Resolved Issues and Bug Fixes
Read more about resolved issues and bug fixes in this release.
UI and UX
Child resources column displaying incomplete data on Access page
The Child resources column on the Access page caused confusion, as its name did not clearly describe the information it contained. To improve clarity and consistency, the column has been renamed to Child assignments, better reflecting its actual content.
INC-290495
Role and Policy Engine
RoPE ShadowObject Executor not handling transactions correctly
We have fixed an issue where, if a shadow data object for a calculated resource assignment had multiple event definitions defined and one of them failed with an exception, only the failed event’s transaction was rolled back. Now, all the event definitions for the calculated resource assignment event are executed within the same transaction.
INC-294815
Access review verdict bypassing account type filters
Due to an issue, RoPE created multiple assignments when a child resource was linked to more than one account type and its parent resource had the “Review OK” reason. Previously, an assignment was generated for each account the identity had, ignoring the parent role’s limitations. These limits now work correctly for the “Review OK” reason, consistent with the behavior for Direct and Policy reasons.
INC-300310
RoPE wrongly stating RA reason without being account-aware
We have resolved an issue where RoPE created additional child resource assignments when a parent resource had an implicit assignment with the Review OK reason. Previously, the system generated assignments for all account types defined on both the parent and child resources. If the child resource did not have an explicit account type, it defaulted to the standard account type and the one defined on the parent, resulting in unintended extra assignments.
Child resource assignments for parent assignments with the Review OK reason are now limited to the account types defined on the parent role, ensuring consistent and expected behavior.
INC-291143, INC-289596
RoPE: improved handling when no assignment policies are defined
Previously, RoPE attempted to load too many potential contexts in the absence of assignment policies. The process now handles this scenario more efficiently, reducing unnecessary context loading and improving performance.
INC-297764
Enterprise Server
Timer failing with error: Controller has a connection object
There was an issue where the RouteProcessOnDeadline code method attempted to load over 65,000 activities using an IN clause, which caused performance degradation. The method has been optimized to remove the need to call GetWorkItemData with such a large number of activity IDs.
INC-297087
Surveys
Failure to download the survey report from All Surveys
We have enhanced the queued download feature to provide smoother and more reliable survey export operations. These updates improve overall performance and prevent system slowdowns during periods of high activity: exports now run more efficiently with improved connection handling.
INC-292099
Surveys - queued download feature performance
The survey export operations (using the queued download feature) are now smoother and more reliable. These updates improve performance and prevent system slowdowns during high activity.
Omada Provisioning Service
Improved error handling for object display failures
Error handling has been updated when loading objects via email links. Instead of showing a generic application error, the system now displays a more user-friendly message, providing clearer feedback to the user.
INC-293070
Adaptation errors
There was an issue where attempts to remove references to a nonexistent object resulted in adaptation errors during import. Now, the behavior issues have been resolved, and the process completes without generating adaptation errors.
INC-297071
Documentation
Constraint error when adding a child resource to a permission
Previously, the documentation did not explain how to safely modify application roles that were part of active SoD constraints, which caused confusion when updates were blocked by existing violations. A new section now instructs administrators to temporarily disable and re-enable the Resource Internal SoD event definition when making such changes. This ensures consistent, supported handling of constrained resources.
For details, see Modifying child resources in application roles with constraints.
INC-298932
Application accounts used as a trust on business application not working
We have updated the Application onboarding documentation to clarify the configuration of trust and Auto create accounts in the guided onboarding process. The page now clearly distinguishes between manual and trusted management of application accounts, preventing misconfiguration and aligning guidance with intended system behavior.
For details, see the Guided onboarding process documentation.
INC-293533
Compliance status Pending deprovisioning based on constraint on application role
Previously, the documentation did not clearly describe how resource assignments with the valid from set in the future affected SoD violation statuses. When a resource assignment was scheduled to start later, the system set it to Disabled, which changed its violation status from Evaluation pending – usage allowed to Evaluation pending – usage prevented, causing unexpected deprovisioning. The updated definitions now explicitly explain this behavior.
For details, see Violation status calculator.
INC-285390
Connectors
REST/OData - alias mappings variables inside nested URLs not available
For the REST/OData connectors, it was not possible to use alias mapping variables inside nested URLs during data import. This issue has been fixed. The PARENT_ prefix should still be used.
INC-300605
TimeZoneInfo class support
The TimeZoneInfo class is now supported in task mapping expressions.
INC-301194
Certificate-based authentication to Entra ID - thumbprint unauthorized error
The Entra ID connector uses the JWT X.509 certificate thumbprint, adding this value without any changes to the x5t JWT header. The x5t header expects a base64url-encoded SHA-1 thumbprint. The thumbprint in the Azure portal is a hexadecimal representation of the same SHA-1 hash. Copying the thumbprint directly from the Azure portal resulted in unauthorized error.
The connector has now been improved – it checks the format of the provided thumbprint and, if necessary, performs a required conversion.
INC-291204
SOAP and SOAP-based systems not respecting the timeout setting
SOAP and SOAP-based systems (for example, SAP systems) didn't respect the timeout setting, which could lead to timeout errors if the server needed more than 30 seconds to respond. This issue has been fixed.
INC-300622
Exchange Online - not all role/distribution groups are returned
The commands used to retrieve distribution and role groups returned 1000 groups (as maximum) by default. Now all existing groups are returned without any result limit.
INC-300631
Omada Data Warehouse
Policy check error
We have resolved an issue that occurred when exporting resource assignments to the Omada Data Warehouse while RoPE processed identities in Simulation mode. This scenario could cause locks and timeouts during processing. The export now runs reliably without triggering such issues.
INC-301142