Version: On prem: 15.0.3

Resolved Issues and Bug Fixes

Read more about resolved issues and bug fixes in this release.

Language versions

Portuguese language support

We have added a workaround for customers who have added the Portuguese language to Omada Identity. If you have previously added the Portuguese language to Omada Identity, do not update the database with the Portuguese language. This workaround is required to ensure that Portuguese is not updated in the database. Execute the following SQL query:

IF NOT EXISTS (
    SELECT 1 
    FROM tblCustomerSetting 
    WHERE [Key] = 'ExecutedSystemUpdateActions' 
    AND (ValueStr LIKE 'AddPortugueseLanguageSupport,%' OR ValueStr LIKE '%,AddPortugueseLanguageSupport,%' OR ValueStr LIKE '%,AddPortugueseLanguageSupport')
)
BEGIN
    UPDATE tblCustomerSetting 
    SET ValueStr = ValueStr + ',AddPortugueseLanguageSupport' 
    WHERE [Key] = 'ExecutedSystemUpdateActions'
END

Access Approvals

Approval task is auto-completed when it is reassigned

We have fixed a bug in the Access request approval flow that caused an approval step to be auto-completed in some cases where the approval was reassigned to a different user.

INC-281357

Encountering a 404 error on the Approval task page

We have fixed a bug where users were encountering a 404 error when clicking on Approval task links in email notifications.

INC-283097

Survey escalation not working as intended - sending unnecessary emails

We have fixed a bug in the new approval UI that caused emails to be sent to survey assignees who had already completed their questions when the approval survey was configured with an escalation event definition.

INC-284546

Access Request

Request flow can not handle UTF-8

We have fixed a bug in which the descriptions of the resource assignments were not decoded in the UI.

INC-281826

Cannot reliably copy text out of a DataGrid cell

It was not possible to copy text from DataGrid cells. This is now fixed, and you can copy any text by selecting the cell within the grid.

New Access request - Not visible account types which are available for identity

We have fixed a bug that prevented the selection of account types for identities in the new Access request. Now, it is possible to select account types that the resource can handle.

Personal account is auto-selected for identities without personal accounts

We have fixed a bug in the Access request that prevented selecting account types defined for a resource. If the resource folder didn't have any account types, the default account type was returned.

INC-282110

Problem when viewing resource info containing Booleans after updating

We have fixed an issue that was causing errors when opening details form for identities or resources. This problem occurred if any Boolean was present on the data object.

INC-285330

New Access request is slow to submit

We have fixed a bug where submitting via the new Access request UI was very slow. The submission speed decreased as the number of resources increased.

INC-274268

Request process not possible to hide from Home page for specific user groups

We have fixed an issue in the request process in the new UI. Now, the Request access and Extend access cards are hidden from the home page in case the user doesn't have the Create permission for those processes. In addition, we have hidden the Request access and Extend access cards in the Add shortcut dialog from the Edit mode of the home page.

Enterprise Server

OIM_RoPECRACSV.aspx view fails if target is not screen but CSV

We have fixed an issue with the OIM_RoPECRACSV.aspx view. Now, when you try to export the data in the CSV or PDF format, and do not select at least one of the required criteria, there is a new warning saying: The export needs at least one of the criteria selected.

INC-279599

Browser search in XML editor scopes to viewport only

We have improved the XML input fields in the ES portal to allow searching (CTRL + F) in the whole field instead of the viewport only.

INC-282341

RefPath expression not working for empty string

We have fixed an issue with RefPath: previously, it only accepted string parameters that contained at least 1 character. Now, we have reduced it to 0 so that it also supports empty strings.

SR-282934

Event definitions page not showing context dots

We have fixed an issue with the event definition screen, where the code method log option was not displayed for a user with proper access.

INC-283158, INC-283132

Expression filter (on view) works differently if right side value or property compared by "like"

There was an issue with the Like operator in event definition filter expressions. We have now fixed it: there is a warning stating that we do not support the Like operator and property on the left and right side of an expression.

INC-282890

Logging Framework with async targets don't discard on error

We have implemented a change that will prevent the Log Request Queue for asynchronous loggers to grow and cause OutOfMemory issues. By default, we now use the configuration for AsyncTargetWrapper, that is, QueueLimit 10000 and OverflowAction Discard. This default configuration means that if the log request queue exceeds 10,000 items, then log items will be discarded until there is space in the queue again when items in the queue are written to the target. The configuration also disables logging below warning level after the target has started discarding log entries.

INC-282996

Performance issue - failed data imports

We have fixed an issue with object type logging that occured when the EnableSystemEventLogging customer settings was enabled and the data object did not have a previous version.

INC-285755

PropertyAccessModifier is ignored with the Modern UI My identity form

We have fixed an issue where Authoritative Source Policies were not applied in the new UI, which made managers unable to edit forms (for example, My identity form), as the forms were displayed in the read-only mode.

INC-284424

Issues in the new Identity form

There was an issue with the reference property hidden field causing the new Identity form to fail on sending. There was also a bug in which the set property with Boolean values displayed on checkboxes group caused an error in the form. We have now fixed both.

INC-284507

File attachments no longer copied from process to data object

There was an issue with file attachments not being copied from processes to data objects. Now, the CreateDataObjectFromTemplate2 code method respects the copy attachments copy rule configuration.

INC-284068

Update actions removed and SQL script revised

As part of the maintenance of the product code, we have revised the ES database script dbcr.sql and removed a number of update actions (schema updates and migrations). Only update actions added prior to version 14.0.16 are affected.

Master setting with MIM Password Reset Client

We have removed an unused master setting, PWRFIMCLIENT.

INC-284552

Import of changes without status

There was an issue in the Configuration change import screen. Previously, the status message of some imported changes would remain empty even though the configuration changes were imported successfully. The empty message prevented proper filtering on the status column. We have now fixed it.

INC-282346

Role and Policy Engine

Provisioning status issue

The documentation was missing details about skipping the OK (Pending Confirmation) status of provisioning. Now, we have updated the documentation with the information that this state can be skipped in the flow under certain circumstances: for example, if you disable provisioning for a resource data object, the provisioning status will be directly set to OK, or if a provisioning task fails because the object already exists in the target system, then the status will be set to Failed before changing to OK after the next import.

For more details on the provisioning statuses, see: Provisioning status values.

INC-281077

RoPE error: Expression has to contain only multiple value parameters with the same amount of values in each parameter

We have fixed an issue in the RoPE AttributeValueResolver expression handler that, when comparing a multi-value attribute with null, caused the error: Expression has to contain only multiple value parameters with the same amount of values in each parameter.

INC-281839

RoPE performance issue

We have fixed a performance issue where the discovery of auto accounts for logical applications generated many duplicate auto accounts. We have also fixed a performance issue where resolving the assignment attribute values was impacted by the number of context memberships and assignment attributes.

INC-280861

Implicitly assigned resources without "is managed" are being removed

We have fixed the way we calculate an implicit parent. Now, to become implicitly assigned, a role must meet the following conditions:

The identity is assigned to all the child resources of the role.
None of the child resources is in disabled state. If any of them is in disabled state, then the role will not be implicitly assigned. However, if a child resource is marked as deleted, typically because it is deleted in the target system, RoPE will still assign the parent role implicitly if the remaining child resources are assigned.

For more details, see the Implicit assignments of roles section in Assignments.

INC-282343

Calculations not being triggered

We have implemented a change in the self-management RoPE extension. The calculated assignment attributes for referencing the managed objects were previously persisted in RoPE.tblCalculatedAttributeValue.ValueStr as strings containing the property value of the ID property, for example, OUID or SYSTEMID. Now, the reference values are persisted in RoPE.tblCalculatedAttributeValue.ValueRef as GUIDs containing the UID of the referenced DataObject, for example the UID of an OrgUnit.

This change fixes issues with timeouts in the queuing mechanism when looking up, and improves the general performance of the extension.

note

All Self-management attributes must now be configured as reference attributes in the RoPEReferenceAttributes customer setting. An update action migrates the existing self-management configurations, but after that, the idAttribute system name must be added to this customer setting for new self-management configurations. For more details, see Add self-management configuration to additional data object types.

INC-282773, INC-283861

RoPE timeout in `GetIdentitiesWithNowValidPreValidAssignments`

We have implemented an improvement to an SQL statement causing a timeout exception in the call GetIdentitiesWithNowValidPreValidAssignments().

Issue with RoPE handling relayed deprovisioning claims

We have implemented a change in the handling of relayed deprovisioning claims. Previously, a relayed deprovisioning task was duplicated if an import was run before the provisioning task were completed. Now, a relayed deprovisioning claim does not expire with an import.

INC-283564

Connectors

Committing provisioning settings using the SSH Connector results in an empty error

It was not possible to use some combinations of collectors/connectors. For example, using the LDAP collector and SSH connector in one system resulted in an error message when committing OPS settings. This issue has been fixed.

INC-281842

SQL data import (collector) – user is encrypted when editing connection details

In the SQL collector, with the connection string provided, the password was encrypted after saving. If the password was weak, it was unintentionally encrypted, too (it occurred in other places of the connection string). For example, the password test and username testUser resulted in the username changed to [encryptedValueForTest]User. This issue has been fixed.

Active Directory OPS didn't accept a slash (/) in the organizational unit field

The Active Directory connector returned an error if the organizational unit contained a slash (/). This issue has been fixed.

INC-284508

REST connectivity - EndpointAddress object detail

In the REST and REST-based connectors, the EndpointAddress object detail was used to replace the entity root setting, even if it contained a full URL (with protocol). This behavior was modified: if the EndpointAddress object detail contains a full URL (with protocol), it now replaces the base address and entity root (in some cases only the entity root, as before).

INC-285447

Relay connectivity - updates

We have fixed the following issues:

Task results were not updated when various errors occurred (the get status operation).
If a task ended with failure at the get status operation (and during the next run it was pending), only the provisioning job result was changed back to relay. The task status was still failed.
(REST Relay only) If a task was rejected at the target system side, the task message was very unclear and result values were not updated.

INC-286052

REST/SCIM - content-type header charset

The REST/SCIM connectors had the content-type header charset (for example: application/json; charset=utf-8) set even if the header was explicitly set to, for example, application/json. We have fixed this issue - now, if the header is explicitly set in configuration without charset, the charset won't be added to the header.

INC-286990

Other

We have fixed a bug in the Compliance Workbench by updating the tooltip for the compliance status column to provide a clearer explanation of its meaning.

Unable to complete application onboarding process

We have fixed a bug in the application onboarding process that, in certain cases, prevented you from completing the onboarding if you did not have elevated permissions for resources.

INC-282339

Ignore duplicate keys in translation files

We have fixed an issue with duplicate keys in translation files. Before, some custom translation files had duplicate elements with the same original value, while the original value should be a unique key. This caused ES to fail when loading the custom translation files. Now, the duplicate keys are ignored in the custom translation files.

Measures preventing Cross-Site Scripting (XSS) attacks

As a part of an ongoing effort to improve the security of our application, we have implemented a number of measures to prevent Cross-Site Scripting (XSS) attacks. We have addressed both the new UI and the old UI pages, including the Access Request flow and a number of other pages that rely on displaying formatted data.

SR-283987

Documentation

Issue with enabling a custom data object type for OData

We have added missing information in the documentation on data object types. We have specified that when the Require process to create and modify objects data object type is checked, it cannot be queried through OData, and when the Enable this type for OData data object type is checked, it can only be queried if Require process to create and modify objects is unchecked. For more details, see Data object types – Advanced fields.

INC-284245

Governance for Omada Identity - OData permissions?

We have made the OData API documentation more precise, specifying which users are excluded from the users entity type in cloud and on-prem versions of Omada Identity. For more details, see the Data object type section of OData REST API.

INC-282670

Potential SQL Injection in JSON POST Parameter

We have fixed a bug where a JSON POST request with the sidx parameter modified to include a quotation mark would return an error message. To address this issue, we have added an additional validation for the sidx parameter in the http://webservice/JQGridPopulationWebService.asmx/GetPagingData API endpoint.

INC-284331

Potential XPath Injection in JSON POST Parameter

We have fixed a bug where a JSON POST request sent to the application with te GroupBy parameter modified to include a single quote would return an error message. To address this issue, we have added an additional validation for parameter GroupBy in http://webservice/JQGridPopulationWebService.asmx/GetPagingData API endpoint.

INC-284329

Visibility issues for export warning

There was an issue with the visibility of the export warnings after the November 2024 update. Warnings were not visible on the Omada Identity system if the Governance feature was not enabled. The issue has been resolved and the warnings are now displayed correctly.

Translations: custom translations are not overriding master file

We have added documentation on how to configure translations in the Cloud portal. If you want to know more, go to Translations.

INC-280295

Microsoft Exchange connectivity - distribution groups documentation update

The documentation for Microsoft Exchange connectivity has been updated. It now describes the use of any field returned by the Get-DistributionGroup command. You can incorporate them in your queries and mappings.

Language versions​

Portuguese language support​

Access Approvals​

Approval task is auto-completed when it is reassigned​

Encountering a 404 error on the Approval task page​

Survey escalation not working as intended - sending unnecessary emails​

Access Request​

Request flow can not handle UTF-8​

Cannot reliably copy text out of a DataGrid cell​

New Access request - Not visible account types which are available for identity​

Personal account is auto-selected for identities without personal accounts​

Problem when viewing resource info containing Booleans after updating​

New Access request is slow to submit​

Request process not possible to hide from Home page for specific user groups​

Enterprise Server​

OIM_RoPECRACSV.aspx view fails if target is not screen but CSV​

Browser search in XML editor scopes to viewport only​

RefPath expression not working for empty string​

Event definitions page not showing context dots​

Expression filter (on view) works differently if right side value or property compared by "like"​

Logging Framework with async targets don't discard on error​

Performance issue - failed data imports​

PropertyAccessModifier is ignored with the Modern UI My identity form​

Issues in the new Identity form​

File attachments no longer copied from process to data object​

Update actions removed and SQL script revised​

Master setting with MIM Password Reset Client​

Import of changes without status​

Role and Policy Engine​

Provisioning status issue​

RoPE error: Expression has to contain only multiple value parameters with the same amount of values in each parameter​

RoPE performance issue​

Implicitly assigned resources without "is managed" are being removed​

Calculations not being triggered​

RoPE timeout in GetIdentitiesWithNowValidPreValidAssignments​

Issue with RoPE handling relayed deprovisioning claims​

Connectors​

Committing provisioning settings using the SSH Connector results in an empty error​

SQL data import (collector) – user is encrypted when editing connection details​

Active Directory OPS didn't accept a slash (/) in the organizational unit field​

REST connectivity - EndpointAddress object detail​

Relay connectivity - updates​

REST/SCIM - content-type header charset​

Other​

Compliance workbench tooltip correction​

Unable to complete application onboarding process​

Ignore duplicate keys in translation files​

Measures preventing Cross-Site Scripting (XSS) attacks​

Documentation​

Issue with enabling a custom data object type for OData​

Governance for Omada Identity - OData permissions?​

Potential SQL Injection in JSON POST Parameter​

Potential XPath Injection in JSON POST Parameter​

Visibility issues for export warning​

Translations: custom translations are not overriding master file​

Microsoft Exchange connectivity - distribution groups documentation update​