What is new in IBM Security Verify Governance Version 10.0.0

This version delivers enhancements in the areas of deployment, performance and scalability, auditing, and usability.

Change in product name and version

IBM® Security Verify Governance is the new name for IBM Security Identity Governance and Intelligence. The first version number for the new nomenclature is 10.0.0.

The following table shows the correspondence between the old and the re-branded names of the product chargeable components:

Table 1. Old and new names of chargeable components
Previous name	Current name	Description
IBM Security Identity Governance Compliance	IBM Security Verify Governance Compliance	This component can be acquired separately or included in IBM Security Verify Governance Enterprise. The included key capabilities are: Entitlement Discovery Access Certification Business Activity-based Risk Modeling Separation of Duty Risk Analysis Risk Access Control and Mitigation Compliance Reports Infrastructure Adapters
IBM Security Identity Governance Lifecycle	IBM Security Verify Governance Lifecycle	This component can be acquired separately or included in IBM Security Verify Governance Enterprise. The included key capabilities are: Identity Lifecycle Management Access Request Account and Password Management Attribute and Role based Policy Management Approval and Fulfillment workflows End-to-end change request auditing and change control Infrastructure Adapters Includes the Identity Manager component.
IBM Security Identity Governance Analytics	BM Security Verify Governance Role Optimization	An optional add-on of Compliance or Lifecycle. It is also included in IBM Security Verify Governance Enterprise. The included key capabilities are: Role Analysis and Reporting Role Modeling and Role Mining Role Lifecycle Management
	IBM Security Verify Governance Application Adapters	An optional add-on of Compliance or Lifecycle. It is also included in IBM Security Verify Governance Enterprise. It includes a set of adapters to manage accounts and access entitlements for wide range of applications.
	IBM Security Verify Governance Host Adapters	An optional add-on of Compliance or Lifecycle. It includes a set of adapters to manage identities and access entitlements for mainframe systems and applications.
IBM Security Identity Governance Enterprise Edition	IBM Security Verify Governance Enterprise	Provides comprehensive IGA capabilities and includes Lifecycle, Compliance, Analytics, and Application Adapters. Includes the Identity Manager component.

Within IBM Security Verify Governance, also the following changes are in effect:

The IBM Security Identity Governance and Intelligence server is renamed IBM Security Verify Governance server
The IGI command in the virtual appliance command-line interface, is renamed SVG.
The IGI acronym, that was previously contained in labels and descriptions, is changed to the SVG acronym or to the full product name.

The mobile app also changes its name to IBM Security Verify Request.

IBM Security Identity Manager becomes the Identity Manager component of IBM Security Verify Governance

IBM Security Identity Manager becomes formally a component of IBM Security Verify Governance. Identity Manager is now included in the IBM Security Verify Governance Lifecycle and Enterprise chargeable components.

The installation, configuration, and use of Identity Manager remain distinct from IBM Security Verify Governance and are similar to those of IBM Security Identity Manager Versions 6.x and 7.x. For the documentation, refer to section Identity Manager in this Knowledge Center.

Support withdrawn for XenServer and Ubuntu

These platforms are not supported by this IBM Security Verify Governance version.

Supported database versions

This product version supports exclusively these database versions:

Internal PosgreSQL
Oracle 19c Enterprise
DB2 Version 11.5.4 Standard Edition.
The Verify Governance Version 10.0.0 product package, that you can download from Passport Advantage, includes an activation key to upgrade your current DB2 to Version 11.5.4 Standard Edition from Fix Central, as well as installation images for a fresh DB2 Version 11.5.4 Standard Edition installation.

Supported Transport Layer Security (TLS) versions

IBM Security Verify Governance is installed with TLSv1.2 in Transition mode, including all of its components, and uses only non_CBC ciphers that are accepted by TLSv1.2.

TLSv1.2 in Transition mode implies that if any external middleware, such as the DB2 and Oracle database servers, the LDAP server, or other server, is not yet on TLSv1.2, the SSL communication between that middleware and the virtual appliance will not be interrupted.

TLSv1.2 in Strict mode is also supported. Using TLSv1.2 in Strict mode requires that all external connecting middleware be also on TLSv1.2 and use the same ciphers that are defined for the local management interface. The virtual appliance administrator can go to the Advanced Tuning Parameters page of the virtual appliance local management interface to change the lmi.security.protocol key to this value.

If TLSv1.2_strict is used, also all the connected middleware must be on TLSv1.2 and use strong ciphers. SHA-2 certificates are required. SHA-1 certificates do not work with TLSv1.2 strict mode.

See Advanced tuning parameters for the virtual appliance for details.

The new reset_tls_mode CLI command can be used to revert from TLSv1.2_strict back to TLSv1.2 in transition mode. See Resetting TLSv1.2 strict mode to transition for details.

Service Center (New) provided in addition to the classic Service Center

The Service Center (New) deploys a new and powerful user interface, with a slender look and feel, that provides a simpler and more intuitive user experience. The Service Center (New) is experimental and is released in stages. The functionality that is available with this version covers the certification of User and Organizational Unit assignment campaigns.

The Service Center (New) is distributed out-of-the-box, but it must be enabled with a virtual appliance CLI command. See Enabling and managing the Service Center (New) for a description of this and other related commands.

New Verify Governance REsT APIs

The following Verify Governance REsT APIs were added:

Category	Resource	API
Access Certification (AC) API methods	Campaigns-Supervisor	Find Reviewers
	Organizational Unit	Find Supervisor to Escalate OU
	Organizational Unit	Get Statistics about OU Assignments
	Organizational Unit-Supervisor	Inspect OU by Reviewer
	Organizational Unit-Supervisor	Org. Unit View by Reviewer
	User Assignment	Find Supervisor to Escalate User Assignment
	User Assignment	Get Statistics about User Assignments
	User Assignment	User View by Campaign
	User Assignment-Supervisor	Entitlement View by Reviewer
	User Assignment-Supervisor	User View by Reviewer

See Verify Governance REST APIs for more information and for the link to the full Verify Governance REsT API documentation.

New virtual appliance CLI commands to manage the IBM Security Verify Governance server

The svg>server command-line interface command provides options to start, stop, restart, and see the current status of the IBM Security Verify Governance server.

The commands run the same actions that can be run from the Server Control box in the virtual appliance local management interface or with the virtual appliance Rest APIs.

See Managing the IBM Security Verify Governance server from the CLI for details.

Request Center enhancements

The following enhancements were made in the request lists of the Authorization and Execution steps:

Redesign of how requests that await approval or execution are displayed

The lists of requests are shown in a tree view that displays the parent requests. Users can expand them to display their child requests. The Search tool also returns the parent requests of the requests that the search is filtered for, and then expand them. All requests have a parent and at least one child request, each with its own Request ID. User Access Change parent requests spawn a child request for every entitlement for which an action is requested.

The requests list also has a new layout:

An Actions column enables a user to run bulk actions on parent requests and all of their children, or actions on single child requests.
All of the actions that can be selected from within the request details, can be selected also at the summary level from the Actions column.
In child requests, new columns list the application, entitlement, and accounts that are impacted by the request, when applicable.

These enhancements apply, with the due differences based on the types of requests, to the lists of requests that are displayed for:

Summary of requests to authorize or execute
Escalated requests
Redirected requests
Requests that are redirected after expiring
Daily Work
Request Report

Action displays if authorizing a Delegation or User Access Change request increases the risk of the beneficiary

When enabled, the Enable Risk information for Approvers option in Process Designer shows the

Expected risk from
approval

icon in the Actions column of every parent request in the Requests Summary and Daily Work windows of a request approver. When the approver selects this icon, the Incompatibility Details window displays a tree view of the risk situation of the request beneficiary. The risks in bold apply to the entitlements that are to be delegated or assigned in the specific request. A Mitigation tab displays the defined mitigation actions for the risks in the list.

If the approval of the request does not change the current risk situation of the user, a message states this and the Incompatibility Details window is not displayed.

Applies to the Authorization functionalities of contexts Delegation Change and User Access Change.

New Mitigation icon in the list of escalated requests

A Mitigation icon enables a Risk Manager to work escalation requests at the summary level. It helps the Risk Manager to check for the overall risk information of the selected request.

The Risk Manager can also add mitigations to the request, by selecting each risk and selecting an already-defined mitigation object, before approving or revoking the request.

The icon is displayed also in escalation requests in the Daily Work view.

Process Designer activity configuration options are documented in Modeling an activity.

Documentation for the Request Center is in The available functions of the Request Center.

Records can be sorted by column in Access Certification campaigns

Campaign reviewers and supervisors can click around most column names to sort the campaign records on the selected column. If a column is sortable, they see an upward looking arrow to the right of the column name when they click it. The column content is then sorted in ascending order. If they click the arrow to make it point downward, the column content is sorted in descending order.

The sorting is done on the initial characters and follows this order: first, special characters; then, numeric values; then, upper cases of the English alphabet; then, lower cases of the English alphabet; last, all letters of non-English alphabets. If the product runs on a PostgreSQL database, the characters of the English alphabet are arranged by following a dictionary sort.

Certification campaigns for reviewers and supervisors are documented in Campaign Management.

Parallel processing allowed for some bulk actions in the User View of User Assignment Access Certification campaigns

When a reviewer or supervisor runs the Approve All, Revoke All, or Signoff All bulk actions on a number of selected users, the icons in the Actions column, for the users that are processed, are temporarily replaced by a revolving hourglass ( an hourglass ). As soon as all the assignments of a user are processed (approved, revoked, or signed off), the hourglass in the user's row is replaced by the previous icons (with the updated status).

While the processing takes place, and the an hourglass is displayed, the reviewer or supervisor can do other actions in the Service Center.

If two bulk actions are selected, for example an Approve All followed by a Revoke All, on a group of users, the two actions are performed one after the other.

The documentation for the User View of User Assignment campaigns is at Details - User View (reviewers) and Details for Supervisor - User Assignment (supervisors).

New out-of-the-box task in Task Planner

The new Unlock Review Records task with its job unlocks the review records of User Assignment campaigns that remain in a locked state for more than the specified interval. The task is active by default and the default interval is 2 hours.

Out-of-the-box tasks and jobs are documented in Task Planner default jobs.

New product reports and additional option for custom filters in Report Designer

Two out-of-the-box Audit reports are added:

Account Change Audit Report: Audit report for Account Change activities. The report can be generated for a specific application or for a group of applications.
User Change Audit Report: Audit report for the some User Change activities (User Add, User Modify, and User Remove) across an organizational unit.

Out-of-the-box reports are documented in Available reports.

The Multiple Selection column is added in the Filters tab of the report creation wizard. While defining a custom report, the administrator can select the Multiple Selection check box to enable a custom filter for multiple selection. This enables users to select multiple values for the custom filter when they run the report. See Filters tab for details.

Entitlements added to the Activity scope tab in Process Designer for Delegation and Admin Delegation workflows

For these workflows, the Process Designer administrator can now select an entitlement scope so that, when a requestor creates a delegation request, the entitlements that are displayed as available for delegation are filtered by this scope.

For these workflows, the administrator can select also an Application scope so that, when a requestor creates a delegation request, the entitlements that are displayed as available for delegation are first filtered on the selected application scope, and then on the selected entitlement scope.

An Application tab, that was not previously included in the Activity scope tab of Admin Delegation workflow definitions, is now available.

Visibility scopes are documented in Modeling an activity.

Enhancements in the definition of Certification Campaigns in Access Governance Core

The following enhancements were made:

The end dates of active campaigns can be changed from the Actions menu: Administrators can use the Change end date action in the Certification Search list of campaigns. The action becomes available only on selected active () campaigns. When the action is selected, a Change end date window helps the administrator select a new closing date for the campaign.
A new notification for Change of campaign end date can be specified in the Notification page of the campaign definition, so that a reviewer or supervisor is informed of the change. The out-of-the-box Campaign End Date Changed notification template is also available for use.
The duration of a campaign can be specified also by a fixed date: The Duration drop down list in the Scheduling tab includes now the Fixed date option, where the administrator can select a specific date when the campaign is to closed.
The new End Date field is appended, where the administrator can specify a closing date. For other Duration selections, the date is calculated by the system and displayed as read-only in the field. For Fixed date selections, the calendar becomes active and the administrator clicks it to select the date.

The definition of certification campaigns is documented in Certification Campaigns.

Correction of the rule behavior for HR Feed CSV connectors for users

In previous versions, the rule that updated the USER_ERC table with HR Feed files coming from CSV connectors was unable to recognize that a record in input from a CSV file was already in the USER_ERC table because the primary key had different capitalization. As a consequence, the record was added to the USER_ERC table, and an Add User IN event was generated. But the event was not further processed because the record was found to be already present.

From this version, the rule can detect if a record in the CSV file is already listed in USER_ERC, despite the different capitalization, and proceeds to update the existing record with the changed record of the CSV file. The operation is now audited as a Modify User event.

CSV connectors are documented in CSV connectors integration.