SecurID^® Governance & Lifecycle Product Documentation

Specifying date-type attributes for user review criteria resulted in the following error: ORA-01840: input value not long enough for date format.

The Grouped by Application tab for a user review did not display groups and roles by their directory or role set as expected.

"Update Un-Reviewed Items" action in review item history showed AveksaAdmin instead of the actual user who performed the action.

Reviewer delegation or reassignment comments greater than 4,000 characters in length prevented saving a review change with the JDBCException - ORA-01461 error.

Reviewers with only "save" privileges and not sign-off privileges could not properly see review items queried by V_AVR_ER_ITEM_DETAIL.

The accounts and entitlements count displayed incorrect values when a reviewer applied more than one grouping.

The review results for user access reviews did not include the role entitlements for all users.

Bulk Actions did not apply to accounts with unreviewed entitlements if the accounts were signed off.

In a form-based workflow where forms were approved and then fulfilled, the workflow intermittently skipped the approval step.

Revocation change requests did not display work items.

Rejecting one user in a request with multiple users during the approval phase removed too many pending accounts.

Under Requests > Activities > By Entitlement and Requests > Approvals > By Entitlement, the Monitoring Policy view does not display activities for deleted accounts.

The CSV file exported from Requests > Activities was corrupted.

Account removal triggered for a user with "Complete Manual Activity before collection" set to "Yes" did not completely remove accounts from user access before the collection.

On the By Entitlement tab of the My Activities page, an account's custom attributes were not populated.

The Fulfillment Handler was using the XML configuration instead of the internal configuration.

Manual workflow activity showed an incorrect timestamp when an escalation canceled the workflow.

A "Request could not be handled" error occurred when clicking on a submitted form request created via web service.

The "last reviewed" or "completed on" date collected in a user access review was not displayed in the user access tab.

After deleting account mappings, entitlements associated with the mapped accounts were still displayed under the User Access tab.

Accounts that were mapped manually from an import file before upgrading could not be unmapped in bulk.

The AFX SOAP Connector used the wrong SOAPAction Header from the WSDL when multiple SOAPActions shared the same SOAP XML request body.

Users that were deleted and then re-activated could not login using ADC authentication.

A login with invalid credentials reported an error message with "account: {0}" instead of the account that could not log in.

The query parameter SSOLogin=false, used to bypass SSO, no longer worked after upgrading to 7.0.2.

An error stopped the password reset if the Challenge Questions page did not validate mandatory questions that were skipped.

In the new Workflow Editor, the context menu for workflow variables was missing the options Previous Node Assigned To and Previous Node Completed By.

The number of escalations in a workflow was incorrectly limited.

When creating a workflow for custom tasks, using the automatically populated Reference Name resulted in an error.

Tooltip messages on a rejected change request incorrectly indicated that there was an error.

When accounts were disabled, an incorrect change request item was created.

When creating a change request, the user selection screen appeared twice when multiple forms were configured.

The Cancel Change Request node for manual fulfillment workflows listed Reject Change Request selections that were not actually available for use.

A sub-process node still expanded the workflow when the Enabled setting was unchecked.

A high workflow volume of excessive Oracle transactions could, due to a race condition, cause some workflow requests to be stuck in open state, stall on nodes like the Manual Fulfillment Node, or generate an ORA-02291 integrity constraint error.

In a manual activity workflow, a Mark Verified Node could erroneously complete verification of manual fulfillments.

The user using the REST Web Services Node was unable to set "Content-Type", which instead defaults to "text/plain".

When “Wait for Result” was selected, workflows were stuck in the Provisioning Command phase.

Workflow Java node was unable to save configuration.

After pending submission change requests were removed by a clean-up task, the pending accounts were deleted but the dependent change request items remained.

A group entitlement was not included in a change request when added from a role review.

The workflow job history did not filter out jobs that were being deleted by the purge process, causing an ORA-01722 invalid number error.

An error could occur when all line items were rejected in a change request if the system processed the workflow before it could process the line item changes.

Large workflows usually with more than 23 nodes could not be saved.

The drop-down list of processes in a child workflow could not show a list of more than 100 processes.

Duplicate 'remove' change items appeared from a request to remove a role from a user that had duplicated entitlements.

The REST Web Service node could not use user data to process a response variable.

The workflow editor would not allow an invalid workflow condition to be displayed on a decision node.

Passing null or undefined workflow variables between nodes may have been stopped by a null pointer exception error.

Importing a workflow with the overwrite option did not update the workflow name.

Conversions of decision nodes did not succeed unless performed during a patch upgrade.

A subprocess node did not handle the ability to add group and role owner attributes.

An unprivileged end user could edit the workflow to approve requests.

Account data change verification for the Windows Server accounts collector would abort after running for more than 16 hours.

Non-numeric values in the wp_proci table's lu_id field caused the workflow job table to not display properly.

The URL workflow variable didn’t resolve correctly when an escalation was raised on a request workflow.

Performance optimizations for AFX queries in Oracle 12c.

A business owner assigned to an application could approve and reject other, unassigned applications kept in the same directory for accounts grouped by business fields.

In a workflow, a resource could not be modified when a dependent Group, User, or Role could not be found on an imported server.

In the Workflow Editor, saving SQL nodes with the variable type Public could result in the Oracle error: "ORA-00972: Identifier is too long."

When configuring a decision node to check whether a workflow variable exists, the Right Operand field is incorrectly required.

Concurrent processing of a role management database update and change requests risked an indefinite open state for change requests.

Workflow Editor SQL windows did not resize.

A user could edit a workflow email node and save changes with the Refresh button without the required privileges for both actions.

A collector node in the workflow editor did not validate for a selected account data collector.

The save button did not enable for changing the "Evaluated to true" checkbox on a decision transition unless another change was made to the transition.

Exclusion rules for a node did not properly apply to employees designated as a delegate by an out-of-office supervisor.

Workflow form compilation errors occurred due to conflicts with ports secured by SSL.

A change request did not successfully complete if a business owner's rejection re-mapped the account name derived from the account template to the account's unique ID.

A rejected change request approval step did not display when the workflow had completed.

Workflow decision nodes always evaluated manually entered variables as false.

An SQL error occurred when saving changes to an existing workflow process if it contained a delay node that was created in an earlier version of the product.

A workflow copied from another workflow did not carry over the email body of the "Send Email" node.

Changes to due dates, priorities, and status could use cached data instead of the updated data.

Email approval templates incorrectly encoded the Email Approval Reply text.

The Workflow configuration to select 'Use Process configured on' was not available in the drop-down options after they paged.

The event type "Reject Changes handled by this workflow" was not available for Cancel Change Request nodes.

The email fulfillment handler did not contain an option to edit the email body or add workflow variables.

A Delete Account change request could be marked as complete but still show a status of "Pending Action".

When a collected date did not match a supported date format, the entire collection fails, and the error ORA-01830 is displayed.

Lotus Notes collections failed when attempting to use SSL communication.

The Accounts data table for an ADC incorrectly displayed the Last Collected Date after a successful run.

The example string for the Oracle Database collector URL had a typo that replaced a forward-slash with a colon.

The App Metadata collector was case sensitive when referencing the owner ID fields.

The App Metadata collector did not update a business owner reference when the business owner information was deleted and then added back since the last collection.

Identity collection removed an account from the Access tab when a user was marked as deleted.

Testing the connection for the Airwatch collector resulted in a JSON error.

The activity owner did not save when creating a local entitlement collector. An edit was required to add the activity owner.

After installing RSA Identity Governance and Lifecycle, the identity collector would not connect to Novell IDM.

For a change request that failed due to an invalid CR_ID, the review submission did not roll back updates to the database as expected.

The application metadata collector could not use the "category" attribute of an application for collections.

Deactivating an existing data access collector from the General tab discarded settings for user and group resolution rules.

ADCs are failing with the following error: “Unprocessed Continuation Reference”.

Application metadata collections of wrong date formats for date attributes caused collection failures.

When using the Test button on a SQL query for a database collector, the screen incorrectly displayed a SQLException for a valid SQL statement.

The transformer did not correctly create a CSV file for the CyberArk application.

The Salesforce collector did not collect LastLoginDate as expected due to an invalid date format error.

When a chain of certificates was involved in the handshake, the SOAP connector failed over 2-way SSL.

Attribute values edited to be blank did not carry over to the connector in attribute synchronization.

Stored procedures called using a DB2 connector returned a null pointer exception.

Unable to create a connector with a generic database using the DB2 connector template.

AFX Connectors did not deploy when the connector dependency file ID exceeded 999.

Disabled users were enabled after a password reset.

The Archer connector did not deploy when the password to access had $ in the string.

AFX requests for account creation fulfillment did not succeed due to "no signature of method" errors on the SOAP webservice connector caused by an encrypted password.

The SAP AFX Connector did not decrypt passwords when creating an account, preventing login with the password assigned.

The Lieberman EDC did not save the value for the Domain Name parameter.

Users with multiple accounts in the same Active Directory database could not sync their passwords.

The PV_USERS view did not update with new custom user attributes.

Some custom attribute properties, such as "In Detail," "In Popup," and "In Table" risked reverting to their default values because they did not copy to an exported file.

The My Requests dashboard displayed incorrect values for All Requests, Pending, and Completed.

When a single expiration date for an account was collected in an unsupported format, the Active Directory collections failed.

When an Active Directory account collection contained an attribute with a date value in an unsupported format, the entire collection failed.

After enabling the Complete Manual Activity Before Collection feature, duplicate user entitlements appeared when the collector collected the added entitlements.

When unifying multiple IDCs, some attributes are not populated.

During collection, some groups could not be created when attribute values were null.

After a collection failed, the Last Collection Date displayed the date of the last successful collection, but the Last Collection Status flag displayed the status of the most recent collection, regardless of its success. This could result in the Last Collection Date displaying the date of a successful collection, while displaying a red (failure) flag to indicate a more recent unsuccessful run.

After upgrading, indirect processing failed due to duplicate entries of manually mapped accounts in the T_CE_EXPLICIT_RELATIONS table.

Pagination was not working on the Attribute Synchronization page.

When applying entitlements to a group and finding either sub-group members or groups that are entitlements in Collected Global Roles, group resolution was incorrectly case-sensitive.

Identity collector could fail when USER_ID is used in a Unification Join.

Indirect Relationship processing did not reliably succeed because of Oracle error ORA-30926.

A custom user-type attribute of a business source could get resolved to a terminated user if the custom attribute value did not distinguish the active or terminated user status.

The MAEDC did not reject references to local applications.

Indirect relationship processing of account changes for an ADC had performance issues and did not succeed when processing new account relationships.

The collector did not allow edits because one of the collection data run tasks showed “in progress,” but no collection was actually happening.

When a moved column value was too large for the new field, indirect relationship Processing for the Data Access Collector did not succeed due to error ORA-12899.

A data type difference between two tables caused IDC Collector to not successfully collect due to ORA-01722: invalid number.

A Change Verification job ran a long time for the Attribute Synchronization watches.

The "Collect Identity" dialog box for selecting only non-mandatory collectors incorrectly implied that unification would run after collection.

Collector configuration could not be modified, even when collection was not actively running.

Identity unification did not succeed because duplicate users caused unstable rows in the source tables.

The group owner had to be processed again in later collections after a group collection did not resolve group owner values to a user.

A collector may not finish processing due to error "java.lang.ArithmeticException: / by zero" when one of its internal processing files was between 8192 and 8195 bytes in size.

Collected IDC attributes were not being properly applied to the unified user.

The entitlement collector, when using a MySQL database as a source, did not correctly collect the approle memberships and entitlement relationships.

The application metadata collector did not successfully run on a database with a large history of data runs.

During IDC processing, new users were sometimes not properly processed into the table T_RAW_USER, and this caused missing unified user attributes.

Collected user accounts mapped to unique identity attributes, such as email address, were not unmapped and orphaned when the value of the identity attributes changed.

When the truncate data option is selected, strings with multi-byte data are not properly parsed.

Benign errors stating "unable to find an attribute length" displayed in the logs when running collections.

In some cases, users moved from lower priority IDC to higher priority IDC (and vice versa) created duplicate identities in the data.

When importing a user account mapping for an orphan account, the new mapping was not reflected in the Total Orphan count in the application’s General tab.

Unification did not complete due to duplicate entries that caused unstable rows in the source tables.

The ADC occasionally performed poorly in runtime when validating data on step 2 of pre-processing.

User access table could not show entitlements of manually mapped accounts.

Collection of AD date-time attribute values did not properly convert to the Aveksa server time zone.

User type attributes did not correctly display the User name, but showed the ID instead.

Excessive memory usage during RDC processing caused the Oracle error "ORA-04030: out of process memory”.

After an upgrade, an Oracle error for an oversized column occurred when running the ADC and calculating relationship changes.

The long business description of an application did not show on the editing screen after it was collected.

Unification performance issues occurred in an IDC hierarchy with multiple joins.

Unification duplicated users with new records and terminated the original users when users moved from one IDC to another.

During the merge users step of the unification process, performance was degraded.

The fulfillment_phase_start_date and approval_phase_completed_date columns in the CHANGE_REQUEST public schema were not populated correctly until the request was completed.

After clicking the Add Members button in a role, the Suggested Members view took over 20 minutes to load the list of users.

Performance issues occurred when attempting to load entitlement records for a change request form.

The Aveksa Statistics Report incorrectly reported the system hostname and IP when the remote database was updated with a database dump from another machine.

Exporting the activity table could cause "Out of Memory" errors when there was a large amount of activity data.

If columns for user data such as the first or last name were used, a user accounts table may not have displayed properly after an upgrade to 7.0.1 or later.

File import data filtering enhancement.

Backup Jobs scheduled through the UI would stay in-progress and not complete.

The Aveksa Statistics Report did not report the correct sizes in the internal table summary.

The V_DC_LATEST_FAILED_RUN view did not include collections that failed on circuit-breaker.

Business descriptions for groups were deleted by the system during post-collection processing.

Imported group business descriptions disappeared after collection.

Emails containing non-ASCII (UTF) character encoding were not sent properly.

When a multi-step review was generated, the SecondStep Review triggered the NewReviewGeneratedEvent twice, resulting in duplicate e-mails.

When the approver node in an access request workflow used Email Reply Processing, an HTML email response could not be parsed correctly.

After a workflow update using the Workflow Editor, activity nodes in the workflow could not send email.

Email nodes in a request workflow, which were not processed within an approval workflow, sent messages with blank role names.

Source edit attempts for workflow email HTML did not consistently work.

When multiple reassignments were done at once to different users with different comments in a review, only one of the comments was included in emails sent to the users.

When using the OptionalComments variable in an email template, approval comments were repeated within the email for each work item in the request.

International characters in HTML data prevented saves of email templates and email nodes.

Excessive PasswordResetEvent and PasswordExpirationEvent ERRORs filled the aveksaServer.log file and delayed startup and shutdown.

Password resets issued by the administrator sometimes incorrectly displayed a 3-character password for the user accounts due to special characters in the view page.

When the email template AdminErrorNotificationMail is modified, that template could not populate the variable fields in the body when sending the admin Error email.

Email events generating emails in a non-English could not change the language of the hyperlink text from English.

Installer and uninstaller removed Aveksa_System.cfg, which rendered the staging folder unusable for reinstallation.

ITIM Agent 7.0.1 did not start after installation due to a Java class error.

Could not complete the migration to version 7.0.2 Patch 1 when Oracle 12c database compatibility is set to a value lower than 12.1.

During a new installation, if the Oracle UID, oinstall GID, or both are not the default value of 500, the install script performs chown -R /tmp/Aveksa/staging to oracle:oinstall, regardless of the current ownership.

An XML parsing error occurred in UI settings data for a given user when applying a patch.

The Oracle error ORA-01439 stopped initialization due to custom attributes with incorrect data types.

The patch build number did not update after applying a patch, which caused patch processing to reoccur at startup.

Duplicate files in aveksa.ear caused errors when deployed.

Large amounts of workflow data in gigabytes risked a server time-out that disrupted a workflow import task.

The custom user attribute SUPERVISOR_NAME conflicted with an existing, identical attribute during a schema migration.

During migration, the file ACM-60520.sql was running for several hours.

An upgrade from 7.0.1 p2 to 7.0.1 p3 caused error “ORA-30926: unable to get a stable set of rows in the source tables” while executing the script database/migration/migrateReviewData.sql.

Database migration to 7.0+, when applying the ACM-61839.sql patch, did not succeed due to Oracle error ORA-30926 because groups with duplicate names are no longer allowed when collected for the same application by different collectors.

The migration screen did not clarify that the build versions shown refer to the database schema versions.

A null pointer exception error could occur while viewing the migration webpage after clicking the “Follow Output” link.

In a RedHat environment with a remote database, users experienced slow user interface performance when updating challenge questions.

Password policy was failing when the hyphen (-) character was included in the list of minimum required characters.

Resetting a password using the Forget my Password link incorrectly sent daily reminders to the user, forcing the user to reset the new password again.

Password challenge questions allowed duplicate responses because they used to be case-sensitive.

A typo appeared in an error message.

A Windows Registry Notification Packages change for AD Password Capture tool caused a windows crash on a reboot.

The scheduled report sent an empty report when using SQL parameters in the query and choosing CSV attachment types.

ASR report generation from the UI did not succeed because the database hostname could not be resolved.

The Reports tab was missing for users granted permission through the 'Run Report' and 'View Report Results' options on report definitions.

Filter criteria did not save when switching between the Query tab and the Filter Criteria tab.

A generated report did not use a new filter after it was applied.

The Aveksa Statistics Report generation stalled indefinitely after an XML parsing error.

Text in the header row of a report was cropped and unreadable when a large number of columns were present.

Sorting the reports table by the “Last Modified” column resulted in no reports being listed.

A custom scheduled report displayed results without applying requested modifications to the SQL query.

A user summary table took longer than expected to download from the UI.

When trying to filter by group name in the Group Memberships report, the popup picker showed the list of report definitions instead of group names.

Change request form could not be submitted if it contained required hidden tables.

The values of fields displayed but not enabled on a form did not show after the form was submitted.

Could not access the Account Management form when the browser was configured to use a different default language than the RSA Identity Governance and Lifecycle server.

Non-visual entitlement and account management tables incorrectly handled the shopping cart functionality.

Action buttons on some entitlement screens had minor code performance issues when calculated.

Newly created Provisioning forms did not have user variables available in the list of form fields.

Fields could not be added to a request form using a web service with basic authentication.

A change request would not reflect a change in previously checked entitlements when using the back button to change the entitlements table filter provided from another component.

When the user interface was displayed in Portuguese, the date selector did not work.

When associating a role with a role set, the drop-down menu listed the raw names of the role sets, instead of the display names.

The user interface displayed the Role Set Raw Name, instead of the expected Role Set Name.

A change to a Role in a Role Set could not be reverted.

Performance issues occurred when adding users and entitlements to a Role with active rules.

The Add entitlements button became hidden in unnecessary contexts.

When entitlements were added to roles through the Add Entitlements option in Actions, roles in role sets that restricted available entitlements could be displayed as selected, despite that the option was designed to pick only roles that allowed all Entitlements.

Filters for entitlements and application roles did not function as intended on the second step of a multi-step user review.

Role Discovery is not working in cases where entitlement matching criteria is not specified

Users granted a role to edit entitlements could not remove entitlements.

The role set table under Roles > Role Set showed the wrong values in the custom attribute columns.

Role owner and group owner attributes were not available for selection when viewing all entitlements.

Role status remains in Applied or Applied New State, even after change request is complete.

The exports of a large number of roles timed out before successfully completing the task.

A user without access to a role's assigned roleset could remove the unseen roleset when editing the role.

The UI incorrectly displayed the raw role name instead of the role name on the Apply Changes and Commit Changes To Roles screens.

Local Entitlements could be deleted when associated with a role in the "New" state.

Entitlements could not be added to business roles due to an internal Oracle error.

The Termination rule did not submit change requests to disable accounts for deleted users.

Rule processing fails when a rule name contains a colon.

Implicit Account Removal was not working as expected.

The Confirm dialog box did not reflect any background data changes and allowed data submission that did not match the confirmation.

Termination rule processing would not detect terminated users if multiple identity collections and unifications were scheduled sequentially through Web Services.

Provisioning termination rule did not generate change requests for Disable Accounts and Revoke Entitlements.

A rule with an assigned remediator or a deleted email recipient caused a UI error when trying to view the rule details.

The termination rule did not generate the expected change request to disable manually mapped accounts.

The termination rule incorrectly generated change requests to disable accounts that were not assigned to a user.

The Attribute Change rule failed with an exception when generating a change request to add a local entitlement.

Multiple sanitization passes were required to fully remove disallowed HTML markup.

The file upload function under Admin > User Interface did not restrict the types of files, potentially allowing unsafe files to be uploaded.

Parameters containing URLs needed additional cross-site scripting filtering mechanisms applied.

Users can bypass disabled buttons in the Diagnostics screen to view, download, and delete ASRs.

After enabling secure session cookie configuration on a WildFly cluster setup, the Enable Secure Session Cookie setting displays No on the Security tab.

Color coding set as default by all users for rows defined by Control Type: Entitlement Table was lost if the user unchecked the Entitlement Type field in the table options.

When using Internet Explorer 11 with Compatibility View or Enterprise Mode, the violation Revoke and Maintain buttons were disabled.

Could not log in to version 6.9.1 using Compatibility View in Internet Explorer 11.

Initialization status message contained a typo.

A review definition could not be deleted if either the associated rule had a defined remediator or the email recipient was a deleted user.

The error displayed when a Multi-App Account Collector was not configured to collect the business source reference did not clarify the collector at fault.

A Lotus Notes resource in the Create Directory process described the directory component as an application in error.

The advanced search did not properly display the unequal sign if the browser or application language was not set to English.

When the initial Register User web service was under load, it periodically failed to correctly pass variables into the workflow.

SOAP requests sent to the ServiceNow Cloud through the SOAP web service node using proxy authentication were failing.

A request to create an account from a Web service did not succeed when only one parameter was used.