Resolved Issues and Bug Fixes
Read more about resolved issues and bug fixes in this release.
UI and UX
Child resources column displaying incomplete data on Access page
The Child resources column on the Access page caused confusion, as its name did not clearly describe the information it contained. To improve clarity and consistency, the column has been renamed to Child assignments, better reflecting its actual content.
INC-290495
Encoding wrong in Process templates because of opening of process template
An issue caused unnecessary text encoding in the Process Designer. It has now been fixed: special characters now display correctly, ensuring proper readability and consistent formatting.
INC-298435
Changes not saved in access right tab
We fixed a bug where grid layout changes were not persisted after navigating away from the screen.
INC-304218
Access request
Issue with access requests and account types
We have fixed an issue where the request access form required selecting an account type before proceeding, causing unnecessary confusion.
INC-300270
Homepage shows legacy access request card
We have fixed a bug where the homepage continued to show the legacy access request card. To fix this, we have added a new customer setting UseNewUIAR. When set to True, the system now automatically updates the default homepage configuration to display the new UI access request card.
Go to January 2026 Cloud Update Release Notes to know more.
No applicable account type in access request
We have fixed an issue where, after the November 2025 update, the access request process for Exchange hybrid user mailboxes failed with the error ‘No applicable account type’ despite the identity having a valid AD account.
INC-301895
INC-302390
Send on behalf request for Exchange Online not working
We have fixed an issue where the Send on behalf request for Exchange Online in the access request workflow did not work because a mailbox could not be selected as a parameter.
INC-299942
Account type issue in access request
We have fixed an issue where a personal account was auto‑assigned even when a valid non‑personal account was available.
INC-303190
New assignment explorer showing wrong history data
We have fixed an issue where the missing calculationId parameter caused the system to always display current data instead of historical data. Historical results are now correctly shown when applicable.
INC-303583
Prioritization policies not working correctly
We have fixed an issue where prioritization policies correctly disabled parent role assignments but failed to disable the corresponding child resource assignments.
#INC-305529
Regression in the Access request
We have fixed a bug related to the automatic account type selection in the new Access UI by adding a new customer setting SetDefaultAccountTypeInAccessRequest with default value set to True; when True, the default account is automatically selected as before, and when set to False, users with more than one valid account are forced to choose which account to use during access request.
INC-302761
Approvals show incorrect Requested By for Extend access
We have fixed a bug that caused the field to be incorrectly mapped. Now, the field is correctly mapped to the identity requesting the extension.
CalculatedAssignmentVerdictSurveyPostActionHandler setting verdictDate to 9999 days
We have fixed a bug that caused negative verdicts to be created for implicit assignments during survey launch. Two new survey settings have been introduced for Access review for Managers and Access review for Resource Owners: dontCreateNegativeVerdictsForImplicitAssignments, which prevents negative verdicts for implicit assignments when enabled, and applyExpiresAfterDaysToRemoveVerdict, which controls whether Remove verdicts use the configured expiry period or the default 9999 days.
INC-301760
Unable to turn on mass edit and reassignment in approvals
We have fixed a bug that prevented users from turning on mass edit. Mass edit is now enabled by default in the Access request approval survey, and a new user group, Approve requested access survey admins, has been added as survey admins for the Access request approval survey. You can add members to this user group to configure the survey admins.
For more information, go to the Users and user groups documentation.
INC-302778
Cancelled access request should not be considered as Direct assignment during RoPE calculation
We have fixed a bug that caused cancelled resource assignments to be incorrectly loaded in RoPE because assignments with the status Cancelled were not excluded during processing. The filtering logic has been updated to also exclude assignments with the status Cancelled, ensuring that only relevant resource assignments are loaded.
INC-294979
Role and Policy Engine
RoPE ShadowObject Executor not handling transactions correctly
We have fixed an issue where, if a shadow data object for a calculated resource assignment had multiple event definitions defined and one of them failed with an exception, only the failed event’s transaction was rolled back. Now, all the event definitions for the calculated resource assignment event are executed within the same transaction.
INC-294815
Access review verdict bypassing account type filters
Due to an issue, RoPE created multiple assignments when a child resource was linked to more than one account type and its parent resource had the “Review OK” reason. Previously, an assignment was generated for each account the identity had, ignoring the parent role’s limitations. These limits now work correctly for the “Review OK” reason, consistent with the behavior for Direct and Policy reasons.
INC-300310
RoPE wrongly stating RA reason without being account-aware
We have resolved an issue where RoPE created additional child resource assignments when a parent resource had an implicit assignment with the Review OK reason. Previously, the system generated assignments for all account types defined on both the parent and child resources. If the child resource did not have an explicit account type, it defaulted to the standard account type and the one defined on the parent, resulting in unintended extra assignments.
Child resource assignments for parent assignments with the Review OK reason are now limited to the account types defined on the parent role, ensuring consistent and expected behavior.
INC-291143, INC-289596
RoPE: improved handling when no assignment policies are defined
Previously, RoPE attempted to load too many potential contexts in the absence of assignment policies. The process now handles this scenario more efficiently, reducing unnecessary context loading and improving performance.
INC-297764
RoPE calculation
An incorrect update of internal IDs during changeset import resulted in RoPE failing to calculate actual assignments for the system. The issue has been resolved.
INC-301695
Performance and identity calculations
We have addressed a performance issue in RoPE where implicit assignment calculations in trusted system scenarios experienced severe performance degradation as the number of trusted systems increased. The optimization now maintains consistent performance regardless of scale.
INC-300254
RoPE calculations failing with Null reference exception
When SOD policy checks (simulations) were executed at the same time as RoPE calculations, the RoPE calculations could fail, logging the Null reference exception. This issue has now been fixed.
INC-301142, INC-301890
RoPE: enhanced error message for account pool lock conflicts
We've improved the Can't merge – account pool locks differ! error message shown during RoPE calculations when two assignments for the same identity and resource reference different accounts (a scenario commonly seen when trusted systems are involved). The updated message now includes details about the affected resource, as well as the specific accounts and systems involved, making it easier to identify and resolve the conflict.
INC-291771
Failed calculations requeued every day when new calculation discarded
There was an issue where calculations that failed due to a transient error, and then were recalculated with no changes (discarded calculations), were requeued again as failed calculations. It has now been fixed.
Governance feature package overwriting ALLOWDELEGATION property
Due to an issue, applying the Governance feature package caused certain resource type properties to revert to their default values instead of retaining their existing configurations. Now, resource type properties are preserved correctly during package application, ensuring that no unintended changes occur.
INC-297327
RoPE OutOfMemoryException in the Self-management extension
There were issues with RoPE throwing an OutOfMemoryException in the Self-management extension. We've improved the memory usage for this extension by storing results in custom data structure.
Slow RoPE processing
To fix the issue with slow RoPE processing, we have improved the process for removing historical RoPE calculation data.
INC-303239
Timezone issues creating deprovisioning jobs
An incorrect valid from date was set to direct resource assignments when created automatically as a result of a Keep survey verdict. This has now been fixed.
INC-301739
RoPE queues all identities with child roles when a new role is added
RoPE now queues identities with child roles only when a new role is added and CalculateImplicitAssignments is enabled. This resolves a performance issue where RoPE unnecessarily queued identities for calculation.
INC-303239
RoPE using a provisioning claim date for valid to on a SAP account
We have added the Provisioning claims and validity of assignments section to the Assignments documentation to clarify:
- why RoPE can use the provisioning claim date as the valid to value for SAP account assignments
- how long-running review periods can result in provisioning claims being purged based on the configured retention period.
INC-297022
ES Policy & Risk check re-run on long RoPE simulations
We have fixed an issue where the Policy & Risk check in ES was executed multiple times if the RoPE simulation took longer than five minutes. The Policy & Risk check now runs only once, regardless of simulation duration.
INC-301142
RoPE fetches all deleted DataObjects and executes individual SQL statements
We have improved the synchronization mechanism for deleted resources between Enterprise Server and RoPE to ensure more efficient handling and optimized database operations.
SR-301504
Long running recalculations
We have optimized the performance of Policy and Risk checks, resulting in reduced RoPE calculation times, especially in environments where SoD is enabled.
INC-305199
Identity Validity is not extended to EndOfDay when a new DataObjectVersion exists
We've fixed an issue that could occur when an Identity was modified in Enterprise Server shortly after being loaded into a RoPE calculation batch, potentially resulting in incorrect provisioning or deprovisioning. This could happen, for example, when a new value was imported and a timer-based event definition was triggered soon afterwards.
Previously, when the Identity was reloaded, the Identity Validity was not extended in accordance with the RoPE ExtendValidityPeriods setting.
INC-305013
Role assignments were not exported as Actual assignments
We've fixed an issue where RoPE did not export certain role assignments (including legacy roles without CBKs) as Actual assignments, causing missing or inconsistent data in Omada Data Warehouse.
INC-296532
Enterprise Server
Timer failing with error: Controller has a connection object
There was an issue where the RouteProcessOnDeadline code method attempted to load over 65,000 activities using an IN clause, which caused performance degradation. The method has been optimized to remove the need to call GetWorkItemData with such a large number of activity IDs.
INC-297087
Triggering continuous jobs and deleting the ENDUSER role
We have fixed an issue where some child resource assignments with multiple parents were incorrectly disabled when only one of the parent assignments was revoked. The issue was related to the order in which the parent assignments were merged.
INC-301985
Updated default error page behavior and HTTP status codes
The default Error page behavior in ES has been changed. Previously, it always returned HTTP 500 – Internal Server Error. Now, it returns the HTTP status code associated with the underlying exception. When no specific status is provided, the default is HTTP 400 – Bad Request.
All unhandled application errors are still redirected to error.aspx, which includes a reference code that can be used to look up detailed information in the logs.
Fetching secrets from Omada Vault in ES causing multiple loads
To resolve an issue where fetching secrets from Omada Vault in Enterprise Server triggered multiple loads, we have improved the speed of loading secrets from the vault.
SR-300534
Policy check error
We have applied the following optimizations in the performance of simulated RoPE calculations executed during policy checks:
- Optimizing resource loading during the batch preparation phase.
- Executing simulation calculations within the same RoPE engine instance to reduce redundant data loading.
INC-301142
INC-293583
Missing export mappings
We have resolved an issue with the missing export mappings in the Advanced view for the Omada Identity system.
INC-302706
Prolonged imports
We've resolved an issue with prolonged imports caused by unstable or broken PowerShell sessions when retrieving distribution group members. The error handling in the Exchange connector has been improved to properly detect and recover from failed PowerShell sessions.
INC-305766
Import status inconsistencies
There was an issue with a warning being visible with no related errors in the import execution log present. The inconsistencies have been removed and unwarranted warnings are no longer displayed.
INC-305009
Missing employments
There was an issue with missing employments in the Enterprise Server related to context data not available during the adaptation stage, and as a result, not exported. The issue has been resolved by improving the handling of context and context assignment synchronization and fixing the way deferred export mappings are processed.
INC-300291
Fixed update failure for long property values
We fixed an issue where updating object property values longer than 200 characters could fail for properties marked as Unique.
The error was caused by an nvarchar length mismatch in temporary normalization tables when processing long property values.
INC-304654
Resource assignment properties dialog did not apply changes when selecting OK
We've fixed an issue where the Properties dialog for the Resource Assignment data object type did not respond when clicking OK, preventing users from modifying and saving property values.
INC-304747
Omada Provisioning Service
Improved error handling for object display failures
Error handling has been updated when loading objects via email links. Instead of showing a generic application error, the system now displays a more user-friendly message, providing clearer feedback to the user.
INC-293070
Adaptation errors
There was an issue where attempts to remove references to a nonexistent object resulted in adaptation errors during import. Now, the behavior issues have been resolved, and the process completes without generating adaptation errors.
INC-297071
Incorrect ExpiresOn value for provisioning claims
We have resolved an issue where the ExpiresOn parameter value for relayed provisioning jobs and failed claims was incorrectly set to two days. The value is now configured to ten days, resolving the issue.
INC-297420
Parallel processing of provisioning jobs
There was an issue with provisioning jobs running one at a time rather than in parallel, despite the Block parallel processing setting was unchecked. In Review mode and for provisioning jobs exceeding the configured threshold, the concurrent connections are ignored, causing the issue. To address it, we have introduced the Enable concurrent connections for review mode setting, allowing parallel processing even when Review mode is enabled.
INC-299684
Surveys
Failure to download the survey report from All Surveys
We have enhanced the queued download feature to provide smoother and more reliable survey export operations. These updates improve overall performance and prevent system slowdowns during periods of high activity: exports now run more efficiently with improved connection handling.
INC-292099
Surveys - queued download feature performance
The survey export operations (using the queued download feature) are now smoother and more reliable. These updates improve performance and prevent system slowdowns during high activity.
Attestation surveys not launching
There could be issues with launching attestation surveys. To fix it, we have enhanced the Surveys and Compliance Workbench RoPE views.
INC-302175
Error returned by server blocking survey completion
Users could face an Error returned by server that prevented them from completing surveys. This has now been fixed.
For details, see the updated the documentation of the technical preview feature Approve survey questions create direct resource assignments documentation.
INC-302004
Transfer survey property is not copied
We have fixed a bug in the Transfer identity assignments process where the System property was not copied to transferred identities.
INC-304445
Closure of recertification survey has some limitations
We have fixed a bug where resource assignments were not properly updated after recertification campaigns. Resource assignments descriptions now clearly reflect access removals during recertification, including non-response cases, ensuring the latest and most relevant status is shown.
Go to Changes for more information.
INC-304445
Approval surveys close only for transferred identity
We have fixed a bug where approval surveys were incorrectly closed during identity transfer when multiple identities were involved. Approval surveys are now closed only if they contain assignments exclusively for the transferred identity, while surveys with other pending identities remain open. Pending assignments for the transferred identity are correctly marked as Obsolete without affecting others.
INC-304593
Manager can not submit survey tasks
We have fixed an issue where resource assignments were incorrectly transferred during the Transfer identity survey. The system now detects Expired assignments, marks them as Obsolete, and skips transferring them with a clear explanatory message.
INC-304470
Post action handler OIS_ResourceAssignmentSurvey fails with error
We've resolved an issue with the OIS_ResourceAssignmentSurvey post action handler which was failing and returning an error. We've restored the legacy survey-related SQL tables and reinstated the corresponding post action handler code to resolve the issue.
INC-305210
Connectors
REST/OData - alias mappings variables inside nested URLs not available
For the REST/OData connectors, it was not possible to use alias mapping variables inside nested URLs during data import. This issue has been fixed. The PARENT_ prefix should still be used.
INC-300605
TimeZoneInfo class support
The TimeZoneInfo class is now supported in task mapping expressions.
INC-301194
Certificate-based authentication to Entra ID - thumbprint unauthorized error
The Entra ID connector uses the JWT X.509 certificate thumbprint, adding this value without any changes to the x5t JWT header. The x5t header expects a base64url-encoded SHA-1 thumbprint. The thumbprint in the Azure portal is a hexadecimal representation of the same SHA-1 hash. Copying the thumbprint directly from the Azure portal resulted in unauthorized error.
The connector has now been improved – it checks the format of the provided thumbprint and, if necessary, performs a required conversion.
INC-291204
SOAP and SOAP-based systems not respecting the timeout setting
SOAP and SOAP-based systems (for example, SAP systems) didn't respect the timeout setting, which could lead to timeout errors if the server needed more than 30 seconds to respond. This issue has been fixed.
INC-300622
Exchange Online - not all role/distribution groups are returned
The commands used to retrieve distribution and role groups returned 1000 groups (as maximum) by default. Now all existing groups are returned without any result limit.
INC-300631
Salesforce connector - malformed URL when using ResourceGetPath
The Salesforce connector incorrectly combined the value from the path for Salesforce objects setting with the ResourcePathGet object detail (if defined). It occurred in operations that checked if the object exists, and it resulted in malformed URLs (for example: .../services/data/v45.0/sobjects/.../services/data/v45.0/query?q=...). The issue has been fixed. The path for Salesforce objects value is not used anymore for checking if the object exists (if the ResourcePathGet object detail is specified).
INC-301617
Active Directory delta import does not retun old assignments
In the Active Directory connector, if the following options were enabled (and the domain controller was changed):
[x] Full import in case of domain controller change
[x] Full import in case of domain controller change and error
then a full import was performed, but it also included deleted assignments. This issue was fixed.
INC-303565
Identity Governance – missing option (OData connector)
There was an option missing for Windows authentication methods in the connector settings. It can now be selected during the setup.
INC-304683
REST Relay anchor property
Anchor values were not properly resolved between the tasks in the REST Relay connectivity (it occurred because of the architecture of the relayed connectivity). We introduced a new anchor placeholder to handle this issue, see REST Relay for details.
INC-297154
SAP connector as a template connector
SAP Connectivity Framework 6.0 connector was not a template connector, it was not an intended behavior. The connector is now a template connector.
For all systems using this connectivity package, a copy of the connector was created using the following naming convention: SAP Connectivity Framework 6.0 (system name).
INC-305028
OAuth2 Custom authorization support
OAuth2 Custom authorization is now supported when testing the connection with the Cloud Application Gateway enabled.
INC-304718
Cloud Application Gateway OAuth JWT authorization not supported
OAuth2 JWT authorization is now supported when testing the connection with the Cloud Application Gateway enabled.OAuth2 JWT authorization is now supported when testing connection with the Cloud Application Gateway enabled.
INC-305059
Review mode for RLM/DOLM task mappings
The review mode setting was not respected for RLM/DOLM task mappings. This issue was fixed.
INC-300290
LDAP connector – byte array attributes
The LDAP connector now supports attributes sent as a byte array.
The following format is supported: bytes:Base64OrHexRepresentationOfBytes.
INC-303205
Review mode not working for multiple task mappings
If the review mode was set for several task mappings (for the same resource type), it was read from incorrect mappings (for example, from a disabled one). This issue was fixed.
INC-303668
REST connector - multiple parent variables
The January 2026 Cloud Update introduced a new functionality for the REST connector, providing support for multiple parent variables in the nested URL.
If the URL included anything else in the curly brackets, it was recognized (expected) as a variable. This behavior was changed: If the part in the curly brackets contains special characters, it is not treated as a variable.
INC-306689
Vault service and multiline settings
Using the Vault Service for multiline settings (for example, private keys) did not work correctly. This issue was fixed.
Omada Data Warehouse
Updated OdwUpdater assemblies
We've fixed an issue causing OISIT failures on NVOB environments due to missing and outdated ODW product files.
The ODW build has been updated with new assemblies located in DataWarehouse\Support Files\OdwUpdater. The following files have been added:
Omada.Identity.HistoryTracking.Database.Contract.dllOmada.Identity.HistoryTracking.Database.Migrations.dllOmada.Identity.OperationalDataStore.Database.Contract.dllOmada.Identity.OperationalDataStore.Database.Migrations.dll
These assemblies replace the previous Omada.Identity.OdwUpdater.Master.Migrations.dll assembly.
Policy check error
We have resolved an issue that occurred when exporting resource assignments to the Omada Data Warehouse while RoPE processed identities in Simulation mode. This scenario could cause locks and timeouts during processing. The export now runs reliably without triggering such issues.
INC-301142
Security
Web service: improved access control in GetViewInfo
We have enhanced access control for the GetViewInfo web method. The method now consistently enforces existing authorization rules.
INC-294061
Authorization of display name retrieval
As part of ongoing security improvements, access validation in the web service has been strengthened to improve the authorization of display name retrieval for data objects. The viewId parameter is now mandatory for the endpoint.
INC-289703
Translations
Missing translation of menu item Compliance Workbench in all languages
We have fixed an issue where the Compliance Workbench menu item lacked translation and remained in English across all supported languages.
Translations - Error message in English
We have fixed a bug where the error message translation was missing. The translation has now been added for all supported languages.
#INC-302596
Other
ODW import logs are not sent to Azure Log Analytics
When configuring logging to Azure Log Analytics via Azure Log Ingestion, logs from ODW imports are not sent unless additional configuration is applied.
On the SSIS server, add the following binding redirects to the correct DTEXEC.exe.config file (located next to the DTEXEC.exe used by the environment):
<dependentAssembly>
<assemblyIdentity name="Azure.Core" publicKeyToken="92742159e12e44c8" culture="" />
<bindingRedirect oldVersion="1.47.1.0-1.50.0.0" newVersion="1.50.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Threading.Tasks.Extensions" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
<bindingRedirect oldVersion="4.2.0.1-4.2.1.0" newVersion="4.2.0.1" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
<bindingRedirect oldVersion="6.0.0.1-9.0.0.3" newVersion="9.0.0.3" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Text.Json" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
<bindingRedirect oldVersion="8.0.0.5-9.0.0.3" newVersion="9.0.0.3" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="4.0.4.1-6.0.3.0" newVersion="6.0.0.0" />
</dependentAssembly>
Since multiple folders may contain DTEXEC.exe, ensure you update the DTEXEC.exe.config file located in the same directory as the DTEXEC.exe instance used by the environment.
Internal high watermarks not resetting
There was an issue where scheduled data synchronization was not resetting internal high watermarks. The issue has been resolved with the introduction of the StartFullSyncImportProfile code method that also resets the internal high watermarks. This allows scheduling a full synchronization of master data, either by configuring the Master data import profile or pairing it with a full source system data import.
INC-291379
Failing clean-up import
The clean-up import consistently failed and rolled back deletions, preventing a correct audit trail clean-up. This issue has been resolved.
INC-299338
Inconsistencies in environments with Horizons enabled
We have resolved an inconsistency issue in environments with the Horizons solution enabled, including issues with the recalculation of identities while the import was still running.
INC-298001
System overview loading time
We have improved the performance of the System overview page for the Horizons users, reducing loading times and improving user experience.
INC-301552
Request of app role not possible when user already has an account
We have fixed an issue where you couldn't request an app role if they already had an existing account in the system. To address this, we introduced a new customer setting that ensures the system correctly processes app role requests for users with pre‑existing accounts. For more details, see the Changes section in Release notes
INC-298443
GraphQL introspection queries
We fixed an issue that prevented you from configuring certain GraphQL API behaviors. You can now enable or disable GraphQL introspection by using the new customer setting IntrospectionEnabled.
INC-302112
Multi-byte Unicode icons not displayed properly
We have fixed an issue where the Unicode icons were not rendering correctly in the Reference tree.
INC-294577
Function-level access controls issues
We have fixed an issue where improper access controls allowed lower‑privileged users to perform actions intended only for higher‑privileged roles.
INC-294061
Trying to delete an assignment
We have fixed an issue where the error message was not displayed correctly when deleting an assignment.
INC-301029
Issue with reading specific characters during installation
We've fixed an issue where on-prem installations could fail during OIS database configuration due to incorrect handling of specific characters in the dbcr.sql script.
INC-300627
Time Service Perform throws a delete error
We have fixed an issue where the Time Service repeatedly failed to delete a user due to foreign key constraints.
#INC-303552
Resource exhaustion in GraphQL
We have fixed a performance vulnerability in the full-text search functionality by introducing validation that prevents excessive repetition of search terms, mitigating potential resource exhaustion and DoS (Denial of Services) risks caused by repeated search values.
#INC-293834
Expiry date in Delegation request gets overwritten
We have fixed a bug that caused entire delegation objects to expire when a delegator lost access to a single resource, now ensuring only the affected resources are removed while the remaining valid delegations stay active.
#INC-295972
Scroll bars in views with small screens using Firefox
We have fixed a CSS issue where the scrollbar overlapped the last row in grids, for example, in Identities.
#INC-302324
Preview installer checks wrong .Net core version
There was an issue where the data preview installer was checking for an incorrect version of the .Net core. The issue has been resolved and the installer now checks for the correct .Net core version.
INC-305495
Expire resource assignments is not working
We have fixed a bug that prevented the ExpireResourceAssignmentsIfLastContextAssignmentExpired feature from expiring resource assignments when the last related context assignment had expired, even though the scheduled event executed successfully. The event processing logic has been corrected to properly evaluate the context condition and expire the affected resource assignments as intended.
#INC-302197
Omada Password Filter issue
We’ve fixed an issue with the Password Filter installer where required dependency DLLs were not added correctly to the GAC.
The installer has been updated to ensure all necessary assemblies are installed properly.
INC-298897
Documentation
Outdated CSP
We have updated the Upgrade guide steps for on-prem 15.0.4.
INC-306091
Updated obsolete ReferencePathAttributesValueResolver references
We've updated documentation examples to use the AttributeValueResolver RoPE extension instead of the obsolete ReferencePathAttributesValueResolver.
The obsolete resolver remains supported for backward compatibility.
Missing documentation on the effect of blocking access in SoD
We've updated the documentation about blocked and revoked assignments in SoD.
INC-302766
Updated documentation about Policy & Risk check configuration
We have updated the documentation about configuration options in the Policy & Risk check. Go to Policy & Risk check configuration options for more information.
INC-303684
Missing information on Access rights grid view
We have updated the documentation about how access rights are populated in the Access right tab. Go to Access right for more information.
INC-302921
Details on how $AccessReqOrgApprover calculates an approver
We have updated the documentation for the $AccessReqOrgApprover virtual reference property to provide additional clarification on approver resolution behavior. Go to Virtual reference properties for more information.
INC-305186
Omada Identity Graph API - Changelog
We have fixed an incorrect documentation path in the Omada Identity Graph API changelog for version 3.0.
INC-305186
TD Resource Revocation Status and deprovisioning job issue
We have fixed the issue. As part of this update, several product improvements were introduced, including renaming the Revoke access feature to Remove access for better clarity and alignment across the product.
INC-301193
Entra ID – connector documentation update
Entra ID connector documentation was updated to capture the queries and mappings execution order correctly.
INC-300419
Strict mode for Eligibility Filtering
We have updated the documentation for Eligibility Filtering to correctly describe how Strict Mode works. Go to Access request for more information.
INC-307258
SoD simulation during access request does not use validity period
The documentation has been updated to clarify how validity dates are handled for SoD checks during both access requests and access approvals.
Go to the Segregaton of Duties documentation to learn more.
INC-303144
Future revoke behavior
New documentation has been added to clarify the behavior of the Revoke action when a future date is selected, including how and when recalculation and deprovisioning are triggered. You can find it in the Survey verdicts – Revoke section, in the info box titled Important behavior for future revocation.
INC-301193
Cannot change to default layout view
The documentation has been updated to include additional guidance on view layout configuration.
Go to the Creating a view documentation to learn more.
INC-303458
Constraint error when adding a child resource to a permission
Previously, the documentation did not explain how to safely modify application roles that were part of active SoD constraints, which caused confusion when updates were blocked by existing violations. A new section now instructs administrators to temporarily disable and re-enable the Resource Internal SoD event definition when making such changes. This ensures consistent, supported handling of constrained resources.
For details, see Modifying child resources in application roles with constraints.
INC-298932
Application accounts used as a trust on business application not working
We have updated the Application onboarding documentation to clarify the configuration of trust and Auto create accounts in the guided onboarding process. The page now clearly distinguishes between manual and trusted management of application accounts, preventing misconfiguration and aligning guidance with intended system behavior.
For details, see the Guided onboarding process documentation.
INC-293533
Compliance status Pending deprovisioning based on constraint on application role
Previously, the documentation did not clearly describe how resource assignments with the valid from set in the future affected SoD violation statuses. When a resource assignment was scheduled to start later, the system set it to Disabled, which changed its violation status from Evaluation pending – usage allowed to Evaluation pending – usage prevented, causing unexpected deprovisioning. The updated definitions now explicitly explain this behavior.
For details, see Violation status calculator.
INC-285390