Chat now with support
Chat with Support

Identity Manager 9.2.1 - Release Notes

Resolved issues

The following is a list of issues addressed in this release.

Table 6: General

Resolved issue

Issue ID

Error handling processes after a database was restored from a backup.

Error message: Script assembly WebServices_<...> not found in 'DialogScriptAssembly'.

430839, 35340

The Configuration Wizard does not process calculation tasks for the DBQueue Processor when a database is restored.

430950, 36428

An update migration from One Identity Manager versions 8.1.x or 8.2.x with granulated permissions to versions 9.0, 9.1, or 9.2 leaves behind permissions for the msdb database that are no longer required.

NOTE: Use the Modules\QBM\dvd\AddOn\SDK\SQLSamples\MSSQL2K\SDK_Remove_Rights_on_msdb.sql SDK script to remove permissions that are no longer required for the msdb database.

430965, 36480

Using single sign-on to log in to the Manager does not work if the web application is connected via an application server.

431124, 36849

Token authentication on the application server using OAuth2.0/OpenID Connect on the /api/script/... endpoint does not work.

431256, 37025

In the Report Editor, report queries and parameters are not assigned to change labels when they are saved.

432633, 37212

In the Manager web application, an error sometimes occurs when you double click on an icon.

433747, 37242

The definition file for view tables with foreign key relationships created with Schema Extension is missing the foreign key information.

433801, 37263

An error occurs logging in to the Launchpad via OAuth.

436327, 37289

Errors can occur if a template is run on several objects at the same time.

436367, 37307

If the Common | ProcessState | PropertyLog | AllDefaultPropertiesForModel configuration parameter is set, changes to account definition assignments to roles and organizations are now also logged.

438090

Threshold values of predefined statistics definitions can now be configured by customers.

438821

Errors can occur when process history records are transferred to the History Database.

Error message: Cannot insert duplicate key in object 'dbo.HistoryJob'.

438926, 37336

An error sometimes occurs when a session is discarded in the application server client.

Error message: System.ObjectDisposedException: The session is already disposed.

438971, 37367

Updating the database from One Identity Manager version 8.2.x to version 9.2.x fails.

IMPORTANT: Before you update a database with One Identity Manager version 8.2.x to a version 9.2.x, run the QBM\Database\MSSQL\040Procedures\QBM_GCommon2\QBM_PWriteDialogJournal.sql script in a suitable program for running SQL queries.

439671, 37341

Errors can occur selecting multiple processes in the Job Queue Info.

439761, 37410

If the SQL Server name contains special characters (such as \, ?, or :), the Database Transporter generates an invalid name for the transport file. Special characters are now replaced with an underscore (_).

439766

In certain constellations, schedules are started twice within a minute.

440501, 37439

Errors sometimes occur in Job Queue Info if there are entries from History Database to be displayed.

440504, 448996

Installing of the One Identity Manager schema in an empty database fails if the installation user used is not a member of the dbcreator server role.

440506, 37442

Compilation error when updating the One Identity Manager database to version 9.2 if the QER | Policy configuration parameter was not set in the existing installation.

440668

Incorrect calculation and evaluation of the effectiveness of historical assignments in reports.

440795

An error occurs transporting change labels that contain delete operations on schema data.

Error message: Object of type Additional view definition does not exist in database or you do not have the relevant viewing permissions.

441417

After reactivating process steps, warnings are recorded in the system journal.

441496

If the Debug information level is used for logging, errors may occur when front-ends open.

441518

In the Job Queue Info, filters in the process history are incorrect.

441675, 439759

Clicking elements in the result list sometimes triggers a drag and drop event that might result in subsequent errors.

441687

The DBQueue Processor task for creating database server permissions fails if the schema name contains a backslash (\).

441824

If the Address parameter in a process that sends an email notification is empty, the process does not fail.

442110

Incorrect calculation of the time zone for the database server.

442372

If a failed process step is manually forwarded to the error branch or the success branch, the information is logged in the subsequent process step.

442773

If the top process step in a process is moved, the necessity to compile is not detected.

443440

Performance issues running the maintenance task to reduce the process history.

445873

Data is missing in simple list reports that use the VI_Reporting_DefaultTemplate default report as a template.

445921

In Job Queue Info, filters on the JobHistory table that were created in an older One Identity Manager version are no longer displayed.

446319

Under certain conditions, deleting entries from the system journal causes performance problems or blocks the database.

447189

Under certain conditions, an error occurs when running the SQL Clause Executable (QER) consistency check.

448312

The English country code for the Republic of Türkiye has been corrected (Türkiye).

448328

Entries for the Pwd_DeniedChars and Pwd_Quality translation keys are missing in the database. These are used in the description of the password rules.

448584

Performance issues after updating a History Database.

449127

If Change Data Capture (CDC) is enabled for the One Identity Manager database, the Missing tables in dialogtable (base) consistency check fails.

454318

Sporadic error processing the DBQueue Processor QBM-K-XDateSubItemUpdateFU task.

Error message: Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 2.

454751

Table 7: HTML5 web applications

Resolved issue

Issue ID

In the Web Portal, the search sometimes quits and shows an error.

298020

An error occurs in the Web Portal if a report is made available for identities that have already been indirectly assigned.

314229

The list of approvers and attestors in the Web Portal is not complete.

418493

The system status is not displayed correctly in the Operations Support Web Portal.

425740

When attesting PAM user accounts, the wrong times are displayed in the Web Portal in the date for the last login and the last use.

426940

When a manager selects their employees' rule violations, queries can take a very long time.

430675, 36684

The Web Portal search does not return the correct results if an asterisk (*) is included as a placeholder.

430895, 36032

In the Web Portal, no service item can be created for an Active Directory group.

430940, 36377

Calculating the loss of entitlements when attestation cases are denied, takes too long.

431042, 36691

In the Web Portal, request properties for products in a service category are not inherited correctly by the products in the child service categories.

431218, 36991

In the Web Portal, responsibility of the current identity for another identity is not determined correctly.

431242, 37011

In the Web Portal, the Sponsor column is not displayed when approving attestation cases for new self-registered users.

433416

In the Operations Support Web Portal, the Passwords tab in the identity overview is empty.

433599

In the Web Portal, under certain conditions, the selected recipients displayed for a new request do not match the actual selection.

433900

The Password Reset Portal does not allow password questions to be edited.

434134

Certain reports cannot be created in the Web Portal.

438184

The API Server does not start under Linux.

438416

In the Web Portal, displaying user accounts (UNSAccount) in the Data Explorer takes too long.

438910, 37323

The Web Portal does not update the number of pending requests, attestations, and rule violations.

439550, 446476

In the Web Portal, it is possible to create a delegation although the Valid until mandatory value is empty.

439722, 37364

The search and filter for product bundles does not work in the Web Portal and causes other errors.

439918

Under certain conditions, it is not possible to use password questions to log in to the Password Reset Portal because the incorrect function is used to find the current user.

440142

The API Server sometimes does not extract/process the HTML5 web applications correctly.

440193

The Web Portal does not transfer all the request parameters for products to the shopping cart.

440206, 37386

In the Web Portal, the scrollbar is missing on the list of attestors for an attestation run.

440478

In the Web Portal, opening the Compliance Rules page causes an error if you have previously saved a custom view.

440720

If you call up a URL that opens the Web Portal requests page with a predefined search query, the search field is not filled out correctly and the search is not run.

440745

Although the configuration parameters for peer group analysis have been disabled (QER | ITShop | PeerGroupAnalysis | CheckCrossfunctionalAssignment, QER | Attestation | PeerGroupAnalysis | CheckCrossfunctionalAssignment, QER | ITShop | PeerGroupAnalysis, QER | Attestation | PeerGroupAnalysis), the associated approval recommendations are still calculated and displayed to Web Portal users.

440964

Installation of the API Server with an account-based system user fails.

441944

In the Operations Support Web Portal, process steps that are not at root level cannot be run again.

442934

Under certain conditions, the Web Portal is not displayed completely in the correct language.

443351

In the Web Portal, an error occurs if you open the shopping cart containing a product that is not assigned to a service category.

444242

A product is placed in the Web Portal shopping cart even though the action was canceled.

444465

When exporting attestation cases from the Web Portal, the names of the objects involved are not displayed correctly.

444713

The script for determining the value is not run correctly. This means that no initial values for request properties are displayed in the Web Portal.

445163

Some configuration settings of API Servers are not loaded correctly from the configuration files.

446293

Error creating an attestation policy in the Web Portal if an attestation procedure is assigned that was copied from a default attestation procedure.

Error: The SQL statement in the field 'Condition' is not correct. (4373909)

446829

In the Web Portal, no more than 20 child service categories of a service category can be displayed when requesting products.

446996

In the Web Portal, the list of products is not reloaded on the requests page after the recipient has been changed.

447002

The Web Portal does not always display all the entries in a drop-down.

447039

The color of the header bar in HTML5 web applications cannot be completely changed using a custom theme.

447474

The Log in button in the web applications hardly differentiates from the background and is therefore barely visible.

447713

In the Web Portal, not all associated entitlements are displayed in the requestable product details.

448406

The Web Portal does not display a scroll bar in the identity organization chart.

448531

In the Web Portal, product owners cannot unsubscribe requests for membership in system entitlements they manage.

449030

If the RISKINDEX preprocessor condition is not set, the API cannot be compiled.

449036

In the Web Portal, it is not always possible to change the format of the reports to be displayed.

449616

In the Web Portal, an error occurs if a pending attestation is opened.

450403

The Web Portal does not show the history of identities without user accounts if the user accounts have been deleted in the meantime.

452688

When editing a dynamic role, the Web Portal always displays certain condition values as disabled, even though they are enabled.

453346

Table 8: Web Designer web applications

Resolved issue

Issue ID

Under certain conditions, the View Settings menu in the Web Designer Web Portal is shown twice.

430862, 35722

Variables in code are no longer detected in the Web Designer.

430908, 36145

Under certain conditions, the Web Designer Web Portal goes into an infinite loop whilst displaying and closing an error message.

431050, 36706

The Web Designer Web Portal does not correctly differentiate between time zones with identical times but different names.

431068, 36765

Under certain conditions, you can display logs in the Web Designer Monitor.

431165, 36910

In the Web Designer, it is possible to select the Extended properties options on a Warning node.

431199

Decreased performance Web Designer Web Portal when using the Apply To All function in a shopping cart with a lot of items.

431217, 36990

Hyperviews of system entitlements cannot be displayed in the Web Designer Web Portal.

438977, 37369

The Web Designer Web Portal incorrectly displays a time picker for the Disable until property in identity main data.

440431

The Web Designer Web Portal does not display all information in a hyperview.

440490

In the Web Designer Web Portal, editing properties of multiple products in the shopping cart does not work properly.

440970

Color settings in the Web Designer Web Portal are not applied correctly.

441410

In the Web Designer Web Portal hyperviews, there are no more forwarding links.

442036, 37436

In the Web Designer Web Portal, pressing the Enter key in the filter dialog does not always work.

442101

The Web Designer Web Portal does not correctly identify all time zones. This causes an error.

442109

In the Web Designer, translations cannot be customized manually.

446017

In the Web Designer Web Portal, errors occur in the group count and in pagination when data is grouped.

446226

The Web Designer Web Portal does not show the history of identities without user accounts if the user accounts have been deleted in the meantime.

454468

Under certain conditions, errors occur in the Web Designer Web Portal when generating reports.

4723794, 33299

Table 9: Target system connection

Resolved issue

Issue ID

When removing a Microsoft Exchange mailbox account definition, the Active Directory user account might get deleted.

430816, 34839

Error provisioning outstanding cloud user accounts.

430832, 35201

Changes to an identity's telephone numbers are not forwarded to Exchange Online mail users with the Full managed manage level.

431043, 36693

Performance issues when loading SAP user account overview forms.

431183, 36941

If a connection parameter is deleted in the connector definition of a synchronization project for connecting a target system via the Windows PowerShell connector and then the target system schema is reloaded, the connection parameter is not updated in the One Identity Manager database (DPRSystemConnection.ConnectionParameter).

NOTE: The problem does not occur once the service pack has been installed. If a connection parameter was deleted in the connector definition before installing the service pack, contact support to clean up DPRSystemConnection.ConnectionParameter.

433714, 37223

The Domino connector does not recognize users or person documents that were newly created in Domino only shortly before synchronizing with the One Identity Manager database.

433740, 37238

When testing the connection settings in the project wizard, the SCIM connector cannot establish a connection to the cloud application if OAuth authentication is used and the connection parameter contains special characters.

433792, 37260

Write protection for a synchronization project opened by multiple users at the same time in Synchronization Editor does not work correctly.

433795, 37261

Possible errors when synchronizing a SharePoint Online environment

Error message: Duplicate key (reference resolution)

A patch with the patch ID VPR#37272 is available for synchronization projects.

433821, 37272

An error sometimes sporadically occurs when evaluating a synchronization simulation.

Error message: Object not set to a reference of an object.

436301, 37279

User accounts that are automatically created via account definitions are not enabled because the account expiry date is set to a value in the past if the last working day entry for associated identities is not given.

436313, 37284

Memberships in Azure Active Directory administrator roles cannot be loaded.

436354, 37303

Memberships in application roles are not written when synchronizing with the CSV connector if the primary key of the Person table is used as the key property in the mapping.

436363, 37306

An error occurs loading LDAP groups with a lot of members.

Error message: Invalid data. Data of type (System.Object[]) is not supported.

438967, 37365

Error loading a PostgreSQL database schema.

Error message: [System.OverflowException] Arithmetic operation resulted in an overflow.

438984, 37371

After changing the membership in a system entitlement, the DBQueue Processor task for updating the XDateSubItem column is not reset, even though there are processing tasks for the same object in the Job queue.

438992, 37376

Group memberships of Azure Active Directory user accounts are deleted when the corresponding memberships in Exchange Online are enabled.

439006, 37384

When synchronizing SAP authorization objects, not all objects in the USOBHASH table are read into the One Identity Manager database if SAP BASIS version 7.57 (SAP S/4HANA 2022) or later is used in the synchronized SAP R/3 environment.

Import the current SAPTRANSPORT_70.ZIP transport into the SAP R/3 system you want to synchronize. This uses the /VIAENET/LISTUSOBHASH function module instead of the AUTH_TRACE_GET_USOBHASH SAP module. When accessing SAP R/3, the SAP R/3 connector checks whether the /VIAENET/LISTUSOBHASH function module is available and uses it. This synchronizes all objects in the USOBHASH table. The synchronization log records whether the /VIAENET/LISTUSOBHASH function module is used.

440164

Error establishing a remote connection in the Synchronization Editor.

Error message: An existing connection was forcibly closed by the remote host.

440477, 37430

Some of the PAM asset group and PAM account group columns are too short.

440493, 37437

Error writing data to tables in a PostgreSQL database if the table contains a column whose value is incremented automatically.

440899

Under certain conditions, an error occurs when synchronizing Exchange Online.

Error message: You must call Connect-ExchangeOnline before calling any other cmdlet.

440909

If the token directory for the Azure Active Directory delta synchronization is not configured correctly, a more meaningful error is displayed.

441249

System users who have read-only permissions were able to delete, reset, and publish objects on the form for target system synchronization objects.

441968

An error occurs loading LDAP synchronization projects from older One Identity Manager versions.

442114

Error setting up synchronization with the generic database connector for the generic ADO.NET provider, SAP HANA databases, and DB2 (LUW) databases if the connection configuration is loaded from a UDL file.

Error message: DistributionConnector: Error connecting the system. Unable to load the UDL file.

442883

If several synchronizations are run in parallel from a start up sequence and at least two synchronizations are completed at the same time, it is possible that the start up sequence never completes.

443582

Error connecting to a cloud application using the SCIM connector if authenticating via the OAuth protocol 2.0.

A patch with the patch ID ADO#444262 is available for synchronization projects.

444262

In the Manager, an account definition cannot be selected on the main data form when creating a new Active Directory contact.

444696

Error creating a synchronization project with the One Identity Manager connector if the connected database is older than version 9.0.

444875

Error in the One Identity Manager connector when connecting to a version 8.2 database.

Error message: Invalid column name 'SyncInfo'.

445135

Assignments of cloud user accounts to cloud groups are not deleted from the One Identity Manager database during synchronization under the following conditions:

  • Synchronization is configured so that objects are deleted immediately if they only exist in the database.

  • These are direct assignments.

  • Assign by event is enabled for the CSMUserInGroup table.

445879

Target system objects that are loaded in the One Identity Manager database via a remote connection sometimes have incorrect display names.

446392

Some steps are missing in the report on simulating a synchronization with revision filtering.

446827

One Identity Safeguard users who use Active Directory as their identity provider cannot be removed from local One Identity Safeguard user groups.

447214

The O3EMailbox.AdditionalResponse column is too short.

447424

Occasionally, when re-enabling a failed process for creating Active Directory user accounts, a user account might be created without a password although the password was originally set.

448865

Performance issues when loading Azure Active Directory role eligibilities.

449166

The Exchange Online mailbox permissions for full access are not synchronized correctly.

449217

Error simulating a synchronization if a remote connection is used to reach the target system.

450049

In the setup for the system connection to an Oracle Database with the generic database connector, columns that allow NULL values are selected as unique keys.

450660

When configuring synchronization with the generic database connector, columns with the data type Integer cannot be selected as the preferred key.

450662

The virtual property for data conversion causes an error when converting dates if the time zone of the base value differs from the local time zone.

452616

Objects that are not modified but contain unresolvable memberships still add to the quota defined in the synchronization step. This can cause synchronization to quit.

452674

Outstanding Azure Active Directory objects are not shown in the target system synchronization in the Manager.

453248

After switching to version 3.1 of SAP .Net Connector, assignments of SAP roles to SAP user accounts were sometimes not synchronized from patch 3 onwards because the corresponding user account was not found.

454283

Table 10: Identity and Access Governance

Resolved issue

Issue ID

Poor performance loading the list of attestation cases.

431058, 438951, 444125, 36739

A manager's permissions for creating new departments, locations, cost centers, or business roles are too extensive.

431370, 37129

When delegating responsibilities for hierarchical roles, the value for role/organization (PersonWantsOrg.ObjectKeyOrgUsedInAssign) is not formatted correctly in the request process.

431390, 37142

A delegator receives notifications about the request approvals that are irrelevant.

433752, 37243

Poor performance deleting an IT Shop shelf.

436343, 37296

If an identity can approve a request when they are a regular approver as well as being a member of the chief approval team, the approval history sometimes logs the chief approval team as approver rather than the regular approver.

436371, 37308

Under certain conditions, email notifications about a request approval are not sent, even though email notifications are configured correctly.

438917, 37328

If a product is canceled while the request renewal process is running, the renewal workflow is run instead of the cancellation workflow.

438935, 37344

For the XM, CM, and PW approval procedures, attestors are not recalculated if an attestor has delegated the approval.

438946, 37354

In a multi-step approval process with automatic approval, a request is denied even though the DecisionOnInsert configuration parameter is set. The error occurs if, after approval is denied for the approval level, the requester is an approver for further approval levels.

438980, 37370

Not enough information is displayed to product owners about a service item.

439011, 37387

The SAC_FTProfileInSAPFunction function returns incorrect results if an SAP function consists of more than one transaction. This leads to unexpected results, depending on the order of the transactions within the SAP function.

439016, 37389

Incorrect recalculation of the attestors if a regular attestor is initially also a member of the chief approval team and is later removed from this group.

439757, 37407

The Customizer prevents assignment of Azure Active Directory groups, disabled Azure Active Directory service plans, and Azure Active Directory subscriptions to the IT Shop.

440848

Sometimes IT Shop requests are canceled if a shelf is moved to another shop, even though the Retain service item assignment on relocation option is enabled on the service item.

441274

If an approval step is escalated, the request is automatically canceled under the following conditions (and not submitted to the escalation approvers):

  • An approver from the next escalation approval step escalates the request manually.

  • The QER | ITShop | AutoDecision configuration parameter is set.

441330

The product owners of system roles, subscribable reports, and software cannot see the overview forms of the responsible product.

442050

Error requesting a cloud group if a cloud permissions control is assigned to this group.

442501

Occasional performance problems when processing the DBQueue Processor QER-K-PWOHelperFillMakeProc task.

443432

On the main data form for policy violations the links to object and policy do not work anymore.

443827

The CreateITShopOrder method is missing from various assignment tables.

452721

Performance issues when assigning identities to application roles.

453161

Error running the VI_Attestation_AttestationHelper send mail new task for approver process on a Job server connected via an application server.

453288

Related topics

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 11: General
Known Issue Issue ID

Error in the Report Editor if columns are used that are defined as keywords in the Report Editor.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

23521

Access errors can occur if several instances of the Web Installer are started at the same time.

24198

Headers in reports saved as CSV do not contain corresponding names.

24657

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Error connecting via an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.

27793

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key, is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

29535

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between servers is done by Distributed Transaction. If a Save Transaction is run in the process, an error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

30972

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.

31322

Variables are used in a report and there are customized translations given for these variables in the Report Editor. However, the variables are not translated in the report that is generated.

Cause: When reports are generated, the translations of default variables as displayed in the Report Designer dictionary below the Quest category are overwritten with the values from the One Identity Manager database.

Solution: Create your own variables and store them outside of the Quest category in the Report Designer dictionary. These variables can be translated.

36686

The consistency check Columns of type varchar(38) not PK and not FK. identifies issues with columns that are varchar(38) long but are not labeled as UID columns.

Solution: Choose a different column length when extending the schema. According to the modeling guidelines, columns with a length of varchar(38) are reserved for columns that map a UID.

37072

Table 12: Web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.

32364

It is not possible to use the Web Designer to place a link in the header of the Web Portal next to the company name/logo.

32830

In the Web Portal, it is possible to subscribe to a report without selecting a schedule.

Workaround:

  • Create an extension to the respective form, which displays a text message under the menu explaining the problem.
  • Add a default schedule to the subscribable report.
  • In the Web Designer, change the Filter for subscribable reports configuration key (VI_Reporting_Subscription_FilterRPSSubscription) and set the schedule's Minimum character count value (UID_DialogSchedule) to 1.

32938

If the application is supplemented with custom DLL files, an incorrect version of the Newtonsoft.Json.dll file might be loaded. This can cause the following error when running the application:

System.InvalidOperationException: Method may only be called on a Type for which Type.IsGenericParameter is true.

at System.RuntimeType.get_DeclaringMethod()

There are two possible solutions to the problem:

  • The custom DLLs are compiled against the same version of the Newtonsoft.Json.dll to resolve the version conflict.

  • Define a rerouting of the assembly in the corresponding configuration file (for example, web.config).

    Example:

    <assemblyBinding >

    <dependentAssembly>

    <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30AD4FE6B2A6AEED" culture="neutral"/>

    <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0"/>

    </dependentAssembly>

    </assemblyBinding>

33867

In the Web Portal, the details pane of a pending attestation case does not show the expected fields if the default attestation procedure is not used, but a copy of it is.

Solution:

  • The object-dependent references of the default attestation procedure must also be adopted for the custom attestation procedure.

34110

Table 13: Target system connection
Known Issue Issue ID

Memory leaks occur with PowerShell connections, which use Import-PSSession internally.

23795

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses are stored until now. 27042

Error in Domino connector (Error getting revision of schema type ((Server))).

Probable cause: The HCL Domino environment was rebuilt, or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the HCL Domino environment.

27126

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.

27359

Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to every user account.

    - OR -

  • A company is assigned to the central system.

29253

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will come into effect later.

Cause: The BAPI_EMPLOYEE_GETDATA function is always run with the current date. Therefore, changes are taken into account on the exact day.

Solution: To synchronize personnel data in advance that comes into effect later, use a schema extension and load the data from the table PA0001 directly.

29556

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact, and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.

31904

If date fields in an SAP R/3 environment contain values that are not in a valid date or time formats, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.8 on x64, version 3.1.2.0 or later must be installed on the synchronization server.

IMPORTANT: The solution should only be used if there is no alternative because the workaround skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.

    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">

      <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.1.2.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />

      </sectionGroup>

    • In the new section:

      <SAP.Middleware.Connector>

      <GeneralSettings anyDateTimeValueAllowed="true" />

      </SAP.Middleware.Connector>

32149

There are no error messages in the file that is generated in the PowershellComponentNet4 process component, in OutputFile parameter.

Cause:

No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.

Solution:

Messages in the script can be outputted using the *> operator to a file specified in the script.

Example:

Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force a stop on error in the script, you throw an Exception. This message then appears in the One Identity Manager Service's log file.

32945

The Google Workspace connector cannot successfully transfer Google applications user data to another Google Workspace user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advance settings for Google Workspace, save a user data transfer XML. In this XML document, limit the list to the user data to be transferred. Only run the Google applications that have user data you still need. For more information and an example XML, see One Identity Manager Administration Guide for Connecting to Google Workspace.

33104

In the schema type definition of a schema extension file for the SAP R/3 schema, if a DisplayPattern is defined that has another name in the SAP R/3 schema as in the One Identity Manager schema, performance issue may occur.

Solution: Leave the DisplayPattern empty in the schema type definition. Then the object's distinguished name is used automatically.

33812

If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.

Solution:

Avoid appending spaces in the target system.

33448

The process of provisioning object changes starts before the synchronization project has been updated.

Solution:

Reactivate the process for provisioning object changes after the DPR_Migrate_Shell process has been processed.

34903

After an update from SAP_BASIS 7.40 SP 0023 to SP 0026 or SAP_BASIS 7.50 SP 0019 to SP 0022, the SAP R/3 connector can no longer connect to the target system.

34650

After upgrading from One Identity Manager version 8.0 or version 8.1 to One Identity Manager version 8.2.1 or later, PowerShell scripts that reference the Az PowerShell module (Import-Module Az) may not work. In a PowerShell launched on the same host, the scripts work without errors. Error messages are logged when the ExecuteScript process task is run by the PowerShellComponentNet4 process component.

Example:

Entry point was not found.

Cause:

One Identity Manager version 8.2.1 or later, ships with a specific version of an Azure.Core.dll library. The custom PowerShell script may however depend on a newer version of the Az PowerShell module. When the One Identity Manager Service runs the script, it uses the locally stored Azure.Core.dll, breaking the dependency.

Possible workarounds: Check whether the following workarounds might work with respect to input parameter and return value.

  • Call PowerShell as a subprocess

    To run a PowerShell command out of the current process, start a new PowerShell process directly with the command call:

    pwsh -c 'Invoke-ConflictingCommand'

  • Use the CommandComponent process component with the Execute process task to launch the PowerShell application with the following command call.

    powershell -c 'Invoke-ConflictingCommand'

37116

Table 14: Identity and Access Governance

Known Issue

Issue ID

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

31997

If an assignment is inherited through a role hierarchy, bit 1 is set on the inherited assignment. Inherited assignments are consequently always indirectly assigned, even if they were originally created directly by a dynamic role or an assignment request.

35193

If a service item has its Max. days valid option reduced such that approved requests are already expired, these requests cannot be unsubscribed anymore.

Solution:

Create a process for the AccProduct base object that is triggered when changes are made to AccProduct.MaxValidDays. The process calculates the 'valid until' date for these requests (PersonWantsOrg.ValidUntil) from PersonWantsOrg.ValidFrom and AccProduct.MaxValidDays.

After which, you can unsubscribe the requests.

36349

Table 15: Third party contributions
Known Issue Issue ID

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers on the grounds of security.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

29051

Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see https://github.com/mono/mono/issues/7455.

762534, 762548, 29607

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016: KB4462928

  • Windows Server 2012 R2: KB4462926, KB4462921

  • Windows Server 2008 R2: KB4462926

One Identity does not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory group provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.

30575

Under certain conditions, the wrong language is used in the Stimulsoft controls in the Report Editor.

31155

When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.

31998

In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see https://support.microsoft.com/en-us/help/4295103.

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellCompomentNet4 process component through a user-defined PowerShell call.

33026

Schema changes

The following provides an overview of schema changes from version 9.2 up to version 9.2.1.

Identity Management Base Module

  • New columns QERVPersonAndAERoles.InheritInfo, QERVPersonAndAERoles.ObjectKeyAssignment, QERVPersonAndAERoles.ObjectKeyOrg, and QERVPersonAndAERoles.UID_SourceColumn for improved mapping of responsibilities.

Privileged Account Governance Module

  • The columns PAGAstGroup.AssetGroupingRule, PAGAccGroup.DirectoryAccountGroupingRule, and PAGAccGroup.AssetAccountGroupingRule have been extended to nvarchar(max).

SAP R/3 Compliance Add-on Module

  • New mandatory field definition for the column SAPFunctionDetail.UID_SACTransactionType.

Microsoft Exchange Module

  • New table EX0VCanSendAs for mapping send permissions.

Exchange Online Module

  • The column O3EMailbox.AdditionalResponse has been extended to nvarchar(max).

Changes to system connectors

The following provides an overview of the modified synchronization templates and an overview of all patches supplied by One Identity Manager version 9.2 up to version 9.2.1. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating