February 8, 2021
- An issue preventing CSV data from being imported into Identity Manager has been resolved.
- An issue causing the incorrect PPMSTRMON error "Text not available for message T518003 file PPMMSGF" has been corrected.
- For consistency with IBM conventions, *ALL has been removed in the SUBSET options for profiles on the PTPMLIB/PPMDLTPRF command.
- A problem preventing Option 6=Send via Email on the Work with Generated Passwords panel from working for profiles on the first page of profiles has been resolved.
- A problem preventing Option 6=Send via Email on the Work with Generated Passwords panel from sending the correct number of emails when multiple profiles have been specified has been resolved.
- The product has been renamed Powertech Identity Manager for IBM i. The new name is used throughout the software and accompanying documentation. (Prior to version 2.17, the product was called "Powertech Power Admin.")
Central Administration Fixes
- Extraneous diagnostic messages in job logs have been removed.
- The correct names for Powertech products are now used throughout the Central Administration software and accompanying documentation.
- A defect that resulted in error Message ID MCH3601 “Pointer not set for location referenced” to appear at the bottom of the Audit Definitions panel (PPL3810) has been corrected.
- User profiles whose text is defined at the maximum length of 50 are now fully accommodated.
Central Administration Fixes
- Installation now accommodates objects that have object text defined at the maximum length of 50.
- A change was made within the installation of Central Administration to accommodate user profile objects whose object text cannot convert to Unicode.
- A change was made within the “Work with Directory Queries” panel PPL2920 to ensure all validation errors are displayed appropriately. Additionally, a F4=Prompt has been added for the External Server field.
- The “Work with User Profiles” panel option 9=Entity Activity no longer omits data immediately after a profile is created in Power Admin.
- The Retrieve Position Description API no longer incorrectly returns Error Message ID T611005.
- The PPMCRTPRF command now properly acknowledges inputted system groups.
Central Administration Fixes
- A problem causing existing audits to become unremovable after removing a system has been resolved.
- While including systems, Central Administration now ensures the system being included is not defined as an Allowed System for any existing Templates.
- An RNX0115 error in monitor job PPMEVTMON has been corrected. The problem occurred when a Power Admin Company that contained at least one Department and Position was removed.
- A problem that prevented password synchronization from occurring in certain scenarios was corrected.
Central Administration Fixes
- Installation now supports user profiles with blank location values.
- The History Subset and Sort Panel (PPL3372) no longer signals error CPF24B3 “Message type PPL3372 not valid” when F4=Prompt is attempted for a field that does not support prompting.
- The Set Monitor Status (PPLMONSTS) command now functions properly when attempting to set the status for the Monitor value of *PROFILE.
- The 'List Template Profile Settings' API (PPL6125) now correctly outputs Template Profile Settings that exist for an Allowed System to the inputted user space.
New Features in Power Admin
- Password Syncing. Power Admin's new password syncing capability allows you to keep IBM i passwords the same across a network of systems. With Password Syncing enabled, a change to a synced password on any managed system can propagate to all other managed systems on the network for that user.
- Password propagation can sync profiles when changed by the user or an administrator.
- Password propagation can sync passwords of profiles attached to a Person and/or those not attached to a Person.
- A summary of Password Sync Requests can be emailed to the person who owns the changed profile, the active profile when the password was changed (e.g. an administrator), or both.
- In case of a communication delay between the management system and an endpoint, Power Admin will recognize passwords that were changed on the endpoint more recently than Power Admin’s password change request, and leave the request in a pending state for review.
- See Syncing Passwords in the Power Admin help for more details.
New Features in Central Administration
- Custom Attributes. Additional, custom data items can be added to entities such as Templates, as well as Power Admin entities such as People.
- Creating a Custom Attribute makes it available to all entities of the allowed Entity Class, including entities that already exist.
- Deleting a Custom Attribute deletes it from all entities of the allowed Entity Class.
- The values for Custom Attributes are stored by Central Administration on the Management System.
- Custom Attribute Values can be acquired via CSV imports, the Active Directory interface for People in Power Admin, or by using the user interface.
- API PPL6130 allows administrators to get or update the Custom Attribute Values for a particular entity. See API PPL6130 for details.
- See Defining Custom Attributes in the Central Administration help for more details.
Power Admin Fixes:
- The User Profile accounting code setting now allow the vertical bar “|” or pipe character to be entered when maintaining user profile, profile creation, or profile auditing settings.
- Select Person (Panel PPM3605), which appears in various areas of Power Admin, has been changed so that it now indicates when a Subset is active. Message ID UIG3003 “The list is subsetted” will now appear on the status line in white when a subset is active.
- For failed audits that used the “User Profile Settings” strategy, and were remedied with “Accept New Settings”, each actual setting that differs from the associated template’s setting will be created as a specific user profile audit setting. (In previously versions all settings were being created in this fashion and not only the ones that differed.)
- The Select User Profile panel no longer displays user profiles that no longer exist on the system.
Diagnostic Message ID CPD9861 “OUTFILE parameter required with OUTPUT(*OUTFILE)" is signaled when the OUTPUT parameter of *OUTFILE is entered without a value for the OUTFILE parameter. In this scenario, the value is supplied before allowing the command to run.
Central Administration Fixes:
Users who do not have *ALLOBJ special authority can now successfully purge audit history via the PPLPRGAUDR *CMD as well as from other areas of the product.
Power Admin Fixes:
- Power Admin now automatically corrects objects that are known to occasionally become damaged (User Index; Data Queue).
Central Administration Fixes:
- A job’s library list is now returned to its original state after Central Administration processes a user profile function that was processed by Power Admin's exit point programs.
- The PPLCMNSVR monitor job had a built-in feature that was acknowledging the QSTGLOWLMT system value. That feature was added to better handle an IBM i system defect that at one time was not in all base OS releases. That PTF is now included in all base releases, so this built-in feature has been removed.
- Event processing and integrity improvements have been added.
- Entering the History Browser no longer results in Message ID CPF2419 and/or CTL0001 in the job log.
- The PPLCMNMON monitor job is no longer unable to start due to the /tmp directory being so large that the Unix stat function fails with error “Object is too large to process”. The stat function has been replaced with stat64, which is specifically designed to handle larger objects.
- Power Admin now allows you to import data from CSV files in order to expedite the process of creating People and Profile Templates. For details, see Importing a CSV File.
- Alerts now appear when Power Admin has encountered an unexpected condition, or a condition that is handled by a deviation from normal processing. For more information, see Working with Alerts.
- Deleted User Profiles in Balanced Profile Pools are now recreated with the same settings as at the time of deletion.
- Extra History records are no longer created for the “Formatting message file” each time a Power Admin Configuration Setting is changed.
- Email Generated Passwords. Administrators can now configure Power Admin to automatically send generated passwords to onboarded users over email. See Configuring Email in the Power Admin Administrator's Guide for details.
- Power Admin’s uninstaller no longer requires the end point to be disconnected from the Central Administration management system in order to complete.
- Minor help typos were corrected.
- An error causing duplicate information in the Profile Activity Report panel (PPM3545), resulting in an excessively long report, has been corrected.
- Option 4, Delete, on the Work with Generated Passwords panel (PPM3730) is now functional.
- Problems deleting user profiles have been resolved.
- Incomplete audits are no longer caused by the following:
- Audits for systems that do not contain the software that the audit refers to
- Audits that include auditing of the Management System
- A help typo in the PPMSYNCPSN command description has been fixed.
- Active Directory integration. Power Admin now allows you to import Active Directory data and use that data to create new People in Power Admin, or apply the data to existing People. Once populated, the Active Directory data can be linked with Power Admin and synchronized using periodic checks against the Active Directory server, whereupon updates to Active Directory entries will be automatically reflected in Power Admin's People definitions. See Integrating Power Admin with Active Directory.
- Improved automation support. Operational Resources (such as event monitors) can now be disabled and enabled. After being disabled, they will not start again until they are deliberately enabled. This aids in preventing unwanted operations from occurring during backups or HA operations. A new command set, PPLMONSTS and PPMMONSTS, allows you to enable or disable Operation Resources programatically so that this function can be embedded in your HA or backup processes to prevent resources from starting at inopportune
times. See Set Monitor Status (PPMMONSTS).
- New Change User Profile command. A new command, PPMCHGPRF, allows you to change a subset of the profile settings for a set of *USRPRF objects on any system in your network. These settings are STATUS, PASSWORD and PWDEXP. Profiles may be selected by their attachment to People, Positions, Systems, etc. This allows you to set the password for all Profiles attached to a Person at one time, regardless of the number of systems on which those Profiles exist. See Change User Profile command.
- New Delete User Profile command. A new command, PPMDLTPRF, allows you to delete *USRPRF objects from any system in your network. Profiles may be selected by their attachment to People, Positions, Systems, etc., or generically by name. See Delete User Profile command.
- Enhanced Delete Person command. The Delete Person (PPMDLTPSN) command has been enhanced to support post-processing of the attached *USRPRF objects when a Person is deleted. You can delete or disable the attached *USRPRF objects. See Delete Person panel.
- Enhanced Profile Activity Report. A history date range has been added to the Profile Activity command (PPMPRFACT) so that you can limit the output of historical information to a time period of interest. See Profile Activity Report panel.
- New Power Admin APIs. Several APIs have been provided to allow you to interact with PowerAdmin from within your own applications (see Power Admin APIs):
- Retrieve System definition
- Change System definition
- List Systems to user space
- Retrieve Template definition
- List Template Allowed Systems
- Determine if a System is allowed to use a Template
- List Template Profile settings to user space
- Retrieve Company definition
- List Companies to user space
- Retrieve Department definition
- List Departments to user space
- Retrieve Position definition
- List Positions to user space
- New Central Administration APIs. (See Central Administration APIs):
- Retrieve System Configuration
- Change System Configuration
- List Systems
- Retrieve Template Definition
- List Resolved Template Profile Settings
- List Template System Allowances
- Can System Use Template
- List Template Profile Settings
- Power Admin is now delivered with new deployment functionality, including the ability to stage the product installation.
- The Profile Activity Report (PPMPRFACT) has been enhanced to allow the specification of a date/time range for the history data. Only history dated within the range will be printed. Each Profile name will be printed regardless of whether or not it has historical data; a "No History" indication will be printed if that is the case. See Profile Activity Report panel for more details.
- PPMDLTPSN now has options to delete or disable the profiles attached to a Person, then delete the Person. See Delete Person panel for more details.
- The profile setting for Limit device sessions (LMTDEVSSN) now supports all valid operating system values.
- Change Profile Settings (PPMCHGPS) has been updated to provide validation of the “Setting value” parameter. See Change Profile Settings panel for more details.
- The "Profile Existence" Audit Strategy no longer skips profiles. (Previously, profiles with a status of "m" were erroneously skipped). Additionally, the "Remove from PowerAdmin" Remedy was updated to allow for the removal of the Profile from the "Work with Profiles" list and not send another directive to the endpoint system to try to delete it.
- The Profile Activity Report (PPMPRFACT) has been enhanced to better display information for all profiles, including archived profiles that have been deleted by the user and are no longer visible on the "Work with User Profiles" panel.
- New command PPMCRTPRF allows automated creation of profiles..
- The ability to change templates en masse was added (using the new PPMCHGPS command).
- Non-ALLOBJ users can no longer access PowerAdmin even if they are on the PTADMIN autl.
- Generated Passwords are now automatically removed whenever a Profile is deleted
- PPM3205 (Select Department) panel's Position to feature now works with a partial name.
- Signaling of Message ID VLD3005 has been fixed so that it now appears on the PPL3010 “Work with Templates” status line when attempting to delete a Template that is currently referenced by a position.
- Licensing issues have been addressed.
- Green screen query issues for user upgrading from Network Security 6.54 to Network Security 7 have been resolved.
- Object locks are now checked prior to updating.
- The PPMPRFACT command now includes the expected Profiles.
- Objective evidence of *USRPRF deletion on the endpoint is now attained before Profiles are removed from PowerAdmin on the management system.
- Multiple Profile Pools (Person/Position combination) can now share a Base Profile Name.
- Automatic Balancing of Profile Pools can now be set en masse for Persons, Positions, Companies, and Departments.
- Profiles recreated during Automatic Balancing now include the text description.
- A Profile Pool's Base Profile Name can now be blank when Automatic Balancing is set to *NONE.
- The PPMPRTPRF command printed output has been enhanced to show the current attachments, if any, to other entities such as Person and Position.
- Profile Creation Settings now appear correctly in report output.
- A new Emergency System Disconnect (PPLDSCSYS) command has been introduced for disconnecting a system from your network when the Management System is no longer available. This method initiates the activity that would have occurred had the system been disconnected normally.
The following features have been added to PowerAdmin:
- A Company entity has been added to PowerAdmin, which allows for multiple collections of Departments.
- An abbreviation can now be defined for each Company, Department, and Position. These abbreviations can be used with Name Patterns to automatically generate meaningful user profile names and text during Onboarding.
- The PPMCRTPSN and PPMCHGPSN command parameter previously called "PROFILE" has been changed to "ABBR". If you have coded these commands into any of your processes, those uses of the commands must be changed.
- User profiles created during Onboarding now use an "adaptive pattern" to determine the name of the profile and its text. These patterns can contain various pieces of information from the Company, Department, Position and Person involved in the Onboard operation. The patterns are defined on each Company, with defaults for new Companies defined in the System Settings.
- PowerAdmin Templates are now split into two categories: User Profile Auditing Settings and User Profile Creation Settings. Templates defined for User Profile Auditing Settings are used for auditing profile values as before. Templates defined for User Profile Creation Settings apply to Profiles created during Onboarding and during Creating and Managing Profile Pools.
- Copying a Template now copies all of the settings as well as all of the Allowed System and their settings.
- "Work with People" has been enhanced to allow subsetting and sorting options. These options are remembered when you exit and will be restored upon your return to "Work with People." The finder and the report listing for People have also been enhanced to support the same subsetting and sorting options as the "Work with People" list.
- "Work with People" has also been enhanced to allow you to "Onboard a person like another Person" or to "Create a new Person and Onboard the new person like another Person." (See option 20, Onboard another like this in Work with People panel.) The current Profile Pools for the "source" person are replicated to the "target" person. This is convenient when Onboarding several people into the same Position.
- Option 6, Onboard Person into Position is more accessible. It has been added to the PowerAdmin Main Menu.
- The "Post-creation Options" necessary to accomplish the "Create user profile" activity are now packaged inside the event itself. The local Software Config Options on endpoints are no longer used.
- PowerAdmin now allows you to monitor and update user profiles on managed system in real-time. It knows every user profile created, changed, or deleted from any system in the network, as well as the user profile's current settings. It functions like a "networked WRKUSRPRF.” As an added benefit of this, ad hoc changes to profiles (for example, disabling the profile or setting a password) can now be accomplished without affecting the settings used by the Auditing function.
- “Work with Templates” is now more accessible, available using option 70 in the PowerAdmin Main Menu.
- Most finders now support F6 to create a new item. For example, press F6 in the "Select Department panel" to create a new Department, then select it.
- Product Security now supports registration of group profiles as Role Users. This means that when a particular user is not a Role User, but is a member of a group that is assigned to a Role, that profile will be given the access of the group profile's Role.
- "Work with User Profiles" has been enhanced to allow subsetting and sorting options. You can now subset by Position and/or Person. The Template, Person, and Position subset selections now support the value *NONE (having no Template, Person or Position) and the ability to consider both direct assignment of Templates as well as Templates inherited from Position assignments.
- The “State” of profiles now indicate whether PowerAdmin is interested in a Profile (i.e. has a Person, Position or Template assigned to it, or it has Profile Auditing Settings), and whether the profile exists on a system.
- The User Profile text field now allows special characters (values that start with *).
- The new Audit Strategy “User Profile Owner” can be used to verify or correct the ownership of an authority to user profile objects.
- The new Audit Strategy “Auto-Balanced Profile Pools” can be used to identify missing *USRPRF objects for Profiles that are attached to automatically balanced Profile Pools. The identified Profiles can be removed from PowerAdmin or can have the *USRPRF object recreated.
- The new Audit Strategy “Verify Profile Existence” can be used to identify missing *USRPRF objects for Profiles that are NOT attached to automatically balanced Profile Pools. The identified Profiles can be removed from PowerAdmin or can have the *USRPRF object recreated.
- Significant improvements have been made to the communications subsystem improving reliability, efficiency, and speed. Among these improvements is an increase to the amount of data a single event can carry.
- UID,GID, and HOMEDIR values are no longer imported from *USRPRF objects when importing Template settings.
- PowerAdmin now provides a simple "Profile Activity" report that formats general historical data in a more PowerAdmin-related manner (e.g. prints the history in descending order by time of occurrence).
- An issue causing the F10 key to be disabled immediately after importing settings from a *USRPRF object has been resolved.
- The process of entering profile settings when adding supplemental group profiles has been improved. Prompting the SUPGRPPRF command now allows you to specify items that are not OS-defined special values. Duplicate values are not allowed in the list, nor are extra values when a single value is selected. Each item must be a valid OS name or special value.
- Occurrences of blank entries in the History Browser have been addressed.
- Occurrences of missing Profile descriptions have been addressed.
- A missing value resulting in an install-time deficiency has been corrected.
- A deficiency whereby the built-in support for “moving a library to another system in a disaster-recovery scenario” was not working as expected has been corrected.
- Premature license code expiration messages have been eliminated.
- Support for administering license keys for all PowerTech products from a Central Management system.
- New command for to assign profiles to create relationships between a profile and a person, position or template.
- Add Remedy process to take corrective action when failures are found during auditing by easily applying remedies to user profiles. Remedies allow you to update value records or ignore failures, and can be applied manually or automatically.
- Update Pre-checker to identify PTFs from IBM to fix memory leak issue
- Commands now display parameter text
- Correct audit on Special Authorities
- Handle audit on TEXT field properly
- Correct Assign/Remove on User Profile Template