These release notes describe improvements and functional changes to RSA Identity Governance and Lifecycle 7.2 and all released patches, as well as links to fixed issues for each release or patch. This page is updated with each patch.
Note: Upgrading Java 1.8 JDK to u241 or higher prevents the AFX process from starting. This is exhibited by an error in the log file. The MMC console log reports: “java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: MD5”. To resolve this issue, downgrade the JDK to an earlier version.
Feature |
What's New |
---|---|
Collector ACM-105131 |
In the Generic REST collector, the following warning message is displayed on the authorization page and parent page if the refresh token is null: "Refresh Token unavailable in the response : This configuration may fail later as access token once expired will not be refreshed without a refresh token." |
Feature |
Description |
---|---|
Access Requests SF-01620864 ACM-107197 |
Role modification references in the T_AV_CHANGE_REQUEST_DETAILS now have references to the role RAW_NAME, and show ALT_NAME in the user interface. |
Role Management SF-01572945 ACM-104941 |
A new feature flag (FeatureFlag.PreventativeCheck) is introduced to allow customers to enable or disable the violation calculation. By default, FeatureFlag.PreventativeCheck is set to true, and violations are calculated only when a member/entitlement is added/removed from a role or when the role itself is deleted. When FeatureFlag.PreventativeCheck is set to false, violations are skipped for any change in a role. |
Role Management SF-01635124 ACM-106884 |
A new filter has been added to role set policies to use "Business Source Raw name". This is helpful when business sources in different applications have identical names (Display Name), which may cause technical roles as entitlements to be visible even when a role set policy is set to Deny. |
Rules SF-01605709 ACM-105830 |
The suggested entitlements model for joiner/movers now includes the following updates to provide more relevant suggestions: · After the last rule processing, new users are not considered for suggested entitlements. The objective is to suggest entitlements for new users based on existing data. · Re-hires are ignored based on the rehire date. Rehired users after the last rule processing are not considered for suggested entitlements. · Movers within the system after the last rule processing are not considered for suggested entitlements. |
Feature | What's New |
---|---|
Dashboard ACM-105817 |
"TargetObjectID" and "CurrentUserID" can now be used in the query in dashboard facts. CurrentUserID: The value of this parameter is automatically replaced by the ID of the currently logged-in user. TargetObjectID: The target ID of the selected object. This parameter can only be used in object dashboards and is replaced by the selected object on that dashboard. For example, using CurrentUserID in a query (to get the accounts count for the logged-in user): select count(*) from T_AV_USER_ACCOUNT_MAPPINGS where user_id = :CurrentUserID. Using TargetObjectID in a query (to get the change request items count for the selected user): select count(*) from t_av_change_request_details where affected_user_id = :TargetObjectID |
ASR ACM-107258 |
Change request and workflow health check queries are now included in ASR report generation. |
Issue |
Description |
---|---|
Import/Export Metadata SF-01623528 ACM-106458 |
The option to export member and entitlement attributes while exporting roles was previously available; however, these attributes were for informational use and not intended for import. Export of this information is now disabled by default. During export, a message informs you that you can optionally continue the export process, but that member and entitlement data cannot be imported. |
Access Certification SF-01622140 ACM-106387 |
Business source “entity” and “attribute” were displayed as apps.name in the UI, leading to incorrect data being displayed in the business source popup. Now “entity” is associated with “Entity: Business Source,” and “attribute” for Applications is associated with apps.name. |
Access Certification SF-01641299 ACM-107269 |
Terminated/deleted users that are part of a pending role membership are displayed with a line through them when listed as role members in the display. These users will not be part of the change request created for committing role changes and they are not added to the role after the change request is completed. Committed roles will contain only active users as members. |
Access Certification SF-01634901 ACM-107348 |
Global role review member/entitlement counts were incorrect after migration. Migration now updates the role set ID for existing local roles and removes any duplicates. |
Access Requests SF-01600057 ACM-107184 |
Submission variables starting with avform are ignored in the Request Details page. 'avform' is an internal key word used for variables/form names. Variable/form names that start with avform are no longer allowed. Any existing variable starting with 'avform' must be renamed if the user wants to use the variables to display information in the change request details. |
Collections SF-01623406 ACM-106514 |
Duplicate resources were created when the system tried to match a name with a fully qualified name. |
The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2 Patch 4 as the result of fixed issues.
Issue | Description |
---|---|
Business Descriptions SF-01636623 ACM-106850 |
Long business descriptions were not being cut off in review. The long description for Business Source and Entitlement is now displayed in a pop-up window when the user clicks the 'Show Description' icon. |
Access Requests SF-1616176 ACM-106144 |
When trying to create a change request for an action that already has a pending change request, a warning message is now displayed, and the FINISH button is disabled. Previously you could create a new change request even though a pending change request existed. |
Role Management SF-01608246 ACM-105637 |
IG&L had allowed end users to create simultaneous role modifications on the same role that was in an applied state. The Role “Actions” menu allowed a role to be unlocked and allowed new change requests that included changes that were already included in other pending change requests. Roles->Actions or Role->Analysis were thereby able to create new change requests for a role already in an “Applied State”. Roles in an applied state are no longer allowed for actions that generate a change request. For example, on the Roles page, checkboxes are disabled for roles in the applied state for actions such as Roles->Actions->Add Entitlements, Roles->Actions->Remove Entitlements, and Roles->Analysis->Suggest Options. |
The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2 Patch 3 as the result of fixed issues.
Issue |
Description |
---|---|
Account Management ACM-103431 |
Previously, pending accounts associated with a Create Account change item were deleted for a change request when any duplicate account was found. Pending accounts are now deleted only for rejected change items for which the duplicate account is found, and the account will be renamed successfully based on the account template configuration for Create Account change item. |
Access Requests ACM-107018 |
RSA Identity Governance and Lifecycle automatically replaces spaces in account template parameter names with the underscore (_) character and removes all special characters other than underscore (_) and dollar sign ($). You should manually review AFX parameter mappings and request form fields after migration. |
Change Requests and Workflows ACM-105347 |
The Cancel button is no longer enabled when a change request is in the Undoing state. |
Change Requests and Workflows ACM-103802 |
An entire change request was rejected when it contained a change item related to a deleted role. This has been fixed to reject only items containing the deleted role reference. |
Connector ACM-103791 |
The RESTful webservices connector now retrieves and stores id_token, if available, in addition to the access_token when using the OAuth2 flow for authorization. This can be used while making API requests. |
Data Collection Processing and Management ACM-104994 |
Previously, unification occurred even when mandatory collections failed. Scheduled unification and IDC post-processing now only occurs after successful collections. |
Data Collection Processing and Management ACM-102397 |
When Collect Data (all) is selected from Collectors > Multi-App Collectors, the All Multi-App Account Collectors setting is now enabled by default. |
Role Management ACM-105029 |
When removing a role through a role review that has both members and entitlements, the system now calculates the indirects for the revocation. |
User Interface ACM-104556 |
The schema no longer allows null values for the CanRequest field when editing groups. |
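The renaming rule in the ACM-107018 entry above can be turned into an audit that supports the manual review it asks for. This is an added example, not RSA code: the reading of "special characters" as anything outside ASCII letters, digits, _ and $, the function names, and the sample parameter names and mapping labels are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: "special characters" means anything other than ASCII letters,
# digits, underscore and dollar sign. The release note does not define it.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_$]")


def normalize_param_name(name):
    """Apply the rule from the ACM-107018 note: spaces become underscores,
    then every remaining special character except _ and $ is removed."""
    return _DISALLOWED.sub("", name.replace(" ", "_"))


def audit_param_names(names):
    """Return (renamed, collisions) for a list of pre-migration names.

    renamed    -- {old_name: new_name} for names the rule changes
    collisions -- {new_name: [old_names]} where distinct names merge into one
    """
    renamed = {}
    by_result = defaultdict(list)
    for name in names:
        new = normalize_param_name(name)
        if new != name:
            renamed[name] = new
        if name not in by_result[new]:
            by_result[new].append(name)
    collisions = {new: olds for new, olds in by_result.items() if len(olds) > 1}
    return renamed, collisions


def stale_references(mappings, renamed):
    """List (location, old_name, new_name) for mappings that still use a
    pre-migration name. `mappings` is {location: parameter_name}."""
    return sorted(
        (loc, param, renamed[param])
        for loc, param in mappings.items()
        if param in renamed
    )


# Constructed sample data, not taken from a real deployment.
SAMPLE_NAMES = ["First Name", "First_Name", "user-id", "userid",
                "$domain", "Cost Center#"]
# Hypothetical labels for where a parameter is referenced.
SAMPLE_MAPPINGS = {
    "afx:CreateAccount/givenName": "First Name",
    "form:NewHire/cost": "Cost Center#",
    "afx:CreateAccount/domain": "$domain",
}

if __name__ == "__main__":
    renamed, collisions = audit_param_names(SAMPLE_NAMES)
    for old, new in renamed.items():
        print(f"renamed: {old!r} -> {new!r}")
    for new, olds in collisions.items():
        print(f"collision on {new!r}: {olds}")
    for loc, old, new in stale_references(SAMPLE_MAPPINGS, renamed):
        print(f"update {loc}: {old!r} -> {new!r}")
```

Collisions are the case to look at first: two parameters that were distinct before migration end up with one name afterwards, so a mapping can silently resolve to the wrong value.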
Feature |
What’s New |
---|---|
Data Collection Processing and Management |
When a data collection run fails due to the circuit breaker, the circuit breaker is ignored when a user re-processes the data collection run. |
Server Core |
The first time a system administrator logs on to the RSA Identity Governance and Lifecycle user interface, to agree to the license, he or she must enter the Customer ID, Customer Name, and System Type. The Customer ID value is provided by RSA and is provided to all customers through email. These values are logged in the diagnostics and system data. |
User Interface |
Applications can now be sorted, filtered, and grouped by business owner, technical owner, and violation manager. |
The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2 Patch 2 as the result of fixed issues.
Issue |
Description |
---|---|
Access Requests ACM-100749 |
Added a new variable called “Display Name” that maps to the alt_name of the entitlement for global-role, app-role, and group, under the workflow status values. |
ACM Security Model ACM-105178 |
Supervisors have a new view privilege to see the details of change requests created for their subordinates. |
AFX ACM-103661 |
Remote AFX and agents do not work after upgrading Java 1.8 JDK to u241 or higher. This patch updates the generation of the self-signed certificates for RSA Identity Governance and Lifecycle. If you have applied this patch and upgraded to Java version JDK 8u241 or higher, you must download or regenerate the self-signed certificates for RSA Identity Governance and Lifecycle into your environment and restart the server.
|
AFX ACM-100698 |
The following improvements have been made to the process of uploading additional JAR files to connect to other databases using a generic database.
|
AFX ACM-101553 |
Memory management in ActiveMQ has been updated to handle bulk change request items. You may need to modify the following ActiveMQ settings.
|
Change Requests and Workflow ACM-103621 |
The insert time for the evaluation of canceled/reverted workflow jobs was changed from -1 day to -1 second. |
Connector ACM-104006 |
Data Definition Language (DDL) commands have been removed from the database connectors’ capability templates to prevent serious problems in the system. |
Database Management ACM-104549 |
Added additional workflow object auditing to include editing as well as create and delete. Also added auditing for edit, create, and delete workflow forms. |
Reports ACM-103677 |
Aveksa Statistics Report (ASR) generation has a new "Failed" state. These Failed reports can be deleted using the user interface. |
Role Management ACM-102991 |
Before creating a change request for role entitlements, the system checks whether adding these entitlements to the role would create cyclic dependencies. If the change request would create cyclic dependencies, the system does not allow the change request to be created, and the user interface displays the role entitlements that are causing the issue so that it can be corrected. |
User Interface ACM-103542 |
While creating a change request, if a user browses away from the page or closes the window before submitting, the user no longer has to log in a second time to see the pending change request submission. |
User Interface ACM-103539 |
Previously on the Request Summary page and Pending Submission page, users without Admin privileges were not allowed to cancel requests. The Cancel Pending Request button was never active for these non-Admin users. In this update, users without Admin privileges are now allowed to cancel requests on these pages. The checkboxes for change request selection are enabled and other checkboxes disabled based on the users’ privileges. Users can select change requests with enabled checkboxes and perform the Cancel action. The Cancel Pending Request button is active if the user selects the change request. |
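The cyclic-dependency check described in the ACM-102991 entry above amounts to a reachability test on the role graph. The sketch below is an added illustration of that kind of check, not RSA's implementation; the graph representation, function names and role names are assumptions, and the sample data is constructed.

```python
from collections import deque


def find_path(graph, src, dst):
    """Breadth-first search over role -> entitlement-role edges.
    Returns the shortest path from src to dst as a list, or None."""
    if src == dst:
        return [src]
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, ()):
            if child in parents:
                continue
            parents[child] = node
            if child == dst:
                path = [dst]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(child)
    return None


def cyclic_additions(graph, role, new_entitlements):
    """Return {entitlement: path} for each proposed entitlement that would
    close a cycle if added to `role`.

    Every new edge starts at `role`, so a cycle appears exactly when a
    proposed entitlement can already reach `role` through existing edges.
    The returned path runs from the entitlement back to `role`, which is
    what a user needs to see in order to correct the request.
    """
    offenders = {}
    for ent in new_entitlements:
        path = find_path(graph, ent, role)
        if path is not None:
            offenders[ent] = path
    return offenders


# Constructed sample: each key is a role, each value lists the roles it
# already holds as entitlements. Entitlements that are not roles (for
# example VPN_Access) have no outgoing edges and can never close a cycle.
SAMPLE_GRAPH = {
    "Finance_Manager": ["Finance_User"],
    "Finance_User": ["Base_Employee"],
    "Base_Employee": [],
}

if __name__ == "__main__":
    proposed = ["Finance_Manager", "VPN_Access"]
    blocked = cyclic_additions(SAMPLE_GRAPH, "Base_Employee", proposed)
    if blocked:
        for ent, path in blocked.items():
            print(f"reject: adding {ent} closes the cycle {' -> '.join(path)} -> {ent}")
    else:
        print("no cyclic dependencies; change request can be created")
```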
Feature |
What’s New |
---|---|
Collector |
The extensible attribute functionality for the Workday collector now allows empty values. |
Collector |
A new User Filter has been added to the Workday collector, which allows the inclusion or exclusion of specific user types. |
Connector |
The validity and expiration date of an OAuth token is now displayed below the Get OAuth Token button. |
Dashboard |
The following dashboard components have been created for the System Admin Dashboard:
|
Rules |
The following improvements were made in rule post-processing:
|
The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle 7.2 Patch 1 as the result of fixed issues.
Issue |
Description |
---|---|
Change Requests and Workflows ACM-103314 |
The RSA Identity Governance and Lifecycle user interface now allows the cancellation of change request items in a pending verification state when the change request and workflows are completed. |
Change Requests and Workflows ACM-103619 |
On an approval workflow node, users can now configure the approval due date to start either on the job start time or the node start time. |
Change Requests and Workflows ACM-103356 |
Added a tooltip to clarify that the "Max items per change request" setting does not affect change requests adding or removing entitlements from roles. Changes generated from roles are always in a single request to ensure that dependencies are clear to approvers. |
Change Requests and Workflows ACM-102222 |
Admin > Workflow > Settings has a new scheduled task to ensure that the workflow completes when a request has all watches closed. |
Local Entitlements ACM-103319 |
Change requests can now remove entitlements from deleted users, and users are prompted to enter a comment in the change request item. |
Role Management ACM-103544 |
RSA Identity Governance and Lifecycle no longer allows users to submit a new change request when a pending account in a pending submission already exists. |
Role Management ACM-100944 |
The following changes have been made in roles:
|
Web Services ACM-103573 |
Created a new user called System to call the createChangeRequest web service. |
User Interface ACM-103538 |
When a change request was blocked due to dependencies created by another change request, the user interface did not provide enough information to find the problematic dependencies. The user interface now provides clearer information. |
The following sections describe the new features and improvements in version 7.2:
Feature |
What’s New |
---|---|
Dashboard Facts |
Dashboard facts allow you to highlight high-level facts to end users, inviting action items requiring attention. These facts can be configured to redirect to specific pages providing additional insight. Dashboard facts are configured under Admin > Dashboards > Dashboard Components. The out-of-the-box System Administrator Dashboard provides a demonstration of dashboard facts. |
System Data and Diagnostics |
Diagnostic and system data information is collected either on demand or on a scheduled basis to use in dashboard and custom reports that show system details and trends. The data can also be shared with RSA to provide details on your environment and usage. These details provide RSA with insight that facilitates decisions such as providing extended support and deprecating certain versions, as well as what new features and enhancements to prioritize in upcoming releases. Administrators can change these settings in Admin > Diagnostics > Diagnostics and System Data. |
Generic REST Collectors |
The new Generic REST collectors support the collection of identity, accounts, and entitlements through REST APIs specific to the endpoint. |
Installer |
There are several improvements to the RSA Identity Governance and Lifecycle installation process:
|
Web Services |
Several improvements were made to web services:
|
Unauthorized Change Detection (UCD) Improvements | The Unauthorized Change Detection rule has been enhanced to detect when there is an unauthorized removal of entitlements from a user, and to allow you to filter on accounts. |
User Interface |
This release introduces many improvements to the user interface to provide a cleaner, faster, and more consistent user experience. These changes include:
|
User Pictures |
Each user can now have an associated image that is visible throughout the user interface, such as in the menu when logged in, user detail screens, and user pop-ups. To configure a user picture, navigate to a user's detail screen, click the default image, and upload a .PNG file. Administrators can upload images in bulk from the Admin > User Interface > Files > Users screen, or by using the setUserImage web service. |
Feature |
What’s New |
---|---|
Access Certification |
The following improvements have been made in access certification:
|
AFX Server |
Added a new SSH Connector which supports Public Key Authentication. |
Application Wizards |
Updated the application wizard for Active Directory to remove out-of-date references. |
Aveksa Statistics Report |
The Aveksa Statistics Report (ASR) has the following new columns for the Unified Users section:
|
Change Requests and Workflow |
The following changes have been made in Change Requests and Workflow:
|
Collectors |
Multi-app collectors now provide the option to collect Account Disabled Status and Account Lock Status in the collector configuration. |
Database Management |
Data pruning has been enhanced to remove unneeded workflow data from the system. |
|
The text in Approval and Rejection email replies have been updated to clearly indicate where the user may add additional comments. |
|
The default value for the maximum number of recipients for an email provider has been changed to 100. |
Platform |
Migrated the JDK from Open JDK to AdoptOpenJDK, and added support for Red Hat Enterprise Linux 7 and SUSE Linux Enterprise Server 12 SP 4. |
Feature |
Description |
---|---|
Platform |
SUSE Linux Enterprise Server (SLES) 11 and Red Hat Enterprise Linux (RHEL) 6 have been deprecated. In hardware appliance and software bundle deployments, use the RSA Identity Governance and Lifecycle Appliance Updater to upgrade the operating system. |
Reports |
The following views and associated reports have been deprecated:
Saved results from previous reports are still accessible. |
Web Services |
The following path for the User Attribute Change web services command has been deprecated: http://<server name>:8443/aveksa/webservice/userAttributeChange. This is accessible through the userAttributeChange command. For more information, go to Admin > Web Services. |
The following table describes changes that affect the user interface or behavior of RSA Identity Governance and Lifecycle as the result of fixed issues.
Issue |
Description |
---|---|
Access Certification ACM-100064 |
In a group review, RSA Identity Governance and Lifecycle no longer allows None for the state of a group whose members and entitlements are all marked as reviewed and maintained. When applying the state of None to multiple groups, the system ignores any group that has all entitlements and members reviewed and maintained. |
Access Certification ACM-98991 |
Coverage is now only refreshed in a review when the coverage option is selected. When review items are refreshed and the coverage option is not selected, a warning appears to remind the user that coverage will not be refreshed. |
Access Requests ACM-100749 |
Added a new variable called “Display Name” that maps to the alt_name of the entitlement for global-role, app-role, and group, under the workflow status values. |
Admin Errors ACM-92855 |
The Admin Error type "Account Load Data" can now contextually appear in the properties of a Create Admin Error workflow node. |
Change Requests and Workflows ACM-93462 |
The "Assign to" list no longer appears as available options for Resource Selection. |
Change Requests and Workflow ACM-94899 |
When a change request contains a change request item to remove an already-deleted role from a user, that change request item is rejected while the system proceeds with the other items in the change request. |
Change Requests and Workflow ACM-95849 |
The "Show job level variables" checkboxes are now selected by default and job variables explicitly shown in approval and fulfillment workflows. If these variables need to be hidden, the checkbox must be deselected. |
Change Requests and Workflow ACM-99913 |
The Entitlements Require Account field under Account Template now contains the options Always, Sometimes, and Never. Previously, the options were True and False. |
Change Requests and Workflow ACM-101380 |
In the workflow architect, the node’s runtime data indicates the number of times the node’s state has been changed using the Complete Node, Complete Work, or Skip actions and the number of times the node has been reset. After a node’s state is changed, the node’s color changes to orange. After a node has been reset, the node’s color changes to pink. |
Data Collection Processing and Management ACM-91761 |
The Last Reviewed Date OOTB attribute has been removed from the collector wizards. |
Change Requests and Workflow ACM-95472 |
The fix implemented to ensure that emails are sent to each approver when multiple approval activity nodes are configured to send an email to approvers appears in newly created nodes. Existing nodes are not affected by this fix to ensure that any custom email text is not overwritten. |
Collector ACM-93824 |
The Office365 Account Collector now has a configurable Block Size field during application creation. |
Data Collection Processing and Management ACM-94792 |
When an RDC’s HAS data is not configured or has an old value set to No, RSA Identity Governance and Lifecycle now ensures that, after collection, the User Access tab Direct view for a user correctly displays all collected roles of which the user is a direct member, and that the user has the correct nested sub-roles in the All view. |
Database Management ACM-74139 |
Data purging has been updated to ensure that workflow data with null change dates is purged. |
Platform ACM-78255 |
The configureSSLProtocols.sh and HardenHTTPSProtocols.sh scripts have been removed from RSA Identity Governance and Lifecycle. |
Role Management ACM-96925 |
Applications and Directories had incorrectly displayed the Raw Name instead of Display Name on the Access tab for users. The Access tab now correctly displays the Display Name of the Application or Directory. |
Role Management ACM-101549 |
Fixed the failure of roles explosion from change requests when duplicate roles are found in the system. This addresses the issue of user entitlement discrepancies due to explosion failures. Additionally, multiple issues with roles import were addressed. During import, the system reuses the existing members and entitlements when overwriting a local role instead of fully deleting them and creating new entries. When importing roles, the system now looks only for active roles with similar names so that deleted roles are not reactivated. This change avoids the creation of multiple active roles with the same role name. If a role being imported matches an existing active collected role, the system throws an exception instead of overwriting the role. Collected roles are not overwritten at any point. |
Security ACM-90370 |
Authorization validation has been added for file coverage uploads and for the collector activate/deactivate buttons. A pop-up is presented if the user does not have the proper privilege. |
Security ACM-99089 |
Error message was made more user-friendly. |
User Interface ACM-81142 |
Under Reviews > Activities, the Actions menu automatically scrolls so that all options are visible. |
User Interface ACM-94283 |
Added the columns Business Use, Functional Ownership, Locality, and Sensitivity in the Application, Directory, Data Resource Sets, Rule Sets, and Role Sets summary tables. Grouping is disabled on these columns. |
User Interface ACM-90208 |
Pop-up windows now appear in the center of the user’s viewing area. |
Web Services ACM-92041 |
Validation for webservice calls to add or remove accounts from a group can be requested using the collector or the business source, but not both. |
Web Services ACM-97802 |
Environments using the User Attribute Change command should change the URL to the following format: http://<server name>:8443/aveksa/command.submit?cmd=userAttributeChange |
RSA Identity Governance and Lifecycle 7.2.0.x Release Notes