Identity Manager 7.1.5 - Release Notes

One Identity Manager 7.1.5

Release Notes

March 2019

These release notes provide information about the One Identity Manager release, version 7.1.5. You will find all the modifications since One Identity Manager version 7.1.4 listed here.

One Identity Manager 7.1.5 is a patch release with enhanced features and functionality. See Enhancements.

If you update a One Identity Manager version that is older than One Identity Manager 7.1.4, read the release notes from the previous versions as well. You will find the release notes and the release notes about additional modules based on One Identity Manager technology under One Identity Manager Support.

You will find a summary of the changes made in Web Designer since the last release in Changes in Web Designer.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

About One Identity Manager 7.1.5

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives the business control over identity management and access decisions while the IT team can focus on its core competence.

With this product, you can:

  • Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition
  • Meet Access Governance demands across platforms throughout your entire organization with One Identity Manager

Each of these scenario-specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

Enhancements

The following is a list of enhancements implemented in One Identity Manager 7.1.5.

Table 1: General known issues

Enhancement

Issue ID

The connection server already provided for transferring data to a One Identity Manager History Database is now used. To use this function, enable the configuration parameter HDB | UseNamedLinkedServer in the One Identity Manager History Database and enter the connection server in the One Identity Manager History Database as server for the source database.

30028

Improved logging of error messages when transferring data to the One Identity Manager History Database.

30165

Improved performance when updating the One Identity Manager database.

30292

Improved logging in the application server.

30618

Improved performance in DBQueue Processor.

30763, 30626, 31293

The script VID_FindAndReplaceByLine has been deleted.

30632

Improved execution of templates through One Identity Manager Service.

30730

Improvements in the Job Queue Info.

  • If the DBQueue contains more than 250000 calculation tasks, the operation There are more tasks to be processed is displayed in the DBQueue. This shows the number of queued tasks that cannot currently be shown in the DBQueue overview.

31140

Process handling is interrupted during processing of DBQueue Processor triggers and constraints.

27486

Improved logging of terminated DBQueue slots.

30289

Improved protection of the application server's API.

31299, 31300

Improved protection against damaging SQL statements.

31299, 31301

Table 2: General web applications

Enhancement

Issue ID

Improved performance in the Web Portal for:

  • Displaying the request history

  • Editing questions about attestation cases

  • Approving requests

  • Determining an employee's entitlements

30470, 30471, 30673, 30863, 31192

Table 3: Target system connection

Enhancement

Issue ID

Optimized calculation of inheritance for group memberships.

30076

Improved performance for individual provisioning of memberships and for synchronization.

30667, 30864, 30922

Improved performance synchronizing Microsoft Exchange recipient lists.

31163

Improved performance calculating Azure Active Directory group memberships.

30702

Property mapping rules that are no longer required are removed from the OwaMailboxPolicy map.

A patch with the patch ID VPR#30498 is available for synchronization projects.

30498

Improved performance synchronizing Exchange Online recipient lists.

30959, 31162

In the Exchange Online connector, the list of error messages that are taken to mean the connection has failed has been extended by:

An error caused a change in the current set of domain controllers.

Your request is too frequent. Please wait for few minutes and retry.

Topology Provider could not find the Microsoft Exchange Active Directory Topology service on end point.

31168

Spaces in distinguished names of LDAP objects are tolerated.

30542

Improved performance

  • Calculating SAP functions

  • Calculating SAP group, role and profile hierarchies.

  • Synchronizing role assignments with the central system of a CUA (UserInCUARole)

    A patch with the patch ID VPR#30941 is available for synchronization projects.

30299, 30743, 30675, 30941

Table 4: Identity and Access Governance

Enhancement

Issue ID

If the option Temporarily disabled is not set for an employee and the date for Temporarily disabled from is in the future, the date for Temporarily disabled from and Temporarily disabled until are not deleted.

30344

Improved performance approving requests.

31341

Fixes

The following is a list of solved problems in this version.

Table 5: General

Resolved issue

Issue ID

Error testing email addresses for uniqueness, if an email address was recalculated with a template but the old and the new values are identical.

30300

The function QBM_FSQRemoveComment does not recognize Linux carriage return.

30342

Ctrl+C does not copy the selected value in the Process step view in Job Queue Info.

30343

The script for selecting the server in a process step (Job.ServerDetectScript) is not implicitly extended by a Try-Catch-Block.

30347

If an object column and another column in the table QBMColumnTranslation are interrelated, the program exits because it cannot load these objects.

30380

Compilation fails if the process or process step contains quotation marks (") in names.

30403

Error filling raw tables if the One Identity Manager database and the History Database are installed in the same cluster.

30455

Under certain conditions, the database ends up in a trigger-free state if transport fails.

30459, 30447

Performance problems determining permissions.

30471

Wrong short name for the state of Newfoundland and Labrador.

30484

After extending the schema of custom read-only tables, new columns with the option Customer can configure are set to the value 0.

30491

Error in the method SqlFormatter.NotInClause.

30505

Problems initializing the Job queue if a large number of queues are affected.

30539

The physical dependency between DBQueue Processor tasks does not consider tasks without parameters.

30573

Terminated slots are identified correctly if the SQL Server reuses the SPID.

30584

The procedures for shrinking the entries in the tables DialogWatchOperation, JobHistory and DialogProcessChain do not shrink in blocks.

30604

Timestamps on changes made in the database in Designer are shown in UTC.

30610

Triggers are not generated for DBQueue Processor tasks that record changes to configuration data.

30646

Migration does not remove non-linear dependencies correctly.

30693

In reports, IN clause queries on UID and XObjectKey columns are listed with Unicode strings.

30723

The limit for IN clauses in report queries is not adhered to correctly.

30724

Error retrying process steps with the status MISSING.

30752

The procedure QBM_PCustomSQLFill fails with the message Violation of PRIMARY KEY constraint.

There is a new consistency check Index name longer than 30 characters.

30753

The customizer method GetNextID fails when executed in Designer.

30786

Relaying processes is being blocked because the procedure QBM_PJobUpdateState is being called too frequently.

30798

If a Job destination ID contains a special character, the links on the One Identity Manager Service status page do not work.

30924

Job Queue Info ends unexpectedly, if there is a filter on the system journal and it returns a lot of entries.

30928

The procedure ProcessShrink leaves behind entries with BasisObjectType=<unknown Object> in the DialogProcess table.

31007

The state of Florida has the wrong timezone.

31089

Starting and ending the Database Compiler in Designer leaves a Wait for compiler entry in the DBQueue.

30094

The Manager's configuration data is always used when logging into a dynamic authentication module.

30241

An error can occur during execution of DBQueue tasks in connection with the task QBM_PDBQueueReplGenProcID.

30272

Line breaks in the header of CSV files are not written back correctly. A CR is converted to a CR/LF.

30288

In certain circumstances, the procedure QBM_PIndexDropRedundant deletes required default indices.

30354

The One Identity Manager Service returns the process steps but the slots remain blocked.

31055

The procedure QBM_PDBQueueOverviewFill updated the table DBQueueOverview too frequently.

30800, 31217, 31296

Error in the German translation of entries in the DBQueueTasks table.

31117

Incorrect values in DialogCountry.NumericCode.

31352

Table 6: General web applications

Resolved issue

Issue ID

If a valid until date is specified for a request approval, the current time is used. The request is therefore not valid until the end of the given day.

30348

An employee can request membership in a specific business role.

30194

Incorrect where clauses are generated while index searching in many-to-many tables.

30679

Wrong display names for DialogSchedule.LastRun and DialogSchedule.NextRun in the Schedule Editor.

30687

Unsubscribed assignment requests are shown in the request history, although the option Canceled or denied or dismissed is not set.

30726

A request for a default service item New Active Directory security group cannot be approved.

30837

If an attestation request has been answered and saved, the dialog window remains open.

30845

Mandatory fields for attestation cases are not checked when queried.

30862

Although the option Display file content in browser whenever possible is set to False for downloading a file, the file content is still shown in the browser.

30404

Mapped functions in Web Designer are ignored if a parameter is defined.

30443

If a pending request is exported and an approval decision about this pending request is made, an error occurs.

30463

The Windows performance monitor does not show a value in the Web Portal performance indicator.

30699

In Chrome, you cannot browse through Hyper View pages in the Web Portal.

Single shapes of a Hyper View can only be moved by clicking the header.

30790

If you edit a report subscription, the changes are not shown immediately in the report's detailed view.

30696

Some time data is only shown in English in the Web Portal.

31094

The filter settings for date columns are only available in English in the Web Portal.

31118

When a report is exported, the default template and not the custom template is used.

31231

In the Web Portal's configuration file (web.config), the URL /AE.axd is still declared.

The handler AE.axd for session information has been removed from the Web Portal's configuration file (web.config). Therefore, the handler is not included when Web Portal is installed. Any existing Web Portal installations are not affected by this change.

NOTE: If you still require the handler and want to include it again, enter the following lines in the Web Portal's configuration file (web.config):

In the section system.web\httpHandlers:

<add verb="GET" path="AE.axd" type="VI.WebRuntime.Communication.ControllerRequestHandler, VI.WebRuntime" />

In the section system.webServer\httpHandlers:

<add name="AE.axd_GET" path="AE.axd" verb="GET" type="VI.WebRuntime.Communication.ControllerRequestHandler, VI.WebRuntime" />

31299, 31302
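
Because the note above states that existing Web Portal installations keep the AE.axd declaration, the following added example (not One Identity's code) reports which web.config files still declare the handler, in either section. The function name Find-AeAxdHandler and the sample configuration are constructed for illustration; the search root is assumed to be the default web application parent folder named elsewhere in these notes.

```powershell
# Added example: report web.config files that still declare the AE.axd handler.
# Function name and sample content are hypothetical, constructed for illustration.

function Find-AeAxdHandler {
    [CmdletBinding()]
    param(
        # Raw content of a web.config file
        [Parameter(Mandatory)][AllowEmptyString()][string]$ConfigXml,
        # Label used in the output (normally the file path)
        [string]$Source = '<inline>'
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null          # never resolve external entities or DTDs
    try {
        $doc.LoadXml($ConfigXml)
    } catch {
        Write-Warning "${Source}: not well-formed XML, skipped ($($_.Exception.Message))"
        return
    }

    # local-name() keeps the query working when <configuration> carries an xmlns.
    foreach ($node in $doc.SelectNodes("//*[local-name()='add'][@path]")) {
        # Handler paths are compared case-insensitively.
        if ($node.GetAttribute('path').Trim() -ine 'AE.axd') { continue }

        # Build the section path by walking up to the document root.
        $names = @()
        for ($p = $node.ParentNode;
             $null -ne $p -and $p.NodeType -eq [System.Xml.XmlNodeType]::Element;
             $p = $p.ParentNode) {
            $names = @($p.LocalName) + $names
        }

        # GetAttribute is used throughout: on these elements the PowerShell XML
        # adapter would return the "name" attribute for $node.Name.
        [pscustomobject]@{
            Source  = $Source
            Section = ($names -join '/')
            Verb    = $node.GetAttribute('verb')
            Type    = $node.GetAttribute('type')
        }
    }
}

# Constructed sample: a configuration that still carries the declaration
# quoted in the note above.
$sample = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="GET" path="AE.axd" type="VI.WebRuntime.Communication.ControllerRequestHandler, VI.WebRuntime" />
    </httpHandlers>
  </system.web>
</configuration>
'@
Find-AeAxdHandler -ConfigXml $sample -Source 'constructed sample'

# Scan installed web applications. The root is an assumption; adjust it to
# where the Web Portal is actually installed.
$root = 'C:\inetpub\wwwroot'
if (Test-Path -LiteralPath $root) {
    Get-ChildItem -LiteralPath $root -Filter web.config -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Find-AeAxdHandler -ConfigXml (Get-Content -Raw -LiteralPath $_.FullName) -Source $_.FullName
        }
}
```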

Table 7: Target system connection

Resolved issue

Issue ID

Calculation of properties required for creating QueryByExamples objects does not recognize properties that are only loaded for matching by virtual ReadOnly properties.

30226

In Manager, changes to the value of IT operating data cannot be saved.

30295, 30746

Files in the synchronization user's temporary directory are not deleted.

30396

Error reading data from columns with data type varbinary if these are used as a primary key or part of one.

30474

Error loading synchronization projects.

30503

Provisioning tasks for group memberships are grouped under the wrong GenprocID.

30565

A maximum of 1024 modified memberships per group can be provisioned.

30597

Too many columns are loaded for resolving a reference.

30600

Running a clean up of the DPRMembershipAction table deletes entries that are still required.

30603

Synchronization deletes One Identity Manager database objects that are not unique in the target system.

30715

Processing of target system specific tasks in the DBQueue is blocked if this target system is being synchronized at the same time.

30773

Objects that are added and provisioned in the One Identity Manager database while synchronization is running are duplicated in the database.

30957

Updating the schema or transporting a synchronization project removes the quota definition.

31098

The variable set loads too late when synchronization starts.

31152

The Active Directory connector returns empty elements for empty multi-value property columns.

29853

Incorrect handling of trusted domains in Active Directory synchronization projects. The project template has been corrected.

A patch with the patch ID VPR#30192 is available for synchronization projects.

30192

Active Directory group memberships are not provisioned if the object SID for the user account is missing.

30509

Error processing unresolvable keys during Active Directory synchronization.

30552

Deleted values in the columns HomeDirectory and ProfilePath in Active Directory user accounts cannot be provisioned.

30561

Error calculating Active Directory group memberships if the user account's primary group has been changed.

30826

Error synchronizing the Active Directory user account schema properties ObjectKeyManager and Secretary. Synchronization quits although the option Continue on error is set.

30967

Timeout during synchronization of Azure Active Directory group memberships.

31051

If a Microsoft Exchange address list is marked as outstanding, the associated address book entries are not marked as outstanding.

30400

Error deleting outstanding Microsoft Exchange address book entries.

30401

If a Microsoft Exchange mailbox database is marked as outstanding, its server assignments are not marked as outstanding.

30466

Error provisioning deleted Microsoft Exchange mailboxes if deferred deletion is configured.

30807

Loading Microsoft Exchange data availability groups fails if all the servers involved are shut down.

31131

Error provisioning Exchange Online mailboxes.

A patch with the patch ID VPR#31269 is available for synchronization projects.

31269

The canonical names of LDAP objects are not formed automatically if the synchronization type is changed from No synchronization to One Identity Manager.

30398

Error setting up synchronization with IBM Notes if the connection to the Domino server is tested.

30427

Synchronization quits if the FullName of a Notes document cannot be loaded.

30691

The person document of a new Notes user account does not appear in the address book's default view.

30814

Error renaming a Notes user account if an organization unit is assigned to it.

30953

Flag Behavior inconsistent when handling SAPComPhone.PhoneType.

29725

The Synchronization Editor provides incorrect data for managers of organizational units from SAP HCM systems.

30121

Error loading SAP user accounts if the user account identifier contains quotes.

30258

When adding SAP user accounts with parameters, email addresses, telephone and fax numbers, distinguished names (such as SAPComPhone.DistinguishedName) are not formatted.

30356

Too many post-processing tasks are sent to the DBQueue if changes are made to SAP user accounts.

30361

The Insert event is not triggered for tasks in the HelperSAPUserInSAPRole table.

30367

SAP role assignments to SAP user accounts are provisioned, although the associated categories do not match.

30386

If several changes are made to an employee's central password in quick succession, by the Password Capture Agent for example, only the first change is made to the SAP user accounts.

30420

Company assignment of SAP user accounts is not provisioned in the target system.

A patch with the patch ID VPR#30453 is available for synchronization projects.

30453

Error synchronizing company data (table Company).

30557

Error loading single objects for schema types that are provided by a schema extension file.

30653, 30701

Executable SAP transactions are not calculated correctly for SAP user accounts.

30718

Error calculating role assignments (table SAPUserInSAPRole).

30797, 31149

Wrong templates for columns SAPComPhone.PhoneNumber and SAPComFax.FaxNumber.

31105

Error loading SAP user account if the name begins with a space character.

31329

During the calculation of SAP role assignments, those with ValidFrom="1900-01-01" and ValidTo<>"9999-12-31" are ignored.

31361

Error converting Json data with the data type Integer or Float.

30536

Error deleting group memberships with the SCIM connector.

30710

Cloud application group memberships are incorrectly resolved if the schema property members~type does not contain a value.

31187

The connectors Microsoft Exchange, Exchange Online and Windows PowerShell only use one revision counter even if several schema properties per schema type are flagged as revision counters.

In synchronization projects that use the Windows PowerShell Connector, the target system schema must be reloaded to use more revision counters.

In synchronization projects for Microsoft Exchange and Exchange Online, a patch with the patch ID VPR#31026 is provided.

31026

An Out-Of-Memory exception occurs while determining managers for email users and email contacts in large Exchange Online systems.

31087

The native database connector does not delete group memberships in the target system if provisioning is carried out by an application server.

30659

During synchronization of the native database connector, objects are marked as changed although they have not been changed.

30840

In the process of adding a new Windows PowerShell connection, the consistency check does not notice if a schema class does not have a unique key.

31324

If changes are made to group properties, too many post-processing tasks are queued in the DBQueue.

30076

Post-processing tasks for outstanding objects that have been deferred are not executed.

31180

Table 8: Identity and Access Governance

Resolved issue

Issue ID

Attestations are discontinued with the reason "No approver available" even though an approver is available.

30408

If an approval workflow is waiting for external approval and the approval step EX is reached for a different attestation object, the external approval process is restarted for all pending objects.

30965

Under certain circumstances, the Customizer method CreateAttestations blocks DBQueue processing.

31016, 31370

Error deleting attestation cases.

31092

Disabling attestation policies does not delete the associated attestation cases.

31141

In email notifications to attestors, the pictures defined in custom mail templates are not shown.

31151

Service items cannot be added as products in the IT Shop if their identifier is longer than 128 characters.

30399

In the approval sequence, the time is shown as UTC time.

30483

Membership in a role cannot be delegated if the recipient of the delegation is already a member of this role.

30549, 30795

If a company resource is assigned by a limited period request and an unlimited period request at the same time and the limited period request expires, the company resource is removed although a valid, unlimited request still exists.

30697

The column templates ShoppingCartItem.ObjectKeyAssignment, DisplayObjectKeyAssignment and PersonWantsOrg.DisplayObjectKeyAssignment cannot be overwritten.

30766

Manager freezes when an approval workflow is copied.

30833

Initial login data is sent to the wrong employee when user accounts are requested in the IT Shop.

31014

Closed requests are not deleted, although the retention period must have expired.

31068

Incorrect testing of whether a company resource has already been assigned if the option Only for use in IT Shop is set.

31116

If an exception has been granted for a product with a rule violation in the approval process, the rule violation remains after the product has been canceled and the assignment removed.

30213

Ad-hoc rule checking does not create processing tasks for recalculating rule violations and for calculating the affected employee group. This means the affected employees may not be calculated correctly.

30281

If a disabled compliance rule is deleted, the associated rule violation is not deleted.

30585

Calculating rule violations also calculates disabled rules.

30728

Error calculating compliance after updating the One Identity Manager database if only modules that are not dependent on the Compliance Rules Module are selected.

30905

The process CPL_PersonInNonCompliance_Assign_MitigatingControls is assigned to the wrong server function.

30994

Error assigning an object from a custom table to a system role.

30465

As from version 7.1.2, company resource assignments of child system roles are not mapped in the table EsetHasEntitlement. However, by updating the One Identity Manager database to version 7.1.2 or later, assignments to child system roles are not removed from the table EsetHasEntitlement.

30614

Missing risk indexes for system roles.

31337

In Manager, the Change security question task can also be displayed even though the logged in user does not have the required permissions.

30287

In the Show Entitlements Origin report, SAP roles and BI analysis authorizations that are inherited through system roles are missing.

30291

Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 9: General known issues

Known Issue

Issue ID

If you connect to a database with the Database Compiler, the task QBM-K-CommonWaitForCompiler is immediately queued in the DBQueue. If the Database Compiler ends without compiling the database, the task remains in the DBQueue.

23049, 24713

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.

23521

Error message in the Web Designer query window: Access to the path ... is denied.

This error occurs if the user that the web application process runs under does not have write permissions for the given folder.

23769

Errors may occur if the Web Installer is started in several instances at the same time.

24198

Header texts in reports saved as CSV are not given their correct names.

24657

Read Only type tables with Common Table Expressions (CTE) in the ViewAddOn are not added in the schema.

In One Identity Manager 7.0, behavior has been modified if you use common table expressions with the keyword with as a condition for view definitions in read-only tables. The conditions for view definitions are embedded in a summary query. This means, you cannot be sure that a common table expression is the very first expression in a query.

Possible error message:

(execute slot single)
50000 0 re-throw in Procedure QBM_ZViewBuildR, Line 10
50000 0 re-throw in Procedure QBM_PViewBuildR_intern, Line 102
50000 0 re-throw in Procedure QBM_PViewBuildR_intern, Line 82
50000 0 re-throw in Procedure QBM_PViewBuild_FromAddOn, Line 65
50000 0 re-throw in Procedure QBM_PSQLCreate, Line 26
156 0 detected in (...) Procedure ..., Line 6
156 0 Incorrect syntax near the keyword 'with'

Recommended action:

Check custom view definitions.

  1. Create a view that uses the common table expression.

    Example:

    create view CCC_Vxy as
    with a (col1, col2) as (
        select 1 as col1, 2 as col2
    )
    select * from a
    go

  2. Use the view in the additional view definition (QBMViewAddon) of the read-only table.

    select * from CCC_Vxy

 

Number of parameter pairs ParamName/ParamValue in the MailComponent's process task SendRichMail is not always sufficient.

10 parameter pairs are available by default. If this number is not sufficient, you can add additional custom process parameters, which Process Editor can then use as parameters. This function is available as from One Identity Manager version 7.0.

25164

In certain circumstances, objects can be in an inconsistent state after simulation in the Manager. If an object is changed or saved during simulation and the simulation is finished, the object remains in the final simulated state. It may not be possible to save other modifications to this object instance.

Solution: Reload the object after completing simulation.

12753

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation. This problem only occurs if the Configuration Wizard is started directly. Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Schema extensions on a database view of type View (for example Department) with a foreign key relation to a base table column (for example BaseTree) or a database view of type View are not permitted.

27203

Error connecting through an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.

27793

If a One Identity Manager database is operating in a cluster, the database is restored from a backup after a cluster failover. A new database ID is created in the process. This step can no longer be skipped; otherwise the database cannot be compiled.

28373

The One Identity Manager Service only logs messages in the event log Application, by default.

Cause: To add an event log with another name, you require administrator permissions on the Job server.

Solution:

  1. Add the file that the One Identity Manager Service should write to manually on the Job server. You can use Windows PowerShell, for example, to do this.

    1. Run Windows PowerShell as administrator on the Job server.

    2. Run the following CmdLet:

      New-EventLog -Source "Foobar" -LogName "<file name>"

  2. Enter this file name in the One Identity Manager Service's configuration file as the name for the event log in the module Logwriter.

  3. Restart the computer.

  4. Restart the One Identity Manager Service.

30540

The configuration parameter QER | ITShop | LimitOfNodeCheck specifies how many product nodes are deleted in one DBQueue Processor run if large numbers of products in the IT Shop are deleted through automatic processes. By default, 500 objects are processed in one run. Set the value lower if there are performance problems while executing the task QER-K-OrgAutoChild.

30657

Outstanding objects are ignored by inheritance calculation. This means, all memberships and assignments stay there until the outstanding objects have been processed.

Run target system synchronization to do this.

30909

Table 10: General web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

It is not possible to log out of the Web Portal using OAuth 2.0/OpenID Connect because the user is redirected to an incorrect address.

Cause: If, in the configuration parameter QER | Person | OAuthAuthenticator | LogoutEndpoint, a URL without a parameter is given, the logout parameters are appended to the URL in the configuration parameter in a format incompatible with the browser.

Solution: Add a dummy parameter to the URL in the configuration parameter, for example, instead of http://localhost/IdentityManager/logout use the value http://localhost/IdentityManager/logout?from=logout.

30999

Table 11: Target system connection

Known Issue

Issue ID

Automatic employee assignment for Notes user accounts does not work.

Cause: DialogObject.ObjectName on NDOUser has been renamed from NotesUser to NDOUser.

Solution: Test the existing search criteria for employee assignment (table column NDODomain.AccountToPersonMatchingRule) and replace NotesUser with NDOUser.

23270

An error may occur when synchronizing a target system and provisioning object modifications if the synchronization project was created with One Identity Manager 7.0 and no hotfixes were installed.

Example of an error message:

[2134002] Error executing an adhoc projection!

[1777239] The mapping rule (Members by SID) was unable to execute the projection between system objects (<group cn>) and (<group dn>) successfully!

Solution: Delete the synchronization project and recreate it. Restore your customizations.

24022

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

23795

After synchronizing an SAP R/3 environment, assignments of single roles to SAP user accounts are labeled as outstanding.

This problem can occur if:

  • SAP role assignments to user accounts were loaded in the One Identity Manager database before installing One Identity Manager 7.0.1
  • Single role assignments, which are included in collective roles, were mapped as direct assignments (Error ID 3218196)

By resolving this problem in One Identity Manager 7.0.1, incorrect assignments are labeled as outstanding after synchronizing again using the appropriate synchronization configuration.

Solution: Delete outstanding assignments in One Identity Manager target system synchronization.

 

By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses were stored up to now.

27042

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.

27359

No passwords can be provisioned when the bind method Fast Bind is in use in Active Directory. The method SetPassword is therefore not available.

The process step AdhocProjection fails with the message:

[System.Runtime.InteropServices.COMException] Unknown name. (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))).

27427

Synchronization projects for SAP R/3 that were imported by a transport into a One Identity Manager database, cannot be opened. The problem only occurs if an SAP R/3 synchronization project was not added in the target database before importing the transport package.

Solution: Create and save at least one SAP R/3 synchronization project before you import SAP R/3 synchronization projects into this database with the Database Transporter.

27687

To use automatic employee assignment for central user administration (CUA) user accounts, assign an account definition to the CUA central system. Account definitions cannot be used to assign user accounts to child systems.

28137

If an Active Directory user account has the property MailNickName, an error occurs when the mailbox is enabled.

[System.Management.Automation.ActionPreferenceStopException] The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: ExternalEmailAddress is mandatory on MailUser.

Cause: The property MailNickName is additionally mapped in the Active Directory mapping. This causes inconsistencies in the target system from the point the user accounts are added.

A user account of this kind appears in the Microsoft Exchange console as a mail user but without a target email address. An attempt to open this object causes an object corrupted error in Microsoft Exchange.

Solution: Clear up inconsistencies in the affected user accounts in Active Directory and correct your Active Directory mapping.

28820

Error synchronizing an OpenDJ system if a password begins with an open curly bracket.

Cause: The LDAP server interprets a generated password of the form {<abc>}<def> as a hash value. However, the LDAP server does not allow hashed passwords to be passed.

Solution: The LDAP server can be configured so that a hashed password of the form {<algorithm>}hash can be passed.

  • On the LDAP server: Allow already hashed passwords to be passed.

  • In the synchronization project: Only pass hashed passwords. Use the script properties for mapping schema properties that contain passwords. Create the password's hash value in the script.

29620
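The collision behind issue 29620 and the "only pass hashed passwords" workaround, as an added example that is not One Identity Manager code: a plaintext password of the form {<abc>}<def> matches the pattern a server uses to recognize a pre-hashed value, so the sketch always emits a {<algorithm>}hash value instead. The scheme name SSHA512, the digest-then-salt layout, the 8-byte salt and all function names are assumptions; use the scheme your LDAP server is configured to accept.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# A value the server treats as already hashed: "{scheme}payload".
SCHEME_PREFIX = re.compile(r"^\{([^{}]+)\}(.*)$", re.DOTALL)
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def looks_prehashed(value: str) -> bool:
    """True if a plaintext password would be read as {algorithm}hash."""
    return SCHEME_PREFIX.match(value) is not None


def ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Build '{SSHA512}' + base64(sha512(password + salt) + salt) (assumed layout)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, stored: str) -> bool:
    """Recompute the salted digest from the stored value and compare."""
    match = SCHEME_PREFIX.match(stored)
    if not match or match.group(1).upper() != "SSHA512":
        return False
    raw = base64.b64decode(match.group(2))
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def to_userpassword(password: str) -> str:
    """Always hash, so a leading '{' in the plaintext can never be misread."""
    return ssha512(password)


if __name__ == "__main__":
    # Constructed sample passwords; the first has the problematic form.
    for pw in ["{abc}def", "abc{def}", "Plain-Pass1"]:
        print(pw, looks_prehashed(pw), to_userpassword(pw)[:24] + "...")
```
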

If there are a large number of LDAP user accounts and LDAP groups in the database, provisioning might take a very long time. A message appears in the StdIO processor log (StdioProcessor.log) while LDAP user accounts and LDAP groups are updated.

DEBUG (SystemObjectData <static>) : Creating SystemObjectData based on entity (%DisplayName% (%cn%)) columns (UID_LDAPAccount, UID_LDAPContainer, UID_LDPDomain, XObjectKey).

TRACE (SchemaElement static) : %DisplayName% (%cn%)@LDAPAccount[].GetValue(vrtScopeParentReference) returns ...

TRACE (SchemaElement static) : %DisplayName% (%cn%)@LDAPAccount[].GetValue(UID_LDAPContainer) returns ...

Cause: No reference scope is defined so that the default scope is used for resolving references. This causes too much data to be loaded from the database.

Solution: Define an empty reference scope. This means that scopes are not calculated when references are resolved, which noticeably improves performance with larger amounts of data.

30172

Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

Table 12: Third party contributions
Known Issue Issue ID

An error can occur during synchronization of SharePoint websites under SharePoint 2010. The method SPWeb.FirstUniqueRoleDefinitionWeb() triggers an ArgumentException. For more information, see https://support.microsoft.com/en-us/kb/2863929.

24626

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers for security reasons.

24784

Web applications under .Net 4.x on IIS are generally not stable if Microsoft Application Performance Monitoring is running on the same system.

This problem is documented by Microsoft. For more information, see https://support.microsoft.com/en-us/help/3216459.

28557

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016 : KB4462928

  • Windows Server 2012 R2 : KB4462926, KB4462921

  • Windows Server 2008 R2 : KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector works around this behavior by updating the membership list. This workaround may degrade performance when Active Directory groups are provisioned and will be removed in future once Microsoft has resolved the problem.

30575
