
Identity Manager 8.0 - Release Notes

Fixes

The following is a list of solved problems in this version.

Table 5: General known issues

Fix Issue ID

Error in the History Database if the Oracle procedure PProcessGroupDelete is called whilst running the process VI_SourceDatabase_Import. 28725, 4113915

New files are not distributed by automatic software update if they were imported by transport into the One Identity Manager database.

27625, 3900149, 4024883
Custom scripts in the script library are automatically overwritten by the automatic software update. 27667, 3896466
The task QBM-K-JobqueueOverviewInvalid is queued too frequently in the DBQueue. 28367, 4064153
It is possible to create new entries in QBMGuidReplace although GUIDReplace is already running. 28432, 4090349
The program Schema Extension is terminated immediately and without prompting, after pressing ESC. 28480, 4087262
The write access of a custom permissions group for a custom column disappears if the permissions group has read access to at least one other regular column. 28481, 4068237
Data Import only reads the first line in a CSV file if the line break only consists of "CR". 28483, 4088573
Different errors adding and editing custom configuration parameters. 28492, 28493, 4071473
Consistency check fails if a foreign key column of a view is added in a simple table. 28497, 4045308, 4080035
Error in the Database Transporter if custom columns of default tables are imported, which do not have the prefix "CCC_". 28524
Error in Manager if changes are logged for the table DialogTag. 28544, 4075754
Error in the script VID_GetRunningOSfromServer. 28565, 4084084
The configuration supplied in the global configuration file (globallog.config) occasionally causes messages to be thrown out of the error log file if there is a high rate of log entries. 28568, 4075429
A previously configured HTTP authentication is not displayed if the program Job Service Configuration is restarted. 28571, 4081445
If a custom translation is deleted in the Manager, the associated entry in the table DialogMultiLanguage is not deleted. 28613, 4100028
If primary keys are changed by migration, this might result in invalid references. 28614, 4079826
Objects exported as a ZIP file from Manager might differ from the same export from the Database Transporter. 28629, 4062338
The configuration parameter "Common\AutoExtendPermissions" also affects custom permissions groups. 28709, 4115806
Single step mode does not work when debugging a database project in the Web Designer. 28347, 3914817

An error message is shown in the transport package description of a package being loaded by the Database Transporter that was created in Manager.

28629, 4062338

Validation script does not work properly when accessing parameter sets in the Report Editor.

28806, 4110991

Passwords of default system users are marked as "expired". This makes it impossible to carry out an installation or to log in with the default system user. Custom system users are not affected.

All new installations and updates of version 8.0 after the 9th December 2017 are affected.

This fix deals with the problem described in the knowledge article under https://support.oneidentity.com/kb/235185.

29170, 4170482-1

Table 6: Target system connection

Fix Issue ID

Error adding computer objects in Active Directory.

28293, 4068230

A system filter in the scope definition is not taken into account when synchronizing an Active Directory domain.

28501, 4093584

If the task Unlock user account is run on an Active Directory user account, the user account remains locked.

28638, 4090604

Error executing the process ADS_ADSDomain_Maintain ADSOtherSID_PostSync for an Active Directory domain managed by Active Roles.

27571, 4075290

Active Roles specific properties of Active Directory objects cannot be edited if there is also an Active Directory synchronization project for the domain.

28589, 4074695

Error in the formatting script for the column LDPDomain.Ident_Domain. 28619, 4099296
Error in the SAP R/3 connector during SNC authentication. 24742, 3253751
If an SAP user account's membership in a single role is deleted in One Identity Manager, the change is not provisioned. 28048, 4096475
An error occurs if all the telephone numbers of an SAP user account are deleted at the same time. 28529, 4073192
If a schema type has several columns marked with IsUniqueKey, only the first one is used to create the prototype object during provisioning. 27584, 4096785

Various errors on the form "Define search criteria for employee assignment".

28547, 4095553

Identification and correction of invalid changes does not work for many-to-many schema types in property mapping rules.

27476, 4102364

Error adding a new mapping with the mapping wizard, which is based on an existing mapping.

28538, 4101927

Error using "$$" in a database user's password if the One Identity Manager database is encrypted.

28556, 4101908

If two synchronizations with the same start up configuration are started at the same time, a synchronization, which is already running, is not always correctly identified.

28673, 4079945

After successful provisioning of memberships, the "outstanding" label must be reset.

A patch for synchronization projects with the patch ID VPR#27304 is available.

27304

Table 7: Identity and Access Governance

Fix Issue ID

If the method CreateITShopOrder is called to transform a membership in hierarchical roles into an assignment request, the Customizer gets stuck in an infinite loop if the base object is loaded as deferred object. 28037, 3997275
The subject in the mail template "Attestation - Approval by mail" uses an invalid column. 28251


Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 8: General known issues
Known Issue Issue ID
If you connect to a database with the Database Compiler, the task "QBM-K-CommonWaitForCompiler" is immediately queued in the DBQueue. If Database Compiler ends without compiling the database, the task remains in the DBQueue. 3209411, 23049, 24713

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as SQL query and use aliases for the affected columns.

23521

Error message in the Web Designer query window: "Access to the path ... is denied."

This error occurs if the user that the web application process runs under does not have write permissions for the given folder.

23769

Errors may occur if the Web Installer is started in several instances at the same time.

24198

Headers in reports saved as CSV do not contain corresponding names.

24657

"Read Only" type tables with Common Table Expressions (CTE) in the ViewAddOn are not added in the schema.

In One Identity Manager 7.0, behavior has been modified if you use common table expressions with the keyword "with" as a condition for view definitions in read-only tables. The conditions for view definitions are embedded in a summary query. This means you cannot be sure that a common table expression is the very first expression in a query.

Possible error message:

(execute slot single)
50000 0 re-throw in Procedure QBM_ZViewBuildR, Line 10
50000 0 re-throw in Procedure QBM_PViewBuildR_intern, Line 102
50000 0 re-throw in Procedure QBM_PViewBuildR_intern, Line 82
50000 0 re-throw in Procedure QBM_PViewBuild_FromAddOn, Line 65
50000 0 re-throw in Procedure QBM_PSQLCreate, Line 26
156 0 detected in (...) Procedure ..., Line 6
156 0 Incorrect syntax near the keyword 'with'

Recommended action:

Check custom view definitions.

  1. Create a view that uses the common table expression.

    Example:

    create view CCC_Vxy as
    with a (col1, col2) as (
    select 1 as col1, 2 as col2
    )
    select * from a
    go

  2. Use the view in the additional view definition (QBMViewAddon) of the read-only table.

    select * from CCC_Vxy

 

Number of parameter pairs "ParamName"/"ParamValue" in the MailComponent's process task "SendRichMail" is not always sufficient.

10 parameter pairs are available by default. If this number is not sufficient, you can add additional custom process parameters, which Process Editor can then use as parameters. This function is available as of One Identity Manager version 7.0.

25164

In certain circumstances, objects can be in an inconsistent state after simulation in the Manager. If an object is changed or saved during simulation and the simulation is finished, the object remains in the final simulated state. It may not be possible to save other modifications to this object instance.

Solution: Reload the object after completing simulation.

12753

Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation. This problem only occurs if the Configuration Wizard is started directly. Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.

3372460, 25315

The error message "This access control list is not in canonical form and therefore cannot be modified" sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the parent folder of the web application (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.

26739
Schema extensions on a database view of type "View" (for example Department) with a foreign key relation to a base table column (for example BaseTree) or a database view of type "View" are not permitted. 3775973, 27203

Error connecting through an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable when exporting or importing the certificate.

3981140, 27793

DialogTable.OnLoadingScript is no longer supported.

27968

If a One Identity Manager database is operating in a cluster, the database is restored from a backup after a cluster failover. A new database ID is created in the process. This step can no longer be skipped; otherwise the database cannot be compiled.

28373, 4081234

Error in the SQL Formatter if a Boolean attribute supplies a 'NULL' value. The default value is '0'.

28381, 4063027

Database error migrating a database in an SQL Server AlwaysOn availability group.

The following error occurs during a One Identity Manager schema update:

Database error 1468: The operation cannot be performed on database "<database name>" because it is involved in a database mirroring session or an availability group. Some operations are not allowed on a database that is participating in a database mirroring session or in an availability group. ALTER DATABASE statement failed.

Cause: The database is a component of an AlwaysOn availability group and the SQL Server Service Broker no longer exists. The One Identity Manager schema update tries to add the SQL Server Service Broker again.

Solution:

  1. Remove the database from the AlwaysOn availability group.

  2. Update the One Identity Manager schema. This recreates the SQL Server Service Broker again.

  3. Add the database to the AlwaysOn availability group again.

27919, 4039342

Table 9: Target system connection
Known Issue Issue ID

Schema properties used to identify system objects must contain a value. They cannot be empty.

23895

Automatic employee assignment for Notes user accounts does not work.

Cause: DialogObject.ObjectName on NDOUser has been renamed from "NotesUser" to "NDOUser".

Solution: Test the existing search criteria for employee assignment (table column NDODomain.AccountToPersonMatchingRule) and replace "NotesUser" with "NDOUser".

23270
An error may occur when synchronizing a target system and provisioning object modification if the synchronization project was created with One Identity Manager 7.0 and no hotfixes were installed.

Example of an error message:

[2134002] Error executing an adhoc projection!

[1777239] The mapping rule (Members by SID) was unable to execute the projection between system objects (<group cn>) and (<group dn>) successfully!

Solution: Delete the synchronization project and recreate it. Restore your customizations.

3011731, 24022

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.

23795

After synchronizing an SAP R/3 environment, assignments of single role to SAP user accounts are labeled as pending.

This problem can occur if:

  • SAP role assignments to user accounts were loaded in the One Identity Manager database before installing One Identity Manager 7.0.1
  • Single role assignments, which are included in collective roles, were mapped as direct assignments (Error ID 3218196)

Because this problem was resolved in One Identity Manager 7.0.1, incorrect assignments are labeled as pending after synchronizing again with the appropriate synchronization configuration.

Solution: Delete pending assignments in One Identity Manager target system synchronization.

 

By default, the building block "HR_ENTRY_DATE" of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block "HR_ENTRY_DATE" remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.

3260098, 25401

You must provide a user account with the following permissions for full synchronization of Active Directory user accounts with the supplied One Identity Manager default configuration.

  • Member of the Active Directory group "Domain administrators"

A sensible minimum configuration which, with respect to pure user management, differs effectively in terms of permissions from a member of the group "Domain administrators" cannot be recommended.

26350, 3612100

Very high memory usage when processing memberships in LDAP groups in an Oracle Database. 26770
Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, provided that no primary SIP addresses have been stored so far. 27042

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.

3777857, 27359

No passwords can be provisioned when the bind method "Fast Bind" is in use in Active Directory. The method "SetPassword" is, therefore, not available.

The process step "AdhocProjection" fails with the message:

[System.Runtime.InteropServices.COMException] Unknown name. (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))).

27427

Synchronization projects for SAP R/3 that were imported by a transport into a One Identity Manager database, cannot be opened. The problem only occurs if an SAP R/3 synchronization project was not added in the target database before importing the transport package.

Solution: create and save at least one SAP R/3 synchronization project before you import SAP R/3 synchronization projects into this database with the Database Transporter.

3923873, 3932523, 27687

To use automatic employee assignment for central user administration (CUA) user accounts, assign the account definition to the CUA central system. Account definitions cannot be used to assign user accounts to child systems.

28137

Error in IBM Notes connector (Error getting revision of schema type ((Server))).

Probable cause: The IBM Notes environment is rebuilt or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the IBM Notes environment.

27126

Table 10: Third party contributions
Known Issue Issue ID
Synchronizing a very large Active Directory system with an SQL Server database crashes with the error message (Microsoft SQL Server, error: 22022). 23524

An error can occur during synchronization of SharePoint websites under SharePoint 2010. The method SPWeb.FirstUniqueRoleDefinitionWeb() triggers an ArgumentException. For more information, see https://support.microsoft.com/en-us/kb/2863929.

24626

Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting "File and Printer sharing" is not set on the server. This option is not set on domain controllers on the grounds of security.

24784

An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.

27830

Schema changes

The following provides an overview of schema changes in One Identity Manager version 7.1.2. up to version 8.0.

Configuration Module
  • New column DialogColumn.SplittedLookupSupport and new table QBMSplittedLookup for preparing data for faster cross-table searches.
  • New column DialogTable.DisplayNameSingular for mapping the singular form of table display names.
  • New tables QBMPwdPolicy, QBMObjectHasPwdPolicy and QBMVPwdPolicyColumns for mapping password policies.
  • New table QBMPwdHistory for mapping password history.
  • New table QBMPwdBlacklist for defining restricted passwords.
  • New columns DialogUser.BadPasswordAttempts, DialogUser.PasswordLastSet and DialogUser.PasswordNeverExpires for handling system users passwords.
  • New columns Job.IsForHistory and Jobqueue.IsForHistory for specifying whether process step messages are written in the process history.
  • New column Job.PriorityDefinition for defining a script, which specifies the priority depending on the contents of the process.
  • New columns JobParameter.IsCompressed and JobRunParameter.IsCompressed for specifying whether the parameter's value is compressed.
  • New columns QBMDBQueueTask.ExecutionDelaySeconds and QBMDBQueueTask.LastExecutedAt for mapping time of execution.
  • New column QBMDBQueueTask.ChangeLimit for labeling DBQueue Processor tasks with loading limits.

  • New columns QBMEventHasFeature.XMarkedForDeletion, QBMMethodHasFeature.XMarkedForDeletion and QBMScriptHasFeature.XMarkedForDeletion.
  • New table QBMFileHasDeployTarget for assigning files to machine roles for automatic software updating.
  • Column QBMPermissionSettingBase.Principal extended to nvarchar(23) or varchar2(23) respectively.
  • Column QBMVSystemOverview.Category extended to nvarchar(20) or varchar2(20) respectively.
  • Data type of column QBMVSystemOverview.Category changed to nvarchar(20) or varchar2(20) respectively.
  • Column DialogDBQueue.SubObject shortened to nvarchar(38) or varchar2(38) respectively.
  • Data type of columns Job.ProcessTracking and JobChain.ProcessTracking changed to bit or number(1, 0) respectively.
  • The column DialogTable.OnLoadingScript has been deleted.
  • The column QBMServer.UID_Database has been deleted.
Target System Synchronization Module
  • New column DPRAttachedDataStore.CreationDate for mapping time of creation.
  • New column DPRJournalSetup.OptionContextDisplay as display name for entries in the synchronization log.
  • New column DPRNameSpaceHasDialogTable.WhereClause as condition for provisioning memberships.
  • New columns DPRProjectionStartInfo.StartGroupConcurrenceBehavior and DPRProjectionStartInfo.StartGroupName for grouping start up configurations.
  • New columns DPRSchemaClass.IsObsolete, DPRSchemaMethod.IsObsolete, DPRSchemaProperty.IsObsolete and DPRSchemaType.IsObsolete for marking deprecated elements.
  • New column DPRShellPatch.IsAutoPatch for labeling patches that should be run automatically.
Target System Base Module
  • Column TSBVDirectAssignWrong.Reason shortened to varchar(21) or varchar2(21) respectively.
  • Column UNSContainer.CanonicalName extended to nvarchar (max) or clob respectively.
  • Columns UNSContainer.cn extended to nvarchar(1024) or varchar2(1024) respectively.
  • Column UNSContainer.DomainDisplayName shortened to nvarchar(128) or varchar2(128) respectively.
  • Data type of column UNSContainer.ObjectGUID changed to nvarchar(256) or varchar2(256) respectively.
  • The column UNSGroup.IsApplicationGroup has been deleted.
Active Directory Module
  • New column ADSDomain.ObjectSID.
  • The column ADSContainer.IsAppContainer has been deleted.
  • The column ADSGroup.IsAplicationGroup has been deleted.
Microsoft Exchange Module
  • New table EX0OwaMailboxPolicy and new column EX0MailBox.UID_EX0OwaMailboxPolicy for mapping Outlook Web App mailbox policies.
  • New column EX0MailBoxDatabase.IsRecovery for labeling as recovery database.
LDAP Module
  • The column LDAPContainer.IsAppContainer has been deleted.
  • The column LDAPGroup.IsAplicationGroup has been deleted.
SharePoint Module
  • New column SPSRLAsgn.MatchPatternForMembership for mapping categories for SharePoint roles.
SAP R/3 User Management module Module
  • New column SAPLicence.Country for mapping country surcharges.
  • New column SAPLicence.SonderVersion for mapping special versions.
SAP R/3 Compliance Add-on Module
  • The column SAPRCRange has been deleted.
Universal Cloud Interface Module
  • New columns UCIItem.CanonicalName, UCIItem.DistinguishedName and UCIItem.ObjectGUID.
Identity Management Base Module
  • New column DPRNameSpace.IsFilterDesignerEnabled for displaying compliance rules in the rule editor.
  • New column Person.BadPasswordAttempts as failed login count.
  • New column Person.BadPwdAnswerAttempts as failed answers to question count.
  • New columns Person.Passcode and Person.PasscodeExpires for passcode usage.
  • New column Person.PasswordLastSet for mapping the last password modification.
  • Data type of column PersonPasswordHistory.XTouched changed to varchar(1) or varchar2(1) respectively.
  • New column ShoppingCartPatternItem.ObjectKeyOrgUsedInAssign for specifying the role or organization to contain the assignment.
  • New column PWODecisionHistory.IsFromDelegation for labeling whether the approval was met based on a delegation.
  • New column PWODecisionSubMethod.RevisionNumber for specifying the revision number.
  • New table QERWorkingMethod and new column PersonWantsOrg.UID_QERWorkingMethod for mapping instances of approval workflows.
  • New table QERWorkingStep and new column PWOHelperPWO.UID_QERWorkingStep for mapping instances of approval steps.
  • Data type of columns PersonWantsOrg.OrderDetail2 and ShoppingCartItem.OrderDetail2 changed to nvarchar(64) or varchar2(64) respectively.
  • Columns QERCentralAccount.ColumnName and QERCentralAccount.TableName extended to varchar(30) or varchar2(30) respectively.
  • Column QERCentralAccount.AccountName shortened to nvarchar(400) or varchar2(400) respectively.
  • Columns QERMailAddress.ColumnName and QERMailAddress.TableName extended to varchar(30) or varchar2(30) respectively.
  • Column QERMailAddress.UID_PK extended to varchar(200) or varchar2(200) respectively.
  • Columns QERMailAddress.CompareValue and QERMailAddress.EmailAddress shortened to nvarchar(400) or varchar2(400) respectively.
  • Column ESet.Ident_ESet extended to nvarchar(256) or varchar2(256) respectively.
  • The column PWOHelperPWO.UID_PWODecisionStep has been deleted.
  • The columns BaseTree.IsProviderRoot and BaseTree.UID_ProviderSyncServer have been deleted.
Attestation Module
  • New column AttestationCase.UID_QERWorkingMethod for mapping instances of approval workflows.
  • New column AttestationHelper.UID_QERWorkingStep for mapping instances of approval steps.
  • New column PWODecisionStep.IgnoreNoDecideForPerson specifies whether the employee affected by this attestation instance may also approve it.
  • The column AttestationHelper.UID_PWODecisionStep has been deleted.
Business Roles Module
  • The column Org.UID_ProviderSyncServer has been deleted.

Synchronization template modifications

The following provides an overview of modified synchronization templates in One Identity Manager version 7.1.2. up to version 8.0.

  • Non-functional changes do not necessitate the update of existing synchronization projects. In this case, you are dealing with minimal adjustments, such as changes to display names.
  • Functional modifications must be applied to existing synchronization projects so that all existing target system synchronizations can still be run without error. For more information, see Patches for synchronization projects.

Table 11: Synchronization template modifications

Module | Synchronization template | Type of modification | Patch ID
Azure Active Directory Module | Azure Active Directory synchronization | functional | VPR#27304
Active Directory Module | Active Directory synchronization | functional | VPR#27304, VPR#27457, VPR#27769, VPR#27997, VPR#28560_ADS
Active Roles Module | Synchronize Active Directory Domain via Active Roles | functional | VPR#27304
Cloud Systems Management Module | Universal Cloud Interface synchronization | functional | VPR#27304, VPR#27371
Oracle E-Business Suite Module | Oracle E-Business Suite synchronization | new |
Oracle E-Business Suite Module | Oracle E-Business Suite CRM data | new |
Oracle E-Business Suite Module | Oracle E-Business Suite HR data | new |
Oracle E-Business Suite Module | Oracle E-Business Suite OIM data | new |
Microsoft Exchange Module | Microsoft Exchange 2010 synchronization (deprecated) | functional | VPR#27304, VPR#27447, VPR#28904
Microsoft Exchange Module | Microsoft Exchange 2010 synchronization (deprecated) | functional | VPR#27304, VPR#27447, VPR#28904
Microsoft Exchange Module | Microsoft Exchange 2010 synchronization (v2) | new | VPR#28904
Microsoft Exchange Module | Microsoft Exchange 2013_2016 synchronization (v2) | new | VPR#28904
G Suite Module | G Suite synchronization | new |
LDAP Module | AD LDS Synchronization | functional | VPR#27304
LDAP Module | OpenDJ Synchronization | functional | VPR#27304
IBM Notes Module | Lotus Domino synchronization | functional | VPR#27304, VPR#27769_NDO, VPR#28560_NDO
Exchange Online Module | Exchange Online synchronization (deprecated) | functional | VPR#27304
Exchange Online Module | Exchange Online synchronization (v2) | new |
SAP R/3 User Management module Module | SAP R/3 Synchronization (Base Administration) | functional | VPR#27289, VPR#27304, VPR#27769_SAP, VPR#28560_SAP
SAP R/3 User Management module Module | SAP R/3 (CUA subsystem) | functional | VPR#27289, VPR#27304, VPR#28560_SAP
SAP R/3 Analysis Authorizations Add-on Module | SAP R/3 BW | functional | VPR#27304
SAP R/3 Compliance Add-on Module | SAP R/3 authorization objects | functional | VPR#27539, VPR#27769_SAP, VPR#28560_SAP
SAP R/3 Structural Profiles Add-on Module | SAP R/3 HCM authentication objects | functional | VPR#27304
SAP R/3 Structural Profiles Add-on Module | SAP R/3 HCM employee objects | functional | VPR#27304
SharePoint Module | SharePoint synchronization | functional | VPR#27304
Universal Cloud Interface Module | SCIM Connect via One Identity Connect For Cloud | functional | VPR#27304, VPR#27769_SCIM, VPR#27860, VPR#28560_SCIM
Universal Cloud Interface Module | SCIM synchronization | functional | VPR#27304, VPR#27769_SCIM, VPR#27860, VPR#28560_SCIM
Unix Based Target Systems Module | Unix Account Management | functional | VPR#27304
Unix Based Target Systems Module | AIX Account Management | functional | VPR#27304
SharePoint Online Module | SharePoint Online Synchronization | new |
