Chat now with support
Chat with Support

Identity Manager 9.1 - Release Notes

Release Notes

One Identity Manager 9.1

Release Notes

19 September 2022, 14:18

These release notes provide information about the One Identity Manager release, version 9.1. You will find all the modifications since One Identity Manager version 8.2.1 listed here.

One Identity Manager 9.1 is a minor release with new functionality and improved behavior. See New features and Enhancements.

If you are updating a One Identity Manager version older than One Identity Manager 8.2.1, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide

For the most recent documents and product information, see One Identity Manager documentation.

Topics:

About One Identity Manager 9.1

One Identity Manager simplifies the process of managing user identities, access permissions, and security policies. It gives control over identity management and access decisions to your organization, freeing up the IT team to focus on their core competence.

With this product, you can:

  • Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition

  • Realize Access Governance demands cross-platform within your entire company with One Identity Manager

Each one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

One Identity Starling

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. Giving your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to One Identity Starling. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit https://www.cloud.oneidentity.com.

New features

New features in One Identity Manager 9.1:

General
  • Azure SQL Database is supported.

    NOTE: An Azure SQL Database must be available to install the schema. There is no support for creating a new Azure SQL Database with the Configuration Wizard.

  • Internal DBQueue Processor tasks are processed by a service, the Database Agent Service. The Database Agent Service is deployed by a One Identity Manager Service plugin. The DatabaseAgentPlugin must be configured on the Job server that serves as the update server. An administrative user must be used for the database connection in the Job provider. Alternatively, the Database Agent Service can be run by the DatabaseAgent.exe command line program.

  • The Configuration Wizard provides support for deleting a One Identity Manager database. Deleting a database also removes the database users, database roles, and server roles, as well as SQL Server logins.

  • The Configuration Wizard provides you with support for enabling a restored database. The necessary database users, database roles, and server roles are created and the database is compiled.

  • Due to security issues, you cannot run any database queries directly from the user interface or from web applications. Specific SQL operators undergo a risk assessment that prevents them from being used by One Identity Manager components. This includes operators such as LIKE, NOT LIKE, <, <=, >, or >=.

    In order to continue using certain features in One Identity Manager components, users require the Common_AllowRiskyWhereClauses program function.

    Users who do not have this program function can only run database queries that are classified as trusted or pose no risk. Some of the features in One Identity Manager components, such as testing dynamic roles or running filter queries, are not possible without this function. For more information, see the One Identity Manager Authorization and Authentication Guide.

  • The SessionHttpAuthentication plugin for the One Identity Manager Service supports logging in on the service's website with authentication modules. The users still require the JobServer_Status program function.

  • Support for disabling WHERE clauses for the application server REST API.

  • Various password columns have been extended.

  • You can enter an additional description for password requirements that are checked in the test script for password policies. This is displayed in the password policy description in the Password Reset Portal.

  • System users can be blocked from logging in directly to One Identity Manager tools.

  • A new User account (manual input/role-based) authentication module is provided. The employee whose login data matches that of the current user is used for logging in.

  • Authentication modules for the Password Reset Portal can use a list of columns from the same table to search for a user.

  • In the Database Transporter, several transport packages can now be combined into one cumulative transport package. If individual transport packages require the database to be compiled, the web projects are not complied until each of the transports from the cumulative transport package have been imported.

  • To re-enable process steps with the Frozen status in Job Queue Info, users need the JobQueue_Frozen program function.

  • Search index optimization can be started manually on the application server.

  • A connection timeout can be set in the One Identity Manager tools default connection dialog.

  • New optional parameter in the DBCompilerCMD.exe command line program to compile only those parts of the system that have changed.

  • New process function Execute SQL Single for the SQLComponent process component to run SQL statements in a single instance. The process function can be used when a special procedure call or a special data change is explicitly allowed to run just in one instance.

  • A script for changing values can be stored with the parameters (DialogParameter.OnPropertyChangedScript), which dynamically determines whether a parameter is, for example, read-only or mandatory.

  • Integration of events into typed wrapper classes.

  • Support for NLog 5.0.

  • Support for Microsoft .NET Framework version 4.8.

  • The One Identity Manager History Database has been significantly simplified in order to reduce the effort required to, on the one hand, set up and operate the database and, on the other hand, to enable it to operate on Azure SQL Databases. The History Database represents only a simple data storage. The History Database does not include the One Identity Manager modules or system configuration data. There are no longer any active components.

    Declare the One Identity Manager History Database to be used for transferring data to the One Identity Manager in the TimeTrace.

    IMPORTANT:

    • It is recommended to install the History Database first!

    • Existing databases are still supported for querying archived data in TimeTrace and reports. These databases do not need to be migrated.

    • If you still want to migrate an existing History Database, ensure that the all features, procedures, tables, and views that are not in the following list are deleted by the History Database migration:

      HistoryChain, HistoryJob, ProcessChain, ProcessGroup, ProcessInfo, ProcessStep, ProcessSubstitute, RawJobHistory, RawProcess, RawProcessChain, RawProcessGroup, RawProcessStep, RawProcessSubstitute, RawWatchOperation, RawWatchProperty, SourceColumn, SourceDatabase, SourceTable, WatchOperation, WatchProperty

      Save any custom extensions before migrating.

Web Portal (API Server)
  • OneLogin is used for multi-factor authentication for request and attestation approvals. Prerequisites are:

    • Synchronization with a OneLogin domain is set up and the system has been initially synchronized.

    • The value of the ServerConfig/ITShopConfig/StepUpAuthenticationProvider configuration key is OneLogin MFA.

    • In the API server's configuration file (web.config), the following entry must be entered in the connection string:

      <add name="OneLogin" connectionString="Domain=<domain>;ClientId=<clientid>;ClientSecret=<clientSecret>" />

      The respective values are taken from the OneLogin configuration.

  • The request recipient must agree to the terms of use if they also act as a request approver.

  • The requester is prompted to agree to the terms of use for a service item.

  • A requester can request optional service items in the Web Portal.

  • In the Web Portal, the historical change data of a role can be displayed in the role's overview.

  • Deleted roles can now be restored in the Web Portal.

  • In the Web Portal, two roles can be combined into one role. This feature is offered for departments, locations, cost centers, and business roles.

  • In the Web Portal, it is possible to maintain request templates and to use them to create new requests.

  • In the Web Portal, exception approvers can grant or deny approval to policy violations.

  • Filters for columns and tables can be defined in the administration portal.

  • Administrators and owners of applications in the Application Governance Module can have system entitlements that meet a certain condition automatically assigned to applications. Owners and administrators can be notified when their applications have been automatically assigned new system entitlements.

    • In the QER | ITShop | MailTemplateIdents | InformAboutApplicationEntitlements configuration parameter, you can configure the mail template to be used for mail notifications to application administrators and owners.

  • In the Web Portal, request approvers can make approval recommendations. Recommendations to grant or deny requests are calculated on the basis of different criteria. The criteria are specified in the QER | ITShop | Recommendation configuration subparameters.

Target system connection
  • Offline mode can be used to pause handling of target system-specific processes by the One Identity Manager Service if a target system cannot be reached temporarily. This prevents target system-specific processes from being frozen in the Job queue and having to be re-enabled manually later.

  • Restrictions can be defined on any columns in the One Identity Manager schema when they are synchronized. For this reason, the Synchronization information column property is displayed in the Designer.

  • Synchronization and provisioning processes are put on hold while synchronization projects are updated.

    The retry delay time is set in the Common | Jobservice | RedoDelayMinutes configuration parameter.

  • Remote support for target system connections is implemented with .net Core resources.

    A patch with the patch ID VPR#34646_SAP is available for synchronization projects.

  • Support for OneLogin as target system.

    One Identity Manager focuses on setting up and editing user accounts and providing the permissions required for accessing applications and for authentication and authorization. One Identity Manager maps the OneLogin user accounts, roles, and applications. The OneLogin connector has the task of synchronizing with OneLogin. The OneLogin API controls access to OneLogin data. OneLogin Module installation supplies synchronization templates. For more information, see the One Identity Manager Administration Guide for Connecting to OneLogin.

  • Azure Active Directory group assignments to administrator roles are mapped in One Identity Manager.

    A patch with the patch ID VPR#33400 is available for synchronization projects.

  • Rules for memberships in dynamic Azure Active Directory groups are loaded into One Identity Manager.

    A patch with the patch ID VPR#34744 is available for synchronization projects.

  • The email address of Azure Active Directory user accounts can now be edited in One Identity Manager and written to the target system.

    A patch with the patch ID VPR#35286 is available for synchronization projects.

  • The Azure Active Directory user accounts' creation type is loaded into One Identity Manager.

    A patch with the patch ID VPR#35290 is available for synchronization projects.

  • Support for Azure Active Directory administrative units.

    A patch with the patch ID VPR#35289 is available for synchronization projects.

  • Support for B2C tenants.

    A patch with the patch ID VPR#35033 is available for synchronization projects.

  • Support for classifying Exchange Online Office 365 groups.

    Patches for synchronization projects with patch ID 35303_AAD and VPR#35303_O3E are provided.

  • TECH PREVIEW ONLY: The Exchange Online connector supports certificate based authentication.

    A patch with the patch ID VPR#34766 is available for synchronization projects.

    IMPORTANT: This feature can be tested in test environments. You must definitely not use the feature in a live environment.

  • Support for moving Active Directory objects across domain borders.

    A patch with the patch ID VPR#33793 is available for synchronization projects.

  • Support for Microsoft Exchange mail enabled distribution groups of type Room lists.

    A patch with the patch ID VPR#31374 is available for synchronization projects.

  • Support for Active Roles 7.5.2, Active Roles 7.5.3, and Active Roles 7.6.

  • The Google Workspace connector supports synchronization of external email addresses. They can be assigned as members, owners, or managers to Google Workspace groups that allow external members.

    A patch with the patch ID VPR#34885 is available for synchronization projects.

  • Support for Oracle E-Business Suite version 12.2.10.

  • Support for One Identity Safeguard version 7.0.

    A patch with the patch ID VPR#35621 is available for synchronization projects.

  • A new report with an overview of privileged staff access is available.

  • Support for the SharePoint Server Subscription Edition.

  • SAP parameters can also be inherited by SAP user accounts through system roles.

Identity and Access Governance
  • Improved support for inheriting target system specific groups. It is now possible to specify for individual groups whether the manage level inheritance settings apply to the group or whether the manage level settings for the group are overwritten. For example, this can be used to specify that a group should never be removed from user accounts automatically.

  • New approval policies are provided for requesting and attesting Azure Active Directory and Exchange Online system entitlements.

  • The object key of the effectively assigned product is saved with the request procedure if, in the course of the approval process, the requested product is changed.

  • For service items, service categories and approval steps, it can be specified whether a reason must be given or can be given optionally when requesting or making an approval decision.

  • Requests can be given dynamic parameters whose values are set by the customer when they make the request. After approval, a system entitlement (UNSGroupB) is generated from these parameters and their values and assigned to the request recipient.

  • More default objects provided for attesting employees. These attestations can be started together using a policy collection.

    • Identity itself

    • Primary or secondary departments

    • Memberships in business or system roles

    • Linked user accounts

    • Assigned system entitlements

    Approval policies can be configured to be selected when creating attestation policies in the Web Portal.

    Additional approval procedures:

    • CN - Challenge the decision

    • PW - Owner of the attestation policy

    • XM - Manager of the employee for all attestations

  • Attestation policies to be run together can be combined into policy collections. A sample can be used limit the set of objects to attest for all attestation policies in the collection.

  • If no report is specified on the attestation procedure, snapshots are generated containing the necessary information about the objects to be attested. The content of these snapshots can be configured.

    NOTE: The snapshot is created by the ATT_GetAttestationObject script. This replaces the VI_GetAttestationObject script.

  • The date of the next attestation can be given for applications (Application Governance Module). Several default attestation policies are provided that use this date.

See also:

Enhancements

The following is a list of enhancements implemented in One Identity Manager 9.1.

Table 1: General

Enhancement

Issue ID

A minimum time until reactivation can be configured for DBQueue Processor tasks.

32015

The application server supports session certificates created with the CNG API.

32138

Improved performance when processing DBQueue Processor tasks.

34049

Improved error messaging if an error occurs while signing emails. Improved documentation.

35226

Changed values can be marked with an icon in the grid display. Use the display properties dialog to configure this.

35247

Improved display of the One Identity Manager Service's status page.

35285, 33313

Improved display of the application server status page.

33314

Optimized performance when evaluating conditions.

35407

The UnitOfWork attribute can now be used to access the currently opened Unit of Work in the scripts.

35417

Improved labeling of where-clauses as trustworthy. 35418

The Proxy view and Extensions to proxy view properties are now displayed on the More tab in the Schema Editor.

35613

Suuport for authentication by LDAP using an SSL connection to the LDAP server. This is configured in the TargetSystem | LDAP | AuthenticationV2 configuration subparameters.

34453

Improved performance for generating processes.

35134, 35152

In the Designer, administrative system users can now be created in the Getting Started category.

35263

Improved assignment of files to machine roles.

33271

Improved behavior of the command line tools. Basic tests for parameter passing are performed. Version, error messages, and help texts are output.

35427, 34825

Improved performance determining display permissions.

35612

Improved performance when displaying processes in the Job Queue Info.

35641

The QBM_ZDBQueueVoidTaskBulk procedure is now supplied in addition to the QBM_ZDBQueueVoidTask procedure. This now allows DBQueue Processor tasks marked for bulk processing to be disabled by entering the procedure in the QBMDBQueueTask.ProcedureName column.

34864

It is possible to set an own query timeout at the DB session in the VI.DB, which is then used for all queries.

34917

The third-party component Microsoft.Graph has been updated.

35025

Optimization of data export from the Manager.

35349

Table 2: General web applications

Enhancement

Issue ID

In the Web Portal, the approver can see the details of the requested service items. If a role membership is requested, information about the role's permissions is displayed.

297243

Service items are no longer sorted on output to improve performance in Web Portal. This concerns, among other things, the service catalog and the selection of requestable products.

309523

The rule violations for a specific rule can now be viewed from an email link.

253881

Improved reports generation through the API Server.

291080

It should be possible to use the API configuration to set whether only requested entitlements and assignments are offered when requesting using a reference user or all assignments that the reference user has. In the default setting, only requested objects are shown. If exactly one request recipient is selected, this request recipient cannot be selected as a reference user.

33551, 295703

In the ImxClient command line program, the start-update command can be used to start a software update.

310595

Secure connection detection now supports the use of HTTPS-to-HTTP reverse proxies.

313545

The configuration of the cookie path for the CSRF protection cookie can be customized.

35620, 310602

For each entity-based API method, a restrictive filter condition can be specified in the configuration.

311030

A MarkForDeletion() method has been added to the IEntity TypeScript interface.

288697

The following ImxClient commands are changed:

get-filestate

fetch-files

push-files

For these commands, /targets is now a mandatory parameter.

310837

Angular has been updated to version 13. This may result in the need for manual corrections to customized HTML5 code.

310627

The API Server checks the defined API routes for uniqueness at startup. A warning message is issued for non-unique routes. In the case of customized routes, warning messages may now be issued.

279209

Improved performance when listing requestable service categories in the Web Portal.

35577

The long display pattern (DialogTable.DisplayPatternLong) can optionally be used for displaying relationships hierarchically on forms,.

35482

The trusted source key, which can be used to specify that Where-clauses from the Web frontend are trusted, can now be specified as the ConnectionBehaviour/TrustedSourceKey option in the configuration file.

35239

Table 3: Target system connection

Enhancement

Issue ID

Unused virtual schema properties have been removed from the site mapping in Active Directory synchronization projects.

A patch with the patch ID VPR#35533 is available for synchronization projects.

35533

A bug in the VPR#35343_EX0 patch has been corrected.

A patch with the patch ID VPR#35506 is available for synchronization projects.

35506

The LDAP connector ignores case sensitivity when comparing values in the ObjectClass and StructuralObjectClass schema properties.

A patch with the patch ID VPR#32702 is available for synchronization projects.

35702

In synchronization projects for Exchange Online and SharePoint Online, not more than one base object can be created.

A patch with the patch ID VPR#30841 is available for synchronization projects.

30841

Quota settings of Exchange Online mailboxes are now synchronized.

A patch with the patch ID VPR#34568 is available for synchronization projects.

34568

The mailbox permissions Full access and Send as from Exchange Online mailboxes are now synchronized.

A patch with the patch ID VPR#34265 is available for synchronization projects.

34265

Improved display of app registrations and enterprise applications for Azure Active Directory in the Manager.

35212

Improved support of automatic employee assignment for guest users of Azure Active Directory user accounts.

35584

Additional revision filters are used for synchronizing SAP HCM personnel planning data.

A patch with the patch ID VPR#32154 is available for synchronization projects.

32154

Improved performance in the SCIM connector.

A patch with the patch ID VPR#34952 is available for synchronization projects

34952, 34953, 34954

The request timeout for querying the SCIM provider can be configured when setting up the system connection to a cloud application.

A patch with the patch ID VPR#35571 is available for synchronization projects.

35571

Code snippets can be used in script variables. Examples of commonly used script variables are provided in the Synchronization Editor.

35011

Improvements to the synchronization engine.

  • Error handling

  • Detection of objects locked for synchronization

  • Automatic detection of synchronizations that quit unexpectedly.

35196, 35480, 35617

Improved display of additional information about the connected target system in the Synchronization Editor.

35242

The changed object is displayed in the header of provisioning logs.

35493

Improved display of the system entitlement inheritance options on the main data form for user accounts.

35524

Improved the One Identity Manager Business Application Programming Interface.

35556

Improved display of outstanding objects from assignment tables in target system synchronization.

34930

Improved display of assigned SAP groups, roles, profiles on the overview form for SAP user accounts.

34780

Improved logging of delete operations on dynamic roles.

35544

Improved performance during synchronization when a local cache is used.

34955

The following note has been included in the documentation for connecting a SAP R/3 environment with BI analysis authorizations:

NOTE: BI analysis permissions are not mapped in One Identity Manager if they are indirectly assigned to SAP user accounts in SAP R/3 using SAP roles or SAP profiles. With appropriately formulated SAP functions for the S_RS_AUTH authorization object, it is still possible to check in Identity Audit whether these BI analysis authorization assignments are permitted.

35295

Improved display of inheritable groups and system entitlements on the overview forms for cloud user accounts and user accounts in custom target systems.

35508

The AS/400 LDAP connector has been renamed to IBM i LDAP connector.

35275

LIKE queries can no longer be run in the /VIAENET/READTABLE function module.

  • To apply the change, import the BAPI transport SAPTRANSPORT_70.ZIP into the SAP R/3 system.

35741

Improved performance processing object changes if a scope is defined.

35406

Unnecessary queries made to the SAP system when using a table-based schema extension have been omitted.

35800

Table 4: Identity and Access Governance

Enhancement

Issue ID

On the employee overview form, the client of the associated SAP user accounts is also displayed. 34929
Improved presentation of attestation case main data in the Manager. 35576
Service items can be configured as hidden in the service catalog even though they can still be requested. 35031
Completed deputizations can be deleted from the database or archived. 35096
The expiry time for adaptive maps has been increased to 24 hours. The value of the QER | Person | Starling | UseApprovalAnywhere | SecondsToExpire configuration parameter is now 86400 by default. 35727
Completed deputizations are deleted by the DBQueue Processor once the retention period is exceeded. 35096

See also:

Resolved issues

The following is a list of solved problems in this version.

Table 5: General

Resolved issue

Issue ID

Defining procedures is sporadically broken off at different stages.

Error message: Error 2021: The referenced entity 'xxx' was modified when the DDL was run. Please retry the operation.

33544

Error running the QBM_PJobUpdateState_Bulk procedure: There is insufficient system memory. 34590
Newly issued certificates may not be accepted. 34900
In certain circumstances, mutually exclusive processes are delivered during process handling. 34973
Schedules are not sorted correctly in the Designer. 35522
Changes to the One Identity Manager Service configuration by the Job Service Configuration are not always transferred to the database. 35538
Display error in Manager on the Permissions tab in the object properties. 35558
Restore login for expired sessions in the application server does not work. 35594
Error connecting multiple Designer instances through an application server. 35668
In Manager, method definitions are displayed although the visibility permission was removed by a script. 35507
Authentication at the token endpoint using the client_secret_post method must include the client ID. 35691

Process steps of the DelayComponent process component with the Delay process task fail with SQL syntax errors.

35744

Application server installation fails if authentication through a system user is not allowed.

34875

New custom columns with initial values cause incorrect entries in the QBMCustomSQL table.

35502

Unnecessary correction of the date from 1899-12-31 to NULL.

35703

Issue with the automatic update under Linux.

35825

A conversion script, which is stored in the Data Import program, does not save.

35840

The Manager quits unexpectedly if more than two dependent objects are saved with the OnSaving scripts.

35838

Table 6: General web applications

Resolved issue

Issue ID

Errors occur if there are a lot of products in the Web Portal's shopping cart for which parameters must be specified.

34417

In the Web Portal, the reason stored is incorrect if products are automatically canceled due to denied attestation.

34528

When installing the Manager web application, WebView2 is installed unnecessarily.

35662

In the Web Designer preview, an error occurs when opening a service category during the request process.

35404

OAuth login to API Server fails because the State parameter cannot be decrypted.

35611

The display names of request items are not localized.

34865

If no matching time zone can be determined, an error message appears in the Web Designer Web Portal: Sequence contains no matching element.

35191

Pressing Enter in a date field in the Web Designer Web Portal navigates to the home page.

35559

Password questions in the Web Portal are still displayed under Profile, although the associated parameter has the value false.

35647

In the Web Portal, the product description text is not displayed in a tooltip, only the technical name.

35659

In node editing in the Web Designer, some properties do not show the data, only scroll bars.

35586

In the Password Reset Portal, after an incorrect login attempt, the authentication modules for login are displayed twice.

35546

In certain circumstances, the search in the administration portal does not return any results.

307328

When a new database session is logged in within the same API Server session, the previously used user is not logged out.

306163

The search index does not update the object keywords.

303391

The search index does not find strings containing a hyphen or a backslash in every case.

35634

When displaying attestation cases in the Web Portal, the headings of the Grouping and Property columns are not displayed correctly.

35171

Clicking on the customized company logo in the Web Portal does not open the home page.

35658

In certain circumstances in the Web Portal, an error occurs opening the request history.

34893

In the Web Portal's request history, incorrect or too many groups are displayed after a search followed by grouping.

35595

An error occurs in the Web Designer if you use the ObjectWalker function in a column list's condition.

35782

An error occurs if a report is created in the Web Designer Web Portal when it is connected directly to the One Identity Manager database and the One Identity Manager Service that generates the report is running against an application server.

35734

Missing permissions for the session certificate in the Web Portal container.

35912

Table 7: Target system connection

Resolved issue

Issue ID

The DPR_NeedExecuteWorkflow script and the current DPR_VWorkflowHandlesProperty view do not respect the mapping direction of the mapped schema properties.

34982

A conversion error occurs when synchronizing an Active Roles domain.

A patch with the patch ID VPR#35122 is available for synchronization projects.

35122

When synchronizing cloud applications with the Universal Cloud Interface connector, the UserInGroup* and UserHasGroup* tables are ignored.

A patch with the patch ID VPR#35451 is available for synchronization projects.

35451

Error opening an AdminP task in the Synchronization Editor's object browser, if no database file is specified.

A patch with the patch ID VPR#35500 is available for synchronization projects.

35500

When updating synchronization projects for Domino, the MailFileAccessType variable is not created correctly.

A patch with the patch ID VPR#35745 is available for synchronization projects.

35745

Customizers prevent objects from being saved if the XOrigin column has the value 0.

34854

Incorrect conversion of values in custom extensions.

35060

The display name of Azure Active Directory user accounts for guest users is not transferred to the target system.

35598

Merge mode for the AADApplicationOwner and AADServicePrincipalOwner tables is not enabled.

35183

Azure Active Directory synchronization stops unexpectedly if an owner of a service principal is themselves a service principal.

A patch with the patch ID VPR#35768 is available for synchronization projects.

35768

Microsoft Teams Teams and Microsoft Teams channels are not assigned to a scope.

A patch with the patch ID VPR#35410 is available for synchronization projects.

35410

Failure to create Microsoft Teams channels.

35428

Group memberships of Active Directory groups marked for deletion are not removed.

35293

Rogue correction of Active Directory group memberships does not work.

35492

Read processes for Active Directory do not use the OverrideVariables parameter.

35555

Automatic employee assignment may create an unnecessary remote mailbox.

35146

The PAG_PAGAccessOrder_CheckExistingAccessRequest process fails.

35593

Error creating a Unix user account if the last name of the connected person contains a colon (:).

26374

Reloading objects in bulk mode fails if an item cannot be loaded.

34420

Conversion error synchronizing an Active Directory domain using One Identity Active Roles.

35122

If at least three processing methods are defined in a synchronization step, the order of the processing methods is swapped when the synchronization project is saved.

35499

The documentation for setting up a system connection with an Oracle Database is not up to date.

35505

When setting up the system connection with a SalesForce application, no schema types are detected.

35679

Error encrypting a database when DPRSystemConnection.ConnectionParameter is marked as encrypted.

35695

Single object synchronization no longer works for Azure Active Directory user accounts.

35728

The update migration of a very large database is unexpectedly stopped after 12 hours in the step SAP 2019.0004.0017.0000 (31561).

35464

When requests are generated to assign SAP roles directly to SAP user accounts, the direct assignments are deleted and recreated with a different validity period.

35648

Error applying the patch VPR#34563.

35696

The assigned system entitlements 1, 2, and 3 are not displayed on the cloud application overview form.

35512

Automatically created user accounts in custom target systems or user accounts (UNSAccountB table) or cloud user accounts (CMSUser table) do not inherit groups.

For more information, see the knowledge article https://support.oneidentity.com/kb/339327.

35214

Poor performance in the Manager when displaying SAP roles that are assigned to SAP user accounts.

35761

Error updating synchronization projects with the Synchronization Editor Command Line Interface if the database is encrypted. The patches are not applied.

35805

Error deleting Azure Active Directory user account memberships in Office 365 groups.

35786

When filtering an object list, the SCIM connector ignores the date and time from the SCIM server if they are already supplied in UTC format.

35847

Table 8: Identity and Access Governance

Resolved issue

Issue ID

The permissions of the vi_4_ITSHOPADMIN_OWNER group for the AADGroup table are incorrect.

35519

Translations of an application's name are not applied to the service category. 35041
The DBQueue Processor tasks QER-K-ShoppingRackPWOHelperPWO-Del and ATT-K-AttestationHelper-Del may cause blockages. 35157
Error transporting a resource that can be requested multiple times. 35470
Lack of dependencies between DBQueue Processor tasks for allocating company resources to employees. 35294

Performance issues determining attestation objects (DBQueue Processor task ATT-K-HelperAttestationPolicy).

34201

Performance issues with recalculation of attestors.

35455

If an approval level with multiple approval steps is rejected due to a timeout, the subsequent approval level (if rejected) is not always carried out.

35473, 35474

Although an attestation case has Hold status, attestors who are redetermined for this approval step in the meantime still receive an attestation email notification. Quite rightly, the Manager and Web Portal do not display anything for these attestors to attest.

35583

Compliance checking of requests in the shopping cart and in the approval process does not detect a rule violation if it is caused by different identities of an employee. Only the cyclical compliance check detects the rule violation.

35170

Performance problems calculating groups of employees affected by compliance rules.

35261

During automatic withdrawal of entitlements after an attestation is denied, requests with the renewal and cancellation statuses are not taken into account.

34725

Immediate cancellation of a request is not possible if this request has already been previously canceled with a validity date.

35431

If the DBQueue Processor task QER-K-ShoppingRackPWOHelperPWO is processed in multiple slots, this task may keep getting deferred. This stops other tasks from being handled.

35466

When sending email notifications in request approval procedures, incorrect mail templates are used. Sometimes email notifications are sent even though no mail template is given in the approval step.

35496, 35819

The mail template IT Shop request - renewal specifies under Requested by the initial requester of the request, instead of the employee requesting the renewal.

35529

Requests for products for with a specified validity period can be extended indefinitely.

35651

The shopping cart cannot be filled and sent because the query that uses the QER_FTPWOOrderPerson function, does not finish.

35882

See also:

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating