Identity Manager 7.0 Features

What’s New in This Release

Sun Identity Manager 7.0 merges three products: Identity Manager, Identity Manager SPE, and Identity Auditor into the single product Sun Java System Identity Manager 7.0. This integrated solution gives a consistent and scalable means to apply identity-based controls across provisioning and auditing processes.

Other new features include:

Enhanced Auditor features, including

Support for periodic access review

Summary and detailed Separation of Duty reports

Enhanced interface with single-click access to remediation and access review work items

Deployment-ready User Interface, including

Single-click access to work items

A tabbed panel for easy navigation and customization

Service Provider updates, including

Directory-based delegated administration

Support for workflow callouts and notifications

A new Identity Manager Integrated Development Environment built on NetBeans

Additional features, including

Support for SPML 2.0

Metrics reporting with tracked events

The Features Summary section provides additional information about new features provided in Identity Manager 7.0.

Features Summary

This section summarizes the new features in Identity Manager 7.0.

Installation and Update

Identity Manager now supports Oracle Database 10g Release2® as a repository. (ID-12908)

UserEntitlement objects are now stored in their own table in the database. (ID-13612)

For an upgrade to an existing Identity Manager installation, the appropriate upgradeto70.* database script must be run before Identity Manager 7.0 is upgraded. These scripts add the database tables needed to support the Identity Manager Periodic Access Review objects.

The license structure has been removed from the product. An upgrade to Identity Manager 7.0 will be fully functional for all products. There are no license panels or command-line options for the license. If you attempt to license the product, you will get the “command not found” error. (ID-13632 13501)

Administrator and User Interfaces

The Identity Attributes page now displays a Passwords section, which describes the status of password generation with respect to the Identity attributes. You can configure Identity Manager to assign passwords to new users based on a default value, a rule, or by assigning an Identity System Account Policy that generates passwords. (ID-10274, 12560)

The treetable component now supports adjustable columns. You can now set column widths in the user list and resource list tables via CSS to a fixed pixel or percentage value. You can also resize the columns using the mouse by clicking and dragging the right border of the column header. (ID-11474)

The account and resource tree tables now allow sorting of their contents. (ID-12086)

The menu hierarchy for the end-user pages is now customizable. (ID-12415)

Identity Manager now includes a default Manager attribute, which provides support for a built manager-employee relationship. This information is stored on the Identity Manager user object. (ID-12416)

All page-level error and informational messages are now displayed at the top of the page in a box with an error or information icon. Previously, these messages were displayed with either red text for errors or with a small icon for informational messages. (ID-12625)

A user can now request that access be granted or removed for roles and resources memberships. A manager can also perform this function for a subordinate employee. (ID-13018)

You can now change the polarity of the alternating gray and white row colors by adding the rowPolarity property to EditForm components in XPRESS. A value of true is the default behavior. A value of false inverts the polarity and gives the first form field a white background. (ID-13971)

The User Interface now supports a Self Discovery link. The “Inform Identity system of other accounts” link has been moved from the end-user home page to the new Self Discovery tab in the navigation bar under Profile. (ID-14698)

The following table lists how tabs and subtabs have been rearranged in this release:


Tabs in Previous Release		Tabs in This Release		Comments
Approvals		Work Items >	Approvals
			My Work Items	This new tab displays a summary of all work items and provides a launching point for resolving work items.
			Attestations	This new tab supports the Periodic Access Review feature; allows users to resolve attestation work items
			Other	This new tab allows users to resolve assigned work items other than Approvals, Attestations, or Remediations
			History	This tab displays a report of all approvals, rejections, mitigations, and remediations that have been performed by the user
			Delegate My Work Items	This new tab enables delegation of all work items to another user.
		Compliance >	Manage Policies Manage Access Scans Access Review	These new tabs are used to set up and manage audit policies and access reviews.
Configure >	Reports	Reports >	Configure	This tab change more closely aligns the reporting features.
Configure >	Managed Resources	Resources >	Configure Types	This tab change more closely aligns this function with resources.
Configure >	Admin Roles Capabilities Certificates Login Policies	Security >	Admin Roles Capabilities Certificates Login Policies	The Security tab is new in this release to realign the features related to secure account access and privileges.
Configure >	Meta View	Meta View >	Identity Attributes Identity Events	This tab enables you to directly edit identity attributes and events.
Risk Analysis >	Run Reports Manage Reports	Reports >	Run Risk Analysis View Risk Analysis	This tab change aligns these reports with other reports.
Service Provider Edition	Dashboard Graphs View Dashboards	Reports >	Dashboard Graphs View Dashboards	These new subtabs under Reports represent new features merged from the Service Provider Edition that enable viewing and grouping of graphical reports.
Service Provider Edition		Accounts	Manage Service Provider Users	This tab enables you to manage service provider user types in the Identity Manager interface.
Service Provider Edition >	Search Transactions	Server Tasks	Service Provider Transactions	The Search Transactions tab has been moved from the Service Provider tab in Service Provider Edition to the Service Provider Transactions tab under the Server Tasks tab
Tasks		Server Tasks		This tab is renamed to better reflect that tasks are processes to be run on the server.
Tab changes from Identity Auditor Interface to Identity Manager 7.0 Interface
Compliance >	Users Policy View Resource View Organization View	Accounts	User Actions menu	All user actions are performed from the Accounts tab in Identity Manager. The Policy View, Resource View and Organization View tabs have been removed; their corresponding reports are still available on Reports tab. The "View Compliance Violation Log" and "View Compliance Status" actions are now available in the User Actions.
Controls >	Manage Policies	Compliance >	Manage Policies
Configure >	Policies	Accounts >	User Actions menu	Edit User Audit Policies Edit Organization Audit Policies
Remediations>	Remediations Pending Completed	Work Items >	Remediations History	Pending and Completed tabs have been removed. Remediations tab displays pending remediations. History tab displays completed remediation work items.
Reports >	Run Reports Manage Reports	Reports >	Run Reports View Reports	All auditor reports are available from the Reports tab by choosing the Auditor Reports type.
Tasks		Server Tasks

Auditing

Identity Manager and Identity Manager SPE have merged their two auditing frameworks, with the following changes: (ID-13148)

Identity Manager and Identity Manager SPE no longer have separate audit logging frameworks.

The audit logging interfaces of Identity Manager SPE have been deprecated.

The unified audit logging service allows third parties to develop custom audit publishers to handle Identity Manager as well as Identity Manager SPE related audit events.

Javadoc-style documentation of the new public interfaces is available in the reference kit.

Sample code demonstrating the pluggable features of the audit logging framework has been added to the reference kit.

Auditor

Periodic Access Review provides the facility to automate the gathering and attestation to user's current access rights to critical systems and applications. This feature allows records to be created that contain the current access a user has to one or more systems and applications. Each of these records can be automatically attested by policy rules, or routed to the appropriate person for manual attestation. (ID-9719)

Access Review is typically performed on a regular basis to ensure that users have not accrued excessive access to critical systems. By keeping user access data for multiple systems and applications in a single record, the reviewers have a complete understanding of the user, which enhances their ability to make an accurate judgement. The automated process is supported by tracking tools that indicate how much work the review has completed, how much is left, and who is responsible for the remaining work. The review process is integrated with traditional audit policy scanning such that reviews can perform both compliance checking (audit policy scanning) and access review (reporting and attestation).

Access Review can be customized to provide additional automation, including:

Rule-based determination if a user should be attested or not

Rule-based determination if a user can be automatically attested/rejected

Rule-based determination for who should perform manual attestation on a specific user

Workflow-based manual attestation, including forwarding, delegation and escalation

Attestors do not need to be IdM administrators - any IdM account will work

Separation of Duties reporting is also new to Auditor, providing the means to capture specific access conflicts that allow a user to bypass internal safeguards. (ID-12716) These conflicts are most serious in ERP and Financial systems where a conflict violation can result in financial errors. Auditor captures such conflicts with a violation record that indicates the user, system/application, and specific conflict including exact account settings that infer the conflict. Auditor Separation of Duties can detect conflicts with account settings on a single system/application or across multiple systems.

These conflicts are summarized in a conflict matrix report, with details available as drill-down information behind each cell in the matrix.

Forms

MultiSelect now supports the new displayCase property, which can be set to either “upper” or “lower”. This feature is equivalent to defining a valueMap that maps each of the allowedValues to their uppercase or lowercase equivalents. (ID-8356)

HTML Display Components

The SortingTable component now respects the align, valign, and width properties of the children components that comprise the table when rendering to HTML. An InlineAlert component is also available to display error, warning, success, and informational messages in forms. (ID-12560)

Identity Manager Integrated Development Environment (IDE)

The Identity Manager Integrated Development Environment (Identity Manager IDE) is Java application that enables you to view, customize, and debug Identity Manager objects in your deployment.

Major features of the Identity Manager IDE include:

Integrated Explorer window that allows project, directory-based, or runtime views of a project

Action menus for document modification

Custom editors, including:

Object property sheets and graphical value editors for enumerating XML object properties and editing basic object types, XPRESS, and XML objects without typing XML

Drag and drop palette for adding workflow services, approvals, users and workflow tasks to XML source without typing XML

Registered waveset.dtd definition file that enables syntax highlighting and auto-completion for XML elements and attributes

Integrated debugger for workflows, forms, and rules

Rule tester for verifying standalone and library rules

Form previewer for previewing and troubleshooting forms in an external browser

Checkout View feature allows you to check out, modify, and check in Identity Manager views (such as a user view).

CVS integration

The Identity Manager IDE is a fully integrated NetBeans plugin that was designed to replace Identity Manager’s Business Process Editor (BPE) application. For more information about installing and using the Identity Manager IDE, refer to the chapter titled Using the Identity Manager IDE in Identity Manager Deployment Tools.

Identity Manager SPE

Identity Manager SPE configuration and tracked event data is no longer stored in an LDAP directory server. (ID-12170)

Instead, the Identity Manager SPE components access this data directly from the Identity Manager repository. Therefore, you no longer need to select and export the configuration objects needed by Identity Manager SPE. The Identity Manager installer can be used to update an Identity Manager SPE deployment in place.

If tracked event data is being stored in the Identity Manager SPE configuration directory, it should be exported as XML before the upgrade occurs. After upgrade, the tracked event data can be imported into Identity Manager. Also, after a successful upgrade, you can safely delete the configuration LDAP directory.

Accessing objects through Identity Manager SPE no longer requires a separate type of context. Identity Manager SPE forms no longer need to set the needSpeContext property and refer to this context with :display.speContext. (ID-12171)

Created a public interface to allow customers to invoke custom callouts before provisioning executed and after provisioning has completed. (ID-12173)

Identity Manager SPE now provides better example end-user JSP pages. (ID-12175)

Identity Manager now provides a customizable delegated administration and authorization model accessible both from Identity Manager and Identity Manager SPE User Server. This model leverages directory attributes and does not depend on Identity Manager Organizations and Capabilities. (ID-12176)

You can now run Active Sync and SPE Synchronization on the same Identity Manager server. However, do not run both on the same resource. (ID-12178)

The Identity Manager SPE User XML attribute can now be stored in a compressed format to reduce the SPE user directory footprint. (ID-12186)

Identity Manager SPE transactions can now support configurable user update consistency levels. Existing transaction store databases will need to be modified to add an additional column, userId VARCHAR(N) where N is large enough to contain the maximum length expected for a Identity Manager SPE user DN, plus an additional 8 characters. This database change does not occur automatically when running the upgrade scripts. (ID-13830)

MetaView

The new Identity Events feature has been added to the MetaView. This option allows you to define a model for determining when events occur on resources and how to appropriately respond to them. This feature also allows you to detect delete, disable, and enable events either natively on the resource or through the evaluation of a rule if the resource does not support detecting the event.

You can respond to events with any combination of deleting, unassigning, unlinking, enabling, and disabling users and resource accounts. Identity events are applied only during Active Sync. As with identity attributes, these events are applied only if Active Sync is selected as an enabled application for the MetaView. (ID-12561)

In the Administrator interface, the Reports Deleted feature has been added. This feature applies to resource adapters that support Active Sync natively determining whether an account was deleted. (ID-13206)

The MetaView now supports a new option for setting the values of target fields. Multi-valued attributes can also be merged. (ID-13212)

Reports

The results of bulk actions can now be downloaded to a file in CSV format. (ID-9297)

By default, the following reports are automatically scoped to the set of organizations controlled by the logged-in administrator, unless explicitly overridden by selecting one or more organizations against which the report should be run: Admin Role Summary, Administrator Summary, Role Summary, User Questions Summary, and User Summary. The org scope component has also been changed from a single select to a multi-select component. (ID-12116)

Identity Manager now supports monitoring a variety of components using Java Management Extensions (JMX). (ID-12405)

New reports now support manager-employee relationships: My Direct Reports Summary, My Direct Employee Summary, My Direct and Indirect Employee Summary, and My Direct Reports Individual. (ID-12416, ID-12689)

A CSV report encoded with the UTF-8 character set and multibyte text can now be customized so it can be displayed in applications that do not support UTF-8 encoding, such as Microsoft Excel. (ID-13574)

Repository

An administrator can disable an Identity Manager repository’s automatic internal connection pooling by setting the connectionPoolDisable attribute of the RepositoryConfiguration object to true. The older method of setting com.waveset.repository.ConnectionPoolDisable=true is now deprecated. (ID-10924)

Identity Manager 7.0 removes the Repository method signature #getLastMod(Type, long). Identity Manager 5.0 SP2 deprecated this method signature in favor of #getLastMod(Type). Custom applications should not refer to this method or refer directly to any class or interface in the com.waveset.repository package. (ID-11761)

The default JDBC driver for Microsoft SQL Server is now the Microsoft SQL Server 2005 JDBC Driver. This driver replaces the older Microsoft SQL Server 2000 JDBC Driver. This new default driver changes the JDBC driver class name and the format of SQL Server database URLs. It also removes the requirement to append “SelectMethod=Cursor” to such URLs. (ID-14136)

Resources

Identity Manager 7.0 includes support for the following resources:

Scripted JDBC (ID-7540)

BridgeStream SmartRoles (ID-12262)

Realm support in Sun Java System Access Manager (ID-12414)

The SecurId adapters can now retrieve tokens by status (for example, all LOST tokens or all ENABLED tokens). (ID-7646)

Support is added for OS/400 v4r5, v5r2, v5r3, and v5r4 (5.2, 5.3, and 5.4). (ID-9928, 13122)

Added multiple attributes to the Oracle ERP adapter to support auditing features. (ID-11725)

The RACF adapter now includes search filter support for listAllObjects. (ID-10895)

The SAP HR Active Sync adapter now supports mySAP ERP ECC 5.0 (SAP 5.0). (ID-12408)

The SAP and SAPHR adapters now provide three new resource attributes that provide the parameters for a retry of an SAP operation when a network failure occurs: (ID-12579)

SAP BAPI Retry Count: number of times to retry the operation.

SAP Connection Retry Count: number of times to attempt to re-connect to the SAP server.

SAP Connection Retry Wait Time: number of milliseconds to wait before attempting to re-connect to the SAP server.

The Oracle ERP adapter now supports set of books (SOB) functionality. (ID-12715)

A VLV Sort is now configurable. The VLV sort attribute (vlvSortAttribute) has been added the to the LDAP resource. If the attribute is set, that value is used for the sort, but if it is not set, the “uid” value is used. (ID-13321)

Roles

Roles and resource groups now provide the ability, both singly and in combination, to assign users multiple accounts on a resource. (ID-6684)

Security

Users with approver capabilities can now delegate their future approval requests to one or more users who are not Identity Manager approvers for a specified period of time. Users can delegate from three interfaces: (ID-8485)

End User Main Menu: Delegate Approvals link

Admin Approvals Tab: Delegate My Approvals subtab

Admin Create/Edit/View User: Security section

Server

Identity Manager 7.0 now supports JBoss Application Server. (ID-10620)

Identity Manager 7.0 now provides the capability to create and maintain a large numbers of similar resources. (ID-11325)

SOAP

Identity Manager 7.0 now supports Service Provisioning Markup Language (SPML) version 2.0. (ID-12417)

Workflow

Delegation of work items can now be set up by any user. This option can be configured in both the Admin interface and the new default end-user interface. (ID-14110)

Bugs Fixed in This Release

This section describe the bugs fixed in Identity Manager 7.0.

Installation and Update

Credentials can now be passed to com.waveset.install.UpgradePostProcess. This change facilitates the upgrade process, particularly when the Configurator’s password has been changed and you are performing a manual upgrade without access to a GUI. (ID-13006)

The Auditor Login Interface has been removed. (ID-14481)

Considerations for upgrading include:

Any existing account Policy that has questions defined for the Auditor application will be altered as follows:

If the Policy also has questions defined for the Admin and/or default application, then the questions for the Auditor application will be discarded, and the Admin and/or default questions will be respected instead.

If the Policy has no questions defined for the Admin or the default application, then the questions for the Auditor application will be re-designated as Admin questions.

Any authentication answers for a user defined for the Auditor application will be altered as follows:

If the user also has answers defined for the Admin and/or default application, then the answers for the Auditor application will be discarded.

If the user has no answers defined for the Admin or the default application, then the answers for the Auditor application will be re-designated as Admin answers.

Upgrades from a previous installation that had a Identity Auditor enabled will now see the Auditor organization in the account/organization table. New installations do not have an Auditor organization. (ID-14636)

If you wrote a Audit Policy Rule for Separation of Duties in a previous release that caused you to customize the Conflict Violation Details Form, you will need to save that form before upgrading. (ID-14772)

Administrator and User Interfaces

A meaningful error message is displayed if a user tries to log in while resource the user is defined on is down. (ID-1905)

Messages for errors that are considered fatal can now be displayed with a configured default message, and additional information can be logged to syslog. The UNIX resource adapters have been modified to use this error message display. (ID-5495)

You can now replace the product name string in the browser title bar with a localizable string of your choice. (ID-10905)

The Completed Role Synchronization task no longer displays a message that the task is still executing. The task has also been enhanced with a statistics table. Errors and exceptions are now displayed for the completed task. (ID-11181)

The “Change Answers to Authentication Questions” end-user page now handles a user who does not have authentication questions more gracefully. (ID-11773)

The inbox link for an anonymous user login now points to the new end-user work item list table. (ID-12816)

MultiSelect objects now sort the available values when the noApplet=true and sorted=true properties are set. (ID-12823)

End users no longer get pop-up dialogs when entering or leaving a secure site. (ID-13054)

Forms that display an account password policy summary by resource will now wrap the content within the table. Previously, the summary information would scroll off the right side of the browser window. (ID-13109)

In the sysconfig file, the security.delegation.historyLength parameter now controls the number of previous delegations that are recorded. (ID-13141)

The Admin version of continueLogin.jsp now displays catalog messages correctly. (ID-13193)

A null pointer exception that was thrown when a user canceled an edit to a resource after searching or filtering does not occur now. (ID-13434)

When you create a new role, “Available Resource Groups” no longer appears twice in both the left and right side of the panel. (ID-13573)

Copying an existing resource by renaming the resource and selecting Create versus Rename now correctly duplicates resource facets, such as whether ActiveSync is enabled. (ID-14175)

Account locking and unlocking now works correctly if the account policy in the Service Provider main configuration is not set. Previously, the lock button worked only on the Service Provider account edit page when an account policy was configured for the Service Provider. (ID-14181)

Forms

The sort feature of the SortingTable display class during a manual action no longer causes an error. (ID-12508)

Verification rule messages are now displayed in the locale of the client and not the server. (ID-12780)

Identity Auditor

An Audit Policy can now be configured to scan only a restricted set of resources. (ID-9127)

Indirectly assigned policies can now be viewed. (ID-11886)

UserViewConstants.OP_CALL_VIEW_VALIDATORS can be set for policy checking during provisioning. (ID-12757)

Policy checks during user provisioning operations can be performed in the provisioning thread. Previous behavior always used a separate task to perform the check. If the task behavior had been customized, bypassing the task might cause the customizations not to be used. To fix this problem, set the System Configuration user.view.alwaysUseTask attribute to true, which will force the old behavior. (ID-14086)

Identity Manager SPE

The transaction event timer is not restarted during a transaction. Previously, the transaction processing time in Identity Manager SPE did not include the time spent evaluating the account policy. (ID-14416)

Identity Manager SPE now resumes processing transactions when the service is shutdown ungracefully (for example, the application server exits with an out-of-memory error). (ID-14579)

Localization

Message keys used as authentication questions now display correctly in the results page. (ID-13076)

Mainframe

The RACF adapter no longer searches a large string once for every user retrieved in listAllObjects, which usually results in better performance in this function for a large number of users. (ID-12829)

Reports

Old attribute values are now correct in an audit report. (ID-12287)

The generation of TaskTemplate names that were too long (greater than MAX_NAME_LENGTH) has been corrected. (ID-13790)

Repository

When using Oracle 10g as the repository with a high load (for example, more than 100,000 users), a drop in performance for user creates and modifications can sometimes occur. To restore performance, try updating the statistics for the userobj table with the following SQL statement: (ID-14605)

analyze table waveset.userattr compute statistics;

Resources

The removeDenyGroupsDuringDelete resource attribute for the Domino resource adapter specifies if a user is to be removed from Deny Access Group memberships upon deletion through Identity Manager. Setting this attribute to true will indicate the removal from the groups should be processed. The default value for this attribute is false for backward compatibility. (ID-10466)

The LDAP adapter no longer creates an illegal distinguished name (DN) for a new account. (ID-10951)

The escape method in com.sun.idm.util.ldap.DnUtil can now be used in forms to escape values to be inserted into identity templates of resource adapters with the LDAP DN format. Alternatively, an accountId policy with the “Required LDAP DN format” option checked can be used to validate LDAP distinguished names entering Identity Manager via input such as user input, ActiveSync, and reconciliation.

The normalize method in RFC2253Parser now recognizes and reports an invalid LDAP distinguished name (DN). (ID-10952)

The getNextIndex method of DblBufferIterator no longer accesses size information of the supporting arrays outside the object's synchronization. (ID-11129)

Synchronization status in a clustered environment is improved. (ID-11250)

The isPickListAttribute method within com.waveset.adapter.SiebelResourceAdapter is no longer misidentified as isMVGAttribute in the tracing system. (ID-11471)

The default for the Objectclasses to synchronize Active Sync attribute on LDAP resources now defaults to inetorgperson. (ID-11644)

The maximum number of Flat File Active Sync logs configured on an Active Sync resource are now created correctly. (ID-11848)

The objectClass attribute mapping is no longer required in an LDAP resource schema map for Active Sync to function. Custom resource adapters extending com.waveset.adapter.LDAPResourceAdapter that override both the poll() and getUpdateRows(UpdateRow) methods should be modified to invoke LDAPResourceAdapterBase.ensureObjectClassInSchemaMap() in either method. (ID-11880)

The Domino Resource Adapter now supports setting the “Store ID in a File” option to false as a resource attribute, which disables the creation of the user’s ID file locally on disk. The ID file must still be provided, however, when creating the user. (ID-12139)

Solaris and Linux adapters now return a year on the last login information. (ID-12182)

The Oracle ERP adapter now closes Oracle database cursors. Previously, the adapter failed to close the cursors, which after long periods, resulted in the “ORA-01000: maximum open cursors exceeded” error. (ID-12222)

Errors for locked accounts or users from Active Sync are now logged. (ID-12446)

If a failure occurs with Active Sync because an account or user that should be updated is locked by another process, the account or user that failed is written to syslog, which allows you to re-run the transaction when the account is not locked.

For the Domino Resource Adapter, concurrent updates of HTTPPassword with several users with the NSFNoteComputeWithForm() API call no longer result in a “-551” gateway error. (ID-12466)

Gateway crashes no longer occur for customers using APIs directly without going through Identity Manager. (ID-12481)

The Flat File Active Sync adapter now provides a warning message in the Active Sync log (if enabled) whenever an error occurs preventing a diff action for synchronization. (ID-12484)

The terminal emulation used to create a Natural resource adapter account has been modified so that an 8-character user name does not use a tab to select the Copy Links attribute. (ID-12503)

Modifying the AttrParse objects do not require a restart for the new values to take effect. (ID-12516)

The Siteminder LDAP adapter now performs the following operations correctly, even when the Siteminder user is locked due to failed login attempts. (ID-12824)

Enable

Disable

Expire password (with enable/disable)

Unexpire password (with enable/disable)

Changing LDAP group membership now uses single adds and removes instead of rewriting the entire group (that is, replacing the entire uniqueMember attribute). (ID-13035)

Identity Manager now clears Admin privileges, if any, before attempting to delete a Secure ID user. (ID-13053)

A cursor leak in the Oracle table adapter (DatabaseTableResourceAdapter) has been fixed. (ID-13111)

The auditorObject complex attribute syntax for the Oracle ERP resource has been modified to include a namespace to make it easier to fetch information from the GenericObject. The syntax of the attribute now includes a top-level “auditorResps” that contains a list of responsibility objects. (ID-13302)

Performance improvements have been made to AttrParse. Normal parsing no longer throws and catches an exception for every character in a parsed buffer. (ID-13384)

The SecurID for UNIX adapter now performs UTF-8 character encoding and decoding when interoperating with RSA. (ID-13451)

When creating account on a Windows NT resource through the Windows NT resource adapter, the following error message is no longer displayed in the Create user result page: “Error requiring password: put_PasswordRequired(): 0X80004005:E_FAIL”. (ID-13618)

The Active Directory PasswordNeverExpires attribute can now be set during an update. (ID-13710)

Identity Manager 7.0 server now notifies waiting threads by calling notify after removing a connection over the gateway. (ID-14044)

Security

A user who has “Organization Administrator” capability for an organization can no longer create organizations in other organizations, even if that user has “Account Administrator” and “Role Administrator” capabilities. (ID-10235)

Password generation now works correctly for passwords that do not follow a policy. (ID-12275)

A password expiration warning message is now displayed for the Admin interface. (ID-13236)

Approver capability no longer has rights to Remediation WorkItems. (ID-14163)

For pre-Identity Manager 7.0 installations, Approver capability has full rights WorkItem. RemediationWorkItem and AttesationWorkItem authTypes are extended from WorkItem, so therefore Approver has full rights to RemediationWorkItems, and possible to other users’ Attestations.

This problem is fixed in new Identity Manager 7.0 installations and installations upgrading to Identity Manager 7.0. For backward compatibility, pre-Identity Manager 7.0 installations can fix this problem by following these steps:

Any references to Approver capability would need to be changed to the new Approver Administrator. This includes user’s admin group references and any rules or workflows that might assign the Approver capability.

Make sure any workitems getting created in workflows either have a specified authType, or it will default to Approval authType.

Run WorkItemUpdater in update.xml to change any workitems with null authType to have Approval authType (actually flexible to set any authType required). The statements and instructions are in the file but commented out by default.

Users without administrator capabilities can now see roles and resources. (ID-14745)

Previously, roles and resources were not available to users that did not have admin rights to organizations, and a user that selected “Update My Roles” or “Update My Resources” would not see any roles or resources available for selection.

Server

TaskInstance subobjects, like approvals, are now deleted properly when terminating the task. (ID-3258)

In a form, using <set> within <Expansion> now works correctly. (ID-9617)

The last audit record is no longer missing when a retry fails after a resource is renamed. (ID-9714)

In a clustered environment, a failed login on the end-user pages no longer generates a serialization-related exception. (ID-10556)

A server no longer attempts to detect itself as being non-responsive when it takes long periods of time to process task information. (ID-10920)

IAPI Configuration migrated to IAPI XmlData, which is primarily used by ActiveSync resources to store information about the last processed change. (ID-11266)

Loading update.xml will cause the ResourceUpdater to migrate existing "high water mark" data from the IAPI Configuration object to an XmlData object with a displayed name of SYNC_resourceName, and remove the original Configuration object.

References to “session” server and viewers that were deprecated in the Identity Manager 5.0 SP1 release have been removed. (ID-11873)

Delimiter processing is now suppressed between brackets. Consequently, all characters found within bracket sets will now be treated as either an index or as a filter. Note: there currently isn't a mechanism to escape the closing bracket "]". (ID-12384)

The changelog filename can now contain periods (.) in the prefix. (ID-12470)

Task instance terminations are now audited as Terminate actions instead of Modify actions. (ID-12791)

The performance of the creation of Account objects has been improved, which should also result in the improved performance of reconciliations and provisioning. (ID-13341)

A new server configuration setting under Configure->Servers allows you to set a limit for the maximum number of tasks that a server can run concurrently. (ID-13343)

Workflow

A nested reference to a rule name located in the same library, but not prepended with the library name, can now be resolved, and an Unresolved Rule error does not occur. (ID-10265)

If notification.rediret is used to redirect messages to a file, that file is now written using the emailNotifier.contentCharset, just as the message would, if it were emailed. This allows the file to contain non ISO-8859-1 characters. (ID-10331)

More information is added to a workflow message when an approver is attempting to approve or reject a workitem that has already been approved or rejected. (ID-11045)

The debugger is now enabled by default. For production deployments, it is recommended that you disable the debugger by setting the following system configuration property: “serverSettings.default.debugger.enabled=false”. (ID-14076)

Documentation

With the merging of the Identity Auditor features and Service Provider Edition features into Identity Manager for this release, the following publications have been deprecated:

Identity Auditor Administration

Identity Manager Service Provider Edition Administration Addendum

Identity Manager Audit Logging

These publications have been consolidated with the Identity Manager Administration guide.

Additional Defects Fixed

10475, 11052, 12452, 13434, 14178

Previous Next

Previous Next
Sun Java[TM] System Identity Manager 7.0 Release Notes