Identity Manager 8.0.5 - Release Notes

One Identity Manager 8.0.5

Release Notes

May 2020

These release notes provide information about the One Identity Manager release. You will find all the modifications since One Identity Manager version 8.0.4 listed here.

One Identity Manager 8.0.5 is a patch release with enhanced features and functionality. See Enhancements.

If you are updating a One Identity Manager version prior to One Identity Manager 8.0.4, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

For changes to the Web Designer and the Web Portal since the last version, see the document Web Designer and Web Portal Changes.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide
  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide
  • One Identity Manager LDAP Connector for IBM RACF Reference Guide
  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide
  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide
  • One Identity Manager REST API Reference Guide
  • One Identity Manager Web Runtime Documentation
  • One Identity Manager Object Layer Documentation
  • One Identity Manager Composition API Object Model Documentation


About One Identity Manager 8.0.5

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives the company control over identity management and access decisions while the IT team can focus on its core competence.

With this product, you can:

  • Implement group management using self service and attestation for Active Directory with the One Identity Manager Active Directory Edition

  • Meet access governance requirements across platforms throughout your entire enterprise with One Identity Manager

Each one of these scenario-specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.


The following is a list of enhancements implemented in One Identity Manager 8.0.5.

Table 1: General


Issue ID

Improved performance updating the current UTC time difference of all timezones.


New parameters of the ScriptComponent process component are available for the CSVExport and CSVExportSingle process tasks.

  • ValueMaskChar: Character for masking values. If the parameter exists, the character is automatically added at both ends of each value and every time the same character appears within the value, it is doubled.

  • Culture: Language to use for formatting the value.

  • ConvertUtcTimes: Specifies whether UTC times are converted to local times.

  • TimeZone: Time zone to convert to. Only used if ConvertUtcTimes is set. If the parameter is not set, the Job server's local time zone is used.

32410, 32939

Improved the Objectkey references to non existing object consistency check.


Table 2: General web applications


Issue ID

In the Web Portal, the system role’s Hyper View has been reworked.


Improved performance requesting products in the Web Portal.


Improved performance of certain database queries in the Web Portal.


In the Web Portal, keyboard shortcuts are now displayed for all buttons (for example, [Alt-C]).


Improved performance of database-bound grids.


Table 3: Target system connection


Issue ID

Improved performance provisioning assignments of Oracle E-Business Suite entitlements to user accounts.


The SCIM connector now uses the service provider's default value to find the maximum number of objects per page. The connector does not send values anymore.


Improved messages for the SCIM connector in the synchronization log.

32689, 32690

Improved performance determining employees that are responsible for target system groups.


Improved performance provisioning G Suite user accounts.


The filter for the HRPerson_0709_IDEXT schema class was changed from a string to an integer comparison.

A patch with the patch ID VPR#32899 is available for synchronization projects.


The recommendations from Microsoft about avoiding throttling during SharePoint Online synchronization have been implemented.


Improved documentation of permissions required for integrating One Identity Manager as an application in Azure Active Directory.


Table 4: Identity and Access Governance


Issue ID

Improved performance creating and approving attestation cases.


Improved performance calculating QER_FTPWOVisibleForPerson.


Improved indexing of the PersonHasObject and BaseTreeHasObject tables.


The Retain service item assignment on relocation option can now be set on default service items.


In the Manager, on the overview forms for application roles, departments, cost centers, location and business roles, you can now see which approval workflows they are used in.


Resolved issues

The following is a list of solved problems in this version.

Table 5: General

Resolved issue

Issue ID

Custom files are deleted during update installation of local assemblies.


Tests for possibly damaging SQL statements are too strict.

32102, 32285

Error, if the name of the connection server for transferring data to the One Identity Manager History Database contains special characters.


When a connection server is created, data transfer to a One Identity Manager History Database fails if the is_rpc_out_enabled option is not set.


Transaction scope of the DBQueue Processor's HDB-K-ProcessGroup task is too big.


In certain circumstances, not all elements are indexed in the search index.


In the search index, the change date is set even though a table is not indexed in a run.


In certain circumstances, table relations are incorrectly identified as errors in the consistency check.


The _Old suffix causes errors during bulk updating of column names.


Internal temporary table for determining historical data for reports is created with the wrong sort order.


In certain circumstances, an error occurs in the QBM_PDBQueueProcess_Del procedure.


Blocked slots are reset too frequently.


In certain circumstances in the DBTransporterCMD.exe command line program, single user mode is not exited.


Insufficient references in certain scripts.


An error occurs in a date field if a value larger than 31.12.9998 is entered.


Incorrect sorting of date values in the Manager if English (USA) is set as the language.


ObjectWalker does not work with dynamic foreign keys in a Data Import script.


Input of dates in reports does not support every date format.


When a report is translated, the description is not translated.


Processes are sporadically not generated from schedules.


The Table with XOrigin (XIsInEffect) without update handling consistency check does not take automatically generated triggers into account.


Results of a SQL query in the Object Browser cannot be marked with Ctrl + A anymore.


If the time difference to UTC for a timezone changes, the mean time difference to UTC for the states in this timezone is not updated.


Export definitions for data export are not saved in the user configuration and are therefore not available after the Manager has been restarted.


Table 6: General web applications

Resolved issue

Issue ID

Information about the password strength is not displayed in the respective language in the Password Reset Portal.


In the Web Portal, you can sort by columns with hidden content.


In the Web Portal, the Back button on the Pending attestations page only works if there are no attestations.


In the Web Portal, on the Pending attestations page, an error occurs when you click the Business roles tile.


If an auditor in the Web Portal searches through requests (Requests | Auditing | Request), not all the results are found.


In the Web Portal, selecting an employee for a new request can take a long time.


In certain circumstances, an error occurs if you try to display a request template in the Web Portal.


An error occurs when an approver in the Web Portal adds an item to another employee's request and sends the request.


In the Web Portal, an error occurs if an empty grouped table is exported as a PDF.


In the Web Portal, if you download a file with Internet Explorer 11 whose name contains non-ASCII characters, an incorrect file name is suggested for the file.


If an error alert is displayed in the Web Portal and you try to close it using the Escape key, the underlying dialog is closed instead of just the error alert.


In the Web Portal, an error occurs if a product request is displayed that is not assigned to an IT Shop.


In the Web Portal, if a direct assignment of an SAP role to an SAP user account is removed, the associated entry in SAPUserInSAPRole is not deleted.


In the Web Portal, requests to be approved can be selected in a list. In certain circumstances, the selection goes missing when you swap to the other side of the list.


Use of the | character in the password of the SQL user who is used to install a web application causes an error.


In the Web Designer, an error occurs if a project is compiled that contains a combobox node that is not iterated.


In the Web Designer, some Web SQL functions cannot be used in conditions in column lists.


The Web Designer's GetDataState function does not work and returns a value of false even if columns have changed.


Bad performance of the pre-defined Webportal.VI_ITShop_ProductSelection.AccProductStatusForPerson SQL statement.


In Web Designer, if you add a column of XdateInserted or XdateUpdated type to a table, the filter function for the column does not work in the Web Portal.


In the Manager web application, an error occurs displaying rule violations.


In the Web Designer, memory usage increases when working on module extensions.


Table 7: Target system connection

Resolved issue

Issue ID

In the synchronization log, objects that are marked as outstanding are not logged.


Objects with a combined primary key with a value of timestamp cannot be reloaded.


The native database connector executes the configured processing method of a synchronization step only for the first object of the object class although several objects need to be processed. This happens if a pattern-based strategy is defined for the data operation.


When you close a synchronization project, the password for logging in to the target system is saved incorrectly if it contains the dollar ($) character.

32226, 32311

Error updating the schema from a CSV file if the file has not been declared in the system connection wizard.


Special characters are not masked correctly in custom project templates.


Error during synchronization: The connection does not support MultipleActiveResultSets.


The IsSecret and IsSystemVariable properties of the DefaultUserPassword variable are not all correctly set in the synchronization project.

Patches with patch IDs VPR#32781_SCIM, VPR#32781_EBS, VPR#32781_NDO are available for synchronization projects.


Error adding memberships in the UNSAccountBInUNSGroupB table in the target system browser although the objects are within the scope.


Error testing the connection to the cloud application in the system connection wizards if there is no authentication endpoint given.


If an error occurs loading the object list, the SCIM connector returns an empty list as successfully loaded. The error only occurs in One Identity Manager version 7.1.x and 8.0.x.


Error serializing complex properties from schema extensions in synchronization projects with the SCIM connector.


The SCIM connector uses the wrong media type for POST queries in the HTTP header. The data are swapped around.


The provisioning process for a cloud application's user accounts returns the wrong data for loading the objects.


Error provisioning group memberships if the SCIM connector uses PATCH queries.


Provisioning of deleted group memberships does not work under certain conditions.


Changes to values of multi-valued schema properties are not correctly mapped in PUT queries.


The User.address~primary schema property is set to True even if no address data is given.

A patch with the patch ID VPR#32754 is available for synchronization projects.


If a container is deleted from an Active Directory user account, verification of the object properties fails after provisioning.

A patch with the patch ID VPR#32258 is available for synchronization projects.


If an Active Directory object that already has the SAMAccountName exists in another container in Active Directory, an error occurs.


Error during synchronization if accessing special properties of Active Directory objects using a DirectoryEntry object's extension method.


Active Directory account policies that are assigned through Active Directory groups are not taken into account for Active Directory user accounts.


In the Manager, some assignment forms for Active Directory objects can be opened with multi-select.


In the Manager, the Change master data form (FormADSAccountMasterData) does not show changes to the Dial-up permitted property for Active Directory user accounts (ADSAccount.AllowDialI).


The Active Roles connector does not support the function level for Windows Server 2016 domains.

A patch with the patch ID VPR#32844 is available for synchronization projects.


The edsaWTSUserConfigInheritInitialProgram property in the User mapping is negated. This behavior is no longer required.

A patch with the patch ID VPR#32871 is available for synchronization projects.


Problems connecting to Microsoft Exchange Server 2016 if using SSL.


The ThrottlingPolicy property is not loaded for Microsoft Exchange mailboxes.


The Notes connector returns the wrong value for AdminRequest.Type.


Error provisioning Notes user accounts if the user account's certificate has been changed.


The process for locking Notes user accounts does not work correctly.


The system connection to SAP R/3 cannot be established if the synchronization user’s password contains dollar ($) characters.


Parameters used to call a BAPI function to delete an SAP object are incorrectly populated.


SAPTitle.DistinguishedName is not unique.

SAPTitle.DistinguishedName and SAPTitle.CanonicalName have been extended by the language code of the title. This makes the entries unique, even if several languages are maintained in the SAP system.

A patch with the patch ID VPR#32584 is available for synchronization projects.


If SAP user accounts marked for deletion are reset, the associated SAPUserInSAPRole entries remain marked for deletion and are not reset.


The IsSecret and IsSystemVariable properties of the TempUserPassword variable are not all correctly set in the synchronization project.

A patch with the patch ID VPR#32781_SAP is available for synchronization projects.


If Oracle E-Business Suite editions are used, the Oracle E-Business Suite connector accesses the wrong data sets.

A patch with the patch ID VPR#30464 is available for synchronization projects.


During synchronization, an invalid entitlement assignment is not re-enabled if it exists in Oracle E-Business Suite as a valid assignment. EBSUserInResp.XOrigin retains the value 16.


When assigning account definitions to employees, process steps are not handled correctly anymore afterward. The status of the process step, to test whether a user account exists, is not set correctly in the JobQueue. The user account is created anyway. Subsequent processing of downstream tasks is blocked for the affected employee.


On the form for defining search criteria for employee assignment, the allocated base object’s UID is displayed instead of the user account’s UID. This happens if the display pattern for the user account table is made up of several columns.


On the form for defining search criteria for employee assignment, employees' display names are not correctly formatted.


In the Manager, custom columns of Datetime type are not displayed with the desired alternative column identifier for custom target systems.


Checking for the existence of target system objects fails if there are several mappings.


Table 8: Identity and Access Governance

Resolved issue

Issue ID

If E-Business Suite permissions assignments to user accounts are attested and automatic removal of permissions is configured, denied assignments are not deleted.


The condition for viewing the AttestationCase table of the VI_4_ALLUSER permissions group does not allow closed attestation cases to be displayed if the currently logged in user was involved.


Automatic removal of permissions after attestation is denied does not take into account whether the assignment is already marked for deletion or not.


Notifications from questions about an attestation case are sent to the wrong employee.


Error adding attestation cases.


Error automatically removing E-Business Suite entitlement assignments after attestation has been denied.


After the second step in an attestation case approval workflow, no more mail notifications are sent.


In certain circumstances, an employee can make an approval decision for a request that was questioned.


If an additional approver was assigned to an approval step, the chief approval team’s approval decision has no effect.


The QER_ZITShopOrderAbort procedure uses the wrong cancellation method.


If an approver makes approval decisions for several requests because they are delegated, the delegator is only informed the first time.


In certain circumstances, despite the QER | ITShop | DeleteClosed configuration parameter being set, not all columns that are marked to be logged on deletion are logged.


The consistency check's repair script Requested products that are not assigned generates missing entries in the PersonInITShopOrg table with the wrong value for XOrigin.


Under certain circumstances, when determining a request's approver, a fallback approver is not found although there is no regular approver.


The Replace method is not available for requests with Renewal status.


In certain reports about employees, the time period for assignments is not calculated correctly.


Performance problems calculating system role assignment to business roles and organizations.


In the Manager, employees are shown on the Subscribable report overview form that do not subscribe to that report anymore.


If a simple report is generated in CSV format, Display values about FK relations are not displayed properly.


In certain reports about employees, the time period for assignments is not calculated correctly.


Error calculating time periods for memberships in reports with historical data.


The GenProcID in requests is emptied too quickly if an approved request's validity period is in the future.


If, in the permissions editor for SAP functions, the Add by task is run and One Identity Manager is running over an application server, the Manager freezes.


Table 9: IT Service Management

Resolved issue

Issue ID

In the Manager, the Help desk employee option on an employee’s master data form, is not displayed correctly if you swap between employees.


In the Manager, diverse master data are missing on the PC and server master data forms.


Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 10: General known issues
Known Issue

Issue ID

If you connect to a database with the Database Compiler, the task QBM-K-CommonWaitForCompiler is immediately queued in the DBQueue. If Database Compiler ends without compiling the database, the task remains in the DBQueue.

23049, 24713

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as SQL query and use aliases for the affected columns.


Errors may occur if the Web Installer is started in several instances at the same time.


Header text in reports saved as CSV are not given their correct names.


Number of ParamName/ParamValue parameter pairs in the MailComponent's SendRichMail process task is not always sufficient.

10 parameter pairs are available by default. If this number is not sufficient, you can add additional custom process parameters, which Process Editor can then use as parameters. This function is available as of One Identity Manager version 7.0.


In certain circumstances, objects can be in an inconsistent state after simulation in the Manager. If an object is changed or saved during simulation and the simulation is finished, the object remains in the final simulated state. It may not be possible to save other modifications to this object instance.

Solution: Reload the object after completing simulation.


Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.


Schema extensions on a database view of type View (for example, Department) with a foreign key relation to a base table column (for example, BaseTree) or a database view of type View are not permitted.


Error connecting through an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.


If a One Identity Manager database is operating in a cluster, the database is restored from a backup after a cluster failover. A new database ID is created in the process. This step can no longer be skipped; otherwise, the database cannot be compiled.


Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in the One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality of the system.

The definition of a view that uses the XObjectKey as primary key is not permitted and would cause further errors in many other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.


The default setting of globallog.config assumes that write access exists for %localappdata%. If an EXE does not have sufficient permissions, the log can be written to a directory that does have the access rights by changing the variable logBaseDir in the globallog.config or by introducing a special log configuration in the *.exe.config or the Web.config file.


The One Identity Manager Service only logs messages in the event log Application, by default.

Cause: To add an event log with another name, you require administrator permissions on the Job server.


Solution:

  1. Manually add the file that the One Identity Manager Service should write to on the Job server. You can use Windows PowerShell, for example, to do this.

    1. Run Windows PowerShell as administrator on the Job server.

    2. Run the following CmdLet:

      New-EventLog -Source "Foobar" -LogName "<file name>"

  2. Enter this file name in the One Identity Manager Service's configuration file as the name for the event log in the module Logwriter.

  3. Restart the computer.

  4. Restart the One Identity Manager Service.


The configuration parameter QER | ITShop | LimitOfNodeCheck specifies how many product nodes are deleted in one DBQueue Processor run if large numbers of products in the IT Shop are deleted through automatic processes. By default, 500 objects are processed in one run. Set the value lower if there are performance problems while executing the task QER-K-OrgAutoChild.


Outstanding objects are ignored by inheritance calculation. This means, all memberships and assignments remain intact until the outstanding objects have been processed.

Start target system synchronization to do this.


If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the servers is done by distributed transaction.

If a save transaction is carried out, the following error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.


Read Only type tables with Common Table Expressions (CTE) in the ViewAddOn are not added in the schema.

As of One Identity Manager 7.0, the behavior of CTEs with the with keyword as condition for view definitions in database views of Read only type has changed. The conditions for view definitions are embedded in a summary query. This means you cannot be sure that a common table expression is the very first expression in a query.

Possible error message:

    (execute slot single)
    50000 0 re-throw in Procedure QBM_ZViewBuildR, Line 10
    50000 0 rethrow in Procedure QBM_PViewBuildR_intern, Line 102
    50000 0 re-throw in Procedure QBM_PViewBuildR_intern, Line 82
    50000 0 re-throw in Procedure QBM_PViewBuild_FromAddOn, Line 65
    50000 0 re-throw in Procedure QBM_PSQLCreate, Line 26
    156 0 detected in (...) Procedure ..., Line 6
    156 0 Incorrect syntax near the keyword 'with'

Recommended action:

  1. Create a database view using Common Table Expressions.


    create view CCC_Vxy as
    with myWithClause (column1, column2) as (
        select 1 as column1, 2 as column2
    )
    select * from myWithClause


  2. Use the database view in the additional view definition (QBMViewAddon) of Read only type database views.

    select * from CCC_Vxy


If no date is given, the date 12/30/1899 is used internally. Take this into account when values are compared, for example, when used in reports.


Table 11: General web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.


An empty page is displayed in the Internet Explorer if the Operations Support Web Portal is opened with the URL.

The Operations Support Web Portal is supposed to be run on an intranet site and the setting Display intranet sites in Compatibility View is set on the web server.

Solution: Extend the section <system.webServer> in the Web Portal's configuration file (web.config). Add an entry for the compatibility mode.

    <add name="X-UA-Compatible" value="IE=11" />

Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.


It is not possible to log out of the Web Portal using OAuth 2.0/OpenID Connect because the browser is redirected to the wrong address.

Cause: If, in the configuration parameter QER | Person | OAuthAuthenticator | LogoutEndpoint, a URL without a parameter is given, the logout parameters are appended to the URL in the configuration parameter in a format incompatible with the browser.

Solution: Add a dummy parameter to the URL in the configuration parameter, for example, instead of http://localhost/IdentityManager/logout use the value http://localhost/IdentityManager/logout?from=logout.


If the Password Reset Portal connects through the application server, the validity of a password is not tested until it is saved. The test script, invalid name components and the password history are not taken into account in the client-side test. A server-side test is done when the password is saved. Therefore, errors are not shown until the password is saved.


Table 12: Target system connection
Known Issue

Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.


After synchronizing an SAP R/3 environment, assignments of single roles to SAP user accounts are labeled as pending.

This problem can occur if:

  • SAP role assignments to user accounts were loaded in the One Identity Manager database before installing One Identity Manager 7.0.1

  • Single role assignments, which are included in collective roles, were mapped as direct assignments (Error ID 3218196)

Because this problem was resolved in One Identity Manager 7.0.1, incorrect assignments are labeled as pending after synchronizing again using the appropriate synchronization configuration.

Solution: Delete pending assignments in One Identity Manager target system synchronization.


By default, the HR_ENTRY_DATE building block of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the HR_ENTRY_DATE building block remotely in your SAP HCM system. Create a mapping for the EntryDate schema property in the Synchronization Editor.


Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses were stored up to now.


Error in IBM Notes connector (Error getting revision of schema type ((Server))).

Probable cause: The IBM Notes environment was rebuilt or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the IBM Notes environment.


The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.

  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.

  • Modify the synchronization configuration as required.


No passwords can be provisioned when the bind method Fast Bind is in use in Active Directory. The SetPassword method is therefore not available.

The AdhocProjection process step fails with the message:

[System.Runtime.InteropServices.COMException] Unknown name. (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))).


Synchronization projects for SAP R/3 that were imported by a transport into a One Identity Manager database, cannot be opened. The problem only occurs if an SAP R/3 synchronization project was not added in the target database before importing the transport package.

Solution: Create and save at least one SAP R/3 synchronization project before you import SAP R/3 synchronization projects into this database with the Database Transporter.


If an Active Directory user account has the property MailNickName, an error occurs when the mailbox is enabled.

[System.Management.Automation.ActionPreferenceStopException] The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: ExternalEmailAddress is mandatory on MailUser.

Cause: The property MailNickName is mapped in addition in the Active Directory mapping. This causes inconsistencies in the target system from the point the user accounts are added.

A user account of this kind appears in the Microsoft Exchange console as a mail user but without a target email address. An attempt to open this object causes an object corrupted error in Microsoft Exchange.

Solution: Clear up inconsistencies in the affected user accounts in Active Directory and correct your Active Directory mapping.


Error loading single objects with Windows PowerShell if the parameter Identity is used. The error can occur during provisioning of changes made to objects in Microsoft Exchange or Exchange Online, for example, and causes follow-on errors.

Windows PowerShell connector's message: Command yielded <count> objects but only one was expected.

Cause: Multiple objects with the same name exist.


Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will not come into effect until later.

Cause: The function BAPI_EMPLOYEE_GETDATA is always executed with the current date. Therefore, changes are taken into account on the exact day.

Solution: To synchronize personnel data in advance that will not come into effect until later, use a schema extension and load the data from the table PA0001 directly.


Error synchronizing an OpenDJ system if a password begins with an open curly bracket.

Cause: The LDAP server interprets a generated password of the form {<abc>}<def> as a hash value. However, the LDAP server does not allow hashed passwords to be passed.

Solution: The LDAP server can be configured so that a hashed password of the form {<algorithm>}hash can be passed.

  • On the LDAP server: Allow already hashed passwords to be passed.

  • In the synchronization project: Only pass hashed passwords. Use the script properties for mapping schema properties that contain passwords. Create the password's hash value in the script.
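The following is an added example, not code from One Identity Manager or its documentation. It shows why a generated password of the form {<abc>}<def> is read as a pre-encoded value and how a script can build a {<algorithm>}hash value instead. The SSHA512 scheme name, the digest-then-salt layout and the sample password are assumptions; the scheme must match one that is enabled on the LDAP server.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# "{scheme}data" prefix used for pre-encoded userPassword values.
# Assumption: this pattern approximates the server's own check.
_PREFIX = re.compile(r"^\{([^{}]+)\}(.*)$", re.S)


def looks_pre_encoded(value: str) -> bool:
    """True if the value has the form {<abc>}<def> and would be read as a hash."""
    return _PREFIX.match(value) is not None


def ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a cleartext password as {SSHA512}base64(sha512(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, encoded: str) -> bool:
    """Check a cleartext password against a {SSHA512} value (what the server does on bind)."""
    match = _PREFIX.match(encoded)
    if not match or match.group(1).upper() != "SSHA512":
        return False
    raw = base64.b64decode(match.group(2))
    digest, salt = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes, the rest is salt
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    generated = "{x9}Kq!7pW"  # constructed sample: generated password starting with "{"
    print("read as pre-encoded:", looks_pre_encoded(generated))
    encoded = ssha512(generated)
    print("value to provision:", encoded)
    print("verifies:", verify_ssha512(generated, encoded))
```

Passing only values produced this way avoids the ambiguity, because every provisioned value then carries an explicit scheme prefix regardless of what the cleartext begins with.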


If an employee's central password is used as the password for their user accounts, the password is not transferred to the password history of each individual user account. Therefore, reuse of the password cannot be prevented if the password is changed manually later.

Cause: An employee's central password is an encrypted value that can only be entered in the password history when it is assigned to an employee.


  • Only use the employee's central password for the user accounts. Changes to the password are saved in the employee's password history.

    - OR -

  • Only make changes to the passwords directly in the user accounts. This saves the password modifications in the user account's password history.


The Oracle E-Business Suite connector converts data with an unknown data type into strings and tries to write this value to the matching schema property in the One Identity Manager schema.


If there are a large number of LDAP user accounts and LDAP groups in the database, provisioning might take a very long time. A message appears in the StdIO processor log (StdioProcessor.log) during the LDAP user account and LDAP groups update.

DEBUG (SystemObjectData <static>) : Creating SystemObjectData based on entity (%DisplayName% (%cn%)) columns (UID_LDAPAccount, UID_LDAPContainer, UID_LDPDomain, XObjectKey).

TRACE (SchemaElement static) : %DisplayName% (%cn%)@LDAPAccount[].GetValue(vrtScopeParentReference) returns ...

TRACE (SchemaElement static) : %DisplayName% (%cn%)@LDAPAccount[].GetValue(UID_LDAPContainer) returns ...

Cause: No reference scope is defined so that the default scope is used for resolving references. This causes too much data to be loaded from the database.

Solution: Define an empty reference scope. This means that scopes are not calculated when references are resolved, which noticeably improves performance with larger amounts of data.


Inconsistencies in SharePoint can cause errors when a property is simply accessed. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.


  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.


If date fields in an SAP R/3 environment contain values that are not in a valid date or time format, the SAP connector cannot read these values because type conversion fails.

Solution: Clean up the data.

Workaround: Type conversion can be disabled. For this, SAP .Net Connector for .Net 4.0 on x64, version or later must be installed on the synchronization server.

IMPORTANT: The solution should only be used if there is no alternative because the workaround skips date and time validation entirely.

To disable type conversion

  • In the StdioProcessor.exe.config file, add the following settings.
    • In the existing <configSections>:

      <sectionGroup name="SAP.Middleware.Connector">
        <section name="GeneralSettings" type="SAP.Middleware.Connector.RfcGeneralConfiguration, sapnco, Version=, Culture=neutral, PublicKeyToken=50436dca5c7f7d23" />
      </sectionGroup>

    • In the new section:

      <SAP.Middleware.Connector>
        <GeneralSettings anyDateTimeValueAllowed="true" />
      </SAP.Middleware.Connector>



The file specified in the OutputFile parameter of the PowershellComponentNet4 process component contains no error messages.


No messages are collected in the file (parameter OutputFile). The file serves as an export file for objects returned in the pipeline.


Messages in the script can be output to a file specified in the script by using the *> operator.


Write-Warning "I am a message" *> "messages.txt"

Furthermore, messages that are generated using Write-Warning are also written to the One Identity Manager Service log file. If you want to force a stop on error in the script, throw an exception. This message then appears in the One Identity Manager Service's log file.


Although the TargetSystem | SAPR3 | ValidDateHandling | ReuseInheritedDate | UseTodayForInheritedValidFrom configuration parameter is set and the TargetSystem | SAPR3 | ValidDateHandling | DoNotUsePWODate is not set, the assignment date is not set as the first day of the validity period in assignments of SAP roles to SAP user accounts. This behavior occurs if a Valid until date is given for a request but no Valid from date.


Table 13: Identity and Access Governance
Known Issue Issue ID

Moving a shelf to another shop and the recalculation tasks associated with it can block the DBQueue.


Parent IT Shop nodes of shelves and shops cannot be changed once they have been saved.

To move a product in a shelf to another shop

  • Select the task Move to another shelf.

    - OR -

  • Assign the product to a shelf in the new shop then remove the product assignment to the previous shelf.

Once you have moved all the products, you can delete the shelf.


During approval of a request with self-service, the Granted event of the approval step is not triggered. In custom processes, you can use the OrderGranted event instead.


Table 14: Third party contributions
Known Issue Issue ID

An error can occur during synchronization of SharePoint websites under SharePoint 2010. The method SPWeb.FirstUniqueRoleDefinitionWeb() triggers an ArgumentException. For more information, see


Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers for security reasons.


An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.


Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see


Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.


Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016 : KB4462928

  • Windows Server 2012 R2 : KB4462926, KB4462921

  • Windows Server 2008 R2 : KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may degrade performance when Active Directory groups are provisioned and will be removed from One Identity Manager in future once Microsoft has resolved the problem.


When connecting an external web service using the web service integration wizard, the web service supplies the data in a WSDL file. This data is converted into Visual Basic .NET code with the Microsoft WSDL tools. If, in code generated in this way, default data types are overwritten (for example, if the boolean data type is redefined), it can lead to various problems in One Identity Manager.


In certain Active Directory/Microsoft Exchange topologies, the Set-Mailbox Cmdlet fails with the following error:

Error on proxy command 'Set-Mailbox...'

The operation couldn't be performed because object '...' couldn't be found on '...'.

For more information, see

Possible workarounds:

  • Connect to the Microsoft Exchange server that the user mailbox is on. Use a custom process to do this. Use the OverrideVariables parameter (ProjectorComponent process component) to overwrite the server (CP_ExchangeServerFqdn variable).

  • Because this problem only occurs with a few schema properties, you should consider protecting these schema properties in the synchronization project against write operations. You can set the schema properties in a custom process using the PowershellComponentNet4 process component through a user-defined Windows PowerShell call.

