Chat now with support
Chat with Support

Identity Manager 8.1.5 - Release Notes

Release Notes

One Identity Manager 8.1.5

Release Notes

28 February 2022, 15:18

These release notes provide information about the One Identity Manager release, version 8.1.5. You will find all the modifications since One Identity Manager version 8.1.4 listed here.

One Identity Manager 8.1.5 is a patch release with new functionality and improved behavior. See New features and Enhancements.

If you are updating a One Identity Manager version prior to One Identity Manager 8.1.4, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide

For the most recent documents and product information, see the One Identity Manager documentation.

Topics:

About One Identity Manager 8.1.5

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives control over identity management and access decisions to your organization, freeing up the IT team to focus on their core competence.

With this product, you can:

  • Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition

  • Realize Access Governance demands cross-platform within your entire concern with One Identity Manager

Each one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

Starling Cloud Join

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. Giving your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to our Starling Cloud platform. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.

New features

New features in One Identity Manager 8.1.5:

Basic functionality

  • The system information overview shows whether a database is encrypted.

  • In the Database Compiler and in the program's status bar, a warning is shown if there are invalid script assemblies. The database needs to be compiled.

  • To access the REST API on the application server, the user required the Enables access to the REST API on the application server (AppServer_API).

    IMPORTANT: Ensure that the users that the ReST API communicates with, obtain this program function.

  • The search index on the application server supports indexing of diacritical characters.

  • To prevent maintenance tasks from obstructing daytime relevant post-processing in the DBQueue, a new QBM_PDBQueueProcess_Mnt on <database> database schedule has been implemented for processing the maintenance tasks. The maintenance tasks pass your tasks on to the database schedule instead of running them themselves. This means that nothing changes in the scheduling of maintenance tasks. The database schedule does not have an active schedule, but is started through the QBM_PWatchDog on <database> database schedule.

  • The effectiveness of the assignments (XIsInEffect column) is recorded in the history. Analysis of the effectiveness of the assignments in reports depends on the new Common | ProcessState | PropertyLog | ShowEffectiveAssignmentsOnly configuration parameter. If the configuration parameter is set, only the assignments in effect are shown in reports (default). If the configuration parameter is not set, all assignment are shown irrespective of their effectiveness.

    NOTE: Assignment data that was recorded in an earlier One Identity Manager version is still shown irrespective of its current effectiveness.

Target system connection

  • Support for One Identity Active Roles version 7.4.4.

  • The Exchange Online connector uses the Exchange Online PowerShell V2 module.

See also:

Enhancements

The following is a list of enhancements implemented in One Identity Manager 8.1.5.

Table 1: General

Enhancement

Issue ID

Improved protection against damaging SQL statements.

33586, 33587

The Launchpad Configure > Add system users entry has been renamed to Configure > Manage system users.

33896

Columns of assignment tables (M:N tables, M:all tables) cannot be included in the full-text search (DialogColumn.IndexWeight).

NOTE: To clean up existing installations, there is the Column in m:n or m:all - table with IndexWeight > 0 consistency check that finds columns from assignment tables, which are weighted for the full-text index.

33976

In the Schema Extension, validity of the foreign key definition is checked when a read-only database view is added.

33320

Optimized performance importing schema extensions with the Database Transporter.

33797

In the Object Browser, when you switch to another object of the same type, the focus remains on the selected property. This makes it easier to compare object properties when you switch between them.

33843

Improved performance of various SQL functions.

33396

New mandatory field definitions for the DialogState.Ident_DialogState, DialogState.NationalStateName, DialogCountry.CountryName, DialogCountry.NationalCountryName columns. The groups of columns that must be unique (QBMUniqueGroup) have been adjusted.

34173

New optional parameter -dc (--deleteconfig) in the InstallManager.CLI.exe command line tool to remove configuration data and log files when uninstalling One Identity Manager.

33673

Table 2: General web applications

Enhancement

Issue ID

Logging in to the Web Portal with an OAuth provider is now possible without calling up oauth/{appId}/{authentifier} URL beforehand.

33553

Identity credentials (id_token_hint) are now passed during OAuth provider login.

33495

Improved Web Portal performance.

33328

It is now possible for a web application to communicate with an API Server other than the one that the web application comes from.

33841

The withPermissions parameter of the Web Designer dbcount() function is now marked as depreciated.

34222

Improved speed of displaying the shopping cart.

33913

Increased the Web Portal's security.

33611

Updated the Microsoft.Owin library to version 4.1.1.

33809

Table 3: Target system connection

Enhancement

Issue ID

This functionality, of access permissions automatically being created for clients when SAP roles or profiles are assigned to user accounts, was removed when ID 28147 was implemented in version 8.1.0.

Now you are able to configure whether missing access to an SAP client is automatically allowed (entry in the SAPUserInSAPMandant table). To do this, the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter has been introduced.

If the configuration parameter is set, missing user account-client assignments are created after a role or a profile is passed down from this client. For direct assignments of roles and profiles, access to the client must be guaranteed beforehand as it was previously.

CAUTION: By automating the inheritance process, user accounts might obtain access permissions for clients without the knowledge of the target system managers.

By default, the configuration parameter is not set.

 33624

The SAPUser.Guiflag column's display name has been changed to Login by SAP GUI allowed (insecure communication).

34251

SCIM filter expressions are passed down with each subset query during cursor-based paging.

33601

The SCIM connector now supports Bearer authentication for logging in to the target system.

A patch with the patch ID VPR#33729 is available for synchronization projects

 33729

Attribute check with schema during modification calls has been removed from the RACF connector.

33596

The native database connector now supports columns with the DateTimeOffset data type.

34214

The synchronization engine now differentiates between NULL and empty values when comparing.

33981

The Starling Cloud configuration wizard now supports the EU region in the One Identity Starling Cloud login. Users are automatically connected to the Starling Cloud system that suits them the best.

33748

Table 4: Identity and Access Governance

Enhancement

Issue ID

Improved performance calculating dynamic roles.

33675

Improved performance checking compliance rules.

33675

Improved performance in the queries that determine the approvers of default application procedures.

33997

See also:

Resolved issues

The following is a list of solved problems in this version.

Table 5: General
Resolved issue Issue ID

Checking certificates of process steps with the SendMail and the SendRichMail process tasks fails if the revocation list distribution points defined in the certificate cannot be reached.

The behavior has been changed as follows:

If the revocation server is unreachable, the error will not occur. If the revocation server can be reached and the certificate is invalid, an error occurs.

33519

If the One Identity Manager database and the History Database are on different servers, an error may occur in certain circumstances.

OLE DB provider... for linked server ... returned message "The object is in a zombie state. An object may enter a zombie state when either ITransaction::Commit or ITransaction::Abort is called, or when a storage object was created and not yet released.".

(0 rows affected) Msg 1206, Level 18, State 118, Procedure HDB_PGetRawFromSource_Intern, Line 581 [Batch Start Line 0] The Microsoft Distributed Transaction Coordinator (MS DTC) has cancelled the distributed transaction.

33541

In certain circumstances, when the Database Transporter is importing a transport package, the SQL session appears to get blocked. The messages are not updated soon enough in the Database Transporter. Therefore it looks like the transport package has not been processed.

33427

During bulk import of transport packages with the DBTransporterCMD.exe command line program, disabled triggers get left behind in the system.

33646, 33747, 34356

In the Schema Extension, not all 23 characters can be used for a table name (according to the documentation).

33552

In the Schema Extension, if a foreign key is created in the BaseTree table that points to a view (for example, Locality), the relation in the QBMRelation table is created incorrectly. As a result, the QBMRelation invalid Child Execute by (RI) consistency check fails.

33689

The following error sometimes occurs when running various processes:

[810143] Database error 10054: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - An existing connection was forcibly closed by the remote host.)

33680

If a custom foreign key column is removed by the QBM_PColumnCustomRemove procedure, the generated RI triggers stay the same. These triggers still contain references to the columns that no longer exist.

33691

Missing permissions for custom schema extensions at database level after transporting more custom schema extensions. This issue occurs if the permissions have been granted manually.

33716

DBQueue Processor QBM-K-CommonReIndexTable tasks that reindex large tables do not disappear from the DBQueue.

Reindexing of tables does not take place anymore if they are larger than 1 GB or have more than 1 million data records. Maintenance of these tables must be carried out by the database administrator within the maintenance period.

33733

DBQueue processing seems to halt, no more tasks are processed. In SQL Server reports, messages about blocking issues that the QBM_PDBQueueProcess_Main process session is involved in, are logged.

34132

The data in the DialogTimezone, DialogCountry, and DialogState tables is not up-to-date.

32980, 33181

The display values in templates are not resolved if the templates are calculated by a process step using the ExecuteTemplates process function.

Running the template in an interactive session works correctly.

33769

Error calculating the initial, next activation time of the schedules. If a start date is defined for a new schedule, it is run for the first time not on this date but on the next scheduled date after this start date.

33836

SOAP Web Service methods that save do not work. If a method requires an object to be saved, this does not happen and the method does not have any effect, as in PersonWantsOrg.MakeDecision.

33915

If a CSV report is generated by a data stream that does not supply any data, the header is not written in the file. This creates an empty file.

Solution: A new parameter, CsvBandFilter, for the ReportComponent process component's Export function, allows a header to be inserted even when the report does not have any data.

33971

Using the SwitchToModuleGuid function results in missing generic indexes.

34058

If the Only use for role-based authentication option for a permissions group (DialogGroup.IsRoleBasedOnly) changes, the administrative users' members are not recalculated in this group.

Solution: This option is always set for role-based permissions groups.

34098

When you edit change labels in the Designer and add several objects to one change label at the same time, the sort order is not correct. The object that you selected last, is inserted as the second object in the change label. For example, in the case of configuration parameters it might mean that during transport, the paths in the target database are not generated correctly.

33905

Error importing transport packages with extensions of database views and permissions respectively. If additional columns are created in a view definition's extension (QBMViewAddOn) and then permissions for them are granted and these changes are transported together, this error occurs during import:

[810143] Database error 50000: Cannot insert object in DialogColumnGroupRight because the associated object in DialogColumn does not exist. Rule QBM_RFRL27.

33849

The FileComponent process component cannot set permissions on files and shares with a path length of more than 260 characters.

33512

If data query about the history of several objects uses an XObjectKey column from a parent query as criteria, it results in an empty set of results.

33539

Error reinitializing the One Identity Manager Service if there are orphaned process steps in the Job queue.

33558

Error when the One Identity Manager database was set up for replication. In this case, table are created by the SQL Server that do not conform to the One Identity Manager naming convention.

This causes the error:

DBQueue task "QBM-K-SetRowLockOnly" fails with:

(execute slot single)50000 0 re-throw in Procedure QBM_ZSetRowLockOnly, Line 11

8152 0 detected in (SRV=..., DB=...) Procedure QBM_ZSetRowLockOnly, Line 3

8152 0 String or binary data would be truncated.

Furthermore, some consistency checks also fail.

33573

When modules are removed, references in dynamic foreign keys are not removed.

33638

Changing the password in the Launchpad causes errors when applications are started afterward.

33897

Performance issues inserting a large number of objects if the table has a combination of columns that have to be unique. These issues particularly occur during initial synchronization.

34050

The control for editing process plan parameters in the Designer truncates the values.

34113

Loading Job queue processes is sometimes blocked by queries on tables that are locked by a transaction.

34136

In the Manager, the Go to assigned object context menu is enabled in drop-down menus in modal dialogs.

33340

In the Manager, the names of employees or organizations that begin with diacritical characters (such as Å, Ø or Æ) are not sorted in the A-Z or Miscellaneous filters.

33604

Very long process parameters are truncated and the process steps are not processed.

34236

When importing transport packages with system configuration, the necessary recalculation tasks are not created, which, for example, recreate the previously deleted FK constraints.

34252

When updating the database, the countries and capital Bhutan are not generated in national notation.

14013

In certain circumstances, no objects are imported from transport packages with change labels.

34331

Display error in the Database Transporter when exporting synchronization projects.

34379

Uninstalling One Identity Manager does not clear the entries in the registry.

33673

Table 6: General web applications

Resolved issue

Issue ID

The TSBAERoleForGroup view has bad performance. This leads to long delays when loading overview forms in the Web Portal.

32855

In the Web Portal, an error occurs if you open a date filter in a table, select a date and then cancel the whole process again.

33547

In the Web Designer, an object-dependent reference can no longer be edited after it has been saved, only deleted.

33982

In the Web Designer, an incorrect value is calculated in columns of Int data type in the O3EMailbox table when an action is performed.

34006

In Web Designer, the SQL query no longer uses a select count (*) to determine the total number of entries. This can lead to performance problems.

Solution: The Count function has been implemented again.

34072

In the Web Portal, a change to a support call under Recently selected by a staff member results in an error.

34131

In reports, the user who added an assignment is not always displayed.

34093

After adding a help archive in the Web Designer, the zip files are not found.

34199

If you open the list for selecting recipients at the beginning of a request process in the Web Portal, there is a loss in performance.

33693

When submitting a request in the Web Portal, an error message appears.

33705

In the VI_Edit_Special_Person_TemporaryDeactivated Web Designer component, the IsTemporaryDeactivated parameter cannot be set to readonly.

33800

In certain circumstances, long loading times occur in the Web Portal.

33845

When calling attestation functions in the Web Portal, there is a loss of performance.

34062

When creating a new report subscription in the Web Portal, it is not possible to close the dialog box with the Escape key.

33731, 33576

The swagger user interface is not accessible and the Failed to load API definition. error message appears.

33269

The API Server does not supply all JSON files in the HTML archives.

33282

In the Web Portal, the Additional Columns function is not displayed, although in Web Designer the corresponding columns of the collection have been marked as IsAdditionalColumn=true. 33625

When grouping delegations by the Assignment Type column in the Web Portal, the result list shows an incorrect number of delegations.

33791

The code generator creates an incorrect TypedClient.ts file that causes errors during compilation.

33881

In certain circumstances, date formats for attestations are not displayed in the user-defined format in Web Portal.

34094

Compilation of the api-server-web-ui web application quits unexpectedly.

34183

Certain special characters in the database password cause issues when installing the Web Portal.

34294

In certain circumstances, the Web Portal does not display the correct attestation policy of an attestation case in the pending attestation view.

33561

Searching in the Web Portal in a large number of pending attestation cases (more than 1000) does not find all potential results.

33565

In certain circumstances, pending attestation cases are incorrectly displayed in the Web Portal.

33567

Attestation processes continue to be offered to persons for decision in the Web Portal, although their decision is no longer required.

33568

When editing or creating a report subscription in the Web Portal, if the list of selectable, additional subscribers also shows deactivated employees, an error occurs when saving the report subscription.

33580

If you create a new report subscription in the Web Portal, select additional subscribers and then create a new report subscription, the additional subscribers are preselected.

33635

In certain circumstances, in the Web Portal, the View Settings menu cannot be hidden using the Web Designer.

33659

When sending an inquiry about an attestation case to an user in the Web Portal, the respondent is incorrectly shown as authorized for approval.

33684

An employee incorrectly receives a message in the Web Portal when requesting a resource that they have already requested because the resource has already been directly assigned to the employee's subidentity.

33826

It is possible to edit business roles in the Web Portal that you do not manage.

33956

In certain circumstances, attestation cases are assigned to an incorrect attestation policy in the Web Portal.

34070

Too many identical SQL statements slow down the Web Portal.

34073

In the Web Portal, when filtering a large number of requests on the Renew or Unsubscribe page, not all potential requests are displayed.

34103

If the VI_Common_SqlSearch_PrefixLike configuration key is set, not all potential objects are found when searching in the Web Portal.

32680

In the Manager web application, the Create assignment resource task is provided for application roles and business roles

33526

Logging in to the Manager web application fails if TLS 1.2 is enabled and SSL 3.0 is disabled on the Internet Information Services.

Note: By default, use of SSL is not set. SSL usage can now be optionally set. To do this, you must add the following entry in the Manager web application's configuration file (Web.config) in the section application.

<application>

<add key="AllowSSL" value="True" />

</application>

33670

When installing the Manager web application for the application pool, if a user is used whose password includes &, the Encrypt web.config step fails with the error: An error occurred while parsing EntityName. Line 74, position 39.

33831

Performance issues when viewing pending attestation cases in the Web Portal.

33662

If you want to use the Check all services function in the service availability check in the Operations Support Web Portal, an error occurs.

34204

If the values for additional request properties (AccProductParameter) are adjusted in the Web Portal by the approver during the approval process, these changes are not applied to the requests.

34092

Table 7: Target system connection

Resolved issue

Issue ID

An error occurs when connectors that use the local SQLite cache to load an object list and the virtual schema properties from the synchronization configuration with a property type of Key resolution are used. The value is a schema property is not correctly determined and the synchronization unexpectedly quits with am error.

Error: The object <obj> does not have a value for key property <prop>.

33532

Performance issues in the target system browser when reloading objects from tables with more than one primary key and no object key.

33607

Incorrect logging of script variables in the synchronization log if a variable set other than the default one is used in the synchronization project.

33627

When a synchronization project is imported with the DBTransporterCmd.exe program, the shadow copy is not deleted. This means that after importing the synchronization project is opened in its old state.

33751

Error importing a synchronization project with the Database Transporter if the synchronization project already exists in the target database and several connected objects are deleted by the import.

33835

If an empty value cannot be resolved for a schema property of Key resolution type, a warning is logged or synchronization stops, depending on the configuration.

33877

Scripts for custom processing methods do not handle schema properties with values taken from the connected system. For example, if a custom processing method is run instead of the Insert method, the schema properties remain empty.

In custom processing method scripts, a third, optional parameter can now be given that passes the object value from the connected system.

33979

The value in the XOrigin column cannot be changed by synchronization.

33996

When publishing outstanding memberships in groups (UNSAccountBInUNSGroupB), the HandleOutstanding event is not triggered.

34023

Error during synchronization when properties needed for resolving object references are missing from the objects in the synchronization buffer.

34071

When native database columns are read or written with the native database connector, the date is converted to UTC.

33661

The native database connector does not take the reference scope into account if it is defined as a system filter only.

34257

Error connecting the SharePoint Online connector with the target system if legacy authentication with user name and password is disabled on the SharePoint server.

Error: [System.NotSupportedException] Cannot contact web site '<site>' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'.

TheSharePoint Online connector now supports authentication through an Azure Active Directory application with a self-signed certificate.

A patch with the patch ID VPR#33432 is available for synchronization projects.

33432

Long runtimes for provisioning SharePoint Online user accounts, groups, roles, and permission levels.

33582

SharePoint Online connector performance issues. Error: "... has not been initialized."

33548

In the value list of the O3SRole.RoleTypeKind column, the values Reviewer, RestrictedReader, and RestrictedGuest are missing.

34074

In certain circumstances, Unix user accounts with special characters in their passwords are not added correctly. Only a fraction arrives in the target system. Provisioning ends with the error:

[Sugi.Common.Exceptions.SugiParserException] Received unexpected EOF while parsing action results

33592

When a new Unix user account is created, the parameter for the home directory is not taken into account. This means that the home directory is always created under /home/<user name>.

33713

Error including a schema extension file in the SAP connector schema if the tables are defined after the functions in the file.

33564

If a schema type is defined in a schema extension file that uses table definitions for the ListObjectsDefinition and ReadObjectDefinition attributes as well as function calls for the InsertObjectDefinition, WriteObjectDefinition, and DeleteObjectDefinition attributes, the parameters of the given function are missing in the resulting schema as schema properties of the schema type.

33574

Error when user accounts inherit SAP roles (SAPUserInSAPRole) if the corresponding SAP user account client access (SAPUserMandant) is marked as outstanding.

Error 1: Although the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter is not set or does not exist, valid assignments are generated.

Error 2: If the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter is set, valid assignments are generated. But the client's assignment to the user account stays outstanding. This provisions the role assignment. The outstanding mark is not removed until the next time synchronization is run.

The SAP_ZUserInSAPProfile and SAP_ZUserInSAPRole procedures for calculating inheritance have been corrected. If the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter is not set, the roles and profiles are not inherited by the user account and the entry in SAPUserMandant stays outstanding. If the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter is set, the outstanding mark is removed and the roles and profiles are inherited by the user account

NOTE: SAP roles and profiles can then also be assigned directly if the assignment to the user account of the client that the roles and profiles belong to, is marked as outstanding. This removes the outstanding mark.

33724

Passing parameter to functions that are defined in an SAP schema extension file is not always correct.

33939

Very long runtimes for calculating memberships in SAP roles in One Identity Manager version 8.1.4.

33959

The SAP synchronization project consistency check shows warning messages.

A patch with the patch ID VPR#33980 is available for synchronization projects.

33980

When renaming SAP user accounts in the Manager, the Disabled password option is not taken into account.

34059

The SAPUserInSAPHRP.Excluded column is not provisioned in SAP R/3 although it can be edited in the Manager.

A patch with the patch ID VPR#34081 is available for synchronization projects.

34081

The description of SAP roles is divided into two fields in the SAP GUI. In One Identity Manager, the entire description is written in one column although there are also two fields available.

In the synchronization project, a new virtual schema property has been created to divide up the description. The map has been adapted. A patch has been provided to correct existing synchronization projects.

34128

An SAP group can be assigned to SAP user accounts that are administered through a Central User Administration, in One Identity Manager only if the group's client is assigned to the user accounts. In the SAP R/3 environment, a user account can be assigned to the central client's group without the user account being authorized for the central client.

34164

Error provisioning an SAP user account when the valid from date of the user account is greater than the valid until date. This data installation is now prevented in One Identity Manager.

34245

Exchange Online dynamic distribution groups (O3EDynDL table) do not allow the empty included recipients (IncludedRecipients column) although it is not a mandatory field in the Exchange Admin Center. An error occurs during synchronization. The Customizer prevents the column from being empty.

33730

Incorrect number of the Notes version in log messages when using IBM Domino Server version 10 or HCL Domino Server version 11.

33654

Error provisioning Notes mail-in databases.

33755

When a mail-in database is created, it is mandatory to enter the Notes domain that the mail-in database should belong to. There is a property mapping rule missing for transferring the value to the target system during provisioning of the mail-in database.

A patch with the patch ID VPR#33759 is available for synchronization projects.

33759

The IBM Notes connector does not store the user ID file in the location specified in the TargetSystem | NDO | TempNetworkPath configuration parameter.

The configuration parameter has been deleted. Customized usage might require modification. Use the settings in the main data of the linked Notes domain or the allocated mail server.

34302

When the system connection to an Oracle E-Business Suite is saved, parts of the connection credentials are saved twice.

A patch with the patch ID VPR#34008 is available for synchronization projects.

34008

If an Active Directory global catalog is unreachable due to the firewall configuration, requests to the global catalog will not fail. Process steps that perform name resolution through a global catalog remain in the Processing state in this case.

Solution: A timeout of 65 seconds has been built into the Active Directory connector so that a request that is not answered within a certain time is considered to have failed.

33807

When creating Active Directory user accounts, diacritical characters (for example, Å, Ø, or Æ) are not correctly taken into consideration in the templates and table scripts. The user accounts are not created.

33590

The description of the TargetSystem | ADS | Accounts | NotRequirePassword configuration parameter does not match the behavior. The description has been adjusted.

33500

Errors in the documentation of some Password Capture Agent properties in the One Identity Manager Password Capture Agent Administration Guide.

33967

Errors may occur when synchronizing LDAP groups and their members if at least one member user account is not yet stored in the One Identity Manager database and is only found in the synchronization buffer.

34211

Assigning an LDAP computer to a device does not queue a LDP-K-LDPMachineInLDAPGroup recalculation task. This means that groups inherited through the device are not assigned to the computer.

33509

Error when provisioning memberships in LDAP groups. An attempt is made to write a empty value to the Member attribute of an LDAP group.

Error message:

Operation error message: A protocol error occurred.

Response result code: (2) ProtocolError

Response message: no values given

33869

Issues if the Password property is a mandatory field in LDAP. For all schema classes that have this property, a vrtPassword is provided by the connector. The virtual property is mapped in the default. The actual Password property is not mapped. This leads to an error in the consistency check of the synchronization project as well as errors in provisioning.

34091

The length of the LDAPAccount.RoomNumber column is too short.

34099

An error occurs when checking an Active Directory password policy in the Designer:

VI.DB.DatabaseException: Database error 1: SQL logic error

no such table: ADSPolicyAppliesTo

33770

The Custom and the User defined tabs on the main data form for cloud user accounts are both called Custom in the English user interface.

33578

Error synchronizing a cloud application with the SCIM connector when using the ETAG property as a revision counter.

33762

Not all changed objects are correctly viewed and updated when synchronizing a cloud application with revision filtering because the time zone of the SCIM provider is not taken into account.

33949

Exception error during initial synchronization of a cloud application with the SCIM connector: Invalid token header. No credentials provided.

33988

Authentication failure due to missing encoding when logging in to an Oracle cloud application using the SCIM connector.

34123

The length of the AADUser.State column is too short.

33954

Performance problems during synchronization if many-to-all tables are included in the mapping.

34096

Simultaneous provisioning of multiple G Suite organizations fails (quota exceeded).

33636

The Customizer prevents the primary email address of a G Suite user account from being changed if this involves using an email address that is already assigned as an alias.

34160

The Customizer prevents the modification of Microsoft Exchange mailboxes when the Active Directory user account is disabled.

34329

When exiting the System Connection Wizard for Microsoft Exchange, an error occurs if a password with two dollar signs ($) is entered in the connection parameters.

Error message: Unknown Variable (T)!

34359

The Delete sensitive data process step does not always run reliably when the employee's central password is propagated to the user account. It might result in password fields in the database not being cleared.

The behavior has been changed as follows:

  • An employee's central password is now only passed on to user accounts belonging to target systems that are synchronized by the One Identity Manager (NamespaceManagedBy=VISYNC). In custom target systems, it must also be possible to perform write operations (IsNoWrite=0).

  • For read-only target systems (NamespaceManagedBy=ReadOnly), the employee's central password is no longer propagated to the employee's user accounts.

  • An additional process step has been implemented in the processes for user accounts. This waits until all user account's processes have completed. Then the user account's password data is deleted from the database.

    The following processes were modified:

    AAD_User_Insert

    AAD_User_Update/(De)Activate

    ADS_ADSAccount_Insert

    ADS_ADSAccount_Update/(De-)activate

    ADS_ADSAccount_Insert (ReadOnly)

    LDP_Account_Insert

    LDP_Account_Update/(De-)Activate

    CSM_User_Insert

    CSM_User_Provision

    EBS_EBSUser_Insert

    EBS_EBSUser_Update

    GAP_User_Insert

    GAP_User_Update/(De)Activate

    PAG_User_Insert

    PAG_User_Update/(De)Activate

    SAP_SAPUser_Insert

    SAP_SAPUser_Update

    UNX_Account_Insert

    UNX_Account_Update/(De)activate

    NDO_NDOUser_Insert

    NDO_NDOUser_Update

    NDO_NDOUser_Insert (ReadOnly)

    UCI_UCIUser_Insert

    UCI_UCIUser_Update

32671

Changing an employee's central password several times quickly results in an error.

Error: <Central Account> was changed by another user.

34388

Table 8: Identity and Access Governance

Resolved issue

Issue ID

When calculating whether the an approval step has timed out for an approver or attestor, the members of the chief approval team are taken into consideration. This may result in the approval step not being escalated or broken off although the timeout has been exceeded for all the regular approvers.

33436

If attestation cases for permanently deactivated employees are closed automatically, no publishing date (DateHead) is set.

33511

If there are several thousand Reminder for attestation cases tasks being processed in the DBQueue, blocked sessions and deadlocks may occur. This prevents the DBQueue from being processed quickly.

33570

If several attestors have been determined for one approval step where the number of approvers is set to 1 and one attestor has already made an approval decision, the other attestors are still sent a reminder email. This error occurs in the scheduled demand for attestation.

33664

Attestation cases do not come to an end when attestations for several attestation policies are started simultaneously and generation of an attestation case fails.

33711

Performance issues approving attestation cases.

33732

Very high memory usage and performance issues running attestations for attestation policies that create a lot of attestation cases.

Solution:

  1. Transaction repetition has been disabled in the objects layer. Now there might be more error messages during processing.

  2. The VI_GetAttestationObject script can be customized. An optimized version that only contains the foreign key references can significantly reduce the runtime.

33994

If the approval policy that applies to a product is defined on the service item or the service category, the product cannot be moved without breaking off any active requests.

33650

Error unsubscribing a product with a limited period. If the request of a limited period product has been renewed several time such that the total validity period exceed the validity period define in the service item, an error occurs when unsubscribing the product.

33756

Double entries in the PWOHelperPWO table. Sporadically, entries in the auxiliary table for request procedures (PWOHelperPWO) are add twice. This leads to a doubling of email notifications. If the approval workflow contains an approval step for external approval, the process for external approval is generated twice.

33780

Renewing a limited period request fails although the renewal's expiry date is withing the validity period.

33892

The main data forms for departments, locations, cost centers, and business roles also show countries that are not enabled in the Country menu. Only enabled countries are allowed.

33668

Assignments created through inheritance of SAP roles and SAP user accounts become active one day late. This happens if the database server is in a timezone to the west of UTC.

34034

In One Identity Manager, if the validity period of an SAP user account is changed, no recalculation of company resource assignments to employees is triggered.

34338

New keywords for service items will only be found after a complete re-indexing has been performed on the application server.

33518

For automatic approvals, the processes do not go to the Frozen status when they fail.

33386

Error saving completed requests if a validity period (Max. days valid) is subsequently set on the service item.

33799

When approving requests, an error occurs under the following conditions:

  • The approval has been delegated and the delegator would like to be notified of the approval decision.

  • The reason for the approval decision is too long.

33861

A request for recalculating the approvers is queued in the DBQueue, although the NoRecalc is set on the QER | ITShop | ReducedApproverCalculation configuration parameter.

33932

Renewals and cancellations fail if the request's valid until date has already passed at the time of approval.

33935

It is not possible to reduce the value of Max. days valid for a single service position.

Changes to this value now affect new requests and renewals. If the value is changed from 0 to greater than 0, the change also affects existing requests.

34038

Requests receive the status Pending after final approval, although no other request is active.

34052

If a cancellation date that is in the past is specified for a cancellation, an error message appears. Subsequently, the product cannot be canceled even with a valid date.

34144

On the overview forms of resources and service items, columns that do not exist are used in the Display columns property (DialogTree.ElementColumns).

33674

If an exclusion clause is defined for two business roles (BaseTreeExcludesBaseTree), it may happen that a dynamic role should nevertheless assign a employee to the business role. The DBQueue Processor assignment is not processed and an error is logged: Cannot make assignment because there are already employee assignments to roles that exclude the roles to be added.

33720

If a new employee is created in the Manager or the Web Portal and the manager (UID_PersonHead) is entered at the same time, the process defined in the HelperHeadPerson table that is supposed to start by setting the manager, is not triggered.

34063

Missing indexing for the BaseTreeOwnsObject table.

34130

Incorrect German translation for the entry The following employees are currently entitled to approve this request.

34175

When approving rule violations, exception approvers can specify a valid until date that exceeds the validity period specified in the compliance rule.

33808

The employee group affected by a compliance rule is determined incorrectly, if main and subidentities need to be determined.

34197

When deserializing objects of an attestation case, an error may occur if the logged in user does not have sufficient edit permissions.

34365

Table 9: IT Service Management

Resolved issue

Issue ID

In the Manager, it is not possible to maintain the number of CPUs per computer or server

33745

See also:

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating