What is new in IBM Security Verify Governance Version 10.0.0
This version delivers enhancements in the areas of deployment, performance and scalability, auditing, and usability.
Change in product name and version
IBM® Security Verify Governance is the new name for IBM Security Identity Governance and Intelligence. The first version number for the new nomenclature is 10.0.0.
Previous name | Current name | Description |
---|---|---|
IBM Security Identity Governance Compliance | IBM Security Verify Governance Compliance | This component can be acquired separately or included in IBM Security Verify Governance Enterprise. The included key capabilities are: |
IBM Security Identity Governance Lifecycle | IBM Security Verify Governance Lifecycle | This component can be acquired separately or included in IBM Security Verify Governance Enterprise. The included key capabilities are: Includes the Identity Manager component. |
IBM Security Identity Governance Analytics | IBM Security Verify Governance Role Optimization | An optional add-on of Compliance or Lifecycle. It is also included in IBM Security Verify Governance Enterprise. The included key capabilities are: |
| | IBM Security Verify Governance Application Adapters | An optional add-on of Compliance or Lifecycle. It is also included in IBM Security Verify Governance Enterprise. It includes a set of adapters to manage accounts and access entitlements for a wide range of applications. |
| | IBM Security Verify Governance Host Adapters | An optional add-on of Compliance or Lifecycle. It includes a set of adapters to manage identities and access entitlements for mainframe systems and applications. |
IBM Security Identity Governance Enterprise Edition | IBM Security Verify Governance Enterprise | Provides comprehensive IGA capabilities and includes Lifecycle, Compliance, Analytics, and Application Adapters. Includes the Identity Manager component. |
- The IBM Security Identity Governance and Intelligence server is renamed IBM Security Verify Governance server.
- The IGI command in the virtual appliance command-line interface is renamed SVG.
- The IGI acronym, which was previously contained in labels and descriptions, is changed to the SVG acronym or to the full product name.
The mobile app also changes its name to IBM Security Verify Request.
See also Where the igi acronym is retained in IBM Security Verify Governance Version 10.0.0.
IBM Security Identity Manager becomes the Identity Manager component of IBM Security Verify Governance
IBM Security Identity Manager becomes formally a component of IBM Security Verify Governance. Identity Manager is now included in the IBM Security Verify Governance Lifecycle and Enterprise chargeable components.
The installation, configuration, and use of Identity Manager remain distinct from IBM Security Verify Governance and are similar to those of IBM Security Identity Manager Versions 6.x and 7.x. For the documentation, refer to section Identity Manager in this Knowledge Center.
Support withdrawn for XenServer and Ubuntu
These platforms are not supported by this IBM Security Verify Governance version.
Supported database versions
- Internal PostgreSQL
- Oracle 19c Enterprise
- DB2 Version 11.5.4 Standard Edition.
The Verify Governance Version 10.0.0 product package, which you can download from Passport Advantage, includes an activation key to upgrade your current DB2 to Version 11.5.4 Standard Edition from Fix Central, as well as installation images for a fresh DB2 Version 11.5.4 Standard Edition installation.
Supported Transport Layer Security (TLS) versions
IBM Security Verify Governance is installed with TLSv1.2 in Transition mode, including all of its components, and uses only non-CBC ciphers that are accepted by TLSv1.2.
TLSv1.2 in Transition mode implies that if any external middleware, such as the DB2 and Oracle database servers, the LDAP server, or other server, is not yet on TLSv1.2, the SSL communication between that middleware and the virtual appliance will not be interrupted.
TLSv1.2 in Strict mode is also supported. Using TLSv1.2 in Strict mode requires that all external connecting middleware also be on TLSv1.2 and use the same ciphers that are defined for the local management interface. The virtual appliance administrator can go to the Advanced Tuning Parameters page of the virtual appliance local management interface to change the lmi.security.protocol key to this value.
If TLSv1.2_strict is used, all the connected middleware must also be on TLSv1.2 and use strong ciphers. SHA-2 certificates are required. SHA-1 certificates do not work with TLSv1.2 strict mode.
See Advanced tuning parameters for the virtual appliance for details.
The new reset_tls_mode CLI command can be used to revert from TLSv1.2_strict back to TLSv1.2 in transition mode. See Resetting TLSv1.2 strict mode to transition for details.
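A pre-flight check that an administrator could run against each external middleware endpoint before switching to strict mode, given here as an added example that is not IBM code. It assumes that a strong, non-CBC suite means an AEAD suite (GCM, CCM, or ChaCha20) and detects SHA-1 by scanning the leaf certificate's DER for SHA-1 signature OIDs; the function names and sample bytes are constructed for illustration.

```python
import socket
import ssl

# Assumption: a "non-CBC" TLSv1.2 suite is an AEAD suite, named with one of these.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
# DER-encoded OIDs of SHA-1 based certificate signature algorithms.
SHA1_SIG_OIDS = (
    bytes.fromhex("06092a864886f70d010105"),  # sha1WithRSAEncryption
    bytes.fromhex("06072a8648ce3d0401"),      # ecdsa-with-SHA1
)
# Constructed AlgorithmIdentifier fragments standing in for certificate DER.
SAMPLE_SHA256_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")
SAMPLE_SHA1_ALG = bytes.fromhex("300d06092a864886f70d0101050500")


def strict_mode_findings(version, cipher, cert_der):
    """Return reasons a peer would fail under TLSv1.2 strict (empty list = ready)."""
    findings = []
    if version != "TLSv1.2":
        findings.append(f"negotiated {version}, not TLSv1.2")
    if not any(marker in cipher.upper() for marker in AEAD_MARKERS):
        findings.append(f"cipher {cipher} is CBC or another non-AEAD suite")
    # Heuristic: byte-scan of the leaf certificate only; the chain is not checked.
    if any(oid in cert_der for oid in SHA1_SIG_OIDS):
        findings.append("certificate is signed with SHA-1")
    return findings


def probe(host, port, timeout=5.0):
    """Handshake with a middleware TLS listener and report strict-mode findings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only; nothing is trusted
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # test what strict mode will use
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return strict_mode_findings(
                    tls.version(), tls.cipher()[0],
                    tls.getpeercert(binary_form=True))
    except ssl.SSLError as exc:
        # Typical when the peer offers only pre-TLSv1.2 protocols or weak suites.
        return [f"TLS handshake failed: {exc}"]


if __name__ == "__main__":
    print(strict_mode_findings("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", SAMPLE_SHA256_ALG))
    print(strict_mode_findings("TLSv1.1", "AES256-SHA", SAMPLE_SHA1_ALG))
```

An empty list from `probe` for every database, LDAP, and other connected server indicates that the endpoint meets the conditions listed above; any finding is a reason to stay in Transition mode until that server is updated.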
Service Center (New) provided in addition to the classic Service Center
The Service Center (New) deploys a new and powerful user interface, with a slender look and feel, that provides a simpler and more intuitive user experience. The Service Center (New) is experimental and is released in stages. The functionality that is available with this version covers the certification of User and Organizational Unit assignment campaigns.
The Service Center (New) is distributed out-of-the-box, but it must be enabled with a virtual appliance CLI command. See Enabling and managing the Service Center (New) for a description of this and other related commands.
See also The new Service Center.
New Verify Governance REST APIs
Category | Resource | API |
---|---|---|
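Access Certification (AC) API methods | Campaigns-Supervisor | Find Reviewers |
Access Certification (AC) API methods | Organizational Unit | Find Supervisor to Escalate OU |
Access Certification (AC) API methods | Organizational Unit | Get Statistics about OU Assignments |
Access Certification (AC) API methods | Organizational Unit-Supervisor | Inspect OU by Reviewer |
Access Certification (AC) API methods | Organizational Unit-Supervisor | Org. Unit View by Reviewer |
Access Certification (AC) API methods | User Assignment | Find Supervisor to Escalate User Assignment |
Access Certification (AC) API methods | User Assignment | Get Statistics about User Assignments |
Access Certification (AC) API methods | User Assignment | User View by Campaign |
Access Certification (AC) API methods | User Assignment-Supervisor | Entitlement View by Reviewer |
Access Certification (AC) API methods | User Assignment-Supervisor | User View by Reviewer |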
See Verify Governance REST APIs for more information and for the link to the full Verify Governance REST API documentation.
New virtual appliance CLI commands to manage the IBM Security Verify Governance server
The svg>server command-line interface command provides options to start, stop, restart, and see the current status of the IBM Security Verify Governance server.
The commands run the same actions that can be run from the Server Control box in the virtual appliance local management interface or with the virtual appliance REST APIs.
See Managing the IBM Security Verify Governance server from the CLI for details.
Request Center enhancements
- Redesign of how requests that await approval or execution are displayed
- The lists of requests are shown in a tree view that displays the parent requests. Users can expand them to display their child requests. The Search tool also returns the parent requests of the requests that the search is filtered for, and then expands them. All requests have a parent and at least one child request, each with its own Request ID. User Access Change parent requests spawn a child request for every entitlement for which an action is requested. The requests list also has a new layout:
- An Actions column enables a user to run bulk actions on parent requests and all of their children, or actions on single child requests.
- All of the actions that can be selected from within the request details can also be selected at the summary level from the Actions column.
- In child requests, new columns list the application, entitlement, and accounts that are impacted by the request, when applicable.
These enhancements apply, with the due differences based on the types of requests, to the lists of requests that are displayed for:
- Summary of requests to authorize or execute
- Escalated requests
- Redirected requests
- Requests that are redirected after expiring
- Daily Work
- Request Report
- Action displays if authorizing a Delegation or User Access Change request increases the risk of the beneficiary
- When enabled, the Enable Risk information for Approvers option in Process Designer shows the Expected risk from approval icon in the Actions column of every parent request in the Requests Summary and Daily Work windows of a request approver. When the approver selects this icon, the Incompatibility Details window displays a tree view of the risk situation of the request beneficiary. The risks in bold apply to the entitlements that are to be delegated or assigned in the specific request. A Mitigation tab displays the defined mitigation actions for the risks in the list. If the approval of the request does not change the current risk situation of the user, a message states this and the Incompatibility Details window is not displayed.
Applies to the Authorization functionalities of contexts Delegation Change and User Access Change.
- New Mitigation icon in the list of escalated requests
- A Mitigation icon enables a Risk Manager to work escalation requests at the summary level. It helps the Risk Manager to check for the overall risk information of the selected request. The Risk Manager can also add mitigations to the request, by selecting each risk and selecting an already-defined mitigation object, before approving or revoking the request.
The icon is displayed also in escalation requests in the Daily Work view.
Process Designer activity configuration options are documented in Modeling an activity.
Documentation for the Request Center is in The available functions of the Request Center.
Records can be sorted by column in Access Certification campaigns
Campaign reviewers and supervisors can click around most column names to sort the campaign records on the selected column. If a column is sortable, they see an upward looking arrow to the right of the column name when they click it. The column content is then sorted in ascending order. If they click the arrow to make it point downward, the column content is sorted in descending order.
The sorting is done on the initial characters and follows this order: first, special characters; then, numeric values; then, uppercase letters of the English alphabet; then, lowercase letters of the English alphabet; last, all letters of non-English alphabets. If the product runs on a PostgreSQL database, the characters of the English alphabet are arranged by following a dictionary sort.
Certification campaigns for reviewers and supervisors are documented in Campaign Management.
Parallel processing allowed for some bulk actions in the User View of User Assignment Access Certification campaigns
When a reviewer or supervisor runs the Approve All, Revoke All, or Signoff All bulk actions on a number of selected users, the icons in the Actions column, for the users that are processed, are temporarily replaced by a revolving hourglass. As soon as all the assignments of a user are processed (approved, revoked, or signed off), the hourglass in the user's row is replaced by the previous icons (with the updated status).
While the processing takes place, and the hourglass is displayed, the reviewer or supervisor can do other actions in the Service Center.
If two bulk actions are selected, for example an Approve All followed by a Revoke All, on a group of users, the two actions are performed one after the other.
The documentation for the User View of User Assignment campaigns is at Details - User View (reviewers) and Details for Supervisor - User Assignment (supervisors).
New out-of-the-box task in Task Planner
The new Unlock Review Records task with its job unlocks the review records of User Assignment campaigns that remain in a locked state for more than the specified interval. The task is active by default and the default interval is 2 hours.
Out-of-the-box tasks and jobs are documented in Task Planner default jobs.
New product reports and additional option for custom filters in Report Designer
- Account Change Audit Report
- Audit report for Account Change activities. The report can be generated for a specific application or for a group of applications.
- User Change Audit Report
- Audit report for some User Change activities (User Add, User Modify, and User Remove) across an organizational unit.
Out-of-the-box reports are documented in Available reports.
The Multiple Selection column is added in the Filters tab of the report creation wizard. While defining a custom report, the administrator can select the Multiple Selection check box to enable a custom filter for multiple selection. This enables users to select multiple values for the custom filter when they run the report. See Filters tab for details.
Entitlements added to the Activity scope tab in Process Designer for Delegation and Admin Delegation workflows
For these workflows, the Process Designer administrator can now select an entitlement scope so that, when a requestor creates a delegation request, the entitlements that are displayed as available for delegation are filtered by this scope.
For these workflows, the administrator can also select an Application scope so that, when a requestor creates a delegation request, the entitlements that are displayed as available for delegation are first filtered on the selected application scope, and then on the selected entitlement scope.
An Application tab, which was not previously included in the Activity scope tab of Admin Delegation workflow definitions, is now available.
Visibility scopes are documented in Modeling an activity.
Enhancements in the definition of Certification Campaigns in Access Governance Core
- The end dates of active campaigns can be changed from the Actions menu
- Administrators can use the Change end date action in the Certification Search list of campaigns. The action becomes available only on selected active campaigns. When the action is selected, a Change end date window helps the administrator select a new closing date for the campaign.
A new notification for Change of campaign end date can be specified in the Notification page of the campaign definition, so that a reviewer or supervisor is informed of the change. The out-of-the-box Campaign End Date Changed notification template is also available for use.
- The duration of a campaign can be specified also by a fixed date
- The Duration drop-down list in the Scheduling tab now includes the Fixed date option, where the administrator can select a specific date when the campaign is to be closed.
The new End Date field is appended, where the administrator can specify a closing date. For other Duration selections, the date is calculated by the system and displayed as read-only in the field. For Fixed date selections, the calendar becomes active and the administrator clicks it to select the date.
The definition of certification campaigns is documented in Certification Campaigns.
Correction of the rule behavior for HR Feed CSV connectors for users
In previous versions, the rule that updated the USER_ERC table with HR Feed files coming from CSV connectors was unable to recognize that a record in input from a CSV file was already in the USER_ERC table because the primary key had different capitalization. As a consequence, the record was added to the USER_ERC table, and an Add User IN event was generated. But the event was not further processed because the record was found to be already present.
From this version, the rule can detect if a record in the CSV file is already listed in USER_ERC, despite the different capitalization, and proceeds to update the existing record with the changed record of the CSV file. The operation is now audited as a Modify User event.
CSV connectors are documented in CSV connectors integration.