-840034 ACM-67318 | A request form did not show the correct entry when an apostrophe is present in the value of a variable. |
| SF-1097313 ACM-83168 | The selected value for a radio button appeared as ??? when passed to other form controls through the avform variable. |
| SF-815680 ACM-64863 | Request forms allowed users to move to the next page before all the form fields had finished loading. |
| SF-1131084 ACM-85886 | Child entitlements of pre-selected entitlements did not load in an entitlement table form control. |
| SF-960379 ACM-74603 | Form text fields with a long entry did not show the complete text in request or approval screens. |
| SF-1168573 ACM-87946 | The password generator URI field did not resolve form variables. |
| SF-1151669 ACM-86387 | A warning message on change requests needed clarification. |
| SF-1184989 ACM-88383 | After changing the value of an avform variable, related form controls with display conditions did not update. |
| SF-1889550 ACM-88604 | Multiple account resolution prompts for every entitlement change created as account changes could lead to excessive prompts. |
| SF-887157 ACM-70736 | User filters with avform.user variables added to the Compare Users field of the Provisioning form removed all users instead. |
| SF-1038696 ACM-79773 | The form did not correctly show certain colors to highlight target users depending on their access. |
| SF-1210320 ACM-89468 | When Multiple Account Resolution is set to “per business source” and the request form adds entitlements from multiple applications that are tied to the same underlying directory, account prompts appear for each application instead of once for the directory. |
| SF-1188323 ACM-88507 | When the User Selection screen for an Access Request form has a grouping that contains more than 100,000 users, the following error occurred when expanding and collapsing the grouping: “Error - java.land.IndexOutOfBoundsException: Index: 100000, Size: 100000”. |
| SF-1194256 ACM-88878 | The Display and Enabled conditions for an entitlement table did not work as expected. |
| SF-1239355 ACM-91122 | The conditions to display or enable an entitlement table form control could not be properly verified in the form. |
| SF-912473 ACM-72112 | The request form did not properly validate a direct request for entitlements that were already granted indirectly through a role. |
| SF-1086944 ACM-83740 | Multiple entitlement tables that used Display conditions, Enable conditions, and Form variables in their entitlement rules sometimes displayed improperly. |
| SF-1263329 ACM-92257 | A request form associated with a business source could not be edited because of an error. |
| SF-1212317 ACM-90015 | Email sent with an External URL link that contains the externalURL and title parameters caused "request could not be handled" errors. |
| SF-968478 ACM-76164 | When a form was designed with an application name that did not match the business source raw name, the account filter did not work correctly. |
| SF-1212748 ACM-91669 | The entitlement table with display conditions did not appear when the dynamic variable value changed. |
Role Management
| Issue | Description |
|---|---|
| SF-1069369 ACM-81602 | The user interface for coarse-grained role reviews provided options to remove or edit members and entitlements, even though coarse-grained role reviews are intended for high-level review and not to make individual changes. |
| SF-817316 ACM-65297 | Custom attributes created with the same name but assigned to different entitlement types appeared identical and did not work correctly when setting an entitlement rule in a role set. |
| SF-1142958 ACM-85634 | A Null pointer exception error occurred when creating a new role while logged in as the business role owner of a role set. |
| SF-1112926 ACM-85657 | Out-of-the-box Application Business Source attributes returned null values when called through variables in request forms. |
| SF-1149895 ACM-86112 | Fixes to the role set persistence of a role caused problems with entitlements when there were role set changes. |
| SF-1078256 ACM-82957 | After importing a modified XML file of existing global roles, the Long Description was not updated. |
| SF-839546 ACM-66820 | A new role with no members or entitlements did not appear in search results when the search filter was set with the member or entitlement count as zero. |
| SF-22039 ACM-48746 | The Request Hierarchy Children entitlement selector allowed selected entitlements to exceed the actual total. |
| SF-1071138 ACM-74902 | The error "Unable to find RoleSet ID" appeared in logs while creating a role collector with the raw name and alt name roleset attributes as different entries. |
| SF-963152 ACM-63734 | Collected roles that were exported did not fully import when imported into same environment. |
| SF-1067111 ACM-66489 | When a change request removed a child technical role from a parent business role, it also erroneously removed group entitlements that were shared from a different child technical role with common entitlements. |
| SF-1190065 ACM-88496 | The user interface did not display a role in a role set due to a query error. |
| SF-1113010 ACM-84589 | The displayed number of suggestions and violations did not correctly update collection when membership rules changed for a role and the role moved to the pending state. |
| SF-1089845 ACM-85357 | The Role analytics table for missing required entitlements incorrectly showed technical roles as global roles. |
| SF-911444 ACM-77583 | Terminated users were erroneously granted indirect role memberships when they were still part of a role that added an entitlement. |
| SF-927983 ACM-73210 | Role Discovery stalled and timed out on a database query when using a high-load HASH-JOIN view on the GTT_CLUSTER_ENT_COUNTS table. |
| SF-901924 ACM-73623 | A specific role showed a "could not execute query" error in the user interface instead of the role data. |
| SF-1213844 ACM-90265 | A null pointer exception error occurred when viewing the Out of Constraints users section in Analytics if "Remove" is the only column in the table. |
| SF-1166227 ACM-87106 | On the Analytics tab, the Out of constraint user table disappeared and the UI locked up and displayed incorrectly when a user was removed from the table. |
| SF-1089845 ACM-84396 | Cascaded roles were missing to be added as entitlements while creating a change request from the Role Missing Entitlements rule execution. |
| SF-950510 ACM-74637 | The "Role Missing Entitlement Rule" email notification did not include the group entitlement collected from ADC. Code was missing to add the group entitlement to the email notifications. |
| SF-882193 ACM-70716 | When creating roles using the Discover Roles functionality, the suggested entitlements do not match the suggested entitlements condition. |
Rules
| Issue | Description |
|---|---|
| SF-1095861 ACM-83120 | When a change request was created by a role change, decision Nodes ignored the "Contains at least one violation" condition. |
| SF-1052613 ACM-84945 | When the Attribute Change rule for Managed Attributes used the "Set to old value of" argument, the rule sometimes failed to set values after the first user matched by the rule. |
| SF-1120488 ACM-84536 | During access request creation, when a user views the Accounts selection screen and then goes back to the previous screens to make changes, violations by the new changes were sometimes not displayed. |
| SF-1127651 ACM-84810 | Out-of-the-box workflow form controls were listed in the Violation Remediation node that did not work for the node. |
| SF-1114903 ACM-83574 | Changing the User Access/Separation of Duty Rule definition closed some violations but left their remediation workflows active. |
| ACM-83212 | New violations could incorrectly be added to existing remediation workflows, when a new workflow was necessary. |
| SF-1105975 ACM-83937 | The number of violations did not appear correctly in the status column. |
| SF-1057748 ACM-84105 | The user interface did not display violations that were not in sync with the remediation workflow to remediators. |
| SF-1125118 ACM-84592 | A rule violation remained in Pending Revocation status after rejection of a corresponding change request item. |
| SF-1121216 ACM-84791 | A condition for access containing IN for a rules definition could not be re-edited for attributes with case-insensitive "name" in the label. |
| SF-774383 ACM-63346 | After migration, violations appeared with the wrong state. |
| SF-1139602 ACM-85892 | After modifying a collector, a UCD rule detected changes that had already been validated following a previous detection. |
| SF-1169066 ACM-87411 | Provisioning Termination and Attribute Sync rules incorrectly processed local user mapping for pending accounts. |
| SF-1147687 ACM-87267 | Renaming a Notification Rule left an orphaned item in the scheduled tasks for that rule. |
| SF-1180940 ACM-88634 | A Termination Rule with the 'or' condition for a Delete Accounts action did not create the expected change requests to revoke entitlements. |
| SF-1080104 ACM-52576 | The termination rule created a duplicate request that could not be completed when a user was terminated and then deleted. |
| SF-1208949 ACM-90043 | Detected violations did not associate with remediation workflow jobs during rule processing due to an Oracle buffer overflow error. |
| SF-1000621 ACM-77042 | Scheduled rules ran multiple times when the rule name or type had been changed. |
| SF-1025263 ACM-78589 | Change requests created by an unauthorized change detection rule identified the wrong user in the details. |
| SF-1262986 ACM-92256 | Violation detection information on the User Request Details page worked only when a User Access Rule was configured with a single user for all entitlements scenario. |
| SF-1101217 ACM-83760 | An Out of Memory error occurred while processing a large number of Role Membership Rule Difference rules. |
| ACM-95300 | Rules processing failed with Oracle error ORA-01652 when all rules were processed simultaneously. |
Security
| Issue | Description |
|---|---|
| SF-1095483 ACM-84155 | Applied security fixes for workflow editor properties. |
| SF-940772 ACM-73739 | Users could access pages in RSA Identity Governance and Lifecycle without required privileges. |
| SF-1213459 ACM-90322 | The patch includes an updated version of JDK 8, which addresses some known security vulnerabilities. |
| SF-1087041 ACM-83001 | A bind mount of the /var/tmp directory to the /tmp directory was needed in hardware appliance deployments. |
| SF-1215126 ACM-90300 | Users were able to edit the sender’s email address in the Send Email to Users form for reviews if permitted by the review definition. The setting that allows the sender's email address to be changed has been deprecated. |
| SF-1087041 ACM-83000 | The setDeployEnv.sh script added a . to the root $PATH. |
| SF-1223436 ACM-91372 | Users granted the "View All" role could not see group and role members in the What Access tab. |
| SF-1022650 ACM-78259 | Applied properties to enhance security for an internal communications port used by a mule agent. |
Server Core
| Issue | Description |
|---|---|
| SF-903632 ACM-71675 | A domain controller node in a hardware appliance with a local database could not stop, start, restart, or status-check the database using the aveksa_cluster script. |
| SF-1128205 ACM-84894 | Heavy change request activity increased the ADC processing time for longer than expected. |
| SF-1061884 ACM-83205 | Scheduled and manually initiated tasks required improved handling and diagnostics. |
User Interface
| Issue | Description |
|---|---|
| SF-596472 ACM-51112 | When editing review definitions, the Allow Expiration and Comments are Required checkboxes were cleared if the user switched tabs. |
| SF-843449 ACM-67243 | Logging out led to a blank screen if confirmations for logging out were disabled. |
| SF-791436 ACM-62724 | After adjusting table options, some columns did not display as configured when switching from a Group review result to a User review result. |
| SF-1001038 ACM-77791 | The Max Users Per Change Request setting in Access Configuration disappeared from the Settings tab if not assigned a value. |
| ACM-84410 | Performance issues occurred on the General tab of a role set after applying entitlement and membership rules. |
| SF-884453 ACM-73706 | Heartbeats, which help to avoid server timeouts when using forms and the Architect workflow editor, generated benign errors in the server log. |
| SF-1127021 ACM-85554 | Changes in the customerstrings.properties file were not saved after an application server restart. |
| SF-768669 ACM-65157 | A truncated file size limit error was displayed for the attachments control type when using Internet Explorer. |
| SF-830319 ACM-66283 | The Owner attribute did not appear in the table options of the What Access tab under Resources. |
| SF-620510 ACM-52883 | Underscores and spaces incorrectly replaced Hebrew characters in the user interface. |
| SF-1086944 ACM-85029 | Performance issues occurred on the General tab of a role set after applying entitlement and membership rules. |
| SF-19207 ACM-45115 | The date in the European format of DD/MM/YYYY did not properly appear for the English (UK) locale. |
| SF-904694 ACM-72163 | Benign errors appeared when a web service authenticated the AveksaAdmin user when no Aveksa system authentication source was defined for AveksaAdmin. |
| SF-1065497 ACM-81449 | An invalid identifier error in request forms appeared when using the Other type for owners in a business source filter. |
| SF-1152397 ACM-86298 | Clicking the Back button in the web browser did not load the previous page. |
| SF-954920 ACM-87252 | Different security context configurations in the same .csv file did not work as expected. |
| SF-1073714 ACM-81669 | After changing the name of a business unit, the user interface showed the old business unit name when grouping users by business unit. |
| SF-913568 ACM-75393 | The User Change data table still showed the User ID field when not selected as a displayed column in Table Options. |
| SF-612632 ACM-51311 | The What Access tab did not disable the filter to show pending entitlements when switching to another application. |
| SF-1158799 ACM-86788 | The Accounts table in the Directories Resource Accounts Tab showed a "Backup Supervisor" column in Table Options that is never populated in an accounts table. |
| SF-1072223 ACM-83584 | Multiple clicks on a form could select one item multiple times to create duplicate selections. |
| SF-967960 ACM-76184 | Attributes did not display when searching in the Business Units or Application list. |
| SF-969882 ACM-75372 | The notification button opened a blank window with a disabled Complete button if no tasks were available to the user. |
| SF-1178116 ACM-87998 | The user interface did not properly display the long description for an application. |
| SF-1110294 ACM-85141 | The unique_ID attribute was not displayed on the summary page after changing the language under user options. |
| SF-1104724 ACM-84228 | Extended user attributes were not displayed on the summary page after changing the language under user options. |
| SF-1042710 ACM-79980 | The log page in Admin > Email did not show results correctly when sorted by Processing Result. |
| SF-1233063 ACM-91269 | The database view V_ROLE_TO_APPS did not include local roles in addition to collected roles. |
| SF-1257307 ACM-93514 | The UI became unresponsive when using French language settings. |
| SF-947231 ACM-75230 | Disabled accounts on the Submit Request > Available Accounts page were not crossed out. |
Web Services
| Issue | Description |
|---|---|
| SF-1035349 ACM-81967 | Web service requests did not show affected users. |
| SF-1264262 ACM-92518 | The documentation for the processRule Web Service did not state that a token was mandatory. |
