8.4 IdentityIQ Release Notes
Version: 8.4
This document and the information contained herein is SailPoint Confidential Information
Copyright and Trademark Notices
“SailPoint Technologies,” (design and word mark), “SailPoint,” (design and word mark), “Identity IQ,” “IdentityNow,” “SecurityIQ,” “Identity AI,” “Identity Cube,” and “SailPoint Predictive Identity” are registered trademarks of SailPoint Technologies, Inc. “Identity is Everything,” “The Power of Identity,” and “Identity University” are trademarks of SailPoint Technologies, Inc. None of the foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc. All other trademarks shown herein are owned by the respective companies or persons indicated.
SailPoint Technologies, Inc. makes no warranty of any kind regarding these materials or the information included therein, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced, publicly displayed, used to create derivative works, or translated to another language, without the prior written consent of SailPoint Technologies. The information contained in this document is subject to change without notice.
Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c)(1) and (c)(2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.
Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws and regulations as they relate to software and related documentation. Licensee will not export or re-export outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism; a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Department of Commerce’s Entity List in Supplement No. 4 to 15 C.F.R. § 744; a party prohibited from participation in export or re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government’s Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software and related documentation.
Contents
IdentityIQ Release Notes 1
Supported Platforms 16
SailPoint IdentityIQ is a complete identity and access management solution that integrates governance and provisioning into a single solution leveraging a common identity repository and governance platform. Because of this approach, IdentityIQ consistently applies business and security policy and role and risk models across all identity and access-related activities - from access requests to access certifications and policy enforcement, to account provisioning and user lifecycle management. Through the use of patent-pending technologies and analytics, IdentityIQ improves security, lowers the cost of operations, and improves an organization's ability to meet compliance and provisioning demands.
- Supported Platforms
- Resolved issues
Feature/Enhancement Description

Access History
Access History gives your organization the ability to view historical access data for identities.
Access History tracks user access over time to reveal patterns of historical access, giving you the ability to see and report on past access changes in your business. Access History shows you the “who, what, when, why, and how” of changes to a user’s access over time.
- Seeing a user's timeline of access so that I can see how it has evolved over time
- Exporting the changes in a user's access over a time period to understand what was provided at time of hire
- Seeing the list of accounts a given user has, so that I can ensure it is appropriate per provided guidelines
- Seeing when access was removed for a terminated employee, so that I can confirm it was done in a timely manner
- Finding out when an identity received a specific entitlement, so that I can confirm it was provisioned when expected
The Access History feature adds a new database to IdentityIQ. The database for storing Access History data is separate from the IdentityIQ database. The IdentityIQ install and upgrade scripts will create separate databases for IdentityIQ and Access History data. The databases can be within the same instance for convenience, but separate database instances are recommended for production environments to avoid an impact on IdentityIQ performance. Depending on your environment setup and on the number of daily changes to your identities, the Access History database can be large, and will continue to grow.
The Access History feature is enabled by default for new installations but is disabled by default when upgrading to version 8.4, due to configuration requirements. Refer to the IdentityIQ Access History guide for information on how to configure and enable this feature.
Data Extract
Data Extract lets you extract data from the IdentityIQ database and store it in a format that common business intelligence (BI) tools can use. Data Extract gives you added flexibility to analyze your data, and helps you provide key data for addressing business and security questions.
To extract data, IdentityIQ administrators create and configure a Data Extract Task, which calls the functionality to extract and transform data, and defines the message destination (a queue where data is available to be picked up by BI systems).
Administrators can also customize which types of objects are extracted and define which properties of those objects to include by configuring criteria for the extraction and transformation tasks.
Access Modeling: Create Common Access
IdentityIQ customers can now mine and automatically create roles containing the baseline access needed for a given population, and exclude that access from future role mining/role insights.
From an Identity search in Advanced Analytics, you can use the new Discover Common Access Roles option to send your search-results population to AI Services to discover roles containing broadly-held access.
Read-only rights for Admin Debug pages
A new capability gives users the ability to view but not edit objects via the Debug Pages Object Browser. This can help technical users who are not system administrators see IdentityIQ object XML for debugging and troubleshooting purposes. For example, database administrators can view database properties in order to confirm configurations, and certification or task administrators can review definition object XML to confirm that configurations are correct.
Each page within the Debug menu (Memory, Objects, Caches, etc.) has an associated SPRight which grants read-only access, allowing you to create custom capabilities to limit view-only Debug access to specific areas for specific users. These SPRights are also bundled together in one out-of-the-box capability, DebugPagesReadOnlyAccess, which makes it easy for you to allow complete view-only access to users as needed.
Users with read-only access can copy or download object XML, but cannot save changes or upload XML.
Audit changes made through the Debug Object Browser
Changes made on Debug pages can now be audited. To enable logging, navigate to gear > Global Settings > Audit Configuration > General Actions and select the Debug Object Browser Change checkbox.
Audit data is viewed through the Advanced Analytics > Audit search, and includes the date and time a change was made, the identity that made the change, and the target object that was changed (such as identity, bundle, or configuration). Audit results can be exported in PDF, CSV, or CEF formats.
The audit log does not detail what the changes were. Internal versioning or tracking should be used if you need to track the specific changes that are made.
Updates to Angular
With this release, IdentityIQ begins an upgrade from AngularJS to Angular 15. UIs that have been updated include the Login screen, the Identity Preferences UI, and the API Authentication Global Settings page. More UI pages will be upgraded in future releases.
Users upgrading from an earlier version of IdentityIQ should be aware that custom widgets and installed plugins may be impacted by the Angular upgrade. Verifying any needed changes to custom widgets and installed plugins should be part of your upgrade planning; widgets and plugins should first be evaluated in a non-production environment, prior to being deployed in production.
Security Upgrades and Library Updates
In version 8.4, new libraries have been added, and some existing libraries have been upgraded or removed. When you upgrade, be sure to test any custom forms in your implementation, to ensure compatibility with the updated libraries.
A complete list of libraries is provided in the Important Upgrade Considerations for IdentityIQ section below.
Security Upgrades
With this release, new libraries have been added, and some existing libraries have been upgraded or removed.
Due to an increased overall industry focus on supply chain attacks and product security, SailPoint has become more aggressive in updating third-party libraries contained in IdentityIQ. SailPoint has always aggressively monitored the security of all components of our products regardless of the source of the component and will continue to do so, and has always treated security issues found in all components of our products the same, following our Product Vulnerability Management Policy, which defines remediation and/or mitigation timelines based on the severity of a vulnerability. It is important to note that the severity of a vulnerability in a standalone library encompasses every possible use of the library. The severity of a finding or vulnerability in IdentityIQ due to a vulnerability in a library may be different, because of how the library is used in IdentityIQ.
Many updates to third-party libraries are not backward compatible, at both the API and functional level. Because of this, the changes required are often not simply a replacement of the library, but also changes to the component in the product that consumes the library. Sometimes a change to IdentityIQ behavior and/or APIs is required to accommodate these changes. Given that IdentityIQ is a platform that many of our customers and deployment partners use to build identity management solutions, the impact of these types of changes can be very high. Our preference, based on customer demand and feedback, remains to introduce library changes in releases and not in patches, unless remediation for a security vulnerability is required, in which case updates can be introduced in patches.
A list of libraries that have been added or upgraded in this release is provided below. These are separated into the libraries in the IdentityIQ server layer and those in the IdentityIQ connector layer. Some libraries in the connector layer are bundled into larger packages, and therefore the changes are not as visible when inspecting product file names. For connector library upgrades, see Important Upgrade Considerations for Connectors.
Starting in recent IdentityIQ releases and patches, the list of libraries embedded in a connector bundle is contained in a file named SBOM.txt at the root of the bundle jar file.
IdentityIQ should not be thought of as a collection of independently upgradeable components, but instead as a complete solution supported by SailPoint as it is delivered. Customers and deployment partners should not remove, modify, or update components of IdentityIQ outside of official releases by SailPoint.
Important: When upgrading, be sure to test any custom forms in your implementation, to ensure compatibility with the updated libraries.
- ActiveMQ 5.17.4
- Byte-buddy 1.12.10
- Easymock 5.1.0
- Ehcache 3.10.0
- Failsafe 2.4.4
- Gson 2.9.0
- Httpcore 4.4.15
- Jersey 2.35
- junit 4.13.1
- mimepull 1.9.15
- jackson 2.13.2
- jakarta.json 2.0.1
- jakarta.json-api 2.1.0
- jasperreports-javaflow 6.19.1
- jakarta.activation 1.2.1
- jakarta.mail 1.6.7
- javassist 3.29.0
- jcommon 1.0.24
- jakarta.servlet-api 4.0.4
- junit 4.13.2
- JJWT 0.11.5
- Jline 3.21.0
- Joda-time 2.10.14
- Json-path 2.7.0
- Json-smart 2.4.8
- Java-jwt 3.19.1
- jwks-rsa 0.21.1
- mysqlconnector-java 8.0.33
- okhttp 4.9.3
- okio 2.8.0
- kotlin-stdlib
- openpdf 1.3.27
- cryptacular 1.2.5
- java-support 7.5.2
- OpenSAML 3.4.6
- javaee-api 8.0.1
- slf4j 1.7.32
- Spring 5.2.24
- twilio 8.14.0
- sshj 0.31.0
- asn-one 0.5.0
- xmlschema 2.2.5
- xmlsec 2.2.2
- objenesis 3.2
- ngdbc 2.8.12
- lucene 8.8.2
- jquery 3.5.1
- json 20210307
More than the maximum number of request parameters (GET plus POST) for a single request ([1000]) were detected.
Any parameters beyond this limit have been ignored.
To resolve this, set the maxParameterCount parameter to a higher value (default - 1000) in server.xml and restart the Tomcat server.
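Where that attribute lives in server.xml, as an added illustration that is not part of these release notes; the port, protocol, timeout and the value 2000 are assumptions chosen for the example:

```xml
<!-- conf/server.xml, illustrative fragment (not from the release notes).
     maxParameterCount is an attribute of the HTTP <Connector> element,
     not of <Server> or <Service>. Without the attribute Tomcat applies
     its default of 1000 and silently drops parameters beyond it, which
     is what produces the "maximum number of request parameters" warning.
     The value 2000 is an assumed example: size it to the largest legitimate
     IdentityIQ form submission rather than to "unlimited", since every
     accepted parameter is parsed and buffered per request. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="2000" />
```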
JasperReports Update
The JasperReports library has been updated to version 6.19.1. Any custom forms should be tested prior to the JasperReports upgrade.
Java 11
IdentityIQ 8.4 is compiled with Java 11. Plugins and other integrations must be compiled under Java 11 to be compatible with IdentityIQ 8.4.
Angular 15
The Angular framework has been upgraded from AngularJS to Angular 15 on the following pages.
- Login
- Identity Preferences
These upgrades could potentially impact installed plugins, if the plugins use AngularJS and/or modify the rendering of the affected page. After upgrade to 8.4, we recommend that any plugins are first evaluated in a non-production environment, prior to being deployed in production.
As with all software vulnerabilities, we recommend that all customers apply this upgrade or the e-fix for IIQSR-727 available in the Product Download Center on Compass as soon as possible.
- Prune events where the old and new values only differ by case
A new option, detectNativeIdentityChangeCaseSensitive, is now supported and improves performance. This option defaults to false. When enabled, it triggers creation of a NativeIdentityChangeEvent in IdentityIQ even if the native identifier for an Account or Group differs only by case from the value in IdentityIQ. To enable this option, add the following to the Attributes Map of the System Configuration:
There is no separate System Configuration key to enable Access Modeling apart from identityAIEnabled. The Access Modeling configuration will be visible on the AI Services Configuration page to IdentityIQ customers with AI subscriptions, regardless of whether they subscribe to the Access Modeling module specifically. However, in such cases the Access Modeling functionality will still be disabled in their IdentityNow tenant.
This release contains a fix for an important security vulnerability that was previously announced. This vulnerability allows an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath. This vulnerability in IdentityIQ is assigned CVE-2023-32217. As with all software vulnerabilities, we recommend that all customers apply this upgrade or the e-fix for IIQFW-655 available in the Product Download Center on Compass as soon as possible.
This vulnerability allows access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585. This vulnerability in IdentityIQ is assigned CVE-2022-46835.
As with all software vulnerabilities, we recommend that all customers apply this upgrade or the e-fix for IIQFW-336 available in the Product Download Center on Compass as soon as possible.
This will move approval completion to background processing to free the user from waiting until the workitem is processed by the workflow before returning to the home page.
This will only move the approval completion process to the background if the workitem or workflow is locked by another user or another process. This will prevent the user from seeing a popup and return the user to the home page.
1. Extract configBeans.xml out of the lib/identityiq.jar, and copy that file into the WEB-INF/classes directory.
- The Salesforce connector now supports API version 56.0. For existing applications, remove the UserPermissionsMobileUser attribute from the schema for the connector to work with the new 56.0 API version.
- The Salesforce connector now supports creating new Portal and Partner Users as well as assigning Portal and Partner Licenses to existing Salesforce Users using their respective user profiles. Ensure that the service account user has the "Manage Contacts" object [R || W] added to the administrative user profile.
- The Salesforce connector now supports creating, updating and deleting Public Groups. Ensure that the service account user has the "Public Groups" object [R || W] added to the administrative user profile.
- The IQService version must match the IdentityIQ server version, including the major release and patch versions. When one is upgraded, the other must also be upgraded, so that the version and patch levels match. For more information on upgrading the IQService, see the IdentityIQ Installation guide chapter on upgrading.
- The Zoom connector no longer supports API Token Authentication. Configure your Zoom application to use OAuth2 Authentication, to avoid any failures.
- accessors-smart-2.4.8
- bcel-6.6.1
- commons-fileupload-1.4
- hk2-api-3.0.3
- hk2-locator-3.0.3
- hk2-utils-3.0.3
- hibernate-core-6.1.5.Final
- jersey-hk2-3.0.4
- jackson-databind-2.13.3
- jakarta.annotation-api-2.1.0
- jakarta.validation-api-3.0.1
- jakarta.ws.rs-api-3.1.0
- jersey-client-3.0.4
- jersey-common-3.0.4
- jersey-container-servlet-core-3.0.4
- jersey-media-jaxb-3.0.4
- jersey-media-multipart-3.0.4
- jersey-server-3.0.4
- jersey-apache-connector-3.0.4
- jasperreports-javaflow-6.19.1
- jackson-core-2.13.3
- javax.faces-2.4.0
- javax.mail-1.6.2
- kotlin-stdlib-1.7.10
- mysql-connector-java-8.0.30
- org.jacoco.ant-0.8.8
- spring-core-5.3.20
- spring-core-5.3.22.RELEASE
- spring-web-5.2.22.RELEASE
- testng-7.6.1
IMPORTANT: SailPoint does not support anything beyond the compatibility of the platform vendors. Confirm the interoperability and support from those vendors when deciding on your platforms.
Operating Systems
- Solaris 11 and 10
Note regarding Linux Support: The distributions and versions of Linux highlighted below have been verified by IdentityIQ Engineering, but any currently available and supported distributions and versions of Linux will be supported by SailPoint. Implementers and customers should verify that the distribution and version of Linux of choice is compatible with the application server, database server, and JDK also being used.
Application Servers
Databases
- MySQL 8.0
- Oracle 19c
- PostgreSQL 15
Message Brokers
- ActiveMQ 5.17.4
Cloud Platforms
- AWS EC2
- AWS Aurora
Java Platform
- Sun, Oracle or IBM JDK 11 and JDK 17 for all application servers that support those versions
- OpenJDK 11 is now supported on all environments, but we have specifically tested against Adopt OpenJDK 11 and 17 for Windows and Red Hat OpenJDK 11 and 17 for Linux
Browsers
- Safari 16
Languages
- Brazilian Portuguese
- Chinese (Taiwan)
- Danish
- Dutch
- English
- Finnish
- French
- French Canadian
- German
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese
- Simplified Chinese
- Spanish
- Traditional Chinese
- Turkish
New Connectors
IdentityIQ 8.4 delivers new, out-of-the-box connectors for the following enterprise applications, which simplifies the connectivity of these systems.
New Connectors Description

BMC Helix Remedyforce Service Desk Integration Module
The BMC Helix Remedyforce ITSM Service Desk Integration module is designed to provide the service desk experience in IdentityIQ. The integration supports creation of tickets within IdentityIQ for manual provisioning operations and status checks. The service desk integration module ensures synchronization of ticket status between IdentityIQ and the BMC Helix Remedyforce Service Desk system.

Coupa Connector
The new SailPoint Coupa connector provides the capability for seamless and secure connection to the Coupa system, and manages user access and groups throughout the user’s lifecycle. This integration also manages user-groups, content-groups, account-groups and approval-groups membership as entitlements.

Generic Service Desk Integration Module
The Generic Service Desk integration offers connectivity with different IT Service Management (ITSM) solutions. It supports the creation of tickets, which can be configured to align with the specific service request types of the target ITSM solution. This integration brings the service desk experience into the SailPoint platform, enabling users to raise and track service desk tickets to their logical closure from SailPoint IdentityIQ.

IdentityIQ for EPIC SER
The Epic SER connector provides the capability to manage Epic Provider (SER) records. It supports aggregation of Provider records as accounts and lifecycle capabilities including create account, update account, and enable/disable account.

Ivanti Cherwell Connector
The Cherwell connector offers seamless connectivity to the Cherwell ITSM solution, enabling aggregation and provisioning of two distinct Cherwell user types: 'users' and 'customers'. This integration enables robust user access management and governance in the Cherwell system.

Ivanti Cherwell Service Desk
The Cherwell Service Desk Integration Module (SDIM) brings the service desk experience into the SailPoint platform, enabling users to raise and track service desk tickets (Service Request and Incident) to their logical closure in the Cherwell ITSM solution from SailPoint IdentityIQ.

Microsoft Azure SQL Database
The Azure SQL Database connector provides connectivity with Azure SQL Database for user access governance and management. The connector supports the management of Microsoft Azure SQL database logins as accounts and users associated to login accounts. It supports aggregation, provisioning and full account management.

Oracle Fusion HCM Accounts
The Oracle Fusion HCM Accounts connector provides the capabilities to manage HCM users’ accounts. It supports the aggregation of accounts and roles. The connector also provides full lifecycle capabilities including account creation, update, and role assignment/revocation with accounts.

Oracle Enterprise Performance Management (EPM) Cloud governance Connector
The new Oracle Enterprise Performance Management (EPM) Cloud governance connector provides the capability for managing user accounts, predefined roles, application roles, and groups. The integration supports EPM Cloud Services for Financial Consolidation and Close (FCCS), Account Reconciliation (AR), Planning, and Narrative Reporting (NR).

Oracle HCM Cloud Connector
The new Oracle HCM Cloud connector provides read capability from Oracle Fusion HCM for "person" details when Oracle Fusion HCM is the HR data source for the organization. This new connector’s capabilities include full account aggregations using Oracle’s recommended designs (performance-based file extract methods), and detection of incremental user data changes via delta aggregation using Oracle’s Atom Feeds. The connector also provides capabilities to refresh any accounts coming in, as well as discover new schemas.

SAP Concur Connector
The new SAP Concur Connector provides identity governance on expense management services provided by Concur. The integration supports enforcing policies and permissions for granting and revoking access to systems and data based on user identities, roles, and associated groups for Expense, Request, Invoice, and Reporting.

SAP Fieldglass Connector
SailPoint’s integration for the SAP Fieldglass Vendor Management System offers governance capabilities for contingent workers. It offers seamless governance of external user management for joiner, mover, and leaver workflows, and separation of duty (SOD) checks based on user roles, attributes, and entitlements.

Snowflake Connector
A new Snowflake Connector is now available to govern identities for Snowflake Data Lake.
Active Directory
- Supports aggregation of the domain NetBIOSName as part of account and group aggregation. You need to add NetBIOSName as a schema attribute of type String in the Account and Group schema to leverage this feature.
- Supports certificate-based modern authentication to communicate with Exchange Online, which is more secure and is the Microsoft recommendation.
- Supports Continuous Access Evaluation (CAE), which leverages the Azure Active Directory real-time enforcement of conditional access location and risk policies, along with instant enforcement of token revocation events for an enterprise application (service principal).
- Supports read and write of Azure Multi-Factor Authentication attributes required for various authentication methods.
- Supports User and Group advanced filters through the application UI.
- Supports giving visibility to read-only group hierarchy information during group aggregation.
- Supports managing the Service Principal for enterprise applications as an Account (Service Principal as Account).
- Supports creating SAML-based applications and corresponding Service Principals using the Gallery application templates.
BMC Helix
- Supports BMC Helix IT Service Management Suite version 22.1
- Supports version 21.3. With this new version, the connector supports service requests via the digital workplace with a new ticket type called DWP Service Request.
Cloud Gateway
- Supports using a load balancer with sticky-bit configuration.
- Supports new configuration to enable all operations for target collectors to be executed in Cloud Gateway.
- RHEL 9.0
Duo
- Supports proxy settings from the application server settings and can also bypass the proxy for hosts listed in the nonProxyHosts list.
EPIC
- The following Epic user fields are now supported as account attributes:
  - PrimaryManager
  - UsersManagers
EPIC SER
- Enhanced to display provisioning failures at an attribute level.
HCL Domino
- Supports HCL Domino version 12.0.2.
IBM Security Verify Access
- Supports IBM Security Verify Access 10.0.6 with support for backend servers: IBM Security Directory Suite version 10.0.
Jack Henry
- Supports enabling and disabling accounts.
LDAP
- Supports Modify Time Stamp as a new delta aggregation mode.
- The UI has been updated to provide more fields for configuring the connection details to various LDAP Directory servers.
Linux
- Supports Red Hat Enterprise Linux versions 8.5 and 8.8.
Okta
- Enhanced to respect the password policy set in the Okta target system (in terms of password age and password history).
- Supports the addition and removal of custom roles directly associated with accounts.
- Supports aggregation of custom roles directly associated with accounts and groups.
- Enhanced to provide an option for multi-threading when aggregating groups and applications connected to Okta accounts during account aggregation.
Oracle E-Business
- Supports the 12.2.11 Oracle EBS environment.
- Account aggregation will now fail when there is a planned outage (maintenance) on the Oracle system.
RACF
- Supports resource aggregation and provisioning as an additional group schema, and requesting permissions for accounts and groups.
RSA
- Supports RSA Authentication Manager versions 8.7 and 8.6.
SAP Direct
- Redesigned to use an SAP-certified function module for enhanced security and performance. The use of RFC_READ_TABLE has been limited according to SAP recommendations.
SAP GRC
- Redesigned to use an SAP-certified function module for enhanced security and performance. The use of RFC_READ_TABLE has been limited according to SAP recommendations.
- Enhanced to support additional attributes that are now configurable through the provisioning policy.
- Enabling and disabling accounts is now possible for all the GRC-connected systems and not just limited to the master. This enables deeper governance and clean audit capabilities.
- Enhanced to support Additional Settings in the UI, which includes the Access Request Type Mapping, Provisioning Actions for Role, and Provisioning Actions for System sections.
- Supports access management requests that are configured for auto approval in the SAP GRC system.
SAP HANA
- Enhanced to support get and provisioning operations for external type users.
SAP HR/HCM
- Redesigned to use an SAP-certified function module for enhanced security and performance. The use of RFC_READ_TABLE has been limited according to SAP recommendations.
Salesforce
- Supports creating, updating, and deleting public groups (ensure that your service account user has the “Public Groups” object [R || W] added into the administrative user profile).
- No longer supports Salesforce API version 48.0 or prior. The connector will only work on API version 56.
- Supports creating new portal and partner users, as well as assigning portal and partner licenses to existing Salesforce users using their respective user profiles (ensure that your service account user has the “Manage Contacts” object [R || W] added into the administrative user profile).
ServiceNow
- Enhanced to populate the access request comment on the ServiceNow ticket. Existing service desk integrations need to modify the provisioning task definition to include the comments for access request comments. This feature is automatically included for all new configurations.
SharePoint Online
- Supports configurable endpoints when Azure Active Directory is deployed on a non-public national cloud server.
SharePoint Server
- Supports managing Microsoft SharePoint Server Subscription Edition.
Siebel
- Supports Siebel server version 22.8.0.0.
Slack
- Supports creation of a guest user to have access to a single or multiple channels in Slack Enterprise Grid Plan.
SuccessFactors
- Enhanced to support account delta aggregation.
- Supports additional attributes and custom attributes related to user entities via the ODATA API.
Web Services
- Supports Create, Update, and Delete for Group objects.
- Supports removing entitlements while disabling accounts and enabling entitlements while enabling accounts.
- Now provides example rules to show the use of Web Services operation rules to help configure the searchAfter attribute for pagination.
Windows Local
- Supports Microsoft Windows Server 2022.
Workday
- Supports adding proxy level parameters in the Workday application.
Workday Accounts
- Enhanced to integrate with the Workday Learning Module and aggregate the training information associated with users.
- Supports filtering of accounts based on the Organization Type and Organization Reference ID.
- Supports aggregation and provisioning of future accounts ahead of their hire date.
- Enhanced to provide an option for multi-threading, which will improve the account aggregation performance.
l Authentication Type “API Token” is no longer supported. Set up your Zoom application to configure Oauth2.0
Authentication to avoid any failures.
Salesforce Connector: Supports API version 56.0. (For existing applications, you must remove the UserPermissionsMobileUser attribute from the schema for the connector to work with the new 56.0 API version.)
ServiceNow IdentityIQ for Service Desk: Supports the ServiceNow Tokyo and Utah releases.
ServiceNow Catalog Integration: Supports the ServiceNow Tokyo and Utah releases.
SAP SuccessFactors Connector:
• Enhanced to support account delta aggregation.
• Enhanced to exclude PII data for employees.
• Oracle Fusion HCM Connector - On December 31, 2023, the Oracle Fusion HCM Connector will no longer be supported. Use the newly-released Oracle HCM Cloud Connector. For documentation on the new connector, refer to Integrating SailPoint with Oracle HCM Cloud.
• IdentityIQ for Oracle Identity Manager - IdentityIQ for Oracle Identity Manager Version 1: Connection via OIM Integration Web Application is no longer supported. Use the newly-released IdentityIQ for Oracle Identity Manager Version 2: Connecting Oracle Identity Manager via Oracle Client API. For documentation on the new connector, refer to IdentityIQ for Oracle Identity Manager V2.
• IBM Tivoli Access Manager - Support for the REST API for IBM Tivoli Access Manager connectors is no longer provided.
Issue ID       Description
IIQETN-11203   When an assigned role that has been added by an assignment rule is removed from an identity through a revoke or remove action, Access History will not recognize that there is a negative assignment. As a result, role removal events are not created consistently and some data and counts may be incorrect.
IIQETN-11209   In the Access History feature, if any of the roleAssignments for an identity capture are set to negative="true", then the counts shown in the UI for Roles and Entitlements may be inaccurate.
Issue ID       Description
IIQSR-761      Entitlements are now revoked completely when revoking through Policy Violations.
IIQCB-4662     <Includes></Includes> tags can now be used for scripts in workflows.
IIQCB-4680     When the Assigned Role field on the Advanced Identity Search page is set to "is not equal to", identities with multiple assigned roles are now excluded if one of those roles matches the supplied value.
IIQCB-4686     Certification bulk delegated items with line item delegations no longer show errors.
IIQCB-4697     Workflow exceptions are now localized.
IIQCB-4699     Access Request Emails now use EmailTemplate SessionProperties.
IIQCB-4708     When the 'Show Password' option is enabled, historical passwords are no longer offered as an autofill hint when entering the next password.
IIQCB-4710     On the Rapid Setup Leaver / Identity Operations pages, the Reassigned Artifacts Types pulldown no longer contains "Alert", "Classification", "Plugin", and "Task and Report Schedules".
IIQCB-4759     Importing an application no longer deletes and orphans schemas when running aggregation.
IIQCB-4792     SAML Electronic Signatures can now be used with custom approval forms the same way that SAML Electronic Signatures are used with Approvals.
IIQCB-4825     The Entitlement Catalog now displays when a Boolean type extended attribute is included in the searchable attributes.
IIQCB-5042     Running a RequestObjectSelector Rule no longer errors when filtering for extended attributes.
IIQCB-5374     On the Role Search page, when filtering by profile, the filter type dropdown now includes the "Entitlement" value when there is at least one Role-Entitlement Association that is not of type "Permission".
IIQFW-1        [SECURITY] SailPoint Form sections with type `text` or `datatable` no longer render HTML by default. Fields that need to display HTML must now provide the `contentIsEscaped` attribute and set it to `true`. Any dynamic or user-entered content in the field must be escaped in order to be secure.
IIQFW-2        [SECURITY] HTML embedded in entitlement or role names is no longer rendered as part of the surrounding formatting HTML.
IIQFW-7        [SECURITY] When the MFA authorization workflow is configured and the user clicks Forgot Password for a reset, the security authorization questions page cannot be skipped until the reset workflow action is successful.
IIQFW-36       [SECURITY] On the Approvals page, HTML embedded in entitlements and roles no longer renders in the browser.
IIQFW-224      [SECURITY] The server now escapes potentially harmful HTML contained in message parameters before they are displayed in the UI.
IIQCB-4992     The Policy Violation Details page no longer displays HTML tags.
IIQCB-5034     Processing a role that cannot be processed no longer results in a NullPointerException. As part of this change, IdentityIQ has improved diagnostic logging when it is unable to analyze a role for profile relations.
IIQFW-287      [SECURITY] IdentityIQ allows deserialization of classes from the sailpoint package by default. If the jdk.serialFilter property is provided, it is recommended that it also specifies the sailpoint package.
IIQFW-336      [SECURITY] A file traversal vulnerability in the JavaServer Faces (JSF) library has been fixed.
IIQFW-369      Added role="alert" to the message element, so that a screen reader can now detect and read the messages displayed on the home page.
IIQFW-584      [SECURITY] IdentityIQ no longer supports an empty WebResource config. Running IdentityIQ without a WebResource config prevents the site from working for any non-SysAdmin user.
IIQFW-634      A 'data is still loading' alert message is now displayed during revocation of certification items when the items haven't finished loading, instead of an exception being thrown.
IIQFW-654      Resolved an issue where the Load More option was not presented for certification campaigns containing a number of items equal to a multiple of 5 plus 1 (for example: 6, 11, 16, 21, etc.).
IIQFW-728      [SECURITY] Updated the UI so that a dummy value is sent instead of the actual client secret value.
IIQFW-729      [SECURITY] Removed the option to view security authentication question answers in clear text. The answer fields are treated as password values, and actual answer values are no longer sent back to the browser.
IIQFW-833      [SECURITY] The Spring library is now updated to version 5.2.24.
IIQSR-836      With the upgrade to the JasperReports 6.19.1 library, the HtmlExporter.exportText() method in the sailpoint.reporting.export package is now deprecated and will be removed in a future release.
IIQSR-825      The option to select Class Action "Identity" in the Audit Configuration page is now available.
IIQSR-818      [SECURITY] Users who have no access to scoped Identities are no longer allowed to make requests for those Identities.
IIQSR-815      A custom filter in a CertificationDefinition is now always copied to a new Certification created from that CertificationDefinition as a template.
IIQSR-810      Classification Filter Rules are now exposed as task arguments. The number of records fetched with each SCIM call is now configurable via the "Page Size" argument on the FAM Classifications task. The FAM Classification task is now more tolerant of errors: the "Retry Limit," "Retry Gap," and "Max Errors" arguments have been added to the task to allow users to adjust how tolerant it is.
IIQSR-808      Role Profile synchronization now leverages the proxy Application, if needed, when fetching the entitlement attribute.
IIQSR-807      A "source" attribute value of AttributeAssignment is no longer changed to "Rule" after native deletion and re-provisioning.
IIQSR-804      [SECURITY] The Apache Commons Net library was updated to version 3.9.0 to mitigate a potential vulnerability in Net's FTP client, which by default trusts a host from a PASV response. The updated library ignores such hosts by default.
IIQSR-803      [SECURITY] OAuth secrets are no longer fetched en masse; the secret of an OAuth client is only fetched on each individual request for it.
IIQSR-801      The Jasper Report for an unpartitioned Account Aggregation task is now rendered successfully on task completion if a partitioned aggregation task is executed concurrently.
IIQSR-800      [SECURITY] Unauthorized server responses (error code 401) that result in browser login prompts can now be overridden to prevent popups.
IIQSR-799      The message "Skipping aggregation of application in maintenance window" now appears for an application in maintenance mode during a partitioned aggregation.
IIQSR-798      Identity Snapshots with unordered entitlement lists no longer cause an error in the Identity Warehouse.
IIQSR-796      Exporting a certification no longer generates an exception if an Identity was deleted after the certification was created.
IIQSR-794      An error no longer occurs when an entitlement owner removes an owned entitlement from another user.
IIQSR-785      Identities with more than 2100 entitlements no longer throw a Microsoft SQL Server error when viewing the Access list in the View Identity quicklink.
IIQSR-780      Sequential tasks now run accordingly when selected to execute on an alternate host.
IIQSR-779      Errors when loading an object from the database no longer have the potential to cause data corruption.
IIQSR-777      Approving a single work item via My Work -> Work Items, when configured to require comments, no longer generates an exception.
IIQSR-773      Fixed a problem that prevented hierarchical groups from being properly created during partitioned group aggregation.
IIQSR-771      An entitlement provisioned via a role is no longer certified as an additional entitlement when the role includes entitlements from multiple applications.
IIQSR-770      The last UI page viewed is now properly restored after a SAML SSO timeout.
IIQSR-767      A revoked entitlement is no longer displayed under Entitlements in the Identity UI.
IIQSR-766      Fixed an issue where selecting permitted roles could cause a Hibernate exception when custom quicklinks are used to manage access requests and dynamic scopes are associated with the quicklink.
IIQSR-765      Loading the Manage User Access page no longer makes duplicate calls to the REST resource rest.ui.requestaccess.IdentityIdNameListResource.
IIQSR-763      LinkEdit AttributeRequests in the ProvisioningPlan are now ignored during provisioning, avoiding generation of a manual work item.
IIQSR-758      Permitted roles may now be deprovisioned via Batch Requests.
IIQSR-756      Application schemas now correctly handle '#' characters in attribute names.
IIQSR-755      Indirectly controlled Scopes are checked when accessing task and report results.
IIQSR-752      Business roles that expire but have a pending expiration extension now properly add the IT role when the extension is approved.
IIQSR-750      The text displayed in a certification message pop-up is now localized based on the browser's configured language.
IIQSR-747      Auditing the delete of a WorkItem object no longer causes a LazyInitializationException error.
IIQSR-745      Reports downloaded as CSV no longer have repeated headers with misaligned column data.
IIQSR-744      The Manager column is now present in the Certification .csv export after launch of an Entitlement Owner certification.
IIQSR-742      Inherited capabilities are now considered when adding capabilities to groups.
IIQSR-740      Login timeouts no longer cause a cascade of HTTP 408 errors that fill the server logs.
IIQSR-739      [SECURITY] The LCM Manage Password workflow for self-service password reset no longer logs the password in clear text when tracing is enabled.
IIQSR-737      The selected QuickLink is now considered during LCM removal of current access items.
IIQSR-735      The "Last Action Status" column in the Manage Accounts identity details table now shows the "Failed Enable/Disable" status when the related access request has expired.
IIQSR-733      An error no longer occurs when submitting an access request for an identity in an assigned workgroup with an advanced policy containing a capability.
IIQSR-732      A user with multiple roles that share one or more entitlements no longer provokes a dependency error when the roles are removed after expiration.
IIQSR-729      The status for a completed access request item now moves from "Provisioning" to "Completed" when split provisioning is enabled.
IIQSR-727      [SECURITY] Resolved a vulnerability that allowed users to change settings on identities outside of their control. Refer to the Upgrade Considerations section for more information.
IIQSR-724      The script pre-parser no longer throws a StringIndexOutOfBoundsException for rules with a large number of variable expansions using the $(...) notation.
IIQSR-723      Remediators are now determined for all requests in unmanaged provisioning plans.
IIQSR-722      An error no longer occurs when selecting a saved search in Identity Advanced Analytics.
IIQSR-717      Entitlements included in IT roles are now successfully removed using a sunset date.
IIQSR-711      Removing classifications from Classifiable objects (Entitlements, Roles) now cleans up unneeded records from the spt_object_classification table.
IIQSR-710      Reports that fail now clean up persisted database objects that would otherwise be orphaned.
IIQSR-706      The displayName attribute is now correctly set on an account when the account is created during the provisioning of an entitlement.
IIQSR-699      Attribute sync no longer fails when an Identity has multiple accounts on an application and the target mapping does not have 'Provision to all accounts' selected.
IIQSR-697      The assigned scope for a TaskDefinition is now transferred to the TaskResult for tasks and reports.
IIQSR-696      When running incremental exports, the Data Exporter task now correctly exports objects that were modified while the previous instance of the Data Exporter task was running.
IIQSR-694      Filtering on Role Source Value during Manage Access no longer causes an error.
IIQSR-692      Sequential Task execution is no longer handled by an active long-running parent task and is instead part of the native function of the TaskManager.
IIQSR-689      Clarified the javadoc comments for the Util.stringToDate() method.
IIQSR-688      Permitted roles that are assigned now show as an assignedRole in the Access Request.
IIQSR-686      Access Request deep links no longer redirect to the self-service page repeatedly or lose track of query parameters.
IIQSR-682      The processing of scheduled assignments no longer generates errors and duplicate requests.
IIQSR-681      Added a check in query options when fetching quicklinks for identities with the system administrator capability, to avoid incorrect filtering of roles and entitlements.
IIQSR-679      A log error no longer occurs during Identity Refresh when calculating which Roles to auto-assign via a Population with a multi-value Identity attribute.
IIQSR-678      Initializing date fields in forms with existing values no longer results in errors that prevent the date picker from functioning.
IIQSR-676      An email notification is no longer sent to an owner if the "Email Owner on Pre-Delegation Completion" option is disabled in the Certification configuration.
IIQSR-674      The submit button is now disabled when generating an Access Request, eliminating the possibility of duplicate requests being created by pressing the ENTER or SPACE keys multiple times.
IIQSR-673      Fixed an access request issue that prevented roles from being assigned to the same identity multiple times even when the option to allow it is enabled.
IIQSR-670      A validation error message is now displayed on empty required Date fields after a form submit.
IIQSR-668      System level tasks now allow concurrency where applicable.
IIQSR-666      The 'Perform Maintenance' task now properly releases the SailPoint contexts that are used when processing background workflow events.
IIQSR-663      Managed Attributes of type Identity now store the name of the selected identity, keeping them consistent with other Managed Attributes.
IIQSR-662      Performance of activity scans with large data sets has been improved.
IIQSR-661      When moving a Link from an Identity, both the target and the source Identity now have the 'needsRefresh' flag enabled.
IIQSR-660      When a new certification is created using the "Use Certification as Template" feature to clone an existing certification that has "Require Electronic Signature" enabled, that option can now be disabled in the new certification.
IIQSR-659      Possible database cursor leaks were fixed for situations where the "Aggregate Correlated Applications" task encounters duplicate links.
IIQSR-658      Requests that create an account whose native id is generated by an application in maintenance mode now have the corresponding identity request updated with that native id.
IIQSR-657      In a transient Workflow, any XHTML-based forms following the first form are now successfully displayed.
IIQSR-656      The Identity Entitlements Detail report now successfully incorporates filtering by Assigners.
IIQSR-654      Fixed an issue in the Role Archive report that caused the Profiles section to be excluded.
IIQSR-651      Added audit details for certification revokes covering provisioning and remediation of a certification's items.
IIQSR-645      The CheckedPolicyViolations SCIM API endpoint now consistently returns a description for all policy types.
IIQSR-637      Improved extensibility of the Upgrade and Patch framework for modules, including ensuring that rsworkflows.xml is imported when required.
IIQSR-635      Improved performance for applying manual decisions to items within Certifications containing several entities with very few items each.
IIQSR-634      When configuring a forwarding user for an identity, the Submit button is now disabled if the "Select User to Forward to" field is empty while "Start Date" and "End Date" are specified.
IIQSR-630      The CertificationDefinition assigned scope is now applied to the Certification schedule object.
IIQSR-622      When using a custom form, the form owner is now correctly assigned when the name of the identity launching the workflow contains a comma.
IIQSR-617      An Entitlement Owner certification now revokes all attribute assignments under the same owner of an application instead of only a single entitlement from a group of entitlements.
IIQSR-615      Tracing of the SCIM classes is now possible from the log4j2.properties file.
IIQSR-614      The "Created on" and "Created By" fields are now updated in Identity Events for changes in sunset/sunrise dates.
IIQSR-613      A TaskDefinition is now exported from the console without errors when it contains arguments without a type.
IIQSR-609      Using a forgot password link when multiple passthrough applications are configured no longer results in incorrect authentication questions.
IIQSR-608      IT role mining panels now scale better when several Identity Populations are present.
IIQSR-605      The Role Details report no longer throws an error when thousands of roles are reported on.
IIQSR-604      The owner dropdown on the edit entitlement page now properly displays names containing a "&" rather than the escaped "&amp;".
IIQSR-601      Defining an instance attribute in an application no longer results in duplicate attributeAssignments in an Identity.
IIQSR-598      Grouping certification details by display name no longer results in excessive wait times.
IIQSR-584      Identity create forms with postback fields are now properly executed before validation.
IIQSR-583      Timings for the following meters no longer produce negative statistics: "PlanEvaluator.execute phase 1", "ServiceRequestExecutor.execute".
IIQSR-568      The AuditLog source for provisioning expansion operations is now displayed correctly instead of "unknown".
IIQSAW-4960    [SECURITY] Values in the displayName field of Identities are now properly sanitized to avoid malicious content.
IIQSAW-4889    Account unlock is now properly translated to Danish.
IIQSAW-4888    The user interface now properly displays Italian language prompts and labels.
IIQSAW-4880    Provisioning no longer fails in cases where an Active Directory account is moved, then deleted, and subsequently added again.
IIQSAW-4675    A defect in processing objects with nonstandard object IDs (since corrected in IdentityIQ 8.4 and 8.3p2) caused NativeIdentityChange propagation to fail and events to remain in the queue, blocking provisioning. A new task template was added that re-processes these events. The new task "Reset Failed NativeIdentityChange Events" can be used to: report the number of failed events, prune events where the old and new values only differ by case, and reset failed events and launch tasks to re-process them.
IIQSAW-4644    [SECURITY] The Apache Commons Text library was updated to version 1.10.0 to mitigate a potential vulnerability allowing remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
IIQSAW-4311    Changes to a Distinguished Name that are initiated within IdentityIQ (through Rapid Setup or customizations) now result in appropriate updates to all IdentityIQ objects; they are no longer treated as new identities but are instead recognized as moves or renames.
IIQSAW-4221    Running group aggregation on a renamed group hierarchy no longer produces errors.
IIQSAW-4206    Replaced all uses of the JSON-java library with Jackson.
IIQSAW-4201    lookupByName now works properly for the LaunchedWorkflows SCIM endpoint, and error handling is improved for endpoints that do not support lookupByName, namely Accounts, Entitlements and PolicyViolations.
IIQPB-1646     The Workgroups Detail Report no longer shows an error indicating a closed ResultSet, and now displays the workgroup members list.
IIQPB-1637     Revoke Access no longer creates an account for missing accounts.
IIQPB-1535     When using custom forms for approvals together with e-signatures, form validation now occurs before the e-signature prompt.
IIQPB-1490     In Compliance Manager settings, changes to "Require Electronic Signature" are now saved successfully.
IIQPB-1340     The identityai-recommender-plugin.zip version is now tied to the IdentityIQ version. For example, 8.4 includes identityai-recommender-plugin.zip version 8.4.
IIQPB-1210     The JasperReports library has been updated to version 6.19.1.
IIQPB-1203     Elevated Access icons no longer display under Additional Options in Request Access when the LCM Manager has unchecked `Show Elevated Access in Access Requests`.
IIQPB-1166     The Capabilities to Identities Report no longer duplicates identities that have a capability directly applied and are also members of a workgroup.
IIQMAG-4688    Cloning a role now updates the created and modified dates to the current date.
IIQMAG-4617    In IdentityIQ 8.3 a new feature was introduced to create Native Change Events and process them to update existing accounts and account groups when an application object was renamed or moved to a different container. This behavior is now limited to Active Directory applications. For all other applications, the behavior in IdentityIQ for object renames is the same as it was prior to 8.3.
IIQMAG-4591    New installations or upgrades add the new Access History/Data Extract/Broker configuration pages/rights entries into webresources.xml. Clients should review the changes and merge theirs if they differ from OOTB.
IIQMAG-4430    SCIM update-account PUT now properly assigns the source attribute in the provisioning plan.
IIQMAG-4428    Requesting a new entitlement with sunrise and sunset dates for a user without an account on the application now successfully adds the entitlement on the sunrise date and removes it on the sunset date.
IIQMAG-4349    During a partitioned Account Group Aggregation, if any partition fails, the check deleted phase is skipped.
IIQMAG-4336    Bad data no longer causes a NullPointerException during a role search in Advanced Analytics.
IIQMAG-4316    Account aggregation no longer treats accounts that differ only by a blank UUID vs. a NULL UUID as a renamed native identity. Instead, accounts with blank UUIDs are treated the same as accounts with NULL UUIDs.
IIQMAG-4310    Native Change Detection is now triggered if aggregated values differ from the requested values in a Create Account Request.
IIQMAG-4247    NativeIdentityChange propagation no longer fails with the exception "Attempt to generate refresh event with null object" when the objectID of the object being processed is non-standard. When this error occurred, the failing NativeIdentityChangeEvents blocked provisioning. Customers previously on 8.3 GA or 8.3p1 who encountered this error can resolve it using the newly introduced task template "Reset Failed NativeIdentityChange Events". Refer to the Upgrade Considerations section for more information.
IIQMAG-4223    [SECURITY] The Jackson-Databind library was updated to resolve security vulnerabilities.
IIQMAG-4211    [SECURITY] The Password Reset process no longer attempts to reset a password for accounts that don't support it.
IIQMAG-4087    The 'Description' column is now populated in the 'Role Composition Access Review Live Report'.
IIQFW-946      Account Group Membership Certification now includes an entitlement assignment update option that updates identity assignments.
IIQFW-938      The Identity Request Maintenance task now correctly calculates statuses when 'approval and provision split' is used.
IIQFW-919      The Roles By Application report now completes and no longer throws a lazy initialization exception.
IIQFW-655      [SECURITY] Form Beans used to process SailPoint Form submissions must now implement the FormBean interface. Anything else throws an exception and blocks submission of the form.
IIQCB-4932     The Teams bot now contains translation files to match IdentityIQ.