Version: On prem: 15.0.1

Resolved Issues and Bug Fixes

Read more about resolved issues and bug fixes in this release.

Access request

Access request error message

There was an issue during the access request that triggered an error message and closed the approval task, leaving the resources in a Pending status. This issue has now been resolved.

INC-280890

Resources from obsolete resource assignments are not visible

Previously, if a user had an obsolete resource assignment, the resource was not shown in the resource search. Now, this issue has been fixed, and obsolete assignments can be selected in the Access Request process.

INC-272362

Access Request regional settings for date pickers

Previously, the date field in the Access request did not display the date according to the regional settings. This has now been fixed, and the date field is formatted correctly.

INC-274688

Field unsanctioned use

Previously, an issue allowed unsanctioned use of a field. A cross-site scripting vulnerability has been fixed, and unsanctioned use of the field has been contained.

INC-275517

Omada Data Warehouse

Systems in slowly changing dimension processing

There was an issue where, during import of multisystem categories, systems that were not successfully staged were included in the slowly changing dimension processing. This involved a risk of deleting data from the failing system. The issue has been resolved, and only successfully staged systems are now included in the slowly changing dimension processing.

INC-275838

Inefficient processing of extension attributes in account data flow

There was an issue resulting in import errors due to inefficient preparation of account extension attributes in the prepare data for processing step of the import process. The issue has been resolved, and imports are now successful.

INC-274975

Connectivity

Issue with preview for multivalue source property

There was an issue with the preview service when the Multivalue source property was used for non-extension attributes mappings. The preview failed to generate any results, indicating that orphan rows had been removed. This issue has now been resolved.

Enterprise Server

Issue with archiving DOTs without assigned properties

There was a situation where a data object type existed without any assigned properties, leading to a timeout issue. We have addressed this by fixing the archiving of data object types without properties.

INC-271174

DateTime filter expression issue

We've fixed an issue with evaluation of filter expressions comparing two DateTime properties with modifications, where the modification result yields a DateTime value outside the range supported by SQL datetime.

INC-271383

Issue with event definition filter

We've fixed a bug that prevented customers from accessing the value on the right side of the event definition filter accurately.

INC-272859

Missing customer settings for purging property value and data object version

We have added a few archive-related customer settings that were missing:

  • ArchiveTimerWaitCycle
  • ArchiveTimerWaitCycleLong
  • ArchiveVersionBatchSize
  • MaintenanceArchiveEntries
  • MaintenanceArchiveDeleteAfterDays

INC-272934

Issue with GraphAPI queries in ValueGenerator

We have fixed the value generator's unique value check with Microsoft Graph to address potential failures when unique values contain special characters.

INC-272982

Issue with offboarded users in Production environment

We have implemented additional validation for assignment policies during their loading into RoPE. This enhancement aims to prevent such situations from occurring in the future.

Error in accessApprovalPolicyChecks in Graph v2.7

We fixed a known issue regarding the error encountered when querying the createdBy field within the identity, resource, or context fields in the accessApprovalPolicyChecks query.

INC-273090

Attribute window shows no attributes in the legacy Access Request

We have fixed a bug in which a resource with no attribute was displaying the attribute pop-up window for selecting an attribute. However, since there were none, it was impossible to select one. Now, the attribute pop-up window does not appear in that scenario.

INC-270792

New UI Access Request does not work with account types

We have fixed a bug that prevented account types from working correctly when requesting access.

INC-271093, 273730

Issue with event definition not being triggered

There was an issue with triggering the event definition. We have fixed the issue and updated the documentation. Currently, reference paths in event definition are only allowed for:

  • timer events for a regular data object type
  • non-timer events for shadow resource assignment object type

INC-272300

Copy Action option "Always run as internal operation" is not recorded in changeset

We've solved an issue with configuration change logging and configuration change import of the Always run as internal operation attribute in the Copy action option, in the Event definition.

INC-273738

Implicit Assigned Enterprise Role removes all other child resources

We have addressed an issue wherein an auto-generated account was unable to enter the desired state, specifically when its desired state was set as true, due to the associated permission not being in the desired state. This fix ensures the auto-generated account won't remain in the system unnecessarily if the reason for its creation is no longer valid, thus preventing it from being deprovisioned.

INC-271814

View state validation issue for Windows Integrated security

We've resolved a periodic issue with view state validation that was causing premature session timeout error messages. This problem was specific to instances utilizing Windows Integrated security.

INC-273437

Event definition with Main.CreateObjectFromTemplate2 code method fails

An issue that caused an event definition involving a code method and a copy action rule to fail has been resolved with the following improvements to the Main.CreateObjectFromTemplate2 code method:

  • The securityOverride flag is now respected both when creating Users and UserGroups and during update events.
  • The skipCreateEvents flag is now respected when creating Users and UserGroups.

INC-273610

The global search function consistently times out whenever an identity is queried

The SQL query for column search utilizing the full-text index now includes "OPTION (HASH JOIN)" at the beginning if the customer setting Full Text search with option hash join is activated, mirroring the approach taken in the SQL query for global search. This addition of the SQL query option can, under certain circumstances, mitigate SQL timeouts in view searches, whether global or column-based.

INC-273304

Resource assignment updates blocked via OData despite proper authorization

We've fixed a bug that prevented updates to Resource Assignments via OData.

INC-273474

Import failing due to issue with false duplicate

We've resolved an issue that occurred when resilient SSIS packages are utilized, resulting in import failure with the following warning:

OleDb Bulk Error encountered. Will begin attempt number 1 of 5 max

The bulk insert is now done in a single transaction, allowing the entire bulk to be rolled back if the connection is broken.

Outdated library Renci.SshNet.dll and missing HostKey validation in the Flat file CSV connectivity

The flat file collector has a new configuration parameter: Host Key Fingerprint. It is used for the host key validation, to prevent man-in-the-middle attacks. If the value is not provided, the validation is skipped. MD5 and SHA256 fingerprints are supported.

Format: algorithm:fingerprint
Example: SHA256:jlDPKCCRr1TkufVsZJf02ejXNQ7RB/vg09uGwKeSwnU

INC-273664
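
The Host Key Fingerprint format described above can be checked as in the following added example. It is not Omada or SSH.NET code: the function names, the three result strings and the sample key are constructed for illustration, and the case-insensitive algorithm prefix is an assumption. The point to note is that MD5 fingerprints contain colons themselves, so the value must be split on the first colon only, and that an empty setting yields a distinct "skipped" result rather than a match.

```python
import base64
import hashlib
import hmac
import struct


def parse_setting(value):
    """Split 'algorithm:fingerprint' on the first colon only (MD5 digests contain colons)."""
    algorithm, sep, digest = value.strip().partition(":")
    algorithm = algorithm.upper()  # assumption: prefix treated as case-insensitive
    if not sep or not digest or algorithm not in ("MD5", "SHA256"):
        raise ValueError("expected MD5:<hex pairs> or SHA256:<base64>")
    return algorithm, digest


def fingerprint(key_blob, algorithm):
    """OpenSSH-style fingerprint of a raw SSH public host key blob."""
    if algorithm == "SHA256":
        raw = hashlib.sha256(key_blob).digest()
        # OpenSSH prints the base64 digest without '=' padding
        return base64.b64encode(raw).decode("ascii").rstrip("=")
    # MD5 appears here only as a legacy fingerprint format
    hexed = hashlib.md5(key_blob, usedforsecurity=False).hexdigest()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))


def check_host_key(key_blob, setting):
    """Return 'skipped', 'match' or 'mismatch' for a presented host key."""
    if not setting or not setting.strip():
        # Mirrors the documented behaviour: no value means no validation.
        # Returning a distinct status lets callers log or alert on it.
        return "skipped"
    algorithm, expected = parse_setting(setting)
    actual = fingerprint(key_blob, algorithm)
    if algorithm == "SHA256":
        expected = expected.rstrip("=")   # base64 is case-sensitive
    else:
        expected = expected.lower()       # hex pairs are not
    same = hmac.compare_digest(actual.encode(), expected.encode())
    return "match" if same else "mismatch"


def sample_blob():
    """Constructed ssh-ed25519 key blob (not a real server key)."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    return ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))


if __name__ == "__main__":
    blob = sample_blob()
    pinned = "SHA256:" + fingerprint(blob, "SHA256")
    print(pinned, check_host_key(blob, pinned))
    print("unset ->", check_host_key(blob, ""))
```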

SAP HCM import failing

We have resolved an issue with the Data Preview service not releasing memory utilized by the collector, resulting in the imports not being performed. The issue has now been fixed and the imports are performed correctly.

INC-272953

Issues with the EXPLICITOWNER property

There was an issue with the import failing with the following error message:

Error assigning value(s) for property **EXPLICITOWNER** to data object: Could not locate data object with value **xxx** in property **ODWBUSIKEY** with type id(s) 905

The error occurred during update of resources, identities or contexts.

The issue has been resolved by avoiding exporting ownerships referencing non-primary identities.

INC-272361

New access request filter is showing wrong data

We have resolved an issue where resource types marked with the prevent self-service option were incorrectly appearing in the filter options during access requests. Now, these resources will no longer be displayed as an option in the filter.

INC-273241

Calculation failed for the unresolved identity

Previously, if a calculation of the unresolved identity failed, the identity would automatically be re-added to the queue, even if the skipQueuingUnresolved setting was configured to true. This behavior has been enhanced to ensure that the skipQueuingUnresolved setting is respected when re-queuing failed identity calculations.

INC-273580

Errors with import jobs

We have added a new IX_tblCalculatedAttributeValue_AssnId_ValueRef_AttrId index to the RoPE database and improved the SQL statement for looking up the child resources of a parent role, as performance improvements.

INC-274760

INC-274631

Issues in the delivery of email notifications

There was an issue with the delivery of email notifications from Omada Identity. While some notifications were received correctly, the majority failed to arrive. This issue has been resolved. Previously, the "no authentication" setting failed when the SMTP server supported other authentication methods.

INC-274824

Missing indexes in ArchiveDB causes full table scans due to TimerService Maintenance

We have added an SQL Index in the ArchiveDB on tables with the _DELETETIME column. This action was taken to address the performance issue arising from full table scans triggered by the Timer Service.

INC-273847

Delay in scheduled imports

We've addressed an issue where the calculation determining the start and end times of an hourly timer failed to incorporate the local time zone of the system, particularly when the RunTimerInSystemUserTimeZone customer setting was activated.

INC-274779

Event Definition (and View) Filter does not work with "Estimate" and a reference path property simultaneously

The combination of Reference Path and Property to Property filters is not supported. We've added a new validation error that triggers on filter definition save. If this error is triggered, the following message will be displayed:

Filter expressions containing Reference Path expression with Property on left and right side of expression are not supported

Role and Policy Engine

SOD evaluation failed to trigger

There was an error in RoPE/SoD related to toxic combinations in resource assignments for resources linked to an account type. Following the review evaluation, if conflicting resources were allowed/resolved for an account, the same evaluation was mistakenly applied to the subsequent assignments related to the same resources but for a different account. Now, RoPE and SoD check both the resource and account type to prevent the reuse of previous evaluations when it is not warranted.

INC-269825

Omada Provisioning Service

Issue with ServiceNow ITSM Relay provisioning

We've enhanced the ServiceNow ITSM Relay connector (Service Catalog) with the following improvements:

  • Provisioning tasks now consistently attain their final states (completed/failed) when the provisioning job is marked as completed or failed.
  • For situations where all provisioning tasks should be created in a single request on the ServiceNow (SNOW) side (REQ), the connector now always orders them using a cart, even if the job contains only one task. This ensures that result values remain consistent across all provisioning tasks.

Issue with ServiceAccount that doesn't have a resolved account

There was an issue in the RoPE AttestationSurveyExtension causing an identity calculation to fail under some circumstances with the following error message: ...doesn't have a resolved account. The issue has been fixed.

INC-273568

Missing attribute name in Always Provision Attribute Changes setting notification

Previously, when the Always Provision Attribute Changes setting was enabled and an attribute value altered, RoPE would only display "Provisioning attribute 'System.Collections.Generic.List...'" in the calculation message, lacking the specific attribute name. However, following an update, RoPE now includes the attribute name in the format: Provisioning attribute '<attribute name>' changed.

INC-274721

Error calculating unresolved identity

There was an issue with the unresolved identity failing and blocking the RoPE calculation queue. The issue has been fixed. If RoPE is configured to not queue the unresolved identity automatically, then RoPE will also not queue it automatically after a failed calculation.

INC-271866

Error calculating identity: Error executing non-query command: The connection is broken and recovery is not possible

If a RoPE identity calculation fails with a transient SQL problem, it is logged as a warning in the Operation dashboard, and the calculation is retried after the next scheduled re-queuing of failed calculations.

INC-271386

Issue with re-queuing unresolved identities

If the calculation of an unresolved identity fails, it remains excluded from recalculation until the configured time in 'unlockQueueItemsOlderThan' elapses, plus an additional 4 hours.

INC-274501

Surveys

Boolean property was not working in Survey template

We've fixed a bug where a new Boolean property added to a Resource DOT was saved with the null value rather than the actual value when the Data Source filters of the Transfer identity assignments survey template were modified with new criteria. The correct value is now being saved.

Resources displayed multiple times in Identity and Survey

We've resolved an issue where duplicate calculated assignments were being created when the Omada Identity self-management resource assignment had multiple review verdicts assigned.

INC-264467

Endless RoPE calculations issue

We have resolved an issue concerning endless RoPE calculations occurring for accounts with an initial password attribute in configurations where running imports were not initiated, and the actual state is determined by claims.

INC-273668

RoPE calculation fails for identity type Machine

We've fixed an issue with calculating implicit assignments for machine identities.

INC-273668

Download PDF is not working in Surveys

We have fixed a bug that prevented the user from exporting surveys in PDF format.

INC-271300

Overextended access to historical data

There was an issue with possible overextended access to surveys' historical data. To improve security, additional safety measures were implemented that verify user access rights, ensuring that only appropriate users can access the data.

INC-275332

System Onboarding

Issue with filtering in system onboarding queries

There was an issue with the #MAXROW and #MINROW filter expression resulting in the identities being read multiple times. The issue has been resolved by adding the paging support to the #MAXROW and #MINROW filtering in the system onboarding queries.

INC-273806

Connectors

PowerShell connector doesn't accept relative paths for scripts

The PowerShell connector didn't accept relative paths for scripts. This issue has been fixed: both relative and absolute paths are now accepted.

INC-273424

ServiceNow ITSM connector mixing items from two provisioning jobs

In some scenarios, the ServiceNow ITSM connector updated the same SNOW cart from two OPS instances, resulting in REQ with mixed items from two provisioning jobs. This issue has been fixed.

INC-273148

Paging type set incorrectly as a mandatory field during data import

During data import using REST and OData connectors, when change paging in nested requests tab is enabled, the paging type for non-nested queries was set as a mandatory field. This issue has been fixed.

INC-274572

JSON paths in double quotation marks are not processed correctly in the REST connector data model

Property values in double quotation marks were not recognized correctly. Double quotes are now replaced with single quotes (for property values, if they are not valid paths).

REST data import continuation token paging incorrect behavior (after April 2024 update)

After the April 2024 update, REST data import (collector) pagination continuation token did not work correctly if the token location in the request was set to header. This issue has been resolved.

INC-275461

Documentation

Auto-account management for a system

We've updated the auto-account documentation with the following note:

If you enable the auto-account for a system, it's advisable to make the account non-requestable and refrain from running any attestation on it, including removing or expiring all attestation verdicts associated with that particular system.

INC-271765

Grace days description

We have updated the description for the Grace days customer setting in the RoPE customer settings section.

INC-272905

Access Request Reason field

We have added information about how to configure the Reason field in the Access Request process. Refer to Access Request to see how to do it.

INC-275811

The following script files contains illegal characthers

We fixed a bug in the documentation related to adding arbitrary JavaScript files in forms. For more information, refer to the Creating a form section.

INC-274982

Other

SoD blocking of resources shows error

We fixed a bug that occurred when creating a constraint involving SalesForcer Trader and Sales Manager. Previously, when multiple Trader requests were made, there was an issue where a block SoD decision with revoke only set on the Resource Assignment became obsolete.

INC-270608

Cannot drag and drop in new UI

We fixed a bug that prevented you from using the drag & drop method to change the order of the table columns in the new UI.

Never expires does not work in the new UI

We have resolved an issue where the year 9999 was displayed whenever a Valid to date was set to Never Expires. This has been corrected, and Never Expires is now shown for dates that are on or after the year 3000.

INC-274078

Issue with OpenIDLogoutRedirect customer setting in the New UI

This update addresses an issue where the OpenIDLogoutRedirect customer setting failed to function properly with the New UI. With this fix, users are now correctly redirected to the logout page after logging out of the IdP.

Error with post-logout redirect with Okta

After logging out from the Identity Provider (IdP), you should be redirected back to the New UI logoff page, for example, https://localhost:44323/logoff?LANG=1000.

However, while doing that, an error occurred: Your request resulted in an error. The post_logout_redirect_uri parameter must be a Logout redirect URI in the client app settings.

To resolve this issue, when configuring the Okta OpenID Connect Application, ensure that you include the LANG=<Language ID> parameter in the Sign-out redirect URIs. This parameter should contain the ID for any language you anticipate users will use, for example:

  • https://localhost/logoff.aspx?LANG=1000
  • https://localhost/logoff.aspx?LANG=1001

For more information, refer to the Configure OKTA with Open ID Connect documentation.

Sorting by Visible to in Views

We have fixed an issue that prevented users from sorting by the 'Visible to' field in the Views pane.

INC-274971

Security Vulnerability in Windows Installer XML (WiX) toolset

We've upgraded the Vault Service installer due to a vulnerability identified in the Windows Installer XML (WiX) toolset used to generate the MSI package.

Operations Dashboard - provisioning jobs queue does not allow ordering by the task creation date

It is now possible to sort jobs by the date of creation in the Operations Dashboard (in the provisioning jobs section).

INC-274825

CSV download of Access review survey question

There was an issue when downloading a CSV from the survey questions in the Access review survey. This has now been fixed by adding a new line to all values of set property columns. The line appends if there is more than one set property value.

INC-274940