Sun Java[TM] System Identity Manager 7.1 Release Notes

This section of the Identity Manager 7.1 Release Notes provides information about

What’s New in This Release

This section provides additional information about the new features provided in Identity Manager 7.1, and the information is organized into the following sections:

Installation and Update

Use the waveset.serverId system attribute to set unique server names when your deployment includes multiple Identity Manager instances that point to one repository on a single physical server. (ID-11578)

Install and update can be run on a system without a display. (ID-14258)

A script for creating a Identity Manager Service Provider transaction database for MySQL is now provided at sample/create_spe_tables.mysql. (ID-14666)

For localization: The RAMessage_l10n.jar previously required for the Upgrade Pre-Process procedure has been removed and you must download translations for the adapters. (ID-16272)

Administrator and User Interfaces

When a user forgets their user ID, they can now click Forgot My User ID on the login.jsp or user/login.jsp to open a new Lookup User ID page. From this page, the user can provide a notification email address and some additional identity attribute values (such as phone number, first and last name, employee ID, etc.) and Identity Manager will try to find a single user who matches the specified identity attribute values. (ID-4924)

If successful, Identity Manager sends an email containing the user’s Identity Manager user ID to the notification email address specified. (A new User ID Recovery Email Template was created for this purpose. The subject and body of this template are message keys, so that they can be customized and internationalized.)

If unsuccessful, an error message reports that Identity Manager could not locate a user matching the specified information or that it found more than one user who matched the specified information.

Now, when editing a Resource Login Module (non-Identity System User ID/Pwd Login Module) within the scope of a Login Module Group (from the Security > Login subtab) you can select a Login Correlation Rule to map login information provided by the user to an Identity Manager user.

Synchronization status is no longer provided in the Description column of the resource tree table. The Status column now provides a combined status for reconciliation and synchronization. (ID-12465, ID-14005)

The server configuration and email templates have been modified to allow the administrator to determine if SSL or authentication should be done on the SMTP server. (ID-14899)

Auditing

You can now prioritize policy violations by assigning them a priority, severity, or both. Prioritize violations from the remediations page. For more information, see “Prioritizing Policy Violations” in Identity Manager Administration. (ID-11703)

Audit policy scans now scan members of dynamic organizations. (ID-12437)

Audit policy scans can now be scheduled. (ID-12474)

Audit scans now have a test mode, which disables remediation and deletes all violations upon completion of the scan. (ID-12522)

The Violation Summary Report has been extended to allow selection of violations to be made by the violation state. The report can be configured to only report violations that are in one or more of the possible states. (ID-12612)

Audit log entries that are related to access review approvals, rejections, and remediations can now be digitally signed. (ID-13264)

After launching a periodic access review, if you go to the access review page, you will not see your scan displayed on the list until you click the refresh button. (D-14169)

Directory junctions and virtual organizations now support audit policy assignment. (ID-14591)

You can now define the Access Scan user scope based on assigned resources. (ID-14654)

You can now quickly show Identity Manager Compliance by installing the demonstration environment. (ID-14970)

Attestors and remediators can now specify forms that show exactly the detail they need to increase efficiency when attesting and remediating. For more information, see the Documentation Additions and Changes section of these Release Notes. (ID-14973)

During remediation, you can now re-evaluate a compliance violation to determine if it is still in effect. You can edit a user so that the audit policy won't be violated again. (ID-15019)

Pending access review entitlements can now be refreshed with current entitlement data. (ID-15027)

An access review remediator can edit (re-provision) a user directly using a new Edit button on the remediation form. (ID-15172)

A compliance review remediator can edit (re-provision) a user directly using a new Edit button on the remediation form. (ID-15173)

An access review can now alter user entitlements either of these ways: (ID-15180)

The access review attestor requests a rescan by clicking Rescan, which causes the user entitlement to be refreshed and re-evaluated.

The access review remediator clicks Remediated, which causes the user entitlement to be refreshed and re-evaluated.

A user entitlement created in the REMEDIATING state now automatically creates a remediation work item. (ID-15423)

Auditor scans can now specify target resources more explicitly for multi-account resources. (ID-15485)

The management page for Audit Policy objects is now form-based and customizable. You can now select either the “full view -- an information-dense display -- or restrict the level of detail to a partial view. For more information, see the Documentation Addendum of these Release Notes. (ID-15486)

The management page for Access Scans is now form-based and customizable. For more information, see the Documentation Addendum of these Release Notes. (ID-15515)

Audit log reports now show the details of role modifications. (ID-15587)

By default, only the following user entitlement events are logged (ID-15735):

Attestor Approved

Attestor Rejected

Remediation Requested

Rescan Requested

Terminate

Forms

The TabPanel display class now supports the execution of validation expressions on a per-tab basis. If you set the validatePerTab display property to true, Identity Manager performs validation expressions as soon as the user switches to a different tab. (ID-12442)

A sample VMS form is now provided in the sample/forms folder. (ID-12835)

Identity Manager Integrated Development Environment (IDE)

The Identity Manager Integrated Development Environment (Identity Manager IDE) is Java application that enables you to view, customize, and debug Identity Manager objects in your deployment.

The following new features have been added to (or changed in) the Identity Manager IDE for the Identity Manager 7.1 release:


Note	For more information about these features, see Identity Manager Deployment Tools

The Identity Manager IDE now supports GenericObjects. (ID-12952, 12991)

There is now an IdM menu on the NetBean's top level menu bar from which you can select actions that are appropriate for selected object nodes. (ID-13158)

The Identity Manager IDE 7.0 project has been replaced with the following two project types, both of which are NetBeans ant projects: (ID-14587)

Identity Manager Project: Used as the primary development environment for deployers as it is the most fully featured project type, including:

Java/JSP editing, building, debugging

Ability to launch Identity Manager in a Netbeans' embedded application server

Ability to manage an embedded repository

This project type provides a simple repository that you can use for testing in your sandbox. When you create this project type, you can specify an embedded repository for the project. In addition, you can enable a Manage Embedded Repository option to re-initialize the repository. The Identity Manager IDE provides an auto-publish feature that automatically loads the embedded repository anytime you run or debug the project.

A sample CBE (Configuration Build Environment) and import file generator.
For more information about the CBE, refer to the README.txt file provided with the Identity Manager project.

Identity Manager Project (Remote): Used for making small changes and for debugging a remote project on an external server. A lightweight, quick set-up project type has all the editing functionality of the Identity Manager project, but lacks the build environment and the ability to launch the war file.

The Identity Manager IDE now provides version independence. (ID-14723)

The 7.1 version of the Identity Manager IDE .nbm has been decoupled from the Identity Manager classes. The version 7.1 .nbm supports Identity Manager 7.0 and 7.1, and it is planned to support Identity Manager 6.0 SP3.

Each Identity Manager IDE project is tied to a specific Identity Manager version, and the Identity Manager IDE now requires a compatibility bundle (ide-bundle.zip) that provides Identity Manager jar files and some XML registries containing version-specific information for each supported Identity Manager version. The compatibility bundle is specified when you create a project:

For Identity Manager Projects: The compatibility bundle is included in the idm.war file, and Identity Manager IDE automatically accesses this file during project setup.

For Identity Manager Projects (Remote): Because you do not specify a war file location for remote projects, you must provide the compatibility bundle’s location, which is:

Identity Manager install root/sample/ide-bundle.zip



Note	Identity Manager version 7.0 did not provide an IDE Compatibility Bundle, but you can download this file from the Identity Manager 7.0 download site.

Library objects have been added to the list of object types displayed in the Explorer window, and these objects have Property Sheets, Palette features, and navigation nodes. (ID-14817)

The Identity Manager IDE plugin now requires JDK 1.5 and Netbeans 5.5. (ID-14950)

You can now compare (diff) a single object or a folder of objects (recursively) in a local directory with those in the repository. You can use this feature to view the differences between your local copies and those on the server. In addition, you can use this feature to upload and reload one or more modified objects. (ID-15151, 15206)

When you select Design view for a Rule object, an Expression Builder now displays in the Editor window to make it easier for you to see the logical structure of a rule and to modify the rule’s properties. (ID-15104)

Features and functionality were added to the Identity Manager IDE Expression Builder dialogs. You can now do the following:

Edit simple data types (integers and strings) directly in the Expression Builder table. (ID-15528)

View JavaDoc for Identity Manager API methods when defining XPRESS invoke statements (static or instance) in the Expression Builder dialogs. (ID-12961)

When you select classes or methods from Class Name and Method Name menus in the Expression Builder, the related JavaDoc displays in a pop-up alongside the dialog. (ID-12960)

Edit property values that support expressions and primitive values (such as strings) directly in a property table. (ID-13763)

Create a specific expression rather than first creating a BLOCK and then changing it to the expression you want. (ID-15932)

Include or “wrap” an expression element in another element, which enables you to build expressions from the inside out.

Change an element’s expression type using a new Change To button and dialog. (ID-15933)

The Identity Manager IDE now provides separate nodes for files, persistent objects, and extensions to better reflect the actual underlying XML content. In addition, you can re-order nodes and insert nodes into other locations (before, after, or into other nodes in the Project tree). (ID-14689)

You can now delete objects from the Identity Manager IDE repository. (ID-14081, 15031)

You can now upload an object in the Identity Manager IDE to an Identity Manager 7.0 server and manually assign an ID to the object. (ID-15474)

To facilitate moving objects from one repository to another, you can now configure Identity Manager IDE to remove all auto-generated repository IDs before it downloads objects from the repository. (ID-15307, 15347)

Now, when editing forms you can follow references to forms and fields. In addition, when editing workflows, you can follow external processes. The Identity Manager IDE opens the referenced file and finds the reference. (ID-14428, 15406)

You can now specify a root context, by leaving the Context field blank when you create the project. (ID-15912)

Identity Manager SPE

Identity Manager Identity Manager SPE now supports link correlation and link confirmation rules. (ID-10500) For more information, see the description of bug 15760 in the Documentation Addendum of these Release Notes.

Authentication answers for Service Provider users can now be edited in the administrative interface. (ID-12781)

LDAP deleted attributes are now propagated after a downed resource is once again available. (ID-15471)

Reports

You can now globally control the font used when generating reports by editing the settings on the Configure > Reports page. You can override this by editing the configuration for each report. By default, only fonts available to all PDF viewers are shown.

Add additional fonts to the system by copying font definition files into WEB-INF/fonts directory under the directory where IDM is deployed (for example, /var/opt/
SUNWappserver/domains/domain1/applications/j2ee-modules/idm/WEBINF/fonts ). You must then restart the server. Accepted font definition formats include .ttf, .ttc, .otf, and .afm. If one of these fonts is selected, then the same font must be available at the machine where the report is viewed or the font must be embedded in the report.

Since the default set of fonts does not support all character sets (for example, Asian characters), you must install an additional font in the fonts/directory and select it in the configuration pages to generate reports that can display alternate character sets. (ID-10641/14376)



Note	TrueType fonts are licensed with different levels of possible embedding. The font that you have selected to generate the PDF with must be licensed to allow the font to be embedded for printing and previewing in the PDF. If the font is not correctly licensed for embedding in the PDF, the PDF will be generated with a standard font. This will cause the content of the PDF to be corrupted. Identity Manager currently does not log a failure to alert you to this issue.

Repository

Information about repository object size is now available. You can access this information through the web pages and from the console command line. (ID-9896)



Note	For upgrades, existing objects will report a size of 0 until they have been updated or otherwise refreshed.

Resources

New Resource Adapters

RACF-LDAP

SAP Governance, Risk, and Compliance (GRC) Access Enforcer

See the Identity Manager Resources Reference for details about these resource adapters.

Resource Adapter Updates

You should now configure servers that will run ActiveSync in the synchronization policy for the resource. The use of waveset.properties has been deprecated, but can still be used. Migration to configuring in the synchronization policy is strongly encouraged. (ID-10167)

Configuring the Flat File Active Sync adapter has been simplified; especially for delimited files. (ID-11678)

Active Sync can be terminated before all updates have been processed on the LDAP adapter. (ID-13695)

Identity Manager now provides PeopleSoft HRMS 9.0 support. (ID-14195)

The Domino adapter now supports setting the explicit policy attribute for Domino 7.0 resources. (ID-14315)

The Oracle ERP resource adapter now supports before and after actions. (ID-14659)

The default RACF List User AttrParse mechanism has been extended to handle large numbers of “CLASS AUTHORIZATIONS” and template users with group entries such as “GROUP SYS1 USER CONNECTION NOT INDICATED”. (ID-15021)

Two resource attributes, Default Primary Group and Login Shell, have been added to the Solaris, AIX, HP-UX, Red Had Linux, and SuSE Linux resource adapters. (ID-15034)

The NDS adapter has improved support for GroupWise:

The adapter can now manage post offices in secondary domains. (ID-15122)

GroupWise users can subscribe to any known distribution list. (ID-15707)

The adapter no longer uses the Delete Pattern parameter as its mechanism for signifying that a post office should be removed from a GroupWise user. The new method requires that the post office field merely be set to "" (two double quotation marks). If you have legacy forms or workflows that programmatically remove post offices, change them to set the field to "". (ID-15970)

The Domino resource adapter supports roaming users for Domino 7.0 servers. (ID-15157)

Activity groups (roles) and profiles in a CUA environment can now be updated with a start and end date. (ID-15613)

The ACF2 adapter supports ACF2 8.0 SP2. (ID-15833)

The sample NDSUserForm includes working examples of all seven techniques for fetching post offices and distribution lists. (ID-15872)

The PeopleSoft Component Interface adapter now supports specifying separate keys for GET, FIND, and CREATE operations on a component interface. (ID-16055)

The PeopleSoft Component Interface adapter now supports PeopleTools 8.1 through 8.48. (ID-16128)

The Top Secret resource adapter now correctly handles ASUSPEND, PSUSPEND, VSUSPEND and XSUSPEND when enabling and disabling users.(ID-16295)

Roles

When you import roles containing links to back to existing super roles, Identity Manager now updates the existing roles with links back to the newly imported roles. (ID-15482)

The delegation model is changed as follows: (ID-15440)

If you are editing a user who has delegated to one or more users or a rule that has been deleted after the delegation was originally established, the user or rule delegated to is now be displayed enclosed in parentheses, indicating that it has been deleted. For example: “(auser)”

If the user's delegate to list is changed but still includes the deleted delegate, an exception will be thrown and the save will fail. If the user's delegate to list is not changed but other attributes of the user are changed, the save will succeed, because there is no change to the delegate info.

If you are creating or updating a user and the approver has delegated to a user who no longer exists, a create or update will fail with a message indicating that the approval work item could not be delegated as configured because the delegate was deleted.

Work items that were delegated to a user who was subsequently deleted can still be recovered by the delegating user. The delegating user can then end the delegation to the deleted user.

For more information, see the Sun Java™ System Identity Manager Administration.

Security

Identity Manager now allows users to define different delegation configurations for different work item types (such as attestations, remediations, approvals, and so forth). (ID-14152)

A new, built-in ObjectGroup/Organization called End User has been added to Identity Manager. (ID-14630)

This new ObjectGroup/Organization is a member of Top. Initially, it does not have any memberobjects. This ObjectGroup/Organization is not displayed in the tree table under the Accounts tab in the Administrator user interface, and it cannot have child organizations. However, you can make any object available to the End User ObjectGroup/Organization using the Administrator user interface when you are editing objects (such as Roles, AdminRoles, Resources, Policy, or Tasks).

Previously, when users logged into the End User interface, they were automatically assigned the rights to object types specified in the EndUser capability (such as AdminRole, EndUserConfig, or EndUserTask). Now, Identity Manager also automatically assigns them control of the new EndUser ObjectGroup and evaluates a built-in End User Controlled Organizations rule. If any organization names are returned, Identity Manager automatically gives those users control of those organizations as well. Identity Manager uses the authenticating user's view as the input argument to the End User Controlled Organizations rule. The rule can return one organization (as a string) or more organizations (as a list) for which the user logging into the End User Interface will have the EndUser capability.

In addition, a new End User Administrator capability has been added to manage the new objects. Users with this capability can view and modify the rights to object types specified in the EndUser capability and to the contents of the End User Controlled Organizations rule. This capability is assigned to Configurator by default. Any changes to the list, or to the organizations returned by evaluation of the End User Controlled Organizations rule, will not be dynamically reflected for logged in users. These users must log off and then login again to view the changes.

You should consider this new ObjectGroup/Organization as the best practice method for giving end users access to Identity Manager configuration objects such as Roles, Resources, Tasks, and so forth.

In future, you should use this method instead of using End User Tasks, End User Resources, System Configuration:EndUserAccess, and End User authTypes; however, these methods are still supported for backward compatibility.

You can now add passwords to a user's password history when creating a user. (ID-15179)

When listing objects (such as roles or resources) and there are more than six memberObjectGroups for any of the returned objects, Identity Manager no longer filters out the truncated memberObjectGroups from the results. (ID-15181)



Note	This behavior does not apply to the USER type because it can be a member of only one ObjectGroup.

If a user who owns any pending work items is deleted, Identity Manager now ensures that the work items are not lost, as follows: (ID-15868)

If a pending work item was delegated and the delegator has not been deleted, the pending work item is returned to the delegator, and the delegator will then be the new work item owner.

If a pending work item was delegated and the delegator has also been deleted or if a pending work item was not delegated, the delete attempt fails until the user's pending work item has been either resolved or forwarded to another user.

Server

You can now configure tracing to trace a method and all of its subcalls (both direct and indirect), which can be useful if you are debugging problems known to happen at some level below a specific entry method. (ID-13436)

The following methods have been added to WSUser. See the JavaDoc shipped in the REF kit for more information on this class. (ID-15468/14152)

**WSUser Object Methods**
Method	Description
getWorkItemDelegates()	Returns the current set of Delegate objects for the specified user
getWorkItemDelegate(String workItemType)	Returns a Delegate object of the requested workItem type from _delegates
addWorkItemDelegate(Delegate delegate)	Adds a Delegate object of the specified work item type to _workItemDelegates. If one of the specified workItem types already exists, it will be replaced
removeWorkItemDelegate(String workItemType)	Removes the specified workItemType from the set of work item Delegate objects
setWorkItemDelegates(Map workItemDelegates)	Sets the set of work item delegate objects for this user
getWorkItemDelegateHistory()	Returns the specified user’s list of Delegate history objects
setWorkItemDelegateHistory (List workItemDelegateHistory)	Sets the specified user’s list of Delegate history objects

Work Items

When an Attestation WorkItem is forwarded, any comments provided by the forwarding Attestor are included in WorkItem such that when the WorkItem is finally attested, the comments from other Attestors will be included. (ID-14643)

Bugs Fixed in This Release

This section describe the bugs fixed in Identity Manager 7.1, and the information is organized as follows:

Administrator and User Interfaces

On the debug pages, ObjectGroups no longer appears in the dropdown list of item types that can be bulk deleted. (ID-13324)

You can now unlock an organization object that becomes locked after a user with insufficient rights tries to delete it. (ID-14942)

Custom end-user tasks that need to checkout the view of the logged-in user no longer get an error about the account being unavailable because the account is locked. (ID-15040)

You can now find Roles with lots of Organizations from the Find Roles page without an ObjectGroup error being displayed. (ID-15303)

The Roles tab > Find Roles > Approvers menu can now show users with the "Role Approver" capability. (ID-15373)

If you use a customEdit.jsp form for your own custom edit form, you no longer get a page with no navigation bar and two copies of your custom form. (ID-15460)

Internet Explorer 6 or 7 with security update 912812 users are no longer required to double click a multi-select box to highlight the box or double click an item to move it. (ID-15824)

When you specify true for IAPI.cancel (which cancels any pending updates detected for the user being processed) on the ActiveSync Input form, the user's view no longer remains locked after being processed. (ID-15912)

Editing a user in the Top organization, which is the result of a user list search, now works correctly without generating an error. (ID-15977)

The default rules provided to support access scans are all members of the Top organization by default. If your deployment wants to allow administrators edit access scans or audit policies without controlling the Top organization, you must add the following rules to the other organizations: (ID-15996)

Review Everyone

Review Changed Users

Reject Changed Users

Default Remediator

Default Attestor

Default Escalation

AttestorAll

Non-Administrators

All Administrators

Users Without a Manager

Auditing

A new policy, the IDM Role Comparison audit policy, is available for checking that users' resource attributes match the role attributes defined in their assigned roles. If there isn't a match, a compliance violation is created when a non-compliant user is scanned using this new policy. (ID-11225)

An error is no longer displayed when you edit an Access Review Detail Report in which the specified access review target has been deleted. (ID-14805)

For a new Identity Manager 7.1 installation, the default Auditor Report for All Compliance Violations now uses the resourceNames display attribute to allow compliance violations to reflect more than one resource. Previously, this report used the resourceName attribute, which generated a warning message. (ID-15915)

The Audit Policy wizard GUI allows the specification of 3 remediators, and an escalation period between them. If you specified the period, you must specify the remediator. Otherwise, the remediation will be deleted. (ID-14198)

You can now perform an Audit Scan or Access Review with the user scope set to a dynamic org. (ID-14886)

Audit log reports show the details of role modifications (ID-15587)

The Identity ManagerCompliance features provide tasks, policies and rules that you can use as is. (ID-16127) Identity Manager initially creates these objects in either the Top or All object groups as appropriate. For deployments that choose to use delegated administration with administrators that do not control the Top object group, you may want to add some or all Auditor objects to other object groups. Identity Manager provides a script that lists and add or remove object groups from the Auditor objects. (For a complete list of Auditor objects, see $WSHOME/sample/scripts/AuditorObjects.txt.)

To list objects:

The Identity Manager auditing component provides workflows that you can use directly and that are potentially long-running. (ID-16173) To allow an upgrade from 7.0 to 7.1, you must rename any suspended TaskInstances of these workflows.

Identity Manager provides a script that you can run before the 7.1 upgrade to perform this rename operation automatically. These scripts are in the util_scripts directory of the installation image. To execute the scripts, you must change to the directory that contains them, and the Identity Manager server must be running. Specify the -h idm-url option, even if running the script locally on the Identity Manager server. The expected form of idm-url is= required. If the Identity Manager server is bound to the default URL path, you can omit this. This script changes the Identity Manager repository, so it only needs to be run on a single Identity Manager server.

To list the tasks that need to be renamed

./beanshell.sh taskUpdate.bsh -u Configurator -p configurator -h idm-url -action list

To perform the rename operation

./beanshell.sh taskUpdate.bsh -u Configurator -p configurator -h idm-url -action rename

The renamed TaskDefinition objects will have the form old-name-7.1-update[N]

When terminating or deleting an Access Review, termination or deletion tasks might encounter errors that prevent the tasks from completing. If that happens, the Access Review will be put into the TERMINATE ERROR or DELETE ERROR state. To see the specific error information, you will need to look at the Task results from System Tasks -> All Tasks (ID-16211)

Integrated Development Environment (IDE)

Most nodes have an associated property sheet in the Properties windows, and most of these nodes have a Name property for managing the value of the name. If you rename a particular object via its node, either by right-clicking and selecting Rename, or by clicking the node and typing text over the label, the node's label is updated and the XML changes. However, the property sheet fails to update. You can click another node and then re-click the renamed node and the property sheet updates to reflect the new name. You can also click the title of the property sheet to update to the correct values. (ID-13696)

Rule Libraries are not currently supported other than to perform basic XML editing and testing in the rule tester. Navigation and property support is not currently implemented. (ID-14093)

Form property values cannot be set with the property editor if the data type is Integer or Boolean. (ID-14128)

Downloading, uploading or reloading an object causes a lock to be placed on the object in the repository. Consequently, attempts to access the object by users other than the one given in the project settings within the lock's time of expiration may fail. (ID-14132)

Renaming an object from the context menu in NetBeans requires the change to be saved. After making the change, the user can save the change from File ->Save without opening the file. If the file is open, use File ->Save, or close the file and select to save the changes when prompted. (ID-14420)

When setting the displayClass for a field to InlineAlert, if the field has a name the value property of the InlineAlert will not display. (ID-14456)

Checking out a user view in Identity Manager IDE puts a lock on the object. Checking in the view or closing the view does not release the lock. The lock will be released automatically after 5 minutes. You can also release the lock by logging in to Identity Manager as the administrator that checked the view out in IDM IDE and viewing the user. (ID-14797)

It is now possible to specify a root context, by leaving the Context field blank on project creation. (ID-15925)

Identity Manager SPE

You can now terminate the SPE Synchronization task prior to processing all updates. (ID-15077)

You can now configure SPE to use an SSL-enabled End User Directory. (ID-15773)

The Identity Manager SPE configuration page no longer allow you to set non-SPE account policies. (ID-14833)

MetaView

The idmManager attribute is now stored properly in the user attribute when using MetaView. (ID-14445)

Password Synchronization

The password synchronization configuration application (Configure.exe) no longer truncates the JMS properties at an equal sign (=) when reading from the repository. (ID-12658)

Passwords intercepted with characters outside of the 7-bit ASCII range are now correctly encoded as UTF-8 before encryption. (ID-15829)

Reconciliation

Reconciliations no longer stop when resources have duplicate users. (ID-14949)

Some ambiguous account matches during reconcile are now considered a preferred match to avoid unnecessary reconciliation errors. (ID-14965)

Reconciliations no longer stop when user normalizations remove all resource information from a user. (ID-15028)

Using the checkDynamicallyAssignedAdminRolesAtLoginTo option no longer causes Reconcile Policy Editor errors when updating the reconcile schedule. (ID-15338)

Reports

Audit logging is now supported for the creation, modification, and deletion of admin roles. (ID-12514)

User Reports show the resource accountID for all accounts on the resource in a semicolon-separated list. Accounts and resources that are indirectly assigned through a role or resource group are also listed. If there is only one resource account, the accountID will display only if it is not equal to the Identity Manager accountID. (ID-12820)

Changes to a user's authentication questions are now logged in the audit logs. (ID-13082)

The User Compliance Violation Log should not be displayed in the Reports menu under the Auditor Reports selector. This is the Default Compliance Audit Report task and should be hidden. (ID-14721)

If you customized the form Conflict Violation Details Form in an earlier release, you should export the form before upgrading to 7.0. Re-import the saved form if you prefer after upgrade. (ID-14772)

Emailed PDF reports now honor the font and font embedding settings specified at any level. (ID-15328)

Repository

The ObjectSource.OP_ALLOW_NOT_FOUND (allowNotFound) option is now honored correctly in calls to getView and checkoutView for an IDMXUserView, and in calls to getObject through a LighthouseContext in Identity Manager. (ID-11900)

The Identity Manager Repository now closes (rolls back) an active database connection whenever the repository encounters a Java Error (that is, an instance of java.lang.Error). Previously, the repository closed the active database connection whenever it caught a declared Exception or a Runtime Exception (but not an Error). This change guards against leaving an open (uncommitted) transaction when the Java Virtual Machine throws an error (such as an OutOfMemoryError). (ID-14411)

The setRepo command’s -n option now correctly prevents checking for the current repository location. The -n option allows the setRepo command to succeed when the current repository location is invalid (or the database instance at the current location is unavailable). This change fixes a regression that was introduced in Identity Manager 2005Q4M3 (Identity Manager 6.0). (ID-14809)

The Identity Manager repository now initializes faster because the RelationalDataStore now generates an SQL statement that executes faster against larger database tables. (ID-14937)

Slow Oracle database systems can no longer cause suspended tasks to execute on more than one Scheduler simultaneously. (ID-15372)

Removing a role from one user in a similar group of users no longer affects the repository entries of the other users, and no longer prevents you from finding those users when searching by role. (ID-15584)

Resources

Added the Failover Servers resource parameter field for the LDAP resource adapter. This field allows the user to list multiple servers for failover if the preferred server fails. The LDAP Resource adapter uses JNDI to maintain the connection to the LDAP directory. JNDI therefore will automatically attempt to connect to each server in order until a connection is found. Once a connection is found, JNDI will continue to use this server until it fails and then the process will be repeated. Replication across all of the failover servers is the responsibility of the customer. (ID-10889)

The LDAPActiveSync search filter that searches for changes in the changelog has been optimized for performance. The filter part (objectClass=changelogEntry) has been removed from the default search filter. (ID-11722)


Note	You cannot change this setting from the GUI.

The NDS Resource Adapter now allows you to merge groups contained in the NDS Template with those groups not defined in the NDS Template. This action is performed from the user interface with user form changes. See NDSUserForm.xml for details. (ID-12083)

Linux adapters can now return a year on last login. (ID-12182)

In order to use a view from a different Oracle user, you must establish an alias, so that the view can be referred to without qualifying it with a user name. Identity Manager did not detect this, and allowed you to specify such a view in the resource adapter. Identity Manager now detects the error, and provides a message. (ID-12643)

When viewing users on a Solaris NIS resource, the setting for the primary group is now displayed as the group name. (ID-12667)

You can now set passwords to not expired when using CUA mode on the SAP resource. (ID-13355)

The VMS resource adapter now has reconcile abilities. (ID-13425)

Provisioning now recognizes when an error from a ResourceAction script has been captured during user create and update functions. (ID-13465)

Identity Manager now provides a resource configuration parameter called enableEmptyString. You can use this parameter to write an empty string (instead of a NULL value) in character-based columns defined as not-null in the table schema. The enableEmptyString parameter does not influence the way strings are written for Oracle-based tables. (ID-13737)

Using the Oracle ERP Resource Adapter to update an Oracle ERP account's responsibility no longer causes all of the account’s other responsibilities to be updated. (ID-13889)

NDS adapter Active Sync no longer polls for changes based on the User object's lastModifiedTimeStamp. Previously, this attribute was updated whenever a user logged in or logged out. Now, the last modified value is calculated based on the lastModifiedTimestamp of a user's attributes that are defined in the Identity Manager schema. If an attribute's lastModifiedTimestamp is greater than the high-water mark presented by the adapter, the gateway sends this user back to the server as modified. (ID-13896)

The Shell Script adapter now supports the rename, disable and enable functions. (ID-14472)

Resolved an issue where Active Directory Active Sync would hang because connections to the gateway were not being closed. Connections would grow to the maximum, and open connections would stay in CLOSED_WAIT state. Once the maximum number of connections is met and are connections all in the CLOSED_WAIT state, Active Sync will halt until these connections are cleaned up. (ID-14597)

The attributes map that the adapter sends to the customer's update script will now contain an entry for the null-ed attribute, and the map entry value will be null. Specifically, this condition (an empty value in the attribute map) means that an attribute is being cleared. (ID-14655)

For some resource adapters, exclusion rules are now applied before users are fetched during reconciling, which allows specific users to be excluded, prevents errors generated by the resource, and can improve performance for a large number of users. (ID-14436)

Writing SAP activity groups and profiles in a Central User Administration (CUA) environment no longer splits a new table row into two rows when the information is separated by a colon. (ID-14371)

The LDAP resource adapter will again use the VLV control when listing and searching user accounts, if the LDAP server supports the VLV control and the server is correctly configured. (ID-14526)

The Oracle ERP User Form now has a Person Name field. This read-only field shows the Oracle HR person's fullname if an Oracle ERP account is linked to the Oracle HR system using the employee number. (ID-14675)

The SAP adapter now properly reports Disabled status. (ID-14834)

The nsaccountlock activation shortcut can now use logic based on value presence/absence to determine whether an LDAP user is disabled. (ID-14925)

Identity Manager now honors the Supported Features deny, ignore combination setting for a resource. If you select ignore the action will not be performed, but in some circumstances it could be shown as a message in the GUI. (ID-14948)

The Oracle ERP resource adapter now prevents the unlinking of resource accounts if the Oracle ERP resource is inaccessible during full reconciliation. (ID-14960)

Passwords with characters outside of the 7-bit ASCII range are now set correctly by the gateway (create and update) when Identity Manager is deployed with Tivoli Access Manager and Active Directory. (ID-15006)

If common resources are configured in System Configuration for use by login, and a common resource login fails, logins no longer fail when there is another resource in the login module stack that is not a common resource and it requires different authentication properties than any of the previous login module resources. (ID-15047)

If you do a Create Resource Object for a Solaris NIS server resource, select multiple accounts in Users, and then click Save, all of the accounts are now added to the group file in the NIS password source directory in the managed NIS server. Previously, this operation worked only if one account was selected. (ID-15085)

The ADSIResourceAdapter now closes connections when querying for resource objects. (ID-15098)

ACF2 connection properties (such as a wider and deeper virtual screen size) can now be specified. (ID-15158) To implement this feature you must import your own an update.xml script that contains:

There is a new corresponding Oracle ERP schema resource attribute: person_fullname. The sample $WSHOME/sample/other/CreateLHERPAdminUser.oracle script has been updated to include an ICX* table and to provide views to the synonyms created for the non-APPS user. (ID-15188)

The example JDBC scripts did not close ResultSets and Statements when they were no longer needed. In a large application, this could lead to some resource leakage. The example scripts have been modified to close such objects when they are no longer needed. (ID-15254)

Identity Manager now “traps” and reports output from Delete scripts that overtly return with an error. (ID-15340)

A storage allocation issue involving character translations has been resolved. (ID-15341)

The temporary file names that are used when running shell scripts for resource actions have been changed to be more unique over time. (ID-15348)

For Solaris NIS, Identity Manager no longer adds the netid target, which was not required and caused error messages in the traces. (ID-15503)

For Solaris NIS, Identity Manager no longer prevents use of the sudo command if the directory containing Solaris NIS passwd, shadow, and group template files are read-protected from the admin user. (ID-15505)

For Solaris NIS, an account is no longer partially created if the default primary group is either missing entirely or is a name not found in the group file. (ID-15509)

A bug has been corrected that caused Solaris NIS user or group ID generation to fail when beginning with an environment with no users or groups, and template passwd and group files are in a directory other than /etc. (ID-15510)

For Solaris NIS, if two accounts are created in a row and a shell is specified for the first account but not the second (either it is not defined in the defadduser file or there is no defadduser file), the second account no longer is created with the first account's shell. (ID-15511)

For Solaris NIS, defgname in the /usr/sadm/defadduser file is now used to set the default primary group instead of defgroup, as an optional source for default values for newly created accounts. (ID-15512)

Identity Manager no longer stores the Solaris NIS and HP-UX NIS encrypted passwords in both the passwd and shadow NIS template files when an account is updated. Now, the placeholder value “x” is stored in the passwd file. (ID-15593)

Active Sync no longer continues running when Create Unmatched Accounts is set to true and the Allowed Error Count is exceeded. (ID-15662)

The PeopleSoft Component Interface adapter can now report disabled status. (ID-15674)

Identity Manager no longer reads write-only account attributes from an LDAP directory or Active Directory. (ID-15838)

The Scripted Gateway resource adapter can now correctly capture non-zero return codes from scripts and report an error. (ID-15860)

Clearing a RACF attribute in a form did not cause Identity Manager to clear the attribute on the user when the form was submitted, it was a noop. Identity Manager now clears the attribute. (ID-15971)

The NDS Template Resource Attribute now displays the pop-up help (i-Help) rather than the NDS_TEMPLATE_HELP message key. (ID-15986)

The Enable and Disable resource actions are now supported for the Scripted Gateway resource adapter. (ID-16066)

The ScriptedGateway resource adapter now passes Resource Attributes to the scripts implementing the getInfo and listAllObjects actions. (ID-16149)

The GroupWise resource adapter has been deprecated. The NDS adapter should be used instead to manage GroupWise users. (ID-16308)

Scheduler

Suppressed the output of the syslog entry, 'EVNT00', LockedByAnother error. This caused excessive output into the sysLog in a clustered environment. (ID-15714)

Security

End user password changes initiated by administrators (through SPML or otherwise) are now added to the password history if it is enabled. This fix introduces both a System Configuration option and a View (form) option that enables administrators to toggle the desired behavior. (ID-13029)

Administrators can toggle the System Configuration option, based on the login application, which provides a greater amount of flexibility because administrators may not want a behavior that affects all applications.

The View option always overrides any system configuration setting.

A delegated administrator with only report administrator capability can no longer remove out-of-scope organizations (which are being reported on) from a report. (ID-14765)

An audit log for an organization now includes organizational approvers who are added to or deleted from the organization. (ID-15232)

An Admin Role administrator now has sufficient privileges to create an Admin Role. When creating a new Admin Role or Capability, the creator might be required to select one or more users who can assign the Admin Role or Capability to other users. This situation occurs when a creator is not authorized to assign Admin Roles or Capabilities. The set of users from which the creator can select assigners is not subject to Identity Manager authorization scoping, since the creator might need to choose one or more users outside their scope of control. The set of available users will now have been granted the “Assign Capability” right. (ID-15980)

Server

The SPML server now returns errors if requests contain filters using operators that are not yet implemented. (ID-11343)

Dropping attributes from the "User Extended Attributes" Configuration object did not cause them to be dropped from the WSUser's attributes; old values were retained in the XML. This has been corrected, and the values are now removed from the XML. (ID-11721)

When you are specifying commands or users for bulk operations via the input area of the GUI, the operation no longer fails with the “An object name must be specified.” even though you actually did specify a user name. (ID-15112)

The problems that caused OutOfMemory errors when processes intensively accessed a resource (such as reconciliation) have been addressed. (ID-16222)

To return a workItem-specific list of delegates, Identity Manager now provides the following new public methods, which take the workItemType argument. (ID-15787/14152)

Tasks

When editing a scheduled task, the start date must be re-entered using MM/DD/YYYY format (ID-5675).

Workflow

Identity Manager’s sample Notify Reconcile Finish task definition now completes and sends email notification upon completion (ID-9259).

Additional Defects Fixed

8691, 8961, 9913, 10100, 10802, 11538, 12509, 12571, 12585, 12872, 13223, 13251, 13258, 13701, 13741, 13965, 14282, 14334, 14459, 14564, 14663, 14748, 14893, 15036, 15098, 15234, 15345, 15424, 15746, 15798, 15851, 15864, 16041, 16087, 16121, 16171, 16177, 16215, 16288,

Identity Manager 7.1 Features

What’s New in This Release

Installation and Update

Administrator and User Interfaces

Auditing

Forms

Identity Manager Integrated Development Environment (IDE)

Identity Manager SPE

Reports

Repository

Resources

New Resource Adapters

Resource Adapter Updates

Roles

Security

Server

Work Items

Bugs Fixed in This Release

Administrator and User Interfaces

Auditing

Integrated Development Environment (IDE)

Identity Manager SPE

MetaView

Password Synchronization

Reconciliation

Reports

Repository

Resources

Scheduler

Security

Server

Tasks

Workflow

Additional Defects Fixed