New Features

The 3.3 release of Select Identity introduces some new features and enhanced capabilities.  New features and enhancements of the 3.3 release include:

• New Search for User Management

The search has been improved and is no longer a separate dialog.  Administrators can now search more easily and have the ability to search using multiple fields.

• Improved Status for Disabled Users

When viewing a user’s membership, administrators can now distinguish between a user who was disabled due to a termination request vs. a user who was explicitly disabled.

• Workflow, Requests, and Approvals
• Added ability to search for requests by Target User Id or Requester from Request Status.
• Request Action and Request Number added to Approval Dialogs.
• Ability for an end-user to approve requests without an administrator explicitly granting them an “approver” role.
• Improved error handling in workflow with the introduction of a new status code.  See Default Workflow Templates installed with Select Identity.

• Registration and Self Service
• Scheduling of Self-Service is now a configurable option within Select Identity. 
• Added ability to customize introductory text in self-registration page.
• Registration will skip the context page if the user has an existing context value for the new service being added.
• Auto-Discovered users are now allowed to modify their profile prior to being associated to a service.
• Attribute
• Help Text for attributes now displayed with mouse-over action.
• Help Text supported for both Text Boxes and Multi-Selection controls.
• Resource Management
• Added SQL Connector utility which creates a mapping file that maps attributes to a resource for Select Identity supported relational databases.
• SQL Connector mapping utility allows for the creation of entitlements in supported relational databases.

New Connectors For Select Identity 3.3

•        Connector for Oracle 9i and 10g Administration

•        Connector for Microsoft SQL Server 2000 Administration

•        Connector for IBM DB2 Universal Database Administration

•        Connector for Sybase ASE 12.5 Administration

•        Connector for Novell eDirectory Version 8.7.3

•        Connector for Tru64 UNIX® Systems with SSH

•        Connector for Tru64 UNIX® Systems with Telnet

•        Universal Connector

•        Connector for IBM® AIX 5.1 Systems with Telnet

•        Active Directory 2003 (Supported)

Software Fixes

·         Disable Service membership for a user on two Services simultaneously using a shared entitlement (same resource), the disable operation will now remove the entitlement. 

·         Select Identity will validate against the service context constraint list when a user is created.

·         A specific service, specific context Admin User will be able to view the user context page both before and after approval.

·         Terminating a user on multiple HP-UNIX resources will now roll back the termination if the user is not able to be removed from all resources. Note that due to one-way password encryption, the restored user will need to have their password manually reset by an administrator.

·         Reset Password for a user on multiple resources will not roll back successful password changes. The request will show “Completed Error” for unsuccessful resources.

·         Clustering is supported by the Select Identity Installer.

·         Audit User Deletion Summary Report now supports searching for deleted users by service.

·         Multi-value and Expiration Date attribute types are now being stored in Select Identity when received from a Bulk Add User request. However, the Multi-value attribute value is not being displayed on the Approval view for the user.

·         Reconciliation and Bulk Add performance has been improved.

·         The Start and End Block ID properties in Workflow Studio no longer default to spaces in the value field. 

·         Attribute Management Help text now displays for drop-downs, searches, and multi-line text fields (including constraint lists).

Known Problems and Limitations

·         When defining a parent Service Role, you may assign multiple workflows for a single event for the purposes of passing those workflows down to other child Service Roles.  However, if you attempt to add, modify, or delete a user that references a context with multiple templates assigned to an event, the action will fail.

·         You must select a workflow when mapping the View Service Membership event in a Service Role.  The workflow is ignored but needed to view users in the Service.

·         Reconciliation requires that a user have at least one optional entitlement if the optional entitlements are specified in a constraint list for a Service.  Otherwise, a user with no entitlements or entitlements outside the constraint list cannot be assigned to the Service through reconciliation.

·         Password fields should be retyped with the existing password if the field is set to “updateable” in the views for Modify User or Add Service events.  In general, user passwords should be changed using the Reset Password function in Select Identity.

·         Composite Services use the views defined within the individual Services if using the Add Service feature.  Views defined in the Composite Service are ignored when adding an existing user to a new Service.

·         Modifying a user through the use of a Web Service does not use the view associated with a modify event.   Instead, it uses the Add User view.

·         If the password attribute is added to a Composite Service, the administrator will not be able to add a user to the Service.  Primary User Key and the Context Attribute are the only allowed attributes at the Composite Service level.

·         Some actions in Select Identity are specifically related to Service memberships and some are not.  For non-service related functions (enable all services, disable all services, reset password, terminate user, move user, and manage expiration), an administrator can perform actions for users outside their context if the user value is typed into the UserId field.  To avoid this problem:  1) users should be selected using the Search capabilities within Select Identity and 2) consider separating these functions by role.

·         Request Status may not be accurate when deleting a user’s service membership.   The request status indicates the deletion of the entitlement(s) failed.   However, the user was successfully deleted from the resource as expected.

·         The Password email template for Bulk Add Users is sent regardless of the provisioning status.  Be sure to include the [USERDEF:Status] keyword in the subject and body of the email template for password notifications.

·         If deleting a user from multiple service memberships simultaneously and the services contain multiple resources, the user may not be removed from the all the resources.   To avoid this problem, remove the user from one service membership at a time.

·         External Calls can only be invoked once from workflow when adding users through the Bulk Add capability.

·         If an Administrator inadvertently presses the submit button twice when adding a user or performs multiple actions on a user simultaneously, the second request will automatically fail.  Administrators should ensure that only one request is submitted for a specific user, allowing the request to complete before issuing another request for the same user.

·         Bulk Add supports a maximum of 200 users.  If you need to process more than 200 users, create multiple files with 200 users each and process the files sequentially.

·         Modification of a resource after changing the resource mapping file to remove attributes mapped to Select Identity attributes will fail with error “Application cannot be modified at this time.” Remove Select Identity mapping prior to modifying the resource.

·         The final Reconciliation Report is not received if users fail in provisioning or post provisioning. If no final report is received, manually view the Request Status for failed users.

·         Termination Audit and Summary reports will only return users when run by All Service, All Context administrators.

·         Create User will not be rolled back if resource user creation is successful, but adding entitlements fails.

·         To create a custom keystore, the keystore utility files found in the keystore directory of the CD should be used.  The keystore utility files generated by the installer should not be used to generate a custom keystore.

·         A workflow request will show an error and the provisioning event will fail when a user is terminated in Select Identity and the user does not exist on the resource.  If the user’s Service contains several resources or there are several services with different resources, the user will not be provisioned in any of the resources due to the failure.

·         Encrypted attribute fields should be retyped with the existing value if the field is set to “updateable” in the views for Modify User or Add Service events.  Otherwise, the encrypted value will be encrypted again if the field is not re-entered.

·         After upgrading from Select Identity 3.0.2 to 3.3, you cannot perform a “modify user” or “delete user” via web services if using existing services with a SQL Server database.  An error will be returned in the request status. 

·         When adding a user to an Administrative Service, the approval will fail if the approval is tied to a multi-page view for the service.   Avoid using multi-page views for Administrative Services if an approval is required.

·         If Select Identity is provisioning users to multiple services at the same time, it’s possible that errors may occur.  These errors can usually be avoided by ensuring the following:

o        The JTA Transaction Time-Out values for the Application Server have been increased (i.e., from 30 seconds  to 300 seconds)

o        The database connection pool in the application server has the correct number (i.e., 30 for single server, 60 for clustered server)

o        The Maximum Heap Size for the Server has at least 1 GB of memory

Note:  The above amounts are recommendations and can vary significantly based on your specific environment.  Contact your Application Server System Admin and Database Administrator for determining the correct values needed in your installation.