This version of the Identity Governance and Administration solution includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Governance and Administration forum on the Micro Focus Communities website, our online community that also includes product information, blogs, and links to helpful resources.
For more information about this release, see the Identity Governance as a Service Documentation website.
This release provides functional, infrastructure, and performance-related fixes and enhancements. It includes:
Ability to enable or disable new user creation when merging identities from multiple sources. Additionally, you can now view merge histories. For more information, see the Identity Governance as a Service User and Administration Guide.
Separation of Duties (SoD) policies that include SoD approval policies that specify approval and denial criteria, including the ability to prevent users from submitting requests for specified combinations of permissions labeled as forbidden or “toxic”. For more information, see Designating an SoD Violation as Toxic in the Identity Governance as a Service User and Administration Guide.
NOTE: This new capability changes Potential SoD Violations in Access Request, so the GET and PUT REST APIs for psodvpolicy are no longer part of the product.
Integration with Workflow service (Workflow Administration Console) that enables you to create and monitor complex custom approval and fulfillment workflows for your Identity Governance and Administration (IGA) system. Specifically, authorized users can perform one or more of the following tasks:
Approve, deny, and fulfill change requests in Identity Governance using custom workflows
Select out-of-the box templates for custom approval workflows
Configure a new fulfillment target template to fulfill change requests using custom workflows
View workflow dashboard from the Identity Governance Overview page
Edit out-of-the box approval and fulfillment workflows and associated forms and create new forms and workflows using Workflow Builder and Form Builder embedded in the Workflow service
Monitor the running workflows and notify approvers of pending workflows
For more information about enhanced Identity Governance approval and fulfillment capabilities, see Identity Governance as a Service User and Administration Guide. For more information about the Workflow service, see the Workflow Administration Guide.
Ability to select the Technical Role owner as the reviewer for a user access review that has a technical role as the review item criteria
Ability to collect data and fulfill change requests using Azure AD Microsoft Graph APIs. For more information, see Identity Governance as a Service User and Administration Guide.
New reports such as:
Custom Form Changes - CSV
Fulfillment Target Changes
Reviews with Deleted Stakeholders
Additionally, the Account Ownership Report has been renamed as Account Ownership Statistics Reports, and Catalog Extended Attributes Report has been renamed as Extended Attribute Definitions.
Miscellaneous infrastructure updates to improve deployment time and process, and updates to existing reports to provide additional governance capabilities.
This release has the following minimum requirements.
To log in to Identity Governance on their local devices, users must have one of the following browser versions, at a minimum:
Apple Safari 12.1.12 - 15
Google Chrome 80 - 94
Microsoft Edge Browser 44 - 93
Mozilla Firefox 74 - 92
iPad (iOS 12 and later)
Apple Safari 13 - 15
Google Chrome 78 - 94
Mozilla Firefox 20 - 37
IMPORTANT: The browser must have cookies enabled. If cookies are disabled, the product does not work.
You must have administrator privileges to install the Cloud Bridge Agent.
Memory: 16 GB
Disk Space: 200 GB
Operating System Requirements
SUSE Linux Enterprise Server 15.1 or later patched version of 15.x
Ubuntu 18.04 LTS Server Edition or later
Docker 19.03.x or later
To collect data from on-premises data centers and fulfill change requests using Cloud Bridge-enabled collectors and fulfillers, at a minimum, you will need Cloud Bridge 1.6.2.
Identity Governance provides an IDM entitlement application definition and application templates to collect account and permission entitlements from an on-premises Identity Manager environment. To successfully collect all accounts and permissions, the supported drivers must be running. The following drivers are supported by Identity Manager and Identity Governance.
Drivers in Identity Manager:
Identity Governance Assignment collection: MFIGASGMTCOL_18.104.22.16820110104142
SAP User Management
We strive to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The following issue appears in the Catalog Curated Data Details report:
The Catalog Curated Data Details report does not display all attributes and values for all entities. For example, if you update attribute values for three users, then run the Curated Data Details report, the report correctly reflects that three users were curated, but does not display the attributes and values that were curated.
Issue: When multiple values are mapped using flowdata.getObject(), all the values are populated in a single field. For example, in the Workflow Administration Console, create a form that requires multiple values, such as text field, email, phone number. Create a workflow with two approval activities and attach the form with the activities. In the pre-activity data mapping of the second approval activity, map the fields with multiple values from the first approval activity’s form using the flowdata.getObject(). In Identity Governance, request that workflow. Navigate to > > and select or to launch the approval form of the workflow. Fill the values for the requested fields and launch the next approval form. The data mapped from the previous form using flowdata.getObject() fills all data in a single field.
This issue will be fixed in a future release.
Issue: Inability to publish workflows when the field in the Rest Activity contains the slash slash (//) expression in a comment.
Workaround: To save and publish the workflow, use the slash-star (/*) star-slash (*/) while adding a comment.
When user entitlements are disabled, but an administrator tries to add the user to any application (such as Lotus Notes), as expected the user is not added to that application. However, no error message stating entitlement is disabled appears in the logs. This issue cannot be fixed, because entitlements must be enabled for IDM entitlement connectors.
Issue: When you remove an account from the database, even though fulfillment is successful, Identity Governance displays the status as Not Fulfilled, Verification Error. This issue occurs, because the value returned by the database might not be consistent with the values the JDBC driver expects.
Workaround: Ensure that the account status in the entitlement configuration for the driver displays the following values:
For MSSQL and Oracle: <account-status active="0" inactive="1" source="read-attr" source-name="Login Disabled"/>
For PostgreSQL: <account-status active="FALSE" inactive="TRUE" source="read-attr" source-name="Login Disabled"/>
Issue: When a request, such as the assignable role for Workday request, is sent to the IDM entitlement fulfiller, the fulfiller modifies the value of the LDAP Attribute DirXML-EntitlementRef. After modification, it depends on Identity Manager to automatically send an entitlement modification event to the driver. If the driver fails to handle fulfillment requests, the error is reported to Identity Manager, but Identity Manager does not report the error to Identity Governance. Identity Governance assumes the request was fulfilled. However, after collection and publication, Identity Governance marks the status as “verification failed”.
Workaround: Access the driver logs for more details about the error.
Issue: When configuring the IDM entitlement collectors or fulfillment target templates, the test connection fails if the user password contains a colon.
Workaround: Log into IDM iManager and exclude colons from any administrator account passwords.
Issue: When an authorized user selects > and clicks on the tab or the tab, Identity Governance could display an Encountered unexpected error message.
Workaround: Click the browser refresh icon to refresh the page, or navigate to another page and access the tabs again. If the problem occurs every time you access these tabs, please contact Technical Support.
Though Identity Governance supports markdown for permission and application descriptions, currently it does not have a markdown viewer for request forms. As a result, any markdown syntax in an application or permission form will display as it is instead of being rendered as expected.
Issue: If two business roles (BR1 and BR2) authorize the same permissions and specify auto-grant and auto-revoke on those permissions, and a manual or bulk data update (also known as curation) moves a user from BR1 to BR2, the user could lose the permission for a period of time between the fulfillment of the auto-revoke request and the fulfillment of the compensating auto-grant request.
This is possible because after curation, separate detections are triggered for BR1 and BR2, instead of a single detection that does both together. If detection is first done on BR1 (the role the user lost membership in) followed by BR2 (the role the user gained membership in), Identity Governance would issue an auto-revoke, followed by a compensating auto-grant. If detection is first done on BR2 followed by BR1, auto-revoke or auto-grant request will not be issued. Based on your fulfillment approach (manual, workflow, automatic, custom), in the case where detection first occurs on BR1 and then BR2, causing an auto-revoke request and compensating auto-grant request to be issued, the user could lose the permission between the fulfillment of the auto-revoke request and the fulfillment of the compensating auto-grant request.
Workaround: It is recommended that you do not utilize curation if you have business roles with overlapping permissions which are enabled for auto grants and auto revocation. If data update occurs, check business role detections ( > > ) to verify that a compensating grant request was issued and if not, detect inconsistencies ( > > ) and issue a grant request.
Issue: When using Chrome with autofill enabled, some product pages could prompt you to save changes when you navigate to another page, even if you have not made changes. This issue occurs when Chrome automatically populates configuration fields as soon as the page loads.
Workaround: Temporarily turn off autofill when accessing the product using Chrome browser, or ignore erroneous save prompts when you know you have not changed anything on the page.
Issue: If a date attribute in your data source uses a non-Java format, Identity Governance does not recognize the data as a date. For example, if the StartDate attribute uses “YYYY/MM/DD” fixed-length format and you want to collect it in date format, the collection will show an error. Identity Governance uses only the default format for Oracle Java for date attributes.
Workaround: Use one of the following workarounds:
Before collecting from the data source, “clean” the data by converting the attribute values to Java’s default date format, which uses the number of milliseconds that have elapsed since midnight, January 1, 1970.
Collect the value in string format so that you will be able to see the native value. This method also guarantees that the data does not have to be clean to be collected. For more information, contact Technical Support.
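The first workaround, converting the attribute values before collection, can be scripted. The following is an added example, not part of the product or its documentation: it assumes the data source is exported as CSV with a StartDate column in the "YYYY/MM/DD" format mentioned above, and that dates without a time zone are read as midnight UTC. The function names, column layout, and sample rows are constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Fixed-length "YYYY/MM/DD" layout, zero-padded, ASCII digits only.
FIXED_LENGTH = re.compile(r"\d{4}/\d{2}/\d{2}", re.ASCII)


def to_epoch_millis(value):
    """Convert a YYYY/MM/DD string to milliseconds since 1970-01-01.

    Assumption: the source carries no time zone, so midnight UTC is used.
    Raises ValueError for wrong layouts and impossible dates (2021/02/30).
    """
    if not FIXED_LENGTH.fullmatch(value):
        raise ValueError(f"not in YYYY/MM/DD layout: {value!r}")
    parsed = datetime.strptime(value, "%Y/%m/%d").replace(tzinfo=timezone.utc)
    return (parsed - EPOCH) // timedelta(milliseconds=1)


def clean_dates(csv_text, column="StartDate"):
    """Return (cleaned_csv_text, rejects) for one export of the data source.

    Rows whose date cannot be converted are left out of the cleaned output
    and listed in rejects as (source_line_number, raw_value), so a bad date
    is never collected silently. Empty values pass through unchanged.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    rejects = []
    for row in reader:
        raw = (row[column] or "").strip()
        if raw:
            try:
                row[column] = to_epoch_millis(raw)
            except ValueError:
                rejects.append((reader.line_num, raw))
                continue
        writer.writerow(row)
    return out.getvalue(), rejects


SAMPLE = (  # constructed sample export, not real data
    "userId,StartDate\n"
    "jdoe,2021/03/15\n"
    "asmith,1970/01/01\n"
    "bwong,15/03/2021\n"
    "cline,\n"
    "dkhan,2021/02/30\n"
)

if __name__ == "__main__":
    cleaned, rejects = clean_dates(SAMPLE)
    print(cleaned, end="")
    for line_no, raw in rejects:
        print(f"rejected line {line_no}: {raw}")
```

Rejected rows should be corrected at the source and re-exported rather than collected with a guessed date.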
Issue: In some cases, when you click a user in the Certification Policy Violation window when using Identity Governance with Mozilla Firefox, an unresponsive script error can occur.
Workaround: The issue lies with Firefox. For information about correcting the issue, see this Mozilla knowledge base article.
Some known issues lie within third-party applications that are integrated with Identity Governance. The following known issues can be tracked with the third-party vendor. Micro Focus provides links to those issues, where available.
Issue: If Form Builder was used from the Workflow console to create an approval workflow that requires two approval activities, and you provided two or more phone numbers during the first approval activity, those phone numbers will not appear in the second approval activity. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
Workaround: Click under the field to make the provided phone numbers appear.
If Form Builder was used from the Workflow console to create an approval workflow that requires two approval activities, and multiple values were supplied during the first approval activity, those values will duplicate in the subsequent approval activity if you click the button. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
When creating a custom form, the Approval Address field accepts values from the request address field only if using the Calculate Value. The Approval Address field does not receive information if using the Custom Default Value. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
Validations are not triggered if the ValidateOn property of a component is set to Validate on Blur, but will, instead, validate on change. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
When adding a layout component to a form and configuring Action Types, appears as an option, but this option is not applicable for a layout component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
Online help does not exist for the tree component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
The Date/Time values appear as “Invalid” in Firefox. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
The default value does not return when you select the “Multiple Values” and “Clear Value on Refresh” options. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
Using the JS editor to set a check box component to appear selected by default does not function as expected. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
Some event trigger types with the “Hidden” property set do not hide the configured component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.
The permissions were not rolling up for User Access review when the review definition had account filters set, such as Last Login more than 90 days old. Now this issue has been fixed.
In reviews, the Add CC link was missing on email notification templates where the name of the notification was modified and used in a review. This issue has now been fixed.
Previously reminder mails were not sent to the Review Owner and Auditor at the scheduled interval. Now the reminder mails are sent as per the schedule configured in the review definition.
This issue has now been fixed. The server REST API was modified to do special handling of the appDisplayName attribute when it is specified for sorting.
The Load Certificate button now correctly appears or is hidden on the collector or fulfillment target page based on the related service parameter.
Fulfillment is now successful.
When the Technical Role Administrator created a new technical role, then clicked, analysis failed and Identity Governance displayed a Denied access error message. This issue has now been fixed.
In a previous release, customer administrator was unable to import email templates. This issue has now been fixed.
In a previous release, customer administrator was unable to delete an application source. This issue has now been fixed.
In a previous release, a customer administrator received denied access error when retrying a fulfillment error task. With this release, the issue no longer occurs.
In a previous release, a selected data source was not used when running a report. The generated report and the Report Definition page in Identity Reporting reflected different data sources. With this release, this issue no longer occurs.
In a previous release, the Review Details PDF erroneously displayed “undefined” as a filter to use as a Review Item in the report. With this release, this issue no longer occurs.
In a previous release, under some scenarios, the account name did not appear in the Fulfillment Status and Closed Loop PDF. With this release, this issue no longer occurs.
In a previous release, the Catalog Curated Data Overview report erroneously displayed the message, “This report contains no data for Catalog Data Update in the collected sources” if the entity contained data but had no curated records. With this release, if the entity contains data, but has no curated records for that entity, the report correctly displays the values of zero (0) for curated and the percent in the report.
In a previous release, if you installed and ran the Catalog Curated Data Details report, it displayed (0) users, accounts, and permissions collected and curated. This issue has now been fixed.
In a previous release, if you curated data, edited the Catalog Curated Data Details report to limit the number of curated items per section, then ran the report, the results were not limited as expected. This issue has now been fixed.
In a previous release, the Fulfillment Status and Closed Loop PDF duplicated the results of each fulfillment request item in the status list. This issue has now been fixed.
A custom form configured for multiple phone numbers displays only a single phone number field. This issue no longer occurs.
In the Form Builder, text that appeared on various component tabs could not be localized, because Form.io did not support localization for this text. Affected text is now correctly localized.
This release also includes infrastructure and SaaS operations related fixes such as the following resolved issues.
In a previous release, SaaS Operations Administrator was unable to import email templates. This issue has now been fixed.
In a previous release, in a clustered environment, Access Request flows did not move and threw a NullPointerException. This issue has now been fixed.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/en-us/legal.
© Copyright 2022 Micro Focus or one of its affiliates.