Identity Manager 14.3 CP2

New Features and Enhancements in Identity Manager 14.3 CP2
Identity Manager 14.3 CP2 includes the following new features, enhancements, and certifications.
Load Balancing with Provisioning Servers
Identity Manager now supports round-robin load balancing, without any restrictions on either the types of provisioning operations or existing runtime limitations. This load balancing approach distributes client requests across a group of Provisioning Servers.
Section 508 Compliance and Accessibility Features
Section 508 requires that website content be accessible to people with disabilities. This applies to Web applications, Web pages, and all attached files on the Intranet as well as the Internet.
In accordance with Section 508 of the Rehabilitation Act (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998, this release introduces a new Identity Manager User Console skin named ui-508, which caters to the needs of people with disabilities.
For more information about the accessibility and compliance enhancements offered by the new ui-508 skin, see Section 508 Compliance and Accessibility Features.
Support for JBoss 7.2 and WildFly 15.0.x
Identity Manager supports JBoss 7.2 and WildFly 15.0.x as application servers.
To migrate to the latest version of these application servers, refer to Support for JBoss EAP 7.2 and WildFly 15.0.x.
Link User Information from Your HR Data Source Using HR Feed
The HR Feed feature allows you to use a defined Workday™ endpoint instance to link user information from the HR data source to streamline the user provisioning process in Identity Manager.
With this release, we are moving the release and management of this feature out of our validation site. Customers who participated in the validation program are now required to install this CP to gain access to support and new enhancements.
For more information, see HR Feed.
Additional Worker Attribute Mappings for HR Feed
HR Feed has two additional Worker Attribute Mappings that you can edit in the Workday.xml file:
  • Custom Request Criteria:
    For deployments that need additional request criteria to fetch data from Workday, edit this element to include the other request criteria.
  • Custom Response Group:
    If the
    defined in the
    section of your Workday.xml are not retrieved by the standard set of Response Group,
    you can use this
    section to define the response groups. 
The HR Feed feature is only available in version 14.3 CP2 or later.
For more information, see Create an HR Feed in the
Additional Worker Attribute Mappings
New Voice Message Support When Retrieving a One Time Password
Users can now request a one-time password from the login screen and receive it as a voice message.
You can only recover a one-time password with a voice message if you are using Twilio.
Full Support for Endpoint Outages
Identity Manager provides full support for endpoint outages. The outages can include planned outages that are managed by administrators and unplanned outages.
This enhancement will update the Database Schema.
Configure the New Property to Improve Performance
You can configure the new property in the ehcache.xml file to help improve performance. Ehcache governs the access to cached data with minimal costs of time and system resources. Editing Ehcache improves performance by reducing the load on the underlying resources. Ehcache primarily concerns itself with Java Objects, but is also used for SOAP and RESTful server caching, application persistence, and distributed caching.
Increasing these values also increases heap space utilization. You must consider your system configuration and resources before updating these values appropriately. Increasing these values without consideration may degrade system performance.
For more information, see Configuring the Cache Using the ehcache File.
Property to Better Display Error Messages
Identity Manager numbers all validation failures that appear in any Identity Manager screens that display failures. The failures are not sortable. Validation messages shown in a task context are now hyperlinked to the screen pages where the attribute is shown.
For more information, see either Validation Objects, or the property in Task Configuration Properties.
Switch Tab When Invalid Property Example
New Custom Group Membership Tabs
You can install and use the following custom group membership tabs:
  • The Group Membership DN tab allows you to manage and view all members of a group via their associated DN. To ensure good performance when fetching members in large groups, this tab fetches the member’s unique identifier (DN) instead of the member’s complete record. This reduces the number of calls that Identity Manager makes to the user directory.
  • The Group Membership Filter tab allows you to search for the members of a group that match a certain query filter. Identity Manager then displays members whose unique identifier matches the filter.
For more information, see Using Custom Group Membership Tabs.
RACF v2 and CA Top Secret v2 Connectors Support IBM MFA for z/OS Systems
The most common way for users to access z/OS systems is with passwords or password phrases. Simple passwords are open to exploitation because users tend to choose common passwords, write their passwords down, or unintentionally install malware that logs keystrokes and captures passwords. A more secure option is to apply multiple authentication factors to verify the user’s identity. With multiple authentication factors, discovering one of the factors is not enough to compromise a user account.
To strengthen logon security, the RACF v2 and CA Top Secret v2 connectors are enhanced to support IBM Multi-Factor Authentication (MFA) for z/OS systems. RACF v2 and CA Top Secret v2 users can now be enabled for authentication through IBM MFA.
To accomplish user configuration for MFA, a new tab is introduced in the Modify User Account action of the RACF v2 and CA Top Secret v2 user accounts. Given below is a sample screen of the Modify RACF v2 User Account with MFA attributes:
MFA Attributes for User Accounts
For more information about the MFA attributes, see the RACF v2 and CA Top Secret v2 attributes list.
RACF v2 Connector Supports IBM NetView for z/OS Systems
Unauthorized RACF v2 user access to NetView programs on z/OS systems can lead to vital system information being changed or destroyed. To prevent unauthorized system use and ensure that users are responsible for the actions taken by their operator task, the RACF v2 connector is enhanced to support the IBM NetView segment of a user profile on z/OS systems. RACF v2 users can now be configured with access authorization to z/OS systems through IBM NetView. Access authorization restricts or enables RACF v2 users to view or change information, issue commands, and perform operator duties on NetView programs.
To configure access authorization for NetView programs, a new tab is introduced in the Modify User Account action of the RACF v2 user accounts.
Given below is a sample screen of the Modify RACF v2 User Account with NetView attributes:
NETVIEW Attributes for User Accounts
For more information about the NetView attributes, see the RACF v2 attributes list.
RACF v2 Connector Supports IBM CSDATA for z/OS Systems
The RACF v2 connector is enhanced to support the IBM CSDATA segment of a user profile on z/OS systems. Using IBM CSDATA, RACF v2 users can now be assigned RACF custom fields that store security information about a user, as defined by the security administrator on z/OS systems.
As part of this enhancement, a new container, User Defined Fields, is added to the Explore operation so that the user-defined fields can be stored locally. To assign custom fields to RACF v2 users, a new tab, User Defined Fields, is introduced in the Modify User Account action of the RACF v2 user accounts.
Given below are the sample screens of the Explore operation and the Modify RACF v2 User Account with CSDATA attributes:
CSTA Explore Operation
CSTA Attributes
For more information about the CSDATA attributes, see the RACF v2 attributes list.
Schema Extension for Dynamic Connector
The custom attributes for Dynamic endpoint are increased from 800 to 1500.
Active Directory Password Synchronization Agent Supports LSASS Protection Mode
The Password Synchronization Agent is now compatible with Local Security Authority Subsystem Service (LSASS) protection mode enabled on Active Directory and WindowsNT endpoints.
Manage Active Directory Unix NIS Domain
Microsoft has deprecated Identity Management for Unix (IDMU) and the NIS Server role starting from Windows Server 2016.
As a result, starting from Active Directory 2016, the NIS domain is not applicable for managing Unix attributes. Going forward, you must manually provide the Unique Identification (UID) value in the Active Directory template to create UID for Unix domain users.
Increased Active Connections from C++ Connector Server (CCS) to Active Directory
Identity Manager now supports multiple active connections from the C++ Connector Server (CCS) to the Active Directory Domain Server. The default maximum number of connections allowed in a connection pool per endpoint is 10. The extended connection support allows multiple operations to be run in parallel and improves the overall scalability of the application.
Ability to Unlock Oracle E-Business Suite (EBS) Account
The Oracle Applications connector is enhanced to retrieve the locked state of an Oracle E-Business Suite (EBS) account.
For more information, see Oracle Applications Connector.
User Role Certification
The Identity Manager User Role Certification feature allows an administrator to run certification of user roles (Admin, Access, and Provisioning) directly from Identity Manager, including the ability to perform closed-loop remediation (de-provisioning) activities based on the certification reviewer's decisions.
For more information, see User Roles Certification.