Sun Identity Manager 8.0 Release Notes
Identity Manager 8.0 Features
This section of the Identity Manager 8.0 Release Notes provides information about
What’s New in This Release
This section provides additional information about the new features provided in Identity Manager 8.0, and the information is organized into the following sections:
Sun’s New Patch Process
Beginning with the release of Identity Manager 7.1 Update 1, updates containing major and critical customer-reported bug fixes are now delivered through a patch process, which replaces the older hot-fix process.
Patches are developed, tested, and released at six-week intervals. Each patch has a GUI installer as well as a manual installation option, and it updates the files in /WEB-INF/lib. Instructions for installing the patch are included in the patch Release Notes, which are distributed in PDF format. Any fixes to the Gateway or to PasswordSync are described in the patch Release Notes and require a separate update of those components when the patch is installed.
Identity Manager patches are cumulative: each patch contains every fix delivered by the patches before it, so you do not need to track individual fixes across patches. Plan to update to the latest patch level when installing or upgrading to a major or minor release. For example, if patch 3 is available when you install or upgrade to 8.0, apply patch 3 after installing or upgrading to 8.0. You do not need to install patches 1 and 2 first, because patch 3 contains everything in the previous patches.
The patch process also makes it easier to track a fix by its actual bug number. However, a fix made against an older version may not yet be available in a newer version. Regardless of which process your current version of Identity Manager follows, confirm that the target Identity Manager version contains all of the bug fixes you need before upgrading.
When a new patch is released, an announcement is sent to customer support, and patches are obtained through customer support. Contact Sun customer support at http://www.sun.com/service/online/us for the latest available patch.
Major Features
Identity Manager 8.0 provides the following major new features:
Role Enhancements
Identity Manager 8.0 adds Role life-cycle management, which can require change approval for role creation, editing, and deletion, and can apply role changes to all assigned users. User-to-Role life-cycle management has also been improved to support future and temporary role assignments. Role types with configurable features (by default Business Roles, IT Roles, Applications, and Assets) are now provided to encourage role-management best practices. For example, a Business Role can contain roles that are required for everyone, conditional for some users, and optional for others (assigned on request, possibly subject to approval). This lets the Business Role designer define coarse-grained access while delegating to the user or the user's manager the ability to fine-tune the access assigned to each user, within the scope of a single Business Role.
Enhanced Reporting with Data Exporter
The Data Exporter feature has been added to make the operational data used and produced by Identity Manager available to other processes and applications. Data Exporter allows data held by and flowing through Identity Manager to be periodically exported to a customer-managed data warehouse or to third-party business intelligence and reporting tools. Data exporting is optional; when it is enabled, customers can configure when and what data is exported. The exported data can be used to answer historical questions such as 'Who had access to Resource X, and who approved that access?'. It can also be used to report on Identity Manager's operational behavior over time, such as 'Provision Operations by Resource' and 'Workflow Manual Action Response Times'. Decoupling the operational data (held inside the Identity Manager repository) from the historical data (exported by Data Exporter) gives the user explicit control over the life cycle of this data. Providing the data in a documented, schema-conformant form lets the user build and run analysis processes that remain valid across future releases of Identity Manager.
Attribute Configuration
Extended, queryable, and summary attributes can now be configured for roles as well as users. The new extended attribute configuration supports specification of value syntax (STRING, INT, DATE, or BOOLEAN), whether the attribute can have a single or multiple values, and a text description for the attribute.
Administrator and User Interfaces
- Users now can specify a custom form for the Question Login form and Anonymous Login form through the Configure Form and Process Mappings page. (ID-4697)
- The role administration interface has been enhanced to support the new roles functionality. See the “Roles and Resources” chapter in the Identity Manager Administration 8.0 publication for details. (ID-15518)
- By default, process diagrams have been turned off in this release of Identity Manager. Process diagrams can be turned on by modifying the System Configuration object and restarting your application server(s). For instructions, see the “Enabling Process Diagrams” section in Identity Manager Administration 8.0. (ID-16337)
- An optional safe-guard has been added to the Edit Reconciliation Policy page. This option evaluates the number of missing accounts on a resource and, if a threshold is exceeded, prevents the reconciler from unlinking them. See the “Data Loading and Synchronization” chapter in the Identity Manager Administration 8.0 publication for details. (ID-16391)
- Identity Manager's behavior has changed with regards to users with pending work items who need to be deleted from Identity Manager. For details, see Identity Manager Administration 8.0, "Administration" chapter, "Managing Work Items" section, "Delegations to Deleted Users" subsection. (ID-16417)
- When defining an AdminRole, the scope of control can be specified to exclude all controlled child organizations and their contained objects by selecting the Exclude All Controlled Child Organizations and Contained Objects checkbox. If not selected, a user assigned the AdminRole will be granted the associated capabilities on all child organizations and their contents. (ID-16859)
- Admin roles now will be displayed as names in search results. (ID-17130)
- Identity Manager 8.0 simplifies the results pages in the End User Interface to display a status message instead of a process diagram. On upgrade, the default is to retain the original process diagrams, while new installations display the status message. Process diagrams can be turned back on for the end-user interface by clicking Configure > User Interface and enabling the Enable End-User Process Diagrams setting.
To enable process diagrams for the end user interface, process diagrams must be enabled for the product as a whole. For more information on enabling process diagrams for the product as a whole, please reference ID-16337 in Administrator and User Interfaces. (ID-17365)
- The end-user login form has been simplified and rearranged to improve usability.
The JSP user/login.jsp has been modified, so any user customizations to this file will need to be manually merged on upgrade. (ID-17368)
- The new default End User Password Change form allows users to change their password. The password policies for all resources assigned to the user are aggregated and summarized in this form, and password changes apply to all assigned resources. The original Basic Change Password form should be specified for deployments in which the user needs to select which resources to apply the password change to. (ID-17371)
- The error message presented to users at login indicating the need to answer authentication questions is now rendered as a warning. (ID-17549)
- When the Anonymous Enrollment feature is enabled, the end-user User Interface no longer displays a "Request Account" button. Instead, the text "First time user?" displays, followed by a "Request Account" link. Additional information is displayed below the link. The text on this page is customizable. See the Identity Manager Technical Deployment Overview publication for details. (ID-17582)
- The DatePicker display component now has a disableTextInput property that can be utilized to prevent user input via a text field, which forces the user to select a date via the pop-up calendar. (ID-17586)
Auditing
- Audit log entries that describe resource account provisioning actions will now be visible to audit administrators in the object groups that contain the affected resources, whether or not these groups contain the user that is the subject of the action. (ID-17724)
- Email notification events are now audited. In the Administrator interface, there is a new Audit Group on the Audit Configuration page (Configure > Audit) named Event Management. (ID-17734)
Data Exporter
Forms
- Fields having a “confirm” property value referring to a source component (for example, the Confirm Password field of the tabbed user form) no longer have their values automatically set to the source component’s value when the form is submitted to the server and the confirm component’s value is null. Because of this change, ensure that any source/confirm field pairs having a default expression apply the expression to both the source field as well as the confirm field. (ID-17838)
Identity Manager Business Process Editor (BPE)
Identity Manager Integrated Development Environment (Identity Manager IDE)
- The Identity Manager Integrated Development Environment (Identity Manager IDE) application is now provided on https://identitymanageride.dev.java.net. Instructions for installing, configuring, and migrating projects are also provided on this site. (ID-17700)
Installation
Password Synchronization
- There are separate installers for the 32-bit and 64-bit versions of PasswordSync. The 32-bit installer runs only on 32-bit versions of Windows, and the 64-bit installer runs only on 64-bit versions of Windows. Attempting to run the wrong installer causes an error. (ID-17290)
Reports
- Identity Manager Usage Reports and Identity Auditor Policy Violation Reports now include charts when downloaded in PDF format. (ID-10719)
- A new report named “Individual User Audit Log Report" is now available. As with the AuditLog reports, the Individual User AuditLog report is based on events captured in the system audit log. This report, however, prompts for a user to report on, and returns a list of activities that have been performed on that user. For more information, see the “Reporting” chapter in the Identity Manager Administration 8.0 publication. (ID-16976)
- The AuditReportTask (and any report that uses the LogRecordFormatter) can now select which columns appear on the report. Use the useCustomColumns and customColumns attributes in the TaskDefinition and the TaskTemplate. (ID-17712)
- You can now customize reports so that administrators who have only run-report capabilities can specify report parameters before running a report. (ID-17733) This change allows these administrators to set the report parameters before running the report or before downloading a .csv or .pdf file. Identity Manager does not save changes to the report definition that are generated this way.
To use this feature for existing reports, add alwaysProcessForm (set to true) to the TaskTemplate. To add this feature to new reports other than the Individual User Auditlog Report, add a field named alwaysProcessForm (set to true) to the TaskDefinition launch form.
The administrator who is executing a report with alwaysProcessForm (set to true), should have the appropriate capabilities to fetch the desired data from the repository. For example, if the report will report on roles, the administrator must have the capability to obtain a list of available roles.
- You can select which columns appear in the Individual User Audit Log Report (and any report whose executor is com.waveset.report.AuditReportTask) by using the useCustomColumns and customColumns attributes in the TaskDefinition and the TaskTemplate. For any report other than the Individual User Audit Log Report, the TaskDefinition and TaskTemplate objects must be updated to include the customColumns feature. (ID-17744)
Repository
- Identity Manager installations that use Oracle as the repository have the option of converting the accountAttrChanges field in the audit log table from VARCHAR(4000) to CLOB. This change is optional, and should only be performed if you have noticed truncation errors in the audit log. The sample DDL script is in web/sample/convert_log_acctAttrChangesCHAR2CLOB.oracle.sql. Be sure to back up the affected tables before running the conversion script. (ID-17343)
Resources
New Resource Adapters
The following new resource versions have been added this release:
Resource Adapter Updates
- The mainframe adapters support IBM Host on Demand V10. (ID-6419)
- The Microsoft SQL Server adapter resource wizard now simplifies the selection of databases and automatically maintains the userName$(dbname) and roles$(dbname) attributes in the schema accordingly. (ID-8546)
- The SAP adapters can now display internationalized messages. (ID-9077)
- The com.waveset.adapter.AttrParse class has been removed. Use com.waveset.object.AttrParse instead. (ID-11870)
- The UNIX adapters now support SSHPubKey connections. This new feature allows users to connect to remote hosts without entering a password for a trusted workstation. (ID-11959)
- The SAP adapter can provision to any SAP table called by BAPI_USER_CREATE1 and BAPI_USER_CHANGE, most notably the GROUPS and PARAMETER tables. (ID-12217)
- The name of an Account can now include "@" symbols as long as the resource that defines the account allows this. (ID-12383)
- The RACF and RACF LDAP adapters can be configured to support attributes that are not in the segments supported by default. (ID-13351)
- The SAP Resource Adapter now returns the list of available user types and user groups. (ID-16123)
- The same gateway can now be used for both provisioning and pass-through authentication of NetWare accounts. See the Identity Manager Resources Reference for information about implementing this feature. (ID-16584)
- The Ignore Siebel 8.0 nextRecord() Error resource parameter allows the Siebel CRM adapter to ignore the nextRecord() error that occurs on Siebel 8.0. For more information about this error, refer to Siebel Alert 1315. (ID-16779, 18159)
- The SAP adapter does not attempt to rename accounts when the Enable CUA resource attribute is set to true. (SAP does not support renames when in CUA mode.) (ID-16986)
- The database table resource adapter now supports renaming accounts. (ID-16993)
- Added the Number of Users Read per Connection resource parameter to the SAP adapter. This parameter ensures that memory is being released in a timely manner. (ID-17017)
- The Solaris resource adapter can now force users to change their passwords upon next login. To enable this feature, add expirePassword to the Identity System User Attribute column of the schema map and force_change to the Resource User Attribute column. This attribute type must be set to string. (ID-17032)
- The SAP, SAP HR, and AccessEnforcer (underlying SAP implementation) adapters now support Secure Network Communications (SNC). See the Identity Manager Resources Reference for information about implementing this feature. (ID-17059)
- The built-in Identity Manager pool for JDBC connections has been improved to support a maximum idle timeout. Connections which are held unused in the pool longer than the maximum idle timeout are closed and discarded. (ID-17107)
During an upgrade to 8.0, existing resource instances of the following adapters will be altered to use a setting of 600 seconds (10 minutes) for the maximum idle timeout:
Custom resource adapters that extend JdbcResourceAdapter can also take advantage of the new feature by adding a resource attribute named idleTimeout.
The debug/Show_JDBC.jsp page has been enhanced to display additional information related to idle timeouts.
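As an added illustration of how an idle-timeout reaper behaves inside a pool (example code, not Identity Manager's JdbcResourceAdapter), the following Python model closes and discards any connection that has sat in the pool longer than the timeout and hands out the most recently returned connection first, so the oldest idle connections keep ageing toward the timeout and the pool shrinks under low load. FakeConnection, IdleTimeoutPool and the injectable clock are constructs of this example; the 600-second default mirrors the value applied to upgraded resource instances described above.

```python
import threading
import time
from collections import deque


class FakeConnection:
    """Constructed stand-in for a JDBC connection; it only records whether close() ran."""

    def __init__(self):
        self.closed = False

    def close(self):
        self.closed = True


class IdleTimeoutPool:
    """Connection pool that closes and discards connections idle longer than idle_timeout.

    The clock is injectable (default time.monotonic) so the reaping logic can be
    exercised without sleeping. idle_timeout defaults to 600 seconds.
    """

    def __init__(self, factory, idle_timeout=600.0, max_size=8, clock=time.monotonic):
        self._factory = factory
        self._idle_timeout = idle_timeout
        self._max_size = max_size
        self._clock = clock
        self._lock = threading.Lock()
        self._idle = deque()      # (connection, time it was returned); oldest on the left
        self._in_use = set()
        self.discarded = 0        # connections closed by the idle reaper

    def _reap_idle(self):
        """Close connections unused for longer than the timeout (called with the lock held)."""
        now = self._clock()
        while self._idle and now - self._idle[0][1] > self._idle_timeout:
            conn, _ = self._idle.popleft()
            conn.close()
            self.discarded += 1

    def acquire(self):
        with self._lock:
            self._reap_idle()
            if self._idle:
                # Most recently returned connection goes out first (LIFO), so the
                # oldest idle ones are the ones that eventually time out.
                conn, _ = self._idle.pop()
            elif len(self._in_use) < self._max_size:
                conn = self._factory()
            else:
                raise RuntimeError("pool exhausted")
            self._in_use.add(conn)
            return conn

    def release(self, conn):
        with self._lock:
            self._in_use.discard(conn)
            self._idle.append((conn, self._clock()))

    def idle_count(self):
        with self._lock:
            return len(self._idle)


def simulate():
    """Drive the pool with a fake clock and report what the reaper did."""
    now = [0.0]
    pool = IdleTimeoutPool(FakeConnection, idle_timeout=600.0, clock=lambda: now[0])
    a = pool.acquire()
    b = pool.acquire()
    pool.release(a)              # a returned at t=0
    now[0] = 100.0
    pool.release(b)              # b returned at t=100
    now[0] = 650.0               # a has been idle 650 s (> 600); b only 550 s
    c = pool.acquire()           # reaper closes a, then b is handed out
    return {
        "reused_b": c is b,
        "a_closed": a.closed,
        "discarded": pool.discarded,
        "idle_after": pool.idle_count(),
    }


if __name__ == "__main__":
    print(simulate())
```

The reaper runs on acquire rather than on a background thread, which is enough to demonstrate the policy; a production pool would also sweep idle connections periodically so they are released even when no new requests arrive.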
- Identity Manager SAP adapter now provides the accountLockedNoPwd and accountLockedWrngPwd account attributes. The accountLockedNoPwd attribute indicates whether the account is locked because the user has no password. The accountLockedWrngPwd attribute indicates whether the account is locked because of failed login attempts. (ID-17296)
- The sendKeys(EncryptedData) method has been added to the HostAccess class and can be used to avoid logging passwords. (ID-17544)
- The database table adapter handles the Oracle timestamp datatype properly if you select the Native Timestamps check box on the Resource Parameters page. (ID-17551)
- A new resource parameter, Receive Timeout, is now available on the JMS Listener adapter. It configures how long the adapter waits for an incoming message before terminating the poll. The default is 10 seconds. (ID-17935)
- The JMS Listener adapter now establishes a new connection for each poll. (ID-17941)
- The JMS Listener adapter can now be monitored with Java Management Extensions (JMX). (ID-17943)
- Password updates to NDS Groupwise now handle encrypted passwords correctly. (ID-18020)
- A resource parameter, Search Scope, has been added for Sun Access Manager resources in legacy mode. This attribute specifies the scope for searches of Access Manager objects. Valid values are oneLevel and subTree. subTree is the default value. (ID-18079)
Roles
Identity Manager detects and creates links from existing super roles back to the subroles that reference them. During upgrade, Identity Manager invokes the RoleUpdater class used to repair the roles.
You can update roles outside the upgrade process by importing a new RoleUpdater.xml file found in sample/forms/RoleUpdater.xml. By default, Identity Manager adds the subrole links during upgrade or when you import RoleUpdater.xml.
To disable this new functionality, set the RoleUpdater attribute nofixsubrolelinks to true. For example,
- Role management in Identity Manager has undergone a major revision. New functionality has been added that greatly enhances the ability to do Role life-cycle management, as well as User-to-Role life-cycle management. Identity Manager now supports four role types: Business Roles, IT Roles, Applications, and Assets. Organizations that upgrade from an earlier version of Identity Manager to version 8.0 will automatically have their legacy roles converted to IT Roles. For detailed information on how roles work in Identity Manager 8.0, see the “Roles and Resources” chapter in Identity Manager Administration 8.0. (ID-17677)
- The role administration interface now supports the ability to apply role changes to assigned users. (ID-17719)
- The user summary and role reports now report more information about roles and role assignments. (ID-17751)
- Identity Manager now supports extended attribute values on roles. (ID-17770)
Scenarios
- Identity Manager 8.0 does not include the Sun Communications Services scenario previously located in idm/sample/scenario1, and the HR Database/Active Directory Deployment scenario previously located in idm/sample/scenario2. References to these scenarios are no longer included in the Identity Manager Technical Deployment Overview. (ID-18519)
Security
- The question login interface now works naturally when used with pass-through authentication using LDAP and AD resources. Previously, when users forgot their passwords, they were required to enter their Identity Manager account ID (which they might not have known) instead of the resource account ID. The interactive challenge page now requires the user to re-enter both their resource account ID and password, where previously only the password was required. (ID-9616)
- SSH authentication now allows private/public key pairings. This new feature allows users to connect to remote hosts without entering a password for a trusted workstation. (ID-11959)
- Passwords stored in the password history section of the user object will now be stored in original case. The comparison made during enforcement of the password policy remains case-insensitive, so this change will not affect product behavior. (ID-12705)
- This release includes a security feature that prevents Cross-site Request Forgery (CSRF) attacks. The feature is not enabled by default. Cookies are required for this feature: if you have cookies disabled for security reasons, do not enable it, because doing so will prevent you from using Identity Manager. The cookie contains no user-sensitive data and lives only in memory for the duration of the user's session. (ID-16703)
To enable the CSRF guard, edit the System Configuration object and set security.csrfGuardToken.enable to true. See Identity Manager Administration 8.0 for instructions on editing the System Configuration object.
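The following Python sketch is an added example of the synchronizer-token pattern that guards of this kind implement; it is not Identity Manager's implementation, and the cookie name JSESSIONID, the field name csrfToken and the functions new_session, csrf_token_for and csrf_guard are assumptions of the example. It shows why a session cookie is required (the token is bound to the server-side session the cookie identifies) and why the token itself carries nothing user-sensitive:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store (session id -> per-session state). A real
# deployment keeps this on the application server's session object; nothing is
# persisted, so the token disappears when the session ends.
_SESSIONS = {}

SESSION_COOKIE = "JSESSIONID"   # assumed servlet-container cookie name
TOKEN_FIELD = "csrfToken"       # hypothetical hidden form field / request parameter
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session() -> str:
    """Start a session and return the opaque id the browser keeps in its cookie."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = {}
    return sid


def csrf_token_for(sid: str) -> str:
    """Return the session's anti-CSRF token, minting it on first use.

    The token is random and unrelated to the user, so it carries no sensitive
    data; the server embeds it in every state-changing form it renders.
    """
    state = _SESSIONS[sid]
    if "csrf" not in state:
        state["csrf"] = secrets.token_urlsafe(32)
    return state["csrf"]


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for the example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_guard(req: Request, enabled: bool = True) -> bool:
    """Return True if the request may proceed, False if it must be rejected.

    A cross-site attacker can make the victim's browser send the session
    cookie, but cannot read the token out of a page in the victim's session,
    so a forged request cannot supply a matching token.
    """
    if not enabled or req.method in SAFE_METHODS:
        return True
    sid = req.cookies.get(SESSION_COOKIE)
    if sid is None or sid not in _SESSIONS:
        # No usable session cookie: with cookies disabled every POST lands
        # here, which is why the feature must stay off in that case.
        return False
    expected = _SESSIONS[sid].get("csrf")
    submitted = req.form.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time comparison
```

A request that arrives without the session cookie fails the guard even when it carries a valid token, which is the behaviour the note above describes for browsers with cookies disabled; a token minted in one session is likewise rejected in another.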
- Identity Manager now includes a new task-based capability named Debug that the Identity Manager debug pages require before users can access and execute operations. Previously, users with certain capabilities could potentially access and execute operations from the debug pages without proper permissions. Now, users who do not have the Debug capability will be sent to an error page. By default, the administrator and configurator users are assigned this capability. Additionally, the Waveset Administrator and Security Administrator capabilities include this new Debug capability. (ID-16999)
- The ability to set an expiration period for accounts that have been locked due to multiple errors in answering questions to login has been added. To implement this feature select the following options:
- Failed password and question login counters are not cleared during automatic account lockout expiry. Both failed password and failed question login attempts are correctly displayed in end-user and administrator interfaces. (ID-17412)
- Waveset.properties now includes the ui.web.baseHrefURL property to support configuration using relative URLs. (ID-17763)
- Identity Manager now supports configuration of PKCS#11 keystores. To incorporate the keystores, it was necessary to make a non-backwards-compatible change to the TransactionSigner HTML component. (ID-17769)
The display property supportedKeyStoreTypes is no longer supported. There is now a single-valued supportedKeyStoreType. This can be one of the following: JKS, PKCS12, PKCS11. The default is determined by the system configuration property security.nonrepudiation.defaultKeystoreType. In general, it should be sufficient to simply set the system-wide property security.nonrepudiation.defaultKeystoreType.
In order to add PKCS11 signing support, the TransactionSigner applet must use functionality only available in JRE 1.5. Any clients using the TransactionSigner applet must have JRE1.5 installed and configured as the JRE for their browser.
Server
- Performance with object groups that have dynamic members has been significantly improved, and the gain grows with the number of users that are dynamic members of the object group. (ID-17561)
- Identity Manager 8.0 consolidates the locations where an administrator specifies extended, queryable, and summary attributes for user objects into the new IDM Schema Configuration object. (ID-17784) In prior versions of Identity Manager, an administrator edited the User Extended Attributes configuration object to add extended attributes for user objects and the UserUIConfig configuration object to specify additional queryable or summary attributes for user objects. An administrator now edits the IDM Schema Configuration object for these purposes.
Changes to the IDM Schema Configuration object are not effective for an Identity Manager server until the next time the server starts. The presence of the IDM Schema Configuration object inhibits re-conversion. For more information, see the Upgrade Issues section of the Release Notes.
SPML
- The OpenSPML implementation now includes a SPML timeout setting for Web Service calls. (ID-17687)
- Those who used SPMLv2 in previous releases, and depended on the value of the "objectclass" attribute, should be aware that the value of that attribute is now maintained under the "spml2ObjectClass" attribute. (ID-17757)
Synchronization
- Previously, the idmManager attribute was not showing up under the activesync namespace on certain adapters during Active Sync form processing. In this release, the toHashMap method has been modified to append the idmManager attribute to the returned Map so that it can be synced against during Active Sync. (ID-16717)
Other
- The com.waveset.server.Server functions public Map getResourceObjectListCache() and public Map getResourceObjectGetCache() have been deprecated. These caches are internal data structures. Code depending on these structures will no longer function. (ID-14790)
- Identity Manager now has a product registration feature. To register, you will need a Sun Online Account and password. If you do not have a Sun Online Account, you can register for one by completing the form at this address: (ID-17133)
Identity Manager can be registered from the console or by using the Administrator interface. Registering from the console allows you to also create a local service tag, which can be used with Sun Service Tag software to track your inventory of Sun systems, software, and services. For more information, see the “Registering Identity Manager” section in Identity Manager Administration 8.0.
Bugs Fixed in This Release
This section describes the bugs fixed in Identity Manager 8.0, and the information is organized as follows:
Administrator and User Interfaces
- Users now can specify a custom form for the Question Login form and Anonymous Login form through the Configure Form and Process Mappings page. (ID-4697)
- The DatePicker form UI component now supports action=true. (ID-4930)
- The NetCharts applet has been replaced by a JGraph image. (ID-14736)
- The Server Tasks table now sorts correctly based on type. (ID-14850)
- When enforcing a password policy, Identity Manager was not including the initial user password in the password history. Instead, only changed password values were being tracked. This meant that if a policy stated that the past three passwords could not be reused, and a user had only changed their password twice, Identity Manager would still allow the initial password to be reused. This bug has been fixed in this release. (ID-15026)
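The following Python model is an added example (not Identity Manager's code) of the two history behaviours described in ID-15026 here and in ID-12705 under Security: the initial password is entered into the history as soon as the user is created, so it cannot be reused within the policy depth, and the reuse check is case-insensitive. A hash-based history can only compare case-insensitively if it normalizes before hashing, so this example hashes the casefolded password; Identity Manager itself keeps the original-case value, as ID-12705 notes. PasswordHistory, _digest and the PBKDF2 iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 30_000   # example value; tune to the deployment's CPU budget


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the case-folded password.

    Folding case before hashing is what makes the reuse check case-insensitive;
    the primary credential check elsewhere stays case-sensitive, so this costs
    nothing there.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.casefold().encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class PasswordHistory:
    """Remembers the last `depth` passwords (current one included) for a reuse check."""

    def __init__(self, initial_password: str, depth: int = 3):
        self.depth = depth
        self._entries = []            # (salt, digest), oldest first
        # The initial password counts from the start (the ID-15026 fix): without
        # this, a user who changed passwords twice could go back to it.
        self._remember(initial_password)

    def _remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-self.depth]          # keep only the newest `depth`

    def was_used(self, candidate: str) -> bool:
        return any(
            hmac.compare_digest(digest, _digest(candidate, salt))
            for salt, digest in self._entries
        )

    def change(self, new_password: str) -> bool:
        """Apply a password change; return False if policy rejects it as a reuse."""
        if self.was_used(new_password):
            return False
        self._remember(new_password)
        return True
```

With depth 3, the initial password stays blocked until three later passwords have been set, and a case variant such as WELCOME1 for Welcome1 is rejected as a reuse.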
- When unassigning resource accounts from a user using the Edit User functionality in the UI, the SITUATION of the accounts in the account index are now properly updated in all cases. (ID-15310)
- Previously, the end-user interface menu that allowed approval work-items to be forwarded to another approver was not populated correctly. This has been fixed. Now this list is populated with a list of approvers that is within the scope of control of the user logged into the end-user interface. (ID-15935)
- Previously, when a timeout occurred on a ManualAction WorkItem, the timeout error was not returned to the user. Instead, the user would receive a stale workflow process diagram that gave the impression that the form had been processed correctly. This has been fixed. Now the user is redirected to the workItemTimeout.jsp page unless the IgnoreTimeout option is enabled. (ID-16467)
- You can now edit and save current or previous workItem delegations. (ID-16564)
- When an administrator creates delegations on behalf of a user, the administrator cannot select delegates outside of the user's scope of control. The administrator’s scope of control is now the same as the user on whose behalf the delegation is being made. Previously, when creating delegations on behalf of a user, administrators could select delegates that users could not. (ID-16561)
- The UI will now display failed password login and failed authentication question login numbers when Sun Identity Manager is unable to authenticate a user. (ID-17188)
- Sorting in the user interface Pending Approvals table works correctly. (ID-17304)
- The results page following an operation now always includes an OK button. (ID-17482)
- A confirmation page indicating success or failure always displays after a password is set through the Forgot My Password button, for new installations and for upgrades where System Configuration.forgotPasswordChangeResults.User has not been explicitly set. If System Configuration.forgotPasswordChangeResults.User was explicitly set, the behavior is unchanged. (ID-17619)
- Drop-down boxes for month values now display a complete list of months in all browsers. (ID-17740)
- Several cross-site scripting (XSS) vulnerabilities are now fixed. (ID-17748, 18054)
- Tables generated by the SimpleTable UI display component and the gentable.jsp file now correctly close <TH> tags in the rendered HTML. (ID-17945)
- When a single browser is connected to both the end user interface and the administrative interface, forms are now displayed only at the appropriate interface. (ID-18039)
- JavaScript is not allowed in the Status column of the resource lists, but safe HTML markup is allowed in the string content and is now displayed correctly. (ID-18050)
- An error in the bulk operations Form now generates an InlineAlert without visible HTML markup. (ID-18338)
- A directory traversal vulnerability has been fixed in the UI, which allowed users to gain unauthorized access to files residing on the Identity Manager server. (ID-18653)
- The List Accounts page now displays more quickly. (ID-18751)
Auditing
- The Audit log now properly logs “Prioritize” actions. (ID-16924)
- Previously, when creating an Audit Policy where the policy is restricted to a resource with an account type, a NullPointerException would occur in the user interface. This problem has been fixed. (ID-16977)
- Previously, creating an Audit Policy rule using “isTrue” would result in an error stating the rule requires a comparison value. This problem has been fixed. (ID-17041)
- Attestation comment text is no longer cleared inappropriately. (ID-17418)
- Email notification events are now audited. (ID-17708)
- Duplicate database keys are now removed from the audit log. The duplicate keys are extended type (AV) and extended action (PE). (ID-18642)
The actions that are logged with the PE key are EndProcess and PreOperation. The PreOperation action now uses a DB key of PP. The types that are logged with AV are AccessReview and AccessReviewWorkflow. The AccessReviewWorkflow type now uses a DB key of AW.
Existing audit records with PE are interpreted as EndProcess actions by auditlog reports. Existing records with AV are now interpreted as AccessReview.
Updating audit records in the database with SQL can be a security concern (because the records will appear to have been tampered with), so it is recommended that these records (with PE or AV as the logDb Key) created before version 8.0 be ignored.
Delegations
- Delegation cycles are now checked at execution time and at creation time. (ID-17387)
- In a two-hop delegation, any existing remediation work items now revert back to the first delegator when the first delegator ends the delegation for remediation work items. (ID-18435)
- All possible work item types that can be delegated now appear in the drop down list when delegation is being configured. In the Administrator UI, the delegation drop down no longer filters the work item types that appear, so all possible work item types that can be delegated are now listed. In the end user UI, only the five basic work item types are listed in the drop down list. (ID-18496)
- Identity Manager 8.0 added role type and role change approvals (including role type specific change approval), along with the ability to delegate these work item types. Support was also added to allow specific roles to be designated when delegating new role type or role change work item types. (ID-18558)
Forms
Installation
lh Console
Logging
- The com.waveset.ui.FormUtil class now prints a brief message to the application server log that refers to the system log when ClassNotFoundException errors (and other errors encountered in this class) occur. The system log now contains the details of the error. Previously, the stack traces of these exceptions were printed to the application server log. (ID-18473)
Organizations
- The User and ObjectGroup objects were enhanced (defect 14973) to support multiple per-user/per-objectgroup custom forms, extending the two (View User, Edit User) that they previously supported. These new forms are stored in a <CustomForms> element in the XML for both User and ObjectGroup. waveset.dtd did not declare <CustomForms> as an element of <ObjectGroup>, so an ObjectGroup XML with custom forms would not validate. This fix adds <CustomForms> as an element of <ObjectGroup> to waveset.dtd. (ID-17812)
Provisioning
- If multiple resources fail to provision on the initial provisioning attempt and they have different retry periods, all resources where provisioning failed are now retried as specified by retry period and retry count. Previously, only the resources with the shortest retry period were actually retried. (ID-18190)
Reports
- You can now concurrently execute Reports that have the same Task name by clicking the Allow Reports to Execute Concurrently? checkbox on the Report page. (ID-14631)
- When editing a report, the report can now be executed with the Run button without the side effect of saving the report changes automatically. Use the Save button to save the changes to a report. (ID-17212)
- Some html email reports now correctly contain non-null column headings (Empty links in these columns have been removed). (ID-17369)
- Audit Log reports show all relevant records when a date range is selected for Report Timeline. (ID-17621)
- Group Reports generated for Active Directory servers that contain security groups with an ampersand (&) in their names now render as expected, without an XMLParserException. (ID-17942)
- The Resource User Report, Resource Group Report, and User Access Report (and any custom reports that use com.waveset.report.IndividualUserReport or com.waveset.report.GroupMemberReport) no longer print "No records were found" between report entries. (ID-18049)
- The report viewer now processes the form property refType correctly when a report is edited and then executed with the "Run" button. The refType property in the form tells the viewer to create an ObjectRef with the type specified in the value of the refType property. This ObjectRef is used as the attribute value for the query instead of the object name. (ID-18107)
- The reports that use IndividualUserReport.java (Resource User Report and Detailed User Report) now obtain results correctly when the username field is set to a correct value. (ID-18260)
- The Access Review Summary Report now uses the parInstanceName attribute instead of the parTaskInstanceName attribute in the conditions for obtaining the list of Access Reviews. Also, the report now correctly reports that no records are found when no Access Review objects are selected. (ID-18282)
- The Individual User AuditLog Report now has a help page. (ID-18539)
- Reports with long non-ASCII task names now download with the correct filename. (ID-18550)
- The Recent System Messages report now truncates the data to 128 characters for display in the main report table, producing a more readable report when the message column contains a large amount of data. The details of the report record still contain all the data as before. This fix also applies to any reports that use com.waveset.report.SyslogReportTask as the executor in the TaskDefinition. (ID-18657)
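The ampersand problem behind ID-17942 is a general one: any value copied into XML markup without escaping breaks the document as soon as it contains &, < or >. The following is an added example, not Identity Manager code; the group names are constructed sample data and the three builder functions are hypothetical. It shows the naive concatenation that fails to parse, the same report with escaped attribute values, and the library-serialized form that makes the mistake impossible.

```python
"""Added example: why an '&' in an Active Directory group name breaks naively
built XML, and two ways to build the report so that it always parses."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample data: AD security group names, including an ampersand
# and angle brackets, which are the characters XML treats as markup.
SAMPLE_GROUPS = ["Domain Admins", "R&D Engineers", "Sales <EMEA>"]


def build_report_naive(groups):
    """String concatenation without escaping. Produces malformed XML when a
    name contains &, < or >; a parser rejects it, which is the class of failure
    the XMLParserException in ID-17942 reported."""
    items = "".join('<group name="%s"/>' % g for g in groups)
    return "<report>%s</report>" % items


def build_report_escaped(groups):
    """Escape each attribute value before embedding it in markup. The extra
    entity map also escapes the double quote, since the value sits inside
    a double-quoted attribute."""
    items = "".join('<group name="%s"/>' % escape(g, {'"': "&quot;"})
                    for g in groups)
    return "<report>%s</report>" % items


def build_report_tree(groups):
    """Preferred form: build an element tree and let the library serialize it,
    so escaping is applied automatically and cannot be forgotten."""
    root = ET.Element("report")
    for g in groups:
        ET.SubElement(root, "group", name=g)
    return ET.tostring(root, encoding="unicode")


def parse_group_names(xml_text):
    """Parse a report and return its group names in order, or None when the
    document is not well-formed (the parser raises, as the Java one did)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [g.get("name") for g in root.findall("group")]


if __name__ == "__main__":
    for builder in (build_report_naive, build_report_escaped, build_report_tree):
        print(builder.__name__, "->", parse_group_names(builder(SAMPLE_GROUPS)))
```

Only the naive builder fails, and only once a name contains a markup character; with plain names such as "Domain Admins" all three produce the same result, which is why this kind of bug survives testing until a real directory supplies a name like "R&D Engineers".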
Repository
- When role is configured as a summary attribute in the UserUIConfig object, only three roles will be included in the summary string by default. Use the SummaryAttrrResourceCountLimit attribute in UserUIConfig to change the default value. (ID-13291)
- Identity Manager no longer closes and removes valid connections from the connection pool. Previously, a non-fatal exception could cause Identity Manager to close a working connection. (ID-13719)
- Fixed the NullPointerException (NPE) in Today/Weekly Activity audit report for CLOB log.acctAttrChanges. (ID-17346)
- An Audit Log with a large table size no longer causes a significant performance impact when writing audit events. (ID-18053)
Resources
- The getResourceObjects() method of com.waveset.ui.FormUtil properly returns multi-value attributes for an Active Directory resource when invoked from XPRESS. (ID-11965)
- The skeleton test included with the Resource Extension Facility (REF) kit no longer depends on classes not delivered with the product. Previously, the skeleton test depended on com.waveset.junit.WavesetRunner and com.waveset.junit.WavesetSuite (which were not included with the product), but the test has been refactored to eliminate this dependency. (ID-12370)
- The Resource.getAccountAttributeType(name,mapName) method now functions correctly when the name or mapName attribute is null. (ID-13598)
- When you cancel "Edit Synchronization Policy" for a resource, Identity Manager no longer creates artifacts in the repository and an error no longer occurs for Remedy resources. (ID-14356)
- Identity Manager displays an error message if an invalid group name is specified when updating Solaris NIS accounts. (ID-15841)
- Previously, users of the ExampleSPML2ResourceAdapter had reported that Modify Requests were not executed. Now the SPML v2 Modification Request is processed when the change elements are nested in data elements. (ID-16646)
- Previously, error handling for LDAP Resource Adapters used a number of hardcoded strings and message formats. In this release error messages that originate in exceptions by LDAP-based resource adapters are localized. (ID-16721)
- A possible buffer overrun in the gateway trace module has been fixed. (ID-17093)
- If the Copy Realm Configuration option is set in the Sun Access Manager data store, the admin user for a sub-realm (instead of amAdmin) provisions to that sub-realm. This is because when this option is set, identities technically exist only in the realm or sub-realm in which they are created. (ID-17101)
- There is no single-threaded mode for the 8.0 version of the Identity Manager NDS gateway, so the ExclusiveNDSContext Registry key is no longer used. This eliminates the error that was formerly seen when provisioning GroupWise users through a single-threaded NDS gateway. (ID-17144)
- The LDAP resource adapter no longer causes an IndexOutOfBoundsException during reconciliation. (ID-17454)
- The Scripted Gateway adapter does not support password changes. The adapter now blocks attempts to circumvent this if you add a password account attribute to the schema map. (ID-17533)
- Fixed an issue where turning tracing on for the LDAPResourceAdapterBase class would throw a null pointer exception. (ID-17588)
- Referencing accounts[os400].accountId will no longer return waveset.accountId. It will instead return the correct value for the accountId of the OS400 account. (ID-17632)
- The SAP resource adapter no longer throws a JCO_ERROR_FUNCTION_NOT_FOUND error when the SAP system that it is connecting with does not contain the PASSWORD_FORMAL_CHECK function module. (ID-17665)
- You can now successfully connect to a VMS resource via SSH. If you are upgrading, you must either run update.xml or re-import resourceWizardForms.xml for changes to apply to VMS resource wizard. (ID-17695)
- The Shell Script resource adapter now honors exit codes for Disable, Enable and Rename operations. (ID-17749)
- When shut down properly, Identity Manager Gateway no longer triggers an "abnormal termination" message to appear in Domino 7.x Server Console logs. (ID-17782)
- The UNIX resource adapters have been modified so that they create temporary files with user read/write permissions only. (ID-17835)
- Encrypted passwords for Netware NDS GroupWise accounts are now updated correctly. (ID-18020)
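The change in ID-17835 (temporary files readable and writable by the owning user only) is worth seeing side by side with the pattern it replaces. The following is an added example, not the adapters' own code; the file names, contents and the umask value are constructed for the demonstration. It creates one file the risky way, one the safe way, and reports the resulting permission bits.

```python
"""Added example: temporary files created with a process umask of 022 are
world-readable, while mkstemp() creates them owner-only (0600)."""
import os
import stat
import tempfile


def create_temp_weak():
    """Risky pattern: open() creates the file with mode 0666 masked by the
    process umask. Under the common default umask of 022 that yields 0644,
    so every local user can read the contents. The umask is pinned here only
    to make the example deterministic."""
    path = os.path.join(tempfile.gettempdir(), "idm-weak-%d.tmp" % os.getpid())
    if os.path.exists(path):          # a pre-existing file keeps its old mode
        os.remove(path)
    old_umask = os.umask(0o022)
    try:
        with open(path, "w") as fh:
            fh.write("constructed sample: sensitive provisioning data\n")
    finally:
        os.umask(old_umask)
    return path


def create_temp_private():
    """Safe pattern: mkstemp() creates the file with O_CREAT|O_EXCL and mode
    0600 (a umask can only remove bits, never add them) and hands back an
    already-open descriptor, so nothing can swap the path between creation
    and use."""
    fd, path = tempfile.mkstemp(prefix="idm-private-", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write("constructed sample: sensitive provisioning data\n")
    return path


def permission_bits(path):
    """Return only the permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private_to_owner(path):
    """True when no group or other permission bits are set."""
    return permission_bits(path) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def cleanup(path):
    """Remove a file created above; returns True if it was removed."""
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


if __name__ == "__main__":
    for maker in (create_temp_weak, create_temp_private):
        p = maker()
        print("%-20s mode=%04o private=%s" % (maker.__name__, permission_bits(p),
                                              is_private_to_owner(p)))
        cleanup(p)
```

The check function is the part a reviewer can reuse: run it over the directory an adapter writes to and any file that is not private to its owner is a finding. The expected modes assume a POSIX file system; on Windows the permission bits reported by os.stat do not carry the same meaning.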
Roles
- Rules used to calculate resource attributes from roles are no longer applied when a user logs into the End User page. (ID-13338)
- Depending on which UI is logged into, all possible work item types that can be delegated now appear in the drop down list when delegation is being configured. In the Administrator UI, the delegation drop down no longer filters the work item types that appear, so all possible work item types that can be delegated are now listed. In the end user UI, only the five basic work item types are listed in the drop down list. (ID-18496)
Security
- A user must now have the appropriate rights to delete another user's account, otherwise an exception will be thrown and the account deletion will be prevented. In addition, an audit record containing the details of the attempted deletion will be logged. (ID-15552)
- Setting a correlation rule with X509 Login Module will no longer cause an error during login. (ID-17128)
- This release includes fixes for several cross-site scripting (XSS) bugs. (ID-17830, 18015)
Server
- Timestamps are no longer ambiguous and now use timezone specifications like GMT +/- <num>. (ID-8297)
- The default LocalFiles repository now works under GlassFish. (ID-15589)
- A problem that was causing repository deadlocks during end-user approvals and administrator edit operations has been resolved. (ID-16926)
- Application servers no longer log a warning message if the Character Encoding is set after calling getReader(). (ID-17900)
- A user view no longer contains work items for the subject obtaining the view if the subject is not the user in the view. (ID-18430)
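The timestamp change in ID-8297 matters most to anyone correlating audit records: a wall-clock time without an offset is ambiguous for the hour that repeats when clocks fall back, so two events can carry identical stamps while being an hour apart. The following is an added example, not Identity Manager code; the two audit events, their offsets and the formatter names are constructed for the demonstration. It shows that the offset-less format cannot order the events while the offset-bearing format can.

```python
"""Added example: ordering audit events stamped with and without a UTC offset.
Two constructed events share the local wall-clock time 01:30:00 on a
fall-back night, one before and one after the clocks changed."""
from datetime import datetime, timedelta, timezone

# Constructed sample offsets (US Eastern before and after the fall-back).
EDT = timezone(timedelta(hours=-4), "EDT")
EST = timezone(timedelta(hours=-5), "EST")

# Constructed sample events: (action, instant). The login happened first
# (01:30 EDT = 05:30Z); the modify happened an hour later (01:30 EST = 06:30Z).
EVENTS = [
    ("modify user jdoe", datetime(2007, 11, 4, 1, 30, 0, tzinfo=EST)),
    ("login jdoe", datetime(2007, 11, 4, 1, 30, 0, tzinfo=EDT)),
]


def format_ambiguous(dt):
    """Wall-clock time only; the offset is thrown away."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def format_unambiguous(dt):
    """ISO 8601 with a numeric UTC offset, e.g. 2007-11-04 01:30:00-05:00."""
    return dt.isoformat(sep=" ")


def to_utc(stamp_text):
    """Parse a stamp back; return the UTC instant, or None if the text carries
    no offset and therefore names no single instant."""
    dt = datetime.fromisoformat(stamp_text)
    if dt.tzinfo is None:
        return None
    return dt.astimezone(timezone.utc)


def ordered_actions(events, formatter):
    """Write every event with the given formatter, read the text back and
    return the actions in chronological order. Returns None if any stamp
    cannot be resolved to an instant, rather than guessing an order."""
    resolved = []
    for action, dt in events:
        instant = to_utc(formatter(dt))
        if instant is None:
            return None
        resolved.append((instant, action))
    return [action for _, action in sorted(resolved)]


if __name__ == "__main__":
    print("without offset:", ordered_actions(EVENTS, format_ambiguous))
    print("with offset:   ", ordered_actions(EVENTS, format_unambiguous))
```

Returning None rather than a best-effort order is deliberate: a timeline that silently places the modify before the login would mislead an investigation, whereas a refusal is visible and prompts the analyst to find the offset elsewhere.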
Service Provider
- If a user authenticates to a single sign-on (SSO) realm configured for use with a Service Provider Edition instance, but the user does not exist in the Server Provider Edition instance, the user will be presented with an appropriate error message. Previously, the user would be presented with the Service Provider Edition home page, but would be unable to perform any of the listed actions. (ID-13194)
- When Service Provider is configured, the export all command of lh console no longer fails with java.lang.UnsupportedOperationException. In the debug page, IDMXUser is no longer displayed as an option for List Objects. (ID-16141)
- Previously, two login audit events would be submitted when a service provider user logged on to the service provider end-user interface. This has been fixed so that only a single audit event is submitted. (ID-16742)
- Prior to this release, audit records did not track attribute-level changes for Service Provider users. Identity Manager now audits changes to Service Provider attributes, the name of the server where the transaction was executed, and the login interface name. (ID-16837)
Note that unlike Identity Manager, Service Provider does not record the old values for attribute changes, only attempted and new values. Service Provider does not record changes to resource assignments and authentication answers either.
- Previously, when tracked events were enabled, the task table in the repository would grow very large. This problem has been corrected. (ID-16923)
- Service Provider Service Provisioning Markup Language (SPML) modify requests no longer delete extended attributes that have not been specified in the request. (ID-17145)
- Transaction data in memory and in the persistent data store are now correctly synchronized. (ID-17384)
Synchronization
- Previously, Identity Manager logged an error when you deleted a non-existent user but did not create an audit event for reporting. Now, Identity Manager logs a delete operation of a non-existent user accordingly. Note that this log is available in the system logs and the audit log reports in versions 6.0 SP4 and later. (ID-13284)
- The AD Sync Recovery Collector Task works correctly on Global Catalog servers. (ID-17851)
- When a Global Catalog is used for Active Sync against an Active Directory resource, each hostname in the AD Sync Recovery Collector Task, against that Active Directory resource, is now considered to be a Global Catalog. (ID-18597)
Workflow
- Sunrise date now properly calculates the past time. (ID-11247)
- Fixed a java.lang.NullPointerException error in the post-reconciliation workflow. (ID-16893)
- The sample post-reconcile workflow, Notify Reconcile Finish, has been changed to remove the waitForCompletion option from the call to getView on the ReconcileStatus view. (ID-17151) Customers should also remove the waitForCompletion option in any post-reconcile workflows. This option is never needed from within the workflows, because the reconciler flushes results prior to launching the workflow. If a post-reconcile workflow does set waitForCompletion=true, the workflow will hang.
Additional Defects Fixed
17111, 17242, 17269, 17414, 17668, 18555