
Identity Manager 8.1 - Release Notes

One Identity Manager 8.1

Release Notes

March 2019

These release notes provide information about the One Identity Manager release, version 8.1. You will find all the modifications since One Identity Manager version 8.0.2 listed here.

One Identity Manager 8.1 is a minor release with new functionality and improved behavior. See New features and Enhancements.

If you update a One Identity Manager version that is older than One Identity Manager 8.0.2, read the release notes from the previous versions as well. You can find the release notes under One Identity Manager Support.

For information about changes in the Data Governance Edition, see the One Identity Manager Data Governance Edition Release Notes.

For information about changes in the ServiceNow module, see the One Identity Manager and ServiceNow Integration Release Notes.

For information about changes in the Cloud HR System module, see the One Identity Manager and Cloud HR Systems Integration Release Notes.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide


About One Identity Manager 8.1

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives the company control over identity management and access decisions, while the IT team can focus on its core competence.

With this product, you can:

  • Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition
  • Meet Access Governance demands across platforms throughout your entire company with One Identity Manager

Each one of these scenario-specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

One Identity Hybrid Subscription

The newest version of our on-prem products will offer a mandatory One Identity Hybrid Subscription, which helps our customers transition to a hybrid environment on their way to the cloud. The subscription enables you to join your on-prem solutions with our One Identity Starling software-as-a-service platform, giving your organization immediate access to a number of cloud-delivered features and services that expand the capabilities of your on-prem product. We will continuously make new products and features available on our One Identity SaaS platform. With the One Identity Hybrid Subscription, you can use these immediately for your One Identity on-prem solutions, and your subscription continues to add value.

Expand the capabilities of One Identity Manager with One Identity Hybrid Subscription, which offers a myriad of additional cloud-delivered features and services. Gain access to all-you-can-eat Starling Two-Factor Authentication to protect administrative access, to enforce additional factor authentication when requesting or approving critical access or to enable out of band user verification for password requests. For an additional cost, these offerings can also be extended to additional target systems and use cases. A single subscription can be used for all your One Identity products.

New features

New features in One Identity Manager 8.1:

Basic functionality
  • For information about the minimum system prerequisites, see System requirements.

  • Oracle Database is no longer supported as a database system for the One Identity Manager database.

  • One Identity Manager uses In-Memory OLTP (Online Transactional Processing) for memory optimized data access. The database server must support Extreme Transaction Processing (XTP). Take the Advice for updating One Identity Manager into account at the same time.

  • Support for granular permissions at server and data level.

    SQL Server logins and database users are provided with the necessary permissions for administrative users, configuration users and end users. Take the Advice for updating One Identity Manager into account at the same time. For more detailed information about permissions, see the One Identity Manager Installation Guide.

    Some front-ends expect a minimum of configuration level user permissions. In this case, end user login is not supported. The permissions level for the current user is also shown in the login dialog.

  • The front-ends check whether the user has the required permissions before starting up. Users can only start up front-ends if they own permissions groups for the corresponding program functions. For more detailed information, see the One Identity Manager Authorization and Authentication Guide.

  • Role based permissions groups can be assigned to an application. In this case, the permissions of the permissions group only apply for this application. When a user logs on to the application, they receive the permissions of the permissions group in addition to their own permissions.

  • One Identity Manager logoffs can be written to the system journal. To enable this, set the configuration parameter Common | Journal | LogoffAudit. Logins and logoffs are available for analysis in the QBM_VDialogJournalLoginAudit view.

  • Improved support for troubleshooting

    • Object Browser supports debugging of scripts, templates, format scripts, table scripts, processes and methods.

      To generate local debug assemblies, enable the option Create debug information in Database Compiler and select the compiler setting Scripts including all dependencies. This option is only available for users that have obtained the program function Allow to create local debug assemblies (Common_CompileForDebug) through their permissions groups. The program function must be assigned to a custom permissions group.

    • You can search for scripts in System Debugger. Modified scripts are marked with a *. You can save multiple scripts at the same time.

    • To use System Debugger or the debug function in Object Browser, Visual Studio version 2017 with the latest Service Pack and Microsoft .NET Framework version 4.7.2 Developer Pack or later must be installed.

    • Windows Step Recorder is started in the front-end's error message window and records errors in the steps.

    • Support for NLog 4.5.11.

  • Log displayed in the application server. The log is only visible to users that have obtained the program function Enables log display in the application server (AppServer_Logs) through their permissions groups.

  • There is a command line program AppServer.Installer.CMD.exe available for installing an application server. You can find the program in the add-on for the Configuration Module.

  • Improved OAuth 2.0/OpenID Connect configuration.

    There is a wizard available in Designer for creating an OAuth 2.0/OpenID Connect configuration in One Identity Manager. Use OpenID Connect Discovery to find the configuration data or enter it manually. The data is mapped to its own tables in the One Identity Manager schema.

    NOTE: During a One Identity Manager database update, existing values from configuration parameters and the web server settings are transferred to the new data structure.

    The configuration parameter QER | Person | OAuthAuthenticator and its sub parameters have been deleted.

    In Designer, check the OAuth 2.0/OpenID Connect configuration and the web server settings under Base data | Security settings.

  • Extended support of JSON Web Key for OAuth 2.0/OpenID Connect authentication.

  • There is a command line program SchemaExtensionCmd.exe available for importing schema extensions. The program requires a definition file (XML file) that can be created in the Schema Extension program. There can be several extensions given in the definition file.

    With the Schema Extension program and the command line program, you can remove custom schema extensions from databases with a staging level Test environment or Development system.

  • Improved support for checking passwords.

    • You can define multiple password questions and answers. The configuration parameters QER | Person | PasswordResetAuthenticator | QueryAnswerDefinitions and QER | Person | PasswordResetAuthenticator | QueryAnswerRequests control how many password questions can be defined and must be answered. The configuration parameter QER | Person | PasswordResetAuthenticator | InvalidateUsedQuery defines whether questions should no longer be used after the password has been reset successfully.

    • You can assign password policies to departments, cost centers, locations and business roles.

    • Password policies can be applied depending on the user account's account definition or the user account's manage level.

    • In password policies, you can specify character sets that are not permitted in generated passwords.

    • The column definition specifies whether a column contains name properties to be checked in the password policy.

    • An employee's central password is mapped to the employee's system user password. This behavior is defined in the configuration parameter QER | Person | UseCentralPassword | SyncToSystemPassword.

      NOTE: The configuration parameter QER | Person | UseCentralPassword | PasswordCaptureAgent | SyncSystemPassword has been removed. The script VI_CaptureAgent_SetPassword has been reworked. If you have overwritten the script with your own, add the changes to it.

    • An employee's central password is noted in the user account passwords history and is taken into account when passwords are checked.

      NOTE: If you have defined custom templates for password columns, check whether these should be moved to the script QER_Publish_CentralPassword. Overwrite the script to do this.

    • By entering an employee's central password, locked system user logins, Active Directory user accounts and SAP users are unlocked. This behavior is controlled by the configuration parameters QER | Person | UseCentralPassword | SyncToSystemPassword | UnlockByCentralPassword, TargetSystem | ADS | Accounts | UnlockByCentralPassword and TargetSystem | SAPR3 | Accounts | UnlockByCentralPassword.

    • Four eyes principle for issuing the passcode. The configuration parameter QER | Person | PasswordResetAuthenticator | PasscodeSplit controls whether passcodes generated by the help desk are divided into two parts, one for the help desk and one for the employee's manager.

    • If login is employee based, customized password policies are taken into account.

    • To guarantee more security, Captcha is queried with passcode, password question and password.

  • Additional language settings for formatting data, such as date, time or numeric formats for users.

    • In the front-end program settings, the language for displaying text and the language for displaying values can be defined separately.

    • In the employee master data, you can specify a language for assessing values.

    • Use the configuration parameter Common | MailNotification | DefaultCultureFormat to specify the default language for language specific formatting of values for employees.

  • Database encryption uses RSA encryption with Optimal Asymmetric Encryption Padding (OAEP). Databases that are already encrypted with a key length of > 1024 bits are not converted but continue using PKCS#1 for encryption. New encrypted values use OAEP. If you still use a key that has 1024 bits, it is recommended you create a new key in Crypto Configuration and encrypt the database again.

  • In the installation wizard, you can change the installation settings for a service if they differ from the default installation.

  • The .Net Compiler Platform is used to compile the database and scripts for synchronization projects.

  • In the column definitions, you can define scripts to conditionally remove the column's viewing and edit permissions.

Web applications
  • With API Designer, you can quickly create, document, compile and publish a REST API. This API is based on the OpenAPI Specification and the One Identity Manager database model. The advantages of API Designer at a glance:

    • Simple and quick to use.

    • The finished API understands the One Identity Manager database model.

    • Changes to the API are transparent.

    • Supports the principles of good API design.

    • APIs that you create with help of API Designer are based, in principle, on the OpenAPI specification.

    For more detailed information, see the One Identity Manager API Designer User and Development Guide and the One Identity Manager HTML5 Development Guide.

  • The API Server supplies the API that you create with the help of the new API Designer.

  • The Operations Support Web Portal has essentially been recreated as an HTML5 application. The underlying REST API was created with the help of the new API Designer.

  • Implementation of Secure Password Extension to allow users to access the Password Reset Portal over the Windows login screen. Secure Password Extension is an application, which can access the entire functionality of the Password Reset Portal over the Windows login screen.

    Secure Password Extension is an add-on for the Active Directory Module. For detailed information about configuring and distribution of Secure Password Extension, see the One Identity Manager Secure Password Extension Administration Guide.

  • Users who self-register for the Web Portal receive a confirmation email with a link to a confirmation page. On this page, the users can finish registering and set their initial password for logging in to One Identity Manager tools.

    New configuration parameters: QER | Attestation | ApproveNewExternalUsers, QER | Attestation | NewExternalUserTimeoutInHours, QER | Attestation | NewExternalUserFinalTimeoutInHours, QER | Attestation | MailTemplateIdents | NewExternalUserVerification and QER | WebPortal | PasswordResetURL

    New application role: Base roles | Self-registered employees

  • Different status messages are now shown as browser messages.

    New Web Designer configuration parameters: VI_Common_EnableNotifications and VI_Common_NotificationPollingInterval

Target system connection
  • New Privileged Account Governance Module for managing Privileged Account Management systems in One Identity Manager.

    You can create and edit user accounts in One Identity Manager. User accounts obtain user accounts that can request the entitlements required for accessing privileged systems in the Privileged Account Management system. Request user accounts, user groups and access requirements to privileged systems in the Web Portal.

    With the One Identity Safeguard connector, One Identity Safeguard appliance user accounts, user groups, assets, asset groups, asset accounts, directories, directory accounts, account groups, entitlements and access request policies can be loaded into One Identity Manager. This allows you to use Identity and Access Governance processes such as attesting, Identity Audit, user account and system entitlements management, IT Shop or report subscriptions for Privileged Account Management tenants.

    For more detailed information, see the One Identity Manager Administration Guide for Privileged Account Governance.

  • The Windows system monitor shows you performance data for target system synchronization. You can enable performance monitoring in the Synchronization Editor configuration file (SynchronizationEditor.exe.config). You must start the Synchronization Editor in administrator mode in order to select One Identity Manager performance indicators.

  • Changes to a single object in the target system can immediately be transferred to the One Identity Manager database without having to synchronize the entire target system. Single object synchronization can be executed in Manager for objects that are already in the One Identity Manager database. The changes are made to the object properties that are mapped. If a membership list belongs to the object properties, the assignment table entries are also updated. If the object in the target system no longer exists, it is deleted in the One Identity Manager database.

  • You can define cross-synchronization project start sequences for full synchronization. This allows you to order start up configurations for different target systems in a sequence so that they are synchronized one after the other. The configuration parameter DPR | StartSequence | LifeTime controls the retention period for completed start sequences.

  • The native data connection allows you to extend the connector schema with virtual schema properties. A data operation that uses the virtual schema property must be defined for the relevant table. This schema property can then be precisely defined.

  • The Synchronization Editor provides a script library. All the scripts defined here can be used in other synchronization project scripts. Scripts that are marked as script templates can be imported into other synchronization projects where you can modify them and continue to use them. The scripts of script properties can be moved into the script library.

  • Before a G Suite user account is deleted, the user data can be transferred to another user account. The user account is not deleted from the target system until the data has been successfully transferred. You can configure this behavior in the target system connection. This function can only be used in newly created synchronization projects.

  • Access permissions for central user administration's SAP child system can be guaranteed through direct assignment, IT Shop requests and indirect assignments. Account definitions are used to do this.

    NOTE: Up to version 8.0, access to the central system was granted automatically (entry in table SAPUserInSAPMandant). As from version 8.1, this access must be explicitly granted (entry in SAPUserMandant). Existing assignments in SAPUserMandant are converted into direct assignments during the One Identity Manager database migration. This way, access permissions to the central system remain intact.

    Patches with the patch IDs VPR#28147 and VPR#28147_2 are available for synchronization projects.

  • SAP parameters can be passed down to SAP user accounts through business roles and organizations.

Identity and Access Governance
  • Managers of system roles, applications and subscribable reports can edit requests for objects of this type in the Web Portal. For this to work, managers are automatically added to the new application roles for product owners of system roles, applications and subscribable reports.

  • New configuration parameter under QER | Person | Starling for supporting One Identity Hybrid Subscription.


The following is a list of enhancements implemented in One Identity Manager 8.1.

Table 1: General known issues


Issue ID

In the case of process tasks and processes, you can define whether to wait for DBQueue Processor tasks to be handled.


Improved report generation.

  • You can now use the Escape button to stop a report from being generated.

  • The process component ReportComponent has a new parameter LimitRows, which defines a maximum limit for the number of lines returned for each query.

28921, 17407, 15696

Improved report export.

  • There is a new parameter for the process task Export, process component ReportComponent, which exports reports as Microsoft Excel files.

  • There is now a parameter for the process task SendRichMail, process component MailComponent, which allows you to send reports in different formats as mail attachments.


Improved reports with historical data queries.

  • The Historical assignments query module allows queries to be created that are based on foreign key objects.
  • In the Historical assignments and Multiple object history query modules, you can specify which columns have their modifications displayed in the report.
  • You can define several criteria for the query modules Historical assignments and Multiple object history.
  • The data query for the query module Historical assignments returns the columns Origin and OriginDisplay for querying assignment types.

21158, 21159, 22003, 29816

Improved assignment of method definitions (DialogMethod) to object definitions (DialogObject).

30462, 30514

Detailed license report in the License Meter. 30321

Improved support for data transport.

  • When using the Database Transporter export function, you can select change labels under a root change label.

  • New dialog for solving transport conflicts.

  • New transport mode for transporting synchronization projects.

12732, 28945, 29555

In the Process Editor, the $ notation suggestion list has been extended. The $PC(VarName>)$ input shows an example in the suggestion list. The values( input shows a suggestion list with value definitions. The "&out( input shows a suggestion list with out parameters.

16108, 29090

To access the display value of a column's old value, you can combine the object properties [o] and [d].

19641, 17262

Custom configuration parameters can only be created under the configuration parameter Custom.

NOTE: Existing custom configuration parameters cannot be customized on grounds of compatibility. Adjust these configuration parameters manually if required and check their usage.


Improved indexing of the search index.

  • You can use the configuration parameters Common | Indexing | BatchSize and Common | Indexing | Interval to configure the search index.

  • If the application pool is being reused, the search index is read-only.

  • Log messages about indexing are written to the application server's log.

786112, 30436, 30065

Improved logging in the program Quantum.MigratorCmd.exe.


You can use the configuration parameter QBM | DBServerAgent | CreateNotification to specify when messages are written from SQL Server Agent tasks to the event log.


The process component HandleObjectComponent's process tasks have been extended by an optional parameter ProcID for passing the GenProcID.

NOTE: The default processes have been modified. You must manually modify your custom processes as necessary.


The last process collection time for a Job server is saved.


Improved feedback from consistency checks.


You only see a selection of system types for a new connection in the database connection's login if different system types are allowed.


Improved navigation and editing of objects in Designer. Improved displaying of custom changes in Designer.

29864, 29786, 28997, 29001, 29342, 23814

Improved update behavior for automatic software update.


You can disable authentication module assignments to applications.


You can also set the time in the control for setting the date.


Forms with the form template FrmCommonChildRelationGrid show a column tooltip in the table header.


There is a spell checker in the Designer's Language Editor.


In the change label dialog, you can filter by change label.


Specialized editor for certain configuration parameters.


The VI.Base.ViException class now has a function SetSolution for setting the parameter and the text key plus a parameter, Solution, to load the completed text for entering in a solution to a problem.


The process tasks SendMail and SendRichMail of the process component MailComponent have been extended by the parameter TransportSecurity for specifying the encryption method for sending notifications by mail. The parameters EnableSSL, StartTls, StartTlsWhenAvailable and NoTransportSecurity have been deleted.

NOTE: The default processes have been modified. You must manually modify your custom processes as necessary.


Improved support for deferred operations.

  • The menu item Database | Show deferred operations is always shown in the Manager now.

  • On assignment forms, deferred operations for assignments are marked with their own icon.

  • Additional configuration parameters for configuring deferred operations are Common | DeferredOperation | AllowUpdateInInsertMode and Common | DeferredOperation | IgnoreMissingOnDelete.

21663, 30215, 30734

Improved execution of templates through One Identity Manager Service.

22360, 30730

Support for dynamically created HTML code in mail templates. A value can be marked as type HTML in $ notation. HTML code from scripts and columns is accepted but not masked (escaped). There is no security check.

Example script with HTML code:

Public Function CCC_HtmlMailText(obj As IEntity) As String
    Return "<h1 style='color:red'>" & obj.Display & "</h1>"
End Function
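
The example script inserts obj.Display into the markup unchanged, and values marked as HTML are neither masked nor checked, so any encoding has to happen in the script. The following added example (not part of the release notes and not One Identity code) shows the same heading with the data value HTML-encoded. It is a stand-alone VB.NET module; the names MailHtmlEncodingExample, HeadingRaw, HeadingEncoded and EncodedList and the sample values are assumptions made for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Net
Imports System.Text

' Added example, not One Identity code. All names in this module are hypothetical.
Module MailHtmlEncodingExample

    ' Same construction as the release-note script, with the display value
    ' passed in as a string: the value reaches the markup unchanged.
    Function HeadingRaw(display As String) As String
        Return "<h1 style='color:red'>" & display & "</h1>"
    End Function

    ' Hardened form: only the fixed markup is treated as HTML. The data value
    ' is encoded, so <, >, &, " and ' in it are rendered as text.
    ' In a mail script the argument would be obj.Display.
    Function HeadingEncoded(display As String) As String
        Return "<h1 style='color:red'>" & WebUtility.HtmlEncode(display) & "</h1>"
    End Function

    ' Builds a heading plus a list. Every data value is encoded individually
    ' at the point where it is placed into the markup.
    Function EncodedList(title As String, items As IEnumerable(Of String)) As String
        Dim sb As New StringBuilder()
        sb.Append(HeadingEncoded(title))
        sb.Append("<ul>")
        If items IsNot Nothing Then
            For Each item As String In items
                sb.Append("<li>").Append(WebUtility.HtmlEncode(item)).Append("</li>")
            Next
        End If
        sb.Append("</ul>")
        Return sb.ToString()
    End Function

    Sub Main()
        ' Constructed sample values that contain markup characters.
        Dim display As String = "R&D <b>Team</b> ""East"""
        Dim groups As String() = {"Sales <EMEA>", "Ops & Support"}

        Console.WriteLine(HeadingRaw(display))
        Console.WriteLine(HeadingEncoded(display))
        Console.WriteLine(EncodedList(display, groups))
    End Sub

End Module
```
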

Call in mail template:



Improvements in Job Queue Info.

  • The Affected objects view shows all the objects affected by a process step.

  • The Progress view shows the reinitialized Job queue. There is a warning in Job Queue Info as well. By clicking on the message, more detailed information is shown.

  • You can multi-select parameters for copying.

  • If the DBQueue contains more than 250000 calculation tasks, the operation There are more tasks to be processed is displayed in the DBQueue. This shows the number of queued tasks that cannot currently be shown in the DBQueue overview.

29052, 16641, 28692, 31140

Improvements in the Configuration Wizard.

  • Improved checking of SQL Server and database settings in the Configuration Wizard before migrating a One Identity Manager database.
  • The module version is displayed when you select the module.
  • If you create a new database with the Configuration Wizard, the directory name is also displayed if you select <default>.
  • Improved error list in the Configuration Wizard.

29224, 29262, 30227, 22575, 31061

Additional consistency check Differences in usage types in referring tables to prevent transport problems.


Improved selection of values from a list of permitted values in the Where Clause Wizard.


The simulation of permissions in Designer can be limited to selected tables.


Tables of type Read only, Union and Proxy can only be defined as viewable.


Improved support for statistics.

  • New editor for editing statistic definitions in Designer.

  • The statistics control has been extended. By double clicking on the title bar of a statistic, you can open other menu items to display reports or lists, for example. Another menu item must be defined below the menu item to get this functionality.

29444, 29145

Initialization of auto-completion for entering script code is now done in the background.


Process ID and start times of external processes are displayed on the One Identity Manager Service website.


Improved support for loading web application files in Software Loader.


New process tasks for setting and removing access rights for the process component FileComponent.


The number of list elements for data dependent menu items in a list are now shown.


You can configure the permitted length of process parameter values that are recorded in the process history. New configuration parameter: Common | ProcessState | JobHistory | TrimLongParameters


On table relations, you can specify whether the root object, in a list of affected objects from a process, is added. This can prevent the parent object from being processed simultaneously more than once.


Optimization of object selection scripts for objects in the table BaseTree.


The overview forms VI_Structure_Locality_Assignments_Overview, VI_Structure_Department_Assignments_Overview, VI_Structure_ProfitCenter_Assignments_Overview and VI_Structure_Org_Assignments_Overview have been deleted.


The Designer's Schedule Editor can now be started from Launchpad.


The schedules Lock accounts of employees that have left the company and Enable temporarily disabled accounts are not enabled by default.


Employees and system users that are locked due to incorrect logins, are displayed in Manager and Designer.

  • New menu items in the navigation structure

  • Tooltip on overview forms

29095, 29371

The Person.OrderShoppingCart method interface has been changed to improve support for application servers. The class QER.Customizer.ItemInfo now contains ExceptionInfo with detailed information about the error.


Improvements in the application server

  • Improved protection of the application server's API.

  • Improved logging in the application server.

  • Improved validation of application server connections.

30405, 30618, 30315, 31299, 31300

Improved performance in DBQueue Processor.

30763, 30800, 30626

Improvements in the system information overview.

  • Improved display of recommendations for settings; critical values are highlighted.

  • Some of the database server's properties for the system information overview are determined by the DBQueue Processor depending on the configuration parameter QBM | DBServerProperties.

30896, 30678, 30850

Improved logging in the process component MailComponent. 31043

Release management support. There is a new change label type Release for collecting change labels for a release and additional reports in Designer.


One Identity Redistributable STS updated to version 2019.1.1.11.


The Report Editor uses Stimulsoft Ultimate 2019.1.1.

769216, 30873

Performance optimization when string instances are reused.


The connection server already provided for transferring data to a One Identity Manager History Database is now used. To use this function, enable the configuration parameter HDB | UseNamedLinkedServer in the One Identity Manager History Database and enter the connection server in the One Identity Manager History Database as server for the source database.


Error messages from the process history are transferred to the One Identity Manager History Database.


Improved logging of error messages when transferring data to the One Identity Manager History Database.


Improved performance when updating the One Identity Manager database.


The script VID_FindAndReplaceByLine has been deleted.


Implementation of a load cache ISession.QueryCacheBlock() to load SQL queries that might be called more than once, in one block.

27856, 29705

Improved protection against damaging SQL statements.

31299, 31301

Table 2: General web applications


Issue ID

Improved performance in the Web Portal for:

  • Displaying delegations, requests for approval and the request history

  • Editing questions about attestation cases

  • Determining an employee's entitlements

  • Approving requests

770382, 29414, 30470, 30471, 30673, 30863, 31192

You can select the language on the login page before logging in.


Web Portal users can specify their language preferences when they register.


If the first login to the Web Portal fails because the confirmation link has expired, for example, the user can request a new confirmation email.


Improved user navigation in the Web Portal.

  • The page Responsibilities | Auditing has been structurally reworked.

  • The way some parameters are displayed in the filter wizard has been made more user friendly.

  • List sort order (DialogTree.ListOrderBy) is taken into account in Hyper Views in the Web Portal.

  • The detail view and overview tiles for business and system roles show more information.

  • Improved display of potential rule violations.

  • Improved display of URL in property view.

  • The page My Processes has been reworked and improved.

  • The search is shown in another view.

  • Hyper Views display additional information.

726106, 738158, 745500, 760498, 761671, 762208, 768037, 773368, 773566, 775573, 781813, 783457, 30034

Improved user navigation for editing and approving requests.

  • The 'Save for later list' can be completely deleted with one click.

  • After moving the last product from the 'Save for later list', the user is automatically shown the shopping cart.

  • After moving the last product from the shopping cart to the 'Save for later list', the user is automatically shown the 'Save for later list'.

  • It is now easier to navigate to objects in the request history detail that are linked to the request.

  • Improved display of service categories when you make a request.

  • If a user clicks on the email link to make an approval decision about a request and the decision has already been made, the user is notified by a message in the Web Portal.

  • The Requests for <user> page offers a selection of recipients if there is more than one for the request.

  • The view of requests to be approved is now sorted by priority.

  • In the request history, you can translate information about request time and date.

  • In the request overview, the request can subsequently be sorted and filtered.

  • The selection specifying which requests are copied, resent or added to a request template, has been reworked.

738155, 738157, 740766, 746966, 769201, 769896, 775198, 784674, 786514, 794762, 795801

When requesting products, you are shown whether a product has already been requested. Products that have already been requested cannot be added to the shopping cart again.

736902, 25756

If a custom request property is identical to a default request property (such as the valid from date), only the custom request property is shown in the shopping cart.

29305, 743621

The test to find out what products an employee is allowed to request has been extended in the AccProductInDepartment table.


With the new Web Designer configuration parameter VI_ITShop_Employee_Preselected, you can specify whether the current user is always preselected as recipient for a new request.


The default value for extending a request is now a value in the future and can be configured with the Web Designer configuration parameter VI_ITShop_Prolongation_Offset.

738195, 26139

Improved user navigation when attesting with automatic removal of entitlements.

  • The mail templates contain a link to the details of the attestation case and a warning if entitlements are removed automatically when the attestation case is not approved.

  • The attestor sees various details of the entitlements that are removed automatically.

736904, 794742, 30893

Web Portal users can view details of all the attestation cases that affect them.


New tab Compliance on the Pending attestations page. Detailed information is shown about rule violations of attestation objects.


If the option Employees do not inherit is set on a role, the user is informed of potential rule violations while compliance checking this role or during direct assignment. The rules will be violated the moment the option Employees do not inherit is disabled.

760181, 25477

When resolving rule violations, SAP roles that match SAP functions are taken into account.


If, during resolution of rule violations, no permissions are found on the first page, a better error text is displayed.


Users with the application role Identity Management | Employees | Administrators can now also manage employees in the Web Portal.


Selecting employees or user accounts also shows the identity.


The filter wizard is only shown for users with the program function Allow use of SQL wizard in Web Portal (Common_SqlWizardWeb).

792338, 30240

In tables that display hierarchical objects, the number of entries is shown at the top level.


In the Web Portal, some parts of Hyper Views are hidden.


The session in Web Portal can now be closed through a fixed URL /page.axd?ContextID=QBM_Logout.


Until now, missing form methods were entered as errors in the log. This error will now be ignored because during normal operations there are too many incorrect error messages due to the overlapping timing of user actions.


Certain error messages offer suggestions for solving the problem.


The Web Designer configuration parameter VI_Common_AutoCompleteListCount allows the user to specify how many matches are displayed for auto completion.


The new Web Designer configuration parameter VI_Common_HyperView_DisableNavigation allows you to disable navigation to other objects.


The new Web Designer configuration parameter VI_Common_AutoCompletePrefixOnly allows you to specify whether only matches that begin with or contain the given term are displayed by auto-complete in input fields.


The new Web Designer configuration parameter VI_Common_CaptchaCaseInsensitive allows you to specify whether case sensitivity is checked by Captcha.


Employees, who are noted in the system as inactive with certification status new, can also log in to the Password Reset Portal.


Improved user navigation in the Password Reset Portal.

  • You can return to the home page at any time.

  • On the login page, you can configure the language before logging in.

  • Password questions and answers can also be set and changed in the Password Reset Portal.

  • Users can also change their sub identity passwords in Password Reset Portal.

724499, 759436, 789656, 794857

In the Operations Support Web Portal, you can limit the search to objects in specific tables.


Improved user navigation in Web Designer.

  • The design has been reworked.

  • The help menu has been reworked.

  • Terminology for saving projects has been changed. Project type is now used instead of save type.

  • The search function has been renamed to Find in the English user interface.

  • The information about the current object is now displayed in the toolbar instead of the node editor.

771460, 781812, 785007, 786212, 787063

A new property has been added to nodes at hierarchical level. It controls which nodes expand automatically when the data is loaded.

789080

It is now possible to jump straight from a report to the overview pages of separate entries.


The EditFilter() function in the Web Designer component VI_Edit_LimitedValues has been removed. You can only make changes to limit permitted values by using the properties.


The Web Designer component VI_Audit_Responsibilities uses the database view TSBVUNSRoot for displaying.


Microsoft Edge can now be started from Web Designer.


Object dependent references can be edited and disabled in Web Designer.

753696, 753699, 29313

The script for displaying the status of menu items (DialogTree.StateScript) is also taken into account by Web Designer.


Comments can now be added directly or by extension to collections.


The Web Designer Configuration Editor now checks whether a user account exists for automatic update and that the login data is correct. If this is not the case, the user can create a new user account.


Changes to files that are not made in Web Designer are no longer overwritten by saving in the Web Designer.

762527

Web Designer compiler messages can be identified more easily based on error codes. In addition, the user can specify which warnings are handled as errors and which error codes should be ignored.

780370, 780371

The log file display has been reworked in the Web Portal.


In the web application's log file, the list Web Designer nodes are shown with IDs.


Direct HTTP calls to Starling 2FA API are no longer possible. The QER.DefenderClient.dll has been renamed to QER.Starling2FAClient.dll.


The Starling 2FA client API version 5.9.18078.3 is supported.

Modified scripts: QER_CreateMFAUserID and QER_DeleteMFAUserID

767068, 770670

To prevent cross-site request forgery (CSRF), the SameSite attribute for cookies is preset to the value strict in the Web Portal installation.


To improve security, the default web.config file has been extended with the parameter httpRuntime enableVersionHeader="false".


AngularJS 1.7.2 is used.


If a user uses a user interface with high contrast, selected table entries are highlighted with a frame.


Table 3: Target system connection


Issue ID

Obsolete synchronization revisions are deleted by daily maintenance tasks in the table DPRRevisionStore.


Maintenance of the synchronization buffer can be done manually in the Synchronization Editor's expert mode.


Optimization of data throughput during provisioning if an application server is used.


While setting up a synchronization project from a custom project template, the synchronization project wizard adds single object operations for provisioning and for single object synchronization.


Improved representation of outstanding membership objects on the overview form for target system objects.

28491, 19817

Single provisioning can also be implemented with value comparison rules that map multi-value schema properties.


In the schema properties for resolving keys, you can configure whether unresolvable keys are written to the synchronization log.


Schema properties for resolving keys can be defined as Read-only.


A manager assignment to an employee can be removed by synchronizing Oracle E-Business Suite. A manager assignment to a department can be removed by synchronizing an SAP HCM system.

A patch with the patch ID VPR#29265 is available for synchronization projects.


Improved user navigation in the Synchronization Editor.

  • Improved display of member lists in the target system browser. You can sort the objects displayed in the schema properties edit dialog.

  • Detailed information is displayed about the results of the consistency check.

  • In the Synchronization Editor, when a user opens a synchronization project a message appears if another user is already working with this synchronization project.

  • By activating and saving already active synchronization projects, the consistency check is automatically run. If errors occur, the user will be prompted to activate or save the synchronization project.

  • Improved display of the scope in the Synchronization Editor.

  • Improvements in the Select system connection dialog when the synchronization project is created.

  • In the target system browser, the filter for displaying the result list for the selected schema type can be defined before the list is loaded.

24317, 29258, 29334, 29363, 29396, 29957, 30197

New consistency checks have been implemented.

  • Property mapping rule checking

  • Check whether start up configurations that have been grouped into a start group use the same schedule.

  • Check whether schema properties are in use that are marked internally as obsolete.

29642, 30654, 30780

Improved error message when a synchronization project cannot be opened because the scripts being used contain syntax errors.


In the target system browser, system objects can be displayed that contain encrypted values.


Synchronization projects can be automatically updated. The configuration file can be provided through a reference object.

30416

Script properties can be configured so that script runtime errors are ignored.


Improved performance

  • Single provisioning of memberships

  • Calculating DBQueue Processor tasks

  • Synchronizing

  • Provisioning new objects with Windows PowerShell based connectors

22556, 29063, 30667, 30702, 30864, 30892, 30922, 30942

Synchronization logs are shown in Manager.


Additional object definition for displaying user accounts in Manager depending on the respective identity.


The forest relation is mapped to Active Directory locations.

A patch with the patch ID VPR#29306 is available for synchronization projects.


The options Password never expires and Change password on next login for Active Directory user accounts cannot be enabled at the same time anymore.


When Active Directory user accounts are synchronized, references to cloud user accounts are synchronized. Synchronization is supported by the Active Directory and Active Roles connectors.

A patch with the patch ID VPR#29087 is available for synchronization projects.


During synchronization with the Active Roles connector, information about the Active Directory operating system is loaded.

A patch with the patch ID VPR#28612 is available for synchronization projects.


The Azure Active Directory connector uses Microsoft Graph .NET Wrapper Version 1.6.2.


The configuration parameter Target system | AzureAD is a preprocessor configuration parameter.


Microsoft Exchange room mailboxes can be created for enabled Active Directory user accounts.


The mailbox type of Microsoft Exchange mailboxes can be changed.


Proxy addresses can be maintained for remote mailboxes.


Remote mailboxes with the mailbox type Remote shared mailbox can be created.


When a mailbox is enabled, there is a test to check whether a remote mailbox or an e-mail user already exists for the given Active Directory account.


Property mapping rules that are no longer required are removed from the OwaMailboxPolicy map.

A patch with the patch ID VPR#30498 is available for synchronization projects.


Booking permissions for Exchange Online room and equipment mailboxes can now be granted for dynamic distribution groups, mail-enabled distribution groups and Office 365 groups.

A patch with the patch ID VPR#30588 is available for synchronization projects.


The following messages have been added to the list of errors caused by a dropped connection:

An error caused a change in the current set of domain controllers.

Your request is too frequent. Please wait for few minutes and retry.

Topology Provider coundn't find the Microsoft Exchange Active Directory Topology service on end point.


Improved performance synchronizing Exchange Online recipient lists.

30959, 31162

Primary memberships of employees in locations are also synchronized.

A patch with the patch ID VPR#29741 is available for synchronization projects.


In the system connection wizard, schema extension files for Oracle E-Business Suite are also checked for functional errors.


The Oracle Database Edition can be selected when setting up synchronization for E-Business Suite. The Edition can be changed in the connection parameters at any time.

A patch with the patch ID VPR#30464 is available for synchronization projects.


The serialization format of schema types in synchronization projects can be changed for Oracle E-Business Suite.

A patch with the patch ID VPR#31011 is available for synchronization projects.


Read-only API access can be configured for synchronizing G Suite.


In Manager, the G Suite organization property Block inheritance (GAPOrgUnit.BlockInheritance) cannot be edited anymore because it cannot be edited with the Google Admin Console either. Do not use this property anymore.


The G Suite connector uses Google.Apis version 1.37.0.


Option to redefine structural classes as auxiliary classes in the LDAP connector.


Spaces in distinguished names of LDAP objects are tolerated.

30542, 30543

Automatic partitioned search for LDAP server with Oracle Directory Server Enterprise Edition (ODSEE) is no longer supported. The partitioned search can be configured in the system connection wizard. To do this, select the object class nsUniqueId on the Options for partitioned search page and use the characters ABCDEF0123456789.


When adding Notes mailbox files, you can set an access step for the owner. The configuration parameter TargetSystem | NDO | Accounts | MailFileAccessRole specifies which access steps are passed by default.

A patch with the patch ID VPR#30313 is available for synchronization projects.


Improved performance

  • Provisioning Notes objects

  • Provisioning Notes group memberships

30658, 30895

Parameters of type IN can now be passed to the process task RunAgent of the process component NDO Component.


The communications timeout between SharePoint connector and target system has been increased to 24 hours.


The configuration parameter Target system | SharePoint Online is a preprocessor configuration parameter.


SAP user accounts can be renamed in One Identity Manager. In the process, the user account properties are transferred to a new user account and the original user account is deleted.


In the system connection wizard, schema extension files for SAP R/3 are also checked for functional errors.


Improved performance

  • Calculating SAP functions

  • Calculating SAP group, role and profile hierarchies.

  • Synchronizing role assignments with the central system of a CUA (UserInCUARole)

    A patch with the patch ID VPR#30941 is available for synchronization projects.

30299, 30743, 30675, 30941

The process component SAP Component has been extended by the process functions ObjectExists and DelRoleFromUser.

31120, 31145

The SCIM connector can use client certificates for authentication.


Variables used by synchronization and their values are logged.


In synchronization projects with the SCIM connector, you can configure the use of local cache.

A patch with the patch ID VPR#30497 is available for synchronization projects.


The CSV connector recognizes multiple identical entries in the CSV file. For synchronization, you can select one entry or ignore all entries.


Extended consistency checks in the Windows PowerShell connector.

29201, 30220

If a dropped connection is identified in a Windows PowerShell connector, the error message for the exception that caused it is output by NLog on each reconnection attempt.


Table 4: Identity and Access Governance


Issue ID

Simplified support of special processes for deleting employees during implementation of data protection regulations (GDPR).

  • A new procedure QER_PPersonDelete_GDPR is available.
  • The process task Delete of the process component HandleObjectComponent has a new parameter Deep for deleting dependent objects and references.

27643, 30468, 30721

The delegator can be notified of the approval decision.


If memberships in roles and organizations are attested (table PersonInBaseTree), the approval procedure CM can be used to determine the attestors.

30123

If the attestation procedure in an attestation policy changes, a check is done to find out whether the assigned approval policy is permitted.


You can configure which methods are applied to a request if the requested assignment has to be removed because the attestation case was not approved. New configuration parameter: QER | Attestation | AutoRemovalScope | PWOMethodName


The approval procedure OA can also be used to determine an attestor if system entitlement assignments to user accounts or system role assignments to employees are attested.


New approval procedure for determining attestors for user accounts: EA - user account's employee.


Usage types can be assigned to standard reasons. In Web Portal, standard reasons are filtered this way. All usage types are assigned to your custom standard reasons during the One Identity Manager update. You can edit these usage types in Manager.

22810, 789946

In the approval step, you specify whether employees that are affected by the approval are allowed to approve this approval step. This prevents:

  • The requester and recipient of one request making the approval decision

  • The employee being attested from approving the attestation case


Default approval procedures can be copied for customization.


Mail templates for renewal and unsubscribing can now be assigned to approval policies. The configuration parameter QER | ITShop | MailTemplateIdents | InformRecipientAboutUnsubscribe has been deleted.


New mail templates for delegation approval notifications. New configuration parameters have been added under QER | ITShop | Delegation | MailTemplateIdents for configuring such notifications.


When the recipient of a request is removed from a customer node, requested company resource assignments to business role and organizations can remain intact. New configuration parameters have been added under QER | ITShop | ReplaceAssignmentRequestOnLeaveCU for configuring this behavior.


Improved performance calculating delegations.

28964

The method CreateITShopOrder already creates an entry in the approval sequence when the request is made in IT Shop.


The task Remove from all shelves is only displayed if an IT Shop shelf is assigned to a company resource as a product.


The configuration parameter QER | ITShop | LimitOfNodeCheck specifies how many product nodes are deleted in one DBQueue Processor run if large numbers of products in the IT Shop are deleted through automatic processes. By default, 500 objects are processed in one run. Set the value lower if there are performance problems while executing the task QER-K-OrgAutoChild.


Unused application roles for product owners are now deleted if the configuration parameter QER | ITShop | GroupAutoPublish is not set.


Improved performance handling request processes.


Improvements calculating inheritance for system roles.

  • New configuration parameter for defining mutually exclusive system roles: QER | Structures | Inherite | ESetExclusion.

  • Special handling of system roles that are passed down through hierarchical roles. New configuration parameter: QER | Structures | Inherite | NoESetSplitting

28248, 28973

On the system role overview, company resources that are assigned to child system roles are displayed in separate form elements.


If affected permissions are specified in the rule conditions of compliance rules, you can define the partial conditions Has extended property in group and SQL statement.


Improved display of rule violations involving SAP functions.

  • New overview form with details about an employee's rule violations, the object involved and the mitigating controls assigned.

  • The SAP functions affected and the compliance rules that can be violated by them are displayed on the overview forms SAP user accounts, SAP roles and SAP profiles, business role and organizations.

  • The SAP function instance overview form shows the violated compliance rules and those business roles and organizations affected.


An employee type can be given for employees. This represents the employee's relationship to the company.

787290, 29094

Reports about employees contain additional information.

30063, 30079

If the option Temporarily disabled is not set for an employee and the date for Temporarily disabled from is in the future, the dates for Temporarily disabled from and Temporarily disabled until are not deleted.


If a permanently disabled employee is re-enabled, the leaving date and last working day are only deleted if they are in the past.


Role types can be assigned to role classes. This allows you to limit usage of role types to the assigned role classes.


You can assign a manager and a deputy manager to an application role.


Improved performance finding owners of system entitlements.


Resolved issues

The following is a list of solved problems in this version.

Table 5: General known issues

Resolved issue

Issue ID

Populating raw tables fails if process views with identical process group IDs exist in the One Identity Manager database and the History Database as well.

27846

Error filling raw tables if the One Identity Manager database and the History Database are installed in the same cluster.

30455

The One Identity Manager History Service and the One Identity Manager Service are both installed when the One Identity Manager History Database is installed.

To correct the problem, the HDBService.exe file has been removed. The installation of the History Database service will now be carried out by the viNetworkService.exe.

IMPORTANT: If you are affected by this problem, uninstall the One Identity Manager History Service before updating your One Identity Manager History Database. Run the following command as administrator:

sc delete "HDBService"


Error testing email addresses for uniqueness, if an email address was recalculated with a template but the old and the new values are identical.


You can set edit permissions for columns that are part of a primary key or part of a key for a many-to-all table.


Error message calling Quantum.MigratorCmd.exe with the operation DUMP.


Problem opening Language Editor in Designer if very large tables are loaded for translation.


The function QBM_FSQRemoveComment does not recognize Linux carriage return.


The script for selecting the server in a process step (Job.ServerDetectScript) is not implicitly extended by a Try-Catch-Block.


Bulk operations are obstructed from delivering process steps by entries in the QBMElementAffectedByJob table.

30362

If an object column and another column in the table QBMColumnTranslation are interrelated, the program exits because it cannot load these objects.


Compilation fails if the process or process step contains quotation marks (") in names.


Error logging in through an application server if the user is working with Turkish language settings.


Session ID in the application server can be reused.

NOTE: By default, the session ID is no longer reused.

You can configure reuse of the session ID. In the application server's configuration file (web.config), a new parameter allowsessionidreuse has been added to the section server. The modification only affects new installations. Existing installations are not changed.

To allow reuse of session IDs:

  • For new installations: uncomment the parameter in the application server's web.config.
  • For the existing installation: add the following to the server section of the application server's web.config:

    <add key="allowsessionidreuse" value="true" />

31299, 31306

Under certain conditions, the database ends up in a trigger-free state if transport fails.

30459, 30447

Performance problems determining permissions.


Wrong name of state "Newfoundland and Labrador".


After extending the schema of custom read-only tables, new columns with the option Customer can configure are set to the value 0.


Error in the method SqlFormatter.NotInClause.


Problems initializing the Job queue if a large number of queues are affected.


The physical dependency between DBQueue Processor tasks does not consider tasks without parameters.


Terminated slots are identified correctly if the SQL Server reuses the SPID.


The procedures for shrinking the entries in the tables DialogWatchOperation, JobHistory and DialogProcessChain do not shrink in blocks.


Timestamps on changes made in the database in Designer are shown in UTC.


Problem determining the resulting permissions filter for objects.

30582, 31110

Migration does not remove non-linear dependencies correctly.


Error retrying process steps with the status MISSING.

30752

The procedure QBM_PCustomSQLFill fails with the message Violation of PRIMARY KEY constraint.

There is a new consistency check Index name longer than 30 characters.


The customizer method GetNextID fails when executed in Designer.


Custom columns are not taken into account by auto-completion if script code is entered.


If a process step is copied in the Process Editor, the priority definition (Job.PriorityDefinition) is not copied at the same time.


If a Job destination ID contains a special character, the links on the One Identity Manager Service status page do not work.


Ctrl+C does not copy the selected value in the Process step view in Job Queue Info.


Job Queue Info ends unexpectedly, if there is a filter on the system journal and it returns a lot of entries.


In reports, IN clause queries on UID and XObjectKey columns are listed with Unicode strings.


The limit for IN clauses in report queries is not observed correctly.


Relaying processes is being blocked because the procedure QBM_PJobUpdateState is being called too frequently.


Error in process tracking (NullReferenceException).


The state of Florida has the wrong timezone.


The procedure ProcessShrink leaves behind entries with BasisObjectType=<unknown Object> in the DialogProcess table.


Components and tasks with MaxInstance=1 run in parallel due to load balancing.


Triggers are not generated for DBQueue Processor tasks that record changes to configuration data.


The One Identity Manager Service returns the process steps but the slots remain blocked.


Table 6: General web applications

Resolved issue

Issue ID

Error logging in to the Password Reset Portal again if the portal was not in use in the meantime.

30423

Unsuitable error message if a password is entered in the Password Reset Portal that does not conform to the password policy.

29804

An employee can request membership in a specific business role.


Next has to be double clicked in each step of a delegation in Web Portal.


Unsubscribed assignment requests are shown in the request history, although the option Canceled or denied or dismissed is not set.


A request for a default service item New Active Directory security group cannot be approved.


Mandatory fields for attestation cases are not checked when queried.


If the Report Subscription Module is not installed or the configuration parameter QER | RPS | DefaultReportTemplate is not set, a PDF export is still offered in the Web Portal. Attempts to export to PDF in Web Portal fail.


The web browser control in Web Designer blocks certain URLs.


If you swap pages when trying to select roles during delegation, you lose the selection.


Incorrect where clauses are generated while index searching in many-to-many tables.


In the Web Portal, the character sets are not translated in the password policy tip.


Wrong display names for DialogSchedule.LastRun and DialogSchedule.NextRun in the Schedule Editor.


In the Web Portal, the Memberships tile is shown if you select an assignment resource under Responsibilities, although a member could not be assigned to an assignment resource.


Diagram pages that extend over several pages are not displayed correctly.


Error if the Manager web application is called by a Load Balancer.

NOTE: The SameOrigin policy is a security function and is therefore enabled by default. Use of the SameOrigin policy can now be optionally disabled. To do this, insert the following entry in the section application of the Manager web application's configuration file (Web.config):

<add key="DoNotApplySameOriginPolicy" value="True" />

In the Web Portal's configuration file (web.config), the URL /AE.axd is still declared.

The handler AE.axd for session information has been removed from the Web Portal's configuration file (web.config). Therefore, the handler is not included when Web Portal is installed. Any existing Web Portal installations are not affected by this change.

NOTE: If you still require the handler and want to include it again, enter the following lines in the Web Portal's configuration file (web.config):

In the section system.web\httpHandlers:

<add verb="GET" path="AE.axd" type="VI.WebRuntime.Communication.ControllerRequestHandler, VI.WebRuntime" />

In the section system.webServer\httpHandlers:

<add name="AE.axd_GET" path="AE.axd" verb="GET" type="VI.WebRuntime.Communication.ControllerRequestHandler, VI.WebRuntime" />

31299, 31302
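
The web.config settings described in these notes (session ID reuse in the application server, the SameOrigin opt-out in the Manager web application, the AE.axd handler and enableVersionHeader in the Web Portal) can be checked on an existing installation with a short audit. The following Python script is an added example, not One Identity code; the sample documents are constructed, and because the notes name only the sections (server, application), the script matches the entries wherever they appear rather than assuming a nesting.

```python
import xml.etree.ElementTree as ET

# Constructed sample: settings from the three web.config files mentioned in the
# notes, merged into one document for brevity. The nesting is an assumption.
SAMPLE_LEGACY = """<configuration>
  <application>
    <add key="DoNotApplySameOriginPolicy" value="True" />
  </application>
  <server>
    <add key="allowsessionidreuse" value="true" />
  </server>
  <system.web>
    <httpRuntime maxRequestLength="4096" />
    <httpHandlers>
      <add verb="GET" path="AE.axd" type="VI.WebRuntime.Communication.ControllerRequestHandler, VI.WebRuntime" />
    </httpHandlers>
  </system.web>
</configuration>"""

# Constructed sample: a new installation, where the reuse parameter ships
# commented out and the version header is switched off.
SAMPLE_HARDENED = """<configuration>
  <server>
    <!-- <add key="allowsessionidreuse" value="true" /> -->
  </server>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>"""

# Finding identifiers (names chosen for this example) and what they mean.
FINDINGS = {
    "session-id-reuse-allowed": "allowsessionidreuse is true: session IDs can be reused",
    "same-origin-policy-disabled": "DoNotApplySameOriginPolicy is True: SameOrigin policy is off",
    "ae-axd-handler-declared": "AE.axd session information handler is still declared",
    "version-header-enabled": "httpRuntime enableVersionHeader is not set to false",
}


def _local(tag):
    """Return the tag name without an XML namespace prefix, if one is present."""
    return tag.rsplit("}", 1)[-1]


def _is(value, expected):
    """Case-insensitive comparison that tolerates missing attributes."""
    return (value or "").strip().lower() == expected


def audit_web_config(xml_text):
    """Return a sorted list of finding identifiers for one web.config document.

    XML comments are discarded by the parser, so a commented-out parameter
    (the state shipped with new installations) is not reported.
    """
    root = ET.fromstring(xml_text)
    findings = set()
    version_header_off = False

    for el in root.iter():
        name = _local(el.tag)
        if name == "httpRuntime":
            if _is(el.get("enableVersionHeader"), "false"):
                version_header_off = True
        elif name == "add":
            key = (el.get("key") or "").strip().lower()
            if key == "allowsessionidreuse" and _is(el.get("value"), "true"):
                findings.add("session-id-reuse-allowed")
            elif key == "donotapplysameoriginpolicy" and _is(el.get("value"), "true"):
                findings.add("same-origin-policy-disabled")
            # Handler entries use a path attribute instead of key/value.
            if _is(el.get("path"), "ae.axd"):
                findings.add("ae-axd-handler-declared")

    # ASP.NET sends the version header unless it is explicitly disabled.
    if not version_header_off:
        findings.add("version-header-enabled")
    return sorted(findings)


if __name__ == "__main__":
    for label, doc in (("legacy", SAMPLE_LEGACY), ("hardened", SAMPLE_HARDENED)):
        results = audit_web_config(doc)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print(f"  - {finding}: {FINDINGS[finding]}")
```

To audit a real installation, read each web.config file from disk and pass its text to audit_web_config; a finding that reflects a deliberate choice, such as the SameOrigin opt-out behind a load balancer, can then be reviewed rather than discovered.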

Table 7: Target system connection

Resolved issue

Issue ID

Errors publishing group memberships if there are memberships that are not mapped.


Error executing the script DPR_GetAdHocData.


Property mapping rules with the option Force mapping against direction of synchronization are not fully included if provisioning executes several synchronization steps of a workflow.


If changes are made to group properties, too many post-processing tasks are queued in the DBQueue.


If patches are being applied and the database has encrypted connection data, the connection dialog for entering the data opens in the background.


In Manager, changes to the value of IT operating data cannot be saved.

30295, 30746

Error opening master data form of object from custom target system if custom columns are displayed.


It is not possible to remove a target system from the database with the procedure QBM_PDeleteDeep.


The settings in a hierarchy filter that has been converted into a variable are removed from the Synchronization Editor if the target system connection cannot be established.


Files in the synchronization user's temporary directory are not deleted.


Error reading data from columns with data type varbinary if these are used as a primary key or part of one.


Error loading synchronization projects.


Error in provisioning when decoding XML strings.


Simulation results do not contain enough information.


Provisioning tasks for group memberships are grouped under the wrong GenprocID.


A maximum of 1024 modified memberships per group can be provisioned.


Too many columns are loaded for resolving a reference.


Running a clean up of the DPRMembershipAction table deletes entries that are still required.


Synchronization deletes One Identity Manager database objects that are not unique in the target system.


Processing of target system specific tasks in the DBQueue is blocked if this target system is being synchronized at the same time.


Provisioning of group memberships fails if a referenced object is not found.


Script variables are recalculated each time they are accessed.


Objects that are added and provisioned in the One Identity Manager database while synchronization is running are duplicated in the database.


One Identity Manager uses the wrong mapping to provision memberships.


Updating the schema or transporting a synchronization project removes the quota definition.


The synchronization user's password is written to the log file without encryption.


Synchronization start up loads the variable set too late.


Post-processing tasks for outstanding objects that have been deferred are not executed.


Incorrect handling of trusted domains in Active Directory synchronization projects. The project template has been corrected.

A patch with the patch ID VPR#30192 is available for synchronization projects.


Cross domain memberships are not deleted during provisioning.


Active Directory group memberships are not provisioned if the object SID for the user account is missing.


Error processing unresolvable keys during Active Directory synchronization.

30552, 30811

Deleted values in the columns HomeDirectory and ProfilePath of Active Directory user accounts cannot be provisioned.


Error calculating Active Directory group memberships if the user account's primary group has been changed.


Error synchronizing the Active Directory user account schema properties ObjectKeyManager and Secretary. Synchronization quits although the option Continue on error is set.


Timeout during synchronization of Azure Active Directory group memberships.


Global catalogs should be initialized when the first necessary access is made and not whilst establishing the connection to Active Directory.


Not all permissions are documented that are required for synchronizing Microsoft Exchange.


If a Microsoft Exchange address list is marked as outstanding, the associated address book entries are not marked as outstanding.


Error deleting outstanding Microsoft Exchange address book entries.


If a Microsoft Exchange mailbox database is marked as outstanding, its server assignments are not marked as outstanding.


Error provisioning deleted Microsoft Exchange mailboxes if deferred deletion is configured.


Loading Microsoft Exchange data availability groups fails if all the servers involved are shut down.


The processing method MarkAsOutstanding is missing in the synchronization step RoleAssignmentPolicy for Microsoft Exchange.

A patch with the patch ID VPR#28815 is available for synchronization projects.


Error provisioning Exchange Online mailboxes.

A patch with the patch ID VPR#31269 is available for synchronization projects.


The process for provisioning memberships in E-Business Suite authorizations is repeatedly inserted in the Job queue if the user account's ID (column UserID) is not set.


Date values in script properties are not converted into language dependent format.

A patch with the patch ID VPR#28962_EBS is available for synchronization projects.


Error setting up synchronization with an LDAP directory if an AttributeType is returned in quotes in the server schema.

30366, 30337

Canonical names of LDAP objects are not formatted automatically if the synchronization type is changed from No synchronization to One Identity Manager.


Error setting up synchronization with IBM Notes if the connection to the Domino server is tested.


Synchronization quits if the FullName of a Notes document cannot be loaded.


The person document of a new Notes user account does not appear in the address book's default view.


Error synchronizing Notes templates.


Error renaming a Notes user account if an organization unit is assigned to it.


Error adding a group based SharePoint Online user account.

A patch with the patch ID VPR#30729 is available for synchronization projects.


The processing method MarkAsOutstanding is missing in a number of synchronization steps for SAP R/3 authorization objects.

A patch with the patch ID VPR#29477 is available for synchronization projects.


One Identity Manager Administration Guide for the SAP R/3 Compliance Add-on is missing a note informing the user that synchronization of SAP authorization objects for central user administration clients is not supported.


The options Home address and Default address can be disabled although only an email address is assigned to the SAP user account.


During synchronization of SAP group, role or profile assignments to SAP user accounts from a secondary system, the assignments are not saved in the One Identity Manager database.


Incorrect synchronization of organization structure objects from an SAP HCM system (HROrgUnit).


When adding an SAP user account with parameters, email addresses, telephone and fax numbers, distinguished names (such as SAPComPhone.DistinguishedName) are not formatted.


Too many post-processing tasks are sent to the DBQueue if changes are made to SAP user accounts.


The Insert event is not triggered for tasks in the HelperSAPUserInSAPRole table.


SAP role assignments to SAP user accounts are provisioned, although the associated categories do not match.


If several changes are made to an employee's central password in quick succession, by the Password Capture Agent for example, only the first change is made to the SAP user accounts.


Company assignment of SAP user accounts is not provisioned in the target system.

A patch with the patch ID VPR#30453 is available for synchronization projects.


If an existing SAP user account is given the manage level Full managed, the IT operating data for the SAP communications data (SAPComPhone, SAPComFax and SAPComSMTP) is not calculated.


Error synchronizing company data (table Company).


Error loading single objects for schema types that are provided by a schema extension file.

30653, 30701

Executable SAP transactions are not calculated correctly for SAP user accounts.


Error calculating role assignments (table SAPUserInSAPRole).

30797, 31149

Error in provisioning if the option Set effective password in Manager for a user account with the type Service or System has been set.

30952, 30956

Wrong templates for columns SAPComPhone.PhoneNumber and SAPComFax.FaxNumber.


Error converting Json data with the data type Integer or Float.


Error deleting group memberships with the SCIM connector.


Cloud application group memberships are incorrectly resolved if the schema property members~type does not contain a value.


The connectors Microsoft Exchange, Exchange Online and Windows PowerShell only use one revision counter even if several schema properties per schema type are flagged as revision counters.

In synchronization projects that use the Windows PowerShell Connector, the target system schema must be reloaded to use more revision counters.

A patch with the patch ID VPR#31026 is provided for Microsoft Exchange and Exchange Online synchronization projects.


An Out-Of-Memory exception occurs while determining managers for email users and email contacts in large Exchange Online systems.


The native database connector does not delete group memberships in the target system if provisioning is carried out by an application server.


During synchronization of the native database connector, objects are marked as changed although they have not been changed.


Spaces in schema property names that are flagged as revision counters are not masked in the native database connector.


Table 8: Identity and Access Governance

Resolved issue

Issue ID

Attestations are discontinued with the reason "No approver available" even though an approver is available.


Under certain circumstances, the Customizer method CreateAttestations blocks DBQueue processing.


Error deleting attestation cases.


Disabling attestation policies does not delete the associated attestation cases.


In email notifications to attestors, the pictures defined in custom mail templates are not shown.


Service items cannot be added as products in the IT Shop if their identifier is longer than 128 characters.


In the approval sequence, the time is shown as UTC time.


The script VI_BuildITShopLink_Unsubscribe creates a wrong link.


Membership in a role cannot be delegated if the recipient of the delegation is already a member of this role.


If a company resource is assigned by a limited period request and an unlimited period request at the same time and the limited period request expires, the company resource is removed although a valid, unlimited request still exists.

30697

The column templates ShoppingCartItem.ObjectKeyAssignment, DisplayObjectKeyAssignment and PersonWantsOrg.DisplayObjectKeyAssignment cannot be overwritten.


Manager freezes when an approval workflow is copied.


Initial login data is sent to the wrong employee when user accounts are requested in the IT Shop.


Closed requests are not deleted, although the retention period must have expired.


The DBQueue Processor checks automatic approval for requests that are already approved but not yet assigned (OrderState = 'Granted').


Incorrect testing of whether a company resource has already been assigned if the option Only for use in IT Shop is set.


If an exception has been granted for a product with a rule violation in the approval process, the rule violation remains after the product has been canceled and the assignment removed.


Ad-hoc rule checking does not create processing tasks for recalculating rule violations and for calculating the affected employee group. This means the affected employees may not be calculated correctly.


If a disabled compliance rule is deleted, the associated rule violation is not deleted.


Calculating rule violations also calculates disabled rules.


Error calculating compliance after updating the One Identity Manager database if only modules that are not dependent on the Compliance Rules Module are selected.


Wrong table name in One Identity Manager System Roles Administration Guide in section Disabled system roles.


Error assigning an object from a custom table to a system role.


As from version 7.1.2, company resource assignments of child system roles are not mapped in the table EsetHasEntitlement. However, by updating the One Identity Manager database to version 7.1.2 or later, assignments to child system roles are not removed from the table EsetHasEntitlement.


System users with permissions groups vi_4_PERSONADMIN and VI_4_ALLMANAGER cannot add any employees.

NOTE: By solving this issue, you may find that objects are not inserted properly because column permissions are missing on compulsory fields. Table permissions of the respective permissions group are taken into account during calculation of each column permission. Table permissions of different permissions groups are no longer transferred to all columns. This means a column cannot be edited when an object is inserted if the table permission Insertable is not defined for the permissions group that grants the column permission Editable.


In Manager, the Change security question task can also be displayed even though the logged in user does not have the required permissions.


In the Show Entitlements Origin report, SAP roles and BI analysis authorizations that are inherited through system roles are missing.


Error displaying the Employee Access Overview at specific point in time report.


Display errors in the Filter Designer

  • Creating dynamic roles with many filter criteria

  • Select several elements from a menu

29639, 30668

If a simple report is generated in CSV format, an empty report is created.

