지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 8.1.4 - Release Notes

Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 9: General known issues
Known Issue Issue ID

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

23521

Errors may occur if the Web Installer is started in several instances at the same time.

24198

Header text in reports saved as CSV are not given their correct names.

24657

In certain circumstances, objects can be in an inconsistent state after simulation in Manager. If an object is changed or saved during simulation and the simulation is finished, the object remains in the final simulated state. It may not be possible to save other modifications to this object instance.

Solution: Reload the object after completing simulation.

12753

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Schema extensions on a database view of type View (for example Department) with a foreign key relation to a base table column (for example BaseTree) or a database view of type View are not permitted. 27203

Error connecting through an application server or the API Server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.

27793

It is not possible to extend predefined dynamic foreign keys by references to redefined tables. If you define custom dynamic foreign keys, at least one of the parties involved - dynamic foreign key column or referenced table - must be a custom object.

29227

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key, is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

29535

The default setting of globallog.config assumes that write access exists for %localappdata%. If an EXE does not have sufficient permissions, the log can be written to a directory that does have the access rights by changing the variable logBaseDir in the globallog.config or by introducing a special log configuration in the *.exe.config or the Web.config file.

30048

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the server is done by Distributed Transaction. The error, in case a Save Transaction is carried out is: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

30972

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.

31322

The following error occurred installing the database under SQL Server 2019:

QBM_PDBQueueProcess_Main unlimited is only allowed as an agent job

Solution:

  • The cumulative update 2 for SQL Server 2019 is not supported.

For more information, see https://support.oneidentity.com/KB/315001.

32814

Table 10: Web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometime occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.

32364

It is not possible to use the Web Designer to place a link in the header of the Web Portal next to the company name/logo.

32830

In the Web Portal, it is possible to subscribe to a report without selecting a schedule.

Workaround:

  • Create an extension to the respective form that displays a text message under the menu explaining the problem.
  • Add a default schedule to the subscribable report.
  • In the Web Designer, change the Filter for subscribable reports configuration key (VI_Reporting_Subscription_FilterRPSSubscription) and set the schedule's Minimum character count value (UID_DialogSchedule) to 1.

32938

Table 11: Target system connection
Known Issue Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

23795

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses were stored up to now. 27042

Error in IBM Notes connector (Error getting revision of schema type ((Server))).

Probable cause: The IBM Notes environment was rebuilt or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the IBM Notes environment.

27126

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.

  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.

  • Modify the synchronization configuration as required.

27359

Synchronization projects for SAP R/3 that were imported by a transport into a One Identity Manager database, cannot be opened. The problem only occurs if an SAP R/3 synchronization project was not added in the target database before importing the transport package.

Solution: Create and save at least one SAP R/3 synchronization project before you import SAP R/3 synchronization projects into this database with the Database Transporter.

27687

Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to user account.

    - OR -

  • A company is assigned to the central system.

29253

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will not come into effect until later.

Cause: The function BAPI_EMPLOYEE_GETDATA is always executed with the current date. Therefore, changes are taken into account on a the exact day.

Solution: To synchronize personnel data in advance that will not come into effect later, use a schema extension and load the data from the table PA0001 directly.

29556

Error synchronizing an OpenDJ system, if a password begins with an open curly bracket.

Cause: The LDAP server interprets a generated password of the form {<abc>}<def> as a hash value. However, the LDAP server does not allow hashed passwords to be passed.

Solution: The LDAP server can be configured so that a hashed password of the form {<algorithm>}hash can be passed.

  • On the LDAP server: Allow already hashed passwords to be passed.

  • In the synchronization project: Only pass hashed passwords. Use the script properties for mapping schema properties that contain passwords. Create the password's hash value in the script.

29620

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.

31904

If date fields in an SAP R/3 environment contain values that are not in a valid date or time formats, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version 3.0.15.0 or later must be installed on the synchronization server.

IMPORTANT: The solution should only be used if there is no alternative because the workaround skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.

    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">

      <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.0.0.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />

      </sectionGroup>

    • A new section:

      <SAP.Middleware.Connector>

      <GeneralSettings anyDateTimeValueAllowed="true" />

      </SAP.Middleware.Connector>

32149

There are no error messages in the file that is generated in the PowershellComponentNet4 process component, in OutputFile parameter.

Cause:

No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.

Solution:

Messages in the script can be outputted using the *> operator to a file specified in the script.

Example:

Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force a stop on error in the script, you throw an Exception. This message then appears in the One Identity Manager Service's log file.

32945

The G Suite connector cannot successfully transfer Google applications user data to another G Suite user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advance settings for G Suite, save an application transfer XML. In this XML document, limit the list to the user data to be transferred. Only run the Google applications that have user data you still need. You can see an example XML when you edit the application transfer XML in the system connection wizard.

To limit the list of user data you want to transfer

  1. In the Synchronization Editor, open the synchronization project.
  2. Select Configuration > Target system.

  3. This starts the system connection wizard.
  4. On the system connection wizard's start page, enable Show advanced options.

  5. On the Advanced settings page, enter the XML document in the Application transfer XML field.

  6. Save the changes.

33104

If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.

Solution:

Avoid appending spaces in the target system.

33448

Table 12: Identity and Access Governance

Known Issue

Issue ID

Moving a shelf to another shop and the recalculation tasks associated with it can block the DBQueue.

Solution:

Parent IT Shop nodes of shelves and shops cannot be changed once they have been saved.

To move a product in a shelf to another shop

  • Select the task Move to another shelf.

    - OR -

  • Assign the product to a shelf in the new shop then remove the product assignment to the previous shelf.

Once you have moved all the products, you can delete the shelf.

31413

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

31997

Table 13: Third party contributions
Known Issue Issue ID

An error can occur during synchronization of SharePoint websites under SharePoint 2010. The method SPWeb.FirstUniqueRoleDefinitionWeb() triggers an ArgumentException. For more information, see https://support.microsoft.com/en-us/kb/2863929.

24626

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers on the grounds of security.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

29051

Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see https://github.com/mono/mono/issues/7455.

762534, 762548, 29607

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016: KB4462928

  • Windows Server 2012 R2: KB4462926, KB4462921

  • Windows Server 2008 R2: KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory groups during provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.

30575

In certain circumstances, the wrong language is used in the Stimulsoft controls in the Report Editor.

31155

In the Manager web application, following errors can occur under Windows Server 2008 R2:

System.Security.Cryptography.CryptographicException: Object was not found.

at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)

Workaround:

  1. In the Internet Information Services (IIS) Manager, select the application and then the Advanced Settings context menu item.

  2. On the Process Model panel, set the option Load User Profile to True.

For more information, see https://support.microsoft.com/en-us/help/4014602.

31995

When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.

31998

In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see https://support.microsoft.com/en-us/help/4295103.

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellCompomentNet4 process component through a user-defined Windows PowerShell call.

33026

Schema changes

The following provides an overview of schema changes in One Identity Manager from version 8.1.3 up to version 8.1.4.

Configuration Module
  • New column QBMDBQueueTaskPerf.CountChildTasks.

Exchange Online Module
  • Columns O3EDynDL.Notes, O3EMailContact.Notes, O3EMailUser.Notes, and O3EUnifiedGroup.Notes extended to nvarchar(1024).

Changes to system connectors

The following provides an overview of the modified synchronization templates and an overview of all patches supplied by One Identity Manager version 8.1.3 to version 8.1.4. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.

Modified synchronization templates

The following provides you with an overview of modified synchronization templates. Patches are made available for updating synchronization templates in existing synchronization projects. For more information, see Patches for synchronization projects.

Table 14: Overview of synchronization templates and patches

Module

Synchronization template

Type of modification

Azure Active Directory Module

Azure Active Directory synchronization

changed

Active Directory Module

Active Directory synchronization

none

Active Roles Module

Synchronize Active Directory domain via Active Roles

none

Cloud Systems Management Module

Universal Cloud Interface synchronization

none

Oracle E-Business Suite Module

Oracle E-Business Suite synchronization

changed

Oracle E-Business Suite CRM data

changed

Oracle E-Business Suite HR data

changed

Oracle E-Business Suite OIM data

changed

Microsoft Exchange Module

Microsoft Exchange 2010 synchronization (deprecated)

none

Microsoft Exchange 2013/2016 synchronization (deprecated)

none

Microsoft Exchange 2010 synchronization (v2)

none

Microsoft Exchange 2013/2016/2019 synchronization (v2)

none

G Suite Module

G Suite synchronization

none

LDAP Module

AD LDS synchronization

none

OpenDJ synchronization

none

IBM Notes Module

Lotus Domino synchronization

none

Exchange Online Module

Exchange Online synchronization (deprecated)

none

Exchange Online synchronization (v2)

none

Privileged Account Governance Module

One Identity Safeguard synchronization

none

SAP R/3 User Management Module

SAP R/3 Synchronization (Base Administration)

changed

SAP R/3 (CUA subsystem)

none

SAP R/3 Analysis Authorizations Add-on Module

SAP R/3 BW

none

SAP R/3 Compliance Add-on Module

SAP R/3 authorization objects

none

SAP R/3 Structural Profiles Add-on Module

SAP R/3 HCM authentication objects

none

SAP R/3 HCM employee objects

none

SharePoint Module

SharePoint synchronization

none

SharePoint Online Module

SharePoint Online synchronization

none

Universal Cloud Interface Module

SCIM Connect via One Identity Starling Connect

changed

SCIM synchronization

changed

Unix Based Target Systems Module

Unix Account Management

none

AIX Account Management

none

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택