Identity Governance and Administration as a Service Release Notes

September 2022

This version of the Identity Governance and Administration solution includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Identity Governance and Administration forum on Micro Focus Communities website, our online community that also includes product information, blogs, and links to helpful resources.

For more information about this release, see the Identity Governance as a Service Documentation website.

1.0 What’s New

This release provides functional, infrastructure, and performance-related fixes and enhancements. It includes:

1.1 Access Request and Approval

New out-of-the-box workflow templates for generic and specific Identity Governance access requests

1.2 Access Reviews

New review type that provides the ability to define and review an organization’s technical role definitions

1.3 Data Collection and Fulfillment

  • Ability to configure multiple non-merging change event identity sources. For more information, see Collecting from Identity Sources with Change Events in the Identity Governance as a Service User and Administration Guide.

  • New collector and fulfillment target templates that provide the:

    • Ability to collect accounts and permissions to access organizations, teams, and repositories from GitHub using respective new REST GitHub collector templates.

    • Ability to add and remove members from a GitHub organization or a team, or add and remove collaborators from a GitHub repository using a new REST GitHub fulfillment template.

    • Ability to collect team and channel permissions from Microsoft Teams using a new MS Teams Permission collector template.

    • Support for fulfillment using new JDBC Generic, Oracle, PostgreSQL, and SQL Server fulfillment target templates.

    • New REST Generic fulfillment template that supports OAuth 2.0 and provides the ability to fulfill any request for a REST-based application using REST endpoints. It has replaced the previously provided REST Service fulfillment template.

    For more information, see Understanding Variations for Application Sources and Understanding Service Desk and Other Fulfillment Targets in the Identity Governance as a Service User and Administration Guide.

1.4 Data Policies

  • Enhanced data policy and governance control user interface and ability to monitor identity lifecycle events such as joiners, leavers, and movers using default policies. For more information, see in the Identity Governance as a Service User and Administration Guide.

  • Ability to use multiple remediation actions including workflow for data policy violations.

1.5 Dashboards

Ability to download custom widget data from the Governance dashboard. For more information, see Downloading Custom Governance Widget Data in the Identity Governance as a Service User and Administration Guide.

1.6 Reporting

New Approval Policy Definitions – CSV report and miscellaneous updates to existing reports.

1.7 Separation of Duties

Enhanced Separation of Duties (SoD) policy that supports the four-eyes principle and allows for a multiple-step approval process for SoD violations. For more information, see Creating and Managing Separation of Duties Policies in the Identity Governance as a Service User and Administration Guide.

1.8 Workflow

  • New out-of-the-box workflow templates for generic and specific Identity Governance access requests and fulfillment workflows

  • Ability to audit forms, workflows, and email notifications related to create, update, and delete operations

IMPORTANT: The ability to edit custom workflows and create new advanced workflows using the Workflow Builder component of the Workflow Service is for preview and provided on an AS IS and AS AVAILABLE basis. We recommend that you do not use advanced workflows in your production environments. Workflow Service’s advanced capabilities will be supported and available for general use in a future release.

For more information about workflows, see Workflow Service Administration Guide.

1.9 Miscellaneous

Miscellaneous security, compliance, performance, and monitoring related infrastructure updates to provide additional governance capabilities

2.0 Technical Requirements

This release has the following minimum requirements.

2.1 Browser Requirements for Identity Governance

To log in to Identity Governance on their local devices, users must have one of the following browser versions, at a minimum:

Computers

  • Apple Safari 12.1.12 - 15

  • Google Chrome 80 - 94

  • Microsoft Edge Browser 44 - 93

  • Mozilla Firefox 74 - 92

iPad (iOS 12 and later)

  • Apple Safari 13 - 15

  • Google Chrome 78 - 94

  • Mozilla Firefox 20 - 37

IMPORTANT: The browser must have cookies enabled. If cookies are disabled, the product does not work.

2.2 Cloud Bridge Agent Requirements

You must have administrator privileges to install the Cloud Bridge Agent.

  • Hardware Requirements

    • CPUs: 4

    • Memory: 16 GB

    • Disk Space: 200 GB

  • Operating System Requirements

    • Debian 10

    • RHEL 8.3

    • SUSE Linux Enterprise Server 15.1 or later patched version of 15.x

    • Ubuntu 18.04 LTS Server Edition or later

  • Container Requirements

    • Docker 19.03.x or later

    • Podman 1.6.4

2.3 Supported Cloud Bridge Version

To collect data from on-premises data centers and fulfill change requests using Cloud Bridge-enabled collectors and fulfillers, at a minimum, you will need Cloud Bridge 1.8.x.

2.4 Supported Identity Manager Drivers and Packages

Identity Governance provides IDM entitlement application definition and application templates to collect account and permission entitlements from an on-premises Identity Manager environment. To successfully collect all accounts and permissions, the supported drivers must be running. The following list shows the supported Identity Manager and Identity Governance drivers.

  • Drivers in Identity Manager:

  • Identity Governance Assignment collection: MFIGASGMTCOL_1.0.0.20220110104142

    Driver               Version      Package
    Active Directory     4.1.3.0      NOVLADENTEX_2.5.7.20190610155012
    Azure AD             5.1.4.0100   MFAZUREENTL_1.0.2.20211118165327
                                      MFAZUREXROLE_1.0.2.20211125114229
    Bidirectional        4.0.4.0      NOVLEDIR2ENT_2.2.7.20211118165416
    Groupwise REST       4.0.1.1      NOVLGRPWRAEN_3.1.1.20211209173838
    JDBC                 4.2.2.0000   NOVLJDBCBISN_2.0.0.20211208134901
                                      NOVLJDBCENTI_2.4.4.20211208135336
                                      NOVLORAINSYN_2.1.0.20211208135824
                                      NOVLSQSIDSYN_2.1.1.20211220115351
                                      NOVLPGSINSYN_2.1.1.20211220124959
    Lotus Notes          4.1.2.0      NOVLNOTEENT_2.4.1.20211118113748
    SAP User Management  4.0.4.0      NOVLSAPUFENT_2.3.5.20211217153914
                                      NOVLSAPUMIG_1.0.0.20211217153953
    SCIM                 1.0.1.0200   NETQSCIMENT_1.0.1.20211223151040
                                      NETQSCIMBASE_1.0.1.20211223151032
    Workday              1.3.0.0100   NETIQWDENT_1.0.0.20210505165701

3.0 Known Issues

We strive to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

3.1 MS Teams Collector Intermittently Fails to Collect Data

Issue: Sometimes, while collecting data using the MS Teams collector, the application times out and the collection fails. The following error message is displayed:

[com.netiq.iac.persistence.dcs.dce.thread.DataCollectionServiceThread] [IG-DTP] DaaS connector returned error during collection: Command failure: Type: find+chunked: [The parameter 'value' is missing in 'Graph API Response'.]

3.2 MS Teams Collection Fails with the Error "Failed to execute backend request.", While Collecting Team Members

Issue: While collecting team members using MS Teams collector, the collection fails and the following error message is displayed:

[com.netiq.daas.azuremsgraph.impl.TeamMembersDecorator] [DAAS] {"error": { "code": "BadGateway", "message": "Failed to execute backend request."

3.3 Workflow Issues

Multiple Value Mapping with flowdata.getObject() Populates all Values in a Single Field

Issue: When multiple values are mapped using flowdata.getObject(), all the values are populated in a single field. For example, in the Workflow Administration Console, create a form that requires multiple values, such as text field, email, phone number. Create a workflow with two approval activities and attach the form with the activities. In the pre-activity data mapping of the second approval activity, map the fields with multiple values from the first approval activity’s form using the flowdata.getObject(). In Identity Governance, request that workflow. Navigate to > Approvals > Workflow Approvals and select Approve or Deny to launch the approval form of the workflow. Fill the values for the requested fields and launch the next approval form. The data mapped from the previous form using flowdata.getObject() fills all data in a single field.

This issue will be fixed in a future release.

Expressions in Workflow Rest Activity Do Not Allow // in a Comment

Issue: Workflows cannot be published when the Request Content field in the Rest Activity contains the slash-slash (//) expression in a comment.

Workaround: To save and publish the workflow, use the slash-star (/*) and star-slash (*/) delimiters when adding a comment.

Workflows with a Loop Display Flowdata Incorrectly and Get the Error "too much recursion" in the Browser Console

Issue: Workflows with a loop do not perform the post-activity mapping for activities that fall within the loop. The flowdata tree for these activities displays the post-activity mapping of the map activity within the loop. This is observed in the Workflow Administration Console Expression Builder. As a result, the error “too much recursion” is displayed in the browser console.

3.4 IDM Entitlement Connected Systems Fail to Display Error Messages When Entitlements Are Disabled

When user entitlements are disabled, but an administrator tries to add the user to any application (such as Lotus Notes), as expected the user is not added to that application. However, no error message stating entitlement is disabled appears in the logs. This issue cannot be fixed, because entitlements must be enabled for IDM entitlement connectors.

3.5 IDM Entitlement Collection and Fulfillment Test Connection Fails If User Password Contains a Colon

Issue: When configuring the IDM entitlement collectors or fulfillment target templates, the test connection fails if the user password contains a colon.

Workaround: Log into IDM iManager and exclude colons from any administrator account passwords.

3.6 IDM Entitlement JDBC Driver Fails to Verify Fulfillment After Successfully Inactivating an Account

Issue: When you remove an account from the database, even though fulfillment is successful, Identity Governance displays the status as Not Fulfilled, Verification Error. This issue occurs, because the value returned by the database might not be consistent with the values the JDBC driver expects.

Workaround: Ensure that the account status in the entitlement configuration for the driver displays the following values:

  • For MSSQL and Oracle: <account-status active="0" inactive="1" source="read-attr" source-name="Login Disabled"/>

  • For PostgreSQL: <account-status active="FALSE" inactive="TRUE" source="read-attr" source-name="Login Disabled"/>

3.7 IDM Entitlement Fulfillment Requests Fail Without Communicating the Error to Identity Governance

Issue: When a request, such as the assignable role for Workday request, is sent to the IDM entitlement fulfiller, the fulfiller modifies the value of the LDAP Attribute DirXML-EntitlementRef. After modification, it depends on Identity Manager to automatically send an entitlement modification event to the driver. If the driver fails to handle fulfillment requests, the error is reported to Identity Manager, but Identity Manager does not report the error to Identity Governance. Identity Governance assumes the request was fulfilled. However, after collection and publication, Identity Governance marks the status as “verification failed”.

Workaround: Access the driver logs for more details about the error.

3.8 Unexpected Error When Accessing Application Default Forms or the Permission Default Forms tabs

Issue: When an authorized user selects Policies > Access Request Policies and clicks on the Application Default Forms tab or the Permission Default Forms tab, Identity Governance could display an Encountered unexpected error message.

Workaround: Click the browser refresh icon to refresh the page, or navigate to another page and access the tabs again. If the problem occurs every time you access these tabs, please contact Technical Support.

3.9 Custom Forms Do Not Display Request Item Description in Bold Italics By Default

Though Identity Governance supports markdown for permission and application descriptions, currently it does not have a markdown viewer for request forms. As a result, any markdown syntax in an application or permission form will display as it is instead of being rendered as expected.

3.10 Moving a User from One Business Role to Another Using Curation Causes the User to Lose Authorized Permissions

Issue: If two business roles (BR1 and BR2) authorize the same permissions and specify auto-grant and auto-revoke on those permissions, and a manual or bulk data update (also known as curation) moves a user from BR1 to BR2, the user could lose the permission for a period of time between the fulfillment of the auto-revoke request and the fulfillment of the compensating auto-grant request.

This is possible because, after curation, separate detections are triggered for BR1 and BR2 instead of a single detection that handles both together. If detection is first done on BR1 (the role the user lost membership in) followed by BR2 (the role the user gained membership in), Identity Governance issues an auto-revoke, followed by a compensating auto-grant. If detection is first done on BR2 followed by BR1, no auto-revoke or auto-grant request is issued. Depending on your fulfillment approach (manual, workflow, automatic, custom), in the case where detection first occurs on BR1 and then BR2, causing an auto-revoke request and a compensating auto-grant request to be issued, the user could lose the permission between the fulfillment of the auto-revoke request and the fulfillment of the compensating auto-grant request.

Workaround: It is recommended that you do not use curation if you have business roles with overlapping permissions that are enabled for auto grants and auto revocation. If a data update occurs, check business role detections (Policy > Business Roles > Business Role Detections) to verify that a compensating grant request was issued. If it was not, detect inconsistencies (Policy > Business Roles > Manage Auto Requests) and issue a grant request.

3.11 Navigating Away from Unchanged Page Might Result in Erroneous Prompt to Save Changes

Issue: When using Chrome with autofill enabled, some product pages could prompt you to save changes when you navigate to another page, even if you have not made changes. This issue occurs when Chrome automatically populates configuration fields as soon as the page loads.

Workaround: Temporarily turn off autofill when accessing the product using Chrome browser, or ignore erroneous save prompts when you know you have not changed anything on the page.

3.12 Cannot Recognize Date Values that Are Not in Default Java Format

Issue: If a date attribute in your data source uses a non-Java format, Identity Governance does not recognize the data as a date. For example, if the StartDate attribute uses “YYYY/MM/DD” fixed-length format and you want to collect it in date format, the collection will show an error. Identity Governance uses only the default format for Oracle Java for date attributes.

Workaround: Use one of the following workarounds:

  • Before collecting from the data source, “clean” the data by converting the attribute values to Java’s default date format, which uses the number of milliseconds that have elapsed since midnight, January 1, 1970.

  • Collect the value in string format so that you will be able to see the native value. This method also guarantees that the data does not have to be clean to be collected. For more information, contact Technical Support.
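The first workaround, sketched as an added example that is not part of the product or its documentation: a pre-collection cleaning step that rewrites a YYYY/MM/DD column as milliseconds since midnight, January 1, 1970. The CSV layout, the userId column, and the choice to read a bare date as midnight UTC are assumptions; invalid values are left untouched and reported rather than guessed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

SOURCE_FORMAT = "%Y/%m/%d"  # fixed-length YYYY/MM/DD, as in the StartDate example
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample export; userId and the CSV layout are assumptions.
SAMPLE = """\
userId,StartDate
jdoe,2022/09/01
asmith,1970/01/01
bnguyen,2022/02/30
cwu,
"""


def to_epoch_millis(value):
    """Convert one date string to milliseconds since 1970-01-01T00:00:00Z.

    Assumption: a date with no time or zone means midnight UTC.
    Raises ValueError for anything that is not a valid fixed-length date.
    """
    value = value.strip()
    if len(value) != 10:
        raise ValueError(f"not a fixed-length YYYY/MM/DD value: {value!r}")
    parsed = datetime.strptime(value, SOURCE_FORMAT).replace(tzinfo=timezone.utc)
    # Integer division keeps the result exact (no float rounding).
    return (parsed - EPOCH) // timedelta(milliseconds=1)


def clean_date_column(text, column):
    """Return (cleaned_csv_text, errors) for CSV text with one date column.

    Blank values stay blank. Values that fail to parse are written back
    unchanged and listed in errors as (line_number, raw_value, reason) so
    they can be fixed at the source before collection.
    """
    reader = csv.DictReader(io.StringIO(text))
    if column not in (reader.fieldnames or []):
        raise KeyError(f"column {column!r} not found in header")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    errors = []
    for row in reader:
        raw = row[column] or ""
        if raw.strip():
            try:
                row[column] = str(to_epoch_millis(raw))
            except ValueError as exc:
                errors.append((reader.line_num, raw, str(exc)))
        writer.writerow(row)
    return out.getvalue(), errors


if __name__ == "__main__":
    cleaned, problems = clean_date_column(SAMPLE, "StartDate")
    print(cleaned, end="")
    for line_num, raw, reason in problems:
        print(f"line {line_num}: left {raw!r} unchanged ({reason})")
```
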

3.13 Unresponsive Script Error in Firefox Can Occur When Clicking a User in the Certification Policy Violation Popup Window

Issue: In some cases, when you click a user in the Certification Policy Violation window when using Identity Governance with Mozilla Firefox, an unresponsive script error can occur.

Workaround: The issue lies with Firefox. For information about correcting the issue, see this Mozilla knowledge base article.

3.14 Third-party Issues

Some known issues lie within third-party applications that are integrated with Identity Governance. The following known issues can be tracked with the third-party vendor. Micro Focus provides links to those issues, where available.

Form Builder Issues

  • Issue: If Form Builder was used from the Workflow console to create an approval workflow that requires two approval activities, and you provided two or more phone numbers during the first approval activity, those phone numbers will not appear in the second approval activity. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

    Workaround: Click Add Another under the Phone Number field to make the provided phone numbers appear.

  • If Form Builder was used from the Workflow console to create an approval workflow that requires two approval activities, and multiple values were supplied during the first approval activity, those values will duplicate in the subsequent approval activity if you click the Add Another button. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • When creating a custom form, the Approval Address field accepts values from the request address field only if using the Calculate Value. The Approval Address field does not receive information if using the Custom Default Value. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • Validations are not triggered if the ValidateOn property of a component is set to Validate on Blur, but will, instead, validate on change. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • When adding a layout component to a form and configuring Action Types, Value appears as an option, but this option is not applicable for a layout component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • Online help does not exist for the tree component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • The Date/Time values appear as “Invalid” in Firefox. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • The default value does not return when you select the “Multiple Values” and “Clear Value on Refresh” options. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • Using the JS editor to set a check box component to appear selected by default does not function as expected. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

  • Some event trigger types with the “Hidden” property set do not hide the configured component. The issue lies with Form.io, who is aware of the issue and is working toward a solution.

4.0 Resolved Issues

4.1 Resolved Reporting Issues

In a previous release the Catalog Curated Data Details report did not display all attributes and values for all entities. This issue has been fixed.

4.2 Resolved Workflow Issues

Required data item exceptions were observed in the server log when a request was approved or denied from the Workflow Administration Console, using the email-based approval feature. These exceptions are no longer observed.

4.3 Users Automatically Logged Out When Active in the Product

Identity Governance could sometimes automatically log out users actively working in the product. This issue no longer occurs, and users are automatically logged out only if they are inactive for the specified session timeout period.

4.4 System Errors During Collection Do Not Appear in the Product

Prior to this release, Identity Governance displayed error messages that did not describe errors that caused failed collections. With this release, Identity Governance provides details about errors that cause collections to fail.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For support, visit the CyberRes Support Website or email cyberressupport@microfocus.com.

For general corporate and product information, see the Micro Focus Website.

For interactive conversations with your peers and Micro Focus experts, become an active member of our community. The Micro Focus online community provides product information, useful links to helpful resources, blogs, and social media channels.

6.0 Legal Notices

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/en-us/legal.

© Copyright 2022 Micro Focus or one of its affiliates.