One Identity Manager 8.1.3

Release Notes

June 2020

These release notes provide information about the One Identity Manager release, version 8.1.3. You will find all the modifications since One Identity Manager version 8.1.2 listed here.

One Identity Manager 8.1.3 is a patch release with new functionality and better behavior. See New features and Enhancements.

If you are updating a One Identity Manager version prior to One Identity Manager 8.1.2, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide


About One Identity Manager 8.1.3

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives control over identity management and access decisions to your organization, freeing up the IT team to focus on their core competence.

With this product, you can:

  • Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition

  • Meet Access Governance demands across platforms throughout your entire enterprise with One Identity Manager

Each one of these scenario-specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

Starling Cloud Join

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to our Starling Cloud platform. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit

New features

New features in One Identity Manager 8.1.3:

Basic functionality
  • Improved support for encrypting a database. If you are installing a new database, you can encrypt it immediately with the Configuration Wizard. To do this, the Configuration Wizard opens a new page called Database encryption.

  • To support troubleshooting in OAuth 2.0/OpenID Connect authentication you can log personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component. The QBM | DebugMode | OAuth2 | LogPersonalInfoOnException configuration parameter defines whether the login data is recorded.

  • Running of all automatic schedules can be temporarily stopped. This behavior is controlled by the new QBM | Schedules configuration parameter. If the configuration parameter is set, schedules are run automatically. If the configuration parameter is not set, schedules are not run automatically. However, you can start the schedules manually.

Web applications
  • In the Web Portal, you can now use heatmaps to show how many requests have been generated for each department, cost center, location or business role. This allows "hot spots" to be identified, meaning places in the organization that generate an unusually high number of access requests. This helps determine common characteristics of such access requests to aid decisions for investments in policy and role management. In the Web Portal, open the heatmaps on the home page's Request | Explore tile.

  • In the Web Portal, it is now possible to control how table columns are sorted by using the keyboard.

Target system connection
  • One Identity Safeguard version 6.0 is supported.

  • Simplified system connection wizards for Active Roles.

    On the Target server page, the system connection wizard now tries to find the service entries under CN=Enterprise Directory Manager,CN=Aelita,CN=System,<Domain DN> using the current login credentials. If the entries are found, their DNS names are provided in a menu. If no entries are found, the user can enter the target server manually.

  • Support for dynamic Azure Active Directory groups.

  • Support for dynamic Office 365 groups.

  • HCL Domino Server Version 11 and HCL Notes Client Version 11.0.1 are supported.



The following is a list of enhancements implemented in One Identity Manager 8.1.3.

Table 1: General


Issue ID

The FileComponent process component supports path lengths of more than 260 characters.


New parameters of the ScriptComponent process component are available for the CSVExport and CSVExportSingle process tasks.

  • ValueMaskChar: Character for masking values. If the parameter exists, the character is automatically added at both ends of each value and every time the same character appears within the value, it is doubled.

  • Culture: Language to use for formatting the value.

  • ConvertUtcTimes: Specifies whether UTC times are converted to local times.

  • TimeZone: Time zone to use for the conversion. Only used if ConvertUtcTimes is set. If the parameter is not set, the Job server's local time zone is used.

  • ParameterSet: UID of the parameter set to use. If the parameter is set, the parameter set is loaded and the parameters are made available to the query as Query parameters.

32410, 32939, 33039

More tolerant handling of temporary errors in the schema update.


Improved functionality for the Launchpad.

  • You can create tasks that can be run straight from the Launchpad.

  • Menu items in the Manager can be opened straight from the Launchpad.

32909, 33007, 33037

You can now enter more than one value in the TargetSystem | LDAP | Authentication | RootDN configuration parameter using a pipe (|) delimited list. For example, DC=Root1,DC=com|DC=Root2,DC=de. The LDAP authentication modules check authentication against each of the root domains.

Verification of login credentials with an LDAP authentication module has been optimized. LDAP user accounts that are not assigned to an employee are no longer taken into account. The domains entered in the user accounts are used for verification (LDAPAccount.UID_LDAPDomain).


Improved error logging in the application server.


Table 2: General web applications


Issue ID

In the Web Portal, keyboard shortcuts for buttons are now displayed in full (for example, [Alt-C]).


In Web Portal, the version number is shortened (for example 8.1).


In the Web Portal, the option to change the priority of all products when you edit the shopping cart has been renamed.


Improved performance when checking the shopping cart in the Web Portal.

32765

Improved security when generating reports in the Web Portal.


Improved support for HTTP header authentication if the connection goes through an application server.


Improved accessibility in the Web Portal when displaying tiles in high contrast mode.


The Microsoft.OData library has been updated to the newest version.


If API resources (Typescript client and Swagger JSON) are not required for compiling the API, the API resources can now be generated in the DbCompiler.exe file using the DoNotBuildResources parameter. For example, this might be necessary if problems occur during compiling.


The information saved in the session cookies of an API Server session now expires if the customer restarts the browser.


Table 3: Target system connection


Issue ID

Improved error messaging for load operations in the synchronization log.


The SCIM connector now uses the service provider's default value to find the maximum number of objects per page. The connector does not send values anymore.


Improved performance when provisioning G Suite user accounts.


You can configure which user data is transferred to a different user account before G Suite user accounts are deleted.


Improved documentation of permissions required for integrating One Identity Manager as an application in Azure Active Directory.


The filter for the HRPerson_0709_IDEXT schema class was changed from a string to an integer comparison.

A patch with the patch ID VPR#32899 is available for synchronization projects.


Improved messages for the SCIM connector in the synchronization log.

32689, 32690

The SCIM connector detects whether the service provider requires URLs with a closing slash.


The recommendations from Microsoft about avoiding throttling during SharePoint Online synchronization have been implemented.


The Active Directory connector can use the One Identity Manager Service's user account to log in on the target system. To do this, leave the login credentials on the project wizard's Login page empty.


The Microsoft Exchange connector can use the One Identity Manager Service's user account to log in on the target system. To do this, in the project wizard enable the Use account of One Identity Manager Service option on the Enter connection credentials page.

A patch with the patch ID VPR#32703 is available for synchronization projects.


In the project wizard for connecting cloud applications in the Universal Cloud Interface, the cloud application menu has been made larger.


In an SAP schema extension file, you can provide a time offset for the revision counter (AddRevisionTimeOffset attribute) in the schema type definition. You can use this attribute if the revision counter only contains a change date but no timestamp. This allows objects that were changed after the previous synchronization run but on the same day, to be included in the next synchronization run.


Adjustments required to the Exchange Online connector due to Microsoft turning off functionality in the cloud.


You can configure whether the database to be connected takes case sensitivity into account for the generic ADO.NET provider.


Improved performance when calculating user account assignments to groups in custom target systems (UNSAccountBInUNSGroupB table).


Table 4: Identity and Access Governance


Issue ID

Improved performance when creating and approving attestation cases.


Improved indexing of the PersonHasObject and BaseTreeHasObject tables.


In the Manager, on the overview forms for application roles, departments, cost centers, locations and business roles, you can now see which approval workflows they are used in.


Improved support for peer group analysis for attestation.



Resolved issues

The following is a list of solved problems in this version.

Table 5: General known issues
Resolved issue Issue ID

Blocked slots are reset too frequently.


Error calculating time periods for memberships in reports with historical data.


Transaction scope of the DBQueue Processor's HDB-K-ProcessGroup task is too big.


Processes are sporadically not generated from schedules.


Input of dates in reports does not support every date format.


When a report is translated, the description is not translated.


The RPS_ParseReportDefinitionXML script takes disabled columns into account when calculating the row definition.


The Table with XOrigin (XIsInEffect) without update handling consistency check does not take automatically generated triggers into account.


The result of a SQL query in the Object Browser cannot be marked with Ctrl + A anymore.


If you change the foreign key on an object in the Object Browser and use the Discard button to discard the changes, the foreign key is not reverted.


If the time difference to UTC for a timezone changes, the mean time difference to UTC for the states in this timezone is not updated.


In certain circumstances, the following error occurs when the Crypto Configuration encrypts long strings: String or binary data would be truncated.


Some Austrian states are not shown in the national language.


Deferred DBQueue Processor tasks are included in the performance calculation.


Bad performance running DBQueue Processor tasks with 2 parameters.


Bad performance when, in the Job queue, there are a lot of similar processes for different queues.


Incorrect handling of custom triggers during database compilation after changes to the schema.

32793, 32962

Export definitions for data export are not saved in the user configuration and are therefore not available after the Manager has been restarted.


In Launchpad, if you search for an item and right-click on the result, in the context menu Remove from favorites is shown instead of Add to favorites.


In a One Identity Manager database with version 7.x, the \SDK\SQLSamples\Files\MSSQL2K\30374.sql script does not detect an empty ADSSite.UID_ADSDomain.


For initial migration with the provided database, the user requires the SQL Server dbcreator server role.


In certain circumstances, an object is saved more than once after running a template. The following message is displayed: <object> was changed by another user.


Error automatically updating software after updating a One Identity Manager database from version 8.1 if the database is part of an AlwaysOn Availability Group.


In certain circumstances, while using the LDAP authentication module, the Login failed or VI.Base.ViException: Wrong user name or password error occurs even though the correct login credentials were used.


Changes to DialogTable.isMNTable and DialogTable.IsMAllTable do not generate a recalculation task for Watch* trigger.


Table 6: General web applications

Resolved issue

Issue ID

In certain circumstances in the Web Portal, the scroll bars are missing in the product's detailed view and, therefore, not all the data is visible.


In certain circumstances in the Web Portal, the View Settings menu is shown twice in the search results after a search.


In the Web Portal date columns, if you filter with Before, objects that do not have a value in the corresponding field are, incorrectly, displayed as well.


In certain circumstances in the Web Portal, pending attestations are not displayed.


In the Web Portal, an error occurs if an empty grouped table is exported as a PDF.


In the Web Portal, values are being validated in fields although the input is not yet complete.


Under Safari, permitting browser notifications in the Web Portal causes an error.


In the Web Portal, an error occurs if a request for a product is displayed and it is not assigned to an IT Shop.


In the Web Portal, if a direct assignment of an SAP role to an SAP user account is removed, the associated entry in SAPUserInSAPRole is not deleted.


If several products in the shopping cart are tested for requestability and there is a conflict, all products are marked the same.

To make it easier to differentiate, in the VI_ITShop_ShoppingCart Web Designer component, a new Warning value has been introduced for the CheckStatus property in the ShoppingCart collection. Customized components that show this property must also take this new value into account.


An error occurs when an approver in the Web Portal adds an item to another employee's request and sends the request.


In the Web Portal, requests to be approved can be selected in a list. In certain circumstances, the selection goes missing when you switch to another page of the list.


In the Web Portal, an error occurs if you use the function to split a role that you are responsible for.


In the Web Portal, on the Pending attestations page, an error occurs when you click the Business roles tile.


In the Web Portal, if you download a file with Internet Explorer 11 whose name contains non-ASCII characters, an incorrect file name is suggested for the file.


When a request is being approved in the Web Portal, it is possible to set the end of the validity period before the beginning of the validity period.


In the Web Portal, if a new child group is added, it is not shown in the list of child groups until the next login.


In the Web Portal, deleting objects causes performance problems as well as problems with the search function.

32987

In the Web Portal, if you filter delegations by recipient and the number of results is more than 1000, only the first 1000 are shown.


If an error alert is displayed in the Web Portal and you try to close it using the Escape key, the underlying dialog is closed instead of just the error alert.


In the Web Portal, there is no information about what date format is expected.


In the Web Portal, if an error occurs validating date input, the focus is not automatically set in the corresponding field.


Logging in to the Web Portal using OAuth 2.0/OpenID Connect does not work flawlessly.


Bad performance of the pre-defined Webportal.VI_ITShop_ProductSelection.AccProductStatusForPerson SQL statement.


In Web Designer, if you add a column of XdateInserted or XdateUpdated type to a table, the filter function for the column does not work in the Web Portal.


The Web Designer's GetDataState function does not work and returns a value of false even if columns have changed.


In certain circumstances, memory usage increases whilst working with the Web Designer.


In the Web Designer's navigation, none of the existing custom components are listed under Components.


In the Web Designer, if you open a context menu in a tree view with a right click, an error occurs.


If you deactivate the configuration key VI_RSTS_UseRedirect in the Web Designer, you can no longer log in to the Web Portal using RSTS.


Incorrect translations in the Web Designer Configuration Editor for the OAuth 2.0/OpenID Connect configuration.


The following error occurs running the API server: The CancellationTokenSource has been disposed.


Logging in to the Manager web application fails if TLS 1.0 or TLS 1.1 is disabled on the web server.


Table 7: Target system connection

Resolved issue

Issue ID

The IsSecret and IsSystemVariable properties of the DefaultUserPassword variable are not all correctly set in the synchronization project.

Patches with patch IDs VPR#32781_SCIM, VPR#32781_EBS, VPR#32781_NDO are available for synchronization projects.


Error applying a patch to a synchronization project after migrating to One Identity Manager version 8.1.2.


Error loading an object if an object class' unique key is defined as a column group and the value of one of the columns is NULL.


Provisioning a single group membership takes too long.


If synchronization projects are updated from the command line and the Patches=AllFixes parameter is set at the time, the milestones are not implemented.


If an Active Directory object that already has the SAMAccountName exists in another container in Active Directory, an error occurs.


The Value of parameter 'distinguishedName' cannot be converted to an ADSI path error message does not include the DN passed down.


Error during synchronization if accessing special properties of Active Directory objects using a DirectoryEntry object's extension method.


Active Directory account policies that are assigned through Active Directory groups are not taken into account in Active Directory user accounts.


In the Manager, the Active Directory Change master data form does not show changes to the Dial-up permitted property in Active Directory user accounts (ADSAccount.AllowDialIn).


Wrong reference scope for Active Directory locations.

A patch with the patch ID VPR#32965 is available for synchronization projects.


In certain circumstances, Active Directory synchronization fails with the error: Value cannot be null.


An error occurs when reading and writing Active Directory object properties that are read or written using an extension method.


Error during provisioning when restoring a deleted Active Directory object with activated Active Directory recycle bin feature.


The Active Roles connector does not support the function level for Windows Server 2016 domains.

A patch with the patch ID VPR#32844 is available for synchronization projects.


The edsaWTSUserConfigInheritInitialProgram property in the User mapping is negated. This behavior is no longer required.

A patch with the patch ID VPR#32871 is available for synchronization projects.


Error serializing complex properties from schema extensions in synchronization projects with the SCIM connector.


The SCIM connector uses the wrong media type for POST queries in the HTTP header. The data is swapped around.


The User.address~primary schema property is set to True even if no address data is given.

A patch with the patch ID VPR#32754 is available for synchronization projects.


Error loading the object list during a cloud application synchronization if the object list contains an object without a creation date.


The provisioning process for a cloud application's user accounts returns the wrong data for loading the objects.


In synchronization projects that were created with the One Identity Starling Connect project template, mapping telephone numbers does not work when provisioning changes.


Error provisioning in a cloud application if there is a read-only virtual schema property in the object matching rule.


Error provisioning group memberships if the SCIM connector uses PATCH queries.


Provisioning of deleted group memberships does not work under certain conditions.


Changes to values of multi-valued schema properties are not correctly mapped in PUT queries.


Checking for the existence of target system objects fails if there are several mappings.


During synchronization, an invalid entitlement assignment is not re-enabled if it exists in Oracle E-Business Suite as a valid assignment. EBSUserInResp.XOrigin retains the value 16.


Error provisioning Notes user accounts if the user account's certificate has been changed.


After updating Notes group memberships, the Summary and Names options are not set on the Members schema property anymore.


The process for locking Notes user accounts does not work correctly.


If SAP user accounts marked for deletion are reset, the associated SAPUserInSAPRole entries remain marked for deletion and are not reset.


The IsSecret and IsSystemVariable properties of the TempUserPassword variable are not all correctly set in the synchronization project.

A patch with the patch ID VPR#32781_SAP is available for synchronization projects.


If a One Identity Manager user account is renamed in SAP, not all existing assignments are transferred to the new user account by provisioning, only the last one.


Assigning or removing a direct membership in SAPUserInSAPRole that is already inherited generates the provisioning process.


Synchronizing SAP authorizations does not load all authorization object assignments to SAP transactions (SAPTransactionHasSAPAuthObject).


The reference scope for the SAPLicence table is so restrictive that in the SAP R/3 environment existing license assignments in the SAPUserHasLicence table cannot be added.


On the SAP user accounts' overview form, the assigned composite profiles from a CUA's child system are not displayed.


If single object synchronization is run several times sequentially on an Exchange Online mailbox, the value for XMarkedForDeletion swaps back and forth between 0 and 2.

A patch with the patch ID VPR#32768 is available for synchronization projects.


Error provisioning G Suite user accounts in One Identity Manager version 8.1.2.


Error loading single objects with Windows PowerShell if the parameter Identity is used.


Performance problems deleting memberships during single object synchronization.


In the Manager, custom columns of Datetime type are not displayed with the desired alternative column identifier for custom target systems.


On the form for defining search criteria for employee assignment, employees' display names are not correctly formatted.


The following error occurs when the UNSAccountB.CN template is run: Entry point was not found.


In the Manager, on the Change master data form for custom groups, the category cannot be selected if it does not have a container.


If an Exchange Online synchronization project is opened in an encrypted database in the Synchronization Editor, it is not possible to identify which password belongs to which user.


Table 8: Identity and Access Governance

Resolved issue

Issue ID

Notifications from questions about an attestation case are sent to the wrong employee.


Error adding attestation cases.


Error automatically removing E-Business Suite entitlement assignments after attestation has been denied.


The GenProcID in requests is emptied too quickly if an approved request's validity period is in the future.


Automatic approval decisions caused by the QER | ITShop | DecisionOnInsert or QER | ITShop | AutoDecision configuration parameter settings are also decided for the chief approval team.


The consistency check's repair script Requested products that are not assigned generates missing entries in the PersonInITShopOrg table with the wrong value for XOrigin.


Under certain circumstances, when determining a request's approver, a fallback approver is not found although there is no regular approver.


If in the second approval step of an approval workflow, the approval method EX is used and approval of the first approval step was decided automatically, the process for external approval is not triggered.


If the QER-K-ShoppingRackMakeDecisionEX task is returned to the DBQueue, in One Identity Manager 8.1.2 external approval is triggered again. Therefore the process for external approval is started twice.


The display name for the requested product is not displayed in requests (PersonWantsOrg.DisplayOrg) if the product exists on more than one shelf.


Shops cannot be separated from shopping centers that are assigned a shopping center template.


Error importing SAP functions if the One Identity Manager database is connected through an application server.


If, in the permissions editor for SAP functions, one of the Add by tasks is run and One Identity Manager is running over an application server, the Manager freezes.


Bad performance in the DBQueue Processor SAC-K-ProfileHasTCDInFID task.


The Replace method is not available for requests with Renewal status.


Error removing shops from shopping centers.


In the Manager, the Additional information column (PersonWantsOrg.AdditionalData) is missing from the Request details form.


Table 9: IT Service Management

Resolved issue

Issue ID

In the Manager, various master data is missing from the PC and server master data forms.


Error adding a help desk call: Error executing script 'VI_AE_GetAttachmentPath'.

