Hitachi ID Password Manager 10.0.

Release Notes

Software revision: 10.0.4


Document revision: 6484
Last changed: Sunday 23rd April, 2017

© 2017 Hitachi ID Systems, Inc. All rights reserved.


Contents

1 Password Manager 10.0.4
1.1 Features and Improvements
1.1.1 Component framework
1.1.2 Installation
1.1.3 Privileged access usability
1.1.4 Provisioning
1.1.5 Plug-ins
1.1.6 Replication
1.1.7 Requests app
1.1.8 Search
1.1.9 Security
1.1.10 Utilities
1.1.11 Workflow
1.2 Resolved Issues
1.2.1 API
1.2.2 Auto discovery
1.2.3 Component Framework
1.2.4 Group management
1.2.5 Identity management
1.2.6 IDMlib
1.2.7 Installation
1.2.8 Logging
1.2.9 Maintenance
1.2.10 Mobile
1.2.11 SKA
1.2.12 Notification
1.2.13 Performance
1.2.14 Privileged access configuration
1.2.15 Privileged access usability
1.2.16 Plug-ins
1.2.17 Profile attributes
1.2.18 Replication
1.2.19 Reports
1.2.20 Requests app
1.2.21 Session monitor
1.2.22 Services
1.2.23 Upgrade
1.2.24 Usability
1.2.25 User Interface
1.2.26 Utilities
1.2.27 Workflow

2 Password Manager 10.0.3
2.1 Features and Improvements
2.1.1 Add-ons
2.1.2 API
2.1.3 Auto discovery
2.1.4 Component Framework
2.1.5 Logging / Health check
2.1.6 Mobile
2.1.7 Performance
2.1.8 Python / IDMLib
2.1.9 Reports and dashboards
2.1.10 Services
2.1.11 Usability
2.1.12 Utilities
2.1.13 Workflow
2.2 Resolved Issues
2.2.1 API
2.2.2 Applications
2.2.3 Auto discovery
2.2.4 Component Framework
2.2.5 Installation / Setup
2.2.6 SKA / Login Assistant
2.2.7 Mobile
2.2.8 Notification
2.2.9 Plug-ins / Event triggers
2.2.10 Python / IDMLib
2.2.11 Replication
2.2.12 Reports and dashboards
2.2.13 Services
2.2.14 Upgrade
2.2.15 Usability
2.2.16 User classes
2.2.17 User interface
2.2.18 Workflow

3 Password Manager 10.0.2
3.1 Features and Improvements
3.1.1 Auto discovery
3.1.2 Component Framework
3.1.3 Performance
3.1.4 Plug-ins / Event triggers
3.1.5 Python / IDMLib
3.1.6 Services
3.1.7 Usability
3.1.8 User interface
3.2 Resolved Issues
3.2.1 API
3.2.2 Authentication
3.2.3 Auto discovery
3.2.4 Component Framework
3.2.5 Mobile
3.2.6 Maintenance
3.2.7 Notification
3.2.8 Performance
3.2.9 Personal vault app
3.2.10 Plug-ins / Event triggers
3.2.11 Profile attributes
3.2.12 PSLang
3.2.13 Replication
3.2.14 Reports and dashboards
3.2.15 Security
3.2.16 Telephone Password Manager
3.2.17 Upgrade
3.2.18 Usability
3.2.19 User interface
3.2.20 Workflow

4 Password Manager 10.0.1
4.1 Features and Improvements
4.1.1 API
4.1.2 Authentication
4.1.3 Installation / Setup
4.1.4 Plug-ins / Event triggers
4.1.5 Upgrade
4.1.6 User interface
4.1.7 Workflow
4.2 Resolved Issues
4.2.1 API
4.2.2 Authentication
4.2.3 Installation / Setup
4.2.4 Logging / Health check
4.2.5 Mobile
4.2.6 Miscellaneous
4.2.7 Notification
4.2.8 Password management
4.2.9 Password policy
4.2.10 Performance
4.2.11 Plug-ins / Event triggers
4.2.12 Profile and request attributes
4.2.13 Python / IDMLib
4.2.14 Reference build
4.2.15 Replication
4.2.16 Reports and dashboards
4.2.17 Upgrade
4.2.18 User classes
4.2.19 User interface
4.2.20 Workflow

5 Password Manager 10.0.0
5.1 Features and Improvements
5.1.1 Add-ons
5.1.2 API
5.1.3 Authentication
5.1.4 Auto discovery
5.1.5 Branding
5.1.6 Database
5.1.7 Installation / Setup
5.1.8 Licensing
5.1.9 Logging / Health check
5.1.10 Mobile
5.1.11 Managed Account Groups
5.1.12 Miscellaneous
5.1.13 Notification
5.1.14 Password management
5.1.15 Plug-ins / Event triggers
5.1.16 PSLang
5.1.17 Replication
5.1.18 Reports and dashboards
5.1.19 Security
5.1.20 Services
5.1.21 Usability
5.1.22 User classes
5.1.23 User interface
5.1.24 Utilities
5.1.25 Workflow
5.2 Resolved Issues
5.2.1 Add-ons
5.2.2 Authentication
5.2.3 Auto discovery
5.2.4 Database
5.2.5 Installation / Setup
5.2.6 Licensing
5.2.7 Logging / Health check
5.2.8 Maintenance
5.2.9 Managed Account Groups
5.2.10 Miscellaneous
5.2.11 Notification
5.2.12 Password reset
5.2.13 Performance
5.2.14 Plug-ins / Event triggers
5.2.15 Profile and request attributes
5.2.16 Replication
5.2.17 Reports and dashboards
5.2.18 Security
5.2.19 Services
5.2.20 Upgrade
5.2.21 Usability
5.2.22 User classes
5.2.23 User interface
5.2.24 Utilities
5.2.25 Workflow

Conventions

This document uses the following conventions:

This information . . . : displayed in . . .

• Variable text (substituted for your own text): <angle brackets>
• Non-text keystrokes – for example, [Enter] key on a keyboard: [brackets]
• Terms unique to Hitachi ID Identity and Access Management Suite: italics
• Button names, text fields, and menu items: boldface
• Web pages (names): italics and boldface
• Literal text, as typed into configuration files, batch files, command prompts, and data entry fields: monospace font
• Wrapped lines of literal text (indicated by the → character): Write this string as a →single line of text.
• Hypertext links – click the link to jump to a section in this document or a web site: Purple text
• External document – click the link to jump to a section in another document. The links only work if the documents are kept in the relative directory path: Magenta text


DISCLAIMER!: The following is a list of features and enhancements made to Password Manager for the Password Manager 10.0.4 release.

Although every effort has been made to ensure the accuracy of these release notes, they may contain minor errors or omissions.

1 Password Manager 10.0.4

1.1 Features and Improvements

1.1.1 Component framework

• Added a new component, Scenario.pam_disclosure_mysql_cli, which creates a disclosure plug-in designed to run MySQL client tools.

• Added a new component, Scenario.pam_disclosure_sqldeveloper, which creates a disclosure plug-in designed to run SQL Developer.

1.1.2 Installation

• Python 3.5.3 is now required for installation by agtpython and pxpython.

1.1.3 Privileged access usability

• When searching by resource attributes, up to seven additional columns can be added.

1.1.4 Provisioning

• Added new system variable MODELAFTER_SHOW_DIFFS. When it is enabled, the profile comparison page will show only the different entitlements by default.

1.1.5 Plug-ins

• Added model user information to attribute validation, restricted values, and request rewrite plug-ins.

1.1.6 Replication

• Added pwdconflicts utility to list, resolve or force randomize accounts with passwords in conflict.


1.1.7 Requests app

• Updated the Requests app to include authorization reasons in the detail panel pop-up for authorizers.

1.1.8 Search

• The advanced user search has been improved to allow searching for users based on configured profile
attributes.

1.1.9 Security

• Split the user access rule reset privilege into reset and resetexpirepw.

1.1.10 Utilities

• Modified utility licviewer to list limited-license Hitachi ID Privileged Access Manager.

1.1.11 Workflow

• For phased authorization, if an authorizer is configured to be in more than one phase, IDWFM_AUTH_PHASE_PROPAGATION allows the authorizer’s response in the first phase to be propagated to later phases.

1.2 Resolved Issues

1.2.1 API

• Corrected an issue so that administrator group ACLs are propagated for API Service (idapi) sessions.

• Fixed proxy list validation when creating a target via API Service.

1.2.2 Auto discovery

• The psupdate_loaddb_pre script will not be executed until after the agent has completed listing.

• Fixed an issue with discovery so there are no AccountMerge errors if an account ID case is changed
on the target system.
• Corrected a race condition causing failure to pick up work from queue.

• Fixed auto discovery so that it no longer tries to delete discovered computer systems.

1.2.3 Component Framework

• Fixed health check to properly handle changed configurations by clearing last run results between
health check runs.
• Processing does not halt after looking up attributes in empty lookup tables with the attribute calculation
policy table.
• The gm_folder_create component has been improved to allow the use of the
im_policy_implementer_tasks_plugin component.
• Changed component management to improve upgrades of the internal database.
• Updated the hid_impersonate component to verify and correct the case of user IDs.
• The im_corp_detect_automated_rehire component now includes the implementor-related components.

1.2.4 Group management

• Unmanaged groups are now properly removed from user profiles.


• Corrected an issue so that groups can be re-managed after being un-managed as a result of being
invalidated.


1.2.5 Identity management

• Roles with auto-assignment are disabled for removal in PDR.


• Profiles with NULL audittimes can now be invalidated when resyncing profiles.
• Fixed an issue where access to a network resource is either restricted or not managed by the Hitachi ID Group Manager shell extension.
• Corrected an issue so that the CHECKED_LOCKED_ACCOUNTS system variable is ignored when assisting users as a help desk user.
• Enhanced UserattrMerge performance during auto discovery.

1.2.6 IDMlib

• Updated the Python IDMLib library log handler to handle exceptions during emit in the same way as
the parent logging handler class.

1.2.7 Installation

• Messaging service is installed correctly after a reinstall.


• Updated installer to check that the default database of the SQL Server login account is set to the
dedicated database.
• Added a pre-upgrade license check for limited-license Hitachi ID Privileged Access Manager to the
installer.
• Changed setup to report an error when the account running services is not the expected account.

1.2.8 Logging

• Fixed a logging issue for the event triggered by unbinding managed accounts that no longer satisfy
an import rule.

1.2.9 Maintenance

• Scheduled jobs will now allow administrators to select nodes if any of the nodes associated with the
job are orphaned.
• Discovered subscribers are no longer cleared by the list operation.

1.2.10 Mobile

• Updated Mobile Worker Service (mobworker) so that push notifications are properly sent.


1.2.11 SKA

• Fixed Hitachi ID Login Assistant on Mac OS X Sierra to no longer launch system prompts when
logging in to the secure kiosk account (SKA).
• Disabled Windows Script Host and PowerShell for Login Assistant SKA account.
• RDP connections with Login Assistant SKA installed will not prompt for credentials twice.
• Fixed pslocalr ActiveX control to work properly on a workstation where SKA is installed.

1.2.12 Notification

• Changed user notifications to support additional session parameters for redirection.

1.2.13 Performance

• The authorization chains selection has been improved to prevent multiple executions.

1.2.14 Privileged access configuration

• Invalid accounts are no longer available when selecting accounts to add to a managed system policy.
• Corrected an issue so that LWSGrpMbrLoad stored procedure handles duplicate group memberships
of an account that differs in case.
• Modified behavior so that orchestration only happens when managed accounts have at least one
subscriber defined.
• Enhanced ImportTestProfileList stored procedure by omitting history table for a select statement.
• Added a database query to remove a potential deadlock situation when running a database re-index
during an ImportTestProfileList stored procedure call.
• Checked out accounts are not unbound unexpectedly by an import rule with "Unbind objects if they
no longer satisfy this rule" selected.
• Corrected behavior so that an unsuccessful initial password randomization on managed credentials
does not break target system credentials.
• KVGroup input to the attribute validation plug-in now includes a KVGroup for managed system policy
in group set requests.
• Fixed managed system policies to properly release local service mode policies.
• Added multiple credential support for import rule credential plug-ins.
• Fixed password reset to properly resolve procedures that are run out of sequence.
• Corrected an issue so that the Browser control access disclosure plug-in correctly passes in the value
set in the usernamefieldids field.


1.2.15 Privileged access usability

• Disclosure plug-ins can now be run consecutively in the Privileged access app.
• Fixed behavior so that managed systems, access, and monitored users can be properly defined using
the search widget when updating user attributes in a Sessmon request search request.
• Removed duplicate colons for attribute descriptions from the update attributes pop-up.
• Restricted the number of characters for personal vault accounts. Passwords for personal vault accounts are no longer optional.
• Explicitly attaching a group to a group set marks all same name groups as attached.

1.2.16 Plug-ins

• Changed input to AUTH CRITERIA MOD plug-in to provide the initial event in the extras KVGroup.
• Fixed the valiace.exe plug-in to allow for the proper authentication of RSA Authentication Manager
tokens.
• The implementor task component plug-in will default the isimpltask setting to true.

1.2.17 Profile attributes

• Fixed an issue so that in a hierarchical attribute setup that requires a child attribute value, the drop-down list only contains applicable restricted values based on the parent attribute and can be properly updated.
• Corrected an issue so that child attribute values can be updated in a pre-defined request regardless
of whether their parent attribute value is updated in the same request.

1.2.18 Replication

• Corrected issue so that passwords ending up in the incomplete status are fixed in a tri-node replication
environment.
• Fixed scheduled reports so that they can be re-assigned to other replica nodes.
• Updated the installer and database procedures to avoid resynchronization failures on replication
nodes caused by foreign key constraints.

1.2.19 Reports

• Reports can be e-mailed in PDF format without excessive system usage.


• Corrected logic when filtering on minimum or maximum entitlements in summary mode of Resources
per user report.


• Implementers report now can correctly return explicitly assigned implementers.


• User search now displays invalidated users with a strike through them.

1.2.20 Requests app

• The Requests app now can be accessed by notification and e-mail links if the module link was removed due to customization.

1.2.21 Session monitor

• Added an icon to indicate the video can be resized in the session monitor view session virtual window.
• Guacamole video recordings are now generated correctly when downloaded.
• Fixed issue so that Guacamole session package generation containing video is successful.
• The size of screenshots is now calculated and displayed for Guacamole sessions.
• Modified behavior so that only content types that were recorded in a session package can be included
in a session package download request.
• Removed system variables SMON_TERMINATE_ON_CHECKIN and
SMON_TERMINATE_BY_ADMINISTRATOR.
• Replaced termination request smstatus.status (TERRQ) and logic around it with the revokedby column
in PAM checkout tables.
• Corrected an issue so that the status of Guacamole sessions is set to complete when account access
is checked in.

1.2.22 Services

• The Workflow Manager Service (idwfm) will allow the authorization script to finish before allowing
authorizers to take action on requests.
• Sessions without screen captures can be viewed. Other capture types are displayed.

1.2.23 Upgrade

• Fixed an upgrading issue from 8.2.4 on SQL Standard.


• Fixed installer so that it does not fail during pre-installation tasks during upgrade if the replication
nodes contain different data keys.
• After upgrading from IDM v8.x and 9.x to current release, the override button in the PSA console is
available.
• Upgrade removes dirty data to avoid upgrade failures.

• The "Password database synchronizer" scheduled job is removed when upgrading from 9.0.X
instances.

• Upgrading will not cause component errors if IDMSuite Health check Disk space is missing
non-required arguments.
• New subscribers that have an account ID that differs in case with other subscribers can be listed after
upgrade.

• Corrected an issue so that the "List resources from discovered target systems" scheduled job contains
the updated command-line arguments after upgrade.
• Improved upgrade to avoid database failure when the value of segid is zero in table deleg.
• A check for orphaned managed accounts is performed when upgrading from 9.0.X. The orphaned
accounts must be fixed or ignored.

• Improved upgrade process to make sure the API user is enabled during upgrade.

1.2.24 Usability

• "Configure event" pop-up now updates the parent page properly upon closing.

1.2.25 User Interface

• Changed user interface inclusions to allow components to add custom user interface modifications.
• Changed CGIs to prevent HTTP response splitting.
• Updated the Requests app to display the ellipsis properly across different browsers.

1.2.26 Utilities

• Fixed updinst ignore GUIDMask, NodeName and idarch registry keys during syncreg.

1.2.27 Workflow

• The Workflow Manager Service (idwfm) no longer sends administrator e-mails when no escalation
plug-in is set.

• Fixed a potential race condition issue for new group create requests.
• Enhanced workflow performance by reviewing workflow request table indexes.

2 Password Manager 10.0.3

2.1 Features and Improvements

2.1.1 Add-ons

• Added support for MAC OS X Sierra for the Login Assistant and SKA.

2.1.2 API

• Added the InstanceProxyList IDAPI function to list the configured proxy servers to run operations on
target systems.

• Added new argument includeRedundant in API service WFRequestAttrsSet. When includeRedundant
is set to true, request attributes whose values are already matching their mapped profile attribute
values will be kept in the request. Otherwise, they will be removed from the request.
• Added support for managed account attributes in ResourceAttrsSet/Get/Del API calls.
• Limited the UserClassPointCacheUpdateUser stored procedure calls when submitting IDMLib idtrack
requests.

2.1.3 Auto discovery

• Auto Discovery has been improved to resynchronize newly discovered accounts with existing profiles.

2.1.4 Component Framework

• Added a new component, Scenario.pam_disclosure_mysql_cli, which creates a disclosure plug-in
designed to run MySQL client tools.

2.1.5 Logging / Health check

• Removed secondary IDMLib request logging.


• Cleaned up Health check UI by eliminating the redundant inclusion of ‘Health Check’ in the name of
the components.

• Enhanced logging service to avoid KVG log files overwriting each other. Also added the last 6 digits
of the request ID in KVG log file names to make it easier to group.

2.1.6 Mobile

• Added support for load balanced environments for the Hitachi ID Mobile Access proxy servers.

• Added the Private proxy server URL parameter for the Mobile Worker Service (mobworker) to allow
for session persistence with the Hitachi ID Mobile Access proxy servers.

2.1.7 Performance

• Improved the response time of the ‘Accounts’ report for systems with many accounts.
• Improved performance of Python IDAPI functions.
• Reduced calls to the plugin_authmod plug-in when submitting requests.

• Improved the performance of the plugin_attrval plug-in when submitting requests.


• Minimized calls made to the plugin_passgen plug-in during request submission.
• Improved performance of userclass procedures when submitting requests.

2.1.8 Python / IDMLib

• The IDMLib library has been enhanced to allow the encrypting of plain text and the decrypting of
encrypted text.

• Changed IDMLib class DBCmd to support Python date types.

2.1.9 Reports and dashboards

• Revised ‘Manage reports’ to ‘Reports dashboard’ in the tab and the title of the report landing page.
• Added the new report ‘Compare numbers of group memberships’. This report compares numbers
of group memberships by counting group memberships that are consistent or not consistent with
assigned roles, group memberships that are consistent or not consistent with auto-assignment, and
group memberships by how they were assigned.

• Added the new report ‘Role entitlement leverage’. This report shows the leverage provided by roles by
calculating the percentage of entitlements from roles and the percentage of entitlements not included
in roles.
• Enhanced the ‘Effective role assignment report’ with new search criteria so that report2pdr can
automatically assign roles to users who already have most of the entitlements required for a role.

• Added the ‘User and service metrics’ report to list user and service statistics.

2.1.10 Services

• Changed the AJAX service to close database connections when no longer required.

• Added system variable ADMIN_ATTACH_USERS_ONLY_TO_EXISTING_ACCOUNTS that will allow
help desk users to only attach users to existing accounts.
• Added system variable ADMIN_ATTACH_USERS_ONLY_TO_VALID_ACCOUNTS that will allow help
desk users to only attach users to valid accounts.

2.1.11 Usability

• Added the DiscoveredSystemGetByAttr API function, which is used for searching for targets based on
discovered system attributes.
• Updated Hitachi ID Access Certifier search engines to support filter based on resource attribute.

2.1.12 Utilities

• Removed the pwdsync utility.

2.1.13 Workflow

• Added system variables WF_HIDE_AUTHORIZERS and WF_HIDE_OTHER_OPERATIONS. When
WF_HIDE_AUTHORIZERS is enabled, the authorizer table will be hidden when viewing requests.
When WF_HIDE_OTHER_OPERATIONS is enabled, the request App and request details page will
only show operations the authorizer is assigned to when an authorizer views a request.

2.2 Resolved Issues

2.2.1 API

• Updated UserSearch API such that it will return correct results when searching by ALL_MANAGERS.

• Changed IDAPI call InstanceList to check against reason rather than boolean to determine
db_commit_suspend status.

2.2.2 Applications

• Disclosure options are no longer available in the Personal vault app for accounts created with no
password.
• Searches are now correctly saved in the Personal vault app for custom filters.
• Fixed an issue with the search criteria in the Requests app when the search type is changed.

• Users are no longer allowed to check-out access while randomization is disabled in the Privileged
access app unless otherwise configured.

2.2.3 Auto discovery

• Changed auto discovery to retain attribute information recorded on account creation.

2.2.4 Component Framework

• Changed hid_browser_fingerprint component to support longer client addresses.


• Corrected hid_policy_attrval_validation component to handle reservation of unique attribute value.
• Changed component hid_user_interface to rebuild both language and skins when a component
updates the user interface.

2.2.5 Installation / Setup

• Fixed setup.exe to support MSSQL Windows Authentication.


• Fixed upgrades from pre-9.x instances.
• Added AuthMode support for upduserclassdsql to fix upgrades from 10.0.x.
• IDM messaging service is removed upon uninstallation of Password Manager.

• Fixed issue so that the correct schema is used when creating database objects during product
installation when the schema install user is defined.

2.2.6 SKA / Login Assistant

• SKA installation requires CleanupProfiles policy to be disabled.


• Fixed an issue with the Credential Provider to properly display the ‘Other user’ tile when logging in to
Windows.
• Modified the Login Assistant for MAC OS X to ensure that the Safari session is restored to its original
login state when logging back in to the SKA.
• Modified the Login Assistant for MAC OS X to remove the Dock and Spotlight Search.

2.2.7 Mobile

• Fixed a registration issue with the Hitachi ID Mobile Access application for Android mobile devices.
• Modified the process and user interface for registering the Hitachi ID Mobile Access application from
the Mobile devices self-service pages in Front-end (PSF).

2.2.8 Notification

• Fixed an issue where authorizers were incorrectly getting multiple e-mail notifications for a single
request.

2.2.9 Plug-ins / Event triggers

• Updated search filter plug-in such that it will work properly when searching by a boolean attribute.
• Fixed an issue to ensure that the cgilocalr.exe plug-in for S_STATUS_EXT will run properly even when
S_RESET_TO_PUSHPASS is set to Automatic.
• The flags PreSelectTemplate, PreSelectRole and PreSelectGroup are set when selecting a pre-
defined request in the IDR module such that the hide screen functions will work properly for the request
rewrite plug-in.

2.2.10 Python / IDMLib

• Python scripted connectors will properly process custom operations.


• Fixed Transaction Monitor Service (idtm) to limit calls to VectorStageAdd stored procedure during
request submission.
• Minimized user class and userclasspoint cache recalculations during request submission.
• IDMLib authorizer class catches invalid authorizer status and will place the request on hold.
• Changed IDMLib to allow simultaneous addition and deletion of resources in
IDWFM_REQUEST_REWRITE_PLUGIN.

2.2.11 Replication

• High water mark warnings and e-mails are no longer triggered when a replication minimum queue
length is equal to the maximum length.
• Changed SendQueueThread to improve on node replication.
• Added new utility "smonmove" that changes the location of session monitoring data in the database
in the event that the replication node becomes decommissioned.

• Updated node assignments to force update of a service ID for a managed system policy in the event
that a replication node is decommissioned.

2.2.12 Reports and dashboards

• ‘Role assignments’ report no longer generates entries for invalidated users.


• Reports can be generated while Password Manager’s language is set to Italian.
• Minor wording changes for certification reports.

• Operation dropdown in ‘Implementers’ report now only contains operations relevant to implementers
defined by different resources.
• Fixed an issue with the ‘Profiles’ report to properly return user attributes when searching on managed
groups.

• Hide unnecessary search criteria in ‘Profile’ report in summary mode.


• Search criteria in reports now collapse properly.
• Corrected request details pop-up in reports to display complete information.
• Deleted users are filtered out of Incomplete roles and Role assignments reports.

• Corrected an issue where the search criteria text file sent with emailed reports did not have the correct
value for date and integer search criteria.
• Added the "Last load time" to the Account/subscriber dependencies report.

2.2.13 Services

• Fixed a potential issue in Database Service (iddb) to avoid hanging when it starts up while
auto-discovery is running.

• Changed the AJAX service to close database connections when no longer required.

2.2.14 Upgrade

• After upgrading from 8.2.2 and 9.0.0 to current release, Database Service can successfully load
groups with owners.
• After upgrading from 8.1.2 to current release users can successfully request memberships to NT
groups.
• Custom reports in 8.2.x releases can successfully be upgraded.

• After upgrading from IDM v8.x and 9.x to current release, the help desk dashboard can display help
desk operations that were executed before the upgrade properly.
• Request attributes with a value of ‘None’ can be upgraded correctly.
• Fixed an issue so that the correct number of displays captured is returned for Sessmon after upgrading
from 9.0.x to 10.0.x.
• Default options for pamlite are now pre-configured after upgrading from versions before 10.0.0.
• Improved upgrade process to refresh all configured e-mail events so that exit traps will work
immediately after upgrade, provided that GLOBAL_MAIL_PLUGIN is correct.

• Guacamole session recordings can be viewed after upgrading from 10.0.0.

2.2.15 Usability

• Changed the display of multi-valued attributes for user types to display the label for the attribute
correctly.
• Removed unsupported reference type from advanced search for resource attributes.

2.2.16 User classes

• Changed user class cache processing to support omitted IDs.

2.2.17 User interface

• Changed request application to use attribute group display settings when updating a request.

2.2.18 Workflow

• Changed requests submitted through IDAPI to retain the password set for account creation operations
added later.

• Changed IDSYNCH_ID_PLUGIN to allow invalid users to be reused correctly.

• Updated workflow functions such that CheckBatchApprovalStatus events always run before any e-mail
events. This will prevent e-mails being sent to authorizers too early.

• Default values defined in attributes having a parent/child configuration will be displayed to users.
• Changed workflow authorization to evaluate authorizations consistently where the requester and
manager are the same.

3 Password Manager 10.0.2

3.1 Features and Improvements

3.1.1 Auto discovery

• Added ‘Use valid credential from template target system’ to the list of options for ‘Initial credentials to
use when creating new local account’ in target system import rule.

3.1.2 Component Framework

• Updated functional.im_policy_authorization component such that authorizer’s note will be populated
into request details page.
• Added an option to functional.im_policy_authorization to allow the policy to be applied to matching
resources only.
• Improved authorizer assignment based on policy rules for functional.im_policy_authorization
component.
• Enhanced component framework to allow the configuration of multiple search filters.
• Added scenario.pam_disclosure_sqlplus component to allow users to connect to Oracle databases
using SQLPlus.
• Added scenario.pam_disclosure_guacamole_rdp and scenario.pam_disclosure_ssh components for
Guacamole In-browser RDP and In-browser SSH disclosure plug-ins respectively.
• Enhanced functional.hid_authchain_smspin component to use system settings and display an error
message when unable to send e-mail.
• Enhanced scenario.im_corp_temporary_entitlement component to allow the updating of users’
accounts and profile.
• Renamed scenario.im_corp_self_service component to scenario.im_corp_update_contact.
• Enhanced scenario.im_corp_termination component to use a fallback e-mail when the manager is not
assigned.

3.1.3 Performance

• Improved the performance of end user login.


• Improved the performance of account creation requests through IDR module.

3.1.4 Plug-ins / Event triggers

• Added a timeout for global-mail-plugin.py and call to smtplib() for when there are connection issues
with the SMTP server.

3.1.5 Python / IDMLib

• Added IDMLib support to load original request details for check-out extension.

3.1.6 Services

• Enhanced API Service (idapi.exe) performance when under heavy load.

3.1.7 Usability

• Enhanced language translator skin to present a drop-down list of each language tag that that object
uses by right-clicking.

3.1.8 User interface

• Added support for custom report pinning.


• Improved style sheets to make it simpler for administrators to customize theme colours in the product.
• Hover text in Requests app now displays and closes upon mouse click.

3.2 Resolved Issues

3.2.1 API

• Changed Reservation IDAPI function to return a proper error when trying to reserve an attribute owned
by a user that is no longer valid.
• Fixed an issue where adding a product administrator with a CIDR mask via command line using
adm_set.exe fails with iddb error messages.
• An API user with OTP IDAPI caller privilege can now be created through the UI.

3.2.2 Authentication

• Cookie validation is temporarily skipped during authchain execution to allow the use of ‘forgot my
password’ scenarios.
• Default installation of credential provider package does not include the smart-card tile option.

3.2.3 Auto discovery

• Modified auto discovery to better handle errors associating accounts based on the same attribute
having the same value.

3.2.4 Component Framework

• Updated component hid-configuration to fix error when calling api_update() from some objects.
• Updated manage components so that they cannot remove themselves.
• Changed hid_policy_wfemail component to use the default sender.
• Fixed attribute validation to properly display notice that the user has validated the attribute change.
• The ID case plug-in will be correctly set for the specified target when set outside the target
configuration.
• Changed hid_user_interface component to allow non-default skins to be managed.
• Fixed the pam_disclosure_policy_plugin component to properly filter disclosures by ‘Group set’
RequestType.

3.2.5 Mobile

• Corrected issue where users are unable to navigate between panels in the Personal vault app if using
a mobile device.

• Corrected an issue in the mobile app so that users can now properly enter a request note.
• Fixed an issue where opening Requests app occasionally runs into an error on mobile.

• Fixed the size and position of the circular countdown timer in Personal vault app for mobile.
• Fixed the position of the spinner and the loading overlay in mobile to now cover the entire panel while
content is loading.

• Modified the mobile user interface to ensure that menus, mobile layout, and other screens are shown
properly and fit better on mobile devices that have smaller screens.
• Corrected issue where users were unable to submit check-out requests on Android mobile devices.

3.2.6 Maintenance

• Fixed the operating system version number reported by Windows 10 and Windows 2016 systems.

3.2.7 Notification

• %USERNAME% macro is now properly replaced in user notifications.


• Updated e-mail function such that Health check monitor e-mails can be sent via SMTP servers that
require authentication.

3.2.8 Performance

• Resolved an issue affecting the performance of certain user enrollment operations. The performance
of the following reports and operations has been improved:
– User class recalculation
– Enrollment dashboard
– Enrollment report
– Accounts report
– Orphan/Inactive report
– Profiles report
– Question set configurations report
– Users qualifying for notifications report
– Synchronization report

3.2.9 Personal vault app

• Corrected issue where account passwords are not immediately updated in the Personal vault app.

3.2.10 Plug-ins / Event triggers

• Fixed an issue that caused targetid not to propagate after being changed by a request rewrite.
• The request rewrite plug-in now allows rewrite requests that contain OrgChart or pluggable
authentication module (PAM) session operations.

3.2.11 Profile attributes

• Restricted value drop-downs in ‘View and update profile’ page now display ‘Select one’ by default for
required restricted attributes, regardless of default value setting.
• Corrected issue where users are unable to specify a file for profile and request attributes.

• Fixed a case mismatch issue when reusing profile ID with a different character case.

3.2.12 PSLang

• PSLang expressions must now be used when defining the list of proxy servers in discovery templates.
• Improved the evaluation and validation of server proxies during auto discovery. Moved the source
proxy attribute for discovery templates to the $comp variable.

3.2.13 Replication

• Error message ‘Discovery may only be run on the instance that is configured to run auto discovery’
displays when trying to run auto discovery on a replica node.

3.2.14 Reports and dashboards

• Export report output and e-mail report in PDF format are now properly working.

• Added Profile attribute report histogram.


• Enhanced the display of report cell columns in PDF format.
• Fixed an issue in workflow reports to use the proper immutable create date to indicate when the
requests were created.

• Minor rewording for Saved configuration certification setups report.


• Fixed an issue where the ‘Next run time’ was not adjusted for different timezones on the Scheduled
jobs page. Also fixed an issue where the ‘Next run time’ for scheduled reports is incorrect.
• Uncertified approved exceptions to Segregation of Duties are now shown in ‘Uncertified data’ report.

3.2.15 Security

• Disabled Internet option tabs (except Connections) from SKA.

3.2.16 Telephone Password Manager

• Resolved an issue where Transaction Monitor Service (idtm) could make repeated attempts to delete
a network resource that no longer exists.

3.2.17 Upgrade

• Fixed an issue to ensure that custom registry entries are retained when upgrading from a 32-bit
instance to a 64-bit instance.
• Fixed an issue when upgrading from versions prior to 8.1.0 to ensure that the 32-bit registry location
for the instance is mirrored over to the 64-bit registry location.
• Updated installer so IIS gets updated with font MIME types on 9.x upgrades.

3.2.18 Usability

• Date/time information within the product, such as in e-mails and reports, is now displayed in
accordance with the user’s date/time preferences.
• Navigating away from Target system information page with unsaved target address changes will now
display a warning message.
• Fixed URL when switching languages.
• Star outline in Personal vault app is now clearly visible on all row backgrounds.
• Fixed a bug where the pinning menu was not accessible on ‘Environment variables’ page.
• Fixed an issue in the external data store, allowing users to search using the backslash character.
• The translator now works in grid mode.
• Context mode of the translator has been fixed.

3.2.19 User interface

• Request attributes of type ‘Boolean - Radio’, ‘User’, ‘Link’, ‘Password’ are now supported in the apps.
• Improved navigation for using the back button in pop-up windows in the product.
• Drag-selecting text or input fields in a selectable row will no longer trigger the row to be selected.
• Corrected advanced search issues in the apps that were caused by using account or discovered
attributes in the search criteria.

• Fixed the display for SoD exceptions in Requests app to not show an unnecessary dash next to role
names.

• Fixed an issue where tables overlap and checkboxes are minimized into an expand button when the
screen is narrow in the ‘Change password’ page.
• Corrected issue so that the hdd module properly displays all multiple encrypted systems and accounts
to unlock for a user profile.

• Corrected issue so that the response code is properly displayed in the hdd module for the agtsge7
connector.

3.2.20 Workflow

• Modified Workflow Manager Service (idwfm) to process e-mail events more efficiently in order to avoid
backlogs.
• Improved performance for DelegSubstituteList stored procedure in order to process delegations faster.

4 Password Manager 10.0.1

4.1 Features and Improvements

4.1.1 API

• Enhanced TargetAttributeGet API function to include additional data.

4.1.2 Authentication

• Added browser fingerprinting components, hid_browser_fingerprint and hid_authchain_fingerprint, which
will attempt to uniquely identify users based on attributes of their web browser.

4.1.3 Installation / Setup

• The following new dlls will be installed into the <instance>\service\ folder:

– ajaxcheckpasswordrules.dll
– ajaxdashcollator.dll
– ajaxlanguage.dll
– ajaxmobileauth.dll
– ajaxpersonalvault.dll
– ajaxplugin.dll
– ajaxprivilegedaccess.dll
– ajaxreportcollator.dll
– ajaxrequests.dll
– ajaxsearchactions.dll
– ajaxsearchcollator.dll
– ajaxsession.dll
– ajaxsessionmonitor.dll
– ajaxsessmonparams.dll
– ajaxsessmonplay.dll
– ajaxusersettings.dll

4.1.4 Plug-ins / Event triggers

• Removed unused IDARCHIVE_FILTER_PASSWORD_PLUGIN variable.

4.1.5 Upgrade

• Replaced ‘Patch’ option on setup page for minor release upgrades with ‘Upgrade’ for both main
instances and connector packs.

4.1.6 User interface

• Added ability to switch between mobile or desktop view before logging in.
• Advanced search options in Requests app now allow searching by relative date.
• Added functionality for searching and browsing lists in pop-up windows when specifying input fields in
Privileged access app and Session monitor app.

• Users can now be redirected from an external link, such as from an e-mail, to Requests app.
• Added functionality for copying account passwords in Personal vault app.

4.1.7 Workflow

• Added recipient search in report driven pre-defined requests.


4.2 Resolved Issues

4.2.1 API

• Resource API functions correctly set attribute group manipulation operation.


• The host case generator is properly validated in both the web interface and the API.

4.2.2 Authentication

• ‘Bypass security check provided by this module’ in help desk authentication chains is respected.

4.2.3 Installation / Setup

• Uninstall removes component and customization artifacts.


• Newer versions of Microsoft Visual C++ Redistributables no longer prevent the installation of Password
Manager.
• Fixed database foreign key constraint errors caused when upgrading a Hitachi ID Privileged Access
Manager instance that has inactive managed accounts.

• Modified product installation to stop and disable HID scheduled tasks before proceeding.

4.2.4 Logging / Health check

• Modified behavior so that the Hitachi ID Health Check scheduled task is removed and re-installed
during a patch.

4.2.5 Mobile

• Corrected issues that resulted from specifying incorrect values for QR code durations for mobile
authentication.
• Corrected issue where QR codes do not regenerate when using mobile authentication.

• Modified the iOS Hitachi ID Mobile Access application to ensure that push notifications may still be
sent to iOS mobile devices when the notifications have been disabled and then re-enabled from the
iOS settings for the application.
• Enhanced the error messages for mobpushcli.exe when mobile push notifications cannot be sent
successfully to the mobile devices.

• Fixed an issue to prevent a connection timeout when contacting the Apple push notification server
when notifications are sent to mobile devices.
• Improved link navigation when using applications on mobile devices.

4.2.6 Miscellaneous

• Clarified connection timeout error message from SSH connector (agtssh) by providing specific
information such as the address and target ID.

4.2.7 Notification

• Launching psntfclient.exe on Windows 8 64-bit for a user that has web notifications no longer causes
script errors when the browser opens.

4.2.8 Password management

• Resolved an issue where associated accounts excluded by FILTER_ACCOUNT_PLUGIN could have
their passwords reset alongside other accounts in their target group.
• Corrected behavior so that existing and new accounts are properly listed when an ID filter is defined.

4.2.9 Password policy

• Password policy rules ‘must not have N occurrences of the same character’ and ‘have at most N pairs
of repeating characters’ are now case sensitive.

4.2.10 Performance

• Improved reliability of Database Service (iddb) and API Service (idapi) in a high stress environment.
• Improved the reliability of login with e-mail PIN.

4.2.11 Plug-ins / Event triggers

• Corrected issue where some e-mail variables used in exit traps were not populated.

• Attribute validation plug-in messages now appear in the Requests app when selecting a request.

4.2.12 Profile and request attributes

• Modified Privileged access app, Session monitor app, and Requests app so that profile and request
attribute values are displayed correctly.

4.2.13 Python / IDMLib

• Improved components to evaluate expressions included in policy tables.


• Added a more user-friendly error message to the authchain selector component in situations where
the plug-in output does not contain valid data.

• Updated IDMLib core module to improve login security.


• Changed IDAPI proxy helper class in IDMLib to support threads gracefully.
• Changed IDMLib logging to emit a separate file while the IDM Logging service is stopped.
• Updated authmod methods to create the phase if a phase is specified but does not exist.

• Fixed an issue where managing components stopped accepting requests.

4.2.14 Reference build

• The pam_authmod_policy_plugin component can now handle managed groups that contain users
without profiles for determining authorizers.
• Modified behavior of the pam_disclosure_policy component so that access disclosure plug-ins also
need to be configured in the managed system policy.

4.2.15 Replication

• Registry settings are now correctly handled when nodes have different installation paths.
• Corrected issue so that conflicting passwords can be automatically resolved when an Oracle data
replication node is part of the replication environment.
• Corrected issue where resynchronization overwrites timestamps with the current time.
• Fixed replication watermark and queue full logs to respect ratelimit.

4.2.16 Reports and dashboards

• Fixed an issue where download of saved report graphs failed.


• Fixed a potential crash when upgrading a saved report in vertical mode to current IDM version.

• Pinned reports and graphs now display appropriate error messages when users try to access them in
replicated nodes.

4.2.17 Upgrade

• Modified behaviour of product installation so that an error message dialog box is displayed when
components fail to be upgraded successfully.
• Modified behavior so that the Hitachi ID Messaging Service is removed and re-installed during a
patch.
• Fixed an issue in the upgrade process so that iddiscover can detect and invalidate accounts in
post-8.x upgrades.
• Backing up files using setup.exe is no longer available when upgrading instances from versions earlier
than 10.0.1.

4.2.18 User classes

• Radio button is correctly selected and applied in ‘Membership Criteria’ after updating.


4.2.19 User interface

• Corrected a minor ‘Show/hide columns’ tab display problem across pages.


• Improved the use and display of UTC time offsets.
• Fixed an issue when customizing skins for common styles in the user interface.
• Hovering over the PSA console menu or RPT module menu when it exceeds the browser size vertically
will now provide arrows to scroll through the menu items.
• Corrected issue where all skins were not rebuilt when installing some components.
• Custom app filters now save a basic search correctly.
• Front-end (PSF) homepage links are updated when closing an app.

• Fixed the apps to display relative date as request submit date.


• Style.m4 now calculates the header height and adjusts it according to the custom logo height.
Also fixed UI positioning of the searchAction bar, status messages, and header icons in
mobile view.

• Listing tables are responsive and will provide an expand button (+) to display additional information if
the browser size is too narrow.
• User is able to refresh the ‘Request List’ and ‘Request Details’ page successfully with the
IDS_LEGACY_ENABLED option enabled in IDS module.
• Enhanced manage components web UI to provide warnings when the required messaging service is
unavailable.
• Improved usability of priority sorting lists, such as authentication priority, identification priority, and
attribute group members.
• Customizations for custom operations in pre-defined request are correctly reflected in Requests app.

• Updated components web UI so that selection can be cleared after install.

4.2.20 Workflow

• The MAX_AUTH_ALLOWED system variable will be correctly applied to the resources in a request.



5 Password Manager 10.0.0

5.1 Features and Improvements

5.1.1 Add-ons

• The OS/400 exit program has been improved to allow installation on the iSeries 7.2 operating system
and to use the latest encryption protocol used by Password Manager.

• Dropped support for Lotus Notes versions lower than 8 for the Lotus Notes Extension client tools (psns.msi).
• Added a Universal CRT check to the Login Assistant installer. An error message is presented to the
user if the Universal CRT is not installed on the machine before Login Assistant is installed.
• Removed Firefox support module from Hitachi ID Login Manager.

• Enhanced cgilocalr/pslocalr to handle multiple domains within an Active Directory DN forest.


• Added non-IE browser (Chrome and Firefox) support to pslocalr.
• Hitachi ID Login Assistant installer is now available for Mac OS X allowing users to reset passwords
from a Mac workstation.

• GINA is no longer installable on older operating systems, such as Windows XP or Windows 2003.
ska*.msi can be used to run a successful installation of Hitachi ID Login Assistant on Windows 7 or
Windows 2008 R2 and higher.

5.1.2 API

• The UserGroupsGet API function has been enhanced to allow the listing of a user’s indirect
membership to groups.
• The UserGetByGroup API function has been enhanced to allow the listing of users from child groups.

• The WFRequestActionsSet and WFRequestActionsGet functions support the child group options for
adding and removing nested groups.
• The IDAPI has been enhanced to allow the listing of users and groups in both parent and child groups.
• Changed IDAPI to report an error for managed groups that are managed by auto resource assignment.

• Added a new Administrator privilege "Guacamole IDAPI caller" to limit Hitachi ID Systems API
Service (IDAPI) calls to only those allowed for Guacamole. Added a dedicated Guacamole IDAPI user
"_API_USER_GUACAMOLE".


• The ability to submit a workflow request in a single API call has been added to the Hitachi ID Systems
API Service (IDAPI).

• The following updates were made to support enable/disable of user profiles in workflow:
– New operation added to workflow requests to support enabling and disabling of user profiles.
– New operation type added to WFRequestActionsSet idapi function to support enabling and
disabling of user profiles.
– New resource type added to idmlib request to support enabling and disabling of user profiles.
– New resource type and operation type added to PreRequestMemberAdd/Delete idapi function to
support adding/deleting profile operations into pre-defined requests.
• Added options to IDAPI function call RoleResourceList to specify which kinds of resource members
to return.

• CertStartSingleUserRound API now accepts groupmembertype as a parameter. See idapi.pdf for
details.
• The IDAPI ResourceCreateSet function can set the ’Groups whose membership will be listed:’ options
by setting TARGET_LIST_MEMBER_TYPE.

• Enhanced API to support authentication, performing the function and logging out in a single API call.
• Added an implementer policy component to the component framework.

5.1.3 Authentication

• Enhanced the installer to properly check for invalid characters in username and password fields for
database authentication.

5.1.4 Auto discovery

• Auto discovery has been enhanced so that it can be run on a limited set of targets. This is more
efficient than doing a full discovery, as it limits the amount of data that the discovery process must
consider.

• Added the ability to enable/disable incremental listing during auto-discovery.


• Modified auto discovery, so that invalid user data can be cleaned up even if psupdate is run in parts.
• Added the "Groups whose membership will be listed" option to the auto discovery section for target
system information.

• Removed obsolete auto discovery plug-in for (un)binding discovered systems and discovered
members. Removed obsolete options for discovering new target information and members in auto
discovery utility (psupdate).
• Enhanced psupdate utility.


5.1.5 Branding

• Re-branded SKA by updating the existing title "Local SKA" to "Login Assistant".

5.1.6 Database

• Changes have been made to loadplatform.exe in order to detect and report on target template
differences.
• Introduced new product "Hitachi ID Oracle Data Replication Service" for Oracle data replication.
• The External Data store will allow the use of HTML in the column descriptions.

• Unified PAM database tables ’wstnuser’ and ’xwstnuser’ into a single table called
’pamaccountpolicies’.
• Modified behavior of managed account passwords so that passwords from all randomization attempts,
whether successful or not, get recorded.

5.1.7 Installation / Setup

• Added a Universal CRT check to the pre-installation check for the product setup to check for the
existence of the KB2999226 Windows update hotfix and Visual C++ Runtime 2015 redistributable
pre-requisites.
• Enhanced installation by providing a warning at the ’Pre-Installation Check page’ when the wrong
version of Python is installed.
• The installer will install all product binaries regardless of which license is used.

• Changed install in order to add _IT_SECURITY_ by default.


• Support for server 2012 core mode has been included.
• Removed the following parameters from setup.exe: -useoracle, -usemssql, -dbserver, -dbusername and
-dbuserpwd.

• The Microsoft Visual C++ 2015 Redistributable (x64) will now be installed by the installer during the
pre-installation check if it is not previously installed.
• Windows 2003/XP are not supported as local workstation mode targets.

5.1.8 Licensing

• Template system and system import rules made available on Hitachi ID Identity Manager (IM) and
Hitachi ID Password Manager (PM) licenses.
• Excluded vault-only systems from the number of used systems in a Hitachi ID Privileged Access
Manager (PAM) license.


• Modified components license information by removing ’installed’ and adding ’limited license’.
• Added a limited licensed Privileged Access Manager (PAM) module to allow access to PAM pages and
functionalities for all non-HiPAM licenses.
• Added new licensing model using Hitachi ID Group Manager (GM) and Hitachi ID Password Manager
(PM) ’limited license’.

5.1.9 Logging / Health check

• Modified logging so that idmsuite.log can be configured to exclude certain types of data based on
idmlogsvc.cfg configuration.
• Added extended log level option for recording performance runtime messages for Ajax requests.
• Unexpected errors in IDM Suite stored procedures will now be logged in Windows Event Viewer.
• Updated psdebug to add a perf_replication extended log flag, which logs messages relating to repli-
cation events and procedures.
• The orchestration issues health check monitor component has been removed from the product.
• Added Health check component to replace legacy Health check from the product.

5.1.10 Mobile

• Enhanced the Mobile Proxy Service (mobproxy) to be able to send push notifications to Android and
iOS mobile devices for users that have a registered Hitachi ID Mobile Access application. Added the
mobpushcli utility to send push notifications to Android and iOS mobile devices.
• Added an authentication chain module for Mobile Access two-factor authentication to allow for a QR
code from the Hitachi ID Mobile Access application to be used.
• Added back button support in the Hitachi ID Mobile Access application.
• Added multiple profile support for the Hitachi ID Mobile Access application that allows a mobile
device to be registered under multiple Hitachi ID Suite instances.
• The Scenario.pm_push_notification_enrollment and Scenario.im_pam_push_notification_enrollment
have been added to the component framework to allow push notifications to mobile devices.
• Added HTTPS support for communication between the Mobile Worker Service (mobworker) for URL of
the local instance and the instance for BASE_IDSYNCH_URL. Added the ’URL of the local instance’
parameter for load balancing support for the Mobile Worker Service for Hitachi ID Mobile Access.
• Deprecated support for iOS 7 and earlier for the Hitachi ID Mobile Access application.

5.1.10.1 User interface


– Static popup pages fit the screen on mobile devices.
– Removed mobile skins and added a new responsive default skin that is adaptive to different
mobile devices and browser sizes.


5.1.10.2 Add-ons
– Mobproxy is now shipped as an .rpm installation package along with other add-on software.

5.1.10.3 Reports and dashboards


– Enhanced the Enrollment dashboard to now be able to show the enrollment statistics for "Register
mobile devices" for users that have registered a mobile device. Enhanced the Enrollment report
to add "Mobile devices" for the enrollment type to be able to show information for users that have
registered a mobile device.

5.1.11 Managed Account Groups

• Entitlement certification rounds now have the option of reviewing only group account members, child
groups only, or both. This is set before a round is started and applies to all group entitlements.
• Group segregation of duties (SOD) rules will detect both nested group violations with domains and on
cross target groups (NT local groups).
• Managed account groups have been renamed as Managed groups.

5.1.12 Miscellaneous

• Binaries are now all dual signed with SHA-1 and SHA-256 signatures using the SHA-2 certificate.

• Changed IE support to a minimum of IE11.


• Added relative dates to applications.

5.1.13 Notification

• Enhanced web and psntfclient notification pages so that users are redirected to notification page if
there are outstanding notifications and redirected to home page if all notifications are fulfilled.
• If the configuration of a role or a segregation of duties rule is being reviewed in a certification round,
a warning message will be displayed to the administrator when he or she accesses the role or
segregation of duties rule pages in PSA.
• Request notifications now redirect users to the new request app. However, the old request pages can
still be accessed (and notifications enabled for them) by enabling the option in the module.

5.1.14 Password management

• ID filter rules now correctly handle all cases when attributes are used to construct profile IDs.


5.1.15 Plug-ins / Event triggers

• Improved reliability of using dcselect.exe to generate a list of targets.

• Fixed an issue where password reset may fail if dcselect is used to generate a list of target systems
and the target administrator is defined in NT4 format.
• Changed batch request to display more detailed error messages when plugins fail.

• Deprecated support for the Windows LDAP trigger (psldap-sunldap.dll).


• Add plug-in fedidp-cs.exe, and support for extdb table SP_ACCESS. These are used to configure
authentication chains for SAML requests.
• Added exit traps FEDIDP_IDENTIFY_SUCCESS/FAILURE and FEDIDP_AUTH_SUCCESS/FAILURE,
which are used to track federated login.

• The subgroup adds and deletes can trigger exit traps when the operations are successful or not.
• Added a new plug-in to determine if a request viewer should see the authorization details.
• FILTER GROUP MEMBER PLUGIN has been added to filter nested groups.

• Added exit traps USER_IDENTIFY_SUCCESS and USER_IDENTIFY_FAILURE; these are called
when a user is successfully identified by the instance. Removed exit trap USER_LOGIN_START,
which has been replaced by USER_IDENTIFY_SUCCESS. Patching the instance will update the
associated system variable accordingly.
• Updated exit traps USER_LOGIN_SUCCESS / USER_LOGIN_FAILURE; these are now called when
a user completes the authentication process, instead of once per authentication script. Added new
exit trap AUTH_CHAIN_SUCCESS / AUTH_CHAIN_FAILURE, which is triggered whenever an
authentication chain is executed.
• Added Search filter plugin to filter search results from selected search engines.
• Added an additional pswxtsvc disclosure plug-in to support the updated Windows NT Server address
format.
• Added Firefox and Chrome support for native access disclosure controls. Also, added one-time ability
to view native access disclosure controls.
• IDM Suite now supports SAML federated login, allowing it to authenticate users on behalf of several
popular web applications. Removed the USER_LOGIN_START exit trap, which did not distinguish
authorization and identification events. Adds the following event traps, triggered during user
authentication:
– USER_IDENTIFY_SUCCESS
– USER_IDENTIFY_FAILURE
– AUTH_CHAIN_SUCCESS
– AUTH_CHAIN_FAILURE
The USER_LOGIN_SUCCESS and USER_LOGIN_FAILURE events are now called only once per
login attempt, at the conclusion of an authentication chain.


5.1.16 PSLang

• The SSH script connector will not crash when using the trim() function in certain situations.
• Enhanced the Discovery template to allow pslang expressions in the proxy field.
• Added two PSLang functions, memberOfByNameNested and memberOfBySIDNested, for evaluating
group memberships in managed accounts import rules.

5.1.17 Replication

• Added additional database, log analyzer, and healthcheck files to the blacklist for replication.

5.1.18 Reports and dashboards

• Enhanced Pre-defined requests report by adding a new column "Completed with mixed
authorization statuses" to usage mode, which is used to count the number of requests containing different
authorization status within each request.
• Added drill-down functionality to the Help desk dashboard.
• Added new drill-down window feature to graphs within reports in order to provide more in depth
information.

• Groups report has been updated to include child groups and indirect group members.
• Added capability to Help desk dashboard to show graph for top 5 statistics.
• Modified help desk dashboard by adding a user search and improving layout for subdashboards.
• Added new report ’Configuration certifier details’ to show details of configuration certification rounds
assigned to the certifier.
• Updated workflow reports to include operations with nested groups.
• The Search requests report has been modified to distinguish between requesters and recipients in
the headers for the profile attributes that are returned for the report.

• Added macros for message and note fields in reports with new macro expansion formats, to be
updated in docs. Changed format of date macros from MM-DD-YYYY to YYYY-MM-DD and fixed formula
that calculates hour in 12-hour clock.
• Modified the format of macros for filename fields in reports to be suitable for file names.

• Updated reports to display date format, time format and time zone according to users’ preferences for
the resources category.
• Updated Certification details and Certifier details report to display the actual certifier for delegated
certification rounds.
• Added a new filter to the Event log report to show only Help desk events.


• Added two new columns ("Target system ID" and "Target system Description") for Resource type:
Managed account group in Request popularity report.
• Enhanced Sent Notifications report by having drill-down chart functionality.
• Enhanced authentication chain reports by adding drill-down functionality.
• Added drill-down to Group set access check-out trend report.
• Added drill-down functionality to the Onboarding and offboarding trend report.
• Added new report drill-down functionality to generated graphs in Question Set configurations report.
• Added drill-down functionality to the Request Volume trend report.
• Added drill-down functionality to Daily notifications report.
• Enhanced reports to display request id as link.
• Enhanced summarized ’Assigned entitlement’ report performance in a large environment.
• Added drill-down functionality to Certification dashboard. Removed Current activity from Certification
dashboard.
• Added drill-down functionality to Enrollment dashboard.
• Added drill-down capability to the graphs in the managed accounts dashboard.
• Added drill-down capability to the graphs in the group sets dashboard.
• Added drill-down capability to the user profiles dashboard.
• Enhanced Reports by allowing pre-defined request IDs to be clickable.
• Enhanced Reports by allowing templates to be clickable.
• Enhanced certification reports by making certification round descriptions clickable; when clicked, a
popup page with information about the round will be displayed.
• Changed the "Request status" header to "Synchronization status" in the Report > System operation
> Synchronization report.
• Added a system variable DASH TIMEOUT DELAY to set dashboard cache recalculation maximum
timeout, in hours.
• Added a popup menu to overlapping points on the managed account access trend dashboard line
graph in order to allow the user to select which line series to drill-down into.
• "Use within the last N days" and "Use N or more days ago" options are now available for defining a
date range for reports.
• Added new report to list explicit users who had been added to or deleted from user classes.
• Performance metric report now displays PDRs as clickable links.
• "Notification description" column is added to the Daily notification statistic report tables.
• Reports can now be exported to DFS namespaces.
• Added new role mining report to discover clusters of users based on profile and request attributes as
well as entitlements.


• Added new Privileged access operations report: "Privileged access frequency analysis".
• Modified the date and time formats to a standardized format for all Certification reports.

• Modified the date and time formats to a standardized format for all Users reports.
• Enhanced the Enrollment dashboard and report as well as access for the View enrollment dashboard
administrative privilege to be available for all licenses.

• Added the four new search criteria (min/max # of distinct values and min/max % of users with a value)
to Profile attribute coverage report.
• Added drill-down functionality to the Requester and recipient affinity report.
• Revised existing certification reports to handle only entitlement certification. Also, added 2 new
reports for configuration certification:
– Certification of configurations rounds.
– Saved configuration certification setups.
• Saved reports are preserved through upgrade of 7.3.1. However, they cannot be re-run.
• Enhanced Roles violating segregation of duties rules report to support nested groups.

• Enhanced dashboard drill-downs to display user configured preferred date/time formats.


• Changed Trend reports and Performance metrics report to adjust search date to comply with the
specified interval unit.
• Merged subtotal date columns into one in reports.

• Added a circle data point in dashboard line graphs to make it consistent with report line graphs.
• Added new column to the auto-assignment setup report to include child group auto-removal status.
• Certification dashboard can now be pinned to home page.

• Enrollment dashboard can now be pinned to home page.


• The privileged access license information dashboard object can now be pinned.
• Made changes to dashboard to allow pinning dashboard objects while highlighting them.
• Users are able to pin pages or objects on pages.

• Enhanced report "Resources per user" to report access privileges for console only user properly.
• Added search criteria ’request attribute’ in search request report.
• Certification of entitlements reports have been updated to return console only user properly.


5.1.19 Security

• Improved browser security by preventing our product from being loaded in non-local frames.
• The fedidp_ident authentication chain module was created to intercept and save the SAML request
and perform any initial triage and validation.
• Added authentication chain module "Fedidp_assert", which is used to generate signed SAML
assertions from a SAML authorization request.

• The CGI will accept valid content types that can be used in authentication chains for pre-authorization.
• Enhanced protection against cross-site scripting (XSS) attacks on profile attributes with Link type.

5.1.20 Services

• Updated the Idarch service to handle manual reset requests for multiple (accountid, workstation) pairs.

5.1.21 Usability

• Report graph and data table can now be pinned to the home page.
• Improved all of the search engines for a better look and functionality and to include an AJAX interface
and infrastructure to provide dynamic searching.

• Cleaned up search field prefixes to make search fields easier to use.


• Improved usability by saving contents of note/reason field to the request details page.
• When using advanced search to search for a managed group, the following attributes can be used in
the search: Is security group, Parent group ID, Owner, Group type, and custom resource attributes.

• Enhanced the Target system address configuration page to retain user-entered values for required
and non-required parameters when the address parameters are blanked out.
• Resource descriptions on the pre-defined request summary page and report to PDR summary page
are now displayed as clickable links.

• Added hover menu to ease navigation across the product.


• Added new search bar in the page header that offers suggested page links based on the typed
keyword(s).
• Enhanced priority ordering pages by using drag and drop.

• Improved user experience with product by limiting scope of popup window to warn about losing
unsaved content.
• Added functionality to ensure old address line inputs are cleared as soon as target type is changed.
• Modified instance name to allow names that are shorter than three characters.

• Enhanced navigation usability in Hitachi ID Org Manager (HIOM).


• Enhanced usability by merging ’Choose PDR’ and ’View profile’ pages.


• Minor edit to ’View and update profile’ pages.

• Administrators can view and filter search results based on a group’s type and whether it’s a security
group or not.
• Users can view whether a group is a security or a distribution group when requesting group
membership.

5.1.22 User classes

• Added error message when required authorizer is not mapped in user class point.

• IDAPI functions have been added to allow the testing and configuration of multi-participant user class
points.

5.1.23 User interface

• Added the option to user interface skin customizations to support the override using sytle-custom.m4.
• Enhanced user interface customization to include widgets.
• Enhanced functionality by adding clickable accounts that display information about the account.

• Corrected the request details page to correctly render the "Escalate now" button.
• Renamed operation label "View / Update profile information" to "Update profile".
• Added new feature to allow users to customize the home page layout.

• Added a numerical ’percentage complete’ to the certification progress bar to increase readability.
• Removed the "Advanced search help" link.
• Modified address input style by removing ability to manually enter addresses, by forcing the use of the
address wizard only.

• Added a system variable to handle the selection of "Records per page" to be displayed on search
pages.
• Updated Certification segments page to display entitlements and configuration segments in separate
tables.
• Requests are universally displayed as clickable links.

• The PSA_LOGIN_DISABLE system variable has been removed to no longer allow direct login to the
Administrative console (psa).
• Modified text in HIAC from ’Certification configuration’ to ’Certification setup’. Renamed ’Resources
not in saved configurations’ to ’Resources not in saved certification setups’.

• Updated text of the link to review certification rounds under Compliance and audit.


• Changed embedded help links to show link separately.


• Users are able to pin pages or objects on pages for the following dashboards:
– PAM Managed accounts
– PAM Group sets
– Account sets.
• Rewording changes in Hitachi ID Access Certifier (HIAC). Configuration is now called Certification
setup.
• When Microsoft Internet Explorer is chosen to navigate features on Hitachi ID Identity and Access
Management Suite, Internet Explorer 11 is the only fully supported version.
• Updated screen so that users can see which groups they already have indirect membership to, when
they are requesting group membership changes.
• Clickable links made available for user profiles, managed accounts, managed systems and target
systems.
• Enhanced request details page to handle check out button properly when no account can be checked
out.
• Modified the check-in button from requests details page (IDS) so that check-in happens with a single
click, with no re-direction to PSW module.
• When viewing the status of a single account or account set request, the check out button now appears
with a magnifying glass which allows a user to view more information on the check out.
• A ’Check all’ checkbox has been added to search table headers.
• Added black list and white list for UserAccountSearch search engine.
• Reworded text from ’access certification’ to ’entitlement certification’.
• Redesigned the Password Manager user interface.
• Added a new section called "Conflicting passwords" to handle managed accounts that have more than
one candidate password.
• If multiple languages are installed, product now includes a language selector in the top right hand
corner, enabling users to select an alternate language from a drop down menu.

5.1.24 Utilities

• Added fedidp-util.exe, used to generate certificate store data used for federated login.
• Added -idfiledir to upddid.exe. -idfiledir represents the folder used to store retrieved digital ID files.
• Added support in loadplatform for setting the directory for loading agents.
• Fixed idmemail.write_file utility to write an .eml file for every To recipient.
• Added options -delete and -deletemaxage for dbarc.exe, so that old archive data can be deleted in
bulk from the database.
• A new system variable (IDR NETWORK RESOURCE VALID ONLY) was added under the IDR module
options. This flag is used to determine whether the user is able to request access for an undefined
network resource from the Shell Extension utility.


5.1.25 Workflow

• Added functionality for alerting authorizers when users or their user class have never checked out the
requested account before.
• Added implementer and escalation support to the search request application.
• Request application supports acting as a delegate/escalate.

• The group-group-add and group-group-delete operations are correctly passed to the agents when
submitted to the workflow manager.
• Nested group memberships are evaluated during segregation of duties rules evaluation.
• Enhanced consistency by having the proper module set with the corresponding actions.

• POST content length limit for dbe.exe module is removed, as it can legitimately have large data posted
to it.
• Improved workflow manager performance on authorizer email notification under heavy load.
• Enhanced resource inheritance when choosing not to inherit by allowing users to be able to choose
the implementer that was chosen at target level.

• Updated the search engine for managed system policy tables.


• Upgraded the ResourceGroupSearch engine for Password policies, and Privileged access to systems.
• Updated the search engine for the remove recorded session packages page.

• Updated the search engine for the download recorded sessions page.
• Updated the search engine for the recorded sessions request table.
• Implemented cache control for search engines. Hitachi ID Password Manager returns a maximum of
10,000 matches by default. If there are more matches, users are warned to refine their search.

• Added a Clone button under the Target system information page that will clone a target and its
configuration/attributes.
• Added four new advanced search keys in blackboard advanced search.
• Added dynamic headers for search data tables that allows some data columns to be shown/hidden
and sorted.
• Locations can now only be updated in the Inventory menu when managing the system.
• Added attribute support to the advanced search criteria in the discovered accounts table.
• Enhanced pre-defined requests by displaying proper information in the summary page.

• The "Stop managing all groups" button prompts a message that displays the success and failed counts
(if applicable) of all unmanaged groups.
• Enhanced the SesslogSearch search engine to make it more usable and user friendly.
• Resource operations for targets can now be set for group-group add and group-group delete operations.


• Enhanced segregation of duties (SOD) violation checking to detect violations caused by role and child
groups.
• Updated ’Delegate certification segment’ pages to support the Configuration certification segments.
• Enable advanced search for finding certification resources.
• The ’inactive’ state for managed systems and accounts is no longer available. The inactive state
applied when an object that passed an import rule no longer passes it, and the "Archive failed evaluated
objects if they were managed before evaluation" box on that rule is not checked. Now, the object
remains active on the policy, so it will still be randomized, until it is archived.
• Enhanced the delegation process with an option to delegate only workflow requests, implementer tasks
or access certification.
• Added search functionality in the request application.
• The ability to create a pre-defined request for Network resource has been added.
• Added protection to avoid adding resources to a pre-defined request that would put the pre-defined
request in violation of a segregation of duties rule.
• Fixed an issue with the list timeout for connectors where it could occasionally cause the connectors
to list indefinitely.

5.2 Resolved Issues

5.2.1 Add-ons

• Fixed Hitachi ID Login Assistant to support Internet Explorer 11 mode and web fonts to ensure all
icons are displayed and functioning as expected.
• For Hitachi ID Login Manager, fixed loadalias.exe to attempt passing alias information to only accounts
that are on the specified target and give proper return codes.

5.2.2 Authentication

• Authentication chains will correctly handle invalid authentication chain behaviour.


• Users can now login using case insensitive email address.
• Fixed an issue with emailsmspin.pss authentication chain to generate correct emails.

5.2.3 Auto discovery

• Corrected template targets not to be listed by proxy server.


• Fixed so that invalid user data can be cleaned up even if psupdate is run in parts.


• Added back the "sysID" and "syspassword" keys for all connectors and for backwards compatibility
for targets that support the system id and system password credentials. Pslang connectors will also
duplicate the values with the "sysid" and "syspw" keys for backwards compatibility.
• Added support in the hid_loaddb component to allow use of remove_duplicates decorator.

5.2.4 Database

• loadplatform will now report database or script errors on the command line when a missing/invalid
name failure occurs.
• Locking out certain queries to resolve an issue where SQL error handling could fail.

• Increased rtaudit.otherid column size.


• Corrected an issue to ensure import rules containing a condition that matches a long distinguished
name do not get truncated on SQL generation.
• Modified upgrade scripts so that system variables that contain a boolean value do not get overridden
after upgrade.

• Fixed issue where pre-defined requests for "Non-user-based" recipients could not be created after
upgrade.

5.2.5 Installation / Setup

• Updated instructions in samples directory to reflect current convention on where to store image files.
• IDMSuite installation now creates a database with a simple recovery model.
• Fixed an issue in the installer to honor all the settings from the setup.inf file.

5.2.6 Licensing

• Attribute options are open to Hitachi ID Privilege Access Manager (PAM only) license for ’Account
change history’ and ’User and account history’ audit reports.
• Removed the over-limit license sleep delay so that the user interface response will not slow down once
the license limit is exceeded.

5.2.7 Logging / Health check

• Resolved an issue where setting PsTempDir to a value that contains, but does not exactly match the
instance name would cause incorrect log rotation.
• Improvement on warning message for synchronous exit traps.

• Changed psa to properly display the Authorization tab warning icon.


• Fixed an issue in system logs to not adjust ’Current server time’ to user preference. All timestamps in
system logs are displayed following the server timezone.

• Corrected updinst.exe to cache messages and dumps to idmsuite.log at the time needed.
• Fixed the health-check script so that a database lockdown is not caused when the health-check script
and the loganalyzer script are running at the same time.
• Modified the process to start a service, by first detecting if a port is already in use. The purpose of
this is to produce error logs and prevent port failures.
• Modified the error message on target system information page to return a descriptive message about
an agent operation failure.
• Removed Workflow Manager Service (idwfm) warning message to display, "PAM requests do not
require processing" for event EVENT_RECIP_EMAIL_BATCH_PROCESSED.

• Fixed checklogs errors regarding component framework.

5.2.8 Maintenance

• Fixed an issue in loaddb when the accounts on the source of profile (SoP) do not have a value set for
the attributes (meaning they should not get a profile).

5.2.9 Managed Account Groups

• Role enforcement and automatic assignment cannot be enabled at the same time for managed
account groups.

5.2.10 Miscellaneous

• Updated API documentation for ReserveCheck function.

5.2.11 Notification

• Fixed an issue for macro detection within exit traps as well as notifications and modified regex to parse
through dashes and numbers and to show the message content correctly.

• Remove redundant timezone string from report notification messages.


• Resolved a number of memory allocation issues in the notification service.
• Fixed notifications to show multiple toast notifications when appropriate.


5.2.12 Password reset

• Fixed an issue where password reset may fail if dcselect is used to generate a list of target systems
and the target administrator is defined in NT4 format.

5.2.13 Performance

• Improved page performance for product administrators when the system has a high number of
administrator groups.
• A system variable has been added, SEARCH_USER_WITH_ACCOUNTS, to allow user searches that
could previously search on account short ID to once again do so.
• Improved performance for implementers searching for pending implementation requests.

5.2.14 Plug-ins / Event triggers

• When using an authentication module plug-in, requests will remain in the pending state until the
authentication module has finished running.
• Changed IDMLib to allow direct import of extras modules.
• Fixed an issue to populate the password for all of the resources in a request when the password
generator plugin does not return a password.
• Fixed an issue in question set configurations report to escape quote properly.
• Removed IDO FILTER USER PLUGIN; custom components can be written to filter out accounts in the
orgchart.
• Modified access disclosure plug-in behavior to disclose expired managed account passwords in the
event that the password fails to be randomized.
• Fixed licensing issue with user notification plug-in pop-ups.
• Fixed an issue that would occasionally cause the command prompt control disclosure plug-in to crash
on exit.
• Changed implementer plug-in to be called only once.
• Fixed e-mail customization to save consistently.
• Changed exit trap DBE DATA MODIFIED to include query data from the event.
• Added disclosure plug-in support for Chrome through the Hitachi ID Browser Extension, which is
available on the Chrome Web Store.
• Added an additional pswxtsvc disclosure plug-in to support the updated Windows NT Server address
format.
• Corrected pswxcmd keystroke data capture so that it does not crash third-party processes when
multiple sessmon sessions are active and so that it works for impersonated processes.
• Modified the clipboard module to minimize the amount of time the clipboard gets locked.


5.2.15 Profile and request attributes

• Fixed an issue in profile attribute to suppress errors when switching to boolean attribute type.

5.2.16 Replication

• Corrected the database replication page to correctly escape the values in the description input field.
• Fixed a Database service (iddb.exe) issue that occurred when a multiple node replication environment
is configured and the primary node system has multiple CPUs. Rebooting the primary node sometimes
caused the database service to be non-functional.
• Fixed a data replication configuration issue where the service list in the source node was not
completely propagated to the replicated node.
• Component Framework files and database are replicated to nodes after changes are made.

5.2.17 Reports and dashboards

• Fixed report and dashboard drill-down windows to not exceed the height of the browser window.
• Fixed an issue in Event log report to ensure long group id is displaying properly.
• Changed the Stuck requests report to calculate subtotals correctly, in line with other reports.
• Display and compare date/time attributes properly in reports.
• Standardized display of date in reports for the following categories:
– User
– Workflow
– Privileged access: Configuration category.
• Changed Password change history report so that current passwords display the scheduled expiration
time in the Expiration time column.
• Improved the account sets dashboard and drill-down.
• All account IDs are now clickable in the ’Compare users report’ and the ’Users with common
entitlements’ report.
• License re-alignment has been performed for both Enrollment and Workflow dashboards.
• Fixed an issue in Search requests report to allow "Account set access" filter option to be available for
Operation field and "account set access" requests to show up in reports.
• Fixed an issue in report to calculate the number of requests properly.
• Corrected issue where the drill-down for the ’Sent notifications’ report was missing some information.
• Session activity report no longer displays invalid users.
• Fixed enrollment report to calculate profile attribute enrollment type properly.


• Report type dropdown menu for Delegation report option changed from "Summary by user and login
method" to "Summary by user".

• Corrected privilege checks so that individual administrators can view drill-down reports on the
workflow dashboard.
• Fixed an issue for saved reports to ensure that the last run time indicates the proper date and time.
• Performance metrics report now runs properly for users in UTC 1+ timezones.

• Fixed an issue with reports to display dates in preferred date format specified by user.
• Downloading a saved report containing graph should not freeze the user interface.
• Improved Managed accounts and Group sets dashboards.

• Fixed an issue with notification related reports to not show clickable links for deleted notifications.
• Remove redundant timezone string from report notification messages.
• Displayed data has been standardized for report and dashboard drill-downs.
• ’Last updated’ in dashboards now displays local time.

• Modified Discovered subscribers report to not include group memberships. Modified Discovered
subscribers report to include Sharepoint service accounts.

5.2.18 Security

• The reCAPTCHA component has been added to allow easier implementation of the Google
reCAPTCHA authentication method.
• Any user can now click on entitlement descriptions, but they must have the required ACLs to see any
data, otherwise they will just see an empty pop-up.

• Fixed a bug to prevent users with only ’Recompute dashboard cache’ privilege from accessing the
product administration console.
• Fixed a potential security issue that could have occurred when using JavaScript.
• Menu based ACLs should be honored when jumping straight to the page.

• Fixed Hard Drive Encryption Systems end user pages so that response codes do not get removed
when the page is refreshed.

5.2.19 Services

• Corrected a race condition in the iddb service startup logic that was causing the service to slowly start
up when a large number of cgis are accessed concurrently.


5.2.20 Upgrade

• Fixed upgrading scripts to allow upgrades from 7.2.1 to 10.0.0.


• Fixed the issue of broken pending RENU actions when upgrading from version 8.2.7 to current version.

5.2.21 Usability

• Improved local workstation key management, in order to reduce unnecessary database growth.
• Password verification for a target administrator is no longer required when changing a target type or
target address.
• Changed drill-down to prevent clicking a previous page when a new popup comes up.

5.2.22 User classes

• Fixed Managed groups and profile attributes so that they cannot be unmanaged or deleted when
attached to a user class.
• Fixed Administrative and User access privileges for clickable links so that they are not cached.
• Change criteria of userclass "_PARTICIPANTS_DIFFER" to match when one of the actors is blank.
• Fixed an issue where it was possible to add a user as a user class in a certification round by using
the user selection screen.
• Fixed listing in userclasses to properly deal with incorrect pslang criteria.

5.2.23 User interface

• Updated the Front-end (PSF) so that menu boxes re-order and re-size for desktop and mobile access.
• Fixed a user interface glitch by removing the "Authorizer action" column to improve user interaction
with the product.
• Corrected a user interface glitch so that there is no missing line segment under the "Authorization
action" column in "Accounts to be added:".
• Fixed the Self-service ’View profile’ privilege to affect the clickable link availability for a user’s own
profile.
• Fixed an issue with passfilt.psl password rules so that they are properly displayed and evaluated.
• In the Administrative Module (psa.exe), the ’Pattern’ field in Manage ID filters has been expanded to 80
characters.
• Rewording "Schedule and submit" to "Schedule for submission" and "Run and submit" to "Run for
submission".
• Corrected ’View and update profile (IDR)’ option to display the page properly on Chrome browser.


• Suspend and update button should work properly in request detail page when
IDP_APPROVE_SINGLE_RESOURCE is enabled.

• Disabled checkbox should be displayed in search results.


• Fixed target system information page to show only the applicable options based on license.
• Fixed the initialization of server datetime to report the correct datetime when the server timezone is
UTC (with or without DST).

5.2.24 Utilities

• Changed autores utility (for Automated resource assignment) to only submit requests for deficits where
there is also no pending request.
• Fixed a file replication problem where certain files with ’db’ extension name were not replicated
properly.

5.2.25 Workflow

• Fixed an issue with Identity Manager Workflow Manager Service (idwfm), where when new accounts
are created, they do not get group membership.
• Fixed an issue where duplicate requests are displayed to the Workflow manager when they also happen
to be the request authorizer.
• Corrected a performance issue in the Authorize requests (idp.exe) and Manage implementation tasks
(idv.exe) modules in a large environment with a number of historical workflow authorization information.
• Fixed account set checkout page to not show account disclosure magnifying glass if only run
command plugin is configured.

• Fixed Administrative users to be able to update user group access control when they have the
appropriate privileges.
• Repaired the user listing functionality when selecting the subordinates to attach to a manager.

• Change Target system configuration to fix "Allow enabling accounts" from always being checked.
• Enhanced the "submitting pre-defined requests using report output" functionality by adding a space
between the pre-defined request description and the pre-defined request ID in the drop down menu.
• Target system summary search is not valid, since the target system summary page link has been
removed from under PSA > Resources > Target System.

• Object types and locations are now only available through the Inventory menu. Account and group
object types are also deprecated.
• Autores should not return variances or issue requests again when requests to resolve variances have
been submitted and are pending approval.

• Fixed Segregation of Duties (SOD) Rules in the resource details pop-up to show the correct SODs.


• URL found inside the email sent for delegation request, redirects user to the actual request page.
• Fixed an issue in pre-defined requests, where non-user-based pre-defined request link is not available.

• Pre-defined requests with template accounts now correctly calculate associated implementers.
• Changed CUST resource operations to accept the managed groups.
• Fixed loophole where roleA and roleB could be an entitlement for each other.

• TargetAttributeGet API call now returns target level overrides and mappings, target type level overrides
and mappings as well as default mappings to profile attributes.
• Removed DiscoveryComputerAttributeGet from idmlib and replaced it with ManagedSystemAttrGet.
• If a pre-defined request is modified, submitting requests using the PDR should reflect the changes in
the pre-defined request.
• The Email class has been fixed to allow the attaching of image files to emails.
• Profile attribute of type integer can now accept 0 as default value.
• Corrected issue so that WfRequestAttrsSet API function properly captures error messages that are
returned from Workflow Manager Service (idwfm) in case of failure.
• Advance search on integer resource attributes should work properly.
• Target system address configuration page for official scripted agents will check for valid script.
• If the account creation operation was deemed to be a success then USER_CREATE_FAILURE exit
trap should fire and no retry. If the account creation operation was deemed to be a failure then
USER_CREATE_FAILURE exit trap should not fire and the operation should be retried.
• Changed ResourceRead IDAPI function to return valid information on TARGET_USE_ID_FILTERS
on target systems.
• Fixed an issue in IDWFM where it doesn’t search delegations based on the proper delegation type.
The delegate now gets the correct list of tasks to accept/complete as a delegate.
• Enhanced PSF module to prevent cgi crashing when user settings are corrupted.
• A role or segregation of duties rule should not be deletable while it is present in a saved certification
configuration or in an active certification configuration round.

• Removed "location" and "object type" fields from template account and managed account group
pages.

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com

www.Hitachi-ID.com Date: | 2017-04-23 File: git:fox:doc/fox/release/release-notes.tex
