Unable to modify a corporate user's organization field

Article ID: 182901

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

After enabling the Organization field on the Modify user screen, I am still unable to modify the organization for a user.

Cause

The organization field for a corporate user can be set once and only once in the user's lifetime.

Environment

Release : 14.3

Component : IdentityMinder(Identity Manager)

Resolution

Supported Solution:
IDM does not support changing a user's organization location. You will need to delete the user and recreate them under the desired organization within Identity Manager.


Unsupported Workaround:

NOTE: ALL USER MIGRATION ON THE BACKEND CAN CAUSE USER DATA CORRUPTION AND IT IS SUGGESTED THAT YOU BACK UP ALL YOUR DATA PRIOR TO ANY CHANGES. ONLY PERFORM THESE STEPS IF YOU ARE PROFICIENT IN THE APPLICATION. ANY ISSUES CAUSED BY THE BELOW STEPS WILL RESULT IN YOU BEING REQUIRED TO REVERT ALL CHANGES. MAKE SURE YOU TAKE SNAPSHOTS OF ALL SYSTEMS INVOLVED INCLUDING SQL. SUPPORT WILL NOT TROUBLESHOOT ISSUES CAUSED BY THE BELOW STEPS.

Caveats: 

1) The user being moved cannot have an active pending workflow against them.

2) The user being moved cannot have a pending task against them.

3) Any rules regarding admin/owner/member policies could affect user integrity... etc

These are not the only scenarios to consider; there could be others. Make sure that at least the 3 conditions above are addressed before moving the user on the back end.


Work Around Steps:

You will need to use the modrdn functionality against CA Directory.

Reference:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-1/reference/file-structure-and-file-formats/ldif/format-of-information-in-an-ldif-file.html

You will need to get all the dn values you want to move. Then you will need to build an LDIF file such as the below example. Let's say you want to move this user from ou=Support,ou=Customer,o=DEMOCORP,c=AU to ou=Customer,o=DEMOCORP,c=AU. You will need to make an LDIF file with the modrdn request in it. See below.

Use Case:
Old DN: cn=Glenda STEIN,ou=Support,ou=Customer,o=DEMOCORP,c=AU
New DN: cn=Glenda STEIN,ou=Customer,o=DEMOCORP,c=AU


Create an LDIF file with the below lines:
dn: cn=Glenda STEIN,ou=Support,ou=Customer,o=DEMOCORP,c=AU
changetype: modrdn
newrdn: cn=Glenda STEIN
deleteoldrdn: 1
newsuperior: ou=Customer,o=DEMOCORP,c=AU

Once you have this done then you will need to execute a dxmodify:

dxmodify -c -h hostname:19389 -D bindDN -f newou.ldif

Reference:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-1/administrating/tools-to-manage-ca-directory/dxtools/dxmodify-tool-add-new-or-changed-information-to-a-directory.html

Now when you view the user in Identity Manager, you will see they are a part of the new Organization.
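
Added example (not part of the original article or of any CA/Broadcom tooling): a Python helper that builds the modrdn LDIF shown above for a list of DNs, going beyond the single-user case by handling escaped commas and base64-encoding values that RFC 2849 does not allow as plain text. The function names are hypothetical, and case-insensitive DN comparison is an assumption about the directory's naming attributes.

```python
import base64

def split_dn(dn):
    # Split at unescaped commas only; a backslash escapes the next character.
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" else 1
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    return parts + [cur]

def norm_dn(dn):
    # Comparison form only. Assumption: naming attributes match case-insensitively.
    return [p.strip().lower() for p in split_dn(dn)]

def ldif_line(attr, value):
    # RFC 2849: values that are non-ASCII, start with space, ':' or '<', end with
    # a space, or contain CR/LF/NUL are written base64-encoded as "attr:: ...".
    safe = (value.isascii() and value == value.strip(" ")
            and not value.startswith((":", "<"))
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_modrdn_ldif(dns, old_parent, new_parent):
    # One modrdn change record per DN; refuse DNs not directly under old_parent,
    # so a typo in the input list cannot relocate an unrelated entry.
    records = []
    for dn in dns:
        if norm_dn(dn)[1:] != norm_dn(old_parent):
            raise ValueError(f"{dn!r} is not directly under {old_parent!r}")
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modrdn",
            ldif_line("newrdn", split_dn(dn)[0]),
            "deleteoldrdn: 1",
            ldif_line("newsuperior", new_parent),
        ]))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    # Constructed input: the DN and organizations from the use case above.
    print(build_modrdn_ldif(["cn=Glenda STEIN,ou=Support,ou=Customer,o=DEMOCORP,c=AU"],
        "ou=Support,ou=Customer,o=DEMOCORP,c=AU", "ou=Customer,o=DEMOCORP,c=AU"), end="")
```

Review the generated file against the caveats above before passing it to dxmodify with -f.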