Component

Version������������������������������������������������������������������������������������

Release Date

May 22, 2018

Version

7.0.7.5

Installation Guide

The installation procedures are described in the following TECH NOTE.

 Enhancement # (RFE)

Description

ISIGADI v7.0.7.5 (5/22/2018)

Load, Delta and ISIGToISIM assembly lines are enhanced to support multi-accounts per user on IGI. For the configuration, see Support of multiple accounts per user on IGI section below.

Starting from this version, IGI required minimum version is 5.2.2.

A set of database scripts are bundled to enable IGIUserToISIM. Use the README in IGIUserChangeLogTrigger.zip to enable and disable triggers on IGI 5.2.4.

ISIGADI v7.0.7.4 (12/14/2017)

New assembly line, IGIUserToISIM, is introduced to fulfill the user creation events from IGI to ISIM. See ISIGADI/IGIUSERTOISIM.properties file for detail.� For the configuration, see IGIUserToISIM Assembly Line section below.

ISIGADI v7.0.7.3.1 (11/24/2017)

None

ISIGADI v7.0.7.3 (10/26/2017)

New assembly line Validate is introduced in this fix pack. It will validate that the services, groups and accounts in ISIM exists in IGI.� See ISIGADI/VALIDATE.properties file for detail.

ISIGADI v7.0.7.2 (09/21/2017)

Internal

ITIM Service and its groups and accounts can be excluded for Load and Delta assembly line. The new property, isim.service.include.ITIMService is introduced in ISIG.properties.� See the comments for this property in ISIG.properties file for more detail.

Internal

Previously, if the account has the group and the group does not exist in ISIM or IGI, this account is not loaded to IGI.� Data Integrator is updated to load the account with the warning.

Internal

Previously, if the user has the role and this role does not exist in ISIM or IGI, the user is not loaded to IGI.� Data Integrator is updated to load the user with the warning.

Internal

The overall performance for Load and Delta is improved.� Especially when loading accounts with many groups and users with many roles, Data Integrator performed about 40% faster.� Previously, IGI API was used to lookup an entity in IGI and it was very expensive since it was the remote EJB method call.� The Data Integrator is now using the TDI JDBC connector to lookup the entity directly from IGI database table.

Internal

Logging Improvement.� Previous version of Data Integrator did not show the proper message about whether the entity would be created or updated.� Now, Data Integrator shows whether the entity will be added or updated with the user friendly message.

�Use right value as permission� feature for non-group permission in IGI 5.2.3 is supported.

ISIGADI v7.0.7.1 (03/23/2017)

None

ISIGADI v7.0.7 (For more information on these new features, see TECH NOTE.) (12/15/2016)

Improved logging:

-        The log file size and number of rollover files can be configured.

-        The information log file for Load assembly line will have the list of errors at the end of log file.

Supports ISIM 6 and ISIM 7 with required justification.

Supports loading entities by entity type.

Supports loading subset of services and its dependent entities.

Supports Non-Group Permission using Attribute-to-Permission Mapping on IGI 5.2.2

Supports RACF group rights.

Supports IGI 5.2.2 with DB2, Oracle, or PostgreSQL server.

Supports Oracle 12c database as Data Integrator system store.

ISIGADI v7.0.6 (06/17/2016)

Custom attributes for Account and Person are supported.

IGI OU mapping to ISIM entities is supported.

For ITIM 5.1, the mapping for service profile name to account profile name is not needed in ATTRIBUTES.properties file.� It is obtained automatically from the corresponding service profile in LDAP server.

ISIGADI v7.0.5.1 (04/29/2016)

The RACF adapter with complex attribute handler is supported.

ISIGADI v7.0.5 (03/25/2016)

IBM Security Identity Governance and Intelligence v5.2.1 is supported.

Automatic ISIM adapter support.

-        The adapter specific group metadata mapping is not needed anymore in ATTRIBUTES.properties file.

Multiple group types for ISIM service are supported.� For example, both AIX roles and groups are supported without any additional configuration on Data Integrator.

New property is introduced to set the maximum number of entries that ISIGtoISIM can process per iteration. The property isig.ISIGtoISIM.max.limit is added to ISIG.properties file.

ISIGADI v7.0.4 (12/10/2015)

Supports the ISIM adapters with the complex attribute handler such as Oracle EBS adapter.� See �Customizing� section in the TECH NOTE.

ISIGADI v7.0.3.1 (11/18/2015)

None

ISIGADI v7.0.3 (10/30/2015)

ISIM roles are synchronized as external roles instead of business roles.

ISIM Access information for role and group is synchronized to ISIGI.

ISIGADI v7.0.2.1 (09/10/2015)

None

ISIGADI v7.0.2 (07/23/2015)

IBM Tivoli Identity Manager 5.1 is supported.

ISIGADI v7.0.1.1 (06/29/2015)

ISIG 5.1.1 is supported.

ISIGADI v7.0.1 (04/16/2015)

Entitlement change fulfillment from ISIG to ISIM is supported.

Script files to start and stop TDI server and assembly line are provided.

ISIGADI v7.0 (12/04/2014)

Data synchronization from ISIM to ISIG is supported.

 PMR#

APAR#

PMR# / Description

ISIGADI v7.0.7.5

Internal

Load assembly line encounters "[AuthorizationException] ErrorCode: 11" after running some time.

175201

ISIGADI fails to synchronize from IGI into ISIM , the group membership when AD group name contains special character: & example : FP&A.

Internal

Rights of mapped attribute revoked during a campaigned is ignored by the ISIGADI ISIGtoISIM. Temp fix by setting page size to 1000 during IGI REST call.

ISIGADI v7.0.7.4

TS000054906

IJ02406

Delta assembly line removes those external roles from the user when the user is updated on ISIM.

ISIGADI v7.0.7.3.1

Internal

The Load assembly line didn�t load org units, roles, services, and groups.

ISIGADI v7.0.7.3

38773,004,000

IJ00456

The multiple accounts from same service on same person in ISIM are not handled as expected during load.

64459,L6Q,000

IJ00481

ISIGADI group search needs to properly delimit \#.

ISIGADI v7.0.7.2

82023,004,000

IV97150

Delta assembly line does not update account if its group has access defined.

84141,004,000

IV97347

Load and Delta does not load IBM Notes group if the group has multiple description attribute values in ISIM.

00041,004,000

IV98678

ISIGtoISIM should handle missing events in USER_EVNT_ERC table gracefully.

24047,082,000

IV97876

After ISIGtoISIM processes �Add Right� event, Delta assembly line added back the removed right value.� The new property isigToIsim.ignore.events.from.isigadiAdmin is introduced in ISIG.properties file. See the comments for this property in ISIG.properties for more detail.

62195,227,000

IV94698

The erpupervisor attribute for the person could not be used as the manager attribute.

21229,227,000

IV97246

Load and Delta assembly line do not load the account if the account does not have the value for eraccountstatus attribute in ISIM.

41172,227,000

IV98477

If the account has many groups then it takes too long to load the account.

03365,004,000

IV98252

ISIGADI should prevent multiple ISIGtoISIM assembly line getting started.

ISIGADI v7.0.7.1

94205,004,000

IV92099

ISIGtoISIM is not working if two groups in different type in a same application have same name.

13218,227,000

IV92017

Delta AL stops running when account expiration attribute deleted on ISIM side.

78778,082,000

IV92462

LoadPerson does not load person since ISIGADI could not find distinct OU in IGI.

10395,227,000

IV93340

Performance issue with "ISIM - Group - Lookup" while running Delta AL.

89260,082,000

IV93251

Delta AL is not honoring the isim.skipOUSynch=true property.

Internal

157086

Load AL throws Exception while a group named "Group%" is created if there are groups that are prefixed with "Group".

ISIGADI v7.0.7

94626,082,000

IV89533

Dynamic role should not be loaded from ISIM to IGI.

72466,004,000

IV89646

Prefix {protect}- does not encrypt ISIGADI properties.

74295,004,000

IV90373

ISIGtoISIM fails when ISIM v6 or ISIM v7 requires justification.

73221,004,000

IV90395

Verify does not report error when incorrect isim.username is used.

73378,004,000

When isig.db.user is set with DB2 admin user, the Verify succeeds but ISIGtoISIM fails when reading the IGI database table

Internal

153619

153621

With Version 7.0.6, when ISIGtoISIM processes Add or Remove Permission event, the error is thrown if the account is an orphan account on ISIM.� These events are processed as Ignored in Version 7.0.7.

Internal

153631

With Version 7.0.6, Delta does not remove the owner of any organizational unit once it was set.� This is fixed in Version 7.0.7.

ISIGADI v7.0.6

60901,227,000

IV84225

The group description is not synchronized to IGI.

ISIGADI v7.0.5.1

16445,004,000

IV83909

Load and Delta assembly line � loading or updating an account fails with StringIndexOutOfBoundsException if the service profile for this account has no group defined.

Internal

Delta stops running if the person has two accounts on a service and the second account is updated.� Since the Data Integrator will only load the first account to IGI, the second account will not be loaded to IGI.� When the second account is updated while Delta is running the Delta stops running.

Internal

Load and Delta does not work if the password of �admin� user on IGI is changed.

ISIGADI v7.0.5

07295,004,000

IV82053

Load / Delta � Wrong error is thrown when the group for an account is not found on ISIM while loading the account to IGI.

53799,004,000

IV81125

ISIGtoISIM should not synch back the events generated by Data Integrator.

70220,004,000

IV81046

Delta crashes with OutOfMemoryError.

ISIGADI v7.0.4

42457,004,000

IV79217

[ISIGtoISIM.WritePermissionToISIM/ISIM - Group � Lookup] assembly line fails because the multiple entries found.

Internal

ISIGtoISIM assembly line results in success, but request is still pending on ISIM side

ISIGADI v7.0.3.1

The Load assembly line does not synchronize the accounts to IGI if the account has the group with access enabled and the access name is different than the group name.

The Delta assembly line does not synchronize the access name of the group if the access is enabled with the new access name for existing permission.

The ISIGtoISIM assembly line does not fulfill the permission assignment if the IGI permission name is different than ISIM group name.

ISIGADI v7.0.3

81572,004,000

IV77143

Verify fails if the admin user password is changed on ISIG.

83901,004,000

IV77473

The TDI dashboard does not work.

ISIGADI v7.0.2.1

73009,004,000

IV76337

The StackOverflowError is thrown from System.getProperties() method while Delta assembly line is running.

IV76091

The ISIG User password is not set when ISIM person is synchronized to ISIG.� The user id is set as the password.

ISIGADI v7.0.2

None

ISIGADI v7.0.1.1

None

ISIGADI v7.0.1

10274,004,000

IV69098

Delta load fails after an ISIM schema change

30341,004,000

IV69555

Person load fails if the erroles attribute contains empty string

 Internal#

APAR#

PMR# / Description

122333

Warning message counts as error in summary statistics report

123331

Assigning an ISIM system group to a user in ISIG is not synchronized to ISIM. This is due to the defect on ISIM side.�

-        This is fixed in ISIM 6 fix pack 10 and ISIM VA v7.0.1.

123332

If a user is already a member of a role and this role is assigned with new permission or assigned with other roles with new permission, if the user does not have account for the Application associated with the permission, then the new assigned permission is not fulfilled since new account request is not initiated in ISIG. This defect is being investigated.

125775

When the password synchronization is not enabled on ISIM, the accounts being created or restored from ISIG does not fulfilled to ISIM.� This defect is being investigated.

153521

ISIM APAR IV86115: Unable to modify SAP/RACF sub-form attribute.

Due to this issue, you cannot modify RACF connect group sub-attribute values on ISIM. Delta assembly line will not work for this case until this ISIM ARAR is fixed.

-        This is fixed in ISIM 6 fix pack 17.

153522

ISIGtoISIM fails when RACF connect group is added to or removed from a user.� This problem is due to the issue in ISIM and/or RACF complex attribute handler.

-        The problem was found with ISIM 6 FP15 with RACF SSI Profile v6.0.24.

-        This is fixed in RACF adapter v6.0.28.

165985

From time to time, Delta assembly line gets stuck when the new organization is created.� This issue is due to the timing issue from TDI�s LDAP and IDS Changelog connectors.� This issue is fixed and the fix will be included in TDI�s next fix pack (7.1.1-TIV-TDI-FP0007).

 Internal#

APAR#

PMR# / Description

1

Support for synchronization of Role-Permission mapping and role hierarchy in Identity Manager is not available with this release.

2

Service groups in Identity Manager are mapped to permissions in Identity Governance.� Support for permissions that are not represented as service groups in Identity Manager is not available in this release.

-        Since IGI v5.2.2, the Non-group permission is supported by Attribute-to-Permission Mapping.� Since ISIGADI v7.0.7, the non- group permission is supported.

3

Support for mapping one Identity Manager service to multiple applications is not available in this release.

4

Support for multiple group types for each Identity Manager service is not available in this release. For example, POSIX AIX service supports AIX groups and AIX Role, in this release, it only supports user permissions mapping in Identity Governance for one of them but not both.

-        Since version 7.0.5, the multiple group types for the service are supported.

5

Support for multiple accounts of a person on same Identity Manager service is not available in this release.

-        Since version 7.0.7.5, multiple accounts of a person on same Identity Manager service is supported.

7

Support for permissions that map to hosted service groups in Identity Manager is not available in this release.

8

Support for password synchronization for ISIG accounts is not available in this release.

9

Support for define subset of Identity Manager entities for synchronization is not available in this release.

-        Since version 7.0.7,

o   The ISIM entities can be loaded by entity type.

o   The subset of services and its dependent entities can be loaded.

51

Consolidation of user permission change as result of role assignment change is not available in this release.

When a role is assigned to a user in ISIG, role assignment is updated in ISIM if the role exists in ISIM.  If the role is associated with list of permissions for targets managed by ISIM, the permissions are also assigned to user in ISIM. If Delta load is running, the user-permission changes will be synchronized into ISIG as direct user-permission association even though these assignments are already implied by the user-role assignment in ISIG.

When the account has required attributes, create account event is not fulfilled from ISIG to ISIM since ISIG does not know about these information.

Work-around:� The account default value for the service should be set on ISIM side.

On ISIM, if the groups on a service have the same name with different case letters Data Integrator will only load the first one since the IGI does not allow to crate permissions with the same name.� If this happens, you need to reorganize these groups on ISIM so that only one group can exists and rerun the Load assembly line.� For example, you cannot have groups named DEVELOPERS and developers on a same service on ISIM.

For the same reason, you cannot have roles with same name with different case letters on ISIM.