The following issues were fixed in RSA Identity Governance and Lifecycle version 7.2.0.02.
The Backup Business Owner and Other Business Owner were not included as review monitors by default when Business Owner was selected. The system has been updated to include all types of business owners as monitors.
The new review user interface did not display some Swedish characters properly.
The 'Account Name' and 'Name' columns were blank for entitlements displayed under the 'Existing Entitlements for Accounts that will be enabled' table on the change request detail page. The query has been fixed to fetch these column values.
Review bulk actions were not always persisted for items across all pages when comments were added or when the state of the review items was changed to NONE.
A user was incorrectly able to select multiple users from a deletion request, because the table was not properly cleared when navigating back and forth.
Hardened code to prevent duplicate out-of-office entries for a given user.
A user had duplicate local entitlements when an activity was assigned in Manual Activities.
Rejection of a change item through approval did not update the review item from which it was generated. Review items are now updated in the cases of change item or request cancellation.
When a user logged in with the same user ID in multiple windows of the same browser to access the application, a "request could not be handled" message appeared while performing actions on Role and Review pages. This issue has been addressed as part of this ticket. Now users can access multiple browser windows with the same login without any error messages.
Revocations of local entitlements were automatically completed by the system even when the ApplyImmediate tag was set to false. The system now correctly considers the ApplyImmediate tag when processing.
Import of account mappings failed with a UTF-8 encoded import file. This patch ensures that UTF-encoded files are handled correctly.
During attribute synchronization, AFX updated Active Directory with the text from a command parameter mapping instead of the actual value.
ACM Security Model
Supervisors were unable to see the details of requests created by their subordinates or others.
The security scope pop-up did not display "Report Result: Run" or "Report Result: View Report" when there was no result generated for those reports. Now the report name is displayed in the pop-up even if a report result does not yet exist.
Error management for the Unauthorized (401) error in AFX authentication has been improved.
When a change request in an RACF connector used the $ symbol in a value, the $ symbol and everything following it were skipped during execution.
The system sent two password available emails for a single change request item, because an email was triggered after change request item completion and again after change request completion.
When a single work item out of multiple work items in a change request was not fulfilled by AFX, change requests were kept in the fulfillment phase and their associated workflows were flagged as stalled. The work item was fulfilled only after restarting AFX.
The strings "Contains Privileged Access" and "Business Criticality" were not localized.
Attribute synchronization request did not generate a workflow for managed attributes, because the system closed the connection before the request was processed.
Change Requests and Workflows
The Aveksa Statistics Report (ASR) displayed a larger number of pending activities than were actually pending in RSA Identity Governance and Lifecycle.
The technical approval node email created an email with the incorrect thread name.
The change request milestone did not display approvals that were canceled due to escalations.
Improved queries with large role modifications to avoid Oracle limits for the number of parameters.
Admin error emails with incorrect warn-level log messages about queue depth were being sent.
An entire change request was rejected when it contained a change item related to a deleted role. This has been fixed to reject only items containing the deleted role reference.
The security improvement to remove parameters for architect processes from the URL did not handle the situation in which the default ports 80 and 443 were removed from the browser but the application server provided them to the user interface, which prevented iframe communication from matching.
When a pending account had dependencies in another change request, and the pending account's change request was rejected by the approver, all of the items other than the pending account were rejected, and the pending account was provisioned.
The due date for an approval node was previously dependent on the start time of the job.
When an approval was rejected, the email incorrectly used the user ID instead of the ID for a dynamic role or group.
Accessing workflows using an HTTP proxy caused the application to continuously load the workflows.
The Generic REST collector failed with an unexpected content-type error.
Optimized parsing of JSONPath for arrays of child elements in Generic REST EDCs.
Existing functionality for the Generic REST collector did not parse data using JSONPath for multi-level child attributes and partial match of account attributes.
Running a SQL query with multiple CSV files in the Group Data Query for an Account Data Collector with the HXTT CSV driver yielded incorrect results.
The RESTful webservice connector required a client secret when using OAuth2 authentication. The client secret is now optional, because it is not required by the OAuth2 protocol.
Could not change or update collectors when using a language other than English.
When using the Salesforce AFX connector, the proxy details used to fetch the access token were not persisted if they were not provided when the connector was first created.
When trying to delete a cloned connector, the following error appeared: "Unable to Delete Connector."
When using the Salesforce REST connector, the updateAccount command with additional parameters failed to update the new parameters on the endpoint.
The REST connector login capability did not use input parameters when generating a session token.
The REST connector did not use the Accept header as expected to accept all content types.
In the AFX DB connector capabilities, the display of the input parameter pop-up for SQL commands has been handled.
The REST connector used returned set-cookie headers in subsequent calls, resulting in failed login attempts.
The REST connector was adding unnecessary, unconfigured HTTP headers to configured capabilities.
Improved security of REST connector parameters.
While creating a REST connector, the application added an extra output parameter pattern after saving the connector.
A custom field pointing to an object was not usable in entitlement rules and content filters for user access reviews.
Data Collection Processing and Management
The CSV collector did not populate some joined fields.
The NVL function in Account Mapping queries failed when the account length was more than 20 characters.
Added optimizations for databases with large data sets when doing change verification tasks.
When an account was a direct member of both a parent group and one of its sub-groups, a change item to remove the account from the parent group was verified only after removing the account from the sub-group.
After deleting a collector, the entitlement count in the "Total Entitlements" column displayed the same number of entitlements as before the deletion.
The role data collector counted extra rejected role membership from all role collector runs.
Unification did not properly update the Terminated Flag for a user, causing the Termination Rule to not work properly.
Indirect relationship processing runs took increasingly longer amounts of time on each subsequent day.
Database Management and Performance
The public view PV_REVIEW_DEFINITION has been updated to exclude duplicate and deleted review definitions.
Long-running data purging became stuck during cleanup of WP_WI_ALERT.
When deleting older data runs, large groups of selected jobs were used and connections could exceed the maximum Oracle processes. This has been optimized to handle large groups of data properly.
Business users had been unable to edit role names and description after import.
Aveksa Statistics Report (ASR) generation was stalling in the Generating state.
After a user set a default value for the "Drop down select" field in a request form, the Next button appeared disabled while running the form.
When a form filter contained a variable to resolve in view/edit cases and there was no valid context to resolve the variables, SQL errors appeared in the logs.
Unexpected behavior occurred when technical roles had a cyclic dependency.
Role import did not resolve business sources for groups collected from an MAADC, and the role export XML file did not have the application name attribute for group entitlements.
After adding groups with the same name from different applications or directories to a role, the role remained with only one group.
Role preview changes showed the wrong items when a role set was modified in a role.
Roles that were assigned to removed role sets were unable to be viewed or modified by the role owners, if the roles were moved to other role sets but not committed.
After a user with non-administrator privileges clicked the Remove button to remove a role, the buttons did not refresh to say Removed as expected. This patch ensures that the buttons are correctly refreshed when the Remove button is clicked.
Role Set Technical Owner/Other Technical Owner and Business Owner/Other Business Owner were unable to take bulk actions on their roles under Roles > Roles > Actions.
Role mining incorrectly considered deleted group membership.
Automatically generated revocation change requests for a role did not include role entitlements.
A change request to remove a user from several business roles completed but did not remove the user's access.
After importing application metadata, the business and technical owners were not properly updated.
Users were able to see missing entitlements assigned to a user through a role, even after processing the Role Missing Entitlement Rule, because it was not recalculating required metrics.
The purging process now includes clean-up of abandoned RoleVersions.
Improved query performance when retrieving Rule Violation Data.
User access and SOD rules created incorrect violation and change requests when a user was a part of a group's child sub-group. The incorrect change request was created to remove the subgroup's account from the parent group. This patch ensures that the violation and change items are correctly created to remove the account from the sub-group.
The Role Missing Entitlement Rule created a change request with duplicate items.
An Advanced query in the search expression dialog that had the “IN” condition with multiple values resulted in an invalid relational operator error.
In segregation of duty (SoD) rule workflows, the decision node did not correctly transition to the true condition.
A rule incorrectly tried to disable accounts without entitlements that were still pending or had in-progress change requests.
When an entitlement explained by a role was in violation, the remediation action was performed on the entitlement instead of the role. With this patch, remediations on violations of entitlements explained by roles are performed on the role.
A change request contained a violation even after the violating entitlement was removed from the role.
When performing a key rollover/re-encryption, the collector or connector passwords were not re-encrypted with the latest keys until the collector or connector was re-saved from the user interface, even when the option to re-encrypt stored data was selected.
System status notification events that were not processed before a restart were ignored and the indicator was not shown until the next occurrence.
The pruning process did not include canceled events.
The database SID and server name were logged into the T_ARCHIVE table as part of the archive process by reading the details from Aveksa_System.cfg. The Aveksa_System.cfg file is not available in WebSphere and WebLogic environments, so changes have been made to read the SID and server name directly from the database.
The All tab under User > Requests only displayed pending requests and not completed requests.
After creating a change request, if a user browsed away from the page or closed the window before submitting, the pending change request submission was not visible in the user's UI until the user logged in a second time.
The user interface now adjusts the size of select boxes to display selected text properly.
The table options dialog box displayed a horizontal scroll bar when the text was longer than the dialog width. Longer lines of text are now wrapped to prevent the need for horizontal scrolling.
The Activities breadcrumb in My Activities did not work as expected.
Requests submitted using the createChangeRequest web service did not show violations when failOnViolation was set to false.
Calling the createChangeRequest web service did not work as expected from workflows.
The updateReviewItems web service did not work correctly for a user with multiple accounts.