Previous Features and Bug Fixes

This section describes features added in previous service packs for Identity Installation Pack 2005Q4M3.

Installation and Update

If you use SQL Server 2000 SP4 as a repository and are using Microsoft's JDBC driver, you must use the SQL Server 2000 Driver for JDBC SP3 driver. (ID-9917)

The waveset.serverId system attribute has been added. Use this attribute to set unique server names when your deployment includes multiple Identity Manager instances that point to one repository on a single physical server. (ID-11578)

Identity Manager now supports Oracle Database 10g Release2® as a repository. (ID-12908)

The installer now supports upgrading installations that have renamed, deleted, or disabled the default Configurator account. The installer now prompts for the proper user name and password that can import the update.xml during the upgrade post process. If the incorrect user or password is entered, the user is prompted up to three times to enter the correct password. The error should be displayed in the text box behind it. (ID-13006)

For manual installation you must provide the -U <username> -P <password> flags to pass the credentials to UpgradePostProcess procedure.

Identity Manager installs correctly on machines without a graphics card. (ID-14258)

Administrator and User Interfaces

The Configure > Servers > Edit Server Settings/Edit Default Server Settings panels now include an Email Templates tab. This tab includes the default/per server SMTP host variable that all email templates with the $(smtpHost) variable will use as their default. This tab also uses the server configuration variable if the SMTP host field is blank. (ID-3574)

When you click on Reset Query in the Find Users screen, the name drop down and the results limit are now reset to their initial state.(ID-8961)

The Change User Password and Reset User Password pages in the Identity Manager Administrator Interface now contain menu options for search type. These drop-down options include starts with, contains, and is as operands to search for user whose password needs changing or resetting. (ID-8965)

The Debug page now provides export default and export all options. These options operate similar to console options, except that the Debug page options do not provide a choice for the exported file name. Instead, Identity Manager creates a file named export<date>.xml that you can save from the Debug page. (ID-9270)

Importing an email template that contains a "cc" address is now supported. (ID-9768)

The Identity Attributes page now displays a Passwords section, which describes the status of password generation with respect to the Identity attributes. You can configure Identity Manager to assign passwords to new users based on a default value, a rule, or by assigning an Identity System Account Policy that generates passwords. (ID-10274, 12560)

Revised error messages associated with policy editing. (ID-12187)

Identity Manager now includes a default Manager attribute, which provides support for a built manager-employee relationship. This information is stored on the Identity Manager user object. For more information, see the Documentation Additions and Corrections section of these release notes. (ID-12416)

You can now configure Identity Attributes based on recent changes to resources (either edit or create operations). (ID-12678) If resources have changed since the last time the Identity Attributes were saved in the Identity Manager Administrator Interface, the Identity Attributes page displays this message: "One or more resources have been modified since the Identity Attributes were last saved. If these changes affect the Identity Attributes, they should be assimilated through the Configure Identity Attributes from Resource Changes page." Identity Manager provides a link to the Configure Identity Attributes from Resource Changes page that allows selecting which attributes from the modified resources' schema maps should be used as sources or targets for the Identity Attributes.

After saving a resource from the Resource Wizard or the Account Attributes page, Identity Manager displays a page asking whether you wish to configure Identity Attributes based on recent resource changes. Select Yes to forward to the Configure Identity Attributes from Resource Changes page. Select No to return to the resource list.

To disable this page, select Do not ask me again. This disable the page by setting the idm_showMetaViewFromResourceChangesPage property on the logged-in user to false.

MultiSelect objects now sort the available values when the noApplet=true and sorted=true properties are set. (ID-12823)

Changes to a configuration object containing a static list did not get detected by the accounts Treetable. For example, an administrator's controlled organizations were determined by a rule which fetched a static list from a configuration object. Before, the server would have to be rebooted to detect changes to the configuration object. Now the treetable changes to configuration objects after users log out of their current session and log in again. (ID-14442)

The DatePicker can now have a date range set to allow for only certain dates to be picked from the calendar.(ID-10100)

The Server Configuration and Modify Email Templates have been modified to allow the administrator to determine if SSL or authentication should be done on the SMTP server. (ID-12465)

The continueLogin.jsp page now displays message correctly. (ID-13193)

The following changes were made to the Identity Manager 7.1 Identity Manager Integrated Development Environment (IDE) to provide support for Identity Manager version 2005Q4M3 SP3: (ID-14089, 15211)

The Identity Manager debugger is now enabled by default.

If you are deploying to production, it is recommended that you set the system configuration property to serverSettings.default.debugger.enabled=false.

The Identity Manager debugger now supports setting breakpoints in rule libraries.

Direct-mode password synchronization requires SimpleRpcHandler to be configured in web.xml. The SimpleRpcHandler interferes with certain RemoteSession calls. If you are not using direct-mode password synchronization and are experiencing problems with RemoteSession calls, you can remove the SimpleRpcHandler configuration from the rpcrouter2 servlet to resolve the RemoteSession problems.

Change these entries In web.xml:

<init-param>

<param-name>handlers</param-name>

<param- value>com.waveset.rpc.SimpleRpcHandler,com.waveset.rpc.Passwor dSyncHandler</param-value>

</init-param>

to this:

<init-param>

<param-name>handlers</param-name>

<param-value>com.waveset.rpc.PasswordSyncHandler</param-value>

</init-param>

If you want to use RemoteSession and direct-mode password synchronization, configure a separate servlet for handling the RemoteSession calls.

Fixed an issue where an organization object would not be unlocked when a user with insufficient rights tried to delete it. (ID-14942)

Forms

In a form, using <set> within <Expansion> now works correctly. (ID-9617)

Verification rule messages now appear in the locale of the client, not the server. (ID-12780)

Gateway

The Gateway now runs on both Windows 2000 SP4 and Windows 2003 SP1 vmware images. (ID-12826)

HTML Display Components

The DatePicker display class has the new strict property. If set, this property causes manually entered dates to be validated. (ID-11037)

You can now disable the forced regeneration of the End User Menu by adding of the doNotRegenerateEndUserMenu property on the End User Menu form. (ID-11327)

The SortingTable component now respects the align, valign, and width properties of the children components that comprise the table when rendering to HTML. An InlineAlert component is also available to display error, warning, success, and informational messages in forms. (ID-12560)

The treetable component now supports adjustable columns. You can now set column widths in the user list and resource list tables via CSS to a fixed pixel or percentage value. You can also resize the columns using the mouse by clicking and dragging the right border of the column header. (ID-11474)

Identity Auditor

An Audit Policy can now be configured to scan only a restricted set of resources. (ID-9127)

Database Table and Microsoft Identity Information Server now uses the custom forms specified for these two resources.(ID-10302)

The title of the User Access Report displays correctly. (ID-11538)

The Access Scan task now works on dynamic organizations. (ID-12437)

The user view option CallViewValidators (UserViewConstants.OP_CALL_VIEW_VALIDATORS) can be set to the string "true "or "false" to enable or disable (respectively) audit policy checking during provisioning. (ID-12757)

The upgrade process no longer overwrites the Access Review Notice email template (ID-13216)

Identity Manager SPE

Identity Manager SPE 2005Q4M3 SP1 introduced the following new features. For detailed information about these features, see Identity Manager Service Provider Edition Administration Addendum and Identity Manager SPE Deployment.

Enhanced End User Pages

Enhanced end user pages are now available. The example pages include the following features:

Registration and enrollment

Password and user name changing

Challenge questions and notification address editing

Forgotten password and user name handling

E-mail notification

Auditing

The pages can be customized for your deployment. You can customize the following:

Branding

Configuration options (for example, the number of failed login attempts)

Adding and removing pages

Password and Account ID Policy

There are now account ID and password policies for Identity Manager SPE and resource accounts. These policies are implemented with the same policy infrastructure as Identity Manager. (ID-12556)

Active Sync and Identity Manager SPE Sync Co-existence

You can now run Active Sync and SPE Synchronization on the same Identity Manager server. Do not run both on the same resource. (ID-12178)

Separate LDAP User and Configuration Directories

User and configuration information can now be stored on separate LDAP instances. These instances are selected during initial configuration. (ID-12548)

Access Manager Integration

You can now use Sun Java System Access Manager 7 2005Q4 for authentication on Identity Manager SPE end user pages. Access Manager ensures that only authenticated users can access the end user pages.

Other Fixes

Identity Manager SPE now resumes processing transactions when the service is shutdown ungracefully (for example, the application server exits with an out-of-memory error). (ID-14579)

Identity Manager SPE transactions can now support configurable user update consistency levels. Existing transaction store databases will need to be modified to add an additional column, userId VARCHAR(N) where N is large enough to contain the maximum length expected for a Identity Manager SPE user DN, plus an additional 8 characters. This database change does not occur automatically when running the upgrade scripts. (ID-13830)

Localization

Message keys used as authentication questions now display correctly in the results page. (ID-13076)

Logging

Active Sync events are now recorded in the system log. (ID-12446)

Changing the user's authentication questions are now logged in the audit logs. (ID-13082)

Direct and indirect method subcalls can now be traced. (ID-13436) This can be useful in debugging problems known to happen at some level below a specific entry method. To enable this feature, set the trace level for a scope with the subcalls modifier, as in the following example:

trace 4,subcalls=2
com.waveset.recon.ReconTask$WorkerThread#reconcileAccount

This will trace the reconcileAccount() method at level 4 and all subcalls at level 2.

Errors that occur in Scheduler are now written to the system log, rather than preserved in the TaskSchedule object. (ID-14261)

Reconciliation

The Notify Reconcile Finish task definition completes successfully when it is specified as the Post-Reconciliation Workflow (ID-9259)

When a large number of Account objects exist (these are created as a result of reconciliations and provisions), reconciliation and provisioning performance can decrease drastically.

To address this, an index should be created on the "name" column of the "account" table in the repository. Some scripts to aid in this have been provided under the sample directory. account_index.sqlserver is for Microsoft SQL Server; account_index.sql is for all other databases. (ID-14478)

Reports

Identity Manager now creates audit events when Capabilities are created and modified. (ID-9734).

Identity Manager now provides a new Roles option named in the Select which Identity Manager attributes you would like to display for each user field. Selecting this option for new and existing reports results in the display of a comma-separated list of roles in the report. (ID-9777)

You can now specify a list of attributes to display on their own column in CSV and PDF reports. If you do not specify the list, all attributes are shown in a single column named Auditable attributes. (ID-10468)

By default, the following reports are now automatically scoped to the set of organizations controlled by the logged-in administrator, unless explicitly overridden by selecting one or more organizations against which the report should be run. (ID-12116)

Admin Role Summary

Administrator Summary

Role Summary

User Questions Summary

User Summary

To support this feature, the organization scope component has been changed from a single Select to a MultiSelect component.

Two new reports support the introduction of built-in support for manager-employee relationships: My Direct Reports Summary, My Direct Employee Summary, My Direct and Indirect Employee Summary, and My Direct Reports Individual. (ID-12416, ID-12689)

The Resource User Report now generates CSV and PDF files correctly. (ID12509, 13701)

Audit logging is now supported for the creation, modification, and deletion of admin roles. (ID-12514)

User Report now contains a search attribute to facilitate running a report based on User's manager. (ID-12689)

User Reports now show the resource accountId for all the accounts on the resource in a semicolon separated list.(ID-12820) Accounts and resources indirectly assigned, via a role or resource group, are also listed. If there is only one resource account, the accountId will be displayed only if it is not equal to the Identity Manager accountId.

Column names are now displayed correctly in PDF reports. (ID-12794)

The generation of TaskTemplate names that were too long (greater than MAX_NAME_LENGTH) has been corrected. (ID-13790)

Repository

Identity Manager now supports Oracle Database 10g Release2® as a repository. (ID-12908)

SQL Server 2005 is now supported as a repository. (ID-14755) Perform the following steps to use this version of SQL Server.

Download the JDBC driver for SQLServer 2005 (version 1.2) from the Microsoft web site.

Archive the previous version of the driver, located in the $WSHOME/WEB-INF/lib directory. Then replace the old version with the sqljdbc.jar driver in the same directory.

Review the database creation script. When creating the database, you may want to uncomment the lines:

ALTER DATABASE waveset SET READ_COMMITTED_SNAPSHOT ON

See SQLServer 2005 documentation for information on this setting.

When setting the repository with lh setup or lh setRepo command, use the following settings:

type = SQLServer

jdbc driver = com.microsoft.sqlserver.jdbc.SQLServerDriver

url = jdbc:sqlserver://MachineName:Port;DatabaseName=waveset

You will need to replace the machine name and port in the URL with valid settings.

IDM Repository now initializes more quickly. (ID-14937)

Resources

New Resources

Support for the following resources has been added since Identity Manager 2005Q4M3: See the Identity Manager Resources Reference Addendum for more information.

HP OpenVMS (ID-8556)

BridgeStream SmartRoles (ID-12262)

OS/400 v4r5, v5r2, v5r3, and v5r4 (5.2, 5.3, and 5.4).

Shell Script (ID-11906, ID-9866)

Scripted JDBC (ID-7540)

Siebel 7.8

Realm support in Sun Java System Access Manager (ID-12414)

General

Identity Manager now supports storing binary account attributes The following adapters support this feature: (ID-8851, 12665)

Active Directory

LDAP

Flat File Active Sync

Database Table

Scripted JDBC

Sun Java System Communications Services

Active Directory now supports the thumbnailPhoto (Windows 2000 Server and greater) and jpegPhoto (Windows 2003) binary attributes. The other adapters now support attributes such as jpegPhoto, audio, and userCertificate.

Identity Manager throws an exception if you attempt to send binary or complex attributes to a resource that does not support binary attributes.

Binary attributes should be kept as small as possible. If you load a binary attribute that is too large (for example, 200 KB), you might encounter an error message that states that you have exceeded the maximum allowed packet size. Contact Customer Support for guidance if you need to manage larger-sized attributes.

Agent resource adapters now provide an optional resource attribute that supports the retention of connections during block operations: RA_HANGTIMEOUT. This attribute specifies the timeout value, in seconds, before a request to the gateway times out and is considered hung. The default value for this is 0, which indicates not to check for a hung connection.
(ID- 12455)

Modifications to AttrParse objects can now take effect without restarting Identity Manager. (ID-12516)

Performance improvements have been made to AttrParse. Normal parsing no longer throws and catches an exception for every character in a parsed buffer. (ID-13384)

Identity Manager now supports connections to mainframe resources using the Attachmate Reflection for the Web Emulator Class Library. See the Documentation Additions and Corrections section of these release notes for information about setting up this feature. (ID-14815)

Active Sync

The Active Sync Wizard is now more fully internationalized. (ID-10504)

The system now supports Active Sync retries on a resource. To enable this feature, update the resource XML to include two additional resource attributes of the form:

syncRetryCountLimit is the number of times to retry the update, and syncRetryInterval is the number of milliseconds to wait between retries. These values will then appear as custom resource settings when configuring Active Sync. Specifying a displayName is advisable, using a custom catalog key if localization is desired. (ID-11255)

The maximum number of Active Sync logs configured on an Active Sync resource are now honored correctly. (ID-11848)

Domino

You can now create a Domino user without an ID file or email address, but with only an entry in the Domino directory. (ID-11201)

On Domino 6.x resources, you can now disable accounts without providing a Deny Groups list. When no Deny Groups are specified, Identity Manager uses the CheckPassword attribute for enabling and disabling on the Domino resource. A value of 2 disables the account. (ID-12088)

For the Domino adapter, concurrent updates of HTTPPassword with several users with the NSFNoteComputeWithForm() API call no longer result in a “-551” gateway error. (ID-12466)

Directory

Identity Manager now provides a more scalable mechanism for editing large list-valued resource object attributes. Example forms for using this approach to manage LDAP groups are provided in sample/forms/LDAPgroupScalable.xml. (ID-9882)

LDAP Resource Adapter now directly uses JSSE Provider. (ID-9958) The minimum supported Java version on Identity Manager is now 1.3, which allows third-party security providers to be used for SSL communication in case of the Domino, LDAP and NDS SecretStore resource adapters. You can register third-party security provider libraries using the standard java.security file.

For more information, see http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#ProviderInstalling

You can now edit LDAP groups whose names contain forward slashes. (ID-9872)

The ldapJndiConnectionFactory.alwaysUseNames configuration attribute has been added to the Waveset.properties file.

By default, this property is enabled. When enabled, all String names will be parsed into a Name using the NameParser of the context. This helps to avoid JNDI escaping issues. This option is meaningful only if the ldapJndiConnectionFactory.wrapUnpooledConnections option is set to true.

Relying on the default value (true) or explicitly setting this value to true requires a 1.4 or later JVM. Due to a problem with JNDI, in earlier JVMs, some rename operations can fail when this option is enabled.

The LDAP adapter no longer creates an illegal distinguished name (DN) for a new account. (ID-10951)

The escape method in com.sun.idm.util.ldap.DnUtil can now be used in forms to escape values to be inserted into identity templates of resource adapters with the LDAP DN format. Alternatively, an accountId policy with the “Required LDAP DN format” option checked can be used to validate LDAP distinguished names entering Identity Manager via input such as user input, ActiveSync, and reconciliation.

The default for the Objectclasses to synchronize Active Sync attribute on LDAP resources now defaults to inetorgperson. (ID-11644)

The LDAPActiveSync search filter that searches for changes in the changelog has been optimized for performance. The filter part (objectClass=changelogEntry) has been removed from the default search filter. (ID-11722)

You can restore the old behavior by adding the Remove objectClass from Search Params Filter resource attribute directly to the resource definition with a value of false, as follows:

Note: You cannot change this setting from the GUI.

Changing LDAP group membership now uses single adds and removes instead of rewriting the entire group (that is, replacing the entire uniqueMember attribute). (ID-13035)

The LDAP adapter can be configured so that a VLV Sort is performed on a value other than uid. (ID-13321) To change this value, add the following to the resource definition:

The Active Directory PasswordNeverExpires attribute can now be set during an update. (ID-13710)

The NDS Active Sync adapter no longer polls for changes based on the User object's lastModifiedTimeStamp. This attribute was getting updated when ever a user logged in/out. To remedy this issue, the last modified value is now calculated based on the lastModifiedTimestamp of a user's attributes defined in the schema map. If an attribute's lastModifiedTimestamp is greater than the highwater mark presented by the adapter, the gateway will send this user back to the server as modified.(ID-13896)

Corrected a problem that caused newly-created NDS users to be unable to access their home directories. (ID-14208)

Active Directory data retrieval timeouts will no longer cause a premature end to reconcilations.(ID-14564)

Corrected a problem that caused Active Directory Active Sync adapter to hang due to connections to the gateway not getting closed. (ID-14597)

The LDAP adapter permits the nsaccountlock activation short cut to use logic based on value presence/absence when determining if an LDAP user is disabled. (ID-14925) See the Documentation Additions and Corrections section of these release notes for more information

Oracle ERP

Added multiple attributes to the Oracle ERP adapter to support auditing features. (ID-11725) See the Documentation Additions and Corrections section of these release notes for more details.

The Oracle ERP adapter no longer fails to close Oracle data base cursors. Previously, the failure caused the following error: (ID-12222)

In forms for Oracle ERP adapters, the listResourceObjects method in the com.waveset.ui.FormUtil class can now return a user's specific responsibilities and can be filtered to return all responsibilities, or active responsibilities only. (ID-12629)

The options passed in are:

key id - (String) Identifies the resource identity whose responsibilities are returned

activeRespsOnly - (String) true or false. This value defaults to false if not sent.

The Oracle ERP adapter now provides a sysdate or SYSDATE keyword. You use this keyword with to_date to specify an expiration date for a responsibility with the local time of an Oracle E-Business Suite (EBS) server. (ID-12709)

Identity Manager’s Oracle ERP adapter now provides a new employee_number account attribute. This attribute represents an employee_number from the per_people_f table. See the Documentation Additions and Corrections section of these release notes for more information. (ID-12710).

Updating an Oracle ERP account's responsibility using the Oracle ERP adapter no longer causes other responsibilities associated with the account to be updated. (ID-13889) As a result, only the Oracle ERP audit timestamp for the responsibility modified is updated. The Oracle ERP audit timestamps for the other account responsibilities remain unchanged.

Added the person_fullname account attribute to the schema map for the Oracle ERP adapter. In the Oracle ERP user form, this attribute is used to display the Person Name field. This field is read-only and will show the user’s fullname if an Oracle ERP account is linked to the Oracle HR system using the employee number. (ID-14675)

The Oracle ERP adapter now prevents the unlinking of resource accounts if the Oracle ERP Resource is inaccessible during full reconciliation. (ID-14960) (The resource could be inaccessible for many reasons including incorrect resource connection configuration.)

The Oracle ERP adapter now supports Oracle E-Business Suite 12. Refer to Documentation Additions and Corrections in these release notes for more information. (ID-15062, 16705)

Added the npw_number account attribute to the Oracle ERP adapter in order to support contingent worker accounts. (ID-16507)

SAP and SAP HR

You can now configure the SAP HR adapter to process IDOCs of any message type. Previously, only IDOCs of type HRMD_A could be processed. (ID-12120)

ORA-01000: maximum open cursors exceeded

The SAP and SAP HR adapters now provide three new resource attributes that provide the parameters for a retry of an SAP operation when a network failure occurs.(ID-12579) These attributes are:

SAP BAPI Retry Count - The number of times to retry the operation

SAP Connection Retry Count - The number of times to attempt to re-connect to the SAP server

SAP Connection Retry Wait Time - The number of milliseconds to wait before attempting to re-connect to the SAP server.

Passwords can now be set as not expired when using CUA mode on an SAP resource. (ID-13355)

The SAP adapter will no longer throw a JCO_ERROR_FUNCTION_NOT_FOUND exception when the SAP system does not contain the PASSWORD_FORMAL_CHECK function module. (ID-14663)

The SAP adapter now properly reports the status of Disabled accounts. (ID-14834)

Activity groups (roles) and profiles in a CUA environment can now be updated with a start and end date. (ID-15613)

For roles, map the activityGroups attribute in the adapter to:

CUA->directLocalActivityGroupObjects

For Profiles, map profiles to:

CUA->directLocalProfileObjects

The SAP adapter now supports updating the ALIAS field in SAP. The attribute mapping in the schema configuration is ALIAS->USERALIAS. (ID-16320)

UNIX

UNIX-based adapters now contain a Home Base Directory resource attribute. When present, this attribute overrides the setting of the home directory on the native resource for the account being created. The setting is the value set on this attribute appended with the accountID. If you set the user's home directory in the account attributes, then that setting will take precedence over the Home Base Directory. (ID-8587)

You can now set timeout defaults via Resource Type Policy. In addition, you can also use the maxWaitMilliseconds property to control the polling frequency that Identity Manager’s scripted adapter uses when waiting for the resource to complete a task. (ID-11906)

Solaris and Linux adapters now return a year on the last login information. (ID-12182)

When viewing account information from a Solaris resource configured with NIS, group membership information is displayed with the group name, instead of the numeric group ID. (ID-12667)

Two resource attributes, Default Primary Group and Login Shell, have been added to the Solaris, AIX, HP-UX, Red Had Linux, and SuSE Linux resource adapters. (ID-15034)

Other Adapters

The RACF Resource Adapter now allows you to control dataset rules directly, rather than have Identity Manager administer them. This enables you to create dataset rules different from those native to Identity Manager. (ID-10446)

The following example 'after create' rule creates a dataset rule of <user id>.test1.**, rather than the Identity Manager default of <user id>.**.

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE ResourceAction PUBLIC 'waveset.dtd' 'waveset.dtd'>

<act>

var TSO_PROMPT = " READY";

var TSO_MORE = " ***";

var cmd1 = "addsd '"+identity+".test1.**' owner('"+identity+"')[enter]";

var result1 = hostAccess.doCmd(cmd1, TSO_PROMPT, TSO_MORE);

</act>

</ResTypeAction>

</ResourceAction>

The RACF adapter now includes search filter support for listAllObjects. (ID-10895)

You can now create and update objects in Siebel that require parent/child business component navigation. See Documentation Additions and Corrections in these release notes for more information. (ID-11427)

The isPickListAttribute method within the Siebel adapter is no longer misidentified as isMVGAttribute in the tracing system. (ID-11471)

For SecurId resources, the clients attribute is now treated as an optional attribute. (ID-11509)

The Flat File Active Sync adapter now provides a warning message in the Active Sync log (if enabled) whenever an error occurs preventing a diff action for synchronization. (ID-12484)

If you are configuring Identity Manager to provision to a RSA Clear Trust 5.5.2 resource, additional libraries are not required for SSL communication as with previous Clear Trust versions. (ID-12499)

The Database Table wizard no longer permits you to configure tables you cannot access. (ID-12643)

The Siteminder LDAP Adapter now performs the following operations correctly, even when the Siteminder user is locked due to failed login attempts:
(ID-12824)

enable

disable

expire password (with enable/disable)

unexpire password (with enable/disable)

The RACF adapter no longer searches a large string once for every user retrieved in listAllObjects, which usually results in better performance in this function for a large number of users. (ID-12829)

Temporary tablespaces do not honor quota settings and if attempted from Oracle 10gR2, a SQL exception occurs. (ID-12843)

Until now, the resource adapter would set a quota on a temporary tablespace — even if the oracleTempTSQuota account attribute was not mapped. This behavior has changed. If you map the oracleTempTSQuota attribute, the old behavior is maintained (no change), but if you remove the mapping, no quota will be set on the temporary tablespace.

On Oracle 10gR2 resources, remove the oracleTempTSQuota attribute from the resource adapter.

Identity Manager now clears Admin privileges, if any, before attempting to delete a Secure ID user. (ID-13053)

Corrected a problem encountered when performing a reconciliation on VMS. (ID-13425)

The SecurID for UNIX adapter now performs UTF-8 character encoding and decoding when interoperating with RSA. (ID-13451)

The Shell Script adapter can now detect errors generated from a ResourceAction during user create and update functions.(ID-13465)

When creating account on a Windows NT resource through the Windows NT resource adapter, the following error message is no longer displayed in the Create user result page: “Error requiring password: put_PasswordRequired(): 0X80004005:E_FAIL”. (ID-13618)

A new resource configuration parameter, enableEmptyString, has been added to the Database Table adapter to allow writing an empty string, instead of a NULL value, in character-based columns defined as not-null in the table schema. This option does not influence the way strings are written for Oracle-based tables. (ID-13737)

The Shell Script adapter now supports the rename, disable and enable functions. (ID-14472)

The Scripted JDBC adapter now correctly updates an attribute in which the original value was null but is being set to a non-null value. (ID-14655)

Roles

Roles and resource groups now provide the ability, both singly and in combination, to assign users multiple accounts on a resource. See the Documentation Additions and Corrections section of these release notes for more information. (ID-6684)

When you import roles containing links to back to existing super roles, Identity Manager now updates the existing roles with links back to the newly imported roles. (ID-15482)

Identity Manager detects and creates links from existing super roles back to the subroles that reference them. During upgrade, Identity Manager invokes the RoleUpdater class used to repair the roles.

You can update roles outside the upgrade process by importing a new RoleUpdater.xml file found in sample/forms/RoleUpdater.xml. By default, Identity Manager adds the subrole links during upgrade or when you import RoleUpdater.xml.

To disable this new functionality, set the RoleUpdater attribute nofixsubrolelinks to true. For example,

See ID-15053 described in “Known Issues” for related information about automatically updating roles during import.

Security

Users with approver capabilities can now delegate their future approval requests to one or more users, who themselves are not Identity Manager approvers, for a specified period of time. Users can delegate from three interfaces: (ID-8485)

End User Main Menu - "Delegate Approvals" link

Admin Approvals Tab - "Delegate My Approvals" Subtab

Admin Create/Edit/View User - Security section

Password generation now works correctly, and fails as expected when passwords are not correctly generated. (ID-12275)

Identity Manager now provides the end user EndUserLibrary authorization type (authType). The EndUser capability (AdminGroup) now has List and View access to Libraries whose authType is EndUserLibrary. (ID-12469)

To give end users access to the contents of a Library, set authType='EndUserLibrary' and ensure the Library's MemberObjectGroup is All.

An Identity Manager user can have concurrent login sessions. However, you can limit concurrent sessions to one per login application by changing the value of the security.authn.singleLoginSessionPerApp configuration attribute in the System Configuration object. This attribute is an object that contains one attribute for each login application name (for example, the Administrator Interface, User Interface, or BPE). Changing the value of this attribute to true enforces a single login session for each user. (ID-12778)

If enforced, then a user can log in to more than one session. However, only the last logged-in session remains active and valid. If the user performs an action on an invalid session, then he is automatically forced off the session and the session terminates.

End user password changes initiated by administrators, via SPML or otherwise, will not get added to password history. There are now two ways to configure the application to save a password into the users history. Only one way is necessary. (ID-13029)

View option (takes precedence if present or true) Set the 'savePasswordHistory' attribute on the target form. For example:

Use the following System Configuration Settings and toggle the behavior for the desired interface. This will need be added to the System Configuration Object if not already present.

<Attribute name='security'>
  <Object>
    <Attribute name='admin'>
      <Object>
        <Attribute name='changePassword'>
          <Object>
            <Attribute name='Administrator Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>true</Boolean>
                </Attribute>
              </Object>
            </Attribute>
            <Attribute name='Command Line Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>true</Boolean>
                </Attribute>
              </Object>
            </Attribute>
            <Attribute name='IVR Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>false</Boolean>
                </Attribute>
              </Object>
            </Attribute>
            <Attribute name='SOAP Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>true</Boolean>
                </Attribute>
              </Object>
            </Attribute>
            <Attribute name='User Interface'>
              <Object>
                <Attribute name='savePasswordHistory'>
                  <Boolean>false</Boolean>
                </Attribute>
              </Object>
            </Attribute>
          </Object>
        </Attribute>
      </Object>
    </Attribute>
....

Server

TaskInstance subobjects, like approvals, are now deleted properly when terminating the task. (ID-3258)

Identity Manager now requires access to the tmp directory. (ID-7804) In order to accommodate this, if your application server uses a security policy, you need to add the following permission:

permission java.io.FilePermission "$(java.io.tmpdir)$(/)*", "read,write,delete";

The Find User page now handles deeply nested hierarchies of many organizations. (ID-10352)

In a clustered environment, a failed login on the end-user pages no longer generates a serialization-related exception. (ID-10556)

A server no longer triggers failover mechanism on itself and terminates its own tasks if the server takes too long to process task information. (ID-10920)

User Extended Attributes are now deleted from user objects correctly. (ID-11721)

The ResourceConnectionManager is now notified of pending shutdowns. Consequently, the server no longer has to wait for SSH connections to timeout before it can exit. (ID-12214)

Corrected the condition that caused a "no cache error" on the All Tasks page for users in sub-organizations that do not have admin access to parent organizations. (ID-12288)

Delimiter processing is now suppressed between brackets. Consequently, all characters found within bracket sets will now be treated as either an index or as a filter. Note: there currently isn't a mechanism to escape the closing bracket "]". (ID-12384)

Task instance terminate actions are now audited as Terminate actions instead of Modify. (ID-12791)

User actions can be performed on users after deleting a resource directly assigned to them. (ID-14806)

SOAP

SPML support has been extended to cover roles and resource groups in addition to persons. (ID-8850)

The new SPMLAccess capability allows account administrators access to the SPML interface. (ID-10854)

The SPML server now returns errors for requests containing filters that use operators that are not yet implemented. (ID-11343)

The Identity Manager SPML interface provides a login ExtendedRequest that allows callers to log in as an administrator. As of this release, the SPML interface also provides a loginUser ExtendedRequest that allows the caller to get a session for user self-provisioning. This loginUser ExtendedRequest supports logging in with a password or with answers to security questions.
(ID-12103)

Views

The User view now provides the following control attribute: (ID-4383)

accounts[resname].waveset.forceUpdate

where resname represents the name of the resource. The value of this attribute is a list of resource account attributes that will always be sent to the resource for update when a user is modified.

The Resource Account views (DeprovisionViewer, DisableViewer, EnableViewer, PasswordViewer, RenameUserViewer, ReprovisionViewer, and UnlockViewer) now support two new options to fetch resource account attributes for the user: (ID-10176)

fetchAccounts - a Boolean that causes the view to include account attributes for the resources assigned to the user

fetchAccountResources - a List of resource names to fetch from. If this is not specified, Identity Manager uses all assigned resources.

Workflow

Invalid checkReference warning are no longer returned when running workflows. (ID-10802)

If notification.redirect is used to redirect messages to a file, that file is now written using the emailNotifier.contentCharset, just as the message would, if it were emailed. This allows the file to contain non ISO-8859-1 characters. (ID-10331, 14984)

More information is added to a workflow message when an approver is attempting to approve or reject a workitem that has already been approved or rejected. (ID-11045)

Identity Manager now provides the auditPolicyScan workflow service. You can use this workflow service call to scan a user for Audit Policy Violations based on the policies assigned to the user. If no policy is assigned to the user, a policy assigned to the organization, if exists, is used. See the Documentation Additions and Corrections section of these release notes for more information. (ID-12589)

Assigned the RoleAdminTask authType to the Manage Role TaskDefinition and assigned the ResourceAdminTask authType to the Manage Resource TaskDefinition. (ID-12768)

Defects Fixed in Previous Releases

Installation and Update

The upgrade process no longer overwrites the Access Review email template. (ID-13216)

Administrator Interface

When you configure a new User Action for the User Applet menu, text keys are now displayed correctly. (ID-8400)

Identity Manager now correctly handles help displays that triggered errors when they contained special characters. (ID-8747)

When a login application's singleLoginSessionPerApp attribute is set to true, Identity Manager behaves as follows: a user can log in to the same application more than once. However, the last session the user logged in as will be the only active, valid session. If the user tries to perform a task during another logged-in session as the same Identity Manager user, he is automatically forced off, and the session is terminated. (ID-9543)

When a user is directly assigned to an organization, and a UserMemberRule also assigns this user to the same organization, the user will no longer be duplicated in the list. (ID-10410)

The session timeout login page can now be localized and will be displayed in the language specified by the user locale. (ID-10571)

The sample LDAP Password Sync form (sample/forms/LDAPPasswordActiveSyncForm.xml) now sets the waveset.password field instead of password.password and password.confirmpassword. (ID-11660)

The Identity Manager Administrator Interface no longer generates errors when search results include a user name that contains a single quote, and that name is used in a link for a subsequent command. (ID-11123)

MultiSelect components now correctly display single strings. (ID-11979)

Identity Manager now displays the correct error message when you attempt to edit a resource object type that does not support update. (ID-12242)

When using the tree table to list resources, nodes with names containing underscore characters now expand properly. (ID-12478)

Online help now displays the correct help pages when non-Wizard options are selected from the ActiveSync configuration submenu. (ID-12597)

You can now successfully delete users when using the French language locale. (ID-12642)

The treetable, Account page, and Find Results page now display an unresolved Manager attribute as the Identity Manager manager's name wrapped in parentheses. Each time the user is updated, Identity Manager tries to resolve the unresolved Manager attribute. If it resolves the attribute, Identity Manager strips off the parentheses, and performs constraint checking on the new value. (ID-12726)

The inbox link for anonymous user login now points to the new end user work item list table. (ID-12816)

You can now position TabPanel component buttons. (ID-12797)

Identity Manager now converts the email templates that have the default mail.example.com to the new server config variable functionality. (ID-12720)

Password fields are now conditionally displayed when the Identity Manager User Interface does not include the LH login module, and the user is assigned an AdminRole. (ID-12692)

Identity Manager now displays resource group lists that are accessed from the Resources tab in the order in which the list was saved. (Previously, resources were sorted.) (ID-14117)

You can now find Roles with lots of Organizations from the Find Roles page without an ObjectGroup error being displayed. (ID-15303)

When unassigning resource accounts from a user via the edit user functionality, the SITUATION of the accounts in the account index are now properly updated in all cases. (ID-15310)

The Roles tab > Find Roles > Approvers menu can now show users with the "Role Approver" capability. (ID-15373)

Corrected a problem where Internet Explorer fails when a URL has over 2000 characters in it. (ID-15801)

Internet Explorer 6 or 7 with security update 912812 users are no longer required to double click a multi-select box to highlight the box or double click an item to move it. (ID-15824)

When you specify true for IAPI.cancel (which cancels any pending updates detected for the user being processed) on the ActiveSync Input form, the user's view no longer remains locked after being processed. (ID-15912)

Performing a user search in which you select the "Users organization" option as well as other search options now returns valid results. (ID-16076)

On the Find Role page, the list of approvers is now sorted. (ID-16392)

The DatePicker component works correctly in all time zones. (ID-16618)

Business Process Editor

You can display and edit negative values (in seconds) for manual action timeouts. (ID-9715)

Selecting Store attribute in Identity Manager repository when editing a MetaView attribute now works as planned. (ID-12396)

Forms

Identity Manager provides new sample LDAP Create and Update Group forms to allow non-unique member names. (ID-8831)

MultiSelect components now correctly handle items with identical labels (display names). (ID-10964)

The Text component default maxlength is now unlimited (changed from 256 characters) (ID-11995).

NTForm and NDSUserForm Groups fields now correctly implement the ListObjects rule. (ID-12301)

Host adapter resource wizards now manage affinityAdmin fields better, preventing duplicates and null entries. (ID-12024)

LDAP Update Group form no longer ignores edits when net membership remains the same. (ID-12162)

The listResourceObjects method of com.waveset.ui.FormUtil now properly executes defined filters. Please refer to the JavaDocs for additional information concerning this method. (ID-14422)

Identity Auditor

Policy checking during user creation no longer results in the creation of extra task instances. (ID-10489)

Identity Manager SPE

When creating a resource account, if that resource is down, Identity Manager SPE remembers the resource attribute values. The next time that user is edited in Identity Manager SPE, the account will be created on the resource if it is available. (ID-11168)

You can now disable Tracked Events in SPE by unselecting "Enable tracked event collection" on the Service Provider > Edit Main Configuration page. You can also selectively disable from the same page Collecting Tracked Event data for each Time Scale. Like with all settings on this page, the modified configuration objects must be exported to the SPE master directory before they take effect. (ID-12033)

The SPE IDMXContext deleteObjects method now correctly deletes objects from the directory store. (ID-11251)

Service Provider Edition auditing subsystem no longer throws a null pointer exception at container shutdown. (ID-12845)

IDMXUserViewer used to throw a null pointer exception if the form associated with the view-specified properties other than include or targets and the option map passed to the view handler methods (create/checkin/checkout/refresh) was null. (ID-12861)

LDAP deleted attributes are now propagated after a downed resource is once again available. (ID-15471)

Launching a custom task during login no longer slows down login excessively. (ID-12377)

Identity Manager now correctly logs failed administrator log-in attempts for users that do not possess capabilities, organizations, or capabilities/organizations. (ID-12497)

Password Synchronization

The password synchronization configuration application (Configure.exe) no longer truncates the JMS properties at an equal sign (=) when reading from the repository. (ID-12658)

The passwordsync.dll now returns the correct error messages for connection failures. This change will also fix possible handle leaks during connection failures. (ID-15451)

Passwords intercepted with characters outside of the 7-bit ASCII range are now correctly encoded as UTF-8 before encryption. (ID-15829)

Reconciliation

Reconciliations no longer stop when resources have duplicate users. (ID-14949)

Some ambiguous account matches during reconcile are now considered a preferred match to avoid unnecessary reconciliation errors. (ID-14965)

Reconciliations no longer stop when user normalizations remove all resource information from a user. (ID-15028)

Reports

Windows 2000 Active Directory Inactive Account Scan (a task that resides under the Risk Analysis top menu bar) now completes successfully. (ID-11148)

You can now use the Resource User Report with more than one user. (ID-11420)

When a delegated administrator runs a User Report, users that are members of an organization due to a UserMembersRule are now included. (ID-11871)

When a resource name is selected for the y-axis of a usage report, the value is now used in the query. (ID-12035)

By default, the following reports will be automatically scoped to the set of organizations controlled by the logged in administrator, unless explicitly overridden by selecting one or more organizations against which the report should be run. To support this, the organization scope component has been changed from a single Select component to a MultiSelect. (ID-12116)

Identity Manager now correctly audits modifications of LDAP group membership. (It now includes both old and new values.) (ID-12163)

A CSV report encoded with the UTF-8 character set and multibyte text can now be customized so it can be displayed in applications that do not support UTF-8 encoding, such as Microsoft Excel. (ID-13574, 15407)

Emailed PDF reports now honor the font and font embedding settings specified at any level. (ID-15328)

HTML <b></b> tags are now removed from the following PDF reports: (ID-15408)

All Admin Roles

All Administrators

All Roles

Forms for usage reports are now required to specify an X-axis attribute value. (ID-15777)

Repository

The Identity Manager Repository now performs Oracle-proprietary handling for BLOB columns. The sample scripts for Oracle now define the xml column as data type BLOB (rather than LONG VARCHAR). For new installations, all tables will be created with BLOB xml columns. During an upgrade, only new tables will have a BLOB xml column, but the remaining tables can be converted to BLOBs by making the changes noted in the upgrade script (For large deployments, this upgrade process can take several hours). You should upgrade to the latest Oracle JDBC driver to get the best performance with BLOBs. (ID-11999)

The Identity Manager repository has been changed to avoid a deadlock that is specific to Microsoft SQL Server 2000. The repository now uses the ID (rather than the name) of the LAST_MOD_ITEM when it selects the last modified value for a Type. (ID-12297)

Slow Oracle database systems can no longer cause suspended tasks to execute on more than one Scheduler simultaneously. (ID-15372)

Removing a role from one user in a similar group of users no longer affects the repository entries of the other users, and no longer prevents you from finding those users when searching by role. (ID-15584)

Resources

Gateway

The gateway no longer crashes when using Identity Manager APIs directly without going through the Identity Manager interface. (ID-12481)

General

You can safely use single quotes in passwords. (ID-10043)

Host adapter resource wizards now manage affinityAdmin fields better, which prevents duplicates and null entries. (ID-12024)

Active Sync processes that are running on a Websphere cluster using "Automatic with Failover" startup no longer hang. (ID-12540)

For some resource adapters, exclusion rules are now applied before users are fetched during reconciling, which allows specific users to be excluded, prevents errors generated by the resource, and can improve performance for a large number of users. (ID-14436)

Identity Manager now honors the Supported Features deny, ignore combination setting for a resource. If you select ignore, the action will not be performed, but in some circumstances it could be shown as a message in the GUI. (ID-14948)

If common resources are configured in System Configuration for use by login, and a common resource login fails, logins no longer fail when there is another resource in the login module stack that is not a common resource and it requires different authentication properties than any of the previous login module resources. (ID-15047)

Active Sync no longer continues running when Create Unmatched Accounts is set to true and the Allowed Error Count is exceeded. (ID-15662)

Directories

The Active Directory resource adapter now throws an exception if an invalid encryption type is specified. Valid values are nothing (empty), "none", "kerberos" and "ssl". (ID-9011)

Identity Manager now pools LDAP connections. (ID-10219)

Managing Out of Office attributes of a mail-enabled Active Directory (Exchange) user will no longer fail if msExchHideFromAddressLists is set to true. In addition, the sample Active Directory user form has been updated to prevent Identity Manager from displaying Out of Office attributes when msExchHideFromAddressLists is enabled. (ID-12231)

LDAP Changelog Active Sync processing now handles MODIFY changetype that have no values. (ID-12298)

The ADSIResourceAdapter now closes connections when querying for resource objects. (ID-15098)

Identity Manager no longer reads write-only account attributes from an LDAP directory or Active Directory. (ID-15838)

Mainframe

In the RACF adapter, a change to DFLTGRP now results in adding (if necessary) DFLTGRP to the GROUPS to ensure that the DFLTGRP can be set as the new default group. (ID-9987)

Mainframe resource adapter connections are correctly pooled and no longer cause mainframe operations to hang. (ID-12388)

The terminal emulation now used to create a NaturalResourceAdapter account permits an 8-character user name that does not use a tab to select the Copy Links attribute. (ID-12503)

The default RACF List User AttrParse mechanism has been extended to handle large numbers of “CLASS AUTHORIZATIONS” and template users with group entries such as “GROUP SYS1 USER CONNECTION NOT INDICATED”. (ID-15021)

If a Resource Affinity account on RACF has insufficient privileges to list a user, Identity Manager will provides an appropriate error message. (ID-15331)

When deleting RACF accounts, the system will now query, via a search mask, the data set profiles the user has, enumerate over these profiles, and delete the individual data sets (as opposed to trying to remove them all via a DELDSD .**). (ID-15413)

Clearing a RACF attribute in a form did not cause Identity Manager to clear the attribute on the user when the form was submitted, it was a noop. Identity Manager now clears the attribute. (ID-15971)

The Top Secret resource adapter now correctly handles ASUSPEND, PSUSPEND, VSUSPEND, and XSUSPEND when enabling and disabling users.(ID-16295)

Corrected a problem within the Top Secret adapter that caused incomplete user attributes to be loaded. (ID-16334)

Oracle and Oracle ERP

During a session with the OracleResource adapter, all Oracle cursors are closed, even when exceptions occur. (ID-10357)

For the Oracle and Oracle ERP resource adapters connecting to Oracle RAC environments using a thin driver, use the following format: (ID-10875)

jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=host01)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=host02)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=host03)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=PROD)))

The Oracle ERP can optionally limit accounts returned by the account iterator and listObjects interfaces by setting the resource attribute activeAccountsOnly to TRUE. The default is FALSE. When set to FALSE, all accounts on the resource are returned. When TRUE, only accounts with START_DATE and END_DATE spanning SYSDATE (now) are returned. (ID-12303)

Oracle ERP adapters have been updated to close PreparedStatements more consistently, reducing the number of open cursors. (ID-12564)

SAP

The SAP adapter now handles cases where duplicate Activity Groups are returned from listAllObjects(). (ID-7776)

The SAP adapter provides the capability to return the temporary, generated password in the WavesetResult object if the adapter was unable to set a password as unexpired. This occurs only under the following conditions:

an administrator password change is requested and expirePassword = false

the desired password fails SAP password policy

Failure most likely occurs when the desired password is already in the SAP password history.

The Return SAP Temporary Passwords on Failure resource attribute was created to enable this capability, but the attribute does not work at this time. (ID-12185)

The SAP adapter now more robustly checks a user's password against his current password when the request is an Administrator password change and the expirePassword flag is false. This prevents an error condition when the desired password and the user's current password are the same. (ID-12447)

Writing SAP activity groups and profiles in a Central User Administration (CUA) environment no longer splits a new table row into two rows when the information is separated by a colon. (ID-14371)

UNIX

The UNIX adapters provide basic sudo initialization and reset functionality. However, if a resource action is defined and contains a command in the script that requires sudo authorization, then you must specify the sudo command along with the UNIX command. (For example, you must specify sudo useradd instead of just useradd.) Commands requiring sudo must be registered on the native resource. Use visudo to register these commands. (ID-10206)

The Red Hat Linux and SuSE Linux adapters now populate the primary group, secondary group, and last login fields during bulk list processes such as Load from Resource and Export to File. (ID-11627)

If the schema map indicates that the last login field is to be tracked, then the bulk list process can slow down considerably, because the adapter must individually request the last login information for each user.

You can now map the time_last_login resource attribute on Solaris, HP-UX, and Linux adapters to an attribute name other than the default (Last login time). (ID-11692)

If you perform a Create Resource Object for a Solaris NIS server resource, select multiple accounts in Users, and then click Save, all of the accounts are now added to the group file in the NIS password source directory in the managed NIS server. Previously, this operation worked only if one account was selected. (ID-15085)

For Solaris NIS, Identity Manager no longer adds the netid target, which was not required and caused error messages in the traces. (ID-15503)

For Solaris NIS, Identity Manager no longer prevents use of the sudo command if the directory containing Solaris NIS passwd, shadow, and group template files are read-protected from the admin user. (ID-15505)

For Solaris NIS, an account is no longer partially created if the default primary group is either missing entirely or is a name not found in the group file. (ID-15509)

Corrected a problem that caused Solaris NIS user or group ID generation to fail when beginning with an environment with no users or groups, and template passwd and group files are in a directory other than /etc. (ID-15510)

For Solaris NIS, if two accounts are created in a row and a shell is specified for the first account but not the second (either it is not defined in the defadduser file or there is no defadduser file), the second account no longer is created with the first account's shell. (ID-15511)

On Solaris NIS, the /usr/sadm/defadduser file is used as an optional source for default values for newly created accounts. In previous versions of Identity Manager, the system used an incorrect element of this file to set the default primary group for a new Identity Manager user. It is now properly the defgname element that sets the default primary group. This default primary group value is overridden by the Default Primary Group resource attribute, which is in turn overridden by the similarly-named account attribute. (ID-15512)

Identity Manager no longer stores the Solaris NIS and HP-UX NIS encrypted passwords in both the passwd and shadow NIS template files when an account is updated. Now, the placeholder value “x” is stored in the passwd file. (ID-15593)

Corrected a a problem that allowed you to create a group on a Solaris NIS resource with a name or ID of an existing group. (ID-15755)

When deleting a user from a Solaris resource, Identity Manager no longer gives a false positive result if the user is currently logged on to the resource and the deletion fails. (ID-15761)

Other

The SecurID UNIX adapter correctly processes Identity System User Account attributes when the default names are changed. (ID-10521)

If you have a PeopleSoft Component Active Sync resource that is using the LH_AUDIT_RANGE_COMP_INTF component interface, you must make changes to the resource if you wish to continue using the LH_AUDIT_RANGE_COMP_INTF component interface. (ID-11226)

Confirm that your resource has an auditLegacyGetUpdateRows resource attribute set to true.

<ResourceAttribute name='auditLegacyGetUpdateRows'

value='true'

displayName='Use Legacy Get Update Rows'

type='boolean'

multi='false'

facets='activesync' >

</ResourceAttribute>

You can now delete Sun Access Manager Organization objects from the Identity Manager resources applet. (Identity Manager subsequently deletes all child objects without confirmation.) (ID-11516)

When managing SecurId users, Identity Manager now supports three tokens per user. (ID-11723)

For the Database Table adapter, database connections are now closed as soon as possible during iteration and polling, which prevents unused connections from being held unnecessarily. (ID-11986)

The JMS Listener adapter no longer fails on Websphere 6.0. A change from asynchronous to synchronous message processing now permits JMS Listener to work on J2EE servers that prohibit asynchronous JMS message processing within a web application. The polling frequency should now be defined for JMS Listener resources. (ID-12654)

The SecurID adapters enforce the RSA requirement that the default login attribute be comprised of single-byte English characters only.(!D-13805)

Passwords with characters outside of the 7-bit ASCII range are now set correctly by the gateway (create and update) when Identity Manager is deployed with Tivoli Access Manager and Active Directory. (ID-15006)

The Shell Script adapter now “traps” and reports output from Delete scripts that overtly return with an error. (ID-15340)

The database table adapter allows you to specify the Rethrow all SQLExceptions resource parameter. If this is not checked, SQL statements that throw SQLExceptions with a 0 ErrorCode will have the exception caught and suppressed. (ID-15390)

Fixed an issue that caused deadlocks to occur when using Active Sync and the PeopleSoft resource. (ID-16109)

Reconciliation

Setting a ControlledOrganizationRule on the User AdminRole no longer prevents the Reconciler daemon from starting. (ID-12695)

Repository

Error messages of the form, com.waveset.util.InternalError: Summary String length (2185) exceeds maximum (2048) no longer occur when saving users or other objects. (ID-12492)

Roles

Role names that contain apostrophes are no longer truncated during Role edit. (ID-8806)

Identity Manager now correctly handles the addition and subtraction of assigned groups through role attributes. (ID-10832)

Roles that were created in Identity Manager 5.0 and were sub-roles of other roles now include links to their super roles. (ID-11477)

If a resource is renamed, Role Attributes will now correctly continue to reference the appropriate resource. (ID-11689)

Bulk actions are able to remove the role from waveset.roles when it contains only one role. (ID-14568)

The system now properly updates sub/super roles during a SaveAs. (ID-16010)

Security

You can suppress the detailed debugging information that is hidden in HTML comments by setting the ui.web.disableStackTraceComments property in the Waveset.properties file to true. If you are upgrading from a previous version of Identity Manager, you will need to add this property to config/Waveset.properties. The property is ignored (equivalent to setting the property to false) if it is not present in the properties file.(ID-10499)

Anonymous users can now access various object types, such as rules, without setting the deprecated endUserAccess attribute in the System Configuration object. (ID-11248)

To configure this release to provision to a Clear Trust 5.5.2 resource, you must install the ct_admin_api.jar from the Clear Trust 5.5.2 installation CD. You do not need additional libraries for SSL communication. (ID-12449)

During AdminRole creation, Identity Manager now correctly handles the inclusion and exclusion of all object types. (ID-12491)

Administrators with the following capabilities now have access to the List Resources page: (ID-12647)

Resource Password Administrator

Change Resource Password Administrator

Reset Resource Password Administrator

Change Active Sync Resource Administrator

Control Active Sync Resource Administrator

Reconcile Administrator

Reconcile Request Administrator

You can now add passwords to a user's password history when creating a user. (ID-15179)

An approver who does not control the Top organization can now view previously approved/rejected approvals.(ID-15271)

If a user who owns any pending work items is deleted, Identity Manager now ensures that the work items are not lost, as follows: (ID-15868)

If a pending work item was delegated and the delegator has not been deleted, the pending work item is returned to the delegator, and the delegator will then be the new work item owner.

If a pending work item was delegated and the delegator has also been deleted or if a pending work item was not delegated, the delete attempt fails until the user's pending work item has been either resolved or forwarded to another user.

Server

The application server no longer crashes when using Oracle OCI drivers with SSL (ID-7109)

You no longer receive a null pointer exception when attempting to log in to the End User Menu if the Identity Manager user has a role on a resource in which the user does not exist. (ID-12379)

The session is now correctly set during expansions and derivations while processing resource account creations during a bulk action. (ID-16181)

Under certain conditions, it was possible for a scheduled task to be processed by multiple servers for a given scheduled start time. This is now prevented. (ID-16318)

SOAP

You can now monitor SPML 1.0 calls through the debug/callTimer.jsp facility. The outermost call, the doRequest() method of com.waveset.rpc.SpmlHandler, is most useful for determining SOAP/SPML performance. The individual SPML methods (for example, addRequest) are also timed for monitoring convenience. (ID-8463)

Workflow

Under certain conditions, an expired work item could be edited without an error. Now an error indicating the work item was invalid will be returned. (ID-15439)

The workflow variable WF_ACTION_ERROR is now set correctly when an error in the Remedy resource adapter occurs. (ID-16360)

A customized emailTemplate can now be used for forwarded approvals. The emailTemplate to be used must be specified in the Approval subprocesses, by ID. (ID-16468)

Additional Defects Fixed

6496, 8586, 8739, 8958, 8960, 9936, 10235, 10475, 10483, 10832, 11232, 11642, 11767, 11979,12135, 12203, 12234, 12274, 12368, 12377, 12464,12483, 12510, 12585, 12611, 12614, 12673, 12967, 13054, 13338, 13434, 13965, 14044, 14178, 14334, 14792, 14874, 14893, 14899, 15036, 15073, 15219, 15474, 16107, 16282, 16389, 16395, 16610, 17346

Previous Contents Next
Sun Java System Identity Installation Pack 2005Q4M3 SP4 Release Notes