One Identity Manager 9.0
Release Notes
08 August 2022, 16:18 
These release notes provide information about the One Identity Manager release, version 9.0. You will find all the modifications since One Identity Manager version 8.2.1 listed here.
One Identity Manager 9.0 is an LTS release with new features and improved behavior. See New features and Enhancements.
CAUTION: Before you update an existing One Identity Manager installation to version 9.0, note the following:
One Identity Manager 9.0 is a further development of version 8.2.1. All official releases of versions 8.2.1, 8.1.5, or earlier can be upgraded to version 9.0. Updating a newer version can lead to a downgrade.
Only selected patches, as defined by One Identity, are available for One Identity Manager 9.0. A hotfix that does not conform to this definition and has been provided for another version is therefore not available for the 9.0 release.
If you are updating a  version older than  8.2.1, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on  technology under One Identity Manager Support.
One Identity Manager documentation is available in both English and German. The following documents are only available in English:
- One Identity Manager Password Capture Agent Administration Guide
- One Identity Manager LDAP Connector for CA Top Secret Reference Guide
- One Identity Manager LDAP Connector for IBM RACF Reference Guide
- One Identity Manager LDAP Connector for IBM AS/400 Reference Guide
- One Identity Manager LDAP Connector for CA ACF2 Reference Guide
- One Identity Manager REST API Reference Guide
- One Identity Manager Web Runtime Documentation
- One Identity Manager Object Layer Documentation
- One Identity Manager Composition API Object Model Documentation
- One Identity Manager Secure Password Extension Administration Guide
For the most recent version of the product information, see the One Identity Manager documentation.
About One Identity Manager 9.0
One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives the company control over identity management and access decisions while the IT team can focus on its core competence.
With this product, you can:
- Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition
- Meet Access Governance demands across platforms throughout your entire organization with One Identity Manager
Each one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.
One Identity Starling 
Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make new products and features available in One Identity Starling. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.
 
    
New features in One Identity Manager 9.0: 
General
- Azure SQL Database is supported.
  NOTE: An Azure SQL Database must be available to install the schema. There is no support for creating a new Azure SQL Database with the Configuration Wizard.
- Internal DBQueue Processor tasks are processed by a service, the Database Agent Service. The Database Agent Service is deployed by a One Identity Manager Service plugin. The DatabaseAgentPlugin must be configured on the Job server that serves as the update server. An administrative user must be used for the database connection in the Job provider. Alternatively, the Database Agent Service can be run by the DatabaseAgentServiceCmd.exe command line program.
- The Configuration Wizard provides support for deleting a One Identity Manager database. Deleting a database also removes the database users, database roles, and server roles, as well as SQL Server logins.
- The Configuration Wizard provides you with support for enabling a restored database. The necessary database users, database roles, and server roles are created and the database is compiled.
- For security reasons, you cannot run any database queries directly from the user interface or from web applications. Specific SQL operators undergo a risk assessment that prevents them from being used by One Identity Manager components. This includes operators such as LIKE, NOT LIKE, <, <=, >, or >=. To continue using certain functions in One Identity Manager components, users require the Common_AllowRiskyWhereClauses program function. Users who do not have this program function can only run database queries that are classified as trusted or pose no risk. Some of the functions in One Identity Manager components, such as testing dynamic roles or running filter queries, are not possible without this function. For more information, see the One Identity Manager Authorization and Authentication Guide.
- The SessionHttpAuthentication plugin for the One Identity Manager Service supports logging in on the service's website with authentication modules. The users still require the JobServer_Status program function.
- Support for disabling WHERE clauses for the application server REST API.
- Various password columns have been extended.
- You can enter an additional description for password requirements that are checked in the test script for password policies. This is displayed in the password policy description in the Password Reset Portal.
- System users can be blocked from logging in directly to One Identity Manager tools.
- A new User account (manual input/role-based) authentication module is provided. The employee whose login data matches that of the current user is used for logging in.
- Authentication modules for the Password Reset Portal can use a list of columns from the same table to search for a user.
- In the Database Transporter, several transport packages can now be combined into one cumulative transport package.
- To re-enable process steps with the Frozen status in Job Queue Info, users need the JobQueue_Frozen program function.
- Search index optimization can be started manually on the application server.
- A connection timeout can be set in the One Identity Manager tools default connection dialog.
- New optional parameter in the DBCompilerCMD.exe command line program to compile only those parts of the system that have changed.
- New process function Execute SQL Single for the SQLComponent process component to run SQL statements in a single instance. The process function can be used when a special procedure call or a special data change is explicitly allowed to run just in one instance.
- A script for changing values can be stored with the parameters (DialogParameter.OnPropertyChangedScript), which dynamically determines whether a parameter is, for example, read-only or mandatory.
- Integration of events into typed wrapper classes.
- Support for NLog 5.0.
- Support for Microsoft .NET Framework version 4.8.
- The One Identity Manager History Database has been significantly simplified, both to reduce the effort required to set up and operate the database and to enable it to operate on Azure SQL Databases. The History Database represents only a simple data storage. The History Database does not include the One Identity Manager modules or system configuration data. There are no longer any active components. Declare the One Identity Manager History Database to be used for transferring data to the One Identity Manager in the TimeTrace.
  IMPORTANT:
  - It is recommended to install the History Database first!
  - Existing databases are still supported for querying archived data in TimeTrace and reports. These databases do not need to be migrated.
  - If you still want to migrate an existing History Database, ensure that all functions, procedures, tables, and views that are not in the following list are deleted by the History Database migration: HistoryChain, HistoryJob, ProcessChain, ProcessGroup, ProcessInfo, ProcessStep, ProcessSubstitute, RawJobHistory, RawProcess, RawProcessChain, RawProcessGroup, RawProcessStep, RawProcessSubstitute, RawWatchOperation, RawWatchProperty, SourceColumn, SourceDatabase, SourceTable, WatchOperation, WatchProperty. Save any custom extensions before migrating.
Web Portal (API Server)
- OneLogin is used for multi-factor authentication for request and attestation approvals. Prerequisites are:
  - Synchronization with a OneLogin domain is set up and the system has been initially synchronized.
  - The value of the ServerConfig/ITShopConfig/StepUpAuthenticationProvider configuration key is OneLogin MFA.
  - In the API server's configuration file (web.config), the following entry must be entered in the connection string:
    <add name="OneLogin" connectionString="Domain=<domain>;ClientId=<clientid>;ClientSecret=<clientSecret>" />
    The respective values are taken from the OneLogin configuration.
- The request recipient must agree to the terms of use if they also act as a request approver.
- The requester is prompted to agree to the terms of use for a service item.
- A requester can request optional service items in the Web Portal.
- In the Web Portal, the historical change data of a role can be displayed in the role's overview.
- Deleted roles can now be restored in the Web Portal.
- In the Web Portal, two roles can be combined into one role. This function is offered for departments, locations, cost centers, and business roles.
- In the Web Portal, it is possible to maintain request templates in the IT Shop and use them to create new requests.
- In the Web Portal, exception approvers can grant or deny approval to policy violations.
- Filters for columns and tables can be defined in the administration portal.
- Administrators and owners of applications in the Application Governance Module can have system entitlements that meet a certain condition automatically assigned to applications. Owners and administrators can be notified when their applications have been automatically assigned new system entitlements.
- In the Web Portal, approval decision recommendations can be made to attestors and approvers of requests. Recommendations to grant or deny attestation cases or requests are calculated on the basis of different criteria. The criteria are specified in the QER | Attestation | Recommendation and QER | ITShop | Recommendation configuration subparameters.
Target system connection
- Offline mode can be used to pause handling of target system-specific processes by the One Identity Manager Service if a target system cannot be reached temporarily. This prevents target system-specific processes from being frozen in the Job queue and having to be re-enabled manually later.
- Restrictions can be defined on any columns in the One Identity Manager schema when they are synchronized. For this reason, the Synchronization information column property is displayed in the Designer.
- Synchronization and provisioning processes are put on hold while synchronization projects are updated. The retry delay time is set in the Common | Jobservice | RedoDelayMinutes configuration parameter.
- Remote support for target system connections is implemented with .NET Core resources. A patch with the patch ID VPR#34646_SAP is available for synchronization projects.
- Support for OneLogin as target system. One Identity Manager focuses on setting up and editing user accounts and providing the permissions required for accessing applications and for authentication and authorization. One Identity Manager maps the OneLogin user accounts, roles, and applications. The OneLogin connector has the task of synchronizing with OneLogin. The OneLogin API controls access to OneLogin data. OneLogin Module installation supplies synchronization templates. For more information, see the One Identity Manager Administration Guide for Connecting to OneLogin.
- Azure Active Directory group assignments to administrator roles are mapped in One Identity Manager. A patch with the patch ID VPR#33400 is available for synchronization projects.
- Rules for memberships in dynamic Azure Active Directory groups are loaded into One Identity Manager. A patch with the patch ID VPR#34744 is available for synchronization projects.
- The email address of Azure Active Directory user accounts can now be edited in One Identity Manager and written to the target system. A patch with the patch ID VPR#35286 is available for synchronization projects.
- The Azure Active Directory user accounts' creation type is loaded into One Identity Manager. A patch with the patch ID VPR#35290 is available for synchronization projects.
- Support for Azure Active Directory administrative units. A patch with the patch ID VPR#35289 is available for synchronization projects.
- Support for B2C tenants. A patch with the patch ID VPR#35033 is available for synchronization projects.
- Support for classifying Exchange Online Office 365 groups. Patches for synchronization projects with patch ID 35303_AAD and VPR#35303_O3E are provided.
- TECH PREVIEW ONLY: The Exchange Online connector supports certificate based authentication. A patch with the patch ID VPR#34766 is available for synchronization projects.
  IMPORTANT: This function can be tested in test environments. Do not use the connector in a live environment.
- Support for moving Active Directory objects across domain borders. A patch with the patch ID VPR#33793 is available for synchronization projects.
- Support for Microsoft Exchange mail enabled distribution groups of type Room lists. A patch with the patch ID VPR#31374 is available for synchronization projects.
- Support for  7.5.2,  7.5.3, and  7.6.
- The Google Workspace connector supports synchronization of external email addresses. They can be assigned as members, owners, or managers to Google Workspace groups that allow external members. A patch with the patch ID VPR#34885 is available for synchronization projects.
- Support for Oracle E-Business Suite version 12.2.10.
- Support for One Identity Safeguard version 7.0. A patch with the patch ID VPR#35621 is available for synchronization projects.
- A new report with an overview of privileged staff access is available.
- Support for the SharePoint Server Subscription Edition.
- SAP parameters can also be inherited by SAP user accounts through system roles.
Identity and Access Governance
- Improved support for inheriting target system specific groups. It is now possible to specify for individual groups whether the manage level inheritance settings apply to the group or whether the manage level settings for the group are overwritten. For example, this can be used to specify that a group should never be removed from user accounts automatically.
- New approval policies are provided for requesting and attesting Azure Active Directory and Exchange Online system entitlements.
- The object key of the effectively assigned product is saved with the request procedure if, in the course of the approval process, the requested product is changed.
- For service items, service categories and approval steps, it can be specified whether a reason must be given or can be given optionally when requesting or making an approval decision.
- Requests can be given dynamic parameters whose values are set by the customer when they make the request. After approval, a system entitlement (UNSGroupB) is generated from these parameters and their values and assigned to the request recipient.
- More default objects provided for attesting employees. These attestations can be started together using a policy collection.
  - Identity itself
  - Primary or secondary departments
  - Memberships in business or system roles
  - Linked user accounts
  - Assigned system entitlements
- Approval policies can be configured to be selected when creating attestation policies in the Web Portal. Additional approval procedures:
  - CN - Challenge the decision
  - PW - Owner of the attestation policy
  - XM - Manager of the employee for all attestations
- Attestation policies to be run together can be combined into policy collections. A sample can be used to limit the set of objects to attest for all attestation policies in the collection.
- If no report is specified on the attestation procedure, snapshots are generated containing the necessary information about the objects to be attested. The content of these snapshots can be configured.
  NOTE: The snapshot is created by the ATT_GetAttestationObject script. This replaces the VI_GetAttestationObject script.
- The date of the next attestation can be given for applications (Application Governance Module). Several default attestation policies are provided that use this date.
The following is a list of enhancements implemented in One Identity Manager 9.0.
Table 1: General
| A minimum time until reactivation can be configured for DBQueue Processor tasks. | 32015 | 
| The application server supports session certificates created with the CNG API. | 32138 | 
| Improved performance when processing DBQueue Processor tasks. | 34049 | 
| Improved error messaging if an error occurs while signing emails. Improved documentation. | 35226 | 
| Changed values can be marked with an icon in the grid display. Use the display properties dialog to configure this. | 35247 | 
| Improved display of the One Identity Manager Service's status page. | 35285, 33313 | 
| Improved display of the application server status page. | 33314 | 
| Optimized performance when evaluating conditions. | 35407 | 
| The UnitOfWork attribute can now be used to access the currently opened Unit of Work in the scripts. | 35417 | 
| Improved labeling of where-clauses as trustworthy. | 35418 | 
| The Proxy view and Extensions to proxy view properties are now displayed on the More tab in the Schema Editor. | 35613 | 
| Support for authentication by LDAP using an SSL connection to the LDAP server. This is configured in the TargetSystem | LDAP | AuthenticationV2 configuration subparameters. | 34453 | 
| Improved performance for generating processes. | 35134, 35152 | 
| In the Designer, administrative system users can now be created in the Getting Started category. | 35263 | 
| Improved assignment of files to machine roles. | 33271 | 
| Improved behavior of the command line tools. Basic tests for parameter passing are performed. Version, error messages, and help texts are output. | 35427, 34825 | 
| Improved performance determining display permissions. | 35612 | 
| Improved performance when displaying processes in the Job Queue Info. | 35641 | 
| The QBM_ZDBQueueVoidTaskBulk procedure is now supplied in addition to the QBM_ZDBQueueVoidTask procedure. This now allows DBQueue Processor tasks marked for bulk processing to be disabled by entering the procedure in the QBMDBQueueTask.ProcedureName column. | 34864 | 
| A custom query timeout can be set on the DB session in VI.DB, which is then used for all queries. | 34917 | 
| The third-party component Microsoft.Graph has been updated. | 35025 | 
Table 2: General web applications
| In the Web Portal, the approver can see the details of the requested service items. If a role membership is requested, information about the role's permissions is displayed. | 297243 | 
| Service items are no longer sorted on output to improve performance in Web Portal. This concerns, among other things, the service catalog and the selection of requestable products. | 309523 | 
| The rule violations for a specific rule can now be viewed from an email link. | 253881 | 
| Improved reports generation through the API Server. | 291080 | 
| It should be possible to use the API configuration to set whether only requested entitlements and assignments are offered when requesting using a reference user or all assignments that the reference user has. In the default setting, only requested objects are shown. If exactly one request recipient is selected, this request recipient cannot be selected as a reference user. | 33551, 295703 | 
| Using the ImxClient command line utility now supports a software update. The ImxClient command start-update can be used to start a software update. | 310595 | 
| Secure connection detection now supports the use of HTTPS-to-HTTP reverse proxies. | 313545 | 
| The configuration of the cookie path for the anti-XSRF cookie can be customized. | 35620, 310602 | 
| For each entity-based API method, a restrictive filter condition can be specified in the configuration. | 311030 | 
| A MarkForDeletion() method has been added to the IEntity TypeScript interface. | 288697 | 
| The following ImxClient commands are changed: get-filestate, fetch-files, push-files. For these commands, /targets is now a mandatory parameter. | 310837 | 
| Angular has been updated to version 13. This may result in the need for manual corrections to customized HTML5 code. | 310627 | 
| The API Server checks the defined API routes for uniqueness at startup. A warning message is issued for non-unique routes. In the case of customized routes, warning messages may now be issued. | 279209 | 
| Improved performance when listing requestable service categories in the Web Portal. | 35577 | 
| The long display pattern (DialogTable.DisplayPatternLong) can optionally be used for displaying relationships hierarchically on forms. | 35482 | 
| The trusted source key, which can be used to specify that Where-clauses from the Web frontend are trusted, can now be specified as the ConnectionBehaviour/TrustedSourceKey option in the configuration file. | 35239 | 
Table 3: Target system connection
| Unused virtual schema properties have been removed from the site mapping in Active Directory synchronization projects. A patch with the patch ID VPR#35533 is available for synchronization projects. | 35533 | 
| A bug in the VPR#35343_EX0 patch has been corrected. A patch with the patch ID VPR#35506 is available for synchronization projects. | 35506 | 
| The LDAP connector ignores case sensitivity when comparing values in the ObjectClass and StructuralObjectClass schema properties. A patch with the patch ID VPR#32702 is available for synchronization projects. | 35702 | 
| In synchronization projects for Exchange Online and SharePoint Online, not more than one base object can be created. A patch with the patch ID VPR#30841 is available for synchronization projects. | 30841 | 
| Quota settings of Exchange Online mailboxes are now synchronized. A patch with the patch ID VPR#34568 is available for synchronization projects. | 34568 | 
| The mailbox permissions Full access and Send as from Exchange Online mailboxes are now synchronized. A patch with the patch ID VPR#34265 is available for synchronization projects. | 34265 | 
| Improved display of app registrations and enterprise applications for Azure Active Directory in the Manager. | 35212 | 
| Improved support of automatic employee assignment for guest users of Azure Active Directory user accounts. | 35584 | 
| Additional revision filters are used for synchronizing SAP HCM personnel planning data. A patch with the patch ID VPR#32154 is available for synchronization projects. | 32154 | 
| Improved performance in the SCIM connector. A patch with the patch ID VPR#34952 is available for synchronization projects. | 34952, 34953, 34954 | 
| The request timeout for querying the SCIM provider can be configured when setting up the system connection to a cloud application. A patch with the patch ID VPR#35571 is available for synchronization projects. | 35571 | 
| Code snippets can be used in script variables. Examples of commonly used script variables are provided in the Synchronization Editor. | 35011 | 
| Improvements to the synchronization engine. | 35196, 35480, 35617 | 
| Improved display of additional information about the connected target system in the Synchronization Editor. | 35242 | 
| The changed object is displayed in the header of provisioning logs. | 35493 | 
| Improved display of the system entitlement inheritance options on the main data form for user accounts. | 35524 | 
| Improved the One Identity Manager Business Application Programming Interface. | 35556 | 
| Improved display of outstanding objects from assignment tables in target system synchronization. | 34930 | 
| Improved display of assigned SAP groups, roles, profiles on the overview form for SAP user accounts. | 34780 | 
| Improved logging of delete operations on dynamic roles. | 35544 | 
| Improved performance during synchronization when a local cache is used. | 34955 | 
| The following note has been included in the documentation for connecting an SAP R/3 environment with BI analysis authorizations: NOTE: BI analysis permissions are not mapped in One Identity Manager if they are indirectly assigned to SAP user accounts in SAP R/3 using SAP roles or SAP profiles. With appropriately formulated SAP functions for the S_RS_AUTH authorization object, it is still possible to check in Identity Audit whether these BI analysis authorization assignments are permitted. | 35295 | 
| Improved display of inheritable groups and system entitlements on the overview forms for cloud user accounts and user accounts in custom target systems. | 35508 | 
| The AS/400 LDAP connector has been renamed to IBM i LDAP connector. | 35275 | 
| LIKE queries can no longer be run in the /VIAENET/READTABLE function module. | 35741 | 
Table 4: Identity and Access Governance
| On the employee overview form, the client of the associated SAP user accounts is also displayed. | 34929 | 
| Improved presentation of attestation case main data in the Manager. | 35576 | 
| Service items can be configured as hidden in the service catalog even though they can still be requested. | 35031 | 
| Completed deputizations can be deleted from the database or archived. | 35096 | 
| The expiry time for adaptive maps has been increased to 24 hours. The value of the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter is now 86400 by default. | 35727 | 
| Completed deputizations are deleted by the DBQueue Processor once the retention period is exceeded. | 35096 | 
The following is a list of solved problems in this version.
Table 5: General
| Defining procedures is sporadically broken off at different stages. Error message: Error 2021: The referenced entity 'xxx' was modified when the DDL was run. Please retry the operation. | 33544 | 
| Error running the QBM_PJobUpdateState_Bulk procedure: There is insufficient system memory. | 34590 | 
| Newly issued certificates may not be accepted. | 34900 | 
| In certain circumstances, mutually exclusive processes are delivered during process handling. | 34973 | 
| Schedules are not sorted correctly in the Designer. | 35522 | 
| Changes to the One Identity Manager Service configuration by the  are not always transferred to the database. | 35538 | 
| Display error in Manager on the Permissions tab in the object properties. | 35558 | 
| Restore login for expired sessions in the application server does not work. | 35594 | 
| Error connecting multiple Designer instances through an application server. | 35668 | 
| In Manager, method definitions are displayed although the visibility permission was removed by a script. | 35507 | 
| Authentication at the token endpoint using the client_secret_post method must include the client ID. | 35691 | 
| Process steps of the DelayComponent process component with the Delay process task fail with SQL syntax errors. | 35744 | 
| Application server installation fails if authentication through a system user is not allowed. | 34875 | 
Table 6: General web applications
| Errors occur if there are a lot of products in the Web Portal's shopping cart for which parameters must be specified. | 34417 | 
| In the Web Portal, the reason stored is incorrect if products are automatically canceled due to denied attestation. | 34528 | 
| When installing the Manager web application, WebView2 is installed unnecessarily. | 35662 | 
| In the Web Designer preview, an error occurs when opening a service category during the request process. | 35404 | 
| OAuth login to API Server fails because the State parameter cannot be decrypted. | 35611 | 
| The display names of request items are not localized. | 34865 | 
| If no matching time zone can be determined, an error message appears in the Web Designer Web Portal: Sequence contains no matching element. | 35191 | 
| Pressing Enter in a date field in the Web Designer Web Portal navigates to the home page. | 35559 | 
| Password questions in the Web Portal are still displayed under Profile, although the associated parameter has the value false. | 35647 | 
| In the Web Portal, the product description text is not displayed in a tooltip, only the technical name. | 35659 | 
| In node editing in the Web Designer, some properties do not show the data, only scroll bars. | 35586 | 
| In the Password Reset Portal, after an incorrect login attempt, the authentication modules for login are displayed twice. | 35546 | 
| The search in the Administration Portal may not return any results. | 307328 | 
| When a new database session is logged in within the same API Server session, the previously used user is not logged out. | 306163 | 
| The search index does not update the object keywords. | 303391 | 
| The search index does not find strings containing a hyphen or a backslash in every case. | 35634 | 
| When displaying attestation cases in the Web Portal, the headings of the Grouping and Property columns are not displayed correctly. | 35171 | 
| Clicking on the customized company logo in the Web Portal does not open the home page. | 35658 | 
Table 7: Target system connection
| The DPR_NeedExecuteWorkflow script and the current DPR_VWorkflowHandlesProperty view do not respect the mapping direction of the mapped schema properties. | 34982 | 
| A conversion error occurs when synchronizing a  domain. A patch with the patch ID VPR#35122 is available for synchronization projects. | 35122 | 
| When synchronizing cloud applications with the Universal Cloud Interface connector, the UserInGroup* and UserHasGroup* tables are ignored. A patch with the patch ID VPR#35451 is available for synchronization projects. | 35451 | 
| Error opening an AdminP task in the Synchronization Editor's object browser, if no database file is specified. A patch with the patch ID VPR#35500 is available for synchronization projects. | 35500 | 
| When updating synchronization projects for Domino, the MailFileAccessType variable is not created correctly. A patch with the patch ID VPR#35745 is available for synchronization projects. | 35745 | 
| Customizers prevent objects from being saved if the XOrigin column has the value 0. | 34854 | 
| Incorrect conversion of values in custom extensions. | 35060 | 
| The display name of Azure Active Directory user accounts for guest users is not transferred to the target system. | 35598 | 
| Merge mode for the AADApplicationOwner and AADServicePrincipalOwner tables is not enabled. | 35183 | 
| Azure Active Directory synchronization stops unexpectedly if an owner of a service principal is themselves a service principal. A patch with the patch ID VPR#35768 is available for synchronization projects. | 35768 | 
| Microsoft Teams Teams and Microsoft Teams channels are not assigned to a scope. A patch with the patch ID VPR#35410 is available for synchronization projects. | 35410 | 
| Failure to create Microsoft Teams channels. | 35428 | 
| Group memberships of Active Directory groups marked for deletion are not removed. | 35293 | 
| Rogue correction of Active Directory group memberships does not work. | 35492 | 
| Read processes for Active Directory do not use the OverrideVariables parameter. | 35555 | 
| Automatic employee assignment may create an unnecessary remote mailbox. | 35146 | 
| The PAG_PAGAccessOrder_CheckExistingAccessRequest process fails. | 35593 | 
| Error creating a Unix user account if the last name of the connected person contains a colon (:). | 26374 | 
| Reloading objects in bulk mode fails if an item cannot be loaded. | 34420 | 
| Conversion error synchronizing an Active Directory domain using One Identity Active Roles. | 35122 | 
| If at least three processing methods are defined in a synchronization step, the order of the processing methods is swapped when the synchronization project is saved. | 35499 | 
| The documentation for setting up a system connection with an Oracle Database is not up to date. | 35505 | 
| When setting up the system connection with a SalesForce application, no schema types are detected. | 35679 | 
| Error encrypting a database when DPRSystemConnection.ConnectionParameter is marked as encrypted. | 35695 | 
| Single object synchronization no longer works for Azure Active Directory user accounts. | 35728 | 
| The update migration of a very large database is unexpectedly stopped after 12 hours in the step SAP 2019.0004.0017.0000 (31561). | 35464 | 
| When requests are generated to assign SAP roles directly to SAP user accounts, the direct assignments are deleted and recreated with a different validity period. | 35648 | 
| Error applying the patch VPR#34563. | 35696 | 
| The assigned system entitlements 1, 2, and 3 are not displayed on the cloud application overview form. | 35512 | 
| Automatically created user accounts in custom target systems or user accounts (UNSAccountB table) or cloud user accounts (CMSUser table) do not inherit groups. For more information, see the knowledge article https://support.oneidentity.com/kb/339327. | 35214 | 
Table 8: Identity and Access Governance
| The permissions of the vi_4_ITSHOPADMIN_OWNER group for the AADGroup table are incorrect. | 35519 | 
| Translations of an application's name are not applied to the service category. | 35041 | 
| The DBQueue Processor tasks QER-K-ShoppingRackPWOHelperPWO-Del and ATT-K-AttestationHelper-Del may cause blockages. | 35157 | 
| Error transporting a resource that can be requested multiple times. | 35470 | 
| Lack of dependencies between DBQueue Processor tasks for allocating company resources to employees. | 35294 | 
| Performance issues determining attestation objects (DBQueue Processor task ATT-K-HelperAttestationPolicy). | 34201 | 
| Performance issues with recalculation of attestors. | 35455 | 
| If an approval level with multiple approval steps is rejected due to a timeout, the subsequent approval level (if rejected) is not always carried out. | 35473, 35474 | 
| Although an attestation case has Hold status, attestors who are redetermined for this approval step in the meantime still receive an attestation email notification. Quite rightly, the Manager and Web Portal do not display anything for these attestors to attest. | 35583 | 
| Compliance checking of requests in the shopping cart and in the approval process does not detect a rule violation if it is caused by different identities of an employee. Only the cyclical compliance check detects the rule violation. | 35170 | 
| Performance problems calculating groups of employees affected by compliance rules. | 35261 | 
| During automatic withdrawal of entitlements after an attestation is denied, requests with the renewal and cancellation statuses are not taken into account. | 34725 | 
| Immediate cancellation of a request is not possible if this request has already been previously canceled with a validity date. | 35431 | 
| If the DBQueue Processor task QER-K-ShoppingRackPWOHelperPWO is processed in multiple slots, this task may keep getting deferred. This stops other tasks from being handled. | 35466 | 
| When sending email notifications in request approval procedures, incorrect mail templates are used. | 35496 | 
| The mail template IT Shop request - renewal specifies under Requested by the initial requester of the request, instead of the employee requesting the renewal. | 35529 | 
| Requests for products with a specified validity period can be extended indefinitely. | 35651 | 
See also: