Chat now with support
Chat with Support

Identity Manager 9.2 - Release Notes

One Identity Manager 9.2

One Identity Manager 9.2

Release Notes

02 October 2023, 15:04

These release notes provide information about the One Identity Manager release version 9.2. You will find all the modifications since One Identity Manager version 9.1.1 listed here.

For the most recent documents and product information, see Online product documentation.

One Identity Manager 9.2 is a minor release with new functionality and enhanced behavior. See New features and Enhancements.

If you are updating a One Identity Manager version older than One Identity Manager 9.1.1, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide

Topics:

About One Identity Manager 9.2

About One Identity Manager 9.2

One Identity Manager simplifies the process of managing user identities, access permissions, and security policies. It gives control over identity management and access decisions to your organization, freeing up the IT team to focus on their core competence.

The One Identity Manager enables you to realize Access Governance demands cross-platform within your entire company. One Identity Manager is based on an automation-optimized architecture and, unlike other “traditional” solutions, addresses major identity and access management challenges in a fraction of the time, complexity, and expense.

One Identity Starling

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. Giving your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to One Identity Starling.

For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit https://www.cloud.oneidentity.com.

New features

New features in One Identity Manager 9.2:

General
  • Support for Amazon RDS for SQL Server as a database system.

  • A configuration library with variations of templates and formatting scripts is available. There are different templates supplied for the CentralAccount, CentralEBSAccount, CentralSAPAccount, DefaultEmailAddress, and InternalName columns in the Person table as well as formatting scripts.

  • Automated monitoring of object changes

    After objects have changed in One Identity Manager, the processing of these changes can be monitored automatically via an interface (REST API). The REST API returns the resulting process ID for each object action. This process ID can be used to retrieve various information about the processes that handle the object changes.

  • The functionality of the FileComponent.ModifyFileAccess_DotNet process task has been extended.

    A new parameter, AccessControlList, allows multiple entries of access permissions to be configured. The ModifyFileAccess_Universal process task has been replaced by this process task in the default processes.

    IMPORTANT: In the processes to create home and profile directories for Active Directory user accounts, the QER | Person | User | AccessRights | HomeDir | EveryOne, QER | Person | User | AccessRights | ProfileDir | EveryOne, QER | Person | User | AccessRights | TerminalHomeDir | EveryOne, and QER | Person | User | AccessRights | TerminalProfileDir | EveryOne configuration parameters are no longer taken into account.

    Ensure that the subdirectories under the root directories, such as the home directory, do not inherit permissions from the Everyone user group. Otherwise, there is a possibility that the user group obtains unwanted permissions on all home directories.

HTML web applications

NOTE: New Web Portal features have been implemented for the HTML application but not for the Web Designer Web Portal.

  • The Web Portal offers context-sensitive help. This shows help texts and links to the user guides.

  • The Web Portal now displays descriptions of certain properties as help.

  • In the Web Portal, you can now compare identities and their properties with each other.

  • In the Web Portal, you can now display responsibilities of identities that report to you. You can also limit the identities displayed to just those that have left or will soon leave the company.

  • To make it easier to maintain entitlements required by a team, you can now create a role for the identities you are responsible for.

  • TECH PREVIEW ONLY: The Web Portal supports editing of approval workflows.

    NOTE: This feature is only available to users who have the Portal_Preview_WorkflowEditor program function.

  • The Web Portal now shows approval guidance for pending requests.

  • The Web Portal can now display archived requests.

  • In the Web Portal, you can now display approval guidance for pending attestation cases.

  • You can now edit policy collections in the Web Portal.

  • There is now a feature in the Web Portal that provides recommendations for assigning entitlements to departments, application roles, business roles, cost centers, locations, or system roles.

  • In the Web Portal, those responsible for a software application now see the identities that have access to the software application.

  • In the Web Portal, you can now link and use custom designs.

  • In the Web Portal, you can now maintain translations of application names and descriptions.

  • In the Web Portal, you can now use search terms as filters. To do this, you enter the desired term in the search field and then press the Enter key.

  • In the Operations Support Web Portal, you can now display the contents of the DBQueue.

  • The Operations Support Web Portal now displays pending objects only for target systems for which the user is responsible.

  • In the Operations Support Web Portal, you can now see the completed or still open operations in the system that belong to a specific process ID.

  • In the Operations Support Web Portal, you can now display the operation history. Operations can be filtered by time, change type, and user that triggered it.

  • In the Operations Support Web Portal, you can now view the process history.

  • Log files can now be viewed and downloaded in the Administration Portal.

Target system connection
  • Property mapping rules can be used to configure whether the order of the values of multi-valued schema properties is taken into account when detecting rogue modifications.

  • Extension of the RemoteConnectPlugin

    The RemoteConnectPlugin has been extended. Additional authentication methods can be used to establish a remote connection to the target system. Additional properties, such as timeout or certificates, can be configured.

  • If system filters or object filters are created in the Synchronization Editor, it is possible to test whether the filter condition provides the correct results.

  • Changes to virtual schema properties can be tested directly in the Synchronization Editor mapping editor.

  • Support for Role-based access control (RBAC) and privileged identity management (PIM) for Azure Active Directory in new "RBAC" and "PIM" modes. Due to limitations of the Microsoft Graph API, the role management feature in One Identity Manager in "PIM" mode supports only the global directory space for active role assignments. These features must be activated manually.

    A patch with the patch ID VPR#35513 is available for synchronization projects.

  • Additional identity management related schema properties are mapped to Azure Active Directory user accounts.

    A patch with the patch ID VPR#36729 is available for synchronization projects.

  • Additional schema properties are mapped for the last login time of Azure Active Directory user accounts. These schema properties can only be accessed under an Azure Active Directory premium license.

    A patch with the patch ID VPR#33776 is available for synchronization projects.

  • Support for hierarchical address books in Exchange Online.

    A patch with the patch ID VPR#35780 is available for synchronization projects.

  • Support for Microsoft Teams team templates.

  • Support for POSIX enhancements for Active Directory user accounts, groups, and contacts.

    Patches for synchronization projects with patch ID VPR#14634 and VPR#14634_ARS are provided.

  • Support for hierarchical address books in Microsoft Exchange.

    A patch with the patch ID VPR#35779 is available for synchronization projects.

  • Active Roles version 8.1.3 is supported to the previous extent.

  • One Identity Manager supports the LDAP object class eduPerson. This object class is mainly used in directories of universities and colleges to simplify communication between institutions.

  • Support for One Identity Safeguard versions 7.2 and 7.3.

    A patch with the patch ID VPR#36617 is available for synchronization projects.

  • Support for One Identity Safeguard partitions.

    A patch with the patch ID VPR#36044 is available for synchronization projects.

  • Support for SAP .Net Connector 3.1 for x64, with version 3.1.2.0 for Microsoft .NET 4.8 or later.

  • Roaming of Notes user accounts is supported.

    A patch with the patch ID VPR#36087 is available for synchronization projects.

  • The SCIM connector supports synchronization of SAP Cloud ALM applications via SAP Cloud Identity Services with the default schema. To set up the synchronization, you can use the SCIM synchronization of the SAP Cloud ALM application project template.

  • Information is mapped about the last password change and the last login date of Unix user accounts.

    A patch with the patch ID VPR#36688 is available for synchronization projects.

Identity and Access Governance
  • Renaming

    In the process of renaming, unused translations in the DialogMultiLanguage table have been cleaned up.

    • Employees to Identities

      One Identity Manager manages not only natural persons, but a wide variety of identity types. To represent this more clearly, the Person object type has been renamed from Employee to Identity. In the process, Pseudo employee has been renamed to Virtual identity.

    • Request templates to Product bundles

    • Help desk calls to Tickets

    • Language culture to language or language code

  • Support for Behavior Driven Governance for One Identity Safeguard. This includes:

    • Attestation and recertification of memberships in PAM user groups for user accounts that have not made access requests within a defined period of time. The memberships are removed automatically if attestation is denied. The time period is set by the TargetSystem | PAG | UnusedThresholdInDays configuration parameter.

    • Detection of PAM objects, such as assets, user groups, or entitlements that have not been used for a defined period of time. If, according to the PAM audit log, an entitlement has not been used during this period, a recertification procedure can be used to determine whether the entitlement is still required. Unused entitlements can then be removed from the target system. The time period is set by the TargetSystem | PAG | UnusedThresholdInDays configuration parameter.

  • New approval procedure OX - Owner of the object in any request parameter of the request properties.

    The approval procedure determines as approvers the owners (application role) of an object that is given in a request parameter. The application role is assigned to the object through a foreign key column. The name of the request parameter is given with the approval step, as well as the name of the table column that refers to the application role. The approval procedure can be used for all products that are assigned a request property that uses this request parameter.

  • Terms of use can be allocated to attestation policies. The terms of use can be provided as a PDF file in different languages.

  • In the Web Portal, attestors can be given approval recommendations. The recommendations for approving or denying attestation cases are calculated based on various criteria. The criteria are specified in the QER | Attestation | Recommendation configuration subparameters.

    NOTE: The feature has been implemented for the Web Portal HTML application but not for the Web Designer Web Portal.

  • You can now assign additional properties to attestation cases.

  • Attestation policies can be configured to generate an empty attestation run if no object to be attested is found when the attestation cases are calculated.

  • New approval procedures BA - Owner of the application and BE - Approver of application entitlement

    The approval procedures determine the owner (application role) or approver (application role) of the associated application when attesting application entitlements in the Application Governance Module.

  • New approval procedure SP - Owner of service principal

    This approval procedure determines the owner (application role) of the attested Azure Active Directory service principal.

See also:

Enhancements

The following is a list of enhancements implemented in One Identity Manager 9.2.

Table 1: General

Enhancement

Issue ID

The Update event is only generated if there were changes to the object.

30163

The UnitOfWork prevents object changes from being added after the commit is started, otherwise they would be lost.

35913

Introduction of a bulk query interface in the VI.DB, specifically to speed up front-ends.

36478

The Consistency Editor can filter consistency checks in the test options dialog.

32390

Improved the DialogDeferredOperation with overdue actions, activated but without existing job consistency check.

34789

The SQL formatter consistency check now also checks for correct parametrization of the EmptyClause for key columns.

35737

The Objectkey references to non existing object (tolerated) consistency check is no longer required and been removed.

37141

Enhanced performance and handling of autocompletion of syntax in script code.

35649

Improved function selection for calling scripts in the Designer Script Editor. The menu tries to preselect the script the respective selection.

36081

Improved how proxy view extensions are displayed in the Designer's Schema Editor.

36380

Improvements made to the user interface to support changes to multilingual translated data.

34794

Support for automatic translation of compound strings. This finds the translation of each part and combines them to form the completed string.

34477

In the Designer's Language Editor, customized default translations have a yellow background in the translation table.

36422

The format of the configuration data in the form definition have been reworked. Custom form definitions are converted automatically.

35422

The information in the DialogLogicalForm.DialogFormDefinition column are now check for valid XML notation when saved.

36125

Masking of free text variables in the user interface navigation has been improved. Users can now influence how special characters are masked when they use them.

35886

Using a script, user interface variables can be calculated dynamically and depending on the context. This allows display texts in the user interface to be context-sensitive.

36305, 36238, 36862

Implementation of a visibility script in diverse default methods. This hides the methods in the Manager's task menu if they cannot be run because of object specific conditions.

36509

The Manager shows a tool tip with a description on various assignment forms.

32033

A new control element enables the comfortable maintenance of complex data structures, which are stored on the database side, in the Json format or also in the .NET database ConnectionString format, for example.

35518

Improved accessibility of the hierarchical list control.

36640

The reason for denying a session certificate in the application server is now logged by NLog.

35618

The product version is now shown on the tile with system information in the application server.

35963

The AppServer.Installer.CMD.exe program is now installed locally in the same way as the other command line programs.

35894

It is now possible to edit an existing application server installation with the Web Installer.

33584, 314733

In the One Identity Manager Service log view, the Raw Log menu displays the NLog log including entries from plugins.

35763

The permissions for the Database Agent Service to access the msdb database that are no longer required, have been removed.

35337

The DatabaseAgentServiceCmd.exe program now writes all warnings and errors to the console output.

36134

The email configuration wizard can now specify a Job server that takes over the SMTP server functionality.

35564

When processes are generated for email notifications, error messages are logged if the relevant configuration parameters are not set or no valid email address is entered.

33690

Disabled Job servers are now better displayed in the Job Queue Info program.

35677

In the Job Queue Info, the stop and start behavior of the system (emergency stop) has changed to stop queue processing without a delay if possible.

36222

Improved how process step error messages are presented in the Job Queue Info program. A dialog with the entire error message can be opened via the error link or the context menu.

36918

Improved layout of buttons for emergency stop in the Job Queue Info toolbar.

37105

Logging in the database with NLog 5 is now possible.

36303

If an error occurs during saving, both the table name and the display name of the object are now output in order to better locate the faulty object.

36373

Improved output of error messages from the database.

36639

Autocomplete has been improved in the Object Browser filter.

36083

Extra space in the Object Browser filter text box has been removed.

36084

Enhanced performance importing cumulative transports with the Database Transporter.

36401

Improvements in the DBTransporterCMD.exe command line program.

37012, 37013

Various improvements to the Data Import program's user interface.

36611

The Software Loader displays a warning if the selected files for importing are not in a valid install directory.

35609

Enhanced support for horizontal read scale-out in local availability groups of an SQL Server cluster.

  • Templates for configuring read scale-out have been integrated into the application configuration files.

  • The different connection pools are now visible in the log.

36109, 36110, 36977, 37029

Enhanced performance for cleaning up the DBQueue Processor task buffer.

35978

There is now no process delivery if there are custom database triggers that are disabled.

36433

Columnstore indexes are excluded when a transport is created with the Database Transporter.

36452

Permissions on the PersonPasswordHistory table are removed if they are not required.

36940, 419127

Enhanced performance filling the QBMSplittedLookup table.

36973

The index weighting for the full-text search can now also be set for integer columns.

36801

Triggers are no longer disabled while the DBQueue is being compressed. This stops the database from switching into maintenance mode and there is no disadvantage to the users.

36975

For an HTML application, a database user can be specified whose has an access level that meets the required minimum of being able to use this HTML application.

36436

Enhanced performance of viewing conditions for different application roles.

36759

After a database migration, the data for the module definition of the customer module CCC is regenerated.

36820

Superfluous role definitions for the History Database have been removed. An SDK script is provided for creating the minimum required permissions.

35936

The Schema Extension allows custom columns to be deleted in the view tables.

36667

A report can be exported in a given format with just one click if it is configured correspondingly.

35607

The query and calculation settings for report parameters can be changed with the data dependencies script, the front-end will adapt automatically.

36573

Where clauses from the report definition of subscribable reports are now also marked as trusted.

36574

The System Debugger has new command line parameters /Conn and /Auth that allow login credentials to be passed directly, making it possible to login automatically.

36403

The Quantum.MigratorCmd.exe program can now be used to create custom permissions groups (/Group parameter) and run SQL statements after database installation (/PostSQL parameter).

35746

In the installation wizard, on the Module selection page, additional descriptions about each module are displayed when selected.

35830

A new authorization method has been implemented for using the RemoteConnectPlugin in Docker containers.

36454

Third-party components update.

36426

Increased security generating reports.

37255

Table 2: HTML web applications: Feature parity with the Web Designer Web Portal

Enhancement

Issue ID

In the Web Portal, it is now possible to save the current view of a page.

32356, 30242, 300743

In the Web Portal, you can now view statistics and KPIs, depending on the permissions of the logged-in user.

36789, 393878, 322309

In the Web Portal, the filter dialog has been revised and an option to create custom filters has been added.

206836

In the Web Portal, you can now send request inquiries to other identities.

250607

In the Web Portal, you can now display a state overview and a status comparison in the object history.

252817

In the Web Portal, you can now manage Webauthn security keys as long as the API Server is configured with RSTS.

259005

In the Password Reset Portal, you can now manage password questions.

277546

You can now sort tables in the Web Portal.

284241

In the Web Portal, you can now manage resources, assignment resources, multi-request resources, and multi-requestable/unsubscribable resources.

288423

In the Web Portal, it is now possible to create departments, application roles, business roles, cost centers, locations, and system roles.

288860

Managers, IT Shop administrators, and Compliance and Security Officers can view request from identities.

290759

In the Web Portal, you can now display the system entitlement history.

299095

In the Web Portal, you can now export tables.

300508

In the Web Portal, you can now display, create, and edit tickets.

304631, 305721

In the Web Portal, you can now edit the main data of risk index functions.

304675

In the Web Portal, you can now use function analysis to display identities with critical SAP functions that violate compliance rules. You can also use rule analysis to display compliance rules that include SAP functions and identify any identity that violates the compliance rules.

304676

Rule violation management has been extended in the Web Portal:

  • More details are displayed about rule violations.

  • Mitigating controls that are assigned to a rule violation are displayed.

  • Rule violation detection can be started manually.

305793

In the Web Portal, you can now filter by attestation cases in which a specific identity has made an approval decision.

305996

Auditors can now view identities in the Web Portal.

306003

In the Web Portal, Auditors can now view departments, application roles, business roles, cost centers, locations, and system roles.

306005

In the Web Portal, you can now display company policies.

306100

Compliance framework managers and auditors can now view compliance rules in the Web Portal.

308021

The Web Portal now requires explicit re-authentication of the logged-in user to agree to the terms of use. The authentication procedure for this is configurable and can be disabled.

314572

The Web Portal now supports browser notifications.

319194

In the Web Portal, you can now view and respond to request inquiries.

321526

In the Web Portal, you can now send inquiries about attestation cases to other identities.

321541

In the Web Portal, you can now view and respond to inquiries about attestation cases.

321542

In the Web Portal, those responsible for a software application can now edit the main data of the software application.

394940

Auditors now see all requests in the Web Portal.

400433

The Web Portal now displays list reports directly in the browser.

405305

The Web Portal now displays devices, and you can edit their master data.

405829, 275567

In the Web Portal, a request can now be resubmitted from the request history.

413040

The Web Portal displays information about the logged in user, their permissions groups, and program functions.

415628

The Web Portal displays the source data of certain statistics.

416009

In the Web Portal, you can now display policy violations associated with company policies.

416128

In the Web Portal, managers can now create individual delegations and deputizations for identities for which they are responsible.

420543

In the Web Portal, you can now see the mitigating controls assigned to company policies or policy violations. In the case of policy violations, you can also edit the mitigating control assignments.

421474

In the Web Portal, you can now display a hyperview of the logged in identity in the profile settings.

421695

In the Web Portal, you can now display hyperviews of objects involved in attestation cases and policy violations.

425269

Table 3: HTML web applications

Enhancement

Issue ID

It is now possible to edit an existing API Server installation with the Web Installer.

33584, 314733, 313398

During installation of the API Server it is possible to set the password of the default system user IdentityRegistration. It is also possible to specify another system user, whose login can be used to create new identities.

36343, 407727

The API Server can write the session ID to log entries.

To do this, there must be the following entry in the <nlog> section of the nlog.config file:

<extensions>

<add assembly="QBM.CompositionApi.Server" />

</extensions>

36902

Local customizing of an API Server configuration is now only allowed by default if the API Server was started from the command line on the ImxClient.

Local customizations are disabled on IIS-based installations. You can override this behavior by adding the following code snippet to the web.config file.

<appSettings>

<add key="IsStandAlone" value="true" />

</appSettings>

416938

The API Server supports Websocket API methods.

394642

Enhancements to API clients for Angular developers:

  • Named interfaces are now used for the parameter types. These interfaces are exported so that they can be used in the application code.

  • The parameter properties are stored with their descriptions in the API client.

394386

The API Server uses HTTP status code 403 if authentication fails.

405643

The SCIM API's CSRF protection mechanism of the API Server is disabled by default.

405926

API clients are now more stable if the network connection breaks.

264940

The API Server runs a version check. Access by API clients of other versions causes an error.

296243

Enhanced performance starting the API Server.

312481

Compatibility of the API Server with reverse proxies has been improved. Reverse proxies can be configured in the Administration Portal.

319175

The API Server uses less space for temporary files on an IIS installation.

328741

Type-safe classes are now supported for editing custom API plugins.

316845

The API Server now takes all languages into account that are listed in the Accept-Languages header of an API query.

316933

The .WithSingleEntityRead() extension method was implemented in the API Server. It can be used to load single entities via the API (identified by the primary key).

251366

If the base URL of the API Server does not match a web application, a corresponding log entry is now generated.

389277

Angular application debugging has been stabilized by implementing the deleteDestPath option.

407356

API client methods now support canceling of API requests.

390096

In the Administration Portal, naming of multiple configuration keys has been improved.

424491

Recently added configuration keys can now be deleted in the Administration Portal.

307180

The Administration Portal now displays the API documentation. You can also configure how the API documentation is displayed in the Administration Portal settings.

322436

Enhanced performance of the API documentation.

307709

Requests from the API documentation (Swagger) no longer fail due to the missing X-XSRF-TOKEN header, as it is now included in the requests.

394255

The SameSite cookie setting can now be edited in the Administration Portal.

386427

The domain of the cookies sent by the API Server can now be configured in the Administration Portal.

388463

A default design for web applications can now be configured in the Administration Portal.

322421

The web applications now support a high-contrast design.

316555

In the Administration Portal the VI_ITShop_CanCloneCartItemsByPerson and VI_ITShop_CanCloneCartItemsByProduct configuration parameters that have no effect, have been removed.

422641

Improved the Administration Portal display of the API Server status:

  • You can show the list of composition API caches.

  • You can empty the cache.

  • You can enable and disable cookies usage.

  • You can display charts on the start page that show the number of sessions in chronological order.

387864

In the Administration Portal, you can now configure that users cannot change the language in their profile settings and that the browser language is used for the web application interfaces instead.

35813, 206640

In the Administration Portal, you can now configure the maximum size of an identity's profile picture.

367838

The ConfigFileEditorCMD program now supports the /preventdbupdate true command line parameter. If this is set, the application token is not updated in the database. This parameter is primarily intended for use in containers.

405743

The Web Portal uses a new mode for searching products on the product selection page to provide more complete search results and enhance performance.

32800, 423711

When approving a request or an attestation case, the approval step in which the approval is being decided is now displayed.

34861, 316872

You can now specify values for request parameters of products assigned to a product bundle. These values are then pre-set from the corresponding product bundle on requesting.

33637, 316846

The user now receives a warning before saving and before starting an attestation policy if the expected number of attestation cases exceeds a given threshold. The threshold can be configured.

34918, 305302

The Web Portal has a completely revised New Request page.

35573, 312077

Enhanced performance in the Web Portal for:

  • approving attestation cases

  • displaying my responsibilities

35861, 36814

New attestation conditions are provided to identify unused user accounts, which can be used for attestation of user accounts and memberships in system entitlements.

37004

New attestation conditions are provided to identify unused PAM entitlements, which can be used, for example, as part of Behavior Driven Governance for One Identity Safeguard.

37005, 37006

In Web Portal, using the keyboard has been improved.

410172

IT Shop administrators can now edit product bundles in the Web Portal.

416274

In the Web Portal, you can now create a new system role for an application without assigning entitlements to this system role at the same time.

421193

Application entitlements of an application can now be filtered in the Web Portal.

425214

Enhanced editing of service items:

  • In the Web Portal, you can see which application the application entitlement of a service item is assigned to.

  • If the service item properties cannot be edited due to an application entitlement assignment, a message is displayed.

  • IT Shop administrators can change the owner of a service item.

292570

In the Web Portal, if SAP function compliance rules are violated, you can now display the SAP authorizations that lead to the rule violation.

297236

In Web Portal, you can now set certain properties for multiple products that you want to request at once (for example, validity and reasons).

309614

As a report administrator, you can now specify who can access or subscribe to a report in the Web Portal.

314124

You can now configure your own settings in the Web Portal:

  • Application design

  • Time zone

  • Using the profile language instead of the browser language

319031, 206656

Views in the Web Portal can now be configured on more pages:

  • Attestation runs

  • Rule violations

  • Identities overview in the Data Explorer

  • System entitlements overview in the Data Explorer

320784

When requesting from a product bundle in the Web Portal, the request parameters stored with the product bundle are now included as well.

322296

In the Web Portal, you can now zoom in and move around in hyperviews.

367241

In the Web Portal, you can now perform an origin analysis when attesting an assignment.

388598

In Web Portal you can now perform an origin analysis in the attestation history for an assignment attestation.

388599

In the Web Portal, you can now click to display hyperviews such that all the information is shown.

418561

If an attestation is approved or denied, an evaluation is carried out as to whether a reason must be provided.

415322

Hyperviews in web applications now support displaying of visual separators.

206664

The Web Portal and the Password Reset Portal now support a layout that hides the header and the menu bar.

404198

As the person responsible for an application, you can now edit the service category structure for the application in the Web Portal.

A service item with application entitlement can now only be assigned to a service category under the basic service category of the application.

405217

A new menu item Responsibilities > My Responsibilities has been added in the Web Portal. You can now use this menu item to display all objects for which you are responsible.

406577

In the Web Portal, resolving rule violations of compliance rules for SAP functions has been improved.

320932

If role memberships of a logged-in user change, the user is notified in the Web Portal and must log in again.

293389

In the Web Portal, if you click an object for further editing or a detailed view, the pane that opens now shows the name of the corresponding object as a subtitle.

303776

If the MitigatingControlsPerViolation configuration parameter is set, the request approver can now add mitigating controls to the resulting rule violations of a request as long as the approver is also an exception approver for the violated rule.

In addition, the user can now see the request's mitigating controls in the request history.

305815

If the MitigatingControlsPerViolation configuration parameter is set, you can now add mitigating controls to rule violations.

367357

Attestation runs that were started via a policy collection are now marked accordingly in the Web Portal.

316985

In the Web Portal, you can now cancel requests to which you have write permissions.

36058, 319102

Handling of pending attestation cases has been expanded to include the following:

  • Displaying terms of use for an attestation case if the terms of use have been assigned to the underlying attestation policy

  • Displaying policy violations of the attestation case base object

  • Attestation cases with policy violations are highlighted in the overview

  • Displaying mitigating controls for policy violations of an attestation case

  • Risk assessment of the attestation case basic object

319199

In the Web Portal, you can now assign mitigating controls to a policy violation.

319201

In the Web Portal, the display of selected objects has been standardized.

320942

Resolving rule violations has been expanded to include the following:

  • The user can specify a reason that will be used to unsubscribe requests if at least one unsubscription is made.

  • Generated unsubscriptions are displayed in the request history in such a way that it is apparent who resolved the rule violation.

  • A default reason is automatically used for request cancellations, indicating that the cancellation was made to resolve a rule violation.

321559

Hyperviews are now provided in the Web Portal for the following objects:

  • Identities

  • Departments

  • Application roles

  • Business roles

  • Cost centers

  • Locations

  • System roles

  • User accounts

  • Resources

  • Multi-request resources

  • Multi requestable/unsubscribable resources

  • Assignment resources

  • System entitlements

  • Compliance rules

  • Company policies

367240

In the Web Portal, you can display the history of an object chronologically.

417844

You can now use the Password Reset Portal to create a new user account.

387948

In the Web Portal, you can now manage the ticket attachments (download, upload, edit, and delete) as well as edit the structure of the attachment folders.

388586

In the Web Portal, you can now view your own attestation status.

388600

How the recipient of a delegation is displayed in the request history has been improved.

36122, 388967

The following program functions have been introduced.

  • Portal_UI_ApplicationAdmin

  • Portal_UI_ApplicationOwner

  • Portal_UI_PAGStatistics

  • Portal_UI_PasswordHelpdesk

  • Portal_UI_PersonAdmin

  • Portal_UI_PersonManager

  • Portal_UI_PersonStatistics

  • Portal_UI_PolicyAdmin

  • Portal_UI_PolicyOwner

  • Portal_UI_PolicyStatistics

  • Portal_UI_QERPolicyAdmin

  • Portal_UI_QERPolicyStatistics

  • Portal_UI_ResourceAdmin

  • Portal_UI_RoleAdmin

  • Portal_UI_RoleStatistics

  • Portal_UI_RuleStatistics

  • Portal_UI_ShopAdmin

  • Portal_UI_ShopStatistics

  • Portal_UI_StructAdmin

  • Portal_UI_StructStatistics

  • Portal_UI_TSBStatistics

395043, 427871

You can now specify in a parameter definition (for reports or requests) that the selection of a parameter value is made from a flat list (instead of from a tree).

307699

In the Operations Support Web Portal, the Availability check has been extended and revised.

205400

In the Operations Support Web Portal, only objects that are directly assigned are marked as outstanding.

316548

Displaying processes in the Operations Support Web Portal has been improved:

  • You can use the process ID to go directly to the operations that belong to the process ID.

  • You can see a summary status for each process.

  • You can see the list of objects affected by a process.

  • You can see the error message of a failed process step and copy it to the clipboard for further use.

327062

In the Operations Support Web Portal, the stop and start behavior of the system has changed to stop queue processing without a delay if possible.

393858

The Operations Support Web Portal is now only offered if a database connection with the Configuration user access level is used.

 

The Angular applications now use Angular 14.

394843

The RSTS has been updated to version 2023-02-28.1.

Changes:

  • Multiple instances of the service can be installed next to each other.

  • Integration of OneLogin MFA.

  • Support for LDAPS with SSL/TLS when connecting to Active Directory or an LDAP server.

  • New support for automatic monitoring and updating of metadata when configuring with a URL.

  • Starling 2FA removed.

The RSTS must be uninstalled/reinstalled for the update.

404168

Table 4: Web Designer web applications

Enhancement

Issue ID

Third-party components JQuery UI and Angular.js updated.

315799, 417517

Enhanced performance in the Web Designer Web Portal displaying the shopping cart.

33913, 430424

When rule violations are resolved in the Web Designer Web Portal, the reason and the person who unsubscribed are now given for unsubscribed entitlements.

35754

Increased the Web Designer Web Portal's security.

36328, 430932, 415297

Increased security generating reports.

37244

Table 5: Target system connection

Enhancement

Issue ID

Support for using a connection certificate to log in to Azure Active Directory. This requires an X.509 certificate including private key. You can use a self-signed certificate.

A patch with the patch ID VPR#36596 is available for synchronization projects.

36596

Service principals can now be assigned as owners of Azure Active Directory service principals.

A patch with the patch ID VPR#35769 is available for synchronization projects.

35769

The list of permitted values of the preferred single sign-on mode for Azure Active Directory service principals has been extended.

37198

It is now also possible to remove Exchange Online distribution lists if the synchronization user account is not given in the distribution list as a manager.

36060

The Exchange Online connector now uses and requires the Exchange Online PowerShell module with version 3.2.0 or later.

36363

The maximum configurable number of simultaneous connections has been increased to 999 in the Exchange Online connector.

36521

The connector for Azure Active Directory and Microsoft Teams now uses version 5 of the Microsoft Graph .NET SDK (Graph Wrapper).

36738

Enhanced performance when loading Microsoft Teams teams and channels as part of synchronization.

33471

The Allow members to create private channels option is read in and synchronized for Microsoft Teams teams.

36568

When a Microsoft Teams team is archived, all associated properties except for custom columns are now locked and can no longer be edited.

36623

The connector for Microsoft Exchange 2013, Microsoft Exchange 2016, and Microsoft Exchange 2019 now supports access to the MessageCopyForSendOnBehalfEnabled and MessageCopyForSentAsEnabled properties. There is no mapping in the default.

35784

Support for send-as permissions for Microsoft Exchange mail-enabled distribution groups.

A patch with the patch ID VPR#35776 is available for synchronization projects.

35776

OneLogin roles can now be automatically added to the IT Shop. The behavior is regulated by the QER | ITShop | AutoPublish | OLGRole configuration parameter.

35878

In the case of OneLogin user accounts, it can only specify whether the user account is locked.

35989

If an exact change date for OneLogin user account can be set, the current timestamp is used as the revision counter.

37120

To support One Identity Safeguard Behavior Driven Governance, audit logs are synchronized.

A patch with the patch ID VPR#36315 is available for synchronization projects.

36315, 36920

Support for PAM access requests for remote desktop applications for assets.

35731

Support for OneLogin as authentication provider for PAM user accounts. The reports and policies for using multi-factor authentication have been adapted accordingly.

35731

Support for PAM access requests for API keys for accounts.

36617

Clear up of the synchronization configuration for SAP authorization objects.

A patch with the patch ID VPR#35904 is available for synchronization projects.

35904

The object filter can filter SAP user accounts by the feature USTYP.

36427

In the Unified Namespace, the mapping of object properties from SAP roles to system entitlements has been changed. SAPRole.RoleDescription is now mapped to UNSGroup.Description. 36498
A synchronization project for the synchronization of BI analysis authorizations can only be set up if the SAP Business Warehouse component is installed in the SAP R/3 system. 36514

When single roles are assigned to composite roles in the SAP R/3 system, only memberships marked as active are synchronized.

36766

When establishing the system connection to a cloud application, the number of items per page can be configured for object list requests.

A patch with the patch ID VPR#36376 is available for synchronization projects.

36376
Improved user navigation in the project wizard when setting up synchronization with a cloud application with OAuth authentication. 36905
If a cloud application blocks access to the target system because too many requests are made, the SCIM connector attempts to resend the requests after a specified delay. Definitions according to RFC 6585 are observed. The connector retries up to 30 times. 36339

The SCIM connector allows customized lines in GET request headers.

36202

When the SCIM connector is authenticated via OAuth, the configured client ID and client secret data is always transmitted in the header and body of the POST request.

36912

The One Identity Manager connector provides a virtual schema property that can be used to map translations of single values.

36375

When setting up synchronization with the CSV connector, the path to the CSV file can be specified as an absolute path or as a relative path to the CSV system file. This way CSV files from different locations can be used in one synchronization project.

35420

The Powershell connector definitions consistency check now checks whether at least one return command (ReturnBinding) has also been defined for a property that is readable according to the definition.

35654

Advanced logging modes when running Windows PowerShell scripts with PowershellComponentNet4.

36811

Support for new format of ClientSecret strings generated by One Identity Starling Connect.

36156

Improved error handling for target system connectors that use the local cache when individual objects cannot be loaded due to corrupted data.

36793

The value of quota variables can also be specified as a percentage.

36510

Enhanced performance when creating display values for synchronization objects.

36284

The target system browser provides the option to edit a previously defined filter for the result list.

36154

The dialog for decrypting connection data in Synchronization Editor has been improved.

36026

In the dialog for selecting the synchronization server, an existing Job server can now also be selected. This automatically assigns the server function matching this Job server.

35903

If in Manager on the Target system adjustment form a method for handling the pending objects cannot be run due to constraints, the respective icon is disabled. Details about the respective constraint can be displayed.

31890

New consistency check for synchronization projects that warns about configuration errors in mappings of M:all tables (for example ESetHasEntitlement).

36666

Creating, changing, and deleting user accounts in custom target systems (UNSAccountB) avoid unnecessary post-processing tasks.

36989

New configuration parameter QER | Person | User | DeleteOptions | DeleteOutstanding which allows user accounts marked as pending to be deleted automatically.

32052

In the Manager, the Define search criteria for identity assignment form for target systems, now also displays the activation status of identities and user accounts. An option is provided to manually connect even locked user accounts to identities.

32254

In the Manager, inactive identities can now also be assigned to user accounts on the user account main data forms of the target systems. The new configuration parameter QER | Person | HideDeactivatedIdentities specifies whether inactive identities are shown or hidden on the user account main data forms.

36703, 36734

References to the Active Directory edition have been removed from the installation wizard and guides.

Existing installations of this edition are not affected.

36939

The Manager overview forms for user accounts display information about heritability of system entitlements better.

36049

Table 6: Identity and Access Governance

Enhancement

Issue ID

The terms of use can be provided as a PDF file in different languages.

31889

The data about an attestation object of an attestation case is provided as a report or as a snapshot. Report and snapshot can be displayed in the Manager.

35498

Various enhancements determining attestors with the SO approval procedure.

36477

If compliance rule violations are identified in the request approval process, exception approvers may assign mitigating controls when approving the rule violation.

21081

Various columns in the ComplianceRule table have been additionally labeled as multi-language. Their contents can now be translated.

36845

The Rule Editor for compliance rule reworked for future extensions. This modification removed the assembly value in the XML configuration. Rule conditions created with older One Identity Manager versions can still be loaded. Compliance rule created with One Identity Manager 9.2 do not work in older One Identity Manager versions.

35131

Multifactor authentication can be requested for accepting terms of use.

35859

IT Shop customizer error messages use custom display values and date formats and can be translated.

36053

Email notifications will no longer be sent to permanently inactive identities.

36152

Service item attestators see all the information about an attestation object on the service items overview form.

36173

The overview form of an application role also displays the approval workflows in which the application role is determined to be the fallback approver.

36213

Deputizations and delegations come to an end when the deputy is deactivated.

36300

The display values of some values of the AttestationHistory.DecisionType column have been corrected so that the display value and the English translation of the display value are identical.

Value

Previous display value

New display value

Abort

Aborted

Canceled

Direct

Direct

Forward

RevokeAdditional

RevokeAdditional

Revoke additional approver

If you retrieve translations of values in custom scripts, for example in email notifications, adjust these scripts accordingly. Use the new display value as a key for the translation.

Example of use in the pre-script to generating a process:

  • Previous: Connection.MultiLanguage.GetInLanguage("AttestationHistory", "DecisionType", "Abort", personLanguage).ToString()

  • New: Connection.MultiLanguage.GetInLanguage("AttestationHistory", "DecisionType", "Canceled", personLanguage).ToString()

36460

The display values of some values of the PWODecisionHistory.DecisionType column have been corrected so that the display value and the English translation of the display value are identical.

Value

Previous display value

New display value

Abort

Abort

Cancel

AddAdditional

AddAdditional

Additional approver

AddHistoryEntry

AddHistoryEntry

Show in history

AddInsteadOf

AddInsteadOf

Delegation

ChangeBoard

ChangeBoard

Change shelf

CreateOrder

CreateOrder

Stock request

Grant

Grant

Approval

ResetReservation

ResetReservation

Reset reservation

RevokeAdditional

RevokeAdditional

Revoke additional approver

RevokeDelegation

RevokeDelegation

Revoke delegation

If you retrieve translations of values in custom scripts, for example in email notifications, adjust these scripts accordingly. Use the new display value as a key for the translation.

Example of use in a script:

  • Previous: multiLanguage.Get("PWODecisionHistory", "DecisionType", "Grant")

  • New: multiLanguage.Get("PWODecisionHistory", "DecisionType", "Approval")

36460

The request overview form displays the request properties that are used (modern definition) and their parameters.

36652

The Request History report for an identity now shows approved multi-request resources under the Approved multi-request resources tab.

36654

Calculation of SAP functions optimized.

36796

A reason can now be entered for the temporary deactivation of an identity. For this purpose, a LeaveofAbsenceReason (Reason for absence) column has been added to the Person table.

35739

Enhanced performance calculating SAP functions.

36821

Masked special characters can be used in the authorization definition of SAP functions.

36780

Enhanced performance in attestation policy condition testing.

37134

Improved how the Move products dialog is presented in the Manager.

36636

The following scripts for formatting links in emails to directly approve requests or directly attest, or for displaying rule violations have been converted internally to use IEntity.

  • VI_BuildITShopLinks

  • VI_BuildAttestationLinks

  • VI_BuildComplianceLinks

If these scripts are to be custom used for any other purpose than for mail templates, the calling parameter must be changed from Base to Entity.

36556

The calculation of permitted approvers in the approval workflow has been optimized. Approval levels that have already been completed are no longer recalculated after each change.

35602

The ApplicationStart_ApplicationGovernance program function is no longer needed and has been removed.

35869

The OA and TO approval procedures have been extended to determine approvers for assignment requests.

The EN approval procedure has been extended to determine attestors for assignments of system entitlements to hierarchical roles.

36432

If an email notification from the IT Shop cannot be sent due to a processing error, the sender of the email is informed and the original email is deleted from the outbox. A new mail template Approval - Error processing an approval mail is provided.

21300, 31884

When calculating the peer group factor, resources that can be requested more than once are also taken into account.

35854

See also:

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating