Here are a couple of options for identifying the Exchange schema version. Option #1 – Using ADSI Edit: open the Schema context with ADSI Edit, go to the properties of ms-Exch-Schema-Version-Pt and look for the rangeUpper value. Option #2 – DSQUERY command. Here's a PowerShell hash table pre-built with the Active Directory and Exchange schema versions as of September 2014. Active Directory (Forest Prep) Schema Versions.
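As an added example (not from the original post), this PowerShell snippet reads the same two markers without opening ADSI Edit: the rangeUpper of ms-Exch-Schema-Version-Pt for Exchange and objectVersion on the Schema container for the forest. It assumes the ActiveDirectory RSAT module is installed and does not reproduce the version hash table mentioned above.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# RSAT module is available and the caller can read the Schema partition.
Import-Module ActiveDirectory

function Get-SchemaVersionMarkers {
    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext

    # Exchange: rangeUpper of ms-Exch-Schema-Version-Pt in the Schema context
    # (the value ADSI Edit shows in Option #1). Missing when Exchange has never
    # extended this forest's schema.
    $exch = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
                         -Properties rangeUpper -ErrorAction SilentlyContinue
    $exchVersion = if ($exch) { $exch.rangeUpper } else { $null }

    # Active Directory forest (Forest Prep): objectVersion of the Schema container.
    $ad = Get-ADObject -Identity $schemaNC -Properties objectVersion

    [pscustomobject]@{
        SchemaNamingContext      = $schemaNC
        ExchangeSchemaRangeUpper = $exchVersion   # $null = no Exchange schema extension
        ADSchemaObjectVersion    = $ad.objectVersion
    }
}

# Equivalent dsquery command for Option #2 (the DC= components are placeholders
# for your own forest root domain):
#   dsquery * "CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=example,DC=com" -scope base -attr rangeUpper

Get-SchemaVersionMarkers | Format-List
```

Compare the two numbers against the vendor's published schema version list for your Exchange and forest functional level; a mismatch after a CU or forest prep is the usual sign that the schema update did not replicate.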
One Identity Manager 8.0
Release Notes
January 2018
These release notes provide information about the One Identity Manager release. For changes to the Web Designer and the Web Portal since the last version, see the document 'Web Designer and Web Portal Changes'.
The documentation is available in both English and German. The following documents are only available in English:
- One Identity Manager Password Capture Agent Administration Guide
- One Identity Manager LDAP Connector for CA Top Secret Reference Guide
- One Identity Manager LDAP Connector for IBM RACF Reference Guide
- One Identity Manager LDAP Connector for IBM AS/400 Reference Guide
- One Identity Manager LDAP Connector for CA ACF2 Reference Guide
- One Identity Manager REST API Reference Guide
- One Identity Manager Web Runtime Documentation
- One Identity Manager Object Layer Documentation
About One Identity Manager 8.0
One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives the company control over identity management and access decisions while the IT team can focus on its core competence.
With this product, you can:
- Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition
- Realize Access Governance demands cross-platform across your entire enterprise with One Identity Manager
Every one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of 'traditional' solutions.
One Identity Manager 8.0 is a major release with enhanced features and functionality. See Features and Enhancements.
Features
New features in One Identity Manager 8.0:
Basic functionality
- SQL Server 2017 is supported.
- Oracle Database 12.2 is supported.
- Improved security measures for accessing the One Identity Manager.
- Cyclical checking of authentication for existing connections. The system runs validity checks for open connections to prevent users from working with existing connections if they have been deactivated after they logged in. The check is carried out by the next permissions-based action on the connection after a configurable interval of 20 minutes. The interval is defined in the configuration parameter 'CommonAuthenticationCheckInterval'.
- Support for password policies in One Identity Manager. You can implement password policies, for example, for system user passwords, the employees' central password as well as passwords for individual target systems. Password policies apply not only when the user enters a password but also when random passwords are generated. A default password policy is supplied that protects the password for system users and employee-based authentication modules. Other predefined password policies are also supplied.
- Support for expired passwords. The user is advised that their password is about to expire and can change the password if necessary. In the case of employee-based authentication modules, the system sends reminder emails starting from 7 days before the password's expiry date. You can configure the time in days in the configuration parameter 'CommonAuthenticationDialogUserPasswordReminder'. The emails are triggered by a schedule and use the mail template 'Employee - system user password expires'. To prevent the passwords of certain system users from expiring, you can mark these system users so that their passwords never expire.
- Issues a random, temporary passcode for a one-off login on the Password Reset Portal.
- Support for password history.
- Failed login attempts are logged.
- Wrong answers to the password question for resetting the central password are logged.
- Login with empty passwords is no longer supported.
- Restricted password lists are supported.
- Support for load balancing of all SQL processes. A new server function 'SQL processing server' is available. The server can execute SQL tasks. Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes across all the Job servers with this server function.
- Improved identification of the server for automatic software updating. A new server function 'Update server' is available. This server executes automatic software updating of all other servers. The server requires a direct connection to the database server on which the One Identity Manager database is installed.
- The values of columns can be prepared for faster cross-table searching. Searching for single values in MVP columns is supported.
- Fallback for translations can be disabled for columns that are labeled as translation targets. Another value, 'Without fallback translation source', has been added for this purpose.
- The configuration of initial data for LDAP authentication modules is done with the configuration parameters 'TargetSystemLDAPAuthentication', 'TargetSystemLDAPAuthenticationAuthentication', 'TargetSystemLDAPAuthenticationPort', 'TargetSystemLDAPAuthenticationRootDN' and 'TargetSystemLDAPAuthenticationServer'. The initial configuration data for existing installations remains valid and is used as a fallback.
Web Portal
- New Password Reset Portal. The Password Reset Portal allows users to securely reset the passwords of the user accounts they manage. Users can navigate from the Web Portal directly to the Password Reset Portal. To use the Password Reset Portal, it must be installed as a dedicated web application. The required security is guaranteed by Starling Two-Factor Authentication.
- New Operations Support Web Portal. The Operations Support Web Portal supports help desk users with their tasks in One Identity Manager. You can use the Operations Support Web Portal to create passcodes, display DBQueue and Job queue entries for specific objects, show process steps and restart them if necessary, and monitor process handling performance. To use the Operations Support Web Portal, it must be installed as a dedicated web application. A new application role, Base roles | Operations support, is provided for use with the Operations Support Web Portal. The required security is guaranteed by Starling Two-Factor Authentication.
- To improve user friendliness, the Web Portal's user interface and navigation structure have been completely reworked and new functions have been added.
- Support for the Starling 2FA App for multi-factor authentication. In addition to the login, a further access control (multi-factor authentication) can be configured.
- Managers can generate a passcode for their staff.
- Users can set their password question and answer.
- New wizards for defining reports and report subscriptions.
- Bookmarks for service categories can be added.
- Changed data values are marked.
- Processes triggered by users are displayed.
- Users specify whether diagrams are permanently hidden.
- Managers can view their staff's rule violations.
- The chief approval team can immediately escalate a request.
- Owners of departments, locations and cost centers can also manage child objects.
- Request templates can be created from a reference user and its assignments.
- Request templates can be created for assignment requests.
- Permissions that contribute to a rule violation can be removed.
- An additional test of possible exclusion definitions is made before sending a request.
- A product can be unsubscribed for several people at the same time, also for multi-requestable/unsubscribable resources.
- Renewals and cancellations do not have to be done strictly through the shopping cart.
- Users can temporarily switch to another language.
Web Designer
- New version of the Secure Token Server. For more information, see the document 'Web Designer and Web Portal Changes'.
- Custom configuration settings for a given web project can be managed in a central overview.
Target system connection
- Support for G Suite as a target system. The key aspects are the mapping of user accounts and their entitlements. To do this, groups, organizations, permissions, admin roles, products and SKUs are mapped in One Identity Manager.
- Support for Oracle E-Business Suite as a target system. The key aspects are the mapping of user accounts, responsibilities and entitlements.
- Support for SharePoint Online as target system. The key aspects are the mapping of user accounts, groups, site collections, sites, roles and role assignments. The SharePoint Online connector and a default project template are installed.
- Mapping remote mailboxes for Exchange hybrid support. The mapping for remote mailboxes is part of the Microsoft Exchange project template. Remote mailboxes are synchronized using the Microsoft Exchange connector.
- The member filter's excluded lists for the Microsoft Exchange target system have been altered in connection with Exchange hybrid support. A patch for synchronization projects with the patch ID VPR#28904 is available.
- Support for Outlook Web App mailbox policies for the Microsoft Exchange target system.
- The way the Microsoft Exchange version is determined has been changed. The schema property ObjectVersion is used to determine the version. A patch for synchronization projects with the patch ID VPR#27447 is available.
- The Microsoft Exchange connector now supports connections through HTTPS. NOTE: Microsoft Exchange does not support this type of connection by default. You must configure support for HTTPS in your Microsoft Exchange.
- The schema property 'Recovery' is provided to mark Microsoft Exchange mailbox databases as recovery databases.
- Introduction of a revision filter for Microsoft Exchange. Microsoft Exchange synchronization has been changed as follows to support customer environments with large numbers of objects:
- The schema type 'Mailbox' has been divided into the sub types 'Mailbox', 'Calendar Processing' and 'Mailboxstatistics'.
- A revision criterion has been defined for the schema types 'Mailbox', 'MailUser', 'MailContact', 'MailPublicFolder', 'DistributionGroup' and 'DynamicDistributionGroup'. This is based on the 'whenChanged' property of the underlying Active Directory object.
- Automatic dependency resolution of the synchronization workflow's steps has been disabled, which has reduced the number of synchronization steps. As a result, reference objects may temporarily arise in the synchronization buffer during synchronization (DPRAttachedDataStore); these are resolved afterward by a maintenance step. This happens exclusively on the One Identity Manager side and therefore requires no further access to the Microsoft Exchange infrastructure.
IMPORTANT: The revision algorithm can only be enabled in synchronization projects created with version 8.0. If usage of revisions is activated in old 7.x synchronization projects, modifications made directly in Microsoft Exchange are not necessarily recognized.
NOTE: Due to the complexity of the changes, existing synchronization projects are not automatically converted by the patch. You can, however, continue to use existing synchronization projects (from 7.x installations) unchanged until the next major release because the schema is compatible. The properties of the old 'Mailbox' schema type that have been transferred to the new schema types named above are marked as obsolete in the 'Mailbox' type. This does not, however, have any effect on the functionality. These properties will be removed in the next major release. Even if your 7.x synchronization projects are compatible, it is recommended that you recreate the synchronization project using the synchronization project template implemented in version 8.0.
- Introduction of a revision filter for Exchange Online. Exchange Online synchronization has been changed as follows to support customer environments with large numbers of objects:
- The schema type 'Mailbox' has been divided into the following types:
- Mailbox (Basic information about mailboxes)
- CalendarProcessingSettings_RoomEquipment (calendar processing settings for room and equipment mailboxes)
- CalendarProcessingSettings_UserShared (calendar processing settings for user and room mailboxes)
- MailboxStatistics_RoomEquipment (status information for room and equipment mailboxes)
- MailboxStatistics_UserShared (status information for user and room mailboxes)
- A revision criterion has been defined for the schema types 'Mailbox', 'MailUser', 'MailContact', 'MailPublicFolder', 'DistributionGroup', 'UnifiedGroup' and 'DynamicDistributionGroup'. This is based on the 'whenChanged' property of the underlying Azure Active Directory object.
- Automatic dependency resolution of the synchronization workflow's steps has been disabled, which has reduced the number of synchronization steps. As a result, reference objects may temporarily arise in the synchronization buffer during synchronization (DPRAttachedDataStore); these are resolved afterward by a maintenance step. This happens exclusively on the One Identity Manager side and therefore requires no further access to the Exchange Online infrastructure.
- The synchronization steps for CalendarProcessingSettings_UserShared and MailboxStatistics_RoomEquipment are disabled by default. Calendar processing settings for user mailboxes (CalendarProcessingSettings_UserShared) are not usually relevant but can be queried with the appropriate commands. The same applies to status information (for example, the number of emails, last login) for room and equipment mailboxes (MailboxStatistics_RoomEquipment). The steps in the workflow 'Initial Synchronization' can be enabled at any time if required. However, this can cause a noticeable increase in the runtime.
IMPORTANT: The revision algorithm can only be enabled in synchronization projects created with version 8.0. If usage of revisions is activated in old 7.x synchronization projects, modifications made directly in Exchange Online are not necessarily recognized.
NOTE: Due to the complexity of the changes, existing synchronization projects are not automatically converted by the patch. You can, however, continue to use existing synchronization projects (from 7.1.2 installations) unchanged until the next major release because the schema is compatible. The properties of the old 'Mailbox' schema type that have been transferred to the new schema types named above are marked as obsolete in the 'Mailbox' type. This does not, however, have any effect on the functionality. These properties will be removed in the next major release. Even if your 7.1.2 synchronization projects are compatible, it is recommended that you recreate the synchronization project using the synchronization project template implemented in version 8.0.
- The LDAP connector supports connections at rootDSE level.
- The LDAP connector provides information about object class hierarchy.
- The Windows PowerShell connector supports SecureString parameters. A ConversionMethod can now be entered in the SetParameter definition. Currently, ConversionMethod='ToSecureString' is supported. This allows connection parameters to be passed securely.
- Extensions in the Synchronization Editor
- New view for managing custom project templates in expert mode.
- Synchronization workflows can be copied.
- A schema editor for improved editing of virtual properties is integrated in the Schema Browser.
- Start up configurations can be grouped. Behavior for simultaneous start up within a group can be defined. The delay between retries is specified in the configuration parameter 'CommonJobserviceRedoDelayMinutes'.
- Comprehensive logging and improved displaying of entries in the system journal.
- New virtual property of type 'Data mapping' for mapping predefined value lists.
- New schema class type 'Unique Objects' for creating unique objects to simplify the import of multiple object types from a single source such as a CSV file or a database table.
- Patches can be automatically applied during One Identity Manager schema updates.
Identity and Access Governance
- Introduction and versioning of approval workflows for IT Shop requests and attestations.
- The configuration parameters 'QERITShopOnWorkflowAssign' and 'QERITShopOnWorkflowUpdate' specify whether pending requests are reset when the approval workflow is changed.
- The configuration parameters 'QERAttestationOnWorkflowAssign' and 'QERAttestationOnWorkflowUpdate' specify whether pending attestations are reset when the approval workflow is changed.
NOTE: If you have set up your own approval procedures and have used properties from approval steps in your queries for finding approvers, modify these queries as follows: if you previously referenced the table PWODecisionStep via the column UID_PWODecisionStep, change this reference to the column UID_QERWorkingStep in the table QERWorkingStep.
- The approval step of an attestation case can be used to specify whether the employee affected by the attestation case can also approve it. This overrides the setting in the configuration parameter 'QERAttestationPersonToAttestNoDecide'.
- Assignment resources can be created for One Identity Manager application roles. The assignment resource can be requested in the Web Portal like any other company resource. After the request has been successfully assigned, the employee, for whom it was requested, becomes a member of the associated application role through internal inheritance processes.
Enhancements
The following is a list of enhancements implemented in One Identity Manager 8.0.
Enhancement | Issue ID |
---|---|
An employee's main identity can now be used for authentication with the authentication module 'Person'. | 27863, 3962834 |
Improved performance in the DBQueue Processor. | 27284, 28522, 28569, 27675, 4064153, 4064153 |
Labeling of DBQueue Processor tasks for load limiting. Limits for changes within an operation are configured in the configuration parameters 'QBMDBQueueChangeLimitMin' and 'QBMDBQueueChangeLimitMax'. | 12081 |
Dynamically determining statistics under Oracle Database. This is configured in the configuration parameter 'QBMDBQueueOptimizerDynamicSampling'. | 28004 |
Tasks that require a connection to the application server are displayed in the Launchpad. | 26864 |
Instead of only offering access to single values, an entity (and therefore all its values), accessed by FKs can now be returned through the IEntityWalker. | 27105 |
Improved configuration options for importing transport with change labels. | 26557 |
Improved monitoring of the entire Job queue in Job Queue Info. | 26785 |
Improved identification of database staging levels by modifying colors in the status bar in all front-ends. | 27148 |
Columns with a list of permitted values can be added in the full text search. | 27469, 667442 |
Pending changes are now displayed in the | 28656, 4093596 |
Minimum process query interval set to 10 seconds for the Job service. | 27112, 3867374 |
Multiple One Identity Manager Service instances can be installed on one server using One Identity Manager Installation Wizards and the Server Installer. The different installation directories are numbered sequentially. | 27231, 3965347 |
Out-Parameters are shown in the process history. | 27237 |
The SQL Editor in the Designer and the Object Browser support auto-completion. | 27688 |
The Script Editor in the Designer supports auto-completion for configuration parameters. | 27422 |
Improved sorting by column in the Schema Editor in the Designer. | 27482 |
Improved representation of result lists in the SQL Editor in the Designer and the Object Browser. | 27445 |
Improved display of base data in the Designer. | 28246 |
Customizations to default processes and default tables displayed in the Designer. | 28230 |
Hidden parameters are displayed by a new program function in the Job Queue Info. To use this function, assign the respective permissions groups to the program function 'JobQueue_ShowHiddenParameters'. | 27665, 3975588 |
The columns that trigger templates can be displayed in the Designer. | 27852 |
Improved generation of indexes. | 27921, 3988910 |
Extended functions for editing change labels in the Designer. The sort order of the changes can be modified. You can search inside the change labels. The change label's XML data can be edited. | 26894 |
Improved transporting by change label. | 28011 |
Syntax check for preprocessor condition now takes place on saving. | 28021, 4053085, 4053085 |
Improved the Software Loader to prevent error conditions. | 28158, 4051728 |
Custom events can now be added to default processes in the Designer. | 28231 |
IT Shop tags can be transported. | 28418, 4085515, 4085518 |
The generic form 'VI_Generic_MasterData' supports the definition of bit masks. | 28536 |
Improved representation of schema table extensions in the Web Designer. | 26980, 3705851 |
Improved definition of indexes in the Schema Extension program. | 28598, 4064153 |
Optimized the Database Transporter to prevent deadlocks when transporting schema extensions. | 28603, 4107215 |
Data modifications are no longer possible in the One Identity Manager database when triggers are disabled. | 28610, 4107215 |
Improved re-enabling of triggers and constraints. | 28637, 4107215, 4109588 |
The System Debugger differentiates between system scripts and custom scripts when exporting. | 27667 |
The System Debugger can be used to upload templates, formatting scripts, table scripts and method definitions. | 27918 |
Language culture codes can now be used in #LD notation in scripts. | 28852 |
The configuration parameter 'CommonProcessStateProgressViewWaitInJobChain' has been deleted. Customized usage might require modification. | 27870 |
Enhancement | Issue ID |
---|---|
The authentication module setting installed in the Web Portal and the Web Designer is limited to authentication modules that are not capable of SSO. | 20870, 690405 |
Certain CSS outlines are only shown in accessibility mode for visual reasons. | 26254, 657785 |
The views 'Object state' and 'Solution' have been merged. | 24475, 673888 |
The special definition of Hyper Views has been removed from the Web Portal code. The view is now exclusively generated from the content of the table DialogTree. | 673729 |
Visual representation of read-only properties has been reworked. | 676883 |
Visual representation of the heatmap has been reworked. | 25974, 677572 |
A switch for controlling object dependent references has been added. | 678334 |
The old data model for configuring search fields has been removed because the search index can be used instead. | 678828 |
Some Web Portal functions cannot be used sensibly on smartphones. In these cases, an appropriate message is displayed. | 681359 |
A list view, which is optimized for smartphones, can be defined for a grid in addition to a table-based view. | 692352 |
Processing of an employee's data is centralized in the component VI_Common_ObjectSheet_Person. | 693632 |
Validator conditions can be defined in the control tree. | 27671, 694770 |
The compiler checks object dependent links for ambiguity and generates an error message. | 695200 |
'Create interactive entities' is disabled for new objects. | 705753 |
Improved handling of user configuration (QBMXUser) if a non-employee related authentication module is used. | 706509 |
There is now a property on an extension to disable it. | 711465 |
Improved handling of the control for auto-completion. | 714531 |
The total number of results is shown in grids. | |

Enhancement | Issue ID |
---|---|
Faster loading of synchronization projects in the Synchronization Editor. | 27555 |
Diverse optimizations of the synchronization buffer and cache behavior. | 26832, 27662, 27563, 28350, 28576 |
Improved behavior of the Synchronization Editor when working with encrypted values. The default value of the configuration parameter 'DPRUIEncryptedValueHandling' has been changed to 'IgnoreAll'. This means the encryption dialog is not shown when the synchronization project is opened. All encrypted values are ignored by default. | 27274 |
German display names of property mapping rules and virtual schema properties are converted to English. A patch for synchronization projects with the patch ID VPR#28560 is available. | 28560 |
Converts connection parameter names and values. A patch for synchronization projects with the patch ID VPR#27769 is available. | 27769 |
Optimized pre-scripts for generating target system relevant processes. | 28042, 3859791 |
The domain object SID is determined by Active Directory synchronization. A patch for synchronization projects with the patch ID VPR#27457 is available. | 27457 |
When Active Directory group memberships are synchronized, the global catalog query for resolving the SID is not carried out. The mapping 'group' has been extended with additional virtual schema properties. A patch for synchronization projects with the patch ID VPR#27997 is available. | 27997 |
Improved mapping of SAP license information for system measurement. A patch for synchronization projects with the patch ID VPR#27289 is available. | 27289 |
Improved transfer of the validity period for SAP role assignments and memberships in structural profiles. | 26883, 28031, 3677202, 4041294, 4054671 |
The schema type SAPRCRange has been removed. A patch for synchronization projects with the patch ID VPR#27539 is available. | 27539 |
An additional tab for passwords is displayed on the Unix user account's master data form. | 27947 |
Optimized provisioning of object changes for the Universal Cloud Interface. A patch for synchronization projects with the patch ID VPR#27371 is available. | 27371 |
Changed the SCIM interface's property mapping rules for the schema properties 'id', 'canonical name' and 'distinguished name' to the new schema properties added for them in the One Identity Manager schema. A patch for synchronization projects with the patch ID VPR#27860 is available. | 27860 |
Email notifications can be configured through login data in the case of custom target systems. This is configured in the configuration parameter 'TargetSystemUNSAccountsInitialRandomPassword' and its sub-parameters. | 28111 |
The following configuration parameters have been deleted. When you update One Identity Manager version 7.x to version 8.0, the configuration parameter settings for forming passwords are passed on to the target system specific password policies: configuration parameters for Azure Active Directory, Active Directory, the new Universal Cloud Interface, LDAP, IBM Notes, SAP R/3 and Unix. | 28111 |
The following configuration parameters have been deleted. Customized usage might require modification: configuration parameters for Active Directory, IBM Notes, SAP R/3 and SharePoint. | 28607 |
Enhancement | Issue ID |
---|---|
The employee's overview reports have been extended to include additional information about assigned entitlements and sub identities. | 27913 |
Permitted values for employees' identity types have been extended by the value 'Machine identity'. | 28573 |
Employees can be deleted from One Identity Manager using the procedure QBM_PDeleteDeep. | 27431 |
Improved performance when loading attestation cases. | 27815, 4011577 |
Deprecated features
The following features are no longer supported with this version of One Identity Manager:
The following functions will be discontinued in later One Identity Manager versions and should no longer be utilized: