Identity Manager 9.3 - Release Notes

One Identity Manager

Release Notes

Version 9.3

07 January 2025, 08:08

These release notes provide information about the One Identity Manager release version 9.3. You will find all the modifications since One Identity Manager version 9.2.1 listed here.

For the most recent documents and product information, see Online product documentation.

One Identity Manager 9.3 is a minor release with new functionality and enhanced behavior. See New features and Enhancements.

If you are updating a One Identity Manager version older than One Identity Manager 9.2.1, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide

About One Identity Manager

One Identity Manager simplifies the process of managing user identities, access permissions, and security policies. It gives control over identity management and access decisions to your organization, freeing up the IT team to focus on their core competence.

One Identity Manager enables you to meet Access Governance demands across platforms throughout your entire company. One Identity Manager is based on an automation-optimized architecture and, unlike other “traditional” solutions, addresses major identity and access management challenges in a fraction of the time, complexity, and expense.

One Identity Starling

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to One Identity Starling.

For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit https://www.cloud.oneidentity.com.

New features

New features in One Identity Manager 9.3:

General
  • One Identity Manager is now based on .NET 8.

    • Scripts and all custom extensions must be compatible with .NET 8.

    • NuGet packages are supported as dependencies in scripts.

    • The configuration settings for logging messages using NLog are now made in the nlog.config configuration file.

    • General configuration settings for the One Identity Manager tools can be specified in the appsettings.json configuration file.

    Due to significant updates, it is not possible to update Job servers and web applications using automatic software update. Therefore, update your Job servers and web applications manually. For more information, see Upgrade and installation instructions.

    Some functions are no longer supported. For more information, see Deprecated features.

    Custom scripts for synchronization projects that use custom DLL files must be adapted and recompiled. For more information, see Known issues.

  • Automated logging of object changes.

    After objects in One Identity Manager have changed, log messages are automatically generated in CEF (Common Event Format) for a defined subset of changes and sent to a specific syslog server. The types of changes to be logged can be defined in the new QBMCEFDefinitions table, along with message templates and up to five replacement parameters in ObjectWalker notation that relate to the changed object. The connection to the syslog server is configured using the new configuration parameters under QBM | CEF.

  • The Database Agent Service has been fundamentally revised. The entire process control is now carried out in the Database Agent Service .NET component. The old control procedure QBM_PWorkDBQueueMain, which ran on the database server, is no longer required.

    NOTE: The following tables are read-only views and are no longer to be used as a basis for customizations:

    • QBMDBQueueOverview_fix

    • QBMDBQueueOverview

    • QBMDBQueueSlot

    • QBMDBQueueSlot_fix

    • QBMDBQueueTaskPerf

    • QBMDBQueueTaskPerf_fix

  • Configuration of DBQueue Processor task processing has been reworked. New configuration parameters:

    • QBM | DBQueue | ChangeLimitDefault

    • QBM | DBQueue | MaxBulkFactor

    • QBM | DBQueue | MaxSlotsPerTask

    • QBM | DBQueue | OverloadLimit

    As a result of this change, configuration parameters have been removed. For more information, see Deprecated features.

  • Support of multiple result lists for one menu item.

    The Manager supports the display of more than one result list for a menu item. This makes it easy to switch between multiple result lists. You can specify which columns are displayed in a result list and change the order of the columns. Editing of lists in the Designer has been adapted. An editor is provided for modifying result lists.

    NOTE: Custom menu items are converted during migration. Check these entries after the migration and adjust them further if necessary.

  • The new process archive view in Job Queue Info displays completed processes including processes that have already been archived in a History Database. You can apply filters. This view is only shown if a History Database is configured in the TimeTrace.

  • If reports must be displayed in different languages, some characters may not be displayed correctly in all the languages. Use the Common | UI | ReportAlternateFontname configuration parameter to define a font that is available on all web servers and clients. Then this font is used to display the reports.

  • Email notifications can be sent with Microsoft 365. To do this, an application must be registered in Microsoft Entra ID and declared in One Identity Manager with the new Common | MailNotification | O365ClientId configuration parameter.

  • Additional data security settings for access via LDAP can be configured for email notifications. New configuration parameters are Common | MailNotification | Encrypt | AuthenticationType, Common | MailNotification | Encrypt | Port, and Common | MailNotification | Encrypt | UseSSL.

  • Table indexing can be configured for full-text search. The new Common | Indexing | PriorityTables configuration parameter determines the order in which the search index processes the database tables. The new Common | Indexing | ExcludeTables configuration parameter determines which tables are temporarily excluded from indexing.

  • Support for loading configuration options for secrets from Azure Key Vault.

  • The Manager web application supports logging in via OAuth.

  • When creating a transport package with SQL statements in the Database Transporter, single user mode can be enabled or disabled for transport.

  • To import transport packages that contain system files with older file versions, users now need the Common_FileRevisionDowngrade program function.

  • New parameter in the DBConsCheckCmd.exe command line program to list and run consistency checks grouped by category.

  • New parameter in the Quantum.MigratorCmd.exe command line program to force a complete check and repair of the default data during the schema update.

  • Installation of a History Database is now also possible without a memory-optimized file group.

  • Windows Server 2025 is supported.
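
The CEF messages described under "Automated logging of object changes" above reach the syslog server as escaped, pipe-delimited text. The following added example (not One Identity code) parses such lines on the receiving side, including escaped pipes and equals signs in values taken from changed objects; the vendor, product, event IDs, host name and extension keys in the sample lines are constructed, because the release notes do not show real output.

```python
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")

# An extension key starts the extension or follows whitespace and ends at '='.
# An escaped "\=" inside a value never matches: the backslash is not a key character.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")

# Constructed sample lines (syslog prefix + CEF); all names and values are made up.
SAMPLE_LINES = [
    r"<134>Jan  7 08:08:00 idm-job01 CEF:0|ExampleVendor|ExampleIdM|9.3|OBJ-CHG-001|"
    r"Group membership changed|5|suser=admin1 cs1Label=group cs1=Domain Admins "
    r"cs2Label=member cs2=CN\=J. Doe,OU\=Staff msg=added via request 4711",
    r"<134>Jan  7 08:09:12 idm-job01 CEF:0|ExampleVendor|ExampleIdM|9.3|OBJ-CHG-002|"
    r"Name with \| pipe|3|suser=svc cs1Label=displayName cs1=a\\b",
]


def _unescape(value):
    """Undo CEF escaping in an extension value (newline, '=', backslash)."""
    specials = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)), value)


def _split_header(body):
    """Return the seven header fields and the remaining extension text."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            current.append(body[i + 1])      # escaped backslash or pipe
            i += 2
        elif ch == "|":
            fields.append("".join(current))  # unescaped pipe ends the field
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) == len(HEADER_FIELDS) - 1:  # no '|' after severity, no extension
        fields.append("".join(current))
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, body[i:]


def parse_cef(line):
    """Parse one syslog line that carries a CEF message; None if it has none."""
    start = line.find("CEF:")
    if start < 0:
        return None
    fields, ext = _split_header(line[start + 4:])
    event = dict(zip(HEADER_FIELDS, fields))
    event["syslog_prefix"] = line[:start].strip()
    event["extensions"] = {}
    keys = list(_KEY.finditer(ext))
    for n, match in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event["extensions"][match.group(1)] = _unescape(ext[match.end():end].rstrip())
    return event


def labelled(event):
    """Pair csNLabel / csN custom strings into {label: value}."""
    ext = event["extensions"]
    return {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_cef(sample)
        print(parsed["event_class_id"], parsed["name"], labelled(parsed))
```

A naive `split("|")` on the second sample line would cut the event name at the escaped pipe, which is the case the header splitter handles.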

API configuration
  • The API Server now supports a generic API that accesses tables that have been released for access via the API Server.

  • The API Server now enables integration with Microsoft Application Insights. This allows monitoring and analysis of API Server performance. Integration can be carried out with a plugin.

  • You can now define your own error messages in API methods that are suited to your use case.

  • For the Web Portal, you can now specify whether each request for a system entitlement is checked to see if the recipient has a user account in the target system and, if necessary, whether to provide a user account for the request. This can be configured using the RequestMissingAccounts configuration key in the Administration Portal.

  • In the Administration Portal, it is now possible to use the AttestationConfig/FilterIdentityApproverInsteadOf and ServerConfig/ITShopConfig/FilterIdentityApproverInsteadOf configuration keys to specify the identities to which request or attestation approvals can be delegated.

  • In the Administration Portal, you can now use the EnablePasswordProfileLogin configuration key to configure logging in using password questions.

  • In the Administration Portal, it is now possible to use the ApiConnectionUrl configuration key to configure the URL of a specific API which clients can use to establish a connection.

  • Cross-Origin Resource Sharing (CORS) can now be configured in the Administration Portal using the CorsOrigins and CorsMaxPreflightAgeSeconds configuration keys.

  • In the Administration Portal, you can now configure different Web Portal functions using new configuration keys.

    • EnableWebauthnKeyManagement: Specifies whether users can manage their WebAuthn security keys.

    • EnableNewPerson: Specifies whether users can create identities.

    • ProductSelectionByPeerGroup: Specifies whether products are recommended when putting together a new request by analyzing the recipient's peer group.

    • EnableNewDepartment: Specifies whether users can create departments.

    • EnableNewLocality: Specifies whether users can create locations.

    • EnableNewProfitcenter: Specifies whether users can create cost centers.

    • EnableNewAeRole: Specifies whether users can create application roles for which they are responsible.

    • EnableNewOrg: Specifies whether users can create business roles.

    • EnableNewESet: Specifies whether users can create system roles.

    • EnableNewTeamRole: Specifies whether users can create team roles.

    • EnableNewDelegationSubstitute: Specifies whether users can delegate responsibilities in packages (global delegations).

    • EnableNewDelegationIndividual: Specifies whether users can delegate certain responsibilities separately (individual delegations).

HTML5 web development
  • Modified procedure for loading libraries in HTML applications. When compiling an HTML application, care must be taken to ensure that all required libraries are compiled beforehand. This applies regardless of the libraries in which code has been changed.

  • The Angular workspace integrates the Nx tool for easier dependency management and improved compilation speed.

  • In the Web Portal there is now an editor component for properties of type bitmask.

HTML5 web applications
  • In the Web Portal, you can now share a product with other users so that they can also request the product.

  • In the Web Portal it is now possible to display and manage application roles.

  • In the Web Portal, you can now assign the responsibilities of identities for which you are responsible to other identities.

  • An identity administrator can now delegate role memberships and responsibilities of all identities to other identities.

  • Some actions that you perform when using Web Portal (for example, approving or denying requests) are processed in the background as so-called background processes. This means you can continue using the Web Portal without interruption. You can now display and manage these background processes.

  • In the Operations Support Web Portal, notifications are now displayed on the start page if recommended threshold values from the system report are exceeded.

Target system connection
  • Azure Active Directory has been renamed to Microsoft Entra ID.

  • The synchronization of user-defined Microsoft Entra ID security attributes is supported.

    A patch with the patch ID ADO#446363 is available for synchronization projects.

  • The synchronization of Microsoft Entra ID user account sponsors is supported.

    A patch with the patch ID ADO#438166 is available for synchronization projects.

  • The synchronization of Microsoft Entra ID temporary access passes is supported in Microsoft Entra ID tenants. Use the configuration parameters under TargetSystem | AzureAD | Accounts | TemporaryAccessPass to configure settings for temporary access passes.

    A patch for synchronization projects with the patch ID ADO#446183 is provided.

    NOTE: This function requires UserAuthenticationMethod.ReadWrite.All permissions for the One Identity Manager application in Microsoft Entra ID.

  • Office 365 has been renamed Microsoft 365.

  • Send permissions are now also supported for Exchange Online room mailboxes.

  • The Exchange Online connector now uses the SkipLoadingCmdletHelp parameter in the Connect-ExchangeOnline call, if available. This reduces or eliminates possible orphaned directories in the temporary folder.

  • Creating and editing Microsoft 365 groups (O3EUnifiedGroup) via app-only authentication is supported. Subscribers cannot be edited.

    NOTE: This change requires additional permissions Group.Create, Group.ReadWrite.All, and GroupMember.ReadWrite.All for the application registered in Microsoft Entra ID.

  • Microsoft Teams channels and teams now have links to the corresponding SharePoint websites.

  • Loading of Microsoft Teams channels and teams has been switched to the /teams endpoint.

    NOTE: This change requires TeamSettings.ReadWrite.All permissions for the One Identity Manager application in Microsoft Entra ID.

  • Active Directory, which is supplied with Windows Server 2025, is supported to the same extent as before.

  • In order to move user accounts to a special Active Directory container when disabling them, a container for disabled user accounts (ADSAccount.UID_ADSContainerDisabled) can be given in the IT operating data.

  • After moving a mailbox from a local Microsoft Exchange to Exchange Online, the outstanding mailbox is now automatically deleted.

  • Oracle Database 23ai is supported.

  • One Identity Safeguard version 8.0 is supported to the previous extent.

  • The PowerShell modules for One Identity Safeguard versions 7.0 and 7.5 support .NET 8.

    NOTE: The PowerShell modules must be reinstalled. Copy the directory with the PowerShell module matching the version from the Modules\PAG\dvd\AddOn\safeguard-ps directory on the One Identity Manager installation medium to the %ProgramFiles%\WindowsPowerShell\Modules\safeguard-ps directory on the server.

  • Support for directories as members of PAM asset groups.

    A patch with the patch ID ADO#433775 is available for synchronization projects.

  • The SDK example and code snippets for retrieving synchronization passwords from One Identity Safeguard for Privileged Passwords have been updated and simplified. For more information, see under Modules\PAG\dvd\AddOn\SDK.

  • Support for SAP .Net Connector 3.1 for x64 with version 3.1.5 for Microsoft.NET 8.0.x.

  • The One Identity Manager Business Application Programming Interface is certified with the SAP S/4HANA Cloud Private Edition, release 2023.

  • For more information about the PowerShell connector with detailed instructions and a range of examples, see One Identity GitHub under PowerShell Connector Guide.

Identity and Access Governance
  • Use the new QER | Person | User | DeleteOptions | ReapplyTemplatesOnRestore configuration parameter to specify whether templates are reapplied when a user account marked for deletion that is managed by account definitions is restored.

  • The following subscribable reports have been added.

    • Orphaned user accounts

    • User accounts with above average permissions count

    • Identities with multiple user accounts per target system.

    • Unused user accounts

  • The new PX - Identity in any parameter of the request properties approval procedure enables manual selection of an approver for a request. To do this, a criterion for selecting identities can be stored in a request parameter that the requester uses to select an identity. The selected identity makes the final approval decision for the request. The approval procedure can be used when managers are looking for a deputy, for example. The selected identity becomes the deputy once the request is granted approval.

  • Modified definition and calculation of SAP functions. Function arguments can be used to define how the authorization objects are logically linked. The logical operation is saved as a condition for each SAP function.

    • The new TargetSystem | SAPR3 | SAPRights | AbilityNamePattern configuration parameter contains the naming convention for the function arguments.

    • The TargetSystem | SAPR3 | SAPRights | TestWithoutTCD configuration parameter is no longer required and will be deprecated in future One Identity Manager versions. In version 9.3, the configuration parameter setting can no longer be changed.

    • During the One Identity Manager database update to version 9.3, existing SAP functions are converted to the new procedure.

    • When importing function definitions from older versions of One Identity Manager, these are also converted to the new procedure.

    • There is a new task, Add via authorization object, in the permissions editor.

    • It is now possible to enter two different variations of the same authorization object in an authorization definition.

    • Any fields can be added manually in the permissions editor.

    IMPORTANT:

    • Before updating the One Identity Manager database to version 9.3, check the configuration parameter setting.

    • After updating the database and importing function definitions, check the authorization definitions and the conditions of the converted function definitions before enabling and using the SAP functions.

  • If membership is requested or canceled in a system entitlement, the provisioning status of the membership is saved and updated on the request.

  • Approval procedures for attestation cases can be divided into stages.

    1. (Optional) Staging

      The owners of the respective attestation policy can review the details of an attestation run. If errors are detected, the affected attestation cases can be canceled, the errors corrected, and attestation restarted.

    2. Attestation

      Attestation is run according to the defined approval workflow.

    3. (Optional) Challenge

      If an attestation is finally denied, the identities affected can challenge the decision. For example, this prevents entitlements that are needed at short notice from being withdrawn by a scheduled attestation and then having to be reassigned.

    4. (Optional) Automatically withdraw entitlements

      If an attestation is denied in the end, the denied entitlements can be removed immediately.

  • Microsoft 365 is now used for attestation by mail. Use the configuration parameters under QER | Attestation | MailApproval | Mail system to configure the information required for sending email notifications.

    Microsoft 365 is now used for request approvals by mail. Use the configuration parameters under QER | ITShop | MailApproval | Mail system to configure the information required for sending email notifications.

Enhancements

The following is a list of enhancements implemented in One Identity Manager 9.3.

Table 1: General

  • Improved documentation of the DatabaseAgentServiceCmd.exe command line program. (Issue ID: 427953)

  • Improved how the Configuration Wizard displays warnings and error messages when processing DBQueue Processor tasks. (Issue IDs: 430668, 36632)

  • Improved documentation for creating database users in the Designer. (Issue IDs: 430676, 36685)

  • New consistency check Duplicate Keys in ProxyTable. This determines whether there are multiple entries in a proxy table that have the same UID, even though the UID should be unique. (Issue IDs: 431167, 36911)

  • Improved the Template uses too long columns consistency check. (Issue IDs: 432559, 37161)

  • Improved how One Identity Manager tools display date and time in the system journal. (Issue ID: 436043)

  • The status page of the application server now shows the connected History Database databases. (Issue ID: 439822)

  • Improved behavior of the context menus in Job Queue Info. (Issue ID: 441115)

  • Improved behavior when encrypting connection data when restoring a database in the Configuration Wizard. (Issue ID: 441175)

  • The InstallManager.Cli.exe command line program can now also be run without administrative privileges. (Issue ID: 442673)

  • Improved security in Docker images. The port that releases containers has been changed to 8080 for Linux containers and Windows containers. The new app user without root permissions is used for Linux containers. (Issue ID: 443610)

  • The program settings of the Manager and the Designer have been reworked. (Issue ID: 453450)

  • The SQL Formatter usage test for UID columns consistency check now provides more precise information about the error location. (Issue ID: 453821)

  • Password Manager Secure Password Extension has been updated to version 5.14.2. (Issue ID: 454264)

  • Improved process handling to avoid locks in the database if there are a lot of changes being made in parallel. (Issue ID: 455268)

  • The name of the authenticated user is now entered in the system journal when login audit is enabled. (Issue ID: 456106)

  • Improved Designer-internal full-text search. (Issue ID: 456285)

  • Optimized transport of schema extensions using the Database Transporter. (Issue IDs: 456443, 456397)

  • Optimized initialization of the Designer's internal database. Define the behavior for loading columns in the Designer. (Issue ID: 456450)

  • The values of the Limit and Min. time difference [sec] properties for DBQueue Processor tasks can now be customized. (Issue ID: 459207)

  • Improved and more standardized display texts for process tracking. (Issue ID: 460026)

  • If the Common | ProcessState | PropertyLog | AllDefaultPropertiesForModel configuration parameter is set, the usage (XIsInEffect) and the origin of assignments are now also recorded when changes are made. (Issue ID: 460990)

  • When creating tables with the Schema Extension Wizard, the primary key indexes are now created with a row lock. (Issue ID: 461386)

  • Improved performance running deferred operations. (Issue ID: 462200)

  • The Schema Extension now allows you to remove custom schema extensions for m-to-n and m-to-all tables. (Issue ID: 462919)

  • Improved performance of the query filter dialog with large result sets. (Issue ID: 463059)

  • Improved performance processing DBQueue Processor tasks that have 1 as the value for the maximum number of instances. (Issue ID: 463394)

  • In the Database Compiler, messages for processing the database can be copied to the clipboard with Ctrl + C. (Issue ID: 467500)

  • Loading reports via an application server does not always take the permissions into account correctly. (Issue ID: 468072)

  • Improved performance evaluating the process archive in Job Queue Info. (Issue ID: 468290)

  • Only tables that exist in the dbo schema are included in automatic index creation. (Issue ID: 469029)

  • Missing HTTP response codes have been added in the One Identity Manager REST API Reference Guide. (Issue ID: 431330)

Table 2: API configuration

  • As the API Server is based on ASP.NET Core, dependencies on Owin have been removed. (Issue ID: 319906)

  • Some APIs have been moved for security reasons. (Issue ID: 405504)

    • The API endpoint imx/metadata has been removed. Instead, project-specific endpoints (portal/metadata and opsupport/metadata) must now be called.

    • The imx/systeminfo/thirdparty API endpoint has been removed. Instead, project-specific endpoints (portal/systeminfo/thirdparty, opsupport/systeminfo/thirdparty, and passwordreset/systeminfo/thirdparty) must now be called.

  • The API Server no longer stores the authentication token as a cookie in the browser. All session data is stored in the QBMSessionStore table. In addition, persistently stored authentication cookies are no longer supported. All cookies are now only generated as session cookies. (Issue ID: 409895)

  • Improved protection against automatic account blocking attacks. (Issue ID: 416537)

    If you use your own API project, you must include the ProjectLevelConfig class configuration.

        // Resolve the required services from the API builder.
        var captchaValidator = builder.Resolver.Resolve<ICaptchaValidator>();
        var services = builder.Resolver.Resolve<IServices>();
        var configService = builder.Resolver.Resolve<IConfigService>();

        // Create the project-level configuration and register it with both services.
        var projectLevelConfig = new ProjectLevelConfig(captchaValidator);
        services.Register(projectLevelConfig);
        configService.RegisterConfigurableObject(projectLevelConfig);

  • The application used for configuring Password Reset Portal authentication has been changed to PasswordReset. This allows a configuration of authentication modules that only applies to Password Reset Portal. (Issue ID: 420909)

  • In the Administration Portal, it is now possible to use the RecommendationExclude configuration key to specify which entitlements are not recommended for assignment to objects. (Issue ID: 421447)

  • In the Administration Portal, it is now possible to enable or disable logging in to Password Reset Portal with an access code using the EnablePasscodeLogin configuration key. (Issue ID: 421481)

  • It is now possible to define generic criteria for filtering data using API plugins. A corresponding API example has been provided for this purpose. (Issue ID: 440838)

  • It is now possible to add a custom shopping cart check to the Web Portal using a Composition API plugin. (Issue ID: 442121)

  • It is now possible to create API methods that support duplicate parameter values. (Issue ID: 453412)

  • Improved performance of the request history and certification history in the Web Portal. (Issue ID: 453959)

    This change means that the WorkflowSteps property in the API Server response is no longer set individually for each request/attestation case.

    The previous behavior of the API can be restored by setting the compatibility level with an API plugin as follows.

        public void Build(IApiBuilder builder)
        {
            // Restore the previous behavior of the API by setting the compatibility level.
            var settings = builder.Resolver.Resolve<IMethodSetSettings>();
            settings.CompatibilityLevel = ApiCompatibilityLevel.Api92;
        }

  • The API Server now uses the integrated System.Text.Json library instead of the Newtonsoft.Json library. (Issue ID: 456940)

    General overview:

    • Property names must now be entered in double quotation marks.

    • To increase security, special characters are now automatically masked in the JSON code generated by the API Server.

    The complete list of changes can be found at Migrate from Newtonsoft.Json to System.Text.Json.

    NOTE: To integrate these changes, you may need to update custom API code.

  • The Software Development Kit (SDK) with commented code examples for API development can now be found in One Identity GitHub under Identity Manager API plugin development. (Issue ID: 460908)

Table 3: HTML5 web development

  • The source code of the web applications was configured for automatic code formatting with ESLint. (Issue ID: 406450)

  • Elemental UI has been updated to Angular version 17/18. (Issue ID: 458500)

  • The default value of the content security policy for web applications has been changed to content-security-policy: object-src 'none'; img-src 'self' data:; default-src: self;. (Issue ID: 460429)

  • Angular has been updated to version 18.2.2. (Issue ID: 465211)
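
As an added example (not part of the release notes or of One Identity's code), the following script checks response headers captured from an upgraded web application against two entries above: the default content security policy (460429) and the session-cookie-only behavior (409895). As printed in the table, the policy has a colon after default-src and an unquoted self, which a browser does not read as default-src 'self', so the parser follows browser parsing rules and reports such directives; the sample cookie headers and cookie names are constructed.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Policy value exactly as printed in Table 3 (issue 460429).
DOCUMENTED_CSP = "object-src 'none'; img-src 'self' data:; default-src: self;"

KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
    "base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests",
}
# Keywords are only recognised inside single quotes.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic",
            "unsafe-hashes", "report-sample", "wasm-unsafe-eval"}

# Constructed Set-Cookie headers, not captured from a real server.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "remember=xyz; Path=/; Max-Age=2592000",
    "old=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]


def parse_csp(header_value):
    """Parse like a browser: split on ';', first token is the name, first duplicate wins."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header_value):
    """Return findings about directives a browser would ignore or misread."""
    findings = []
    policy = parse_csp(header_value)
    for name, sources in policy.items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive {name!r} is ignored by browsers")
            continue
        for src in sources:
            if src.lower() in KEYWORDS:
                findings.append(f"{name}: keyword {src} needs single quotes, "
                                "unquoted it is matched as a host name")
    if "default-src" not in policy:
        findings.append("no default-src in effect: unlisted fetch directives are unrestricted")
    return findings


def persistent_cookies(set_cookie_headers, now=None):
    """Names of cookies that outlive the browser session (future Max-Age or Expires)."""
    now = now or datetime.now(timezone.utc)
    names = []
    for header in set_cookie_headers:
        pair, *attr_parts = header.split(";")
        attrs = {}
        for part in attr_parts:
            key, _, val = part.strip().partition("=")
            attrs[key.lower()] = val.strip()
        max_age = attrs.get("max-age", "")
        if re.fullmatch(r"-?\d+", max_age):      # a valid Max-Age wins over Expires
            persistent = int(max_age) > 0          # 0 or negative deletes the cookie
        elif "expires" in attrs:
            try:
                when = parsedate_to_datetime(attrs["expires"])
                if when.tzinfo is None:
                    when = when.replace(tzinfo=timezone.utc)
                persistent = when > now            # a past date deletes the cookie
            except (TypeError, ValueError):
                persistent = False                 # unparsable date is ignored
        else:
            persistent = False                     # no lifetime attribute: session cookie
        if persistent:
            names.append(pair.split("=", 1)[0].strip())
    return names


if __name__ == "__main__":
    for finding in audit_csp(DOCUMENTED_CSP):
        print("CSP:", finding)
    print("persistent cookies:", persistent_cookies(SAMPLE_SET_COOKIE))
```

Run it against the header values your own server returns; an empty findings list and an empty cookie list match the behavior the two entries describe.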

Table 4: HTML5 web applications

  • Improved how API documentation is displayed in the Administration Portal. (Issue ID: 205843)

  • The Web Portal now displays error messages in a dialog instead of a banner. (Issue ID: 268292)

  • If the session expires in a web application, a corresponding message is now displayed and the login page is then loaded. (Issue ID: 272514)

  • The Web Portal now supports login with ReCAPTCHA. (Issue ID: 284359)

  • Improved attestation of system entitlement owners. (Issue ID: 290501)

  • A custom filter condition is now available in the Web Portal to search for products that provide access to a specific entitlement. (Issue IDs: 312490, 35892)

  • The Queue filter has been added to the Process History page in the Operations Support Web Portal. (Issue ID: 324018)

  • Filters have been added to several pages in the Web Portal (Issue ID: 324018):

    • Attestation History, My Attestations, Pending Attestations: Attestation policy (as default filter)

    • Attestation Policies, Compliance Rules, and Company Policies: Compliance framework (as custom filter)

  • When creating new Delayed Logic entities via the API Server, the HTTP status code 201 is now used to show success (used to be 200). (Issue ID: 406394)

  • In web applications, tables can now be sorted by clicking on the column title. (Issue ID: 407866)

  • In web applications, you can now simply jump to the first or last page in the tables. (Issue ID: 417331)

  • In the Web Portal, an option has been added for policy violations to display only policy violations of a specific object using a custom filter. (Issue ID: 426972)

  • The Web Portal now allows elements in hyperviews to be expanded and collapsed. (Issue ID: 427822)

  • Improved performance loading large amounts of data in the API Server. (Issue ID: 431094)

  • In the Web Portal, it is now possible to carry out actions for multiple requests and attestation cases. (Issue ID: 432018)

  • It is now possible to create an empty team role in the Web Portal. (Issue ID: 432021)

  • The request history in the Web Portal now supports a My delegations filter, which filters global and single delegations. (Issue ID: 432832)

  • In the Web Portal, the technical names for columns are now also displayed so that it is easier to distinguish between these columns if their display names are the same. (Issue ID: 433146)

  • Increased security generating reports. (Issue ID: 433758)

  • Improved data display in the Web Portal. (Issue ID: 435257)

  • The password questions and answers stored in the Web Portal must now be unique. (Issue ID: 435886)

  • The configured display names of the tables and columns are used in the exported SCIM schema and in error messages that refer to specific tables and columns. (Issue ID: 436088)

  • Improved how the Web Portal displays an object's history. (Issue ID: 437366)

  • The Web Portal now uses long display names for system entitlements. (Issue ID: 441186)

  • In the Web Portal, it is now possible to navigate further in hyperviews based on object properties. (Issue ID: 442024)

  • The Web Portal now shows an icon in the header bar that displays the number of products in the shopping cart and goes to the shopping cart. (Issue ID: 442136)

  • The Web Portal can now display overviews of objects involved in pending attestation cases as hyperviews. (Issue ID: 446465)

  • A message is now displayed in the Web Portal if requesting an entitlement for a role leads to a rule violation. (Issue ID: 449174)

  • Enhanced performance of the Web Portal home page. (Issue ID: 450077)

  • The DisableHyperViewNavigation configuration key has been renamed EnableHyperViewNavigation. (Issue ID: 453647)

  • In the Web Portal, improved performance when displaying user accounts in the Data Explorer. (Issue ID: 454162)

  • The Web Portal now correctly recognizes line-wraps as such and displays text correctly. (Issue ID: 454683)

  • The RSTS has been updated to version 2024-02-04.1. (Issue ID: 455387)

    Changes:

    • Only image files can still be configured on the RSTS login page.

    • Support for OAuth2 PKCE and DeviceCode Flow.

    The RSTS must be uninstalled and reinstalled for the update.

  • Improved installation of the API Server. (Issue ID: 456127)

  • When creating attestation policies in the Web Portal, a message is now displayed if you have defined a condition that refers to a sample but have not yet selected a sample. (Issue ID: 457254)

  • In the Web Portal, statistics for target systems and namespaces have been added and an option has been created to define KPIs in a hierarchical structure. In addition, the IHeatmapService and IKpiChartService interfaces have been removed. Only use the IChartService interface. (Issue ID: 457542)

  • Improved performance in the Web Portal for attestation case approval. (Issue ID: 458137)

  • Improved request process for Microsoft Entra ID role assignments and eligibilities. (Issue ID: 459668)

  • The Web Portal now also displays a relevant note when displaying attestation cases for properties that have not been set. (Issue ID: 460548)

  • The Web Installer normalizes the specified base URL and adds a trailing slash if this is not specified. The base URL of a web application must now be unique. (Issue IDs: 460949, 460947)

  • Improved usability of the web application login pages. (Issue ID: 464184)

  • The search index no longer processes updates of referenced objects. To process changes to referenced objects, start a complete indexing process. (Issue ID: 464396)

  • In the Administration Portal it is now possible to configure the HTTP headers that are added to all responses using the HTTP header configuration key. (Issue ID: 464628)

  • The Web Portal now marks ineffective assignments accordingly for memberships of system entitlements. (Issue ID: 464973)

  • Improved support of the API Server for queries with a large number of results from the search index. (Issue ID: 465551)

  • When unsuccessful login attempts are logged, the user name used is now abbreviated. (Issue ID: 466311)

  • Improved performance for displaying identity responsibilities in the Web Portal. (Issue ID: 466408)

  • In the Web Portal, finding optional service items now also takes into account request procedures for multiple identities. (Issue ID: 467368)

Table 5: Target system connection

Enhancement

Issue ID

Improved mapping of external user IDs for SAP user accounts.

A patch with the patch ID ADO#326713 is available for synchronization projects.

326713

Improved documentation of the synchronization configuration for Exchange Online mailbox permissions.

430716, 36919

Improved documentation of permissions for synchronizing with SharePoint Online.

430723, 37026

The Synchronization Editor now displays a message suggesting that the wizard is used to create new base objects if possible.

430727, 37053

The generic database connector for the generic ADO.NET provider now supports loading from database systems that do not support transactions.

430918, 36210

The schema exported by the Active Directory connector takes into account the system-only labeling of attributes in Active Directory and exports these as read-only schema properties.

A patch with the patch ID ADO#440672 is available for synchronization projects.

440672

Support for PAM file access requests for accounts in a PAM system.

A patch with the patch ID ADO#450685 is available for synchronization projects.

450685

The uniqueness of system entitlement distinguished names in custom target systems has been redefined.

452898

Improved performance when running UID comparisons in scripts, templates, and processes.

453649

The restriction on the permitted values for group claims of Microsoft Entra ID app registrations has been removed.

456597

Improved documentation of permissions for registering an application in Microsoft Entra ID.

457262

Most of the SCIM plugin error messages have been standardized for direct database connections and connections via an application server.

458772

The maximum lengths of the AADGroup.MailNickname and AADGroup.DisplayName columns have been limited according to the lengths in Microsoft Entra ID.

463821

Improved automatic creation of property mapping rules by the Synchronization Editor mapping wizard, which is based on comparing similar property names.

438936

The Synchronization Editor Command Line Interface offers additional options to compress the schema and activate the synchronization project after updating a synchronization project.

447064

Synchronization projects can now also be automatically created or updated via a remote connection. The configuration file has been extended to include definitions for establishing the remote connection.

430576

Improved performance when processing the Assign user accounts to SAP parameters DBQueue Processor task (SAP-K-UserHasParameter).

466206

Some Microsoft Entra ID schema types now support system filters.

439618

Corrected how parameters are passed to functions that are defined in an SAP schema extension file and are used to delete an SAP object.

464030

Optimized creation of the central SAP user account for identities. A unique name is now formed that takes into account all of the identity's SAP user accounts. Use the TargetSystem | SAPR3 | Accounts | CentralSAPAccountGlobalUnique configuration parameter to define how to format the central SAP user account.

441119

Table 6: Identity and Access Governance

Enhancement

Issue ID

Some statistics have been reworked.

421696

Improved performance when deleting entries from the Basetree table.

427842

Improved support for additional properties.

  • Additional properties and their property groups are now supported in multiple languages.

  • Additional properties are now visible to every logged-in user.

  • Additional properties can now be edited in the base data of the individual target systems. The permissions for target system administrators have been reworked.

452775, 452774, 430259, 24441

Improved peer group analysis. Resources that can be requested multiple times are also taken into account.

453951, 433858

The base object of the VI_Person_Deactive_ExitDate_Expired scheduled process has been changed to Identities.

464512

The reduced risk index for compliance rule copies, company guidelines, and SAP functions is not calculated and no longer displayed in the Manager. The risk index of compliance rules, company guidelines, and SAP functions is only reduced for productive versions by assigning mitigating controls.

469180, 468325

The AM - Manager of the linked identity approval procedure can now be selected for attesting user accounts in any target system.

459633

Improved performance when notifications are sent about request or attestation case approvals.

436383

During attestation, terms of use can now be sent as a PDF file. The terms of use can be stored in different languages and are displayed in the respective language of the user.

430379

Random samples can now also be generated as part of sample attestation.

430504

Attestors of service items now see the complete overview form of the respective service item.

430582

A detailed description can now be entered for approval procedures. The description of the default approval procedures contains information about which approvers or attestors are determined and for which requests or base objects of the attestation the approval procedure can be used.

455400

The Assignment to system role option in assignment resources is now described in the One Identity Manager IT Shop Administration Guide.

458623

Adaptive cards for approving requests or for attestations now also include approval recommendations if this function is configured.

460602

The name and email address of an adaptive cards recipient are updated in the Starling Cloud Assistant if the default email address or the internal name for this identity in One Identity Manager is changed.

456047

Improved performance when calculating risk indexes.

NOTE: Risk indexes are only calculated on a scheduled basis. Immediate recalculation when data changes no longer takes place.

438165, 444303
