
Identity Manager 9.1.2 - Release Notes

Resolved issues

The following is a list of issues addressed in this release.

Table 6: General

Resolved issue

Issue ID

If databases are restored from a database backup, the start of DBQueue processing and the delivery of Job queue processes are synchronized.

35340

An error may occur if the user settings are saved when you close the Designer.

35478

When installing or updating One Identity Manager, custom files were saved in the wrong subdirectory.

36054

In the Script Editor of the Designer, the script list menu is too narrow.

36085

Cumulative transport packages are not displayed correctly in the transport history.

36260

Process collection via HttpJobProvider does not work if SSL is configured for use by the proxy server.

36329

Inconsistencies in the definition of DBQueue Processor task dependencies.

36366

Under certain conditions, the application server cannot be uninstalled completely without errors.

36585, 407733

If the Common | TableRevision configuration parameter is set, operations on base tables may fail and degrade performance.

36602

Under certain circumstances, when the DBQueue Processor replaces processes, entries are retained that reference processes that no longer exist.

36645

When changing the parameter type from calculation to user query, the Table column (calc.) column for the parameter (DialogParameter.UID_DialogColumnCalculate) is not cleared.

36664

Incorrect display of historical assignments in reports if a database view is used as table.

36694

If the Database Agent Service stops when DBQueue Processor tasks are being compressed, data is lost.

36708

The language code nb is missing.

36714

Incorrect conversion of time values with a time of 00:00 and a date format of DateTime.

36745

In the documentation about the Docker container for the One Identity Manager Service, the CONFIGFROMDB parameter is insufficiently described.

36779

References to third-party components incorrect.

36783

An error sometimes occurs in the system configuration overview.

Error message: Divide by zero error encountered.

36822

In the One Identity Manager Installation Guide, port 443 is missing from the list of communication ports.

36851

Watch triggers are not created if a column for different database views is marked for logging data changes and the views are based on the same base table.

36857

In rare cases, a schedule is triggered several times.

36861

The Database Compiler stops responding when it is determining compiler tasks.

36865

An error occurs in Designer when assigning permission groups to applications.

Error message: Object reference not set to an instance of an object.

36879

An error occurs when calculating the display pattern if different data types are used.

Error message: Conversion failed when converting the nvarchar value '<value>' to data type int.

36895

Users from time zones with UTC+00:00 are not able to log in to the Manager web application.

36901

Transport by change label does not transfer the description and comment of change labels.

36904

The comparison of columns with date and time values does not always work correctly.

36945

When upgrading from One Identity Manager version 8.x to a newer version, an error may occur when compiling the type-safe database model.

Error message: Keyword is not valid as an identifier.

36949

Error saving an object change as a planned operation in the Manager if the Manager was started via an application server.

36951

Entries in the Job queue are often marked for recalculation. This blocks Job queue processing.

The DBQueue Processor task QBM-K-JobqueueOverviewInvalid has now been replaced by a trigger.

36962, 36963

Performance issues testing for multi-column uniqueness if objects are added to the One Identity Manager database in bulk.

37027

It is not possible to assign SAP roles to SAP user accounts in the Manager web application.

37032

Error importing data into the QBMDBPrincipal table if it results in duplicate entries relating to database users or login names.

37045

Under certain circumstances, recalculation tasks for the DBQueue Processor that relate to the Target System Base Module (TSB) are not automatically deleted.

37048

Error displaying the QBM_TransportToHistoryDatabase process in the Process Editor if the server function (SQL processing server) is assigned to two Job servers or more.

37050

Changes to templates or formatting scripts in the Designer are not always saved in the database.

37056

Error if DialogDatabase.EditionDescription is marked as isBlobExternal.

37108

The change history view of an object may exceed the IN clause limit of 8000 elements.

37140

The log information from the database is not displayed in the correct order in the system journal.

37155

In Report Editor, report queries and parameters are not assigned to change labels when they are saved.

37212

In the Manager web application, an error sometimes occurs when you double click on an icon.

37242

The definition file for view tables with foreign key relationships created with Schema Extension is missing the foreign key information.

37263

Errors can occur if a template is run on several objects at the same time.

37307

Table 7: HTML web applications

Resolved issue

Issue ID

The Docker container for the API Server does not log by Application Insights.

36484

The index in the Web Portal enters into an endless loop.

36587

User account main data cannot be edited in the Web Portal.

36635

In the Web Portal, clicking outside the request parameter prompt cancels the request.

36813

Under certain conditions, the Web Portal does not display the request history.

36850

In the Web Portal, an error occurs when a custom approval policy is used for approving delegation.

36854

In the German Web Portal an incorrect message is displayed when canceling a request process.

36913

An incorrect time period is used in certain cases when generating reports in the Web Portal.

36987

In the Web Portal, adding products to the shopping cart does not work.

37144

The Web Portal does not use the correct product names in the shopping cart.

317017, 35818

The API Server creates a new session for each request if the same authorization token is used.

405848

In the Web Portal, when creating report subscriptions, the values for the Dynamic time span parameter are not translated.

412455

In the Web Portal, assignment analysis of identity assignments to stores cannot be displayed.

416558

Under certain conditions, changing configuration keys in the Administration Portal causes errors.

416817, 36848

In the Web Portal, certain predefined attestation policies cannot be copied.

417640

The search does not work correctly in the Web Portal.

417655

Request parameters of type query are handled correctly only if the query column is either XObjectKey or a primary key column.

419421

The Web Portal allows delegations to be created without a time limit.

420627

The My Direct Reports tile on the Web Portal's home page cannot always be seen by every manager.

423861

Under certain conditions, the correct display names of objects are not shown in Web Portal.

424382

If a user tries to log in to the Password Reset Portal with an expired passcode, they get the wrong information.

424383

In the Web Portal, instead of the name of an object, the type of the object is displayed twice in the assignment analysis.

424384

Registering a new user in the Password Reset Portal fails.

425107

Under certain circumstances, local changes in the Administration Portal do not take effect.

427943

In the Operations Support Web Portal, existing Job queue tasks are only displayed with a delay.

427945

Testing API methods in the API documentation does not work.

428177

Auto-completion is not available for API Server classes.

428221

The process view in the Operations Support Web Portal displays all the process steps of a process with the same name.

428239

Calculating the loss of entitlements when attestation cases are denied takes too long.

431040, 36691

Under certain circumstances, navigation controls are not displayed for pending attestations in the Web Portal.

431112

Error testing request parameters in the shopping cart if the parameter contains a limiting condition with a variable.

431143, 36878

In the Web Portal, responsibility of the current identity for another identity is not determined correctly.

431242, 37011

Table 8: Web Designer web applications

Resolved issue

Issue ID

Auditors are sent an error message in the Web Designer Web Portal when a session expires.

35565

In the VI_Edit_Multiselect component of the Web Designer, values cannot be cleared.

36558

In the Web Designer Web Portal, it is not possible to unsubscribe a product.

36647

The Web Designer Web Portal does not correctly differentiate between time zones with identical times but different names.

36765

After logging off from the Web Designer Web Portal, redirection to the configured URI does not work if Send redirect URI for the application is configured in the OAuth/OpenID Connect configuration.

36874

The Web Designer Web Portal does not show translation values in some menus.

414583, 36761

Under certain conditions, errors occur in the Web Portal when generating a report.

430783, 33299

In the VI_Edit_Special_Person_TemporaryDeactivated Web Designer component, the IsTemporaryDeactivated parameter cannot be set to readonly.

430790, 33800

Under certain conditions, the Web Designer Web Portal goes into an infinite loop when an error message is displayed and closed.

431048

The Web Designer Web Portal does not identify a rule violation when the shopping cart is checked even though mandatory parameters are not populated.

431063, 36764

Decreased performance in the Web Designer Web Portal when using the Apply To All function in a shopping cart with a lot of items.

431215, 36990

In the Web Designer Web Portal, a request's expiry date is reset if the approval decision was made from an email.

431359, 37121

Table 9: Target system connection

Resolved issue

Issue ID

Error synchronizing against the generic database connector when the synchronization server is set up on a Linux server.

Error message: The time zone ID 'FLE Standard Time' was not found on the local computer.

34451

When removing the Microsoft Exchange mailbox account definition, the Active Directory user account might get deleted.

34839

The Legal age group property on the Azure Active Directory user account (AADUser.LegalAgeGroupClassification) has an undefined value.

35860

Different OneLogin user account properties are changed by each synchronization.

35958

Error reading data with the CSV connector when there is a remote connection to the CSV system.

36126

Memberships in system entitlements that are marked as outstanding are in effect in One Identity Manager. This means that the system entitlements in One Identity Manager cannot be deleted.

36395

In the schema extension file of an SAP R/3 schema, if a function is defined with optional parameters, the properties of each single object are populated with empty values during synchronization. However, in the target system browser, the properties are provisioned correctly.

36425

Insert operations take unexpectedly long if the SCIM provider does not support searching for endpoints with filters.

36459

If the assignment of a BI analysis authorization to a BI user account is deleted in One Identity Manager, the provisioning process does not remove the assignment from the SAP R/3 system.

36517

The One Identity Manager Password Capture Agent Administration Guide does not describe the DeleteJob parameter.

36592

If several synchronization projects exist for a target system, the provisioning tasks might be generated incorrectly for the wrong (inactive) project.

36671

If a Microsoft Teams team is archived, the associated SharePoint Online page can still be edited.

36677

Employees' phone numbers are not mapped to Exchange Online mail users.

36693

SAP user account assignments to SAP roles are not updated correctly if the structure of the SAP roles changes.

36701

The handling of outstanding Exchange Online email users generates unnecessary provisioning tasks for Azure Active Directory groups.

36707

When using PowerShell module v3, an error may occur during synchronization with Exchange Online.

Error message: You must call Connect-ExchangeOnline before calling any other cmdlet.

36709, 37137

When templates for mail-enabled Azure Active Directory groups are reused, it changes the AADGroup.IsSecurityEnabled and AADGroup.IsMailEnabled columns.

36713

The communication data of SAP user accounts is not read correctly from systems with business partner functionality. This happens if the user account is linked to an HCM person (identical personnel number) and separate address and communication data exist.

36754

Error accessing schema properties in the central database of synchronization projects for system synchronization that map M:N schema types or key resolutions.

Error message: The system (...) does not have a data store.

A patch with the patch ID VPR#36755 is available for synchronization projects.

36755

Sometimes the object properties of certain types of SAP R/3 schema extensions are all read correctly in the target system browser, but during synchronization not all properties are accessed.

36768

Missing customizer for OneLogin user accounts (OLGUser table).

36771

An error occurs if the value $null is returned when running a script with the ExecuteScript process task of the PowerShellComponentNet4 process component.

Error message: Object reference not set to an instance of an object.

36776

The OLG_PersonAuto_Mapping_OLGUser script references a non-existing column.

Error message: Column UID_TSBAccountDefUser does not exist.

36788

Assigning group membership fails in an AIX system if there is no permission to use the bin/mv command.

36794

Error synchronizing owners of Azure Active Directory app registration if the owner is a service principal.

A patch with the patch ID VPR#36799 is available for synchronization projects.

36799

Error loading a synchronization project.

Error message: [System.TypeLoadException] Method 'TryConvertFromString' not found.

36815

On the overview form for an SAP composite role, the status of an assigned single role marked as pending is not displayed correctly.

36833

Delta synchronization does not enter the group type of Azure Active Directory groups correctly.

36840

Provisioning of Active Directory groups sporadically fails when memberships and the member are deleted at the same time.

36843

Error synchronizing an SAP R/3 environment if the synchronization configuration contains a schema extension that uses a Where clause longer than 72 characters in the table definition.

36869

Connection error in the SCIM connector when using authentication based on a client certificate, even though the certificate has been validated as correct.

36872

The overview form for Azure Active Directory user account displays disabled group memberships.

36899

In Azure Active Directory, loading user accounts without a picture can cause an ImageNotFound error.

36928

When loading faulty SAP user accounts, the synchronization quits instead of logging the faulty objects and continuing the synchronization.

36931

Under certain conditions, Active Directory synchronization fails with the error: Value cannot be null.

36938

Performance issues when loading SAP user account overview forms.

36941

If booking permissions are processed for an object that still has an element in Microsoft Exchange that is no longer a recipient itself, the error You cannot call a method on a null-valued expression occurs.

36953

Reading the Tenant.AllowedDomainListForSyncClient fails if the data for this property exist in SharePoint Online.

Error message: Object cannot be stored in an array of this type.

36956

Error synchronizing SharePoint Online when a site collection contains a large number of sites.

Error message: The request uses too many resources.

A patch with the patch ID VPR#36961 is available for synchronization projects.

36961

When synchronizing an SAP R/3 environment with revision filtering, all user accounts are loaded, not just the changed ones.

Error message: Object list of type USER is not able to read property BAPIUCLASS~SYSID. Subsequent loading of all single objects will affect performance.

A patch with the patch ID VPR#36970 is available for synchronization projects.

36970

When loading a SCIM schema with schema extensions, the list of names of the schema extensions included is empty.

A patch with the patch ID VPR#36985 is available for synchronization projects.

36985

Error in the generic database connector for Oracle Database when reading large numerical values from a table column of type NUMBER(20).

Error message: Arithmetic operation resulted in an overflow

36993

Error loading objects of the ExternalEmail schema type when the entire Google Workspace customer is assigned as a member to a Google Workspace group.

37024

Error starting provisioning if there are object references for the changed object that were ignored during synchronization.

Error message: Unable to cast object of type 'System.Byte[]' to type 'System.IComparable'.

37031

Incorrect conversion of date values in the generic database connector.

37037

Error in CSV connector when handling object references.

37039

Synchronizing memberships does not clean the synchronization buffer if Ignore case is enabled on the value comparison rule.

37062

On the main data forms of user accounts the values in the Category property are not displayed correctly.

37070

Delta synchronization of Azure Active Directory user accounts without a manager fails.

37088

In the attributes parameter of an HTTP GET request, the names of properties defined in an overlay file are not formatted according to RFC.

37099

Error in the RACF connector if the RemoteConnectPlugin is used.

37103

Filters generated in the SCIM connector may have an unnecessary bracket level. Some SCIM providers return a Bad request status due to these filters.

37119

Error in the template for OLGUser.status.

37138

SAP schema extensions with nested Where clauses in the table definition do not return the expected data sets.

37146

Arbitrary changes to the SAPComSMTP.SMTPAddr column definition cause an error.

37169

If a connection parameter is deleted in the connector definition of a synchronization project for connecting a target system via the Windows PowerShell connector and then the target system schema is reloaded, the connection parameter is not updated in the One Identity Manager database (DPRSystemConnection.ConnectionParameter).

NOTE: The problem does not occur once the service pack has been installed. If a connection parameter was deleted in the connector definition before installing the service pack, contact support to clean up DPRSystemConnection.ConnectionParameter.

37223

Write protection for a synchronization project opened by multiple users at the same time in Synchronization Editor does not work correctly.

37261

Possible errors when synchronizing a SharePoint Online environment.

Error message: Duplicate key (reference resolution)

A patch with the patch ID VPR#37272 is available for synchronization projects.

37272

A process stops responding during provisioning if a new Notes user account has a password longer than 63 characters.

37302

Memberships in application roles are not written when synchronizing with the CSV connector if the primary key of the Person table is used as the key property in the mapping.

37306

Table 10: Identity and Access Governance

Resolved issue

Issue ID

If an approver can approve several approval steps at the same approval level, approval that is granted is not accepted although the QER | ... | ReuseDecision configuration parameter is set.

35517

Base objects for events on PersonWantsOrg and AttestationCase are not correct.

36430

If a product is moved to another shelf, renewal requests are not reset.

36634

In some cases, an error occurs when transporting approval workflows.

Error message: PWODecisionStep: Write permission denied for value "CountApprover".

36641

Product owners of Exchange Online distribution groups are not removed from the application role.

36668

Poor performance loading the list of attestation cases.

36739

In the Manager, the date for creating user accounts (Person.TechnicalEntryDate) cannot be set to the person's start date (Person.EntryDate).

36758

Permissions for the product owner vi_4_ITSHOPADMIN_OWNER missing for various tables.

36777

In the Manager, employees cannot be deleted or inserted in the results list of inactive employees.

36784

The auxiliary table for request procedures (PWOHelperPWO) sporadically contains duplicate entries.

36805

Performance issues when processing DBQueue Processor tasks.

36826

If exception approval is not permitted for a company policy, the Checked (IsDecisionMade), Decision on (DecisionDate), and the reason (DecisionReason) properties are no longer automatically set when policy violations are calculated.

36921

If products with a validity period (Max. days valid) are requested and the valid-until date is earlier than the end of the validity period, the valid-until date is automatically extended to match the length of the validity period.

36923

The VI_MassDeleteDelegate script fails with an error message if one of the requests has the status Canceled.

36924

Error in the QER_PSlotResetOnInvalidRoot procedure.

36955

Sporadic error in the Created by QBMDBQueueProcess: handle object update for object type ITShopOrg process. After being re-enabled, the process runs without errors.

36965

If the QER | Attestation | ReuseDecision configuration parameter is set, approval granted by a previous approval step is not accepted if an intermediate approval step was denied approval.

37051

The compliance check in the shopping cart causes a rule violation for a subidentity although the subidentity did not break the rule.

37079

Calculation tasks are set for the compliance check when identities are added if the rule condition applies to all identities.

37097

Error importing enabled company policies with the Database Transporter.

Error message: QERPolicy: Write permission denied for value "IsWorkingCopy".

37098

When calculating the risk index for an object, # is entered as Changed by (XUserUpdated).

37130

Incorrect sort order in the Request History report in the Manager.

37135

Error in the formatting script for AOBApplication.NextRunDate when determining a valid date value.

37150

Typo in the German version of the IT Shop request - expires mail template.

37221

If an employee can approve a request when they are a regular approver as well as being a member of the chief approval team, the approval history sometimes logs the chief approval team as approver rather than the regular approver.

37308

In a multi-step approval process with automatic approval, a request is denied even though the DecisionOnInsert configuration parameter is set. The error occurs if, after approval is denied for the approval level, the requester is an approver for further approval levels.

37370

Not enough information is displayed to product owners about a service item.

37387

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 11: General

Known Issue

Issue ID

Error in the Report Editor if columns are used that are defined as keywords in the Report Editor.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

23521

Access errors can occur if several instances of the Web Installer are started at the same time.

24198

Headers in reports saved as CSV do not contain corresponding names.

24657

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Error connecting via an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.

27793

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

29535

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the servers is done by Distributed Transaction. If a Save Transaction is run in the process, an error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

30972

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.

31322

Variables are used in a report and there are customized translations given for these variables in the Report Editor. However, the variables are not translated in the report that is generated.

Cause: When reports are generated, the translations of default variables as displayed in the Report Designer dictionary below the Quest category are overwritten with the values from the One Identity Manager database.

Solution: Create your own variables and store them outside of the Quest category in the Report Designer dictionary. These variables can be translated.

36686

The consistency check Columns of type varchar(38) not PK and not FK. identifies issues with columns that are varchar(38) long but are not labeled as UID columns.

Solution: Choose a different column length when extending the schema. According to the modeling guidelines, columns with a length of varchar(38) are reserved for columns that map a UID.

37072

Table 12: Web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.

32364

It is not possible to use the Web Designer to place a link in the header of the Web Portal next to the company name/logo.

32830

In the Web Portal, it is possible to subscribe to a report without selecting a schedule.

Workaround:

  • Create an extension to the respective form, which displays a text message under the menu explaining the problem.
  • Add a default schedule to the subscribable report.
  • In the Web Designer, change the Filter for subscribable reports configuration key (VI_Reporting_Subscription_FilterRPSSubscription) and set the schedule's Minimum character count value (UID_DialogSchedule) to 1.

32938

If the application is supplemented with custom DLL files, an incorrect version of the Newtonsoft.Json.dll file might be loaded. This can cause the following error when running the application:

System.InvalidOperationException: Method may only be called on a Type for which Type.IsGenericParameter is true.
at System.RuntimeType.get_DeclaringMethod()

There are two possible solutions to the problem:

  • The custom DLLs are compiled against the same version of the Newtonsoft.Json.dll to resolve the version conflict.

  • Define a rerouting of the assembly in the corresponding configuration file (for example, web.config).

    Example:

    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30AD4FE6B2A6AEED" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0"/>
      </dependentAssembly>
    </assemblyBinding>

33867

In the Web Portal, the details pane of a pending attestation case does not show the expected fields if the default attestation procedure is not used, but a copy of it is.

Solution:

  • The object-dependent references of the default attestation procedure must also be adopted for the custom attestation procedure.

34110

Table 13: Target system connection

Known Issue

Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

23795

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, provided that no primary SIP addresses have been stored so far.

27042

Error in Domino connector (Error getting revision of schema type ((Server))).

Probable cause: The HCL Domino environment was rebuilt, or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the HCL Domino environment.

27126

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.

27359

Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to the user account.

    - OR -

  • A company is assigned to the central system.

29253

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will come into effect later.

Cause: The BAPI_EMPLOYEE_GETDATA function is always run with the current date. Therefore, changes are taken into account on the exact day.

Solution: To synchronize personnel data in advance that comes into effect later, use a schema extension and load the data from the table PA0001 directly.

29556

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact, and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.

31904

If date fields in an SAP R/3 environment contain values that are not in a valid date or time format, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version 3.0.15.0 or later must be installed on the synchronization server.

IMPORTANT: This workaround should only be used if there is no alternative because it skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.
    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">
        <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.0.0.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />
      </sectionGroup>

    • In the new section:

      <SAP.Middleware.Connector>
        <GeneralSettings anyDateTimeValueAllowed="true" />
      </SAP.Middleware.Connector>

32149

The file that the PowershellComponentNet4 process component generates through the OutputFile parameter does not contain any error messages.

Cause:

No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.

Solution:

Messages in the script can be redirected with the *> operator to a file specified in the script.

Example:

Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. To force the script to stop on an error, throw an exception. This message then appears in the One Identity Manager Service's log file.
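The redirection described above, as an added example that is not One Identity code: because *> also captures the success stream, this wrapper merges all streams with *>&1, writes message records to the file, and leaves result objects in the pipeline. The function name and the sample work block are hypothetical; messages.txt is the file name from the example above.

```powershell
# Added example, not product code. Invoke-WithMessageLog and the sample
# work block are hypothetical; messages.txt is the file name used above.
function Invoke-WithMessageLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [scriptblock] $Work,
        [string] $MessageFile = 'messages.txt'
    )
    $messageTypes = @(
        [System.Management.Automation.ErrorRecord],
        [System.Management.Automation.WarningRecord],
        [System.Management.Automation.VerboseRecord],
        [System.Management.Automation.DebugRecord],
        [System.Management.Automation.InformationRecord]
    )
    try {
        # *>&1 merges every message stream into the success stream so the
        # records can be separated from real results by type.
        & $Work *>&1 | ForEach-Object {
            $item = $_
            $type = $messageTypes | Where-Object { $item -is $_ } | Select-Object -First 1
            if ($type) {
                $kind = $type.Name -replace 'Record$'
                '{0:o} [{1}] {2}' -f (Get-Date), $kind, $item |
                    Add-Content -Path $MessageFile
            }
            else {
                $item   # result objects stay in the pipeline (the export)
            }
        }
    }
    catch {
        # throw is terminating and is not redirected: log it, then rethrow
        # so the step fails and the service log receives the message.
        '{0:o} [Fatal] {1}' -f (Get-Date), $_ | Add-Content -Path $MessageFile
        throw
    }
}

# Constructed usage: the object is returned, the warning goes to the file.
Invoke-WithMessageLog -Work {
    Write-Warning 'I am a message'
    [pscustomobject]@{ Account = 'demo.user'; Enabled = $true }
}
```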

32945

The Google Workspace connector cannot successfully transfer Google applications user data to another Google Workspace user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advanced settings for Google Workspace, save a user data transfer XML. In this XML document, limit the list to the user data to be transferred. Only run the Google applications that have user data you still need. For more information and an example XML, see One Identity Manager Administration Guide for Connecting to Google Workspace.

33104

In the schema type definition of a schema extension file for the SAP R/3 schema, if a DisplayPattern is defined that has a different name in the SAP R/3 schema than in the One Identity Manager schema, performance issues may occur.

Solution: Leave the DisplayPattern empty in the schema type definition. Then the object's distinguished name is used automatically.

33812

If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.

Solution:

Avoid appending spaces in the target system.

33448

The process of provisioning object changes starts before the synchronization project has been updated.

Solution:

Reactivate the process for provisioning object changes after the DPR_Migrate_Shell process has been processed.

 

After an update from SAP_BASIS 7.40 SP 0023 to SP 0026 or SAP_BASIS 7.50 SP 0019 to SP 0022, the SAP R/3 connector can no longer connect to the target system.

34650

After upgrading from One Identity Manager version 8.0 or version 8.1 to One Identity Manager version 8.2.1 or later, PowerShell scripts that reference the Az PowerShell module (Import-Module Az) may not work. In a PowerShell launched on the same host, the scripts work without errors. Error messages are logged when the ExecuteScript process task is run by the PowerShellComponentNet4 process component.

Example:

Entry point was not found.

Cause:

One Identity Manager version 8.2.1 or later ships with a specific version of the Azure.Core.dll library. The custom PowerShell script may, however, depend on a newer version of the Az PowerShell module. When the One Identity Manager Service runs the script, it uses the locally stored Azure.Core.dll, which breaks the dependency.

Possible workarounds: Check whether the following workarounds work with respect to input parameters and return values.

  • Call PowerShell as a subprocess

    To run a PowerShell command out of the current process, start a new PowerShell process directly with the command call:

    pwsh -c 'Invoke-ConflictingCommand'

  • Use the CommandComponent process component with the Execute process task to launch the PowerShell application with the following command call.

    powershell -c 'Invoke-ConflictingCommand'
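The subprocess workaround above, as an added example that is not One Identity code, focused on the input parameter and return value question: values are handed to the child through a script block and -args instead of being pasted into the -c string, and the exit code is checked. Invoke-ConflictingCommand is the page's placeholder; Invoke-InChildPowerShell, the AccountName parameter and the sample value are hypothetical.

```powershell
# Added example, not One Identity code. Invoke-InChildPowerShell, the
# AccountName parameter and the sample value are hypothetical.
function Invoke-InChildPowerShell {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [Parameter(Mandatory)] [object[]] $ArgumentList,
        [ValidateSet('pwsh', 'powershell')] [string] $Shell = 'pwsh'
    )

    # Passing a script block (not a string) makes PowerShell serialize the
    # block and the -args values for the child, so argument values arrive
    # as data and are never re-parsed as script text.
    $result = & $Shell -NoProfile -NonInteractive -Command $ScriptBlock -args $ArgumentList

    # A terminating error in the child ends it with a non-zero exit code.
    if ($LASTEXITCODE -ne 0) {
        throw "Child $Shell process failed with exit code $LASTEXITCODE."
    }

    # Results come back deserialized: property values survive, methods and
    # live connections of the original objects do not.
    $result
}

$work = {
    param([string] $AccountName)
    $ErrorActionPreference = 'Stop'   # any error fails the child process
    # Import-Module Az and the call to Invoke-ConflictingCommand (the
    # page's placeholder) belong here; the module then loads its own
    # dependencies in the child instead of the service's Azure.Core.dll.
    [pscustomobject]@{ AccountName = $AccountName; ChildPid = $PID }
}

# Constructed value with an apostrophe, which would break the quoting of
# a -c '...' command string but is passed through unchanged here.
Invoke-InChildPowerShell -ScriptBlock $work -ArgumentList "O'Brien"
```

With the CommandComponent variant there is no parent PowerShell session to deserialize objects, so return values there are limited to the process output and exit code.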

37116

Table 14: Identity and Access Governance

Known Issue

Issue ID

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

31997

If an assignment is inherited through a role hierarchy, bit 1 is set on the inherited assignment. Inherited assignments are consequently always indirectly assigned, even if they were originally created directly by a dynamic role or an assignment request.

35193

If a service item has its Max. days valid option reduced such that approved requests are already expired, these requests cannot be unsubscribed anymore.

Solution:

Create a process for the AccProduct base object that is triggered when changes are made to AccProduct.MaxValidDays. The process calculates the 'valid until' date for these requests (PersonWantsOrg.ValidUntil) from PersonWantsOrg.ValidFrom and AccProduct.MaxValidDays.

Afterward, you can unsubscribe the requests.

36349

In One Identity Manager 9.1.2 or older versions, rule conditions cannot be read by compliance rules that were created with One Identity Manager 9.2 or newer.

35131

Table 15: Third party contributions

Known Issue

Issue ID

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers for security reasons.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

29051

Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see https://github.com/mono/mono/issues/7455.

762534, 762548, 29607

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016: KB4462928

  • Windows Server 2012 R2: KB4462926, KB4462921

  • Windows Server 2008 R2: KB4462926

One Identity does not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory group provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.

30575

Under certain conditions, the wrong language is used in the Stimulsoft controls in the Report Editor.

31155

When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.

31998

In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see https://support.microsoft.com/en-us/help/4295103.

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellComponentNet4 process component through a user-defined Windows PowerShell call.

33026

Schema changes

One Identity Manager version 9.1.2 does not contain any changes to the schema compared to version 9.1.1.

Changes to system connectors

The following provides an overview of the modified synchronization templates and an overview of all patches supplied by One Identity Manager version 9.1.1 up to version 9.1.2. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.
