Release Notes

Version: 8.4

Revised: September 2023

This document and the information contained herein is SailPoint Confidential Information
Copyright and Trademark Notices

Copyright © 2023 SailPoint Technologies, Inc. All Rights Reserved.

All logos, text, content, including underlying HTML code, designs, and graphics used and/or depicted on these written
materials or in this Internet website are protected under United States and international copyright and trademark laws
and treaties, and may not be used or reproduced without the prior express written permission of SailPoint Tech-
nologies, Inc.

“SailPoint Technologies,” (design and word mark), “SailPoint,” (design and word mark), "Identity IQ,” “IdentityNow,”
“SecurityIQ,” “Identity AI,” “Identity Cube,” and “SailPoint Predictive Identity” are registered trademarks of SailPoint
Technologies, Inc. “Identity is Everything,” “The Power of Identity,” and “Identity University” are trademarks of
SailPoint Technologies, Inc. None of the foregoing marks may be used without the prior express written permission of
SailPoint Technologies, Inc. All other trademarks shown herein are owned by the respective companies or persons
indicated.

SailPoint Technologies, Inc. makes no warranty of any kind regarding these materials or the information included
therein, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or con-
sequential damages in connection with the furnishing, performance, or use of this material.

Patents Notice. https://www.sailpoint.com/patents

Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced,
publicly displayed, used to create derivative works, or translated to another language, without the prior written consent
of SailPoint Technologies. The information contained in this document is subject to change without notice.

Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii)
of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and sub-
paragraphs (c)(1) and (c)(2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for
other agencies.

Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S.
Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign
export laws and regulations as they relate to software and related documentation. Licensee will not export or re-
export outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and
will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a
U.S. embargoed country or country the United States has named as a supporter of international terrorism; a party
involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S.
Department of Commerce’s Entity List in Supplement No. 4 to 15 C.F.R. § 744; a party prohibited from participation in
export or re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government’s Office
of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that
licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations.
Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as
they relate to software and related documentation.
Contents
IdentityIQ Release Notes 1

IdentityIQ 8.4 Updates and Enhancements 1

IdentityIQ 8.4 Feature Updates 1

Important Upgrade Considerations for IdentityIQ 4

Important Upgrade Considerations for Connectors 13

Supported Platforms 16

Connectors and Integration Modules Enhancements 19

Connectivity Supported Platform and Language Updates 30

Connectivity Dropped Platform Support 32

Dropped Connector Support 33

Known Issues - IdentityIQ 33

Resolved Issues - IdentityIQ 34

Resolved Issues - Connectivity 43

IdentityIQ Release Notes

IdentityIQ Release Notes

These are the release notes for SailPoint IdentityIQ, 8.4

SailPoint IdentityIQ is a complete identity and access management solution that integrates governance and pro-
visioning into a single solution leveraging a common identity repository and governance platform. Because of this
approach, IdentityIQ consistently applies business and security policy and role and risk models across all identity and
access-related activities - from access requests to access certifications and policy enforcement, to account pro-
visioning and user lifecycle management. Through the use of patent-pending technologies and analytics, IdentityIQ
improves security, lowers the cost of operations, and improves an organization's ability to meet compliance and pro-
visioning demands.

This release note contains the following information:

l IdentityIQ Feature Updates

l Connectors and Integration Modules Enhancements

l Dropped Connector Support

l Important Upgrade Considerations

l Supported Platforms

l Resolved issues

IdentityIQ 8.4 Updates and Enhancements

IdentityIQ 8.4 provides new features and capabilities across the product, including Compliance Manager, Lifecycle
Manager, the Governance Platform, and Connectivity. Key enhancements in the release include:

IdentityIQ 8.4 Feature Updates

IdentityIQ 8.4 introduces the following new features or enhancements.

Feature/Enhancement Description

Access History gives your organization the ability to view historical access data for iden-
tities.
Access History
Access History tracks user access over time to reveal patterns of historical access, giving
you the ability to see and report on past access changes in your business. Access history

SailPoint Release Notes 1

IdentityIQ Release Notes

Feature/Enhancement Description

shows you the “who, what, when, why, and how” of changes to user’s access over time.

Key benefits for identity governance stakeholders include:

l Seeing a user's timeline of access so that I can see how it has evolved over time

l Exporting the changes in a user's access over a time period to understand what
was provided at time of hire

l Seeing list of accounts a given user has, so that I can ensure it is appropriate per
provided guidelines

l Seeing when access was removed for a terminated employee, so that I can con-
firm it was done in a timely manner

l Finding out when an identity received a specific entitlement, so that I can confirm it
was provisioned when expected

The Access History feature adds a new database to IdentityIQ. The database for
storing Access History data is separate from the IdentityIQ database. The IdentityIQ
install and upgrade scripts will create separate databases for IdentityIQ and Access His-
tory data. The databases can be within the same instance for convenience, but separate
database instances are recommended for production environments to avoid an impact
on IdentityIQ performance. Depending on your environment setup and on the number of
daily changes to your identities, the Access History database can be large, and will con-
tinue to grow.

The Access History feature is enabled by default for new installations but is disabled by
default when upgrading to version 8.4, due to configuration requirements. Refer to the
IdentityIQ Access History guide for information on how to configure and enable this fea-
ture.

Data Extract lets you extract data from the IdentityIQ database and store it in a format
that common business intelligence (BI) tools can use. Data extract gives you added flex-
ibility to analyze your data, and helps you provide key data for addressing business and
Data Extract security questions.

To extract data, IdentityIQ administrators create and configure a Data Extract Task,
which calls the functionality to extract and transform data, and defines the message des-
tination (a queue where data is available to be picked up by BI systems).

SailPoint Release Notes 2

IdentityIQ Release Notes

Feature/Enhancement Description

Administrators can also customize which types of objects are extracted and define which
properties of those objects to include by configuring criteria for the extraction and trans-
formation tasks.

IdentityIQ customers can now mine and automatically create roles containing the
baseline access needed for a given population, and exclude that access from future
Access Modeling role mining/role insights.

Create Common From an Identity search in Advanced analytics, you can use the new Discover Common
Access Access Roles option to send your search-results population to AI Services to discover
roles containing broadly-held access.

This feature requires a subscription to Access Modeling.

A new capability gives users the ability to view but not edit Objects via the Debug Pages
Object Browser. This can help technical users who are not system administrators see
IdentityIQ object XML for debugging and troubleshooting purposes. For example, data-
base administrators can view database properties in order to confirm configurations, and
certification or task administrators can review definition object XML to confirm that con-
figurations are correct.

Read only rights for Each page within the Debug menu (Memory, Objects, Caches, etc) has an associated
Admin Debug pages SPRight which grants read-only access, allowing you to create custom capabilities to
limit view-only Debug access to specific areas for specific users. These SPRights are
also bundled together in one out-of-the-box capability, DebugPagesReadOnlyAccess,
which makes it easy for you to allow complete view-only access to users as needed.

Users with read-only access can copy or download object XML, but cannot save changes
or upload XML.

Changes made on Debug pages can now be be audited. To enable logging, navigate to
gear > Global Settings > Audit Configuration > General Actions and select the
Audit changes made Debug Object Browser Change checkbox.
through the Debug Audit data is viewed through the Advanced Analytics > Audit search, and includes the
Object Browser date and time a change was made, the identity that made the change, and the target
object that was changed (such as identity, bundle, or configuration). Audit results can be
exported in PDF, CSV, or CEF formats

SailPoint Release Notes 3

IdentityIQ Release Notes

Feature/Enhancement Description

The audit log does not detail what the changes were. Internal versioning or tracking
should be used if you need to track the specific changes that are made.

IdentityIQ version 8.4 adds support for PostgreSQL version 15

Support for PostgreSQL

With this release, IdentityIQ begins an upgrade from Angular JS to Angular 15. UIs that
have been updated include the Login screen, the Identity Preferences UI, and the API
Authentication Global Settings page. More UI pages will be upgraded in future releases.

Users upgrading from an earlier version of IdentityIQ should be aware that custom wid-
Updates to Angular
gets and installed plugins may be impacted by the Angular upgrade. Verifying any
needed changes to custom widgets and installed plugins should be part of your upgrade
planning; widgets and plugins should first be evaluated in a non-production environment,
prior to being deployed in production.

In version 8.4, new libraries have been added, and some existing libraries have been
upgraded or removed. When you upgrade, be sure to test any custom forms in your imple-
Security Upgrades and
mentation, to ensure compatibility with the updated libraries.
Library Updates
A complete list of libraries is provided in the Important Upgrade Considerations for Iden-
tityIQ section below.

Important Upgrade Considerations for IdentityIQ

IdentityIQ 8.4 is a major release that contains numerous new features and capabilities across all areas of the product.
A comprehensive plan should be created when upgrading that includes becoming familiar with the new features and
changes, identifying use cases and how they are affected by the changes, creating a detailed strategy for migration of
configuration and customizations, testing the upgrade process using data and system resources that are as close to
the production environment as possible, and performing a complete deployment test cycle.

Security Upgrades
With this release, new libraries have been added, and some existing libraries have been upgraded, or removed.

Due to an increased overall industry focus on supply chain attacks and product security, SailPoint has become more
aggressive in updating third party libraries contained in IdentityIQ. SailPoint has always aggressively monitored the
security of all components of our products regardless of the source of the component and will continue to do so, and

SailPoint Release Notes 4

IdentityIQ Release Notes

SailPoint has always treated security issues found in all components of our products the same following our Product
Vulnerability Management Policy which defines remediation and/or mitigation timelines based on the severity of a vul-
nerability. It is important to note that the severity of a vulnerability in a standalone library encompasses every possible
use of the library. The severity of a finding or vulnerability in IdentityIQ due to a vulnerability in a library may be dif-
ferent due to the use of the library in IdentityIQ.

Many updates to third party libraries are not backward compatible, both at the API and functional level. Because of
this, the changes required are often not simple a replacement of the library, but also changes to the component in the
product that is a consumer of the library. Sometimes, a change to IdentityIQ behavior and/or APIs to accommodate
these changes is required. Given that IdentityIQ is a platform that many of our customers and deployment partners
use to build identity management solutions, the impact of these types of changes can be very high and our preference
based on customer demand and feedback remains to introduce library changes in releases and not in patches unless
remediation for a security vulnerability is required in which case updates can be introduced in patches.

A list of libraries that have been added or upgraded in this release is provided below. These are separated into the lib-
raries in the IdentityIQ server layer and those in the IdentityIQ connector layer. Some libraries in the connector layer
are bundled into larger packages and therefore the changes are not as visible when inspecting product file names.

For connector library upgrades, see Important Upgrade Considerations for Connectors.

Starting in recent IdentityIQ releases and patches, a list of the libraries embedded in a connector bundle are contained
in a file named SBOM.txt at the root of the bundle jar file.

IdentityIQ should not be thought of as a collection of independently upgradeable components, but instead a complete
solution supported by SailPoint as it is delivered. Customers and deployment partners should not remove, modify, or
update components of IdentityIQ outside of official releases by SailPoint.

Important: When upgrading, be sure to test any custom forms in your implementation, to ensure
compatibility with the updated libraries.

The following is a list of the current libraries:

l ActiveMQ 5.17.4

l ActiveMQ (geronimo-j2ee-management-1.1-spec) 1.0.1

l ActiveMQ (hawtbuf) 1.11

l Apache Ant 1.10.12

l Bouncy Castle 1.70

SailPoint Release Notes 5

IdentityIQ Release Notes

l Byte-buddy 1.12.10

l dbcp2 (Part of Commons) 2.9.0

l net.tascalate.javaflow.api (Part of Commons) 2.7.1

l Lang (Part of Commons) 3.12.8

l Net (Part of Commons) 3.9.0

l Pool2 (Part of Commons) 2.11.1

l Text (Part of Commons) 1.10.0

l Easymock 5.1.0

l Ehcache 3.10.0

l Failsafe 2.4.4

l Gson 2.9.0

l Guice servlet 5.1.0

l Httpcore 4.4.15

l Jersey 2.35

l junit 4.13.1

l mimepull 1.9.15

l Java JSON Web Token (jjwt) 0.11.2

l jackson 2.13.2

l Jackson (jackson-dataformat-yaml) 2.13.2

l Jackson (snakeyaml) 1.30

l jakarta.json 2.0.1

SailPoint Release Notes 6

IdentityIQ Release Notes

l jakarta.json-api 2.1.0

l jasperreports-javaflow 6.19.1

l jakarta.activation 1.2.1

l jakarta.mail1.6.7

l javassist 3.29.0

l jcommon 1.0.24

l jakarta.servlet-api 4.0.4

l junit 4.13.2

l JJWT 0.11.5

l Jline 3.21.0

l Joda-time 2.10.14

l Json-path 2.7.0

l Json-smart 2.4.8

l Java-jwt 3.19.1

l jwks-rsa 0.21.1

l mysqlconnector-java 8.0.33

l okhttp 4.9.3

l okio 2.8.0

l kotlin-stdlib

l openpdf 1.3.27

l cryptacular 1.2.5

SailPoint Release Notes 7

IdentityIQ Release Notes

l java-support 7.5.2

l OpenSAML 3.4.6

l OpenSAML (metrics-core) 4.2.9

l OpenSAML (xmlsec) 2.3.0

l javaee-api 8.0.1

l slf4j 1.7.32

l Spring 5.2.24

l twillio 8.14.0

l sshj0.31.0

l asn-one 0.5.0

l xmlschema 2.2.5

l xmlsec 2.2.2

l objenesis 3.2

l ngdbc 2.8.12

l testng (jcommander) 7.5

l lucene 8.8.2

l primefaces 8.0.12 (paid)

l jquery 3.5.1

l json 20210307

l XML Unit 2.9.0

SailPoint Release Notes 8

IdentityIQ Release Notes

Unable to Create Applications with Tomcat 9.0.78

When IdentityIQ is running with Tomcat 9.0.78 or higher, we are unable to create applications for few of the con-
nectors (like ACF2-Full, Top Secret) and the following error is seen on the Tomcat screen:

More than the maximum number of request parameters (GET plus POST) for a single request ([1000]) were detected.
Any parameters beyond this limit have been ignored.

To resolve this, set the maxParameterCount parameter to a higher value (default - 1000) in server.xml and restart the
Tomcat server.

New Database Added with Access History Feature

The Access History feature adds a new database to IdentityIQ. The database for storing Access History data is sep-
arate from the IdentityIQ database. The IdentityIQ install and upgrade scripts will create separate databases for Iden-
tityIQ and Access History data. The databases can be within the same instance for convenience, but separate
database instances are recommended for production environments to avoid an impact on IdentityIQ performance.
Depending on your environment setup and on the number of daily changes to your identities, the Access History data-
base can be large, and will continue to grow.

ActiveMQ Table Casing

If a user changes the standard ActiveMQ casing for tables, this may result in problems with the embedded brokers
falsely claiming that the tables do not exist on start up.

JasperReports Update
The JasperReports library has been updated to version 6.19.1. Any custom forms should be tested prior to the Jasper-
Reports upgrade.

Java 11
IdentityIQ 8.4 is compiled with Java 11. Plugins and other integrations must be compiled under Java 11 to be com-
patible with IdentityIQ 8.4.

Angular 15
The Angular framework has been upgraded from AngularJS to Angular 15 on the following pages.

l Login

l Identity Preferences

l Global Settings → API Authentication

SailPoint Release Notes 9

IdentityIQ Release Notes

These upgrades could potentially impact installed plugins, if the plugins use AngularJS and/or modify the rendering of
the affected page. After upgrade to 8.4, we recommend that any plugins are first evaluated in a non-production envir-
onment, prior to being deployed in production.

Deserialization of Untrusted Data

[SECURITY] Deserialization of untrusted data is a security risk that should be avoided. Java introduced a serialization
filtering feature in JDK 9 and later backported to versions 6, 7 and 8 which allows for serialization of classes specified
in a filter via the "jdk.serialFilter" system security property. IdentityIQ now only allows deserialization of classes from
the sailpoint package. String, primitive classes, and arrays are allowed by default. Support for the configurable filters
has been included in the CPU releases for JDK 8u121, JDK 7u131, and JDK 6u141.

Security Fix for SetIdentityForwarding Right

[SECURITY] This release contains a fix for an important security vulnerability that was previously announced. The vul-
nerability allows authenticated users assigned the Identity Administrator capability or any custom capability that con-
tains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones
that should be allowed by Lifecycle Manager Quicklink Population configuration. This vulnerability in IdentityIQ is
assigned CVE-2022-45435.

As with all software vulnerabilities, we recommend that all customers apply this upgrade or the e-fix for IIQSR-727
available in the Product Download Center on Compass as soon as possible.

JSON Libraries Replaced with Jackson

All uses of the JSON-java library have been replaced with Jackson.

Processing Objects with Non-Standard Object IDs

In 8.3 GA and 8.3p1, processing objects with nonstandard object IDs caused NativeIdentityChange propagation to fail
with the exception “Attempt to generate refresh event with null object”. When this error occured, the failed Nat-
iveIdentityChangeEvents blocked provisioning. This issue has been resolved. For customers impacted by it in earlier
versions, a new task template, “Reset Failed NativeIdentityChange Events”, has been added in this release that re-
processes these events to:

l Report the number of failed events

l Prune events where the old and new values only differ by case

l Reset failed events and launch tasks to re-process them

A new option, detectNativeIdentityChangeCaseSensitive, is now supported that improves performance. This option
defaults to false. When enabled, it triggers creation of a NativeIdentityChangeEvent in IdentityIQ even if the native

SailPoint Release Notes 10

IdentityIQ Release Notes

identifier for Account or Group only differs by case from the value in IdentityIQ. To enable this option, add the following
to the Attributes Map of the System Configuration:

<entry key=“detectNativeIdentityChangeCaseSensitive” value=“true”/>

AI Role Mining Plugin Functionality Moved to Base IdentityIQ Product

In 8.4, the functionality previously available in the IdentityAI Role Mining plugin is now in the base IdentityIQ product.
Upon upgrade to 8.4, if the IdentityAI Role Mining plugin was previously installed, the plugin will be uninstalled and
any configuration from that plugin will be added to the AI Services Configuration under a new section, "Access Model-
ing".

There are two new SPRights: ManageIAISpecializedRoleDiscovery and ManageIAICommonAccessDiscovery.

There is one new capability, AIAccessModelingAdministrator, containing those two SPRights and also having
ViewIdentity, which is necessary for Access Modeling.

There is no separate System Configuration key to enable Access Modeling apart from identityAIEnabled. The
Access Modeling configuration will be visible on the AI Services Configuration page to IdentityIQ customers with AI
subscriptions, regardless of whether they subscribe to the Access Modeling module specifically. However, in such
cases the Access Modeling functionality will still be disabled in their IdentityNow tenant.

New Configuration Page/Rights Entries Added to webresources.xml

New Installations or Upgrades will add the new Access History/Data Extract/Broker configuration pages/rights entries
into webresources.xml. Customers should review the changes and merge theirs if different from the out-of-the-box
configuration.

Form Beans Required in Form Submissions

[SECURITY] Form Beans used to process SailPoint Form submissions must now implement the FormBean interface.
Anything else will throw an exception and block submission of the form.

This release contains a fix for an important security vulnerability that was previously announced. This vulnerability
allows an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map
argument in any Java class available in the IdentityIQ application classpath. This vulnerability in IdentityIQ is assigned
CVE-2023-32217. As with all software vulnerabilities, we recommend that all customers apply this upgrade or the e-fix
for IIQFW-655 available in the Product Download Center on Compass as soon as possible.

Security Fix to JavaServer Faces (JSF) Library

[SECURITY] A file traversal vulnerability in the JavaServer Faces (JSF) library has been fixed.

This vulnerability allows access to arbitrary files in the application server filesystem due to a path traversal vul-
nerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability con-

SailPoint Release Notes 11

IdentityIQ Release Notes

tained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN
IIQSAW-3585. This vulnerability in IdentityIQ is assigned CVE-2022-46835.

As with all software vulnerabilities, we recommend that all customers apply this upgrade or the e-fix for IIQFW-336
available in the Product Download Center on Compass as soon as possible.

Workflow Approval Arguments to Prevent ObjectAlreadyLocked Exceptions

Two new approval arguments are available on an Approval step in a workflow so that end users will not see
ObjectAlreadyLocked exceptions after completing an approval workitem and the workitem is locked. Using either of
these options will disable the automatic display of the next workitem in a "wizard" workitem scenario:

<Arg name="backgroundApprovalCompletion" value="script:true"/>

This will move approval completion to background processing to free the user from waiting until the workitem is pro-
cessed by the workflow before returning to the home page.

<Arg name="backgroundApprovalCompletionIfLocked" value="script:true"/>

This will only move the approval completion process to the background if the workitem or workflow is locked by
another user or another process. This will prevent the user from seeing a popup and return the user to the home page.

JDNI Datasources for Access History Database

If you are using a JNDI datasource for your access history database, you will need to make a few configuration
changes.

1. Extract configBeans.xml out of the lib/identityiq.jar, and copy that file into the WEB-INF/classes
directory.

2. Add a new bean to configBeans.xml as follows:

<!--
App-server managed data source for accessHistory database that is looked up in
JNDI. The location of the data source is configured with jndiName in
iiq.properties.
-->
<bean id="jndiAccessHistoryDataSource"
class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName" value="jdbc/overrideInIIQProperties"/>
<property name="lookupOnStartup" value="false"/>
<property name="cache" value="true"/>
<property name="proxyInterface" value="javax.sql.DataSource"/>
</bean>

3. In iiq.properties, define the datasource as follows:

SailPoint Release Notes 12

IdentityIQ Release Notes

jndiAccessHistoryDataSource.jndiName=[insert your data source here. For example,

java:comp/env/jdbc/testDataSourceAccessHistory]
configuredDataSourceAccessHistory.targetBeanName=jndiAccessHistoryDataSource

Important Upgrade Considerations for Connectors

General Updates for Connectors

l Microsoft has announced that Basic Authentication for exchange Online is no longer available after October 1,
2022. You can update your Azure Active Directory applications configured to manage Exchange Online using
modern authentication supported by connector. Be sure to upgrade the IQService to the one which is bundled
with the release. For more details regarding Microsoft announcement, refer Basic Authentication Deprecation
in Exchange Online – May 2022 Update

l The Salesforce connector now supports API version 56.0, For existing applications, remove the User- Per-
missionsMobileUser attribute from the schema for the connector to work with the new 56.0 API version

l The Salesforce connector now supports creating new Portal and Partner Users as well as assigning Portal and
Partner Licenses to existing Salesforce Users using their respective user profiles. Ensure that the service
account user has the "Manage Contacts" object [ R || W] added to the administrative user profile.

l The Salesforce connector now supports creating, updating and deleting Public Groups. Ensure that the service
account user has "Public Groups" object [ R || W] added to the administrative user profile.

l The IQService version must match the IdentityIQ server version, including the major release and patch ver-
sions. When one is upgraded, the other must also be upgraded, so that the version and patch levels match. For
more information on upgrading the IQService, see the IdentityIQ Installation guide chapter on upgrading

l The Zoom connector no longer supports API Token Authentication. Configure your Zoom application to use
Oauth2 Authentication, to avoid any failures.

Connector Security Upgrades

With this release, new libraries have been added, and some existing libraries have been upgraded, or removed. The
following is a list of the current libraries:

l accessors-smart-2.4.8

l bcel-6.6.1

l commons-fileupload-1.4

l hk2-api-3.0.3

SailPoint Release Notes 13

IdentityIQ Release Notes

l hk2-locator-3.0.3

l hk2-utils-3.0.3

l hibernate-core-6.1.5.Final

l jersey-hk2-3.0.4

l jackson-databind-2.13.3

l jakarta.annotation-api-2.1.0

l jakarta.validation-api-3.0.1

l jakarta.ws.rs-api-3.1.0

l jersey-hk2-3.0.4

l jersey-client-3.0.4

l jersey-common-3.0.4

l jersey-container-servlet-core-3.0.4

l jersey-media-jaxb-3.0.4

l jersey-media-multipart-3.0.4

l jersey-server-3.0.4

l jersey-apache-connector-3.0.4

l jasperreports-javaflow-6.19.1

l jackson-core-2.13.3

l javax.faces-2.4.0

l javax.mail-1.6.2

l kotlin-stdlib-1.7.10

SailPoint Release Notes 14

IdentityIQ Release Notes

l mysql-connector-java-8.0.30

l mysql-connector-java-8.0.30

l org.jacoco.ant-0.8.8

l spring-core-5.3.20

l spring-core-5.3.22.RELEASE

l spring-web-5.2.22.RELEASE

l testng-7.6.1

SailPoint Release Notes 15

Supported Platforms

IMPORTANT: SailPoint does not support anything beyond the compatibility of the platform
vendors. Confirm the interoperability and support from those vendors when deciding on your plat-
forms.

Operating Systems

l Windows Server 2022 and 2019

l Solaris 11 and 10

l IBM AIX 7.3 and 7.2

Note regarding Linux Support: The distributions and versions of Linux highlighted below have
been verified by IdentityIQ Engineering, but any currently available and supported distributions
and versions of Linux will be supported by SailPoint. Implementers and customers should verify
that the distribution and version of Linux of choice is compatible with the application server, data-
base server, and JDK also being used.

l Red Hat Linux 9.1 and 8.8

l SuSe Linux 15 and 12

Application Servers

l Apache Tomcat 9.0

l Oracle WebLogic 14c

l JBoss Enterprise 7.4 and 7.3

l IBM WebSphere Liberty 21.0 and 22.0

Databases (On Site)

l IBM DB2 11.5

l MySQL 8.0

SailPoint Release Notes 16

 l MS SQL Server 2022 and 2019

l Oracle 19c

l PostgreSQL 15

Message Brokers

l ActiveMQ 5.17.4

Cloud Platforms

l AWS EC2

l AWS Aurora

l AWS RDS (MySQL, MS SQL, Oracle)

l Azure (VM, Azure SQL)

l Google Cloud Platform – Google Compute Engine

Java Platform

l Sun, Oracle or IBM JDK 11 and JDK 17 for all application servers that support those versions

l OpenJDK11 is now supported on all environments, but we have specifically tested against Adopt OpenJDK 11
and 17 for Windows and Red Hat OpenJDK 11 and 17 for Linux

l Eclipse Temurin JDK 11, 17

l IBM Semeru 17.0.5.0

Browsers

l Google Chrome Latest Version

l Microsoft Edge Latest Version

l Safari 16

l Firefox Latest Version

SailPoint Release Notes 17

Mobile User Interface OS / Browser Support

l Android with Chrome 13

l iOS with Safari 16

Languages

l Brazilian Portuguese

l Chinese (Taiwan)

l Danish

l Dutch

l English

l Finnish

l French

l French Canadian

l German

l Hungarian

l Italian

l Japanese

l Korean

l Norwegian

l Polish

l Portuguese

l Simplified Chinese

l Spanish

SailPoint Release Notes 18

 l Swedish

l Traditional Chinese

l Turkish

Connectors and Integration Modules Enhancements

IdentityIQ 8.4 provides various enhancements in the following connectors and integration modules.

New Connectors
IdentityIQ 8.4 delivers new, out-of-the-box connectors for the following enterprise applications, which simplifies the
connectivity of these systems.

New Con-
Description
nectors

BMC Helix The BMC Helix Remedyforce ITSM Service Desk Integration module is designed to provide the
Remedyforce service desk experience in Identity IQ. The integration supports creation of tickets within Identity
Service Desk IQ for manual provisioning operations and status checks. Service desk integration module
Integration ensures synchronization of ticket status between Identity IQ and the BMC Helix Remedyforce Ser-
Module vice Desk system.
The new SailPoint Coupa connector provides the capability for seamless and secure connection
Coupa Con- to the Coupa system, and manages user access and groups throughout the user’s lifecycle. This
nector integration also manages user-groups, content-groups, account-groups and approval-groups
membership as entitlements.
The Generic Service Desk integration offers connectivity with different IT Service Management
Generic Ser-
(ITSM) solutions. It supports the creation of tickets, which can be configured to align with the spe-
vice Desk
cific service request types of the target ITSM solution. This integration brings the service desk
Integration
experience into the SailPoint platform, enabling users to raise and track service desk tickets to
Module
their logical closure from SailPoint IdentityIQ.
The Epic SER connector provides the capability to manage Epic Provider (SER) records. It sup-
IdentityIQ for
ports aggregation of Provider records as accounts and lifecycle capabilities including create
EPIC SER
account, update account, and enable/disable account.
The Cherwell connector offers seamless connectivity to the Cherwell ITSM solution, enabling
Ivanti Cherwell
aggregation and provisioning of two distinct Cherwell user types: 'users' & 'customers'. This integ-
Connector
ration enables robust user access management and governance in the Cherwell System.
Ivanti Cherwell The Cherwell Service Desk Integration Module (SDIM) brings the service desk experience into the
Service Desk SailPoint platform, enabling users to raise and track service desk tickets (Service Request & Incid-

SailPoint Release Notes 19

New Con-
Description
nectors

ent) to their logical closure in Cherwell ITSM solution from SailPoint IdentityIQ.
Azure SQL Database connector provides connectivity with Azure SQL Database for user access
Microsoft
governance and management. The connector supports the management of Microsoft Azure SQL
Azure SQL
database logins as accounts and users associated to login accounts. It supports aggregation, pro-
Database
visioning and full account management.
Oracle Fusion HCM Accounts connector provides the capabilities to manage HCM users’
Oracle Fusion accounts. It supports the aggregation of accounts and roles. The connector also provides for full
HCM Accounts lifecycle capabilities including account creation, updation, and role assignment/revocation with
accounts.
Oracle Enter-
prise Per-
The new Oracle Enterprise Performance Management (EPM) Cloud governance connector
formance
provides the capability for managing user accounts, predefined roles, application roles, and
Management
groups. The integration supports EPM Cloud Services for Financial Consolidation and Close
(EPM) Cloud
(FCCS), Account Reconciliation (AR), Planning, Narrative Reporting (NR).
governance
Connector
The new Oracle HCM Cloud connector provides read capability from Oracle Fusion HCM for "per-
son" details when Oracle Fusion HCM is the HR data source for the organization. This new con-
Oracle HCM
nector’s capabilities include operations such as full account aggregations using recommended
Cloud Con-
designs from Oracle to use performance-based file extract methods, and any incremental user
nector
data changes to be detected via delta aggregation using “Oracle’s Atom Feeds”. The connector
also provides capabilities to refresh any accounts coming in, as well as discover new schemas.
The new SAP Concur Connector provides Identity Governance on Expense management ser-
SAP Concur vices provided by Concur. The integration supports enforcing policies and permissions for grant-
Connector ing and revoking access to systems and data based on user identities, roles, and associated
groups for Expense, Request, Invoice, and Reporting.
SailPoint’s Integration for the SAP Fieldglass Vendor Management System offers governance cap-
SAP Fieldglass abilities for contingent workers. It offers seamless governance of external users management for
Connector joiners, movers, leaver workflows, and separation of duty (SOD) checks based on user roles,
attributes, and entitlements.
Snowflake Con-
A new Snowflake Connector is now available to govern identities for Snowflake Data Lake.
nector

SailPoint Release Notes 20

ACF2
l Supports z/OS 2.5

Active Directory
l Supports aggregation of domain NetBIOSName as part of account and group aggregation. You need to add
NetBIOSName as a schema attribute with the type as String in the Account and Group schema to leverage this
feature.

l Supports Microsoft Windows Server 2022.

Amazon Web Services

l Supports AWS GovCloud (US) Regions.

Atlassian Suite - Server

l Supports the following new versions:

l Supports Jira Service Management version 5.2

l Supports Jira Software Server version 9.6

l Supports Confluence version 8.1

l Supports Bitbucket version 8.8

l Supports Bamboo version 9.2

Atlassian Server Jira Service Management

l Supports Atlassian Jira Service Management (Server) version 5.2.0

Azure Active Directory

l Supports managing Azure PIM Role memberships to Azure Active Directory groups.

l Supports certificate based modern authentication to communicate with Exchange Online that is more secure
and is the Microsoft recommendation.

l Now provides visibility into user’s sign-in (last login) activity.

SailPoint Release Notes 21

 l Supports managing Azure Active Directory Role as a group object.

l Supports Continuous Access Evaluation (CAE), which leverages the Azure Active Directory real-time enforce-
ment of conditional access location and risk policies, along with instant enforcement of token revocation events
for an enterprise application (service principal).

l Support management of access packages.

l Supports managing user-assigned identities.

l Supports read and write of Azure Multi-Factor Authentication attributes required for various authentication
methods.

l Supports EXO V3 module for Exchange Online management feature.

l Supports filters for channels during entitlement aggregation.

l Supports User and Group advanced filters through the application UI.

l Supports giving visibility to read-only group hierarchy information during group aggregation.

l Supports managing Service Principal for enterprise Applications as an Account (Service Principal as Account).

l Supports creating SAML based applications and corresponding Service Principals using the Gallery applic-
ation templates.

l Supports creation of Service Principals for existing Applications.

BMC Helix
l Supports BMC Helix IT Service Management Suite version 22.1

BMC Helix ITSM Service Desk

l Supports OAuth 2.0 authentication.

l Supports version 21.3. With this new version, the connector supports service requests via the digital workplace
with a new ticket type called DWP Service Request.

l Supports BMC Helix IT Service Management Suite version 22.1

SailPoint Release Notes 22

BMC Remedy
l Supports BMC Helix 21.3 systems.

Cloud Gateway
l Supports using load balancer with sticky-bit configuration.

l Supports new configuration to enable all operations for target collectors to be executed in Cloud Gateway.

l Supports the following new versions:

l Oracle JRE for Java version 17 and OpenJDK 17 platforms

l RHEL 9.0

l Microsoft Windows Server 2022

Duo
l Supports proxy setting from the application server settings and can also bypass the proxy for hosts listed in the
nonProxyHosts list.

EPIC
l The following Epic user fields are now supported as account attributes:

l PrimaryManager

l UsersManagers

l Supports Epic version May 2023

EPIC SER
l Enhanced to display provisioning failures at an attribute level.

Generic Service Desk

l Supports retrieving the ticket number from the URL if the create ticket response returns the URL instead of the
ticket number. The new attribute is Process Response Element Expression, and it should be populated with
parsing logic to fetch the ticket number from the response URL.

SailPoint Release Notes 23

Google Workspace
l Supports archiving and unarchiving users.

HCL Domino
l Supports HCL Domino version 12.0.2.

IBM Security Verify Governance

l Supports delta aggregation.

l Supports IBM Security Verify Governance version 10.0

IBM Security Verify Access

l Supports IBM Security Verify Access 10.0.3

l Supports IBM Security Verify Access 10.0.6 with support for backend servers: IBM Security Directory Suite ver-
sion 10.0.

l Deprecating REST API support.

Jack Henry
l Supports enabling and disabling accounts.

LDAP
l Supports Modify Time Stamp as a new delta aggregation mode.

l The UI has been updated to provide more fields for configuring the connection details to various LDAP Dir-
ectory servers.

Linux
l Supports Red Hat Enterprise Linux versions 8.5 and 8.8.

SailPoint Release Notes 24

Mainframe Connectors - RACF, ACF2, TopSecret
l Enhanced to support mutual TLS authentication for communication between IdentityIQ Connector Gateway
and the mainframe connector itself. You must upgrade to the latest version of Connector Gateway to leverage
this feature.

Microsoft SQL Server

l Supports Azure Managed Instances.

l Supports Microsoft SQL Server 2022.

Okta
l Enhanced to respect the password policy set in the Okta target system (in terms of password age and pass-
word history).

l Supports the addition and removal of custom roles directly associated with accounts.

l Supports aggregation of custom roles directly associated with accounts and groups.

l Enhanced to provide an option for multi-threading when aggregating groups and applications connected to
Okta accounts during account aggregation.

Oracle E-Business
l Supports the 12.2.11 Oracle EBS environment.

Oracle ERP Cloud

l Enhanced to support aggregation of data access information (security context and security context values)
even when not assigned to a role.

Oracle Fusion HCM

l Supports aggregation of additional attributes from the WORKERS API responses using a JSON Path.

l Enhanced account aggregation performance.

l Account aggregation will now fail when there is a planned outage (maintenance) on the Oracle system.

SailPoint Release Notes 25

Oracle Fusion HCM Accounts
l Oracle Fusion HCM Accounts connector provides the capabilities to manage HCM users’ accounts. It supports
the aggregation of accounts and roles. The connector also provides for full lifecycle capabilities including
account creation, updation, and role assignment/revocation with accounts.

l Account aggregation will now fail when there is a planned outage (maintenance) on the Oracle system.

Oracle Identity Manager

l Supports the Oracle Identity Manager 12C version.

Oracle PeopleSoft ERP

l Supports PeopleTool versions 8.60 to 8.60.05.

Oracle PeopleSoft HCM

l Supports PeopleTool version 8.60 to 8.60.05.

RACF
l Supports resource aggregation and provisioning as additional group schema, and requesting permissions for
accounts and groups.

l Supports z/OS 2.5

RSA
l Supports RSA Authentication Manager version 8.7 and 8.6.

SAP Direct
l Redesigned to use an SAP-certified function module for enhanced security and performance. The use of the
RFC_READ_TABLE has been made limited according to SAP recommendations.

SAP GRC
l Redesigned to use an SAP-certified function module for enhanced security and performance. The use of the
RFC_READ_TABLE has been made limited according to SAP recommendations.

SailPoint Release Notes 26

 l Enhanced to support account partitioning for SAP Basis version 751 and later.

l Enhanced to support additional attributes that are now configurable through the provisioning policy.

l Enabling and disabling accounts is now possible for all the GRC-connected systems and not just limited to the
master. This enables deeper governance and clean audit capabilities.

l Enhanced to support Additional Settings in the UI, which includes Access Request Type Mapping, Provisioning
Actions for Role, and Provisioning Actions for System sections.

l Supports access management requests that are configured for auto approval in the SAP GRC system.

SAP HANA
l Enhanced to support get and provisioning of external type users.

l Supports custom user parameters for aggregation and provisioning.

l Supports the following new versions:

l SAP HANA Cloud Database version 4.0 application

l SAP HANA 2.0 SPS6 version

SAP HR/HCM
l Redesigned to use an SAP-certified function module for enhanced security and performance. The use of the
RFC_READ_TABLE has been made limited according to SAP recommendations.

Salesforce
l Supports creating, updating, and deleting public groups (ensure that your service account user has the “Public
Groups” object [R || W] added into the administrative user profile).

l No longer supports Salesforce API version 48.0 or prior. The connector will only work on API version 56.

l Supports creating new portal and partner users, as well as assigning portal and partner licenses to existing
Salesforce users using their respective user profiles (ensure that your service account user has “Manage
Contacts” object [R||W] added into the administrative user profile).

l Supports use of the Enhanced Domains option in the Salesforce system.

SailPoint Release Notes 27

ServiceNow Identity Governance
l Supports configurable option to read deleted events (for example, removing a group or role) of user’s con-
nection from a custom table instead of the sys_audit_delete table. This enhances the delta aggregation per-
formance.

l Supports the ServiceNow Utah and Tokyo release.

IdentityIQ for ServiceNow Service Desk

l Supports pulling RITM status into SailPoint.

l Enhanced to populate the access request comment on the ServiceNow ticket. Existing service desk integ-
rations need to modify the provisioning task definition to include the comments for access request comments.
This feature is automatically included for all new configurations.

l Supports ServiceNow Tokyo and Utah release.

SharePoint Online
l Supports configurable endpoints when Azure Active Directory is deployed on a non-public national cloud
server.

SharePoint Server
l Supports managing Microsoft SharePoint Server Subscription Edition.

Siebel
l Supports Siebel server version 22.8.0.0.

Slack
l Supports creation of a guest user to have access to a single or multiple channels in Slack Enterprise Grid Plan.

SuccessFactors
l Enhanced to support account delta aggregation.

l Enhanced to exclude Personal Identifiable Information (PII) data for employees.

SailPoint Release Notes 28

 l Enhanced to manage external users, and their entitlements, who are in the onboarding stage.

l Supports additional attributes and custom attributes related to user entities via the ODATA API.

l Enhanced to aggregate selective employee records based on filtering criteria.

Web Services
l Supports Create, Update, and Delete for Group objects.

l Supports removing entitlements while disabling accounts and enabling entitlements while enabling accounts.

l Now provides example rules to show the use of Web Services operation rules to help configure the searchAfter
attribute for pagination.

Windows Local
l Supports Microsoft Windows Server 2022.

Workday
l Supports adding proxy level parameters in the Workday application.

l Supports Workday web service versions 39.1 and 38.0.

Workday Accounts
l Enhanced to integrate with Workday Learning Module and aggregate the training information associated with
users.

l Supports managing Service Center Representative accounts.

l Supports filtering of accounts based on the Organization Type and Organization Reference ID.

l Supports aggregation and provisioning of future accounts ahead of their hire date.

l Enhanced to provide an option for multi-threading, which will improve the account aggregation performance.

l Supports additional schema attributes for User-Based Security Group objects.

SailPoint Release Notes 29

Zoom
l Supports OAuth 2.0 authentication.

l Authentication Type “API Token” is no longer supported. Set up your Zoom application to configure Oauth2.0
Authentication to avoid any failures.

Connectivity Supported Platform and Language Updates

Connector/Component New Platform Version

Active Directory Con-

Supports Microsoft Windows Server 2022
nector
ACF2 Full Connector Supports z/OS 2.5
l Supports Jira Service Management version 5.2

l Supports Jira Software Server version 9.6

Atlassian Suite - Server

l Supports Confluence version 8.1
Connector
l Supports Bitbucket version 8.8

l Supports Bamboo version 9.2

BMC Remedy Connector Supports BMC Helix 21.3 system.

BMC Helix Connector
BMC Helix ITSM Service
Desk Integration Module
Supports BMC Helix IT Service Management Suite version 22.1
Supports version 22.1.
l Supports Oracle JRE for Java version 17 and OpenJDK 17 platforms.

Cloud Gateway l Supports RHEL 9.0.

l Supports Microsoft Windows Server 2022

EPIC Connector Supports Epic version May 2022

HCL Domino Connector
IBM Security Verify
Access Connector
IdentityIQ for Atlassian
Server Jira Service Desk
Supports HCL Domino version 12.0.2.
l Supports IBM Security Verify Access 10.0.3
l Supports IBM Security Verify Access 10.0.6 with Supported Backend Servers:
IBM Security Directory Suite version 10.0
Supports Atlassian Jira Service Management (Server) Version 5.2.0

SailPoint Release Notes 30

Connector/Component New Platform Version

IdentityIQ for IBM Secur-

Supports IBM Security Verify Governance v10.0
ity Identity Manager
IdentityIQ for ServiceNow
Supports the ServiceNow Tokyo and Utah release.
Service Desk
Linux Connector Supports Red Hat Enterprise Linux versions 8.8 and 8.5.
Microsoft SharePoint
Supports managing Microsoft SharePoint Server Subscription Edition.
Server Connector
MS SQL Server - Direct
Supports MS SQL Server 2022
Connector
Oracle E-Business Con-
Supports the 12.2.11 Oracle EBS environment
nector
Oracle Identity Manager
Supports the Oracle Identity Manager 12C version.
Connector
PeopleSoft Connector Supports PeopleTools version 8.60.05 and 8.59 environment
PeopleSoft HCM Con-
Supports PeopleTool version 8.60.05
nector
RACF Full Connector Supports z/OS 2.5
RSA Connector Supports RSA Authentication Manager version 8.7 and 8.6
SAP Business Suite
Integration is certified with 'SAP HANA S/4 2022'
(ERP)
SailPoint Identity
Governance Connector Supports the ServiceNow Tokyo and Utah release.
for ServiceNow
l Supports SAP HANA Cloud DB ver 4.0 application
SAP Hana DB Connector
l Supports SAP HANA 2.0 SPS6 version

Supports API version 56.0 (For existing applications, you must remove the User-
Salesforce Connector PermissionsMobileUser attribute from the schema for the connector to work with the
new 56.0 API version.)
ServiceNow IdentityIQ for
Supports the ServiceNow Tokyo and Utah release.
Service Desk
ServiceNow Catalog
Supports the ServiceNow Tokyo and Utah release.
Integration
l Enhanced to support the account delta aggregation
SAP SuccessFactors
Connector
l Enhanced to exclude PII data for employees.

SailPoint Release Notes 31

Connector/Component New Platform Version

Siebel Connector Supports Siebel server version 22.8.0.0.

Top Secret Supports zOS 2.5
Top Secret LDAP Supports zOS 2.5
Windows Local Con-
Supports Microsoft Windows Server 2022
nector
Workday Connector Supports Workday web service version 38.0 and 39.1

Connectivity Dropped Platform Support

Connector/Integration Module Dropped Platforms

ACF - Full z/OS 2.2 and z/OS 2.3 systems

No longer supports the following:

l Jira Software Server version 8.13 and 8.12

Atlassian Suite Server Connector l Confluence version 7.8 and 7.7

l Bitbucket version 7.5

l Bamboo version 7.1 and 7.0

IdentityIQ for ServiceNow Service Desk

ServiceNow Paris, Rome, and Quebec release.
Integration Module (SDIM)
Oracle Identity Manager 11g R1 and Oracle Identity Manager 11g
IdentityIQ for Oracle Identity Manager
R2 releases.
IBM AIX Connector AIX version 7.1
Red Hat Enterprise Linux versions 8.4, 8.3, 8.2, 8.1, 8.0, 7.9, 7.8
Linux Connector
and Ubuntu OS Version 18.04 LTS.
Oracle Solaris Connector Solaris versions 11.3, 11.2, 11.0 and 10.0
RACF -Full z/OS 2.2 and z/OS 2.3 systems
RACF - LDAP z/OS 2.2 and z/OS 2.3 systems
RSA Connector RSA 8.3, 8.4, and 8.5 version.
SailPoint Identity Governance Connector for
ServiceNow Paris, Rome, and Quebec release.
ServiceNow
ServiceNow Service Desk Paris, Rome, and Quebec releases.
Top Secret z/OS 2.2 and z/OS 2.3 systems

SailPoint Release Notes 32

Connector/Integration Module Dropped Platforms

Top Secret LDAP z/OS 2.2 and z/OS 2.3 systems

Zoom API Token authentication type.

Dropped Connector Support

End of Life: The following connectors and connector components are no longer supported:

l Oracle Fusion HCM Connector - On December 31, 2023, Oracle Fusion HCM Connector will no longer be sup-
ported. Use the newly-released Oracle HCM Cloud Connector. For documentation on the new connector, refer
to Integrating SailPoint with Oracle HCM Cloud.

l IdentityIQ for Oracle Identity Manager - IdentityIQ for Oracle Identity Manager Version 1: Connection via OIM
Integration Web Application is no longer supported. Use the newly-released Identity IQ for Identity Manager
Version 2: Connecting Oracle Identity Manager via Oracle Client API. For documentation on the new con-
nector, refer to IdentityIQ for Oracle Identity Manager V2.

l IBM Tivoli Access Manager - Support for REST API for IBM Tivoli Access Manager connectors is no longer sup-
ported.

l Zoom - Support for API Token authentication is no longer supported.

Known Issues - IdentityIQ

Issue ID Description

When an assigned role that has been added by an assignment rule is removed from an
IIQETN-11203 identity through a revoke or remove action, Access History will not recognize that there
is a negative assignment. As a result, role removal events are not created consistently
and some data and counts may be incorrect.
In the Access History feature, if any of the roleAssignments for an identity capture are
IIQETN-11209
set to negative=”true”, then the counts shown in the UI for Roles and Entitlements
may be inaccurate.

SailPoint Release Notes 33

Resolved Issues - IdentityIQ

Issue ID Description

IIQSR-
Entitlements are now revoked completely when revoking through Policy Violations.
761
IIQCB-
<Includes></Includes> tags can now be used for scripts in workflows.
4662
IIQCB- When the Assigned Role field on the Advanced Identity Search page is set to "is not equal to" now will
4680 exclude identities with multiple assigned roles if one of those roles matches the supplied value.
IIQCB-
Certification bulk delegated items with line item delegations no longer show errors.
4686
IIQCB-
Workflow exceptions are now localized.
4697
IIQCB-
Access Request Emails now uses EmailTemplate SessionProperties.
4699
IIQCB- When 'Show Password' option is enabled, we now disable historical passwords autofill as a hint when
4708 entering the next password.
IIQCB- On the Rapid Setup Leaver / Identity Operations pages, the Reassigned Artifacts Types pulldown no
4710 longer contains "Alert", "Classification", "Plugin", and "Task and Report Schedules".
IIQCB-
Importing an application no longer deletes and orphans schemas when running aggregation
4759
IIQCB- SAML Electronic Signatures can now be used with custom approval forms the same way that SAML
4792 Electronic Signatures are used with Approvals.
IIQCB- The Entitlement Catalog now displays when a Boolean type extended attribute is included in the search-
4825 able attributes.
IIQCB-
Running a RequestObjectSelector Rule no longer errors when filtering for extended attributes.
5042
IIQCB- On the Role Search page when filtering by profile the filter type will now include "Entitlement" value in
5374 the dropdown when there is at least one Role-Entitlement Association that is not of type "Permission".
[SECURITY] SailPoint Form sections with type `text` or `datatable` no longer render HTML by default.
IIQFW-1 Fields that need to display HTML must now provide the `contentIsEscaped` attribute and set it to `true`.
Any dynamic or user-entered content in the field must be escaped in order to be secure.
[SECURITY] HTML embedded in entitlement or role names will no longer be rendered as part of sur-
IIQFW-2
rounding formatting HTML.
[SECURITY] When MFA authorization workflow is configured and the user clicks on Forgot Password
IIQFW-7
for reset, the security authorization questions page can not be skipped until the reset workflow action is

SailPoint Release Notes 34

Issue ID Description

successful.
[SECURITY] On the Approvals page, HTML embedded in entitlements and roles will no longer render in
IIQFW-36
the browser.
IIQFW- [SECURITY] The server now escapes potentially harmful HTML contained in message parameters
224 before being displayed in the UI.
IIQCB-
The Policy Violations Details no longer displays HTML tags
4992
IIQCB- Processing a role that cannot be processed no longer results in a NullPointerException. As part of this
5034 change, IdentityIQ has improved diagnostic logging when unable to analyze a role for profile relations.
IIQFW- [SECURITY] IdentityIQ allows deserialization of classes from the sailpoint package by default. If the
287 jdk.serialFilter property is provided, it is recommended that it also specifies the sailpoint package.
IIQFW-
[SECURITY] A file traversal vulnerability in the JavaServer Faces (JSF) library has been fixed.
336
IIQFW- Added role="alert" to the message element, so the screen reader can now detect and read the mes-
369 sages displayed on the home page.
IIQFW- [SECURITY] IdentityIQ no longer supports an empty WebResource config. Running IdentityIQ without
584 a WebResource config will prevent the site from working for any non-SysAdmin user.
IIQFW- A 'data is still loading' alert message is now displayed during revocation of certification items, when the
634 items haven't finished loading, instead of throwing an exception.
IIQFW- Resolved issue where the Load More option was not being presented for certification campaigns con-
654 taining multiples of 5 + 1. For example: 6, 11, 16, 21, etc.
IIQFW-
[SECURITY] Updated UI so that instead of the actual client secret value we will send a dummy value.
728
IIQFW- [Security] Removed option to view security authentication question answers in clear text. The answer
729 fields are treated as password values. Actual answer values are no longer sent back to browser.
IIQFW-
[Security] The Spring library is now updated to version 5.2.24
833
With the upgrade to the JasperReports 6.19.1 library, the HtmlExporter.exportText() method in the sail-
IIQSR-836
point.reporting.export package is now deprecated and will be removed in a future release.
IIQSR-825 The option to select Class Action "Identity" in the Audit Configuration page is now available.
[SECURITY] Users who have no access to scoped Identities are no longer allowed to make requests
IIQSR-818
for those Identities.
A custom filter in a CertificationDefinition is now always copied to a new Certification created from that
IIQSR-815
CertificationDefinition as a template.
IIQSR-810 Classification Filter Rules are now exposed as task arguments. The number of records fetched with

SailPoint Release Notes 35

Issue ID Description

each SCIM call is now configurable via the "Page Size" argument on the FAM Classifications task. The
FAM Classification task is now more tolerant of errors. The "Retry Limit," "Retry Gap," and "Max Errors"
arguments have been added to the FAM Classification task to allow users to adjust how tolerant it is.
Role Profile synchronization now leverages the proxy Application, if needed, when fetching the enti-
IIQSR-808
tlement attribute.
A "source" attribute value of AttributeAssignment is no longer changed to "Rule" after native deletion
IIQSR-807
and re-provisioning.
[SECURITY] The Apache Commons Net library was updated to version 3.9.0 to mitigate a potential vul-
IIQSR-804 nerability in Nets FTP client that will by default trust a host from a PASV response. The updated library
will by default ignore such hosts.
[SECURITY] OAuth secrets are no longer fetched en-masse and will only be fetched with each indi-
IIQSR-803
vidual request for the secret of each OAuth client.
The Jasper Report for an unpartitioned Account Aggregation task is now rendered successfully on task
IIQSR-801
completion if a partitioned aggregation task is executed concurrently.
[SECURITY] Unauthorized server responses (error code 401) that result in browser login prompts can
IIQSR-800
now be overridden to prevent popups.
The message "Skipping aggregation of application in maintenance window" now appears for an applic-
IIQSR-799
ation in maintenance mode during a partitioned aggregation.
IIQSR-798 Identity Snapshots with unordered entitlement lists no longer cause an error in the Identity Warehouse.
Exporting a certification no longer generates an exception if an Identity was deleted after the cer-
IIQSR-796
tification was created.
IIQSR-794 An error no longer occurs when an entitlement owner removes an owned entitlement from another user.
Identities with more than 2100 entitlements will no longer throw a Microsoft SQL Server error when view-
IIQSR-785
ing the Access list in the View Identity quicklink.
IIQSR-780 Sequential tasks will run accordingly when selected to execute on an alternate host.
IIQSR-779 Errors when loading an object from the database no longer have the potential to cause data corruption.
Approving a single work item via My Work -> Work Items, when configured to require comments, no
IIQSR-777
longer generates an exception.
Fixed a problem that prevented hierarchical groups from being properly created during partitioned
IIQSR-773
group aggregation.
An entitlement provisioned via role is no longer certified as an additional entitlement when the role
IIQSR-771
includes entitlements from multiple applications.
IIQSR-770 The last UI page viewed is now properly restored after a SAML SSO timeout.
IIQSR-767 A revoked entitlement is no longer displayed under Entitlements in the Identity UI.
IIQSR-766 Fixed issue where selecting permitted roles can cause a Hibernate exception when using custom quick-

SailPoint Release Notes 36

Issue ID Description

links to manage access requests and dynamic scopes are associated with the quicklink.
Loading the Manager User Access page no longer makes duplicate calls to REST resource: rest.ui.re-
IIQSR-765
questaccess.IdentityIdNameListResource.
LinkEdit AttributeRequests in the ProvisioningPlan are now ignored during provisioning, avoiding gen-
IIQSR-763
eration of a manual workitem.
IIQSR-758 Permitted roles may now be deprovisioned via Batch Requests.
IIQSR-756 Application schemas now correctly handle '#' characters in attribute names.
IIQSR-755 Indirectly controlled Scopes are checked when accessing task and report results.
Business roles that expire but have a pending expiration extension are now properly adding IT role
IIQSR-752
when the extension is approved.
The text displayed in a certification message pop-up is now localized based on the browser's configured
IIQSR-750
language.
IIQSR-747 Auditing the delete of a WorkItem object no longer causes a LazyInitializationException error.
IIQSR-745 Reports downloaded as CSV no longer have repeated headers with misaligned column data.
The Manager column is now present in the Certification .csv export after launch of an Entitlement
IIQSR-744
Owner certification.
IIQSR-742 Inherited capabilities are now considered when adding capabilities to groups.
IIQSR-740 Login timeouts no longer cause a cascade of HTTP 408 errors leading to the filling of server logs.
[SECURITY] The LCM Manage Password workflow for self-service password reset no longer logs the
IIQSR-739
password in clear text with tracing enabled.
IIQSR-737 The selected QuickLink is now considered during LCM removal of current access items.
The "Last Action Status" column in the Manage Accounts identity details table now shows "Failed
IIQSR-735
Enable/Disable" status when the related access request is expired.
An error no longer occurs when submitting an access request for an identity in an assigned workgroup
IIQSR-733
with an advanced policy containing a capability.
A user with multiple roles which share one or more entitlements no longer provokes a dependency error
IIQSR-732
when the roles are removed after expiration.
The status for a completed access request item will now move from "Provisioning" to "Completed" with
IIQSR-729
split provisioning enabled.
[SECURITY] Resolved a vulnerability that allows users to change settings on identities who are outside
IIQSR-727
of their control. Refer to the Upgrade Considerations section for more information.
The script pre-parser no longer throws a StringIndexOutOfBoundsException for rules with a large num-
IIQSR-724
ber of variable expansions using the $(...) notation.
IIQSR-723 Remediators are now determined for all requests in unmanaged provisioning plans.

SailPoint Release Notes 37

Issue ID Description

IIQSR-722 An error no longer occurs when selecting a saved search in Identity Advanced Analytics.
IIQSR-717 Entitlements included in IT roles are now successfully removed using a sunset date.
Removing classifications from Classifiable objects (Entitlements, Roles) now cleans up unneeded
IIQSR-711
records from the spt_object_classification table.
IIQSR-710 Reports that fail now clean up persisted database objects that would otherwise be orphaned.
The displayName attribute is now correctly set on an account when the account is created during the
IIQSR-706
provisioning of an entitlement.
Attribute sync no longer fails when an Identity has multiple accounts on an application and the target
IIQSR-699
mapping does not have 'Provision to all accounts' selected.
IIQSR-697 The assigned scope for a TaskDefinition is now transferred to the TaskResult for tasks and reports.
When running incremental exports, the Data Exporter task now correctly exports objects that had been
IIQSR-696
modified while the previous instance of the Data Exporter task was running.
IIQSR-694 Filtering on Role Source Value during Manage Access no longer causes an error.
Sequential Task execution is no longer handled by an active long-running parent task and is instead
IIQSR-692
part of the native function of the TaskManager.
IIQSR-689 Clarified the javadoc comments for the Util.stringToDate() method.
IIQSR-688 Permitted roles that are assigned now show as an assignedRole in the Access Request.
Access Request deep links no longer redirect to the self-service page repeatedly or lose track of query
IIQSR-686
parameters.
IIQSR-682 The processing of scheduled assignments no longer generates errors and duplicate requests.
Added check in query options to fetch quicklinks for identities with system administrator capability to
IIQSR-681
avoid incorrect roles and entitlements filtering.
A log error no longer occurs during Identity Refresh when calculating which Roles to auto-assign via a
IIQSR-679
Population with a multi-value Identity attribute.
Initializing date fields in forms with existing values no longer results in errors that prevent the date picker
IIQSR-678
from functioning.
An email notification is no longer sent to an owner if the "Email Owner on Pre-Delegation Completion"
IIQSR-676
option is disabled in the Certification configuration.
The submit button is now disabled when generating an Access Request, eliminating the possibility for
IIQSR-674
duplicate requests to be created via multiple selects of the ENTER or SPACE keys.
Fixed an access request issue that prevented roles from being assigned to the same identity multiple
IIQSR-673
times even when the option to allow it is enabled.
IIQSR-670 A validation error message is now displayed on empty required Date fields after a form submit.
IIQSR-668 System level tasks now allow concurrency where applicable.

SailPoint Release Notes 38

Issue ID Description

The 'Perform Maintenance' task now properly releases SailPoint contexts that are used when pro-
IIQSR-666
cessing background workflow events.
The Managed Attributes of type Identity now store the name of the selected identity to keep consistent
IIQSR-663
with other Managed Attributes.
IIQSR-662 Performance of activity scans with large data sets has been improved.
When moving a Link from an Identity, both the target and source Identity will have the 'needsRefresh'
IIQSR-661
flag enabled.
When a new certification is created using the “Use Certification as Template” feature to clone an exist-
IIQSR-660 ing certification that has "Require Electronic Signature" enabled, that option can now be disabled in the
new certification.
Possible database cursor leaks were fixed for situations when the "Aggregate Correlated Applications"
IIQSR-659
task encounters duplicate links.
Requests that create an account in which the native id is generated by an application in maintenance
IIQSR-658
mode will now have the corresponding identity request updated with that native id.
In a transient Workflow, any XHTML-based forms following the first form are now successfully dis-
IIQSR-657
played.
IIQSR-656 The Identity Entitlements Detail report now successfully incorporates filtering by Assigners.
IIQSR-654 Fixed an issue in the Role Archive report that caused the Profiles section to be excluded.
IIQSR-651 Added audit details for certification revoke for provisioning and remediation of certification's item.
The CheckedPolicyViolations SCIM API endpoint now consistently returns a description for all policy
IIQSR-645
types.
Improved extensibility of Upgrade and Patch framework for modules, including ensuring rswork-
IIQSR-637
flows.xml is imported when required.
Improved performance for applying manual decisions to items within Certifications containing several
IIQSR-635
entities with very few items each.
When configuring a forwarding user for an identity, the Submit button is now disabled if the "Select User
IIQSR-634
to Forward to" field is empty with "Start Date" and "End Date" specified.
IIQSR-630 CertificationDefinition assigned scope is now applied to the Certification schedule object.
When using a custom form, the form owner is now correctly assigned when the name of the identity
IIQSR-622
launching the workflow contains a comma.
An Entitlement Owner certification will now revoke all attribute assignments under the same owner of
IIQSR-617
an application instead of only a single entitlement from a group of entitlements.
IIQSR-615 Tracing of the SCIM classes is now possible from the log4j2.properties file.
The "Created on" and "Created By" fields are now updated in Identity Events for changes in sun-
IIQSR-614
set/sunrise dates.

SailPoint Release Notes 39

Issue ID Description

A TaskDefinition is now exported from the console without errors when it contains arguments without a
IIQSR-613
type.
Using a forgot password link when multiple passthrough applications are configured no longer results in
IIQSR-609
incorrect authentication questions.
IIQSR-608 IT role mining panels now scale better when several Identity Populations are present.
IIQSR-605 The Role Details report no longer throws an error when thousands of roles are reported on.
The owner dropdown on the edit entitlement page now properly displays names containing a "&" rather
IIQSR-604
than "&amp;".
Defining an instance attribute in an application no longer results in duplicate attributeAssignments in an
IIQSR-601
Identity.
IIQSR-598 Grouping certification details by display name no longer results in excessive wait times.
IIQSR-584 Identity create forms with postback fields are properly executed before validation.
Timings for the following meters no longer produce negative statistics: "PlanEvaluator.execute phase
IIQSR-583
1", "ServiceRequestExecutor.execute"
The AuditLog source for provisioning expansion operations is now displayed correctly instead of
IIQSR-568
"unknown".
IIQSAW- [SECURITY] Values in the displayName field of Identities are now properly sanitized to avoid malicious
4960 content.
IIQSAW-
Account unlock is now properly translated to Danish.
4889
IIQSAW-
The user interface now properly displays Italian language prompts and labels.
4888
IIQSAW- Provisioning no longer fails in cases where an Active Directory account is moved, then deleted, and sub-
4880 sequently added again.
A defect in processing objects with nonstandard object IDs (since corrected in IdentityIQ 8.4 and 8.3p2)
caused NativeIdentityChange propagation to fail, and events to remain in the queue, blocking pro-
IIQSAW-
visioning. A new task template was added that re-processes these events. The new task "Reset Failed
4675
NativeIdentityChange Events" can be used to: report the number of failed events, prune events where
the old and new values only differ by case, and reset failed events and launch tasks to re-process them.
[SECURITY] The Apache Commons Text library was updated to version 1.10.0 to mitigate a potential
IIQSAW-
vulnerability for remote code execution or unintentional contact with remote servers if untrusted con-
4644
figuration values are used.
Changes made to Distinguished Name that are initiated within IdentityIQ (through Rapid Setup or cus-
IIQSAW-
tomizations) now result in appropriate updates to all IdentityIQ objects, and are no longer treated as
4311
new identities, but are instead recognized as moves or renames.

SailPoint Release Notes 40

Issue ID Description

IIQSAW-
Running group aggregation on a renamed group hierarchy no long produces errors.
4221
IIQSAW-
Replaced all uses of the JSON-java library with Jackson.
4206
lookupByName now works properly for the LaunchedWorkflows SCIM endpoint, and error handling is
IIQSAW-
improved for endpoints that do not support lookupByName, namely Accounts, Entitlements and Poli-
4201
cyViolations.
IIQPB- Workgroups Detail Report no longer show error that indicates a ResultSet closed and now displays the
1646 workgroup members list.
IIQPB-
Revoke Access no longer creates an account for missing accounts.
1637
IIQPB- When using custom forms for approvals and using e-signatures, form validation now occurs before e-
1535 signature prompt.
IIQPB- In Compliance Manager settings, changes to "Require Electronic Signature" are now saved suc-
1490 cessfully.
IIQPB- The identityai-recommender-plugin.zip version is now tied to the IdentityIQ version. For example, 8.4
1340 includes identityai-recommender-plugin.zip version 8.4
IIQPB-
The JasperReports library has been updated to version 6.19.1
1210
IIQPB- Elevated Access icons no longer display under Additional Options in Request Access when LCM Man-
1203 ager has unchecked `Show Elevated Access in Access Requests`.
IIQPB- The Capabilities to Identities Report no longer duplicates identities when they have a capability directly
1166 applied and is a member of a workgroup.
IIQMAG-
Cloning a role now updates the created and modified dates to the current date.
4688
In IdentityIQ 8.3 a new feature was introduced to create Native Change Events and process them to
update existing accounts and account groups when an application object was renamed or changed by
IIQMAG-
being moved to a different container. This behavior is now limited to Active Directory applications. For
4617
all other applications, the behavior in IdentityIQ for object renames will be the same as it was prior to
8.3.
New Installations or Upgrades will add the new Access History/Data Extract/Broker configuration
IIQMAG-
pages/rights entries into webresources.xml. Clients should review the changes and merge theirs if dif-
4591
ferent from OOTB.
IIQMAG-
SCIM update-account PUT now properly assigns the source attribute in the provisioning plan.
4430

SailPoint Release Notes 41

Issue ID Description

Requesting a new entitlement with sunrise and sunset dates for a user without an account on the applic-
IIQMAG-
ation now successfully adds the entitlement on sunrise date and removes the entitlement on sunset
4428
date.
IIQMAG- During a partitioned Account Group Aggregation, if any partition fails, the check deleted phase will be
4349 skipped.
IIQMAG-
Bad data no longer causes a NullPointerException during a role search in Advanced Analytics.
4336
Account aggregation no longer treats accounts that differ only with blank UUID vs. NULL UUID as a
IIQMAG-
renamed native identity. Instead, accounts with blank UUIDs are treated the same as accounts with
4316
NULL UUIDs.
IIQMAG- Native Change Detection is now triggered if aggregated values are different than requested values in
4310 Create Account Request.
NativeIdentityChange propagation no longer fails with the exception ”Attempt to generate refresh event
with null object” when the objectID of the object being processed is non-standard. When this error
IIQMAG- occurred, the failing NativeIdentityChangeEvents blocked provisioning. Customers previously on 8.3
4247 GA or 8.3p1 who encountered this error can resolve this issue using a newly introduced task template,
"Reset Failed NativeIdentityChange Events". Refer to the Upgrade Considerations section for more
information.
IIQMAG-
[SECURITY] Jackson-Databind library updated to resolve security vulnerabilities.
4223
IIQMAG- [SECURITY] The Password Reset process no longer attempts to reset a password for accounts that
4211 don't support it.
IIQMAG-
'Description' column is now populated in the 'Role Composition Access Review Live Report'.
4087
IIQFW- Account Group Membership Certification now includes an entitlement assignment update option, that
946 will update identity assignments.
IIQFW- Updated Identity request maintenance task, now correctly calculate statuses when doing 'approval and
938 provision split'.
IIQFW-
Roles By Application report now completes and does not throw a lazy initialization exceptions.
919
IIQFW- [SECURITY] Form Beans used to process SailPoint Form submissions must now implement the
655 FormBean interface. Anything else will throw an exception and block submission of the form.
IIQCB-
The Teams bot now contains translation files to match IdentityIQ.
4932

SailPoint Release Notes 42

Resolved Issues - Connectivity
Issue ID Description
CONCHENAB- The AIX Connector now supports fetch only attributes present in the account schema with an
4445 additional application configuration.
CONCHENAB- A new connector "Oracle Fusion HCM Accounts" is now available to govern the accounts of
4487 Oracle Fusion HCM system.
CONCHENAB- [SECURITY] To improve security, SailPoint has upgraded the spring-core-5.1.18.RELEASE.jar
4493 to spring-core-5.3.20.jar for the RSA Application.
CONCHENAB-
[SECURITY] Upgrading the vulnerable ognl jar to the latest version 3.3.4.jar
4503
CONCHENAB- [SECURITY] The Duo Connector now uses okhttp-4.9.3.jar and okio-2.8.0.jar to address the
4504 security vulnerability issues reported with previous version of these libraries.
CONCHENAB-
[SECURITY] Deprecating commons-httpclient jar due to vulnerability.
4539
CONCHENAB-
The Linux Connector now supports Red Hat Enterprise Linux versions 8.4 and 8.5.
4541
CONCHENAB-
The spring-web:5.1.18 jar is now upgraded with spring-web:5.2.20
4564
CONCHENAB- IdentityIQ for IBM Security Identity Manager now supports IBM Security Verify Governance
4568 v10.0.
CONCHENAB- [SECURITY] To improve security, SailPoint has upgraded the spring-beans-5.1.18.RELEASE.-
4571 jar to spring-beans-5.3.20.jar for the RSA application.
CONCHENAB- Workday Accounts Connector now supports managing Service Center Representative
4576 accounts.
CONCHENAB- The Duo Connector now follows the proxy settings from application server settings and also can
4587 bypass the proxy for hosts mentioned in nonProxyHosts list.
CONCHENAB-
The Workday Connector will now respect the autocomplete flag for custom id request.
4627
CONCHENAB-
The RSA Connector now supports RSA 8.7 version
4629
CONCHENAB-
The RSA Connector now supports RSA 8.6 version
4633
CONCHENAB- [SECURITY] To improve security, SailPoint has upgraded the kotlin-stdlib-1.4.10.jar to kotlin-
4635 stdlib-1.7.10.jar for the Duo application.
CONCHENAB- The Okta Connector will now respect the password policy set in Okta target system in terms of

SailPoint Release Notes 43

Issue ID Description
4640 password age and password History
Oracle Fusion HCM Connector will now support the fetching of custom attribute "Extern-
CONCHENAB-
alIdentifiers" during aggregation and get account operation if appropriate JSON path is
4655
provided
CONCHENAB-
The Workday Accounts Connector now correctly handles the Invalid Id error.
4656
CONCHENAB- The Oracle Fusion HCM Connectors now adds the ASSIGNMENT_MANAGER_NUMBER as
4657 the default attribute in the Account schema.
CONCHENAB- The Oracle Fusion HCM Connector now correctly handles rehire scenarios during the refresh
4663 account.
CONCHENAB- Oracle Fusion Connector now supports aggregation of the additional attributes from
4681 WORKERS API responses using a JSON path.
CONCHENAB-
The Oracle Fusion HCM Connectors account aggregation performance is now enhanced.
4695
CONCHENAB- The Oracle Fusion HCM Connector accounts aggregation will now fail in case of a planned out-
4723 age (maintenance) from the Oracle system.
CONCHENAB- The Oracle Fusion HCM Accounts aggregation will now fail in case of a planned outage (main-
4724 tenance) from the Oracle system.
CONCHENAB-
The child application account aggregation of Oracle Identity Manager is now successful.
4763
CONCHENAB- The Workday Accounts Connector now supports filtering of accounts based on the Organ-
4773 ization Type and Organization Reference ID
CONCHENAB- The Workday Accounts Connector now supports aggregation and provisioning of future
4775 accounts ahead of their hire date.
CONCHENAB- The Oracle Identity Manager Connector now provides the ability to filter out target system
4798 accounts fromOracle Identity manager users.
CONCHENAB- The Okta Connector now supports the addition and removal of custom roles directly associated
4801 withaccounts
CONCHENAB-
The IBM Security Verify Access Connector now supports IBM Security Verify Access 10.0.3
4803
CONCHENAB- The Okta Connector now supports the aggregation of custom roles directly associated with both
4819 accounts and groups.
CONCHENAB-
The Okta Connector now aggregates only the roles connected directly to the Okta user
4825
CONCHENAB- [SECURITY] All the spring jars are upgraded to a common version for resolving the vul-

SailPoint Release Notes 44

Issue ID Description
4913 nerabilities.
CONCHENAB-
The Workday Connector now supports Workday web service version 39.1
4948
The old approach to deploying Oracle Identity Manager Web Application is being deprec-
CONCHENAB- ated.The Oracle Identity Manager Connector is now discontinuing support for Oracle Identity
4961 Manager 11g R1 and 11g R2 releases.The Oracle Identity Manager Connector is now capable
of supporting Oracle Identity Manager 12C via Oracle Client API.
SailPoint announces the release of a new connector Oracle HCM Cloud to govern identities for
CONCHENAB-
Oracle Fusion HCM system. For documentation on the new connector, see Integrating
4988
SailPoint with Oracle HCM Cloud.
CONCHENAB- The Okta Connector now provides an option for multi-threading when aggregating Groups and
5057 Applications connected to Okta Accounts during Okta Account aggregation.
CONCHENAB- The Workday Accounts Connector now provides an option for muti-threading which will boost
5058 the Account Aggregation performance.
CONCHENAB- The Okta Connector no longer fails when aggregating the newly introduced group by Okta
5064 called "Okta Administrator".
CONCHENAB-
[SECURITY] The commons-httpclient.jar 3.1 is now removed due to vulnerability issues.
5072
[SECURITY] [SECURITY] The Spring Framework libraries have been upgraded to a newer ver-
sion due to vulnerabilities found in older versions. Please check the impact on custom con-
nectors, rules or any other customization, which are directly or indirectly using this JAR file.
CONCHENAB-
spring-aop-5.2.22.RELEASE.jar spring/spring-context-5.2.22.RELEASE.jar spring-context-sup-
5086
port-5.2.22.RELEASE.jar spring-core-5.2.22.RELEASE.jar spring-expression-
5.2.22.RELEASE.jar spring-tx-5.2.22.RELEASE.jar spring/spring-beans-5.2.22.RELEASE.jar
spring/spring-web-5.2.22.RELEASE.jar
CONCHENAB-
The Oracle Identity Manager Connector now supports the Oracle Identity Manager 12C version.
5098
CONCHENAB- The Workday Accounts Connector now supports additional schema attributes for User-Based
5161 Security Group Objects.
CONCHENAB-
The Workday Connector now allows adding proxy level parameters in the Workday application.
5179
On December 31, 2023, Oracle Fusion HCM Connector will be deprecated and it will no longer
CONCHENAB-
be supported. Use the newly released Oracle HCM Cloud Connector. For documentation on the
5203
new connector, see Integrating SailPoint with OracleHCM Cloud.
CONCHENAB- The Workday Accounts connector is now enhanced to integrate with Workday Learning Module

SailPoint Release Notes 45

Issue ID Description
5231 and aggregate the training information associated with the users
CONCHENAB-
The RSA Connector now supports Delta Account Aggregation.
5322
CONCHENAB-
The IBM Security Identity Manager now supports Delta Aggregation
5328
CONCHENAB-
Deprecating REST API support for IBM Tivoli Access Manager connectors.
5345
CONCHENAB-
The Linux Connector now supports RHEL version 8.8
5353
CONCHENAB-
The IBM AIX Connector has now deprecated IBM AIX 7.1 version.
5371
CONCHENAB- The following versions of Solaris have been depreciated and are no longer supported: Solaris
5373 11.3 SPARC x86 Solaris 11.2 SPARC x86 Solaris 11 SPARC x86 Solaris 10 SPARC x86
CONCHENAB-
The RSA Connector has now deprecated RSA 8.3 8.4 and 8.5 version.
5374
CONCHORDS-
The RACF Full Connector now supports z/OS 2.5
1254
CONCHORDS-
The ACF2 Full Connector now supports z/OS 2.5
1257
CONCHORDS-
The BMC Remedy Connector now supports BMC Helix 21.3 system.
1344
CONCHORDS-
The Atlassian Suite - Server Connector now supports Jira Service Management: 5.2
1358
New Platform Support : Atlassian Server Connector now supports following versions of various
Atlassian products - Jira Software Server: 9.6Confluence: 8.1Bitbucket: 8.8Bamboo: 9.2 Drop
CONCHORDS-
Platform Support : Atlassian Server Connector no more supports following versions of various
1416
Atlassian products - Jira Software Server: 8.13 and 8.12 Confluence: 7.8 and 7.7 Bitbucket: 7.5
Bamboo: 7.1 and 7.0
CONCHORDS-
The BMC Helix connector now supports BMC Helix IT Service Management Suite version 22.1
1706
New platform support - Following Mainframe connector now supports z/OS 2.5 system - RACF -
CONDOCS-872
Full, ACF2 - Full, Top Secret - Full, Top Secret - LDAP
Dropped platform support - the following Mainframe connectors no longer supports z/OS 2.2
CONDOCS-949 and z/OS 2.3 systems - RACF - Full, ACF2 - Full, Top Secret - Full, RACF - LDAP, Top Secret -
LDAP

SailPoint Release Notes 46

Issue ID Description
CONDOCS-1233 A new Snowflake connector is now available to govern identities for Snowflake Data Lake.
The SailPoint Identity Governance Connector for ServiceNow now no longer supports the Ser-
CONDOCS-1373 viceNow Quebec release. IdentityIQ for ServiceNow Service Desk Integration Module (SDIM)
now no longer supports the ServiceNow Quebec release.
Oracle Identity Manager versions 11gR3 , 11gr2 and 11gR1 are deprecated and will no longer
CONDOCS-1953
be supported.
CONDOCS-2469 The Oracle Solaris connector no longer supports Solaris versions 11.3, 11.2, 11.0 and 10.0
The Linux connector no longer supports Red Hat Enterprise Linux versions 8.4, 8.3, 8.2, 8.1,
CONDOCS-2472
8.0, 7.9, 7.8 and Ubuntu OS Version 18.04 LTS.
CONDOCS-2475 The IBM AIX connector no longer supports AIX version 7.1
Connectors implementing openConnector’s provisioning plan with a null operation in the attrib-
CONETN-3135 ute request will have the default operation as Add, resulting in a successful transaction.
However, an account request with a null operation will fail.
The Workday Accounts Connector no longer sends additional calls when provisioning ORG_
CONETN-3442
ROLE##ORG_NAME
CONETN-3661 The SAP GRC Integration will now support retry mechanism for polling of requests.
The Oracle HRMS Connector now displays a valid error message when the object is not found
CONETN-3672
on the managed system
The Microsoft SQL Server Connector now aggregates the child server roles when a group
CONETN-3681
aggregation is performed.
The SCIM 2.0 Connector no longer fails with java.lang.IllegalArgumentException when pro-
CONETN-3706
visioning accounts.
The AWS Connector now successfully aggregates accounts from an application whose service
CONETN-3707
account does not have permission for tags.
The SAP Direct Connector now aggregates description of a role when group aggregation is per-
CONETN-3714
formed.
The SuccessFactors Connector no longer fails when provisioning the area code for a phone
CONETN-3722
number.
CONETN-3731 The SAP Sybase Connector now uses the latest APIs for provisioning operations.
The SAP HR/HCM Connector now supports using state variable in the buildmap rule when run-
CONETN-3740
ning partitioned aggregation.
The SAP HR/HCM Connector no longer fails when performing a delta aggregation for an applic-
CONETN-3742
ation with custom BAPI configured.
The Workday Connector no longer aggregates an attribute whose value is cleared from the tar-
CONETN-3743
get system.

SailPoint Release Notes 47

Issue ID Description
The SCIM 2.0 Connector now correctly aggregates the multivalued attributes from an extended
CONETN-3753
schema.
The SCIM 2.0 Connector now aggregates sub-attributes of an account's manager when per-
CONETN-3758
forming account aggregation.
The JDBC Connector now supports provisioning on all the configured group types of an applic-
CONETN-3763
ation.
The SuccessFactors Connector aggregation no longer fails with connection reset error when an
CONETN-3764
account aggregation is performed.
The Google Workspace Connector now uses the attribute "isContinueOnError" when con-
CONETN-3778
figured in the application during delta aggregation to skip corrupted accounts.
The Okta Connector no longer reads unnecessary data from the target when provisioning an
CONETN-3788
account.
The REST Web Services Connector now saves application without any error when client cer-
CONETN-3789
tificate is saved in application config and browser is in non-English mode.
The Workday Account Connector now successfully retries the errors during group and account
CONETN-3791
aggregation which are defined as part of "retryableErrors" in the application config.
In the Azure Active Directory Connector, it is now optional to encode the attribute immutableId
CONETN-3792
used while provisioning of Federated User Account
The SCIM 2.0 Connector no longer fails with provisioning group having attribute "id" with a
CONETN-3796
value of type Double.
CONETN-3800 A provisioning rule with name of more than 32 characters is now supported.
The REST Web Services Connector now correctly retries errors when the only error code is
CONETN-3802
defined in retryableErrors.
The account aggregation of the HCL Domino Connector now fetches the groups based on the
CONETN-3804 flag "fetchGroupsForAllUsernames" which is true by default and can be set to false to improve
account aggregation time
The SAP Direct Connector now correctly aggregates description of a role from a CUA enabled
CONETN-3806
managed system.
ServiceNow account aggregation with partition now aggregates accounts and its roles and
CONETN-3813
groups properly.
CONETN-3814 The axiom.xml for connectors now includes all supported implementations.
The Oracle Fusion HCM Connector now correctly aggregates custom attributes for future hire
CONETN-3818
workers.
CONETN-3820 Azure Active Directory Group aggregation now correctly aggregates "teamsEnabled" attribute.
CONETN-3821 IQService now uses skipDNSLookup application config to skip the DNS lookup for the

SailPoint Release Notes 48

Issue ID Description
Exchange server when connecting over TLS for Active Directory application.
The Oracle Fusion HCM Connector now correctly provisions all supported attributes of a future
CONETN-3823
hire worker.
The PIRM task no longer removes the entitlements for sub-domain accounts of Google Work-
CONETN-3833
space connector.
The Workday Connector now correctly skips the future hired workers whose hire date is cor-
CONETN-3835
rected when an aggregation is performed.
The aggregation for LDAP Connector will not be retried without retryableErrors entry in the
CONETN-3837
application during PAGED_RESULTS iterate mode.
The Azure Active Directory Connector now supports managing Azure PIM Role memberships
CONETN-3850
to Azure Active Directory groups
CONETN-3867 The PeopleSoft Connector now supports the 8.59 PeopleTools environment
Salesforce PublicGroups entitlement will be using Group Name instead of Name to aggregate
and Provisioning operation as it is unique on the Salesforce managed System. This will be
applicable for the new source only and there won't be impact on the existing sources. For the
CONETN-3871 new sources created, switching to older alike source will be possible by making below flag false
in the source config file: <entry key-
="PublicGroupIde-
entityAttributeAsDeveloperName"><value><Boolean>false</Boolean></value> </entry>
The Linux Connector getObject operation now properly fetches values for the sudoCommands
CONETN-3882
if configured in schema.
The Oracle HCM Fusion Connector now correctly provisions the date attributes of an email for
CONETN-3885
an account.
The Workday Connector no longer fails with java.lang.ClassCastException when an aggreg-
CONETN-3889
ation is performed for an application with ROCustomisation rule.
Account Request attributes will no longer be removed from attributes of ProvisioningPlan
CONETN-3896
between Before Provisioning and After Modify Rule during provisioning operation.
The SAP GRC Integration will now skip proactive check for a role assignment if "skipPro-
CONETN-3898
activeCheck" is set to true in the application.
The Oracle HCM Fusion Connector now correctly aggregates the updated values for Assign-
CONETN-3901 mentStatusTypeId and AssignmentStatusType attributes when a delta aggregation is per-
formed.
The Azure Active Directory Connector now fetches all the shared mailboxes during account
CONETN-3903
aggregation.
CONETN-3911 The Oracle ERP Cloud Connector no longer fails when provisioning a data access containing

SailPoint Release Notes 49

Issue ID Description
special characters in its role name and security context value.
The RACF-Full Connector now supports resource aggregation and provisioning as additional
CONETN-3916 group schema, and requesting permissions for accounts and groups. Refer to documentation
for more details.
The Azure Active Directory Connector now manages mail-enabled security groups or dis-
CONETN-3923
tribution groups using IQService without any error.
The Oracle HCM Fusion Connector correctly aggregates the updated attributes when a delta
CONETN-3924
aggregation is performed.
The REST Web Services Connector now correctly sets the root path from Before Operation
CONETN-3925
Rule.
The PlanInitializerScript in Applications of type RACF, ACF2, and TopSecret no longer use
CONETN-3929
imports and System.out.println statements.
IQService will no longer show the errors/warnings messages related to UpgradeService while
CONETN-3931
running the Perform Maintenance task from IdentityIQ.
CONETN-3936 The Workday Connector is now certified with Workday API version 38.0
The Azure Active Directory Connector no longer throws the error "Fail to find owners of a chan-
CONETN-3938
nel " while channel aggregation in case the channel is soft deleted.
The Salesforce Connector account aggregation no longer fails when URL in the source is
CONETN-3949
changed.
The Oracle HCM Fusion Connector will now correctly aggregate changes to all supported attrib-
CONETN-3950
utes in delta aggregation.
The Azure Active Directory Connector now displays ExchangeOnline attributes on the UI after
CONETN-3951
account aggregation when "Manage Exchange Online" feature is enabled.
The Oracle Fusion HCM Connector correctly aggregates the ASSIGNMENT_MANAGER_ID
CONETN-3956
value when an aggregation is performed.
The SCIM 2.0 Connector now correctly updates the roles for an account when provisioning or
CONETN-3957
de-provisioning operation is performed.
The SCIM 2.0 Connector no longer fails with a NullPointerException when multiple complex
CONETN-3959
attributes are provisioned.
The SAP HR/HCM Connector no longer fails with NullPointerException when aggregating
CONETN-3960
accounts with custom value for STAT2 field.
The Oracle HCM Fusion Connector now skips the terminated users falling outside the ter-
CONETN-3962
mination offset when a delta aggregation is performed.
The Oracle HCM Fusion Connector now correctly aggregates future hires when a delta aggreg-
CONETN-3968
ation is performed.

SailPoint Release Notes 50

Issue ID Description
The REST Web Services Connector configuration page now correctly displays necessary attrib-
CONETN-3971
ute as per grant type selection on UI for OAuth 2.0 authentication.
For Active Directory applications, no warning message will be displayed in the GUI when delta
CONETN-3974 aggregation is performed followed by completion of Refresh task in which group membership is
being removed.
The filter string for the account additional filter will be saved as account.filterString in the source
CONETN-3975
application file for LDAP connectors.
The RACF connector no longer fails to aggregate unstructured targets and permissions when
CONETN-3979
Mainframe connector is upgraded to FSD0148 or later.
The Active Directory Connector now successfully provisions msExchHideFromAddressLists
CONETN-3980
with type as string.
CONETN-3982 The Web Services Connector now supports http proxy configuration for OAuth authentication.
The ServiceNow Connector account aggregation with partitioning enabled no longer query sys_
CONETN-3984 user_grmember and sys_user_has_role when no entitlement attributes are present in the
account schema.
The Azure Active Directory Connector no longer displays duplicate ServicePrincipals values in
CONETN-3985
Resource Object after running account aggregation.
Adding the attribute skipGroupFilterAttributeReplacement as true in the application , the Azure
CONETN-3987 Active Directory Connector no longer fails while creating the group when group filter contains a
value same as that of the attribute's name.
CONETN-3988 The SCIM 2.0 Connector correctly provisions the manager attributes using patch operation.
CONETN-3989 The Active Directory Connector now correctly provisions msExchHideFromAddressLists.
The Oracle Fusion HCM Connector now excludes Suspended workers when "skipSus-
ONETN-3990
pendedAccounts" is enabled in the application during aggregation.
The Azure Active Directory Connector now displays the correct spelling for UserPrincipalName
CONETN-3991
in provisioning policy.
The CloudGateway application now supports retryableErrors configuration for provisioning
CONETN-3998
retry.
The SharePoint Online Connector now fetches all sites including newly created sites during
CONETN-3999
aggregation.
The Azure Active Directory Connector no longer errors out the request while fetching the SignIn
CONETN-4002
Activity of users during account aggregation.
The SCIM 2.0 Connector now sends the path attribute for all patch operations when an exten-
CONETN-4003
ded schema attribute is included in provisioning.
CONETN-4009 The SAP HR/HCM Connector no longer fails when a delta or partitioned aggregation is per-

SailPoint Release Notes 51

Issue ID Description
formed.
CONETN-4010 The SAP HR Connector now has improved performance for delta aggregation.
The Azure Active Directory Connector now fetches the Exchange Online custom attributes dur-
CONETN-4012
ing account aggregation or getObject operation.
CONETN-4013 The SCIM 2.0 Connector now supports provisioning of complex attributes using PUT operation.
The Oracle Fusion HCM Connector can now aggregate delta changes for all attributes sup-
CONETN-4014
ported by the Oracle Atom Feed APIs.
The Azure Active Directory Connector now supports advanced query filters during account as
CONETN-4019
well as group aggregation.
The Azure Active Directory Connector now fetches all the Resource Groups during entitlement
CONETN-4023
aggregation.
The SAP Direct Connector correctly provisions the Parameter attribute for new and existing
CONETN-4024
accounts on the target system.
MANIFEST.MF file in IdentityIQCloudGateway.jar now correctly reflects the version details
CONETN-4025
along with patch.
The Before and After Provisioning rules are now correctly called when executeMan-
CONETN-4027
agedAppRules flag is set to true.
The Active Directory Connector now ignores delta changes for users in Resource forest having
CONETN-4029
msExchMasterAccountSid equals S-1-5-10.
The REST Web Services Connector now waits for max 3 minutes per retry while throttling
CONETN-4031
request.
The Okta Connector now correctly aggregates the changed users when a delta aggregation is
CONETN-4033
performed.
The Google Workspace Connector no longer logs an error message if there are no delegates
CONETN-4041
during account aggregation.
The Oracle Fusion HCM Connector now aggregates the correct data when a delta aggregation
CONETN-4042
is performed
The Microsoft SQL Server Connector now supports aggregating membership details of nested
CONETN-4044
database roles when an entitlement aggregation is performed.
Mainframe Connectors (RACF-Full, ACF2-Full, and TopSecret-Full) Enhanced to support
CONETN-4046 mutual TLS authentication for communication between IdentityIQ, Connector Gateway, and the
Mainframe Connector itself.Upgrade to latest Connector Gateway to leverage this feature.
Aggregation with cloudGateway on tomcat 9.0.69 onwards now works properly after adding fol-
CONETN-4047
lowing attribute in application. <entry key="httpCookieSpecsStandard" value="true"/>
CONETN-4049 The Google Workspace Connector no longer fails with HTTP error 404 while updating alias

SailPoint Release Notes 52

Issue ID Description
along with primary email address of the user.
The Azure Active Directory Connector now fetches all the resource groups during entitlement
CONETN-4057
aggregation.
The Connector Gateway does not break interceptions protocol for continuous transactions from
CONETN-4058
IdentityIQ connector side which are sent to CTSGATE for continuous 30 minutes.
The Mainframe Connector now supports setting provisioning result at attribute level with warn-
CONETN-4062
ing at account request in case of partial success.
The Azure Active Directory Connector now fetches the Exchange Online attributes for all the
CONETN-4064
accounts.
The LDAP Connector now removes entitlement as part of delete provisioning operation when
CONETN-4065
remove entitlement is sent to connector as part of attribute request.
The assignment of entitlement ServicePrincipal alone now works during account creation in
CONETN-4066
Azure Active Directory Connector.
The SAP HR/HCM Connector no longer fails when no employees are fetched from PA0000
CONETN-4067
table in target system.
The Workday Connector no longer fails when performing provisioning for CUSTOM ID's with
CONETN-4068
empty or null values.
WORKATTR attributes and other similar attributes are now updated while performing create
CONETN-4073 and update operation on user account as we added <UserProfileName>_SWITCH which is set
as 'Y' when these attributes are considered to be updated.
The Oracle E-Business Connector now correctly provisions the customer_id and supplier_id
CONETN-4077
attributes of an account when a provisioning operation is performed.
The LDAP Connector now clears group membership when null value is passed in SET oper-
CONETN-4078
ation.
The REST WebServices Connector now supports pagination using pagination steps for child
CONETN-4080
endpoint as well during aggregation.
The Google Workspace Connector now clears the "customSchema" attributes when null value
CONETN-4081
is passed in SET operation.
The Active Directory Connector no longer shows a false error message in the log during getOb-
CONETN-4083
ject operation for create Group operation.
CONETN-4084 The SCIM 2.0 Connector now supports Provisioning Multivalued core and extended attributes.
The SCIM 2.0 Connector can now aggregate accounts from a non-compliant SCIM target
CONETN-4085
server when the /Users response is not compliant with RFC.
The Oracle ERP Cloud Connector now supports provisioning of data access having special
CONETN-4086
characters in its security context values.

SailPoint Release Notes 53

Issue ID Description
Identity Governance Connector for ServiceNow now supports Utah release. ServiceNow Ser-
CONETN-4087
viceDesk Integration Module for ServiceNow now supports Utah release.
The delta aggregationfor ServiceNow Connector no longer fails in case if an empty group or an
CONETN-4091
empty user is present in ServiceNow memberships.
The Workday Connector no longer fails with "XML parsing failed" error when performing
CONETN-4099
account aggregation.
The Delimited File Connector now supports aggregation of accounts containing special char-
CONETN-4103
acters in its attributes.
The RACF Connector using After Provisioning rule with EmailTemplate no longer shows a
CONETN-4108
blank email body.
The BoxNet Connector now successfully deletes user who is owning content on the Managed
CONETN-4109
system when forceDeleteUser=true application config is configured.
The SCIM 2.0 Connector will call /ServiceProviderConfig endpoint only for compliant enabled
CONETN-4113
applications.
The Salesforce Connector now correctly sends null value attribute in update request to manage
CONETN-4114
system during provisioning.
The Apachex.x/conf/server.xml file now contains the value for "Error Report Valve" default as
CONETN-4115
false
The JDBC Connector now aggregates correct value for an account attribute of type BigDecimal
CONETN-4116
or Float.
The Oracle Fusion HCM Connector can now choose to aggregate values based on configured
CONETN-4117
JSON path or default OOTB values during account aggregation.
The SAP Direct Connector now supports setting password to productive mode when a Create
CONETN-4120
Account operation is performed.
The Google Workspace Connector no longer fail while provisioning the already existing group
CONETN-4123
on target system to the user.
IQService will not log any error message during provisioning if custom attribute is not present in
CONETN-4125
ActiveDirectory Schema on IQService host.
The Azure Active Directory Connector now does not throw an error while creating guest user
CONETN-4130
when the email ID has a sub-domain of an another existing user's email domain.
The Azure Active Directory Connector now honors the HTTP proxy settings configured as Java
CONETN-4134
system properties.
CONETN-4135 IQService Client authentication will now use system default logon provider.
In the Active Directory Connector domain NetBIOSName will be aggregated as part of account
CONETN-4137
and group aggregation. Customers need to add NetBIOSName as schema attribute as type

SailPoint Release Notes 54

Issue ID Description
String under Account and Group schema to leverage this facility.
The Active Directory Connector now successfully updates Exchange attributes for distribution
CONETN-4140
groups without mailnickname passed in provisioning plan.
The Azure Active Directory Connector now saves the ServicePrincipal memberships in the List
CONETN-4141
during account aggregation.
The Active Directory account creation with add Entitlements no longer fails with SQLGram-
CONETN-4147
marException when object is not found on Active Directory.
The SCIM 2.0 Connector now supports provisioning and de-provisioning of groups using /Users
CONETN-4149
endpoint.
The REST Web Services Connector now updates lastAggregationDate_account only when
CONETN-4153
account aggregation is successful.
The Azure Active Directory Connector now provisions the guest user successfully even if the
CONETN-4154
attribute password is present in the provisioning plan.
CONETN-4162 The Coupa connector now correctly provisions any additional account attribute.
The SAP SuccessFactors Connector no longer fails with Null Pointer Exception when a pro-
CONETN-4174
visioning operation is performed.
The Azure Active Directory Connector now honors the HTTP proxy authentication configured as
CONETN-4180
Java system properties.
The Salesforce Connector now executes the provisioning plan successfully for the Account Dis-
CONETN-4181
able operation when the plan contains UserRoleName in it.
The SCIM 2.0 Connector can now exclude custom header and request attributes when using
CONETN-4191
OAUTH 2.0 based authentication.
The Azure Active Directory Connector no longer throws an error, "Your password has expired",
CONETN-4192
after the user resets their password using PTA.
The Slack Connector now removes phone number value when phone number value set to null
CONETN-4197
or no value through provisioning plan.
The Azure Active Directory Connector now allows to assign permanent PIM roles to the users
CONETN-4198
and role assignable groups.
The SCIM 2.0 connector no longer fails when the Identity attribute is configured as an Integer
CONETN-4202
during a provisioning operation.
CONETN-4206 The SCIM 2.0 connector now supports role provisioning for an account for a PUT operation.
The Oracle ERP Cloud connector correctly revokes data accesses of an account when a de-pro-
CONETN-4211
visioning is performed.
User Filters, Group Filters, User Advanced Filters and Group Advanced Filters field are now
CONETN-4213
available on application ui page by default so making entries of these keys is in the application

SailPoint Release Notes 55

Issue ID Description
xml file through debug page is not required any more.
The Azure Active Directory Connector now supports filters for the Directory Roles, Azure AD
CONETN-4223
PIM Active and Eligible Roles, Azure PIM Active and Eligible Roles in the group aggregation.
The Azure Active Directory Connector now retries the intermittent errors, if the 'retry-
CONETN-4244
ableErrorsOnAgg’ attribute is configured during the channel aggregation.
The Azure Active Directory Connector now excludes Disabled/Deleted Subscriptions during
CONETN-4245
Entitlement Aggregation to avoid Aggregation Failure.
In ServiceNow Identity Governance Connector, delta account aggregation performance can be
CONETN-4248 improved by configuring the attribute 'maxDeltaAccountsCountToSkipCache' in case of less
number of changed accounts.
The SAP Fieldglass Connector now aggregates all accounts correctly when the pageSize is
CONETN-4260
configured to any value in the application.
CONETN-4266 The Linux Cconnector now support RHEL version 8.8
Entitlements are now added/removed on given sunrise/sunset date when provisioned via con-
CONETN-4271
nected application with Cloud Gateway
Aggregations are now successfully completed with cloud gateway running on tomcat server
CONETN-4275
9.0.75
CONHOWRAH- The Azure Active Directory Connector is now more resilient in handling IndexOutOfBound-
3749 sException while building PIM membership during account aggregation.
[SECURITY] The Azure Active Directory Connector now supports certificate based modern
CONHOWRAH-
authentication to communicate with Exchange Online which is more secure and is recom-
3764
mended by Microsoft.
CONHOWRAH-
The Active Directory Connector now supports Microsoft Windows Server 2022
3769
CONHOWRAH-
The Windows Local Connector now supports Microsoft Windows Server 2022
3772
CONHOWRAH- The Azure Active Directory Connector now fetches eligible and active roles only when PIM flag
3775 is enabled on the application configuration.
CONHOWRAH-
The Google Workspace Connector now supports archiving and unarchiving a user.
3782
CONHOWRAH- An error during partitioned account aggregation has been resolved in the Active Directory con-
3821 nector occurring when caching is enabled.
The Azure Active Directory Connector now respects the provided Azure Management API end-
CONHOWRAH-
point in the application configuration to form access token scope instead of a predefined static
3836
value.

SailPoint Release Notes 56

Issue ID Description
The LDAP Connector has been enhanced to support Modify Time Stamp as new delta aggreg-
CONHOWRAH-
ation mode. The user interface of the connector has also been updated to configure it with the
3861
necessary details required to connect to most of the LDAP Directory servers.
CONHOWRAH- The Azure Active Directory Connector now provides visibility into user's sign-in (last login) activ-
3871 ity.
CONHOWRAH- The Azure Active Directory Connector now supports managing Azure Active Directory Role as a
3911 group object.
CONHOWRAH- The SharePoint Online Connector now supports configurable endpoints when Azure Active Dir-
3986 ectory is deployed in non-public national cloud server.
The Azure Active Directory Connector now supports Continuous Access Evaluation (CAE)
CONHOWRAH- which leverages the Azure Active Directory real-time enforcement of Conditional Access loc-
3990 ation and risk policies along with instant enforcement of token revocation events for an enter-
prise application (service principal).
The IQService has now different configuration option to specify the IP or FQDN of the load bal-
CONHOWRAH-
ancer to distinguish the health check requests originating from load balancer for logging pur-
3993
pose.
CONHOWRAH- SailPoint is pleased to announce a new connector to govern identities for your Coupa system.
4010 For more information, refer to Integrating SailPoint with Coupa connector guide.
CONHOWRAH-
The HCL Domino Connector now supports HCL Domino version 12.0.2.
4042
CONHOWRAH-
The Azure Active Directory Connector now supports management of Access Packages.
4055
The Azure Active Directory Connector now supports managing user-assigned managed iden-
CONHOWRAH-
tities. For more information, refer to Integrating SailPoint with Azure Active Directory Connector
4084
guide.
CONHOWRAH- The Microsoft SharePoint Server Connector now supports managing Microsoft SharePoint
4092 Server Subscription Edition.
CONHOWRAH- The Azure Active Directory connector now supports reading and writing Azure Multi-Factor
4164 Authentication attributes required for different authentication methods.
CONHOWRAH- The Azure Active Directory connector now supports the PowerShell EXO V3 module for the
4186 Exchange Online Management feature.
CONHOWRAH- The Azure Active Directory Connector now supports filters for Channels during entitlement
4199 aggregation.
CONHOWRAH- [SECURITY] Due to the security vulnerabilities found in the json-smart-2.4.7.jar file, it has been
4224 upgraded with json-smart-2.4.10.jar. Ensure to update custom connectors, rules, or any other

SailPoint Release Notes 57

Issue ID Description
customizations that directly or indirectly reference the json-smart-2.4.7.jar file to json-smart-
2.4.10.jar.
CONHOWRAH- The Azure Active Directory source now supports the aggregation of Azure Active Directory
4278 group hierarchy.
CONHOWRAH- The Azure Active Directory connector now supports managing Service Principal for Enterprise
4322 Applications as an Account.
CONHOWRAH- The Azure Active Directory connector now supports creating SAML based applications and cor-
4345 responding Service Principals using the Gallery application templates.
CONHOWRAH- The Azure Active Directory connector now supports creation of Service Principals for already
4346 existing Applications ( Local / Multi Tenant Type )
CONJUBILEE- The Salesforce Connector now processes PermissionSetLicense first while provisioning both
1164 PermissionSet and PermissionSetLicense.
CONJUBILEE- For new applications, the SCIM 2.0 Connector schemas will have optional attribute "externalId"
1178 irrespective of schema endpoint response.
CONJUBILEE-
The Salesforce Connector now provisions Profile before Role.
1339
CONJUBILEE- For the REST Web Services Connector, the body section will be disabled in UI for the HTTP
1377 method 'GET'.
Below jars are upgraded to newer versions due to vulnerabilities found in older version. Please
check the impact on custom connectors, rules or any other customization, which are directly or
CONJUBILEE-
indirectly using these jar filesjersey/hk2-api-2.6.1.jar->jersey/hk2-api-3.0.3.jarjersey/hk2-loc-
1454
ator-2.6.1.jar->jersey/hk2-locator-3.0.3.jarjersey/hk2-utils-2.6.1.jar->jersey/hk2-utils-3.0.3.-
jarjersey/jersey-hk2-2.31.jar->jersey/jersey-hk2-3.0.4.jar
CONJUBILEE- [SECURITY] To enhance security, upgraded gson-2.8.5.jar with vulnerabilities to gson-2.9.0.-
1458 jar.
CONJUBILEE- The connector classloader now provides the ability to delegate loading of some classes and
1467 packages from system classloader.
CONJUBILEE-
The SCIM 2.0 Connector now works with Cloud Gateway.
1492
In latest Jersey library, “Java Validation API” library has been removed (Package : javax.val-
idation). So the “Bean Validation API“ library has to be added separately for customisation, if
CONJUBILEE- required. Below jars are upgraded to newer versions due to vulnerabilities found in older ver-
1495 sion. Please check the impact on custom connectors, rules or any other customization, which
are directly or indirectly using these jar files.jersey/jakarta.annotation-api-1.3.5.jar->jer-
sey/jakarta.annotation-api-2.1.0.jarjersey/jakarta.validation-api-2.0.2.jar->jer-

SailPoint Release Notes 58

Issue ID Description
sey/jakarta.validation-api-3.0.1.jar jersey/jersey-hk2-2.31.jar -> jersey/jersey-hk2-3.0.4.-
jarjersey/jakarta.ws.rs-api-2.1.6.jar->jersey/jakarta.ws.rs-api-3.1.0.jarjersey/jersey-client-2.31.-
jar->jersey/jersey-client-3.0.4.jarjersey/jersey-common-2.31.jar->jersey/jersey-common-
3.0.4.jarjersey/jersey-container-servlet-core-2.31.jar->jersey/jersey-container-servlet-core-
3.0.4.jarjersey/jersey-media-jaxb-2.31.jar->jersey/jersey-media-jaxb-3.0.4.jarjersey/jersey-
media-multipart-2.31.jar->jersey/jersey-media-multipart-3.0.4.jarjersey/jersey-server-2.31.jar-
>jersey/jersey-server-3.0.4.jarscim-sdk-1.8.18.01/jersey-apache-connector-2.22.2.jar->scim-
sdk-1.8.18.01/jersey-apache-connector-3.0.4.jar
CONJUBILEE-
The REST Web Services Connector now supports Create/Update/Delete for Group Objects
1503
CONJUBILEE- The IdentityIQ Cloud Gateway Synchronisation task now decrypts nested credentials before
1521 syncing to Cloud Gateway server.
The SCIM 2.0 Connector no longer ignores No Authentication headers when set up with a
CONJUBILEE-
Relax configuration. The SCIM 2.0 Connector now supports placeholders so that you can
1594
include sensitive attributes in No Authentication headers.
CONJUBILEE-
The REST Web Services Connector no longer ignores Connection Timeout value.
1600
CONJUBILEE- The REST Web Services Connector's Custom Authentication operation no longer ignores
1604 XPath Namespace Mappings.
CONJUBILEE-
The Jack Henry Connector now supports enabling or disabling the accounts.
1617
The Salesforce Connector now supports creating, updating and deleting Public Groups. Note:
CONJUBILEE-
Please make sure your service account user has "Public Groups" object [ R || W] added into
1622
administrative user profile
Below jars are upgraded to newer versions due to vulnerabilities found in older version. Please
CONJUBILEE-
check the impact on custom connectors, rules or any other customization, which are directly or
1644
indirectly using these jar files. bcel-6.5.0 -> bcel 6.6.1
CONJUBILEE- The REST Web Services Connector now supports removing entitlements while disabling
1655 account and adding entitlements while enabling account.
Below jars are upgraded to newer versions due to vulnerabilities found in older version. Please
CONJUBILEE-
check the impact on custom connectors, rules or any other customization, which are directly or
1660
indirectly using these jar files. bcprov-ext-jdk15on-1.61 -> bcprov-ext-jdk15on-1.70
Below jars are upgraded to newer versions due to vulnerabilities found in older version. Please
CONJUBILEE-
check the impact on custom connectors, rules or any other customization, which are directly or
1661
indirectly using these jar files. bcprov-ext-jdk15on-1.61 -> bcprov-ext-jdk15on-1.70

SailPoint Release Notes 59

Issue ID Description
CONJUBILEE-
The Cloud Gateway now supports Oracle JRE for Java version 17 and OpenJDK 17 platforms.
1667
With this release, the Salesforce Connector no longer supports Salesforce API versions 48.0
CONJUBILEE- and prior, the connector will only work on API version 56. API version 56 doesn't support attrib-
1685 ute "UserPermissionsMobileUser", hence customers must remove the User-
PermissionsMobileUser parameter from schema manually, to avoid errors.
CONJUBILEE- The REST Web Services Connector example rules now show use of Web Services operation
1689 rules to help configure the searchAfter parameter for pagination.
The Salesforce connector now supports creating new Portal and Partner Users as well as
CONJUBILEE- assigning Portal and Partner Licenses to existing Salesforce Users using their respective user
1694 profiles. Note: Please make sure your service account user has "Manage Contacts" object [ R ||
W] added into administrative user profile
Below JAR is upgraded to newer version due to vulnerabilities found in older version. Please
CONJUBILEE-
check the impact on custom connectors, rules or any other customisation, which are directly or
1696
indirectly using this JAR file. accessors-smart-1.2.jar -> accessors-smart-2.4.8.jar
Below JAR is upgraded to newer version due to vulnerabilities found in older version. Please
CONJUBILEE-
check the impact on custom connectors, rules or any other customisation, which are directly or
1697
indirectly using this JAR file. commons-net-3.6.jar -> commons-net-3.9.0.jar
CONJUBILEE- The REST Web Services Connector aggregation runs fine if the partitioned aggregation option
1762 is selected and no endpoint for partitioned aggregation provided.
CONJUBILEE- The Salesforce Connector now supports use of "Enhanced Domains" option in Salesforce sys-
1805 tem.
CONJUBILEE-
The Cloud Gateway now supports RHEL 9.0.
1806
[SECURITY] Due to security vulnerabilities discovered in the json-smart-2.4.7.jar file, it has
CONJUBILEE-
been upgraded with json-smart-2.4.10.jar. Be sure to update custom connectors, rules, or other
1809
customisations which directly or indirectly reference the json-smart-2.4.7.jar file.
CONJUBILEE-
Now all operations for target collectors are executed in Cloud Gateway, if configured.
1815
CONJUBILEE-
The Cloud Gateway is now shipped with secure tomcat release Apache Tomcat 9.0.75.
1859
CONJUBILEE- The Salesforce Connector can now complete user provisioning without errors even if the Integ-
1869 ration User doesn't have full permissions to the Contact object in the Salesforce system.
CONJUBILEE-
The IdentityIQ Cloud Gateway now supports Windows Server 2022.
1960

SailPoint Release Notes 60

Issue ID Description
Below jars are upgraded to newer versions due to vulnerabilities found in older version. Please
CONJUBILEE-
check the impact on custom connectors, rules or any other customization, which are directly or
1987
indirectly using these jar files. bcel-6.5.0 -> bcel 6.6.1
CONNAMDANG- The SAP SuccessFactors Connector is now enhanced to fetch the primary employment inform-
3719 ation
CONNAMDANG-
A new Snowflake Connector is now available to govern identities for Snowflake Data Lake.
3778
CONNAMDANG- The SuccessFactor Connector now enhanced to fix the performance issues in account aggreg-
3787 ation
CONNAMDANG-
The SAP Hana DB Connector now supports SAP HANA 2.0 SPS6 version.
3847
CONNAMDANG-
The SuccessFactors Connector has been enhanced to support the account delta aggregation.
3866
CONNAMDANG- The SAP Hana Database Connector now enhanced to support get and provisioning of external
3911 type users
CONNAMDANG- The Snowflake Connector now enhanced to improve the performance of entitlement aggreg-
3918 ation.
CONNAMDANG- The SAP HANA Database Connector now supports Custom User Parameters for Aggregation
3989 and Provisioning
The SAP HR/HCM Connector has been redesigned to use RFC_READ_TABLE according to
SAP recommendations for enhanced security and technology adoption. The connector now
CONNAMDANG-
uses a SAP-certified function module to support the documented use cases. For more inform-
4000
ation on configuration and installation, refer to SailPoint Add-On to replace the use of RFC_
READ_TABLE.
CONNAMDANG- The Microsoft SQL Server - Direct Connector is now enhanced to support Azure SQL managed
4007 instance.
CONNAMDANG-
The Microsoft SQL Server - Direct Connector now supports MS SQL Server 2022
4032
CONNAMDANG-
The SAP SuccessFactors Connector is enhanced to exclude PII data for employees.
4033
CONNAMDANG- The SAP SuccessFactors Connector is now enhanced to manage external users and their enti-
4076 tlements who are in the onboarding stage.
CONNAMDANG-
IdentityIQ now supports new connector for integrating with the ‘Azure SQL' database.
4101
CONNAMDANG- The JDBC Connector is enhanced to fix probable injections in non-parameterised get object

SailPoint Release Notes 61

Issue ID Description
4126 queries.
CONNAMDANG- [SECURITY] The mysql-connector-java-8.0.30.jar has been upgraded to newer version mysql-
4129 connector-java-8.0.33.jar due to vulnerabilities found in older version.
[SECURITY] “commons-collections-3.2.2.jar“ has been upgraded to “commons-collections4-
CONNAMDANG-
4.4.jar” due to security vulnerabilities in connector-bundle-webservices and connector-bundle-
4158
jdbc
[SECURITY] Due to security vulnerabilities discovered in the json-smart-2.4.7.jar file, it has
CONNAMDANG-
been replaced with json-smart-2.4.10.jar. Be sure to update custom connectors, rules, or other
4161
customisations which directly or indirectly reference the json-smart-2.4.7.jar file.
CONNAMDANG- The SAP SuccessFactors Connector now supports additional attributes and custom attributes
4168 related to user entities via ODATA API.
CONNAMDANG- The SuccessFactors connector is now enhanced to aggregate selective records based on fil-
4201 tering criteria on employee records
CONNAMDANG-
The SAP HANA DB connector now works with SAP HANA Cloud DB ver 4.0 application.
4291
CONNAMDANG-
The PeopleSoft HCM Connector now supports PeopleTool version 8.60.
4304
CONSEALINK- A new healthcare integration “IdentityIQ for EPIC SER” is now available to govern the providers
2597 from EPIC.
CONSEALINK- The EPIC Connector test connection no longer fails on Oracle JDK 11 as the Bouncy Castle lib-
2695 rary is upgraded to 1.70 version.
CONSEALINK-
The Cerner Connector is now enhanced for efficient handling and closure of HTTP resources.
2925
CONSEALINK- For the Collaboration bundle, "jersey-common" jar has been upgraded to version 2.37 and its
3009 dependent jar "jersey-client" has also been upgraded to 2.37
CONSEALINK-
IdentityIQ now supports the BMC Helix Remedyforce Service Desk Integration Module.
3011
CONSEALINK- The IdentityIQ for ServiceNow Service Desk Integration now supports pulling RITM status in
3042 SailPoint.
CONSEALINK- The pending users from the Zoom User management are now successfully aggregated using
3060 the Zoom Connector.
CONSEALINK- The ServiceNow Identity Governance Connector account filter handling for sys user has role
3075 and sys user grmember is taken care of during cache initialization.
CONSEALINK- The Cerner Connector delete operations no longer fail if no additional attribute requests are
3101 provided.

SailPoint Release Notes 62

Issue ID Description
CONSEALINK- With the Zoom Connector, the assignment of multiple groups is now updated in the right format
3103 when a user is a member of more than one group.
CONSEALINK-
The EPIC Connector now supports Epic version May 2022.
3110
1) The ServiceNow Identity Governance Connector no longer supports the ServiceNow Paris
CONSEALINK-
release. And, 2) The IdentityIQ for ServiceNow Service Desk no longer supports the Ser-
3158
viceNow Paris release.
CONSEALINK- 1) The SailPoint Identity Governance Connector for ServiceNow now supports the ServiceNow
3162 Tokyo release. 2) The IdentityIQ for Service Desk now supports the ServiceNow Tokyo release.
CONSEALINK- The Slack Connector now supports creation of a guest user to have access to a single channel
3190 or multiple channels in Slack Enterprise Grid Plan.
CONSEALINK-
The Cerner Connector now aggregates invalid account usernames without failing.
3191
CONSEALINK-
The Zoom Connector now supports OAuth 2.0 authentication mechanism.
3234
CONSEALINK-
The Zendesk Connector now filters the accounts correctly without any error.
3243
CONSEALINK-
Jaxen library upgraded to a compatible version for supporting JDK 11
3274
CONSEALINK-
The Siebel Connector now supports Siebel server version 22.8.0.0.
3275
BMC Helix ITSM Service Desk Integration Module now supports version 21.3. With this new ver-
CONSEALINK-
sion, it supports Service Request via Digital Workplace with new Ticket Type "DWP Service
3276
Request".
CONSEALINK- All Service Desk Integration Module Configuration now supports attribute "pro-
3287 visioningRequestExpiration", which will avoid duplicate ticket creation.
CONSEALINK-
The EPIC SER Connector now displays provisioning failures at an attribute level.
3296
CONSEALINK- The ServiceNow Identity Governance Connector now supports "sysparm_query_category" as
3308 query parameter.
CONSEALINK- For ServiceNow Identity Governance Connector, "sysparm_fields" are now available to improve
3329 performance during aggregation operation
The SailPoint Identity Governance Connector now supports configurable option to read deleted
CONSEALINK-
events (such as removing group/role) of user's connection from custom table instead of sys_
3357
audit_delete table. This will enhance performance of delta aggregation.

SailPoint Release Notes 63

Issue ID Description
CONSEALINK- The Zoom Connector now supports the transfer_whiteboard attribute in the Delete user pro-
3367 visioning policy.
CONSEALINK-
The Zoom Connector no longer fails test connection with error 'authType' required.
3378
CONSEALINK- IdentityIQ for Atlassian Server Jira Service Desk now supports Atlassian Jira Service Man-
3421 agement (Server) Version 5.2.0
The EPIC Connector no more fails with error "TimeOut waiting for connection pool", User can
CONSEALINK-
increase the axis connection pool by configuring maxHostConnections parameter in applic-
3424
ation.
The ServiceNow Service Desk Integration Module now populates the Access Request com-
CONSEALINK- ment on the ServiceNow ticket. Existing ServiceDesk Integration configuration needs to modi-
3449 fythe provisioning task definition to include the comments for Access Request. This feature is
automatically included for all new configurations.
1) The ServiceNow Identity Governance Connector no longer supports the ServiceNow Rome
CONSEALINK-
release. And, 2) The IdentityIQ for ServiceNow Service Desk no longer supports the Ser-
3455
viceNow Rome release.
CONSEALINK-
BMC Helix ITSM Service Desk integration now supports OAuth 2.0 authentication.
3462
CONSEALINK- The EPIC Connector InBasket Classifications are no longer included by default in the account
3498 schema to avoid performance impact on provisioning operations.
The Generic SDIM now supports retrieving the ticket number from the URL if the create ticket
CONSEALINK- response returns the URL instead of the ticket number. The new attribute is 'Process Response
3512 Element Expression’ and it should be populated with parsing logic to fetch the ticket number
from the response URL.
CONSEALINK- New Service Desk Integration "IdentityIQ for Ivanti Cherwell ITSM Service Desk" is available
3556 now.
CONSEALINK- The EPIC Connector user fields "PrimaryManager" and "UsersManagers" are now supported
3566 as account attributes.
CONSEALINK- The ServiceNow Connector avoids unnecessary API calls related to entitlements if Customer is
3605 interested in only aggregating User data.
[SECURITY] For Collaboration bundle, "commons-collections-3.2.2.jar" jar has been removed
CONSEALINK-
due to vulnerability with the version. As there were no dependency of it on any of the con-
3656
nectors, instead of upgrading it has been removed.
CONSEALINK- A new out-of-the-box accounts connector for user access governance in Ivanti Cherwell ITSM
3765 solution

SailPoint Release Notes 64

Issue ID Description
CONSEALINK-
The Zoom connector no longer supports Authentication Type “API Token”.
3824
CONSEALINK-
The BMC Helix ITSM Service Desk Integration Module now supports version 22.1.
3927
CONUMSHIAN- The SAP GRC Connector now supports handling XML special characters ("'&<>) during user
4126 provisioning operations.
CONUMSHIAN-
The Amazon Web Services (AWS) Connector now supports 'AWS GovCloud (US)' Regions.
5107
CONUMSHIAN- The SAP Connector has been enhanced to provide a more relevant exception in case of certain
5129 erroneous situations.
The SAP GRC Connector is re-designed to use an SAP-certified function module for enhanced
CONUMSHIAN-
security and performance. The use of RFC_READ_TABLE has been made limited according to
5179
SAP recommendations.
CONUMSHIAN- The SAP GRC Connector now enhanced to support Account Partitioning for SAP Basis version
5232 751 and later.
CONUMSHIAN- The Oracle ERP Cloud Connector now enhanced to support aggregation of data access inform-
5284 ation (security context and security context values) even when not assigned to a role.
The SAP Direct Connector is re-designed to use an SAP-certified function module for enhanced
CONUMSHIAN-
security and performance. The use of RFC_READ_TABLE has been made limited according to
5303
SAP recommendations.
SAP Business Suite (ERP) Integration is certified with 'SAP HANA S/4 2022' for maintaining
CONUMSHIAN-
SailPoint Connectivity’s commitment to business continuity, customer support, and brand
5379
value.
The new Oracle Enterprise Performance Management (EPM) Cloud governance Connector
CONUMSHIAN- provides the capability for managing user accounts, predefined roles, application roles and
5405 groups. The integration supports EPM Cloud Services for Financial Consolidation and Close
(FCCS), Account Reconciliation (AR), Planning, Narrative Reporting (NR).
The new SAP Concur Connector provides Identity Governance on Expense management ser-
CONUMSHIAN- vices provided by Concur. The integration supports enforcing policies and permissions for grant-
5586 ing and revoking access to systems and data based on user identities, roles, and associated
groups for Expense, Request, Invoice, and Reporting.
The new Oracle Enterprise Performance Management (EPM) Cloud Governance Connector
CONUMSHIAN- provides the capability for managing user accounts, and reading and associating of Predefined
5688 roles, application roles and groups. The integration supports EPM Cloud Services for Planning,
Financial Consolidation and Close Service(FCCS), Account Reconciliation (ARCS), & Narrative

SailPoint Release Notes 65

Issue ID Description
Reporting (NR).
The new Oracle Enterprise Performance Management (EPM) Cloud Governance Connector
provides the capability for managing user accounts, and reading and associating of Predefined
CONUMSHIAN-
roles, application roles and groups. The integration supports EPM Cloud Services for Planning,
5691
Financial Consolidation and Close Service(FCCS), Account Reconciliation (ARCS), & Narrative
Reporting (NR).
The new Oracle Enterprise Performance Management (EPM) Cloud Governance Connector
provides the capability for managing user accounts, and reading and associating of Predefined
CONUMSHIAN-
roles, application roles and groups. The integration supports EPM Cloud Services for Planning,
5695
Financial Consolidation and Close Service(FCCS), Account Reconciliation (ARCS), & Narrative
Reporting (NR).
The new Oracle Enterprise Performance Management (EPM) Cloud Governance Connector
provides the capability for managing user accounts, and reading and associating of Predefined
CONUMSHIAN-
roles, application roles and groups. The integration supports EPM Cloud Services for Planning,
5724
Financial Consolidation and Close Service(FCCS), Account Reconciliation (ARCS), & Narrative
Reporting (NR).
CONUMSHIAN- The SAP Concur Connector has been enhanced to support role assignment to the user during
5747 the modify operation.
CONUMSHIAN- The SAP Concur Connector now supports date provisioning and retrieval in a fixed format, also
5756 fixing an attribute sync problem.
CONUMSHIAN- The SAP Concur Connector now handles the proper SCIM mapping of attributes required for
5769 provisioning use cases.
We have added additional settings on the SAP GRC Source Configuration UI for Access
CONUMSHIAN-
Request Type Mapping, Provisioning Actions for Roles and System sections for ease of con-
5836
figuration and maintenance
SailPoint’s Integration for the SAP Fieldglass Vendor Management System offers governance
CONUMSHIAN- capabilities for contingent workers. It offers seamless governance of external users man-
5852 agement for joiners, movers, leaver workflows, and separation of duty (SOD) checks based on
user roles, attributes, and entitlements.
CONUMSHIAN- SailPoint SAP GRC Integration now supports Access Management Requests that are con-
5974 figured for Auto-Approval in the SAP GRC system.
CONUMSHIAN-
The Oracle PeopleSoft HCM Connector is now supports PeopleTools version 8.60.05
5990
The Web Services Connector will now work with optional namespace prefix for XPATH attribute
CONVASHI-1431
mappings.

SailPoint Release Notes 66