Previous      Next
Sun Java[TM] System Identity Manager 7.0 Release Notes

Known Issues

The following sections list known issues and workarounds for:

Identity Manager
Service Provider Edition
Auditor

---

Identity Manager

General

A login prompt is displayed when attempting to visit specific pages if cookies are disabled (ID-158).
Systems that are running the Sun Identity Manager Gateway should be configured so that Dr. Watson does not produce visual notifications. If this feature is set, then if the gateway encounters an error, the process will hang until the pop-up window is closed.
The display.session and display.subject variables are not available to Disable form elements. It is not recommended to create potentially long-running activities in Disable elements due to the fact that these expressions will run each time the form is recalculated. Instead, it is recommended that the calculation be done in another form element that will not run as frequently.
For best performance when working with the Identity Manager Web Interface, use the OpenSPML toolkit that is bundled with Identity Manager. Using the openspml.jar file from the openspml.org website may cause memory leaks. (ID-11889)
If you have a space in the path to the Identity Manager installation directory, you should specify the WSHOME environment variable without double quotes (") as shown below.

Note	Trailing slashes ( \ ) should not be used when specifying the path even if the path contains no spaces.

set WSHOME=c:\Program Files\Apache Group\Tomcat 4.1\lighthouse

or

set WSHOME=c:\Progra~1\Apache~1\Tomcat~1\lighthouse

The following will not work:

set WSHOME="c:\Program Files\Apache Group\Tomcat 4.1\lighthouse"

Required fields set on the resource schema map are only checked when a user account is created (ID-220). If a field is to be required on user updates, then the user form should be configured to ensure that the field is required.
No checking is done on organization name, administrator name, account name, user attribute name (left hand side of schema map), or task names for invalid characters (ID-1145, 1206, 1679, 1734, 1767, 2413, 3331). You cannot use a dollar ($), a comma (,), a period (.), an apostrophe ('), an ampersand (&), a left bracket ( [ ), a right bracket ( ] ), or a colon (:) in the name for these types of objects.
A misleading error message is given on the account page if you try to perform an action after your session has timed out (ID-1223).
The calendar object is not fully viewable if the browser is using large fonts
(ID-2120).
The Select All checkbox on the Find Results page and the List Task page does not become un-selected if one of the items in the list is un-selected (ID-5090). The selectAll checkbox is ignored during the resulting action if not all of the members in the list have their checkbox selected.
If you make a change to a custom message catalog, it is necessary to restart the server in order to see your changes. (ID-6792)
The sidebar tabs (such as Account List, Find User) do not appear on the confirmation page when enabling or disabling multiple users (ID-6866). Once the page is confirmed and the results are displayed, the tabs re-appear.
The current mechanism for detecting a failed Server assumes that all the systems in an Identity Manager cluster are synchronized with respect to time. (ID-7064) With the default failure interval of five minutes, if one server is five minutes out of sync with another, the server that is ahead will declare the server that is behind to be dead, causing unpredictable results. The workaround is to maintain better time synchronization, or to increase the failover interval.
On Windows, if you are logging in as a user whose name contains double-byte characters and the default encoding for the machine only supports single-byte characters, you must set the USER_JPI_PROFILE environment variable to an existing directory whose name contains only single byte characters. (ID-8540)

Install and Update

When installing Identity Manager from the idm.war file, the execute bits are not set on the UNIX shell scripts (ID-2371). Workaround is to perform a UNIX chmod command on the idm/bin directory.
When Identity Manager is installed in a Tomcat 5.x environment, running reports results in a java error (ID-6652). Workaround is to perform the following:

cd $WSHOME\WEB-INF\classes

jar xvf ..\lib\j2ee.jar javax/activation/DataSource.class

The AD Active Sync resource has been deprecated and replaced by the AD resource. Perform the following steps to migrate to the AD Active Sync to newer releases: (ID-11363)
Export the existing AD Active Sync resource object to an xml file (either from the command line or debug pages).
Delete the existing resource (this will not affect Identity Manager users or resource account users)
Create a new AD resource that is Active Sync.
Export this new resource object to an XML file.
Edit this file and change the value of the id attribute and the value of the name attribute to match the values from the OLD resource object saved in step 1. These attributes are in the <Resource id='idnumber' name='AD' ...> tag.
Save the changes to the file.
Import the modified object back into Identity Manager using either the Configure->Import Exchange File page or the command line.
If you update from a 6.x install but want to start using the new end-user pages, you will need to manually change the system configuration ui.web.user.showMenu to "true" in order to get the horizontal navigation bar to appear. (ID-14900)

Account Management

It is possible to create NT accounts that have account names longer than 20 characters and that the NT native tools cannot manage (ID-710).
An administrator cannot save resources or roles that contain organizations that he does not manage (ID-839).
Sorting the columns on the Provisioning Results page adds additional empty rows to the results (ID-1105).
Approvals of several hundred user accounts take a considerable amount of time (ID-1149). Workaround is to approve user account records in smaller groups.
Approval records owned by an administrator who no longer has approval capability cannot be approved (ID-1150). Workaround is to remove administrator from resources, roles, and organizations in which he has approval rights, then approve any outstanding approval records prior to removing the administrator or the approval capability for that administrator.
Updating a user without making any modifications does not show detailed results page (ID-2327).
When creating a new user or adding a resource to an existing user, if the distinguished name for the user is incorrect, the incorrect value is cached until the administrator logs out (ID-2508). Attempts to re-create the user after fixing the distinguished name are not successful until after the administrator logs out.
Account locked out message does not display on the Identity Manager User Interface login screen on Netscape 4.7 (ID-2680). The error message appears in the page URL.
The name “name” is a view reserved word and should not be used as a Identity Manager User Attribute on resource schema maps (ID-2918).
Windows Active Directory requires the gateway to run as an administrator who can create directories (ID-2919). Identity Manager can create home directories on Windows 2000 systems. The home directory account creation is being performed by the user the gateway process is running as, instead of the administrator specified in the resource definition. Workaround is to change the user that the gateway is running as from Local System to an account that has permission to create remote shares and set permissions on those shares. This account will also need Bypass traverse checking and Act as operating system privileges.
The Windows NT resource incorrectly throws a warning message instead of an error message when errors occur when disabling a user account (ID-3222).
A java.lang.NullPointerException may be seen when removing all the resources from a user via the edit user page (ID-4811). A workaround for this problem is to use the user delete page to either unlink or delete these resource accounts from the user.
If an Identity Manager user is created and assigned to a Windows Active Directory resource where the user account already exists, the user will be created without a GUID attribute in the resource info (ID-5114). This GUID is used to detect changes to the user's organization or name in the Directory. Running reconcile from the resource will fix this problem.
When creating a user, a warning is given if you add a Role to the user that contains a resource that is directly assigned (ID-5385).
A “Forward To” administrator cannot be specified when a user is being created. This option can only be set when editing the user (ID-5695).

Approvals

When updating a user and selecting to run the update in the background, an approval activity appears on the task results page (ID-3301). This approval can be ignored.
Approval records for an administrator do not show up after the user is renamed (ID-3386). Workaround is to resolve all outstanding approvals before renaming the user.
Previously approved or previously rejected approval records cannot be viewed by an administrator if the user being approved belongs to an organization that the approver does not control (ID-3494).
Resource retries tasks appear in the pending approval list for Configurator (ID-3508).

Integrated Development Environment (IDE)

Most nodes have an associated property sheet in the Properties windows, and most of these nodes have a Name property for managing the value of the name. If you rename a particular object via its node, either by right-clicking and selecting Rename, or by clicking the node and typing text over the label, the node's label is updated and the XML changes. However, the property sheet fails to update. You can click another node and then reclick the renamed node and the property sheet updates to reflect the new name. You can also click the title of the property sheet to update to the correct values. (ID-13696)
Renaming objects using Identity Manager IDE should be done through the right-click context menu in the Projects explorer, instead of editing the XML using the editor. (ID-13828)
The XML Navigator has been disabled in IDM IDE. Windows ->Navigator opens the Navigator panel and <No view available> is displayed. (ID-13390)
Project delete functionality is not supported. (ID-14013)
Rule Libraries are not currently supported other than to perform basic XML editing and testing in the rule tester. Navigation and property support is not currently implemented. (ID-14093)
Form property values cannot be set with the property editor if the data type is Integer or Boolean. (ID-14128)

Workaround: Edit the value to the property directly in the XML.

Downloading, uploading or reloading an object causes a lock to be placed on the object in the repository. Consequently, attempts to access the object by users other than the one given in the project settings within the lock's time of expiration may fail. (ID-14132)
To avoid display problems with the design tab and the workflow toolbar, keep the Show ToolBar advanced option checked. (ID-14138)
When closing a project, the "Discard All" option does not work properly. If you wish to discard your changes to an object, you must close the editor window and select "Discard". This is a known issue with NetBeans (bug 84236) . (ID-14164)
Renaming an object from the context menu in NetBeans requires the change to be saved. After making the change, the user can save the change from File ->Save without opening the file. If the file is open, use File ->Save, or close the file and select to save the changes when prompted. (ID-14420)
When setting the displayClass for a field to InlineAlert, if the field has a name the value property of the InlineAlert will not display. (ID-14456)
Checking out a user view in Identity Manager IDE puts a lock on the object. Checking in the view or closing the view does not release the lock. The lock will be released automatically after 5 minutes. You can also release the lock by logging in to Identity Manager as the administrator that checked the view out in IDM IDE and viewing the user. (ID-14797)

Login Configuration

Pass-through authentication module does not work for the Domino resource (ID-1646).
Changes made to the Administrator Login Setup and User Login Setup pages are not visible to other administrators logged in (ID-3487). To see the changes, the other administrators will need to log out of the Administrator Interface and log back in.
If an Administrator logs in and selects “Change My Password” and then selects another tab, their account is locked until the lock expires. (ID-3705)

If another Administrator attempts to edit that locked Administrator, the “com.waveset.util.WavesetException: Unable to access account #ID#Configurator at this time. Please try again later.” message is displayed. If they click on the "OK" button, the workflow process diagram from the last action is displayed.

Organizations

When deleting multiple organizations, if the delete fails on one organization, all the remaining organizations are not deleted (ID-517).
Renaming an organization when there are provisioning requests pending that have users belonging to the organization will cause the provision request to fail (ID-564). Workaround is to ensure there are no outstanding requests before renaming an organization.
When creating a new organization, if the User Member Rules option is selected before specifying an org name, when the page is refreshed, an organization ID will appear in the Organization name field (ID-6302). The name can still be set prior to saving the new organization.

( ) - Warning: Parenthesized values in field 'Approvers' do not match any of the allowed values.

Policies and Capabilities

The Identity Manager account policy attribute Reset Notification Option has a value option of “administrator” that has no effect (ID-944). The only viable options are “immediate” and “user”.
When deleting multiple roles, if an error is encountered, the entire operation will stop instead of continuing to the other roles (ID-1168).
The minimum number of questions a user must answer can be set to a value greater than the number of defined questions (ID-1834). If this situation occurs, the user will not be able to log in using the “Forgot My Password” option.
The Default Lighthouse Account Policy cannot be cloned by editing the policy, changing the name, and selecting to create a new object (ID-5147). Workaround is to create a new account policy.

Reconcile and Import Users

Importing users from a CSV file does not update resource attributes if the user already exists in Identity Manager (ID-2041).
Comma-separated-value (CSV) file that is loaded with single quotes (') in the account IDs are translated to question marks (?) (ID-2100).
Scheduled tasks will not show up in a search on the "Find Tasks" page when using the "Is Scheduled" option (ID-5001).
Reconciliation fails when run against a Red Hat version 8 resource (ID-6087).
Reconciliation of an Oracle ERP resource will complete with errors if connection pooling on the resource is enabled (ID-6386). Workaround is to turn off connection pooling during reconciliation.

Reports

Security administrators cannot run or create reports (ID-1217). Workaround is to give administrators Report Administrator capability.
Risk analysis reports can be viewed by administrators other than report administrators (ID-1224).
Report results that are emailed with the plain text option are not formatted (ID-2191). Workaround is to use HTML option for the email.
Audit Log entries may not be recorded for large results (ID-5050).
The ticker will not display when selected if there are organizations with apostrophes (') in their name (ID-5653).
If you attempt to run an Administrator Report and select to Report only Administrators which belong to a specific organization which has no administrators, a java.lang.NullPointerException error is returned (ID-5722).

Resources

Resource test button does not test all fields (ID-51).
Resource port assignments can be set to values greater than 65535 (ID-59).
Bad error message displayed when setting incorrect Active Directory group name (ID-393). If you attempt to set an Active Directory group name to “groupname” instead of “cn=groupname,cn=builtin,dc=waveset,dc=com” an error message stating “array index out of bounds” is displayed.
Required account attributes are sometimes ignored if there is another resource with the same account attribute name that does not have the required flag set (ID-1161).
If an administrator attempts to add an organization to a resource that he does not have rights over, an error will appear. The edit of the resource must then be canceled and the resource edited again to make any other changes to the resource (ID-1274).
The error message when a resource account password or username is not correct on a PeopleSoft resource is not clear (ID-2235). The error message states:

bea.jolt.ApplicationException: TPESVCFAIL - application level service failure

Windows Active Directory resource actions that use the exit status %DISPLAY_INFO_CODE% cause the action to fail with errors (ID-2827).
Windows NT resource actions that return a non-zero exit code do not cause the action to fail (ID-2828).
Setting a user's primary group ID on Active Directory cannot be done when creating the user (ID-3221). Workaround is to create the user without setting the primary group ID, then edit the user and set the value. The primary group ID is also set by number and not by the distinguished name (DN) of the group.
Resource IP addresses are cached in the JVM after the hostname is resolved to an IP address. If a resource IP address is changed, the application server will need to be restarted for Identity Manager to detect the change (ID-3635). This is a setting in the Sun JDK (version 1.3 and higher) and can be controlled with the sun.net.inetaddr.ttl property which is typically set in jre/lib/security/java.security.
You cannot create multiple accounts for a single user on Oracle resources (ID-3832).
End-users cannot use the self-discovery feature for Domino resource accounts (ID-4775).
If a user is moved from or to a sub-container within the Active Directory organization, the Active Sync adapter will detect the change, but when you view the user on the edit page, (or make a change and view the confirmation page) the user's accountId is still displayed as the original DN (distinguished name) (ID-4950). Because we use GUID to modify the user, this will not cause any operational problems. Running a reconcile against the resource will fix the problem.
If a user is moved from an Organization (OU) to a sub-organization, the LDAP ChangeLog adapter will not recognize the change and assumes the user has been deleted. The user object is then locked in Identity Manager (if that is the current setting), and a “new” account is not created for the moved account (ID-4953).
The pooled connections used by the UNIX resource adapters can be left in an undetermined state if an error occurs while executing a command or script (ID-5406).
NDS organizations can be created in the top level of the tree only by setting the Base Context for the resource to "[ROOT]" (ID-5509).
On NDS, if you edit a field (such Grace Login Limit) on the initial provision, and do not provide values for the boolean fields, all the boolean fields are set to false (ID-6770). This prevents you from setting the other fields on the restriction tab which require certain check box values to be true. To avoid this, always ensure all your boolean fields are true when you expect them to be, so they are properly pushed when editing other fields.
If you change the password for a UNIX machine using the Manage Connection --> Change Resource Password feature, the task name that appears is:

_FM_PASSWORD_CHANGING_TASK null:null

A user-friendly name should be displayed. (ID-6947)

You cannot use the manage connection feature for UNIX resources that use NIS (ID-6948). An error is thrown because the password you are trying to change is for root, but NIS does not manage the root account.
When updating users by selecting update from an Identity Manager organization, users with a Sun One ID Server account will get an error if those users were created natively and loaded into Identity Manager (ID-7094). The work around is to update those users individually.
Identity Manager still contains the following deprecated classes:
com.waveset.object.IAPI
com.waveset.object.IAPIProcess
com.waveset.object.IAPIUser

Custom adapter classes should no longer refer to these classes, and should instead refer to the corresponding classes in package com.waveset.adapter.iapi. (ID-8246)

An error occurs when trying to delete a user who has an account on the PeopleSoft Component Interface resource. This resource currently does not support account deletions. (ID-9000)

Resource Object Management

A Windows Active Directory object (Group, Organizational Unit, or Container) cannot be renamed on the List Resources page (ID-3329).
Cannot create new LDAP groups if there are users with multi-valued CNs (ID-3848). Workaround is to manage the members of the group by DN instead of CN which is configured in the LDAP Create Group Form.

Resource Groups

Using the return key on the Create or Edit Resource Group page clears the changes made on the page (ID-3430).
Resource Group reports cannot be saved as a CSV file. (ID-8001)

Security

If you import an object containing any encrypted data and the data was encrypted with a encryption key that is not in the repository in which the data is being imported, the object will still be imported, but you will get a warning message stating that the data cannot be decrypted since the server encryption key is missing. (ID-12143)

Server

Views cannot be created via the RemoteSession interface out-of-the box. The deployment descriptor (web.xml) needs to be updated. (ID-14756)

Add the following servlet definition to the deployment descriptor

<servlet>
   <servlet-name>rpcrouter3</servlet-name>
   <display-name>OpenSPML SOAP Router</display-name>
   <description>no description</description>
   <servlet-class>
      org.openspml.server.SOAPRouter
   </servlet-class>

   <init-param>
      <param-name>handlers</param-name>
      <param-value>com.waveset.rpc.PasswordSyncHandler</param-value>
   </init-param>

   <init-param>
      <param-name>spmlHandler</param-name>
      <param-value>com.waveset.rpc.SpmlHandler</param-value>
   </init-param>

   <init-param>
      <param-name>rpcHandler</param-name>
      <param-value>com.waveset.rpc.RemoteSessionHandler</param-value>
   </init-param>
</servlet>

Add the following servlet mapping to the deployment descriptor:

<servlet-mapping>
   <servlet-name>rpcrouter3</servlet-name>
   <url-pattern>/servlet/rpcrouter3</url-pattern>
</servlet-mapping>

To use createView with RemoteSession, you need to use the rpcrouter3 servlet. To access the rpcrouter3 servlet, you need to use the RemoteSession(URL, String, EncryptedData) constructor.

Sun Identity Manager Gateway

The Sun Identity Manager Gateway occasionally will not stop when the Stop button is pressed on the NT Services screen (ID-590). Workaround is to cancel the stop service request (if it is still hanging) and stop the service again, or exit the NT services dialog and re-enter and attempt the stop operation again.
Users cannot be added to groups in an NT domain if the gateway is in a remote trusted domain (ID-711).
The gateway occasionally will not stop when using 'net stop "Sun Identity Manager Gateway"' (ID-2337).

Tasks

Administrators with Identity Manager Administrator privileges cannot view the manage tasks page if there is a Risk Analysis task in the list of tasks (ID-1225).
Administrators who do not control Top cannot create Discovery or ResourceScanner scheduled tasks (ID-1414).
The Find Task page does not display the number of tasks matching the search criteria (ID-5152).
When editing a scheduled task, the start date must be re-entered using MM/DD/YYYY format (ID-5675).
Delegated administrators who do not control Top can schedule tasks and view the task results, but cannot view the task after it has been created (ID-6659). The scheduled task was placed in Top and the delegated administrator does not have rights to view the object.
A field named Deferred Tasks was added to the library. It provides the ability to list deferred tasks on a user. To implement this field, the following line must be added the Tabbed User Form and Tabbed View User Form (ID-7660).

<FieldRef name='Deferred Tasks'/>

Workflow, Forms, Rules, and XPRESS

XPRESS <eq> function cannot be used to compare Boolean values to the strings TRUE or FALSE or the integers 1 or 2 (ID-3904). Workaround is to use:

<cond>
   <isTrue><ref>Boolean_variable</ref></isTrue>
   <s>True action</s>
   <s>False action</s>
</cond>

Path expressions do not work when iterating a list of generic objects via a dolist (ID-4920).

<dolist name='genericObj'>
   <ref>listOfGenericObjects</ref>
   <ref>genericObj.name</ref>
</dolist>

The workaround is to use <get> / <set> as shown:

<dolist name='genericObj'>
   <ref>listOfGenericObjects</ref>
   <get><ref>genericObject</ref><s>name</s>
</dolist>

If you use global.attrname variables for fields in your user form, and the attribute is shared among more than one resource, you should also define a Derivation rule (ID-5074). Otherwise, if the attribute has been changed natively on one of the resources, the attribute may or may not be picked up and propagated to the other resources.
Cannot use special strings beginning with & in HTML components of forms. For example, &nbsp; will no longer appear as a space. This issue was introduced because of a change to support special characters (&\<>') in Select lists (ID-5548).
Form, workflow and rule comments contained in <Comment> tags have &#xA; strings in them representing the line feed character (ID-6243). These characters are only seen when viewing the XML for these objects; the Identity Manager server and Business Process Editor will process these characters properly.
If you use the Resource Table User Form for editing users, when editing a user's resource, the resource attributes are not fetched when the form first appears. The work around is to click the "Refresh" button, which will fetch the attribute data. (ID-10551)

---

Service Provider Edition

Identity Manager SPE and Sun Java System Portal Server may not be compatible; there is a problem related to the encrypted libraries. (ID-10744)

This problem may be corrected by setting the following values in Portal Server’s /etc/opt/SUNWam/config/AMConfig.properties file, and then restarting the web container:

com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.
   JSSESocketFactory
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.
   SecureRandomFactoryImpl

When working with SPE dashboards: If graphs take several minutes to load the first time, then you should verify that your browser is not configured to use the Microsoft Java Virtual Machine (MSJVM). Identity Manager SPE does not support using MSJVM to run browser applets. (ID-10837)
Some configuration options that appear in the Identity Manager Administrator interface are not used with Identity Manager SPE. (ID-10843). Among these are:
Resource options: exclude accounts rule, approvers, and the organization that the resource is assigned to.
Role attributes
By default, auditing is not performed when using the checkinObject and deleteObject IDMXContext API calls. Auditing has to be explicitly requested by setting the IDMXContext.OP_AUDIT key to true in the option map passed to these methods. The createAndLinkUser() method in the ApiUsage class shows how to request auditing. (ID-11261)
When upgrading from 6.0, the main configuration page of Service Provider Edition may display warnings about invalid values for certain parameters (for example: SPE User Directory) even though these parameters show up as valid settings in the corresponding drop-down list. The workaround is to select the same value without parenthesis from the drop-down list and save the configuration. (ID-14818)
The default Service Provider login module group expects the Service Provider resource to be named 'SPE End-User Directory'. If the name of the resource is different, then the Service Provider end-user login page will not function properly. The page will not show the login related fields. (ID-14891)

To workaround this problem, the resource name in the UI_LOGIN_MOD_GRP_DEFAULT_SPE_PWD LoginModGroup object needs to be updated to reference the correct resource name.

---

Auditor

Administrative Interface

The Completed subtab of the Remediations tab does not change color when selected. (ID-9149)
The application server’s locale setting might cause two languages to be displayed when localization is enabled. (ID-9468)

Workaround: Setting the locale value to “C” might resolve this problem.

The help page for the Create and Edit Audit Policy page is missing. (ID-13040)

Audit Policies

During a scan, there is no support for retrying user accounts that could not be fetched from resources, or where other failures occur. These failures are reported when the scan is complete, but there is no automated way to rescan the accounts. (ID-9112)
Auditor attempts to keep users in compliance between policy scans by enforcing policy whenever the user is edited. If editing a user that has assigned audit policies and also is in violation of a policy, you cannot save changes to the user, even if the change is as simple as moving a user to another organization. (ID-9504)

Workaround: Use the right-click move (or find then move) functionality on the user applet, or temporarily disable the audit policy checks.

To disable the auditor policy checks, edit the system configuration and remove userViewValidators property. This property which has a value of a List of strings is added during the import of init.xml or upgrade.xml.

The Audit Policy wizard GUI allows the specification of 3 remediators, and an escalation period between them. If you specified the period, you must specify the remediator. Otherwise, the remediation will be deleted. (ID-14198)

Reports

In the AuditPolicy, Resource and Organization Violation History reports, implementing logarithmic scaling for a STACK chart type may result in unusual display behavior. (ID-9522)
The User Compliance Violation Log should not be displayed in the Reports dropdown under the Auditor Reports selector. This is the Default Compliance Audit Report task and should be hidden. (ID-14721)
If you customized the form Conflict Violation Details Form in an earlier release, you should export the form before upgrading to 7.0. Re-import the saved form if you prefer after upgrade. (ID-14772)
An Auditor Access Scan Report Administrator cannot schedule an Audit Policy Scan. (ID-14713)

Workaround is to assign the create privilege on TaskSchedule, or schedule the report with at least Auditor Administrator or Waveset Administrator capabilities.

If you have created Audit Policy Scan reports in previous versions of Identity Auditor, these reports will not be visible when you upgrade to Identity Manager 7.0. To correct this, an administrator with the Auditor Report Administrator capability (or higher) can edit these specific reports and change the visibility to run. (ID-14881)

Periodic Access Reviews

After launching a periodic access review, if you go to the access review page, you will not see your scan displayed on the list until you click the refresh button. (D-14169)
An error is displayed when you edit an Access Review Detail Report in which the specified access review target has been deleted. (ID-14805)

Workaround: Delete the report and create a new one.

It is not possible to perform an Audit Scan or Access Review with the user scope set to a dynamic org. This is due to a flaw in the scanning code, where the evaluation of the dynamic org rule fails because the scanning Subject has not been defined. (ID-14886)

The workaround (for Access Review) is to create a user scoping rule that has the same logic as the dynamic org rule, and use that rule for scoping of an Access Review.

Work Items

When an Attestation WorkItem is forwarded, any comments provided by the forwarding Attestor are included in WorkItem such that when the WorkItem is finally attested, the comments from other Attestors will be included. (ID-14643)

Previous      Next

---

Copyright 2006 Sun Microsystems, Inc. All rights reserved.