Identity Manager 8.2 - Release Notes

New features in One Identity Manager 8.2:

General

We are introducing inclusive terminology to our products and documentation, replacing non-inclusive terminology during the process. Changes to our user interface elements and error messages will be reflected in the documentation for each product version.
SQL Server 2019 support with the database compatibility level SQL Server 2017 (140).
Windows Server 2022 support for Job servers, application servers, and web servers.
Windows 11 support for workstations.
New formatting type to prevent XSS characters being entered. The new QBM | XssCheck und QBM | XssCheck | Sync configuration parameter determines whether a check is carried out.
Improved protection against damaging SQL statements. New configuration parameters for risk assessment, QBM | SQLCheck | RiskEvaluation and QBM | SQLCheck | SubSelect.
Support for a connection pool for separate sessions for reading and writing on different database servers. In the connection dialog, the Data Source property can contain a pipe (|) delimited list of servers. The first server specified is the primary server used for write access. All other servers are read-only copies with read access only.
For password policies, you can specify how many character class rules must be satisfied for a password to match the password policy..
Advanced configuration for OAuth 2.0/OpenID Connect.
- The OAuth 2.0/OpenID Connect configuration for identity providers can be taken from a template. For the One Identity Redistributable STS (RSTS), the file is pre-configured. You can find the RSTS_Template.xml in the One Identity Manager installation directory. The template can be used in the Designer.
- You can specify whether a check of the ID token takes place.
- You can specify the acr values that the authorization server can use for processing an authentication request.
- You can specify the claim type to be additionally checked.
- You can configure the behavior of the client after logging off from the application.
Support for authentication of external applications via OAuth 2.0/OpenID Connect.

There are new QBM | AppServer | AccessTokenAuth and QBM | AppServer | AccessTokenAuth | RoleBased configuration parameters provided for configuration.
Fallback for login using OAuth 2.0/OpenID Connect authentication modules for determining users. If no matching person is found for the claim value, the authentication modules search for the claim value in the system users' permitted logins (DialogUser.AuthentifierLogons). If an entry is found there, then that system user is logged in.
Individuals who are considered a security threat will no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.
A new table QBMColumnLimitedValue has been implemented to map lists of permitted values. A new table QBMColumnBitMaskConfig has been implemented to map bit masks. Editing is done in the Designer's Schema Editor on the Value properties tab. Default values can be deactivated on a custom basis.
You can specify whether to check if single MVP column values have to be unique, case sensitive, or accented characters. Editing is done in the Designer's Schema Editor on the Value properties tab.
For unique groups of columns, you can enter message texts to be used instead of the default error message.
The query type of predefined database queries can be used to specify whether an entire SQL query is being handled or just the Where clause section.
If the format is specified, the target type of the expression is a string. If the format is not specified, it is the specified data type.
You can specify whether a Job server participates in load balancing.
In custom method definitions, a script can be used to conditionally display a method. For example, this way you can control whether a task is only displayed in the Manager if a certain condition is met. The script does not change the user's permissions, only the behavior when loading an object in the One Identity Manager tools.
New features for schedules.
- Schedules can be run on a specific day of the week in a specific month.
- Multiple start times can be set per day.
- The start details of schedules is logged.
You can define a default country that is taken into account when determining working hours and holidays.
Extension of $ notation with optional format specification: $<definition>:<data type>{<format>}$
Introduction of a new One Identity Manager query language. The One Identity Manager query language can be used to create queries or Where clause expressions against the One Identity Manager object layer.One Identity Manager For example, the One Identity Manager query language is used to communicate between application servers and clients. Currently, you can use the One Identity Manager query language in the Object Browser's query window . For more information, see the One Identity Manager Configuration Guide.
Support for custom configuration files for logging with NLog. The custom-log-variables.config and custom-log-targets.config include files are defined in the globallog.config file. The LogFileLevel variable can overwrite the severity level in a custom configuration file. The eventLogLevel variable can be used to override the information level in a custom configuration file.
Transport templates can be created with the Database Transporter. You can use the transport templates when you create transport packages with the Database Transporter or with the DBTransporterCMD.exe command line program. This loads the export criteria from the transport template file.
The DBTransporterCMD.exe command line program supports the transport of synchronization projects.
New feature in the Quantum.MigratorCmd.exe command line utility.
- Support for creating, checking, and extending SQL Server logins if granulated permissions are used.
- New mode for creating an operational database after the database has been restored from a backup.
The DBCompilerCMD.exe command line program supports automatic compilation of the database. The database is monitored and compiled if necessary.
The AutoUpdate.exe command line program supports automatic software updating of a One Identity Manager installation.
The One Identity Manager tools are displayed in the Launchpad in a new Programs menu item and can be started from there.
Individual tasks in the Launchpad are also available for users with role-based permission groups.
An email configuration wizard is provided to configure email functionality in the One Identity Manager. The wizard can be run in the Launchpad and in the Designer's Configuration Parameter Editor.
The user interface of some One Identity Manager components requires Microsoft Edge WebView2 to display certain content. When installing the components, Microsoft Edge WebView2 is also installed.
The application server can be limited to a REST API mode.
Automatic updating of the application server can be configured in the web.config file. The mode attribute can be used to control whether the update is scheduled or started manually.
New Common | Indexing | DefaultResultLimit configuration parameter to specify the maximum number of search results returned for a query.
The API Server optionally provides a SCIM V2.0 interface through a plugin. This allows read and write access to a defined set of One Identity Manager tables.
The availability of a One Identity Manager Service can be tested over /alive.
New DirectConnection setting to configure the One Identity Manager Service for directly connecting to the target database without availability testing.
New DoNotWriteConfigBack setting to configure the One Identity Manager Service not to write the configuration back to the database.
New FtpComponent process component. This process component can transfer files by SFTP.
New CallMethodExclusive process task for the process component HandleObjectComponent to exclusively call a customizer method.
The F1 help and One Identity Manager documentation are provided in HTML5 format. You can access One Identity Manager documentation in the Manager by selecting the Help > Search in local help menu item.
Integration of Customizer methods into the Typed wrapper classes.
Step-by-step preparation of a database update. This runs through the various phases for preparing the database update. This step-by-step preparation is intended to ensure that users are informed about the upcoming update and that processes can be shut down in a targeted manner.

NOTE: Step-by-step preparation is used only when updating databases that have at least One Identity Manager version 8.2.

Web Portal

This One Identity Manager version includes fundamentally redesigned web applications based on HTML5 technology. These web applications are provided through the API Server and cover the following application areas, among others:
- IT Shop requests and approvals
- IT shop configuration
- Management of identities, user accounts, system entitlements, company structures, and system roles
- Application Governance
- Management of attestation policies
- Attestation case approvals
- Password management
- Job queue process monitoring
NOTE: The web applications that were previously part of the product are still available. For reasons of understanding, a distinction is now made between the Web Designer Web Portal and the Web Portal.

Application Governance is now part of the Web Portal. Application governance functionality lets you quickly and easily centralize the onboarding process for new applications. A new application combines all the entitlements that application users need for their daily tasks. This allows you to assign application permissions (for example, system entitlements or system roles) to your application and plan when they will be available in the Web Portal as requestable products.
In the Operations Support Web Portal it is now possible to view objects marked as outstanding, delete these objects in the database, or add them back to the target system. Additionally, it is possible to reset the status of these objects so that they are no longer marked as outstanding. A new Basic Roles | Operational Support | Post Synchronization Handling application role is provided..
It is now possible to decide in the Operations Support Web Portal how to deal with failed processes. For example, you can re-run processes and process steps that contain errors.
It is now possible to assign new passwords to identities in the Operations Support Web Portal.
In the Web Portal, you can display and request products that other people from your vicinity have already requested. As a manager, you can also see products from your team’s peer groups.
It is now possible to create, edit, and delete sample data in the Web Portal. This sample data can then be used in attestation policies to perform attestations for only a subset of objects, for example, if attesting all objects would take too long.
In Web Portal you can now display an organizational chart for each identity.
In the Web Portal, there is now a Products expiring soon tile on the home page that indicates products that will expire in the near future and need to be renewed.
Memberships in objects that were created through dynamic roles can now be excluded in the Web Portal.
It is now possible to create, edit, and delete shops and associated shelves in the Web Portal.
Using the Administration Portal, you can now view and edit your API configuration.
It is now possible to provide your own HTML5 applications as a ZIP file and have them hosted over the API Server.
It is now possible to create, edit, and delete service categories in the Web Portal.

Target system connection

Support for Microsoft Teams.

Microsoft Teams teams and channels are mapped in One Identity Manager. The Microsoft Teams connector has the task of synchronizing Azure Active Directory. Installing the Microsoft Teams Module provide synchronization templates for Microsoft Teams. The Azure Active Directory connector uses the Microsoft Graph API for accessing Microsoft Teams. For more information, see the One Identity Manager Administration Guide for Connecting to Microsoft Teams-Umgebung.

A patch for synchronization projects with patch ID VPR#32454 is provided.
Simulation of property mapping for single objects

In the Synchronization Editor, you can test the results of property mapping rules. In particular, this can be used to check the mapping of virtual schema properties. The test results can be exported and thus used for product support.
Support for the Microsoft Cloud for US Government (L4) national cloud deployment.

Patches for synchronization projects with patch ID VPR#34150 and patch ID VPR#34170 are provided.
Support for Azure Active Directory guest users. To send the invitation to guest users, additional modifications are required in the synchronization project.

Patches for synchronization projects with patch ID VPR#28669 and with patch ID VPR#32665 are provided.
For Azure Active Directory user accounts, additional properties are supported for mapping personal and federation information for Azure Active Directory.

A patch for synchronization projects with patch ID VPR#31389 is provided.
The date of the last password change to Azure Active Directory user accounts is loaded.

A patch for synchronization projects with patch ID VPR#32975 is provided.
Support for license assignment to Azure Active Directory user accounts through Azure Active Directory groups. Additional reports are provided for user accounts and subscriptions..

A patch for synchronization projects with patch ID VPR#32384 is provided.
Support for Azure Active Directory applications, service principals, and app roles.

A patch for synchronization projects with patch ID VPR#33088 is provided.
Support for Azure Active Directory activity-based timeout policies, home realm discovery policies, token issuance policies, and Token lifetime policies.

A patch for synchronization projects with patch ID VPR#33198 is provided.
Update employees when Azure Active Directory user accounts are changed.

The new TargetSystem | AAD | PersonUpdate configuration parameter can be used to control whether the properties of connected employees in One Identity Manager are updated when user accounts in Azure Active Directory are changed.
Support for custom Azure Active Directory schema extensions. The Azure Active Directory connector can read and write Azure Active Directory schema extensions.
The Azure Active Directory connector supports delta synchronization to speed up Azure Active Directory synchronization. Delta synchronization is not enabled by default, it must be customized.
The Hide group from Outlook property in Office 365 groups is mapped.

A patch for synchronization projects with patch ID VPR#34046 is provided.
The Active Directory connector supports Active Directory, which is shipped with Windows Server 2022.
With Active Directory synchronization, more restrictive values for the minimum password length and the number of passwords to store are applied from a domain's global account policy to the One Identity Manager password policy for that domain.
The Middle Name property of Active Directory user accounts is mapped.

A patch for synchronization projects with patch ID VPR#32110 is provided.
Support for protection against accidental deletion of Active Directory containers, user accounts, contacts, and computers.

Patches for synchronization projects with patch ID VPR#32759 and with patch ID VPR#32783 are provided.
The Azure AD Connect anchor ID of Active Directory user accounts, contacts, groups, and computers is mapped.

Patches for synchronization projects with patch ID VPR#32950 and with patch ID VPR#32952 are provided.
The Password Capture Agent supports Windows Server 2019 and Windows Server 2022.
Support for One Identity Active Roles version 7.4.5.
Support for the Active Roles Group Family.

A patch for synchronization projects with patch ID VPR#34634 is provided.
A new TargetSystem | ADS | ARS configuration parameter has been added Active Roles. Active Roles specific components are marked with a new preprocessor condition ARS.
Support for the Microsoft Exchange mailbox permissions Send as and Full access.

A patch for synchronization projects with patch ID VPR#21073 is provided. Synchronization is not enabled by default. In request to synchronize mailbox permissions, the synchronization project must be customized.
Support for excluding Microsoft Exchange mailbox databases from automatic mailbox distribution.

A patch for synchronization projects with patch ID VPR#26120 is provided.
Support for Microsoft Exchange address book policies.

A patch for synchronization projects with patch ID VPR#27741 is provided.
Support for recovery of individual items of Microsoft Exchange mailboxes.

A patch for synchronization projects with patch ID VPR#31470 is provided.
A new LDAP connector LDAP connector (version 2) is provided. Project templates are provided for OpenDJ, Active Directory Lightweight Directory Services (AD LDS), and Oracle Directory Server Enterprise Edition (DSEE), as well as a generic project template.
Support for multiple linking of LDAP systems with the same distinguished name.
- With newly created synchronization projects, the LDAP domain names are formed with <DN component 1> (<server from connection parameters>).
- For existing synchronization projects created with the generic LDAP connector, a patch with patch ID VPR#33513 is provided.
- LDAP domains that are already in the database are not renamed. If necessary, manually adjust the LDAP domain names (Ident_Domain).
Support for the One Identity Safeguard versions 6.7, 6.10, and 6.11.
Support for access requests for SSH keys for One Identity Safeguard.

A patch for synchronization projects with patch ID VPR#32541 is provided.
Support for vault for personal passwords for user accounts in One Identity Safeguard.

A patch for synchronization projects with patch ID VPR#34392 is provided.
Connection of PostgreSQL databases

With the generic database connector, PostgreSQL databases can now also be connected.
The One Identity Manager connector supports synchronization of databases with different product versions or different number of modules.

A patch for synchronization projects with patch ID VPR#33728 is provided.
Generation of synchronization projects for synchronization of two One Identity Manager databases (system synchronization)

The synchronization project for synchronization of two One Identity Manager databases can be created automatically based on defined criteria. This creates an image of selected application data from a One Identity Manager database. Support for revision filtering. The frequency of synchronization can be set individually for each table to be synchronized.

System synchronization simplifies the setup and maintenance of the synchronization configuration. One Identity Manager takes care of setting up all the components of the synchronization configuration. Manual adjustments are not necessary. For example, use system synchronization to outsource computationally intensive functions such as attestation and automatic revoking entitlements from the central database.

A patch for synchronization projects with patch ID VPR#33728 is provided.
The scope of the synchronization protocol has been extended. Information about the processed objects, synchronization progress, revision filtering by synchronization step is now output. The level of detail can be configured in the synchronization workflows.
Variables can be used for defining quotas.
The Oracle E-Business Suite connector and the generic database connector for Oracle Database have been migrated to Oracle Data Provider for .NET (ODP.NET).

A patch for synchronization projects with patch ID VPR#33804 is provided.
IMPORTANT:
- The connection parameters of existing synchronization projects for Oracle E-Business Suite are altered when establishing the connection to the target system, where possible, and should be checked afterwards.
- The connection parameters of existing synchronization projects for the generic database connector for Oracle Database are altered when updating One Identity Manager, where possible, and should be checked afterwards.
Mapping of different types of system entitlements .

Many cloud applications use more than one group type to map entitlements. When connecting cloud applications, other types of system entitlements, such as roles or entitlement sets, can now be mapped in addition to groups. Depending on the target system, assignments are maintained either with the user accounts (user-based assignment) or with the system entitlements (entitlement-based assignment). The types used and with which object types the assignments are maintained is configured when synchronization is set up.

The different types of system entitlements and their assignments can be integrated into Identity Audit and attestation.
When defining schema types in a schema extension file for the SAP connector schema, the InsertCommitDefinition, WriteCommitDefinition, and DeleteCommitDefinition attributes can now also be used.
SAP S/4HANA user types and communication data are supported.

Patches for synchronization projects with patch ID VPR#33301 and VPR#33301_2 are provided.
An RFC function module /VIAENET/HELPER with the /VIAENET/ZHELPER function group is provided, which selects the PA0002 table.
An RFC function module /VIAENET/READTABLE is provided, which behaves similarly to the RFC_READ_TABLE function module. The function can read data from tables and views in the SAP database, as long as they are not marked as internal tables.
For mapping additional HR data to employees, the SAP R/3 HCM employee objects synchronization template provides the mapping and the Employee_PA0000 synchronization step. This mapping can be used instead of the default Employee mapping. To do this, activate the Employee_PA0000 synchronization step and deactivate the Employee synchronization step.
The Domino connector supports the Notes Client version 10.0.
Support for HCL Domino Server version 12.0 and HCL Notes Client version 12.0

NOTE: If the connected Domino system uses Domino 12 and the Domino connector has write access to the target system, then the gateway server must have Notes client version 12 installed.

If read-only access to the target system is required, an older Notes client version can also be used on the gateway server.
Creating SharePoint Online site collections and sites

You can add new site collections and site in the One Identity Manager and publish them in the SharePoint Online target system. Predefined scripts and processes are provided for this purpose. These can be used as templates to make site collections and sites requestable through the IT Shop.

A patch for synchronization projects with patch ID VPR#31779 is provided.
For synchronization of Unix-based target systems, authentication with a private SSH key is supported.

A patch for synchronization projects with patch ID VPR#33249 is provided.

Identity and Access Governance

Improved support for inheritance of target system-specific groups and permissions by user accounts.

To better distinguish which types of groups and permissions are inherited, additional options for inheritance have been implemented. In addition, you can specify which groups and privileges are to be inherited when you create the account definitions. A note is displayed on the user account overview forms when groups and permissions cannot be inherited.
For inheritance of groups and permissions based on categories, 64 categories can now be created.
Assignments of employees to multiple business roles can be prevented. You can enable the option for role classes and role types.
New default approval procedures KA and OT for attestations and IT Shop requests.
New default approval procedure CS for attesting employees.
New default objects (attestation policy, attestation procedure, condition types, approval workflow, and approval policy) for attestation of initial manager assignment. With this attestation, missing manager information can be requested and assigned to employees.
New report Overview of the results of an attestation run.
Attestation policies can be configured to automatically change the certification status of attestation objects when an attestation is approved or denied. The Set certification status to "Certified" and Set certification status to "Denied" options can be enabled if a table is selected in the attestation procedure that has an ApprovalState column. The feature can be used by default for attesting employees, business roles, application roles, and organizations.
Shortened process of attestations if an attestor is authorized to make multiple approvals in one attestation case. If this attestor grants approval it is automatically carried over to subsequent approval steps. Thus, the attestation case is submitted to the attestor for approval only once.

The feature is activated with the QER | Attestation | ReuseDecision configuration parameters.
Sample attestation

With sample attestation, attestation cases can be restricted to a selection of attestation objects. Samples can be compiled manually or based on defined criteria. A default sample Monthly organizational changes to employees is provided. This can be used if the QER | Selections | PersonOrganizationalChanges configuration parameter is set. To create random samples, the QER_PPickedItemInsertRandom SQL procedure can be used.
Weekends and public holidays are now taken into account by default when calculating working hours, for example for the due date of attestation cases or the approver reminders. To configure whether weekends or holidays should be treated as working days, additional configuration parameters have been introduced.
- QBM | WorkingHours | IgnoreHoliday
- QBM | WorkingHours | IgnoreWeekend
- For time-limited requests, if the expiration date has passed, requests can now go through a cancellation workflow before the assignment is permanently removed.
- QER | Attestation | UseWorkingHoursDefinition
Assignments of company resources to system roles can now be requested in the Web Portal. For this purpose, the Assignments to system roles default assignment resource is provided.

When attesting assignments to system roles, the requested assignments can also be removed automatically. The QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveRequested configuration parameter was introduced for this purpose.
The definition of SAP functions has been extended so that external services, TADIR services and RFC function modules can be included in the authorization check in addition to transactions. Transactions, external services, TADIR services, and RFC function modules are mapped as SAP applications in One Identity Manager.

Patches for synchronization projects with patch ID VPR#32963_1 and VPR#32963_2 are provided.
The definition of product-specific request properties has been redesigned. Now you can define a lot of additional information for request parameters. This makes the implementation of request properties more flexible. The previous solution can still be used. When creating new request properties, you specify whether you want to use the modern or the obsolete definition.
Assigned requests that have passed their expiration date can now go through the cancellation workflow stored in the approval policy before the assignment is finally removed. The feature is activated with the QER | ITShop | ExceededValidUntilUnsubscribe configuration parameters.
Employees can excluded automatically from dynamic roles on he basis of a denied attestation or a rule violation. An excluded list is maintained to do this. Excluded lists can also be defined for individual employees.
Support for the reorganization of a IT Shop solution. The following tasks can be run on custom IT Shop structures:
- Simultaneous moving of several selected products from one shelf to another shelf.
- Moving a complete shelf to another shop.
- Moving a complete shop to another shopping center.
Introduction of a general deputization of all an employee's approval entitlements. An employee can appoint a deputy for all approval powers in one area. This deputy is additionally identified as the approver for all approvals that the employee is required to make during a specified time period. Deputies may be established for attestation, request approvals, and exception approvals of requests.
When attesting memberships in application roles, memberships that were created through a dynamic role can also be automatically removed. The QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole configuration parameter was introduced for this purpose.
Google Workspace admin role assignments can now be requested in the Web Portal and integrated into Identity Audit.
Manually created application roles for product owners are now also automatically deleted if they are not used.

NOTE: If you have set up your own application roles under the Request & Fulfillment | IT Shop | Product owners application role that you use for custom use cases (tables), then check whether these can be deleted automatically. Otherwise, disable the Clean up application role "Request & Fulfillment | IT Shop | Product owners" schedule.

See also:

Enhancements

The following is a list of enhancements implemented in One Identity Manager 8.2.

Table 1: General
Enhancement	Issue ID
The overview of the system configuration has been improved and extended with new values. The report can be saved as a CSV file The database encryption state is displayed. Improved display of historical data values.	31738, 32890, 32992, 34692
Improved support for the delta method for faster database updates.	32791, 32917
Improved migration performance.	34109, 34587, 34591
The basegroup database role is no longer used. The database role is no longer created for new installations. In existing installations the database role can still be used.	34179
Improved creation of table indexes.	33530
Improved readability of generated view definitions.	31491
New consistency check Mandantory field definition missing to detect potentially missing mandatory field definitions.	31297
The default language of a language code (QBMCulture.UID_DialogCultureDefault) can be customized.	31749
Entries are now generated in the DialogProcess table for deferred operations.	32782
Improved determining of process information about a trigger.	34529
Improved support for BULK operations in the object layer.	31066, 31573, 32249
Improved support for retrieving historical information.	30334, 30437, 31449, 31450, 31451, 34723
Extension of EntityLogic fluent interfaces for running conditionally.	33796
Optimized determining display values.	33931
The hash function SHA-1 is not used anymore.	27488
Improved password quality calculation. Password quality for short passwords can now be lower.	33683
Permissions of logins for administrative users with granulated permissions are extended in the Configuration Wizard, if necessary.	30904
Existing SQL Server logins can be used in Configuration Wizard.	30791
Improved enabling and disabling of authentication modules in the Designer.	33929
The <SpecialSheetData> section from configuring interface forms is no longer supported. The definition now goes in the <Properties> section. NOTE: Existing configurations will be adjusted during the database update. Check the data if necessary.	31332
Improved documentation of supplied schedules by default.	32506
Improved documentation for overriding templates.	33215
Improved support for uninstalling One Identity Manager components. As long as there are multiple One Identity Manager installations, the configuration data cannot be removed.	31159
In the connection dialog, the database server can now be deleted from the server menu.	32510
When running multiple databases in a managed instance in Azure SQL Database, you can fix the number of slots in the new QBM \| DBServerAgent \| CountSlotAgents configuration parameter.	34047
Improved support for installing modules later.	33942
Improved documentation of the DBQueue Processor reinitialization after a server hardware upgrade.	34208
The StdIoProcessor.exe checks whether its parent process (VINetworkService.exe) is still up and running.	31081
Improved logging of process handling in the One Identity Manager Service log file.	31536, 32792, 33721, 34330, 34559
Improved output of table names in error number 810005.	31686
New Server\Job Server\Configuration utility machine role for installing the Job Service Configuration.	32776
The Server Installer remembers the directory with the installation files.	33686
Improved installation information for the One Identity Manager Service in the Server Installer and in the Configuration Wizard.	34457
A time delay is now in effect when exiting the One Identity Manager Service to allow the service to synchronize with the database.	34459
Support for custom translations of resource file text.	23677
The Where Clause Wizard for entering database queries supports date comparisons.	17996
Improved feedback for the system status in the One Identity Manager tools' status bar.	29567
The status bar indicates whether the logged-in user is an administrative user.	33491
Update of the controls in the One Identity Manager tools.	31577
Improved display of multi-line values in MVP columns.	31312
Improved display of columns representing a URL.	33545
If a text is too long for translation, a corresponding hint is now displayed at the input field.	33667
To make filters available to all users, you can publish the filters in the Manager or in the Designer, for example.	31025, 33247
Improved display of the primary key in an object's properties dialog. The primary key can be copied in different formats.	32549
Improved SQL export in an object's properties dialog.	33679
Improved support for script editing. The functions in the advanced editing window for scripts have been revised and extended. Additional code snippets are provided. Sorting of the code snippets has been improved.	32026, 32937, 33161, 33162, 33240
Display values for report parameters can be passed to reports.	34272
The maximum number of result rows of report queries can now be modified.	34293
Tooltips are displayed on assignment forms in the Manager.	31634
Outstanding objects are now shown crossed out on the assignment forms.	34508
In the Object Browser, breakpoints are automatically saved in the configuration when the debug dialog is closed and loaded again when the debug dialog is reopened.	30816
Improved prompt when saving changes in the Object Browser.	31291
In the Object Browser, when SQL queries are run, the total number of times and the run time of the query are output.	31813
Enhancements and improvements in the Job Queue Info. Parameters that contain an object key are displayed as a link. The link displays the object properties. The Object Browser can be started. The Synchronization Editor can be started if the object keys refer to a synchronization project. A new start time for a process step can be set. The number of retries for a process step can be changed. Multiple Job servers can be selected at the same time to edit the credentials to determine the status.	30102, 31983, 32851, 33516, 33642
In the Software Loader the root directory is now stored per database.	29507
In the Database Transporter, test whether the logged-in user has sufficient permissions to import.	34704
Improved behavior of the web service integration wizard.	31425
Improved support for mail definitions in the Designer.	31820, 33419
In the Designer, modified configuration parameters are specially flagged in the Configuration Parameter Editor.	32566
Improved support for editing table relations. Dynamic table relations are now displayed in the Schema Editor.	31849, 32582, 32429
View definitions can be checked in the Schema Editor.	33170
In the Script Editor, the font size can be changed using Ctrl + mouse wheel.	32026
The Process Editor points out possible misconfigurations when checking process validity.	32035, 34223
Improved column configuration support in the Schema Extension.	32436
Improved behavior of the command line tools. Version, error messages, and help texts are output. In the /conn parameter of the command line tools, the name of the connection can be entered according to the HKEY_CURRENT_USER\Software\One Identity\One Identity Manager\Global\Connections registry entry.	30328, 31082, 34077, 34209, 33010
Improved detection of need to compile in the DBTransporterCMD.exe command line program.	32062
Improved support for importing files with the SoftwareLoaderCMD.exe command line utility.	33943
Documentation of the create-web-dir.exe command line program.	33618
When closing the Launchpad with the Close button, a notice is now displayed that the Launchpad is minimized to the notification area of the Windows task bar.	31984
The Launchpad shows the color of the staging layer in the status bar.	32593
The PowerShell library for One Identity Manager has been extended.	33127

Table 2: General web applications
Enhancement	Issue ID
Improved security in the application server.	32466
REST API application server enhancements and improvements .	32576, 33963, 33728, 33126, 32930, 33923, 34016
Improved session handling in the application server when using tokens to authenticate.	33406
The validity of the session certificate is checked.	32141
In the application server, it is now possible to access the API with requests authenticated by access tokens.	245784
The VI_ITShop_Compliance_DoNotCheckIndirect Web Designer configuration key has been removed.	33042
For security reasons, the VI_Common_UserMessageAdd HTML Web Designer component now encodes the entered text by default. This behavior can be deactivated by the DoNotHtmlEncode() virtual function when calling the component.	202604
For security reasons, the VI_Common_ExternalFormHost Web Designer component can now no longer be used to display arbitrary URLs. If you need this functionality, you must rebuild existing code and use the QBM_Common_ExternalFormHost form component instead. This has the advantage of not passing URLs in the form of URL parameters.	203559
The parameter withPermissions of the Web Designer function dbcount() is now marked as obsolete.	34222
The permissions for debugging web applications have been extended.	34308
Webauthn security keys: The RSTS version has been updated to version 2019.11.22.0. You can now prevent the X-Frame-Options HTTP response header from being output at all by setting the RSTS configuration property DisableAddingXFrameOptionsHeader to true.	206688
Identities with the Basic roles \| Operational support application role can now no longer start and stop the DBQueue and JobQueue. If identities are to perform these tasks, they must be assigned the Basic Roles \| Operational support \| System administrators application role.	34368
Improved performance of grid controls. Less database queries are generated.	206856
When an request item is removed from a shopping cart that has dependent products, the dependent request items are also removed.	32758
When a shopping cart is deleted, its request items are also deleted.	33342
Improved presentation of the results of a peer group analysis.	34190
Managers now see all the delegations of their child identities in the Web Designer Web Portal and in the Web Portal.	33774
It is now possible to set a default size for images. When uploading images to Web Portal, they will be scaled accordingly.	32916
Shopping carts that have already been sent are now marked accordingly and it is no longer possible to add more products to such shopping carts.	33143
In the Web Portal, the request's main data now displays the request status instead of the processing status.	34181
Improved warnings have been introduced for the Web Portal log file and for the Web Portal monitor page, which indicate components that load a conspicuously large number of objects.	206672
Removed check box in front of the date field in the Web Portal. If you do not want a time restriction, do not enter anything in the field.	206732
If a single sign-on session ends in the Web Designer Web Portal, a button is now displayed that can be used to log in again with single sign-on.	206886
In the Web Portal, the set of selectable reference users is limited in the default configuration.	246899
The dialog for deleting secondary memberships of a role in the Web Portal has been extended. It now offers the possibility to optionally delete direct, requested, and dynamic memberships respectively.	250631
In the Web Portal, memberships in system entitlements can now be filtered and paginated.	275192
The label in the Filter on filter dialog has been changed to Filter on the '<column name>' column.	274174
In the Web Portal, an error message is displayed if the date entered is invalid.	33056
The following columns in the QBMWebApplication table have been described in such a way that it is clear that they are only relevant for the Web Designer Web Portal: UID_DialogAEDSWebProject UID_DialogAuthentifier UID_DialogAuthSecondary	34334
Improved design and navigation of the Operations Support Web Portal.	278209
For performance reasons, the API Server result format has been changed so that the value of DisplayValue is only sent if it differs from the value of Value.	206530
The imx/ping API method has been introduced for the API Server. This API method can be used as a "health check" of the API Servers. It can be called without authentication.	206652
It is now possible to configure the logging of the API Servers using a central configuration file.	206728
The API Server now returns unset dates in the JSON serialization as NULL.	239140
For the API Server, the Microsoft Extensibility Framework component has been removed. NOTE: Marking classes with the [Export] or [Import] attributes is no longer supported. All public classes that implement a given interface are automatically found as a plugin. Plugin classes must no longer be marked as "internal". Plugin classes must define a public and parameterless constructor.	240595
The API Server now supports HTTP compression.	265172
A content security policy has been introduced for HTML5 applications.	203857
The source code structure for HTML5 applications has been changed to an Angular workspace to enable a uniform folder structure without symbolic links.	226217
The API Server provides the HTML5 web application documentation.	268196
Halted requests no longer appear in HTML5 web application logs.	271770
For performance reasons, bulk entity processing can now be configured when configuring entity-based API methods.	228139
The entity schema must now be queried at runtime by the API Server.	251938
The following changes have been made to the API model for hierarchical entity structures: The DisableHierarchicalData flag in the API definition has been removed. The noRecursive URL parameter has been removed. The ParentKey URL parameter can be used to control whether results from the top level, a specific level, or all levels of the hierarchy should be returned.	273103
When an API method is defined, not all columns are made writable by default. When developing API methods, the columns must be declared individually or explicitly all made writable. Example: Method.Define("some_url") .From("Person") .EnableUpdate() .WithWritableColumns("FirstName", "LastName")	274045
The Internet Explorer is no longer supported.	273336
Update of the Secure Password Extension to version 5.9.5.	34834

Table 3: Target system connection
Enhancement	Issue ID
Customizer methods are provided to handle outstanding objects in an automated manner. These methods can be called in scripts or processes.	29566
Improved logging of synchronization errors using NLog.	30992
Improved documentation of quotas in synchronization steps.	31927
The synchronization buffer can be disabled for schema properties in the One Identity Manager schema that map members of many-to-many schema types or key resolutions. IMPORTANT: If the synchronization buffer is disabled, references that are missing in One Identity Manager will be deleted in the target system when synchronizing into the target system or during provisioning. Therefore, check carefully whether the synchronization buffer can be disabled.	31947
New consistency check Outstanding objects with not outstanding assignments to determine outstanding objects with assignments that are not outstanding.	32058
The Synchronization Editor can be run in offline mode when access to the connected system is not required.	32181
The One Identity Manager connector detects if the Customizer sets default values for mandatory fields.	32346
When automatically creating or updating synchronization projects using a command line command or Windows PowerShell CmdLet, a remote connection can now be used to connect to the target system.	32411
In the Synchronization Editor log view color is used to show whether a synchronization was completed successfully or with errors.	32517
When setting up a new synchronization step, a quota of 10% is set by default for objects in One Identity Manager for the Delete processing method. This quota can be adjusted on a project-specific basis.	32740
The home page of the Synchronization Editor shows whether patches are available for existing synchronization projects.	32795
To restart a start up sequence if it was unexpectedly stopped, the instance of the start up sequence can be deleted directly in the Synchronization Editor.	33050
The schema view of the mapping editor now shows which schema property contains the revision counter.	33064
Copies of synchronization projects can now be created in the Synchronization Editor.	33280
Improved membership provisioning when members of an object in One Identity Manager are mapped to different member lists of an object in the target system.	33449
Schema properties with the Property join property type (PropertyJoin) are now writable.	33417
In synchronization projects with the generic database connector, the Windows PowerShell connector, and the CSV connector, a subtype can be entered for each connected system. One Identity Manager needs this information to provision memberships if the objects from several similar generic target systems are mapped in the same One Identity Manager tables.	33426
The Synchronization Editor prevents synchronization projects from being edited and saved simultaneously by multiple users.	33753
Improved revision filtering support.	34101, 34102
The behavior of start up sequences can be configured such that a start up sequence starts multiple times, although multiple start ups are not allowed. The new instance of the start up sequence can be stopped with an error (default behavior) or stopped non-verbosely.	34114
Improved error message for the error: Automatic resolution of the failed workflow's dependencies.	34140
The Synchronization Editor Command Line Interface can be used to update the One Identity Manager schema in synchronization projects.	34117
The condition for applying a property mapping rule can now also be formulated as a script.	34285
Faulty connection parameters can be cleaned up in the system connection wizard.	34367
A new consistency check tests whether the system connection is writable when Correct rogue modifications is set on a property mapping rule.	34576
Improved display of messages in the synchronization log.	34691
Improved display of the origin of Azure Active Directory subscriptions and service plans for employees.	32744
Improved documentation of the features, recommendations, and necessary modifications when operating an Azure Active Directory federation.	33378
Improved support for linking Azure Active Directory user accounts and Active Directory user accounts in an Azure Active Directory federation.	34051
Improved handling of Azure Active Directory group owners when deleting groups.	33653
LDAP containers can be renamed.	34134
The syntax rules for LDAP attributes are now displayed in the Synchronization Editor in addition to the descriptions.	33434
Improved handling of multi-forest structures when resolving the DNS of the Global Catalog. The algorithm for searching the Global Catalog now takes the Active Directory forest root domain into account when searching.	31179
Improved display of Active Directory objects in the Manager and in reports. The full domain name (ADSDomain.ADSDomainName) is now used.	32242
The member schema properties of Active Directory groups is read-only in the target system browser to prevent write accesses that would lead to incorrect results if a group has more than 1500 members. A patch for synchronization projects with patch ID VPR#34324 is provided.	34324
Improved support for dynamic groups in Active Directory.	34769, 34632
Improved logging in the Active Roles connector.	33801
Improved treatment of dynamic groups in Active Roles.	34287, 34323, 34627
The Microsoft Exchange policy for mobile email queries has been renamed to Mobile device mailbox policy.	27741
The label of the PAGAccessOrder.ValidDurationMinutes column has been changed to Checkout duration [min].	34678
A wait step has been added to the processes ADS_ADSDomain_Publish ADSGroups to ITShop_PostSync and AAD_AADOrganization_Publish AAD objects to ITShop_PostSync to check if the respective process for automatically assigning employees to user accounts (ADS_ADSDomain_SearchandCreate_Person_PostSync and AAD_Organization_SearchAndCreate_Person_PostSync) has finished.	34651, 34658
In the system connection wizard for cloud applications, a reference time zone can be stored for handling date values without UTC offset. A patch for synchronization projects with patch ID VPR#33978 is provided.	33978
The generic database connector for the generic ADO.NET provider now supports reading back automatically mapped value.	34104
Improved logging in the generic database connector.	34823
Improved support for dynamic groups in custom target systems.	34632
Additional reports are provided about user accounts and groups in all target systems.	33456, 33599
Various reports now also show the origin of a membership or entitlement.	27414
Additional access control settings for Google Workspace groups are mapped. A patch for synchronization projects with patch ID VPR#32610 is provided.	32610
The HROrgUnitManager schema type has been extended so that the validity period of manager assignments can now also be mapped.	33209
The default company of SAP clients can now be read in by the synchronization. A patch for synchronization projects with patch ID VPR#33819 is provided.	33819
For target systems in Unified Namespace, an overview form is displayed in the Manager.	33412
The overview form for E-Business Suite systems (VI_EBS_EBSSystem_Overview) displays a message if no synchronization project has been set up.	34380
The Windows PowerShell connector and the One Identity Safeguard connector now treat passwords as secret values. A patch for synchronization projects with patch ID VPR#34403 is provided.	34403
The edsaIsDynamicGoup property of Active Directory groups is mapped in One Identity Manager. A patch for synchronization projects with patch ID VPR#34168 is provided.	34168
Additional schema properties are mapped to Google Workspace user accounts. A patch for synchronization projects with patch ID VPR#33093 is provided.	33093
The SCIM connector now allows parallel access 10 times max. to load single objects during synchronization. A patch for synchronization projects with patch ID VPR#32564 is provided.	32564
When using Universal Cloud Interface to synchronize cloud applications, it is now possible to configure whether to keep the target system connected. A patch for synchronization projects with patch ID VPR#33884 is provided.	33884

Table 4: Identity and Access Governance
Enhancement	Issue ID
Additional permitted values for Person.ImportSource.	24169
For automatic approvals of requests and attestation cases the following now applies: If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. Additional approvers must grant or deny approval within the time period that applied to the previous approvers.	33182
User accounts that are intentionally not assigned an employee can be marked accordingly. If attestation of user accounts that are not connected with an employee is approved, these user accounts will not be submitted for attestation in the future. In the Web Portal, user accounts that are not connected with an identity can be filtered by different categories.	33384, 34387
Text templates describing the facts to be attested can be stored in attestation procedures. This text is displayed to attestors in the Web Portal.	33494
Improved performance when setting up attestation cases and attestation runs.	33742, 34017, 34039, 34202, 34217, 34243, 34344, 34431
Attestation policies can have an application role assigned as the owner, so multiple employees can own an attestation policy.	33783
Attestation guidelines can define the language in which to display the information to be attested.	34148
Additional reports on attestation runs are provided, which contain the complete attestation history.	34203
Customized reports can now be assigned to default attestation procedures.	34569
Mail templates used for notifying rule and policy supervisors and exception approvers are now directly mapped to compliance rules and company policies. The following configuration parameters have been deleted: QER \| Policy \| EmailNotification \| NewExceptionApproval QER \| Policy \| EmailNotification \| NotPermittedViolation QER \| ComplianceCheck \| EmailNotification \| NewExceptionApproval QER \| ComplianceCheck \| EmailNotification \| NotPermittedViolation When the One Identity Manager database is updated, the values of the configuration parameters are transferred to the new ComplianceRule.UID_DialogRichMailNewViolation and QERPolicy.UID_DialogRichMailNewViolation columns.	31781
Approval steps can now be escalated even if no approver or attestor can be determined and no fallback approver is assigned. In this case, the request or attestation case is no longer canceled or passed on to the chief approval team, but escalated.	27902
The CM approval procedure can now also be used to attest system role assignments and employee's account definitions.	34290
When sending email notifications in the IT Shop and attesting, the sender address entered at the QER \| Attestation \| DefaultSenderAddress and QER \| ITShop \| DefaultSenderAddress configuration parameters is now given by default. The employee's default email address is no longer used as the sender address for automatic notifications.	32072
Permissions for the Request & Fulfillment \| IT Shop \| Administrators application role have been extended.	32185
On the overview forms of departments, locations, cost centers, business roles, application roles, and IT Shop structures, existing delegations of the manager and 2. manager are displayed.	32682
Improved performance when saving requests.	33898
New consistency check Direct memberships in BaseTree that are not allowed to identify direct assignments to roles and organizations for which direct assignment is not allowed.	34060
Recalculation of a dynamic role can be temporarily disabled (DynamicGroup.IsRecalculationDeactivated).	34076
Using the @UID_Org variable, you can access the role or organization referenced by the dynamic role.	33757, 31554
Improved calculation of dynamic rolls.	29973
The usage type of standard reasons can now be edited by users.	34218
The configuration parameters for automatic transfer of groups to the IT Shop have been restructured. The previous QER \| ITShop \| GroupAutoPublish configuration parameter and the preprocessor expression GroupAutoPublish applied to Active Directory and SharePoint groups. This has been divided up. The GroupAutoPublish preprocessor expression is still used with the new QER \| ITShop \| AutoPublish \| ADSGroup configuration parameter. For the new QER \| ITShop \| AutoPublish \| SPSGroup configuration parameter, the preprocessor expression AutoPublish_SPSGroup has been introduced. NOTE: If you have implemented customizations for SharePoint groups that use the GroupAutoPublish preprocessor expression, then change the preprocessor expression to AutoPublish_SPSGroup for this.	34310
Additional properties can now also be assigned to LDAP containers.	34401
Improved preparation of data for faster cross-table searching. It is now possible to additionally specify a path to the Person object in order to determine the employee within the cross-table search for user accounts or email addresses.	31167
When automatically creating application roles for product owners, the display name of the person is now used to form the application role name.	34602
When submitting requests, the valid until date is no longer checked against the current time. For example, errors are avoided if a long time has elapsed between creating and sending a shopping cart.	34621

Resolved issue	Issue ID
Parameter values are not copied entirely from the process simulation to the clipboard.	32724
Blockage when running QBM_PProcessGroupDelete while transferring data to the History Database.	34796
The DateRange class static methods do not yet perform the time zone conversion properly.	33009
Object definitions (DialogObject) can be created without a table reference.	33155
Error in the Schema Editor when editing tables and columns.	33429
Dates with the time 0:00 are not correctly converted to UTC format.	33472
It is not possible to create databases with a name longer than 40 characters.	33549, 33906
High memory consumption when compiling with the Configuration Wizard or the Database Compiler.	33563
Automatic software update does not take the files only option into account.	34454
When process steps with the Frozen status in Job Queue Info are advanced, the subsequent process step loses its retries.	34496
A change to the UseSSL option in the One Identity Manager Service configuration requires a restart of the service, although this is not necessary according to the information displayed in the Job Service Configuration.	34525
Error in the QBM_PDBQueueRunner procedure when removing modules.	34555
Error logging in to the Manager web application with Japanese language.	34558
When testing whether a report contains data, an error may occur. Error message: Could not find stored procedure 'Report_LimitData'.	34596
Entering a string for an event's process data results in a compilation error. Error message: '<text>' is not declared. It may be inaccessible due to its protection level.	34716
Data provided by the application server does not fill foreign keys with a NULL but an empty string.	34720
Error in Schema Extension when creating a custom table with a foreign key to a Basetree* view.	34749
Error in the DialogDeferredOperation with overdue actions, activated but without existing job consistency check.	34765
The QER_TIPersonInBaseTree trigger for checking BaseTreeExcludesBaseTree violations does not take the XOrigin column into account.	34519
When generating a preview for simple list reports, errors may occur under certain circumstances.	34752
Reports no longer correctly hide the minimum date (12/30/1899).	34550
A system user who has read-only permissions may be given additional change permissions by program functions.	34812
If a user account password is changed, the Customizer throws an error if the change is discarded rather than saved.	33594
Error in the Missing tables in dialogtable (base) consistency check's repair script.	34846
When saving formation rules in the System Debugger, the code disappears if there is a <summary> section in the code.	34404
Templates are not booked to the change label when saved to the System Debugger.	34412
Translations do not take all language dependencies into account.	34410
In certain circumstances, DialogWatchOperation.OperationUser is not be populated.	34429
Error opening the TimeTrace in the Manager.	34449

Resolved issue	Issue ID
The New child group button contains the CanInsert("AdsGroup") viewing condition. This viewing condition has been removed.	34544
The following collections have been removed from the VI_ITShop_Approvals Web Designer component: ITShopOrg ITShopOrgForPWOToDecide PWOHelperPWO QERWorkingStep PWOHelperPWOForRecallQuery The ITShopOrg collection was removed from the VI_ITShop_PWO_MasterDetail component.	201868
In the Web Portal, the reason stored is incorrect if products are automatically canceled due to denied attestation.	202027
In certain circumstances in the Web Portal, an attestation case approver cannot analyze the removal of permissions.	202031
In the Operations Support Web Portal users can create passcodes for themselves.	202046
In the Web Designer Web Portal it is possible to display hyperviews for which you do not have required permissions.	223719
The API Server cannot be installed because a WebDAV module is installed on the same Internet Information Services.	227123
If you search for AE/Ä in the Web Portal, entries with A are also found. NOTE: Perform a complete re-indexing after an update migration.	278865, 34389
In the Web Portal it ASP.NET sessions can go missing if Linux containers are in continuous operation.	34397
In the Web Portal, identities with the vi_4_PERSONADMIN permissions group do not see all the requests of their child identities.	33773
In the Web Portal, if a cancellation date that is in the past is specified for a cancellation, an error message appears. Subsequently, the product cannot be canceled even with a valid date.	34144
In the Web Portal, it is not possible to resolve compliance violations if the violation involves a primary identity.	34416

Resolved issue	Issue ID
Mappings that have the Only suitable for updates option enabled use the Insert processing method. Patches with the patch IDs VPR#33217_001 and VPR#33217_002 are available for synchronization projects.	33217
Too many entries are logged when detecting and correcting invalid changes.	34439
Synchronization stopped due to an error synchronizing with revision filtering: The revision property type does not match. Error message: Error filtering by revision. ---> System.ArgumentException: Object must be of type Int32.	34462
Error compiling scripts in C# syntax in Synchronization Editor, if an assignment is missing a space after the equals sign (=).	34500
Error creating a synchronization project with the SynchronizationEditor.CLI.exe command line utility if the database user's password contains a dollar sign ($).	34531
Error loading schema classes with the Unique objects class type using the RemoteConnectPlugin.	34683
Error provisioning the Password cannot be changed property for Active Directory user accounts (ADSAccount.UserCanNotChangePassword).	34390
Poor performance when opening assignment forms for ADSAccountInADSGroup.	34510
The Azure AD Connect anchor ID for Active Directory user accounts (ADSAccount.MSDsConsistencyGuid) cannot be overwritten in the map. A patch with the patch ID VPR#34715 is available for synchronization projects.	34715
Error saving an Microsoft Exchange mailbox if the Calendar Automate Enabled property (EX0Mailbox.AutomateProcessing) is empty.	34610
In the case of automatic employee assignment, for LDAP user accounts the Groups inheritable option (LDAPAccount.IsGroupAccount) is always set to True.	34556
When deleting an LDAP user account, memberships in LDAP groups are not removed if merge mode is active.	34594, 34601
Error in the SCIM connector during OAuth authentication with user name and password. Error message: Error 400 BadRequest ({"error": "invalid_request", "error_description": "The request contains invalid parameters or values."})	34578
Error running the EBS_UserInResp procedure. Error message: Conversion failed when converting date and/or time from character string.	34754
In the SAP connector, the LANGU property of the SAPTSAD3T schema type is not output correctly.	34557
In One Identity Manager, synchronization tries to recreate SAP roles assignments to user accounts with XIsInEffect=0. A patch with the patch ID VPR#34563 is available for synchronization projects.	34563
Search criteria for automatic employee assignment with an OR link causes a lots of hits if one of the fields is empty.	34415
If the validity period changes, SAP role assignments to user accounts are temporarily deleted.	34577
Problems synchronizing SharePoint Online when a site collection (site) is renamed in the target system.	34471
Defining a hierarchy filter in the scope of the One Identity Manager connection returns the wrong results.	32595
After changing the aliases of a Google Workspace user account, provisioning reloads the old value. A patch for synchronization projects with patch ID VPR#34645 is provided.	34645
During initial synchronization, the internet password is loaded from Notes user accounts. A patch for synchronization projects with patch ID VPR#34393 is provided.	34393
In synchronization projects for Notes domains, the MailFileAccessType variable has an incorrect default value. A patch for synchronization projects with patch ID VPR#25230 is provided.	25230
In synchronization projects for Unix-based target systems, the user's password is not encrypted. A patch for synchronization projects with patch ID VPR#32500 is provided.	32500

Resolved issue	Issue ID
Wrong name in bitmask configuration for PersonHasObject.InheritInfo.	34721
Querying the origin of entitlements blocks under certain circumstances.	34767
If an employee is deactivated, closed attestation cases are closed again.	34665
The search for specific attestation cases in Web Portal sometimes does not return a result if system entitlements are attested. The reason was the different formatting of display names for the attestation objects. For some tables mapped in Unified Namespace the display pattern has been changed. As a result, these objects are now displayed with different names in reports or views of the Web Portal.	34681
When an approval level with multiple approval steps times out, an identical process is generated multiple times.	34571
Email notifications about granted request approvals name the wrong approver.	34614
A product cannot be requested for several different workstations for which one employee is responsible.	30069

Identity Manager 8.2 - Release Notes

Release Notes

One Identity Manager 8.2

Topics:

About One Identity Manager 8.2

One Identity Starling

New features

General

Web Portal

Target system connection

Identity and Access Governance

Enhancements

Resolved issues

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Identity Manager 8.2 - Release Notes

Release Notes

One Identity Manager 8.2

Topics:

About One Identity Manager 8.2

One Identity Starling

New features

General

Web Portal

Target system connection

Identity and Access Governance

Enhancements

Resolved issues