Identity Manager 9.0 LTS - Release Notes

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

Errors may occur if the Web Installer is started in several instances at the same time.

Headers in reports saved as CSV do not contain corresponding names.

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

Error connecting through an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key, is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the server is done by Distributed Transaction. If a Save Transaction is run in the process, an error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.

The error message This access control list is not in canonical form and therefore cannot be modified sometime occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.

It is not possible to use the Web Designer to place a link in the header of the Web Portal next to the company name/logo.

In the Web Portal, it is possible to subscribe to a report without selecting a schedule.

Workaround:

• Create an extension to the respective form that displays a text message under the menu explaining the problem.
• Add a default schedule to the subscribable report.
• In the Web Designer, change the Filter for subscribable reports configuration key (VI_Reporting_Subscription_FilterRPSSubscription) and set the schedule's Minimum character count value (UID_DialogSchedule) to 1.

If the application is supplemented with custom DLL files, an incorrect version of the Newtonsoft.Json.dll file might be loaded. This can cause the following error when running the application:

There are two possible solutions to the problem:

• The custom DLLs are compiled against the same version of the Newtonsoft.Json.dll to resolve the version conflict.

• Define a rerouting of the assembly in the corresponding configuration file (for example, web.config).

  Example:

  <assemblyBinding >
  <dependentAssembly>
  <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30AD4FE6B2A6AEED" culture="neutral"/>
  <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0"/>
  </dependentAssembly>
  </assemblyBinding>

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the HR_ENTRY_DATE building block remotely in your SAP HCM system. Create a mapping for the EntryDate schema property in the Synchronization Editor.

Error in Domino connector (Error getting revision of schema type ((Server))).

Probable cause: The HCL Domino environment was rebuilt or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the HCL Domino environment.

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

• Add a custom column to the table SAPUser.
• Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
• Modify the synchronization configuration as required.

Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

• A company, which exists in the central system, is assigned to user account.

  - OR -

• A company is assigned to the central system.

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will not come into effect until later.

Cause: The function BAPI_EMPLOYEE_GETDATA is always run with the current date. Therefore, changes are taken into account on a the exact day.

Solution: To synchronize personnel data in advance that will not come into effect later, use a schema extension and load the data from the table PA0001 directly.

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

• Correct the error in the target system.

  - OR -

• Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.

If date fields in an SAP R/3 environment contain values that are not in a valid date or time formats, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version 3.0.15.0 or later must be installed on the synchronization server.

To disable type conversion

• In the StdioProcessor.exe.config file, add the following settings.

  • In the existing <configSections>:

    <sectionGroup name="SAP.Middleware.Connector">

    <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.0.0.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />

    </sectionGroup>

  • In the new section:

    <SAP.Middleware.Connector>

    <GeneralSettings anyDateTimeValueAllowed="true" />

    </SAP.Middleware.Connector>

There are no error messages in the file that is generated in the PowershellComponentNet4 process component, in OutputFile parameter.

Cause:

No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.

Solution:

Messages in the script can be outputted using the *> operator to a file specified in the script.

Example:

Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force a stop on error in the script, you throw an Exception. This message then appears in the One Identity Manager Service's log file.

The Google Workspace connector cannot successfully transfer Google applications user data to another Google Workspace user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advance settings for Google Workspace, save a user data transfer XML. In this XML document, limit the list to the user data to be transferred. Only run the Google applications that have user data you still need. For more information and an example XML, see One Identity Manager Administration Guide for Connecting to Google Workspace.

In the schema type definition of a schema extension file for the SAP R/3 schema, if a DisplayPattern is defined that has another name in the SAP R/3 schema as in the One Identity Manager schema, performance issue may occur.

Solution: Leave the DisplayPattern empty in the schema type definition. Then the object's distinguished name is used automatically.

If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.

Solution:

Avoid appending spaces in the target system.

The process of provisioning object changes starts before the synchronization project has been updated.

Solution:

Reactivate the process for provisioning object changes after the DPR_Migrate_Shell process has been processed.

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers on the grounds of security.

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see https://github.com/mono/mono/issues/7455.

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

• Windows Server 2016: KB4462928

• Windows Server 2012 R2: KB4462926, KB4462921

• Windows Server 2008 R2: KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory groups during provisioning and will be removed in future once One Identity Manager has resolved the problem.Microsoft

In certain circumstances, the wrong language is used in the Stimulsoft controls in the Report Editor.

When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.