The following issues were fixed in RSA Identity Governance and Lifecycle version 7.2.1.
Review bulk actions were not always persisted for items across all pages when comments were added or when the state of the review items was changed to NONE.
Review monitors with read and write privileges on a review were incorrectly able to edit and create escalations on reviews.
Alternate managers were able to self-review items even when the self-review option was not enabled on a review.
The help text for account review action buttons previously displayed help text for user access reviews. Now the correct help text is displayed.
The count on the view status bar is now displayed correctly based on whether the user is an admin or monitor.
When there were separate change requests to revoke an account's entitlements and the account as a whole, canceling the change request for the account entitlements reduced the account's review progress from 100%, when it should have remained at 100% while the account as a whole was being revoked in the review.
The new review user interface did not display some Swedish characters properly.
The Backup Business Owner and Other Business Owner were not included as review monitors by default when Business Owner was selected. The system has been updated to include all types of business owners as monitors.
Revocations of local entitlements were automatically completed by the system even when the ApplyImmediate tag was set to false. The system now correctly considers the ApplyImmediate tag when processing.
When a change request was created and the system restarted, if no workflow had been created and linked to the change request, the system created a request workflow based on the configuration. In RSA Identity Governance and Lifecycle 7.1.1, that workflow was the one set on the configuration screen; when a request form had its own request workflow assigned, the system did not use that assigned workflow. In 7.2.0, RSA Identity Governance and Lifecycle enabled configuring which request workflows to use at the role set level, and this fix takes that configuration into consideration.
Change requests displayed the wrong user name associated with a canceled change request message. Change requests now correctly display the user that initiated the canceled workflow job.
Pending submission change requests were not properly cleaned up.
Account names with spaces or special characters are not allowed, but migration from earlier versions did not convert the unsupported characters to underscores as expected.
An account that was disabled and then deleted could not be recreated for a rehire because the account name already existed in the system.
Unable to reject approvals for application role items.
Hardened code to prevent duplicate out-of-office entries for a given user.
A user had duplicate local entitlements when activity was assigned in Manual Activities.
During attribute synchronization, AFX had updated Active Directory with the text from a command parameter mapping instead of the actual value.
ACM Security Model
The security scope pop-up did not display "Report Result: Run" or "Report Result: View Report" when there was no result generated for those reports. Now the report name is displayed in the pop-up even if a report result does not yet exist.
Supervisors were unable to see the details of requests created by their subordinates or others.
When a change request in an RACF connector used the $ symbol in a value, the $ symbol and everything following it was skipped during execution.
After AFX restarted, the settings for a connector configured with a password vault configuration did not substitute the credentials correctly.
Changing the response timeout for RESTful web service connectors had no effect on non-GET requests.
When a single work item out of multiple work items in a change request was not fulfilled by AFX, change requests were kept in the fulfillment phase and their associated workflows were flagged as stalled. The work item was fulfilled only after restarting AFX.
An attribute synchronization request did not generate a workflow for managed attributes, because the system closed the connection before the request was processed.
The strings "Contains Privileged Access" and "Business Criticality" were not localized.
Change Requests and Workflows
The user interface previously allowed users to cancel change request items in a pending verification state only if the change request was in the open state and the workflows were in an active state.
The due date for an approval node was previously dependent on the start time of the job.
When an approval was rejected, the email incorrectly used the user ID instead of the ID for a dynamic role or group.
Clarification was needed that the "Max items per change request" setting does not affect change requests that add or remove entitlements from roles.
Requests with all watches closed incorrectly remained open.
When the Cancel/Undoing workflow settings were used on the request-level workflow together with an escalation workflow, a request could get stuck in the Canceling state.
Rejection of an escalation workflow could result in the Reject Items node becoming stuck.
An entire change request was rejected when it contained a change item related to a deleted role. This has been fixed to reject only items containing the deleted role reference.
A class cast exception occurred when a selected role ID was used in a fulfillment node.
The Entitlements and Application Roles approval workflow was not triggered as expected.
Unable to save a hyperlink in a workflow email when the value contained a job-level variable.
The technical approval node email created an email with the incorrect thread name.
The change request milestone did not display approvals that were canceled due to escalations.
The Aveksa Statistics Report (ASR) displayed a larger number of pending activities than were actually pending in RSA Identity Governance and Lifecycle.
Admin error emails with incorrect warn-level log messages about queue depth were being sent.
Improved queries with large role modifications to avoid Oracle limits for the number of parameters.
The Last Successful Collection Date was incorrectly updated after a collection was aborted, for example by the circuit breaker. This value is now updated only after a successful run.
Running an SQL query over multiple CSV files in the group data query of an Account Data Collector using the HXTT CSV Driver returned incorrect results.
The Generic REST collector failed with an unexpected content-type error.
Optimized parsing of JSONPath for arrays of child elements in Generic REST EDCs.
The RESTful web service connector required a client secret when using OAuth2 authentication. The client secret is now optional, because the OAuth2 protocol does not require it.
The Generic REST collector did not parse data using JSONPath for multi-level child attributes or for partial matches of account attributes.
When deleting older data runs, large groups of selected jobs were used and the number of connections could exceed the maximum number of Oracle processes. This has been optimized to handle large groups of data properly.
After importing an AFX connector, the import displayed the raw name of the connector instead of the display name.
When cloning a connector after changing its name, a connector with a duplicate name was created.
When an Active Directory account was created with a slash (/) in the account name, change requests failed with a naming exception. Processing has been fixed to handle the slash character (/) in account creation.
During connector deployment, the password value from the connector settings was not properly substituted into the capability command code.
When a regular expression within a RESTful connector contained the plus (+) character, the + was replaced by a space when saving the connector.
When using the Salesforce REST connector, the updateAccount command with additional parameters failed to update the new parameters on the endpoint.
When using the Salesforce AFX connector, the proxy details used to fetch the access token were not persisted if they were not provided when the connector was first created.
Duplicate display names of custom attributes across objects are now disambiguated by prefixing them with the object name in the user entitlement search expression builder. This allows the user to pick the correct custom attribute when duplicate attribute names exist.
A custom field pointing to an object was not usable in entitlement rules and content filters for user access reviews.
Data Collection Processing and Management
Scheduled unification ran even when the mandatory collector failed.
Deleting a collector did not clean up the t_av_job_stats data, causing data inconsistencies in the database.
After a supervisor's name was edited in a data source and then collected by RSA Identity Governance and Lifecycle, the new supervisor name was not shown in user records under the Supervisor field.
During the "Process Deleted Role Relationships" step of an indirect relationship processing run, some collections ran slowly on environments with Local Roles containing a large number of entitlements and/or Collected Roles.
Duplicate identities were created for rehires that were moved to a different OU.
Some SQL associated with collections defined with DB Type CSV failed with a java.sql.SQLException: java.lang.ClassCastException error.
The CSV collector did not populate some joined fields.
The NVL function in Account Mapping queries failed when the account length was more than 20 characters.
The Active Directory ADC rejected group memberships for accounts with distinguishedName values larger than 256 characters.
Added optimizations for databases with large data sets when doing change verification tasks.
Optimized the database index in the rule table to improve rule pre-processing.
Corrected the spelling of the state name "Invalid" in the State column of the public view PV_AV_AFX_REQUEST.
Improvements made to business description processing.
ArchivePurge_Pkg failed on t_av_rules.
Archive purging runs erroneously converted hours to days, causing the data purge to end prematurely.
The ASR report "Configuration Problems" did not identify 12.2 optimizer settings. Now, ASR report generation queries are reframed dynamically to find the recommended settings for specific Oracle versions.
Long-running data purging became stuck during cleanup of WP_WI_ALERT.
The public view PV_REVIEW_DEFINITION has been updated to exclude duplicate and deleted review definitions.
Caching of column values caused incorrect content written into email. Caching has been removed.
Upgrade database migration failed if the database was configured with non-default tablespace names.
A local entitlement did not appear in the total entitlements count for the directory/application.
A change request was unable to process the removal of a local entitlement from a deleted user.
Business users were unable to edit role names and descriptions after import.
When performing a migration of a very deep (multi-level node) workflow, the upgrade error ORA-01489 occurred.
After running an unscheduled report, the related email incorrectly attached the last scheduled report.
Aveksa Statistics Report (ASR) generation was stalling in the Generating state.
Indirect entitlements held by a user were incorrectly available for selection in request forms when the control type was set to Entitlement Table.
After a user set a default value for the "Drop down select" field in a request form, the Next button appeared disabled while running the form.
After a user with non-administrator privileges clicked the Remove button to remove a role, the buttons did not refresh to say Removed as expected. This patch ensures that the buttons are correctly refreshed when the Remove button is clicked.
Role mining incorrectly considered deleted group membership.
Deleted or obsolete role versions were occasionally not properly removed from system tables.
Custom Attribute columns displayed an incorrect value during role analysis for suggested entitlements.
When exporting all roles, the entire export failed when an unexpected error occurred for any of the included roles.
The role management history table occasionally displayed two instances of the role to change request link instead of just one.
RSA Identity Governance and Lifecycle handled identical change requests differently when they were made for business roles or single entitlements.
Change requests generated from the Role Review role did not consider Accounts, causing entitlements to be missed.
Incorrect calculations occurred for local role dependencies related to multi-level roles and/or disabled roles.
When a role import failed, exception details were not displayed.
The role set drop-down is now sorted by name instead of raw name.
Pending change requests were updated if the associated role for the change request was moved from one role set to a different role set before the change request was completed.
A user was not removed from all nested roles when the user was removed from a parent role in the Members tab.
Change request creation failed because of a size limitation when bulk removing a user from a large number of roles, either by revoking them through a rule or explicitly requesting to remove them.
Users were able to see missing entitlements assigned to a user through a role, even after processing the Role Missing Entitlement Rule, because it was not recalculating required metrics.
After importing application metadata, the business and technical owners were not properly updated.
Unexpected behavior occurred when technical roles had a cyclic dependency.
After adding groups with the same name from different applications or directories to a role, the role remained with only one group.
Roles that were assigned to removed role sets were unable to be viewed or modified by the role owners, if the roles were moved to other role sets but not committed.
Role preview changes showed the wrong items when a role set was modified in a role.
Role import did not resolve business sources for groups collected from an MAADC, and the role export XML file did not have the application name attribute for group entitlements.
In segregation of duty (SoD) rule workflows, the decision node did not correctly transition to the true condition.
Unable to change the status of a rule when the rule action to send email contained deleted users.
User coverage in Segregation of Duties (SoD) rules did not filter users with a null attribute value.
After editing a joiner rule, the workflow reference was reset to the default out-of-the-box workflow.
Optimized queries related to violation tables to improve rendering.
SOD rules failed due to a data type conflict.
Rule pre-processing was triggered twice when a collection was triggered with an identity collector and unification, even though two rule pre-processing events cannot exist in the queue in a New or Running state at the same time.
User access and SOD rules created incorrect violation and change requests when a user was a part of a group's child sub-group. The incorrect change request was created to remove the subgroup's account from the parent group. This patch ensures that the violation and change items are correctly created to remove the account from the sub-group.
Improved query performance when retrieving Rule Violation Data.
An advanced query in the search expression dialog that used the "IN" condition with multiple values resulted in an invalid relational operator error.
The Role Missing Entitlement Rule created a change request with duplicate items.
In workflow emails, hyperlinks that contain a dynamic workflow variable were removed.
Updated the Apache Tomcat library to address a vulnerability.
After importing a database from another system, the workflow monitoring tab displayed both the current node name and the original node name.
A "request could not be handled" error occurred when editing some groups.
The date format under Admin > Workflow > Monitoring > Queues now displays the same date format as is configured under the User option.
In the latest version of Firefox, frames in the user interface were sometimes reduced to a smaller area with scroll bars.
When displaying change requests that had an escalation, the Requests screen displayed an error in the first column when the Escalations column was used.
The All tab under User > Requests only displayed pending requests and not completed requests.
After creating a change request, if a user browsed away from the page or closed the window before submitting, the pending change request submission was not visible in the user's UI until the user logged in a second time.