Identity Manager 14.3 CP2
New Features and enhancements in Identity Manager 14.3 CP2
Identity Manager 14.3 CP2 includes the following new features, enhancements, and certifications.
Load Balancing with Provisioning Servers
Identity Manager now supports round-robin load balancing without any restrictions on either the types of provisioning operations or existing runtime limitations. This load balancing approach distributes client requests across a group of Provisioning servers.
For more information, see Adding Load-Balancing Provisioning Servers.
Section 508 Compliance and Accessibility Features
Section 508 requires that website content is accessible to people with disabilities. This applies to Web applications, Web pages, and all attached files on the intranet as well as the Internet.
In accordance with Section 508 of the Rehabilitation Act (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998, this release introduces a new Identity Manager User Console skin named ui7-508, which caters to the needs of people with disabilities.
For more information about the accessibility and compliance enhancements offered by the new ui-508 skin, see Section 508 Compliance and Accessibility Features.
Support for JBoss 7.2 and WildFly 15.0.x
Identity Manager supports JBoss 7.2 and WildFly 15.0.x as application servers.
To migrate to the latest version of these application servers, refer to Support for JBoss EAP 7.2 and WildFly 15.0.x.
Link User Information from Your HR Data Source Using HR Feed
The HR Feed feature allows you to use a defined Workday™ endpoint instance to link user information from the HR data source to streamline the user provisioning process in Identity Manager.
With this release, we are moving the release and management of this feature out of our validation site. Customers who participated in the validation program are now required to install this CP to gain access to support and new enhancements.
For more information, see HR Feed.
Additional Worker Attribute Mappings for HR Feed
HR Feed has two additional Worker Attribute Mappings that you can edit in the Workday.xml file:
- Custom Request Criteria: For deployments that need additional request criteria to fetch data from Workday, edit this element to include other request criteria.
- Custom Response Group: If the CustomHRUserAttributes defined in the CustomHRUserAttributes section of your Workday.xml are not retrieved by the standard set of Response Groups, then you can use this CustomHRResponseGroups section to define the response groups.
For more information, see Create an HR Feed in the Additional Worker Attribute Mappings section.
The HR Feed feature is only available in version 14.3 CP2 or later.
New Voice Message Support When Retrieving a One Time Password
Users can now request a one-time password from the login screen and receive it as a voice message.
You can only recover a one-time password with a voice message if you are using Twilio.
For more information, see Recover the Password or LoginId with a One-Time Password with a Text or Voice Message.
Full Support for Endpoint Outages
Identity Manager provides full support for endpoint outages. The outages can include planned outages that are managed by administrators and unplanned outages.
This enhancement will update the Database Schema.
Configure the New maxElementsInMemory Property to Improve Performance
You can configure the new maxElementsInMemory property in the ehcache.xml file to help improve performance. Ehcache governs the access to cached data with minimal costs of time and system resources. Editing Ehcache improves performance by reducing the load on the underlying resources. Ehcache primarily concerns itself with Java Objects, but is also used for SOAP and RESTful server caching, application persistence, and distributed caching.
For more information, see Configuring the Cache Using the ehcache File.
Increasing these values also increases heap space utilization. You must consider your system configuration and resources before updating these values. Increasing these values without consideration may degrade system performance.
SwitchTabWhenInvalid Property to Better Display Error Messages
Identity Manager numbers all validation failures that appear in any Identity Manager screens that display failures. The failures are not sortable. Validation messages shown in a task context are now hyperlinked to the screen pages where the attribute is shown.
New Custom Group Membership Tabs
You can install and use the following custom group membership tabs:
- The Group Membership DN tab allows you to manage and view all members of a group via their associated DN. To ensure good performance when fetching members in large groups, this tab fetches the member’s unique identifier (DN) instead of the member’s complete record. This reduces the number of calls that Identity Manager makes to the user directory.
- The Group Membership Filter tab allows you to search for the members of a group that match a certain query filter. Identity Manager then displays members whose unique identifier matches the filter.
RACF v2 and CA Top Secret v2 Connectors Support IBM MFA for z/OS Systems
The most common way for users to access z/OS systems is with passwords or password phrases. Simple passwords are open to exploitation because users tend to choose common passwords, write down their passwords, or unintentionally install malware that can log the keystrokes of a password. A more secure option is to apply multiple authentication factors to verify the user’s identity. With multiple authentication factors, a user account cannot be compromised if one of the factors is discovered.
To strengthen logon security, the RACF v2 and CA Top Secret v2 connectors are enhanced to support IBM Multi-Factor Authentication (MFA) for z/OS systems. RACF v2 and CA Top Secret v2 users can now be enabled for authentication through IBM MFA.
To configure users for MFA, a new tab, MFA, is introduced in the Modify User Account action of the RACF v2 and CA Top Secret v2 user accounts. Given below is a sample screen of the Modify RACF v2 User Account with MFA attributes:
For more information about the MFA attributes, see the RACF v2 and CA Top Secret v2 attributes list.
RACF v2 Connector Supports IBM NetView for z/OS Systems
Unauthorized RACF v2 user access to NetView programs on z/OS systems can lead to changing or destroying vital system information. To prevent unauthorized system use and ensure that users are responsible for the actions taken by their operator task, the RACF v2 connector is enhanced to support the IBM NetView segment of a user profile on z/OS systems. RACF v2 users can now be configured with access authorization to z/OS systems through IBM NetView. Access authorization restricts or enables RACF v2 users to view or change information, issue commands, and perform operator duties on NetView programs.
To configure access authorization for NetView programs, a new tab, NETVIEW, is introduced in the Modify User Account action of the RACF v2 user accounts.
Given below is a sample screen of the Modify RACF v2 User Account with NetView attributes:
For more information about the Netview attributes, see the RACF v2 attributes list.
RACF v2 Connector Supports IBM CSDATA for z/OS Systems
The RACF v2 connector is enhanced to support the IBM CSDATA segment of a user profile on z/OS systems. Using IBM CSDATA, RACF v2 users can now be assigned RACF custom fields that store security information about a user as defined by the security administrator on z/OS systems.
As part of this enhancement, a new container, User Defined Fields, is added to the Explore operation so that the user-defined fields can be stored locally. To assign custom fields to RACF v2 users, a new tab, User Defined Fields, is introduced in the Modify User Account action of the RACF v2 user accounts.
Given below are the sample screens of the Explore operation and the Modify RACF v2 User Account with CSDATA attributes:
For more information about the CSDATA attributes, see the RACF v2 attributes list.
Schema Extension for Dynamic Connector
The custom attributes for the Dynamic endpoint are increased from 800 to 1500.
Active Directory Password Synchronization Agent Supports LSASS Protection Mode
Password Synchronization Agent is now compatible with Local Security Authority Server Service (LSASS) protection mode enabled on Active Directory and WindowsNT endpoints.
Manage Active Directory Unix NIS Domain
Microsoft has deprecated Identity Management for Unix (IDMU) and the NIS Server role starting from Windows Server 2016.
As a result, starting from Active Directory 2016, the NIS domain is not applicable for managing Unix attributes. Going forward, you must manually provide the Unique Identification (UID) value in the Active Directory template to create UID for Unix domain users.
For more details, see Manage Active Directory Unix NIS Domain.
Increased Active Connections from C++ Connector Server (CCS) to Active Directory
Identity Manager now supports multiple active connections from the C++ Connector Server (CCS) to the Active Directory Domain Server. The default maximum number of connections allowed in a connection pool per endpoint is 10. The extended connection support allows multiple operations to be run in parallel and improves the overall scalability of the application.
Ability to Unlock Oracle E-Business Suite (EBS) Account
The Oracle Applications connector is enhanced to retrieve the locked state of an Oracle E-Business Suite (EBS) account.
For more information, see Oracle Applications Connector.
User Role Certification
The Identity Manager User Role Certification feature allows an administrator to run user roles (Admin, Access, and Provisioning) certification directly from Identity Manager, including the ability to perform closed-loop remediation (de-provisioning) activities based on the certification reviewer decisions.
For more information, see User Roles Certification.
Identity Manager 14.3 CP2 certifies support for the following:
For the list of defects that are fixed in Identity Manager 14.3 CP2, view the following link: