Version: Cloud

Resolved Issues and Bug Fixes

Read more about resolved issues and bug fixes in this release.

Access request

New assignment explorer showing wrong history data

We have fixed an issue where the missing calculationId parameter caused the system to always display current data instead of historical data. Historical results are now correctly shown when applicable.

INC-303583

Prioritization policies not working correctly

We have fixed an issue where prioritization policies correctly disabled parent role assignments but failed to disable the corresponding child resource assignments.

#INC-305529

Regression in the Access request

We have fixed a bug related to the automatic account type selection in the new Access UI by adding a new customer setting SetDefaultAccountTypeInAccessRequest with default value set to True; when True, the default account is automatically selected as before, and when set to False, users with more than one valid account are forced to choose which account to use during access request.

INC-302761

Approvals show incorrect Requested By for Extend access

We have fixed a bug that caused the field to be incorrectly mapped. Now, the field is correctly mapped to the identity requesting the extension.

CalculatedAssignmentVerdictSurveyPostActionHandler setting verdictDate to 9999 days

We have fixed a bug that caused negative verdicts to be created for implicit assignments during survey launch. Two new survey settings have been introduced for Access review for Managers and Access review for Resource Owners: dontCreateNegativeVerdictsForImplicitAssignments, which prevents negative verdicts for implicit assignments when enabled, and applyExpiresAfterDaysToRemoveVerdict, which controls whether Remove verdicts use the configured expiry period or the default 9999 days.

INC-301760

Unable to turn on mass edit and reassignment in approvals

We have fixed a bug that prevented users from turning on mass edit. Mass edit is now enabled by default in the Access request approval survey, and a new user group, Approve requested access survey admins, has been added as survey admins for the Access request approval survey. You can add members to this user group to configure the survey admins.

For more information, go to the Users and user groups documentation.

INC-302778

Enterprise Server

Prolonged imports

We've resolved an issue with prolonged imports caused by unstable or broken PowerShell sessions when retrieving distribution group members. The error handling in the Exchange connector has been improved to properly detect and recover from failed PowerShell sessions.

INC-305766

Import status inconsistencies

There was an issue with a warning being visible with no related errors in the import execution log present. The inconsistencies have been removed and unwarranted warnings are no longer displayed.

INC-305009

Missing employments

There was an issue with missing employments in the Enterprise Server related to context data not available during the adaptation stage, and as a result, not exported. The issue has been resolved by improving the handling of context and context assignment synchronization and fixing the way deferred export mappings are processed.

INC-300291

Fixed update failure for long property values

We fixed an issue where updating object property values longer than 200 characters could fail for properties marked as Unique.

The error was caused by an nvarchar length mismatch in temporary normalization tables when processing long property values.

INC-304654

Resource assignment properties dialog did not apply changes when selecting OK

We've fixed an issue where the Properties dialog for the Resource Assignment data object type did not respond when clicking OK, preventing users from modifying and saving property values.

INC-304747

Role and Policy Engine

ES Policy & Risk check re-run on long RoPE simulations

We have fixed an issue where the Policy & Risk check in ES was executed multiple times if the RoPE simulation took longer than five minutes. The Policy & Risk check now runs only once, regardless of simulation duration.

INC-301142

RoPE fetches all deleted DataObjects and executes individual SQL statements

We have improved the synchronization mechanism for deleted resources between Enterprise Server and RoPE to ensure more efficient handling and optimized database operations.

SR-301504

Long running recalculations

We have optimized the performance of Policy and Risk checks, resulting in reduced RoPE calculation times, especially in environments where SoD is enabled.

INC-305199

Identity Validity is not extended to EndOfDay when a new DataObjectVersion exists

We've fixed an issue that could occur when an Identity was modified in Enterprise Server shortly after being loaded into a RoPE calculation batch, potentially resulting in incorrect provisioning or deprovisioning. This could happen, for example, when a new value was imported and a timer-based event definition was triggered soon afterwards.

Previously, when the Identity was reloaded, the Identity Validity was not extended in accordance with the RoPE ExtendValidityPeriods setting.

INC-305013

Security

Web service: improved access control in `GetViewInfo`

We have enhanced access control for the GetViewInfo web method. The method now consistently enforces existing authorization rules.

INC-294061

Surveys

Transfer survey property is not copied

We have fixed a bug in the Transfer identity assignments process where the System property was not copied to transferred identities.

INC-304445

Closure of recertification survey has some limitations

We have fixed a bug where resource assignments were not properly updated after recertification campaigns. Resource assignments descriptions now clearly reflect access removals during recertification, including non-response cases, ensuring the latest and most relevant status is shown.

Go to Changes for more information.

INC-304445

Approval surveys close only for transferred identity

We have fixed a bug where approval surveys were incorrectly closed during identity transfer when multiple identities were involved. Approval surveys are now closed only if they contain assignments exclusively for the transferred identity, while surveys with other pending identities remain open. Pending assignments for the transferred identity are correctly marked as Obsolete without affecting others.

INC-304593

Manager can not submit survey tasks

We have fixed an issue where resource assignments were incorrectly transferred during the Transfer identity survey. The system now detects Expired assignments, marks them as Obsolete, and skips transferring them with a clear explanatory message.

INC-304470

Post action handler `OIS_ResourceAssignmentSurvey` fails with error

We've resolved an issue with the OIS_ResourceAssignmentSurvey post action handler which was failing and returning an error. We've restored the legacy survey-related SQL tables and reinstated the corresponding post action handler code to resolve the issue.

INC-305210

UI and UX

Changes not saved in access right tab

We fixed a bug where grid layout changes were not persisted after navigating away from the screen.

INC-304218

Connectors

Active Directory delta import does not retun old assignments

In the Active Directory connector, if the following options were enabled (and the domain controller was changed):

[x] Full import in case of domain controller change
[x] Full import in case of domain controller change and error

then a full import was performed, but it also included deleted assignments. This issue was fixed.

INC-303565

Identity Governance – missing option (OData connector)

There was an option missing for Windows authentication methods in the connector settings. It can now be selected during the setup.

INC-304683

REST Relay anchor property

Anchor values were not properly resolved between the tasks in the REST Relay connectivity (it occurred because of the architecture of the relayed connectivity). We introduced a new anchor placeholder to handle this issue, see REST Relay for details.

INC-297154

SAP connector as a template connector

SAP Connectivity Framework 6.0 connector was not a template connector, it was not an intended behavior. The connector is now a template connector.

For all systems using this connectivity package, a copy of the connector was created using the following naming convention: SAP Connectivity Framework 6.0 (system name).

INC-305028

OAuth2 Custom authorization support

OAuth2 Custom authorization is now supported when testing the connection with the Cloud Application Gateway enabled.

INC-304718

Cloud Application Gateway OAuth JWT authorization not supported

OAuth2 JWT authorization is now supported when testing the connection with the Cloud Application Gateway enabled.OAuth2 JWT authorization is now supported when testing connection with the Cloud Application Gateway enabled.

INC-305059

Review mode for RLM/DOLM task mappings

The review mode setting was not respected for RLM/DOLM task mappings. This issue was fixed.

INC-300290

LDAP connector – byte array attributes

The LDAP connector now supports attributes sent as a byte array.

The following format is supported: bytes:Base64OrHexRepresentationOfBytes.

INC-303205

Review mode not working for multiple task mappings

If the review mode was set for several task mappings (for the same resource type), it was read from incorrect mappings (for example, from a disabled one). This issue was fixed.

INC-303668

REST connector - multiple parent variables

The January 2026 Cloud Update introduced a new functionality for the REST connector, providing support for multiple parent variables in the nested URL.

If the URL included anything else in the curly brackets, it was recognized (expected) as a variable. This behavior was changed: If the part in the curly brackets contains special characters, it is not treated as a variable.

INC-306689

Documentation

Updated obsolete ReferencePathAttributesValueResolver references

We've updated documentation examples to use the AttributeValueResolver RoPE extension instead of the obsolete ReferencePathAttributesValueResolver.

The obsolete resolver remains supported for backward compatibility.

Missing documentation on the effect of blocking access in SoD

We've updated the documentation about blocked and revoked assignments in SoD.

INC-302766

Updated documentation about Policy & Risk check configuration

We have updated the documentation about configuration options in the Policy & Risk check. Go to Policy & Risk check configuration options for more information.

INC-303684

Missing information on Access rights grid view

We have updated the documentation about how access rights are populated in the Access right tab. Go to Access right for more information.

INC-302921

Details on how $AccessReqOrgApprover calculates an approver

We have updated the documentation for the $AccessReqOrgApprover virtual reference property to provide additional clarification on approver resolution behavior. Go to Virtual reference properties for more information.

INC-305186

Omada Identity Graph API - Changelog

We have fixed an incorrect documentation path in the Omada Identity Graph API changelog for version 3.0.

INC-305186

TD Resource Revocation Status and deprovisioning job issue

We have fixed the issue. As part of this update, several product improvements were introduced, including renaming the Revoke access feature to Remove access for better clarity and alignment across the product.

INC-301193

Entra ID – connector documentation update

Entra ID connector documentation was updated to capture the queries and mappings execution order correctly.

INC-300419

Strict mode for Eligibility Filtering

We have updated the documentation for Eligibility Filtering to correctly describe how Strict Mode works. Go to Access request for more information.

INC-307258

Other

Time Service Perform throws a delete error

We have fixed an issue where the Time Service repeatedly failed to delete a user due to foreign key constraints.

#INC-303552

Resource exhaustion in GraphQL

We have fixed a performance vulnerability in the full-text search functionality by introducing validation that prevents excessive repetition of search terms, mitigating potential resource exhaustion and DoS (Denial of Services) risks caused by repeated search values.

#INC-293834

Translations - Error message in English

We have fixed a bug where the error message translation was missing. The translation has now been added for all supported languages.

#INC-302596

Expiry date in Delegation request gets overwritten

We have fixed a bug that caused entire delegation objects to expire when a delegator lost access to a single resource, now ensuring only the affected resources are removed while the remaining valid delegations stay active.

#INC-295972

Scroll bars in views with small screens using Firefox

We have fixed a CSS issue where the scrollbar overlapped the last row in grids, for example, in Identities.

#INC-302324

Access request​

New assignment explorer showing wrong history data​

Prioritization policies not working correctly​

Regression in the Access request​

Approvals show incorrect Requested By for Extend access​

CalculatedAssignmentVerdictSurveyPostActionHandler setting verdictDate to 9999 days​

Unable to turn on mass edit and reassignment in approvals​

Enterprise Server​

Prolonged imports​

Import status inconsistencies​

Missing employments​

Fixed update failure for long property values​

Resource assignment properties dialog did not apply changes when selecting OK​

Role and Policy Engine​

ES Policy & Risk check re-run on long RoPE simulations​

RoPE fetches all deleted DataObjects and executes individual SQL statements​

Long running recalculations​

Identity Validity is not extended to EndOfDay when a new DataObjectVersion exists​

Security​

Web service: improved access control in GetViewInfo​

Surveys​

Transfer survey property is not copied​

Closure of recertification survey has some limitations​

Approval surveys close only for transferred identity​

Manager can not submit survey tasks​

Post action handler OIS_ResourceAssignmentSurvey fails with error​

UI and UX​

Changes not saved in access right tab​

Connectors​

Active Directory delta import does not retun old assignments​

Identity Governance – missing option (OData connector)​

REST Relay anchor property​

SAP connector as a template connector​

OAuth2 Custom authorization support​

Cloud Application Gateway OAuth JWT authorization not supported​

Review mode for RLM/DOLM task mappings​

LDAP connector – byte array attributes​

Review mode not working for multiple task mappings​

REST connector - multiple parent variables​

Documentation​

Updated obsolete ReferencePathAttributesValueResolver references​

Missing documentation on the effect of blocking access in SoD​

Updated documentation about Policy & Risk check configuration​

Missing information on Access rights grid view​

Details on how $AccessReqOrgApprover calculates an approver​

Omada Identity Graph API - Changelog​

TD Resource Revocation Status and deprovisioning job issue​

Entra ID – connector documentation update​

Strict mode for Eligibility Filtering​

Other​

Time Service Perform throws a delete error​

Resource exhaustion in GraphQL​

Translations - Error message in English​

Expiry date in Delegation request gets overwritten​

Scroll bars in views with small screens using Firefox​