Identity Manager 8.2 - Release Notes

One Identity Manager 8.2

29 November 2021, 10:25

These release notes provide information about the One Identity Manager release, version 8.2. You will find all the modifications since One Identity Manager version 8.1.5 listed here.

One Identity Manager 8.2 is a minor release with new functionality and improved behavior. See New features and Enhancements.

If you are updating a One Identity Manager version older than One Identity Manager 8.1.x, read the release notes from the previous versions as well. You will find the release notes and the release notes about the additional modules based on One Identity Manager technology under One Identity Manager Support.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation

  • One Identity Manager Composition API Object Model Documentation

  • One Identity Manager Secure Password Extension Administration Guide

For the most recent version of the product information, see the One Identity Manager documentation.


About One Identity Manager 8.2

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives control over identity management and access decisions to your organization, freeing up the IT team to focus on their core competence.

With this product, you can:

  • Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition

  • Meet Access Governance demands across platforms throughout your entire enterprise with One Identity Manager

Each one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.

One Identity Starling

Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling cloud platform, giving your organization immediate access to a number of cloud-delivered microservices that expand the capabilities of your One Identity on-prem solutions. We will continuously make new products and features available to One Identity Starling. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit

New features

New features in One Identity Manager 8.2:

  • We are introducing inclusive terminology to our products and documentation, replacing non-inclusive terminology during the process. Changes to our user interface elements and error messages will be reflected in the documentation for each product version.

  • SQL Server 2019 support with the database compatibility level SQL Server 2017 (140).

  • Windows Server 2022 support for Job servers, application servers, and web servers.

  • Windows 11 support for workstations.

  • New formatting type to prevent XSS characters being entered. The new QBM | XssCheck and QBM | XssCheck | Sync configuration parameters determine whether a check is carried out.

  • Improved protection against damaging SQL statements. New configuration parameters for risk assessment, QBM | SQLCheck | RiskEvaluation and QBM | SQLCheck | SubSelect.

  • Support for a connection pool for separate sessions for reading and writing on different database servers. In the connection dialog, the Data Source property can contain a pipe (|) delimited list of servers. The first server specified is the primary server used for write access. All other servers are read-only copies with read access only.

  • For password policies, you can specify how many character class rules must be satisfied for a password to match the password policy.

  • Advanced configuration for OAuth 2.0/OpenID Connect.

    • The OAuth 2.0/OpenID Connect configuration for identity providers can be taken from a template. For the One Identity Redistributable STS (RSTS), the file is pre-configured. You can find the RSTS_Template.xml in the One Identity Manager installation directory. The template can be used in the Designer.

    • You can specify whether a check of the ID token takes place.

    • You can specify the acr values that the authorization server can use for processing an authentication request.

    • You can specify the claim type to be additionally checked.

    • You can configure the behavior of the client after logging off from the application.

  • Support for authentication of external applications via OAuth 2.0/OpenID Connect.

    There are new QBM | AppServer | AccessTokenAuth and QBM | AppServer | AccessTokenAuth | RoleBased configuration parameters provided for configuration.

  • Fallback for login using OAuth 2.0/OpenID Connect authentication modules for determining users. If no matching person is found for the claim value, the authentication modules search for the claim value in the system users' permitted logins (DialogUser.AuthentifierLogons). If an entry is found there, then that system user is logged in.

  • Individuals who are considered a security threat will no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

  • A new table QBMColumnLimitedValue has been implemented to map lists of permitted values. A new table QBMColumnBitMaskConfig has been implemented to map bit masks. Editing is done in the Designer's Schema Editor on the Value properties tab. Default values can be deactivated on a custom basis.

  • You can specify whether single values in MVP columns are checked for uniqueness, case sensitivity, or accented characters. Editing is done in the Designer's Schema Editor on the Value properties tab.

  • For unique groups of columns, you can enter message texts to be used instead of the default error message.

  • The query type of predefined database queries can be used to specify whether an entire SQL query is being handled or just the Where clause section.

  • If the format is specified, the target type of the expression is a string. If the format is not specified, it is the specified data type.

  • You can specify whether a Job server participates in load balancing.

  • In custom method definitions, a script can be used to conditionally display a method. For example, this way you can control whether a task is only displayed in the Manager if a certain condition is met. The script does not change the user's permissions, only the behavior when loading an object in the One Identity Manager tools.

  • New features for schedules.

    • Schedules can be run on a specific day of the week in a specific month.

    • Multiple start times can be set per day.

    • The start details of schedules are logged.

  • You can define a default country that is taken into account when determining working hours and holidays.

  • Extension of $ notation with optional format specification: $<definition>:<data type>{<format>}$

  • Introduction of a new One Identity Manager query language. The One Identity Manager query language can be used to create queries or Where clause expressions against the One Identity Manager object layer. For example, the One Identity Manager query language is used to communicate between application servers and clients. Currently, you can use the One Identity Manager query language in the Object Browser's query window. For more information, see the One Identity Manager Configuration Guide.

  • Support for custom configuration files for logging with NLog. The custom-log-variables.config and custom-log-targets.config include files are defined in the globallog.config file. The LogFileLevel variable can overwrite the severity level in a custom configuration file. The eventLogLevel variable can be used to override the information level in a custom configuration file.

  • Transport templates can be created with the Database Transporter. You can use the transport templates when you create transport packages with the Database Transporter or with the DBTransporterCMD.exe command line program. This loads the export criteria from the transport template file.

  • The DBTransporterCMD.exe command line program supports the transport of synchronization projects.

  • New feature in the Quantum.MigratorCmd.exe command line utility.

    • Support for creating, checking, and extending SQL Server logins if granulated permissions are used.

    • New mode for creating an operational database after the database has been restored from a backup.

  • The DBCompilerCMD.exe command line program supports automatic compilation of the database. The database is monitored and compiled if necessary.

  • The AutoUpdate.exe command line program supports automatic software updating of a One Identity Manager installation.

  • The One Identity Manager tools are displayed in the Launchpad in a new Programs menu item and can be started from there.

  • Individual tasks in the Launchpad are also available for users with role-based permission groups.

  • An email configuration wizard is provided to configure email functionality in the One Identity Manager. The wizard can be run in the Launchpad and in the Designer's Configuration Parameter Editor.

  • The user interface of some One Identity Manager components requires Microsoft Edge WebView2 to display certain content. When installing the components, Microsoft Edge WebView2 is also installed.

  • The application server can be limited to a REST API mode.

  • Automatic updating of the application server can be configured in the web.config file. The mode attribute can be used to control whether the update is scheduled or started manually.

  • New Common | Indexing | DefaultResultLimit configuration parameter to specify the maximum number of search results returned for a query.

  • The API Server optionally provides a SCIM V2.0 interface through a plugin. This allows read and write access to a defined set of One Identity Manager tables.

  • The availability of a One Identity Manager Service can be tested over /alive.

  • New DirectConnection setting to configure the One Identity Manager Service for directly connecting to the target database without availability testing.

  • New DoNotWriteConfigBack setting to configure the One Identity Manager Service not to write the configuration back to the database.

  • New FtpComponent process component. This process component can transfer files by SFTP.

  • New CallMethodExclusive process task for the process component HandleObjectComponent to exclusively call a customizer method.

  • The F1 help and One Identity Manager documentation are provided in HTML5 format. You can access One Identity Manager documentation in the Manager by selecting the Help > Search in local help menu item.

  • Integration of Customizer methods into the Typed wrapper classes.

  • Step-by-step preparation of a database update. This runs through the various phases for preparing the database update. This step-by-step preparation is intended to ensure that users are informed about the upcoming update and that processes can be shut down in a targeted manner.

    NOTE: Step-by-step preparation is used only when updating databases that have at least One Identity Manager version 8.2.

Web Portal
  • This One Identity Manager version includes fundamentally redesigned web applications based on HTML5 technology. These web applications are provided through the API Server and cover the following application areas, among others:

    • IT Shop requests and approvals

    • IT shop configuration

    • Management of identities, user accounts, system entitlements, company structures, and system roles

    • Application Governance

    • Management of attestation policies

    • Attestation case approvals

    • Password management

    • Job queue process monitoring

    NOTE: The web applications that were previously part of the product are still available. For clarity, a distinction is now made between the Web Designer Web Portal and the Web Portal.

  • Application Governance is now part of the Web Portal. Application governance functionality lets you quickly and easily centralize the onboarding process for new applications. A new application combines all the entitlements that application users need for their daily tasks. This allows you to assign application permissions (for example, system entitlements or system roles) to your application and plan when they will be available in the Web Portal as requestable products.

  • In the Operations Support Web Portal it is now possible to view objects marked as outstanding, delete these objects in the database, or add them back to the target system. Additionally, it is possible to reset the status of these objects so that they are no longer marked as outstanding. A new Basic Roles | Operational Support | Post Synchronization Handling application role is provided.

  • It is now possible to decide in the Operations Support Web Portal how to deal with failed processes. For example, you can re-run processes and process steps that contain errors.

  • It is now possible to assign new passwords to identities in the Operations Support Web Portal.

  • In the Web Portal, you can display and request products that other people from your vicinity have already requested. As a manager, you can also see products from your team’s peer groups.

  • It is now possible to create, edit, and delete sample data in the Web Portal. This sample data can then be used in attestation policies to perform attestations for only a subset of objects, for example, if attesting all objects would take too long.

  • In Web Portal you can now display an organizational chart for each identity.

  • In the Web Portal, there is now a Products expiring soon tile on the home page that indicates products that will expire in the near future and need to be renewed.

  • Memberships in objects that were created through dynamic roles can now be excluded in the Web Portal.

  • It is now possible to create, edit, and delete shops and associated shelves in the Web Portal.

  • Using the Administration Portal, you can now view and edit your API configuration.

  • It is now possible to provide your own HTML5 applications as a ZIP file and have them hosted over the API Server.

  • It is now possible to create, edit, and delete service categories in the Web Portal.

Target system connection
  • Support for Microsoft Teams.

    Microsoft Teams teams and channels are mapped in One Identity Manager. The Microsoft Teams connector has the task of synchronizing Azure Active Directory. Installing the Microsoft Teams Module provides synchronization templates for Microsoft Teams. The Azure Active Directory connector uses the Microsoft Graph API for accessing Microsoft Teams. For more information, see the One Identity Manager Administration Guide for Connecting to a Microsoft Teams Environment.

    A patch for synchronization projects with patch ID VPR#32454 is provided.

  • Simulation of property mapping for single objects

    In the Synchronization Editor, you can test the results of property mapping rules. In particular, this can be used to check the mapping of virtual schema properties. The test results can be exported and thus used for product support.

  • Support for the Microsoft Cloud for US Government (L4) national cloud deployment.

    Patches for synchronization projects with patch ID VPR#34150 and patch ID VPR#34170 are provided.

  • Support for Azure Active Directory guest users. To send the invitation to guest users, additional modifications are required in the synchronization project.

    Patches for synchronization projects with patch ID VPR#28669 and with patch ID VPR#32665 are provided.

  • For Azure Active Directory user accounts, additional properties are supported for mapping personal and federation information for Azure Active Directory.

    A patch for synchronization projects with patch ID VPR#31389 is provided.

  • The date of the last password change to Azure Active Directory user accounts is loaded.

    A patch for synchronization projects with patch ID VPR#32975 is provided.

  • Support for license assignment to Azure Active Directory user accounts through Azure Active Directory groups. Additional reports are provided for user accounts and subscriptions.

    A patch for synchronization projects with patch ID VPR#32384 is provided.

  • Support for Azure Active Directory applications, service principals, and app roles.

    A patch for synchronization projects with patch ID VPR#33088 is provided.

  • Support for Azure Active Directory activity-based timeout policies, home realm discovery policies, token issuance policies, and Token lifetime policies.

    A patch for synchronization projects with patch ID VPR#33198 is provided.

  • Update employees when Azure Active Directory user accounts are changed.

    The new TargetSystem | AAD | PersonUpdate configuration parameter can be used to control whether the properties of connected employees in One Identity Manager are updated when user accounts in Azure Active Directory are changed.

  • Support for custom Azure Active Directory schema extensions. The Azure Active Directory connector can read and write Azure Active Directory schema extensions.

  • The Azure Active Directory connector supports delta synchronization to speed up Azure Active Directory synchronization. Delta synchronization is not enabled by default; it must be customized.

  • The Hide group from Outlook property in Office 365 groups is mapped.

    A patch for synchronization projects with patch ID VPR#34046 is provided.

  • The Active Directory connector supports Active Directory, which is shipped with Windows Server 2022.

  • With Active Directory synchronization, more restrictive values for the minimum password length and the number of passwords to store are applied from a domain's global account policy to the One Identity Manager password policy for that domain.

  • The Middle Name property of Active Directory user accounts is mapped.

    A patch for synchronization projects with patch ID VPR#32110 is provided.

  • Support for protection against accidental deletion of Active Directory containers, user accounts, contacts, and computers.

    Patches for synchronization projects with patch ID VPR#32759 and with patch ID VPR#32783 are provided.

  • The Azure AD Connect anchor ID of Active Directory user accounts, contacts, groups, and computers is mapped.

    Patches for synchronization projects with patch ID VPR#32950 and with patch ID VPR#32952 are provided.

  • The Password Capture Agent supports Windows Server 2019 and Windows Server 2022.

  • Support for One Identity Active Roles version 7.4.5.

  • Support for the Active Roles Group Family.

    A patch for synchronization projects with patch ID VPR#34634 is provided.

  • A new TargetSystem | ADS | ARS configuration parameter has been added for Active Roles. Active Roles specific components are marked with a new preprocessor condition ARS.

  • Support for the Microsoft Exchange mailbox permissions Send as and Full access.

    A patch for synchronization projects with patch ID VPR#21073 is provided. Synchronization is not enabled by default. In order to synchronize mailbox permissions, the synchronization project must be customized.

  • Support for excluding Microsoft Exchange mailbox databases from automatic mailbox distribution.

    A patch for synchronization projects with patch ID VPR#26120 is provided.

  • Support for Microsoft Exchange address book policies.

    A patch for synchronization projects with patch ID VPR#27741 is provided.

  • Support for recovery of individual items of Microsoft Exchange mailboxes.

    A patch for synchronization projects with patch ID VPR#31470 is provided.

  • A new LDAP connector, LDAP connector (version 2), is provided. Project templates are provided for OpenDJ, Active Directory Lightweight Directory Services (AD LDS), and Oracle Directory Server Enterprise Edition (DSEE), as well as a generic project template.

  • Support for multiple linking of LDAP systems with the same distinguished name.

    • With newly created synchronization projects, the LDAP domain names are formed with <DN component 1> (<server from connection parameters>).

    • For existing synchronization projects created with the generic LDAP connector, a patch with patch ID VPR#33513 is provided.

    • LDAP domains that are already in the database are not renamed. If necessary, manually adjust the LDAP domain names (Ident_Domain).

  • Support for the One Identity Safeguard versions 6.7, 6.10, and 6.11.

  • Support for access requests for SSH keys for One Identity Safeguard.

    A patch for synchronization projects with patch ID VPR#32541 is provided.

  • Support for vault for personal passwords for user accounts in One Identity Safeguard.

    A patch for synchronization projects with patch ID VPR#34392 is provided.

  • Connection of PostgreSQL databases

    With the generic database connector, PostgreSQL databases can now also be connected.

  • The One Identity Manager connector supports synchronization of databases with different product versions or different number of modules.

    A patch for synchronization projects with patch ID VPR#33728 is provided.

  • Generation of synchronization projects for synchronization of two One Identity Manager databases (system synchronization)

    The synchronization project for synchronization of two One Identity Manager databases can be created automatically based on defined criteria. This creates an image of selected application data from a One Identity Manager database. Support for revision filtering. The frequency of synchronization can be set individually for each table to be synchronized.

    System synchronization simplifies the setup and maintenance of the synchronization configuration. One Identity Manager takes care of setting up all the components of the synchronization configuration. Manual adjustments are not necessary. For example, use system synchronization to outsource computationally intensive functions such as attestation and automatic revoking entitlements from the central database.

    A patch for synchronization projects with patch ID VPR#33728 is provided.

  • The scope of the synchronization protocol has been extended. Information about the processed objects, synchronization progress, and revision filtering by synchronization step is now output. The level of detail can be configured in the synchronization workflows.

  • Variables can be used for defining quotas.

  • The Oracle E-Business Suite connector and the generic database connector for Oracle Database have been migrated to Oracle Data Provider for .NET (ODP.NET).

    A patch for synchronization projects with patch ID VPR#33804 is provided.


    • The connection parameters of existing synchronization projects for Oracle E-Business Suite are altered when establishing the connection to the target system, where possible, and should be checked afterwards.

    • The connection parameters of existing synchronization projects for the generic database connector for Oracle Database are altered when updating One Identity Manager, where possible, and should be checked afterwards.

  • Mapping of different types of system entitlements.

    Many cloud applications use more than one group type to map entitlements. When connecting cloud applications, other types of system entitlements, such as roles or entitlement sets, can now be mapped in addition to groups. Depending on the target system, assignments are maintained either with the user accounts (user-based assignment) or with the system entitlements (entitlement-based assignment). The types used, and the object types with which the assignments are maintained, are configured when synchronization is set up.

    The different types of system entitlements and their assignments can be integrated into Identity Audit and attestation.

  • When defining schema types in a schema extension file for the SAP connector schema, the InsertCommitDefinition, WriteCommitDefinition, and DeleteCommitDefinition attributes can now also be used.

  • SAP S/4HANA user types and communication data are supported.

    Patches for synchronization projects with patch ID VPR#33301 and VPR#33301_2 are provided.

  • An RFC function module /VIAENET/HELPER with the /VIAENET/ZHELPER function group is provided, which selects the PA0002 table.

  • An RFC function module /VIAENET/READTABLE is provided, which behaves similarly to the RFC_READ_TABLE function module. The function can read data from tables and views in the SAP database, as long as they are not marked as internal tables.

  • For mapping additional HR data to employees, the SAP R/3 HCM employee objects synchronization template provides the mapping and the Employee_PA0000 synchronization step. This mapping can be used instead of the default Employee mapping. To do this, activate the Employee_PA0000 synchronization step and deactivate the Employee synchronization step.

  • The Domino connector supports the Notes Client version 10.0.

  • Support for HCL Domino Server version 12.0 and HCL Notes Client version 12.0

    NOTE: If the connected Domino system uses Domino 12 and the Domino connector has write access to the target system, then the gateway server must have Notes client version 12 installed.

    If read-only access to the target system is required, an older Notes client version can also be used on the gateway server.

  • Creating SharePoint Online site collections and sites

    You can add new site collections and sites in One Identity Manager and publish them in the SharePoint Online target system. Predefined scripts and processes are provided for this purpose. These can be used as templates to make site collections and sites requestable through the IT Shop.

    A patch for synchronization projects with patch ID VPR#31779 is provided.

  • For synchronization of Unix-based target systems, authentication with a private SSH key is supported.

    A patch for synchronization projects with patch ID VPR#33249 is provided.

Identity and Access Governance
  • Improved support for inheritance of target system-specific groups and permissions by user accounts.

    To better distinguish which types of groups and permissions are inherited, additional options for inheritance have been implemented. In addition, you can specify which groups and privileges are to be inherited when you create the account definitions. A note is displayed on the user account overview forms when groups and permissions cannot be inherited.

  • For inheritance of groups and permissions based on categories, 64 categories can now be created.

  • Assignments of employees to multiple business roles can be prevented. You can enable the option for role classes and role types.

  • New default approval procedures KA and OT for attestations and IT Shop requests.

  • New default approval procedure CS for attesting employees.

  • New default objects (attestation policy, attestation procedure, condition types, approval workflow, and approval policy) for attestation of initial manager assignment. With this attestation, missing manager information can be requested and assigned to employees.

  • New report Overview of the results of an attestation run.

  • Attestation policies can be configured to automatically change the certification status of attestation objects when an attestation is approved or denied. The Set certification status to "Certified" and Set certification status to "Denied" options can be enabled if a table is selected in the attestation procedure that has an ApprovalState column. The feature can be used by default for attesting employees, business roles, application roles, and organizations.

  • Shortened process of attestations if an attestor is authorized to make multiple approvals in one attestation case. If this attestor grants approval it is automatically carried over to subsequent approval steps. Thus, the attestation case is submitted to the attestor for approval only once.

    The feature is activated with the QER | Attestation | ReuseDecision configuration parameter.

  • Sample attestation

    With sample attestation, attestation cases can be restricted to a selection of attestation objects. Samples can be compiled manually or based on defined criteria. A default sample Monthly organizational changes to employees is provided. This can be used if the QER | Selections | PersonOrganizationalChanges configuration parameter is set. To create random samples, the QER_PPickedItemInsertRandom SQL procedure can be used.

  • Weekends and public holidays are now taken into account by default when calculating working hours, for example for the due date of attestation cases or the approver reminders. To configure whether weekends or holidays should be treated as working days, additional configuration parameters have been introduced.

    • QBM | WorkingHours | IgnoreHoliday

    • QBM | WorkingHours | IgnoreWeekend

    • For time-limited requests, if the expiration date has passed, requests can now go through a cancellation workflow before the assignment is permanently removed.

    • QER | Attestation | UseWorkingHoursDefinition

  • Assignments of company resources to system roles can now be requested in the Web Portal. For this purpose, the Assignments to system roles default assignment resource is provided.

    When attesting assignments to system roles, the requested assignments can also be removed automatically. The QER | Attestation | AutoRemovalScope | ESetHasEntitlement | RemoveRequested configuration parameter was introduced for this purpose.

  • The definition of SAP functions has been extended so that external services, TADIR services and RFC function modules can be included in the authorization check in addition to transactions. Transactions, external services, TADIR services, and RFC function modules are mapped as SAP applications in One Identity Manager.

    Patches for synchronization projects with patch ID VPR#32963_1 and VPR#32963_2 are provided.

  • The definition of product-specific request properties has been redesigned. Now you can define a lot of additional information for request parameters. This makes the implementation of request properties more flexible. The previous solution can still be used. When creating new request properties, you specify whether you want to use the modern or the obsolete definition.

  • Assigned requests that have passed their expiration date can now go through the cancellation workflow stored in the approval policy before the assignment is finally removed. The feature is activated with the QER | ITShop | ExceededValidUntilUnsubscribe configuration parameter.

  • Employees can be excluded automatically from dynamic roles on the basis of a denied attestation or a rule violation. An excluded list is maintained to do this. Excluded lists can also be defined for individual employees.

  • Support for the reorganization of an IT Shop solution. The following tasks can be run on custom IT Shop structures:

    • Simultaneous moving of several selected products from one shelf to another shelf.

    • Moving a complete shelf to another shop.

    • Moving a complete shop to another shopping center.

  • Introduction of a general deputization of all of an employee's approval entitlements. An employee can appoint a deputy for all approval powers in one area. This deputy is additionally identified as the approver for all approvals that the employee is required to make during a specified time period. Deputies may be established for attestation, request approvals, and exception approvals of requests.

  • When attesting memberships in application roles, memberships that were created through a dynamic role can also be automatically removed. The QER | Attestation | AutoRemovalScope | AERoleMembership | RemoveDynamicRole configuration parameter was introduced for this purpose.

  • Google Workspace admin role assignments can now be requested in the Web Portal and integrated into Identity Audit.

  • Manually created application roles for product owners are now also automatically deleted if they are not used.

    NOTE: If you have set up your own application roles under the Request & Fulfillment | IT Shop | Product owners application role that you use for custom use cases (tables), then check whether these can be deleted automatically. Otherwise, disable the Clean up application role "Request & Fulfillment | IT Shop | Product owners" schedule.


The following is a list of enhancements implemented in One Identity Manager 8.2.

Table 1: General


Issue ID

The overview of the system configuration has been improved and extended with new values.

  • The report can be saved as a CSV file

  • The database encryption state is displayed.

  • Improved display of historical data values.

31738, 32890, 32992, 34692

Improved support for the delta method for faster database updates.

32791, 32917

Improved migration performance.

34109, 34587, 34591

The basegroup database role is no longer used. The database role is no longer created for new installations. In existing installations the database role can still be used.


Improved creation of table indexes.


Improved readability of generated view definitions.


New consistency check Mandantory field definition missing to detect potentially missing mandatory field definitions.


The default language of a language code (QBMCulture.UID_DialogCultureDefault) can be customized.


Entries are now generated in the DialogProcess table for deferred operations.


Improved determining of process information about a trigger.


Improved support for BULK operations in the object layer.

31066, 31573, 32249

Improved support for retrieving historical information.

30334, 30437, 31449, 31450, 31451, 34723

Extension of EntityLogic fluent interfaces for running conditionally.


Optimized determining display values.


The hash function SHA-1 is not used anymore.


Improved password quality calculation. Password quality for short passwords can now be lower.


Permissions of logins for administrative users with granulated permissions are extended in the Configuration Wizard, if necessary.


Existing SQL Server logins can be used in Configuration Wizard.


Improved enabling and disabling of authentication modules in the Designer.

33929

The <SpecialSheetData> section from configuring interface forms is no longer supported. The definition now goes in the <Properties> section.

NOTE: Existing configurations will be adjusted during the database update. Check the data if necessary.


Improved documentation of supplied schedules by default.


Improved documentation for overriding templates.


Improved support for uninstalling One Identity Manager components. As long as there are multiple One Identity Manager installations, the configuration data cannot be removed.


In the connection dialog, the database server can now be deleted from the server menu.


When running multiple databases in a managed instance in Azure SQL Database, you can fix the number of slots in the new QBM | DBServerAgent | CountSlotAgents configuration parameter.


Improved support for installing modules later.

33942

Improved documentation of the DBQueue Processor reinitialization after a server hardware upgrade.


The StdIoProcessor.exe checks whether its parent process (VINetworkService.exe) is still up and running.


Improved logging of process handling in the One Identity Manager Service log file.

31536, 32792, 33721, 34330, 34559

Improved output of table names in error number 810005.


New Server\Job Server\Configuration utility machine role for installing the Job Service Configuration.


The Server Installer remembers the directory with the installation files.


Improved installation information for the One Identity Manager Service in the Server Installer and in the Configuration Wizard.


A time delay is now in effect when exiting the One Identity Manager Service to allow the service to synchronize with the database.


Support for custom translations of resource file text.


The Where Clause Wizard for entering database queries supports date comparisons.


Improved feedback for the system status in the One Identity Manager tools' status bar.


The status bar indicates whether the logged-in user is an administrative user.


Update of the controls in the One Identity Manager tools.


Improved display of multi-line values in MVP columns.


Improved display of columns representing a URL.


If a text is too long for translation, a corresponding hint is now displayed at the input field.


To make filters available to all users, you can publish the filters in the Manager or in the Designer, for example.

31025, 33247

Improved display of the primary key in an object's properties dialog. The primary key can be copied in different formats.


Improved SQL export in an object's properties dialog.


Improved support for script editing.

  • The functions in the advanced editing window for scripts have been revised and extended.

  • Additional code snippets are provided.

  • Sorting of the code snippets has been improved.

32026, 32937, 33161, 33162, 33240

Display values for report parameters can be passed to reports.


The maximum number of result rows of report queries can now be modified.


Tooltips are displayed on assignment forms in the Manager.


Outstanding objects are now shown crossed out on the assignment forms.


In the Object Browser, breakpoints are automatically saved in the configuration when the debug dialog is closed and loaded again when the debug dialog is reopened.


Improved prompt when saving changes in the Object Browser.


In the Object Browser, when SQL queries are run, the total number of times and the run time of the query are output.


Enhancements and improvements in the Job Queue Info.

  • Parameters that contain an object key are displayed as a link. The link displays the object properties. The Object Browser can be started. The Synchronization Editor can be started if the object keys refer to a synchronization project.

  • A new start time for a process step can be set.

  • The number of retries for a process step can be changed.

  • Multiple Job servers can be selected at the same time to edit the credentials to determine the status.

30102, 31983, 32851, 33516, 33642

In the Software Loader the root directory is now stored per database.


In the Database Transporter, test whether the logged-in user has sufficient permissions to import.


Improved behavior of the web service integration wizard.


Improved support for mail definitions in the Designer.

31820, 33419

In the Designer, modified configuration parameters are specially flagged in the Configuration Parameter Editor.


Improved support for editing table relations. Dynamic table relations are now displayed in the Schema Editor.

31849, 32582, 32429

View definitions can be checked in the Schema Editor.


In the Script Editor, the font size can be changed using Ctrl + mouse wheel.


The Process Editor points out possible misconfigurations when checking process validity.

32035, 34223

Improved column configuration support in the Schema Extension.


Improved behavior of the command line tools.

  • Version, error messages, and help texts are output.

  • In the /conn parameter of the command line tools, the name of the connection can be entered according to the HKEY_CURRENT_USER\Software\One Identity\One Identity Manager\Global\Connections registry entry.

30328, 31082, 34077, 34209, 33010

Improved detection of need to compile in the DBTransporterCMD.exe command line program.


Improved support for importing files with the SoftwareLoaderCMD.exe command line utility.

33943

Documentation of the create-web-dir.exe command line program.


When closing the Launchpad with the Close button, a notice is now displayed that the Launchpad is minimized to the notification area of the Windows task bar.


The Launchpad shows the color of the staging layer in the status bar.


The PowerShell library for One Identity Manager has been extended.


Table 2: General web applications


Issue ID

Improved security in the application server.


REST API application server enhancements and improvements.

32576, 33963, 33728, 33126, 32930, 33923, 34016

Improved session handling in the application server when using tokens to authenticate.


The validity of the session certificate is checked.


In the application server, it is now possible to access the API with requests authenticated by access tokens.


The VI_ITShop_Compliance_DoNotCheckIndirect Web Designer configuration key has been removed.


For security reasons, the VI_Common_UserMessageAdd HTML Web Designer component now encodes the entered text by default. This behavior can be deactivated by the DoNotHtmlEncode() virtual function when calling the component.


For security reasons, the VI_Common_ExternalFormHost Web Designer component can now no longer be used to display arbitrary URLs. If you need this functionality, you must rebuild existing code and use the QBM_Common_ExternalFormHost form component instead. This has the advantage of not passing URLs in the form of URL parameters.


The parameter withPermissions of the Web Designer function dbcount() is now marked as obsolete.


The permissions for debugging web applications have been extended.


Webauthn security keys: The RSTS version has been updated to version 2019.11.22.0. You can now prevent the X-Frame-Options HTTP response header from being output at all by setting the RSTS configuration property DisableAddingXFrameOptionsHeader to true.
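Setting DisableAddingXFrameOptionsHeader to true removes one of the two headers browsers consult before rendering a page inside a frame. The following Python sketch is an added example (not One Identity code) that audits a response's headers for remaining framing protection, counting an enforced Content-Security-Policy frame-ancestors directive as the alternative; the sample responses and host names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample responses (not captured from a real RSTS or API Server).
SAMPLES = {
    "xfo_only": "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\n",
    "xfo_disabled_csp_present": (
        "HTTP/1.1 200 OK\n"
        "Content-Security-Policy: default-src 'self'; "
        "frame-ancestors 'self' https://portal.example.test\n"
    ),
    "xfo_disabled_no_frame_ancestors": (
        "HTTP/1.1 200 OK\n"
        "Content-Security-Policy: default-src 'self'; script-src 'self'\n"
    ),
    "report_only": (
        "HTTP/1.1 200 OK\n"
        "Content-Security-Policy-Report-Only: frame-ancestors 'none'\n"
    ),
    "wildcard": (
        "HTTP/1.1 200 OK\n"
        "Content-Security-Policy: frame-ancestors *\n"
        "X-Frame-Options: ALLOW-FROM https://portal.example.test\n"
    ),
}


@dataclass
class FramingVerdict:
    protected: bool
    mechanism: str  # "both", "csp", "xfo" or "none"
    detail: str


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw header block into {lowercased name: [values]}."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.upper().startswith("HTTP/"):
            continue  # status line or malformed line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp_values: list[str]) -> list[list[str]]:
    """Source lists of frame-ancestors, one per enforced policy that sets it."""
    found = []
    for value in csp_values:
        for policy in value.split(","):  # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    found.append([t.lower() for t in tokens[1:]])
                    break  # later duplicates in the same policy are ignored
    return found


def is_wildcard(source: str) -> bool:
    """True for sources that match any origin: *, a bare scheme, scheme://*."""
    return source in ("*", "http:", "https:") or source.split("://", 1)[-1] == "*"


def audit_framing(raw: str) -> FramingVerdict:
    headers = parse_headers(raw)
    policies = frame_ancestors(headers.get("content-security-policy", []))
    # Every enforced policy must allow the embedder, so one restrictive
    # frame-ancestors list is enough. An empty list matches no origin.
    csp_ok = any(not any(is_wildcard(s) for s in srcs) for srcs in policies)
    xfo = [t.strip().lower()
           for v in headers.get("x-frame-options", []) for t in v.split(",")]
    xfo_ok = any(v in ("deny", "sameorigin") for v in xfo)

    if csp_ok or xfo_ok:
        mechanism = "both" if csp_ok and xfo_ok else "csp" if csp_ok else "xfo"
        return FramingVerdict(True, mechanism, "framing is restricted")

    reasons = []
    if policies:
        reasons.append("frame-ancestors allows any origin")
    elif "content-security-policy" in headers:
        reasons.append(
            "CSP has no frame-ancestors (default-src does not cover framing)")
    if "content-security-policy-report-only" in headers:
        reasons.append("Report-Only policy is not enforced")
    if xfo:
        reasons.append("X-Frame-Options value is not DENY or SAMEORIGIN")
    else:
        reasons.append("no X-Frame-Options header")
    return FramingVerdict(False, "none", "; ".join(reasons))


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = audit_framing(raw)
        print(f"{name:34} protected={v.protected!s:5} via={v.mechanism:4} {v.detail}")
```
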


Identities with the Basic roles | Operational support application role can now no longer start and stop the DBQueue and JobQueue. If identities are to perform these tasks, they must be assigned the Basic Roles | Operational support | System administrators application role.


Improved performance of grid controls. Fewer database queries are generated.


When a request item is removed from a shopping cart that has dependent products, the dependent request items are also removed.


When a shopping cart is deleted, its request items are also deleted.


Improved presentation of the results of a peer group analysis.


Managers now see all the delegations of their child identities in the Web Designer Web Portal and in the Web Portal.


It is now possible to set a default size for images. When uploading images to Web Portal, they will be scaled accordingly.


Shopping carts that have already been sent are now marked accordingly and it is no longer possible to add more products to such shopping carts.


In the Web Portal, the request's main data now displays the request status instead of the processing status.


Improved warnings have been introduced for the Web Portal log file and for the Web Portal monitor page, which indicate components that load a conspicuously large number of objects.


Removed check box in front of the date field in the Web Portal. If you do not want a time restriction, do not enter anything in the field.


If a single sign-on session ends in the Web Designer Web Portal, a button is now displayed that can be used to log in again with single sign-on.


In the Web Portal, the set of selectable reference users is limited in the default configuration.


The dialog for deleting secondary memberships of a role in the Web Portal has been extended. It now offers the possibility to optionally delete direct, requested, and dynamic memberships respectively.


In the Web Portal, memberships in system entitlements can now be filtered and paginated.


The label in the Filter on filter dialog has been changed to Filter on the '<column name>' column.


In the Web Portal, an error message is displayed if the date entered is invalid.


The following columns in the QBMWebApplication table have been described in such a way that it is clear that they are only relevant for the Web Designer Web Portal:

  • UID_DialogAEDSWebProject

  • UID_DialogAuthentifier

  • UID_DialogAuthSecondary


Improved design and navigation of the Operations Support Web Portal.


For performance reasons, the API Server result format has been changed so that the value of DisplayValue is only sent if it differs from the value of Value.


The imx/ping API method has been introduced for the API Server. This API method can be used as a "health check" of the API Servers. It can be called without authentication.


It is now possible to configure the logging of the API Servers using a central configuration file.


The API Server now returns unset dates in the JSON serialization as NULL.


For the API Server, the Microsoft Extensibility Framework component has been removed.


  • Marking classes with the [Export] or [Import] attributes is no longer supported.

  • All public classes that implement a given interface are automatically found as a plugin.

  • Plugin classes must no longer be marked as "internal".

    Plugin classes must define a public and parameterless constructor.


The API Server now supports HTTP compression.


A content security policy has been introduced for HTML5 applications.


The source code structure for HTML5 applications has been changed to an Angular workspace to enable a uniform folder structure without symbolic links.


The API Server provides the HTML5 web application documentation.


Halted requests no longer appear in HTML5 web application logs.


For performance reasons, bulk entity processing can now be configured when configuring entity-based API methods.


The entity schema must now be queried at runtime by the API Server.


The following changes have been made to the API model for hierarchical entity structures:

  • The DisableHierarchicalData flag in the API definition has been removed.

  • The noRecursive URL parameter has been removed. The ParentKey URL parameter can be used to control whether results from the top level, a specific level, or all levels of the hierarchy should be returned.


When an API method is defined, not all columns are made writable by default. When developing API methods, the columns must be declared individually or explicitly all made writable.





.WithWritableColumns("FirstName", "LastName")


The Internet Explorer is no longer supported.


Update of the Secure Password Extension to version 5.9.5.


Table 3: Target system connection


Issue ID

Customizer methods are provided to handle outstanding objects in an automated manner. These methods can be called in scripts or processes.


Improved logging of synchronization errors using NLog.


Improved documentation of quotas in synchronization steps.


The synchronization buffer can be disabled for schema properties in the One Identity Manager schema that map members of many-to-many schema types or key resolutions.

IMPORTANT: If the synchronization buffer is disabled, references that are missing in One Identity Manager will be deleted in the target system when synchronizing into the target system or during provisioning. Therefore, check carefully whether the synchronization buffer can be disabled.


New consistency check Outstanding objects with not outstanding assignments to determine outstanding objects with assignments that are not outstanding.


The Synchronization Editor can be run in offline mode when access to the connected system is not required.


The One Identity Manager connector detects if the Customizer sets default values for mandatory fields.


When automatically creating or updating synchronization projects using a command line command or Windows PowerShell CmdLet, a remote connection can now be used to connect to the target system.


In the Synchronization Editor log view color is used to show whether a synchronization was completed successfully or with errors.


When setting up a new synchronization step, a quota of 10% is set by default for objects in One Identity Manager for the Delete processing method. This quota can be adjusted on a project-specific basis.


The home page of the Synchronization Editor shows whether patches are available for existing synchronization projects.


To restart a start up sequence if it was unexpectedly stopped, the instance of the start up sequence can be deleted directly in the Synchronization Editor.


The schema view of the mapping editor now shows which schema property contains the revision counter.


Copies of synchronization projects can now be created in the Synchronization Editor.


Improved membership provisioning when members of an object in One Identity Manager are mapped to different member lists of an object in the target system.


Schema properties with the Property join property type (PropertyJoin) are now writable.


In synchronization projects with the generic database connector, the Windows PowerShell connector, and the CSV connector, a subtype can be entered for each connected system. One Identity Manager needs this information to provision memberships if the objects from several similar generic target systems are mapped in the same One Identity Manager tables.


The Synchronization Editor prevents synchronization projects from being edited and saved simultaneously by multiple users.


Improved revision filtering support.

34101, 34102

The behavior of start up sequences can be configured such that a start up sequence starts multiple times, although multiple start ups are not allowed. The new instance of the start up sequence can be stopped with an error (default behavior) or stopped non-verbosely.


Improved error message for the error: Automatic resolution of the failed workflow's dependencies.


The Synchronization Editor Command Line Interface can be used to update the One Identity Manager schema in synchronization projects.


The condition for applying a property mapping rule can now also be formulated as a script.


Faulty connection parameters can be cleaned up in the system connection wizard.


A new consistency check tests whether the system connection is writable when Correct rogue modifications is set on a property mapping rule.


Improved display of messages in the synchronization log.


Improved display of the origin of Azure Active Directory subscriptions and service plans for employees.


Improved documentation of the features, recommendations, and necessary modifications when operating an Azure Active Directory federation.


Improved support for linking Azure Active Directory user accounts and Active Directory user accounts in an Azure Active Directory federation.


Improved handling of Azure Active Directory group owners when deleting groups.


LDAP containers can be renamed.


The syntax rules for LDAP attributes are now displayed in the Synchronization Editor in addition to the descriptions.


Improved handling of multi-forest structures when resolving the DNS of the Global Catalog. The algorithm for searching the Global Catalog now takes the Active Directory forest root domain into account when searching.


Improved display of Active Directory objects in the Manager and in reports. The full domain name (ADSDomain.ADSDomainName) is now used.


The member schema properties of Active Directory groups are read-only in the target system browser to prevent write accesses that would lead to incorrect results if a group has more than 1500 members.

A patch for synchronization projects with patch ID VPR#34324 is provided.


Improved support for dynamic groups in Active Directory.

34769, 34632

Improved logging in the Active Roles connector.


Improved treatment of dynamic groups in Active Roles.

34287, 34323, 34627

The Microsoft Exchange policy for mobile email queries has been renamed to Mobile device mailbox policy.


The label of the PAGAccessOrder.ValidDurationMinutes column has been changed to Checkout duration [min].


A wait step has been added to the processes ADS_ADSDomain_Publish ADSGroups to ITShop_PostSync and AAD_AADOrganization_Publish AAD objects to ITShop_PostSync to check if the respective process for automatically assigning employees to user accounts (ADS_ADSDomain_SearchandCreate_Person_PostSync and AAD_Organization_SearchAndCreate_Person_PostSync) has finished.

34651, 34658

In the system connection wizard for cloud applications, a reference time zone can be stored for handling date values without UTC offset.

A patch for synchronization projects with patch ID VPR#33978 is provided.


The generic database connector for the generic ADO.NET provider now supports reading back automatically mapped values.


Improved logging in the generic database connector.


Improved support for dynamic groups in custom target systems.


Additional reports are provided about user accounts and groups in all target systems.

33456, 33599

Various reports now also show the origin of a membership or entitlement.


Additional access control settings for Google Workspace groups are mapped.

A patch for synchronization projects with patch ID VPR#32610 is provided.


The HROrgUnitManager schema type has been extended so that the validity period of manager assignments can now also be mapped.


The default company of SAP clients can now be read in by the synchronization.

A patch for synchronization projects with patch ID VPR#33819 is provided.


For target systems in Unified Namespace, an overview form is displayed in the Manager.


The overview form for E-Business Suite systems (VI_EBS_EBSSystem_Overview) displays a message if no synchronization project has been set up.


The Windows PowerShell connector and the One Identity Safeguard connector now treat passwords as secret values.

A patch for synchronization projects with patch ID VPR#34403 is provided.


The edsaIsDynamicGoup property of Active Directory groups is mapped in One Identity Manager.

A patch for synchronization projects with patch ID VPR#34168 is provided.


Additional schema properties are mapped to Google Workspace user accounts.

A patch for synchronization projects with patch ID VPR#33093 is provided.


The SCIM connector now allows up to 10 parallel accesses to load single objects during synchronization.

A patch for synchronization projects with patch ID VPR#32564 is provided.


When using Universal Cloud Interface to synchronize cloud applications, it is now possible to configure whether to keep the target system connected.

A patch for synchronization projects with patch ID VPR#33884 is provided.


Table 4: Identity and Access Governance


Issue ID

Additional permitted values for Person.ImportSource.


For automatic approvals of requests and attestation cases the following now applies:

If additional approvers are determined by recalculating the current approvers, then the automatic approval deadline is not extended. Additional approvers must grant or deny approval within the time period that applied to the previous approvers.


User accounts that are intentionally not assigned an employee can be marked accordingly. If attestation of user accounts that are not connected with an employee is approved, these user accounts will not be submitted for attestation in the future. In the Web Portal, user accounts that are not connected with an identity can be filtered by different categories.

33384, 34387

Text templates describing the facts to be attested can be stored in attestation procedures. This text is displayed to attestors in the Web Portal.


Improved performance when setting up attestation cases and attestation runs.

33742, 34017, 34039, 34202, 34217, 34243, 34344, 34431

Attestation policies can have an application role assigned as the owner, so multiple employees can own an attestation policy.


Attestation guidelines can define the language in which to display the information to be attested.


Additional reports on attestation runs are provided, which contain the complete attestation history.


Customized reports can now be assigned to default attestation procedures.


Mail templates used for notifying rule and policy supervisors and exception approvers are now directly mapped to compliance rules and company policies.

The following configuration parameters have been deleted:

  • QER | Policy | EmailNotification | NewExceptionApproval

  • QER | Policy | EmailNotification | NotPermittedViolation

  • QER | ComplianceCheck | EmailNotification | NewExceptionApproval

  • QER | ComplianceCheck | EmailNotification | NotPermittedViolation

When the One Identity Manager database is updated, the values of the configuration parameters are transferred to the new ComplianceRule.UID_DialogRichMailNewViolation and QERPolicy.UID_DialogRichMailNewViolation columns.


Approval steps can now be escalated even if no approver or attestor can be determined and no fallback approver is assigned. In this case, the request or attestation case is no longer canceled or passed on to the chief approval team, but escalated.


The CM approval procedure can now also be used to attest system role assignments and employee's account definitions.


When sending email notifications in the IT Shop and attesting, the sender address entered at the QER | Attestation | DefaultSenderAddress and QER | ITShop | DefaultSenderAddress configuration parameters is now given by default. The employee's default email address is no longer used as the sender address for automatic notifications.


Permissions for the Request & Fulfillment | IT Shop | Administrators application role have been extended.


On the overview forms of departments, locations, cost centers, business roles, application roles, and IT Shop structures, existing delegations of the manager and 2. manager are displayed.


Improved performance when saving requests.


New consistency check Direct memberships in BaseTree that are not allowed to identify direct assignments to roles and organizations for which direct assignment is not allowed.


Recalculation of a dynamic role can be temporarily disabled (DynamicGroup.IsRecalculationDeactivated).


Using the @UID_Org variable, you can access the role or organization referenced by the dynamic role.

33757, 31554

Improved calculation of dynamic roles.


The usage type of standard reasons can now be edited by users.


The configuration parameters for automatic transfer of groups to the IT Shop have been restructured.

The previous QER | ITShop | GroupAutoPublish configuration parameter and the preprocessor expression GroupAutoPublish applied to Active Directory and SharePoint groups. This has been divided up. The GroupAutoPublish preprocessor expression is still used with the new QER | ITShop | AutoPublish | ADSGroup configuration parameter. For the new QER | ITShop | AutoPublish | SPSGroup configuration parameter, the preprocessor expression AutoPublish_SPSGroup has been introduced.

NOTE: If you have implemented customizations for SharePoint groups that use the GroupAutoPublish preprocessor expression, then change the preprocessor expression to AutoPublish_SPSGroup for this.


Additional properties can now also be assigned to LDAP containers.


Improved preparation of data for faster cross-table searching. It is now possible to additionally specify a path to the Person object in order to determine the employee within the cross-table search for user accounts or email addresses.


When automatically creating application roles for product owners, the display name of the person is now used to form the application role name.


When submitting requests, the valid until date is no longer checked against the current time. For example, errors are avoided if a long time has elapsed between creating and sending a shopping cart.


Resolved issues

The following is a list of solved problems in this version.

Table 5: General

Resolved issue

Issue ID

Parameter values are not copied entirely from the process simulation to the clipboard.


Blockage when running QBM_PProcessGroupDelete while transferring data to the History Database.


The DateRange class static methods do not yet perform the time zone conversion properly.


Object definitions (DialogObject) can be created without a table reference.


Error in the Schema Editor when editing tables and columns.


Dates with the time 0:00 are not correctly converted to UTC format.


It is not possible to create databases with a name longer than 40 characters.

33549, 33906

High memory consumption when compiling with the Configuration Wizard or the Database Compiler.


Automatic software update does not take the files only option into account.


When process steps with the Frozen status in Job Queue Info are advanced, the subsequent process step loses its retries.


A change to the UseSSL option in the One Identity Manager Service configuration requires a restart of the service, although this is not necessary according to the information displayed in the Job Service Configuration.


Error in the QBM_PDBQueueRunner procedure when removing modules.


Error logging in to the Manager web application with Japanese language.


When testing whether a report contains data, an error may occur.

Error message: Could not find stored procedure 'Report_LimitData'.


Entering a string for an event's process data results in a compilation error.

Error message: '<text>' is not declared. It may be inaccessible due to its protection level.


Data provided by the application server does not fill foreign keys with a NULL but an empty string.


Error in Schema Extension when creating a custom table with a foreign key to a Basetree* view.


Error in the DialogDeferredOperation with overdue actions, activated but without existing job consistency check.


The QER_TIPersonInBaseTree trigger for checking BaseTreeExcludesBaseTree violations does not take the XOrigin column into account.


When generating a preview for simple list reports, errors may occur under certain circumstances.


Reports no longer correctly hide the minimum date (12/30/1899).


A system user who has read-only permissions may be given additional change permissions by program functions.


If a user account password is changed, the Customizer throws an error if the change is discarded rather than saved.


Error in the Missing tables in dialogtable (base) consistency check's repair script.


When saving formation rules in the System Debugger, the code disappears if there is a <summary> section in the code.


Templates are not booked to the change label when saved to the System Debugger.


Translations do not take all language dependencies into account.


In certain circumstances, DialogWatchOperation.OperationUser is not populated.


Error opening the TimeTrace in the Manager.


Table 6: General web applications

Resolved issue

Issue ID

The New child group button contains the CanInsert("AdsGroup") viewing condition. This viewing condition has been removed.


The following collections have been removed from the VI_ITShop_Approvals Web Designer component:

  • ITShopOrg

  • ITShopOrgForPWOToDecide

  • PWOHelperPWO

  • QERWorkingStep

  • PWOHelperPWOForRecallQuery

The ITShopOrg collection was removed from the VI_ITShop_PWO_MasterDetail component.


In the Web Portal, the reason stored is incorrect if products are automatically canceled due to denied attestation.


In certain circumstances in the Web Portal, an attestation case approver cannot analyze the removal of permissions.


In the Operations Support Web Portal users can create passcodes for themselves.


In the Web Designer Web Portal, it is possible to display hyperviews for which you do not have the required permissions.


The API Server cannot be installed because a WebDAV module is installed on the same Internet Information Services.


If you search for AE/Ä in the Web Portal, entries with A are also found.

NOTE: Perform a complete re-indexing after an update migration.

278865, 34389

In the Web Portal, ASP.NET sessions can go missing if Linux containers are in continuous operation.


In the Web Portal, identities with the vi_4_PERSONADMIN permissions group do not see all the requests of their child identities.


In the Web Portal, if a cancellation date that is in the past is specified for a cancellation, an error message appears. Subsequently, the product cannot be canceled even with a valid date.


In the Web Portal, it is not possible to resolve compliance violations if the violation involves a primary identity.


Table 7: Target system connection

Resolved issue

Issue ID

Mappings that have the Only suitable for updates option enabled use the Insert processing method.

Patches with the patch IDs VPR#33217_001 and VPR#33217_002 are available for synchronization projects.


Too many entries are logged when detecting and correcting invalid changes.


Synchronization stopped due to an error synchronizing with revision filtering: The revision property type does not match.

Error message: Error filtering by revision. ---> System.ArgumentException: Object must be of type Int32.


Error compiling scripts in C# syntax in Synchronization Editor, if an assignment is missing a space after the equals sign (=).


Error creating a synchronization project with the SynchronizationEditor.CLI.exe command line utility if the database user's password contains a dollar sign ($).


Error loading schema classes with the Unique objects class type using the RemoteConnectPlugin.


Error provisioning the Password cannot be changed property for Active Directory user accounts (ADSAccount.UserCanNotChangePassword).


Poor performance when opening assignment forms for ADSAccountInADSGroup.


The Azure AD Connect anchor ID for Active Directory user accounts (ADSAccount.MSDsConsistencyGuid) cannot be overwritten in the map.

A patch with the patch ID VPR#34715 is available for synchronization projects.


Error saving a Microsoft Exchange mailbox if the Calendar Automate Enabled property (EX0Mailbox.AutomateProcessing) is empty.


In the case of automatic employee assignment, for LDAP user accounts the Groups inheritable option (LDAPAccount.IsGroupAccount) is always set to True.


When deleting an LDAP user account, memberships in LDAP groups are not removed if merge mode is active.

34594, 34601

Error in the SCIM connector during OAuth authentication with user name and password.

Error message: Error 400 BadRequest ({"error": "invalid_request", "error_description": "The request contains invalid parameters or values."})


Error running the EBS_UserInResp procedure.

Error message: Conversion failed when converting date and/or time from character string.


In the SAP connector, the LANGU property of the SAPTSAD3T schema type is not output correctly.


In One Identity Manager, synchronization tries to recreate SAP role assignments to user accounts with XIsInEffect=0.

A patch with the patch ID VPR#34563 is available for synchronization projects.


Search criteria for automatic employee assignment with an OR link cause a lot of hits if one of the fields is empty.


If the validity period changes, SAP role assignments to user accounts are temporarily deleted.


Problems synchronizing SharePoint Online when a site collection (site) is renamed in the target system.


Defining a hierarchy filter in the scope of the One Identity Manager connection returns the wrong results.


After changing the aliases of a Google Workspace user account, provisioning reloads the old value.

A patch for synchronization projects with patch ID VPR#34645 is provided.


During initial synchronization, the internet password is loaded from Notes user accounts.

A patch for synchronization projects with patch ID VPR#34393 is provided.


In synchronization projects for Notes domains, the MailFileAccessType variable has an incorrect default value.

A patch for synchronization projects with patch ID VPR#25230 is provided.


In synchronization projects for Unix-based target systems, the user's password is not encrypted.

A patch for synchronization projects with patch ID VPR#32500 is provided.


Table 8: Identity and Access Governance

Resolved issue

Issue ID

Wrong name in bitmask configuration for PersonHasObject.InheritInfo.


Querying the origin of entitlements blocks under certain circumstances.


If an employee is deactivated, closed attestation cases are closed again.


The search for specific attestation cases in Web Portal sometimes does not return a result if system entitlements are attested. The reason was the different formatting of display names for the attestation objects.

For some tables mapped in Unified Namespace the display pattern has been changed. As a result, these objects are now displayed with different names in reports or views of the Web Portal.


When an approval level with multiple approval steps times out, an identical process is generated multiple times.


Email notifications about granted request approvals name the wrong approver.


A product cannot be requested for several different workstations for which one employee is responsible.

30069
