What's new in this release

The documentation is updated for the IBM Security Identity Manager version 7.0.1 Fix Pack 17 release.

IBM Security Identity Manager Version 7.0.1 Fix Pack 17

The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.17.

Middleware, platform and open-source component updates
Version 7.0.1 Fix Pack 17 uses upgraded versions of the key middleware, platform and open-source components: IBM Java version 8.0.7.10 and IBM WebSphere Liberty version 22.0.0.6. For detailed system requirements, see Hardware and software requirements.
Manual removal of Log4j version 1.2.8 files
You must manually remove the Log4j version 1.2.8 files from your IBM Security Identity Manager setup to avoid vulnerabilities reported for this Log4j version. Perform the steps in this technote: https://www.ibm.com/support/pages/node/6603649
Uninstallation of SSUI
IBM Security Identity Manager continues to include the self-service user interface. IBM suggests that you uninstall the self-service user interface (SSUI) using the steps described in this technote: https://www.ibm.com/support/pages/node/6402467
Defect fixes and documentation updates
This product version delivers various defect fixes and documentation updates. For more information, see the readme file available on IBM Fix Central.

IBM Security Identity Manager Version 7.0.1.15

The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.15.

IBM Security Identity Manager Server

General fixes

General fixes and corrections to known documentation issues.

IBM Security Identity Manager Version 7.0.1.14

The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.14.

IBM Security Identity Manager Server

Updated signer certificate for JARs that are required to run Java™ Web Start based designers

The JAR files that are required to launch Java Web Start based designers are now signed with a new certificate. The new certificate is valid until May 23, 2022. The old certificate, which was used to sign JAR files shipped in earlier releases, expires on January 1, 2021. After this date, you cannot launch the workflow designer, form designer, and policy join directive panels.

Browser support
  • Added Microsoft Edge Chromium browser support for the IBM Security Identity Manager virtual appliance.

For more information, see Hardware and software requirements.

IBM Security Identity Manager Version 7.0.1.13

The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.13.

IBM Security Identity Manager Server

SOAP web services enhancements
Enhanced the SOAP web service API so that you can add, delete, and modify the Dynamic Role.
Middleware, platforms, and open source component support
  • Added Oracle 18c support.

For more information, see Hardware and software requirements.

Identity Service Center enhancements
Java API enhancements
Enhanced the Java APIs so that you can add, search, modify, and delete a lifecycle rule.
Other enhancements
  • In the IBM Security Identity Manager administrative console and Service Center, the text widgets are now resizable so that the entire object name is visible.

Virtual appliance

Enhancement for managing the Oracle Automatic Storage Management configuration

You can now configure, reconfigure or unconfigure the Oracle Automatic Storage Management path for the Oracle Data Store Configuration for the IBM Security Identity Manager virtual appliance. See Managing the Oracle data store configuration.

New pages for configuring cipher suites for WebSphere® Application Server
Administrators can now restrict the number of allowed cipher suites that are used by IBM Security Identity Manager. See Configuring cipher suites.
The administrative console Logon folder is now available for customization from the Custom File Management page
Administrators can now view or customize files that are within the Logon folder, which are related to the IBM® Security Identity Manager administrative console. To customize the files from the appliance dashboard, select Configure > Advanced Configuration > Custom File Management. You can navigate to the directory in the following location:
directories
  |-[itim_console.war]
   |- [jsp]
    |- [logon]
See Managing custom file paths.

IBM Security Identity Manager Version 7.0.1.11

The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.11.

IBM Security Identity Manager Server

Identity Service Center enhancements
  • Work order activities in Identity Manager Service Center are now directly supported.
  • You can now customize the maximum limit for entities that are allowed in the filter query parameter while resolving large numbers of multi-valued attributes by using a form.
  • Enhanced the Identity Manager Service Center request access screen to let you enable or disable default search that is based on a configuration property. See UIConfig.properties.
  • Enhanced the Identity Manager Service Center view for modifying and removing access to display access of preconfigured categories only rather than displaying all the items.
API enhancement
Added Public API for Business Unit Transfer web service and REST APIs.

Virtual appliance

Open VM Tools support
To enable Open VM Tools support, you must enable the feature in the local management interface. See Configuring Open VM Tools support.
With Open VM Tools enabled, you can use the following services:
  • Shut down and restart the virtual appliance gracefully from the hypervisor console.
  • Synchronized clocks between the virtual appliance and the ESXi server.
  • Support for VMware statistics with the vmware support command.

You can also configure the vmtoolsd.timesync.enable parameter to toggle clock synchronization between the virtual appliance and the ESXi server. This synchronization is independent of Open VM Tools, unless you have already configured a Network Time Protocol (NTP) server. See Advanced tuning parameters for the virtual appliance.

New java.security CLI command for changing Java security properties
Administrators can now change the value of the networkaddress.cache.ttl parameter. See java.security commands.
Serviceability enhancements
The virtual appliance support file package now includes a highdiskusagedetails.txt file as an Identity Governance Intelligence appliance support file package.

IBM Security Identity Manager Version 7.0.1.10

The following functions are new or changed for IBM Security Identity Manager Version 7.0.1.10:

IBM Security Identity Manager Server

Enhanced search for Persons in Identity Manager Service Center for a login user's subordinates
You can now search for Persons in Identity Manager Service Center for a login user's subordinates.
SOAP web services enhancements
  • SOAP web services that return a Request as a response now contain result details in the response object.
  • WSService SOAP web service is enhanced to add a method for deleting a service.
REST API enhancements
  • You can now specify the attribute erlastmodifiedtime in search filters.
  • You can now create, modify, delete services, and trigger policy enforcement on services.

Virtual appliance

Option for authenticating users from an external user registry to the Local Management Interface
The new option enables the virtual appliance administrator to use an external user registry to designate which users can authenticate to the local management interface (LMI) of the virtual appliance.

The administrator can specify users or groups of users that are defined in a directory server. The directory servers that are provided by IBM Security Directory Server or by Microsoft Active Directory are supported.

See Authenticating users from an external user registry to the Local Management Interface.

New CLI command for changing the maximum size of the JVM heap memory
You can use a new set of commands in the virtual appliance command-line interface to view and change the maximum heap size of the Java™ virtual machine (JVM) for the IBM Security Identity Manager WebSphere profiles like IBM Security Identity Manager DMGR, Application and Message Member.

See jvm_heapsize command.

Manage IBM Security Identity Manager logging properties
You can use the Log Retrieval and Configuration panel to manage the IBM Security Identity Manager logging properties (enRoleLogging.properties). See Configuring logs.

IBM Security Identity Manager Version 7.0.1.8

These functions are new or changed for IBM Security Identity Manager Server Version 7.0.1.8.

Virtual appliance

SMTP authentication enhancement

IBM Security Identity Manager now supports SMTP authenticated Java mail sessions to send notifications. The Local Management Interface allows you to configure mail server authentication user ID and password. See Managing the mail server configuration.

IBM Security Identity Manager Version 7.0.1.7

These functions are new or changed for IBM Security Identity Manager Server Version 7.0.1.7.

IBM Security Identity Manager Server

Manage Accounts enhancements
New account-related tasks are now available for administrators and users. Administrators can configure account categories. Users can change account categories on managed accounts, so that accounts with categories that are configured correctly are excluded from password synchronization. See Account category management.

Virtual appliance

TLS 1.2 support
TLS v1.2 is now supported between the virtual appliance and middleware servers such as the Identity data store and the directory server. See Managing server settings.
Custom directories and files
You can now create and delete subdirectories from the Custom File Management page. You can also upload files to these custom subdirectories. See Managing custom files.
DBPurge scheduling
You can now schedule the frequency of running the DBPurge utility. You can use the new schedule option for the dbpurge command line interface. Alternatively, use the RESTful API to run DBPurge and then schedule when to run the dbpurge RESTful API by using an external solution.

IBM Security Identity Manager Version 7.0.1.3

Virtual appliance

Note: IBM Security Identity Manager Version 7.0.1.3 does not include IBM Security Role and Policy Modeler capability.

The new features in the Identity Manager virtual appliance are as follows.

Customization of the Service Center user interface through the virtual appliance.
Software firewall port settings
A list of software firewall port settings is provided for installation. See Managing firewall configuration in the virtual appliance.
Database connection pool management
You can use the virtual appliance to manage the database connection pool. See Managing database connection pool settings.
HADR for database
High availability and disaster recovery is available for the database. See Managing DB2 automatic client reroute settings.
Management information bases for SNMP
A list of the management information bases is added to the SNMP documentation. See Managing the SNMP monitoring.

IBM Security Identity Manager Server

Manage Activities enhancements
The enhancement displays more information for activities for operations such as suspend, restore, and modify. Earlier, activities for these operations displayed limited information. Now, you can see more detailed information. Another enhancement to activities is the display of batch activities. To view details in a batch request, go to the activity details page.
Transfer of organizations and roles
You can transfer a business unit to an existing business unit that is under the same organization root. Optionally, you can also create a new business unit and then transfer an existing business unit for people and roles. However, there are a few restrictions on transferring a business unit. For detailed information about transferring a business unit, see Transferring a business unit.
You can transfer static and dynamic roles to the business unit that is under the same organization root. However, there are a few restrictions on transferring roles. For detailed information about transferring roles, see Transferring roles.
Customization of styles, icons, and labels in the Identity Service Center
Identity Service Center user interface is customizable to change icons, fonts, color, and labels. You can customize Identity Service Center user interface in the following ways:
  • Copying and modifying the customizable files that are installed with IBM Security Identity Manager.
  • Replacing icons and graphics.
  • Applying customized styles.
  • Modifying labels.
For more information, see Customizing styles, icons, and labels in Identity Service Center.
Customized self-approval for requestee and requester
Using JavaScript code, an administrator can enable self-approval by the requestee or requester for a specific workflow even though the global configuration is set to disable self-approval. See Customized self-approval for requestee and requester.
Running applets outside of a browser
Applets now run in Java Web Start instead of a browser. Because Java Web Start applications can be launched independently of a browser, users do not need to rely on a browser plug-in.

IBM Security Identity Manager Version 7.0.1

Virtual appliance

Note: IBM Security Identity Manager V7.0.1 does not include IBM Security Role and Policy Modeler capability.

The new features in the Identity Manager virtual appliance are as follows:

For information about Identity Manager virtual appliance, see IBM Security Identity Manager overview.

IBM Security Identity Manager Server

These functions are new or changed for IBM Security Identity Manager Server Version 7.0.1:
Federal Information Processing Standards (FIPS)
Because of changes in National Institute of Standards and Technology (NIST) rules, by the end of 2015 the use of IBMSecureRandom results in non-compliance with the FIPS 140-2 random number rules. IBM Security Identity Manager Server code is updated to use the new random number generation algorithm SHA2DRBG to be compliant with the new FIPS 140-2 rule. The new algorithm is available in the default Java virtual machine (JVM) that ships with WebSphere Application Server 8.5.5.7.
Skip delegation
A new property has been added to skip delegation if the delegated approver is also the requestee. See Skip delegation when requestee is the delegated approver.
Oracle eBS responsibility support
Some adapters such as the Oracle eBS adapter support complex group attribute requests. Support for these requests requires the installation of a service profile-specific handler. For more information about handlers, see your specific adapter guide. For accesses that are related to such complex group values, typically the default subattribute values are obtained from the handler plug-in. However, if the provisioning policy for the service has a mandatory enforcement on the group attribute, that value is used instead.
Note: If you are upgrading to IBM Security Identity Manager version 7.0.1, you must perform a full reconciliation of the Oracle eBS service to support Oracle eBS responsibility access requests.
Visual indication of adapter profile import
The administrative console provides a visual indicator for the adapter profile during the import process.
Administrative console tabbing enhancement
When too many windows were open in the administrative console, some were hidden in the toolbar tabs and could not be selected. You can now access the overflow windows, by clicking the arrow icons that are displayed when the overflow condition occurs.
New JavaScript APIs are added to support assigning access by roles
The new UserAccessAccount JavaScript APIs are added to get the access ID, name, description and owner information in workflows. See UserAccess. The new Role JavaScript APIs get the parent and child roles of a role in a workflow. See Role.
Integration between IBM Security Identity Manager and IBM Security Identity Governance
IBM Security Identity Governance and Administration Data Integrator version 7.0.3.1 allows synchronization between IBM Security Identity Governance and IBM Security Identity Manager. The connector must be installed and configured separately. For instructions and further documentation, see technote 1968516 at http://www.ibm.com/support/docview.wss?uid=swg21968516.

Identity Manager Service Center user interface

These functions are new or changed for the Identity Manager Service Center user interface in IBM Security Identity Manager Version 7.0.1:
View Requests enhancements
  • When access is added, modified, or deleted from the administrative console, you can view the details in the View Requests wizard of the Identity Manager Service Center.
  • If the requests are initiated from the Identity Manager Service Center, then you can view all requests that are raised either by you or someone else on behalf of you.
Web services API enhancement
IBM Security Identity Manager web services APIs are updated. The upgraded web services APIs are available in any fix pack that is later than IBM Security Identity Manager 6.0.0.6.
The web services are updated for the following two functions:
  • To enable the search person functionality with any person category.
  • A new web service is added that provides the support to delete an organizational role.

IBM Security Identity Manager 7.0.0.2

Virtual appliance

  • A virtual appliance form factor, making it much simpler to deploy IBM Security Identity Manager. As a new customer, use this new form factor. As an existing customer, continue to receive software stack support through IBM Security Identity Manager V6.0.0.x fix packs.
  • Expansion of the Identity Manager Service Center user interface to support new user scenarios.
  • Improvements to IBM Security Identity Manager adapters include new support for Oracle 12c, Microsoft SQL Server 2014, SharePoint 2013, and Red Hat® Enterprise Linux® 7.
Note: IBM Security Identity Manager V7.0.0.2 does not include IBM Security Role and Policy Modeler capability.
The new features in the Identity Manager virtual appliance are as follows:
  • Configure the Identity Manager virtual appliance to send system audit events over emails.
  • Use SNMP monitoring to monitor the Identity Manager virtual appliance.
  • Enable and simplify workflow extension configuration.
  • Configure an external library in the Identity Manager virtual appliance.
  • Enable separate application interfaces for the virtual appliance and the application consoles.
  • Use of log file management.
  • Use export and import configurations. You can also export, import, access, or download report files.
  • Download and view core dumps to diagnose or debug virtual appliance errors.
  • Configure static routes to the paired protection interfaces on your virtual appliance.
  • Manage hosts file.
For information about Identity Manager virtual appliance, see IBM Security Identity Manager overview.

Identity Manager Service Center user interface

Note: The Identity Manager Service Center supports Google Chrome version 42.0.
These functions are new or changed for the Identity Manager Service Center user interface in IBM Security Identity Manager Version 7.0.0.2:
View and Edit Profile
Depending upon the configured view, you can view or edit user profiles.
Change Password
Depending upon the configured view, you can change or reset the password, and recover the forgotten password.
Delegate Activities
Depending upon the configured view, you can delegate activities, view, edit, and delete the delegation schedule.
Enhancements to My Activities
You can view the notification on the Identity Service Center home page for your pending activities. The count of pending activities is displayed.

IBM Security Identity Manager Server Version 7.0.0.2

These functions are new or changed for IBM Security Identity Manager Server Version 7.0.0.2:
Virtualization support for VMware 5.5
IBM Security Identity Manager now supports VMware 5.5. See Hardware and software requirements.
Java Runtime Environment (JRE) support
The JRE is installed with WebSphere Application Server. Some JRE versions are not supported. See Hardware and software requirements.
New password complexity category: "3 of 4"
A new password complexity category specifies that a user's password contain characters from three of four categories. The complexity category enables password complexity requirements in Microsoft Active Directory. Documentation for this capability is in the online help where you set password requirements.
Auditing: Excluding long attributes from the audit process
An auditing process fails if it encounters attribute values longer than 4000 bytes. You can now modify entities of type Person, Business Partner Person, and Account to exclude long attributes from the auditing process. This action is typically necessary if an attribute value contains a long description or an image (for example, a picture of a person).

See Attribute auditing for details.

Workflow options

Options are added to nodes to allow finer control over workflow processing.

The following options are added for approval, RFI, and work order nodes:

  • Skip Escalation
  • No Timeout Action
  • Complete on Timeout

See Common attributes for workflow activities.

The following options are added for loop nodes:

  • Asynchronous Processing of the Loop Body

See Loop node.

A flow diagram that details the influence of the properties is added to Escalation.

A new workflow extension is added that pauses a workflow for a specified time. When the specified time is reached, the extension activity is complete and the workflow continues.

See Wait extension.

A new option is added to enable requesters to self-approve their requests. Previously, if the requester was also the approver or in the approver group, the requester was always skipped by the workflow for approval. With the new property enrole.workflow.selfapproval, users can set its value to true so that the workflow routes the approval request to the requester.

See Self-approval for requester.

IBM Security Identity Manager Version 7.0

Virtual appliance

  • A virtual appliance form factor, making it much simpler to deploy IBM Security Identity Manager. As a new customer, use this new form factor. As an existing customer, continue to receive software stack support through IBM Security Identity Manager V6.0.0.x fix packs.
  • Expansion of the Identity Manager Service Center user interface to support new user scenarios.
  • Improvements to IBM Security Identity Manager adapters include new support for Oracle 12c, Microsoft SQL Server 2014, SharePoint 2013, and Red Hat Enterprise Linux 7.
Note: IBM Security Identity Manager V7.0 does not include IBM Security Role and Policy Modeler capability.
For information about Identity Manager virtual appliance, see IBM Security Identity Manager overview.

Identity Manager Service Center user interface

These functions are new or changed for the Identity Manager Service Center user interface in IBM Security Identity Manager Version 7.0:
Edit and Delete Access
Depending upon the configured view, you can edit and delete the access for yourself and others. For more information, see the following documentation.
Subform support for the Identity Manager Service Center
You can use subforms in the Identity Manager Service Center to customize the user interface for complex multivalued attributes.
For more information about the deployment path of the Identity Manager Service Center subforms, see the IBM Security Identity Manager adapters documentation for Oracle eBS and PeopleTools at http://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0.
Enhancement to Manage Activities and View Access
With the Manage Activities flow, you can view the activities in the summary view and detailed view.
With the View Access flow, you can view the access list with the refined categories.
Launch the IBM Security Identity Governance home page from the Identity Manager Service Center home page
The Security Identity Governance capabilities are achieved through the IBM Security Identity Governance adapter. The capability can be linked into the Identity Manager Service Center through a custom task. You can create a custom task to link to the Security Identity Governance home page from the Identity Manager Service Center. For more information, see Launching the IBM Security Identity Governance home page from the Service Center.
Custom tasks in the Identity Manager Service Center
The following scenarios are shown as custom tasks in the Identity Manager Service Center home page:
  • Change Password
  • View and Edit Profile
  • Delegate Activities
After you select a custom task, the self-care user interface is displayed, in which you can complete the tasks. You cannot start the self-service user interface directly.

IBM Security Identity Manager Server

These functions are new or changed for IBM Security Identity Manager Server Version 7.0:
Creating a new service: turning off provisioning policies
You can now choose to defer provisioning a new service with a default policy. You might not want to create a default policy when a new service is created if the amount of time to evaluate the default policy for all users is significant. For more information, see Default settings for provisioning policy when a new service is created.
Concurrency: handle conflict resolution during account provisioning
In certain cases multiple simultaneous operations on the same account during auto-provisioning might result in an undesired result or a failed request to add an account. Options are added to specify what to do when conflicts are encountered. For more information, see Concurrency properties.
Workflows: new scenario supports role removal requests
The ApproveRolesWithOperation workflow now handles role removal requests. See the workflows sample file that is provided with the product for information on how to set it up. For more information and other sample workflows, see Sample workflows.
Reconciliation properties: new extension allows you to determine how information about detected account changes is stored
A new extension allows you to determine how to store account change information that is detected during reconciliation. This aspect can help you customize the format of attribute value changes. It can improve reconciliation report readability.

The new property enrole.reconciliation.accountChangeFormatter takes a fully qualified class name that you created to handle how account change information is handled. For more information, see Reconciliation properties.

Integration between IBM Security Identity Manager and IBM Security Identity Governance
IBM Security Identity Governance and Administration Data Integrator version 7.0.1 allows access to IBM Security Identity Governance from IBM Security Identity Manager. The connector must be installed and configured separately. For instructions and further documentation, see technote 1688802 at http://www.ibm.com/support/docview.wss?uid=swg21688802.
Integration with IBM® Control Desk
The IBM Security Identity Manager integration for IBM® Control Desk section now points to Chapter 19 of the Redbook Tivoli® Integration Scenarios for instructions in setting up the integration.
Migration from Microsoft SQL Server database to IBM DB2® database
Consult technote 1695611 for instructions on how to migrate your IBM Security Identity Manager database from Microsoft SQL Server to IBM DB2.

Shared Access

Shared Access functions have moved to the IBM Security Privileged Identity Manager product. For information about integrating Privileged Identity Manager with Security Identity Manager, see:

Shared Access Reports

Support of shared access reports is now available in the IBM Security Privileged Identity Manager reporting package. For more information, see the "Report administration" section of the IBM Security Privileged Identity Manager Administrator Guide at http://www.ibm.com/support/knowledgecenter/SSRQBP_1.0.1.1/com.ibm.ispim.doc_1.0.1.1/admin_guide/concepts/cpt_ic_reports_oview.html.

Reports

The following function is new or changed for the IBM Security Identity Manager Version 7.0:
New access audit model and report for Identity Manager Service Center
The new access audit model and report are developed for the Identity Manager Service Center. An old access audit model is renamed to Access Audit (Deprecated).
For more information, see Access Audit namespace.

Documentation

PDF documentation available in English only
PDF copies of the documentation are provided as a convenience, and thus linking in the PDF files is not fully functional. When you click a cross-reference link that is in another PDF file, the link does not work. The PDF documentation is available at http://www-01.ibm.com/support/docview.wss?uid=swg21902271.
Instructions for creating PDF files from the Knowledge Center
You can create PDF files from the content collections in the IBM Knowledge Center. For more information, see https://www.ibm.com/support/knowledgecenter/help.