Powered by Algolia

    Known issues related to updating OpenIAM from 4.2.1.x versions to the newest 4.2.2 version

    IAM configuration and script migration

    1. Move IAM Groovy Scripts. Start with registering Groovy scripts in the database. Since this is an upgrade, there is a possibility that there may new Groovy scripts have been added to meet some business requirements. In such cases, those scripts should have corresponding entries in the database, specifically in the GROOVY_FILE table. For each new or customized Groovy script:
    • Add a record to the groovy_file table.
    • Ensure the entry is created in the Groovy database. This allows IAM to recognize and manage the script.
    INSERT INTO groovy_file (...);

    Copy scripts with versioned file names. Use the copy_with_modified_names.sh script to move Groovy files. This script appends the version number to the end of each file name, helping with version tracking and avoiding overwrites.

    ./copy_with_modified_names.sh <source_path> <destination_path>

    Modify the copy script if required. In case the environment-specific changes are needed:

    • Update copy_with_modified_names.sh.
    • Adjust file paths, naming rules, or version logic as necessary.
    vi copy_with_modified_names.sh

    Ensure correct permissions are applied to all moved files and folders. IAM must have read and execute access to the Groovy scripts.

    chmod -R 755 <groovy_scripts_directory>

    Update Groovy script references. Modify the GroovyScriptURL field in the relevant database tables. Replace file-based URLs with the corresponding ID from the groovy_file table.

    UPDATE <table_name>
    SET GroovyScriptURL = <groovy_file_id>
    WHERE <condition>;

    Page template changes

    Enable the template-based user page. Verify that it is visible in the UI. Page template changes

    Configuration steps depend on the IAM UI / deployment setup.

    Managed System configuration

    Fix blank attribute values issue. A possible issue here is that Managed System attributes may appear blank even when values are entered. If so, the workaround is as follows.

    1. Enter the attribute value in the field.
    2. Press Enter.
    3. Click Save. Pressing Enter ensures the value is registered before saving.

    Updating Groovy script references in OpenIAM tables

    This section describes how to update database references from Groovy file paths to Groovy script IDs stored in the groovy.GROOVY_FILE table. The process applies to Business Rules, properties, batch tasks, and synchronization configurations.

    ⚠️ Important. Always back up the database before running UPDATE statement. Run SELECT queries first to validate the impact.

    Update Business Rule Groovy references.

    Business Rules may store Groovy script references as file paths. These must be replaced with the corresponding GROOVY_SCRIPT_ID. Validate current Business Rule values. Run the following SELECT to identify Business Rules that reference Groovy scripts by path and to determine the correct Groovy script ID.

    SELECT 
        b.my_row_id,
        b.BR_ACTION_ID,
        b.VALUE AS CURRENT_PATH,
        g.GROOVY_SCRIPT_ID AS SELECTED_GROOVY_ID
    FROM openiam.BR_ACTION_VAL b
    JOIN (
        SELECT 
            MAX(GROOVY_SCRIPT_ID) AS GROOVY_SCRIPT_ID,
            FILE_NAME,
            PATH
        FROM groovy.GROOVY_FILE
        GROUP BY FILE_NAME, PATH
    ) g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(b.VALUE, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(b.VALUE, 2),
        '/',
        LENGTH(SUBSTRING(b.VALUE, 2)) 
        - LENGTH(REPLACE(SUBSTRING(b.VALUE, 2), '/', ''))
    )
    WHERE b.VALUE LIKE '/%';

    Review the results carefully to ensure each file path resolves to the correct Groovy script ID. Afterward, update Business Rule values. Once validated, update the Business Rule values to store the Groovy script ID instead of the file path.

    UPDATE openiam.BR_ACTION_VAL b
    JOIN (
        SELECT 
            MAX(GROOVY_SCRIPT_ID) AS GROOVY_SCRIPT_ID,
            FILE_NAME,
            PATH
        FROM groovy.GROOVY_FILE
        GROUP BY FILE_NAME, PATH
    ) g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(b.VALUE, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(b.VALUE, 2),
        '/',
        LENGTH(SUBSTRING(b.VALUE, 2)) 
        - LENGTH(REPLACE(SUBSTRING(b.VALUE, 2), '/', ''))
    )
    SET b.VALUE = g.GROOVY_SCRIPT_ID
    WHERE b.VALUE LIKE '/%';

    Update Groovy references in the properties table.

    Groovy scripts can also be referenced in PROPERTY_FILE_VALUES. Validate property values by running the following SELECT to verify which properties reference Groovy scripts by path and what their new IDs will be.

    SELECT 
        p.PROPERTY_ID,
        p.PROPERTY_VALUE AS OLD_VALUE,
        g.GROOVY_SCRIPT_ID AS NEW_VALUE,
        p.CATEGORY
    FROM openiam.PROPERTY_FILE_VALUES p
    JOIN groovy.GROOVY_FILE g 
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(p.PROPERTY_VALUE, '/', -1), '.groovy', '')
    AND g.PATH = CASE 
        WHEN p.PROPERTY_VALUE LIKE '/%' THEN
            SUBSTRING_INDEX(
                SUBSTRING(p.PROPERTY_VALUE, 2),
                '/',
                LENGTH(SUBSTRING(p.PROPERTY_VALUE, 2)) -
                LENGTH(REPLACE(SUBSTRING(p.PROPERTY_VALUE, 2), '/', ''))
            )
        ELSE
            SUBSTRING_INDEX(
                p.PROPERTY_VALUE,
                '/',
                LENGTH(p.PROPERTY_VALUE) -
                LENGTH(REPLACE(p.PROPERTY_VALUE, '/', ''))
            )
    END
    WHERE p.PROPERTY_TYPE = 'GROOVY'
    AND p.PROPERTY_VALUE LIKE '%/%'
    ORDER BY p.CATEGORY, p.PROPERTY_ID;

    After validation, update the properties to store the Groovy script ID.

    UPDATE openiam.PROPERTY_FILE_VALUES p
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(p.PROPERTY_VALUE, '/', -1), '.groovy', '')
    AND g.PATH = CASE
        WHEN p.PROPERTY_VALUE LIKE '/%' THEN
            SUBSTRING_INDEX(
                SUBSTRING(p.PROPERTY_VALUE, 2),
                '/',
                LENGTH(SUBSTRING(p.PROPERTY_VALUE, 2)) -
                LENGTH(REPLACE(SUBSTRING(p.PROPERTY_VALUE, 2), '/', ''))
            )
        ELSE
            SUBSTRING_INDEX(
                p.PROPERTY_VALUE,
                '/',
                LENGTH(p.PROPERTY_VALUE) -
                LENGTH(REPLACE(p.PROPERTY_VALUE, '/', ''))
            )
    END
    SET p.PROPERTY_VALUE = g.GROOVY_SCRIPT_ID
    WHERE p.PROPERTY_TYPE = 'GROOVY'
    AND p.PROPERTY_VALUE LIKE '%/%';

    Update batch task Groovy references.

    Batch tasks may also store Groovy scripts as file paths. Validate batch task mappings and identify batch tasks with incorrect Groovy script references.

    SELECT 
        b.TASK_ID,
        b.TASK_NAME,
        b.GROOVY_SCRIPT_ID AS CURRENT_PATH,
        g.GROOVY_SCRIPT_ID AS CORRECT_GROOVY_ID,
        g.FILE_NAME,
        g.PATH
    FROM openiam.BATCH_CONFIG b
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(b.GROOVY_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = TRIM(BOTH '/' FROM SUBSTRING_INDEX(
        b.GROOVY_SCRIPT_ID,
        '/',
        CHAR_LENGTH(b.GROOVY_SCRIPT_ID) -
        CHAR_LENGTH(REPLACE(b.GROOVY_SCRIPT_ID, '/', ''))
    ))
    WHERE b.GROOVY_SCRIPT_ID LIKE '%/%'
    AND b.GROOVY_SCRIPT_ID != g.GROOVY_SCRIPT_ID;

    Update batch task values by replacing file paths with Groovy script IDs.

    UPDATE openiam.BATCH_CONFIG b
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(b.GROOVY_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = TRIM(BOTH '/' FROM SUBSTRING_INDEX(
        b.GROOVY_SCRIPT_ID,
        '/',
        CHAR_LENGTH(b.GROOVY_SCRIPT_ID) -
        CHAR_LENGTH(REPLACE(b.GROOVY_SCRIPT_ID, '/', ''))
    ))
    SET b.GROOVY_SCRIPT_ID = g.GROOVY_SCRIPT_ID
    WHERE b.GROOVY_SCRIPT_ID LIKE '%/%'
    AND b.GROOVY_SCRIPT_ID != g.GROOVY_SCRIPT_ID;

    Update synchronization configuration scripts.

    Synchronization configurations may reference validation scripts by path. This step must be repeated for each managed system. Example for the WORKDAY_MANAGED_SYS.

    SELECT 
        s.SYNCH_CONFIG_ID,
        s.NAME,
        s.VALIDATION_SCRIPT_ID AS VALIDATION_SCRIPT_PATH,
        g.GROOVY_SCRIPT_ID
    FROM openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.VALIDATION_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.VALIDATION_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.VALIDATION_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.VALIDATION_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';
    1. Update validation script references. Once validated, update the synchronization configuration.
    UPDATE openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.VALIDATION_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.VALIDATION_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.VALIDATION_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.VALIDATION_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    SET s.VALIDATION_SCRIPT_ID = g.GROOVY_SCRIPT_ID
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update transformation scripts in synchronization configuration

    Transformation scripts in SYNCH_CONFIG may reference Groovy scripts using file paths. These must be replaced with the corresponding GROOVY_SCRIPT_ID. Validate transformation script mappings. Verify the current transformation script paths and identify the correct Groovy script IDs.

    SELECT 
        s.SYNCH_CONFIG_ID,
        s.NAME,
        s.TRANSFORMATION_SCRIPT_ID AS TRANS_SCRIPT_PATH,
        g.GROOVY_SCRIPT_ID
    FROM openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.TRANSFORMATION_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.TRANSFORMATION_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.TRANSFORMATION_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.TRANSFORMATION_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update transformation script references. Replace file paths with Groovy script IDs.

    UPDATE openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.TRANSFORMATION_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.TRANSFORMATION_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.TRANSFORMATION_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.TRANSFORMATION_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    SET s.TRANSFORMATION_SCRIPT_ID = g.GROOVY_SCRIPT_ID
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update attribute name lookup scripts

    Start with validating attribute lookup script mappings. Identify attribute lookup scripts that still reference file paths.

    SELECT 
        s.SYNCH_CONFIG_ID,
        s.NAME,
        s.ATTR_NAMES_LOOKUP_SCRIPT_ID AS TRANS_SCRIPT_PATH,
        g.GROOVY_SCRIPT_ID
    FROM openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.ATTR_NAMES_LOOKUP_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.ATTR_NAMES_LOOKUP_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.ATTR_NAMES_LOOKUP_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.ATTR_NAMES_LOOKUP_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update attribute lookup script references.

    UPDATE openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.ATTR_NAMES_LOOKUP_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.ATTR_NAMES_LOOKUP_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.ATTR_NAMES_LOOKUP_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.ATTR_NAMES_LOOKUP_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    SET s.ATTR_NAMES_LOOKUP_SCRIPT_ID = g.GROOVY_SCRIPT_ID
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update pre-processor scripts in synchronization

    First, validate pre-processor script mappings.

    SELECT 
        s.SYNCH_CONFIG_ID,
        s.NAME,
        s.PREPROCESSOR_SCRIPT_ID AS TRANS_SCRIPT_PATH,
        g.GROOVY_SCRIPT_ID
    FROM openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.PREPROCESSOR_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.PREPROCESSOR_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.PREPROCESSOR_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.PREPROCESSOR_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update pre-processor script references.

    UPDATE openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.PREPROCESSOR_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.PREPROCESSOR_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.PREPROCESSOR_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.PREPROCESSOR_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    SET s.PREPROCESSOR_SCRIPT_ID = g.GROOVY_SCRIPT_ID
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update post-processor scripts in synchronization

    Validate post-processor script mappings.

    SELECT 
        s.SYNCH_CONFIG_ID,
        s.NAME,
        s.POSTPROCESSOR_SCRIPT_ID AS TRANS_SCRIPT_PATH,
        g.GROOVY_SCRIPT_ID
    FROM openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.POSTPROCESSOR_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.POSTPROCESSOR_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.POSTPROCESSOR_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.POSTPROCESSOR_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update post-processor script references.

    UPDATE openiam.SYNCH_CONFIG s
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(s.POSTPROCESSOR_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(s.POSTPROCESSOR_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(s.POSTPROCESSOR_SCRIPT_ID, 2)) 
        - LENGTH(REPLACE(SUBSTRING(s.POSTPROCESSOR_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    SET s.POSTPROCESSOR_SCRIPT_ID = g.GROOVY_SCRIPT_ID
    WHERE s.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update reconciliation Groovy scripts

    First, validate reconciliation script mappings and then identify reconciliation attribute mappings that still use file paths.

    SELECT 
        m.MANAGED_SYS_ID,
        r.RECON_RES_ATTR_MAP_ID,
        r.GROOVY_SCRIPT_ID AS OLD_VALUE,
        g.GROOVY_SCRIPT_ID AS NEW_VALUE
    FROM openiam.RECON_RES_ATTR_MAP r
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(r.GROOVY_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(r.GROOVY_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(r.GROOVY_SCRIPT_ID, 2)) -
        LENGTH(REPLACE(SUBSTRING(r.GROOVY_SCRIPT_ID, 2), '/', ''))
    )
    JOIN openiam.ATTRIBUTE_MAP a
    ON a.RECON_RES_ATTR_MAP_ID = r.RECON_RES_ATTR_MAP_ID
    JOIN openiam.MNG_SYS_POLICY m
    ON m.MNG_SYS_POLICY_ID = a.MNG_SYS_POLICY_ID
    WHERE r.GROOVY_SCRIPT_ID LIKE '/%'
    ORDER BY m.MANAGED_SYS_ID, r.RECON_RES_ATTR_MAP_ID;

    Update reconciliation script references.

    UPDATE openiam.RECON_RES_ATTR_MAP r
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(r.GROOVY_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(r.GROOVY_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(r.GROOVY_SCRIPT_ID, 2)) -
        LENGTH(REPLACE(SUBSTRING(r.GROOVY_SCRIPT_ID, 2), '/', ''))
    )
    JOIN openiam.ATTRIBUTE_MAP a
    ON a.RECON_RES_ATTR_MAP_ID = r.RECON_RES_ATTR_MAP_ID
    JOIN openiam.MNG_SYS_POLICY m
    ON m.MNG_SYS_POLICY_ID = a.MNG_SYS_POLICY_ID
    SET r.GROOVY_SCRIPT_ID = g.GROOVY_SCRIPT_ID
    WHERE r.GROOVY_SCRIPT_ID LIKE '/%';

    Add or update policy map scripts for a managed system

    Validate policy map script mappings.

    SELECT 
        r.RECON_RES_ATTR_MAP_ID,
        r.GROOVY_SCRIPT_ID AS OLD_VALUE,
        g.GROOVY_SCRIPT_ID AS NEW_VALUE
    FROM openiam.RECON_RES_ATTR_MAP r
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(r.GROOVY_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(r.GROOVY_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(r.GROOVY_SCRIPT_ID, 2)) -
        LENGTH(REPLACE(SUBSTRING(r.GROOVY_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    JOIN openiam.ATTRIBUTE_MAP a
    ON a.RECON_RES_ATTR_MAP_ID = r.RECON_RES_ATTR_MAP_ID
    JOIN openiam.MNG_SYS_POLICY m
    ON m.MNG_SYS_POLICY_ID = a.MNG_SYS_POLICY_ID
    AND m.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS';

    Update policy map scripts.

    UPDATE openiam.RECON_RES_ATTR_MAP r
    JOIN groovy.GROOVY_FILE g
    ON g.FILE_NAME = REPLACE(SUBSTRING_INDEX(r.GROOVY_SCRIPT_ID, '/', -1), '.groovy', '')
    AND g.PATH = SUBSTRING_INDEX(
        SUBSTRING(r.GROOVY_SCRIPT_ID, 2),
        '/',
        LENGTH(SUBSTRING(r.GROOVY_SCRIPT_ID, 2)) -
        LENGTH(REPLACE(SUBSTRING(r.GROOVY_SCRIPT_ID, 2), '/', ''))
    )
    AND g.DESCRIPTION = '<name>'
    JOIN openiam.ATTRIBUTE_MAP a
    ON a.RECON_RES_ATTR_MAP_ID = r.RECON_RES_ATTR_MAP_ID
    JOIN openiam.MNG_SYS_POLICY m
    ON m.MNG_SYS_POLICY_ID = a.MNG_SYS_POLICY_ID
    AND m.MANAGED_SYS_ID = 'WORKDAY_MANAGED_SYS'
    SET r.GROOVY_SCRIPT_ID = g.GROOVY_SCRIPT_ID;

    Update managed system handler scripts as required

    UPDATE MANAGED_SYS
    SET
        ADD_HNDLR = '.../connector/groovy/nls/SaveScript_1.0.groovy',
        MODIFY_HNDLR = '.../connector/groovy/nls/SaveScript_1.0.groovy',
        SEARCH_HNDLR = '/...C/connector/groovy/nls/NLSUserSearch_1.0.groovy;/.../connector/groovy/nls/NLSGroupSearchScript_1.0.groovy',
        LOOKUP_HNDLR = NULL,
        TEST_CONNECTION_HNDLR = 'connector/groovy/example/TestScriptConnector_1.0.groovy'
    WHERE NAME = '03 NLS -instance (restAPI provisioning)';

    Final verification

    After completing all steps:

    • Re-run validation SELECT queries to confirm no path-based Groovy references remain.
    • Test synchronization, reconciliation, and provisioning flows. Make sure to repeat managed-system–specific steps for all other managed systems.

    Post-upgrade tasks

    Update access_certification schedule types.

    It will normalize deprecated schedule values after upgrade. Identify affected records and run the following query to review certifications with a defined schedule.

    SELECT id, name, schedule_type
    FROM access_certification
    WHERE schedule_type IS NOT NULL;

    Update deprecated schedule values. Convert legacy INTERVAL_4 values to the supported QUARTERLY value.

    BEGIN;
    UPDATE access_certification
    SET schedule_type = 'QUARTERLY'
    WHERE schedule_type = 'INTERVAL_4';
    COMMIT;

    All access certifications previously using INTERVAL_4 will now use QUARTERLY.

    Script updates required

    This ensures all Groovy scripts properly handle responses introduced or enforced after the upgrade. Perform validation and updates for the following script categories:

    • All policy map scripts.
    • Preprocessor scripts.
    • Postprocessor scripts.
    • ConnectorResponse scripts.
    • All transformation scripts.
    • Validation scripts.
    • DefaultProvisionServiceEventProcessor.groovy.
    • TestScriptConnector.groovy.
    • All connector scripts.
    • CustomNotificationDelegate.groovy.
    • All batch scripts. Expected changes may include the following.
    • Improved error parsing and logging.
    • Adjusted return values or exception handling.

    UI customization and custom CSS deployment

    UI custom styling must be reapplied after system upgrade. Deploy custom.css. Move the customized stylesheet to the UI static storage volume.

    /docker/volumes/ui_static_storage/_data
    Notes: Ensure correct file permissions after copying.

    Restart the UI service if styles do not apply immediately.

    Post-upgrade content pattern restoration

    It helps to maintain backward compatibility for content and templates used before the upgrade. Reapply default patterns. After upgrading the system.

    • Add the default content pattern that was used in the previous version.
    • Ensure the pattern matches the structure expected by existing templates and pages.

    Fixing missing connector.response.handler.script in IDM

    Use this procedure if an IDM error occurs indicating that the connector response handler script is missing or not configured.

    1. Check if the property is already configured. First, verify whether the required property exists in the PROPERTY_FILE_VALUES table.
    SELECT *
    FROM PROPERTY_FILE_VALUES
    WHERE PROPERTY_ID = 'org.openiam.idm.connector.response.handler.script';

    If this query returns a result, the property is already configured and no further action is required. If no rows are returned, the property is missing and must be added manually. You can also go to webconsole > Administration > System configuration after the upgrade, go through the tabs and check that all scripts are presented in the configurations. This will check not just connector listener, but all other default ones that now are defined through the properties table. Property Another option is to check the count of such properties from DB. The below query can be used and as of today count is equal to 38.

    SELECT COUNT(*)
    FROM PROPERTY_FILE_VALUES
    WHERE PROPERTY_TYPE = 'Groovy';

    Properties table In case the count is different or the groovy is missing after the manual review, the property must be added manually. 2. Find the Groovy script ID. If the property is missing, switch to the groovy schema and locate the Groovy script that should be used as the connector response handler.

    SELECT *
    FROM GROOVY_FILE
    WHERE FILE_NAME LIKE 'CustomConnectorResponse%';

    This query retrieves the Groovy script metadata. Note the value of GROOVY_SCRIPT_ID from the result. This ID will be used as the property value in the next step. 3. Insert the missing property. Switch to the OpenIAM schema and insert a new record into PROPERTY_FILE_VALUES using the GROOVY_SCRIPT_ID obtained in step 2.

    INSERT INTO PROPERTY_FILE_VALUES
    (
      category,
      is_empty_value_allowed,
      is_multilangual,
      is_multiple,
      is_read_only,
      property_id,
      property_type,
      property_value
    )
    VALUES
    (
      'IDM',
      'Y',
      'N',
      'N',
      'N',
      'org.openiam.idm.connector.response.handler.script',
      'Groovy',
      'id_from_previous_query_here'
    );
    • property_id defines the IDM configuration key.
    • property_type = 'Groovy' tells OpenIAM that the value references a Groovy script.
    • property_value must be replaced with the actual GROOVY_SCRIPT_ID.
    1. Commit the transaction (if required). Depending on your database configuration, explicitly commit the transaction:
    COMMIT;
    Important notes:
    • ⚠️Adjust SQL syntax as needed based on the database type (Oracle, MySQL, PostgreSQL, etc.).
    • Always validate the inserted value by re-running the query from Step 1.
    • Restart the application if the configuration is cached and the change does not take effect immediately.

    Summary checklist

    ✅ Access certification schedules updated.
    ✅ All Groovy scripts reviewed for HTTP 422 handling.
    ✅ Custom UI styles restored.
    ✅ Legacy content patterns reintroduced.

    Previous
    Operational
    Next
    Increasing the JDBC connection pool size