The following issues were fixed in RSA Identity Governance and Lifecycle version 7.1 Patch 1.
Change Requests in Open status without a workflow ID defaulted to the Explicit Access workflow after restarting the application.
A review opened through an email link, then canceled, opened a null page after confirmation instead of the home page.
Comments for review items could not be applied as part of a bulk update.
The email link to view a role review opened to an error page.
Non-existent access to a group appeared for users in a User Access Review.
Multiple Account Review attributes did not properly translate to other languages.
Access Requests with violations could be submitted by requestors when the filter was defined with more than one role attribute.
Approval nodes assigned access requests to out-of-office supervisors if those supervisors were part of the approval workflow at another level.
Custom attribute value lists degraded the performance of rendering the User Access pages.
Attributes with “on” and no date caused an exception error during the display of the milestone on the Change Request Detail page.
An error occurred identifying the application name in a change request when the application had a Directory For Accounts setting.
A pending change request with a large number of new accounts could cause a cleanup issue when restarting.
A Review query was not optimized for large datasets and used too much database memory.
Business Sources excluded from Add Access and Suggestions were visible under Requests > Create Requests > Add Access, but their entitlements could not be requested.
The manual activity assignment link became disabled after a few hours if dynamic groups or roles were in use.
AFX logs were not filtered as relevant to a request.
When a web service was assigned for a request, an error occurred when clicking on the default form under "Additional Information".
SF-837790 SF-694892 SF-828508 SF-1044336
An account template configured with additional account parameters failed to add those parameters to a created account.
An imported mapping that had been deleted and then recollected from the account data collector source created a duplicate mapping.
The Users count under Applications > General did not update after importing or updating the mapping.
Change Requests and Workflows
If Enable Email Reply Processing was unchecked and saved, then related options were not properly hidden.
A Delete Account change request could be marked as complete but still show a status of "Pending Action".
Manual Request Additional Info escalations could prevent an automatic Reassign to Supervisor escalation from running as expected.
The save button did not function properly when a resource, escalation, job variable, or webservice response was added, edited, or deleted.
A change request generated using an unowned group and an owned group would incorrectly assign all of the change request items to the second group’s owner for approval.
When generating a change request with users who had outstanding change requests, the generated change request incorrectly excluded any users who did not have an outstanding change request.
Imported legacy workflows created before version 7.0.1 had a legacy value not handled by the new architect editor.
The Provisioning Command node did not display job variables in the node properties.
A user access request with multiple entitlement changes did not reliably create account change items for adding entitlements depending on the order of selected actions.
After an upgrade, transitions were not displayed in processing workflows that were created in the previous product version.
After completing an activity, users could see all completed activity on the By Entitlement tab instead of just their own.
An exception error occurred when evaluating fulfillments with dynamic roles and group resources.
An entire change request would be rejected at the fulfillment phase if it had an entitlement deleted by a partial rejection in the approval phase.
Activity nodes in a workflow were skipped if AFX fulfillment came back as Completed.
SOAP and REST web service nodes could not be exited if the code window was expanded.
Collection failed when the internal data file was larger than 2.15 gigabytes.
A line break character in search filters caused the test collection to fail for the LDAP collector.
A custom string attribute used for collection did not collect the LastLogonTimestamp attribute as expected.
The Salesforce collector did not collect LastLoginDate as expected due to an invalid date format error.
After an upgrade, attribute synchronization on the AD connector applied the attribute_sync prefix to non-empty and non-account variables, which also updated values that did not need to be updated.
Account template parameters did not correctly expand variables in password type attribute fields.
Dashboard links containing a query parameter that included a bind variable did not return the expected results.
Data Collection Processing and Management
The IDC User Interface did not show whether the IDC required a Full Refresh.
Pending User Account mapping and subsequent local mapping were removed every time the ADC ran collection.
A collection that failed on the circuit breaker update did not remove the green check mark from the Last Successful Collection Date field.
After unmapping users from the accounts, the users sometimes erroneously retained access.
Procedures to purge older raw datasets caused circuit breaker failures when they erroneously purged raw datasets for collectors queued for processing.
Internal data files such as STX tables and temporary data files in the server/default/deploy/aveksa.ear/aveksa.war/WEB-INF/AveksaDataDir directory were not removed as expected if the "Remove Internal Data Files After Upload" option was set to Yes.
For users making role changes, role data collection would sometimes cause deadlocks due to database stored procedures making unnecessary row updates to roles, even when they were not changed.
SF-596501 SF-714442 SF-820106
Collection failed with an unclear error message when the collection source contained a special character that could not be parsed.
Starting a unification run with migrated user records from before 7.x failed with "ORA-30926: unable to get a stable set of rows in the source tables" in 7.0.2 p2.
Unifying data with duplicate values caused failed collections with the message "ORA-30926: unable to get a stable set of rows in the source tables".
The "Who Has Access" tab for Data Resources was not populated after a long-running data collection by the primary DAC that was misidentified as secondary.
The DAG collector stalled after pre-processing a large data validation query.
The account and entitlement data collectors did not collect user attributes CAS6 through CAS10 for indirect group entitlements.
The account and entitlement data collectors did not collect CAS user attributes in the correct order and could not properly assign the value of CAS10 as a result.
Unifications could fail due to improper clean-up of the tables used for prior data collections.
Unification sometimes assigned a deletion date for users that prevented them from logging in.
Temporary STX tables were left behind if the circuit breaker was triggered.
User access to data resources could not be reviewed if assigned only through a group that was not properly tagged after data collection.
When a user was moved from one IDC to another, unification terminated the original user and created a duplicate user.
Data archiving had a processing failure.
The database slowed, reported multiple errors, and then used up all resources when conducting bulk reviews on thousands of items.
SF-1067879 SF-1069696 SF-1134843
If the special character % was in the email content, then the email could not be generated.
Emails generated for exported reports incorrectly capitalized the report file extension.
Reports exported to an Excel spreadsheet did not restore a previously deleted temporary folder and, as a result, returned blank rows instead of the expected data.
Email processing failed and displayed the error "Wrong user replied" for approvals sent to dynamically assigned approvers in a role.
Aveksa.ear contained duplicate files that caused zip errors during deployment.
SF-1137353 SF-1142351 SF-1138013
The installer checked for unneeded packages and caused installation in a WildFly environment to fail.
A typo appeared in the installOracle.sh script.
SF-1129043 SF-1139113 SF-1136656
Installation or upgrade on Red Hat 6.5 and 6.8 failed when IPv6 was disabled.
The installation or upgrade process would get stuck when one or more required install packages were missing.
SF-1130896 SF-1139955 SF-1150455
The aveksaWFArchitect.ear file could not be deployed on WebLogic 18.104.22.168.0 due to a conflict in the Java Spring-Boot library.
A schema could not be created or migrated when using non-default tablespace names.
The View Password URL could not be correctly configured through the User Interface.
Password validation did not work consistently from the user interface and from an external password reset link.
The / character in a report file name created a report schedule that failed if the option to send attachments was enabled.
A new chart could not be created with the same name as an existing tabular report.
Reports exported using the .xls file extension were not properly formatted.
After upgrading, reports containing Cyrillic characters still did not display correctly when exported as .xls or .csv filetypes.
The report template "Entitlement Review Item Details by Reviewer" did not display the custom review state.
The order of the list columns available in the Report Column tab changed randomly.
Imported Custom Report templates copied unnecessary attributes that caused errors.
The validation URL did not work for the "Drop Down Select from Web Service" control type.
The form tooltip for tables did not display when added to a question.
A question with a multi-select drop-down control did not trigger a display condition tied to selecting a drop-down option unless the same condition was also assigned to a secondary control.
Forms did not display terminated users when a custom form or form list was opened by a request button action.
On request and approval forms, when using a submission question with a Select Drop Down list, only the first value was used.
Non-visual entitlement tables were displayed on a submitted request form.
Out-of-the-box Application Business Source attributes returned null values when called through variables in request forms.
An entitlement table field on an existing request form with a "Show child entitlements of" attribute did not retain its value when copied to a new request form.
An option in a Drop Down Select control could not be deleted if the user put single quotation marks around the value.
Multiple entitlement tables that used Display conditions, Enable conditions, and Form variables in their entitlement rules sometimes displayed improperly.
The user interface for coarse-grained role reviews provided options to remove or edit members and entitlements, even though coarse-grained role reviews are intended for high-level review and not to make individual changes.
Custom attributes created with the same name but assigned to different entitlement types appeared identical and did not work correctly when setting an entitlement rule in a role set.
Out-of-the-box Application Business Source attributes returned null values when called through variables in request forms.
SF-1149895 SF-1083679 SF-1123786
Fixes to the role set persistence of a role caused problems with entitlements when there were role set changes.
A null pointer exception error occurred when creating a new role while logged in as the business role owner of a role set.
Cascaded roles were not added as entitlements when creating a change request from the Role Missing Entitlements rule execution.
After importing a modified XML file of existing global roles, the Long Description was not updated.
A new role with no members or entitlements did not appear in search results when the search filter was set with the member or entitlement count as zero.
Collected roles that were exported did not fully import when imported into the same environment.
When the Attribute Change rule for Managed Attributes used the "Set to old value of" argument, the rule sometimes failed to set values after the first user matched by the rule.
During access request creation, when a user viewed the Accounts selection screen and then went back to the previous screens to make changes, violations caused by the new changes were sometimes not displayed.
Out-of-the-box workflow form controls that did not work for the Violation Remediation node were listed in that node.
Changing the User Access/Separation of Duty Rule definition closed some violations but left their remediation workflows active.
New violations could incorrectly be added to existing remediation workflows when a new workflow was necessary.
The number of violations did not appear correctly in the status column.
The user interface did not show remediators the violations that were not in sync with the remediation workflow.
A rule violation remained in Pending Revocation status after rejection of a corresponding change request item.
An Out of Memory error occurred while processing a large number of Role Membership Rule Difference rules.
When a change request was created by a role change, decision nodes ignored the "Contains at least one violation" condition.
SF-1025263 SF-1026091 SF-1073300 SF-1126913
Change requests created by an unauthorized change detection rule identified the wrong user in the details.
Applied security fixes for workflow editor properties.
A domain controller node in a hardware appliance with a local database could not stop, start, restart, or status-check the database using the aveksa_cluster script.
When editing review definitions, the Allow Expiration and Comments are Required checkboxes were cleared if the user switched tabs.
SF-843449 SF-931419 SF-932453
Logging out led to a blank screen if confirmations for logging out were disabled.
After adjusting table options, some columns did not display as configured when switching from a Group review result to a User review result.
The Max Users Per Change Request setting in Access Configuration disappeared from the Settings tab if not assigned a value.
Performance issues occurred on the General tab of a role set after applying entitlement and membership rules.