-
We are introducing inclusive terminology to our products and documentation, replacing non-inclusive terminology during the process. Changes to our user interface elements and error messages will be reflected in the documentation for each product version.
-
SQL Server 2019 support with the database compatibility level SQL Server 2017 (140).
-
Windows Server 2022 support for Job servers, application servers, and web servers.
-
Windows 11 support for workstations.
-
New formatting type to prevent XSS characters from being entered. The new QBM | XssCheck and QBM | XssCheck | Sync configuration parameters determine whether the check is carried out.
-
Improved protection against damaging SQL statements. New configuration parameters for risk assessment, QBM | SQLCheck | RiskEvaluation and QBM | SQLCheck | SubSelect.
-
Support for a connection pool for separate sessions for reading and writing on different database servers. In the connection dialog, the Data Source property can contain a pipe (|) delimited list of servers. The first server specified is the primary server used for write access. All other servers are read-only copies with read access only.
-
For password policies, you can specify how many character class rules must be satisfied for a password to match the password policy.
-
Advanced configuration for OAuth 2.0/OpenID Connect.
-
The OAuth 2.0/OpenID Connect configuration for identity providers can be taken from a template. For the One Identity Redistributable STS (RSTS), the file is pre-configured. You can find the RSTS_Template.xml in the One Identity Manager installation directory. The template can be used in the Designer.
-
You can specify whether a check of the ID token takes place.
-
You can specify the acr values that the authorization server can use for processing an authentication request.
-
You can specify the claim type to be additionally checked.
-
You can configure the behavior of the client after logging off from the application.
-
Support for authentication of external applications via OAuth 2.0/OpenID Connect.
New QBM | AppServer | AccessTokenAuth and QBM | AppServer | AccessTokenAuth | RoleBased configuration parameters are provided for this.
-
Fallback for login using OAuth 2.0/OpenID Connect authentication modules for determining users. If no matching person is found for the claim value, the authentication modules search for the claim value in the system users' permitted logins (DialogUser.AuthentifierLogons). If an entry is found there, then that system user is logged in.
-
Individuals who are considered a security threat will no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.
-
A new table QBMColumnLimitedValue has been implemented to map lists of permitted values. A new table QBMColumnBitMaskConfig has been implemented to map bit masks. Editing is done in the Designer's Schema Editor on the Value properties tab. Default values can be deactivated on a custom basis.
-
You can specify whether single MVP column values must be unique, and whether that uniqueness check is case sensitive or distinguishes accented characters. Editing is done in the Designer's Schema Editor on the Value properties tab.
-
For unique groups of columns, you can enter message texts to be used instead of the default error message.
-
The query type of predefined database queries can be used to specify whether an entire SQL query is being handled or just the Where clause section.
-
If the format is specified, the target type of the expression is a string. If the format is not specified, the target type is the specified data type.
-
You can specify whether a Job server participates in load balancing.
-
In custom method definitions, a script can be used to conditionally display a method. For example, this way you can control whether a task is only displayed in the Manager if a certain condition is met. The script does not change the user's permissions, only the behavior when loading an object in the tools.
-
New features for schedules.
-
Schedules can be run on a specific day of the week in a specific month.
-
Multiple start times can be set per day.
-
The start details of schedules are logged.
-
You can define a default country that is taken into account when determining working hours and holidays.
-
Extension of $ notation with optional format specification: $<definition>:<data type>{<format>}$
-
Introduction of a new One Identity Manager query language. The One Identity Manager query language can be used to create queries or Where clause expressions against the One Identity Manager object layer. For example, the One Identity Manager query language is used to communicate between application servers and clients. Currently, you can use the One Identity Manager query language in the Object Browser's query window. For more information, see the One Identity Manager Configuration Guide.
-
Support for custom configuration files for logging with NLog. The custom-log-variables.config and custom-log-targets.config include files are defined in the globallog.config file. The LogFileLevel variable can overwrite the severity level in a custom configuration file. The eventLogLevel variable can be used to override the information level in a custom configuration file.
-
Transport templates can be created with the Database Transporter. You can use the transport templates when you create transport packages with the Database Transporter or with the DBTransporterCMD.exe command line program. This loads the export criteria from the transport template file.
-
The DBTransporterCMD.exe command line program supports the transport of synchronization projects.
-
New feature in the Quantum.MigratorCmd.exe command line utility.
-
Support for creating, checking, and extending SQL Server logins if granulated permissions are used.
-
New mode for creating an operational database after the database has been restored from a backup.
-
The DBCompilerCMD.exe command line program supports automatic compilation of the database. The database is monitored and compiled if necessary.
-
The AutoUpdate.exe command line program supports automatic software updating of a One Identity Manager installation.
-
The tools are displayed in the Launchpad in a new Programs menu item and can be started from there.
-
Individual tasks in the Launchpad are also available for users with role-based permission groups.
-
An email configuration wizard is provided to configure email functionality in the . The wizard can be run in the Launchpad and in the Designer's Configuration Parameter Editor.
-
The user interface of some One Identity Manager components requires Microsoft Edge WebView2 to display certain content. When installing the components, Microsoft Edge WebView2 is also installed.
-
The application server can be limited to a REST API mode.
-
Automatic updating of the application server can be configured in the web.config file. The mode attribute can be used to control whether the update is scheduled or started manually.
-
New Common | Indexing | DefaultResultLimit configuration parameter to specify the maximum number of search results returned for a query.
-
The API Server optionally provides a SCIM V2.0 interface through a plugin. This allows read and write access to a defined set of One Identity Manager tables.
-
The availability of a One Identity Manager Service can be tested via /alive.
-
New DirectConnection setting to configure the One Identity Manager Service for directly connecting to the target database without availability testing.
-
New DoNotWriteConfigBack setting to configure the One Identity Manager Service not to write the configuration back to the database.
-
New FtpComponent process component. This process component can transfer files by SFTP.
-
New CallMethodExclusive process task for the process component HandleObjectComponent to exclusively call a customizer method.
-
The F1 help and One Identity Manager documentation are provided in HTML5 format. You can access One Identity Manager documentation in the Manager by selecting the Help > Search in local help menu item.
-
Integration of Customizer methods into the Typed wrapper classes.
-
Step-by-step preparation of a database update. This runs through the various phases for preparing the database update. This step-by-step preparation is intended to ensure that users are informed about the upcoming update and that processes can be shut down in a targeted manner.
NOTE: Step-by-step preparation is used only when updating databases that have at least One Identity Manager version 8.2.
-
Support for Microsoft Teams.
Microsoft Teams teams and channels are mapped in One Identity Manager. The Microsoft Teams connector has the task of synchronizing Azure Active Directory. Installing the Microsoft Teams Module provides synchronization templates for Microsoft Teams. The Azure Active Directory connector uses the Microsoft Graph API for accessing Microsoft Teams. For more information, see the One Identity Manager Administration Guide for Connecting to Microsoft Teams.
A patch for synchronization projects with patch ID VPR#32454 is provided.
-
Simulation of property mapping for single objects
In the Synchronization Editor, you can test the results of property mapping rules. In particular, this can be used to check the mapping of virtual schema properties. The test results can be exported and thus used for product support.
-
Support for the Microsoft Cloud for US Government (L4) national cloud deployment.
Patches for synchronization projects with patch ID VPR#34150 and patch ID VPR#34170 are provided.
-
Support for Azure Active Directory guest users. To send the invitation to guest users, additional modifications are required in the synchronization project.
Patches for synchronization projects with patch ID VPR#28669 and with patch ID VPR#32665 are provided.
-
For Azure Active Directory user accounts, additional properties are supported for mapping personal and federation information for Azure Active Directory.
A patch for synchronization projects with patch ID VPR#31389 is provided.
-
The date of the last password change to Azure Active Directory user accounts is loaded.
A patch for synchronization projects with patch ID VPR#32975 is provided.
-
Support for license assignment to Azure Active Directory user accounts through Azure Active Directory groups. Additional reports are provided for user accounts and subscriptions.
A patch for synchronization projects with patch ID VPR#32384 is provided.
-
Support for Azure Active Directory applications, service principals, and app roles.
A patch for synchronization projects with patch ID VPR#33088 is provided.
-
Support for Azure Active Directory activity-based timeout policies, home realm discovery policies, token issuance policies, and token lifetime policies.
A patch for synchronization projects with patch ID VPR#33198 is provided.
-
Update employees when Azure Active Directory user accounts are changed.
The new TargetSystem | AAD | PersonUpdate configuration parameter can be used to control whether the properties of connected employees in One Identity Manager are updated when user accounts in Azure Active Directory are changed.
-
Support for custom Azure Active Directory schema extensions. The Azure Active Directory connector can read and write Azure Active Directory schema extensions.
-
The Azure Active Directory connector supports delta synchronization to speed up Azure Active Directory synchronization. Delta synchronization is not enabled by default; the synchronization project must be customized to use it.
-
The Hide group from Outlook property in Office 365 groups is mapped.
A patch for synchronization projects with patch ID VPR#34046 is provided.
-
The Active Directory connector supports Active Directory, which is shipped with Windows Server 2022.
-
With Active Directory synchronization, more restrictive values for the minimum password length and the number of passwords to store are applied from a domain's global account policy to the password policy for that domain.
-
The Middle Name property of Active Directory user accounts is mapped.
A patch for synchronization projects with patch ID VPR#32110 is provided.
-
Support for protection against accidental deletion of Active Directory containers, user accounts, contacts, and computers.
Patches for synchronization projects with patch ID VPR#32759 and with patch ID VPR#32783 are provided.
-
The Azure AD Connect anchor ID of Active Directory user accounts, contacts, groups, and computers is mapped.
Patches for synchronization projects with patch ID VPR#32950 and with patch ID VPR#32952 are provided.
-
The Password Capture Agent supports Windows Server 2019 and Windows Server 2022.
-
Support for One Identity Active Roles version 7.4.5.
-
Support for the Group Family.
A patch for synchronization projects with patch ID VPR#34634 is provided.
-
A new TargetSystem | ADS | ARS configuration parameter has been added. Specific components are marked with a new preprocessor condition, ARS.
-
Support for the Microsoft Exchange mailbox permissions Send as and Full access.
A patch for synchronization projects with patch ID VPR#21073 is provided. Synchronization is not enabled by default. In order to synchronize mailbox permissions, the synchronization project must be customized.
-
Support for excluding Microsoft Exchange mailbox databases from automatic mailbox distribution.
A patch for synchronization projects with patch ID VPR#26120 is provided.
-
Support for Microsoft Exchange address book policies.
A patch for synchronization projects with patch ID VPR#27741 is provided.
-
Support for recovery of individual items of Microsoft Exchange mailboxes.
A patch for synchronization projects with patch ID VPR#31470 is provided.
-
A new LDAP connector (version 2) is provided. Project templates are provided for OpenDJ, Active Directory Lightweight Directory Services (AD LDS), and Oracle Directory Server Enterprise Edition (DSEE), as well as a generic project template.
-
Support for multiple linking of LDAP systems with the same distinguished name.
-
With newly created synchronization projects, the LDAP domain names are formed with <DN component 1> (<server from connection parameters>).
-
For existing synchronization projects created with the generic LDAP connector, a patch with patch ID VPR#33513 is provided.
-
LDAP domains that are already in the database are not renamed. If necessary, manually adjust the LDAP domain names (Ident_Domain).
-
Support for the One Identity Safeguard versions 6.7, 6.10, and 6.11.
-
Support for access requests for SSH keys for One Identity Safeguard.
A patch for synchronization projects with patch ID VPR#32541 is provided.
-
Support for vault for personal passwords for user accounts in One Identity Safeguard.
A patch for synchronization projects with patch ID VPR#34392 is provided.
-
Connection of PostgreSQL databases
With the generic database connector, PostgreSQL databases can now also be connected.
-
The One Identity Manager connector supports synchronization of databases with different product versions or different numbers of modules.
A patch for synchronization projects with patch ID VPR#33728 is provided.
-
Generation of synchronization projects for synchronization of two One Identity Manager databases (system synchronization)
The synchronization project for synchronization of two One Identity Manager databases can be created automatically based on defined criteria. This creates an image of selected application data from a One Identity Manager database. Revision filtering is supported. The frequency of synchronization can be set individually for each table to be synchronized.
System synchronization simplifies the setup and maintenance of the synchronization configuration. One Identity Manager takes care of setting up all the components of the synchronization configuration. Manual adjustments are not necessary. For example, use system synchronization to outsource computationally intensive functions such as attestation and automatic revocation of entitlements from the central database.
A patch for synchronization projects with patch ID VPR#33728 is provided.
-
The scope of the synchronization protocol has been extended. Information about the processed objects, synchronization progress, and revision filtering is now output per synchronization step. The level of detail can be configured in the synchronization workflows.
-
Variables can be used for defining quotas.
-
The Oracle E-Business Suite connector and the generic database connector for Oracle Database have been migrated to Oracle Data Provider for .NET (ODP.NET).
A patch for synchronization projects with patch ID VPR#33804 is provided.
IMPORTANT:
-
The connection parameters of existing synchronization projects for Oracle E-Business Suite are altered when establishing the connection to the target system, where possible, and should be checked afterwards.
-
The connection parameters of existing synchronization projects for the generic database connector for Oracle Database are altered when updating One Identity Manager, where possible, and should be checked afterwards.
-
Mapping of different types of system entitlements.
Many cloud applications use more than one group type to map entitlements. When connecting cloud applications, other types of system entitlements, such as roles or entitlement sets, can now be mapped in addition to groups. Depending on the target system, assignments are maintained either with the user accounts (user-based assignment) or with the system entitlements (entitlement-based assignment). The types used, and the object types with which the assignments are maintained, are configured when synchronization is set up.
The different types of system entitlements and their assignments can be integrated into Identity Audit and attestation.
-
When defining schema types in a schema extension file for the SAP connector schema, the InsertCommitDefinition, WriteCommitDefinition, and DeleteCommitDefinition attributes can now also be used.
-
SAP S/4HANA user types and communication data are supported.
Patches for synchronization projects with patch ID VPR#33301 and VPR#33301_2 are provided.
-
An RFC function module /VIAENET/HELPER with the /VIAENET/ZHELPER function group is provided, which selects the PA0002 table.
-
An RFC function module /VIAENET/READTABLE is provided, which behaves similarly to the RFC_READ_TABLE function module. The function can read data from tables and views in the SAP database, as long as they are not marked as internal tables.
-
For mapping additional HR data to employees, the SAP R/3 HCM employee objects synchronization template provides the mapping and the Employee_PA0000 synchronization step. This mapping can be used instead of the default Employee mapping. To do this, activate the Employee_PA0000 synchronization step and deactivate the Employee synchronization step.
-
The Domino connector supports the Notes Client version 10.0.
-
Support for HCL Domino Server version 12.0 and HCL Notes Client version 12.0.
NOTE: If the connected Domino system uses Domino 12 and the Domino connector has write access to the target system, then the gateway server must have Notes client version 12 installed.
If read-only access to the target system is required, an older Notes client version can also be used on the gateway server.
-
Creating SharePoint Online site collections and sites
You can add new site collections and sites in the One Identity Manager and publish them in the SharePoint Online target system. Predefined scripts and processes are provided for this purpose. These can be used as templates to make site collections and sites requestable through the IT Shop.
A patch for synchronization projects with patch ID VPR#31779 is provided.
-
For synchronization of Unix-based target systems, authentication with a private SSH key is supported.
A patch for synchronization projects with patch ID VPR#33249 is provided.
-
Improved support for inheritance of target system-specific groups and permissions by user accounts.
To better distinguish which types of groups and permissions are inherited, additional options for inheritance have been implemented. In addition, you can specify which groups and privileges are to be inherited when you create the account definitions. A note is displayed on the user account overview forms when groups and permissions cannot be inherited.
-
For inheritance of groups and permissions based on categories, 64 categories can now be created.
-
Assignments of employees to multiple business roles can be prevented. You can enable the option for role classes and role types.
-
New default approval procedures KA and OT for attestations and IT Shop requests.
-
New default approval procedure CS for attesting employees.
-
New default objects (attestation policy, attestation procedure, condition types, approval workflow, and approval policy) for attestation of initial manager assignment. With this attestation, missing manager information can be requested and assigned to employees.
-
New report Overview of the results of an attestation run.
-
Attestation policies can be configured to automatically change the certification status of attestation objects when an attestation is approved or denied. The Set certification status to "Certified" and Set certification status to "Denied" options can be enabled if a table is selected in the attestation procedure that has an ApprovalState column. The feature can be used by default for attesting employees, business roles, application roles, and organizations.
-
Shortened process of attestations if an attestor is authorized to make multiple approvals in one attestation case. If this attestor grants approval it is automatically carried over to subsequent approval steps. Thus, the attestation case is submitted to the attestor for approval only once.
The feature is activated with the QER | Attestation | ReuseDecision configuration parameter.
-
Sample attestation
With sample attestation, attestation cases can be restricted to a selection of attestation objects. Samples can be compiled manually or based on defined criteria. A default sample Monthly organizational changes to employees is provided. This can be used if the QER | Selections | PersonOrganizationalChanges configuration parameter is set. To create random samples, the QER_PPickedItemInsertRandom SQL procedure can be used.
-
Weekends and public holidays are now taken into account by default when calculating working hours, for example for the due date of attestation cases or the approver reminders. To configure whether weekends or holidays should be treated as working days, additional configuration parameters have been introduced.
-
QBM | WorkingHours | IgnoreHoliday
-
QBM | WorkingHours | IgnoreWeekend
-
QER | Attestation | UseWorkingHoursDefinition
-
For time-limited requests, if the expiration date has passed, requests can now go through a cancellation workflow before the assignment is permanently removed.
-
Assignments of company resources to system roles can now be requested in the Web Portal. For this purpose, the Assignments to system roles default assignment resource is provided.
When attesting assignments to system roles, the requested assignments can also be removed automatically. The QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveRequested configuration parameter was introduced for this purpose.
-
The definition of SAP functions has been extended so that external services, TADIR services and RFC function modules can be included in the authorization check in addition to transactions. Transactions, external services, TADIR services, and RFC function modules are mapped as SAP applications in One Identity Manager.
Patches for synchronization projects with patch ID VPR#32963_1 and VPR#32963_2 are provided.
-
The definition of product-specific request properties has been redesigned. Now you can define a lot of additional information for request parameters. This makes the implementation of request properties more flexible. The previous solution can still be used. When creating new request properties, you specify whether you want to use the modern or the obsolete definition.
-
Assigned requests that have passed their expiration date can now go through the cancellation workflow stored in the approval policy before the assignment is finally removed. The feature is activated with the QER | ITShop | ExceededValidUntilUnsubscribe configuration parameter.
-
Employees can be excluded automatically from dynamic roles on the basis of a denied attestation or a rule violation. An excluded list is maintained for this purpose. Excluded lists can also be defined for individual employees.
-
Support for the reorganization of an IT Shop solution. The following tasks can be run on custom IT Shop structures:
-
Simultaneous moving of several selected products from one shelf to another shelf.
-
Moving a complete shelf to another shop.
-
Moving a complete shop to another shopping center.
-
Introduction of a general deputization of all an employee's approval entitlements. An employee can appoint a deputy for all approval powers in one area. This deputy is additionally identified as the approver for all approvals that the employee is required to make during a specified time period. Deputies may be established for attestation, request approvals, and exception approvals of requests.
-
When attesting memberships in application roles, memberships that were created through a dynamic role can also be automatically removed. The QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole configuration parameter was introduced for this purpose.
-
Google Workspace admin role assignments can now be requested in the Web Portal and integrated into Identity Audit.
-
Manually created application roles for product owners are now also automatically deleted if they are not used.
NOTE: If you have set up your own application roles under the Request & Fulfillment | IT Shop | Product owners application role that you use for custom use cases (tables), then check whether these can be deleted automatically. Otherwise, disable the Clean up application role "Request & Fulfillment | IT Shop | Product owners" schedule.