Identity Manager 9.2 - Release Notes

One Identity Manager 9.2

Release Notes

02 October 2023, 15:04

These release notes provide information about the One Identity Manager release version 9.2. You will find all the modifications since One Identity Manager version 9.1.1 listed here.

For the most recent documents and product information, see Online product documentation.

One Identity Manager 9.2 is a minor release with new functionality and enhanced behavior. See New features and Enhancements.

If you are updating a One Identity Manager version older than One Identity Manager 9.1.1, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide


About One Identity Manager 9.2

One Identity Manager simplifies the process of managing user identities, access permissions, and security policies. It gives control over identity management and access decisions to your organization, freeing up the IT team to focus on their core competence.

The One Identity Manager enables you to realize Access Governance demands cross-platform within your entire company. One Identity Manager is based on an automation-optimized architecture and, unlike other “traditional” solutions, addresses major identity and access management challenges in a fraction of the time, complexity, and expense.

One Identity Starling

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make new products and features available to One Identity Starling.

For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit

New features

New features in One Identity Manager 9.2:

  • Support for Amazon RDS for SQL Server as a database system.

  • A configuration library with variations of templates and formatting scripts is available. There are different templates supplied for the CentralAccount, CentralEBSAccount, CentralSAPAccount, DefaultEmailAddress, and InternalName columns in the Person table as well as formatting scripts.

  • Automated monitoring of object changes

    After objects have changed in One Identity Manager, the processing of these changes can be monitored automatically via an interface (REST API). The REST API returns the resulting process ID for each object action. This process ID can be used to retrieve various information about the processes that handle the object changes.

  • The functionality of the FileComponent.ModifyFileAccess_DotNet process task has been extended.

    A new parameter, AccessControlList, allows multiple entries of access permissions to be configured. The ModifyFileAccess_Universal process task has been replaced by this process task in the default processes.

    IMPORTANT: In the processes to create home and profile directories for Active Directory user accounts, the QER | Person | User | AccessRights | HomeDir | EveryOne, QER | Person | User | AccessRights | ProfileDir | EveryOne, QER | Person | User | AccessRights | TerminalHomeDir | EveryOne, and QER | Person | User | AccessRights | TerminalProfileDir | EveryOne configuration parameters are no longer taken into account.

    Ensure that the subdirectories under the root directories, such as the home directory, do not inherit permissions from the Everyone user group. Otherwise, there is a possibility that the user group obtains unwanted permissions on all home directories.
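One way to check the condition described in the IMPORTANT note above, as an added example (not One Identity code): the PowerShell script below lists every first-level subdirectory of a home or profile root that carries an Allow entry for the Everyone group and shows whether that entry is inherited. `$RootPath` is a placeholder for your own root directory.

```powershell
# Added example: audit home/profile directories for Everyone permissions.
# $RootPath is a placeholder; pass the root directory that holds the user directories.
param(
    [Parameter(Mandatory)]
    [string]$RootPath
)

# Well-known SID of the Everyone group. Comparing SIDs instead of names
# keeps the check independent of the operating system language.
$everyoneSid = 'S-1-1-0'

Get-ChildItem -LiteralPath $RootPath -Directory | ForEach-Object {
    $dir = $_
    $acl = Get-Acl -LiteralPath $dir.FullName

    # Read explicit and inherited ACEs, with identities translated to SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $everyoneSid -and
            $rule.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Directory          = $dir.FullName
                Rights             = $rule.FileSystemRights
                # True: the ACE comes from a parent directory (the case the note warns about).
                IsInherited        = $rule.IsInherited
                # True: inheritance from the parent is blocked on this directory.
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}
```

An empty result means no subdirectory grants access to Everyone; rows with `IsInherited = True` point to a permission set on the root directory or above it.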

HTML web applications

NOTE: New Web Portal features have been implemented for the HTML application but not for the Web Designer Web Portal.

  • The Web Portal offers context-sensitive help. This shows help texts and links to the user guides.

  • The Web Portal now displays descriptions of certain properties as help.

  • In the Web Portal, you can now compare identities and their properties with each other.

  • In the Web Portal, you can now display responsibilities of identities that report to you. You can also limit the identities displayed to just those that have left or will soon leave the company.

  • To make it easier to maintain entitlements required by a team, you can now create a role for the identities you are responsible for.

  • TECH PREVIEW ONLY: The Web Portal supports editing of approval workflows.

    NOTE: This feature is only available to users who have the Portal_Preview_WorkflowEditor program function.

  • The Web Portal now shows approval guidance for pending requests.

  • The Web Portal can now display archived requests.

  • In the Web Portal, you can now display approval guidance for pending attestation cases.

  • You can now edit policy collections in the Web Portal.

  • There is now a feature in the Web Portal that provides recommendations for assigning entitlements to departments, application roles, business roles, cost centers, locations, or system roles.

  • In the Web Portal, those responsible for a software application now see the identities that have access to the software application.

  • In the Web Portal, you can now link and use custom designs.

  • In the Web Portal, you can now maintain translations of application names and descriptions.

  • In the Web Portal, you can now use search terms as filters. To do this, you enter the desired term in the search field and then press the Enter key.

  • In the Operations Support Web Portal, you can now display the contents of the DBQueue.

  • The Operations Support Web Portal now displays pending objects only for target systems for which the user is responsible.

  • In the Operations Support Web Portal, you can now see the completed or still open operations in the system that belong to a specific process ID.

  • In the Operations Support Web Portal, you can now display the operation history. Operations can be filtered by time, change type, and user that triggered it.

  • In the Operations Support Web Portal, you can now view the process history.

  • Log files can now be viewed and downloaded in the Administration Portal.

Target system connection

  • Property mapping rules can be used to configure whether the order of the values of multi-valued schema properties is taken into account when detecting rogue modifications.

  • Extension of the RemoteConnectPlugin

    The RemoteConnectPlugin has been extended. Additional authentication methods can be used to establish a remote connection to the target system. Additional properties, such as timeout or certificates, can be configured.

  • If system filters or object filters are created in the Synchronization Editor, it is possible to test whether the filter condition provides the correct results.

  • Changes to virtual schema properties can be tested directly in the Synchronization Editor mapping editor.

  • Support for Role-based access control (RBAC) and privileged identity management (PIM) for Azure Active Directory in new "RBAC" and "PIM" modes. Due to limitations of the Microsoft Graph API, the role management feature in One Identity Manager in "PIM" mode supports only the global directory space for active role assignments. These features must be activated manually.

    A patch with the patch ID VPR#35513 is available for synchronization projects.

  • Additional identity management related schema properties are mapped to Azure Active Directory user accounts.

    A patch with the patch ID VPR#36729 is available for synchronization projects.

  • Additional schema properties are mapped for the last login time of Azure Active Directory user accounts. These schema properties can only be accessed under an Azure Active Directory premium license.

    A patch with the patch ID VPR#33776 is available for synchronization projects.

  • Support for hierarchical address books in Exchange Online.

    A patch with the patch ID VPR#35780 is available for synchronization projects.

  • Support for Microsoft Teams team templates.

  • Support for POSIX enhancements for Active Directory user accounts, groups, and contacts.

    Patches for synchronization projects with patch ID VPR#14634 and VPR#14634_ARS are provided.

  • Support for hierarchical address books in Microsoft Exchange.

    A patch with the patch ID VPR#35779 is available for synchronization projects.

  • Active Roles version 8.1.3 is supported to the previous extent.

  • One Identity Manager supports the LDAP object class eduPerson. This object class is mainly used in directories of universities and colleges to simplify communication between institutions.

  • Support for One Identity Safeguard versions 7.2 and 7.3.

    A patch with the patch ID VPR#36617 is available for synchronization projects.

  • Support for One Identity Safeguard partitions.

    A patch with the patch ID VPR#36044 is available for synchronization projects.

  • Support for SAP .Net Connector 3.1 for x64, with version for Microsoft .NET 4.8 or later.

  • Roaming of Notes user accounts is supported.

    A patch with the patch ID VPR#36087 is available for synchronization projects.

  • The SCIM connector supports synchronization of SAP Cloud ALM applications via SAP Cloud Identity Services with the default schema. To set up the synchronization, you can use the SCIM synchronization of the SAP Cloud ALM application project template.

  • Information is mapped about the last password change and the last login date of Unix user accounts.

    A patch with the patch ID VPR#36688 is available for synchronization projects.

Identity and Access Governance

  • Renaming

    In the process of renaming, unused translations in the DialogMultiLanguage table have been cleaned up.

    • Employees to Identities

      One Identity Manager manages not only natural persons, but a wide variety of identity types. To represent this more clearly, the Person object type has been renamed from Employee to Identity. In the process, Pseudo employee has been renamed to Virtual identity.

    • Request templates to Product bundles

    • Help desk calls to Tickets

    • Language culture to language or language code

  • Support for Behavior Driven Governance for One Identity Safeguard. This includes:

    • Attestation and recertification of memberships in PAM user groups for user accounts that have not made access requests within a defined period of time. The memberships are removed automatically if attestation is denied. The time period is set by the TargetSystem | PAG | UnusedThresholdInDays configuration parameter.

    • Detection of PAM objects, such as assets, user groups, or entitlements that have not been used for a defined period of time. If, according to the PAM audit log, an entitlement has not been used during this period, a recertification procedure can be used to determine whether the entitlement is still required. Unused entitlements can then be removed from the target system. The time period is set by the TargetSystem | PAG | UnusedThresholdInDays configuration parameter.

  • New approval procedure OX - Owner of the object in any request parameter of the request properties.

    The approval procedure determines as approvers the owners (application role) of an object that is given in a request parameter. The application role is assigned to the object through a foreign key column. The name of the request parameter is given with the approval step, as well as the name of the table column that refers to the application role. The approval procedure can be used for all products that are assigned a request property that uses this request parameter.

  • Terms of use can be allocated to attestation policies. The terms of use can be provided as a PDF file in different languages.

  • In the Web Portal, attestors can be given approval recommendations. The recommendations for approving or denying attestation cases are calculated based on various criteria. The criteria are specified in the QER | Attestation | Recommendation configuration subparameters.

    NOTE: The feature has been implemented for the Web Portal HTML application but not for the Web Designer Web Portal.

  • You can now assign additional properties to attestation cases.

  • Attestation policies can be configured to generate an empty attestation run if no object to be attested is found when the attestation cases are calculated.

  • New approval procedures BA - Owner of the application and BE - Approver of application entitlement

    The approval procedures determine the owner (application role) or approver (application role) of the associated application when attesting application entitlements in the Application Governance Module.

  • New approval procedure SP - Owner of service principal

    This approval procedure determines the owner (application role) of the attested Azure Active Directory service principal.


The following is a list of enhancements implemented in One Identity Manager 9.2.

Table 1: General


Issue ID

The Update event is only generated if there were changes to the object.


The UnitOfWork prevents object changes from being added after the commit is started, otherwise they would be lost.


Introduction of a bulk query interface in the VI.DB, specifically to speed up front-ends.


The Consistency Editor can filter consistency checks in the test options dialog.


Improved the consistency check DialogDeferredOperation with overdue actions, activated but without existing job.


The SQL formatter consistency check now also checks for correct parametrization of the EmptyClause for key columns.


The Objectkey references to non existing object (tolerated) consistency check is no longer required and has been removed.


Enhanced performance and handling of autocompletion of syntax in script code.


Improved function selection for calling scripts in the Designer Script Editor. The menu tries to preselect the script for the respective selection.


Improved how proxy view extensions are displayed in the Designer's Schema Editor.


Improvements made to the user interface to support changes to multilingual translated data.


Support for automatic translation of compound strings. This finds the translation of each part and combines them to form the completed string.


In the Designer's Language Editor, customized default translations have a yellow background in the translation table.


The format of the configuration data in the form definition has been reworked. Custom form definitions are converted automatically.


The information in the DialogLogicalForm.DialogFormDefinition column is now checked for valid XML notation when saved.


Masking of free text variables in the user interface navigation has been improved. Users can now influence how special characters are masked when they use them.


Using a script, user interface variables can be calculated dynamically and depending on the context. This allows display texts in the user interface to be context-sensitive.

36305, 36238, 36862

Implementation of a visibility script in diverse default methods. This hides the methods in the Manager's task menu if they cannot be run because of object specific conditions.


The Manager shows a tool tip with a description on various assignment forms.


A new control element makes it easy to maintain complex data structures that are stored in the database, for example in JSON format or in the .NET database ConnectionString format.


Improved accessibility of the hierarchical list control.


The reason for denying a session certificate in the application server is now logged by NLog.


The product version is now shown on the tile with system information in the application server.


The AppServer.Installer.CMD.exe program is now installed locally in the same way as the other command line programs.


It is now possible to edit an existing application server installation with the Web Installer.

33584, 314733

In the One Identity Manager Service log view, the Raw Log menu displays the NLog log including entries from plugins.


Permissions for the Database Agent Service to access the msdb database that are no longer required have been removed.


The DatabaseAgentServiceCmd.exe program now writes all warnings and errors to the console output.


The email configuration wizard can now specify a Job server that takes over the SMTP server functionality.


When processes are generated for email notifications, error messages are logged if the relevant configuration parameters are not set or no valid email address is entered.


Disabled Job servers are now better displayed in the Job Queue Info program.


In the Job Queue Info, the stop and start behavior of the system (emergency stop) has changed to stop queue processing without a delay if possible.


Improved how process step error messages are presented in the Job Queue Info program. A dialog with the entire error message can be opened via the error link or the context menu.


Improved layout of buttons for emergency stop in the Job Queue Info toolbar.


Logging in the database with NLog 5 is now possible.


If an error occurs during saving, both the table name and the display name of the object are now output in order to better locate the faulty object.


Improved output of error messages from the database.


Autocomplete has been improved in the Object Browser filter.


Extra space in the Object Browser filter text box has been removed.


Enhanced performance importing cumulative transports with the Database Transporter.


Improvements in the DBTransporterCMD.exe command line program.

37012, 37013

Various improvements to the Data Import program's user interface.


The Software Loader displays a warning if the selected files for importing are not in a valid install directory.


Enhanced support for horizontal read scale-out in local availability groups of an SQL Server cluster.

  • Templates for configuring read scale-out have been integrated into the application configuration files.

  • The different connection pools are now visible in the log.

36109, 36110, 36977, 37029

Enhanced performance for cleaning up the DBQueue Processor task buffer.


There is now no process delivery if there are custom database triggers that are disabled.


Columnstore indexes are excluded when a transport is created with the Database Transporter.


Permissions on the PersonPasswordHistory table are removed if they are not required.

36940, 419127

Enhanced performance filling the QBMSplittedLookup table.


The index weighting for the full-text search can now also be set for integer columns.


Triggers are no longer disabled while the DBQueue is being compressed. This stops the database from switching into maintenance mode and there is no disadvantage to the users.


For an HTML application, a database user can be specified who has an access level that meets the minimum required to use this HTML application.


Enhanced performance of viewing conditions for different application roles.


After a database migration, the data for the module definition of the customer module CCC is regenerated.


Superfluous role definitions for the History Database have been removed. An SDK script is provided for creating the minimum required permissions.


The Schema Extension allows custom columns to be deleted in the view tables.


A report can be exported in a given format with just one click if it is configured correspondingly.


The query and calculation settings for report parameters can be changed with the data dependencies script; the front-end adapts automatically.


Where clauses from the report definition of subscribable reports are now also marked as trusted.


The System Debugger has new command line parameters /Conn and /Auth that allow login credentials to be passed directly, making it possible to log in automatically.


The Quantum.MigratorCmd.exe program can now be used to create custom permissions groups (/Group parameter) and run SQL statements after database installation (/PostSQL parameter).


In the installation wizard, on the Module selection page, additional descriptions about each module are displayed when selected.


A new authorization method has been implemented for using the RemoteConnectPlugin in Docker containers.


Third-party components update.


Increased security generating reports.


Table 2: HTML web applications: Feature parity with the Web Designer Web Portal


Issue ID

In the Web Portal, it is now possible to save the current view of a page.

32356, 30242, 300743

In the Web Portal, you can now view statistics and KPIs, depending on the permissions of the logged-in user.

36789, 393878, 322309

In the Web Portal, the filter dialog has been revised and an option to create custom filters has been added.


In the Web Portal, you can now send request inquiries to other identities.


In the Web Portal, you can now display a state overview and a status comparison in the object history.


In the Web Portal, you can now manage WebAuthn security keys as long as the API Server is configured with RSTS.


In the Password Reset Portal, you can now manage password questions.


You can now sort tables in the Web Portal.


In the Web Portal, you can now manage resources, assignment resources, multi-request resources, and multi-requestable/unsubscribable resources.


In the Web Portal, it is now possible to create departments, application roles, business roles, cost centers, locations, and system roles.


Managers, IT Shop administrators, and Compliance and Security Officers can view requests from identities.


In the Web Portal, you can now display the system entitlement history.


In the Web Portal, you can now export tables.


In the Web Portal, you can now display, create, and edit tickets.

304631, 305721

In the Web Portal, you can now edit the main data of risk index functions.


In the Web Portal, you can now use function analysis to display identities with critical SAP functions that violate compliance rules. You can also use rule analysis to display compliance rules that include SAP functions and identify any identity that violates the compliance rules.


Rule violation management has been extended in the Web Portal:

  • More details are displayed about rule violations.

  • Mitigating controls that are assigned to a rule violation are displayed.

  • Rule violation detection can be started manually.


In the Web Portal, you can now filter by attestation cases in which a specific identity has made an approval decision.


Auditors can now view identities in the Web Portal.


In the Web Portal, Auditors can now view departments, application roles, business roles, cost centers, locations, and system roles.


In the Web Portal, you can now display company policies.


Compliance framework managers and auditors can now view compliance rules in the Web Portal.


The Web Portal now requires explicit re-authentication of the logged-in user to agree to the terms of use. The authentication procedure for this is configurable and can be disabled.


The Web Portal now supports browser notifications.


In the Web Portal, you can now view and respond to request inquiries.


In the Web Portal, you can now send inquiries about attestation cases to other identities.


In the Web Portal, you can now view and respond to inquiries about attestation cases.


In the Web Portal, those responsible for a software application can now edit the main data of the software application.


Auditors now see all requests in the Web Portal.


The Web Portal now displays list reports directly in the browser.


The Web Portal now displays devices, and you can edit their master data.

405829, 275567

In the Web Portal, a request can now be resubmitted from the request history.


The Web Portal displays information about the logged in user, their permissions groups, and program functions.


The Web Portal displays the source data of certain statistics.


In the Web Portal, you can now display policy violations associated with company policies.


In the Web Portal, managers can now create individual delegations and deputizations for identities for which they are responsible.


In the Web Portal, you can now see the mitigating controls assigned to company policies or policy violations. In the case of policy violations, you can also edit the mitigating control assignments.


In the Web Portal, you can now display a hyperview of the logged in identity in the profile settings.


In the Web Portal, you can now display hyperviews of objects involved in attestation cases and policy violations.


Table 3: HTML web applications


Issue ID

It is now possible to edit an existing API Server installation with the Web Installer.

33584, 314733, 313398

During installation of the API Server it is possible to set the password of the default system user IdentityRegistration. It is also possible to specify another system user, whose login can be used to create new identities.

36343, 407727

The API Server can write the session ID to log entries.

To do this, there must be the following entry in the <nlog> section of the nlog.config file:


<add assembly="QBM.CompositionApi.Server" />



Local customizing of an API Server configuration is now only allowed by default if the API Server was started from the command line on the ImxClient.

Local customizations are disabled on IIS-based installations. You can override this behavior by adding the following code snippet to the web.config file.


<add key="IsStandAlone" value="true" />



The API Server supports WebSocket API methods.


Enhancements to API clients for Angular developers:

  • Named interfaces are now used for the parameter types. These interfaces are exported so that they can be used in the application code.

  • The parameter properties are stored with their descriptions in the API client.


The API Server uses HTTP status code 403 if authentication fails.


The SCIM API's CSRF protection mechanism of the API Server is disabled by default.


API clients are now more stable if the network connection breaks.


The API Server runs a version check. Access by API clients of other versions causes an error.


Enhanced performance starting the API Server.


Compatibility of the API Server with reverse proxies has been improved. Reverse proxies can be configured in the Administration Portal.


The API Server uses less space for temporary files on an IIS installation.


Type-safe classes are now supported for editing custom API plugins.


The API Server now takes all languages into account that are listed in the Accept-Language header of an API query.


The .WithSingleEntityRead() extension method was implemented in the API Server. It can be used to load single entities via the API (identified by the primary key).


If the base URL of the API Server does not match a web application, a corresponding log entry is now generated.


Angular application debugging has been stabilized by implementing the deleteDestPath option.


API client methods now support canceling of API requests.


In the Administration Portal, naming of multiple configuration keys has been improved.


Recently added configuration keys can now be deleted in the Administration Portal.


The Administration Portal now displays the API documentation. You can also configure how the API documentation is displayed in the Administration Portal settings.


Enhanced performance of the API documentation.


Requests from the API documentation (Swagger) no longer fail due to the missing X-XSRF-TOKEN header, as it is now included in the requests.


The SameSite cookie setting can now be edited in the Administration Portal.


The domain of the cookies sent by the API Server can now be configured in the Administration Portal.


A default design for web applications can now be configured in the Administration Portal.


The web applications now support a high-contrast design.


In the Administration Portal, the VI_ITShop_CanCloneCartItemsByPerson and VI_ITShop_CanCloneCartItemsByProduct configuration parameters, which have no effect, have been removed.


Improved the Administration Portal display of the API Server status:

  • You can show the list of composition API caches.

  • You can empty the cache.

  • You can enable and disable cookie usage.

  • You can display charts on the start page that show the number of sessions in chronological order.


In the Administration Portal, you can now configure that users cannot change the language in their profile settings and that the browser language is used for the web application interfaces instead.

35813, 206640

In the Administration Portal, you can now configure the maximum size of an identity's profile picture.


The ConfigFileEditorCMD program now supports the /preventdbupdate true command line parameter. If this is set, the application token is not updated in the database. This parameter is primarily intended for use in containers.


The Web Portal uses a new mode for searching products on the product selection page to provide more complete search results and enhance performance.

32800, 423711

When approving a request or an attestation case, the approval step in which the approval is being decided is now displayed.

34861, 316872

You can now specify values for request parameters of products assigned to a product bundle. These values are then pre-set from the corresponding product bundle on requesting.

33637, 316846

The user now receives a warning before saving and before starting an attestation policy if the expected number of attestation cases exceeds a given threshold. The threshold can be configured.

34918, 305302

The Web Portal has a completely revised New Request page.

35573, 312077

Enhanced performance in the Web Portal for:

  • approving attestation cases

  • displaying my responsibilities

35861, 36814

New attestation conditions are provided to identify unused user accounts, which can be used for attestation of user accounts and memberships in system entitlements.


New attestation conditions are provided to identify unused PAM entitlements, which can be used, for example, as part of Behavior Driven Governance for One Identity Safeguard.

37005, 37006

In the Web Portal, using the keyboard has been improved.


IT Shop administrators can now edit product bundles in the Web Portal.


In the Web Portal, you can now create a new system role for an application without assigning entitlements to this system role at the same time.


Application entitlements of an application can now be filtered in the Web Portal.


Enhanced editing of service items:

  • In the Web Portal, you can see which application the application entitlement of a service item is assigned to.

  • If the service item properties cannot be edited due to an application entitlement assignment, a message is displayed.

  • IT Shop administrators can change the owner of a service item.


In the Web Portal, if SAP function compliance rules are violated, you can now display the SAP authorizations that lead to the rule violation.


In the Web Portal, you can now set certain properties for multiple products that you want to request at once (for example, validity and reasons).


As a report administrator, you can now specify who can access or subscribe to a report in the Web Portal.


You can now configure your own settings in the Web Portal:

  • Application design

  • Time zone

  • Using the profile language instead of the browser language

319031, 206656

Views in the Web Portal can now be configured on more pages:

  • Attestation runs

  • Rule violations

  • Identities overview in the Data Explorer

  • System entitlements overview in the Data Explorer


When requesting from a product bundle in the Web Portal, the request parameters stored with the product bundle are now included as well.


In the Web Portal, you can now zoom in and move around in hyperviews.


In the Web Portal, you can now perform an origin analysis when attesting an assignment.


In the Web Portal, you can now perform an origin analysis in the attestation history for an assignment attestation.


In the Web Portal, you can now click to display hyperviews such that all the information is shown.


If an attestation is approved or denied, an evaluation is carried out as to whether a reason must be provided.


Hyperviews in web applications now support displaying visual separators.


The Web Portal and the Password Reset Portal now support a layout that hides the header and the menu bar.


As the person responsible for an application, you can now edit the service category structure for the application in the Web Portal.

A service item with application entitlement can now only be assigned to a service category under the basic service category of the application.


A new menu item Responsibilities > My Responsibilities has been added in the Web Portal. You can now use this menu item to display all objects for which you are responsible.


In the Web Portal, resolving rule violations of compliance rules for SAP functions has been improved.


If role memberships of a logged-in user change, the user is notified in the Web Portal and must log in again.


In the Web Portal, if you click an object for further editing or a detailed view, the pane that opens now shows the name of the corresponding object as a subtitle.


If the MitigatingControlsPerViolation configuration parameter is set, the request approver can now add mitigating controls to the resulting rule violations of a request as long as the approver is also an exception approver for the violated rule.

In addition, the user can now see the request's mitigating controls in the request history.


If the MitigatingControlsPerViolation configuration parameter is set, you can now add mitigating controls to rule violations.


Attestation runs that were started via a policy collection are now marked accordingly in the Web Portal.


In the Web Portal, you can now cancel requests to which you have write permissions.

36058, 319102

Handling of pending attestation cases has been expanded to include the following:

  • Displaying terms of use for an attestation case if the terms of use have been assigned to the underlying attestation policy

  • Displaying policy violations of the attestation case base object

  • Attestation cases with policy violations are highlighted in the overview

  • Displaying mitigating controls for policy violations of an attestation case

  • Risk assessment of the attestation case basic object


In the Web Portal, you can now assign mitigating controls to a policy violation.


In the Web Portal, the display of selected objects has been standardized.


Resolving rule violations has been expanded to include the following:

  • The user can specify a reason that will be used to unsubscribe requests if at least one unsubscription is made.

  • Generated unsubscriptions are displayed in the request history in such a way that it is apparent who resolved the rule violation.

  • A default reason is automatically used for request cancellations, indicating that the cancellation was made to resolve a rule violation.


Hyperviews are now provided in the Web Portal for the following objects:

  • Identities

  • Departments

  • Application roles

  • Business roles

  • Cost centers

  • Locations

  • System roles

  • User accounts

  • Resources

  • Multi-request resources

  • Multi requestable/unsubscribable resources

  • Assignment resources

  • System entitlements

  • Compliance rules

  • Company policies


In the Web Portal, you can display the history of an object chronologically.


You can now use the Password Reset Portal to create a new user account.


In the Web Portal, you can now manage the ticket attachments (download, upload, edit, and delete) as well as edit the structure of the attachment folders.


In the Web Portal, you can now view your own attestation status.


How the recipient of a delegation is displayed in the request history has been improved.

36122, 388967

The following program functions have been introduced.

  • Portal_UI_ApplicationAdmin

  • Portal_UI_ApplicationOwner

  • Portal_UI_PAGStatistics

  • Portal_UI_PasswordHelpdesk

  • Portal_UI_PersonAdmin

  • Portal_UI_PersonManager

  • Portal_UI_PersonStatistics

  • Portal_UI_PolicyAdmin

  • Portal_UI_PolicyOwner

  • Portal_UI_PolicyStatistics

  • Portal_UI_QERPolicyAdmin

  • Portal_UI_QERPolicyStatistics

  • Portal_UI_ResourceAdmin

  • Portal_UI_RoleAdmin

  • Portal_UI_RoleStatistics

  • Portal_UI_RuleStatistics

  • Portal_UI_ShopAdmin

  • Portal_UI_ShopStatistics

  • Portal_UI_StructAdmin

  • Portal_UI_StructStatistics

  • Portal_UI_TSBStatistics

395043, 427871

You can now specify in a parameter definition (for reports or requests) that the selection of a parameter value is made from a flat list (instead of from a tree).


In the Operations Support Web Portal, the Availability check has been extended and revised.


In the Operations Support Web Portal, only objects that are directly assigned are marked as outstanding.


Displaying processes in the Operations Support Web Portal has been improved:

  • You can use the process ID to go directly to the operations that belong to the process ID.

  • You can see a summary status for each process.

  • You can see the list of objects affected by a process.

  • You can see the error message of a failed process step and copy it to the clipboard for further use.


In the Operations Support Web Portal, the stop and start behavior of the system has changed to stop queue processing without a delay if possible.


The Operations Support Web Portal is now only offered if a database connection with the Configuration user access level is used.


The Angular applications now use Angular 14.


The RSTS has been updated to version 2023-02-28.1.


  • Multiple instances of the service can be installed next to each other.

  • Integration of OneLogin MFA.

  • Support for LDAPS with SSL/TLS when connecting to Active Directory or an LDAP server.

  • New support for automatic monitoring and updating of metadata when configuring with a URL.

  • Starling 2FA removed.

The RSTS must be uninstalled/reinstalled for the update.


Table 4: Web Designer web applications


Issue ID

Third-party components JQuery UI and Angular.js updated.

315799, 417517

Enhanced performance in the Web Designer Web Portal when displaying the shopping cart.

33913, 430424

When rule violations are resolved in the Web Designer Web Portal, the reason and the person who unsubscribed are now given for unsubscribed entitlements.


Increased the Web Designer Web Portal's security.

36328, 430932, 415297

Increased security when generating reports.


Table 5: Target system connection


Issue ID

Support for using a connection certificate to log in to Azure Active Directory. This requires an X.509 certificate including private key. You can use a self-signed certificate.

A patch with the patch ID VPR#36596 is available for synchronization projects.


Service principals can now be assigned as owners of Azure Active Directory service principals.

A patch with the patch ID VPR#35769 is available for synchronization projects.


The list of permitted values of the preferred single sign-on mode for Azure Active Directory service principals has been extended.


It is now also possible to remove Exchange Online distribution lists if the synchronization user account is not given in the distribution list as a manager.


The Exchange Online connector now uses and requires the Exchange Online PowerShell module with version 3.2.0 or later.


The maximum configurable number of simultaneous connections has been increased to 999 in the Exchange Online connector.


The connector for Azure Active Directory and Microsoft Teams now uses version 5 of the Microsoft Graph .NET SDK (Graph Wrapper).


Enhanced performance when loading Microsoft Teams teams and channels as part of synchronization.


The Allow members to create private channels option is read in and synchronized for Microsoft Teams teams.


When a Microsoft Teams team is archived, all associated properties except for custom columns are now locked and can no longer be edited.


The connector for Microsoft Exchange 2013, Microsoft Exchange 2016, and Microsoft Exchange 2019 now supports access to the MessageCopyForSendOnBehalfEnabled and MessageCopyForSentAsEnabled properties. No mapping is provided by default.


Support for send-as permissions for Microsoft Exchange mail-enabled distribution groups.

A patch with the patch ID VPR#35776 is available for synchronization projects.


OneLogin roles can now be automatically added to the IT Shop. The behavior is regulated by the QER | ITShop | AutoPublish | OLGRole configuration parameter.


For OneLogin user accounts, it is only possible to specify whether the user account is locked.


If an exact change date for a OneLogin user account can be set, the current timestamp is used as the revision counter.


To support One Identity Safeguard Behavior Driven Governance, audit logs are synchronized.

A patch with the patch ID VPR#36315 is available for synchronization projects.

36315, 36920

Support for PAM access requests for remote desktop applications for assets.


Support for OneLogin as authentication provider for PAM user accounts. The reports and policies for using multi-factor authentication have been adapted accordingly.


Support for PAM access requests for API keys for accounts.


Cleanup of the synchronization configuration for SAP authorization objects.

A patch with the patch ID VPR#35904 is available for synchronization projects.


The object filter can filter SAP user accounts by the feature USTYP.


In the Unified Namespace, the mapping of object properties from SAP roles to system entitlements has been changed. SAPRole.RoleDescription is now mapped to UNSGroup.Description.

36498

A synchronization project for the synchronization of BI analysis authorizations can only be set up if the SAP Business Warehouse component is installed in the SAP R/3 system.

36514

When single roles are assigned to composite roles in the SAP R/3 system, only memberships marked as active are synchronized.


When establishing the system connection to a cloud application, the number of items per page can be configured for object list requests.

A patch with the patch ID VPR#36376 is available for synchronization projects.

Improved user navigation in the project wizard when setting up synchronization with a cloud application with OAuth authentication.

36905

If a cloud application blocks access to the target system because too many requests are made, the SCIM connector attempts to resend the requests after a specified delay. Definitions according to RFC 6585 are observed. The connector retries up to 30 times.

36339
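
The throttling behavior in the SCIM connector entry above, sketched as an added example (not One Identity's connector code): a client that resends only on the HTTP 429 status from RFC 6585, honors `Retry-After`, and stops after 30 retries. The `send` transport, `DEFAULT_DELAY` and `MAX_DELAY` are assumptions for illustration; the page does not state the connector's delay values.

```python
import email.utils
import time
from datetime import datetime, timezone

MAX_RETRIES = 30      # from the release note: up to 30 retries
DEFAULT_DELAY = 5.0   # assumption: wait used when the server sends no usable Retry-After
MAX_DELAY = 300.0     # assumption: upper bound so a faulty server cannot stall a sync run


def parse_retry_after(value, now=None):
    """Convert a Retry-After value (delta-seconds or HTTP-date) to seconds, else None."""
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())


def send_with_retry(send, request, sleep=time.sleep, now=None):
    """Call send(request) -> (status, headers, body); resend only on 429.

    Returns (status, body, waits), where waits lists the delays that were applied.
    Raises RuntimeError when the server still throttles after MAX_RETRIES resends.
    """
    waits = []
    for attempt in range(MAX_RETRIES + 1):      # first attempt plus 30 retries
        status, headers, body = send(request)
        if status != 429:                       # other errors are not retried here
            return status, body, waits
        if attempt == MAX_RETRIES:
            break
        # Header names are case-insensitive, so normalize before the lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        delay = parse_retry_after(lowered.get("retry-after"), now)
        if delay is None:
            delay = DEFAULT_DELAY
        delay = min(delay, MAX_DELAY)
        waits.append(delay)
        sleep(delay)
    raise RuntimeError(f"still throttled (429) after {MAX_RETRIES} retries")


if __name__ == "__main__":
    # Constructed responses from a fake SCIM endpoint; no network access is needed.
    scripted = iter([
        (429, {"Retry-After": "2"}, ""),
        (429, {}, ""),
        (200, {}, '{"totalResults": 0}'),
    ])
    print(send_with_retry(lambda req: next(scripted), "GET /Users", sleep=lambda s: None))
```

Capping the server-supplied delay keeps a misbehaving endpoint from holding a synchronization run open indefinitely.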

The SCIM connector allows customized lines in GET request headers.


When the SCIM connector is authenticated via OAuth, the configured client ID and client secret data is always transmitted in the header and body of the POST request.


The One Identity Manager connector provides a virtual schema property that can be used to map translations of single values.


When setting up synchronization with the CSV connector, the path to the CSV file can be specified as an absolute path or as a relative path to the CSV system file. This way CSV files from different locations can be used in one synchronization project.


The PowerShell connector definitions consistency check now checks whether at least one return command (ReturnBinding) has also been defined for a property that is readable according to the definition.


Advanced logging modes when running Windows PowerShell scripts with PowershellComponentNet4.


Support for new format of ClientSecret strings generated by One Identity Starling Connect.


Improved error handling for target system connectors that use the local cache when individual objects cannot be loaded due to corrupted data.


The value of quota variables can also be specified as a percentage.


Enhanced performance when creating display values for synchronization objects.


The target system browser provides the option to edit a previously defined filter for the result list.


The dialog for decrypting connection data in Synchronization Editor has been improved.


In the dialog for selecting the synchronization server, an existing Job server can now also be selected. This automatically assigns the server function matching this Job server.


In the Manager, if a method for handling pending objects cannot be run on the Target system adjustment form due to constraints, the respective icon is disabled. Details about the respective constraint can be displayed.


New consistency check for synchronization projects that warns about configuration errors in mappings of M:all tables (for example ESetHasEntitlement).


Creating, changing, and deleting user accounts in custom target systems (UNSAccountB) avoid unnecessary post-processing tasks.


New configuration parameter QER | Person | User | DeleteOptions | DeleteOutstanding which allows user accounts marked as pending to be deleted automatically.


In the Manager, the Define search criteria for identity assignment form for target systems now also displays the activation status of identities and user accounts. An option is provided to manually connect even locked user accounts to identities.


In the Manager, inactive identities can now also be assigned to user accounts on the user account main data forms of the target systems. The new configuration parameter QER | Person | HideDeactivatedIdentities specifies whether inactive identities are shown or hidden on the user account main data forms.

36703, 36734

References to the Active Directory edition have been removed from the installation wizard and guides.

Existing installations of this edition are not affected.


The Manager overview forms for user accounts now present information about the heritability of system entitlements more clearly.


Table 6: Identity and Access Governance


Issue ID

The terms of use can be provided as a PDF file in different languages.


The data about an attestation object of an attestation case is provided as a report or as a snapshot. Report and snapshot can be displayed in the Manager.


Various enhancements for determining attestors with the SO approval procedure.


If compliance rule violations are identified in the request approval process, exception approvers may assign mitigating controls when approving the rule violation.


Various columns in the ComplianceRule table have been additionally labeled as multi-language. Their contents can now be translated.


The Rule Editor for compliance rules has been reworked for future extensions. This modification removed the assembly value in the XML configuration. Rule conditions created with older One Identity Manager versions can still be loaded. Compliance rules created with One Identity Manager 9.2 do not work in older One Identity Manager versions.


Multifactor authentication can be requested for accepting terms of use.


IT Shop customizer error messages use custom display values and date formats and can be translated.


Email notifications will no longer be sent to permanently inactive identities.


Service item attestors see all the information about an attestation object on the service items overview form.


The overview form of an application role also displays the approval workflows in which the application role is determined to be the fallback approver.


Deputizations and delegations come to an end when the deputy is deactivated.


The display values of some values of the AttestationHistory.DecisionType column have been corrected so that the display value and the English translation of the display value are identical.


Previous display value

New display value









Revoke additional approver

If you retrieve translations of values in custom scripts, for example in email notifications, adjust these scripts accordingly. Use the new display value as a key for the translation.

Example of use in the pre-script to generating a process:

  • Previous: Connection.MultiLanguage.GetInLanguage("AttestationHistory", "DecisionType", "Abort", personLanguage).ToString()

  • New: Connection.MultiLanguage.GetInLanguage("AttestationHistory", "DecisionType", "Canceled", personLanguage).ToString()


The display values of some values of the PWODecisionHistory.DecisionType column have been corrected so that the display value and the English translation of the display value are identical.


Previous display value

New display value






Additional approver



Show in history






Change shelf



Stock request






Reset reservation



Revoke additional approver



Revoke delegation

If you retrieve translations of values in custom scripts, for example in email notifications, adjust these scripts accordingly. Use the new display value as a key for the translation.

Example of use in a script:

  • Previous: multiLanguage.Get("PWODecisionHistory", "DecisionType", "Grant")

  • New: multiLanguage.Get("PWODecisionHistory", "DecisionType", "Approval")
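
A check for the two key changes above, as an added example (not One Identity code): it scans custom script text for translation lookups on the `DecisionType` columns of `AttestationHistory` and `PWODecisionHistory`. Only the two renames shown in the examples on this page are mapped; the `scan` helper and the sample script lines are constructed for illustration.

```python
import re

# Renames stated explicitly in the release note examples. Other old/new pairs
# are not listed here, so literal keys outside this map are reported for review.
KNOWN_RENAMES = {
    ("AttestationHistory", "DecisionType", "Abort"): "Canceled",
    ("PWODecisionHistory", "DecisionType", "Grant"): "Approval",
}
AFFECTED = {(t, c) for (t, c, _old) in KNOWN_RENAMES}
ALREADY_NEW = {(t, c, new) for (t, c, _old), new in KNOWN_RENAMES.items()}

# Matches .Get("Table", "Column", <key> and .GetInLanguage("Table", "Column", <key>.
# VB.NET method names are case-insensitive, hence IGNORECASE.
CALL = re.compile(
    r'\.(?:GetInLanguage|Get)\s*\(\s*"(?P<table>[^"]+)"\s*,\s*"(?P<column>[^"]+)"\s*,\s*'
    r'(?P<key>"[^"]*"|[^,)]+)',
    re.IGNORECASE,
)


def scan(script_text):
    """Return (line, kind, key, suggestion) tuples for lookups that need attention."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if line.lstrip().startswith("'"):        # skip VB.NET comment lines
            continue
        for m in CALL.finditer(line):
            table, column, raw = m["table"], m["column"], m["key"].strip()
            if (table, column) not in AFFECTED:
                continue
            if not raw.startswith('"'):          # key comes from a variable
                findings.append((lineno, "dynamic", raw, None))
                continue
            key = raw[1:-1]
            if (table, column, key) in ALREADY_NEW:
                continue                         # already uses the new display value
            new = KNOWN_RENAMES.get((table, column, key))
            findings.append((lineno, "rename" if new else "review", key, new))
    return findings


# Constructed sample of a custom script; "SomeOtherKey" and "SomeTable" are placeholders.
SAMPLE = '''\
Dim a = Connection.MultiLanguage.GetInLanguage("AttestationHistory", "DecisionType", "Abort", personLanguage).ToString()
Dim b = multiLanguage.Get("PWODecisionHistory", "DecisionType", "Grant")
Dim c = multiLanguage.Get("PWODecisionHistory", "DecisionType", decisionValue)
Dim d = multiLanguage.Get("AttestationHistory", "DecisionType", "Canceled")
' Dim e = multiLanguage.Get("PWODecisionHistory", "DecisionType", "Grant")
Dim f = multiLanguage.Get("PWODecisionHistory", "DecisionType", "SomeOtherKey")
Dim g = multiLanguage.Get("SomeTable", "SomeColumn", "Grant")
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Entries reported as `dynamic` or `review` need a manual comparison against the display value tables in the release notes.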


The request overview form displays the request properties that are used (modern definition) and their parameters.


The Request History report for an identity now shows approved multi-request resources under the Approved multi-request resources tab.


Calculation of SAP functions optimized.


A reason can now be entered for the temporary deactivation of an identity. For this purpose, a LeaveofAbsenceReason (Reason for absence) column has been added to the Person table.


Enhanced performance calculating SAP functions.


Masked special characters can be used in the authorization definition of SAP functions.


Enhanced performance in attestation policy condition testing.


Improved how the Move products dialog is presented in the Manager.


The following scripts for formatting links in emails to directly approve requests or directly attest, or for displaying rule violations have been converted internally to use IEntity.

  • VI_BuildITShopLinks

  • VI_BuildAttestationLinks

  • VI_BuildComplianceLinks

If these scripts are used in customizations for any purpose other than mail templates, the calling parameter must be changed from Base to Entity.


The calculation of permitted approvers in the approval workflow has been optimized. Approval levels that have already been completed are no longer recalculated after each change.


The ApplicationStart_ApplicationGovernance program function is no longer needed and has been removed.


The OA and TO approval procedures have been extended to determine approvers for assignment requests.

The EN approval procedure has been extended to determine attestors for assignments of system entitlements to hierarchical roles.


If an email notification from the IT Shop cannot be sent due to a processing error, the sender of the email is informed and the original email is deleted from the outbox. A new mail template Approval - Error processing an approval mail is provided.

21300, 31884

When calculating the peer group factor, resources that can be requested more than once are also taken into account.

