Identity Manager 9.2 - Release Notes

Resolved issues

The following is a list of issues addressed in this release.

Table 7: General

Resolved issue

Issue ID

Under certain conditions, hyperlinks are not fully displayed in the Mail Template Editor.

35676

In rare cases, an attempt was made during process handling to enter the same process more than once in the process display (DialogProcess table). This led to a primary key violation and consequently to the error.

35765

Error displaying dates in the Where clause wizard when they are given with null values.

35801

When editing the connection string in the connection dialog, the first change is ignored.

35911

In certain cases, an error occurs when database queries are run via the object layer.

Error message: the Size property has an invalid size of 0

35993

When installing or updating One Identity Manager, custom files were saved in the wrong subdirectory.

36054

In the Script Editor of the Designer, the script list menu is too narrow.

36085

Error marking a completed process step for deletion or archiving.

36098

Error installing the application server due to Microsoft Edge WebView2 dependencies.

36107

The administrative user selected on the System administrator permissions page is not used in the Configuration Wizard.

36248

Cumulative transport packages are not displayed correctly in the transport history.

36260

Creating and setting up a One Identity Manager database requires an installation user with a dbcreator server role, even if a previously created database is going to be used.

36295

Process collection via HttpJobProvider does not work if SSL is configured for use by the proxy server.

36329

In the Designer, column definitions cannot be loaded in the Schema Editor if they were disabled via a preprocessor condition.

36340

Inconsistencies in the definition of DBQueue Processor task dependencies.

36366

In the Designer, the data source of a key value is not populated correctly in the Language Editor.

36402

Under certain conditions, when the DBQueue Processor replaces processes, entries are retained that reference processes that no longer exist.

36645

When changing the parameter type from calculation to user query, the Table column (calc.) column for the parameter (DialogParameter.UID_DialogColumnCalculate) is not cleared.

36664

Incorrect display of historical assignments in reports if a database view is used as table.

36695

If the Database Agent Service stops when DBQueue Processor tasks are being compressed, data is lost.

36708

The language code nb is missing.

36714

Incorrect conversion of time values with a time of 00:00 and a date format of DateTime.

36745

In the documentation about the Docker container for the One Identity Manager Service, the CONFIGFROMDB parameter is insufficiently described.

36779

Under certain conditions, there may be orphaned entries for deleted machine roles in the ModuleInfo.xml file of the CCC module after updating.

36810

An error sometimes occurs in the system configuration overview.

Error message: Divide by zero error encountered.

36822

In the One Identity Manager Installation Guide, port 443 is missing from the list of communication ports.

36851

Watch triggers are not created if a column for different database views is marked for logging data changes and the views are based on the same base table.

36857

In rare cases, a schedule is triggered several times.

36861

The Database Compiler stops responding when it is determining compiler tasks.

36865

An error occurs in Designer when assigning permission groups to applications.

Error message: Object reference not set to an instance of an object.

36879

An error occurs when calculating the display pattern if different data types are used.

Error message: Conversion failed when converting the nvarchar value '<value>' to data type int.

36895

Users from time zones with UTC+00:00 are not able to log in to the Manager web application.

36901, 431158

Transport by change label does not transfer the description and comment of change labels.

36904

In reports created with the Report Editor, filters and summaries contain incorrect results.

36906

The comparison of columns with date and time values does not always work correctly.

36945

Error handling processes that use the ModifyFileAccess_Universal process task.

Error message: Cacls.Exe failed with return code 122 ("The data area passed to a system call is too small").

NOTE: The process task has been replaced by the ModifyFileAccess_DotNet process task. For more information, see New features.

36946

When upgrading from One Identity Manager version 8.x to a newer version, an error may occur when compiling the type-safe database model.

Error message: Keyword is not valid as an identifier.

36949

Error saving an object change as a planned operation in the Manager if the Manager was started via an application server.

36951

Entries in the Job queue are often marked for recalculation. This blocks Job queue processing.

The DBQueue Processor task QBM-K-JobqueueOverviewInvalid has now been replaced by a trigger.

36962, 36963

Performance issues testing for multi-column uniqueness if objects are added to the One Identity Manager database in bulk.

37027

It is not possible to assign SAP roles to SAP user accounts in the Manager web application.

37032, 431268

Error importing data into the QBMDBPrincipal table if it results in duplicate entries relating to database users or login names.

37045

Under certain conditions, recalculation tasks for the DBQueue Processor that relate to the Target System Base Module (TSB) are not automatically deleted.

37048

Error displaying the QBM_TransportToHistoryDatabase process in the Process Editor if the SQL processing server server function is assigned to two Job servers or more.

37050

Changes to templates or formatting scripts in the Designer are not always saved in the database.

37056

An incorrect warning is displayed when opening a password policy in the Designer.

37083

Error if DialogDatabase.EditionDescription is marked as isBlobExternal.

37108

Filters generated in the SCIM connector may have an unnecessary bracket level. Some SCIM providers return a Bad request status due to these filters.

37119

The change history view of an object may exceed the IN clause limit of 8000 elements.

37140

Table 8: HTML web applications

Resolved issue

Issue ID

The Web Portal does not use the correct product names in the shopping cart.

35818, 317017

In the Web Portal, languages available for selection are not displayed in the respective language.

36138

The Docker container for the API Server does not log by Application Insights.

36484

The index in the Web Portal enters into an endless loop.

36587

In the Web Portal, clicking outside the request parameter prompt cancels the request.

36813

In the Web Portal, an error occurs when checking the shopping cart if the requested product has a request parameter that contains a list of permitted values.

36847, 431117

An error occurs in the Administration Portal when saving global changes.

36848, 431121

When approving delegations, an error occurs when a custom approval policy is used.

36854, 416803

Error testing request parameters in the shopping cart if the parameter contains a limiting condition with a variable.

36878

In the Web Portal, adding products to the shopping cart does not work.

37144

In the Web Portal, the request workflow displays withdrawal of an additional approver incorrectly.

292577

If a user tries to log in to the password reset portal with an expired passcode, they get the wrong information.

305015

Under certain conditions, the Web Portal does not display the rule violation testing for assignment requests.

306828

In the Web Portal, under certain conditions, an error message is displayed during approval of an attestation case.

317836

In the Web Portal, if new requests are made through peer groups or reference users, the products selected through organizational structures are not added to the cart.

319781

Under certain circumstances, editing attestation policies in the Web Portal deletes the conditions of the attestation policy.

320926

The Identity Access Comparison report cannot be generated in the Web Portal.

322252

Under certain conditions, the Web Portal's search function does not work and generates an error.

327287

The Web Portal does not display all the details about a rule violation for a product that causes a rule violation when requested.

331942

In the Administration Portal, the values true and false are not translated.

386304

Stores assigned to shopping centers are not displayed in the list of editable stores in the Web Portal.

403983

The API Server creates a new session for each request if the same authorization token is used.

405848

Request parameters of type query are handled correctly only if the query column is either XObjectKey or a primary key column.

412932

Registering a new user in the Password Reset Portal fails.

415340

The Web Portal allows delegations to be created without a time limit.

416793

The search in the Administration Portal does not correctly handle upper and lower case letters.

418578

The process view in the Operations Support Web Portal displays all the process steps of a process with the same name.

419792

In the Operations Support Web Portal, existing Job queue tasks are only displayed with a delay.

426530

Table 9: Web Designer web applications

Resolved issue

Issue ID

In the VI_Edit_Multiselect component of the Web Designer, values cannot be cleared.

36558

Displaying an identity's main data causes an error in the Web Designer Web Portal.

36578, 405073

In the Web Designer Web Portal, it is not possible to unsubscribe a product.

36647

The Web Designer Web Portal does not show translation values in some menus.

36761, 414583

The Web Designer Web Portal does not identify a rule violation when the shopping cart is checked even though mandatory parameters are not populated.

36764, 431063

After logging off from the Web Designer Web Portal, redirection to the configured URI does not work if Send redirect URI for the application is configured in the OAuth/OpenID Connect configuration.

36874

When an approver opens and approves a request in the Web Designer Web Portal via a link, any existing valid-until date is deleted.

37121, 431359

Code copied to customized functions of the Web Designer is reformatted.

428028

In the VI_Edit_Special_Person_TemporaryDeactivated Web Designer component, the IsTemporaryDeactivated parameter cannot be set to readonly.

430791

Table 10: Target system connection

Resolved issue

Issue ID

The handling of outstanding Exchange Online email users generates unnecessary provisioning tasks for Azure Active Directory groups.

36707

Error synchronizing against the generic database connector when the synchronization server is set up on a Linux server.

Error message: The time zone ID 'FLE Standard Time' was not found on the local computer.

34451

Error synchronizing with the One Identity Manager connector if virtual schema properties with the same name are used in schema types with the same name.

Error message: Error compiling synchronization project. An item with the same key has already been added.

35811

Different OneLogin user account properties are changed by each synchronization.

35958

Performance problems synchronizing SharePoint Online with a lot of site collections.

35975

In the Launchpad, an end user (database user) cannot enable offline mode for a target system.

36007

Error reading data with the CSV connector when there is a remote connection to the CSV system.

36126

Conversion error displaying Azure Active Directory objects in the target system browser.

Error message: [1777022] Schema property (extension_<guid>_description@User) only accepts data of type (System.String). The value loaded (["<user>"]) is however type (System.Text.Json.JsonElement).

36306

Memberships in system entitlements that are marked as outstanding are in effect in the One Identity Manager. This means that the system entitlements in One Identity Manager cannot be deleted.

36395

In the schema extension file of an SAP R/3 schema, if a function is defined with optional parameters, the properties of each single object are populated with empty values during synchronization. However, in the target system browser, the properties are provisioned correctly.

36425

The One Identity Manager Administration Guide for Connecting to Unix Based Target Systems does not sufficiently describe the minimum permissions.

36435

Insert operations take unexpectedly long if the SCIM provider does not support searching for endpoints with filters.

36459

If the assignment of a BI analysis authorization to a BI user account is deleted in One Identity Manager, the provisioning process does not remove the assignment from the SAP R/3 system.

36517

The One Identity Manager Password Capture Agent Administration Guide does not describe the DeleteJob parameter.

36592

The One Identity Manager Administration Guide for Connecting to Exchange Online does not sufficiently describe the permissions for app-only authentication using a self-signed certificate.

36619

If several synchronization projects exist for a target system, the provisioning tasks might be generated incorrectly for the wrong (inactive) project.

36671

If a Microsoft Teams team is archived, the associated SharePoint Online page can still be edited.

36677

The One Identity Manager Administration Guide for Connecting to Microsoft Exchange does not sufficiently describe the required permissions.

36680

SAP user account assignments to SAP roles are not updated correctly if the structure of the SAP roles changes.

36701

When using PowerShell module v3, an error may occur during synchronization with Exchange Online.

Error message: You must call Connect-ExchangeOnline before calling any other cmdlet.

36709, 37137

When templates for mail-enabled Azure Active Directory groups are reused, it changes the AADGroup.IsSecurityEnabled and AADGroup.IsMailEnabled columns.

36713

The communication data of SAP user accounts is not read correctly from systems with business partner functionality. This happens if the user account is linked to an HCM person (identical personnel number) and separate address and communication data exist.

36754

Error accessing schema properties in the central database of synchronization projects for system synchronization that map M:N schema types or key resolutions.

Error message: The system (...) does not have a data store.

A patch with the patch ID VPR#36755 is available for synchronization projects.

36755

Sometimes the object properties of certain types of SAP R/3 schema extensions are all read correctly in the target system browser, but during synchronization not all properties are accessed.

36768

Missing customizer for OneLogin user accounts (OLGUser table).

36771

An error occurs if the value $null is returned when running a script with the ExecuteScript process task of the PowerShellComponentNet4 process component.

Error message: Object reference not set to an instance of an object.

36776

The OLG_PersonAuto_Mapping_OLGUser script references a non-existing column.

Error message: Column UID_TSBAccountDefUser does not exist.

36788

Assigning group membership fails in an AIX system if there is no permission to use the bin/mv command.

36794

Error synchronizing owners of Azure Active Directory app registration if the owner is a service principal.

A patch with the patch ID VPR#36799 is available for synchronization projects.

36799

Error loading a synchronization project.

Error message: [System.TypeLoadException] Method 'TryConvertFromString' not found.

36815

Error synchronizing Notes Admin4 databases and certificate requests.

Error message: Error running synchronization step (AdminRequest) of synchronization configuration (Initial Synchronization). Quota (2) exceeded for method (Delete object).

A patch with the patch ID VPR#36831 is available for synchronization projects.

36831

Delta synchronization does not enter the group type of Azure Active Directory groups correctly.

36840

Provisioning of Active Directory groups sporadically fails when memberships and the member are deleted at the same time.

36843

Error synchronizing an SAP R/3 environment if the synchronization configuration contains a schema extension that uses a Where clause longer than 72 characters in the table definition.

36869

Connection error in the SCIM connector when using authentication based on a client certificate, even though the certificate has been validated as correct.

36872

The overview form for Azure Active Directory user account displays disabled group memberships.

36899

In Azure Active Directory, loading user accounts without a picture can cause an ImageNotFound error.

36928

When loading faulty SAP user accounts, the synchronization quits instead of logging the faulty objects and continuing the synchronization.

36931

Under certain conditions, Active Directory synchronization fails with the error: Value cannot be null.

36938

If booking permissions are processed for an object that still has an element in Microsoft Exchange that is no longer a recipient itself, the error You cannot call a method on a null-valued expression occurs.

36953

Reading the Tenant.AllowedDomainListForSyncClient fails if the data for this property exist in SharePoint Online.

Error message: Object cannot be stored in an array of this type.

36956

Error synchronizing SharePoint Online when a site collection contains a large number of sites.

Error message: The request uses too many resources.

A patch with the patch ID VPR#36961 is available for synchronization projects.

36961

When synchronizing an SAP R/3 environment with revision filtering, all user accounts are loaded, not just the changed ones.

Error message: Object list of type USER is not able to read property BAPIUCLASS~SYSID. Subsequent loading of all single objects will affect performance.

A patch with the patch ID VPR#36970 is available for synchronization projects.

36970

When loading a SCIM schema with schema extensions, the list of names of the schema extensions included is empty.

A patch with the patch ID VPR#36985 is available for synchronization projects.

36985

Error in the generic database connector for Oracle Database when reading large numerical values from a table column of type NUMBER(20).

Error message: Arithmetic operation resulted in an overflow

36993

Error loading objects of the ExternalEmail schema type when the entire Google Workspace customer is assigned as a member to a Google Workspace group.

37024

Error starting provisioning if there are object references for the changed object that were ignored during synchronization.

Error message: Unable to cast object of type 'System.Byte[]' to type 'System.IComparable'.

37031

Incorrect conversion of date values in the generic database connector.

37037

Error in CSV connector when handling object references.

37039

Synchronizing memberships does not clean the synchronization buffer if Ignore case is enabled on the value comparison rule.

37062

On the main data forms of user accounts the values in the Category property are not displayed correctly.

37070

Delta synchronization of Azure Active Directory user accounts without a manager fails.

37088

In the attributes parameter of an HTTP GET request, the names of properties defined in an overlay file are not formatted according to RFC.

37099

Error in the RACF connector if the RemoteConnectPlugin is used.

37103

Error in the template for OLGUser.status.

37138

SAP schema extensions with nested Where clauses in the table definition do not return the expected data sets.

37146

The log data from the database is not presented in the correct order in the system journal.

37155

Arbitrary changes to the SAPComSMTP.SMTPAddr column definition cause an error.

37169

The DialogTable without Layout information consistency check lists missing layout information for all custom tables.

37181

Table 11: Identity and Access Governance

Resolved issue

Issue ID

The default email address column template for identities (Person.DefaultEmailAddress) does not format values if neither the Microsoft Exchange Module nor the Domino Module are installed and active.

34915

If an approver can approve several approval steps at the same approval level, approval that is granted is not accepted although the QER | ... | ReuseDecision configuration parameter is set.

35517

Base objects for events on PersonWantsOrg and AttestationCase are not correct.

36430

The master data form for identities might prevent some interface elements in the Manager from being hidden due to an external error.

36485

If a product is moved to another shelf, renewal requests are not reset.

36634

In some cases, an error occurs when transporting approval workflows.

Error message: PWODecisionStep: Write permission denied for value "CountApprover".

36641

Product owners of Exchange Online distribution groups are not removed from the application role.

36668

Viewing permissions for VI_4_ALLUSER_LOOKUP missing for Azure Active Directory service principals to request Azure Active Directory role eligibilities.

36710

In the Manager, the date for creating user accounts (Person.TechnicalEntryDate) cannot be set to the person's start date (Person.EntryDate).

36758

Permissions for the product owner vi_4_ITSHOPADMIN_OWNER missing for various tables.

36777

In the Manager, identities cannot be deleted or inserted in the results list of inactive identities.

36784

The auxiliary table for request procedures (PWOHelperPWO) sporadically contains duplicate entries.

36805

Performance issues when processing DBQueue Processor tasks.

36826

On the overview form for an SAP composite role, the status of an assigned single role marked as pending is not displayed correctly.

36833

If exception approval is not permitted for a company policy, the Checked (IsDecisionMade), Decision on (DecisionDate), and the reason (DecisionReason) properties are no longer automatically set when policy violations are calculated.

36921

If products with a validity period (Max. days valid) are requested and the valid-until date is earlier than the end of the validity period, the valid-until date is automatically extended to match the length of the validity period.

36923, 431172

The VI_MassDeleteDelegate script fails with an error message if one of the requests has the status Canceled.

36924

Error in the QER_PSlotResetOnInvalidRoot procedure.

36955

Sporadic error in the Created by QBMDBQueueProcess: handle object update for object type ITShopOrg process. After being re-enabled, the process runs without errors.

36965

If a proxy view is attested, meaning, memberships in system entitlements (UNSAccountInUNSGroup) and the content of the snapshot is restricted to Object references: related objects 1-3 only by the attestation procedure, then the snapshot in the attestation procedure contains only the proxy object (UNSAccount). Other properties of the associated base object (for example, AADUser) are not displayed.

37035

If the QER | Attestation | ReuseDecision configuration parameter is set, approval granted by a previous approval step is not accepted if an intermediate approval step was denied approval.

37051

The compliance check in the shopping cart causes a rule violation for a subidentity although the subidentity did not break the rule.

37079

Calculation tasks are set for the compliance check when identities are added if the rule condition applies to all identities.

37097

Error importing enabled company policies with the Database Transporter.

Error message: QERPolicy: Write permission denied for value "IsWorkingCopy".

37098

When calculating the risk index for an object, # is entered as Changed by (XUserUpdated).

37130

Incorrect sort order in the Request History report in the Manager.

37135

Error in the formatting script for AOBApplication.NextRunDate when determining a valid date value.

37150, 431402

Typo in the German version of the IT Shop request - expires mail template.

37221

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 12: General

Known Issue

Issue ID

Error in the Report Editor if columns are used that are defined as keywords in the Report Editor.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

23521

Access errors can occur if several instances of the Web Installer are started at the same time.

24198

Headers in reports saved as CSV do not contain corresponding names.

24657

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Error connecting via an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable when exporting or importing the certificate.

27793

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

29535

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the servers is done by distributed transaction. If a Save Transaction is run in the process, an error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

30972

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.

31322

Variables are used in a report and there are customized translations given for these variables in the Report Editor. However, the variables are not translated in the report that is generated.

Cause: When reports are generated, the translations of default variables as displayed in the Report Designer dictionary below the Quest category are overwritten with the values from the One Identity Manager database.

Solution: Create your own variables and store them outside of the Quest category in the Report Designer dictionary. These variables can be translated.

36686

The consistency check Columns of type varchar(38) not PK and not FK. identifies issues with columns that are varchar(38) long but are not labeled as UID columns.

Solution: Choose a different column length when extending the schema. According to the modeling guidelines, columns with a length of varchar(38) are reserved for columns that map a UID.

37072

Table 13: Web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.

32364

It is not possible to use the Web Designer to place a link in the header of the Web Portal next to the company name/logo.

32830

In the Web Portal, it is possible to subscribe to a report without selecting a schedule.

Workaround:

  • Create an extension to the respective form, which displays a text message under the menu explaining the problem.
  • Add a default schedule to the subscribable report.
  • In the Web Designer, change the Filter for subscribable reports configuration key (VI_Reporting_Subscription_FilterRPSSubscription) and set the schedule's Minimum character count value (UID_DialogSchedule) to 1.

32938

If the application is supplemented with custom DLL files, an incorrect version of the Newtonsoft.Json.dll file might be loaded. This can cause the following error when running the application:

System.InvalidOperationException: Method may only be called on a Type for which Type.IsGenericParameter is true.

at System.RuntimeType.get_DeclaringMethod()

There are two possible solutions to the problem:

  • The custom DLLs are compiled against the same version of the Newtonsoft.Json.dll to resolve the version conflict.

  • Define a rerouting of the assembly in the corresponding configuration file (for example, web.config).

    Example:

    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30AD4FE6B2A6AEED" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0"/>
      </dependentAssembly>
    </assemblyBinding>

33867

In the Web Portal, the details pane of a pending attestation case does not show the expected fields if the default attestation procedure is not used, but a copy of it is.

Solution:

  • The object-dependent references of the default attestation procedure must also be adopted for the custom attestation procedure.

34110

Table 14: Target system connection

Known Issue

Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

23795

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, provided that no primary SIP addresses have been stored up to now.

27042

Error in Domino connector (Error getting revision of schema type ((Server))).

Probable cause: The HCL Domino environment was rebuilt, or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the HCL Domino environment.

27126

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.

27359

Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to the user account.

    - OR -

  • A company is assigned to the central system.

29253

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will come into effect later.

Cause: The BAPI_EMPLOYEE_GETDATA function is always run with the current date. Therefore, changes are taken into account on the exact day.

Solution: To synchronize personnel data in advance that comes into effect later, use a schema extension and load the data from the table PA0001 directly.

29556

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

Inconsistencies in SharePoint can cause errors when a property is simply accessed. The error also appears if the mapping of the affected schema properties is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact, and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.

31904

If date fields in an SAP R/3 environment contain values that are not in a valid date or time format, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version 3.0.15.0 or later must be installed on the synchronization server.

IMPORTANT: This workaround should only be used if there is no alternative because it skips date and time validation entirely.

To disable type conversion, add the following settings to StdioProcessor.exe.config.

  • In the existing <configSections>:

    <sectionGroup name="SAP.Middleware.Connector">
      <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.0.0.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />
    </sectionGroup>

  • A new section:

    <SAP.Middleware.Connector>
      <GeneralSettings anyDateTimeValueAllowed="true" />
    </SAP.Middleware.Connector>

32149

The file generated by the PowershellComponentNet4 process component (OutputFile parameter) does not contain any error messages.

Cause:

No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.

Solution:

Messages in the script can be output to a file specified in the script using the *> operator.

Example:

Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force the script to stop on an error, throw an exception. This message then appears in the One Identity Manager Service's log file.

32945

The Google Workspace connector cannot successfully transfer Google applications user data to another Google Workspace user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advanced settings for Google Workspace, save a user data transfer XML. In this XML document, limit the list to the user data to be transferred. Only run the Google applications that have user data you still need. For more information and an example XML, see One Identity Manager Administration Guide for Connecting to Google Workspace.

33104

In the schema type definition of a schema extension file for the SAP R/3 schema, if a DisplayPattern is defined that has a different name in the SAP R/3 schema than in the One Identity Manager schema, performance issues may occur.

Solution: Leave the DisplayPattern empty in the schema type definition. Then the object's distinguished name is used automatically.

33812

If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.

Solution:

Avoid appending spaces in the target system.

33448

The process of provisioning object changes starts before the synchronization project has been updated.

Solution:

Reactivate the process for provisioning object changes after the DPR_Migrate_Shell process has been processed.

34903

After an update from SAP_BASIS 7.40 SP 0023 to SP 0026 or SAP_BASIS 7.50 SP 0019 to SP 0022, the SAP R/3 connector can no longer connect to the target system.

34650

After upgrading from One Identity Manager version 8.0 or version 8.1 to One Identity Manager version 8.2.1 or later, PowerShell scripts that reference the Az PowerShell module (Import-Module Az) may not work. In a PowerShell launched on the same host, the scripts work without errors. Error messages are logged when the ExecuteScript process task is run by the PowerShellComponentNet4 process component.

Example:

Entry point was not found.

Cause:

One Identity Manager version 8.2.1 or later ships with a specific version of the Azure.Core.dll library. The custom PowerShell script may, however, depend on a newer version of the Az PowerShell module. When the One Identity Manager Service runs the script, it uses the locally stored Azure.Core.dll, breaking the dependency.

Possible workarounds: Check whether the following workarounds are suitable with respect to input parameters and return values.

  • Call PowerShell as a subprocess

    To run a PowerShell command out of the current process, start a new PowerShell process directly with the command call:

    pwsh -c 'Invoke-ConflictingCommand'

  • Use the CommandComponent process component with the Execute process task to launch the PowerShell application with the following command call.

    powershell -c 'Invoke-ConflictingCommand'

37116
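The subprocess workaround for issue 37116 raises the question of how to get input parameters into the child process and a return value back out. The following is an added example, not One Identity code: it hands the input over as JSON data rather than splicing it into the -c string, and reads the result back as JSON. The names Invoke-InChildPowerShell, OIM_CHILD_INPUT and the -Name parameter are hypothetical, and Invoke-ConflictingCommand is the page's placeholder that must be replaced with the real Az call.

```powershell
# Added example. Hypothetical names: Invoke-InChildPowerShell, OIM_CHILD_INPUT,
# the -Name parameter. Invoke-ConflictingCommand is the page's placeholder.
function Invoke-InChildPowerShell {
    param(
        [Parameter(Mandatory)] [string] $ChildScript,  # constant text, never built from input
        [hashtable] $Parameters = @{},                 # input values for the child
        [string] $Executable = 'pwsh'                  # 'powershell' for Windows PowerShell 5.1
    )

    # -EncodedCommand takes Base64 of the UTF-16LE script, so no quoting is involved.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($ChildScript))

    # Input crosses the process boundary as data (JSON), not as script text.
    # The variable is inherited by the child, so keep secrets out of it.
    $env:OIM_CHILD_INPUT = $Parameters | ConvertTo-Json -Compress -Depth 5
    try {
        $stdout   = & $Executable -NoProfile -NonInteractive -EncodedCommand $encoded
        $exitCode = $LASTEXITCODE
    }
    finally {
        Remove-Item Env:\OIM_CHILD_INPUT -ErrorAction SilentlyContinue
    }

    # The child prints its reply as the last stdout line; anything before it is noise.
    $lastLine = $stdout | Select-Object -Last 1
    if ([string]::IsNullOrWhiteSpace($lastLine)) {
        throw "Child PowerShell returned no reply (exit code $exitCode)."
    }
    $reply = $lastLine | ConvertFrom-Json
    if ($exitCode -ne 0 -or -not $reply.ok) {
        throw "Child PowerShell failed (exit code $exitCode): $($reply.error)"
    }
    return $reply.data
}

# Child script: loads the Az module in its own process, with its own Azure.Core.dll.
$childScript = @'
$ErrorActionPreference = 'Stop'
$WarningPreference     = 'SilentlyContinue'   # warnings would otherwise land on stdout
$ProgressPreference    = 'SilentlyContinue'
try {
    $in = $env:OIM_CHILD_INPUT | ConvertFrom-Json
    Import-Module Az
    $result = Invoke-ConflictingCommand -Name $in.Name
    @{ ok = $true; data = $result } | ConvertTo-Json -Compress -Depth 5
    exit 0
}
catch {
    @{ ok = $false; error = $_.Exception.Message } | ConvertTo-Json -Compress
    exit 1
}
'@

# The value is passed as data; quotes or semicolons in it cannot change the command.
$data = Invoke-InChildPowerShell -ChildScript $childScript -Parameters @{ Name = "O'Brien; test" }
$data
```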

Table 15: Identity and Access Governance

Known Issue

Issue ID

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

31997

If an assignment is inherited through a role hierarchy, bit 1 is set on the inherited assignment. Inherited assignments are consequently always indirectly assigned, even if they were originally created directly by a dynamic role or an assignment request.

35193

If a service item has its Max. days valid option reduced such that approved requests are already expired, these requests cannot be unsubscribed anymore.

Solution:

Create a process for the AccProduct base object that is triggered when changes are made to AccProduct.MaxValidDays. The process calculates the 'valid until' date for these requests (PersonWantsOrg.ValidUntil) from PersonWantsOrg.ValidFrom and AccProduct.MaxValidDays.

After that, you can unsubscribe the requests.

36349

Table 16: Third party contributions

Known Issue

Issue ID

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers on the grounds of security.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

29051

Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see https://github.com/mono/mono/issues/7455.

762534, 762548, 29607

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016: KB4462928

  • Windows Server 2012 R2: KB4462926, KB4462921

  • Windows Server 2008 R2: KB4462926

One Identity does not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory group provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.

30575

Under certain conditions, the wrong language is used in the Stimulsoft controls in the Report Editor.

31155

When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.

31998

In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see https://support.microsoft.com/en-us/help/4295103.

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellComponentNet4 process component through a user-defined Windows PowerShell call.

33026

Schema changes

The following provides an overview of schema changes from version 9.1.1 up to version 9.2.

Configuration Module
  • New column DialogParameter.QueryDisplayType for displaying data in value queries.

  • New column DialogTable.IsApiServerEnabled (in preparation for future functionality).

  • New columns DialogTree.InitScript and DialogTree.ListTitle for context-sensitive displaying of display texts in the user interface.

  • New column QBMHtmlApp.UID_QBMDBPrincipal for mapping the minimum access level for using HTML applications.

  • New column DialogDeferredOperation.XObjectKey.

  • New columns QBMNonLinearDepend.XUserInserted, QBMNonLinearDepend.XUserUpdated, QBMNonLinearDepend.XDateInserted, and QBMNonLinearDepend.XDateUpdated.

  • New tables QBMConfigLibrary and QBMConfigLibraryCategory for providing a configuration library of templates and formatting rules.

  • New table QBMMissingDisplayRight for quickly determining display permissions.

  • New table QBMUserConfig for the internal mapping of user settings.

Target System Synchronization Module
  • New column DPRProjectionConfig.GeneralConcurrenceStrategy for specifying a strategy to detect collisions.

  • New columns DPRProjectionStartInfo.FailureHandlingMode and DPRProjectionStartInfo.FailureHandlingRetryCycles for improved handling of failed objects.

  • New columns DPRProjectionStartInfo.SysConcurrenceCacheLifeTime and DPRProjectionStartInfo.SysConcurrenceCheckMode for improved detection of processing conflicts.

  • New columns DPRSchemaProperty.IsMvpOrderSignificant and DPRSystemMappingRule.MvpOrderBehavior for handling MVP values when detecting rogue modifications.

Target System Base Module
  • New columns TSBVAccountTable.ColumnNameAccDisabled and TSBVAccountTable.IsPersonAuto4Disabled to improve mapping user accounts of locked identities.

  • The columns TSBVUNSDomain.AlternatePropertyCaptions, TSBVUNSRoot.AlternatePropertyCaptions, and UNSRoot.AlternatePropertyCaptions have been deleted.

Azure Active Directory Module
  • New column AADAdministrativeUnit.UID_AERoleOwner for mapping owners of administrative units.

  • New column AADApplication.UID_AERoleOwner for mapping application owners.

  • New column AADServicePrincipal.UID_AERoleOwner for mapping service principal owners.

  • New columns for supporting other Identity Management relevant properties of user accounts.

    • AADUser.EmployeeHireDate

    • AADUser.EmployeeLeaveDateTime

    • AADUser.EmployeeType

    • AADUser.EodCostCenter

    • AADUser.EodDivision

  • New columns for determining user account login times.

    • AADUser.siaLastNISignInDateTime

    • AADUser.siaLastNISignInRequestId

    • AADUser.siaLastSignInDateTime

    • AADUser.siaLastSignInRequestId

  • New column AADOrganization.RoleBehavior for mapping Azure Active Directory role management.

  • New tables for mapping Azure Active Directory role management.

    • AADBaseTreeHasScopedRLAsgn

    • AADBaseTreeHasScopedRLElgb

    • AADGroupInScopedRLAsgn

    • AADGroupInScopedRLElgb

    • AADPrincipalInScopedRLAsgn

    • AADPrincipalInScopedRLElgb

    • AADRole

    • AADRoleAssignment

    • AADRoleEligibility

    • AADRoleManagementPolicy

    • AADScopedRLAsgn

    • AADScopedRLElgb

    • AADUserInScopedRLAsgn

    • AADUserInScopedRLElgb

    • DepartmentHasScopedRLAsgn

    • DepartmentHasScopedRLElgb

    • LocalityHasScopedRLAsgn

    • LocalityHasScopedRLElgb

    • OrgHasScopedRLAsgn

    • OrgHasScopedRLElgb

    • ProfitCenterHasScopedRLAsgn

    • ProfitCenterHasScopedRLElgb

Exchange Online Module
  • New columns for mapping hierarchical address books.

    • AADOrganization.UID_O3EDLHABRoot

    • O3EDL.IsHierarchicalGroup

    • O3EDL.PhoneticDisplayName

    • O3EDL.SeniorityIndex

    • O3EMailbox.PhoneticDisplayName

    • O3EMailbox.SeniorityIndex

Microsoft Teams Module
  • New column O3TTeam.tmsAllowCreatePrivateChannels for specifying whether members can create or update private channels.

  • New table O3TTeamTemplate and new column O3TTeam.UID_O3TTeamTemplate for mapping Teams templates.

Active Directory Module
  • New columns for supporting POSIX properties of user accounts, contacts, and groups.

    • ADSAccount.Gecos

    • ADSAccount.GidNumber

    • ADSAccount.LoginShell

    • ADSAccount.UidNumber

    • ADSAccount.UidPosix

    • ADSAccount.UnixHomeDirectory

    • ADSContact.Gecos

    • ADSContact.GidNumber

    • ADSContact.LoginShell

    • ADSContact.UidNumber

    • ADSContact.UidPosix

    • ADSContact.UnixHomeDirectory

    • ADSGroup.GidNumber

Microsoft Exchange Module
  • New columns for mapping hierarchical address books.

    • EX0DL.IsHierarchicalGroup

    • EX0DL.PhoneticDisplayName

    • EX0DL.SeniorityIndex

    • EX0MailBox.PhoneticDisplayName

    • EX0MailBox.SeniorityIndex

    • EX0MailContact.PhoneticDisplayName

    • EX0MailContact.SeniorityIndex

    • EX0MailUser.PhoneticDisplayName

    • EX0MailUser.SeniorityIndex

    • EX0Organization.UID_EX0DLHABRoot

  • New table EX0VHABMembers for mapping hierarchical address books.

  • New table EX0DLSendAsPerm for mapping send permissions of mail-enabled distribution groups.

Exchange Hybrid Module
  • New columns EXHRemoteMailbox.PhoneticDisplayName and EXHRemoteMailbox.SeniorityIndex for mapping hierarchical address books.

LDAP Module
  • New columns for supporting the eduPerson object class.

    • LDAPAccount.EduPersonAffiliation

    • LDAPAccount.EduPersonAnalyticsTag

    • LDAPAccount.EduPersonAssurance

    • LDAPAccount.EduPersonEntitlement

    • LDAPAccount.EduPersonNickname

    • LDAPAccount.EduPersonOrcId

    • LDAPAccount.EduPersonOrgDN

    • LDAPAccount.EduPersonOrgUnitDN

    • LDAPAccount.EduPersonPrimaryAffiliation

    • LDAPAccount.EduPersonPrimaryOrgUnitDN

    • LDAPAccount.EduPersonPrincipalName

    • LDAPAccount.EduPersonPrincipalNamePrior

    • LDAPAccount.EduPersonScopedAffiliation

    • LDAPAccount.EduPersonTargetedId

    • LDAPAccount.EduPersonUniqueId

Domino Module
  • New columns for supporting Notes roaming user accounts.

    • NDOUser.RoamAB

    • NDOUser.RoamCleanPer

    • NDOUser.RoamCleanSetting

    • NDOUser.RoamExtFiles

    • NDOUser.RoamingUser

    • NDOUser.RoamMode

    • NDOUser.RoamSubDir

    • NDOUser.UID_NDOServerRoamSrvr

OneLogin Module
  • New column OLGUser.AccountDisabled for specifying whether the user account is locked.

Privileged Account Governance Module
  • New tables PAGPartition and PAGPartitionIsManagedBy for mapping partitions.

  • New columns PAGAsset.UID_PAGPartition and PAGDirectory.UID_PAGPartition for mapping partitions.

  • New columns for supporting access requests for API keys.

    • PAGAstAccount.AllowApiKeyRequest

    • PAGAstAccount.HasApiKeys

    • PAGAstAccount.HasTotpAuthenticator

    • PAGAstAccount.IsApplicationAccount

    • PAGUserAttestation.AllowApiKeyRequest

  • New columns PAGReqPolicy.LinkedAccountScopeFiltering and PAGReqPolicy.UseAltLoginName for PAM access request policies.

  • New column PAGEntl.XDateSubItem for mapping the change date of dependent objects.

  • New table PAGAuditLog for mapping audit logs to support Behavior Driven Governance.

Unix Based Target Systems Module
  • New columns for mapping user account login data.

    • UNXAccount.LastLogin

    • UNXAccount.LastLoginString

    • UNXAccount.LastPasswordChange

    • UNXHost.UID_DialogTimeZone

Identity Management Base Module
  • New column Person.LeaveOfAbsenceReason as reason for absence of an identity.

  • New column QERTermsOfUse.IsAcceptRequiresMfa for specifying whether multifactor authentication is required to accept the terms of use.

Company Policies Module
  • New columns QERPolicy.IsToAttestImmediately and QERPolicy.ObjectKeyAttPolicy to support automatic attestation of policy violations.

Attestation Module
  • New column AttestationPolicy.IsNoRunOnEmptyResult to specify whether an empty attestation run is generated when no attestation object was found.

Changes to system connectors

The following provides an overview of the modified synchronization templates and an overview of all patches supplied by One Identity Manager version 9.1.1 up to version 9.2. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.
