ARS Upgrade to 8.0 workflow approvals that request information causes error


This is my very first posting to any One Identity forum.  I recently upgraded my Active Roles server from 7.4.3 to 8.0 and noticed that some of my workflows are throwing web errors.  This big red error banner on the approval pop-up states "Object reference not set to an instance of an object".  After getting a few complaints, I noticed a pattern.  The workflows having the issues, are ones that request information from the end user before the approval can be completed.  However, we are getting the error message before any pop-up window presents a prompt to enter in the requested data.  I've tried a couple tricks like removing the requirement for requested data, then saving, then re-runing the request and the approver can actually approve the workflow. However, as soon as I put the requirement to enter data into an attribute, the error returns.  This happens for every workflow I have that requires the approver to enter some data into the approval prior to the operation being completed.

Any ideas as to what might be causing this?  A bug in version 8.0 perhaps?

All workflows were working normally prior to the upgrade.  All approval requests were made after the upgrade was in place (no approvals migrated from 7.4.3 as they get auto cancelled by the upgrade).

  • Recently I looked alittle closer at ARS8.0. Many high-impact bugs were fixed in the release 8.0, in respect to ARS 7.3/7.4/7.5.0. For example, issues I noticed in the chat above (2) msExchHideFromAddressLists and (3) Sync setting $null to -Empty attribute value. In my opinion, it might be worth to stay with ARS 8.0 trying to fix the issue observed, unless Support recommends to rollback to legacy version.

  • Aidar, I'm curious about your focus on msExchHideFromAddressLists.  What is the down side of this now only being manageable for mail enabled objects (that is my understanding of your comments - please correct me if I am missing your point)?  It doesn't have any meaning / use outside of Exchange that I am aware of?

  • John, you are correct. *msExchHideFromAddressLists* What is the down side of this now only being manageable for mail enabled objects *only*.
    I ‘hit’ the following dependencies on my customer:
    Legacy ARS Sync Solution: HR.csv provision goes to legacy AD1 domain with onprem Exch (no Hybrid AADconnect) (many years ago)
    Migration. legacy AD1 to new AD2 (supports cloud AAD/O365 Exchange Hybrid Mode /AADConnect)
    Legacy AD1 lost onprem Exchange.
    Legacy AD1 still contains important network resources and cannot be decommissioned in near future.
    Result: Legacy ARS Sync Solution: HR.csv provision *still* goes to AD1 legacy domain. With additional new ARS Sync support “long-term” sync users/groups with SIDHistory/Password from/to legacy AD1 to/from new AD2.
    Something like that. Hope that explains.

  • (continued...) HR >> AD1 still controls Provision/Term user including mailbox related properties (msExchHideFromAddressLists), though AD1 is not Exchange aware anymore.

  • Legacy AD1 lost onprem Exchange.

    Is it operating as an Exchange Hybrid (i.e. with mail enabled user objects that point to their Cloud equivalents) or did they eliminate Exchange completely?

    If the former, then you should still be able to manage some Exchange properties?

    Or, with the latest version has something been done with the AR Admin service that breaks the ability to manage a Hybrid?

Reply Children