What's new in this release
The documentation is updated for IBM Security Identity Manager version 7.0.1 Fix Pack 17 release.
- IBM Security Identity Manager Version 7.0.1.15
- IBM Security Identity Manager Version 7.0.1.14
- IBM Security Identity Manager Version 7.0.1.13
- IBM Security Identity Manager Version 7.0.1.11
- IBM Security Identity Manager Version 7.0.1.10
- IBM Security Identity Manager Version 7.0.1.8
- IBM Security Identity Manager Version 7.0.1.7
- IBM Security Identity Manager Version 7.0.1.3
- IBM Security Identity Manager Version 7.0.1
- IBM Security Identity Manager 7.0.0.2
- IBM Security Identity Manager Version 7.0
IBM Security Identity Manager Version 7.0.1 Fix Pack 17
The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.17.
- Middleware, platform and open-source component updates
- Version 7.0.1 Fix Pack 17 uses the upgraded versions of the key middleware, platform and open-source components: IBM Java version 8.0.7.10 and IBM WebSphere Liberty version 22.0.0.6. For detailed system requirements, see Hardware and software requirements.
- Manual removal of Log4j version 1.2.8 files
- You must manually remove the Log4j version 1.2.8 files from your IBM Security Identity Manager setup to avoid vulnerabilities reported for this Log4j version. Perform the steps in this technote: https://www.ibm.com/support/pages/node/6603649
- Uninstallation of SSUI
- IBM Security Identity Manager continues to include the self-service user interface. IBM suggests that you uninstall the self-service user interface (SSUI) using the steps described in this technote: https://www.ibm.com/support/pages/node/6402467
- Defect fixes and documentation updates
- This product version delivers various defect fixes and documentation updates. For more information, see the readme file available on IBM Fix Central.
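A post-removal check for the Log4j item above, as an added example that is not IBM's code and not part of the technote: it walks a directory tree and reports archives that still bundle Log4j 1.x, including JARs nested inside WAR or EAR files. The marker class, the file-name pattern and the constructed sample tree are assumptions of this example; the real file locations come from the technote.

```python
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption: a Log4j 1.x jar is recognised by its conventional file name ...
NAME_RE = re.compile(r"log4j-(1\.\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
# ... or, if it was renamed, by a class from the org.apache.log4j package.
# Log4j 2's 1.2 bridge jar carries the same package, so review each hit by name.
MARKER = "org/apache/log4j/Logger.class"


def _scan_archive(fileobj, label, findings):
    """Inspect one archive and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        findings.append((label, "unreadable"))
        return
    with zf:
        names = zf.namelist()
        match = NAME_RE.search(label)
        if match or MARKER in names:
            findings.append((label, match.group(1) if match else "unknown"))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                nested = io.BytesIO(zf.read(name))
                _scan_archive(nested, f"{label}!/{name}", findings)


def find_log4j1(root):
    """Return sorted (location, version) pairs for Log4j 1.x found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    _scan_archive(fh, path, findings)
    return sorted(findings)


def make_constructed_tree(root):
    """Constructed sample data: a loose jar, a clean jar, a renamed jar in a WAR."""
    def jar_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
        return buf.getvalue()

    old = jar_bytes([MARKER])
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-1.2.8.jar"), "wb") as fh:
        fh.write(old)
    with open(os.path.join(root, "lib", "app.jar"), "wb") as fh:
        fh.write(jar_bytes(["com/example/App.class"]))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/renamed-logging.jar", old)
    with open(os.path.join(root, "sample.war"), "wb") as fh:
        fh.write(war.getvalue())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_tree(tmp)
        for location, version in find_log4j1(tmp):
            print(f"{version:10} {location}")
```

An empty result from `find_log4j1` on the real installation directory is the state to aim for after the manual removal.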
IBM Security Identity Manager Version 7.0.1.15
The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.15.
IBM Security Identity Manager Server
- General fixes
- General fixes and corrections to known documentation issues.
IBM Security Identity Manager Version 7.0.1.14
The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.14.
IBM Security Identity Manager Server
- Updated signer certificate for JARs that are required to run Java™ Web Start based designers
- The JAR files that are required to launch Java Web Start based designers are now signed with a new certificate. The new certificate is valid until May 23, 2022. The old certificate, which was used to sign JAR files shipped in earlier releases, expires on January 1, 2021. After this date, you cannot launch the workflow designer, form designer and policy join directive panels.
- Browser support
- Added Microsoft Edge Chromium browser support for the IBM Security Identity Manager virtual appliance. For more information, see Hardware and software requirements.
IBM Security Identity Manager Version 7.0.1.13
The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.13.
IBM Security Identity Manager Server
- SOAP web services enhancements
- Enhanced the SOAP web service API so that you can add, delete, and modify the Dynamic Role.
- Middleware, platforms, and open source component support
- Added Oracle 18c support. For more information, see Hardware and software requirements.
- Identity Service Center enhancements
- Added support for compliance alerts, simple re-certification approvals and Request For Information (RFI). The following topics are updated:
- Addressed some reported performance issues.
- Java API enhancements
- Enhanced the Java APIs so that you can add, search, modify, and delete a lifecycle rule.
- Other enhancements
- In the IBM Security Identity Manager administrative console and Service Center, the text widgets are now re-sizable so that the entire object name is visible.
Virtual appliance
- Enhancement for managing the Oracle Automatic Storage Management configuration
- You can now configure, reconfigure or unconfigure the Oracle Automatic Storage Management path for the Oracle Data Store Configuration for the IBM Security Identity Manager virtual appliance. See Managing the Oracle data store configuration.
- New pages for configuring cipher suites for WebSphere® Application Server
- Administrators can now restrict the number of allowed cipher suites that are used by the IBM Security Identity Manager. See Configuring cipher suites.
- The administrative console Logon folder is now available for customization from the Custom File Management page
- Administrators can now view or customize files that are within the Logon folder, which are related to the IBM® Security Identity Manager administrator console. To customize the files from the appliance dashboard, select . You can navigate to the directory in the following location:
directories |- [itim_console.war] |- [jsp] |- [logon]
See Managing custom file paths.
IBM Security Identity Manager Version 7.0.1.11
The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.11.
IBM Security Identity Manager Server
- Identity Service Center enhancements
- Work order activities in Identity Manager Service Center are now directly supported.
- You can now customize the maximum limit for entities that are allowed in the filter query parameter while resolving large numbers of multi-valued attributes by using a form.
- Enhanced the Identity Manager Service Center request access screen to let you enable or disable default search that is based on a configuration property. See UIConfig.properties.
- Enhanced the Identity Manager Service Center view for modifying and removing access to display access of preconfigured categories only rather than displaying all the items.
- API enhancement
- Added Public API for Business Unit Transfer web service and REST APIs.
Virtual appliance
- Open VM Tools support
- To enable Open VM Tools support, you must enable the feature in the local management interface. See Configuring Open VM Tools support. With Open VM Tools enabled, you can use the following services:
- Shut down and restart the virtual appliance gracefully from the hypervisor console.
- Synchronized clocks between the virtual appliance and the ESXi server.
- Support for VMware statistics with the vmware support command.
You can also configure the vmtoolsd.timesync.enable parameter to toggle clock synchronization between the virtual appliance and the ESXi server. This synchronization is independent of Open VM Tools, unless you have already configured a Network Time Protocol (NTP) server. See Advanced tuning parameters for the virtual appliance.
- New java.security CLI command for changing Java security properties
- Administrators can now change the value of the networkaddress.cache.ttl parameter. See java.security commands.
- Serviceability enhancements
- The virtual appliance support file package now includes a highdiskusagedetails.txt file as an Identity Governance Intelligence appliance support file package.
IBM Security Identity Manager Version 7.0.1.10
The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.10:
IBM Security Identity Manager Server
- Enhanced search for Persons in Identity Manager Service Center for a login user's subordinates
- You can now search for Persons in Identity Manager Service Center for a login user's subordinates.
- SOAP web services enhancements
- SOAP web services that return a Request as a response now contain result details in the response object.
- The WSService SOAP web service is enhanced to add a method for deleting a service.
- REST API enhancements
- You can now specify the attribute erlastmodifiedtime in search filters.
- You can now create, modify, delete services, and trigger policy enforcement on services.
Virtual appliance
- Option for authenticating users from an external user registry to the Local Management Interface
- The new option enables the virtual appliance administrator to use an external user registry to designate which users can authenticate to the local management interface (LMI) of the virtual appliance. The administrator can specify users or groups of users that are defined in a directory server. The directory servers that are provided by IBM Security Directory Server or by Microsoft Active Directory are supported. See Authenticating users from an external user registry to the Local Management Interface.
- New CLI command for changing the maximum size of the JVM heap memory
- You can use a new set of commands in the virtual appliance command-line interface to view and change the maximum heap size of the Java™ virtual machine (JVM) for the IBM Security Identity Manager WebSphere profiles like IBM Security Identity Manager DMGR, Application and Message Member. See jvm_heapsize command.
- Manage IBM Security Identity Manager logging properties
- You can use the Log Retrieval and Configuration panel to manage the IBM Security Identity Manager logging properties (enRoleLogging.properties). See Configuring logs.
IBM Security Identity Manager Version 7.0.1.8
These functions are new or changed for IBM Security Identity Manager Server Version 7.0.1.8.
Virtual appliance
- SMTP authentication enhancement
- IBM Security Identity Manager now supports SMTP authenticated Java mail sessions to send notifications. The Local Management Interface allows you to configure the mail server authentication user ID and password. See Managing the mail server configuration.
IBM Security Identity Manager Version 7.0.1.7
These functions are new or changed for IBM Security Identity Manager Server Version 7.0.1.7.
IBM Security Identity Manager Server
- Manage Accounts enhancements
- New accounts-related tasks are now available for administrators and users. Administrators can configure account categories. Users can change account categories on managed accounts, so that accounts with categories that are configured correctly are excluded from password synchronization. See Account category management.
Virtual appliance
- TLS 1.2 support
- TLS v1.2 is now supported between the virtual appliance and middleware servers such as the Identity data store and the directory server. See Managing server settings.
- Custom directories and files
- You can now create and delete subdirectories from the Custom File Management page. You can also upload files to these custom subdirectories. See Managing custom files.
- DBPurge scheduling
- You can now schedule the frequency of running the DBPurge utility. You can use the new schedule option for the dbpurge command line interface. Alternatively, use the RESTful API to run DBPurge and then schedule when to run the dbpurge RESTful API by using an external solution.
IBM Security Identity Manager Version 7.0.1.3
Virtual appliance
The new features in the Identity Manager virtual appliance are as follows.
- Customization of the Service Center user interface through the virtual appliance.
- Login page. See Login page customization.
- Customize the text of the Login page. See Customizing the Login page text.
- Customize the company image. See Customizing the company or product image on the Login page.
- Customize the copyright information. See Customizing the copyright information.
- Customize site information. See Customizing the site information on the Login page.
- Advanced customization. See Advanced customization of the login page and headers.
- Cascading style sheets. See Customizing cascading styles.
- Server settings. See Managing server settings.
- Select me option. See Customizing the Select Me option.
- Software firewall port settings
- A list of software firewall port settings is provided for installation. See Managing firewall configuration in the virtual appliance.
- Database connection pool management
- You can use the virtual appliance to manage the database connection pool. See Managing database connection pool settings.
- HADR for database
- High availability and disaster recovery is available for the database. See Managing DB2 automatic client reroute settings.
- Management information bases for SNMP
- A list of the management information bases is added to the SNMP documentation. See Managing the SNMP monitoring.
IBM Security Identity Manager Server
- Manage Activities enhancements
- Activities for operations such as suspend, restore, and modify now display more information. Earlier, activities for these operations displayed limited information. Now, you can see more detailed information. Another enhancement to activities is the display of batch activities. To view details in a batch request, go to the activity details page.
- Transfer of organizations and roles
- You can transfer a business unit to an existing business unit that is under the same organization root. Optionally, you can also create a new business unit and then transfer an existing business unit for people and roles. However, there are few restrictions to transfer a business unit. For detailed information about transferring a business unit, see Transferring a business unit.
- Customization of styles, icons, and labels in the Identity Service Center
- The Identity Service Center user interface is customizable so that you can change icons, fonts, color, and labels. You can customize the Identity Service Center user interface in the following ways:
- Copying and modifying the customizable files that are installed with IBM Security Identity Manager.
- Replacing icons and graphics.
- Applying customized styles.
- Modifying labels.
- Customized self-approval for requestee and requester
- Using JavaScript code, an administrator can enable self-approval by the requestee or requester for a specific workflow even though the global configuration is set to disable self-approval. See Customized self-approval for requestee and requester.
- Running applets outside of a browser
- Applets now run in Java Web Start instead of a browser. Because Java Web Start applications can be launched independently of a browser, users do not need to rely on a browser plug-in.
IBM Security Identity Manager Version 7.0.1
Virtual appliance
The new features in the Identity Manager virtual appliance are as follows:
For information about Identity Manager virtual appliance, see IBM Security Identity Manager overview.
IBM Security Identity Manager Server
- Federal Information Processing Standards (FIPS)
- Because of changes in National Institute of Standards and Technology (NIST) rules, by the end of 2015 the use of IBMSecureRandom results in non-compliance with the FIPS 140-2 random number rules. IBM Security Identity Manager Server code is updated to use the new random number generation algorithm SHA2DRBG to be compliant with the new FIPS 140-2 rule. The new algorithm is available in the default Java virtual machine (JVM) that ships with WebSphere Application Server 8.5.5.7.
- Skip delegation
- A new property has been added to skip delegation if the delegated approver is also the requestee. See Skip delegation when requestee is the delegated approver.
- Oracle eBS responsibility support
- Some adapters such as the Oracle eBS adapter support complex group attribute requests. Support for these requests requires the installation of a service profile-specific handler. For more information about handlers, see your specific adapter guide. For accesses that are related to such complex group values, typically the default subattribute values are obtained from the handler plug-in. However, if the provisioning policy for the service has a mandatory enforcement on the group attribute, that value is used instead.
Note: If you are upgrading to IBM Security Identity Manager version 7.0.1, you must perform a full reconciliation of the Oracle eBS service to support Oracle eBS responsibility access requests.
- Visual indication of adapter profile import
- The administrative console provides a visual indicator for the adapter profile during the import process.
- Administrative console tabbing enhancement
- When too many windows were open in the administrative console, some were hidden in the toolbar tabs and could not be selected. You can now access the overflow windows by clicking the arrow icons that are displayed when the overflow condition occurs.
- New JavaScript APIs are added to support assigning access by roles
- The new UserAccessAccount JavaScript APIs are added to get the access ID, name, description and owner information in workflows. See UserAccess. The new Role JavaScript APIs get the parent and child roles of a role in a workflow. See Role.
- Integration between IBM Security Identity Manager and IBM Security Identity Governance
- IBM Security Identity Governance and Administration Data Integrator version 7.0.3.1 allows synchronization between IBM Security Identity Governance and IBM Security Identity Manager. The connector must be installed and configured separately. For instructions and further documentation, see technote 1968516 at http://www.ibm.com/support/docview.wss?uid=swg21968516.
Identity Manager Service Center user interface
- View Requests enhancements
- When access is added, modified, or deleted from the administrative console, you can view the details in the View Requests wizard of the Identity Manager Service Center.
- If the requests are initiated from the Identity Manager Service Center, then you can view all requests that are raised either by you or someone else on behalf of you.
- Web services API enhancement
- IBM Security Identity Manager web services APIs are updated. The upgraded web services APIs are available in any fix pack that is later than IBM Security Identity Manager 6.0.0.6.
IBM Security Identity Manager 7.0.0.2
Virtual appliance
- A virtual appliance form factor, making it much simpler to deploy IBM Security Identity Manager. As a new customer, use this new form factor. As an existing customer, continue to receive software stack support through IBM Security Identity Manager V6.0.0.x fix packs.
- Expansion of the Identity Manager Service Center user interface to support new user scenarios.
- Improvements to IBM Security Identity Manager adapters include new support for Oracle 12c, Microsoft SQL Server 2014, SharePoint 2013, and Red Hat® Enterprise Linux® 7.
- Configure the Identity Manager virtual appliance to send system audit events over emails.
- Use SNMP monitoring to monitor the Identity Manager virtual appliance.
- Enable and simplify workflow extension configuration.
- Configure an external library in the Identity Manager virtual appliance.
- Enable separate application interfaces for the virtual appliance and the application consoles.
- Use of log file management.
- Use export and import configurations. You can also export, import, access, or download report files.
- Download and view core dumps to diagnose or debug virtual appliance errors.
- Configure static routes to the paired protection interfaces on your virtual appliance.
- Manage hosts file.
Identity Manager Service Center user interface
- View and Edit Profile
- Depending upon the configured view, you can view or edit user profiles.
- Change Password
- Depending upon the configured view, you can change or reset the password, and recover the forgotten password.
- Delegate Activities
- Depending upon the configured view, you can delegate activities, view, edit, and delete the delegation schedule.
- Enhancements to My Activities
- You can view the notification on the Identity Service Center home page for your pending activities. The count of pending activities is displayed.
IBM Security Identity Manager Server Version 7.0.0.2
- Virtualization support for VMWare 5.5
- IBM Security Identity Manager now supports VMWare 5.5. See Hardware and software requirements.
- Java Runtime Environment (JRE) support
- The JRE is installed with WebSphere Application Server. Some JRE versions are not supported. See Hardware and software requirements.
- New password complexity category: "3 of 4"
- A new password complexity category specifies that a user's password contain characters from three of four categories. The complexity category enables password complexity requirements in Microsoft Active Directory. Documentation for this capability is in the online help where you set password requirements.
- Auditing: Excluding long attributes from the audit process
- An auditing process fails if it encounters attribute values longer than 4000 bytes. You can now modify entities of type Person, Business Partner Person, and Account to exclude long attributes from the auditing process. This action is typically necessary if an attribute value contains a long description or an image (for example, a picture of a person). See Attribute auditing for details.
- Workflow options
- Options are added to nodes to allow finer control over workflow processing.
The following options are added for approval, RFI, and work order nodes:
- Skip Escalation
- No Timeout Action
- Complete on Timeout
See Common attributes for workflow activities.
The following options are added for loop nodes:
- Asynchronous Processing of the Loop Body
See Loop node.
A flow diagram that details the influence of the properties is added to Escalation.
A new workflow extension is added that pauses a workflow for a specified time. When the specified time is reached, the extension activity is complete and the workflow continues.
See Wait extension.
A new option is added to enable requesters to self-approve their requests. Previously, if the requester is also the approver or in the approver group, the requester is always skipped by the workflow for approval. With the new property enrole.workflow.selfapproval, users can set its value to true so the workflow routes the approval request to the requester.
IBM Security Identity Manager Version 7.0
Virtual appliance
- A virtual appliance form factor, making it much simpler to deploy IBM Security Identity Manager. As a new customer, use this new form factor. As an existing customer, continue to receive software stack support through IBM Security Identity Manager V6.0.0.x fix packs.
- Expansion of the Identity Manager Service Center user interface to support new user scenarios.
- Improvements to IBM Security Identity Manager adapters include new support for Oracle 12c, Microsoft SQL Server 2014, SharePoint 2013, and Red Hat Enterprise Linux 7.
Identity Manager Service Center user interface
- Edit and Delete Access
- Depending upon the configured view, you can edit and delete the access for yourself and others. For more information, see the following documentation.
- Subform support for the Identity Manager Service Center
- You can use subforms in the Identity Manager Service Center to customize the user interface for complex multivalued attributes.
- Enhancement to Manage Activities and View Access
- With the Manage Activities flow, you can view the activities in the summary view and detailed view.
- Launch the IBM Security Identity Governance home page from the Identity Manager Service Center home page
- The Security Identity Governance capabilities are achieved through the IBM Security Identity Governance adapter. The capability can be linked into the Identity Manager Service Center through a custom task. You can create a custom task to link to the Security Identity Governance home page from the Identity Manager Service Center. For more information, see Launching the IBM Security Identity Governance home page from the Service Center.
- Custom tasks in the Identity Manager Service Center
- The following scenarios are shown as custom tasks in the Identity Manager Service Center home page:
- Change Password
- View and Edit Profile
- Delegate Activities
IBM Security Identity Manager Server
- Creating a new service: turning off provisioning policies
- You can now choose to defer provisioning a new service with a default policy. You might not want to create a default policy when a new service is created if the amount of time to evaluate the default policy for all users is significant. For more information, see Default settings for provisioning policy when a new service is created.
- Concurrency: handle conflict resolution during account provisioning
- In certain cases multiple simultaneous operations on the same account during auto-provisioning might result in an undesired result or a failed request to add an account. Options are added to specify what to do when conflicts are encountered. For more information, see Concurrency properties.
- Workflows: new scenario supports role removal requests
- The ApproveRolesWithOperation workflow now handles role removal requests. See the workflows sample file that is provided with the product for information on how to set it up. For more information and other sample workflows, see Sample workflows.
- Reconciliation properties: new extension allows you to determine how information about detected account changes is stored
- A new extension allows you to determine how to store account change information that is detected during reconciliation. This aspect can help you customize the format of attribute value changes. It can improve reconciliation report readability. The new property enrole.reconciliation.accountChangeFormatter takes a fully qualified class name that you created to handle how account change information is handled. For more information, see Reconciliation properties.
- Integration between IBM Security Identity Manager and IBM Security Identity Governance
- IBM Security Identity Governance and Administration Data Integrator version 7.0.1 allows access to IBM Security Identity Governance from IBM Security Identity Manager. The connector must be installed and configured separately. For instructions and further documentation, see technote 1688802 at http://www.ibm.com/support/docview.wss?uid=swg21688802.
- Integration with IBM® Control Desk
- The IBM Security Identity Manager integration for IBM® Control Desk section now points to Chapter 19 of the Redbook Tivoli® Integration Scenarios for instructions in setting up the integration.
- Migration from Microsoft SQL Server database to IBM DB2® database
- Consult technote 1695611 for instructions on how to migrate your IBM Security Identity Manager database from Microsoft SQL Server to IBM DB2.
Shared Access
Shared Access Reports
Support of shared access reports is now available in the IBM Security Privileged Identity Manager reporting package. For more information, see the "Report administration" section of the IBM Security Privileged Identity Manager Administrator Guide at http://www.ibm.com/support/knowledgecenter/SSRQBP_1.0.1.1/com.ibm.ispim.doc_1.0.1.1/admin_guide/concepts/cpt_ic_reports_oview.html.
Reports
- New access audit model and report for Identity Manager Service Center
- The new access audit model and report are developed for the Identity Manager Service Center. An old access audit model is renamed to Access Audit (Deprecated).
Documentation
- PDF documentation available in English only
- PDF copies of the documentation are provided as a convenience, and thus linking in the PDF files is not fully functional. When you click a cross-reference link that is in another PDF file, the link does not work. The PDF documentation is available at http://www-01.ibm.com/support/docview.wss?uid=swg21902271.
- Instructions for creating PDF files from the Knowledge Center
- You can create PDF files from the content collections in the IBM Knowledge Center. For more information, see https://www.ibm.com/support/knowledgecenter/help.