Identity Manager 8.1.5 - Release Notes

One Identity Manager 8.1.5

28 February 2022, 15:18

These release notes provide information about the One Identity Manager release, version 8.1.5. You will find all the modifications since One Identity Manager version 8.1.4 listed here.

One Identity Manager 8.1.5 is a patch release with new functionality and improved behavior. See New features and Enhancements.

If you are updating a One Identity Manager version prior to One Identity Manager 8.1.4, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide

For the most recent documents and product information, see the One Identity Manager documentation.


About One Identity Manager 8.1.5

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives control over identity management and access decisions to your organization, freeing up the IT team to focus on their core competence.

With this product, you can:

  • Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition

  • Meet Access Governance demands across platforms throughout your entire enterprise with One Identity Manager

Each one of these scenario-specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

Starling Cloud Join

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. We will continuously make available new products and features to our Starling Cloud platform. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit

New features

New features in One Identity Manager 8.1.5:

Basic functionality
  • The system information overview shows whether a database is encrypted.

  • In the Database Compiler and in the program's status bar, a warning is shown if there are invalid script assemblies. The database needs to be compiled.

  • To access the REST API on the application server, the user requires the Enables access to the REST API on the application server (AppServer_API) program function.

    IMPORTANT: Ensure that the users the REST API communicates with obtain this program function.

  • The search index on the application server supports indexing of diacritical characters.

  • To prevent maintenance tasks from obstructing daytime relevant post-processing in the DBQueue, a new QBM_PDBQueueProcess_Mnt on <database> database schedule has been implemented for processing the maintenance tasks. The maintenance tasks pass their tasks on to the database schedule instead of running them themselves. This means that nothing changes in the scheduling of maintenance tasks. The database schedule does not have an active schedule, but is started through the QBM_PWatchDog on <database> database schedule.

  • The effectiveness of the assignments (XIsInEffect column) is recorded in the history. Analysis of the effectiveness of the assignments in reports depends on the new Common | ProcessState | PropertyLog | ShowEffectiveAssignmentsOnly configuration parameter. If the configuration parameter is set, only the assignments in effect are shown in reports (default). If the configuration parameter is not set, all assignments are shown irrespective of their effectiveness.

    NOTE: Assignment data that was recorded in an earlier One Identity Manager version is still shown irrespective of its current effectiveness.

Target system connection
  • Support for One Identity Active Roles version 7.4.4.

  • The Exchange Online connector uses the Exchange Online PowerShell V2 module.


The following is a list of enhancements implemented in One Identity Manager 8.1.5.

Table 1: General


Issue ID

Improved protection against damaging SQL statements.

33586, 33587

The Launchpad Configure > Add system users entry has been renamed to Configure > Manage system users.


Columns of assignment tables (M:N tables, M:all tables) cannot be included in the full-text search (DialogColumn.IndexWeight).

NOTE: To clean up existing installations, there is the Column in m:n or m:all - table with IndexWeight > 0 consistency check that finds columns from assignment tables, which are weighted for the full-text index.


In the Schema Extension, validity of the foreign key definition is checked when a read-only database view is added.


Optimized performance importing schema extensions with the Database Transporter.


In the Object Browser, when you switch to another object of the same type, the focus remains on the selected property. This makes it easier to compare object properties when you switch between them.


Improved performance of various SQL functions.


New mandatory field definitions for the DialogState.Ident_DialogState, DialogState.NationalStateName, DialogCountry.CountryName, DialogCountry.NationalCountryName columns. The groups of columns that must be unique (QBMUniqueGroup) have been adjusted.


New optional parameter -dc (--deleteconfig) in the InstallManager.CLI.exe command line tool to remove configuration data and log files when uninstalling One Identity Manager.


Table 2: General web applications


Issue ID

Logging in to the Web Portal with an OAuth provider is now possible without calling up oauth/{appId}/{authentifier} URL beforehand.


Identity credentials (id_token_hint) are now passed during OAuth provider login.


Improved Web Portal performance.


It is now possible for a web application to communicate with an API Server other than the one that the web application comes from.


The withPermissions parameter of the Web Designer dbcount() function is now marked as deprecated.


Improved speed of displaying the shopping cart.


Increased the Web Portal's security.


Updated the Microsoft.Owin library to version 4.1.1.


Table 3: Target system connection


Issue ID

The functionality that automatically created access permissions for clients when SAP roles or profiles are assigned to user accounts was removed when ID 28147 was implemented in version 8.1.0.

Now you are able to configure whether missing access to an SAP client is automatically allowed (entry in the SAPUserInSAPMandant table). To do this, the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter has been introduced.

If the configuration parameter is set, missing user account-client assignments are created after a role or a profile is passed down from this client. For direct assignments of roles and profiles, access to the client must be guaranteed beforehand as it was previously.

CAUTION: By automating the inheritance process, user accounts might obtain access permissions for clients without the knowledge of the target system managers.

By default, the configuration parameter is not set.


The SAPUser.Guiflag column's display name has been changed to Login by SAP GUI allowed (insecure communication).


SCIM filter expressions are passed down with each subset query during cursor-based paging.


The SCIM connector now supports Bearer authentication for logging in to the target system.

A patch with the patch ID VPR#33729 is available for synchronization projects.


Attribute check with schema during modification calls has been removed from the RACF connector.


The native database connector now supports columns with the DateTimeOffset data type.


The synchronization engine now differentiates between NULL and empty values when comparing.


The Starling Cloud configuration wizard now supports the EU region in the One Identity Starling Cloud login. Users are automatically connected to the Starling Cloud system that suits them the best.


Table 4: Identity and Access Governance


Issue ID

Improved performance calculating dynamic roles.


Improved performance checking compliance rules.


Improved performance in the queries that determine the approvers of default application procedures.


Resolved issues

The following is a list of solved problems in this version.

Table 5: General
Resolved issue Issue ID

Checking certificates of process steps with the SendMail and the SendRichMail process tasks fails if the revocation list distribution points defined in the certificate cannot be reached.

The behavior has been changed as follows:

If the revocation server is unreachable, the error will not occur. If the revocation server can be reached and the certificate is invalid, an error occurs.


If the One Identity Manager database and the History Database are on different servers, an error may occur in certain circumstances.

OLE DB provider... for linked server ... returned message "The object is in a zombie state. An object may enter a zombie state when either ITransaction::Commit or ITransaction::Abort is called, or when a storage object was created and not yet released.".

(0 rows affected) Msg 1206, Level 18, State 118, Procedure HDB_PGetRawFromSource_Intern, Line 581 [Batch Start Line 0] The Microsoft Distributed Transaction Coordinator (MS DTC) has cancelled the distributed transaction.


In certain circumstances, when the Database Transporter is importing a transport package, the SQL session appears to get blocked. The messages are not updated soon enough in the Database Transporter. Therefore it looks like the transport package has not been processed.


During bulk import of transport packages with the DBTransporterCMD.exe command line program, disabled triggers get left behind in the system.

33646, 33747, 34356

In the Schema Extension, not all 23 characters can be used for a table name (according to the documentation).


In the Schema Extension, if a foreign key is created in the BaseTree table that points to a view (for example, Locality), the relation in the QBMRelation table is created incorrectly. As a result, the QBMRelation invalid Child Execute by (RI) consistency check fails.


The following error sometimes occurs when running various processes:

[810143] Database error 10054: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - An existing connection was forcibly closed by the remote host.)


If a custom foreign key column is removed by the QBM_PColumnCustomRemove procedure, the generated RI triggers stay the same. These triggers still contain references to the columns that no longer exist.


Missing permissions for custom schema extensions at database level after transporting more custom schema extensions. This issue occurs if the permissions have been granted manually.


DBQueue Processor QBM-K-CommonReIndexTable tasks that reindex large tables do not disappear from the DBQueue.

Reindexing of tables does not take place anymore if they are larger than 1 GB or have more than 1 million data records. Maintenance of these tables must be carried out by the database administrator within the maintenance period.


DBQueue processing seems to halt, no more tasks are processed. In SQL Server reports, messages about blocking issues that the QBM_PDBQueueProcess_Main process session is involved in, are logged.


The data in the DialogTimezone, DialogCountry, and DialogState tables is not up-to-date.

32980, 33181

The display values in templates are not resolved if the templates are calculated by a process step using the ExecuteTemplates process function.

Running the template in an interactive session works correctly.


Error calculating the initial, next activation time of the schedules. If a start date is defined for a new schedule, it is run for the first time not on this date but on the next scheduled date after this start date.


SOAP Web Service methods that save do not work. If a method requires an object to be saved, this does not happen and the method does not have any effect, as in PersonWantsOrg.MakeDecision.


If a CSV report is generated by a data stream that does not supply any data, the header is not written in the file. This creates an empty file.

Solution: A new parameter, CsvBandFilter, for the ReportComponent process component's Export function, allows a header to be inserted even when the report does not have any data.


Using the SwitchToModuleGuid function results in missing generic indexes.


If the Only use for role-based authentication option for a permissions group (DialogGroup.IsRoleBasedOnly) changes, the administrative users' members are not recalculated in this group.

Solution: This option is always set for role-based permissions groups.


When you edit change labels in the Designer and add several objects to one change label at the same time, the sort order is not correct. The object that you selected last, is inserted as the second object in the change label. For example, in the case of configuration parameters it might mean that during transport, the paths in the target database are not generated correctly.


Error importing transport packages with extensions of database views and permissions respectively. If additional columns are created in a view definition's extension (QBMViewAddOn) and then permissions for them are granted and these changes are transported together, this error occurs during import:

[810143] Database error 50000: Cannot insert object in DialogColumnGroupRight because the associated object in DialogColumn does not exist. Rule QBM_RFRL27.


The FileComponent process component cannot set permissions on files and shares with a path length of more than 260 characters.


If a data query about the history of several objects uses an XObjectKey column from a parent query as criteria, it results in an empty set of results.


Error reinitializing the One Identity Manager Service if there are orphaned process steps in the Job queue.


Error when the One Identity Manager database was set up for replication. In this case, tables are created by the SQL Server that do not conform to the One Identity Manager naming convention.

This causes the error:

DBQueue task "QBM-K-SetRowLockOnly" fails with:

(execute slot single)50000 0 re-throw in Procedure QBM_ZSetRowLockOnly, Line 11

8152 0 detected in (SRV=..., DB=...) Procedure QBM_ZSetRowLockOnly, Line 3

8152 0 String or binary data would be truncated.

Furthermore, some consistency checks also fail.


When modules are removed, references in dynamic foreign keys are not removed.


Changing the password in the Launchpad causes errors when applications are started afterward.


Performance issues inserting a large number of objects if the table has a combination of columns that have to be unique. These issues particularly occur during initial synchronization.


The control for editing process plan parameters in the Designer truncates the values.


Loading Job queue processes is sometimes blocked by queries on tables that are locked by a transaction.


In the Manager, the Go to assigned object context menu is enabled in drop-down menus in modal dialogs.


In the Manager, the names of employees or organizations that begin with diacritical characters (such as Å, Ø or Æ) are not sorted in the A-Z or Miscellaneous filters.


Very long process parameters are truncated and the process steps are not processed.


When importing transport packages with system configuration, the necessary recalculation tasks are not created, which, for example, recreate the previously deleted FK constraints.


When updating the database, the countries and capital Bhutan are not generated in national notation.


In certain circumstances, no objects are imported from transport packages with change labels.


Display error in the Database Transporter when exporting synchronization projects.


Uninstalling One Identity Manager does not clear the entries in the registry.


Table 6: General web applications

Resolved issue

Issue ID

The TSBAERoleForGroup view has bad performance. This leads to long delays when loading overview forms in the Web Portal.


In the Web Portal, an error occurs if you open a date filter in a table, select a date and then cancel the whole process again.


In the Web Designer, an object-dependent reference can no longer be edited after it has been saved, only deleted.


In the Web Designer, an incorrect value is calculated in columns of Int data type in the O3EMailbox table when an action is performed.


In Web Designer, the SQL query no longer uses a select count (*) to determine the total number of entries. This can lead to performance problems.

Solution: The Count function has been implemented again.


In the Web Portal, a change to a support call under Recently selected by a staff member results in an error.


In reports, the user who added an assignment is not always displayed.


After adding a help archive in the Web Designer, the zip files are not found.


If you open the list for selecting recipients at the beginning of a request process in the Web Portal, there is a loss in performance.


When submitting a request in the Web Portal, an error message appears.


In the VI_Edit_Special_Person_TemporaryDeactivated Web Designer component, the IsTemporaryDeactivated parameter cannot be set to readonly.


In certain circumstances, long loading times occur in the Web Portal.


When calling attestation functions in the Web Portal, there is a loss of performance.


When creating a new report subscription in the Web Portal, it is not possible to close the dialog box with the Escape key.

33731, 33576

The swagger user interface is not accessible and the Failed to load API definition. error message appears.


The API Server does not supply all JSON files in the HTML archives.


In the Web Portal, the Additional Columns function is not displayed, although in Web Designer the corresponding columns of the collection have been marked as IsAdditionalColumn=true.

33625

When grouping delegations by the Assignment Type column in the Web Portal, the result list shows an incorrect number of delegations.


The code generator creates an incorrect TypedClient.ts file that causes errors during compilation.


In certain circumstances, date formats for attestations are not displayed in the user-defined format in Web Portal.


Compilation of the api-server-web-ui web application quits unexpectedly.


Certain special characters in the database password cause issues when installing the Web Portal.


In certain circumstances, the Web Portal does not display the correct attestation policy of an attestation case in the pending attestation view.


Searching in the Web Portal in a large number of pending attestation cases (more than 1000) does not find all potential results.


In certain circumstances, pending attestation cases are incorrectly displayed in the Web Portal.


Attestation processes continue to be offered to persons for decision in the Web Portal, although their decision is no longer required.


When editing or creating a report subscription in the Web Portal, if the list of selectable, additional subscribers also shows deactivated employees, an error occurs when saving the report subscription.


If you create a new report subscription in the Web Portal, select additional subscribers and then create a new report subscription, the additional subscribers are preselected.


In certain circumstances, in the Web Portal, the View Settings menu cannot be hidden using the Web Designer.


When sending an inquiry about an attestation case to a user in the Web Portal, the respondent is incorrectly shown as authorized for approval.


An employee incorrectly receives a message in the Web Portal when requesting a resource that they have already requested because the resource has already been directly assigned to the employee's subidentity.


It is possible to edit business roles in the Web Portal that you do not manage.


In certain circumstances, attestation cases are assigned to an incorrect attestation policy in the Web Portal.


Too many identical SQL statements slow down the Web Portal.


In the Web Portal, when filtering a large number of requests on the Renew or Unsubscribe page, not all potential requests are displayed.


If the VI_Common_SqlSearch_PrefixLike configuration key is set, not all potential objects are found when searching in the Web Portal.


In the Manager web application, the Create assignment resource task is provided for application roles and business roles.


Logging in to the Manager web application fails if TLS 1.2 is enabled and SSL 3.0 is disabled on the Internet Information Services.

Note: By default, use of SSL is not set. SSL usage can now be optionally set. To do this, add the following entry to the application section of the Manager web application's configuration file (Web.config).


<add key="AllowSSL" value="True" />



When installing the Manager web application for the application pool, if a user is used whose password includes &, the Encrypt web.config step fails with the error: An error occurred while parsing EntityName. Line 74, position 39.


Performance issues when viewing pending attestation cases in the Web Portal.


If you want to use the Check all services function in the service availability check in the Operations Support Web Portal, an error occurs.


If the values for additional request properties (AccProductParameter) are adjusted in the Web Portal by the approver during the approval process, these changes are not applied to the requests.


Table 7: Target system connection

Resolved issue

Issue ID

An error occurs when connectors that use the local SQLite cache to load an object list are used together with virtual schema properties of the Key resolution property type from the synchronization configuration. The value of a schema property is not correctly determined and the synchronization unexpectedly quits with an error.

Error: The object <obj> does not have a value for key property <prop>.


Performance issues in the target system browser when reloading objects from tables with more than one primary key and no object key.


Incorrect logging of script variables in the synchronization log if a variable set other than the default one is used in the synchronization project.


When a synchronization project is imported with the DBTransporterCmd.exe program, the shadow copy is not deleted. This means that after importing, the synchronization project is opened in its old state.


Error importing a synchronization project with the Database Transporter if the synchronization project already exists in the target database and several connected objects are deleted by the import.


If an empty value cannot be resolved for a schema property of Key resolution type, a warning is logged or synchronization stops, depending on the configuration.


Scripts for custom processing methods do not handle schema properties with values taken from the connected system. For example, if a custom processing method is run instead of the Insert method, the schema properties remain empty.

In custom processing method scripts, a third, optional parameter can now be given that passes the object value from the connected system.


The value in the XOrigin column cannot be changed by synchronization.


When publishing outstanding memberships in groups (UNSAccountBInUNSGroupB), the HandleOutstanding event is not triggered.


Error during synchronization when properties needed for resolving object references are missing from the objects in the synchronization buffer.


When native database columns are read or written with the native database connector, the date is converted to UTC.


The native database connector does not take the reference scope into account if it is defined as a system filter only.


Error connecting the SharePoint Online connector with the target system if legacy authentication with user name and password is disabled on the SharePoint server.

Error: [System.NotSupportedException] Cannot contact web site '<site>' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'.

The SharePoint Online connector now supports authentication through an Azure Active Directory application with a self-signed certificate.

A patch with the patch ID VPR#33432 is available for synchronization projects.


Long runtimes for provisioning SharePoint Online user accounts, groups, roles, and permission levels.


SharePoint Online connector performance issues. Error: "... has not been initialized."


In the value list of the O3SRole.RoleTypeKind column, the values Reviewer, RestrictedReader, and RestrictedGuest are missing.


In certain circumstances, Unix user accounts with special characters in their passwords are not added correctly. Only a fraction arrives in the target system. Provisioning ends with the error:

[Sugi.Common.Exceptions.SugiParserException] Received unexpected EOF while parsing action results


When a new Unix user account is created, the parameter for the home directory is not taken into account. This means that the home directory is always created under /home/<user name>.


Error including a schema extension file in the SAP connector schema if the tables are defined after the functions in the file.


If a schema type is defined in a schema extension file that uses table definitions for the ListObjectsDefinition and ReadObjectDefinition attributes as well as function calls for the InsertObjectDefinition, WriteObjectDefinition, and DeleteObjectDefinition attributes, the parameters of the given function are missing in the resulting schema as schema properties of the schema type.


Error when user accounts inherit SAP roles (SAPUserInSAPRole) if the corresponding SAP user account client access (SAPUserMandant) is marked as outstanding.

Error 1: Although the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter is not set or does not exist, valid assignments are generated.

Error 2: If the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter is set, valid assignments are generated. But the client's assignment to the user account stays outstanding. This provisions the role assignment. The outstanding mark is not removed until the next time synchronization is run.

The SAP_ZUserInSAPProfile and SAP_ZUserInSAPRole procedures for calculating inheritance have been corrected. If the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter is not set, the roles and profiles are not inherited by the user account and the entry in SAPUserMandant stays outstanding. If the TargetSystem | SAPR3 | AutoFillSAPUserMandant configuration parameter is set, the outstanding mark is removed and the roles and profiles are inherited by the user account.

NOTE: SAP roles and profiles can then also be assigned directly if the assignment to the user account of the client that the roles and profiles belong to, is marked as outstanding. This removes the outstanding mark.


Passing parameters to functions that are defined in an SAP schema extension file is not always correct.


Very long runtimes for calculating memberships in SAP roles in One Identity Manager version 8.1.4.


The SAP synchronization project consistency check shows warning messages.

A patch with the patch ID VPR#33980 is available for synchronization projects.


When renaming SAP user accounts in the Manager, the Disabled password option is not taken into account.


The SAPUserInSAPHRP.Excluded column is not provisioned in SAP R/3 although it can be edited in the Manager.

A patch with the patch ID VPR#34081 is available for synchronization projects.


The description of SAP roles is divided into two fields in the SAP GUI. In One Identity Manager, the entire description is written in one column although there are also two fields available.

In the synchronization project, a new virtual schema property has been created to divide up the description. The map has been adapted. A patch has been provided to correct existing synchronization projects.


An SAP group can be assigned to SAP user accounts that are administered through a Central User Administration, in One Identity Manager only if the group's client is assigned to the user accounts. In the SAP R/3 environment, a user account can be assigned to the central client's group without the user account being authorized for the central client.


Error provisioning an SAP user account when the valid from date of the user account is greater than the valid until date. This data combination is now prevented in One Identity Manager.


Exchange Online dynamic distribution groups (O3EDynDL table) do not allow empty included recipients (IncludedRecipients column) although it is not a mandatory field in the Exchange Admin Center. An error occurs during synchronization. The Customizer prevents the column from being empty.


Incorrect number of the Notes version in log messages when using IBM Domino Server version 10 or HCL Domino Server version 11.


Error provisioning Notes mail-in databases.


When a mail-in database is created, it is mandatory to enter the Notes domain that the mail-in database should belong to. There is a property mapping rule missing for transferring the value to the target system during provisioning of the mail-in database.

A patch with the patch ID VPR#33759 is available for synchronization projects.


The IBM Notes connector does not store the user ID file in the location specified in the TargetSystem | NDO | TempNetworkPath configuration parameter.

The configuration parameter has been deleted. Customized usage might require modification. Use the settings in the main data of the linked Notes domain or the allocated mail server.


When the system connection to an Oracle E-Business Suite is saved, parts of the connection credentials are saved twice.

A patch with the patch ID VPR#34008 is available for synchronization projects.


If an Active Directory global catalog is unreachable due to the firewall configuration, requests to the global catalog will not fail. Process steps that perform name resolution through a global catalog remain in the Processing state in this case.

Solution: A timeout of 65 seconds has been built into the Active Directory connector so that a request that is not answered within a certain time is considered to have failed.


When creating Active Directory user accounts, diacritical characters (for example, Å, Ø, or Æ) are not correctly taken into consideration in the templates and table scripts. The user accounts are not created.


The description of the TargetSystem | ADS | Accounts | NotRequirePassword configuration parameter does not match the behavior. The description has been adjusted.


Errors in the documentation of some Password Capture Agent properties in the One Identity Manager Password Capture Agent Administration Guide.


Errors may occur when synchronizing LDAP groups and their members if at least one member user account is not yet stored in the One Identity Manager database and is only found in the synchronization buffer.


Assigning an LDAP computer to a device does not queue an LDP-K-LDPMachineInLDAPGroup recalculation task. This means that groups inherited through the device are not assigned to the computer.


Error when provisioning memberships in LDAP groups. An attempt is made to write an empty value to the Member attribute of an LDAP group.

Error message:

Operation error message: A protocol error occurred.

Response result code: (2) ProtocolError

Response message: no values given


Issues if the Password property is a mandatory field in LDAP. For all schema classes that have this property, a vrtPassword is provided by the connector. The virtual property is mapped by default. The actual Password property is not mapped. This leads to an error in the consistency check of the synchronization project as well as errors in provisioning.


The length of the LDAPAccount.RoomNumber column is too short.


An error occurs when checking an Active Directory password policy in the Designer:

VI.DB.DatabaseException: Database error 1: SQL logic error

no such table: ADSPolicyAppliesTo


The Custom and the User defined tabs on the main data form for cloud user accounts are both called Custom in the English user interface.


Error synchronizing a cloud application with the SCIM connector when using the ETAG property as a revision counter.


Not all changed objects are correctly viewed and updated when synchronizing a cloud application with revision filtering because the time zone of the SCIM provider is not taken into account.


Exception error during initial synchronization of a cloud application with the SCIM connector: Invalid token header. No credentials provided.


Authentication failure due to missing encoding when logging in to an Oracle cloud application using the SCIM connector.


The length of the AADUser.State column is too short.


Performance problems during synchronization if many-to-all tables are included in the mapping.


Simultaneous provisioning of multiple G Suite organizations fails (quota exceeded).


The Customizer prevents the primary email address of a G Suite user account from being changed if this involves using an email address that is already assigned as an alias.


The Customizer prevents the modification of Microsoft Exchange mailboxes when the Active Directory user account is disabled.


When exiting the System Connection Wizard for Microsoft Exchange, an error occurs if a password with two dollar signs ($) is entered in the connection parameters.

Error message: Unknown Variable (T)!


The Delete sensitive data process step does not always run reliably when the employee's central password is propagated to the user account. It might result in password fields in the database not being cleared.

The behavior has been changed as follows:

  • An employee's central password is now only passed on to user accounts belonging to target systems that are synchronized by the One Identity Manager (NamespaceManagedBy=VISYNC). In custom target systems, it must also be possible to perform write operations (IsNoWrite=0).

  • For read-only target systems (NamespaceManagedBy=ReadOnly), the employee's central password is no longer propagated to the employee's user accounts.

  • An additional process step has been implemented in the processes for user accounts. This step waits until all of the user account's processes have completed. Then the user account's password data is deleted from the database.

    The following processes were modified:





    ADS_ADSAccount_Insert (ReadOnly)

















    NDO_NDOUser_Insert (ReadOnly)




Changing an employee's central password several times quickly results in an error.

Error: <Central Account> was changed by another user.


Table 8: Identity and Access Governance

Resolved issue

Issue ID

When calculating whether an approval step has timed out for an approver or attestor, the members of the chief approval team are taken into consideration. This may result in the approval step not being escalated or broken off although the timeout has been exceeded for all the regular approvers.


If attestation cases for permanently deactivated employees are closed automatically, no publishing date (DateHead) is set.


If there are several thousand Reminder for attestation cases tasks being processed in the DBQueue, blocked sessions and deadlocks may occur. This prevents the DBQueue from being processed quickly.


If several attestors have been determined for one approval step where the number of approvers is set to 1 and one attestor has already made an approval decision, the other attestors are still sent a reminder email. This error occurs in the scheduled demand for attestation.


Attestation cases do not come to an end when attestations for several attestation policies are started simultaneously and generation of an attestation case fails.


Performance issues approving attestation cases.


Very high memory usage and performance issues running attestations for attestation policies that create a lot of attestation cases.


  1. Transaction repetition has been disabled in the objects layer. Now there might be more error messages during processing.

  2. The VI_GetAttestationObject script can be customized. An optimized version that only contains the foreign key references can significantly reduce the runtime.


If the approval policy that applies to a product is defined on the service item or the service category, the product cannot be moved without breaking off any active requests.


Error unsubscribing a product with a limited period. If the request for a limited period product has been renewed several times such that the total validity period exceeds the validity period defined in the service item, an error occurs when unsubscribing the product.


Double entries in the PWOHelperPWO table. Sporadically, entries in the auxiliary table for request procedures (PWOHelperPWO) are added twice. This leads to a doubling of email notifications. If the approval workflow contains an approval step for external approval, the process for external approval is generated twice.


Renewing a limited period request fails although the renewal's expiry date is within the validity period.


The main data forms for departments, locations, cost centers, and business roles also show countries that are not enabled in the Country menu. Only enabled countries are allowed.


Assignments created through inheritance of SAP roles and SAP user accounts become active one day late. This happens if the database server is in a timezone to the west of UTC.


In One Identity Manager, if the validity period of an SAP user account is changed, no recalculation of company resource assignments to employees is triggered.


New keywords for service items will only be found after a complete re-indexing has been performed on the application server.


For automatic approvals, the processes do not go to the Frozen status when they fail.


Error saving completed requests if a validity period (Max. days valid) is subsequently set on the service item.


When approving requests, an error occurs under the following conditions:

  • The approval has been delegated and the delegator would like to be notified of the approval decision.

  • The reason for the approval decision is too long.


A request for recalculating the approvers is queued in the DBQueue, although NoRecalc is set on the QER | ITShop | ReducedApproverCalculation configuration parameter.


Renewals and cancellations fail if the request's valid until date has already passed at the time of approval.


It is not possible to reduce the value of Max. days valid for a single service position.

Changes to this value now affect new requests and renewals. If the value is changed from 0 to greater than 0, the change also affects existing requests.


Requests receive the status Pending after final approval, although no other request is active.


If a cancellation date that is in the past is specified for a cancellation, an error message appears. Subsequently, the product cannot be canceled even with a valid date.


On the overview forms of resources and service items, columns that do not exist are used in the Display columns property (DialogTree.ElementColumns).


If an exclusion clause is defined for two business roles (BaseTreeExcludesBaseTree), it may happen that a dynamic role should nevertheless assign an employee to the business role. The DBQueue Processor assignment is not processed and an error is logged: Cannot make assignment because there are already employee assignments to roles that exclude the roles to be added.


If a new employee is created in the Manager or the Web Portal and the manager (UID_PersonHead) is entered at the same time, the process defined in the HelperHeadPerson table that is supposed to start by setting the manager, is not triggered.


Missing indexing for the BaseTreeOwnsObject table.


Incorrect German translation for the entry The following employees are currently entitled to approve this request.


When approving rule violations, exception approvers can specify a valid until date that exceeds the validity period specified in the compliance rule.


The employee group affected by a compliance rule is determined incorrectly, if main and subidentities need to be determined.


When deserializing objects of an attestation case, an error may occur if the logged in user does not have sufficient edit permissions.


Table 9: IT Service Management

Resolved issue

Issue ID

In the Manager, it is not possible to maintain the number of CPUs per computer or server.

