Identity Manager 9.3 - Release Notes

Resolved issues

The following is a list of solved problems in this version.

Table 7: General

Resolved issue

Issue ID

An error occurs when transporting schema information (table QBMCustomSQL).

Error message: An item with the same key has already been added

431395, 37145

The QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter is not described correctly in the English One Identity Manager Authorization and Authentication Manual.

438952

An error occurs when opening any form in a newly installed Manager web application.

Error message: Item has already been added. Key in dictionary: 'XYZ.Forms.dll' Key being added: 'XYZ.Forms.dll'

439744, 37398

In the Manager web application, filters on assignment forms do not work if the ?? operator is used in the display pattern.

439751

Parameters cannot be edited if an error occurs in the script that determines the value.

441998

The processes history archive also stores process steps that have never been handled.

443585

An error occurs when filling the internal Designer database.

Error message: SQL logic error no such column: XRamState.

444001

Importing a hotfix transport into a customer database results in a conflict if the same data has been customized.

444145

Under certain conditions, entries in the DBQueue go missing when the Database Agent Service starts and the DBQueue is nearly empty.

445976

Updating the schema can cause the data for XDateUpDated and XUserUpdated to be set unnecessarily.

446409

Maintaining constraints results in retries not being carried out as intended if an error occurs.

447479

Occasionally, processes that are started by schedules are not created.

453421

Error when running the script for determining the parameter values.

453784

Resource consumption too high and repeated indexing of tables for the search without any changes in the tables.

455394

An error may occur when importing transport packages that contain templates.

Error message: Object was changed by another user.

455881

Error when running reports via an application server if the report name contains an ampersand (&).

456290

The English ParameterValue descriptions of the ScriptComponent process component are incorrect.

456662

After installing operating system updates, errors may occur when establishing a connection via the application server (System.Security.Cryptography.CryptographicException).

457508

In the process tracking view, processes may not be marked as finished even though processing is complete.

460024

Under certain conditions, process tracking data is generated for a dependent object instead of for the initially changed object.

460068

Logged change actions for tables with a conditional display pattern do not contain a readable display value.

460507

In the Manager, it is necessary to open the main data form in order to see certain tasks.

460569

API servers are not displayed in the Job Queue Info.

460587

Some DBQueue Processor tasks are unnecessarily marked to be run separately.

460633

The column sort order of the data export in Manager does not work correctly for date values.

460847

The SDK example QBM\dvd\AddOn\SDK\ScriptSamples\07 Expert knowledge\01 External databases.vb references VI.DB.Oracle.ViOracleFactory,VI.DB.Oracle.

NOTE: Use the Oracle Data Provider for .NET instead of VI.DB.Oracle.

461031

Exporting data to a newly created History Database can result in an error.

461832

When transferring data to the History Database, the Common | ProcessState | PackageSizeHDB configuration parameter may not be taken into account.

462986

Archiving process tracking data fails for processes with a large number of dependencies to substituted follow-on processes.

462999

If the minimum password quality for password policies is set to a high value, 4 for example, passwords cannot be generated automatically.

463789

Error running the QBM-K-SetRowLockOnly DBQueue Processor task if Microsoft Change Data Tracking (CDC) is enabled.

465625

Exporting CSV reports results in the column headings not necessarily being displayed in the correct language of the recipient.

466033

The QBM_PSetRowLockOnly procedure does not exclude columnstore indexes from processing.

466200

Defining a filter in Job Queue Info causes an unnecessary confirmation prompt to appear.

466969

Data Import duplicates columns when navigating forward and backward.

467262

Error inserting custom code snippets in the Script Editor.

469529

Timeout when updating the One Identity Manager database to version 9.2.1 while the QBM_PJobCreate_HOTemplate_B procedure is running.

464312

Table 8: HTML5 web applications

Resolved issue

Issue ID

Identity properties that are blocked from editing can be edited in the Web Portal.

421001

In the Web Portal it is possible to use the dark theme, although it is not supported.

421025

When a session expires an inadequate error message is displayed on the Web Portal login page.

423707

In the Web Portal, devices are incorrectly managed under Setup > Devices instead of under Responsibilities > My responsibilities > Devices.

424585

In the Web Portal, the shopping cart gave the impression that a partial check or partial submit was possible.

425801

Under certain conditions, selecting requests in the Web Portal can lead to long response times for administrators of organizations and business roles.

431026

On some pages in the Web Portal, the user-defined filters no longer work when grouping data.

433621

No confirmation prompt is displayed when cache is disabled in the Administration Portal.

435111

In the Web Portal, it is possible to generate reports that access tables that the logged-in user is not authorized to read.

437355

In the Web Portal, the search for objects that contribute to a policy violation does not work.

437689

Under certain conditions, automatic removal of memberships during attestation does not work in the Web Portal.

438213

Under certain conditions, requesting SAP authorizations can cause issues in the Web Portal.

438296

The VI_ITShop_ProductSelectionByReferenceUser configuration key has no function.

438568

The ServerConfig/ITShopConfig/VI_ITShop_ProductSelectionFromTemplate configuration key has no function.

438570

Scrolling does not work correctly in the Web Portal when creating a new report subscription.

438778

The Web Portal sometimes displays service categories twice on the request page.

439739

In the Web Portal, attestations for a target system that has been renamed in the meantime cause an error.

441980

Information is missing in the log view of the Administration Portal.

442530

The number of open sessions is not displayed correctly in the Administration Portal.

442746

Under certain conditions, the Administration Portal does not display the navigation.

444100

In the Web Portal, pending requests data cannot be exported.

444638

In the Web Portal, the sequence of the final result differs from the specified sequence when exporting.

444708

Under certain conditions, an error occurs in the Web Portal when products are displayed.

449292

Performance issues displaying the overview of attestation cases pending approval in the Web Portal.

450286

In the Administration Portal, disabling navigation in hyperviews using the EnableHyperViewNavigation configuration key in the API project Web Portal also disables navigation in hyperviews in the Operations Support Web Portal.

455119

The Web Portal displays the additional approver as a recipient instead of an additional approver.

455633

In the Web Portal, it is not possible to select dynamic foreign key properties when defining customized filters.

455793

The Web Portal fails to load saved views under certain conditions.

455931

In the Web Portal, it is not possible to approve requests with certain request properties under certain conditions.

456919

In the Web Portal, certain attestation cases cannot be opened via a link.

457344

Requests with a valid-from date in the past cannot be approved in the Web Portal.

457651

The Web Portal does not display the names of some objects correctly in the assignment analysis.

458709

It is not possible to manage disabled reports in the Web Portal.

459392

In the Web Portal, if provisioning of an application is canceled, all the associated products are incorrectly canceled.

459686

In the Web Portal, it is not possible to search for child service categories on the request page.

459707

In the Web Portal, it is not possible to export pending requests that can be approved by the chief approval team.

460431

In the Web Portal, the delegation process must be restarted if the search for objects to be delegated does not produce any results.

462048

The Web Portal does not display the name of a delegation deputy correctly in the request history.

463587

Under certain conditions, the search for system entitlements or user accounts of specific identities in the Web Portal can produce incomplete results or error messages.

463613

The Web Portal does not export the header when exporting data to CSV.

465136

The Web Portal goes into a request loop if an invalid email address is given in the personal settings.

465213

Under certain conditions, an error occurs in the Web Portal when entitlements are revoked.

465520

The Web Portal does not process requests for API key requests correctly.

465521

Under certain conditions, errors occur in the Web Portal when generating certain reports.

466209

The Web Portal displays details of a request in truncated form in the request history.

466517

Under certain conditions, the Web Portal does not load products on the New Request page and an error occurs.

471545

In the Web Portal, requesting products with dependent products does not work under certain conditions.

455814

Table 9: Target system connection

Resolved issue

Issue ID

An error sometimes occurs when removing an account definition.

430573, 36099

In the Designer, under certain conditions, an error occurs when a Job server overview form opens.

430795, 34055

Under certain conditions, DialogWatchOperation.OperationUser is not populated correctly.

438921

An error occurs when configuring auxiliary class assignments for LDAP synchronization projects.

439007

Error in the Exchange Online connector when it converts ISO country codes.

441949

If a quota is reached, no report is created during synchronization simulation.

443647

Under certain conditions, an error occurs when provisioning changes to the country ID of Exchange Online mail users.

452120

No entry is created in the DPRMemberShipAction table if pending assignments of administrative units to Microsoft Entra ID user accounts or groups are published in One Identity Manager. Therefore, the assignment is not published.

454690

The BaseTreeOwnsObject table is now also used for container objects (CSMContainer and UCIContainer tables).

455140

During DBQueue Processor task processing, duplicate entries might occur in the AADScopedRLAsgn and AADScopedRLElgb tables.

457077

An error occurs in the Microsoft Entra ID connection wizard when changing the authentication from delegated entitlements to application entitlements.

457263

In the SCIM plug-in, an incorrect patch request leads to an internal server error.

457486

An error occurs in encrypted databases when loading LDAP connection data in the Synchronization Editor.

457514

An error occurs in the SCIM connector when serializing a PUT request.

457682

In the SCIM plug-in, complex filter expressions for simple attributes and for foreign key relationships cause a list response (ListResponse) and not an error.

458758, 456157

If the TargetSystem | ADS | ARS_SSM configuration parameter is set without the Active Roles Module being installed, compilation errors occur.

459611

Provisioning of SharePoint Online website collections occasionally fails.

Error message:

[System.Exception] Unable to resolve site collection.

[Microsoft.SharePoint.Client.ServerException] A site already exists at url.

463502

Provisioning of SharePoint Online roles or SharePoint Online groups fails if the underlying SharePoint Online website collection was only created shortly beforehand.

465067

A Microsoft Entra ID user account cannot be deleted if there is still a SharePoint Online user account dependent on it.

465287

Loading Microsoft Entra ID user accounts does not work under certain conditions.

468425

Errors that occur when correcting rogue modifications are not included in the synchronization log.

470045

If a custom schema class is used as a member of a virtual schema property with the Members of M:N schema types property type, this schema class is sometimes not used during synchronization.

466355

If the authentication type Ntlm is disabled, a connection is not established via the RemoteConnectPlugin.

453136

A user account that is marked for deletion in One Identity Manager and has been re-enabled in the target system is not enabled by the synchronization in One Identity Manager.

464211

When editing the schema of a CSV file for an existing system connection in the Synchronization Editor, if a column has the DateTime data type selected, the Timezone field is not displayed.

456049

The Maps objects referenced by multiple references option in the Synchronization Editor cannot be enabled on a mapping that has a base mapping assigned to it.

456849

When synchronizing with the One Identity Manager connector, sometimes an object is not imported if an error occurred when synchronizing the previous object.

457199

Target system login using the SCIM connector is not possible if the client secret contains a colon (:).

460083

Synchronization sometimes uses more than the permitted 1024 key values for database queries.

462034

Error reading back an object property of a newly created object in a MySQL database. The object is not found in the target system.

462101

Outstanding memberships in system entitlements are converted to a direct membership if they are re-enabled by synchronization.

463620

Performance issues can occur when determining the revision data of One Identity Manager object types.

466991

Error using a remote connection to synchronize a target system.

Error message: Unable to cast object of type 'System.String' to type 'VI.Projector.Data.ISystemObjectData'

469869

Error applying the patch VPR#37274 to a Microsoft Exchange synchronization project if an additional variable set exists.

466144

When provisioning Google Workspace user account properties (such as email addresses, telephone numbers, user details), the GAP_UserOrganization_Insert/Update/Delete process sometimes ends with errors.

466239

Error saving Notes user accounts when the spelling (case-sensitive) of first or last names is changed.

469230

The SAP connector does not reliably end the RFC connection between two requests.

459214

The SAP connector does not tolerate incorrect data values.

455745

SAP communication data for identities cannot be saved if no from date is entered.

455667

Error saving changes to the SAPComSMTP.SMTPAddr column in the Designer.

432573

When checking an Oracle E-Business Suite schema extension file in the Synchronization Editor, the error message that appears is insufficient.

461818

Provisioning an assignment of a user account to a group in a cloud application is run before the user account is created in the target system.

457459

OAuth authentication for logging in to a cloud application does not work if a combination of application/client ID and additional user name and password is used.

460097

When synchronizing a cloud application via SAP Cloud Identity Services, the PATCH operation does not work for schema properties that are defined in a schema extension.

462827

Error provisioning deleted group memberships if the SCIM provider does not support PATCH operations.

Error message: Internal Server Error

463886

Table 10: Identity and Access Governance

Resolved issue

Issue ID

An error occurs when saving entries in the PersonWantsOrg table with a customized OnSaving script.

Error message: No transaction or savepoint of that name was found.

433763

Under certain conditions, an error occurs when running DBQueue Processor tasks for the BaseTreeHasObject table.

Error message: Violation of PRIMARY KEY constraint 'PK_Basetree_7B2E29F1AC061A4F'. Cannot insert duplicate key in object 'dbo.BasetreeHasObject'.

454698

The AN - Attestor of the system entitlement or system role to attest approval procedure incorrectly determines product owners instead of attestors of system entitlements.

IMPORTANT: The approval procedure has been corrected.

Check existing approval workflows that use this procedure. To retain previous functionality, the AN - Attestor of the system entitlement or system role to attest approval procedure can be replaced by EO - Product owner of the system entitlement to attest in approval steps.

459614

If no country is assigned to an identity, the country entered as the default in the database is not taken into account when determining the fallback.

459962

If responsibility for approving requests or attestations has been delegated, the justification texts from other approval steps are sometimes used in email notifications to the delegators.

465678

If a dynamic role and the associated business role are deleted at the same time, the memberships sometimes remain in the system as orphans.

467420

Unnecessary email notification for pending requests if the request has already been automatically assigned.

468164

The VI_ITShopTempl_UserInterface_and_DisplayRights permissions group has invalid edit permissions in IT Shop.

469293

The Manager does not sort requests correctly by date in the Request History report.

431379

Two additional approval steps are sometimes displayed in the approval history for a product changeover, even though the product was not replaced.

457053

Displaying system entitlements in the Manager on the Add to IT Shop form takes a very long time if a large number of objects must be loaded.

458426

Performance issues or errors if a large number of requests are generated almost simultaneously.

458512

Membership in a business role cannot be delegated if the identity became a member of this business role directly and also via a delegation that cannot be delegated on.

459744

In the Manager, request property parameters are not sorted according to the Sort order property.

462373

Error requesting a business role assignment.

469739

Known issues

The following is a list of issues known to exist at the time of release of this version.

Table 11: General

Known Issue

Issue ID

Error in the Report Editor if columns are used that are defined as keywords in the Report Editor.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

23521

Access errors can occur if several instances of the Web Installer are started at the same time.

24198

Headers in reports saved as CSV do not contain corresponding names.

24657

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Error connecting via an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable when exporting or importing the certificate.

27793

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

29535

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the servers is done by Distributed Transaction. If a Save Transaction is run in the process, an error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

30972

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports. For detailed information about displaying dates and time, see the One Identity Manager Configuration Guide.

31322

Variables are used in a report and there are customized translations given for these variables in the Report Editor. However, the variables are not translated in the report that is generated.

Cause: When reports are generated, the translations of default variables as displayed in the Report Designer dictionary below the Quest category are overwritten with the values from the One Identity Manager database.

Solution: Create your own variables and store them outside of the Quest category in the Report Designer dictionary. These variables can be translated.

36686

The consistency check Columns of type varchar(38) not PK and not FK. identifies issues with columns that are varchar(38) long but are not labeled as UID columns.

Solution: Choose a different column length when extending the schema. According to the modeling guidelines, columns with a length of varchar(38) are reserved for columns that map a UID.

37072

Installing web applications using the Web Installer in a virtual machine (VM) is not supported if the installation source is located in a shared folder such as a local folder on the VM host that is provided to the VM as a new file drive.

The event log may display error messages for Source = Application error and Incorrect application name: WebInstaller.exe.

Workaround: Use a network share and assign it to a free drive letter in your VM.

471381

Table 12: HTML5 web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

In the Web Portal, a product’s request properties are not transferred from the original request to the shopping cart if the request is renewed or canceled.

Cause: Request properties are saved in separate custom columns.

Solution: Create a template for (custom) columns in the ShoppingCartItem table that stores the request properties when the request is made. This template must load the request properties from the identical (custom) columns in the PersonWantsOrg table relating to this request.

32364

In the Web Portal search, if you enter a search term and then group the data, the view also displays empty groups.

468982

Table 13: Target system connection

Known Issue

Issue ID

Memory leaks occur with PowerShell connections, which use Import-PSSession internally.

23795

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, provided that no primary SIP addresses have been stored so far.

27042

Error in Domino connector (Error getting revision of schema type ((Server))).

Probable cause: The HCL Domino environment was rebuilt, or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the HCL Domino environment.

27126

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.

27359

Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to the user account.

    - OR -

  • A company is assigned to the central system.

29253

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will come into effect later.

Cause: The BAPI_EMPLOYEE_GETDATA function is always run with the current date. Therefore, changes are taken into account on the exact day.

Solution: To synchronize personnel data in advance that comes into effect later, use a schema extension and load the data from the table PA0001 directly.

29556

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

If a SharePoint site collection only has read access, the server farm account cannot read the schema properties Owner, SecondaryContact, and UserCodeEnabled.

Workaround: The properties UID_SPSUserOwner and UID_SPSUserOwnerSecondary are given empty values in the One Identity Manager database. This way, no load error is written to the synchronization log.

31904

If date fields in an SAP R/3 environment contain values that are not in a valid date or time format, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version 3.0.15.0 or later must be installed on the synchronization server.

IMPORTANT: The solution should only be used if there is no alternative because the workaround skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.
    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">
        <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.0.0.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />
      </sectionGroup>

    • In the new section:

      <SAP.Middleware.Connector>
        <GeneralSettings anyDateTimeValueAllowed="true" />
      </SAP.Middleware.Connector>

32149

The Google Workspace connector cannot successfully transfer Google applications user data to another Google Workspace user account before the initial user account is deleted. The transfer fails because of the Rocket application's user data.

Workaround: In the system connection's advanced settings for Google Workspace, save a user data transfer XML. In this XML document, limit the list to the user data to be transferred. Only run the Google applications that have user data you still need. For more information and an example XML, see One Identity Manager Administration Guide for Connecting to Google Workspace.

33104

If target system data contains appended spaces, they go missing during synchronization in One Identity Manager. Every subsequent synchronization identifies the data changes and repeatedly writes the affected values or adds new objects if this property is part of the object matching rule.

Solution:

Avoid appending spaces in the target system.

33448

In the schema type definition of a schema extension file for the SAP R/3 schema, if a DisplayPattern is defined that has a different name in the SAP R/3 schema than in the One Identity Manager schema, performance issues may occur.

Solution: Leave the DisplayPattern empty in the schema type definition. Then the object's distinguished name is used automatically.

33812

After an update from SAP_BASIS 7.40 SP 0023 to SP 0026 or SAP_BASIS 7.50 SP 0019 to SP 0022, the SAP R/3 connector can no longer connect to the target system.

34650

After upgrading from One Identity Manager version 8.0 or version 8.1 to One Identity Manager version 8.2.1 or later, PowerShell scripts that reference the Az PowerShell module (Import-Module Az) may not work. In a PowerShell launched on the same host, the scripts work without errors. Error messages are logged when the ExecuteScript process task is run by the PowerShellComponentNet4 process component.

Example:

Entry point was not found.

Cause:

One Identity Manager version 8.2.1 or later ships with a specific version of an Azure.Core.dll library. The custom PowerShell script may, however, depend on a newer version of the Az PowerShell module. When the One Identity Manager Service runs the script, it uses the locally stored Azure.Core.dll, breaking the dependency.

Possible workarounds: Check whether the following workarounds might work with respect to input parameters and return values.

  • Call PowerShell as a subprocess

    To run a PowerShell command out of the current process, start a new PowerShell process directly with the command call:

    pwsh -c 'Invoke-ConflictingCommand'

  • Use the CommandComponent process component with the Execute process task to launch the PowerShell application with the following command call.

    powershell -c 'Invoke-ConflictingCommand'

430202, 37116

The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

After updating to One Identity Manager version 9.3 or later, scripts in synchronization projects that use custom DLLs can no longer be translated.

Cause: Conversion of One Identity Manager base technology to .NET 8.

Solution:

  1. Transfer these scripts to the Synchronization Editor script library as external scripts.

  2. Customize the script code for the use of NuGet packages.

  3. Compile the scripts.

463957

Table 14: Identity and Access Governance

Known Issue

Issue ID

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

31997

If an assignment is inherited through a role hierarchy, bit 1 is set on the inherited assignment. Inherited assignments are consequently always indirectly assigned, even if they were originally created directly by a dynamic role or an assignment request.

35193

If a service item has its Max. days valid option reduced such that approved requests are already expired, these requests cannot be unsubscribed anymore.

Solution:

Create a process for the AccProduct base object that is triggered when changes are made to AccProduct.MaxValidDays. The process calculates the 'valid until' date for these requests (PersonWantsOrg.ValidUntil) from PersonWantsOrg.ValidFrom and AccProduct.MaxValidDays.

Afterwards, you can unsubscribe the requests.

36349

Table 15: Third party contributions

Known Issue

Issue ID

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the File and Printer sharing setting is not enabled on the server. This option is not set on domain controllers for security reasons.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

29051

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016: KB4462928

  • Windows Server 2012 R2: KB4462926, KB4462921

One Identity does not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may degrade the performance of Active Directory group provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.

30575

Under certain conditions, the wrong language is used in the Stimulsoft controls in the Report Editor.

31155

In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see https://support.microsoft.com/en-us/help/4295103.

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellCompomentNet4 process component through a user-defined PowerShell call.

33026

Schema changes

The following provides an overview of schema changes from version 9.2.1 up to version 9.3.

Configuration Module
  • New tables for editing the user interface navigation.

    • QBMGroupHasTree

    • QBMProductHasTree

    • QBMTree

    • QBMTreeHasColumn

    • QBMTreeHasSheet

    • QBMTreeHasTreeResult

    • QBMTreeHasUIDashBoard

    • QBMTreeResult

    • QBMTreeResultHasColumn

    • QBMTreeResultHasSheet

    • QBMUIDashBoard

  • New table QBMCEFDefinitions for mapping SIEM messages.

  • New table QBMDBQueueTaskMetric for processing DBQueue Processor tasks.

  • New table QBMExternalPackage for mapping external NuGet packages for system compilation.

  • New column DialogColumn.CacheInfo to specify the behavior when columns are loaded in the Designer.

  • New column DialogColumn.ResultSortOrder as the default order for displaying the column in result lists or on overview forms.

  • New column DialogDatabase.UID_CutOffTask for internal use.

  • New column DialogDBQueue.PathLength to optimize DBQueue Processor processing.

  • New column DialogTable.IsNoProcessMonitoring to exclude the table from process monitoring.

  • New column QBMClrType.Alias to group together different implementations of the same interface.

  • New column QBMDBQueueTask.CustomWeight for customized weighting of the processing sequence for DBQueue Processor tasks.

  • New column QBMFileRevision.SourceType for optimizing script compilation.

  • New column QBMProduct.UID_QBMTree as the start menu item for an application.

  • The following tables are now read-only views.

    • QBMDBQueueOverview_fix

    • QBMDBQueueOverview

    • QBMDBQueueSlot

    • QBMDBQueueSlot_fix

    • QBMDBQueueTaskPerf

    • QBMDBQueueTaskPerf_fix

  • New mandatory field definition for the following columns:

    • DialogMultiLanguage.XObjectKey

    • QBMDBQueueTask.XObjectKey

    • QBMDBQueueTaskDepend.XObjectKey

    • QBMFileRevision.XObjectKey

    • QBMMissingDisplayRight.XObjectKey

    • QBMModuleDef.XObjectKey

    • QBMModuleDepend.XObjectKey

    • QBMNonLinearDepend.XObjectKey

    • QBMRelation.XObjectKey

    • QBMXUser.XObjectKey

  • The DialogDatabase.CustomerName column has been extended to nvarchar(256).

  • The DialogHistoryDB.TransportConnectionString column has been extended to varchar(max).

  • The data type of the DialogSheet.SortOrder column has been changed to nvarchar(7).

  • The following tables have been deleted.

    • DialogAEDSAction

    • DialogAEDSActionHasObject

    • DialogAEDSActionType

    • DialogGroupHasTree

    • DialogTree

    • DialogTreeHasSheet

    • DialogTreeInDialogProduct

    • QBMDBQueueSlot

    • QBMDBQueueTaskDependCollection

    • QBMDevBranch

    • QBMDevBranchHasAssembly

  • The following columns have been deleted.

    • DialogColumn.BitMaskConfig

    • DialogColumn.LimitedValues

    • DialogDBQueue.SortOrder

    • QBMDBQueueCurrent.SortOrder

    • QBMDBQueuePond.noCheckForExisting

    • QBMDBQueuePond.SortOrder

    • QBMDBQueueSlot.CountToLoad

    • QBMDBQueueSlot.RunningState

    • QBMDBQueueSlot.ServerProcess

    • QBMDBQueueSlot.SlotNumber

    • QBMDBQueueSlot.UID_QBMDBQueueSlot

    • QBMDBQueueSlot.UID_Task

    • QBMDBQueueSlot.XObjectKey

    • QBMDBQueueTask.CountSingleSteps

    • QBMDBQueueTask.IsUnusedInSimulation

    • QBMDBQueueTask.LastExecutedAt

    • QBMDBQueueTask.MaxBulk

    • QBMDBQueueTask.MinBulk

    • QBMDBQueueTask.SingleTime

    • QBMDBQueueTask.SortOrder

    • QBMProduct.UID_DialogTree

    • QBMWebApplication.UID_DialogAEDSWebProject

    • QBMWebApplication.UID_DialogAuthentifier

    • QBMWebApplication.UID_DialogAuthSecondary

Target System Synchronization Module
  • New column DPRScript.IsExternal for scripts with external references to NuGet packages.

  • New mandatory field definition for the DPRScript.UID_DPRShell and DPRScript.UID_QBMClrType columns.

Target System Base Module
  • New mandatory field definition for the TSBITData.XObjectKey and TSBITDataMapping.XObjectKey columns.

Microsoft Entra ID Module
  • New tables to support Microsoft Entra ID security attributes.

    • AADSecAttrDef

    • AADSecAttrSet

    • AADSecAttrSvcPInstance

    • AADSecAttrUsrInstance

  • New table AADUserSponsor for mapping sponsors of Microsoft Entra ID user accounts.

  • New table AADUserTemporaryAccessPass for mapping temporary access passes for Microsoft Entra ID user accounts.

  • New column AADOrganization.SyncTags for mapping additional synchronization data.

  • New column AADUser.XDateSubItem for mapping the change date of dependent objects.

Exchange Online Module
  • New mandatory field definition for the O3EMailbox.XObjectKey column.

  • The O3EMailbox.AdditionalResponse column has been extended to nvarchar(max).

  • The O3EUnifiedGroup.SharePointDocumentsUrl, O3EUnifiedGroup.SharePointNotebookUrl, and O3EUnifiedGroup.SharePointSiteUrl columns have been extended to nvarchar(max).

Microsoft Teams Module
  • New column O3TTeamChannel.ObjectKeyO3SSite for linking a SharePoint website.

Active Directory Module
  • New column ADSAccount.UID_ADSContainerDisabled as container for disabled Active Directory user accounts.

Microsoft Exchange Module
  • New mandatory field definition for the following columns:

    • EX0DL.XObjectKey

    • EX0DynDL.XObjectKey

    • EX0MailBox.XObjectKey

    • EX0Server.XObjectKey

Privileged Account Governance Module
  • New columns to support access requests for files:

    • PAGAstAccount.AllowFileRequest

    • PAGAstAccount.HasFile

    • PAGDirAccount.AllowFileRequest

    • PAGDirAccount.HasFile

    • PAGUserAttestation.AllowFileRequest

  • New columns PAGAssetInAstGroup.ObjectKeyMember and PAGAssetInAstGroup.UID_PAGAssetInAstGroup for mapping group memberships.

  • The PAGAssetInAstGroup.UID_PAGAsset column has been deleted.

SAP R/3 User Management Module
  • The SAPComSMTP.SMTPAddr column has been shortened to nvarchar(241).

Identity Management Base Module
  • New table QERRiskIndexColumnDepend for defining dependencies between risk indexes.

  • New column PWODecisionRule.Remarks for a better description of the approval procedures.

  • New columns for the use of samples in attestation.

    • QERPickCategory.CreateRandomSampleForEachRun

    • QERPickCategory.IsRandomSample

    • QERPickCategory.RandomSamplePickRate

    • QERPickCategory.RandomSampleWhereClause

  • The PersonPasswordHistory table has been deleted.

  • The QERRiskIndexHasSourceTable table has been deleted.

  • The PWODecisionRule.IsSimulationBased column has been deleted.

  • The QERRiskIndex.IsExecuteImmediate column has been deleted.

Attestation Module
  • New column AttestationObject.UiChallengeText for queries when challenging attestation approvals.

SAP R/3 Compliance Add-on Module
  • New tables and new columns to support SAP functions and calculations.

    • SACAbility

    • SACAbilityFI

    • SACFunctionInstanceHasAO

    • SACFunctionInstHasAbilityFI

    • SACProfileHasAbilityFI

    • SAPFunction.ConditionString

    • SAPFunctionDetail.UID_SACAbility

    • SAPFunctionInstanceDetail.UID_SACAbility

    • SAPFunctionInstanceDetail.UID_SACAbilityFI

  • The SAPFunctionDetail.LowerLimit and SAPFunctionInstanceDetail.LowerLimit columns have been extended to nvarchar(max).

  • New mandatory field definition for the SAPRCTable.XObjectKey column.

  • The SAPProfileHasTCDinFID table has been deleted.

  • The following columns have been deleted.

    • SAPFunctionDetail.AUTHOBJNAM

    • SAPFunctionDetail.AUTHOBJTYP

    • SAPFunctionDetail.AUTHPGMID

    • SAPFunctionDetail.RFC_NAME

    • SAPFunctionDetail.RFC_TYPE

    • SAPFunctionDetail.SAPHashValue

    • SAPFunctionDetail.SRV_NAME

    • SAPFunctionDetail.SRV_TYPE

    • SAPFunctionDetail.TCD

    • SAPFunctionDetail.UID_SACTransactionType

    • SAPFunctionInstanceDetail.UID_SAPTransaction

Changes to system connectors

The following provides an overview of the modified synchronization templates and of all patches supplied from One Identity Manager version 9.2.1 up to version 9.3. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.
