Identity Governance and Administration As a Service Release Notes

July 2023

4.1 SaaS version of Identity Governance and Administration solution includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Governance and Administration forum on the communities website, our online community that also includes product information, blogs, and links to helpful resources.

For more information about this release, see the Identity Governance Documentation website.

1.0 What’s New

This release provides functional, infrastructure, and performance-related fixes and enhancements. It includes:

1.1 Access Request and Review Enhancements

  • Ability to request business role membership

  • Ability to set effective and expiration dates for access requests

  • Enhanced CSV export of review list items that includes all details including fulfillment status

1.2 Data Collection and Fulfillment Enhancements

  • Ability to upgrade identity and application collector templates to a higher version while retaining custom configurations

  • Ability to import and export merge rules for identity sources

  • Fulfillment ticket number display on verified tasks

  • Connector upgrades related to security and compliance requirements

1.3 Enhanced Support for Cloud Bridge

Identity Governance supports an upgraded version of the Cloud Bridge and includes enhanced integration with Cloud Bridge. For more information, see the Cloud Bridge documentation on the Identity and Access Management Services website.

1.4 Support for Identity Intelligence Dashboards and Reports

Identity Governance enables access to more granular analytics dashboards and reporting by enabling integration with the Identity Intelligence service. For more information about the service, see the Identity Intelligence Service documentation on the Identity Intelligence website.

1.5 Miscellaneous

This release includes miscellaneous security, compliance, performance, and monitoring-related infrastructure updates to provide additional governance capabilities. It includes:

  • Ability to reset the Governance Overview view to the global default for yourself, or to retain local settings for yourself and restore the default configuration for other users, directly from the Governance Overview page in addition to the My Settings menu

  • Enhanced reports

  • Improved custom forms integration with REST API invocation in Identity Governance

  • Improved logging and navigation when using custom user-matching attribute

  • Identity Governance and Administration SaaS infrastructure improvements and upgrades

2.0 Technical Requirements

The following sections list the browser requirements and supported components for this release of Identity Governance, and the additional supported drivers and packages for collecting accounts and permissions from the Identity Manager environment.

2.1 Browser Requirements

To log in to Identity Governance on their local devices, users must have one of the following browser versions at a minimum:

Computers

  • Apple Safari 16.1

  • Google Chrome 103.0.5060.114

  • Microsoft Edge Browser 103.0.1.1264.49

  • Mozilla Firefox 15.5

iPad (iOS 12 and later)

  • Apple Safari 15.5

  • Google Chrome 101.0

  • Mozilla Firefox 37

IMPORTANT: You must clear your browser cache and ensure that cookies are enabled. If cookies are disabled, the product will not work.

2.2 Supported Components and Products

  • Cloud Bridge 1.9.0 and higher patched versions

  • Form Builder 1.5.0.0200

  • Identity Manager 4.8.6 and higher patched versions

  • Identity Reporting 7.1

  • Workflow Console 1.0.6.0300

  • Workflow Engine 1.0.6.0300

2.3 Supported Identity Manager Drivers and Packages

Identity Governance provides IDM entitlement application definition and application templates to collect account and permission entitlements from an on-premises Identity Manager environment. To successfully collect all accounts and permissions, the supported drivers must be running.

Find below a list of the Identity Manager and Identity Governance supported drivers.

  • Drivers in Identity Manager 4.7.5 and 4.8.5 and later patched versions

  • Identity Governance Assignment collection: MFIGASGMTCOL_1.0.0.20220110104142

    | Driver | Minimum Driver Version | Minimum Package Version |
    |---|---|---|
    | Active Directory | 4.1.3.0 | NOVLADENTEX_2.5.7.20190610155012 |
    | Azure AD | 5.1.4.0100 | MFAZUREENTL_1.0.2.20211118165327, MFAZUREXROLE_1.0.2.20211125114229 |
    | Bidirectional | 4.0.4.0 | NOVLEDIR2ENT_2.2.7.20211118165416 |
    | Groupwise REST | 4.0.1.1 | NOVLGRPWRAEN_3.1.1.20211209173838 |
    | JDBC | 4.2.2.0000 | NOVLJDBCBISN_2.0.0.20211208134901, NOVLJDBCENTI_2.4.4.20211208135336, NOVLORAINSYN_2.1.0.20211208135824, NOVLSQSIDSYN_2.1.1.20211220115351, NOVLPGSINSYN_2.1.1.20211220124959 |
    | Lotus Notes | 4.1.2.0 | NOVLNOTEENT_2.4.1.20211118113748 |
    | SAP User Management | 4.0.4.0 | NOVLSAPUFENT_2.3.5.20211217153914, NOVLSAPUMIG_1.0.0.20211217153953 |
    | SCIM | 1.0.1.0200 | NETQSCIMENT_1.0.1.20211223151040, NETQSCIMBASE_1.0.1.20211223151032 |
    | Workday | 1.3.0.0100 | NETIQWDENT_1.0.0.20210505165701 |

NOTE: Entitlements must be enabled for IDM entitlement connectors. When entitlements are disabled, IDM Entitlement connected systems will not display any error messages. When user entitlements are disabled and an administrator tries to add the user to any application (such as Lotus Notes), no error message is displayed, but the user is not added to that application.

3.0 Known Issues

We strive to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

3.1 SCIM Driver Fails to Update IDM Entitlement Fulfillment Status

Issue: Even if a change request, such as adding a user to a group in an SAP application, is fulfilled successfully, Identity Governance displays the status as Pending Verification. This occurs because the SCIM Driver does not comply with the RFC 7644 pagination specifications and returns only limited entitlements to Identity Governance. This issue will be fixed in a future release.
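
The pagination behavior this issue refers to, as an added example that is not part of the original release notes and is not the SCIM driver's code: a client that follows RFC 7644 startIndex/count pagination reads every entitlement, while one that stops after the first page collects a partial set and cannot verify a grant that falls outside it. The in-memory endpoint, the function names, and the 250 sample entitlements are constructed assumptions; the page does not describe how the driver actually fails.

```python
# Added example, not product code. RFC 7644 section 3.4.2.4 pagination.
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def make_endpoint(resources, max_page):
    """Constructed in-memory SCIM endpoint that caps each page at max_page."""
    def fetch_page(start_index, count):
        start = max(start_index, 1)  # RFC 7644: startIndex below 1 is read as 1
        page = resources[start - 1:start - 1 + min(count, max_page)]
        return {
            "schemas": [LIST_RESPONSE],
            "totalResults": len(resources),  # size of the whole result set
            "startIndex": start,             # 1-based index of first item here
            "itemsPerPage": len(page),
            "Resources": page,
        }
    return fetch_page

def collect_all(fetch_page, count=100):
    """Request pages until totalResults items have been read."""
    collected, start_index = [], 1
    while True:
        resp = fetch_page(start_index, count)
        page = resp.get("Resources", [])  # may be absent when the page is empty
        collected.extend(page)
        total = resp["totalResults"]
        if len(collected) >= total or not page:  # done, or server stopped early
            return collected, total
        start_index += len(page)  # advance by what was returned, not by count

def collect_first_page_only(fetch_page, count=100):
    """Failure mode: the first page is treated as the whole result set."""
    resp = fetch_page(1, count)
    return resp.get("Resources", []), resp["totalResults"]

def is_complete(collected, total):
    """Verification is only meaningful against a complete collection."""
    return len(collected) == total

# Constructed sample data: 250 entitlements, server page cap of 100.
ENTITLEMENTS = [{"id": f"ent-{i:03d}"} for i in range(1, 251)]
ENDPOINT = make_endpoint(ENTITLEMENTS, max_page=100)

if __name__ == "__main__":
    full, total = collect_all(ENDPOINT)
    partial, _ = collect_first_page_only(ENDPOINT)
    print(len(full), len(partial), total)
    # A grant on ent-200 is present in full but missing from partial.
    print(any(r["id"] == "ent-200" for r in partial))
```

Comparing the number of collected items with totalResults, as is_complete does, is a cheap check that a collection was not truncated before its results are used for verification.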

3.2 Reimporting Previously Deleted Roles and Policies Might Fail Soon After Cleanup

Issue: Sometimes business roles, SoD policies, technical roles, applications, or review definitions are exported, deleted, and later reimported. If a cleanup operation purges the deleted business roles, SoD policies, technical roles, applications, or review definitions before they are reimported, you might get an error in the UI during the reimport process, depending on how soon after the purge the reimport takes place.

Workaround: If you see this kind of error, please wait at least 10 or 15 minutes and then try to reimport again.

3.3 MS Teams Collection Fails with the Error: Failed to execute backend request, While Collecting Team Members

Issue: While collecting team members using MS Teams collector, the collection fails and the following error message is displayed:

[com.netiq.daas.azuremsgraph.impl.TeamMembersDecorator] [DAAS] {"error": { "code": "BadGateway", "message": "Failed to execute backend request."

3.4 Workflow Issues

Multiple Value Mapping with flowdata.getObject() Populates all Values in a Single Field

Issue: When multiple values are mapped using flowdata.getObject(), all the values are populated in a single field. For example, in the Workflow Administration Console, create a form that requires multiple values, such as text field, email, and phone number. Create a workflow with two approval activities and attach the form with the activities. In the pre-activity data mapping of the second approval activity, map the fields with multiple values from the first approval activity’s form using the flowdata.getObject(). In Identity Governance, request that workflow. Navigate to > Approvals > Workflow Approvals and select Approve or Deny to launch the approval form of the workflow. Type the values for the requested fields and launch the next approval form. The data mapped from the previous form using flowdata.getObject() displays all data in a single field.

This issue will be fixed in a future release.

3.5 Expressions in Workflow Rest Activity Do Not Allow // in a Comment

Issue: Workflows cannot be published when the Request Content field in the Rest Activity contains the slash-slash (//) expression in a comment.

Workaround: To save and publish the workflow, use the slash-star (/*) and star-slash (*/) delimiters when adding a comment.

3.6 IDM Entitlement JDBC Driver Fails to Verify Fulfillment After Successfully Inactivating an Account

Issue: When you remove an account from the database, even though fulfillment is successful, Identity Governance displays the status as Not Fulfilled, Verification Error. This issue occurs because the value returned by the database might not be consistent with the values the JDBC driver expects.

Workaround: Ensure that the account status in the entitlement configuration for the driver displays the following values:

  • For MSSQL and Oracle: <account-status active="0" inactive="1" source="read-attr" source-name="Login Disabled"/>

  • For PostgreSQL: <account-status active="FALSE" inactive="TRUE" source="read-attr" source-name="Login Disabled"/>

3.7 IDM Entitlement Fulfillment Requests Might Not Display Fulfillment Status Correctly

Issue: When a request, such as the assignable role for Workday request, is sent to the IDM entitlement fulfiller, Identity Governance might display verification failed status even when the request displays fulfillment successful status.

Workaround: Access the driver logs, driver trace files, and audit events to view request details including status and error description.

3.8 Custom Forms Do Not Display Request Item Description in Bold Italics By Default

Though Identity Governance supports markdown for permission and application descriptions, it currently does not have a markdown viewer for request forms. As a result, any markdown syntax in an application or permission form is displayed as is instead of being rendered as expected.

3.9 Moving a User from One Business Role to Another Using Curation Causes the User to Lose Authorized Permissions

Issue: If two business roles (BR1 and BR2) authorize the same permissions and specify auto-grant and auto-revoke on those permissions, and a manual or bulk data update (also known as curation) moves a user from BR1 to BR2, the user could lose the permission for a period of time between the fulfillment of the auto-revoke request and the fulfillment of the compensating auto-grant request.

This is possible because, after curation, separate detections are triggered for BR1 and BR2, instead of a single detection that does both together. If detection is first done on BR1 (the role the user lost membership in) followed by BR2 (the role the user gained membership in), Identity Governance would issue an auto-revoke, followed by a compensating auto-grant. If detection is first done on BR2 followed by BR1, auto-revoke or auto-grant request will not be issued. Based on your fulfillment approach (manual, workflow, automatic, custom), in the case where detection first occurs on BR1 and then BR2, causing an auto-revoke request and compensating auto-grant request to be issued, the user could lose the permission between the fulfillment of the auto-revoke request and the fulfillment of the compensating auto-grant request.

Workaround: It is recommended that you do not utilize curation if you have business roles with overlapping permissions that are enabled for auto grants and auto revocation. If a data update occurs, check business role detections (Policy > Business Roles > Business Role Detections) to verify that a compensating grant request was issued, and if not, detect inconsistencies (Policy > Business Roles > Manage Auto Requests) and issue a grant request.

3.10 Navigating Away from Unchanged Page Might Result in Erroneous Prompt to Save Changes

Issue: When using Chrome with autofill enabled, some product pages could prompt you to save changes when you navigate to another page, even if you have not made changes. This issue occurs when Chrome automatically populates configuration fields as soon as the page loads.

Workaround: Temporarily turn off autofill when accessing the product using Chrome browser, or ignore erroneous save prompts when you know you have not changed anything on the page.

3.11 Unresponsive Script Error in Firefox Can Occur When Clicking a User in the Certification Policy Violation Popup Window

Issue: In some cases, when you click a user in the Certification Policy Violation window when using Identity Governance with Mozilla Firefox, an unresponsive script error can occur.

Workaround: The issue lies with Firefox. For information about correcting the issue, see this Mozilla knowledge base article.

3.12 Third-party Issues

Some known issues lie within third-party applications that are integrated with Identity Governance. The following known issues can be tracked with the third-party vendor. Micro Focus provides links to those issues, where available.

Form Builder Issues

  • In the Form Builder, text that appears on various component tabs cannot be localized, because Form.io does not support localization for this text. This will be fixed in a future release.

  • When adding an HTML Element Component to a form, the content of the HTML element component is shown differently in Form Builder and in Preview. A meaningful message is displayed in Preview, whereas the JSON data is displayed in Form Builder. The message should be the same in both places.

  • Issue: If Form Builder was used from the Workflow console to create an approval workflow that requires two approval activities, and you provided two or more phone numbers during the first approval activity, those phone numbers will not appear in the second approval activity. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

    Workaround: Click Add Another under the Phone Number field to make the provided phone numbers appear.

  • If Form Builder was used from the Workflow console to create an approval workflow that requires two approval activities, and multiple values were supplied during the first approval activity, those values will duplicate in the subsequent approval activity if you click the Add Another button. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • When creating a custom form, the Approval Address field accepts values from the request address field only if using the Calculate Value. The Approval Address field does not receive information if using the Custom Default Value. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • Validations are not triggered if the ValidateOn property of a component is set to Validate on Blur, but will, instead, validate on change. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • When adding a layout component to a form and configuring Action Types, Value appears as an option, but this option is not applicable for a layout component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • Online help does not exist for the tree component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • The default value does not return when you select the “Multiple Values” and “Clear Value on Refresh” options. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • Some event trigger types with the “Hidden” property set do not hide the configured component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

4.0 Resolved Issues

4.1 Pre-release: Development Will be Seen in the About page

The About page of Identity Governance and Identity Reporting reflects the versions correctly.

4.2 Identity Governance API Calls were Failing in Form Builder

This issue has been fixed. You can now successfully use APIs.

4.3 The Within Date Criteria is Not Saved Correctly

Previously, while defining an account access review with mapped and unmapped accounts selected and Last Login Date > within > days from now as the review item criteria, if the user navigated away from the page, the within criteria was not retained. This issue has now been resolved.

4.4 Fulfillment Changeset Purging Fails

This issue is now fixed. Purge was failing for fulfillments generated through changeset processing scripts.

4.5 Not providing the full information to a user that has no tasks in Governance

Identity Governance now displays the appropriate message when a user with no action items in Identity Governance tries to access the application.

4.6 Resolved Form Builder Issues

Calendar Icon is not Shown for Date/Time Component

This issue is fixed.

4.7 Resolved Workflow Issues

For Multiple and Quorum Approver Type Group Addressees are Unable to Approve or Deny Workflows

This issue has been resolved. Group addressees can now approve or deny approval tasks in Identity Governance for workflows that have Multiple or Quorum as the Approver Type.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@microfocus.com. We value your input and look forward to hearing from you.

For support, visit the CyberRes by OpenText Support Website or email cyberressupport@microfocus.com.

For general corporate and product information, see the Micro Focus Website.

For interactive conversations with your peers and experts, become an active member of our community. The online community provides product information, useful links to helpful resources, blogs, and social media channels.

6.0 Legal Notices

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Copyright 2023 Open Text.