Release Notes
January 2018
These release notes provide information about the One Identity Manager release. For changes to the Web Designer and the Web Portal since the last version, see the document "Web Designer and Web Portal Changes".
The documentation is available in both English and German. The following documents are only available in English:
Synchronization template modifications
Upgrade and installation instructions
One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives the company control over identity management and access decisions while the IT team can focus on its core competence.
With this product, you can:
Every one of these scenario-specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.
One Identity Manager 8.0 is a major release with enhanced features and functionality. See Features and Enhancements.
New features in One Identity Manager 8.0:
Cyclical checking of authentication for existing connections.
The system runs validity checks for open connections to prevent users from working with existing connections if they have been deactivated after they logged in. The check is carried out by the next permissions-based action on the connection after a configurable interval of 20 minutes. The interval is defined in the configuration parameter "Common\Authentication\CheckInterval".
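To illustrate the cyclical check described above, here is an added Python model (not One Identity Manager code) of a session whose permissions-based actions re-validate the account against the user store once the configured interval has elapsed; the class and function names are assumptions, and the 20-minute default mirrors the configuration parameter "Common\Authentication\CheckInterval" named above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for the configuration parameter
# "Common\Authentication\CheckInterval" (default: 20 minutes).
CHECK_INTERVAL = timedelta(minutes=20)


@dataclass
class UserStore:
    """Hypothetical user directory: tracks which accounts are still active."""
    active: set = field(default_factory=set)

    def is_active(self, user: str) -> bool:
        return user in self.active

    def deactivate(self, user: str) -> None:
        self.active.discard(user)


@dataclass
class Session:
    """An open connection. The account is re-checked lazily: on the first
    permissions-based action after CHECK_INTERVAL has elapsed."""
    user: str
    store: UserStore
    last_check: datetime
    revoked: bool = False

    def authorize(self, action: str, now: datetime) -> bool:
        """Return True if `action` may proceed on this connection at time `now`."""
        if self.revoked:
            return False
        if now - self.last_check >= CHECK_INTERVAL:
            # Interval elapsed: validate the account before honoring the action.
            self.last_check = now
            if not self.store.is_active(self.user):
                self.revoked = True
                return False
        return True


def simulate_deactivation_window() -> list:
    """Constructed scenario: login at t0, account deactivated shortly after,
    actions at t0 + 10, 25 and 30 minutes. Shows that the deactivation is
    only enforced once the check interval has elapsed (here: at +25 min)."""
    t0 = datetime(2018, 1, 15, 9, 0)
    store = UserStore(active={"alice"})
    session = Session(user="alice", store=store, last_check=t0)
    # Conceptually at t0 + 5 min; no action is attempted before then.
    store.deactivate("alice")
    results = []
    for minutes in (10, 25, 30):
        results.append(session.authorize("read", t0 + timedelta(minutes=minutes)))
    return results  # [True, False, False]
```

The first action still succeeds because the 20-minute interval has not yet passed; shortening the interval narrows that window at the cost of more frequent lookups.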
Support for password policies in One Identity Manager. You can implement password policies, for example, for system user passwords, the employees' central password as well as passwords for individual target systems. Password policies apply not only when the user enters a password but also when random passwords are generated.
A default password policy is supplied that protects the password for system users and employee-based authentication modules. Other predefined password policies are also supplied.
Support for expired passwords.
The user is advised that their password is about to expire and can change the password if necessary. In the case of employee-based authentication modules, the system sends reminder emails starting from 7 days before the password's expiry date. You can configure the time in days in the configuration parameter "Common\Authentication\DialogUserPasswordReminder". The emails are triggered by a schedule and use the mail template "Employee - system user password expires".
To prevent the passwords of certain system users from expiring, you can mark these system users so that their passwords never expire.
Support for password history.
Failed login attempts are logged.
Support for load balancing of all SQL processes.
A new server function "SQL processing server" is available. The server can execute SQL tasks. Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.
Improved identification of the server for automatic software updating.
A new server function "Update server" is available. This server executes automatic software updating of all other servers. The server requires a direct connection to the database server that the One Identity Manager database is installed on.
The server installed with the One Identity Manager database is labeled with this function during initial installation of the schema.
Preparing data for faster cross-table searching.
The values for columns can be prepared for faster cross-table searching. Searching for single values in MVP columns is supported.
The functionality can be used for finding a unique central user account, for example, or a unique default email address for an employee. Columns in the default installation, which are taken into account when mapping the central user account or an email address, are labeled accordingly.
The configuration of initial data for LDAP authentication modules is done with the configuration parameters "TargetSystem\LDAP\Authentication", "TargetSystem\LDAP\Authentication\Authentication", "TargetSystem\LDAP\Authentication\Port", "TargetSystem\LDAP\Authentication\RootDN" and "TargetSystem\LDAP\Authentication\Server".
The initial configuration data for existing installations remains valid and is used as a fallback.
New Password Reset Portal.
The Password Reset Portal allows users to reset passwords of the user accounts they manage, securely. Users can navigate from the Web Portal directly to the Password Reset Portal.
To utilize the Password Reset Portal, it must be installed as a dedicated web application. The required security is guaranteed by Starling Two-Factor Authentication.
New Operations Support Web Portal.
The Operations Support Web Portal supports help desk users with their tasks in One Identity Manager. You can use the Operations Support Web Portal to create passcodes, display DBQueue and Job queue entries for specific objects, show process steps and restart them if necessary, and monitor processing performance.
To utilize the Operations Support Web Portal, it must be installed as a dedicated web application. A new application role Base roles | Operations support is provided for use with the Operations Support Web Portal. The required security is guaranteed by Starling Two-Factor Authentication.
Support for the Starling 2FA App for multi-factor authentication.
In addition to the login, a further access control (multi-factor authentication) can be configured.
Changed data values are marked.
Processes triggered by users are displayed.
Users specify whether diagrams are permanently hidden.
Owners of departments, locations and cost centers can also manage child objects.
A product can be unsubscribed for several people at the same time, also for multi-requestable/unsubscribable resources.
Users can temporarily switch to another language.
Custom configuration settings for a given web project can be managed in a central overview.
Support for SharePoint Online as target system. The key aspects are the mapping of user accounts, groups, site collections, sites, roles and role assignments. The SharePoint Online connector and a default project template are installed.
Mapping remote mailboxes for Exchange hybrid support. The mapping for remote mailboxes is part of the Microsoft Exchange project template. Remote mailboxes are synchronized using the Microsoft Exchange connector.
The member filter's excluded lists for the target system Microsoft Exchange have been altered in connection with Exchange hybrid support.
A patch for synchronization projects with the patch ID VPR#28904 is available.
The way the Microsoft Exchange version is determined has been changed. The schema property ObjectVersion is used to determine the version.
A patch for synchronization projects with the patch ID VPR#27447 is available.
The Microsoft Exchange connector now supports connections through HTTPS.
NOTE: Microsoft Exchange does not support this type of connection by default. You must configure support for HTTPS in your Microsoft Exchange.
Introduction of a revision filter for Microsoft Exchange.
Microsoft Exchange synchronization has been changed as follows to support customer environments with large numbers of objects:
Automatic dependency resolution of the synchronization workflow's steps has been disabled, which has reduced the number of synchronization steps.
Due to this, reference objects arise in the synchronization buffer (DPRAttachedDataStore) during synchronization, possibly only temporarily, and are resolved afterward by a maintenance step. This happens exclusively on the One Identity Manager side and therefore requires no further access to the Microsoft Exchange infrastructure.
IMPORTANT: The revision algorithm can only be enabled in synchronization projects created with version 8.0. If usage of revisions is activated in old 7.x synchronization projects, modifications made directly in Microsoft Exchange are not necessarily recognized.
NOTE: Due to the complexity of the changes, existing synchronization projects are not automatically converted by using the patch. You can, however, continue to use existing synchronization projects (from 7.x installations) unchanged until the next major release because the schema is compatible. The properties of the old "mailbox" schema type that have been transferred to the new schema types named above are marked as obsolete in the "mailbox" type. This does not, however, have any effect on the functionality. These properties will certainly be removed in the next major release. Even if your 7.x synchronization projects are compatible, it is recommended that you recreate the synchronization project using the synchronization project template implemented in version 8.0.
Introduction of a revision filter for Exchange Online.
Exchange Online synchronization has been changed as follows to support customer environments with large numbers of objects:
The schema type "Mailbox" has been divided into the following types:
The synchronization steps for CalendarProcessingSettings_UserShared and MailboxStatistics_RoomEquipment are disabled by default. Calendar processing settings for user mailboxes (CalendarProcessingSettings_UserShared) are not usually relevant but can be queried by the appropriate commands. The same is valid for status information (for example, the number of emails, last login) from room and equipment mailboxes (MailboxStatistics_RoomEquipment). The steps in the workflow "Initial Synchronization" can be enabled at any time if required. However, this can cause a noticeable increase in the runtime.
IMPORTANT: The revision algorithm can only be enabled in synchronization projects created with version 8.0. If usage of revisions is activated in old 7.x synchronization projects, modifications made directly in Exchange Online are not necessarily recognized.
NOTE: Due to the complexity of the changes, existing synchronization projects are not automatically converted by using the patch. You can, however, continue to use existing synchronization projects (from 7.1.2 installations) unchanged until the next major release because the schema is compatible. The properties of the old "mailbox" schema type that have been transferred to the new schema types named above are marked as obsolete in the "mailbox" type. This does not, however, have any effect on the functionality. These properties will certainly be removed in the next major release. Even if your 7.1.2 synchronization projects are compatible, it is recommended that you recreate the synchronization project using the synchronization project template implemented in version 8.0.
The LDAP connector supports connections at rootDSE level.
The LDAP connector provides information about object class hierarchy.
The Windows PowerShell connector supports SecureString parameters.
A ConversionMethod can now be entered in the SetParameter definition. Currently, ConversionMethod="ToSecureString" is supported. This allows connection parameters to be passed securely.
Synchronization workflows can be copied.
Start-up configurations can be grouped. The behavior for simultaneous start-up within a group can be defined.
The delay between retries is specified in the configuration parameter "Common\Jobservice\RedoDelayMinutes".
New schema class type "Unique Objects" for creating unique objects to simplify the import of multiple object types from a single source such as a CSV file or a database table.
Introduction and versioning of approval workflows for IT Shop requests and attestations.
The configuration parameters "QER\Attestation\OnWorkflowAssign" and "QER\Attestation\OnWorkflowUpdate" specify whether pending attestations are reset when the approval workflow is changed.
NOTE: If you have set up your own approval procedures and have used properties from approval steps in your queries for finding approvers, modify these queries as follows: if you have referenced the table PWODecisionStep over the column UID_PWODecisionStep until now, change this reference to the column UID_QERWorkingStep in the table QERWorkingStep.
The following is a list of enhancements implemented in One Identity Manager 8.0.
Enhancement | Issue ID
---|---
An employee's main identity can now be used for authentication with the authentication module "Person". | 27863, 3962834
Improved performance in the DBQueue Processor. | 27284, 28522, 28569, 27675, 4064153
Labeling of DBQueue Processor tasks for load limiting. Limits for changes within an operation are configured in the configuration parameters "QBM\DBQueue\ChangeLimitMin" and "QBM\DBQueue\ChangeLimitMax". | 12081
Dynamically determining statistics under Oracle Database. This is configured in the configuration parameter "QBM\DBQueue\OptimizerDynamicSampling". | 28004
Tasks that require a connection to the application server are displayed in the Launchpad. | 26864
Instead of only offering access to single values, an entity (and therefore all its values) accessed by FKs can now be returned through the IEntityWalker. | 27105
Improved configuration options for importing transports with change labels. | 26557
Improved monitoring of the entire Job queue in Job Queue Info. | 26785
Improved identification of database staging levels by modifying colors in the status bar in all front-ends. | 27148
Columns with a list of permitted values can be added to the full text search. | 27469, 667442
Pending changes are now displayed in the Manager. | 26340
Favorites can be removed in the Manager using the context menu. | 27043
Improved display of the permissions group hierarchy in the User & Permissions Group Editor. | 26956, 28195, 4054136
The Language Editor now displays the languages available in the front-end as optional languages for translation. | 28359
Clarified error message [810025] User accounts: Write permission denied. | 28587, 4087337
Improved update behavior for the One Identity Manager Service automatic software update. | 28650
Improved error logging in the process component "FileComponent". | 28656, 4093596
Minimum process query interval set to 10 seconds for the Job service. | 27112, 3867374
Multiple One Identity Manager Service instances can be installed on one server using the One Identity Manager Installation Wizards and the Server Installer. The different installation directories are numbered sequentially. | 27231, 3965347
Out-Parameters are shown in the process history. | 27237
The SQL Editor in the Designer and the Object Browser support auto-completion. | 27688
The Script Editor in the Designer supports auto-completion for configuration parameters. | 27422
Improved sorting by column in the Schema Editor in the Designer. | 27482
Improved representation of result lists in the SQL Editor in the Designer and the Object Browser. | 27445
Improved display of base data in the Designer. | 28246
Customizations to default processes and default tables are displayed in the Designer. | 28230
Hidden parameters are displayed by a new program function in the Job Queue Info. To use this function, assign the respective permissions groups to the program function "JobQueue_ShowHiddenParameters". | 27665, 3975588
The columns that trigger templates can be displayed in the Designer. | 27852
Improved generation of indexes. | 27921, 3988910
Extended functions for editing change labels in the Manager and the Designer. The sort order of the changes can be modified. You can search inside the change labels. The change label's XML data can be edited. | 26894
Improved transporting by change label. | 28011
The syntax check for preprocessor conditions now takes place on saving. | 28021, 4053085
Improved the Software Loader to prevent error conditions. | 28158, 4051728
Custom events can now be added to default processes in the Designer. | 28231
IT Shop tags can be transported. | 28418, 4085515, 4085518
The generic form "VI_Generic_MasterData" supports the definition of bit masks. | 28536
Improved representation of schema table extensions in the Web Designer. | 26980, 3705851
Improved definition of indexes in the Schema Extension program. | 28598, 4064153
Optimized the Database Transporter to prevent deadlocks when transporting schema extensions. | 28603, 4107215
Data modifications are no longer possible in the One Identity Manager database when triggers are disabled. | 28610, 4107215
Improved re-enabling of triggers and constraints. | 28637, 4107215, 4109588
The System Debugger differentiates between system scripts and custom scripts when exporting. | 27667
The System Debugger can be used to upload templates, formatting scripts, table scripts and method definitions. | 27918
Language culture codes can now be used in #LD notation in scripts. | 28852
The configuration parameter "Common\ProcessState\ProgressView\WaitInJobChain" has been deleted. Customized usage might require modification. | 27870
Enhancement | Issue ID
---|---
The authentication module setting installed in the Web Portal and the Web Designer is limited to authentication modules that are not capable of SSO. | 20870, 690405
Certain CSS outlines are only shown in accessibility mode for visual reasons. | 655773
The component VI_Edit_MultiValueProperty for entering multi-value properties has been reworked. | 26254, 657785
The views "Object state" and "Solution" have been merged. | 24475, 673888
The special definition of Hyper Views has been removed from the Web Portal code. The view is now generated exclusively from the content of the table DialogTree. | 674809, 692057
The Master/Detail control supports low resolutions better. | 673729
The visual representation of read-only properties has been reworked. | 676883
The visual representation of the heatmap has been reworked. | 677380, 677385
Edit functions in the component VI_Roles_RolesAndEntitlements have been moved to the ObjectSheet component. | 25974, 677572
A switch for controlling object-dependent references has been added. | 25841, 677573
Some unused images have been removed from the WebDesigner.ImageLibrary.dll. | 677574
Code branches for desktop and mobile views have been standardized in the form templates. | 678334
The old data model for configuring search fields has been removed because the search index can be used instead. | 27088, 678805
The Web Portal login page has been adapted for low resolutions. | 678828
Some Web Portal functions cannot be used sensibly on smartphones. In these cases, an appropriate message is displayed. | 715853
Option for automatically deriving a grid's list view from the grid definition. | 692572
The new composition API is available for use over .NET. | 681359
A list view optimized for smartphones can be defined for a grid in addition to a table-based view. | 691223
There is an option for always displaying a grid as a list view. | 692352
Processing of an employee's data is centralized in the component VI_Common_ObjectSheet_Person. | 693277
Some properties, node types and values are marked as "obsolete". | 693528
Optional condition for the grid that determines whether row selection is enabled for a specific row. | 693632
Validator conditions can be defined in the control tree. | 694767
The captcha is automatically updated after incorrect input. | 27671, 694770
The compiler checks object-dependent links for ambiguity and generates an error message. | 694783
The compiler checks whether an element's identifier starts with the correct module prefix. | 695006
Option for hiding a grid column in the automatically generated list view. | 695200
"Create interactive entities" is disabled for new objects. | 25800, 695769
The timeout for a Web Designer module's inactivity can be configured globally. | 697175
New function "Try to fix compiler messages". | 698451
Forwarding within forms of a form component is now possible. | 705753
Improved handling of the user configuration (QBMXUser) if a non-employee related authentication module is used. | 706324
In the Master/Detail control, the threshold for switching between vertical and horizontal view has been optimized. | 706509
There is now a property on an extension to disable it. | 710612
Custom controls can be added in the grid control header. | 711465
Improved handling of the control for auto-completion. | 711679
Which button is linked to the ENTER key can be controlled in the component for displaying popups. | 714531
The total number of results is shown in grids. | 715617
Enhancement | Issue ID
---|---
Faster loading of synchronization projects in the Synchronization Editor. | 27555
Diverse optimizations of the synchronization buffer and cache behavior. | 26832, 27662, 27563, 28350, 28576
Improved behavior of the Synchronization Editor when working with encrypted values. The default value of the configuration parameter "DPR\UI\EncryptedValueHandling" has been changed to "IgnoreAll". This means the encryption dialog is not shown when the synchronization project is opened. All encrypted values are ignored by default. | 27274
German display names of property mapping rules and virtual schema properties are converted to English. A patch for synchronization projects with the patch ID VPR#28560 is available. | 28560
Converts connection parameter names and values. A patch for synchronization projects with the patch ID VPR#27769 is available. | 27769
Optimized pre-scripts for generating target system relevant processes. | 28042, 3859791
The domain object SID is determined by Active Directory synchronization. A patch for synchronization projects with the patch ID VPR#27457 is available. | 27457
When Active Directory group memberships are synchronized, the global catalog query for resolving the SID is not carried out. The mapping "group" has been extended with additional virtual schema properties. A patch for synchronization projects with the patch ID VPR#27997 is available. | 27997
Improved mapping of SAP license information for system measurement. A patch for synchronization projects with the patch ID VPR#27289 is available. | 27289
Improved transfer of the validity period for SAP role assignments and memberships in structural profiles. | 26883, 28031, 3677202, 4041294, 4054671
The schema type SAPRCRange has been removed. A patch for synchronization projects with the patch ID VPR#27539 is available. | 27539
An additional tab for passwords is displayed on the Unix user account's master data form. | 27947
Optimized provisioning of object changes for the Universal Cloud Interface interface. A patch for synchronization projects with the patch ID VPR#27371 is available. | 27371
Changed the SCIM interface's property mapping rules for the schema properties "id", "canonical name" and "distinguished name" to the new schema properties added for them in the One Identity Manager schema. A patch for synchronization projects with the patch ID VPR#27860 is available. | 27860
Email notifications can be configured through login data in the case of custom target systems. This is configured in the configuration parameter "TargetSystem\UNS\Accounts\InitialRandomPassword" and its sub-parameters. | 28111
The following configuration parameters have been deleted. When you update One Identity Manager version 7.x to version 8.0, the configuration parameter settings for forming passwords are passed on to the target system specific password policies: configuration parameters for Azure Active Directory, Active Directory, the new Universal Cloud Interface interface, LDAP, IBM Notes, SAP R/3 and Unix. | 28111
The following configuration parameters have been deleted. Customized usage might require modification: configuration parameters for Active Directory, IBM Notes, SAP R/3 and SharePoint. | 28607
Enhancement | Issue ID
---|---
The employee's overview reports have been extended to include additional information about assigned entitlements and sub-identities. | 26847
Reports that provide the number of employees assigned to a department, a cost center or a location have been extended by a grouping by identity type. | 27913
Permitted values for employees' identity types have been extended by the value "Machine identity". | 28324
The company can be set for internal and external employees. | 28573
Employees can be deleted from the database using the procedure QBM_PDeleteDeep. | 27643, 2657573
Improved tooltips in a request's approval sequence. | 28540
The approval history shows whether the approval decision was made based on a delegation. | 27431
Improved performance when loading attestation cases. | 28582, 4100881
Inactive employees are excluded when determining approvers and attestors. | 27815, 4011577
 | 13224
The configuration parameter "QER\Person\CentralPasswordHistoryLength" has been deleted. The value of the configuration parameter is copied to the password policy for the employees' central password. | 28666
The following features are no longer supported with this version of One Identity Manager:
Provider mode, including the associated process component "ObjectTransferComponent".
The One Identity Manager connector can be used for transporting data between One Identity Manager databases. For more detailed information about synchronizing using the One Identity Manager connector, see the One Identity Manager User Guide for the One Identity Manager Connector.
The following functions will be discontinued in later One Identity Manager versions and should no longer be utilized:
© 2021 One Identity LLC. ALL RIGHTS RESERVED.