SecurID^® Governance & Lifecycle Product Documentation

A new tab has been added under Requests > Pending Submission, which displays a table of change requests that were not submitted successfully. When a change request has dependent items in a different change request, the dependent change request's detail displays a message about the dependency.

The dependency message information is displayed in the request form wizard, in case the request being created has account items that are dependent on an older request.

For a single user, if the parent's create account request item’s request is not successfully submitted, then further request creation for the user is prevented until the Pending Submission request is cleaned.

If the request has multiple users and one of the users has a pending submission request, a new request for all users can be created. The new request will display the dependency information for the user with a pending submission request.

The "Role Missing Entitlement Rule" email notification now adds group entitlements collected from the ADC.

The way in which request forms for applications prompt for account information from end users has been improved. Users with only one account are not prompted to select an account. Users with multiple accounts are prompted to select an account as the first step, before the rest of the form is displayed. All aspects of the displayed application request form take the selected account into consideration, eliminating the need to select an account after selecting entitlements.

The JavaScript block form control no longer allows Display conditions. The Display tab for this form control displays a message for the restriction.

When Enable conditions are set, the JavaScript block entered is executed only when the conditions are satisfied.

If there are no conditions set, then the JavaScript block is executed whenever the form runs.

Additional account parameters from an account template will now display in the Account info pop-up.

User access requests for entitlement changes apply the following rules:

• User entitlement changes that require accounts are always account changes.
• User entitlement changes with no assigned accounts remain user changes.
• User entitlement changes with one assigned account are created as account changes.
• User entitlement changes with multiple assigned accounts prompt for account selection and are created as account changes.

The IDC User Interface now shows the "Requires Full Refresh" status like the other collectors.

The entitlement type now displays in brackets next to the entitlement display name when setting an entitlement rule in a role set.

Coarse-grained role reviews no longer include a Remove button or allow edits for entitlements and members.

Users now require at least view permissions to see the properties of a workflow. Edit permissions are required for users to edit a workflow. These permissions also apply to parent or child jobs of a workflow.

The Workflow tab for an approval or fulfillment request will only display the workflow image.

User Access Reviews have a new reviewer experience. The new reviewer experience provides a streamlined look that includes the Review Analysis and Guidance panel and advanced filtering.

The Review Analysis and Guidance panel organizes review items into two sets of categories: Critical and General. Critical Categories identify review items that may pose a greater risk and that may require more attention during your review. General Categories group review items that may require less attention during a review.

When creating a review definition, you can select either the new reviewer experience or the legacy reviewer interface.

If your organization has processes in place to reduce the risk of providing exceptional access to users, you can enable mitigating controls for separation of duties (SoD) and user access rules. When enabled, when maintaining exceptional access during rule violation remediation, remediators are required to provide details about the mitigating control used.

The page at Admin > Workflow > Monitoring displays information about workflows, and helps to detect problems by displaying warning icons if the workflow engine is unable to communicate with the database, if there are a large number of changes pending verification, or if changes have been pending verification for an excessive amount of time, if a workflow queue is potentially backed up, and if a workflow appears to be stalled.

You can now create data archives to remove older data from active use within the RSA Identity Governance and Lifecycle system, while retaining a backup of the data to adhere to internal data retention policies or for auditing purposes. Archiving data reduces the size of the database and the resources needed by the database. Data archives can be used only for auditing purposes. Data archives cannot be restored to the RSA Identity Governance and Lifecycle system for troubleshooting purposes.

Support for using a third-party password vault to manage credentials for collectors, in addition to connectors, has been added. Support for several additional collectors and connectors has been added. To determine which collectors and connectors are supported by the password vault management, see the application guide or datasheet for the specific collector or connector.

RSA Identity Governance and Lifecycle can now be deployed as a virtual application. The virtual application installation includes the application server and RSA Identity Governance and Lifecycle. Virtual application installations require a remote database.

After you upgrade or install RSA Identity Governance and Lifecycle, the AveksaAdmin password is hashed and encrypted in a new, more secure format upon the AveksaAdmin user's first login.

After a new installation or upgrade, you can migrate data containing the older password format only once. Attempting subsequent migrations may lock out the AveksaAdmin, and require assistance from Customer Support to recover access.

File name validation has been added for connectors and connector templates. The following characters are not allowed in file names: \ / : * ? " < > |

The following changes have been made to change requests and workflows:

• The workflow editor has been updated to Workpoint 4.4.0 Patch 10.

• A category attribute has been added for workflow definitions and jobs that support grouping. The category value can be set in the workflow editor.

• RSA Identity Governance and Lifecycle now manages workflows within several queues, which are automatically assigned based on the type of workflow. Workflows within a queue are processed in order.

• The workflow editor now indicates the number of times a loop has been traversed.

• The workflow editor by default displays only the active path of a workflow job. To view the entire workflow, deselect the Show Active Path Only option from the workflow editor menu.

• SQL and Java node details are now only visible to users who can edit the workflow.

• Rule escalation workflows now include the following nodes: Update work item, Activity, and Complete Assigned Work.

The following changes have been made to collectors:

• The Google Apps collector now supports the nickname attribute. If multiple values exist for nickname, the first value is used.

• Users can now customize the Workday collector to configure attributes required for collection and map them to user attributes in RSA Identity Governance and Lifecycle.

The following improvements have been made for connectors:

• The audit log now includes events for creating, modifying, and deleting a connector.

• Enhancements were made to improve how the REST connector handles headers and logins.

The maximum number of custom string attributes for group objects and business source objects have increased from 10 to 35.

After upgrading to RSA Identity Governance and Lifecycle v7.1, the new dashboard is displayed to users by default. If the previous deployment used the old dashboard, the old dashboard is disabled, but not deleted.

The following changes have been made to database management:

• Database statistics now exclude externally defined tables.

• The public view PV_ACCOUNT now includes the collector name.

The following improvements have been made in data collection processing and management:

• The way in which the identity collection and unification processes handle deleted users has been updated. Some relationships for deleted users remain mapped in the system for governance and auditing purposes.

  RSA Identity Governance and Lifecycle handles deleted users as follows:

• When deleted users are detected, the following relationships remain mapped in the system:

  • Account mappings that have been collected

  • Entitlements that have been collected

  • Local entitlements that are mapped to the user

  • Global role memberships that have been collected

  • Existing change requests that are in progress

• Any new relationship that is subsequently collected and mapped to the deleted user in the source system is accepted and mapped to the deleted user in RSA Identity Governance and Lifecycle.

• Deleted users are removed from all local role memberships.

• Imports of local entitlements that are mapped to a deleted user are rejected.

• Deleted users are not displayed in user selection dialogs.

• When a data archiving job is suspended, an Admin Task alerts administrators that the data archive needs to be resumed.

• The public view PV_ACCOUNT now includes the collector name.

Changes have been made to the aveksa_cluster script to improve the troubleshooting of clustering communication issues.

The Additional System Information section of the Aveksa Statistics Report (ASR) now includes a list of any custom files that have been uploaded.

RSA Identity Governance and Lifecycle has made improvements to the export and import of roles.

• Role imports and exports are now executed in the background, allowing the import and export of large numbers of roles without preventing users from performing other tasks while the import or export runs.

• When you export roles, you download a .zip file that contains one or more XML files containing role definitions. When you import roles, you can import either an XML file or a .zip file that contains one or more XML files containing role definitions.

The following changes have been made to the user interface style:

• You can display a header that contains a customizable logo, details of the logged in user and last login, and the Options, Notifications, Help, and Logout links by enabling the Classic Style user interface setting.

• You can customize the look and feel of the user interface by uploading a custom CSS file.

• You can add a custom background image to the login page by uploading a custom login-background.jpg file.

• Custom files that are renamed are deleted are recorded under Audit Events.

The Grouped by Application tab for a user review is now labeled "Grouped By Business Source." It now includes groups and roles organized by their directory or role set in addition to entitlements and application roles.

Bulk Actions now apply to accounts with unreviewed entitlements whether or not they are signed off.

The SOAPAction header can be added through the UI or derived from the WSDL for each capability.

Required challenge responses are validated and cannot be submitted if left empty.

The external password reset tool will be case-insensitive when searching the following authentication sources:

• RemoteADLogin

• ActiveDirectoryAccountCollector

• ActiveDirectoryIdentityCollector

If more than one account name possibly matches the given identification for the sources above, the external password reset tool will then check for an exact match with case-sensitivity. If there is no exact match, an error message asks the user to type in the account name with the correct case.

The password reset tool will be case-sensitive when searching other authentication sources.

The request cancellation date displays the Job start date.

The Milestone Component now displays a change request approval step for canceled jobs.

The workflow editor components change size when resizing the window.

Group and role owner attributes can be added to subprocess node filtering.

You cannot change or reset read-only jobs.

Approvals and Activities, grouped by Business Source, and assigned to an application for "Directory for Account" use the application instead of the directory.

The event type "Reject Changes handled by this workflow" is now available for Cancel Change Request nodes.

An Edit button was added to the email body section of the email fulfillment handler configuration.

The Attribute category appears in the collector mapping page as intended.

AFX no longer enables a disabled user account after a successful password reset for LDAP connectors. However, AFX unlocks locked user accounts after a successful password reset.

The format of the metadata export file has changed to include additional custom attribute properties.

The Last Collected On field for individual accounts listed under an account collector now displays the last successful collection date, even if the data has not been updated since a prior collection. If an account has been deleted, the Last Collected On field displays the deletion date.

The HasData option is no longer supported for new role data collectors. Existing collectors that currently use this option are not affected.

RSA Identity Governance and Lifecycle now requires that business descriptions for groups contain an application scope. 

When you create a new business description for a group that does not apply to a set, you must select an application with which to associate the business description before you can select the group.

When you import business descriptions from an XML file, you must ensure that an application is specified for each business description that applies to a group.

When updating or migrating RSA Identity Governance and Lifecycle from a previous version, RSA Identity Governance and Lifecycle deletes group business descriptions that are not actively in use. Before you migrate, run the provided pre-migration queries to identify any group business descriptions that will be deleted by the migration process. If you still need these group business descriptions, you can re-import them with an application reference in the import file, or you can manually recreate them after migration. 

For more information, see the "Migration Queries for Group Business Descriptions" section in Install a Patch.

The User Attributes check box has been removed from the Import/Export dialog. All attributes, including user attributes, can be imported or exported by selecting the Attributes check box.

Report headers wrap column text to avoid hiding important information.

Support has been added for connecting to a web service using authentication when adding a field to an access request form.

When you add a field to an access request form and select the control type "Drop Down select with Web Service", under Options, you can now configure the Authentication Type, Authentication User, and Authentication Password for the connection to the web service.

The Password Reset form can now process all field components that would create a change item.

Users editing a role without access to the assigned roleset will see the assigned roleset but will not be able to change it.

32-bit installation of the AD Password Capture tool has been deprecated.