What's new in Version 5.2.4

This version delivers enhancements in the virtual appliance deployment, product and security integration, and in the technical foundation.

What's new in Version 5.2.4 Fix Pack 3

Infrastructure and platform upgrades

This release uses the upgraded versions of the following key components:
  • IBM DB2 Server version 11.5.0. It is recommended that you upgrade to DB2 version 11.5.6.
  • IBM Security Directory Integrator version 7.2 Fix Pack 8

Bug fixes and documentation updates

This release delivers various bug fixes and documentation updates. For detailed information, see the readme file for IBM Security Identity Governance and Intelligence version 5.2.4 Fix Pack 3 (5.2.4.0-ISS-SIGI-FP0003), available on IBM Fix Central.

Support for FIPS 140-2 specifications is modified in this product version

Identity Governance and Intelligence Version 5.2.4 does not provide full support for FIPS 140-2 specifications on new installations. However, customers who are upgrading from a FIPS installation can proceed. Product functionality remains in FIPS mode.

On a new installation, ignore any FIPS-related features that you encounter in the Version 5.2.4 user interfaces and command lines, including the step to enable FIPS 140-2 Mode in the setup of the initial virtual appliance.

Added support for Microsoft Hyper-V

The IBM Security Identity Governance and Intelligence virtual appliance can be installed on a Microsoft Hyper-V Server 2016.

The virtual appliance for Microsoft Hyper-V is distributed as a preinstalled disk image of the virtual appliance in the VHD format.

See Installing the virtual appliance by using Microsoft Hyper-V for installation instructions.

Support for IBM DB2 Enterprise Server Edition version 11.1.2.2 added

You can run this version of Identity Governance and Intelligence with IBM DB2 Enterprise Server Edition version 11.1.2.2, but you must first install an APAR fix on the DB2 server. The APAR fix is IT24308: BUG IN COLUMN COMMAND CLPPLUS. Contact the DB2 support team to obtain this APAR fix.

Log Forwarder feature to route logs to a Logstash host

You can use the new Log Forwarder to route the virtual appliance and system logs to an external Logstash host. If you have an ELK stack, you can then run analytics on your log files.

Select Manage > Maintenance > Log Forwarder Configuration in the virtual appliance to configure the Log Forwarder.

For more information, see Routing your logs to a Logstash host with the Log Forwarder.

Virtual appliance Export/Import feature enhancements

You can export a wider range of configuration packages from one virtual appliance to another. The configuration packages that you can create for export comprise these types:
  • Keystore certificates
  • Custom files
  • Security Directory Integrator adapters
  • Security Directory Integrator properties

When you create a configuration package in Manage > Manage Export/Import > Export/Import Settings in the exporting virtual appliance, you can pack some or all configuration types.

You can use the Export/Import feature to complete the following tasks:
  • Transfer virtual appliance settings and definitions between development and production environments.
  • Use export packages in production environments to set up for Disaster Recovery.

See Exporting or importing configuration settings for details.

Option to generate heap dumps is added in the virtual appliance

You can choose to request the generation of a heap dump in addition to the standard JavaCore dump of a selected server type. The choice is available in the Core/Heap Dumps page that you open with Manage > Maintenance > Core/Heap Dumps.

For more information, see Managing core and heap dump files.

Packet tracing feature in the virtual appliance to capture internet traffic data

You can capture in dump files the TCP traffic that goes through the virtual appliance. TCP dump files contain summary information for every internet packet that is received or transmitted by the virtual appliance. TCP dump files can help diagnose problems in the system.

You can start and stop tracing from the local management interface or from the command-line interface of the virtual appliance.

When you start tracing, you have the option of narrowing down and selecting the type of internet traffic that you want to record. The dump files are included in the support.zip files of the virtual appliance, or can be downloaded individually from the local management interface.

From the local management interface, you can delete the files that you no longer need. You can also specify the maximum size and the rollover number of the files.

See Capturing TCP traffic in the local management interface and Capturing TCP traffic in the command-line interface.

Open VM Tools enablement in the virtual appliance

The Open VM Tools are now bundled in the virtual appliance.

To take advantage of Open VM Tools, you must first enable them in the local management interface. Go to Manage > System Settings > Advanced Tuning Parameters, select the vmtoolsd.enabled parameter, and change its value to true.

With Open VM Tools enabled, you can use the following services:
  • You can shut down and restart the virtual appliance gracefully from the hypervisor console.
  • You have clock synchronization between the virtual appliance and the ESXi server.
  • You can use the vmware support command to get VMWare statistics.

You can also configure the vmtoolsd.timesynch.enable parameter to enable or disable clock synchronization between the virtual appliance and the ESXi server, independently of Open VM Tools, unless you already have a configured Network Time Protocol (NTP) server.

For more information, see Advanced tuning parameters for the virtual appliance.

New tool migrates your data to another database management system

Identity Governance and Intelligence provides a tool for migrating all your data from one database management system to another.

You can migrate your existing data from PostgreSQL to DB2® or Oracle.

The target DB2 or Oracle database must be already installed with the Identity Governance and Intelligence Version 5.2.4 fresh installation procedure.

For more information, see Migrating your data to another database.

New CLI command for changing the maximum size of the JVM heap memory

You can use a new set of commands in the virtual appliance command-line interface to view and change the maximum heap size of the Java™ virtual machine (JVM) for the Security Identity Governance and Intelligence and Identity Brokerage servers.

The heap of each server is allocated at JVM start-up with a default maximum size of 4096 MB. If the default value is insufficient for the memory consumption of either server, you can change the maximum heap size to any value from 4096 to 8192 MB.

For more information, see Changing the JVM heap size.

Internal OpenID Connect authentication

Starting from this version, Identity Governance and Intelligence uses an internal OpenID Connect authentication server to administer the login to the virtual appliance local management interface, the Administration Console, and the Service Center.

The internal OpenID Connect authentication server is enabled by default after you set up the initial virtual appliance, following the fresh install of this version of the product.

The server is disabled when you upgrade from an older version. You can enable it after the upgrade.

With the internal OpenID Connect authentication server enabled, all the components use the same login and logout pages.

From the local management interface, you can run the following tasks:
  • Start, stop, or restart the internal OpenID Connect authentication server.
  • Enable or disable the internal OpenID Connect authentication feature.
  • Configure external user registries for the Administration Console and the Service Center, based on IBM Security Directory Server or Microsoft Active Directory.

For more information, see Managing internal OpenID Connect authentication.

Customization of the login and logout pages

With internal OpenID Connect authentication, the virtual appliance local management interface, the Administration Console, and the Service Center share similar login and logout pages. You can customize some elements of these pages to fit company preferences.
  • The product title, version, and logo.
  • The background image.
  • The background color of the footer and of the login button in the login screen.
  • The copyright statement.
  • The login and logout labels, including the Forgot Password label in the Service Center login screen.
  • The logout message in the logout screen.

You can edit the custom files in the virtual appliance local management interface.

For more information, see Customizing the login and logout pages.

New optional parameter for using reverse proxy in the external OpenID Connect configuration for Service Center

The RedirectToRPHostandPort parameter was added to optionally specify the host and the port number of a redirect OpenID relying party in the external OpenID Connect configuration for Service Center.

See Managing OpenID connect configuration for details.

Button added to view the logs in the Custom File Management page of the virtual appliance local management interface

The logs directory in the Custom File Management page lists a number of log files that record Administration Console and Service Center activities.

In previous versions, to read a log, you first had to select the file, download it, and open it with an editor on your computer.

Now, when you select a log file, a View button is displayed. Select View to display the log content directly on the local management interface window without downloading the file.

New pane to upload product upgrade packages on the virtual appliance

With a new pane that is accessible from the top-level menu of the virtual appliance dashboard, you can upload product upgrade packages directly on the virtual appliance.

You can first upload a package file that you downloaded from Fix Central, and then install it with the igi > upgrade > install command sequence of the virtual appliance command-line interface.

For more information, see Uploading product upgrade packages on the and Upgrading the with a previously uploaded package file.

Password synchronization in the Administration Console and Service Center

Password synchronization is the process through which a user maintains a single password across multiple applications. Administrators can associate account configurations with a password sync group and then define password policies to manage password synchronization for the password sync group. For more information about this new function, see the following topics:

Video demonstration of the password synchronization feature

You can view a video that demonstrates the password synchronization feature. To view the video, see Configuring Password Synchronization in the IBM Security Learning Academy.

New rule to update the target account with synchronized password

The password synchronization feature is new in this release. If you have a new installation of the product, the new rule named "Update target account with synchronized password" is already available to you.

If you are upgrading to V5.2.4 from a previous release, you must manually add the rule. For the account matching function, the accounts that are assigned to a user do not use the synchronized password unless the new rule is added.

For more information about viewing or adding the new rule, see Adding the rule for target account password synchronization.

For more information about other rules that are updated with this release, see Updating and adding product rules that are affected by the Multiple Accounts feature.

HR feed profiles must use the Set Random Password rule during account creation

Beginning with Identity Governance and Intelligence 5.2.4, the password policies for Ideas accounts are more restrictive than in previous releases. To successfully load users from an HR feed profile, the user ID and password cannot be the same. Instead, the password must be set to a random password.

The scenario for importing HR feed users is updated to include the Set Random Password rule. For more information, see Importing HR feed profiles and adding HR feed connectors.

For more information about using the Set Random Password rule, see Adding or removing a rule within a rule class.
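The Set Random Password rule described above, modelled as an added example that is not the product's own code: it generates a random password for each Ideas account built from an HR feed row and checks that the password is never equal to the user ID. The character classes, the 16-character length and the HR feed rows are constructed assumptions of this example; the page states only that the password must be random and must differ from the user ID.

```python
import secrets
import string

# Character classes the generated password draws from. The classes and the
# 16-character length are assumptions of this example; the page states only
# that the password must be random and must differ from the user ID.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+")
PASSWORD_LENGTH = 16


def generate_random_password(user_id: str, length: int = PASSWORD_LENGTH) -> str:
    """Return a random password containing at least one character from every
    class and guaranteed to differ from user_id (case-insensitively)."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    alphabet = "".join(CLASSES)
    rng = secrets.SystemRandom()
    for _ in range(100):
        chars = [secrets.choice(cls) for cls in CLASSES]  # one character per class
        chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
        rng.shuffle(chars)  # do not reveal the class order
        password = "".join(chars)
        if password.casefold() != user_id.casefold():
            return password
    raise RuntimeError("could not generate a password distinct from the user ID")


def is_acceptable(password: str, user_id: str, length: int = PASSWORD_LENGTH) -> bool:
    """Check what the rule guarantees: length, one of each class, not the user ID."""
    return (len(password) >= length
            and password.casefold() != user_id.casefold()
            and all(any(ch in cls for ch in password) for cls in CLASSES))


# Constructed HR feed rows (not real data).
SAMPLE_HR_FEED = [
    {"user_id": "jdoe", "surname": "Doe", "given_name": "Jane"},
    {"user_id": "asmith", "surname": "Smith", "given_name": "Alex"},
    {"user_id": "lnguyen", "surname": "Nguyen", "given_name": "Linh"},
]


def build_ideas_accounts(feed_rows):
    """Create one Ideas account record per HR row, applying the random-password
    rule instead of copying the user ID into the password."""
    return [
        {"user_id": row["user_id"],
         "display_name": f"{row['given_name']} {row['surname']}",
         "password": generate_random_password(row["user_id"])}
        for row in feed_rows
    ]


if __name__ == "__main__":
    for rec in build_ideas_accounts(SAMPLE_HR_FEED):
        status = "ok" if is_acceptable(rec["password"], rec["user_id"]) else "REJECTED"
        print(rec["user_id"], "->", status)
```

The retry loop exists only so that the function can state the user-ID guarantee explicitly; with 16 random characters a collision with the user ID never happens in practice, but the check is the property the HR feed load depends on.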

Password synchronization is supported by Desktop Password Reset Assistant (DPRA)

Password synchronization is supported for password change requests by Desktop Password Reset Assistant (DPRA) users. If the user changes the password for an account that is part of a password sync group, the new password is synchronized with the user's other accounts that belong to the same password sync group. For more information about DPRA integration with Identity Governance and Intelligence, see Desktop Password Reset Assistant.

Reverse password synchronization for the Windows Active Directory (AD) adapter plug-in

When passwords are changed on a Windows Active Directory target, the password is synchronized for the accounts that are included in the same password sync group as the target.

For more information about this feature, see Reverse password synchronization for the Windows Active Directory plug-in.

For more information about installing and configuring the plug-in, see the Password Synchronization for Active Directory Plug-in Installation and Configuration Guide.

Password policies can be created for account configurations or password sync groups

You can create password policies in two different places in Identity Governance and Intelligence: account configurations and password sync groups.

To define password policies that apply to account configurations, log in to the Administration Console and navigate to Access Governance Core > Manage > Account Configurations. Use the Password Policy tab. For more information, see Defining a password policy for an account configuration.

To define password policies that apply to password sync groups, log in to the Administration Console and navigate to Access Governance Core > Manage > Password Sync Configurations. Use the Password Policy tab. For more information, see Defining a password policy for a password sync group.

Connector reset / clear cache option for Identity Brokerage connectors

You might need to clear the Identity Brokerage cache entries to bring the state of an Identity Governance and Intelligence connector back in sync with its remote target. A connector reset / clear cache option is available for this operation. Use it as a last resort: it resets the Identity Brokerage connector and clears the target cache, after which the target and Identity Governance and Intelligence are in sync.

For more information about this feature, see Resetting the Identity Brokerage connector and clearing the cache.

Multiple Accounts

An account is a user (a digital identity) with associated authentication attributes (in the most common case, a User ID and a Password) that are used to log on to a target system. A target system can be considered as a container of different applications. The properties for managing a target system are specified in an account configuration.

An account configuration can now include several accounts. This feature is referred to as Multiple Accounts.

With multiple accounts, you can associate a user with different accounts on the same target.

In previous versions, a user had only one account that was associated with a specific account configuration, that is, only one account on a given target.

The individual accounts of an account configuration have differing properties. Regardless of how many accounts are defined in a configuration, there is always a default account.

Multiple accounts come into play when users are assigned an account, an entitlement, or a right. For a multiple accounts configuration, the administrator, campaign reviewer, or manager with an administrative role is asked to select an account within the configuration.

The Ideas account is an exception. It is a single account configuration where the addition of other accounts is precluded.

For more information, see Accounts.

Bulk load template updates for attribute-to-permission mappings

The "Insert Attribute Permission Mapping" template is enhanced with the addition of the column named USE_RIGHTS_VALUE_AS_PERMISSION. For more information, see Insert Attribute Permission Mapping.

New bulk load templates are available for "Enable Attribute Permission Mapping" and "Remove Attribute Permission Mapping." For more information, see these topics:

Nongroup permissions are highlighted in the list of attributes during attribute discovery

To view the updates to the documentation, see these topics:

System admins can change the account name for targets that support it

When you edit an account, the Account ID value can be modified only for targets that support an account ID change. The Account ID field is disabled if the mutability of the eruid attribute in the connector profile is immutable or readOnly. The Account ID field is enabled (editable) if the mutability is writeOnly or readWrite.

To view the documentation updates, see these topics:

Dump and Query buttons removed for Identity Brokerage connector configurations

The Dump and Query buttons are not used for Identity Brokerage connectors, so they are removed from the EConn > Manage > Connectors > Driver Configuration page. Accordingly, this help topic is updated: Driver Configuration.

New Identity Governance and Intelligence and virtual appliance ReST APIs

The new Identity Governance and Intelligence APIs encompass the Entitlement, Hierarchy, and Request resources. See REST APIs.

The new virtual appliance APIs reproduce the commands of the command-line interface. To view their documentation, select Help > Web Services in the local management interface.

User interface enhancements in the Service Center

This release introduces some enhancements and a new look and feel to the user interface in the Service Center. Some of the changes are listed below:
  • The Access Requests application is renamed to Request Center. As it was in previous versions, the look and feel of the requests in the Request Center is determined by the workflow configurations that are made by the administrator in the Administration Console.
  • The Access Certifier application is renamed to Access Certification.
  • The Self Care application is moved from the application menu to the user profile menu.
  • In the Request Center, individual profile tabs are replaced by the Self view and Others view.
  • New icons are in place throughout the Service Center. For more information about the new icons and the Self Care application, see Getting started with the.

Video for Service Center user interface enhancements

You can view a video that demonstrates some of the user interface enhancements for the Service Center. To view the video, see What's new in the V5.2.4 user interface in the IBM Security Learning Academy. The video demonstrates the following enhancements:

Column customization in certification campaigns

In the Service Center, certification campaign reviewers can customize the information that they see on a user's pending revalidation. For example, a user manager selects a running certification campaign and sees information about each user that is undergoing certification. The user manager can add or remove information from view and can rearrange the columns to make the reevaluation faster and more effective. For example, you can move the Risk column next to the User ID column.

At any time during the certification process, the reviewer can monitor the overall progress for the team. The Report Progress column shows how many users are reviewed. The Signoff Progress column shows how many users are signed off.

Risk-aware request management

The Service Center reports if an access or a combination of accesses creates a risk. For example, a user manager uses the Request Center application to manage accesses by granting one or more roles to a user. If conflicting business roles are selected for the user, the Service Center identifies a potential high-risk violation with a flashing red flag.

Password policy enforcement

Syntax rules are enforced when a user changes the password for an account in the Service Center. Initially, the Identity Governance and Intelligence administrator sets the syntax rules (password policy) in the Administration Console. Then, when a user changes the password for an account in the Self Care application in the Service Center, the new password must comply with the password policy. As the user types in the new password, green check marks show when a particular syntax rule is met. When all check marks are green, the password satisfies all the requirements.
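An added example, not the product's own code, that models three things this page describes: the per-rule syntax checks that the Self Care password change reports one by one, password policies defined at the account-configuration level and at the password-sync-group level, and propagation of a new password to the user's other accounts in the same password sync group (the same propagation that the DPRA and Active Directory reverse-sync features trigger). The account configurations, the sync group name, the policies and the accounts are constructed. The rule that a grouped account is validated against the group's policy and an ungrouped account against its own configuration's policy is an assumption of this example; the page does not state which policy takes precedence.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    """Syntax rules of a password policy. check() reports every rule individually,
    like the per-rule check marks shown during a Self Care password change."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = False
    forbid_user_id: bool = True

    def check(self, password: str, user_id: str) -> Dict[str, bool]:
        results = {f"at least {self.min_length} characters": len(password) >= self.min_length}
        if self.require_upper:
            results["an uppercase letter"] = any(c.isupper() for c in password)
        if self.require_lower:
            results["a lowercase letter"] = any(c.islower() for c in password)
        if self.require_digit:
            results["a digit"] = any(c.isdigit() for c in password)
        if self.require_symbol:
            results["a symbol"] = any(not c.isalnum() for c in password)
        if self.forbid_user_id:
            results["does not contain the user ID"] = user_id.casefold() not in password.casefold()
        return results


@dataclass
class AccountConfiguration:
    name: str
    policy: PasswordPolicy            # policy defined on the account configuration
    sync_group: Optional[str] = None  # password sync group the configuration belongs to


@dataclass
class Account:
    user_id: str
    config: AccountConfiguration
    password: str


class PolicyViolation(ValueError):
    def __init__(self, failed: List[str]):
        super().__init__("password policy not satisfied: " + "; ".join(failed))
        self.failed = failed


def change_password(target: Account, new_password: str, accounts: List[Account],
                    group_policies: Dict[str, PasswordPolicy]) -> List[str]:
    """Validate a password change and propagate it within the target's sync group.
    Returns the names of the account configurations whose password was updated.
    Assumption of this example: a grouped account is validated against the group
    policy, an ungrouped account against its own configuration's policy."""
    group = target.config.sync_group
    policy = group_policies.get(group, target.config.policy) if group else target.config.policy
    failed = [rule for rule, ok in policy.check(new_password, target.user_id).items() if not ok]
    if failed:
        raise PolicyViolation(failed)
    members = [target]
    if group:
        # Only this user's other accounts in the same sync group receive the new password.
        members += [a for a in accounts
                    if a is not target and a.user_id == target.user_id
                    and a.config.sync_group == group]
    for acct in members:
        acct.password = new_password
    return [a.config.name for a in members]


# Constructed policies, configurations and accounts (not real data).
GROUP_POLICIES = {"corp-sync": PasswordPolicy(min_length=12, require_symbol=True)}
AD_CONFIG = AccountConfiguration("Active Directory", PasswordPolicy(), "corp-sync")
LDAP_CONFIG = AccountConfiguration("LDAP", PasswordPolicy(), "corp-sync")
IDEAS_CONFIG = AccountConfiguration("Ideas", PasswordPolicy(min_length=10))


def sample_accounts() -> List[Account]:
    return [Account("jdoe", AD_CONFIG, "OldPass1"),
            Account("jdoe", LDAP_CONFIG, "Other2xy"),
            Account("jdoe", IDEAS_CONFIG, "Ideas3xyz"),
            Account("asmith", AD_CONFIG, "Smith4ab")]


if __name__ == "__main__":
    accts = sample_accounts()
    for rule, ok in GROUP_POLICIES["corp-sync"].check("jdoe2024", "jdoe").items():
        print("[ok]" if ok else "[--]", rule)
    print("updated:", change_password(accts[0], "Tr0ub4dor&3-strong", accts, GROUP_POLICIES))
```

Because the sync group, not the target, decides where the new password is copied, the same change_password call serves both a user-initiated change (DPRA or Self Care) and a change that arrives from the Active Directory plug-in; the second user's account in the same group is deliberately left untouched.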

User interface updates in the Administration Console

This release introduces some enhancements and a new look and feel to the user interface in the Administration Console. Some of the changes are listed below:
  • Manage > Accounts is renamed to Manage > Account Configurations.
  • The Password Creation tab is renamed to Password Policy.
  • The Account Recovery Setup page is renamed to Password Recovery Setup.
  • New icons are in place throughout the Administration Console.

Search users by attributes

In the Access Governance Core module, the administrator can search users by attributes by selecting Manage > Users, and then clicking the Filter icon. The Advanced Search option is available for searching more user attributes. For more information, see Manage > Users.

Option to change column headings in the campaign details of Access Certification

The Administration Console administrator can customize the column headings of campaigns.

The option applies to general headings, headings that are specific to types of campaigns, and headings for individual campaigns. After the customization task goes into effect, reviewers and supervisors view campaign details with the customized column headings in the Access Certification application in the Service Center.

To change the column headings, the administrator must download and edit a custom file from the virtual appliance local management interface. Therefore, this person must have administrative access to the virtual appliance, or involve a virtual appliance administrator in this task.

The feature includes options for different languages.

See Customizing the column headings of campaigns for details.

Admin can configure the User View and Entitlement View for the Access Certification application

In the Access Governance Core module, the administrator can enable and configure the views that are used by reviewers and supervisors who use the Access Certification application in Service Center. For more information, see Setting the view.

Entitlement icons and illustrations are updated for campaign certification

The user interface includes updated icons and illustrations for entitlements. For more information, see the following topics:

The glossary is updated to include the new entitlement icons. To see the icons, see the following terms in the Glossary:
  • business role (BRole)
  • entitlement
  • external role
  • IT role
  • permission
  • right

IBM Security Learning Academy

The IBM Security Learning Academy provides additional learning resources for this product. For information about Identity Governance and Intelligence learning resources, see Identity, Access and Governance at IBM Security Learning Academy.

Note: If you do not already have an IBMid, you are prompted to create one when you enroll in the IBM Security Learning Academy courses.

Other documentation updates

In addition to the documentation that supports the new product features, the following sections of the documentation are either new or significantly updated: