
Identity Manager 8.2 - Release Notes

Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 9: General known issues
Known Issue Issue ID

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

23521

Errors may occur if the Web Installer is started in several instances at the same time.

24198

Headers in reports saved as CSV do not contain corresponding names.

24657

In certain circumstances, objects can be in an inconsistent state after simulation in the Manager. If an object is changed or saved during simulation and the simulation is finished, the object remains in the final simulated state. It may not be possible to save other modifications to this object instance.

Solution: Reload the object after completing simulation.

12753

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Schema extensions on a database view of type View (for example Department) with a foreign key relation to a base table column (for example BaseTree) or a database view of type View are not permitted.

27203

Error connecting through an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable when exporting or importing the certificate.

27793

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

Defining a view that uses the XObjectKey as primary key is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

29535

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the servers is done by Distributed Transaction. If a Save Transaction is run in the process, an error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

30972

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.

31322

The following error occurred installing the database under SQL Server 2019:

QBM_PDBQueueProcess_Main unlimited is only allowed as an agent job

Solution:

  • The cumulative update 2 for SQL Server 2019 is not supported.

For more information, see https://support.oneidentity.com/KB/315001.

32814

Table 10: Web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.

32364

It is not possible to use the Web Designer to place a link in the header of the Web Portal next to the company name/logo.

32830

In the Web Portal, it is possible to subscribe to a report without selecting a schedule.

Workaround:

  • Create an extension to the respective form that displays a text message under the menu explaining the problem.
  • Add a default schedule to the subscribable report.
  • In the Web Designer, change the Filter for subscribable reports configuration key (VI_Reporting_Subscription_FilterRPSSubscription) and set the schedule's Minimum character count value (UID_DialogSchedule) to 1.

32938

If the application is supplemented with custom DLL files, an incorrect version of the Newtonsoft.Json.dll file might be loaded. This can cause the following error when running the application:

System.InvalidOperationException: Method may only be called on a Type for which Type.IsGenericParameter is true.
at System.RuntimeType.get_DeclaringMethod()

There are two possible solutions to the problem:

  • The custom DLLs are compiled against the same version of the Newtonsoft.Json.dll to resolve the version conflict.

  • Define a rerouting of the assembly in the corresponding configuration file (for example, web.config).

    Example:

    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30AD4FE6B2A6AEED" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0"/>
      </dependentAssembly>
    </assemblyBinding>

33867
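
One way to find which custom DLLs cause the Newtonsoft.Json version conflict described above, as an added example (not One Identity code): the script lists every DLL in a folder that references Newtonsoft.Json and compares the referenced assembly version with the deployed one. The function name and the folder path are hypothetical; the script assumes Windows PowerShell 5.1, because ReflectionOnlyLoadFrom is not supported on .NET Core.

```powershell
# Added example: report Newtonsoft.Json references in a web application's bin folder.
# Get-JsonNetReference and the -BinPath value are hypothetical names for illustration.
function Get-JsonNetReference {
    param(
        [Parameter(Mandatory)] [string] $BinPath
    )

    $jsonDll = Join-Path $BinPath 'Newtonsoft.Json.dll'
    if (-not (Test-Path $jsonDll)) {
        throw "Newtonsoft.Json.dll not found in $BinPath"
    }

    # Assembly version (not file version) is what a bindingRedirect matches on.
    $deployed = [System.Reflection.AssemblyName]::GetAssemblyName($jsonDll).Version

    Get-ChildItem -Path $BinPath -Filter *.dll | ForEach-Object {
        $file = $_
        try {
            # Inspect metadata only; no code from the DLL is executed.
            $asm = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($file.FullName)
        } catch {
            return   # native DLL or unreadable file: skip it
        }

        $asm.GetReferencedAssemblies() |
            Where-Object { $_.Name -eq 'Newtonsoft.Json' } |
            ForEach-Object {
                [pscustomobject]@{
                    File       = $file.Name
                    Referenced = $_.Version
                    Deployed   = $deployed
                    Mismatch   = ($_.Version -ne $deployed)
                }
            }
    }
}

# Example call; replace the placeholder with the web application's bin folder.
# Get-JsonNetReference -BinPath '<path to web application>\bin' |
#     Sort-Object Mismatch -Descending | Format-Table -AutoSize
```

Rows with Mismatch set to True are the DLLs to recompile, or the versions the oldVersion range of the redirect has to cover.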

In the Web Portal, the details pane of a pending attestation case does not show the expected fields if the default attestation procedure is not used, but a copy of it is.

Solution:

  • The object-dependent references of the default attestation procedure must also be adopted for the custom attestation procedure.

34110

Table 11: Target system connection
Known Issue Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

23795

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses were stored up to now.

27042

Error in Domino connector (Error getting revision of schema type ((Server))).

Probable cause: The HCL Domino environment was rebuilt or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the HCL Domino environment.

27126

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.

27359

Synchronization projects for SAP R/3 that were imported by a transport into a One Identity Manager database, cannot be opened. The problem only occurs if an SAP R/3 synchronization project was not added in the target database before importing the transport package.

Solution: Create and save at least one SAP R/3 synchronization project before you import SAP R/3 synchronization projects into this database with the Database Transporter.

27687

Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to the user account.

    - OR -

  • A company is assigned to the central system.

29253

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will not come into effect until later.

Cause: The function BAPI_EMPLOYEE_GETDATA is always run with the current date. Therefore, changes are taken into account on the exact day.

Solution: To synchronize personnel data in advance that will not come into effect until later, use a schema extension and load the data from the table PA0001 directly.

29556

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.

31904

If date fields in an SAP R/3 environment contain values that are not in a valid date or time format, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version 3.0.15.0 or later must be installed on the synchronization server.

IMPORTANT: The workaround should only be used if there is no alternative because it skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.
    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">
        <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.0.0.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />
      </sectionGroup>

    • In the new section:

      <SAP.Middleware.Connector>
        <GeneralSettings anyDateTimeValueAllowed="true" />
      </SAP.Middleware.Connector>

32149

The file specified in the OutputFile parameter of the PowershellComponentNet4 process component does not contain any error messages.

Cause:

No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.

Solution:

Messages in the script can be output to a file specified in the script using the *> operator.

Example:

Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force a stop on error in the script, throw an exception. This message then appears in the One Identity Manager Service's log file.

32945
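
The separation described above, carried one step further as an added example (not One Identity code): message records from all PowerShell streams are written to a file chosen in the script, while ordinary objects stay in the pipeline. Split-ScriptOutput, the file name and the sample data are hypothetical and constructed for illustration.

```powershell
# Added example: keep pipeline objects and message records apart.
# Split-ScriptOutput and 'messages.txt' are hypothetical names.
function Split-ScriptOutput {
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [Parameter(Mandatory)] [string] $MessageFile
    )

    # *>&1 merges every stream into the success stream; the record type
    # then tells messages apart from the objects the script returns.
    & $ScriptBlock *>&1 | ForEach-Object {
        $isMessage = $_ -is [System.Management.Automation.ErrorRecord] -or
                     $_ -is [System.Management.Automation.WarningRecord] -or
                     $_ -is [System.Management.Automation.VerboseRecord] -or
                     $_ -is [System.Management.Automation.DebugRecord] -or
                     $_ -is [System.Management.Automation.InformationRecord]

        if ($isMessage) {
            # Timestamp, record type and message text, one line per record.
            $line = '{0:o} [{1}] {2}' -f (Get-Date), $_.GetType().Name, $_
            Add-Content -Path $MessageFile -Value $line
        } else {
            $_   # ordinary objects continue down the pipeline
        }
    }
}

$objects = @(Split-ScriptOutput -MessageFile 'messages.txt' -ScriptBlock {
    Write-Warning 'Account jdoe has no manager'               # constructed sample message
    [pscustomobject]@{ Account = 'jdoe'; Enabled = $true }    # constructed sample object
    Write-Error 'Lookup failed for account asmith'            # non-terminating: logged, script continues
})

# A thrown exception is a terminating error: it is not redirected and stops the script.
if ($objects.Count -eq 0) {
    throw 'No objects were returned by the script.'
}
```

Records captured this way are written to the file instead of being emitted on their original stream.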

The Google Workspace connector cannot successfully transfer Google applications user data to another Google Workspace user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advanced settings for Google Workspace, save a user data transfer XML. In this XML document, limit the list to the user data to be transferred. Only run the Google applications that have user data you still need. For more information and an example XML, see One Identity Manager Administration Guide for Connecting to Google Workspace.

33104

In the schema type definition of a schema extension file for the SAP R/3 schema, if a DisplayPattern is defined that has a different name in the SAP R/3 schema than in the One Identity Manager schema, performance issues may occur.

Solution: Leave the DisplayPattern empty in the schema type definition. Then the object's distinguished name is used automatically.

33812

If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.

Solution:

Avoid appending spaces in the target system.

33448

The process of provisioning object changes starts before the synchronization project has been updated.

Solution:

Reactivate the process for provisioning object changes after the DPR_Migrate_Shell process has been processed.

 

After an update from SAP_BASIS 7.40 SP 0023 to SP 0026 or SAP_BASIS 7.50 SP 0019 to SP 0022, the SAP R/3 connector can no longer connect to the target system.

34650

Table 12: Identity and Access Governance

Known Issue

Issue ID

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

31997

Table 13: Third party contributions
Known Issue Issue ID

An error can occur during synchronization of SharePoint websites under SharePoint 2010. The method SPWeb.FirstUniqueRoleDefinitionWeb() triggers an ArgumentException. For more information, see https://support.microsoft.com/en-us/kb/2863929.

24626

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers on the grounds of security.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

29051

Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see https://github.com/mono/mono/issues/7455.

762534, 762548, 29607

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016: KB4462928

  • Windows Server 2012 R2: KB4462926, KB4462921

  • Windows Server 2008 R2: KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory groups during provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.

30575

In certain circumstances, the wrong language is used in the Stimulsoft controls in the Report Editor.

31155

When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.

31998

In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see https://support.microsoft.com/en-us/help/4295103.

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellComponentNet4 process component through a user-defined Windows PowerShell call.

33026

Schema changes

The following provides an overview of schema changes from version 8.1.5 up to version 8.2.

Microsoft Teams Module
  • New data model for the Microsoft Teams Module.

Application Governance Module
  • New data model for the Application Governance Module.

Configuration Module
  • New table QBMColumnBitMaskConfig and new columns DialogColumn.BitMaskConfigOrder, DialogColumn.DisallowCustomBitMaskConfig, and DialogColumn.HasBitMaskConfig for mapping bitmasks.

  • New table QBMColumnLimitedValue for mapping lists of permitted values.

  • New tables QBMTableRevision and QBMVTableRevision for mapping revision data for tables.

  • New table QBMTrustedSQL and new column QBMWebApplication.TrustedSourceKey for mapping trusted SQL queries.

  • New table QBMVSystemState to map the system status.

  • New column DialogColumn.MultiValueSpecification for defining further requirements for the single values of MVP columns.

  • New columns DialogCountry.IsHistorical and DialogState.IsHistorical for marking countries and states as historical.

  • New column DialogDashBoardDef.DashBoardType to map types of statistics definitions.

  • New column DialogDatabase.UID_DialogCountryDefault to specify a default country.

  • New column DialogDatabase.UpdatePhase to map the phases for step-by-step preparation of a migration.

  • New column DialogMethod.IsVisibleScript for a script to conditionally show the method.

  • New column DialogRichMail.AttachmentFileName as a template for formatting the file name for the report attachment.

  • New column DialogTable.DeleteDelayScript for a script to determine an object-specific deferred deletion.

  • New column DialogTable.SplittedLookupSupport as path to a Person object for cross-table searching.

  • New column DialogTree.HelpKey for mapping a help key.

  • New columns QBMConsistencyCheck.AccessLevelMin, QBMConsistencyCheck.DescriptionElementDetect, and QBMConsistencyCheck.DescriptionRepair for consistency checks.

  • New columns QBMDBQueueTask.RestoreDelay and QBMDBQueueTaskPerf.RestoreDelay to map a minimum time until reactivation of DBQueue Processor tasks.

  • New columns QBMHtmlApp.Ident_QBMHtmlApp, QBMHtmlApp.IsPreCompiled and QBMHtmlApp.SortOrder for HTML applications.

  • New columns QBMIdentityClient.AcrValues and QBMIdentityProvider.AcrValues to map acr values.

  • New columns QBMIdentityClient.IsSendPostLogoutRedirectURI and QBMIdentityClient.PostLogoutRedirectURI for forwarding URI details.

  • New column QBMIdentityClient.TokenEndpointCertThumbPrint for the fingerprint of the certificate to verify the token.

  • New columns QBMIdentityProvider.CheckClaim and QBMIdentityProvider.CheckValue for checking an additional claim type.

  • New column QBMIdentityProvider.NoIdTokenCheck to specify whether the ID token is checked.

  • New column QBMLimitedSQL.TypeOfLimitedSQL to specify a type for the predefined SQL.

  • New column QBMPwdPolicy.MandatoryCharacterClasses to specify how many rules must be met for character classes.

  • New columns QBMServer.FQDNExternal and QBMServer.PortNumberExternal for accessing Job servers.

  • New column QBMServer.NotUsedForJobCreation to specify whether the Job server participates in load balancing.

  • New column QBMUniqueGroup.ViolationMessage to enter error message text.

  • New column QBMVSystemOverview.SubElement for better evaluation of the system configuration.

  • The data type for the columns DialogColumnBulkDependencies.XTouched, QBMBufferConfig.XTouched, QBMColumnTranslation.XTouched, QBMNonLinearDepend.XTouched, QBMTransportHistory.XTouched, and QBMUniqueGroupHasColumn.XTouched has been changed to nchar(1).

  • The DialogDatabase.ConnectionString column has been extended to nvarchar(max).

  • The DialogSchedule.StartTime column has been extended to varchar(256).

  • The QBMConsistencyCheck.Description column has been extended to nvarchar(max).

  • The columns QBMDBPrincipal.LoginName and QBMDBPrincipal.UserName have been extended to nvarchar(128).

  • The QBMDBRoleDef.Rolename column has been extended to nvarchar(400).

  • The data type for the QBMFileRevision.HashValue column has been changed to varbinary(64).

  • New mandatory field definition for the DialogObject.UID_DialogTable column.

  • The QBMVBlobInternal table has been deleted.

  • The QBMIdentityClient.TokenEndpointKey column has been deleted.

Target System Synchronization Module
  • New tables DPRProjectionDependency and DPRSystemSyncDependency to map dependencies for synchronization.

  • New tables DPRVSyncRunMessages and DPRVSyncRunOverview for improved evaluation of synchronization logs.

  • New columns for mapping system synchronization.

    • DialogColumn.SystemSyncDirection

    • DialogTable.SystemSyncKeyColumns

    • DialogTable.SystemSyncMode

    • DialogTable.UID_SystemSyncConfigCLRType

    • DPRProjectionConfigStep.DoNotRespectOutstanding

  • New column DPRProjectionConfig.JournalMessageContexts for better mapping of journal entries.

  • New columns DPRProjectionStartInfo.ProgressText and DPRProjectionStartInfo.ProgressValue for mapping the progress of synchronizations.

  • New column DPRRevisionStore.ValueType to map the type of revision value.

  • New column DPRSchema.FunctionalLevel for mapping the development state of a schema.

  • New column DPRSchemaType.ShrinkLock to prevent removing the schema type during schema compression.

  • New column DPRShell.IsAutomaticallyManaged to specify whether the synchronization project is automatically managed.

  • New column DPRShell.LastMigrationError to map the error message of the last migration of a synchronization project.

  • New column DPRStartSequence.ConcurrConflHandling to map the behavior in case of collisions.

  • New column DPRStartSequenceHasProjection.CurrentJobReference to map the currently running process.

  • The DPRJournal.ProjectionState column has been extended to varchar(64).

  • The DPRSchemaProperty.AutoFillBehavior and DPRSchemaProperty.MandatoryBehavior columns have been extended to nvarchar(64).

Target System Base Module
  • New tables for advanced mapping of system entitlements in cloud target systems.

    • BaseTreeHasUNSGroupB1

    • BaseTreeHasUNSGroupB2

    • BaseTreeHasUNSGroupB3

    • DepartmentHasUNSGroupB1

    • DepartmentHasUNSGroupB2

    • DepartmentHasUNSGroupB3

    • ITShopOrgHasUNSGroupB1

    • ITShopOrgHasUNSGroupB2

    • ITShopOrgHasUNSGroupB3

    • ITShopSrcHasUNSGroupB1

    • ITShopSrcHasUNSGroupB2

    • ITShopSrcHasUNSGroupB3

    • LocalityHasUNSGroupB1

    • LocalityHasUNSGroupB2

    • LocalityHasUNSGroupB3

    • OrgHasUNSGroupB1

    • OrgHasUNSGroupB2

    • OrgHasUNSGroupB3

    • ProfitCenterHasUNSGroupB1

    • ProfitCenterHasUNSGroupB2

    • ProfitCenterHasUNSGroupB3

    • UNSAccountBHasUNSGroupB

    • UNSAccountBHasUNSGroupB1

    • UNSAccountBHasUNSGroupB2

    • UNSAccountBHasUNSGroupB3

    • UNSAccountBInUNSGroupB1

    • UNSAccountBInUNSGroupB2

    • UNSAccountBInUNSGroupB3

    • UNSGroupB1

    • UNSGroupB1Collection

    • UNSGroupB1Exclusion

    • UNSGroupB1InUNSGroupB1

    • UNSGroupB2

    • UNSGroupB2Collection

    • UNSGroupB2Exclusion

    • UNSGroupB2InUNSGroupB2

    • UNSGroupB3

    • UNSGroupB3Collection

    • UNSGroupB3Exclusion

    • UNSGroupB3InUNSGroupB3

  • New columns UNSRootB.GroupUsageMask, UNSRootB.UserContainsGroupList, and UNSAccountB.XDateSubItem for advanced mapping of system entitlements in cloud target systems.

  • New column UNSGroupB.HasReadOnlyMemberships to map dynamic memberships.

  • New columns UNSAccountB.IsGroupAccount_UNSGroupB, UNSAccountB.IsGroupAccount_UNSGroupB1, UNSAccountB.IsGroupAccount_UNSGroupB2, and UNSAccountB.IsGroupAccount_UNSGroupB3 for better mapping of inheritance of groups and permissions.

  • New columns UNSAccountB.IsNeverConnectManual and UNSAccountB.NeverConnectToPerson for mapping connections to employees.

  • New column AERoleHasTSBAccountDef.XIsInEffect to map the assignments in effect.

  • New column TSBAERoleForRoot.UID_AERoleMemberShip to map target system members.

  • New column UNSAccountB.XDateSubItem to map the modification date of dependencies.

  • New column UNSRootB.DeleteDelayDays to map a delete delay of custom target systems.

  • The data type for the UNSAccountB.MatchPatternForMembership and UNSGroupB.MatchPatternForMembership columns has been changed to bigint.

  • The data type for the columns TSBITData.XTouched, TSBITDataMapping.XTouched, TSBVUNSDomain.XTouched, and TSBVUNSRoot.XTouched has been changed to nchar(1).

Azure Active Directory Module
  • New tables AADApplication and AADApplicationOwner for mapping Azure Active Directory applications.

  • New tables AADServicePrincipal and AADServicePrincipalOwner to map Azure Active Directory service principals.

  • New tables AADAppRole and AADAppRoleAssignment to map app roles.

  • New tables AADGroupHasDeniedService, AADGroupHasSubSku, and AADUserHasSubSkuCompressed to map license assignments across Azure Active Directory groups.

  • New tables AADHomeRealmDiscoveryPolicy, AADServicePrincipalOwner, AADTokenIssuancePolicy, and AADTokenLifetimePolicy to map Azure Active Directory policies.

  • New columns for mapping additional properties of Azure Active Directory user accounts.

    • AADUser.AboutMe

    • AADUser.AgeGroup

    • AADUser.BirthDay

    • AADUser.ConsentProvidedForMinor

    • AADUser.EmployeeID

    • AADUser.FaxNumber

    • AADUser.HireDate

    • AADUser.ImAddresses

    • AADUser.Interests

    • AADUser.IsResourceAccount

    • AADUser.LegalAgeGroupClassification

    • AADUser.MySite

    • AADUser.OnPremisesDistinguishedName

    • AADUser.OnPremisesDomainName

    • AADUser.OnPremisesExtensionAttribute1

    • AADUser.OnPremisesExtensionAttribute10

    • AADUser.OnPremisesExtensionAttribute11

    • AADUser.OnPremisesExtensionAttribute12

    • AADUser.OnPremisesExtensionAttribute13

    • AADUser.OnPremisesExtensionAttribute14

    • AADUser.OnPremisesExtensionAttribute15

    • AADUser.OnPremisesExtensionAttribute2

    • AADUser.OnPremisesExtensionAttribute3

    • AADUser.OnPremisesExtensionAttribute4

    • AADUser.OnPremisesExtensionAttribute5

    • AADUser.OnPremisesExtensionAttribute6

    • AADUser.OnPremisesExtensionAttribute7

    • AADUser.OnPremisesExtensionAttribute8

    • AADUser.OnPremisesExtensionAttribute9

    • AADUser.OnPremisesSAMAccountName

    • AADUser.OnPremisesUserPrincipalName

    • AADUser.OtherMails

    • AADUser.PastProjects

    • AADUser.PreferredName

    • AADUser.Responsibilities

    • AADUser.Schools

    • AADUser.Skills

  • New columns AADUser.ExternalUserState and AADUser.ExternalUserStateChangeDate for mapping guest users.

  • New columns AADUser.NeverConnectToPerson and AADUser.IsNeverConnectManual for mapping connections to employees.

  • New columns AADUser.IsGroupAccount_DeniedService, AADUser.IsGroupAccount_DirectoryRole, AADUser.IsGroupAccount_Group, and AADUser.IsGroupAccount_SubSku for better mapping of inheritance of groups and permissions.

  • New column AADUser.LastPasswordChangeDateTime to map the date of the last password change.

  • The data type for the columns AADDeniedServicePlan.MatchPatternForMembership, AADDirectoryRole.MatchPatternForMembership, AADGroup.MatchPatternForMembership, AADSubSku.MatchPatternForMembership, and AADUser.MatchPatternForMembership has been changed to bigint.

  • The mandatory field definition for the AADUser.DisplayName and AADUser.UserPrincipalName columns has been changed.

  • The table AADSubSkuExclusion has been deleted.

  • The columns AADUserHasSubSku.RiskIndexCalculated and AADUserHasSubSku.UID_AADSubSku have been deleted.

Exchange Online Module
  • New column AADUser.IsGroupAccount_UnifiedGroup for better mapping of inheritance of groups and permissions.

  • New columns O3EMailbox.UID_Person, O3EMailbox.IsNeverConnectManual, O3EMailbox.NeverConnectToPerson, O3EMailContact.IsNeverConnectManual, O3EMailContact.NeverConnectToPerson, O3EMailUser.IsNeverConnectManual, and O3EMailUser.NeverConnectToPerson to map connections to employees.

  • New column O3EUnifiedGroup.HiddenFromExchClientsEnabled to hide the Office 365 group in Outlook.

  • The data type for the columns O3EDL.MatchPatternForMembership, O3EMailbox.MatchPatternForMembership, O3EMailContact.MatchPatternForMembership, O3EMailUser.MatchPatternForMembership, and O3EUnifiedGroup.MatchPatternForMembership has been changed to bigint.

  • The data type for the O3EMailbox.XTouched column has been changed to nchar(1).

Active Directory Module
  • New columns ADSAccount.IsNeverConnectManual, ADSAccount.NeverConnectToPerson, ADSContact.IsNeverConnectManual, and ADSContact.NeverConnectToPerson for mapping connections to employees.

  • New columns ADSAccount.IsProtectedFromAccidentalDel, ADSContact.IsProtectedFromAccidentalDel, ADSGroup.IsProtectedFromAccidentalDel, and ADSMachine.IsProtectedFromAccidentalDel to protect against accidental deletion.

  • New columns ADSContact.MSDsConsistencyGuid, ADSGroup.MSDsConsistencyGuid, and ADSMachine.MSDsConsistencyGuid to map Azure AD Connect anchor ID.

  • New column ADSAccount.MiddleName to map the middle name.

  • New column ADSGroup.HasReadOnlyMemberships to map dynamic memberships.

  • The data type for the ADSAccount.MatchPatternForMembership, ADSContact.MatchPatternForMembership, and ADSGroup.MatchPatternForMembership columns has been changed to bigint.

Active Roles Module
  • New column ADSGroup.edsaIsDynamicGroup for mapping dynamic groups.

  • New columns ADSGroup.edsvaCGisControlledGroup and ADSGroup.edsvaGFIsGroupFamily for mapping Active Roles Group Family groups.

Microsoft Exchange Module
  • New table EX0AddrBookPolicy and new column EX0MailBox.UID_EX0AddrBookPolicy to map Microsoft Exchange address book policies.

  • New tables EX0MailboxFullAccessPerm and EX0MailboxSendAsPerm for mapping additional Microsoft Exchange mailbox permissions.

  • New columns EX0MailBox.IsNeverConnectManual, EX0MailBox.NeverConnectToPerson, EX0MailContact.IsNeverConnectManual, EX0MailContact.NeverConnectToPerson, EX0MailUser.IsNeverConnectManual, and EX0MailUser.NeverConnectToPerson for mapping connections to employees.

  • New column EX0MailBox.IsSingleItemRecoveryEnabled for single item recovery.

  • New columns EX0MailBoxDatabase.IsExcludedFromProvisioning and EX0MailBoxDatabase.IsSuspendedFromProvisioning to map automatic mailbox distribution for Microsoft Exchange mailbox databases.

  • The data type for the columns EX0DL.XTouched, EX0DynDL.XTouched, EX0MailBox.XTouched, and EX0Server.XTouched has been changed to nchar(1).

Exchange Hybrid Module
  • New columns EXHRemoteMailbox.IsNeverConnectManual and EXHRemoteMailbox.NeverConnectToPerson for mapping connections to employees.

LDAP Module
  • New columns LDAPAccount.IsNeverConnectManual and LDAPAccount.NeverConnectToPerson for mapping connections to employees.

  • The data type for the LDAPAccount.MatchPatternForMembership and LDAPGroup.MatchPatternForMembership columns has been changed to bigint.

  • The LDPDomain.Ident_Domain column has been extended to nvarchar(128).

Unix Based Target Systems Module
  • New columns UNXAccount.IsNeverConnectManual and UNXAccount.NeverConnectToPerson for mapping connections to employees.

  • The data type for the UNXAccount.MatchPatternForMembership and UNXGroup.MatchPatternForMembership columns has been changed to bigint.

Oracle E-Business Suite Module
  • New columns EBSUser.IsNeverConnectManual and EBSUser.NeverConnectToPerson for mapping connections to employees.

  • The data type for the columns EBSUser.MatchPatternForMembership and EBSResp.MatchPatternForMembership has been changed to bigint.

Domino Module
  • New columns NDOUser.IsNeverConnectManual and NDOUser.NeverConnectToPerson to map connections to employees.

  • The data type for the NDOUser.MatchPatternForMembership and NDOGroup.MatchPatternForMembership columns has been changed to bigint.

SharePoint Module
  • New columns SPSUser.IsGroupAccount_SPSGroup and SPSUser.IsGroupAccount_SPSRLAsgn for better mapping of inheritance of groups and permissions.

  • New columns SPSUser.IsNeverConnectManual and SPSUser.NeverConnectToPerson for mapping connections to employees.

  • The data type for the SPSUser.MatchPatternForMembership, SPSRLAsgn.MatchPatternForMembership, and SPSGroup.MatchPatternForMembership columns has been changed to bigint.

SharePoint Online Module
  • New table O3SWebTemplate for mapping SharePoint Online web templates.

  • New columns O3SUser.IsGroupAccount_Group and O3SUser.IsGroupAccount_RLAsgn for better mapping of inheritance of groups and permissions.

  • New columns O3SUser.IsNeverConnectManual and O3SUser.NeverConnectToPerson for mapping connections to employees.

  • New columns O3SSite.UserCodeWarningLevel to map additional thresholds for SharePoint Online site collections.

  • The data type for the columns O3SUser.MatchPatternForMembership, O3SRLAsgn.MatchPatternForMembership, and O3SGroup.MatchPatternForMembership has been changed to bigint.

Google Workspace Module
  • New tables to map assignments of Google Workspace admin roles.

    • DepartmentHasGAPOrgAdminRole

    • GAPBaseTreeHasOrgAdminRole

    • ITShopOrgHasGAPOrgAdminRole

    • ITShopSrcHasGAPOrgAdminRole

    • LocalityHasGAPOrgAdminRole

    • OrgHasGAPOrgAdminRole

    • ProfitCenterHasGAPOrgAdminRole

  • New columns to map assignments of Google Workspace admin roles.

    • GAPOrgAdminRole.DisplayName

    • GAPOrgAdminRole.IsForITShop

    • GAPOrgAdminRole.IsITShopOnly

    • GAPOrgAdminRole.MatchPatternForMembership

    • GAPOrgAdminRole.RiskIndex

    • GAPOrgAdminRole.UID_AccProduct

    • GAPUserInOrgAdminRole.RiskIndexCalculated

    • GAPUserInOrgAdminRole.XIsInEffect

    • GAPUserInOrgAdminRole.XOrigin

  • New columns GAPUser.IsGroupAccount_Group, GAPUser.IsGroupAccount_OrgAdminRole, and GAPUser.IsGroupAccount_PaSku for better mapping of inheritance of groups and permissions.

  • New columns GAPUser.IsNeverConnectManual and GAPUser.NeverConnectToPerson for mapping connections to employees.

  • New columns for mapping additional properties for Google Workspace user accounts.

    • GAPUser.GenderAddressMeAs

    • GAPUser.GenderCustomGender

    • GAPUser.GenderType

    • GAPUser.RecoveryEmail

    • GAPUser.RecoveryPhone

  • New columns for mapping additional properties for Google Workspace groups.

    • GAPGroup.stWhoCanContactOwner

    • GAPGroup.stWhoCanDiscoverGroup

    • GAPGroup.stWhoCanModerateContent

    • GAPGroup.stWhoCanModerateMembers

    • GAPGroup.stWhoCanViewGroup

    • GAPGroup.stWhoCanViewMembership

  • The data type for the columns GAPGroup.MatchPatternForMembership, GAPPaSku.MatchPatternForMembership, and GAPUser.MatchPatternForMembership has been changed to bigint.

  • The columns GAPGroup.stAllowGoogleCommunication and GAPGroup.stShowInGroupDirectory have been deleted.

SAP R/3 User Management Module
  • New columns SAPUser.IsGroupAccount_SAPGrp, SAPUser.IsGroupAccount_SAPProfile and SAPUser.IsGroupAccount_SAPRole for better mapping of inheritance of groups and permissions.

  • New columns SAPUser.IsNeverConnectManual and SAPUser.NeverConnectToPerson for mapping connections to employees.

  • New column SAPUser.IdAdType for mapping user types.

  • New columns for mapping additional properties for SAP user accounts.

    • SAPUser.BirthName

    • SAPUser.FirstName2

    • SAPUser.LastName2

    • SAPUser.NameAddOn

    • SAPUser.NameAddOn2

    • SAPUser.SORT1

    • SAPUser.SORT2

  • The data type for the columns SAPGroup.MatchPatternForMembership, SAPGrp.MatchPatternForMembership, SAPProfile.MatchPatternForMembership, SAPRole.MatchPatternForMembership, and SAPUser.MatchPatternForMembership has been changed to bigint.

SAP R/3 Compliance Add-on Module
  • New table SACTransactionType and new columns SAPTransaction.UID_SACTransactionType and SAPFunctionDetail.UID_SACTransactionType to map SAP application types.

  • New columns for mapping additional properties for function definition.

    • SAPFunctionDetail.AUTHOBJNAM

    • SAPFunctionDetail.AUTHOBJTYP

    • SAPFunctionDetail.AUTHPGMID

    • SAPFunctionDetail.RFC_NAME

    • SAPFunctionDetail.RFC_TYPE

    • SAPFunctionDetail.SAPHashValue

    • SAPFunctionDetail.SRV_NAME

    • SAPFunctionDetail.SRV_TYPE

    • SAPFunctionDetail.TCD

  • New columns for mapping additional properties for SAP applications.

    • SAPTransaction.AUTHOBJNAM

    • SAPTransaction.AUTHOBJTYP

    • SAPTransaction.AUTHPGMID

    • SAPTransaction.RFC_NAME

    • SAPTransaction.RFC_TYPE

    • SAPTransaction.SAPHashValue

    • SAPTransaction.SimpleCompareProperty

    • SAPTransaction.SRV_NAME

    • SAPTransaction.SRV_TYPE

    • SAPTransaction.TCD

    • SAPTransaction.TransactionDisplay

    • SAPFunctionInstanceDetail.UID_SAPTransaction

  • The columns SAPFunctionDetail.TransactionCode, SAPFunctionInstanceDetail.TransactionCode, and SAPTransaction.Ident_SAPTransaction have been deleted.

SAP R/3 Structural Profiles Add-on Module
  • New column SAPUser.IsGroupAccount_SAPHRP for better mapping of inheritance of groups and permissions.

  • The data type for the SAPHRP.MatchPatternForMembership column has been changed to bigint.

Privileged Account Governance Module
  • New columns to map access requests for SSH keys for One Identity Safeguard.

    • PAGAsset.SSHHostKeyFingerPrint

    • PAGAsset.SSHKeyProfileName

    • PAGAstAccount.AllowSSHKeyRequest

    • PAGAstAccount.HasSSHKey

    • PAGAstAccount.SSHKeyProfileName

    • PAGUserAttestation.AllowSSHKeyRequest

  • New column PAGUser.AllowPersonalAccounts to support the vault for personal passwords.

  • New columns PAGUser.IsNeverConnectManual and PAGUser.NeverConnectToPerson for mapping connections to employees.

  • The data type for the columns PAGUser.MatchPatternForMembership and PAGUsrGroup.MatchPatternForMembership has been changed to bigint.

  • The data type for the following columns has been changed to nchar(1).

    • PAGAccessOrder.XTouched

    • PAGAccGroup.XTouched

    • PAGAccGroupHasMember.XTouched

    • PAGAppliance.XTouched

    • PAGAsset.XTouched

    • PAGAssetInAstGroup.XTouched

    • PAGAstAccount.XTouched

    • PAGAstGroup.XTouched

    • PAGDirAccount.XTouched

    • PAGDirectory.XTouched

    • PAGEntl.XTouched

    • PAGEntlHasMember.XTouched

    • PAGIdentityProvider.XTouched

    • PAGReqPolicy.XTouched

    • PAGReqPolicyApprover.XTouched

    • PAGReqPolicyHasDirAccount.XTouched

    • PAGReqPolicyReviewer.XTouched

    • PAGReqPolicyScopeItem.XTouched

    • PAGUser.XTouched

    • PAGUserAttestation.XTouched

    • PAGUserHasDirAccount.XTouched

    • PAGUserInUsrGroup.XTouched

    • PAGUsrGroup.XTouched

Cloud Systems Management Module
  • New tables for advanced mapping of system entitlements in cloud target systems.

    • CSMBaseTreeHasGroup1

    • CSMBaseTreeHasGroup2

    • CSMBaseTreeHasGroup3

    • CSMGroup1

    • CSMGroup1Collection

    • CSMGroup1Exclusion

    • CSMGroup1InGroup1

    • CSMGroup2

    • CSMGroup2Collection

    • CSMGroup2Exclusion

    • CSMGroup2InGroup2

    • CSMGroup3

    • CSMGroup3Collection

    • CSMGroup3Exclusion

    • CSMGroup3InGroup3

    • CSMUserHasGroup

    • CSMUserHasGroup1

    • CSMUserHasGroup2

    • CSMUserHasGroup3

    • CSMUserInGroup1

    • CSMUserInGroup2

    • CSMUserInGroup3

    • DepartmentHasCSMGroup1

    • DepartmentHasCSMGroup2

    • DepartmentHasCSMGroup3

    • ITShopOrgHasCSMGroup1

    • ITShopOrgHasCSMGroup2

    • ITShopOrgHasCSMGroup3

    • ITShopSrcHasCSMGroup1

    • ITShopSrcHasCSMGroup2

    • ITShopSrcHasCSMGroup3

    • LocalityHasCSMGroup1

    • LocalityHasCSMGroup2

    • LocalityHasCSMGroup3

    • OrgHasCSMGroup1

    • OrgHasCSMGroup2

    • OrgHasCSMGroup3

    • ProfitCenterHasCSMGroup1

    • ProfitCenterHasCSMGroup2

    • ProfitCenterHasCSMGroup3

  • New columns CSMRoot.GroupUsageMask and CSMRoot.UserContainsGroupList for advanced mapping of system entitlements in cloud target systems.

  • New columns CSMUser.IsGroupAccount_CSMGroup, CSMUser.IsGroupAccount_CSMGroup1, CSMUser.IsGroupAccount_CSMGroup2, and CSMUser.IsGroupAccount_CSMGroup3 for better mapping of group inheritance and permissions.

  • New columns CSMUser.NeverConnectToPerson and CSMUser.IsNeverConnectManual for mapping connections to employees.

  • New column CSMRoot.DeleteDelayDays to map a delete delay for cloud target systems.

  • The data type for the CSMUser.MatchPatternForMembership and CSMGroup.MatchPatternForMembership columns has been changed to bigint.

Universal Cloud Interface Module
  • New tables for advanced mapping of system entitlements in cloud target systems.

    • UCIGroup1

    • UCIGroup1InGroup1

    • UCIGroup2

    • UCIGroup2InGroup2

    • UCIGroup3

    • UCIGroup3InGroup3

    • UCIUserHasGroup

    • UCIUserHasGroup1

    • UCIUserHasGroup2

    • UCIUserHasGroup3

    • UCIUserInGroup1

    • UCIUserInGroup2

    • UCIUserInGroup3

  • New columns UCIRoot.GroupUsageMask, UCIRoot.UserContainsGroupList, and UCIUser.XDateSubItem for advanced mapping of system entitlements in cloud target systems.

Identity Management Base Module
  • New tables QERPickCategory and QERPickedItem for sample attestation.

  • New table DynamicGroupHasImmediateColumn and new columns DynamicGroup.IsCalculateImmediately and DynamicGroup.IsRecalculationDeactivated for improved calculation of dynamic roles.

  • New table QERDynamicGroupBlackList for mapping exclusion lists for dynamic roles.

  • New table QERBufferRecalcDecisionMaker for improved calculation of approvers.

  • New table QERITShopOwnerUsage for mapping product owners.

  • New tables QERUniversalSubstitute and QERUniversalSubstituteInRoot for improved mapping of delegations.

  • New tables QERVBaseTreeHasElement and QERVPersonHasElement to summarize assignments.

  • New table QERVFirstUnicodeChar to improve grouping and filtering of objects by name.

  • New columns to map an application role for managers of company structures.

    • AERole.UID_AERoleManager

    • BaseTree.UID_AERoleManager

    • Department.UID_AERoleManager

    • ITShopOrg.UID_AERoleManager

    • ITShopSrc.UID_AERoleManager

    • Locality.UID_AERoleManager

    • ProfitCenter.UID_AERoleManager

  • New columns for mapping approval reasons.

    • AccProduct.ApproveReasonType

    • AccProduct.DenyReasonType

    • AccProduct.OrderReasonType

    • AccProductGroup.ApproveReasonType

    • AccProductGroup.DenyReasonType

    • AccProductGroup.OrderReasonType

    • PWODecisionStep.ApproveReasonType

    • PWODecisionStep.DenyReasonType

  • New column AccProductParamCategory.IsOldStyle to specify whether the obsolete definition is used for the request parameter of this request property.

  • New columns QERWorkingStep.EscalateIfNoApprover and PWODecisionStep.EscalateIfNoApprover for improved escalation.

  • New column PersonWantsOrg.UiOrderState to display the request status in the Web Portal.

  • New column PWODecisionRuleRulerDetect.SQLQueryObjectsToRecalc for improved recalculation of approvers.

  • New column AERoleHasQERResource.XIsInEffect to map the assignments in effect.

  • New columns OrgRoot.IsPersonAssignOnce and OrgType.IsPersonAssignOnce to prevent assigning people to multiple company structures.

  • New column Person.DecentralizedIdentifier to map a decentralized identity.

  • New column Person.IsPwdResetByHelpdeskAllowed to specify whether password resetting by password help desk staff is allowed.

  • New columns QERAssign.IsMAllAssign, ShoppingCartItem.ObjectKeyElementUsedInAssign, and ShoppingCartItem.ObjectKeyOrgUsedInAssign to support assignment requests for resources.

  • The QERAssign.Ident_QERAssign column has been extended to nvarchar(256).

  • The data type of the PersonPasswordHistory.XTouched column has been changed to nchar(1).

Attestation Module
  • New columns AttestationCase.IsUnderConstruction and AttestationRun.CountChunksUnderConstruction to flag that the attestation case is not yet completely set up.

  • New columns AttestationObject.UiText, AttestationObject.UiTextGrouped1, AttestationObject.UiTextGrouped2 and AttestationObject.UiTextGrouped3 to map text templates for attestation procedures.

  • New columns AttestationPolicy.IsSetApprovalStateOnApproved and AttestationPolicy.IsSetApprovalStateOnDenied to automatically set the certification status.

  • New column AttestationPolicy.IsShowElementsInvolved to show the objects to be attested.

  • New column AttestationPolicy.UID_DialogCulture to map the language in which information to be attested is displayed.

  • New AttestationPolicy.UID_AERoleOwner column to map an application role whose members are allowed to edit the attestation policy.

  • New columns AttestationPolicy.UID_QERPickCategory and AttestationWizardParm.UID_DialogTablePickCategory for sample attestation.

Compliance Rules Module
  • New ComplianceRule.UID_DialogRichMailNewViolation column for the new rule violation mail template.

  • New columns PersonInNCHasMControl.IsInActive and PersonInNCHasMControl.UID_PersonWantsOrg to improve assignment of mitigating controls when approving requests.

Company Policies Module
  • New column QERPolicy.UID_DialogDashBoardDef to map policy violation statistics.

  • New column QERPolicy.UID_DialogReport to map policy violations reports.

  • New column QERPolicy.UID_DialogRichMailNewViolation for the new policy violation mail template.

Business Roles Module
  • New column Org.UID_AERoleManager to map an application role for business role managers.

Report Subscription Module
  • New column AERoleHasRPSReport.XIsInEffect to map the assignments in effect.

Changes to system connectors

The following provides an overview of the modified synchronization templates and an overview of all patches supplied by One Identity Manager version 8.1.5 to version 8.2. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.

Modified synchronization templates

The following provides you with an overview of modified synchronization templates. Patches are made available for updating synchronization templates in existing synchronization projects. For more information, see Patches for synchronization projects.

Table 14: Overview of synchronization templates and patches

| Module | Synchronization template | Type of modification |
|---|---|---|
| Azure Active Directory Module | Azure Active Directory synchronization | changed |
| Active Directory Module | Active Directory synchronization | changed |
| Active Roles Module | Synchronize Active Directory domain via Active Roles | changed |
| Cloud Systems Management Module | Universal Cloud Interface synchronization | none |
| Oracle E-Business Suite Module | Oracle E-Business Suite synchronization | changed |
| Oracle E-Business Suite Module | Oracle E-Business Suite CRM data | changed |
| Oracle E-Business Suite Module | Oracle E-Business Suite HR data | changed |
| Oracle E-Business Suite Module | Oracle E-Business Suite OIM data | changed |
| Microsoft Exchange Module | Microsoft Exchange 2013_2016 synchronization (v2) | changed |
| Microsoft Exchange Module | Microsoft Exchange 2010 synchronization (deprecated) | changed |
| Microsoft Exchange Module | Microsoft Exchange 2010 synchronization (v2) | changed |
| Google Workspace Module | Google Workspace synchronization | changed |
| LDAP Module | AD LDS synchronization | changed |
| LDAP Module | AD LDS Synchronization (version 2) | new |
| LDAP Module | OpenDJ synchronization | changed |
| LDAP Module | OpenDJ Synchronization (version 2) | new |
| LDAP Module | Generic LDAP Synchronization (version 2) | new |
| LDAP Module | Oracle DSEE Synchronization (version 2) | new |
| Domino Module | Lotus Domino synchronization | changed |
| Exchange Online Module | Exchange Online synchronization (v2) | changed |
| Privileged Account Governance Module | One Identity Safeguard synchronization | changed |
| SAP R/3 User Management Module | SAP R/3 Synchronization (Base Administration) | changed |
| SAP R/3 User Management Module | SAP R/3 (CUA subsystem) | changed |
| SAP R/3 Analysis Authorizations Add-on Module | SAP R/3 BW | changed |
| SAP R/3 Compliance Add-on Module | SAP R/3 authorization objects | changed |
| SAP R/3 Structural Profiles Add-on Module | SAP R/3 HCM authentication objects | changed |
| SAP R/3 Structural Profiles Add-on Module | SAP R/3 HCM employee objects | changed |
| SharePoint Module | SharePoint synchronization | none |
| SharePoint Online Module | SharePoint Online synchronization | changed |
| Universal Cloud Interface Module | SCIM Connect via One Identity Starling Connect | changed |
| Universal Cloud Interface Module | SCIM synchronization | changed |
| Unix Based Target Systems Module | Unix Account Management | changed |
| Unix Based Target Systems Module | AIX Account Management | changed |
| Target System Synchronization Module | Automatic One Identity Manager synchronization | new |
