Chat now with support
Chat mit Support

Identity Manager 9.1 - Release Notes

Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 9: General known issues
Known Issue Issue ID

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

23521

Errors may occur if the Web Installer is started in several instances at the same time.

24198

Headers in reports saved as CSV do not contain corresponding names.

24657

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Error connecting through an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.

27793

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key, is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

29535

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the server is done by Distributed Transaction. If a Save Transaction is run in the process, an error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

30972

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.

31322

Table 10: Web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometime occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.

32364

It is not possible to use the Web Designer to place a link in the header of the Web Portal next to the company name/logo.

32830

In the Web Portal, it is possible to subscribe to a report without selecting a schedule.

Workaround:

  • Create an extension to the respective form that displays a text message under the menu explaining the problem.
  • Add a default schedule to the subscribable report.
  • In the Web Designer, change the Filter for subscribable reports configuration key (VI_Reporting_Subscription_FilterRPSSubscription) and set the schedule's Minimum character count value (UID_DialogSchedule) to 1.

32938

If the application is supplemented with custom DLL files, an incorrect version of the Newtonsoft.Json.dll file might be loaded. This can cause the following error when running the application:

System.InvalidOperationException: Method may only be called on a Type for which Type.IsGenericParameter is true.
at System.RuntimeType.get_DeclaringMethod()

There are two possible solutions to the problem:

  • The custom DLLs are compiled against the same version of the Newtonsoft.Json.dll to resolve the version conflict.

  • Define a rerouting of the assembly in the corresponding configuration file (for example, web.config).

    Example:

    <assemblyBinding >
    <dependentAssembly>
    <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30AD4FE6B2A6AEED" culture="neutral"/>
    <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0"/>
    </dependentAssembly>
    </assemblyBinding>

33867

In the Web Portal, the details pane of a pending attestation case does not show the expected fields if the default attestation procedure is not used, but a copy of it is.

Solution:

  • The object-dependent references of the default attestation procedure must also be adopted for the custom attestation procedure.

34110

Table 11: Target system connection
Known Issue Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

23795

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses were stored up to now. 27042

Error in Domino connector (Error getting revision of schema type ((Server))).

Probable cause: The HCL Domino environment was rebuilt or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the HCL Domino environment.

27126

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.

27359

Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to user account.

    - OR -

  • A company is assigned to the central system.

29253

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will not come into effect until later.

Cause: The BAPI_EMPLOYEE_GETDATA function is always run with the current date. Therefore, changes are taken into account on a the exact day.

Solution: To synchronize personnel data in advance that will not come into effect later, use a schema extension and load the data from the table PA0001 directly.

29556

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.

31904

If date fields in an SAP R/3 environment contain values that are not in a valid date or time formats, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version 3.0.15.0 or later must be installed on the synchronization server.

IMPORTANT: The solution should only be used if there is no alternative because the workaround skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.
    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">

      <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.0.0.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />

      </sectionGroup>

    • In the new section:

      <SAP.Middleware.Connector>

      <GeneralSettings anyDateTimeValueAllowed="true" />

      </SAP.Middleware.Connector>

32149

There are no error messages in the file that is generated in the PowershellComponentNet4 process component, in OutputFile parameter.

Cause:

No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.

Solution:

Messages in the script can be outputted using the *> operator to a file specified in the script.

Example:

Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force a stop on error in the script, you throw an Exception. This message then appears in the One Identity Manager Service's log file.

32945

The Google Workspace connector cannot successfully transfer Google applications user data to another Google Workspace user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advance settings for Google Workspace, save a user data transfer XML. In this XML document, limit the list to the user data to be transferred. Only run the Google applications that have user data you still need. For more information and an example XML, see One Identity Manager Administration Guide for Connecting to Google Workspace.

33104

In the schema type definition of a schema extension file for the SAP R/3 schema, if a DisplayPattern is defined that has another name in the SAP R/3 schema as in the One Identity Manager schema, performance issue may occur.

Solution: Leave the DisplayPattern empty in the schema type definition. Then the object's distinguished name is used automatically.

33812

If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.

Solution:

Avoid appending spaces in the target system.

33448

The process of provisioning object changes starts before the synchronization project has been updated.

Solution:

Reactivate the process for provisioning object changes after the DPR_Migrate_Shell process has been processed.

 

After an update from SAP_BASIS 7.40 SP 0023 to SP 0026 or SAP_BASIS 7.50 SP 0019 to SP 0022, the SAP R/3 connector can no longer connect to the target system.

34650

Table 12: Identity and Access Governance

Known Issue

Issue ID

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

31997

If an assignment is inherited through a role hierarchy, bit 1 is set on the inherited assignment. Inherited assignments are consequently always indirectly assigned, even if they were originally created directly by a dynamic role or an assignment request.

35193

Table 13: Third party contributions
Known Issue Issue ID

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers on the grounds of security.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

29051

Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see https://github.com/mono/mono/issues/7455.

762534, 762548, 29607

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016: KB4462928

  • Windows Server 2012 R2: KB4462926, KB4462921

  • Windows Server 2008 R2: KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory groups during provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.

30575

In certain circumstances, the wrong language is used in the Stimulsoft controls in the Report Editor.

31155

When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.

31998

In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see https://support.microsoft.com/en-us/help/4295103.

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellCompomentNet4 process component through a user-defined Windows PowerShell call.

33026

Schema changes

The following provides an overview of schema changes from version 8.2.1 up to version 9.1.

OneLogin Module
  • New data model for the OneLogin Module.

Configuration Module
  • New columns DialogHistoryDB.IsTransportTarget and DialogHistoryDB.TransportConnectionString for archiving data in a One Identity Manager History Database.

  • New column DialogParameter.OnPropertyChangedScript for mapping a script that runs when values change.

  • New column DialogProcessSubstitute.ReadyForDeleteOrExport for flagging a process as completed and deleted so can be therefore be exported.

  • New column DialogTable.TransportSingleUser to map a single user mode for transport.

  • New column DialogUser.IsDisabledForDirectLogin for flagging whether the system user can be used for direct login.

  • New columns QBMFileHasDeployTarget.ObjectKeyDeployTarget and QBMFileHasDeployTarget.UID_QBMFileHasDeployTarget for assigning files to machine roles.

  • New column QBMPwdPolicy.AdditionalPwdRequirements for describing the additional password requirements that will be checked in the test script.

  • New columns QBMServer.IsJobServiceSuspended and QBMServer.SuspendReason to stop the service when a target system goes offline.

  • New mandatory field definition for the QBMFileHasDeployTarget.XObjectKey column.

  • The following columns have been extended to varchar(990).

    • DialogHistoryDB.ConnectionString

    • DialogWebService.ProxyPassword

    • DialogWebService.UserPassword

    • QBMPwdPolicy.DefaultInitialPassword

    • QBMServer.SRVAccount

    • QBMServer.SRVAccountDomain

    • QBMServer.SRVAccountPwd

  • The QBMVPwdPolicyColumns.ColumnName and QBMVPwdPolicyColumns.TableName columns have been extended to varchar(30).

  • The QBMVPwdPolicyColumns.UID_DialogColumn and QBMVPwdPolicyColumns.UID_DialogTableReference columns have been extended to varchar(38).

  • The column QBMFileHasDeployTarget.UID_QBMDeployTarget column has been deleted.

Target System Synchronization Module
  • New column DialogColumn.SyncInfo for mapping restrictions for synchronizing columns.

  • New column DPRAttachedDataStore.OwnerSchema for better access to schema information.

  • New columns DPRJournal.CausingEntityDisplay, DPRJournal.CausingEntityKey, and DPRJournal.JobId for improved logging.

  • New column DPRStartSequenceHasProjection.CurrentJobReference for mapping the process that is currently running.

  • New columns DPRRootObjConnectionInfo.IsOffline and DPRRootObjConnectionInfo.IsOfflineModeAvailable for flagging offline mode.

  • The data type of the DPRShell.IsFinalized column has been changed to int.

Target System Base Module
  • New table TSBSpecificGroupBehavior for overwriting the inheritance settings of groups from the manage level.

  • The UNSAccountB.Password column has been extended to varchar(990).

Azure Active Directory Module
  • New tables AADAdministrativeUnit, AADGroupInAdministrativeUnit, and AADUserInAdministrativeUnit for mapping Azure Active Directory administrative units.

  • New table AADUserIdentity and new column AADUser.Identities for mapping identities of Azure Active Directory user accounts.

  • New table AADGroupInDirectoryRole and new column AADGroup.IsAssignableToRole for assigning Azure Active Directory groups to administrator roles.

  • New table AADGroupClassificationLbl for classifying Office 365 groups.

  • AADOrganization.TenantType for mapping tenant types.

  • New column AADUser.CreationType for mapping the creation type of Azure Active Directory user accounts.

  • New columns AADGroup.MembershipProcessingState and AADGroup.MembershipRule for mapping rules for memberships in dynamic Azure Active Directory groups.

  • The AADUser.Password column has been extended to varchar(990).

Exchange Online Module
  • New tables O3EMailboxFullAccessPerm and O3EMailboxSendAsPerm for mapping mailbox permissions.

  • New columns O3EMailbox.IssueWarningQuota, O3EMailbox.ProhibitSendQuota and O3EMailbox.ProhibitSendReceiveQuota for mapping thresholds for Exchange Online mailboxes.

  • New column O3EUnifiedGroup.UID_AADGroupClassificationLbl for classifying Office 365 groups.

  • The O3EMailUser.Password column has been extended to varchar(990).

Active Directory Module
  • New columns ADSDomain.AdUserName, ADSDomain.AdUserPassword, and ADSDomain.UID_ADSMachineRIDMaster to support moving Active Directory objects across domains.

  • The ADSAccount.UserPassword column has been extended to varchar(990).

Microsoft Exchange Module
  • New columns EX0DL.RecipientType and EX0DL.RecipientTypeDetails for mapping recipient types for mail-enabled distribution groups.

  • The ADSDomain.EX0UserPassword column has been extended to varchar(990).

LDAP Module
  • The LDAPAccount.UserPassword and LDAPContainer.UserPassword columns have been extended to varchar(990).

Oracle E-Business Suite Module
  • The EBSUser.Password column has been extended to varchar(990).

Domino Module
  • The following columns have been extended to varchar(990).

    • NDOCertifier.Password

    • NDOServer.Password

    • NDOUser.InternetPassword

    • NDOUser.Password

    • NDOUser.PasswordInitial

Google Workspace Module
  • New tables GAPExternalEmail and GAPExternalEmailInGroup for mapping external email addresses.

  • The GAPUser.Password column has been extended to varchar(990).

SAP R/3 User Management module Module
  • New column ESetHasEntitlement.ParameterValue for system roles to inherit SAP parameters.

  • New column SAPVSAPUserInSAPRoleAll.UID_SAPMandant for improved displaying of roles, groups, and profiles of SAP R/3 user accounts.

  • The SAPUser.Password column has been extended to varchar(990).

Privileged Account Governance Module
  • New columns to map access requests for One Identity Safeguard remote desktop session requests.

    • PAGAsset.IsRDPApplicationHostPlatform

    • PAGReqPolicy.ObjectKeyRDPAppHostAccount

    • PAGReqPolicy.RDPApplicationAlias

    • PAGReqPolicy.RDPApplicationDisplayName

    • PAGReqPolicy.UID_PAGAssetRDPAppHost

  • New columns to map access requests for SSH keys for One Identity Safeguard.

    • PAGAsset.SSHHostKeyFingerPrintSha256

    • PAGReqPolicy.AllowSessionSSHKeyRelease

    • PAGReqPolicy.ChangeSSHKeyAfterCheckin

    • PAGReqPolicy.PassphraseProtectSSHKey

  • New column PAGUser.ChangePasswordAtNextLogin for flagging whether the user must change their password the next time they log in.

  • New column PAGUsrGroup.AdminRoles for mapping a list of permissions that all users added to the group should receive.

  • New column PAGUser.AllowPersonalAccounts for supporting the vault for personal passwords.

  • The PAGUser.Password column has been extended to varchar(990).

Cloud Systems Management Module
  • The CSMUser.Password column has been extended to varchar(990).

Universal Cloud Interface Module
  • The UCIUser.Password column has been extended to varchar(990).

Identity Management Base Module
  • New table QERTermsOfUseHasFile for assigning files to terms of use.

  • New column AccProduct.IsToHideFromITShop for flagging whether the service item is hidden from the service catalog.

  • New columns PersonWantsOrg.Recommendation and PersonWantsOrg.RecommendationDetail for mapping approval decision recommendations for the approver in the IT Shop.

  • New column PersonWantsOrg.ObjectKeyFinal for mapping the effectively assigned product.

  • New columns PersonWantsOrg.UID_QERJustificationOrder and ShoppingCartItem.UID_QERJustificationOrder for mapping standard reasons.

  • New column PWODecisionMethod.IsHideFromSelection for flagging whether the approval policy is hidden in the Web Portal.

  • The Person.CentralPassword and Person.Passcode columns have been extended to varchar(990).

  • The PWODecisionStep.ComplianceRelevance and QERWorkingStep.ComplianceRelevance columns have been deleted.

Attestation Module
  • New table AttestationPolicyGroup and new columns AttestationPolicy.UID_AttestationPolicyGroup and AttestationRun.UID_AttestationPolicyGroup for grouping attestation policies.

  • New columns AttestationCase.Recommendation and AttestationCase.RecommendationDetail for mapping approval decision recommendations for the approver in the IT Shop.

  • New column AttestationObject.ObjectReportMode as attestation object snapshot.

  • New columns AttestationPolicy.ApproveReasonType and AttestationPolicy.DenyReasonType for mapping the type of reason.

  • New column AttestationPolicy.IsSingleCaseNotification for flagging whether notifications are always send about pending attestations.

  • New column AttestationPolicy.UID_QERTermsOfUse for assigning terms of use.

  • New column AttestationRun.UID_AttestationPolicy for mapping the attestation policy.

Application Governance Module
  • New columns AOBApplication.WhereClause and AOBApplication.WhereClauseAddOn to define filter conditions for automatically creating application entitlements..

  • New column AOBEntitlement.IsDynamic for flagging automatically created application entitlements.

Changes to system connectors

The following provides an overview of the modified synchronization templates and an overview of all patches supplied by One Identity Manager version 8.2.1 to version 9.1. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.

Modified synchronization templates

The following provides you with an overview of modified synchronization templates. Patches are made available for updating synchronization templates in existing synchronization projects. For more information, see Patches for synchronization projects.

Table 14: Overview of synchronization templates and patches

Module

Synchronization template

Type of modification

Target System Synchronization Module

Automatic One Identity Manager synchronization

changed

Azure Active Directory Module

Azure Active Directory synchronization

changed

Azure Active Directory B2C tenant

new

Active Directory Module

Active Directory synchronization

changed

Active Roles Module

Synchronize Active Directory domain via Active Roles

none

Cloud Systems Management Module

Universal Cloud Interface synchronization

changed

Oracle E-Business Suite Module

Oracle E-Business Suite synchronization

changed

Oracle E-Business Suite CRM data

changed

Oracle E-Business Suite HR data

changed

Oracle E-Business Suite OIM data

changed

Microsoft Exchange Module

Microsoft Exchange 2013/2016/2019 synchronization (v2)

changed

Microsoft Exchange 2010 synchronization (deprecated)

deleted

Microsoft Exchange 2010 synchronization (v2)

deleted

Google Workspace Module

Google Workspace synchronization

changed

LDAP Module

AD LDS synchronization

changed

AD LDS Synchronization (version 2)

changed

OpenDJ synchronization

changed

OpenDJ Synchronization (version 2)

changed

Generic LDAP Synchronization (version 2)

changed

Oracle DSEE Synchronization (version 2)

changed

Domino Module

Lotus Domino Synchronization

changed

Exchange Online Module

Exchange Online synchronization (v2)

changed

Microsoft Teams Module

Microsoft Teams (via Azure Active Directory)

changed

OneLogin Module

OneLogin Domain Synchronization

new

Privileged Account Governance Module

One Identity Safeguard synchronization

changed

SAP R/3 User Management module Module

SAP R/3 Synchronization (Base Administration)

changed

SAP R/3 (CUA subsystem)

none

SAP R/3 Analysis Authorizations Add-on Module

SAP R/3 BW

none

SAP R/3 Compliance Add-on Module

SAP R/3 authorization objects

none

SAP R/3 Structural Profiles Add-on Module

SAP R/3 HCM authentication objects

changed

SAP R/3 HCM employee objects

changed

SharePoint Module

SharePoint synchronization

none

SharePoint Online Module

SharePoint Online synchronization

changed

Universal Cloud Interface Module

SCIM Connect via One Identity Starling Connect

changed

SCIM synchronization

changed

Unix Based Target Systems Module

Unix Account Management

none

AIX Account Management

none

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen