Version: On prem: 15.0.2

Resolved Issues and Bug Fixes

Read more about resolved issues and bug fixes in this release.

Access Approvals

Access approvals do not work properly

We fixed bugs that prevented Access approval from functioning correctly and did not allow:

  • Reassigning an access approval to a new user or viewing and approving them.
  • Displaying questions correctly when Everyone does not have access to a specific resource.

Access Request

Unable to submit a written request in Access request

We fixed a bug where attempting to submit a written Access request with the SoD policy check enabled resulted in no action when clicking the Submit button.

INC-279050

Account selection popup doesn't appear in classic view of Access request UI

We fixed a bug in the Access request where, if a user had two account types within a system and a resource was marked for both types, the popup to select the account type did not display correctly. The field is now correctly displayed when there is one or fewer account types, and auto account creation is enabled.

INC-279453

Unmanageable pending request

We fixed an issue where an error occurred when submitting survey questions that lacked the workflowStepLog element in the survey object XML. The survey object is now automatically updated to include the missing element when not present.

INC-280218

Error message when requesting access

We resolved an issue in the Access request. Now, the objectType parameter in the omada.wsproxy.ConvertId function is optional and defaults to DataObject if not specified.

INC-279757

Enterprise Server

Incorrect UserHostAddress in Splunk logs for load balancing scenario

There was an issue where the metadata sent to Splunk contained the UserHostAddress of the load balancer instead of the actual client's IP (HTTP_X_FORWARDED_FOR).

This has been fixed. Now, when determining the client's IP address, we consistently use the X_FORWARDED_FOR header value if it is provided in the HTTP request. Previously, it was only used in some cases.

INC-275877
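
The X-Forwarded-For header is set by whoever sends the request, so a value that ends up in Splunk is only reliable when the request actually arrived through the load balancer. The following is an added example, not Omada's implementation, of resolving the client address for logging under that rule; the function names and the load balancer subnet 10.0.0.0/24 are assumptions made for the example.

```python
import ipaddress

# Assumption for this example: the load balancers live in this subnet.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse_ip(text):
    """Return an ip_address, or None if the text is not an IP.
    Tolerates the 'ip:port' and '[ipv6]:port' forms some proxies emit."""
    text = text.strip()
    if text.startswith("["):
        text = text[1:].split("]", 1)[0]
    elif text.count(":") == 1:
        text = text.split(":", 1)[0]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip_for_log(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Pick the address to log as the client's IP.

    remote_addr is the TCP peer (UserHostAddress); xff_header is the raw
    X-Forwarded-For value or None.
    """
    peer = _parse_ip(remote_addr or "")
    if peer is None:
        return "unknown"
    # The header only means something if the peer is our load balancer;
    # on a direct connection it is arbitrary client input and is ignored.
    if not xff_header or not _is_trusted(peer, trusted):
        return str(peer)
    candidate = peer
    # Each proxy appends to the right, so walk right to left and stop at
    # the first hop that is not one of our own proxies.
    for hop in reversed(xff_header.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed entry: keep the last hop we could verify
        candidate = ip
        if not _is_trusted(ip, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("10.0.0.9", "203.0.113.7, 10.0.0.5"),       # via two trusted hops
        ("10.0.0.9", "192.0.2.66, 198.51.100.20"),   # client pre-set the header
        ("198.51.100.20", "192.0.2.66"),             # bypassed the load balancer
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip_for_log(peer, xff))
```

Only parsed addresses are returned, so raw header text never reaches the log line.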

Changes made via Changeset for AppString do not persist

We've fixed an issue with transporting the Type of an AppString object using changeset logging. Previously, the Type could be recorded in one environment, but the change could not be imported into another environment.

INC-274908

ViewStateFailure - intermittent and unexpected session expired error

There was an intermittent "This session has expired" error. We have now fixed this issue.

INC-275687

Data object property handling in Access Requests

An issue was identified with hiding classification information in the GetDataObjects response during access request creation. We have reduced the number of properties fetched for data objects in the legacy UI Access Requests page to only the necessary ones.

INC-275169

Issue with filter expression combinations

We have changed the handling of unsupported combinations of filter expressions. Instead of blocking the saving of a new filter with an error message, it now shows a warning in the list of filter expressions.

INC-277956

Issue with changeset saved after session timeout

We have fixed an issue where a changeset was saved after a session timeout. Now, if you leave the Create changeset view open and click the OK button, the changeset will not be created if the session has expired.

INC-275110

Issue with expired identities

In the Enterprise Server, expired identities were not removed as owners of identities, contexts, and resources. The ownerships were transferred to the unresolved identity. The issue has been resolved by expiring the ownerships with the identity.

INC-274989

Calling GetDataObjects over Webservice with viewId parameter does not respect columns in view

We have updated the WebService call at WebService/UIWebService.asmx/GetDataObjects, which is also accessed via the JavaScript API omada.wsproxy.getDataObjects(). With this update, when the API is called with a viewId argument, it will now return only the property values specified in the view's definition (previously, it returned all property values for the objects). Additionally, the API now respects the DownloadLimit setting from the view configuration.

INC-274970

Survey verdict incorrectly prolongs CRA validity

There was an issue with survey verdict prolonging the CRA validity. Now, for CRAs with no actual state, the Days before verdict expires field in the survey form will not extend the survey verdict's validity. Instead, the validity will remain as initially set during the direct assignment. This behavior now applies to any desired state.

INC-278561

Governance for Omada Identity - changeset with new User group is non-importable

We've resolved an issue in the Governance for Omada Identity feature related to the creation of management resources for user groups. Now, a management resource is no longer created when a user group is added through a changeset, as the changeset already includes the necessary record of the resource.

INC-278223

Renewal Survey Post Action

We have resolved a bug that caused an exception to be thrown when no active event definitions were configured for the survey.

INC-279369

Lengthy attribute values fail identity calculations

We fixed a calculation error that occurred when a differentiator exceeding 200 characters was stored in SQL Server with an insufficient column size. Now, the differentiator length is unlimited.

INC-277951

Issue with managing two users with the same username on the same day

We fixed a bug where two users with the same username couldn't be created and deleted on the same day.

INC-277589

Access to Email log

We have fixed an issue where setting the ReqAdmRightToMailLog customer setting to False granted everyone access to the email log.

We have introduced Email log, a new authorization element for accessing email details. It is added to the Administrator role by default. If you had the ReqAdmRightToMailLog customer setting set to False, it is also added to the Operation Administrator and Service Desk roles.

The ReqAdmRightToMailLog customer setting is now deprecated. From now on, all access to the email log and sent emails depends on the Email log authorization element.

INC-280067

The ShowIndirect setting missing in resource assignment reports

The WRE005 Resource assignment in period and WRE004 Resource assignment change log resource assignment reports were missing the setting to either include or exclude indirect assignments. The issue has been resolved and the ShowIndirect configurable setting has been added to relevant reports.

INC-272681

Role and Policy Engine

Disabled auto accounts

We have added a warning message regarding RoPE calculation in the following situation:

  • If auto account creation is enabled for a system or resource type, the auto account will not be created if an account for that identity and system already exists. This can cause an issue if the existing account is disabled, as the auto account would generate an enabled one. In such cases, RoPE will generate a warning message explaining why the account remains disabled.

INC-275193

Issue with provisioning tasks repeating multiple times

We have implemented an update in the merging process of actual state and desired state attributes. Previously, in scenarios where the desired state assignment was disabled and the actual state was enabled, the attribute from the actual state object would be copied, and the desired state attribute would be ignored. This has been improved so that the desired state attribute takes precedence, even if the desired state assignment is disabled.

INC-271514

Slow calculations with Auto Accounts with Child Resources

An issue has been fixed where a combination of trusted systems, child resources, and multiple account types caused an indefinite delay in calculations.

INC-277369

Failed calculations for multiple identities

There was an issue with failed calculations for multiple identities. The logging indicated the following: "Value cannot be null. Parameter name: onlyUseAccountType" (level Medium). The problem occurred when a user deleted one or more account types. This bug fix includes code to block the deletion of account types via the UI (by removing delete buttons) and to block deletion via OData (by throwing an exception when attempting to delete an account type).

INC-274107

RoPE invalid DateTime issue

We've resolved an issue where the Identity ValidFrom field was imported with a Date only value and a time of 00:00. If the Date coincides with a Daylight Savings Transition Date for the specified TimeZone and the transition time is 00:00, RoPE cannot convert the ValidFrom value to a local datetime. This is because such a time does not exist in the TimeZone. The solution is to adjust the time component by applying the Daylight Savings offset on these dates.

INC-277406

The risk score calculator was crashing for certain identities

We have fixed the errors related to the asynchronous calculations of the risk score, which were introduced by enabling the AsyncRiskScoreUpdates option on the RiskScoreCalculator2 RoPE extension.

INC-272925

RoPE calculates Pending Update when attribute is empty

We have fixed an issue where the RoPE Provisioning extension generates a PendingUpdate when an attribute is an empty string in both the actual state and the desired state.

RoPE calculation issue

There was a performance issue with RoPE calculations. The preparation of default account names was inefficient for large numbers of account resources. We have optimized the process for calculating default account names in RoPE, and the issue has now been resolved.

INC-279797

ResourceType change of a Resource is not reflected in RoPE

When the resource was changed during the calculation of irrelevant properties (and calculation was discarded), this resource was not updated in the RoPE resource table. This is now fixed.

INC-276848

RoPE Exchange Integration extension not working with latest EntraID Collector

The ExchangeIntegrationExtension for RoPE checked only the systems onboarded with Microsoft Azure Active Directory connectivity. Now it also checks for systems onboarded with the Microsoft Entra ID connector.

INC-280853

Backwards reference path not working in AttributeValueResolver extension

We fixed an issue with the RoPE AttributeValueResolver extension where reference path expressions with backward references (with a backslash \) caused the expression to fail.

INC-279715

Issue with provisioning some users until manual recalculation

We fixed an issue where changes to identities were registered in RoPE as handled events but the identities were not added to the calculation queue.

INC-278074

Issue with resource-driven attributes

The AttributeValueResolver RoPE extension has been improved. Resource-driven attributes are now calculated before the expression-based attributes, which means that the result of the resource-driven attributes can now be used in expressions.

INC-277917

Connectors

SAP HCM data import (collector) extended XPaths settings

The SAP HCM data import (collector) now has extended default XPaths settings to read 20 custom fields (compared to 10 custom fields in the previous version).

INC-275054

Omada Provisioning Service extension methods - null checks

Omada Provisioning Service (OPS) extension methods used in the task mappings have been improved with null checks. In previous versions, if a null value was provided as input, some of the functions threw a NullReferenceException. Now, a null or default value is returned in such cases and no exception is thrown.

INC-275117

OAuth token type field available for all OAuth types

For the REST-based data imports (collector), the OAuth token type field is now available for all OAuth types (before, it was visible only for OAuth static and custom types). The field is not mandatory: if the authentication service returns the type, it will be used. Some APIs do not return the token type; in such cases, this field can be used to specify the token type.

INC-275021

REST data import failed for some types of private keys

The REST data import (collector) failed with the error "Unable to cast object of type Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair to type Org.BouncyCastle.Crypto.Parameters.RsaPrivateCrtKeyParameters" for some types of private keys. This issue has been fixed.

INC-275532

Issue with copying SYSONB_JOBREQUESTSUPPORT value from template to new connector

We resolved an issue where, when a new OPS connector was created based on the template, the value of the SYSONB_JOBREQUESTSUPPORT property was not copied to the new template.

Active Directory connector proxyaddresses existing values cleared (string splitter, value set to NO)

In a provisioning scenario, when using a multi-value expression or string splitter mappings type, the values were cleared if it was set on the task mappings or in property values settings in OPS DB. This behavior was changed: now the value from the task mappings is used. Values from the database are used only if there are no task mappings defined.

INC-279581

Provisioning monitor fails for system owners

The provisioning monitor dialog didn't work correctly for the system owners, returning the following error:

Error performing monitor client action. Error message: Provisioning configuration for system '{system name}' contains an error. Data object of type 'Task Mapping' with UId or name '{task mapping name}' could not be found.

This bug has been fixed.

INC-280812

Surveys

Unable to change admin form on existing survey template

We fixed a bug in the survey template UI that prevented users from changing the administration form to a different one.

INC-278519

Event definition: Update Survey assignees' bug

We have fixed a bug that prevents completed activities being reactivated when the RecalculateSurveyAssignees method is executed, particularly in cases where these activities lack assignees and questions.

INC-275107

Mass update data object fails for XML with utf-16

We have fixed a bug that caused an error when attempting to update the XML property of a Survey template using the XML retrieved from the Survey template UI.

INC-278520

Remove verdict in CRA surveys should not use Verdict expires after days

We resolved a bug by modifying the logic in the survey templates Access Review for Managers and Access Review for Resource Owners. When an assignment is set to the Remove action, the generated verdict will now have an infinite expiration time, overriding the Verdict expires after days survey setting.

INC-280881

Other

Code methods information

The information about the Code method OnboardingContractor.CreateContractorIdentity2 has been updated.

INC-277318

Filtering missing on transition object

We fixed a bug where an event definition in a process template did not respect the Target object type.

INC-273718

Authentication RETURNURL XSS Vulnerability

We've fixed an issue where, in some cases, the authentication code did not validate that the RETURNURL was a valid relative URL. This prevents any links to the login page from containing external or absolute URLs.
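
A check of this kind, as an added example that is not Omada's code: a return URL is accepted only if it is a path on the same site, and anything else falls back to a default page. The function names, the default "/" and the sample values are assumptions made for the example.

```python
from urllib.parse import urlsplit


def is_relative_return_url(value):
    """True only for a same-site relative URL such as '/page?x=1'."""
    if not isinstance(value, str) or not value:
        return False
    # Browsers drop tabs and newlines and treat "\" like "/" when they
    # resolve a URL, so "/\host" or "/<TAB>/host" can leave the site.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value) or "\\" in value:
        return False
    # Exactly one leading slash: "//host/path" is scheme-relative and
    # points at another host; no leading slash allows "javascript:" etc.
    if not value.startswith("/") or value.startswith("//"):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme == "" and parts.netloc == ""


def resolve_return_url(raw, default="/"):
    """Return raw if it is a safe relative URL, otherwise the default."""
    return raw if is_relative_return_url(raw) else default


if __name__ == "__main__":
    # Constructed sample values for a RETURNURL parameter.
    samples = [
        "/Home.aspx?tab=2",
        "https://example.net/",
        "//example.net/login",
        "/\\example.net",
        "javascript:alert(1)",
        "/ok\r\nX-Header: y",
        "",
    ]
    for s in samples:
        print(repr(s), "->", resolve_return_url(s))
```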

Issue with unresponsive imports

An issue with unresponsive imports has been resolved. In the SSIS data flows, the extension attributes are included as strings. Including extension attributes in a more structured shape improves import performance.

INC-274975

Jobs purging prevents storing new jobs

Creation of new jobs usually peaks during specific hours. Purging of archived jobs should be done outside of these peak hours. You can configure OPS to perform purging during selected time windows (in UTC) in the omada.ops.service.exe.config file:

Setting both values to 0 disables the operating window (purging will take place throughout the day). Note that PurgingEndingHour must be greater than PurgingStartingHour.

To determine the peak hours when new jobs are created in your system, use the following SQL:

-- Count the jobs created in each hour of the day to find the peak hours
select createHour = datepart(hour, CreatedTime), jobCount = count(*)
from Jobs
group by datepart(hour, CreatedTime)
order by createHour

INC-271429

Missing resource logic key

There was an issue where the resource logic key was missing when the import threshold was exceeded. The issue has been resolved and the resource logic key is retained.

INC-277344

Inconsistencies in analytics processing

For Horizons functionality, all Account and Resource assignment extension attributes configured in both Queries and Mappings for all systems, as well as Resource Type attributes, will be transferred to the Omada Data Warehouse.

Setting up delegation to a technical identity

Until now, you could select a technical identity as the delegation target. We have added filtering that excludes technical identities.

INC-278044

Can't view data object as a manager

We fixed a bug that prevented viewing data objects as a manager.

Missing attribute fields in Control policy form

We have resolved issues where the Exceptions attribute button and other controls were missing in control policies.

INC-278127

UpdateAndRouteSurveyObjects fails with unexpected exception

We fixed a bug where submitting completed survey objects resulted in an exception.

INC-278437

Work item process not localized

We resolved an issue where the work item widget on the home page was not displaying in the appropriate language. This fix ensures that the widget now correctly adheres to the user's selected language settings across all supported languages.

INC-279493

Password maximum length validation in both fields

We fixed an issue in the password reset confirmation field. The field did not have a limit on the number of characters allowed, which could cause a validation error when the password limit was exceeded in the first field.

INC-278670

SoD constraints are calculated wrong in RoPE when using business process and scoping attributes

We have resolved an issue where two conflicting assignments were incorrectly calculated as non-conflicting when adding a third non-conflicting resource. This occurred in scenarios using business processes combined with scoping attributes.

INC-280125

Slow Omada Delegate Identity Lookup

We have resolved a bug, improving performance when the IdentitiesAccessModifier is invoked by a resource owner managing a substantial number of resources. This enhancement is particularly evident in identity views where the access modifier is applied.

INC-274261

Documentation

Email templates with event definitions

An issue was identified with the reference paths in the mail template not working as expected. This problem occurs when the email recipient does not have permission to view the objects referenced in the paths, resulting in these keys being replaced by empty values. The explanation for this behavior has been added to the Email notification documentation.

INC-274584

Update to Validity period and disabled status documentation

We've updated the Validity period and disabled status documentation regarding the validity calculation logic. The following information has been added to the guide:

If an identity is not active and the resource for which we are calculating validity is an account resource, the validity of any other objects involved in the resource validity calculation will be disregarded if they do not intersect with the identity's validity period.

INC-275290

Incorrect default settings for the database scripts to be executed

The installation section was corrected - it now accurately lists the SQL scripts.

INC-280140

Removal of RoPE warning and update to auto accounts documentation

We have removed the following RoPE warning that was introduced in the August release: "An auto account has not been created for resource 'X' because of an existing but disabled account for the system." Now, this behaviour is only described in the auto accounts documentation. The following information has also been added to the guide:

If auto account creation is enabled for a system or resource type, it will not create an account if an existing account for that identity and system already exists and has no defined desired state. This can cause an issue if the existing account is disabled, as the auto account would generate an enabled account.

PRB-96, INC-279355

Update to Delegate access documentation

We've updated the Delegate access documentation regarding the RoPE automatic recalculation when a delegation is created. The following information has been added:

If RoPE is configured to recalculate upon the creation of a delegation (which is the default setting), it will automatically calculate the identity of the delegate to grant the appropriate access. Additionally, if the delegation exclusive customer setting is enabled, the delegator's access will also be recalculated, as they will lose access to the resources that the delegate gains access to.

INC-277866

Governance for Omada Identity - initial recalculation is failing

The configuration of the Omada Identity System (OIS) after the installation of the Governance for Omada Identity feature package requires manual setup. Provisioning within the OIS will not be enabled until the system administrator completes the configuration process.

Task Mappings and Data Model are overwritten with CU35 update

We have resolved an issue where updates to the Omada Identity Connector Data Model and Task Mappings were being overwritten during the update of the Omada Identity connectivity package:

  • The Omada Identity Connector Data Model and Task Mappings are now treated as templates when installing the Governance for Omada Identity feature.
  • A new update process has been introduced that creates copies of the existing Omada Identity Connector Data Model and Task Mappings for systems where the Governance for Omada Identity feature is already installed.
  • The latest version of the Omada Identity Connectivity Package has been enhanced to register the Omada Identity Connector Data Model and Task Mappings as templates.

INC-279146

Issue with custom groups with self-management

When the Governance for Omada Identity feature is installed, the migration of self-management roles will now ensure that resource types for custom self-management roles are updated to include child resources. Consequently, a child resource is added to the self-management resources.

INC-277563

Issue with reconciliation for Users

We have fixed an issue with attribute reconciliation for the FirstName, LastName, and Email provisioning attributes. This fix adds FirstName and LastName to the OIS Account query and converts the User's FirstName, LastName, and Email properties into EXTENSIONATTRIBUTES with HISTORY.

If you have Governance for Omada Identity already installed, it is necessary to update the OIS system queries and mappings for the Account object type:

Removed dependency

We have removed the dependency from the feature package Governance for Omada Identity to the Business Contexts feature package.

INC-277494, INC-277497

Missing documentation for setup Azure KeyVault for Omada Vault usage

We have updated the documentation for the Azure Key Vault connection:

  • We have clarified the Authmethod parameter description when creating a connection to an Azure Key Vault.
  • We have added the information about the requirement for the Key Vault Secrets User role assignment on the Azure Key Vault resource for proper permissions.

INC-278891

Governance for Omada Identity - Technical identities

We have added a new procedure that describes the steps required for creating a technical identity for service accounts. See Activation postrequisites in the Governance for Omada Identity Activation section.

INC-277402

Governance for Omada Identity feature is missing default culture and default language for newly created users

We have updated the documentation to clarify that when creating a new account, if the culture, langId, or timeZoneId properties are not specified in the task mappings, their values will default to the corresponding settings in the customer configuration: DefaultCulture, DefaultLanguage, and DefaultTimeZone.

For more information, refer to the following documentation:

INC-277580