Postrequisites
Deployment of reports
After any upgrade, you need to redeploy all the standard reports.
Additionally, in the case of Omada Identity v14.0.4 (Update 4), in the tblApplicationSetting table of the ODW database, the ES database user (e.g., srvc_omada) should be assigned as the [ValueStr] of the ssrsServiceAccount [Key].
Deprecated components
After installing the software, run the SystemInfo.sql script in the ES database.
This script is located in the Omada Identity installation folder at C:\Program Files\Omada Identity Suite\Enterprise Server\Sql scripts.
This script creates a stored procedure (spSystemDiagnostics) that produces information about the Omada Identity system that is usable for diagnostics and bug investigation. The stored procedure should be executed with text output.
The script can, for example, detect the use of deprecated components that require special attention when upgrading, including:
- Use of deprecated access modifiers.
- Use of deprecated code methods.
- Other issues that should be handled if reported (for example, issues related to data objects with mandatory fields that have empty values).
SoD Evaluate Identity Violations process migration
If you want to migrate to the new SoD Evaluate Identity Violations process, you need to run the MigrateXMLViolationData migration tool. The MigrateXMLViolationData tool will:
- migrate any existing data and decisions
- terminate any running processes
- disable the SoD process.
If you use a custom process template for the existing SoD Evaluate Identity Violations process, it won't be terminated by the migration tool. You need to manually complete or close all your active tasks. If any active Evaluate violation (ed2) process is terminated by the migration tool, with Recalculate Identity, the new Evaluate Identity Violations task won't be launched automatically. The new Evaluate Identity Violations task will be automatically launched when an identity's violated assignments have changed.
We recommend that before executing the migration tool, you complete all of your active tasks for the Evaluate violation (ed2). Optionally, if you want to relaunch the new SoD Evaluate Identity Violations process for terminated tasks, the Reset SoD violations functionality can be used.
The process template will remain in the system database but will no longer be triggered by the system. Once the migration is complete, the old process template and all related forms, data objects and properties can be deleted from the system.
It is impossible to return to the previous process once the migration is done.
How to Execute MigrateXMLViolationData tool
The migration tool migrates the IDENTSODXML data into the tblCalculationViolation table in the RoPE database and the tblCalculatedViolationDecision table in the ES database.
Before performing the migration on the live system, please execute a test migration on an evaluation system corresponding to your infrastructural setup. This test migration will allow you to assess the time required for the proper migration, depending on the amount of data.
In addition, before you execute the migration tool, perform a backup of your databases.
After upgrading the system, if you want to use the new Evaluate Identity Violations process you must execute the MigrateXMLViolationData tool. The utility will migrate existing SodXMLViolations and remove the IDENTSODXML property from the system. To do so:
- Stop the running services (Timer service, Provisioning Service, Role and Policy Engine Services).
- Stop the Enterprise Server website in IIS.
- Locate the MigrateXMLViolationData tool in the bin folder of the Enterprise Server installation folder.
- Execute the tool from the Command Prompt, providing the customer name as a parameter, for example MigrateXMLViolationData.exe -c Omada.
- After the Command Prompt closes, check the Windows Event Log to see if the upgrade was successful or any errors occurred.
- When the migration is executed successfully, restart the services and the ES portal.
- Since the new SoD Evaluate Identity Violations process is launched by the API, you must adjust your API settings.
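The steps above as a guarded PowerShell wrapper, added here as an example and not part of Omada's documentation or tooling: it refuses to run without a confirmed backup, verifies that the services are stopped, and restarts them only if the tool exits cleanly and no error events were logged. The service names, IIS site name, installation path, the choice of the Application log and the exit-code convention are placeholders or assumptions.

```powershell
# Added example, not Omada's tooling. Angle-bracket values are placeholders:
# the page does not give service names, the IIS site name or the install path.
param(
    [string]$Customer = 'Omada',   # customer name, as in the page's example
    [string]$BinFolder = '<Enterprise Server installation folder>\bin',
    [string[]]$Services = @('<Timer service>', '<Provisioning Service>',
                            '<Role and Policy Engine service>'),
    [string]$Site = '<Enterprise Server website>',
    [string]$EventLog = 'Application',   # assumption: log the tool writes to
    [switch]$BackupsVerified             # operator confirms database backups exist
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration          # provides Stop-Website / Start-Website

# The migration cannot be rolled back, so refuse to run without a backup.
if (-not $BackupsVerified) { throw 'Back up the databases, then rerun with -BackupsVerified.' }
$tool = Join-Path $BinFolder 'MigrateXMLViolationData.exe'
if (-not (Test-Path -LiteralPath $tool)) { throw "Tool not found: $tool" }

# Stop the services and the website, then confirm nothing is still running.
$Services | ForEach-Object { Stop-Service -Name $_ -Force }
Stop-Website -Name $Site
$running = @(Get-Service -Name $Services | Where-Object Status -ne 'Stopped')
if ($running.Count -gt 0) { throw "Still running: $($running.Name -join ', ')" }

# Run the tool and wait for it to exit; record the start time for the log query.
$start = Get-Date
$proc = Start-Process -FilePath $tool -ArgumentList '-c', $Customer -Wait -PassThru -NoNewWindow

# Collect Critical (1) and Error (2) events written since the tool started.
# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$problems = @(Get-WinEvent -FilterHashtable @{
        LogName = $EventLog; Level = 1, 2; StartTime = $start
    } -ErrorAction SilentlyContinue)

# Assumption: a non-zero exit code means failure. Either signal keeps the
# system down so the operator can review before anything touches the data.
if ($proc.ExitCode -ne 0 -or $problems.Count -gt 0) {
    $problems | Format-List TimeCreated, ProviderName, LevelDisplayName, Message
    throw 'Migration needs review; services and website left stopped.'
}

# Clean run: bring the services and the ES portal back up.
$Services | ForEach-Object { Start-Service -Name $_ }
Start-Website -Name $Site
```

The event filter is deliberately broad: an error from an unrelated application during the run also blocks the restart, which is the safer default for a migration that cannot be reversed.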
Republish old surveys
Some of the surveys defined in previous versions of Omada Identity can display multiple statements SQL errors on question generation after this update. To mitigate the issue, Omada recommends republishing the Access Review for Managers, the Access Review for Resource Owners, and the Account Ownership Review surveys. To do so, follow these steps:
- Rename the system name of the existing survey template, for example, change it to RoPE_ResourceAssignmentSurvey_legacy.
- Republish the CalcResourceAssignmentSurvey_Manager.xml survey located in C:\Program Files\Omada Identity Suite\Enterprise Server\Survey templates.
- Ensure that references such as Survey schedules, Compliance workbench, and the Services menu reflect the correct survey template.
Repeat the steps for other mentioned surveys.
Optional steps
Surveys update (Omada Identity Cloud only)
As a part of the upgrade scripts, the survey upload tool will reupload the new version of the survey template. Cloud customers will get two versions of the survey template and must update the event definition that launches the deleted context survey to use the new survey, and must edit the compliance workbench configuration if they wish to use the new CRA survey.
Commit Provisioning Monitor settings
The way OPS represents the connector data model in the OPS database has changed. Make sure to Commit settings from the Provisioning Monitor widget in the Operations Dashboard after the upgrade.
The changes are made to avoid clashes on object types and property types.
Check the Required Authentication Level for Platform Administrators User Group
The upgrade to Omada Identity 14.0.11 will force the Required Authentication Level of the Platform Administrators user group to be High. If it has been set to another level manually (for example, Medium in the screenshot below), then it must be manually updated after the upgrade.

Change the Action on objects originating from ES option for Context manager - Organizational Units
The Action on objects originating from ES option for Context manager - Organizational Units was set to Include.
CIAM data objects types capability for OData
For security purposes, each data object type used in CIAM has to be explicitly enabled for OData in the Enterprise Server.
Go to Setup > Administration > Data management > Data object types and make sure that the Enable type for OData option is checked for your required data object types.
Import Review Joined Identities survey template
Delete the Review Joined Identities survey template and import it from the template file. If the template was modified manually the changes will have to be reapplied.
Alternatively, the fix can be manually applied in the survey template. The following steps need to be done:
- Go to the Survey Templates view in Setup and open the Review Joined Identities template.
- Select the Forms tab. From the form1 ellipsis menu, click Fields.
- Click the Select fields button to open the fields list editor.
- Deselect the OISID field and select SURVFLD_TEXT8. Click OK.
- Scroll down to the last field (Survey text field) and edit it.
- Fill the Caption text field with "OISID" and click OK.
- Check the field in the list and click the Move up button until the field is moved to the top.
- Close the form1 form fields editor and click OK to apply the changes to the survey template.
Paging and Delta SAP Access Data collector
Upgrading will not affect the behavior of existing onboarded SAP Access Data. A new Use Delta option will be visible in the Advanced section of the collector, but it will have no effect. Paging on individual queries should be left disabled.
To enable the paging and delta functionalities, perform the following steps:
- Upgrade the SAP Connectivity Package to 106. This upgrade will have no effect on Paging or Delta, and imports will continue as previously.
- Get access to clean queries and mappings from an onboarded system in the current upgraded version of Omada Identity.
- Onboard a dummy SAP Access Data system.
- Go to Queries and Mappings while holding Ctrl to expose the underlying XML. This then must be manually merged with the same XML from the system where paging should be enabled.
The easiest way to merge is to copy the <expr>, <dest>, <map>, and <set> from the onboarded system .xml to the clean .xml. Also copy the filters for each query. Any manual customizations like additional fields added in the xpaths section should also be transferred to the new .xml.
To verify that Paging and Delta are working, check the log messages:

The first import will run in Full mode as a fallback because there is no watermark, and data will be collected in paging batches of 1000.
Subsequent imports will start using Delta mode, and Paging may not be visible when there are fewer than 1000 changes:

Policy & risk checks in Access Requests
This feature introduces changes in the policy check functionality in the Access Request flow.
If you are using the Policy check in the Access Request and approval processes, you need to import the Policy & Risk Check standard application feature package.
Additional configuration options for the policy check are introduced that are used to control which policy checks should be performed, which policy checks should be made visible, and whether the checks are optional or mandatory.
If you are using mandatory policy checks, any mandatory checks are still performed on Submit, but you also have the possibility to inspect the result prior to submitting.
Since this feature changes the visibility settings of some of the objects and properties used in the Access Request process, it's recommended that you verify these settings after the upgrade to ensure that they have been correctly migrated.
SAP HCM Delta support
- Upgrade the SAP Connectivity Framework to Patch Release 107. This upgrade will have no effect on Delta and imports will continue as previously.
- Get access to clean queries and mappings from an onboarded system in the current upgraded version of Omada Identity.
- Onboard a dummy SAP Access Data system.
- Go to Queries and Mappings while holding Ctrl to open it in .xml format.
- Merge it with the .xml format from the system where paging should be enabled. The easiest way is to copy the <expr>, <dest>, and <set> from the onboarded system .xml to the clean .xml. Also copy the filters for each query. Any manual customizations like additional fields added in the xpaths section should also be transferred to the new .xml.
The first import will run in Full mode as a fallback because there will be no watermarks. Subsequent imports will start using Delta mode.
Access Request migration tool
Before running the migration utility, open the Enterprise Server portal and import all updates to feature packages. After the utility has completed the migration, you need to open the Enterprise Server portal again and import additional feature package changes which appear after the migration has completed.
The MigrateResourceAssignments.exe utility migrates the old ACCOUNTKEY property value on Resource assignment data objects to the ACCOUNTTYPE property.
- Navigate to C:\Program Files\Omada Identity Suite\Enterprise Server\website\bin.
- As administrator, press Shift+right-click in File Explorer and then select Open command window here.
- Run the migration tool using the command MigrateResourceAssignments.exe -c CustomerName -b BatchSize, where -c is a parameter determining the customer name and -b is a parameter determining the size of the batch, for example: MigrateResourceAssignments.exe -c Omada -b 500.
Note: The default batch value is set to 5000.
- The Resource assignments migration log_[date]__[time].txt log file is saved inside the folder after the migration is complete.
Technical identities
If you deleted some Technical Identities in the past, and you marked the account assignments as Obsolete, but left the permissions assignments Active, all the permission assignments which belonged to that Technical Identity will be transferred to all other technical accounts by the migration tool. To check if you have some Technical Identities with resources still available, run the following query against the Auditing Data Base.
-- Active resource assignments of active identities whose ACCOUNTKEY
-- has no matching calculated assignment in RoPE
SELECT ra._NUMBER, ra._DISPLAYNAME, ra._CREATETIME
FROM [dbo].[tblResourceAssignment] ra
JOIN [dbo].[tblIdentity] i
    ON i._ID = ra.IDENTITYREF_ID
    AND i._DELETEDBY IS NULL
    AND i.IDENTITYSTATUS_ENGLISH = 'Active'
WHERE ra._DELETETIME IS NULL
    AND ra.ROLEASSNSTATUS_ENGLISH = 'Active'
    AND ISNULL(ra.ACCOUNTKEY, '') != ''
    AND ISNULL(ra.ACCOUNTKEY, '') NOT IN
    (
        SELECT AssignmentKey
        FROM [RoPE].[RoPE].[tblCalculatedAssignment]
    )
Postrequisites for 14.0.8
Changes affecting OData proxy clients
After upgrading from a previous version of Omada Identity to Omada Identity v14.0.8 (Update 8) and running the MigrateViolationDataXML utility, the property with the system name IDENTSODXML will be deleted. The property is included in the Identity data object type.
If you have generated any proxy clients for the OData API in Omada Identity, the proxy clients must be re-generated after the migration utility has been executed successfully.
If the proxy clients are not re-generated, it could result in errors when querying the OData API using the proxy clients.
Toggle delta support for MIM
Since Omada Identity v14.0.8 (Update 8), the RoPE configuration file is supplied with a new setting: updateResourcesAndAssignmentsForMIM.
If you are using Microsoft Identity Management (MIM), make sure that the setting is present in the RoPE configuration file and the value is set to true.
If MIM is not being used, Omada suggests setting the value to false, as this will improve the performance of RoPE's calculations.
Enable Paging for SAP systems
After upgrading from version 14.0.8 or lower, follow these steps once the upgrade is complete, but before the first import:
For SAP Access Data systems:
- Add the filter attribute for the Profiles query: status!="P"
- Enable the Distinct option for all queries.
For SAP HCM systems:
- Modify the filter attribute for the Jobs query with the one below:
"#MaxRow(id, validto)#!(string.IsNullOrEmpty(validto) || validto == "00000000" || DateTime.ParseExact(validto,"yyyyMMdd",null) <= DateTime.UtcNow)"
- Enable the Distinct option for all queries.
- Do not enable paging for Cost Centers and Positions queries.