This section describes the bugs fixed in Identity Manager 8.1, and the information is organized as follows:
Added the tabindex property to the DatePicker class. (ID-15244)
Removed an extraneous Search button on the page that displays after clicking the ... button on the Forward Remediations page. (ID-17236)
An error is no longer returned when you edit or update a user and try to assign an idmManager that does not yet exist or is missing. (ID-17339)
Removed a duplicate “Indicates a required field” from the Create Access Scan page. (ID-17417)
Click-to-focus and select issues with the MultiSelect display component have been fixed in the Mac OS X JRE. (ID-17938)
A user who can log in to multiple interfaces is no longer logged into the wrong interface when the same user credentials are being used to log into another interface at the same time. (ID-18204, 18506)
Deprovisioning a user with multiple accounts from the Administrator Interface now completes successfully. (ID-18314)
On the Awaiting Approval page and other pages that contain tables of work items, if you click an action button, such as Approve or Reject, without selecting a work item, an error message is now displayed. (ID-18472)
The administrator interface was not enforcing the challenge option when administrators used the Change My Password screen to change their password. The problem has been fixed. (ID-18578)
Changing a user password through the administrative interface no longer unnecessarily generates the "The password may not be empty" error. (ID-18579)
Corrected a problem in the Identity/Lighthouse login module where the Forgot Password option returned the error Missing value for required field "User ID" even when the user provided a User ID. (ID-18939)
Fixed the ability to query with user roles via the Find User form. (ID-18986)
Fixed UI containers so that nested fields properly inherit the required property and the noNewRow property. (ID-19040)
Identity Manager now refers to the MaximumNumberOfChildrenPerNode attribute (default is 100) in the ResourceUIConfig object to display node levels. If the number of child nodes exceeds this value, Identity Manager displays only the first 100 nodes that are returned. (ID-19434)
Corrected an unrecoverable error that occurred when editing a user in a dynamic organization. (ID-19519)
Previously, when you removed a user's Modify rights for task permissions, the user could no longer select a task, even when that user still had Delete rights and needed to select tasks for deletion. Now, the checkbox column is shown in the tasks list user interface even after the Modify permission has been removed. (ID-19718)
Images now render in the user interface when you enable relative URLs. (ID-19771, 19868)
Fixed the query creator so that it handles all logical ANDs correctly in the Find User tab. (ID-19898)
Pending work items can be viewed in the results page on the end user interface by enabling the endableEndUserProcessDiagrams flag in the System Configuration object. (ID-19919)
Audit log event reports now correctly indicate the interface that was used to respond to an attestation. (ID-16950)
When you set the xpress.traceFileOnly option to true in the Waveset.properties file, all XPRESS statement evaluations will generate trace messages to a file specified by xpress.traceFile. When the xpress.traceFile has a value, all trace messages will be redirected to both the Console and a file. (ID-19748)
Import/Export Administrators are no longer able to see administration pages and tabs they were not supposed to. (ID-19389)
The System Configuration Object is now blocked from being modified by unauthorized users. (ID-20224)
If you set the sortColumn value in a form that is invoked by a workflow, that value is no longer ignored. (ID-17781)
If an administrator has current Organization Approval, Role Approval, or Resource Approval delegation for an organization, role, or resource and loses control of that object, the Delegations page in the user UI no longer displays an error message. (ID-18951)
The Identity Manager IDE no longer modifies a role's primaryobjectclass when the Identity Manager IDE does not know about custom role types. (ID-19672)
Performing Display Schema operations for custom role types no longer returns a NullPointerException on the debug pages. (ID-19686)
Registry key exchanges between the gateway and the Identity Manager server will no longer fail if the machine running the gateway does not have a registry for the gateway. (ID-17137)
A spurious error reported during the gateway shutdown has been resolved. As a side effect, the messages written during startup and shutdown are now written to the gateway trace logs if tracing is turned on, or to the console if tracing is not on. (ID-19310)
The system now logs the IP address of a client instead of the IP address of a load balancer that sends a request. (ID-17774)
Identity Manager trace logging now fills the maximum configured number of trace log files before beginning to overwrite existing log files. (ID-19102)
Activity Report pages now use the Message field to display any additional information about audit events. (ID-19257)
In previous releases, tasks that encountered resource account provisioning failures were sometimes logged as successes in activity reports. This problem is now corrected. (ID-19283)
An error message is now displayed when a delete is attempted on a Log or SysLog object, except when running the System Log Maintenance Task or the AuditLog Maintenance Task. (Those tasks use a different method to delete objects of these types.) (ID-19356)
The Resource Account Change Password and Resource Account Reset Password operations are now audit logged with the Change Password or Reset Password audit action. In addition, the "Change Resource Account Password" workflow is now changed so that the "Audit" activity is only called when a failure occurs before the call to the changeResourceAccountPassword workflow service. (ID-19359)
Fixed an issue where the results of an access review were not audited correctly. (ID-19548)
Operations on the Server object are now audited. (ID-19606)
Resource Group modifications (Create, Update, Delete) are now audited. The Resource Group object is also known as an Application object, so the ApplicationViewer is used to operate on an Application object. Therefore, the Application viewer is where the auditing occurs. (ID-19607)
An audit log record with a failure status is now published when a delete user operation fails. (ID-19722)
PasswordSync can now correctly send administrators e-mails when user e-mails have been disabled. (ID-18110)
A possible crash caused by a NULL reference in PasswordSync was fixed. (ID-19042)
Test connections using valid certificates and self-signed certificates now work correctly. (ID-19216)
Corrected two potential buffer overruns. In both cases, buffers of fixed length could be overrun by content that was larger than the buffer. These buffers are now dynamically allocated to ensure they are large enough. (ID-19358)
Password synchronization for computer accounts has been disabled. (ID-19366)
The default install directory for Password Sync files has been changed to match the product name. (ID-20276) By default, the application will now be installed in C:\Program Files\Sun Microsystems\Sun Identity Manager PasswordSync. The default directory on the 64-bit version of Windows is C:\Program Files (x86)\Sun Microsystems\Sun Identity Manager PasswordSync\
Password policy now correctly validates any extended ASCII characters that are entered for the "must not contain words" condition. This condition also now differentiates between a complete word match and a string attribute match when displaying a Policy Violation message. (ID-19384)
A NullPointerException no longer occurs during a retry task when a reprovision with retry fails on a secondary operation. (ID-19826)
Older versions of Risk Analysis reports produced a TaskResult object that contained XML that was not valid per the waveset.dtd. Consequently, these TaskResult objects could not be re-imported into Identity Manager. New executions of the Risk Analysis reports produce valid XML that can be re-imported. (ID-14419)
Use the following procedure to update and import old TaskResult objects:
Export the TaskRef to a file, such as object.xml.
Run the following command from a UNIX shell. A corrected version of the file is written to object-fixed.xml.
cat object.xml | sed -e s/'
'//g | sed -e s/'
 '//g | sed -e s/'
 '//g | sed -e s/'
 '//g > object-fixed.xml
Import the object-fixed.xml file into Identity Manager.
By default, audit records are placed in the same ObjectGroup as the object to which the record refers. The ApproverReportTask is in the All ObjectGroup, so the audit record indicating the report was run is also placed in the All ObjectGroup. (ID-16363)
This means the audit record is visible to all administrators. If this is not desirable, then either change the MemberObjectGroup of the ApproverReportTask TaskInstance to a more appropriate ObjectGroup, or add the following XML to the AuditReport Task:
<Field name='excludeAll'>
  <Display class='Hidden'>
    <Property name='value' value='true'/>
  </Display>
</Field>
The "Interface" and "Attribute Changes" options for the X-Axis and Y-Axis for reports of type Usage Report are now mapped to valid queryable values, and a NullPointerException will not occur. "Attribute Changes" now maps to Attribute.ACCT_ATTR_CHANGES. "Interface" maps to the newly created Attribute.INTERFACE, which is a synonym for Attribute.CLIENT. (ID-16769)
The Account Index Report can now be generated properly for a user who doesn't control the Top organization. (ID-16643)
The Resource User report displays administrator names correctly. (ID-17650)
If an error occurs while generating a report in PDF format, an error message is now displayed correctly. (ID-17979)
Cloning a report now works correctly. (ID-18187)
Identity Manager no longer returns a NullPointerException when a User Report includes Extended User Attributes as its search options. (ID-19567)
Fixed an Access Denied error that occurred when a user who has been assigned more than one AdminRole tried to create a report. (ID-20067)
Task reports now display column names correctly. (ID-20131)
The MySQL error "Column 'id' in field list is ambiguous" no longer occurs when a user clicks an audit policy link in the "All Compliance Violation" report. The repository now generates DML that qualifies this column name. (ID-19900)
The name of a Change Resource Password task is now displayed correctly. (ID-6947)
A problem has been corrected with the Sybase adapter that caused the adapter to attempt to reconcile with the default Sybase system database when the database defined in the resource adapter was not available. (ID-15867)
Tabs (\u0009) now work as field delimiters for Flat File Active Sync resources. (ID-16780)
Enhanced tracing capabilities in the Scripted JDBC resource adapter. (ID-16900)
The gateway no longer overwrites the ServerKeyFileName value in the Domino Server's notes.ini file when Domino Server and the Lotus Notes client are installed on the same machine. (ID-17216)
Creating a new user with the force_change flag explicitly set to false now works correctly with Solaris resources. (ID-17401)
The Gateway service now re-establishes its database connection to SecurID in the event that SecurID is restarted. (ID-17443)
Corrected a problem where the gateway encryption key was not being updated when ScriptedGateway was the only gateway resource. (ID-17556)
Two error situations that can occur while creating a user in Active Directory now show a correct and readable error: the account already exists, and the account ID has an improper format. (ID-17587)
The SecurId ACE Server UNIX adapter now tests whether pooled connections are viable. (ID-17673)
Identity Manager now ignores the use of Lotus Domino group name aliases and does not cause invalid object errors if they are used natively. (ID-17739)
The Domino adapter deletes script files that are created during create and post update actions. (ID-18136)
The Active Directory resource adapter now correctly processes non-zero exit codes from delete before actions. (ID-18241)
A Lotus Domino resource now returns connections to the connection pool properly. (ID-18417)
The Name account attribute for the Exchange 2007 adapter is a create-only attribute. Modifying the attribute causes undefined side effects and could leave the user unmanageable from Identity Manager, so modification is no longer supported. (ID-18606)
Gateway resource adapters no longer overwrite read-only account attributes. (ID-18932)
The OracleERP resource adapter no longer returns a no data found error when looking up responsibilities that have not yet been provisioned to users. (ID-19056)
The OracleERP resource adapter no longer returns an error when looking up a responsibility that has a non-unique name. (ID-19057)
The LDAP resource adapter no longer requests a uniqueMember attribute when testing a group membership. (ID-19134)
Fixed a memory leak in the Domino Gateway adapter. (ID-19139)
The gateway no longer crashes when a "get info" message is sent to a Scripted Gateway resource. (ID-19249)
The Manage Server Encryption task no longer corrupts objects of the type GatewayEncryptionKey when it stores a time stamped copy of the key. (ID-19250)
Corrected a problem where the SAP resource adapter could not unlock users who were locked after too many wrong logins. (ID-19252)
The deprecated DominoActiveSyncAdapter is no longer delivered. The Domino resource adapter now contains this functionality. (ID-19281)
The gateway no longer crashes when running a reconcile on a Windows NT resource. (ID-19295)
The NDS gateway no longer sends a false warning message about the User class when processing non-user NDS objects. (ID-19362)
Legacy Exchange 2000/2003-enabled mail users are now reported as AD-only users (RecipientType equals User) when Exchange 2007 support on the adapter is turned on. Exchange 2000/2003 users can be distinguished from AD-only users by the legacyExchangeDN and other Exchange 2000/2003 attributes. (ID-19393)
The "Uid is not unique" error is now thrown when a user ID is changed to the same value as another user ID in the Red Hat Linux resource. (ID-19395)
Identity Manager now correctly passes SAP Access Enforcer custom attributes to Access Enforcer. (ID-19427)
LDAP groups with multiple objectClasses are now stored correctly. (ID-19436)
The Solaris, HPUX, AIX, and Linux adapters running NIS now prevent you from creating an account with a uid in use or changing the uid to that of an account that already exists. (ID-19465)
The gateway now returns Exchange 2007 attributes correctly if they are requested as part of the getAllObjects() call on an Active Directory adapter. (ID-19492)
The AIX adapter no longer deletes all group members when updated with invalid users. (ID-19516)
Fixed an issue that occurred when deleting a user's primary group on Red Hat and AIX. If the resource threw an exception and failed to delete the group, the Administrator Interface would report a success. The error is now reported correctly. (ID-19520)
Identity Manager now correctly interprets the error code returned from Red Hat Enterprise Linux 5 when a user is assigned to a nonexistent group. (ID-19523)
Using non-root access through SSH from the shell script adapter now works correctly. (ID-19583)
Using the ExcludedAccountsRule for operation updates no longer yields a null accountID. (ID-19585)
Using LDAP reserved characters, such as an asterisk (*), for LDAP authentication no longer locks out all LDAP users. (ID-19588)
The AIX resource adapter updates the secondary group list correctly. (ID-19628)
The Oracle resource adapter now allows you to use the question mark (?) and braces ({ }) characters in an account password. (ID-19653)
The SecurId ACE Server for Windows adapter has been enhanced so that the adapter now confirms that both the gateway and the backing SecurId environment are responding to queries for work. (ID-19667)
Full reconciliation now correctly alters account disabled status. The LDAP resource adapter now checks disabled status during reconciliation. (ID-19708)
Now, when you create or modify a user with an invalid login shell for NIS resources, an error occurs. (ID-19755)
Identity Manager no longer loses updates in Active Directory while running synchronization. (ID-19905)
A disabled user's SiteminderLDAP account status will now be displayed correctly on the Edit User page using Tabbed User Form. (ID-19931)
The Windows NT resource adapter no longer supports groupType resource objects. (ID-19791)
The SecurId UNIX resource adapter processes comma-separated group values correctly. (ID-20152)
An administrator can assign more than one group and client to a user in the SecurId Windows adapter. (ID-20153)
Control characters (0x00-0x1f, 0x7f) in a user password now throw an error for the Linux, AIX, Solaris, HPUX, and ShellScript resource adapters. (ID-20174)
A contained role now must be removed from the role(s) to which it has been assigned before it can be deleted. (ID-18981)
A problem that prevented system deployers from saving and importing roles in the Identity Manager IDE has been fixed. (ID-19036)
Fixed a problem that caused Identity Manager running on JDK 1.6 to fail to assign roles assigned to a Business Role. A symptom of the problem included Identity Manager identifying a Business Role as an IT Role after the Business Role was assigned. This problem was limited to JDK 1.6. (ID-19086)
Corrected a problem where the SPML viewer threw a ClassCastException when setting a ResourceAttribute value to a String value while modifying a role. (ID-19177)
A problem that prevented roles from being assigned to users by way of custom user forms has been fixed. The problem occurred when roles were assigned using non-refreshable UI components, such as the text box. (ID-19241)
The following functions now work correctly for users with dynamic admin roles: (ID-19456)
Canceling approvals
Viewing the history of a work item
Running a report
RoleAttribute list values now perform correctly. (ID-19981)
An issue has been corrected that occurred when Identity Manager Service Provider is configured to use the organization attribute. An Identity Manager administrator that does not control Top was unable to update Service Provider end-users and received the following error: "User must have a value for the 'org' attribute." (ID-18329)
The EmailUtil API call and sendEmailToAddress() method now handle a null HTTP Request sent as arguments to the call. The method now checks for the null case when determining the locale from the HTTP Request and defaults correctly to the appropriate locale without a NullPointerException. (ID-17755)
When a server running Active Sync for a resource with startup type "Automatic with Failover" is not able to connect to the Identity Manager repository, the task will not poll the resource for changes. If the Active Sync task can establish a connection with the repository at a later scheduled polling time, it will exit if another Active Sync task for that resource has already been started on another Identity Manager server in the cluster. (ID-19452)
When the SystemConfiguration attribute named ProvisioningDisabledUserShouldThrow is set to true, any attempt to provision a disabled user to a resource will be prevented and will produce an error. When the attribute is not set to true, then the provisioning will still be prevented, but it will NOT produce an error. (ID-19433)
17055, 18242, 19019, 19065, 19244, 19288, 19651, 20352