NetIQ Identity Governance 3.5.1 and 3.5 include new features, improve usability, and resolve several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the NetIQ Identity Governance forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
For more information about this release and for the latest release notes, see the Identity Governance Documentation Web site.
The following outlines the key features and functions provided by this version, as well as issues resolved in this release:
This release includes performance tuning of analytics and fact (metric) collection.
This release includes several enhancements to business role policies behavior and management:
Enhanced auto-request processing including automatic compensation for business role request latency and fulfillment issues
Ability to enable compensating requests for requests generated by other processes such as access request, reviews, and Separation of Duties (SoD) violations administration
Ability to detect and resolve auto request inconsistencies
Ability to monitor business role detections
Database schema updates
This release includes the ability to specify user selection as mapped users, account custodians, or either mapped users or account custodians in an account review definition. For more information, see NetIQ Identity Governance Administrator Guide.
This release includes new certification policy types, ability to manually calculate certification policy violations for partial reviews, and database schema changes. For more information, see NetIQ Identity Governance Administrator Guide.
This release includes three new reports supporting risk policy configuration, review delegation assignments, and certification policy violations. It also includes advanced filtering and modifications to several reports.
The following issue has been fixed in Identity Governance 3.5.1:
Cannot Use Identity Collectors with Change Events That Were Upgraded or Converted in Identity Governance 3.5.0
The following outlines the key features and functions provided by this version, as well as issues resolved in this release:
This release has top navigation instead of left navigation to improve readability and enable better usage of page width to display content. It also includes the ability to easily navigate from sub-page to the related main pages by clicking on the page header link.
Because of changed or additional element IDs and the different navigation settings, customizations you made to your previous environment might not work as expected. After installing this version, review and adjust any customizations as needed.
This release introduces interactive audit query support, analytics data extraction, and governance metrics calculations.
This release enables you to detect and approve or resolve SoD (Separation of Duties) violations that might occur in the future if a set of access requests are fulfilled.
This release provides focused certification capabilities to allow for immediate review and remediation of identity life cycle events, control violations, and audit exceptions.
This release includes additional review definitions that enable business users to verify and correct direct report assignments and identity profile information.
This release automates and simplifies the process of archiving data from the operational governance system. In addition, the Data Purge utility from previous releases has been included in the product as part of new database maintenance features accessible through the> administrative console menu.
This release includes 10 new reports supporting direct reports reviews, user profile reviews, authorization assignments, business role memberships, performance logs, and data source changes. The release also includes the ability to connect to Vertica to store reporting data.
In addition to the above new features and enhancements, this release also includes:
Import and export capabilities in additional areas such as roles and policies
Advanced search capabilities using filter icon in additional areas.
Ability to authorize permissions from an IDM application and from an IDM role that contains other IDM roles and/or IDM resources using Identity Governance business or technical role authorization policies.
For more information, see Defining Business Roles.
Ability to view hierarchy of contained permissions in reviews
Ability to select groups and business roles as Escalation Reviewers
Ability to configure fulfillment targets for catalog update requests related to profile attributes, reporting relationships, and policy violation remediation change requests
Ability to connect to Vertica to store custom metrics data
Ability to select supervisor of the reviewer in the TO field of the review definition for escalation notifications
The following issues have been fixed in Identity Governance 3.5.0:
When Utilizing the Active Directory, eDirectory, or Identity Manager Identities with Changes Collectors, Certain Mappings Do Not Change
When Utilizing the Active Directory, eDirectory, or Identity Manager Identities with Changes Collectors a Full Collect and Publish Is Required After a Move or Rename
Cannot Use Quote Characters for Passwords during the Install
Purging All Analytical Facts and Reviews
This release requires the following minimum components:
Red Hat Enterprise Linux (RHEL) 7.4, SUSE Linux Enterprise Server (SLES) 12 SP3, or Windows Server 2016
Microsoft SQL Server 2017, Oracle 12c SP2 with latest patches, or PostgreSQL 10.5
Apache Tomcat 9.0.12
An authentication service (One SSO Provider (OSP) 6.3.0 or NetIQ Access Manager 4.4)
LDAP authentication server (Microsoft Active Directory, NetIQ eDirectory 9.1.1, or NetIQ Identity Manager 4.7.2)
Java Runtime Environment (JRE) Zulu JRE 8u181
ActiveMQ 5.15.6 (if you require notifications guaranteed to be sent using SMTP)
A supported Web browser (Microsoft Internet Explorer is not supported in Compatibility View)
NOTE:To fully integrate Identity Governance 3.5 features with NetIQ Identity Manager, you must have NetIQ Identity Manager 4.7.2, at a minimum. For Single Sign On (SSO) between Identity Governance 3.5 and NetIQ Identity Manager 4.7, you must have OSP 6.3.1 available in 4.7.x patch and later versions of NetIQ Identity Manager, at a minimum.
The following components are optional:
NetIQ Identity Reporting
NetIQ Identity Manager
NOTE:Identity Governance requires the igops schema to have the additional privileges of create public synonym and drop public synonym.
For your convenience, NetIQ provides sample installation scripts to help you install components needed for Identity Governance, such as Tomcat, ActiveMQ, PostgreSQL, and OSP. For more information see Identity Governance Sample Installation Scripts - Linux or Identity Governance Sample Installation Scripts - Windows on the Identity Governance Documentation Web site.
NOTE:NetIQ no longer provides Tomcat, ActiveMQ or PostgreSQL software as part of the Identity Governance release.
You can upgrade to Identity Governance 3.5.1 from Identity Governance 3.0. As part of the upgrade process you must also migrate data since some of the collector templates and database tables and views have changed in this release. For more information, see NetIQ Identity Governance Installation Guide.
IMPORTANT:Ensure you have the DNS names to identify server hosts before beginning the upgrading procedure. Because of new standards-based authentication, using IP addresses might not work correctly in all circumstances. The side effect is that the OSP integration with Identity Governance and Identity Reporting will not work correctly in these circumstances.
If you installed the current or previous version of Identity Governance using IP addresses, you must replace the IP addresses with the fully qualified DNS names for these hosts in several configuration files. You can do this either before or after the upgrading procedure. For more information, see NetIQ Identity Governance Installation Guide.
If you are upgrading and changing database platforms, you cannot migrate your existing data to the new platform. For example, if you are running Identity Governance with PostgreSQL as your database and you plan to upgrade and use Microsoft SQL Server as your database, your existing data is not migrated to the new database.
For more information about the supported versions of Identity Governance components, see Section 3.0, System Requirements.
If you have not previously installed Identity Governance or want to create a new environment, see the NetIQ Identity Governance Installation Guide.
Existing customers can upgrade to this version after preparing their current environment for a successful migration of data to the new version. For information about the upgrade process, see “Upgrading Identity Governance” in the NetIQ Identity Governance Installation Guide.
With this release of Identity Governance, the Data Purge utility has been moved to be part of the product administrative console. As a result:
The data-purge-utility.(sh or bat) file will no longer be in the idgov/bin directory.
The data-purge-utility.jar file will no longer been the in the idgov/lib directory.
The REST API used by this version of the Data Purge utility will no longer be included in the product. If you had written code to use those REST endpoints, it will no longer work.
The REST APIs that no longer exist are those where the URL matches this pattern: /api/data/mgt/*.
The NetIQ Custom Collector SDK helps with custom collector and fulfillment template creation and maintenance. The Custom Collector SDK is available as a separate download package on the Identity Governance download page.
Go to the Identity Governance page on the NetIQ download link from your sales representative.
Extract the files for the operating system you have.
Locate and run the idgov-sdk application for your environment.
NetIQ Corporation strives to ensure that our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: When installing Identity Governance using the GUI mode on Linux, any message dialog box might contain unreadable text. The issue occurs because the installation program (InstallAnywhere) is preferring another font for the san-serif font family. (Bug 1137118)
Workaround: We recommend that you edit a configuration file for the fonts named 60-family-prefer.conf on the Linux server before starting the Identity Governance GUI installer. The 60-family-prefer.conf file configures or defines the preferred fonts when the programs use the standard aliases serif, san-serif, and monospace.
Use the following steps to configure the proper fonts file:
SSH to the Linux server as a user with read and write rights to the /etc/fonts/conf.d/60-family-prefer.conf file.
Open /etc/fonts/conf.d/60-family-prefer.conf file in a text editor.
Search the /etc/fonts/conf.d/60-family-prefer.conf file for the following block:
<match target="pattern"> <test name="family"> <string>sans-serif</string> </test> <test name="force_bw"> <bool>true</bool> </test> <edit name="family" mode="prepend"> <string>Liberation Sans</string> </edit> </match>
NOTE:This block prefers the Liberation Sans font when the font family alias is set to san-serif and force_bw is true.
Add the following block below the block you found:
<match target="pattern"> <test name="family"> <string>sans-serif</string> </test> <test name="force_bw"> <bool>false</bool> </test> <edit name="family" mode="prepend"> <string>DejaVu Sans</string> </edit> </match>
NOTE:The new block prefers the DejaVu Sans font when the font family alias is set to san-serif and force_bw is false. Together both blocks provide a preferred font to use for the san-serif font family alias, whether or not force-bw is enabled.
Save and close the file.
Execute the script /usr/sbin/fonts-config to reload the /etc/fonts/conf.d/60-family-prefer.conf file and the fonts so that the system sees the changes.
To execute the script access the sbin directory and from the command line, enter:
You can now start the installation again and the fonts are readable.
Identity Governance includes REST API documentation. To access this documentation, go to http://localhost:8080/doc/ where localhost represents your Identity Governance server.
Issue: When selecting entities from a list in Identity Governance, the custom columns available for selection are not filtered by user access. If the logged in user does not have access to view the full catalog attributes, columns which are not designated as Quick Info may show an error in the value. (Bug 1129401)
Workaround: Global or Data administrator should enable display of Quick Info view for all custom column attributes usingmenu by selecting the Quick info check box in the attribute settings page.
When compensating revoke requests are issued, they cannot be sent through any automated fulfillment process. The system will not have enough information about the permission assignment to determine the path upon which to fulfill the request. Revoke requests will be sent to the configured manual fallback for that type of request.
Issue: If two business roles (BR1 and BR2) authorize the same permissions and specify auto-grant and auto-revoke on those permissions, and a manual or bulk data update (also know as curation) occurs which moves a user from BR1 to BR2, the user could lose the permission for a period of time between the fulfillment of the auto-revoke request and the fulfillment of the compensating auto-grant request.
This is possible because after curation, separate detections are triggered for BR1 and BR2, instead of a single detection that does both together. If detection is first done on BR1 (the role the user lost membership in) followed by BR2 (the role the user gained membership in), Identity Governance would issue an auto-revoke, followed by a compensating auto-grant. If detection is first done on BR2 followed by BR1, auto-revoke or auto-grant request will not be issued. Based on your fulfillment approach (manual, workflow, automatic, custom), in the case where detection first occurs on BR1 and then BR2, causing an auto-revoke request and compensating auto-grant request to be issued, the user could lose the permission between the fulfillment of the auto-revoke request and the fulfillment of the compensating auto-grant request. (Bug 1128704)
Workaround: It is recommended that you do not utilize curation if you have business roles with overlapping permissions which are enabled for auto grants and auto revocation. If data update occurs, check business role detections ( > > ) to verify that a compensating grant request was issued and if not, detect inconsistencies ( > > ) and issue a grant request.
Issue: When using Chrome with autofill enabled, some product pages could prompt you to save changes when you navigate to another page, even if you have not made changes. This happens when Chrome automatically populates configuration fields as soon as the page loads. (Bug 1106253)
Workaround: Temporarily turn off autofill when accessing the product using Chrome browser, or ignore erroneous save prompts when you know you have not changed anything on the page.
Issue: The configuration settings for fact publication to Vertica do not include a schema name field.
Workaround: If you want to configure Vertica fact publication into a specific schema, use the table name field and use a comma to separate the schema name from the table name.
Issues: Because of new standards-based authentication, using IP addresses during installation might not work correctly in all circumstances. The side effect is that the OSP integration with Identity Governance and Identity Reporting will not work correctly in these circumstances.
Workaround: If you installed the current or previous version of Identity Governance using IP addresses, you must replace the IP addresses with the fully qualified DNS names for these hosts in several configuration files. You can do this either before or after the upgrading procedure. For more information, see NetIQ Identity Governance Installation Guide.
Issue: If you try to install Identity Governance or OSP in directories containing spaces, the installer fails with an error message. (Bug 1115423)
Workaround: Do not install the products in directories containing spaces.
Issue: Installing Identity Governance on a minimal install RHEL server could fail due to known issues in openJDK: (Bug 1115625)
Workaround: Install the following files before installing the product on a minimal install RHEL server:
If you run a GUI-mode installer via ssh -Y and the installer appears to hang, then either run the installer in console mode or try a different client machine. (Bug 1116795)
If you are using the Active Directory Azure collector, complete the following steps:
Enable the Azure Active Directory Graph API for your site and grant the following permissions to an account to access the API:
Generate an OAuth2 client and secret for API access.
Check that you can browse your Azure domain with the graph explorer using the account from Step 1. For more information, see https://developer.microsoft.com/en-us/graph/graph-explorer.
This is a browse upstream issue. The browser displays the prompt. To download the file accept the leave page prompt.
If you wish to utilize the data source (Bug 1069031)or feature, take note that extended characters should not be utilized in the names of your collectors. Collector names are utilized in the naming of the files that are created during download and the ZIP creation tools do not allow file entry names with extended characters.
To accept the license agreement a user must first scroll to the bottom of the EULA. In the past it was possible to Tab to the scrollbar and press PageDown to scroll but now a mouse must be used. This is a known Flexera InstallAnywhere 2017 issue. (Bug 1059164)
When using Oracle 12c SP2, you could see the following error message at various times (Bug 1011628):
ORA-01792: maximum number of columns in a table or view is 1000
Workaround: Apply all the patches available from Oracle.
The Oracle or PostgreSQL database server should be in the same subnetwork or data center as the Identity Governance server to avoid delays during installation, start-up, and runtime. (Bug 986222)
Issue: If you log in to Identity Governance as an administrator and allow the browser to remember your login credentials, the browser might apply those credentials to the values for connecting to the Identity Manager server. As a result, you might inadvertently change the wrong credentials for Identity manager.
You can observe this issue in Administration > Identity Manager System Connection Information. When the browser replaces the values for Identity Manager username and password, Identity Governance erroneously enables the save icon. (Bug 971939)
Workaround: Either do not allow the browser to remember your login credentials for Identity Governance or ignore the option to change and save the settings in> .
Issue: User authorizations fail with the following error if you are using an Identity Manager Collector:
You are authenticated and logged in, but you do not have access to the Identity Governance application. This means you logged in as a user who was valid in your authentication source, but has never been collected in Identity Governance or does not have access to the Identity Governance application.
Identity Governance expects the Identity Manager Collector to be the first collector in the list of Identities Collectors. (Bug 963011)
Workaround: There are two different ways resolve the error.
Login to Identity Governance as the Bootstrap Administrator.
In the LDAP Distinguish Name field, change it fromto .
Select, then publish the change.
Login to Identity Governance as the Bootstrap Administrator.
Drag and drop the Identity Manager Identities Collector to be first in the list.
Select, then publish the change.
Issue: If a date attribute in your data source uses a non-Java format, Identity Governance does not recognize the data as a date. For example, if the StartDate attribute uses “YYYY/MM/DD” fixed-length format and you want to collect it in date format, the collection will show an error. Identity Governance uses only the default format for Oracle Java for date attributes. (Bug 824779)
Workaround: Use one of the following workarounds:
Before collecting from the data source, “clean” the data by converting the attribute values to Java’s default date format, which uses the number of milliseconds that have elapsed since midnight, January 1, 1970.
Collect the value in string format so that you will be able to see the native value. This method also guarantees that the data does not have to be
clean to be collected. For more information, contact NetIQ Technical Support.
After you restart the server for the Identity Governance database, you must restart Identity Governance. Otherwise, Identity Governance might fail to complete processes such as data source publication. For more information, see NetIQ Identity Governance Installation Guide.(Bug 954090)
Issue: You are using Identity Governance with an Oracle database and you see the following error in the administrative console or in the catalina.out file:
ORA-01653: unable to extend table ARDCS.BASIC_COLLECTED_ENTITY by 1024 in tablespace USERS
The problem is the tablespace that Access Review uses for schemas has run out of space. (Bug 989425)
Workaround: Ensure that you connect to the correct instance if you are using the User tablespace. For example:
SQL> connect sys/oracle as SYSDBA Connected. SQL> alter session set container=pdborcl;
After issuing the commands, then you can alter the tablespace by adding data files.
Downloading a review definition with a large number of permissions, and then importing it causes application to become extremely slow or even unresponsive because permission ID is not an indexed attribute. (Bug 1062652)
If one is performing a silent install and setting all of the passwords in the environment as compared to in the silent properties file, value for install_smtp_secret_auth_user will not be read. (Bug 1072414)
NOTE:Although using silent mode is the most likely scenario for reading passwords from environment variables, the installer reads each defined variable regardless of the mode being used (GUI, Console, or Silent).
If you have customized the Risk level settings in Identity Governance, you must export these setting before upgrading or you will lose your customized settings. You export the settings to use as a reference when you are configuring the Risk settings again on the new version of Identity Governance. (Bug 1066689)
This is resolved with the ability to import and export all risk settings in Identity Governance 3.5.
The following additions have been made to the documentation after the documentation was released.
Changed OpenJDK JRE 8 to be Zulu OpenJDK 8 from Azul.
Changed the text to provide more information and added a procedure while updating the contents of the blocks.
Added missing information.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For general corporate and product information, see the NetIQ Corporate Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
© 2019 NetIQ Corporation. All Rights Reserved.