
Identity Manager 8.1 - Release Notes

Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 9: General known issues
Known Issue Issue ID
If you connect to a database with the Database Compiler, the task QBM-K-CommonWaitForCompiler is immediately queued in the DBQueue. If the Database Compiler ends without compiling the database, the task remains in the DBQueue. 23049, 24713

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.


Errors may occur if the Web Installer is started in several instances at the same time.


Headers in reports saved as CSV do not contain corresponding names.


In certain circumstances, objects can be in an inconsistent state after simulation in Manager. If an object is changed or saved during simulation and the simulation is finished, the object remains in the final simulated state. It may not be possible to save other modifications to this object instance.

Solution: Reload the object after completing simulation.


Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation.

Cause: The Configuration Wizard was started directly.

Solution: Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.


Schema extensions on a database view of type View (for example Department) with a foreign key relation to a base table column (for example BaseTree) or a database view of type View are not permitted. 27203

Error connecting through an application server or the API Server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable when exporting or importing the certificate.


If a One Identity Manager database is operating in a cluster, the database is restored from a backup after a cluster failover. A new database ID is created in the process. This step can no longer be skipped; otherwise, the database cannot be compiled.


It is not possible to extend predefined dynamic foreign keys by references to redefined tables. If you define custom dynamic foreign keys, at least one of the parties involved - dynamic foreign key column or referenced table - must be a custom object.


Error resolving events on a view that does not have a UID column as a primary key.

Primary keys for objects in the One Identity Manager always consist of one, or in the case of M:N tables, two UID columns. This is basic functionality in the system.

The definition of a view that uses the XObjectKey as primary key is not permitted and would result in more errors in a lot of other places.

The consistency check Table of type U or R with wrong PK definition is provided for testing the schema.


The default setting of globallog.config assumes that write access exists for %localappdata%. If an EXE does not have sufficient permissions, the log can be written to a directory that does have the access rights by changing the variable logBaseDir in the globallog.config or by introducing a special log configuration in the *.exe.config or the Web.config file.


The One Identity Manager Service only logs messages in the event log Application, by default.

Cause: To add an event log with another name, you require administrator permissions on the Job server.


  1. Add the file that the One Identity Manager Service should write to manually on the Job server. You can use Windows PowerShell, for example, to do this.

    1. Run Windows PowerShell as administrator on the Job server.

    2. Run the following CmdLet:

      New-EventLog -Source "Foobar" -LogName "<file name>"

  2. Enter this file name in the One Identity Manager Service's configuration file as the name for the event log in the module Logwriter.

  3. Restart the computer.

  4. Restart the One Identity Manager Service.


If the One Identity Manager database is installed in an SQL cluster (High Availability Group) and the option DTC_SUPPORT = PER_DB is set, replication between the servers is done by Distributed Transaction. If a Save Transaction is carried out, the following error occurs: Cannot use SAVE TRANSACTION within a distributed transaction.

Solution: Disable the option DTC_SUPPORT = PER_DB.


Table 10: Web applications

Known Issue

Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.


Table 11: Target system connection
Known Issue Issue ID

Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.


After synchronizing an SAP R/3 environment, assignments of single roles to SAP user accounts are labeled as outstanding.

This problem can occur if:

  • SAP role assignments to user accounts were loaded in the One Identity Manager database before installing One Identity Manager 7.0.1
  • Single role assignments, which are included in collective roles, were mapped as direct assignments (Error ID 3218196)

Because this problem was resolved in One Identity Manager 7.0.1, incorrect assignments are labeled as outstanding after synchronizing again using the appropriate synchronization configuration.

Solution: Delete outstanding assignments in One Identity Manager target system synchronization.


By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.


Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses were stored up to now. 27042

The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.


No passwords can be provisioned when the bind method Fast Bind is in use in Active Directory. The SetPassword method is therefore not available.

The process step AdhocProjection fails with the message:

[System.Runtime.InteropServices.COMException] Unknown name. (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))).


Synchronization projects for SAP R/3 that were imported by a transport into a One Identity Manager database, cannot be opened. The problem only occurs if an SAP R/3 synchronization project was not added in the target database before importing the transport package.

Solution: Create and save at least one SAP R/3 synchronization project before you import SAP R/3 synchronization projects into this database with the Database Transporter.


Error in IBM Notes connector (Error getting revision of schema type ((Server))).

Probable cause: The IBM Notes environment was rebuilt or numerous entries have been made in the Domino Directory.

Solution: Update the Domino Directory indexes manually in the IBM Notes environment.


Error provisioning licenses in a central user administration's child system.

Message: No company is assigned.

Cause: No company name could be found for the user account.

Solution: Ensure that either:

  • A company, which exists in the central system, is assigned to user account.

    - OR -

  • A company is assigned to the central system.


Error loading single objects with Windows PowerShell if the parameter Identity is used. The error can occur during provisioning of changes made to objects in Microsoft Exchange or Exchange Online, for example, and causes follow-on errors.

Windows PowerShell connector's message: Command yielded <count> objects but only one was expected.

Cause: Multiple objects with the same name exist.


Certain data is not loaded during synchronization of SAP R/3 personnel planning data that will not come into effect until later.

Cause: The function BAPI_EMPLOYEE_GETDATA is always executed with the current date. Therefore, changes are taken into account only on the exact day they come into effect.

Solution: To synchronize personnel data in advance that will not come into effect until later, use a schema extension and load the data from the table PA0001 directly.


Error synchronizing an OpenDJ system, if a password begins with an open curly bracket.

Cause: The LDAP server interprets a generated password of the form {<abc>}<def> as a hash value. However, the LDAP server does not allow hashed passwords to be passed.

Solution: The LDAP server can be configured so that a hashed password of the form {<algorithm>}hash can be passed.

  • On the LDAP server: Allow already hashed passwords to be passed.

  • In the synchronization project: Only pass hashed passwords. Use the script properties for mapping schema properties that contain passwords. Create the password's hash value in the script.
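The OpenDJ issue above, as an added example that is not One Identity or OpenDJ code: it flags generated passwords of the form {<abc>}<def> that would be read as hashes, and builds the hashed value to pass instead. The pattern, the {SSHA512} scheme, the salt length and all function names are assumptions; use the scheme your directory is configured to accept.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Shape the page describes for a value the LDAP server reads as a hash:
# "{<abc>}<def>", i.e. a non-empty name in curly brackets followed by more text.
# This pattern is an assumption modelled on that description.
PRE_ENCODED = re.compile(r"^\{[^}]+\}.+", re.DOTALL)

SCHEME = "{SSHA512}"   # assumption: the directory accepts salted SHA-512 values
DIGEST_LEN = 64        # SHA-512 digest size in bytes
SALT_LEN = 8           # assumption: 8 random salt bytes


def looks_pre_encoded(value: str) -> bool:
    """True if a clear-text value would be mistaken for a hashed password."""
    return PRE_ENCODED.match(value) is not None


def at_risk(passwords: List[str]) -> List[str]:
    """Generated passwords that fail when passed to the server in clear text."""
    return [p for p in passwords if looks_pre_encoded(p)]


def ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Build '{SSHA512}' + base64(SHA-512(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, stored: str) -> bool:
    """Recompute the digest with the embedded salt and compare in constant time."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False
    if len(raw) <= DIGEST_LEN:      # no salt present
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


# Constructed sample passwords, not taken from any real system.
SAMPLES = ["Tr0ub4dor&3", "{Xy9}kLm#42", "{}abc", "{abc}", "a{b}c"]

if __name__ == "__main__":
    for pw in SAMPLES:
        hashed = ssha512(pw)
        print(f"{pw!r:16} clear-text risk={looks_pre_encoded(pw)!s:5} -> {hashed[:24]}...")
```

Hashing every password, rather than only the flagged ones, keeps the value format uniform, which matches the "Only pass hashed passwords" step above.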


Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.


The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:

400: Bad Request -- 60639: A valid account must be identified in the request.

The request is denied in One Identity Manager and the error in the request is displayed as the reason.

796028, 30963

The following error message is displayed while setting up a synchronization project for One Identity Safeguard:

404: Not Found -- 0:

Cause: An older One Identity Safeguard version that does not support One Identity Manager is in use.

Solution: Ensure that you are using One Identity Safeguard version 2.5.


Inconsistencies in SharePoint can cause errors by simply accessing a property. The error also appears if the affected schema properties mapping is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.


  • Correct the error in the target system.

    - OR -

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.


Table 12: Third party contributions
Known Issue Issue ID

An error can occur during synchronization of SharePoint websites under SharePoint 2010. The method SPWeb.FirstUniqueRoleDefinitionWeb() triggers an ArgumentException. For more information, see


Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers on the grounds of security.


An error, TNS-12516, TNS-12519 or ORA-12520, sporadically occurs when connecting with an Oracle Database. Reconnecting normally solves this.

Possible cause: The number of processes started has reached the limit configured on the server.


Cannot navigate with mouse or arrow keys in a synchronization log with multiple pages.

Cause: The StimulReport.Net component from Stimulsoft handles the report as one page.


Valid CSS code causes an error under Mono if duplicate keys are used. For more information, see

762534, 762548, 29607

Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016 : KB4462928

  • Windows Server 2012 R2 : KB4462926, KB4462921

  • Windows Server 2008 R2 : KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may deteriorate the performance of Active Directory groups during provisioning and will be removed from future versions of One Identity Manager once Microsoft has resolved the problem.


Schema changes

The following provides an overview of schema changes from One Identity Manager version 8.0.2 up to version 8.1.

Configuration Module
  • New column DialogColumn.CanEditScript for scripts to conditionally remove edit permissions from columns.

  • New column DialogColumn.CanSeeScript for scripts to conditionally remove viewing permissions from columns.

  • New column DialogColumn.IsElementProperty to flag columns as name components for password validation.

  • New column DialogConfigParm.UID_QBMClrTypeEditor to embed an editor for editing more complex configuration parameters.

  • New column DialogDatabase.LicenceID for flagging license information.

  • New column DialogDatabase.ProductionLevelAddOn (in progress).

  • New column DialogAEDSAction.IsInActive to disable individual objects.

  • New columns DialogReportQuery.HAssignFKColumn, DialogReportQuery.HAssignType, DialogReportQuery.HListColumns and DialogReportQuery.HObjColumns for queries for reports with historical data.

  • New column DialogTag.SortOrder as sort order for change labels.

  • New columns DialogTree.ListActivationFKList and DialogTree.NodeActivationFKList for navigating to a foreign key object, which is loaded when an entry is selected in the user interface.

  • New column DialogUser.IsLockedOut for specifying whether a user is blocked due to failed logins.

  • New columns DialogValidDynamicRef.IsForAddElementAffected and QBMRelation.IsForAddElementAffected for flagging whether the parent object in the Job queue is added.

  • New columns Job.IsNoDBQueueDefer, JobQueue.IsNoDBQueueDefer and JobTask.IsNoDBQueueDefer for flagging whether process handling waits until DBQueue Processor tasks have been handled.

  • New column QBMDBQueueSlot.XObjectKey.

  • New column QBMJobqueueOverview.IsInitQueueRunning flags whether the Job queue is initialized.

  • New columns QBMPwdPolicy.IsLowerLetterNotAllowed, QBMPwdPolicy.IsNumberNotAllowed, QBMPwdPolicy.IsSpecialNotAllowed and QBMPwdPolicy.IsUpperLetterNotAllowed for password policies.

  • New column QBMServer.LastJobFetchTime for last time the process was called.

  • New column QBMServer.PortNumber as port for displaying the One Identity Manager Service log in a browser.

  • New columns QBMVSystemOverview.QualityOfValue and QBMVSystemOverview.RecommendedValue for showing system configuration in a report.

  • New column QBMWebApplication.UID_QBMIdentityClient for allocating a OAuth 2.0/OpenID Connect configuration to a web application.

  • New table DialogGroupHasAEDS for mapping API file permissions.

  • New table DialogGroupInProductLimited for mapping permissions groups to applications.

  • New table DialogObjectHasMethod for assigning task definitions to objects definitions.

  • New tables QBMDBPrincipal, QBMDBRoleDef, QBMDBPrincipalHasRoleDef and QBMDBRightsAddOn for mapping granulated permissions to SQL Server and database levels.

  • New table QBMDBQueueTaskPerf for analyzing the DBQueue Processor task performance.

  • New tables QBMDevBranch and QBMDevBranchHasAssembly for version management of API projects.

  • New table QBMHtmlApp for maintaining information about HTML applications.

  • New tables QBMIdentityClient, QBMIdentityProvider, QBMIdentityProvDisabledCol and QBMIdentityProvEnabledCol for OAuth 2.0/OpenID Connect configuration.

  • New table QBMLaunchActionHasFeature for authorizing Launchpad actions through program functions.

  • New table QBMReportQueryCriteria for defining several criteria for historical reports.

  • New table QBMVNonUniqueMAllTable for listing tables without a unique combination of object and foreign key (for optimizing index generating).

  • The following tables have been deleted:



  • The following columns have been deleted:











Target System Synchronization Module
  • New column DPRNameSpaceHasDialogTable.RootObjectPath as path to the base object.

  • New column DPRProjectionConfig.LogVariableSetContents flags whether variable sets are logged with current values.

  • New columns DPRProjectionConfigStep.CommitPropertiesLeft, DPRProjectionConfigStep.CommitPropertiesMode and DPRProjectionConfigStep.CommitPropertiesRight for improving object based synchronization.

  • New column DPRSchemaMethod.MethodType for flagging processing methods.

  • New columns DPRShell.EditedBy and DPRShell.EditedSince for flagging whether a synchronization project is already being processed.

  • New columns DPRShell.ShadowCopy and DPRShell.ShadowCopyMode for optimizing how synchronization projects are loaded.

  • New column DPRSystemConnection.DisplayNameQualified as qualified display name for the system connection.

  • New column DPRTemplate.SortOrder for sorting project templates.

  • New table DPRScript as script library.

  • New tables DPRStartSequence and DPRStartSequenceHasProjection for managing the start order.

Target System Base Module
  • New mandatory field definition for the following columns:



  • The table TSBVGroupTable has been deleted.

  • The column UNSRoot.isMemberOfEnabled has been deleted.

Active Directory Module
  • New column ADSAccount.MSDsConsistencyGuid as reference to the Cloud user account.

  • New column ADSSite.UID_ADSForest as reference to the forest.

  • New mandatory field definition for the following columns:





  • The column ADSSite.UID_ADSDomain has been deleted.

Microsoft Exchange Module
  • New column EX0RoleAssignPolicy.XMarkedForDeletion for flagging whether a policy is marked for deletion or not.

  • New mandatory field definition for the following columns:


















Exchange Hybrid Module
  • New column EXHRemoteMailbox.EmailAddresses for mapping more email addresses to other email addresses for remote mailboxes.

  • New column EXHRemoteMailbox.EmailAddressPolicyEnabled for specifying whether the email address is automatically updated on the basis of the recipient policy.

  • New mandatory field definition for the column EXHRemoteMailbox.UID_EX0Organization.

IBM Notes Module
  • New mandatory field definition for the following columns:








LDAP Module
  • New mandatory field definition for the column LDAPContainer.UID_LDPDomain.

Oracle E-Business Suite Module
  • New mandatory field definition for the following columns:







SharePoint Module
  • New columns SPSGroupPermission.XMarkedForDeletion and SPSUserPermission.XMarkedForDeletion for flagging whether permissions are marked for deletion.

  • New mandatory field definition for the following columns:




SAP R/3 User Management module Module
  • New column SAPUserHasParameter.ParameterValueDirect for finding parameter values assigned directly in the target system.

  • New column SAPUserInSAPRole.DisplayValue as display name for memberships.

  • New tables SAPBaseTreeHasParameter, DepartmentHasSAPParameter, LocalityHasSAPParameter, OrgHasSAPParameter and ProfitCenterHasSAPParameter for assigning SAP parameters to company structures.

  • New table SAPUserMandant for mapping access permissions to CUA systems.

  • New mandatory field definition for the following columns:




  • The table SAPUserInSAPMandant has been deleted.

SAP R/3 Compliance Add-on Module
  • New column XMarkedForDeletion in tables SAPAuthObjectClass, SAPBaseTreeInSAPFunction, SAPFieldHasSAPRCTable, SAPFunctionInstanceDetail, SAPRCTable, SAPRCVariable, SAPTransactionHasSAPAuthObject and SAPUserInSAPFunction for flagging whether the objects are marked for deletion.

  • New mandatory field definition for the following columns:




Privileged Account Governance Module
  • New data model for the Privileged Account Governance Module.

Identity Management Base Module
  • New columns AERole.UID_PersonHead and AERole.UID_PersonHeadSecond for mapping managers for application roles.

  • New column Person.ContactEmail as contact email address for the self-registration portal.

  • New column Person.EmployeeType for mapping employee types.

  • New column Person.IsLockedOut for specifying whether employee is blocked due to failed logins.

  • New column Person.IsLockedPwdAnswer for specifying whether the dialog box for changing the password is blocked due to failed logins.

  • New column Person.UID_DialogCultureFormat for specifying the language for displaying language specific numbers and dates in the Web Portal user interface.

  • New columns PersonWantsOrg.CheckResult, PersonWantsOrg.CheckResultDetail, ShoppingCartItem.CheckResult, ShoppingCartItem.CheckResultDetail and ShoppingCartOrder.CheckStatus for asynchronous processing of requests.

  • New columns PWODecisionMethod.UID_DialogRichMailProlongate and PWODecisionMethod.UID_DialogRichMailUnsubscribe for specifying other mail templates in approval policies.

  • New column QERJustification.JustificationType for specifying a usage type for standard reasons.

  • New table BaseTreeOwnsObject for finding target system managers quicker.

  • New table QEROrgRootHasOrgType for defining role types for role classes.

  • New table QERPasswordQueryAndAnswer for password questions and answers for resetting passwords.

  • New table QERVPersonCentralPwdColumn for defining user account properties that employees' central passwords are mapped to.

  • The following columns have been extended from nvarchar(128) to nvarchar(256):














  • The following columns have been deleted:



Business Roles Module
  • Column Org.Ident_Org extended from nvarchar(128) to nvarchar(256).

Attestation Module
  • New column AttestationHelper.UID_PWORulerOrigin for determining the attestor.

Compliance Rules Module
  • Column NonCompliance.Ident_NonCompliance extended from nvarchar(128) to nvarchar(256).

Helpdesk Module
  • New column HDSSupporterGroup.XMarkedForDeletion for flagging whether a support team is marked for deletion.

Changes to system connectors

The following provides an overview of the modified synchronization templates and an overview of all patches supplied by One Identity Manager version 8.0.2 to version 8.1. Apply the patches to existing synchronization projects. For more information, see Applying patches to synchronization projects.

Modified synchronization templates

The following provides you with an overview of modified synchronization templates. Patches are made available for updating synchronization templates in existing synchronization projects. For more information, see Patches for synchronization projects.

Table 13: Overview of synchronization templates and patches


Synchronization template

Type of modification

Azure Active Directory Module

Azure Active Directory synchronization


Active Directory Module

Active Directory synchronization


Active Roles Module

Synchronize Active Directory Domain via Active Roles


Cloud Systems Management Module

Universal Cloud Interface synchronization


Oracle E-Business Suite Module

Oracle E-Business Suite synchronization


Oracle E-Business Suite CRM data


Oracle E-Business Suite HR data


Oracle E-Business Suite OIM data


Microsoft Exchange Module

Microsoft Exchange 2010 synchronization (deprecated)


Microsoft Exchange 2010 synchronization (deprecated)


Microsoft Exchange 2010 synchronization (v2)


Microsoft Exchange 2013_2016 synchronization (v2)


G Suite Module

G Suite synchronization


LDAP Module

AD LDS Synchronization


OpenDJ Synchronization


IBM Notes Module

Lotus Domino synchronization


Exchange Online Module

Exchange Online synchronization (deprecated)


Exchange Online synchronization (v2)


Privileged Account Governance Module

One Identity Safeguard synchronization


SAP R/3 User Management module Module

SAP R/3 Synchronization (Base Administration)


SAP R/3 (CUA subsystem)


SAP R/3 Analysis Authorizations Add-on Module



SAP R/3 Compliance Add-on Module

SAP R/3 authorization objects


SAP R/3 Structural Profiles Add-on Module

SAP R/3 HCM authentication objects


SAP R/3 HCM employee objects


SharePoint Module

SharePoint synchronization


SharePoint Online Module

SharePoint Online synchronization


Universal Cloud Interface Module

SCIM Connect via One Identity Starling Connect


SCIM synchronization


Unix Based Target Systems Module

Unix Account Management


AIX Account Management

