Sun Java[TM] System Identity Manager 7.0 Release Notes
Identity Manager 7.0 Features
What’s New in This Release
Sun Identity Manager 7.0 merges three products: Identity Manager, Identity Manager SPE, and Identity Auditor into the single product Sun Java System Identity Manager 7.0. This integrated solution gives a consistent and scalable means to apply identity-based controls across provisioning and auditing processes.
Other new features include:
The Features Summary section provides additional information about new features provided in Identity Manager 7.0.
Features Summary
This section summarizes the new features in Identity Manager 7.0.
Installation and Update
- The license structure has been removed from the product. An upgrade to Identity Manager 7.0 will be fully functional for all products. There are no license panels or command-line options for the license. If you attempt to license the product, you will get the “command not found” error. (ID-13632, 13501)
Administrator and User Interfaces
- The Identity Attributes page now displays a Passwords section, which describes the status of password generation with respect to the Identity attributes. You can configure Identity Manager to assign passwords to new users based on a default value, a rule, or by assigning an Identity System Account Policy that generates passwords. (ID-10274, 12560)
- The treetable component now supports adjustable columns. You can now set column widths in the user list and resource list tables via CSS to a fixed pixel or percentage value. You can also resize the columns using the mouse by clicking and dragging the right border of the column header. (ID-11474)
- The account and resource tree tables now allow sorting of their contents. (ID-12086)
- The menu hierarchy for the end-user pages is now customizable. (ID-12415)
- Identity Manager now includes a default Manager attribute, which provides support for a built-in manager-employee relationship. This information is stored on the Identity Manager user object. (ID-12416)
- All page-level error and informational messages are now displayed at the top of the page in a box with an error or information icon. Previously, these messages were displayed with either red text for errors or with a small icon for informational messages. (ID-12625)
- A user can now request that access be granted or removed for roles and resources memberships. A manager can also perform this function for a subordinate employee. (ID-13018)
- You can now change the polarity of the alternating gray and white row colors by adding the rowPolarity property to EditForm components in XPRESS. A value of true is the default behavior. A value of false inverts the polarity and gives the first form field a white background. (ID-13971)
- The User Interface now supports a Self Discovery link. The “Inform Identity system of other accounts” link has been moved from the end-user home page to the new Self Discovery tab in the navigation bar under Profile. (ID-14698)
- The following table lists how tabs and subtabs have been rearranged in this release:
Auditing
- Identity Manager and Identity Manager SPE have merged their two auditing frameworks, with the following changes: (ID-13148)
  - Identity Manager and Identity Manager SPE no longer have separate audit logging frameworks.
  - The audit logging interfaces of Identity Manager SPE have been deprecated.
  - The unified audit logging service allows third parties to develop custom audit publishers to handle Identity Manager as well as Identity Manager SPE related audit events.
  - Javadoc-style documentation of the new public interfaces is available in the reference kit.
  - Sample code demonstrating the pluggable features of the audit logging framework has been added to the reference kit.
Auditor
Periodic Access Review provides the facility to automate the gathering of, and attestation to, users' current access rights to critical systems and applications. This feature allows records to be created that contain the current access a user has to one or more systems and applications. Each of these records can be automatically attested by policy rules, or routed to the appropriate person for manual attestation. (ID-9719)
Access Review is typically performed on a regular basis to ensure that users have not accrued excessive access to critical systems. By keeping user access data for multiple systems and applications in a single record, the reviewers have a complete understanding of the user, which enhances their ability to make an accurate judgement. The automated process is supported by tracking tools that indicate how much work the review has completed, how much is left, and who is responsible for the remaining work. The review process is integrated with traditional audit policy scanning such that reviews can perform both compliance checking (audit policy scanning) and access review (reporting and attestation).
Access Review can be customized to provide additional automation, including:
- Rule-based determination if a user should be attested or not
- Rule-based determination if a user can be automatically attested/rejected
- Rule-based determination for who should perform manual attestation on a specific user
- Workflow-based manual attestation, including forwarding, delegation and escalation
- Attestors do not need to be IdM administrators - any IdM account will work
Separation of Duties reporting is also new to Auditor, providing the means to capture specific access conflicts that allow a user to bypass internal safeguards. (ID-12716) These conflicts are most serious in ERP and Financial systems, where a conflict violation can result in financial errors. Auditor captures such conflicts with a violation record that indicates the user, the system/application, and the specific conflict, including the exact account settings that imply the conflict. Auditor Separation of Duties can detect conflicts with account settings on a single system/application or across multiple systems.
These conflicts are summarized in a conflict matrix report, with details available as drill-down information behind each cell in the matrix.
Forms
HTML Display Components
Identity Manager Integrated Development Environment (IDE)
The Identity Manager Integrated Development Environment (Identity Manager IDE) is a Java application that enables you to view, customize, and debug Identity Manager objects in your deployment.
Major features of the Identity Manager IDE include:
- Integrated Explorer window that allows project, directory-based, or runtime views of a project
- Action menus for document modification
- Custom editors, including:
  - Object property sheets and graphical value editors for enumerating XML object properties and editing basic object types, XPRESS, and XML objects without typing XML
  - Drag and drop palette for adding workflow services, approvals, users and workflow tasks to XML source without typing XML
- Registered waveset.dtd definition file that enables syntax highlighting and auto-completion for XML elements and attributes
- Integrated debugger for workflows, forms, and rules
- Rule tester for verifying standalone and library rules
- Form previewer for previewing and troubleshooting forms in an external browser
- Checkout View feature allows you to check out, modify, and check in Identity Manager views (such as a user view).
- CVS integration
The Identity Manager IDE is a fully integrated NetBeans plugin that was designed to replace Identity Manager’s Business Process Editor (BPE) application. For more information about installing and using the Identity Manager IDE, refer to the chapter titled Using the Identity Manager IDE in Identity Manager Deployment Tools.
Identity Manager SPE
Instead, the Identity Manager SPE components access this data directly from the Identity Manager repository. Therefore, you no longer need to select and export the configuration objects needed by Identity Manager SPE. The Identity Manager installer can be used to update an Identity Manager SPE deployment in place.
If tracked event data is being stored in the Identity Manager SPE configuration directory, it should be exported as XML before the upgrade occurs. After upgrade, the tracked event data can be imported into Identity Manager. Also, after a successful upgrade, you can safely delete the configuration LDAP directory.
- Accessing objects through Identity Manager SPE no longer requires a separate type of context. Identity Manager SPE forms no longer need to set the needSpeContext property and refer to this context with :display.speContext. (ID-12171)
- Created a public interface to allow customers to invoke custom callouts before provisioning executes and after provisioning has completed. (ID-12173)
- Identity Manager SPE now provides better example end-user JSP pages. (ID-12175)
- Identity Manager now provides a customizable delegated administration and authorization model accessible both from Identity Manager and Identity Manager SPE User Server. This model leverages directory attributes and does not depend on Identity Manager Organizations and Capabilities. (ID-12176)
- You can now run Active Sync and SPE Synchronization on the same Identity Manager server. However, do not run both on the same resource. (ID-12178)
- The Identity Manager SPE User XML attribute can now be stored in a compressed format to reduce the SPE user directory footprint. (ID-12186)
- Identity Manager SPE transactions can now support configurable user update consistency levels. Existing transaction store databases will need to be modified to add an additional column, userId VARCHAR(N), where N is large enough to contain the maximum length expected for an Identity Manager SPE user DN, plus an additional 8 characters. This database change does not occur automatically when running the upgrade scripts. (ID-13830)
MetaView
- The new Identity Events feature has been added to the MetaView. This option allows you to define a model for determining when events occur on resources and how to appropriately respond to them. This feature also allows you to detect delete, disable, and enable events either natively on the resource or through the evaluation of a rule if the resource does not support detecting the event.
You can respond to events with any combination of deleting, unassigning, unlinking, enabling, and disabling users and resource accounts. Identity events are applied only during Active Sync. As with identity attributes, these events are applied only if Active Sync is selected as an enabled application for the MetaView. (ID-12561)
- In the Administrator interface, the Reports Deleted feature has been added. This feature applies to resource adapters that support Active Sync natively determining whether an account was deleted. (ID-13206)
- The MetaView now supports a new option for setting the values of target fields. Multi-valued attributes can also be merged. (ID-13212)
Reports
- The results of bulk actions can now be downloaded to a file in CSV format. (ID-9297)
- By default, the following reports are automatically scoped to the set of organizations controlled by the logged-in administrator, unless explicitly overridden by selecting one or more organizations against which the report should be run: Admin Role Summary, Administrator Summary, Role Summary, User Questions Summary, and User Summary. The org scope component has also been changed from a single select to a multi-select component. (ID-12116)
- Identity Manager now supports monitoring a variety of components using Java Management Extensions (JMX). (ID-12405)
- New reports now support manager-employee relationships: My Direct Reports Summary, My Direct Employee Summary, My Direct and Indirect Employee Summary, and My Direct Reports Individual. (ID-12416, ID-12689)
- A CSV report encoded with the UTF-8 character set and multibyte text can now be customized so it can be displayed in applications that do not support UTF-8 encoding, such as Microsoft Excel. (ID-13574)
Repository
- An administrator can disable an Identity Manager repository’s automatic internal connection pooling by setting the connectionPoolDisable attribute of the RepositoryConfiguration object to true. The older method of setting com.waveset.repository.ConnectionPoolDisable=true is now deprecated. (ID-10924)
- Identity Manager 7.0 removes the Repository method signature #getLastMod(Type, long). Identity Manager 5.0 SP2 deprecated this method signature in favor of #getLastMod(Type). Custom applications should not refer to this method or refer directly to any class or interface in the com.waveset.repository package. (ID-11761)
- The default JDBC driver for Microsoft SQL Server is now the Microsoft SQL Server 2005 JDBC Driver. This driver replaces the older Microsoft SQL Server 2000 JDBC Driver. This new default driver changes the JDBC driver class name and the format of SQL Server database URLs. It also removes the requirement to append “SelectMethod=Cursor” to such URLs. (ID-14136)
Resources
- Identity Manager 7.0 includes support for the following resources:
- The SecurID adapters can now retrieve tokens by status (for example, all LOST tokens or all ENABLED tokens). (ID-7646)
- Support is added for OS/400 v4r5, v5r2, v5r3, and v5r4 (5.2, 5.3, and 5.4). (ID-9928, 13122)
- Added multiple attributes to the Oracle ERP adapter to support auditing features. (ID-11725)
- The RACF adapter now includes search filter support for listAllObjects. (ID-10895)
- The SAP HR Active Sync adapter now supports mySAP ERP ECC 5.0 (SAP 5.0). (ID-12408)
- The SAP and SAPHR adapters now provide three new resource attributes that provide the parameters for a retry of an SAP operation when a network failure occurs: (ID-12579)
- The Oracle ERP adapter now supports set of books (SOB) functionality. (ID-12715)
- A VLV Sort is now configurable. The VLV sort attribute (vlvSortAttribute) has been added to the LDAP resource. If the attribute is set, that value is used for the sort; if it is not set, the “uid” value is used. (ID-13321)
Roles
Security
Server
SOAP
Workflow
Bugs Fixed in This Release
This section describes the bugs fixed in Identity Manager 7.0.
Installation and Update
- Credentials can now be passed to com.waveset.install.UpgradePostProcess. This change facilitates the upgrade process, particularly when the Configurator’s password has been changed and you are performing a manual upgrade without access to a GUI. (ID-13006)
- The Auditor Login Interface has been removed. (ID-14481)
Considerations for upgrading include:
- Any existing account Policy that has questions defined for the Auditor application will be altered as follows:
  - If the Policy also has questions defined for the Admin and/or default application, then the questions for the Auditor application will be discarded, and the Admin and/or default questions will be respected instead.
  - If the Policy has no questions defined for the Admin or the default application, then the questions for the Auditor application will be re-designated as Admin questions.
- Any authentication answers for a user defined for the Auditor application will be altered as follows:
  - If the user also has answers defined for the Admin and/or default application, then the answers for the Auditor application will be discarded.
  - If the user has no answers defined for the Admin or the default application, then the answers for the Auditor application will be re-designated as Admin answers.
- Upgrades from a previous installation that had Identity Auditor enabled will now see the Auditor organization in the account/organization table. New installations do not have an Auditor organization. (ID-14636)
- If you wrote an Audit Policy Rule for Separation of Duties in a previous release that caused you to customize the Conflict Violation Details Form, you will need to save that form before upgrading. (ID-14772)
Administrator and User Interfaces
- A meaningful error message is displayed if a user tries to log in while a resource on which the user is defined is down. (ID-1905)
- Messages for errors that are considered fatal can now be displayed with a configured default message, and additional information can be logged to syslog. The UNIX resource adapters have been modified to use this error message display. (ID-5495)
- You can now replace the product name string in the browser title bar with a localizable string of your choice. (ID-10905)
- The Completed Role Synchronization task no longer displays a message that the task is still executing. The task has also been enhanced with a statistics table. Errors and exceptions are now displayed for the completed task. (ID-11181)
- The “Change Answers to Authentication Questions” end-user page now handles a user who does not have authentication questions more gracefully. (ID-11773)
- The inbox link for an anonymous user login now points to the new end-user work item list table. (ID-12816)
- MultiSelect objects now sort the available values when the noApplet=true and sorted=true properties are set. (ID-12823)
- End users no longer get pop-up dialogs when entering or leaving a secure site. (ID-13054)
- Forms that display an account password policy summary by resource will now wrap the content within the table. Previously, the summary information would scroll off the right side of the browser window. (ID-13109)
- In the sysconfig file, the security.delegation.historyLength parameter now controls the number of previous delegations that are recorded. (ID-13141)
- The Admin version of continueLogin.jsp now displays catalog messages correctly. (ID-13193)
- A null pointer exception that was thrown when a user canceled an edit to a resource after searching or filtering no longer occurs. (ID-13434)
- When you create a new role, “Available Resource Groups” no longer appears twice in both the left and right side of the panel. (ID-13573)
- Copying an existing resource by renaming the resource and selecting Create versus Rename now correctly duplicates resource facets, such as whether ActiveSync is enabled. (ID-14175)
- Account locking and unlocking now works correctly if the account policy in the Service Provider main configuration is not set. Previously, the lock button worked only on the Service Provider account edit page when an account policy was configured for the Service Provider. (ID-14181)
Forms
Identity Auditor
- An Audit Policy can now be configured to scan only a restricted set of resources. (ID-9127)
- Indirectly assigned policies can now be viewed. (ID-11886)
- UserViewConstants.OP_CALL_VIEW_VALIDATORS can be set for policy checking during provisioning. (ID-12757)
- Policy checks during user provisioning operations can be performed in the provisioning thread. Previous behavior always used a separate task to perform the check. If the task behavior had been customized, bypassing the task might cause the customizations not to be used. To fix this problem, set the System Configuration user.view.alwaysUseTask attribute to true, which will force the old behavior. (ID-14086)
Identity Manager SPE
- The transaction event timer is not restarted during a transaction. Previously, the transaction processing time in Identity Manager SPE did not include the time spent evaluating the account policy. (ID-14416)
- Identity Manager SPE now resumes processing transactions when the service is shut down ungracefully (for example, the application server exits with an out-of-memory error). (ID-14579)
Localization
Mainframe
Reports
Repository
Resources
- The removeDenyGroupsDuringDelete resource attribute for the Domino resource adapter specifies if a user is to be removed from Deny Access Group memberships upon deletion through Identity Manager. Setting this attribute to true will indicate the removal from the groups should be processed. The default value for this attribute is false for backward compatibility. (ID-10466)
- The LDAP adapter no longer creates an illegal distinguished name (DN) for a new account. (ID-10951)
The escape method in com.sun.idm.util.ldap.DnUtil can now be used in forms to escape values to be inserted into identity templates of resource adapters with the LDAP DN format. Alternatively, an accountId policy with the “Required LDAP DN format” option checked can be used to validate LDAP distinguished names entering Identity Manager via input such as user input, ActiveSync, and reconciliation.
- The normalize method in RFC2253Parser now recognizes and reports an invalid LDAP distinguished name (DN). (ID-10952)
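The two fixes above (ID-10951 and ID-10952) are about the same failure: a value spliced unescaped into a DN template produces a distinguished name that is syntactically invalid or that lands the entry somewhere other than intended. The release notes name DnUtil.escape and RFC2253Parser.normalize but not their signatures, so the block below is an added, generic Python stand-in (not Identity Manager code) for those two jobs: escape_dn_value() applies the RFC 4514 (formerly RFC 2253) escaping rules, parse_dn() rejects a DN that was built without them, and build_dn() is the inverse of parse_dn(). Hex-encoded (#...) values are outside this subset; the DNs and user names are constructed samples.

```python
"""Escaping and validation of LDAP distinguished names (RFC 4514 string form).

Added example, not Identity Manager code: generic stand-ins for the escape and
normalize/validate steps the release notes describe.
"""
import re

# Characters that must always be escaped inside an attribute value (RFC 4514, section 2.4).
SPECIAL = set(',+"\\<>;')
# Attribute type: a short descriptor (cn, uid, dc) or a dotted OID (2.5.4.3).
ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$')
HEX = set('0123456789abcdefABCDEF')


def escape_dn_value(value: str) -> str:
    """Return value escaped so it can be spliced into a DN template verbatim."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')                   # a leading '#' would mean "hex-encoded value"
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')                   # unescaped leading/trailing spaces are dropped
        elif ord(ch) < 0x20 or ch == '\x7f':
            out.append('\\%02X' % ord(ch))      # control characters as hex pairs
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(dn: str):
    """Parse a DN string into a list of RDNs, each a list of (type, value) pairs.

    Raises ValueError for unescaped special characters, an RDN without '=',
    a bad escape sequence, a dangling separator, or a value that is not UTF-8.
    """
    if dn == '':
        return []
    rdns, current, i, n = [], [], 0, len(dn)
    while True:
        eq = dn.find('=', i)
        if eq < 0:
            raise ValueError('RDN without "=" at offset %d' % i)
        atype = dn[i:eq].strip(' ')
        if not ATTR_TYPE.match(atype):
            raise ValueError('invalid attribute type %r at offset %d' % (atype, i))
        i = eq + 1
        while i < n and dn[i] == ' ':
            i += 1                              # leading unescaped spaces are not part of the value
        if i < n and dn[i] == '#':
            raise ValueError('hex-encoded value at offset %d not supported here' % i)
        buf, escaped = bytearray(), []         # one escaped flag per byte in buf
        while i < n and dn[i] not in ',+':
            ch = dn[i]
            if ch == '\\':
                if i + 1 < n and (dn[i + 1] in SPECIAL or dn[i + 1] in ' #='):
                    buf.extend(dn[i + 1].encode('utf-8')); escaped.append(True); i += 2
                elif i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                    buf.append(int(dn[i + 1:i + 3], 16)); escaped.append(True); i += 3
                else:
                    raise ValueError('bad escape at offset %d' % i)
            elif ch in SPECIAL:
                raise ValueError('unescaped %r at offset %d' % (ch, i))
            else:
                b = ch.encode('utf-8')
                buf.extend(b); escaped.extend([False] * len(b)); i += 1
        while buf and buf[-1] == 0x20 and not escaped[-1]:
            buf.pop(); escaped.pop()            # trailing unescaped spaces are not part of the value
        try:
            value = buf.decode('utf-8')
        except UnicodeDecodeError:
            raise ValueError('value at offset %d is not valid UTF-8' % eq) from None
        current.append((atype, value))
        if i >= n:
            rdns.append(current)
            return rdns
        if dn[i] == ',':
            rdns.append(current)
            current = []
        i += 1                                  # skip the ',' or '+' separator


def is_valid_dn(dn: str) -> bool:
    """Validation check of the kind an accountId policy would apply to incoming DNs."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def build_dn(rdns) -> str:
    """Inverse of parse_dn: assemble a DN from (type, value) pairs, escaping every value."""
    return ','.join('+'.join('%s=%s' % (t, escape_dn_value(v)) for t, v in rdn) for rdn in rdns)


if __name__ == '__main__':
    name = 'Smith, John'                        # constructed sample user name
    template = 'cn=%s,ou=People,dc=example,dc=com'
    print('naive:', template % name, '->', is_valid_dn(template % name))
    print('escaped:', template % escape_dn_value(name), '->', is_valid_dn(template % escape_dn_value(name)))
```

The naive template produces cn=Smith, John,... which parse_dn rejects because " John" is not an attribute type; the escaped form keeps the comma inside the cn value. Validating on the way in (the accountId policy option mentioned above) and escaping on the way out are complementary: the first stops bad DNs arriving from Active Sync or reconciliation, the second stops the identity template from manufacturing them.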
- The getNextIndex method of DblBufferIterator no longer accesses size information of the supporting arrays outside the object's synchronization. (ID-11129)
- Synchronization status in a clustered environment is improved. (ID-11250)
- The isPickListAttribute method within com.waveset.adapter.SiebelResourceAdapter is no longer misidentified as isMVGAttribute in the tracing system. (ID-11471)
- The Objectclasses to synchronize Active Sync attribute on LDAP resources now defaults to inetorgperson. (ID-11644)
- The maximum number of Flat File Active Sync logs configured on an Active Sync resource are now created correctly. (ID-11848)
- The objectClass attribute mapping is no longer required in an LDAP resource schema map for Active Sync to function. Custom resource adapters extending com.waveset.adapter.LDAPResourceAdapter that override both the poll() and getUpdateRows(UpdateRow) methods should be modified to invoke LDAPResourceAdapterBase.ensureObjectClassInSchemaMap() in either method. (ID-11880)
- The Domino Resource Adapter now supports setting the “Store ID in a File” option to false as a resource attribute, which disables the creation of the user’s ID file locally on disk. The ID file must still be provided, however, when creating the user. (ID-12139)
- Solaris and Linux adapters now return a year on the last login information. (ID-12182)
- The Oracle ERP adapter now closes Oracle database cursors. Previously, the adapter failed to close the cursors, which after long periods, resulted in the “ORA-01000: maximum open cursors exceeded” error. (ID-12222)
- Errors for locked accounts or users from Active Sync are now logged. (ID-12446)
- For the Domino Resource Adapter, concurrent updates of HTTPPassword with several users with the NSFNoteComputeWithForm() API call no longer result in a “-551” gateway error. (ID-12466)
- Gateway crashes no longer occur for customers using APIs directly without going through Identity Manager. (ID-12481)
- The Flat File Active Sync adapter now provides a warning message in the Active Sync log (if enabled) whenever an error occurs preventing a diff action for synchronization. (ID-12484)
- The terminal emulation used to create a Natural resource adapter account has been modified so that an 8-character user name does not use a tab to select the Copy Links attribute. (ID-12503)
- Modifying AttrParse objects no longer requires a restart for the new values to take effect. (ID-12516)
- The Siteminder LDAP adapter now performs the following operations correctly, even when the Siteminder user is locked due to failed login attempts. (ID-12824)
- Changing LDAP group membership now uses single adds and removes instead of rewriting the entire group (that is, replacing the entire uniqueMember attribute). (ID-13035)
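Rewriting the whole uniqueMember attribute is not only slower than a targeted add or remove; it also silently discards any membership change another client made between the read and the write. The block below is an added example, not Identity Manager code: a toy in-memory LDAP entry with the three modify operations of RFC 4511 (add, delete, replace), a generator for the LDIF change record a single-member update produces, and a simulation of two clients editing the same group. Group and user DNs are constructed samples.

```python
"""Why incremental LDAP group updates beat rewriting the whole member list.

Added example (not Identity Manager code): toy LDAP modify semantics used to
show the lost update that a REPLACE of uniqueMember causes under concurrency.
"""
from copy import deepcopy

GROUP_DN = 'cn=admins,ou=Groups,dc=example,dc=com'          # constructed sample
ALICE = 'uid=alice,ou=People,dc=example,dc=com'             # constructed sample
OLD = 'uid=old,ou=People,dc=example,dc=com'                 # constructed sample
NEW = 'uid=new,ou=People,dc=example,dc=com'                 # constructed sample


def apply_modify(entry: dict, ops) -> dict:
    """Apply a list of (op, attr, values) modify operations to an entry in place."""
    for op, attr, values in ops:
        current = entry.setdefault(attr, set())
        if op == 'add':
            current.update(values)
        elif op == 'delete':
            missing = set(values) - current
            if missing:                      # a real server answers noSuchAttribute here
                raise ValueError('delete of absent value(s): %s' % sorted(missing))
            current.difference_update(values)
        elif op == 'replace':
            entry[attr] = set(values)        # whole attribute overwritten with the client's copy
        else:
            raise ValueError('unknown op %r' % op)
    return entry


def membership_change_ldif(group_dn: str, add=(), remove=()) -> str:
    """LDIF change record that touches only the members being added or removed."""
    lines = ['dn: %s' % group_dn, 'changetype: modify']
    for op, members in (('add', add), ('delete', remove)):
        if members:
            lines.append('%s: uniqueMember' % op)
            lines.extend('uniqueMember: %s' % m for m in members)
            lines.append('-')
    return '\n'.join(lines) + '\n'


def simulate_concurrent(strategy: str) -> set:
    """Client A removes OLD while client B adds NEW; return the group's final members.

    strategy is 'replace' (A rewrites the attribute from the copy it read earlier)
    or 'incremental' (A sends a single delete for OLD).
    """
    server = {'uniqueMember': {ALICE, OLD}}
    snapshot = deepcopy(server)                                   # A reads the group
    apply_modify(server, [('add', 'uniqueMember', [NEW])])        # B's add lands first
    if strategy == 'replace':
        wanted = snapshot['uniqueMember'] - {OLD}                 # computed from stale data
        apply_modify(server, [('replace', 'uniqueMember', wanted)])
    elif strategy == 'incremental':
        apply_modify(server, [('delete', 'uniqueMember', [OLD])])
    else:
        raise ValueError(strategy)
    return server['uniqueMember']


if __name__ == '__main__':
    print('replace     ->', sorted(simulate_concurrent('replace')))
    print('incremental ->', sorted(simulate_concurrent('incremental')))
    print(membership_change_ldif(GROUP_DN, add=[NEW], remove=[OLD]))
```

With the replace strategy the group ends up without NEW, and nothing in the server's response tells client A that it undid B's change; with the incremental strategy both edits survive. The same reasoning applies to any multi-valued attribute that several provisioning sources write to.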
- Identity Manager now clears Admin privileges, if any, before attempting to delete a SecurID user. (ID-13053)
- A cursor leak in the Oracle table adapter (DatabaseTableResourceAdapter) has been fixed. (ID-13111)
- The auditorObject complex attribute syntax for the Oracle ERP resource has been modified to include a namespace to make it easier to fetch information from the GenericObject. The syntax of the attribute now includes a top-level “auditorResps” that contains a list of responsibility objects. (ID-13302)
- Performance improvements have been made to AttrParse. Normal parsing no longer throws and catches an exception for every character in a parsed buffer. (ID-13384)
- The SecurID for UNIX adapter now performs UTF-8 character encoding and decoding when interoperating with RSA. (ID-13451)
- When creating an account on a Windows NT resource through the Windows NT resource adapter, the following error message is no longer displayed in the Create user result page: “Error requiring password: put_PasswordRequired(): 0X80004005:E_FAIL”. (ID-13618)
- The Active Directory PasswordNeverExpires attribute can now be set during an update. (ID-13710)
- Identity Manager 7.0 server now notifies waiting threads by calling notify after removing a connection over the gateway. (ID-14044)
Security
- A user who has “Organization Administrator” capability for an organization can no longer create organizations in other organizations, even if that user has “Account Administrator” and “Role Administrator” capabilities. (ID-10235)
- Password generation now works correctly for passwords that do not follow a policy. (ID-12275)
- A password expiration warning message is now displayed for the Admin interface. (ID-13236)
- Approver capability no longer has rights to Remediation WorkItems. (ID-14163)
In pre-Identity Manager 7.0 installations, the Approver capability has full rights to WorkItem. The RemediationWorkItem and AttestationWorkItem authTypes extend WorkItem, so Approver therefore has full rights to RemediationWorkItems, and possibly to other users’ Attestations.
This problem is fixed in new Identity Manager 7.0 installations and installations upgrading to Identity Manager 7.0. For backward compatibility, pre-Identity Manager 7.0 installations can fix this problem by following these steps:
- Change any references to the Approver capability to the new Approver Administrator capability. This includes users’ admin group references and any rules or workflows that might assign the Approver capability.
- Make sure that any work items created in workflows have a specified authType; otherwise they default to the Approval authType.
- Run WorkItemUpdater in update.xml to change any work items with a null authType to the Approval authType (it can be set to any authType required). The statements and instructions are in the file but commented out by default.
Server
- TaskInstance subobjects, like approvals, are now deleted properly when terminating the task. (ID-3258)
- In a form, using <set> within <Expansion> now works correctly. (ID-9617)
- The last audit record is no longer missing when a retry fails after a resource is renamed. (ID-9714)
- In a clustered environment, a failed login on the end-user pages no longer generates a serialization-related exception. (ID-10556)
- A server no longer attempts to detect itself as being non-responsive when it takes long periods of time to process task information. (ID-10920)
- IAPI Configuration migrated to IAPI XmlData, which is primarily used by ActiveSync resources to store information about the last processed change. (ID-11266)
- References to “session” server and viewers that were deprecated in the Identity Manager 5.0 SP1 release have been removed. (ID-11873)
- Delimiter processing is now suppressed between brackets. Consequently, all characters found within bracket sets will now be treated as either an index or as a filter. Note: there currently isn't a mechanism to escape the closing bracket "]". (ID-12384)
- The changelog filename can now contain periods (.) in the prefix. (ID-12470)
- Task instance terminations are now audited as Terminate actions instead of Modify actions. (ID-12791)
- The performance of the creation of Account objects has been improved, which should also result in the improved performance of reconciliations and provisioning. (ID-13341)
- A new server configuration setting under Configure->Servers allows you to set a limit for the maximum number of tasks that a server can run concurrently. (ID-13343)
Workflow
- A nested reference to a rule name located in the same library, but not prepended with the library name, can now be resolved, and an Unresolved Rule error does not occur. (ID-10265)
- If notification.rediret is used to redirect messages to a file, that file is now written using the emailNotifier.contentCharset, just as the message would be if it were emailed. This allows the file to contain non-ISO-8859-1 characters. (ID-10331)
- More information is now included in the workflow message when an approver attempts to approve or reject a work item that has already been approved or rejected. (ID-11045)
- The debugger is now enabled by default. For production deployments, it is recommended that you disable the debugger by setting the following system configuration property: “serverSettings.default.debugger.enabled=false”. (ID-14076)
Documentation
With the merging of the Identity Auditor features and Service Provider Edition features into Identity Manager for this release, the following publications have been deprecated:
These publications have been consolidated with the Identity Manager Administration guide.
Additional Defects Fixed
10475, 11052, 12452, 13434, 14178