Release notes - IBM® Security Identity Governance and Administration Data Integrator v7.0.7.7.2

IBM Security Identity Governance and Administration Data Integrator v7.0.7.7.2 is available. Compatibility, installation, and other issues are addressed.

Contents

Abbreviations

Features and Purpose

Contents of this Release

New Features

Closed Issues

Known Issues

Known Limitations

Installation, Configuration and Operation Notes

Supported Configurations

Notices

 

Abbreviations

The following abbreviations are used in this document.

ISIGADI: IBM Security Identity Governance and Administration Data Integrator, referred to as Data Integrator.

ITIM: IBM Tivoli Identity Manager. From version 6.0 the product is named IBM Security Identity Manager.

ISIM: IBM Security Identity Manager.

ISIG: IBM Security Identity Governance. From version 5.2 the product is named IBM Security Identity Governance and Intelligence.

ISIGI or IGI: IBM Security Identity Governance and Intelligence.

TDI: IBM Tivoli Directory Integrator.

AL: Assembly line

Features and Purpose

ISIGADI v7.0.7.7 requires IBM Security Identity Governance and Intelligence v5.2.2.x, v5.2.3.1 or v5.2.4.1 + IF3. For earlier versions of IBM Security Identity Governance, use ISIGADI v7.0.2.x. See the Integrated Products section for details.

The defects fixed in this release are listed in the Closed Issues section.

Contents of this Release

Release Date: Jul 17, 2020
Version: 7.0.7.7.2
Installation Guide: The installation procedures are described in the TECH NOTE referenced in the Installation, Configuration and Operation Notes section.

New Features

Enhancement # (RFE): Description

ISIGADI v7.0.7.7.2 (7/17/2020)

Load and Delta are enhanced with an option that controls how a person is transferred from one OU to another. The option is set in AttrMapPerson.map as follows:
transferOption=1
Values 1, 2, 3 and 4 correspond to IGI person transfer options 1, 2, 3 and 4. Any other value is ignored and the default, 1, is used.

ISIGADI v7.0.7.7.1 (2/21/2020)

None

ISIGADI v7.0.7.7 (1/31/2020)

The ISIGtoISIM assembly line is enhanced to honour a stale event threshold. A new property in ISIG.properties, isig.ISIGtoISIM.stale.event.days, sets the number of days after which out events generated by IGI are treated as expired during ISIGtoISIM synchronization.
The IGI connector is enhanced to use a newer IGI API to resolve a user's inherited permissions, so that Load and Delta no longer assign duplicate permissions.

Starting with this version, the required IGI levels are: 5.2.3 with Fix Pack 1; 5.2.4 with Fix Pack 1 + IF3; 5.2.5 with Fix Pack 1.
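As an added example (not part of ISIGADI or its documentation), the following Python reads the two properties described in the 7.0.7.7.2 and 7.0.7.7 entries above from Java-style property files and applies the documented fallback rules: a transferOption outside 1 to 4 falls back to 1, and an isig.ISIGtoISIM.stale.event.days that is 0, commented out or missing disables the stale check instead of raising (the 7.0.7.7.1 closed issue further down). The file contents and event timestamps are constructed, and it is an assumption that AttrMapPerson.map uses the same key=value syntax as ISIG.properties.

```python
"""Added example: parse ISIGADI-style property files and apply the
transferOption and stale-event rules described in the release notes.
Not ISIGADI code; the file contents below are constructed samples."""
from datetime import datetime, timedelta, timezone

VALID_TRANSFER_OPTIONS = (1, 2, 3, 4)   # IGI person transfer options 1-4
DEFAULT_TRANSFER_OPTION = 1
STALE_DAYS_KEY = "isig.ISIGtoISIM.stale.event.days"


def parse_properties(text):
    """Minimal Java .properties reader: blank lines and '#'/'!' comments are
    skipped; the key ends at the first '=' or ':'. (Assumption: the .map
    file uses the same key=value syntax as ISIG.properties.)"""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not cuts:
            props[line] = ""
            continue
        idx = min(cuts)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def transfer_option(props):
    """1-4 are passed through; anything else (missing, non-numeric, 0, 7)
    falls back to the default of 1, as the notes describe."""
    try:
        value = int(props.get("transferOption", ""))
    except ValueError:
        return DEFAULT_TRANSFER_OPTION
    return value if value in VALID_TRANSFER_OPTIONS else DEFAULT_TRANSFER_OPTION


def stale_event_days(props):
    """Return the threshold in days, or None when the check is disabled.
    0, a commented-out line, a missing key and garbage all disable it
    rather than raising, which is the behaviour the 7.0.7.7.1 fix restores."""
    try:
        days = int(props.get(STALE_DAYS_KEY, ""))
    except ValueError:
        return None
    return days if days > 0 else None


def is_stale(event_time, now, days):
    """True when an out event is older than the configured threshold."""
    if days is None:
        return False
    return now - event_time > timedelta(days=days)


# Constructed sample files (not shipped with ISIGADI).
ATTR_MAP_PERSON = """# AttrMapPerson.map sample
transferOption=7
"""
ISIG_PROPERTIES_ON = """# ISIG.properties sample: expire out events after 30 days
isig.ISIGtoISIM.stale.event.days=30
"""
ISIG_PROPERTIES_OFF = """# ISIG.properties sample: property commented out
#isig.ISIGtoISIM.stale.event.days=30
"""


def demo():
    """Apply the rules to the constructed samples and return the outcomes."""
    now = datetime(2020, 7, 17, tzinfo=timezone.utc)   # this release's date
    old_event = now - timedelta(days=45)
    fresh_event = now - timedelta(days=5)
    days_on = stale_event_days(parse_properties(ISIG_PROPERTIES_ON))
    days_off = stale_event_days(parse_properties(ISIG_PROPERTIES_OFF))
    return {
        "transfer_option": transfer_option(parse_properties(ATTR_MAP_PERSON)),  # 7 -> 1
        "days_on": days_on,                                     # 30
        "days_off": days_off,                                   # None
        "old_stale_on": is_stale(old_event, now, days_on),      # True
        "fresh_stale_on": is_stale(fresh_event, now, days_on),  # False
        "old_stale_off": is_stale(old_event, now, days_off),    # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two fallback functions is that a misconfigured value degrades to the documented default instead of aborting the assembly line, which is exactly the difference between the 7.0.7.7 and 7.0.7.7.1 behaviour for the stale-event property.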

ISIGADI v7.0.7.6 (4/8/2019)

The Delta assembly line is enhanced to honour performance properties. Three new properties in ISIG.properties let you skip certain LDAP changelog entries during delta processing by naming the relevant IGI attributes of the person and account objects.

Starting with this version, the required IGI levels are: 5.2.3 with Fix Pack 1; 5.2.4 with Fix Pack 1 + IF2.

ISIGADI v7.0.7.5 (5/22/2018)

The Load, Delta and ISIGtoISIM assembly lines are enhanced to support multiple accounts per user on IGI. For the configuration, see the "Support of multiple accounts per user on IGI" section below.

Starting with this version, the minimum required IGI version is 5.2.2.

A set of database scripts is bundled to enable IGIUserToISIM. Use the README in IGIUserChangeLogTrigger.zip to enable and disable the triggers on IGI 5.2.4.

ISIGADI v7.0.7.4 (12/14/2017)

A new assembly line, IGIUserToISIM, fulfills user creation events from IGI to ISIM. See the ISIGADI/IGIUSERTOISIM.properties file for details and the "IGIUserToISIM Assembly Line" section below for the configuration.

ISIGADI v7.0.7.3.1 (11/24/2017)

None

ISIGADI v7.0.7.3 (10/26/2017)

A new assembly line, Validate, is introduced in this fix pack. It validates that the services, groups and accounts in ISIM exist in IGI. See the ISIGADI/VALIDATE.properties file for details.

ISIGADI v7.0.7.2 (09/21/2017)

Internal: An ITIM Service and its groups and accounts can be excluded from the Load and Delta assembly lines. The new property isim.service.include.ITIMService is introduced in ISIG.properties; see the comments on this property in ISIG.properties for details.

Internal: Previously, if an account belonged to a group that did not exist in ISIM or IGI, the account was not loaded to IGI. Data Integrator now loads the account and logs a warning.

Internal: Previously, if a user held a role that did not exist in ISIM or IGI, the user was not loaded to IGI. Data Integrator now loads the user and logs a warning.

Internal: The overall performance of Load and Delta is improved; loading accounts with many groups and users with many roles runs about 40% faster. Previously the IGI API was used to look up an entity in IGI, which was expensive because it was a remote EJB method call. Data Integrator now uses the TDI JDBC connector to look up the entity directly in the IGI database table.

Internal: Logging improvement. Previous versions of Data Integrator did not state clearly whether an entity would be created or updated. Data Integrator now reports whether the entity will be added or updated in a user-friendly message.

The "Use right value as permission" feature for non-group permissions in IGI 5.2.3 is supported.

ISIGADI v7.0.7.1 (03/23/2017)

None

ISIGADI v7.0.7 (12/15/2016) (For more information on these new features, see the TECH NOTE.)

Improved logging:

-        The log file size and number of rollover files can be configured.

-        The information log file for the Load assembly line lists the errors at the end of the log file.

Supports ISIM 6 and ISIM 7 when justification is required.

Supports loading entities by entity type.

Supports loading a subset of services and their dependent entities.

Supports non-group permissions using Attribute-to-Permission Mapping on IGI 5.2.2.

Supports RACF group rights.

Supports IGI 5.2.2 with DB2, Oracle, or PostgreSQL server.

Supports Oracle 12c database as the Data Integrator system store.

ISIGADI v7.0.6 (06/17/2016)

Custom attributes for Account and Person are supported.

IGI OU mapping to ISIM entities is supported.

For ITIM 5.1, the mapping from service profile name to account profile name is no longer needed in the ATTRIBUTES.properties file. It is obtained automatically from the corresponding service profile in the LDAP server.

ISIGADI v7.0.5.1 (04/29/2016)

The RACF adapter with the complex attribute handler is supported.

ISIGADI v7.0.5 (03/25/2016)

IBM Security Identity Governance and Intelligence v5.2.1 is supported.

Automatic ISIM adapter support.

-        The adapter-specific group metadata mapping is no longer needed in the ATTRIBUTES.properties file.

Multiple group types per ISIM service are supported. For example, both AIX roles and AIX groups are supported without additional configuration on Data Integrator.

A new property sets the maximum number of entries that ISIGtoISIM can process per iteration: isig.ISIGtoISIM.max.limit in ISIG.properties.

ISIGADI v7.0.4 (12/10/2015)

Supports ISIM adapters with the complex attribute handler, such as the Oracle EBS adapter. See the "Customizing" section in the TECH NOTE.

ISIGADI v7.0.3.1 (11/18/2015)

None

ISIGADI v7.0.3 (10/30/2015)

ISIM roles are synchronized as external roles instead of business roles.

ISIM access information for roles and groups is synchronized to ISIGI.

ISIGADI v7.0.2.1 (09/10/2015)

None

ISIGADI v7.0.2 (07/23/2015)

IBM Tivoli Identity Manager 5.1 is supported.

ISIGADI v7.0.1.1 (06/29/2015)

ISIG 5.1.1 is supported.

ISIGADI v7.0.1 (04/16/2015)

Entitlement change fulfillment from ISIG to ISIM is supported.

Script files to start and stop the TDI server and assembly lines are provided.

ISIGADI v7.0 (12/04/2014)

Data synchronization from ISIM to ISIG is supported.


Closed Issues

PMR# / APAR#: Description

ISIGADI v7.0.7.7.2

Internal: LoadPerson fails for some users because of duplicated CODE entries in IGACORE.ORGANIZATIONAL_UNIT.
Internal: The Delta assembly line throws "CTGDIS183E Error while mapping attribute 'isUidChanged' in the Output Attribute Map of Component 'AccountDeltaModify' (AccountDeltaModify.Output.isUidChanged)".

ISIGADI v7.0.7.7.1

Internal: In an IGI multi-account environment, secondary accounts on the same service do not take the user's inherited entitlements into account.
Internal: Delta throws an error when isig.ISIGtoISIM.stale.event.days is 0 or commented out.

ISIGADI v7.0.7.7

IJ17669: Issue with removal of the manager value from an ISIM update on the IGI side.
IJ19045: optional.ATTRIBUTE is not updated correctly by LoadPerson.

ISIGADI v7.0.7.6

IJ07085: ISIGtoISIM is case sensitive with the erglobalid of roles.
IJ07125: OOM failure. LoadInit used a cn=* filter and did nothing with the retrieved results; the filter is changed to ou=itim.
IJ07992: The '&' special character in isim.password causes XML parsing issues.
IJ12532: If a group name contains recycleBin, ISIGADI skips the group.
Internal: Delta AL performance issue.

ISIGADI v7.0.7.5

Internal: The Load assembly line encounters "[AuthorizationException] ErrorCode: 11" after running for some time.
175201: ISIGADI fails to synchronize group membership from IGI into ISIM when the AD group name contains the special character &, for example FP&A.
Internal: Rights of a mapped attribute revoked during a campaign are ignored by ISIGtoISIM. Temporary fix: the page size is set to 1000 during the IGI REST call.
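Two of the closed issues above (IJ07992, '&' in isim.password, and PMR 175201, the AD group FP&A) are the same failure mode: a value carrying '&' is placed into XML markup without escaping and the receiving parser rejects the document. The release notes do not say how ISIGADI builds its XML, so the following Python is an added example, not ISIGADI code, that reproduces the failure with string concatenation and shows the two usual fixes. The request element layout and the sample values are constructed for the illustration.

```python
"""Added example: why '&' in a password or group name breaks naively built
XML, and how escaping or an XML builder fixes it. Not ISIGADI code; the
<request> element layout and the values are constructed for illustration."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed values: '&' is the character named in IJ07992 and PMR 175201.
PASSWORD = "s3cret&more"
GROUP = "FP&A"


def build_by_concat(user, password, group):
    """Fragile: raw values pasted into markup. '&' starts an entity reference,
    so '&more' and '&A' make the document ill-formed."""
    return (f"<request><user>{user}</user><password>{password}</password>"
            f"<group>{group}</group></request>")


def build_escaped(user, password, group):
    """Fix 1: escape every text node (& < >) before concatenating."""
    return (f"<request><user>{escape(user)}</user>"
            f"<password>{escape(password)}</password>"
            f"<group>{escape(group)}</group></request>")


def build_with_etree(user, password, group):
    """Fix 2: build a tree and let the library serialise it, so escaping
    cannot be forgotten for any field."""
    root = ET.Element("request")
    ET.SubElement(root, "user").text = user
    ET.SubElement(root, "password").text = password
    ET.SubElement(root, "group").text = group
    return ET.tostring(root, encoding="unicode")


def is_well_formed(xml_text):
    """What the receiving side effectively checks before it can act."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def group_from(xml_text):
    """Parse the request and return the group name as the receiver sees it."""
    return ET.fromstring(xml_text).findtext("group")


def demo():
    args = ("isigadi", PASSWORD, GROUP)
    return {
        "concat_parses": is_well_formed(build_by_concat(*args)),    # False
        "escaped_parses": is_well_formed(build_escaped(*args)),     # True
        "etree_parses": is_well_formed(build_with_etree(*args)),    # True
        "etree_group": group_from(build_with_etree(*args)),         # 'FP&A'
        "escaped_markup": build_escaped(*args),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second fix is the one to prefer: with a tree builder every text node is escaped on serialisation, so a new field added later (or a value like `<` or `"` instead of `&`) cannot reintroduce the problem.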

ISIGADI v7.0.7.4

TS000054906 / IJ02406: The Delta assembly line removes external roles from the user when the user is updated on ISIM.

ISIGADI v7.0.7.3.1

Internal: The Load assembly line did not load org units, roles, services, and groups.

ISIGADI v7.0.7.3

38773,004,000 / IJ00456: Multiple accounts from the same service on the same person in ISIM are not handled as expected during load.
64459,L6Q,000 / IJ00481: ISIGADI group search needs to properly escape \#.

ISIGADI v7.0.7.2

82023,004,000 / IV97150: The Delta assembly line does not update an account if its group has access defined.
84141,004,000 / IV97347: Load and Delta do not load an IBM Notes group if the group has multiple description attribute values in ISIM.
00041,004,000 / IV98678: ISIGtoISIM should handle missing events in the USER_EVNT_ERC table gracefully.
24047,082,000 / IV97876: After ISIGtoISIM processed an "Add Right" event, the Delta assembly line added back the removed right value. The new property isigToIsim.ignore.events.from.isigadiAdmin is introduced in ISIG.properties; see the comments on this property in ISIG.properties for details.
62195,227,000 / IV94698: The ersupervisor attribute of the person could not be used as the manager attribute.
21229,227,000 / IV97246: The Load and Delta assembly lines do not load an account that has no value for the eraccountstatus attribute in ISIM.
41172,227,000 / IV98477: If an account has many groups, loading the account takes too long.
03365,004,000 / IV98252: ISIGADI should prevent multiple ISIGtoISIM assembly lines from being started.


ISIGADI v7.0.7.1

94205,004,000 / IV92099: ISIGtoISIM does not work if two groups of different types in the same application have the same name.
13218,227,000 / IV92017: The Delta AL stops running when the account expiration attribute is deleted on the ISIM side.
78778,082,000 / IV92462: LoadPerson does not load a person because ISIGADI could not find a distinct OU in IGI.
10395,227,000 / IV93340: Performance issue with "ISIM - Group - Lookup" while running the Delta AL.
89260,082,000 / IV93251: The Delta AL does not honour the isim.skipOUSynch=true property.
Internal 157086: The Load AL throws an exception when a group named "Group%" is created while groups prefixed with "Group" exist.

ISIGADI v7.0.7

94626,082,000 / IV89533: Dynamic roles should not be loaded from ISIM to IGI.
72466,004,000 / IV89646: The {protect}- prefix does not encrypt ISIGADI properties.
74295,004,000 / IV90373: ISIGtoISIM fails when ISIM v6 or ISIM v7 requires justification.
73221,004,000 / IV90395: Verify does not report an error when an incorrect isim.username is used.
73378,004,000: When isig.db.user is set to a DB2 admin user, Verify succeeds but ISIGtoISIM fails when reading the IGI database table.
Internal 153619, 153621: In version 7.0.6, when ISIGtoISIM processed an Add or Remove Permission event for an account that is an orphan account on ISIM, an error was thrown. These events are processed as Ignored in version 7.0.7.
Internal 153631: In version 7.0.6, Delta did not remove the owner of an organizational unit once it had been set. This is fixed in version 7.0.7.

ISIGADI v7.0.6

60901,227,000 / IV84225: The group description is not synchronized to IGI.

ISIGADI v7.0.5.1

16445,004,000 / IV83909: Load and Delta assembly lines: loading or updating an account fails with StringIndexOutOfBoundsException if the service profile for the account has no group defined.
Internal: Delta stops running if a person has two accounts on a service and the second account is updated. Data Integrator loads only the first account to IGI, so the second account is never loaded; when it is updated while Delta is running, Delta stops.
Internal: Load and Delta do not work if the password of the "admin" user on IGI is changed.

ISIGADI v7.0.5

07295,004,000 / IV82053: Load / Delta: the wrong error is thrown when the group for an account is not found on ISIM while loading the account to IGI.
53799,004,000 / IV81125: ISIGtoISIM should not synchronize back the events generated by Data Integrator.
70220,004,000 / IV81046: Delta crashes with OutOfMemoryError.

ISIGADI v7.0.4

42457,004,000 / IV79217: The [ISIGtoISIM.WritePermissionToISIM/ISIM - Group - Lookup] assembly line fails because multiple entries are found.
Internal: The ISIGtoISIM assembly line reports success, but the request is still pending on the ISIM side.

ISIGADI v7.0.3.1

The Load assembly line does not synchronize an account to IGI if the account has a group with access enabled and the access name differs from the group name.
The Delta assembly line does not synchronize the access name of a group if access is enabled with a new access name for an existing permission.
The ISIGtoISIM assembly line does not fulfill a permission assignment if the IGI permission name differs from the ISIM group name.

ISIGADI v7.0.3

81572,004,000 / IV77143: Verify fails if the admin user password is changed on ISIG.
83901,004,000 / IV77473: The TDI dashboard does not work.

ISIGADI v7.0.2.1

73009,004,000 / IV76337: A StackOverflowError is thrown from the System.getProperties() method while the Delta assembly line is running.
IV76091: The ISIG user password is not set when an ISIM person is synchronized to ISIG; the user ID is set as the password instead.

ISIGADI v7.0.2

None

ISIGADI v7.0.1.1

None

ISIGADI v7.0.1

10274,004,000 / IV69098: Delta load fails after an ISIM schema change.
30341,004,000 / IV69555: Person load fails if the erroles attribute contains an empty string.

 

Known Issues

Internal# / APAR#: Description

122333: A warning message is counted as an error in the summary statistics report.

123331: Assigning an ISIM system group to a user in ISIG is not synchronized to ISIM. This is due to a defect on the ISIM side.

-        This is fixed in ISIM 6 fix pack 10 and ISIM VA v7.0.1.

123332: If a user is already a member of a role, and that role is assigned a new permission directly or through another role, and the user has no account for the application associated with the permission, the new permission is not fulfilled because no new account request is initiated in ISIG. This defect is being investigated.

125775: When password synchronization is not enabled on ISIM, accounts created or restored from ISIG are not fulfilled to ISIM. This defect is being investigated.

153521: ISIM APAR IV86115: Unable to modify SAP/RACF sub-form attribute.

Because of this issue, RACF connect group sub-attribute values cannot be modified on ISIM, and the Delta assembly line will not work for this case until the ISIM APAR is fixed.

-        This is fixed in ISIM 6 fix pack 17.

153522: ISIGtoISIM fails when a RACF connect group is added to or removed from a user. This problem is due to an issue in ISIM and/or the RACF complex attribute handler.

-        The problem was found with ISIM 6 FP15 and RACF SSI Profile v6.0.24.

-        This is fixed in RACF adapter v6.0.28.

165985: From time to time the Delta assembly line gets stuck when a new organization is created. This is a timing issue between TDI's LDAP and IDS Changelog connectors. The fix will be included in TDI's next fix pack (7.1.1-TIV-TDI-FP0007).


Known Limitations

Internal# / APAR#: Description

1: Support for synchronization of Role-Permission mapping and role hierarchy in Identity Manager is not available with this release.

2: Service groups in Identity Manager are mapped to permissions in Identity Governance. Support for permissions that are not represented as service groups in Identity Manager is not available in this release.

-        Since IGI v5.2.2, non-group permissions are supported by Attribute-to-Permission Mapping. Since ISIGADI v7.0.7, non-group permissions are supported.

3: Support for mapping one Identity Manager service to multiple applications is not available in this release.

4: Support for multiple group types per Identity Manager service is not available in this release. For example, the POSIX AIX service supports AIX groups and AIX roles; this release supports user permission mapping in Identity Governance for one of them but not both.

-        Since version 7.0.5, multiple group types per service are supported.

5: Support for multiple accounts of a person on the same Identity Manager service is not available in this release.

-        Since version 7.0.7.5, multiple accounts of a person on the same Identity Manager service are supported.

7: Support for permissions that map to hosted service groups in Identity Manager is not available in this release.

8: Support for password synchronization for ISIG accounts is not available in this release.

9: Support for defining a subset of Identity Manager entities for synchronization is not available in this release.

-        Since version 7.0.7,

o   ISIM entities can be loaded by entity type.

o   A subset of services and their dependent entities can be loaded.

51: Consolidation of user permission changes resulting from role assignment changes is not available in this release.

When a role is assigned to a user in ISIG, the role assignment is updated in ISIM if the role exists in ISIM. If the role is associated with a list of permissions for targets managed by ISIM, those permissions are also assigned to the user in ISIM. If Delta load is running, the user-permission changes are synchronized back into ISIG as direct user-permission associations even though they are already implied by the user-role assignment in ISIG.

When an account has required attributes, the create account event is not fulfilled from ISIG to ISIM, since ISIG has no knowledge of these attributes.

Work-around: Set the account default values for the service on the ISIM side.

On ISIM, if groups on a service have the same name differing only in letter case, Data Integrator loads only the first one, because IGI does not allow permissions with the same name to be created. If this happens, reorganize these groups on ISIM so that only one group exists and rerun the Load assembly line. For example, you cannot have groups named DEVELOPERS and developers on the same service on ISIM.

For the same reason, you cannot have roles with the same name differing only in letter case on ISIM.
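Two entries in these notes reduce to the same pre-load check: the 7.0.7.7.2 closed issue where LoadPerson failed on duplicated CODE values in IGACORE.ORGANIZATIONAL_UNIT, and the limitation above on group and role names that differ only in letter case. The following Python is an added example, not ISIGADI code, that runs both checks before a Load: a GROUP BY query against an in-memory SQLite stand-in for the IGI table (the real table sits in the IGACORE schema on DB2, Oracle or PostgreSQL and has more columns; only CODE and the existence of duplicates are assumed here), and a case-folded duplicate scan over constructed (service, group name) pairs of the kind that would come from ISIM.

```python
"""Added example: pre-load duplicate checks. Not ISIGADI code. The
ORGANIZATIONAL_UNIT rows and the ISIM group list are constructed samples;
the real IGI table lives in the IGACORE schema and has more columns."""
import sqlite3
from collections import defaultdict

# The same query a DBA would run against IGACORE.ORGANIZATIONAL_UNIT; here it
# targets the unqualified table name in the SQLite stand-in.
DUPLICATE_OU_CODES_SQL = """
SELECT CODE, COUNT(*) AS N
FROM ORGANIZATIONAL_UNIT
GROUP BY CODE
HAVING COUNT(*) > 1
ORDER BY CODE
"""

OU_ROWS = [  # constructed: CODE 'SALES' appears twice
    (1, "ENG", "Engineering"),
    (2, "SALES", "Sales"),
    (3, "SALES", "Sales EMEA"),
    (4, "HR", "Human Resources"),
]

ISIM_GROUPS = [  # constructed (service, group name) pairs from ISIM
    ("erglobalid=1,ou=services", "DEVELOPERS"),
    ("erglobalid=1,ou=services", "developers"),
    ("erglobalid=1,ou=services", "Admins"),
    ("erglobalid=2,ou=services", "developers"),  # other service: no clash
]


def build_ou_table(rows=OU_ROWS):
    """In-memory stand-in for the IGI OU table, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ORGANIZATIONAL_UNIT "
                 "(ID INTEGER PRIMARY KEY, CODE TEXT NOT NULL, NAME TEXT)")
    conn.executemany("INSERT INTO ORGANIZATIONAL_UNIT VALUES (?, ?, ?)", rows)
    return conn


def duplicate_ou_codes(conn):
    """[(code, count)] for every CODE that occurs more than once."""
    return conn.execute(DUPLICATE_OU_CODES_SQL).fetchall()


def resolve_ou(conn, code):
    """Load-time lookup that insists on exactly one match, failing loudly
    instead of silently picking an arbitrary row."""
    ids = [r[0] for r in conn.execute(
        "SELECT ID FROM ORGANIZATIONAL_UNIT WHERE CODE = ?", (code,))]
    if len(ids) != 1:
        raise LookupError(f"OU code {code!r} matched {len(ids)} rows, expected 1")
    return ids[0]


def case_collisions(groups):
    """{(service, folded_name): [names]} for names on one service that differ
    only by case; IGI would accept only the first of them as a permission."""
    by_service = defaultdict(lambda: defaultdict(list))
    for service, name in groups:
        by_service[service][name.casefold()].append(name)
    return {(svc, key): names
            for svc, folded in by_service.items()
            for key, names in folded.items() if len(names) > 1}


def preload_report(conn=None, groups=ISIM_GROUPS):
    """Both checks in one place; an empty result for each means Load is safe."""
    conn = conn or build_ou_table()
    return {"duplicate_ou_codes": duplicate_ou_codes(conn),
            "case_collisions": case_collisions(groups)}


if __name__ == "__main__":
    print(preload_report())
```

Roles get the same case-folded scan as groups; the only difference is that roles are not scoped to a service, so the whole role list is one bucket.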

 

Installation, Configuration and Operation Notes

7.0.7.6 Multiple connector jars

Three connector jar files are bundled in the zip file under jars/connectors:
isigadi-connectors-igi.jar: copy this file to TDI_HOME/jars/connectors/ if the IGI release version is 5.2.3 or earlier.
isigadi-connectors-igi523.jar: copy this file to TDI_HOME/jars/connectors/ if the IGI release version is 5.2.3.1 or later in the 5.2.3 stream. If you are upgrading from a previous IGI version, make sure the existing isigadi-connectors-igi.jar is removed from TDI_HOME/jars/connectors/.
isigadi-connectors-igi524.jar: copy this file to TDI_HOME/jars/connectors/ if the IGI release version is 5.2.4 or later. If you are upgrading from a previous IGI version, make sure the existing isigadi-connectors-igi.jar (or isigadi-connectors-igi523.jar) is removed from TDI_HOME/jars/connectors/.
Only one version of the connector jar may be present in TDI_HOME/jars/connectors/: one of isigadi-connectors-igi.jar, isigadi-connectors-igi523.jar or isigadi-connectors-igi524.jar.
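The following Python is an added pre-flight check, not ISIGADI code, that applies the rules above: it picks the jar for a given IGI release version and reports a connectors directory that holds more than one ISIGADI connector jar (the upgrade leftover the notes warn about) or lacks the right one. The version boundaries follow the list above; it is an assumption that the 523 jar covers 5.2.3.1 up to but not including 5.2.4, which follows from the rule that only one jar may be present. The directories it inspects in the demonstration are temporary ones created only for the example.

```python
"""Added example: choose the ISIGADI connector jar for an IGI release and
check TDI_HOME/jars/connectors/ for leftovers. Not ISIGADI code; the
temporary directories are created only for this demonstration."""
import os
import tempfile

CONNECTOR_JARS = (
    "isigadi-connectors-igi.jar",
    "isigadi-connectors-igi523.jar",
    "isigadi-connectors-igi524.jar",
)


def version_tuple(text, width=4):
    """'5.2.3.1' -> (5, 2, 3, 1); '5.2.4' -> (5, 2, 4, 0), so that 5.2.4 and
    5.2.4.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def connector_jar_for(igi_version):
    """Map an IGI release version to the single jar that belongs in
    TDI_HOME/jars/connectors/. Assumption: the 523 jar covers 5.2.3.1 up to
    but not including 5.2.4, since only one jar may be present."""
    v = version_tuple(igi_version)
    if v <= (5, 2, 3, 0):
        return CONNECTOR_JARS[0]
    if v < (5, 2, 4, 0):
        return CONNECTOR_JARS[1]
    return CONNECTOR_JARS[2]


def check_connectors_dir(path, igi_version):
    """Return a list of problems: more than one ISIGADI connector jar, or the
    jar for this IGI version missing. An empty list means the directory is
    as the notes require."""
    present = sorted(f for f in os.listdir(path) if f in CONNECTOR_JARS)
    expected = connector_jar_for(igi_version)
    problems = []
    if len(present) > 1:
        problems.append("more than one ISIGADI connector jar present: "
                        + ", ".join(present))
    if expected not in present:
        problems.append(f"{expected} is required for IGI {igi_version} but "
                        f"found: {', '.join(present) or 'none'}")
    return problems


def simulate(jars, igi_version):
    """Create a throw-away connectors directory holding the given jar names
    (as empty files) and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in jars:
            open(os.path.join(tmp, name), "w").close()
        return check_connectors_dir(tmp, igi_version)


if __name__ == "__main__":
    # Upgrade to 5.2.4 where the old jar was never removed: flagged.
    print(simulate(["isigadi-connectors-igi.jar",
                    "isigadi-connectors-igi524.jar"], "5.2.4.1"))
    # Clean install: no problems.
    print(simulate(["isigadi-connectors-igi524.jar"], "5.2.4.1"))
```

On a real system, call check_connectors_dir with the actual TDI_HOME/jars/connectors/ path and the IGI version in use; a non-empty list should stop the Load from being started.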

Support of multiple accounts per user on IGI (New in v7.0.7.5)

With the release of IGI 5.2.4, users can have multiple accounts on the same target application. With that capability, the same entitlements and rights can be associated with multiple accounts on the same application.

Requirements:

IGIUserToISIM Assembly Line (New in v7.0.7.4)

The IGIUserToISIM assembly line fulfills "User Add" events from IGI to ISIM. The following files are created and updated for this assembly line.

Requirements:

After the user log is enabled, only the "add user" events are fulfilled by the IGIUserToISIM assembly line. For more detail, see the ISIGADI/IGIUSERTOISIM.properties file.

Validate Assembly Line (New in v7.0.7.3)

For the Validate assembly line, a new configuration file, VALIDATE.properties, is introduced, and a new logging section for Validate is added to log4j.properties. After the installation zip file is unzipped to a temporary directory, make sure that the VALIDATE.properties file is added to, and log4j.properties is merged into, the files in the ISIGADI_SOL_DIR/ISIGADI directory. Both files are in the soldir/ISIGADI directory of the unzipped installation zip file.

For IGI 5.2.3.x

If you are using IGI v5.2.3.x, download the SDK.zip file from the IGI VA system and copy all the files in its sdk/lib directory to the TDI_HOME/jars/3rdparty/IBM/IGI directory.

See the "Integration between IBM Security Identity Manager and IBM Security Identity Governance and Intelligence" TECH NOTE for detailed instructions.

Supported Configurations

The IBM Security Identity Governance and Administration Data Integrator was built and tested on the following product versions.

Installation Platform

The IBM Security Identity Governance and Administration Data Integrator installs into Tivoli Directory Integrator (TDI) and may be installed on the following platforms:

·         Red Hat Enterprise Linux 6.5

·         Windows 7

Required TDI version:

·       IBM Tivoli Directory Integrator v7.2 (supported since ISIGADI 7.0.7.5).

Database Support

The IBM Security Identity Governance and Administration Data Integrator requires a database to store information about entity mappings between the integrated products.

Supported databases:

·         IBM DB2 Universal Database™ Enterprise Server Edition v10.1

·         IBM DB2 Universal Database™ Enterprise Server Edition v10.5 with Fix Pack 3 or higher

·         IBM DB2 Universal Database™ Enterprise Server Edition v11.1

·         Oracle 12c Release 1 database

Integrated Products

The IBM Security Identity Governance and Administration Data Integrator supports the following product versions:

ISIM Versions

·        IBM Security Identity Manager v6.0.0.18 (version 6.0.0 with fix pack 18 or higher)

·        IBM Security Identity Manager v7.0.1.7 VA (version 7.0.1 with fix pack 7 or higher)

IGI Versions

·        IBM Security Identity Governance and Intelligence v5.2.4 VA with DB2 or Oracle Database.

·        IBM Security Identity Governance and Intelligence v5.2.3 VA with DB2, Oracle, or PostgreSQL Database.

·        IBM Security Identity Governance and Intelligence v5.2.2 VA with DB2, Oracle, or PostgreSQL Database.

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785 U.S.A.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

 

End of Release Notes