
Identity Manager 9.1.1 - Release Notes

Resolved issues

The following is a list of issues addressed in this release.

Table 5: General

Resolved issue

Issue ID

If data imported via a CSV connector uses an application server connection, the default values of properties cannot be removed.


In the Schema Extension, a summary of the changes is no longer shown.


Using the emergency stop to halt the DBQueue Processor can result in a time delay if a lot of DBQueue Processor processes are being handled quickly.


WebView2 is not installed on an administrative workstation if only the Workstation | Configuration or Workstation | Development & Testing machine roles are selected.


The Form Editor generates an empty form definition when a new interface form is inserted in the form overview's root level.


Permissions required on new tables are not granted for end users if the Database Transporter imports the schema extensions.


The QBM_PTriggerDrop procedure logs entries in the system journal even though no triggers were deleted.


An error occurs in the Manager when the context menu is used to run a task on an object.


An error occurs updating statistics during maintenance tasks. Therefore, the statistics are not up-to-date.

Error message: User does not have permission to perform this action.


The Manager does not reliably save the column selection in a filter.


An error occurs when the Software Loader imports a new file.

Error message: Number of primary key columns does not match.


An error occurs using OAuth2.0/OpenID Connect to log in to the application server or the Job server, to display the status, for example.


The Job Queue Info does not display the change information for the CausingEntityPatch parameter correctly.


Hierarchically structured change labels are not displayed correctly in the Database Transporter when transporting by change label.


If the functionality for read access distribution in a cluster is used, a message appears stating that the Database Agent Service is not running although it was started.


Some SQL statements that only query data still require a database connection with write access. Under certain conditions, errors can occur when read access distribution is used in the cluster.


The QBMColumnLimitedValue.KeyValue column is too short.


The Process Editor cannot restore the default layout.


Schema extensions do not populate existing data records with default values. This causes errors.


Rule violations are not identified in the simulation.


After ending a simulation, the data is not fully displayed in the report.


Special change labels are not displayed when changes are committed in the Designer.


An error occurs on saving in the Designer if a change label was selected that already contains references to objects.


Running the ExecuteTemplates method on a multi-select object does not return a result.


Entries in a list of permitted values may not be translated correctly.


Error running the Check uniqueness of alternate keys consistency check.


The ProcID parameter is not taken into account in triggered processes with the FireGenEvent process task of the HandleObjectComponent process component.


The Database Transporter does not display each transport of a cumulative transport correctly.


Multiple start times for a schedule are not taken into account correctly when calculating the run times and while running.


The Schema Extension creates indexes for object keys (XObjectKey) whose names are more than 30 characters long and therefore do not comply with the naming convention.


Machine roles are not correctly applied in the Docker container for the API Server.


If the server function for a process step changes, the system does not notice that the process needs to be recompiled.


If a schedule is supposed to run on a certain day of the week, an error occurs when calculating the next run.

36287, 36290

An error occurs loading collections with an empty where clause.


An error occurs when an export definition that is saved in the user settings is deleted in the Manager.


Filter queries for menu items that contain objects with certain starting characters are run too often.


The Job Queue Info throws an error when the number of retries is set.


Under certain conditions, such as when the network is interrupted, the Database Agent Service plugin stops and does not start again.


Under certain conditions, the Database Transporter compiles web projects too often when it imports a cumulative update.


Columns that do not exist in certain tables are queried in the transport condition.


The Configuration Wizard does not process calculation tasks for the DBQueue Processor when a database is restored.

35876, 36428

Auxiliary tables are not included in consistency checks.


The One Identity Manager Service status page is not always shown.


Error running the QBM_PJobCreate_HOInsert procedure if a WhereClause property changes.


Process steps in the Job queue sporadically have an inconsistent state and cannot be processed.


Custom triggers might be deleted when the One Identity Manager database is updated from version 8.1.x to version 9.1.


The import of custom schema extensions checks references to columns before the columns themselves are imported.


If a column was marked for recording historical data in the source database but is removed again before it is transferred to the History Database, the History Database transfer fails.


In certain cases, an error occurs sending subscribed reports.


HTTP HEAD requests to the One Identity Manager Service website cause the following error: "Bytes to be written to the stream exceed the Content-Length bytes size specified."


Processes on the DialogDatabase table can no longer be started manually. This also affects the ATT_DialogDatabase_Trigger_AttestationCase_VerificationMail process.


In the database query with the Historical assignments query module, the user shown as the CreateUser is not the one that created the assignment.


Permissions filters are modified by code processing.


Error creating a generating condition or a script for a process using dollar ($) notation if a foreign key column is selected by double-clicking the right mouse button.


The Database Transporter does not show data that causes a conflict correctly in the Merge conflict dialog box.


Error saving requests if processes are already in the Job queue that can trigger events to send mail for other requests.

Error message: String or binary data would be truncated in table 'OneIM.sys.TT_QBM_YParameterList_6A941822', column 'Parameter1'.


Under certain conditions, exporting to the History Database fails.


It is only possible to install a module with the Configuration Wizard later if another module is selected for update at the same time.


If parallelization of process handling is intensive, the Job queue can enter an inconsistent state when processes are restarted.


Processes that are not run because the IsExclusivePerObject process task is enabled can stop other processes from running.


Replacing variables from the navigation in element descriptions on overview forms does not work.


After reindexing tables as part of maintenance tasks, not all indexes may be released again.


Table 6: General web applications

Resolved issue

Issue ID

You cannot upload a profile image in the Web Portal.


In the Web Designer Web Portal, it is not possible to request a multi-requestable/unsubscribable resource for an identity more than once.


The wrong information is shown when logging in to the Web Designer Web Portal.


Under certain conditions, the scrollbars are missing in the Password Reset Portal.


Under certain conditions, the Web Designer Web Portal always prompts that too many search results were found.


Under certain conditions, the Web Portal search function does not return the expected result.


In the Web Portal, the shopping cart implies you can send a subset of the requested items.


The modified Display pattern property does not affect the request or request parameters in the Web Portal.


If you enter a date for a product property in the Web Portal's shopping cart, under certain conditions the value is deleted when the shopping cart is submitted.


The Web Designer Web Portal does not display all the tiles correctly.


The Web Portal search does not return the correct results if an asterisk (*) is included as a placeholder.


In the Web Designer Web Portal, you must enter a product's request parameters for each request recipient although the product is configured such that the request parameters only have to be entered once.


Under certain conditions in the Web Designer Web Portal, you cannot export the request history data.


Too many database connections are established in the Web Designer Web Portal for unauthorized queries.


The Web Portal does not display new requests immediately in the respective tile.


The Web Designer Web Portal does not check renewal requests and cancellations correctly in the shopping cart.


Under certain conditions, dependencies of multiple request parameters to one another are not taken into account in the Web Portal.


Code highlighting and auto completion of variables does not work in the Web Designer.


An error can occur when the Manager web application is automatically updated.


Under certain conditions, the Web Designer Web Portal does not show a change icon when values are added or changed.


Under certain conditions, selecting requests and displaying the request history in the Web Portal can lead to long response times for administrators of organizations and business roles.

36316, 36613

In the Web Portal, it is only possible to manage directly subordinate identities.


Under certain conditions, the Web Portal's request history shows request properties with the incorrect values.


Under certain conditions in the Web Portal, it is not possible to create service items for system entitlements.


In a customized Web Portal, you cannot add a product renewal as a request to the shopping cart.


In the Web Portal, the request workflow displays withdrawal of an additional approver incorrectly.


In the Web Portal, the shopping cart uses the wrong product names.


In the Web Portal, the Request details pane does not appear anymore once products are added to the shopping cart that require more information.


The Web Portal displays some untranslatable text when the terms of use are being accepted.


The Web Portal displays the wrong message when selecting requestable products if a product was already assigned.


The Web Portal does not display memberships that were added or deleted in system roles in an identity's history.


If you make a new request in the Web Portal using a peer group, the products selected by organizational structure are each put in their own shopping cart.


Under certain conditions, installing the Web Portal fails.


In the Operations Support Web Portal a column title is not translated correctly in the process overview.


Under certain conditions, instead of the display name the Web Portal displays only the ID of the selected object when conditions for automatic membership are created.


The Web Portal does not always show the correct results when grouping and filtering in tables at the same time.


Under certain conditions, the Web Portal shows the splash screen all the time.


Under certain conditions, the Password Reset Portal shows the splash screen all the time.


In the Web Portal, when you reset objects to their previous state you can switch to the second step in the wizard without entering data. This causes an error.


The Operations Support Web Portal leaves the queue list empty, and no data appears.


In the Web Portal, it is not possible to search by compliance rules and to filter the respective search results.


In the Web Portal, no recipient must be selected if requesting for others.


In the Web Portal, no system role memberships are displayed.

324128, 36503

The Web Portal uses the wrong identifiers in the details of an attestation case.


Under certain conditions, after clicking Assign/Change in the Web Portal, no objects can be selected for property fields.


It is not possible to create new user accounts in the Password Reset Portal.

324290, 36034

The Web Portal shopping cart does not correctly display whether an identity is not entitled to request a product. The request can still be sent, but it has no effect.


The Web Portal marks all pending requests as compliance violations the moment just one of the displayed pending requests causes a compliance violation.


The Web Portal cannot display a compliance violation in the shopping cart and the respective shopping cart cannot be submitted.


A report is not subscribable in the Web Portal if it is not configured for PDF format.


It is not possible to edit identity main data in the Web Portal, even if you have all the necessary permissions.

330766, 36011

In the Web Portal, it is not possible to publish application entitlements.


In the Web Portal, the Requests submitted by other users filter option in the request history does not work.


If you change the title of a web application, it causes follow-up problems.

352481, 36016

In the Web Portal, copying attestation policies causes an error.

358311, 36090

Under certain conditions, errors occur when displaying potential rule violations in the shopping cart.


In the Web Portal, requesting a product causes an error if the product cannot be requested for at least one request recipient.


In the Web Portal, it is possible to add products in the shopping cart although the recipient does not have request authorization.


In the Web Portal, approval decisions about policy violations can only be made once.


The Web Designer Web Portal does not display all the tiles on the request page correctly.


The Web Portal does not translate the descriptions of the corresponding company policies correctly when it displays policy violations.


Under certain conditions, the View Settings menu in the Web Designer Web Portal is shown twice.

367741, 35722

If you try to log in to the Web Portal with the wrong credentials, an empty page is displayed instead of an error message.


In the Administration Portal, the links to some of the web applications are incorrect.


Under certain conditions, the Operations Support Web Portal does not display provisioning processes.


Under certain conditions, it is not possible to add products to request templates in the Web Portal.


Under certain conditions the Web Portal does not load data correctly when requests for products with additional information are made.


Under certain conditions, an error occurs editing the date fields.

387324, 36166

In the Web Portal, you cannot display the details of request templates.


The Web Designer Web Portal header is displayed incorrectly.


The Operations Support Web Portal does not translate all the user interface captions of the Pending provisioning processes function correctly.

389068, 36362

In the Web Portal, it is not possible to assign new attestation policies to policy collections.

390235, 36414

Logging in to a web application again does not change the imx_sessiongroup cookie.

393075, 36317

In the Administration Portal, it is not possible to disable the Service items without image inherit the image of the assigned service category configuration key.


Grouping attestation cases in an attestation run's details in the Web Portal causes an error.

393864, 36359

Under certain conditions, password questions cannot be edited in the Web Portal.


Under certain conditions, the numerical values of the following configuration parameters are not read in correctly.

  • QER\ITShop\Recommendation\ApprovalRateThreshold

  • QER\ITShop\Recommendation\PeerGroupThreshold

  • QER\ITShop\Recommendation\RiskIndexThreshold

  • QER\ITShop\PeerGroupAnalysis\ApprovalThreshold


The API Server sometimes uses invalid connections to the application server.


It is not possible to log in to the Administration Portal using OAUTH authentication.


In the Web Portal, attestation cases are offered to identities for approval although their approval is not required anymore.

36505, 405092

The Web Portal displays a number instead of a string for the Gender property in the details of an attestation run.


In certain cases in the Web Portal, issues with business roles that conflict with each other are not found when the shopping cart is checked.


Table 7: Target system connection

Resolved issue

Issue ID

The SCIM connector sets boolean and numerical properties to null if they do not contain a value. Error message: Cannot convert null to 'bool' because it is a non-nullable value type.


On Windows Server 2012, the Exchange Online connection fails to connect to the target system.


On the Define search criteria for employee assignment form in the Manager, the Google Workspace user accounts are not shown when a new search criterion is defined.


Error editing the endpoint configuration of a system connection to a cloud application.


The display values of multi-value properties are not shown properly in the target system browser.


Azure Active Directory synchronization generates too many processes.


An error occurs when an Azure Active Directory group is created without an alias.


Error connecting to a database via the generic database connector if the password for the database login contains double quotes.


Error copying synchronization projects.


Error creating a synchronization project for synchronizing Oracle E-Business Suite. Error message: An item with the same key has already been added.


Microsoft Exchange remote mailboxes are not included when determining the origin of entitlements.


The Active Directory connector writes structural object classes for domains (ADSDomain.StructuralObjectClass) at every synchronization.

A patch with the patch ID VPR#35808 is available for synchronization projects.


User accounts (UNSAccount) without containers (UNSContainer) are ignored even if there are no containers in the target system.


If Active Directory is synchronized using a special variable set, an error occurs when Active Directory SIDs are updated by the MaintainOtherSid process task.


Under certain conditions, an error occurs simulating synchronization:

  • Simulation is run over a remote connection.

  • Simulation is started several times for the same start up configuration.


Error saving a synchronization project if the connection goes through the application server and the target system connection has high network latency.

Error message: Application server returned an error.


If an object filter was defined for a root entry in the scope definition, there might not be an object in the scope.


Synchronization with OneLogin fails if there are self-registered users.

Error: Null object cannot be converted to a value type.


The target system alignment uses an incorrect formatter option.


If there are several redundant entries in SAP R/3 for an authorization object, only one authorization definition is read into the One Identity Manager database when SAP authorization objects are synchronized. All other instances are ignored. In particular, the instance with the highest value is missing.

A patch with the patch ID VPR#35944 is available for synchronization projects.


Error loading SharePoint Online objects if an object filter is defined.


Access to the RemoteConnectPlugin does not work across machines.

The HTTP server registration has been adjusted and can be set up using the HttpAuthentication and HttpBindAddress parameters in the plugin's configuration.


An error occurs loading the list of all Active Directory user accounts with the Active Directory connector if one of the user accounts contains a mistake.


Synchronization with OneLogin might possibly report ambiguous keys in the reference resolution to the OLGUserHasOLGCustomAttribute table.


References that cannot be allocated because the OneLogin objects no longer exist, are saved in the synchronization buffer.

A patch with the patch ID VPR#35969 is available for synchronization projects.


You cannot select an account definition on the OneLogin user account's master data form.


Processing conflicts between synchronization and other system processes (for example, provisioning) are not always reliably detected.

In the StdioProcessor configuration file, the rate of updating the processing information can now be configured. By default, the data remains in the cache for 60 seconds. Only change this value if there is an issue.

If you are affected by the issue, add the following entries to the StdioProcessor.exe.config file:

<configSections>
  <section name="synchronization" type="System.Configuration.NameValueSectionHandler" />
</configSections>

<synchronization>
  <add key="SysConcurrenceCacheLifeTime" value="60" />
</synchronization>



The OLG_4_NAMESPACEADMIN_ONELOGIN permissions group has too many edit permissions on OneLogin applications (OLGApplication table) and OneLogin roles (OLGRole table).


An error occurs if a synchronization project is created for Azure Active Directory and provisioning of subscription assignments (AADUserHasSubSku table) is disabled.


The schema provided by the Domino connector might be incomplete or individual properties might not have the correct data type.

35644, 35999, 36142

There is no recalculation of the effective assignments of target system-specific system entitlements if the inheritance settings defined in the manage level are overwritten. The following assignments are affected:

  • Subscription assignments to Azure Active Directory user accounts (AADUserHasSubSku table)

  • Entitlement assignments to Oracle E-Business Suite user accounts (EBSUserInResp table)

  • Role assignments to SAP R/3 user accounts (SAPUserInSAPRole table)

  • Structural profile assignments to SAP R/3 user account (SAPUserInSAPHRP table)


There is no recalculation of the effective assignments of system entitlements for cloud target systems if the inheritance settings defined in the manage level are changed.


The O3SWeb.Description column is too short.


Provisioning processes in a target system go into a Frozen state if a password containing special characters is transferred with encryption.


There is no recalculation of the effective assignments of system entitlements for custom target systems if the inheritance settings defined in the manage level are changed.


An error occurs in the One Identity Safeguard connector if tags are used in object filters.


Error changing an employee's default email address if they have an Azure Active Directory user account with an Exchange Online mailbox.


When a synchronization project is created over a remote connection, an error can occur during deserialization.


A synchronization simulation quits unexpectedly if a remote connection is used.


PATCH operations generated for schema extension properties cause an error in the SCIM connector.

A patch with the patch ID VPR#36108 is available for synchronization projects.


In the Synchronization Editor, the timeout for a remote connection is too short. For example, this can cause errors when creating a synchronization project over a remote connection.

The timeout has been increased to 3 minutes to solve the issue. If this timeout is not sufficient, you can adjust the following value in the SynchronizationEditor.exe.config file.


<add key="RequestTimeout" value="180" />



When a synchronization project is created over a remote connection, an error can occur if the volume of data is too big.


If the One Identity Manager database is encrypted, the system mistakenly encrypts the ExpirePassword connection parameter in synchronization projects with the LDAP connector for IBM RACF.


A scope filter configured hierarchically in a connected LDAP target system with a Microsoft implementation (Active Directory Lightweight Directory Service (AD LDS) or Active Directory) has no effect.


Ineffective memberships in cloud groups or system entitlements are provisioned.

A patch with the patch ID VPR#36150 is available for synchronization projects.


The Manager does not display the menu item for user accounts and groups of cloud target systems correctly.


In the UNSAccount proxy table, the AccountName column for the EX0MailBox, EX0MailContact, and EX0MailUser tables is empty.


An error occurs when the Synchronization Editor performs a consistency check on schedules with multiple start times.


Errors can occur when writing the synchronization log.


Connecting to an Azure Active Directory tenant with schema extensions for types that are not currently supported by the Azure Active Directory connector ("device" for example) causes an error.

Error message: Object reference not set to an instance of an object.


Dynamic memberships of Azure Active Directory user accounts in Office 365 groups that are marked as outstanding cannot be deleted by target system synchronization.


A conversion error occurs for 'Oracle.ManagedDataAccess.Types.OracleDecimal' when objects in a table are added in a sequence.


If a scope filter was defined, an error occurs adding new objects with the SCIM connector because of an incorrect query.


Single roles contained in collective roles cause errors with double entries in the One Identity Manager database when synchronizing SAP role assignments to user accounts in a CUA.


In the Synchronization Editor, the start up configuration list that can be assigned to a start up sequence is empty.


It is not possible to select an account definition for the Active Directory domain on the Microsoft Exchange mailbox or the Exchange hybrid remote mailbox forms.

36228, 36257

It is not possible to delete a SharePoint Online site collection with an assigned administrator (O3SSite.UID_O3SUserPrimaryAdmin).


No OneLogin user accounts can be assigned to employees.


Certain SAP communication data such as preferred telephone numbers or preferred email addresses that are marked as outstanding, cannot be deleted during target system synchronization.


Error displaying schema types in the target system browser of an SAP HCM system's synchronization project if a hierarchy is defined that contains a circular reference.


No passwords are transferred to the LDAP target system if the LDAP connector V2 is being used.

A patch with the patch ID VPR#36271 is available for synchronization projects.


It is possible that new objects do not display meaningful values if they were incompletely mapped.


An error occurs updating LDAP synchronization projects.

Error message: Error running the 'Apply' script of patch (VPR#33513 - Support multiple domains with the same DN)!


The ADS_PersonHasTSBAccountDef_Autocreate_ADSAccount/Contact process goes into a Frozen state in the Wait until dependent objects recalled process step.


If errors occur loading target system objects, synchronization quits even though the workflow has the Continue on error option enabled.


Using the O3S_CreateO3SSite script to add SharePoint Online site collections does not work if modern authentication with a certificate is used.


The DBQueue Processor removes Active Directory user accounts from Active Directory groups that have the Read-only memberships property (ADSGroup.HasReadOnlyMemberships).


The target system browser for Exchange Online objects sometimes displays GUIDs instead of readable values.


The Azure Active Directory connector sends unnecessary (empty) patches after a group is updated where only members or owners have changed.


The filters generated in the SCIM connector for resolving references are not formatted correctly.


LDAP user accounts and groups cannot be deleted if they are connected to a SharePoint user account.


Active Directory user accounts and groups cannot be deleted if they are connected to a SharePoint user account.


Unnecessary updates are triggered by the LDAP connector if there are empty values.


Filters in the SCIM connector may not contain sufficient data to query objects in the target system.


Virtual properties for resolving references attempt to use the synchronization buffer in target systems.


Error provisioning object changes if the DPRProjectionObjectState table contains object references with the System.Byte[] object type. Error message: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.


It is not possible to enter multiple lines of encrypted data in the Synchronization Editor.


The User account is disabled property for user accounts (LDAPAccount.AccountDisabled) is not taken into account in the LDAP connector V2.

A patch with the patch ID VPR#36450 is available for synchronization projects.


Process steps for setting permissions and publishing are not carried out if the home directory of Active Directory user accounts with unknown home directory paths is moved.


Provisioning assignments of SAP BI user accounts to BI analysis authorizations takes a very long time and sends a lot of RFC queries to the SAP application server.


An error occurs creating the Send as and Full access mailbox permissions for Microsoft Exchange remote mailboxes.


An error occurs when multiple custom target system user accounts or groups are selected in the Manager.


Authentication via WindowsHttpAuthentication does not work in the One Identity Manager Service.


Under certain conditions, processes that should be exported together to a History Database are not grouped into a process group.


Error during delta synchronization of Azure Active Directory group memberships.


The target system's own cross-site scripting tokens are not sent to the SCIM provider in the header of a write operation.


If the InternetAddress schema property is empty, a warning is written in the system journal when HCL Domino is synchronized (not initial synchronization).

A patch with the patch ID VPR#35816 is available for synchronization projects.


The value in the AADUser.ThumbnailPhoto column is not provisioned in the target system.


Changes to the Microsoft Exchange mailbox databases in One Identity Manager are overwritten by old values.

A patch with the patch ID VPR#36151 is available for synchronization projects.


Error synchronizing a cloud application with the SCIM connector when filters are defined in the synchronization project.


Error loading objects if a schema extension for an SAP R/3 synchronization project has a key property defined that is longer than 70 characters.


Error provisioning assignments of SAP BI analysis authorizations to BI user accounts if assignment is across clients.


Sometimes the calculation of assignments of cloud user accounts to cloud groups fails.


Error generating the synchronization log if a new value contains a very long string.


Error loading object lists via remote connections.


Error provisioning a new Microsoft Teams team.


When memberships are removed from Unix groups, other memberships that should not be removed are deleted.


Table 8: Identity and Access Governance

Resolved issue

Issue ID

Under certain conditions, entries in the PWOHelperPWO table are not recalculated.


Duplicate entries in the AttestationHelper table. Sporadically, entries are created twice in the auxiliary table for attestation cases (AttestationHelper). This means the number of email notifications is doubled. If the approval workflow contains an approval step for external approval, the process for external approval is generated twice.


Permissions missing from the vi_4_ITSHOPADMIN_OWNER permissions group for the columns ADSGroup.HasReadOnlyMemberships and AADGroup.HasReadOnlyMemberships.


Application entitlements that are created automatically might not have a display name.


The CreateITShopOrder method for creating assignment requests for memberships in Exchange Online mail-enabled distribution groups is missing.


The TSBVPersonAndGroups view can contain duplicates. For example, this can cause errors generating reports about the origin of entitlements.


If the display pattern for the Person table is customized such that the InternalName column is not used anymore, errors occur when generating email notifications for the next approver.


Office 365 groups are not included when determining the origin of entitlements.


The Analyzer cannot run an analysis after the database connection has changed.


If the QER | ITShop | ExceededValidUntilUnsubscribe configuration parameter is set, unsubscribing processes quit unexpectedly with an error.


Under certain conditions, those responsible for organizations are not deleted.

  • An application role is assigned to a department as an additional manager.

  • An employee becomes a member of this application role by assignment request.

  • The assignment is canceled.

However, the employee remains manager of the department (entries in the HelperHeadOrg table with XOrigin = 8 are not deleted).


End users are missing edit permissions for the AttestationHistory table.


If an approval decision is made when a request is created, no email notification is sent to the requester.


Error attesting objects with properties that are disabled by pre-processor conditions.


Too many recalculation tasks are generated by removing the mutually exclusive entry from Active Directory groups.


The Analyzer does not run without an error.


Attestation procedures are loaded too often if users have limited permissions.


An error occurs if multiple attestation runs are created simultaneously for an attestation policy. Only one attestation run is created. The processes to generate further attestation runs fail.


Error attesting if the attestation was delegated and the length of the text in the reason for the approval decision is longer than 400 characters.


If identifiers were issued manually in the working copy of a rule, incorrect identifiers are formed for compliance rules and subrules (UID_ComplianceRule and UID_ComplianceSubRule) when compliance rules are enabled.


DBQueue Processor requests CPL-K-ComplianceSubRuleFillPersonS block each other, are reset repeatedly, and are not processed.


An error occurs running the System entitlement ownership attestation default attestation policy.


The permissions to edit a dynamic role's role/organization in the Manager are wrong.

36106

The given values are not permitted in the approval sequence for the affected approval's type (PWODecisionHistory.DecisionType).


If there is no employee assigned to the product owner application roles, they will be deleted even if they are assigned to a service item or service category.


If a shopping cart with request parameters is sent off and the request is automatically approved because the QER | ITShop | DecisionOnInsert configuration parameter is set, the request parameters are missing from the request procedure.


If request parameters are given for a request, the UIDs are displayed in the request history instead of the parameters' display names.


When requests are canceled because the requested product has been removed from the IT Shop, the request recipients are not notified, although a mail template, Cancel, is stored with the approval policy.


Sporadically, there are double entries in the auxiliary table for request procedures (PWOHelperPWO).


Error assigning service items to Azure Active Directory groups marked with the Read-only memberships property (ADSGroup.HasReadOnlyMemberships).


Approval procedures stop responding when the number of approvers is set to -1.


In the Manager, multiple pending requests cannot be canceled at the same time.


Error calculating memberships in dynamic roles: The current transaction cannot be committed and cannot support operations that write to the log file.


If the product owner of a service item in an Azure Active Directory group changes, the members of the originally assigned application role remain as group owners. If the product owner of a service item in an Exchange Online e-mail enabled distribution group changes, the members of the originally assigned application role remain administrators of the distribution group.


Events on the Person base object are not generated properly if management of an employee's role memberships (like the primary department) is automated via IT Shop requests.


If a customer is removed from a shop in which they have requests and this customer is authorized to request the same product in another shop, then the changes are not illustrated clearly in the approval history.


Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 9: General
Known Issue

Issue ID

Error in the Report Editor if columns are used that are defined as keywords in the Report Editor.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.


Access errors can occur if several instances of the Web Installer are started at the same time.


Headers in reports saved as CSV do not contain corresponding names.


Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.


Error connecting via an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.


Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key is not permitted and would result in further errors in many other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.


If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the servers is done by distributed transaction. If a Save Transaction is run in the process, an error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.


If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.


Variables are used in a report and there are customized translations given for these variables in the Report Editor. However, the variables are not translated in the report that is generated.

Cause: When reports are generated, the translations of default variables as displayed in the Report Designer dictionary below the Quest category are overwritten with the values from the One Identity Manager database.

Solution: Create your own variables and store them outside of the Quest category in the Report Designer dictionary. These variables can be translated.


Table 10: Web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.


In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.


It is not possible to use the Web Designer to place a link in the header of the Web Portal next to the company name/logo.


In the Web Portal, it is possible to subscribe to a report without selecting a schedule.


  • Create an extension to the respective form, which displays a text message under the menu explaining the problem.
  • Add a default schedule to the subscribable report.
  • In the Web Designer, change the Filter for subscribable reports configuration key (VI_Reporting_Subscription_FilterRPSSubscription) and set the schedule's Minimum character count value (UID_DialogSchedule) to 1.


If the application is supplemented with custom DLL files, an incorrect version of the Newtonsoft.Json.dll file might be loaded. This can cause the following error when running the application:

System.InvalidOperationException: Method may only be called on a Type for which Type.IsGenericParameter is true.
at System.RuntimeType.get_DeclaringMethod()

There are two possible solutions to the problem:

  • The custom DLLs are compiled against the same version of the Newtonsoft.Json.dll to resolve the version conflict.

  • Define a rerouting of the assembly in the corresponding configuration file (for example, web.config).


    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30AD4FE6B2A6AEED" culture="neutral"/>
        <bindingRedirect oldVersion="" newVersion=""/>
      </dependentAssembly>
    </assemblyBinding>


In the Web Portal, the details pane of a pending attestation case does not show the expected fields if the default attestation procedure is not used, but a copy of it is.


  • The object-dependent references of the default attestation procedure must also be adopted for the custom attestation procedure.


Table 11: Target system connection
Known Issue

Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.


By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.


Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, provided that no primary SIP address has been stored so far.

27042

Error in Domino connector (Error getting revision of schema type ((Server))).

Probable cause: The HCL Domino environment was rebuilt, or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the HCL Domino environment.


The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.


Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to the user account.

    - OR -

  • A company is assigned to the central system.


Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will come into effect later.

Cause: The BAPI_EMPLOYEE_GETDATA function is always called with the current date. Therefore, changes are only taken into account on the day they take effect.

Solution: To synchronize personnel data in advance that comes into effect later, use a schema extension and load the data from the table PA0001 directly.


Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.


The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.


  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.


If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact, and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.


If date fields in an SAP R/3 environment contain values that are not in a valid date or time format, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version or later must be installed on the synchronization server.

IMPORTANT: Use this workaround only if there is no alternative, because it skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.
    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">
        <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />
      </sectionGroup>

    • In the new SAP.Middleware.Connector section:

      <SAP.Middleware.Connector>
        <GeneralSettings anyDateTimeValueAllowed="true" />
      </SAP.Middleware.Connector>



There are no error messages in the file that is generated by the PowershellComponentNet4 process component (OutputFile parameter).


No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.


Messages in the script can be written to a file specified in the script using the *> redirection operator.


Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force a stop on error in the script, you throw an Exception. This message then appears in the One Identity Manager Service's log file.
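The following script shows the pattern described above in context. It is an added example and is not part of the release notes or of the One Identity Manager product: diagnostics from a script step are redirected to a separate messages file with the *> operator, the terminating error is raised outside the redirected block so that the One Identity Manager Service log records it, and objects meant for the OutputFile export are emitted on the Output stream outside the redirection. The $messagesFile path and the Invoke-Step function are assumptions made for this example.

```powershell
# Added example, not from the release notes or the One Identity Manager product.
# $messagesFile and Invoke-Step are assumptions made for this example.
$messagesFile = Join-Path $env:TEMP 'messages.txt'
$state = @{ Failed = $false }   # a hashtable is a reference, so the script block can update it

function Invoke-Step {
    param([Parameter(Mandatory)][string]$Name)
    Write-Verbose "starting $Name" -Verbose
    if ($Name -eq 'step2') {
        # simulated failure for the example
        throw "step '$Name' failed"
    }
    Write-Warning "$Name finished with a warning"
}

# Every stream the block writes (Error, Warning, Verbose, Debug, Information
# and Output) is redirected to the messages file; *>> appends instead of overwriting.
& {
    foreach ($step in 'step1', 'step2') {
        try {
            Invoke-Step $step
        }
        catch {
            Write-Error "$step : $($_.Exception.Message)"   # captured in the messages file
            $state.Failed = $true
        }
    }
} *>> $messagesFile

# Raise the terminating error outside the redirected block so that the process
# stops and the failure appears in the One Identity Manager Service log file.
if ($state.Failed) {
    throw "Script failed; details in $messagesFile"
}

# Objects emitted here, outside the redirection, still reach the OutputFile export.
[pscustomobject]@{ Step = 'summary'; Failed = $state.Failed }
```

Keeping the throw outside the redirected block matters: if the script block itself is the unit being redirected, diagnostics and the failure record land in the messages file, while the terminating error that stops the process component is raised in the script's own scope.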


The Google Workspace connector cannot successfully transfer Google applications user data to another Google Workspace user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advanced settings for Google Workspace, save a user data transfer XML. In this XML document, limit the list to the user data to be transferred. Only include the Google applications whose user data you still need. For more information and an example XML, see the One Identity Manager Administration Guide for Connecting to Google Workspace.


In the schema type definition of a schema extension file for the SAP R/3 schema, if a DisplayPattern is defined that has a different name in the SAP R/3 schema than in the One Identity Manager schema, performance issues may occur.

Solution: Leave the DisplayPattern empty in the schema type definition. Then the object's distinguished name is used automatically.


If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.


Avoid appending spaces in the target system.


The process of provisioning object changes starts before the synchronization project has been updated.


Reactivate the process for provisioning object changes after the DPR_Migrate_Shell process has been processed.


After an update from SAP_BASIS 7.40 SP 0023 to SP 0026 or SAP_BASIS 7.50 SP 0019 to SP 0022, the SAP R/3 connector can no longer connect to the target system.


Table 12: Identity and Access Governance

Known Issue

Issue ID

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.


If an assignment is inherited through a role hierarchy, bit 1 is set on the inherited assignment. Inherited assignments are consequently always indirectly assigned, even if they were originally created directly by a dynamic role or an assignment request.


If a service item's Max. days valid option is reduced such that approved requests have already expired, these requests can no longer be unsubscribed.


Create a process for the AccProduct base object that is triggered when changes are made to AccProduct.MaxValidDays. The process calculates the 'valid until' date for these requests (PersonWantsOrg.ValidUntil) from PersonWantsOrg.ValidFrom and AccProduct.MaxValidDays.

After which, you can unsubscribe the requests.


Table 13: Third party contributions
Known Issue

Issue ID

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers on the grounds of security.


An error, TNS-12516, TNS-12519, or ORA-12520, sporadically occurs when connecting to an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.


Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.


Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see

762534, 762548, 29607

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016: KB4462928

  • Windows Server 2012 R2: KB4462926, KB4462921

  • Windows Server 2008 R2: KB4462926

One Identity does not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory group provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.


Under certain conditions, the wrong language is used in the Stimulsoft controls in the Report Editor.


When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.


In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellComponentNet4 process component through a user-defined Windows PowerShell call.


Schema changes

The following provides an overview of schema changes from version 9.1 up to version 9.1.1.

Configuration Module
  • The QBMColumnLimitedValue.KeyValue column was extended to nvarchar(256).

Target System Base Module
  • The data type of the UNSAccountInUNSGroup.XIsInEffect column was changed to bit.

Active Directory Module
  • The data type of the ADSVAccountInADSGroup.IsMembership, ADSVAccountInADSGroup.IsPrimary, and ADSVAccountInADSGroup.XIsInEffect columns was changed to bit.

  • The data type of the ADSVMachineInADSGroup.IsMembership, ADSVMachineInADSGroup.IsPrimary, and ADSVMachineInADSGroup.XIsInEffect columns was changed to bit.

SharePoint Online Module
  • The O3SWeb.Description column was extended to nvarchar(max).

SAP R/3 User Management Module
  • The data type of the SAPVSAPUserInSAPRoleAll.XIsInEffect column was changed to bit.

Identity Management Base Module
  • The data type of the QERVPersonHasElement.XIsInEffectOfPersonAssignment column was changed to bit.

Compliance Rules Module
  • New columns ComplianceRule.RiskDescription, ComplianceRule.RiskObjectives, ComplianceRule.RiskOrgMitigationCtrl, and ComplianceRule.RiskScope for extending compliance rules.

Changes to system connectors

The following provides an overview of the modified synchronization templates and an overview of all patches supplied by One Identity Manager version 9.1 up to version 9.1.1. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.
