Identity Manager 8.0.5 - Release Notes

One Identity Manager 8.0.5

Release Notes

May 2020

These release notes provide information about the One Identity Manager release. You will find all the modifications since One Identity Manager version 8.0.4 listed here.

One Identity Manager 8.0.5 is a patch release with enhanced features and functionality. See Enhancements.

If you are updating a One Identity Manager version prior to One Identity Manager 8.0.4, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

For changes to the Web Designer and the Web Portal since the last version, see the document Web Designer and Web Portal Changes.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide
  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide
  • One Identity Manager LDAP Connector for IBM RACF Reference Guide
  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide
  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide
  • One Identity Manager REST API Reference Guide
  • One Identity Manager Web Runtime Documentation
  • One Identity Manager Object Layer Documentation
  • One Identity Manager Composition API Object Model Documentation

About One Identity Manager 8.0.5

One Identity Manager simplifies the process of managing user identities, access permissions, and security policies. It gives the company control over identity management and access decisions while the IT team can focus on its core competence.

With this product, you can:

  • Implement group management using self service and attestation for Active Directory with the One Identity Manager Active Directory Edition

  • Meet Access Governance demands across platforms throughout your entire organization with One Identity Manager

Each one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

Enhancements

The following is a list of enhancements implemented in One Identity Manager 8.0.5.

Table 1: General

Enhancement

Issue ID

Improved performance updating the current UTC time difference of all timezones.

32567

New parameters of the ScriptComponent process component are available for the CSVExport and CSVExportSingle process tasks.

  • ValueMaskChar: Character for masking values. If the parameter exists, the character is automatically added at both ends of each value and every time the same character appears within the value, it is doubled.

  • Culture: Language to use for formatting the value.

  • ConvertUtcTimes: Specifies whether UTC times are converted to local times.

  • TimeZone: Time zone to convert to. Only used if ConvertUtcTimes is set. If the parameter is not set, the Job server's local time zone is used.

32410, 32939

Improved the Objectkey references to non existing object consistency check.

32333

Table 2: General web applications

Enhancement

Issue ID

In the Web Portal, the system role’s Hyper View has been reworked.

20188

Improved performance requesting products in the Web Portal.

32255

Improved performance of certain database queries in the Web Portal.

32253

In the Web Portal, keyboard shortcuts are now displayed for all buttons (for example, [Alt-C]).

31882

Improved performance of database-bound grids.

32393

Table 3: Target system connection

Enhancement

Issue ID

Improved performance provisioning assignments of Oracle E-Business Suite entitlements to user accounts.

32498

The SCIM connector now uses the service provider's default value to find the maximum number of objects per page. The connector does not send values anymore.

32684

Improved messages for the SCIM connector in the synchronization log.

32689, 32690

Improved performance determining employees that are responsible for target system groups.

32855

Improved performance provisioning G Suite user accounts.

32884

The filter for the HRPerson_0709_IDEXT schema class was changed from a string to an integer comparison.

A patch with the patch ID VPR#32899 is available for synchronization projects.

32899

The recommendations from Microsoft about avoiding throttling during SharePoint Online synchronization have been implemented.

32929

Improved documentation of permissions required for integrating One Identity Manager as an application in Azure Active Directory.

32820

Table 4: Identity and Access Governance

Enhancement

Issue ID

Improved performance when creating and approving attestation cases.

32940

Improved performance calculating QER_FTPWOVisibleForPerson.

32334

Improved indexing of the PersonHasObject and BaseTreeHasObject tables.

32771

The Retain service item assignment on relocation option can now be set on default service items.

32588

In the Manager, on the overview forms for application roles, departments, cost centers, location and business roles, you can now see which approval workflows they are used in.

32745

Resolved issues

The following is a list of solved problems in this version.

Table 5: General

Resolved issue

Issue ID

Custom files are deleted during update installation of local assemblies.

28985

Tests for possibly damaging SQL statements are too strict.

32102, 32285

Error, if the name of the connection server for transferring data to the One Identity Manager History Database contains special characters.

32163

When a connection server is created, data transfer to a One Identity Manager History Database fails if the is_rpc_out_enabled option is not set.

32492

Transaction scope of the DBQueue Processor's HDB-K-ProcessGroup task is too big.

32761

In certain circumstances, not all elements are indexed in the search index.

31881

In the search index, the change date is set even though a table is not indexed in a run.

32406

In certain circumstances, table relations are incorrectly identified as errors in the consistency check.

32443

The _Old suffix causes errors during bulk updating of column names.

32488

Internal temporary table for determining historical data for reports is created with the wrong sort order.

32555

In certain circumstances, an error occurs in the QBM_PDBQueueProcess_Del procedure.

32332

Blocked slots are reset too frequently.

32585

In certain circumstances in the DBTransporterCMD.exe command line program, single user mode is not exited.

32620

Insufficient references in certain scripts.

32644

An error occurs in a date field if a value larger than 31.12.9998 is entered.

32368

Incorrect sorting of date values in the Manager if English (USA) is set as the language.

32441

ObjectWalker does not work with dynamic foreign keys in a Data Import script.

32214

Input of dates in reports does not support every date format.

32775

When a report is translated, the description is not translated.

32875

Processes are sporadically not generated from schedules.

32742

The Table with XOrigin (XIsInEffect) without update handling consistency check does not take automatically generated triggers into account.

32902

Results of a SQL query in the Object Browser cannot be marked with Ctrl + A anymore.

32942

If the time difference to UTC for a timezone changes, the mean time difference to UTC for the states in this timezone is not updated.

32973

Export definitions for data export are not saved in the user configuration and are therefore not available after the Manager has been restarted.

32887

Table 6: General web applications

Resolved issue

Issue ID

Information about the password strength is not displayed in the respective language in the Password Reset Portal.

30694

In the Web Portal, you can sort by columns with hidden content.

31969

In the Web Portal, the Back button on the Pending attestations page only works if there are no attestations.

31963

In the Web Portal, on the Pending attestations page, an error occurs when you click the Business roles tile.

32920

If an auditor in the Web Portal searches through requests (Requests | Auditing | Request), not all the results are found.

32069

In the Web Portal, selecting an employee for a new request can take a long time.

32372

In certain circumstances, an error occurs if you try to display a request template in the Web Portal.

32819

An error occurs when an approver in the Web Portal adds an item to another employee's request and sends the request.

32880

In the Web Portal, an error occurs if an empty grouped table is exported as a PDF.

32773

In the Web Portal, if you download a file with Internet Explorer 11 whose name contains non-ASCII characters, an incorrect file name is suggested for the file.

32921

If an error alert is displayed in the Web Portal and you try to close it using the Escape key, the underlying dialog is closed instead of just the error alert.

33020

In the Web Portal, an error occurs if a product request is displayed that is not assigned to an IT Shop.

32837

In the Web Portal, if a direct assignment of an SAP role to an SAP user account is removed, the associated entry in SAPUserInSAPRole is not deleted.

32842

In the Web Portal, requests to be approved can be selected in a list. In certain circumstances, the selection goes missing when you swap to the other side of the list.

32904

Use of the | character in the password of the SQL user who is used to install a web application causes an error.

32461

In the Web Designer, an error occurs if a project is compiled that contains a combobox node that is not iterated.

32366

In the Web Designer, some Web SQL functions cannot be used in conditions in column lists.

32374

The Web Designer's GetDataState function does not work and returns a value of false even if columns have changed.

32790

Bad performance of the pre-defined Webportal.VI_ITShop_ProductSelection.AccProductStatusForPerson SQL statement.

32767

In Web Designer, if you add a column of XdateInserted or XdateUpdated type to a table, the filter function for the column does not work in the Web Portal.

32709

In the Manager web application, an error occurs displaying rule violations.

32304

In the Web Designer, memory usage increases when working on module extensions.

32900

Table 7: Target system connection

Resolved issue

Issue ID

In the synchronization log, objects that are marked as outstanding are not logged.

32011

Objects with a combined primary key with a value of timestamp cannot be reloaded.

32266

The native database connector executes the configured processing method of a synchronization step only for the first object of the object class although several objects need to be processed. This happens if a pattern-based strategy is defined for the data operation.

32307

When you close a synchronization project, the password for logging in to the target system is saved incorrectly if it contains the dollar ($) character.

32226, 32311

Error updating the schema from a CSV file if the file has not been declared in the system connection wizard.

32391

Special characters are not masked correctly in custom project templates.

32474

Error during synchronization: The connection does not support MultipleActiveResultSets.

32604

The IsSecret and IsSystemVariable properties of the DefaultUserPassword variable are not all correctly set in the synchronization project.

Patches with patch IDs VPR#32781_SCIM, VPR#32781_EBS, VPR#32781_NDO are available for synchronization projects.

32781

Error adding memberships in the UNSAccountBInUNSGroupB table in the target system browser although the objects are within the scope.

32532

Error testing the connection to the cloud application in the system connection wizards if there is no authentication endpoint given.

32627

If an error occurs loading the object list, the SCIM connector returns an empty list as successfully loaded. The error only occurs in One Identity Manager version 7.1.x and 8.0.x.

32646

Error serializing complex properties from schema extensions in synchronization projects with the SCIM connector.

32696

The SCIM connector uses the wrong media type for POST queries in the HTTP header. The data are swapped around.

32712

The provisioning process for a cloud application's user accounts returns the wrong data for loading the objects.

32780

Error provisioning group memberships if the SCIM connector uses PATCH queries.

32846

Provisioning of deleted group memberships does not work under certain conditions.

32853

Changes to values of multi-valued schema properties are not correctly mapped in PUT queries.

32901

The User.address~primary schema property is set to True even if no address data is given.

A patch with the patch ID VPR#32754 is available for synchronization projects.

32754

If a container is deleted from an Active Directory user account, verification of the object properties fails after provisioning.

A patch with the patch ID VPR#32258 is available for synchronization projects.

32258

If an Active Directory object that already has the SAMAccountName exists in another container in Active Directory, an error occurs.

32504

Error during synchronization if accessing special properties of Active Directory objects using a DirectoryEntry object's extension method.

32873

Active Directory account policies that are assigned through Active Directory groups are not taken into account for Active Directory user accounts.

32803

In the Manager, some assignment forms for Active Directory objects can be opened with multi-select.

32438

In the Manager, the Change master data form (FormADSAccountMasterData) does not show changes to the Dial-up permitted property for Active Directory user accounts (ADSAccount.AllowDialI).

32889

The Active Roles connector does not support the function level for Windows Server 2016 domains.

A patch with the patch ID VPR#32844 is available for synchronization projects.

32844

The edsaWTSUserConfigInheritInitialProgram property in the User mapping is negated. This behavior is no longer required.

A patch with the patch ID VPR#32871 is available for synchronization projects.

32871

Problems connecting to Microsoft Exchange Server 2016 if using SSL.

32362

The ThrottlingPolicy property is not loaded for Microsoft Exchange mailboxes.

32533

The Notes connector returns the wrong value for AdminRequest.Type.

32589

Error provisioning Notes user accounts if the user account's certificate has been changed.

32705

The process for locking Notes user accounts does not work correctly.

32947

The system connection to SAP R/3 cannot be established if the synchronization user’s password contains dollar ($) characters.

32298

Parameters used to call a BAPI function to delete an SAP object are incorrectly populated.

32469

SAPTitle.DistinguishedName is not unique.

SAPTitle.DistinguishedName and SAPTitle.CanonicalName have been extended by the language code of the title. This makes the entries unique, even if several languages are maintained in the SAP system.

A patch with the patch ID VPR#32584 is available for synchronization projects.

32584

If SAP user accounts marked for deletion are reset, the associated SAPUserInSAPRole entries remain marked for deletion and are not reset.

32727

The IsSecret and IsSystemVariable properties of the TempUserPassword variable are not all correctly set in the synchronization project.

A patch with the patch ID VPR#32781_SAP is available for synchronization projects.

32781

If Oracle E-Business Suite editions are used, the Oracle E-Business Suite connector accesses the wrong data sets.

A patch with the patch ID VPR#30464 is available for synchronization projects.

30464

During synchronization, an invalid entitlement assignment is not re-enabled if it exists in Oracle E-Business Suite as a valid assignment. EBSUserInResp.XOrigin retains the value 16.

33024

When assigning account definitions to employees, process steps are not handled correctly anymore afterward. The status of the process step, to test whether a user account exists, is not set correctly in the JobQueue. The user account is created anyway. Subsequent processing of downstream tasks is blocked for the affected employee.

32580

On the form for defining search criteria for employee assignment, the allocated base object’s UID is displayed instead of the user account’s UID. This happens if the display pattern for the user account table is made up of several columns.

32612

On the form for defining search criteria for employee assignment, employees' display names are not correctly formatted.

32876

In the Manager, custom columns of Datetime type are not displayed with the desired alternative column identifier for custom target systems.

32702

Checking for the existence of target system objects fails if there are several mappings.

32908

Table 8: Identity and Access Governance

Resolved issue

Issue ID

If E-Business Suite permissions assignments to user accounts are attested and automatic removal of permissions is configured, denied assignments are not deleted.

30375

The condition for viewing the AttestationCase table of the VI_4_ALLUSER permissions group does not allow closed attestation cases to be displayed if the currently logged in user was involved.

31365

Automatic removal of permissions after attestation is denied does not take into account whether the assignment is already marked for deletion or not.

32661

Notifications from questions about an attestation case are sent to the wrong employee.

32809

Error adding attestation cases.

32988

Error automatically removing E-Business Suite entitlement assignments after attestation has been denied.

32961

After the second step in an attestation case approval workflow, no more mail notifications are sent.

33049

In certain circumstances, an employee can make an approval decision for a request that was questioned.

32465

If an additional approver was assigned to an approval step, the chief approval team’s approval decision has no effect.

32467

The QER_ZITShopOrderAbort procedure uses the wrong cancellation method.

32522

If an approver makes approval decisions for several requests because they are delegated, the delegator is only informed the first time.

32526

In certain circumstances, despite the QER | ITShop | DeleteClosed configuration parameter being set, not all columns that are marked to be logged on deletion are logged.

32559

The consistency check's repair script Requested products that are not assigned generates missing entries in the PersonInITShopOrg table with the wrong value for XOrigin.

32827

Under certain circumstances, when determining a request's approver, a fallback approver is not found although there is no regular approver.

32872

The Replace method is not available for requests with Renewal status.

33029

In certain reports about employees, the time period for assignments is not calculated correctly.

31955

Performance problems calculating system role assignment to business roles and organizations.

32546

In the Manager, employees are shown on the Subscribable report overview form that do not subscribe to that report anymore.

32473

If a simple report is generated in CSV format, Display values about FK relations are not displayed properly.

32547

In certain reports about employees, the time period for assignments is not calculated correctly.

32389

Error calculating time periods for memberships in reports with historical data.

32726

The GenProcID in requests is emptied too quickly if an approved request's validity period is in the future.

32720

If, in the permissions editor for SAP functions, the Add by task is run and One Identity Manager is running over an application server, the Manager freezes.

32789

Table 9: IT Service Management

Resolved issue

Issue ID

In the Manager, the Help desk employee option on an employee’s master data form, is not displayed correctly if you swap between employees.

32587

In the Manager, diverse master data are missing on the PC and server master data forms.

32922

Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 10: General known issues

Known Issue

Issue ID

If you connect to a database with the Database Compiler, the task QBM-K-CommonWaitForCompiler is immediately queued in the DBQueue. If Database Compiler ends without compiling the database, the task remains in the DBQueue.

23049, 24713

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as SQL query and use aliases for the affected columns.

23521

Errors may occur if the Web Installer is started in several instances at the same time.

24198

Header texts in reports saved as CSV are not given their correct names.

24657

Number of ParamName/ParamValue parameter pairs in the MailComponent's SendRichMail process task is not always sufficient.

10 parameter pairs are available by default. If this number is not sufficient, you can add additional custom process parameters, which Process Editor can then use as parameters. This function is available as from One Identity Manager version 7.0.

25164

In certain circumstances, objects can be in an inconsistent state after simulation in the Manager. If an object is changed or saved during simulation and the simulation is finished, the object remains in the final simulated state. It may not be possible to save other modifications to this object instance.

Solution: Reload the object after completing simulation.

12753

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

25315

Schema extensions on a database view of type View (for example, Department) with a foreign key relation to a base table column (for example, BaseTree) or a database view of type View are not permitted.

27203

Error connecting through an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.

27793

If a One Identity Manager database is operating in a cluster, the database is restored from a backup after a cluster failover. A new database ID is created in the process. This step can no longer be skipped; otherwise the database cannot be compiled.

28373

Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in the One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is a rudimentary basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key, is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.

29535

The default setting of globallog.config assumes that write access exists for %localappdata%. If an EXE does not have sufficient permissions, the log can be written to a directory that does have the access rights by changing the variable logBaseDir in the globallog.config or by introducing a special log configuration in the *.exe.config or the Web.config file.

30048

The One Identity Manager Service only logs messages in the event log Application, by default.

Cause: To add an event log with another name, you require administrator permissions on the Job server.

Solution:

  1. Add the file that the One Identity Manager Service should write to manually on the Job server. You can use Windows PowerShell, for example, to do this.

    1. Run Windows PowerShell as administrator on the Job server.

    2. Run the following CmdLet:

      New-EventLog -Source "Foobar" -LogName "<file name>"

  2. Enter this file name in the One Identity Manager Service's configuration file as the name for the event log in the module Logwriter.

  3. Restart the computer.

  4. Restart the One Identity Manager Service.

30540
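
The event log setup from the solution for issue 30540 above, as an added example that is not part of the original release notes. It is written for Windows PowerShell 5.1, where the New-EventLog cmdlet is available. The log name OneIMJobService and the event ID 1000 are constructed placeholders; the source name is the one used in the release notes.

```powershell
#Requires -Version 5.1
# Added example: idempotent creation of a dedicated event log on the Job server.
# $LogName is a constructed placeholder; it must match the name entered in the
# Logwriter module of the One Identity Manager Service configuration.
param(
    [string]$LogName = 'OneIMJobService',
    [string]$Source  = 'Foobar'            # source name as used in the release notes
)

$ErrorActionPreference = 'Stop'

# Registering a log or source writes to HKLM, so the session must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated Windows PowerShell session.'
}

# A source can be bound to exactly one log. If it is already registered to a
# different log, stop rather than let the service write to the wrong place.
if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
    $boundTo = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
    if ($boundTo -ne $LogName) {
        throw "Source '$Source' is already registered to log '$boundTo'."
    }
    Write-Output "Source '$Source' is already registered to '$LogName'; nothing to create."
}
else {
    New-EventLog -LogName $LogName -Source $Source
    Write-Output "Created log '$LogName' with source '$Source'."
}

# Verify: write one test entry and read it back from the new log.
Write-EventLog -LogName $LogName -Source $Source -EventId 1000 `
    -EntryType Information -Message 'Test entry: event log is writable.'
Get-EventLog -LogName $LogName -Newest 1 |
    Format-List TimeGenerated, Source, EntryType, Message
```

After the script succeeds, continue with steps 2 to 4 of the solution.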

The configuration parameter QER | ITShop | LimitOfNodeCheck specifies how many product nodes are deleted in one DBQueue Processor run if large numbers of products in the IT Shop are deleted through automatic processes. By default, 500 objects are processed in one run. Set the value lower if there are performance problems while executing the task QER-K-OrgAutoChild.

30657

Outstanding objects are ignored by inheritance calculation. This means, all memberships and assignments remain intact until the outstanding objects have been processed.

Start target system synchronization to do this.

30909

If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the servers is done by Distributed Transaction.

If a Save Transaction is carried out, the following error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.

30972

Read Only type tables with Common Table Expressions (CTE) in the ViewAddOn are not added in the schema.

As from One Identity Manager 7.0, the behavior of CTEs with the with keyword as condition for view definitions in database views of Read only type has changed. The conditions for view definitions are embedded in a summary query. This means, you cannot be sure that a common table expression is the very first expression in a query.

Possible error message:

    (execute slot single)
    50000 0 re-throw in Procedure QBM_ZViewBuildR, Line 10
    50000 0 rethrow in Procedure QBM_PViewBuildR_intern, Line 102
    50000 0 re-throw in Procedure QBM_PViewBuildR_intern, Line 82
    50000 0 re-throw in Procedure QBM_PViewBuild_FromAddOn, Line 65
    50000 0 re-throw in Procedure QBM_PSQLCreate, Line 26
    156 0 detected in (...) Procedure ..., Line 6
    156 0 Incorrect syntax near the keyword 'with'

Recommended action:

  1. Create a database view using Common Table Expressions.

    Example:

    create view CCC_Vxy as
    with myWithClause (column1, column2) as (
        select 1 as column1, 2 as column2
    )
    select * from myWithClause
    go

  2. Use the database view in the additional view definition (QBMViewAddon) of Read only type database views.

    select * from CCC_Vxy

 

If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports.

31322

Table 11: General web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739

An empty page is displayed in the Internet Explorer if the Operations Support Web Portal is opened with the URL.

The Operations Support Web Portal is supposed to be run on an intranet site and the setting Display intranet sites in Compatibility View is set on the web server.

Solution: Extend the section <system.webServer> in the Web Portal's configuration file (web.config). Enter an attribute or compatibility mode.

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      ...
      <add name="X-UA-Compatible" value="IE=11" />
      ...
    </customHeaders>
  </httpProtocol>
</system.webServer>

750376

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.

30271

It is not possible to log out of the Web Portal using OAuth 2.0/OpenID Connect because it is rerouted to a false address.

Cause: If, in the configuration parameter QER | Person | OAuthAuthenticator | LogoutEndpoint, a URL without a parameter is given, the logout parameters are appended to the URL in the configuration parameter in a format incompatible with the browser.

Solution: Add a dummy parameter to the URL in the configuration parameter, for example, instead of http://localhost/IdentityManager/logout use the value http://localhost/IdentityManager/logout?from=logout.

30999

The validity of a password, connecting the Password Reset Portal through the application server, is not tested until it is saved. The test script, invalid name components and the password history are not taken into account in the client-side test. A server-side test is done when the password is saved. Therefore, errors are not shown until the password is saved.

31354

Table 12: Target system connection

Known Issue

Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

23795

After synchronizing an SAP R/3 environment, assignments of single roles to SAP user accounts are labeled as pending.

This problem can occur if:

  • SAP role assignments to user accounts were loaded in the One Identity Manager database before installing One Identity Manager 7.0.1

  • Single role assignments, which are included in collective roles, were mapped as direct assignments (Error ID 3218196)

By resolving this problem in One Identity Manager 7.0.1, incorrect assignments are labeled as pending after synchronizing again using the appropriate synchronization configuration.

Solution: Delete pending assignments in One Identity Manager target system synchronization.

 

By default, the HR_ENTRY_DATE building block of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the HR_ENTRY_DATE building block remotely in your SAP HCM system. Create a mapping for the EntryDate schema property in the Synchronization Editor.

25401

Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses were stored up to now.

27042

Error in IBM Notes connector (Error getting revision of schema type ((Server))).

Probable cause: The IBM Notes environment was rebuilt or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the IBM Notes environment.

27126

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.

  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.

  • Modify the synchronization configuration as required.

27359

No passwords can be provisioned when the bind method Fast Bind is in use in Active Directory. The SetPassword method is therefore not available.

The AdhocProjection process step fails with the message:

[System.Runtime.InteropServices.COMException] Unknown name. (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))).

27427

Synchronization projects for SAP R/3 that were imported by a transport into a One Identity Manager database, cannot be opened. The problem only occurs if an SAP R/3 synchronization project was not added in the target database before importing the transport package.

Solution: Create and save at least one SAP R/3 synchronization project before you import SAP R/3 synchronization projects into this database with the Database Transporter.

27687

If an Active Directory user account has the property MailNickName, an error occurs when the mailbox is enabled.

[System.Management.Automation.ActionPreferenceStopException] The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: ExternalEmailAddress is mandatory on MailUser.

Cause: The property MailNickName is additionally mapped in the Active Directory mapping. This causes inconsistencies in the target system from the point the user accounts are added.

A user account of this kind appears in the Microsoft Exchange console as a mail user but without a target email address. An attempt to open this object causes an object corrupted error in Microsoft Exchange.

Solution: Clear up inconsistencies in the affected user accounts in Active Directory and correct your Active Directory mapping.

28820

Error loading single objects with Windows PowerShell if the parameter Identity is used. The error can occur during provisioning of changes made to objects in Microsoft Exchange or Exchange Online, for example, and causes follow-on errors.

Windows PowerShell connector's message: Command yielded <count> objects but only one was expected.

Cause: Multiple objects with the same name exist.

29152

Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will not come into effect until later.

Cause: The function BAPI_EMPLOYEE_GETDATA is always executed with the current date. Therefore, changes are taken into account on the exact day.

Solution: To synchronize personnel data in advance that will not come into effect until later, use a schema extension and load the data from the table PA0001 directly.

29556

Error synchronizing an OpenDJ system if a password begins with an open curly bracket.

Cause: The LDAP server interprets a generated password of the form {<abc>}<def> as a hash value. However, the LDAP server does not allow hashed passwords to be passed.

Solution: The LDAP server can be configured so that a hashed password of the form {<algorithm>}hash can be passed.

  • On the LDAP server: Allow already hashed passwords to be passed.

  • In the synchronization project: Only pass hashed passwords. Use the script properties for mapping schema properties that contain passwords. Create the password's hash value in the script.
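The following Python sketch is an added example, not code from One Identity Manager or its documentation. It detects a clear-text password that a server would read as {<algorithm>}hash and builds a pre-hashed value to pass instead. The salted SHA-512 layout ({SSHA512} followed by Base64 of digest plus salt) and all function names are assumptions; use a scheme your LDAP server is configured to accept and implement the equivalent in the synchronization project's script.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# A value of the form {<scheme>}<rest> is read by the LDAP server as an
# already-encoded password, not as clear text.
_PREENCODED = re.compile(r"^\{([^{}]+)\}(.*)$", re.DOTALL)
_DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def looks_preencoded(password: str) -> bool:
    """True if a clear-text password would be mistaken for {scheme}hash."""
    return _PREENCODED.match(password) is not None


def encode_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Build {SSHA512}base64(SHA-512(password + salt) + salt) (assumed layout)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, encoded: str) -> bool:
    """Check a clear-text password against a value from encode_ssha512."""
    match = _PREENCODED.match(encoded)
    if not match or match.group(1).upper() != "SSHA512":
        return False
    try:
        raw = base64.b64decode(match.group(2), validate=True)
    except ValueError:  # malformed Base64
        return False
    if len(raw) <= _DIGEST_LEN:  # no salt present
        return False
    digest, salt = raw[:_DIGEST_LEN], raw[_DIGEST_LEN:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    generated = "{Xy7}q!Lm29"  # constructed sample password
    print("misread as hash if sent in clear:", looks_preencoded(generated))
    print("value to pass instead:", encode_ssha512(generated))
```

Because the hashed value always starts with a scheme name the server knows, the leading bracket in the original password no longer reaches the server as clear text.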

29620

If an employee's central password is used as the password for their user accounts, the password is not transferred to the password history of each individual user account. Therefore, reuse of the password cannot be prevented if the password is changed manually later.

Cause: An employee's central password is an encrypted value that can only be entered in the password history when it is assigned to an employee.

Recommendation:

  • Only use the employee's central password for the user accounts. Changes to the password are saved in the employee's password history.

    - OR -

  • Only make changes to the passwords directly in the user accounts. This saves the password modifications in the user account's password history.

29605

The Oracle E-Business Suite connector converts data with an unknown data type into strings and tries to write this value to the matching schema property in the One Identity Manager schema.

30098

If there are a large number of LDAP user accounts and LDAP groups in the database, provisioning might take a very long time. A message appears in the StdIO processor log (StdioProcessor.log) during the LDAP user account and LDAP groups update.

DEBUG (SystemObjectData <static>) : Creating SystemObjectData based on entity (%DisplayName% (%cn%)) columns (UID_LDAPAccount, UID_LDAPContainer, UID_LDPDomain, XObjectKey).

TRACE (SchemaElement static) : %DisplayName% (%cn%)@LDAPAccount[].GetValue(vrtScopeParentReference) returns ...

TRACE (SchemaElement static) : %DisplayName% (%cn%)@LDAPAccount[].GetValue(UID_LDAPContainer) returns ...

Cause: No reference scope is defined, so the default scope is used for resolving references. This causes too much data to be loaded from the database.

Solution: Define an empty reference scope. This means that scopes are not calculated when references are resolved, which noticeably improves performance with larger amounts of data.

30172

Inconsistencies in SharePoint can cause errors when a property is simply accessed. The error also appears if the affected schema property's mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.

Solution:

  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.

31017

If date fields in an SAP R/3 environment contain values that are not in a valid date or time format, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version 3.0.15.0 or later must be installed on the synchronization server.

IMPORTANT: This workaround should only be used if there is no alternative, because it skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.
    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">

      <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=3.0.0.42, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />

      </sectionGroup>

    • In the new section:

      <SAP.Middleware.Connector>

      <GeneralSettings anyDateTimeValueAllowed="true" />

      </SAP.Middleware.Connector>

32149

The file generated by the PowershellComponentNet4 process component (OutputFile parameter) does not contain any error messages.

Cause:

No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.

Solution:

Messages in the script can be written to a file specified in the script by using the *> operator.

Example:

Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force a stop on error in the script, throw an exception. This message then appears in the One Identity Manager Service's log file.

32945

Although the TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom configuration parameter is set and the TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate is not set, the assignment date is not set as the first day of the validity period in assignments of SAP roles to SAP user accounts. This behavior occurs if a Valid until date is given for a request but no Valid from date.

32628

Table 13: Identity and Access Governance
Known Issue Issue ID

Moving a shelf to another shop and the recalculation tasks associated with it can block the DBQueue.

Solution:

Parent IT Shop nodes of shelves and shops cannot be changed once they have been saved.

To move a product in a shelf to another shop

  • Select the task Move to another shelf.

    - OR -

  • Assign the product to a shelf in the new shop then remove the product assignment to the previous shelf.

Once you have moved all the products, you can delete the shelf.

31413

During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.

31997

Table 14: Third party contributions
Known Issue Issue ID

An error can occur during synchronization of SharePoint websites under SharePoint 2010. The method SPWeb.FirstUniqueRoleDefinitionWeb() triggers an ArgumentException. For more information, see https://support.microsoft.com/en-us/kb/2863929.

24626

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers for security reasons.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see https://github.com/mono/mono/issues/7455.

29607

Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.

29051

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016 : KB4462928

  • Windows Server 2012 R2 : KB4462926, KB4462921

  • Windows Server 2008 R2 : KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may degrade performance when provisioning Active Directory groups and will be removed from One Identity Manager in future once Microsoft has resolved the problem.

30575

When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.

31998

In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see https://support.microsoft.com/en-us/help/4295103.

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellComponentNet4 process component through a user-defined Windows PowerShell call.

33026
