Release Notes for Oracle Identity Analytics
11g Release 1, Patch Set 1 (220.127.116.11)
This document contains release notes for Oracle Identity Analytics 11g Release 1 Patch Set 1 (Release 18.104.22.168). It contains the following sections:
Oracle Identity Analytics has dropped support for the MySQL, IBM DB2, and Microsoft SQL Server database servers.
Oracle Identity Analytics has dropped support for IBM Tivoli Identity Manager and CA eTrust Identity Access Management.
Oracle Identity Analytics no longer supports authenticating with LDAP. OIA has also dropped support for Intellitactics Security Manager (ISM).
Oracle Identity Analytics has dropped support for the JBoss and the GlassFish application servers, including both the Oracle GlassFish Application Server and the GlassFish Server Open Source Edition.
The following third-party files are no longer included with Oracle Identity Analytics. Third-party files may be downloaded separately and included in the rbacx.war deployment file during installation.
CloverETL - OIA uses CloverETL for data import and export transformations.
jxl-2.5.9.jar - OIA uses the Java-Excel API to import data from an Excel spreadsheet file.
wsdl4j-1.6.1.jar - Oracle Identity Analytics Web Services requires the use of this JAR file.
For details, see the Installation and Upgrade Guide for Oracle Identity Analytics.
The Workflow page displays three approver fields that are populated with data if OIA has been integrated with the CA Identity Manager provisioning server. This page is now hidden by default. To enable the Workflow tab, see the steps in the System Integrator's Guide for Oracle Identity Analytics, "Customizing the Oracle Identity Analytics User Interface" chapter, "Enabling Hidden Pages in the UI" section.
The Exclusion Roles page lists roles that are in conflict with one another from a segregation of duties standpoint. This page is now hidden by default. To enable the Exclusion Roles tab, see the steps in the System Integrator's Guide for Oracle Identity Analytics, "Customizing the Oracle Identity Analytics User Interface" chapter, "Enabling Hidden Pages in the UI" section.
There has been no change to the Exclusion Policies page in this release.
Upon logging in to Oracle Identity Analytics for the first time, the system now automatically expires the default password for the rbacxadmin account and prompts the administrator to create a new password.
The Business Administrator's Guide and the System Administrator's Guide have been combined into a single Administrator's Guide. Part one of the Administrator's Guide contains information for business administrators, and part two contains information for system administrators.
The product documentation for this release is not posted to a wiki. It is available in PDF and HTML formats.
The following features and enhancements were added in this release.
A number of risk properties have been added to Identity Warehouse objects. You can directly assign high, medium, and low risk levels to roles, resources, and resource-attribute values (entitlements), as well as to certain predefined risk factors. A risk-aggregation job calculates Risk Summaries for the remaining higher-order data objects that are needed to support the OIA Identity Certification feature. These objects include every User, User-Role assignment, Account, and Account-Attribute value in the Identity Warehouse. During identity certification, reviewers can now search for certification items based on a calculated Risk-Summary value and other risk properties.
For detailed information about risk, see the Administrator's Guide for Oracle Identity Analytics, "Oracle Identity Analytics Identity Warehouse" chapter, "Understanding How Risk Summaries are Calculated."
A new Filter-data-by feature has been added to Identity Certification pages. The Filter-data-by menu allows certifiers to filter items within a certification by various criteria, such as risk level, certification status, and so on. Certifiers who have a large number of records to review can quickly create expressions with multiple criteria to find records of interest.
The Filter-data-by feature is documented in the User's Guide for Oracle Identity Analytics, "Identity Certification" chapter, "Understanding the Certification Pages."
When completing a Role Entitlement Certification, role owners can now review a list of users who have the role assigned and then take action to certify or revoke each user's role access.
For details, see the User's Guide for Oracle Identity Analytics, "Identity Certification" chapter, "Understanding the Certification Pages," "Role Entitlement Certification Help," "Role Entitlement Certification - Members Detail Page."
It is now possible to assign multiple certifiers to the same certification. Certifiers can review the same certification simultaneously.
Oracle Identity Analytics can be configured to capture provisioning and assignment information about the roles, accounts, and entitlements that are assigned to a user. This information needs to originate from authoritative sources, such as Oracle Identity Manager and file-based imports. Provisioning method categories include Reconciliation from target system, Direct provisioning by administrator, Access request, Provisioned by access policy, and Rule-based role-assignment. Assign a high, medium, or low risk value to each provisioning method category. For example, you might configure a risk level of High for objects that are provisioned directly by an administrator, and a risk level of Low for objects that are provisioned based on Policies that are tied to Roles. The OIA risk-aggregation job processes these risk levels when it calculates Risk Summaries for objects in the Identity Warehouse.
A "Disallow self-certification" option has been added to the Identity Certification Settings page. Select this option to prevent managers from being able to certify their own access. The certification is assigned to an alternate reviewer designated by the certification creator instead.
For more information, see the Administrator's Guide for Oracle Identity Analytics, "Oracle Identity Analytics Configuration and Settings" chapter, "Identity Certification Configuration" section.
Note: By default, self-certification is allowed for Oracle Identity Analytics customers who upgrade to version 22.214.171.124.0. Self-certification is not considered a best practice, however, and upgrade customers are encouraged to select the Disallow Self-Certification option.
A "Prevent Self-Remediation" option has been added to the Identity Audit configuration page. Select this option to prevent users from being able to remediate their own violations if their attributes, roles, or entitlements are causing a segregation of duties violation.
For more information, see the Administrator's Guide for Oracle Identity Analytics, "Oracle Identity Analytics Configuration and Settings" chapter, "Identity Audit Configuration" section.
Note: By default, self-remediation is allowed for Oracle Identity Analytics customers who upgrade to version 126.96.36.199.0. Self-remediation is not considered a best practice, however, and upgrade customers are encouraged to select the Prevent Self-Remediation option.
This section describes known issues in Oracle Identity Analytics Release 188.8.131.52.
To fix this issue, clean out the web server's cached directories. Refer to your server's documentation for further instructions.
If a user's browser is set to a language that OIA does not support, for example Arabic (ar-AE), the UI defaults to the language configured in the server's locale settings instead of English.
To work around this issue, change the server's locale to output English.
When an exported .csv file is opened in Microsoft Excel, the multibyte characters become unrecognizable. This is because Oracle Identity Analytics uses a UTF-8 encoding for exported .csv files, and Microsoft Excel cannot properly open UTF-8 encoded files.
To work around this issue, either open the .csv file in Oracle Open Office Calc, or, if using Excel, follow these steps:
.csv file to a local folder.
Open Microsoft Excel and from the menu choose Data > Import CSV file.
65001: Unicode (UTF-8).
WebSphere honors the server locale when outputting exception error text. When this text is included in an exported CSV file, the text is rendered as garbage characters if the server locale is not UTF-8.
Currently there is not a workaround for this issue.
Report elements such as labels, column headers, and the report name are displayed in English instead of being displayed in the configured local language.
Currently there is not a workaround for this issue.
To work around this issue, export your report to a .csv file or .xls file and format the report in a desktop application that is capable of editing these file types (for example, Oracle Open Office Calc or Microsoft Excel). From your desktop application, save the file as a PDF.
If your environment includes any incomplete certifications, enable the Identity Certification Migration Job (idcMigrationJob) after completing the upgrade process. This job updates active certification data to be compatible with version 184.108.40.206. This job only needs to run successfully one time in your environment, after which it can be disabled.
For more information, see the following topics in the Installation and Upgrade Guide for Oracle Identity Analytics:
"Enable the Identity Certification Migration Job in a Test Environment," located in the "Upgrading Oracle Identity Analytics in a Test Environment" chapter
"Enable the Identity Certification Migration Job in a Production Environment," located in the "Upgrading Oracle Identity Analytics in a Production Environment" chapter
This issue affects Safari 5 and Internet Explorer 8. To work around this issue, open the browser security options, edit the Local Intranet Group settings, and add either the host computer or the domain the host computer is a member of.
Clicking a More-Info link during the certification process will open either a Details pop-up or a Meta-Information pop-up that displays additional detail about roles, accounts, attributes, policies, and so on. Some pop-ups show snapshot data (that is, the data details as they existed at the moment that the Identity Certification was created), while others show real-time data (the data details as they exist in the Identity Warehouse at the moment that the More-Info link is clicked). Displaying real-time data in a pop-up may be confusing to users completing identity certifications (which use snapshot data) because the real-time data and snapshot data may not match.
The following pop-ups show snapshot data:
On the "Data Owner Certification - Summary" page, the Attribute-Values Detail pop-up, and the Value pop-up (which is displayed if there is a Glossary value)
On the "User Entitlement Certification - Entitlements Detail" page, the Value pop-up (which is displayed if there is a Glossary value)
On the "Role Entitlement Certification - Policies Detail" page, the Value pop-up (which is displayed if there is a Glossary value)
On the "Resource Entitlement Certification - Summary" page, the resource details pop-up (which displays if you click a resource)
On the "Resource Entitlement Certification - Accounts and Entitlements Detail" page, the Value pop-up (which is displayed if there is a Glossary value)
All other Identity Certification pop-ups show real-time data.
When you open the "Attribute" meta-information pop-up from the User Entitlement Certification - Entitlements Detail page, it displays a blank Risk Summary value. To work around this issue, view the Risk Summary value on the Entitlements Detail page.
On the Resource Entitlement Certification Summary page, the resource name and resource type column labels are switched. The values listed under resource name are actually the resource types and the values listed under resource type are actually the resource names.
On the Role Mining page, when you click Run to start a role mining task, OIA does not display a message informing you that the role mining task has started. To work around this issue, click View Results to view the task status.
When one or more roles are assigned or removed from the Identity Warehouse > Users > Roles page, OIA does not display a message informing you that the approval workflow process has started. The lack of immediate feedback may be confusing to new users.
When you add a role to a policy and click Save, OIA displays a message that says "role was requested for a policy," but the message does not tell the end-user what to do next. End-users need to click "Send to approval" to add the role to the policy.
OIA users who are limited to the "Configure Resource Type Definitions" system privilege can see the Administration > Settings option on the main menu even though the menu is empty. Because these users do not have the required access privileges to view the menu, the Settings option should be hidden from view.
When searching for users prior to running or previewing a role-management rule, OIA returns both active users and inactive users, even though a role-management rule can only assign roles to active users.
In a clustered environment, if an import is triggered by another member of the cluster, the Status column on the Administration > Import/Export > Completed Jobs page will not show the total number of imported accounts.
Some Identity Certification pages may have an excessive amount of vertical white space between the "Actions" button bar and the table of certification data. This is a cosmetic defect only.
On the "Identity Warehouse > Users > Account" page, the Cancel button slightly overlaps the footer menu when viewed in Internet Explorer 8. This is a cosmetic defect only.
When you click a Glossary value link in Internet Explorer 9, two of the image pieces that make up the "Word Balloon" image are not spaced properly. This is a cosmetic defect only. The Glossary information is still legible.
On the "My Requests > Pending Requests" page, the buttons are askew by one pixel when viewed in Safari 5.0. This is only a cosmetic defect.
Because decommissioned roles cannot be edited, the Add and Remove buttons should be grayed out in the user interface. In Internet Explorer the buttons are grayed out; in Firefox and Safari they are not. The button functionality is properly disabled regardless of which browser is used.
If you have not selected an attribute on the Resource > Data Management page, Firefox and Google Chrome do not gray out the Search button even though the button is not active. Internet Explorer properly disables and grays out the Search button if you have not selected an attribute.
If using Chrome or Safari, the text "[object HTMLDivElement]" briefly displays at the top of the page when you navigate to the Identity Warehouse > Business Structures > Rules page.
Certain feedback messages that normally display in response to user actions are not displaying in Firefox, Safari, and Google Chrome. The affected feedback messages include the message that displays upon saving a role that you edited, and the message that displays when creating or sending a role-management rule for approval. These messages display properly in Internet Explorer.
This issue is limited to Safari 5.0.5 on Windows Server 2008. The drop-down menus still function properly, but the drop-down button is blank.
In Chrome and Safari, part of the menu on the Identity Warehouse > Roles page overflows the page boundary instead of wrapping when the window is re-sized to a smaller size. This is only a cosmetic defect.
The Oracle Identity Analytics documentation library includes the following titles:
Installation and Upgrade Guide for Oracle Identity Analytics
User's Guide for Oracle Identity Analytics
Administrator's Guide for Oracle Identity Analytics
System Integrator's Guide for Oracle Identity Analytics
API Guide for Oracle Identity Analytics
Documentation for other Oracle Identity and Access Management products (version 220.127.116.11.0) can be found here:
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at
Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Oracle Fusion Middleware Release Notes for Oracle Identity Analytics 11g Release 1, Patch Set 1 (18.104.22.168)
Copyright © 2010, 2011 Oracle and/or its affiliates. All rights reserved.