

RAC/M Identity™ is our simple and effective identity governance (IAM) solution that enables businesses large and small to understand and manage the complex relationships between users and their access to physical and digital resources, on-premise or in cloud computing.

SIGNIFICANT IMPROVEMENT

New email templates.

Brand new versions of the email templates are now provided with the solution.

Here are some examples of these email templates:

1. Example of an access review campaign notification email

2. Example of a task email for an access request

3. Example of a provisioning email for the arrival of a new employee

When updating the solution, the new email templates will be dropped into the following directory: [Installation Directory]\Okiok Data\RACM Identity\conf\templates\notifications_update. This allows you to validate differences and integrate new elements of distributed templates into custom templates.
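One way to carry out the comparison described above, as an added example (not vendor code): it lists, for each distributed template, the `@{...}` variables that the matching custom template does not use yet, and marks templates that have no custom counterpart. The custom directory name and the sample file contents are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# @{name} display variables and the variable tested in an @if{...} condition.
VAR = re.compile(r"@(?:if)?\{\s*([A-Za-z_][\w.]*)")

def template_vars(path):
    """Return the set of variable names referenced by one template file."""
    return set(VAR.findall(path.read_text(encoding="utf-8", errors="replace")))

def compare_templates(update_dir, custom_dir):
    """Map each distributed template (relative path) to what the custom copy lacks.

    The value is None when the custom tree has no such file, otherwise the
    sorted variables that only the distributed version uses. Templates with
    nothing missing are left out of the report.
    """
    update_dir, custom_dir = Path(update_dir), Path(custom_dir)
    report = {}
    for new in sorted(update_dir.rglob("*.html")):
        rel = new.relative_to(update_dir)
        old = custom_dir / rel
        if not old.is_file():
            report[rel.as_posix()] = None
            continue
        missing = sorted(template_vars(new) - template_vars(old))
        if missing:
            report[rel.as_posix()] = missing
    return report

def demo():
    """Build two small constructed trees (hypothetical contents) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        new, old = Path(tmp, "notifications_update"), Path(tmp, "custom")
        files = {
            new / "campaign/en/extended.html": "Hi @{recipient.firstName}",
            new / "campaign/en/reminder.html": "@{recipient.firstName} "
                "@if{displayCampaign.isDelegatedRecipient == true}(delegated)@end{}",
            old / "campaign/en/reminder.html": "Hi @{recipient.firstName}",
        }
        for path, body in files.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return compare_templates(new, old)

if __name__ == "__main__":
    for name, missing in demo().items():
        print(name, "-> no custom copy" if missing is None else missing)
```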

IMPROVEMENT

New email variables

  • {request.requestUrl}: Allows you to embed a URL in the email that will redirect the user directly to RAC/M in the right context once authenticated

    • Available in the following templates:

      • /notifications/profile/[lang]/task.html
      • /notifications/add_accesses_request/[lang]/notification.html
      • /notifications/add_accesses_request/[lang]/task.html
      • /notifications/identity/[lang]/notification.html
      • /notifications/identity/[lang]/task.html
      • /notifications/identification_termination/[lang]/notification.html
      • /notifications/identification_termination/[lang]/task.html
      • /notifications/identification_transfer/[lang]/notification.html
      • /notifications/identification_transfer/[lang]/task.html
      • /notifications/profile/[lang]/notification.html
      • /notifications/profile/[lang]/task.html
      • /notifications/remove_accesses_request/[lang]/notification.html
      • /notifications/remove_accesses_request/[lang]/task.html
      • /notifications/role/[lang]/notification.html
      • /notifications/role/[lang]/task.html
      • /notifications/written/[lang]/notification.html
      • /notifications/written/[lang]/task.html
    • For ‘notification.html’ files, the link is controlled by the ‘mail.notification.request.notification.url’ variable in the ‘config.properties’ file
    • For ‘task.html’ files, the link is controlled by the ‘mail.notification.request.task.url’ variable in the ‘config.properties’ file
  • @{requestUrl}: Allows you to embed a URL in the email that will redirect the user directly to RAC/M in the right context once authenticated

    • Available in the following templates:

      • /notifications/provisioning/[lang]/automaticProvisioning_accesses.html
      • /notifications/provisioning/[lang]/automaticProvisioning_account.html
      • /notifications/provisioning/[lang]/manualProvisioning_admin.html
      • /notifications/provisioning/[lang]/manualProvisioning_owner.html
      • /notifications/provisioning/[lang]/manualProvisioning_reconciliation.html
    • This link is controlled by the variable ‘mail.notification.login.url’ in the ‘config.properties’ file
  • @{loginUrl}: Allows you to embed a URL in the email that will redirect the user directly to RAC/M Identity

    • Available in the following templates:

      • /notifications/provisioning/[lang]/writtenRequestProvisioning.html
      • /notifications/provisioning/[lang]/provisioning_request_onboarding.html
      • /notifications/provisioning/[lang]/provisioning_requested_onboarding.html
      • /notifications/provisioning/[lang]/renewal_identity.html
      • /notifications/provisioning/[lang]/cancelAccountProvisioning.html
    • This link is controlled by the variable ‘mail.notification.login.url’ in the ‘config.properties’ file
  • /notifications/[context]/[lang]/tasks.html and notification.html:

    • Added new display variables to all templates named tasks.html and notification.html:

      • @{request.groupsToAddMaxReachedLeftOver} and @{request.groupsToRemoveMaxReachedLeftOver}: Used in a condition to know if more than 4 items are returned by the list of groups to add or remove. It is also used to display the number of extra items that are not displayed in the email.
      • @{request.rolesToAddMaxReachedLeftOver} and @{request.rolesToRemoveMaxReachedLeftOver}: Used in a condition to know if more than 4 items are returned by the list of roles to add or remove. It is also used to display the number of extra items that are not displayed in the email.
      • @{request.writtenRequestsMaxReachedLeftOver}: Used in a condition to know if more than 4 items are returned by the list of written requests to process. It is also used to display the number of extra items that are not displayed in the email.
  • @{startDate} and @{endDate}: Display the start and end dates of an identity

    • Available in the following templates:

      • notifications/provisioning/[lang]/provisioning_requested_onboarding.html
      • notifications/provisioning/[lang]/identity_onboarding_account_information.html
  • /notifications/campaign/[lang]/changed.html and extended.html:

    • Added three new display variables. When a review campaign is transferred to another reviewer, they make it possible to display the information of the original reviewer.

      • @{displayCampaign.originalReviewerFirstName} : Shows the first name of the original approver
      • @{displayCampaign.originalReviewerLastName} : Displays the last name of the original approver
      • @{displayCampaign.originalReviewerEmail} : Displays the original approver’s email
  • /notifications/identification_transfer/[lang]/notification.html

    • Added new display variables. These variables are used to display the modifications requested during a transfer request.

      • @{request.modifiedJobName}: Title of the identity
      • @{request.modifiedWorkLocationName}: Work location
      • @{request.modifiedSupervisorName}: Supervisor
      • @{request.modifiedOrganisationName}: Organisation
  • /notifications/provisioning/[lang]/cancelGroupProvisioning.html

    • Added a new display variable.

      • @{cancelledByEmail}: Displays the email address of the person who cancelled the provisioning.
  • /notifications/campaign/[lang]/provisioning_requested_onboarding.html

    • Added the @{identity} variable that displays all the information of an identity. Here is how it is used in this template:

      • @{identity.fullName}: Full name
      • @{identity.email}: Email
      • @{identity.jobs.name}: Title
      • @{identity.organisational.name}: Organisation
      • @{identity.structural.name}: Department
      • @{identity.workLocation.name}: Work location
      • @{identity.employmentStatus.name}: Employment status
      • @{identity.employmentType.name}: Employment type

Other Improvements

  • /notifications/campaign/[lang]/reminder.html

    • Correction of the name of the recipient at the top after the Hi/Bonjour
    • When reviewing by a delegate from a delegation group, to see the delegate’s name in the ‘Reviewer/Approver’ section, use the @{recipient.firstName} and @{recipient.lastName} variables.
      Moreover, it is possible to display this value only if this email is sent to a delegate with the following condition:
      @if{displayCampaign.isDelegatedRecipient == true}(delegated to @{recipient.firstName} @{recipient.lastName})@end{}
  • Added an ICF connector for XML files. #2703
  • Added ModuleReorganizeIndexDatabase module that rebuilds indexes. #2407
  • Modification of the default config.properties file to no longer allow encryption protocols weaker than TLS 1.2. #2538
  • Added information in the request screens: ‘Automatically approved’, ‘Description’, ‘Reason’ and ‘Other details’. #2663

CORRECTIONS

  • When editing a request during approval, it was possible to submit an approval after granularly rejecting one, or more, of the groups or roles without pressing the “Confirm” button. An error message will be presented if a user causes this situation. #2758
  • In the editing screen of a sequence, the button for editing a selected block has been corrected. #2793
  • The timeout for a write to the audit log has been increased from 5 to 10 seconds to allow overloaded systems to write. #2796
  • There was a display error when saving identities. The supervisor and reviewer were not displayed with their new values. #2767
  • It will no longer be possible to create groups without a name. Existing groups without a name will be converted to ‘Vide, Empty’. #2595
  • When two requests were made for the same accesses and one was rejected, both requests were cancelled. This has been fixed. #1924
  • It is no longer possible to create a module without putting a name. #2658
  • When updating a delegation group that is used by workflow tasks, an error would occur. This has been fixed. #2781
  • In the Sequence screen, an error in editing a block occurred when a “+” is part of the name. This problem was also detected in other types of links in RAC/M Identity. All identified cases have been corrected. #2789
  • When requesting a role or group, if no owner is configured and owner approval is required, an error occurred at the time of the request. #2649
  • When a group is added to a role, if requests are opened to remove that group at a future date for any member(s) of the role, they will be cancelled. #2386
  • Added a standardized error page when an unexpected error occurs. This prevents information leakage about the technologies used in the application. #2541
  • Added a security attribute to the cookie used by the RAC/M Identity web server. #2542
  • Some minor issues have been fixed in the account matching screen. #2583
  • When a request was made for an identity that is the sole approver of the access, the access was not approvable/cancelable. This has been fixed and the provisioning of this access is now set to an error status to indicate the configuration issue. #2385
  • A cross site scripting vulnerability has been fixed in the login page. #2535
  • A vulnerability allowing user enumeration from the Login page has been fixed. #2540
  • Optimized the HSTS header of RAC/M Identity web pages. The default lifetime has been extended. #2536
  • When removing roles in bulk from an identity page, situations could arise where not all accesses of the role were removed for that identity. This has been fixed. #2511
  • Displaying the list of campaigns for a given certifier was causing a slow request and performance problems. Indexes have been added to some revision tables. #2797
  • The link at the top of the account details page that leads to the corresponding account provisioning list was wrong. The link restricted the list to “Open” requests which would often lead to an empty list. #2617
  • When importing and exporting a static role configuration, an error occurred. This has been fixed. #2430
  • A correction has been made in the authorization for roles. A profile that only has “read” rights cannot generate roles now. #2433
  • New help texts on the context of a review campaign have been added at the top of their pages. #2411
  • Fixed the way that indicators are written in the database to fix a race condition that prevented some of them from being saved. #2408
  • Mail servers using STARTTLS are now supported. Added the configuration property ‘mail.server.starttls.enable’ in the ‘config.properties’ file. #2822
  • The access rights to the navigation menu for the role sessions and the additional functions management screen have been corrected. #2433
  • Importing a sequence containing several blocks that contain the same module caused an error that duplicated the module fields. This has been fixed. #2829
  • It is now possible to restart a workflow that was cancelled. #2823.
  • Minor corrections of display texts #2757, #2635
  • Self-service
    • An error occurred when taking an action to renew an identity. This has been corrected. #2726
    • Removal of the old self-service which is no longer supported. #2522
    • Two fixes in the SOD modal detail window:
      • A special character display error has been corrected. #2849
      • The description of a SOD rule is now displayed. #2851
  • Review campaigns
    • An error occurred when creating a campaign when several extended attributes are used in the search criteria filter. This has been corrected. #2689
    • When an error occurred when switching a review campaign to preview mode, the campaign was changing to “PROCESSING” status instead of “ERROR”. This has been corrected. #2674
    • In a role content review campaign, the filter button that switches to “By included role” mode has been fixed because it was not displaying anything. #2693
    • The role campaigns were causing a performance problem in the processing of the role hierarchy. This has been fixed by optimizing the SQL query involved. #2750
    • In a campaign by asset manager, service accounts are now always reviewed by the asset owner. #2414
    • A condition error has been corrected to ensure that incremental campaigns include all required organizations, departments and titles. #2701
    • Added a message to a campaign reminder that is 100% reviewed but not completed. #2437
    • The possibility to make a temporary approval in the past is no longer allowed. #2537
    • Correction of the counter of completed elements in a campaign by account trustees. #2852
    • The modal window of the reports had an error of behavior when the subwindow of a filter was opened. This behavior has been corrected. #2848
    • When creating a campaign report, if an identity associated with this campaign is deleted, this caused an error. This behavior has been corrected. #2840
    • A correction has been made to allow the start of a review campaign with person extended attributes. #2842.
    • The relative dates displayed in the review campaigns will correctly display the absolute date when the cursor is placed over the relative date. #2836
    • Non-trustee service accounts were not included in the ‘Trustee Account Review – All Entitlements’ campaigns. Non-trustee service accounts are now included. #2838
  • Modules
    • ModuleCopyColumnsAndInsertSQL: A validation has been added to ensure that elements in an import table that are pending provisioning are not copied. #2401
    • ModuleExternalSCPGet: Update of the SCP and SFTP transfer library to use more recent encryption algorithms. #2779
    • ModuleHRTerminationDate: An identity can now be terminated even if another identity associated with the same person becomes active soon. #2197
    • ModuleExplodeAccountMngRole: This module has been corrected to now take into account the elements of the ACCOUNT_MNG_ROLE table in the order of creation. #2512
    • ModuleSendEmailFolder: This module has been modified to allow the configuration of the email subject. #2608
    • ModuleDeleteNonUpdatedSinceDate : This module no longer deletes unimported groups when the module is configured to delete accounts. #2811

BREAKING CHANGES

  • A new email template is now used for campaign extensions. The template is called ‘extended.html’ and is located in the ‘templates/notification/[lang]/campaign’ directory. Previously, the template ‘changed.html’ was used for the campaign extension. You should therefore introduce a new template into your directory structure and adapt it to the theme of your organization or use the new template provided.
  • Added three properties to the config.properties file that control the links in the emails described above. These properties must be added to the configuration file for RAC/M Identity to start.

    • mail.notification.login.url=http://[host]:[port]/gui/login.action
    • mail.notification.request.notification.url=http://[host]:[port]/gui/login.action?redirectURL=selfServiceProvisioningRequest.action
    • mail.notification.request.task.url=http://[host]:[port]/gui/login.action?redirectURL=selfServiceDashboard.action
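A pre-upgrade check for the three properties above, as an added example (not vendor code): it reports properties that are missing, still contain the `[host]`/`[port]` placeholders, point to the login page over a scheme other than https, or carry a `redirectURL` different from the one shown in these notes. The https check and the sample host `racm.example.test` are assumptions of this example; the sample file content is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Properties the release notes say must exist, mapped to the redirectURL
# value shown there (None: the sample URL carries no redirectURL).
REQUIRED = {
    "mail.notification.login.url": None,
    "mail.notification.request.notification.url": "selfServiceProvisioningRequest.action",
    "mail.notification.request.task.url": "selfServiceDashboard.action",
}

# Constructed sample; racm.example.test is a placeholder host.
SAMPLE = """\
# mail links
mail.notification.login.url=https://racm.example.test/gui/login.action
mail.notification.request.notification.url=http://racm.example.test:8080/gui/login.action?redirectURL=selfServiceProvisioningRequest.action
mail.notification.request.task.url=http://[host]:[port]/gui/login.action?redirectURL=selfServiceDashboard.action
"""

def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if cut != -1:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def check_mail_links(text):
    """Return (property, finding) tuples; an empty list means nothing to fix."""
    props, findings = parse_properties(text), []
    for key, expected in REQUIRED.items():
        value = props.get(key, "")
        if not value:
            findings.append((key, "missing"))
        elif "[host]" in value or "[port]" in value:
            findings.append((key, "placeholder not replaced"))
        else:
            url = urlsplit(value)
            if url.scheme != "https":
                findings.append((key, "not https"))
            redirect = parse_qs(url.query).get("redirectURL", [None])[0]
            if redirect != expected:
                findings.append((key, f"unexpected redirectURL {redirect!r}"))
    return findings

if __name__ == "__main__":
    for key, finding in check_mail_links(SAMPLE):
        print(f"{key}: {finding}")
```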
