Unable modify a corporate users organization field

Article Id: 182901
Status: Published
Updated On: 27-02-2020 10:18
Products:
CA Identity Manager , CA Identity Governance , CA Identity Portal , CA Identity Suite
Issue/Introduction:

After enabling the Organization field on the Modify user screen, I am still unable to modify the organization for a user.

Cause:

The organization field for a corporate user can be set once and only once in the user's lifetime.

Environment:

Release : 14.3

Component : IdentityMinder(Identity Manager)

Resolution:

Supported Solution:
IDM does support for the manipulation of user organization location. You will need to delete the user and recreate them under the desired organization within Identity Manager


Unsupported Workaround:

NOTE: ALL USER MIGRATION ON THE BACKEND CAN CAUSE USER DATA CORRUPTION AND IT IS SUGGEST THAT YOU BACK UP ALL YOUR DATA PRIOR TO ANY CHANGES. ONLY PERFORM THESE STEPS IF YOU ARE PROFICIENT IN THE APPLICATION. ANY ISSUES CAUSED BY THE BELOW STEPS WILL RESULT IN YOU BEING REQUIRED TO REVERT ALL CHANGES. MAKE SURE YOU TAKE SNAPSHOTS OF ALL SYSTEMS INVOLVED INCLUDING SQL. SUPPORT WILL NOT TROUBLESHOOT ISSUES CAUSED BY THE BELOW STEPS.

Caveats: 

1) The user being moved cannot have an active pending workflow against them.

2) The user being moved cannot have a pending task against them.

3) Any rules regarding admin/owner/member policies could affect user integrity... etc

You are not limited to only the above scenarios but there could be others. You should make sure at least the above 3 conditions are focused on before moving the user on the back end.


Work Around Steps:

You will need to utilize modrn functionality against CA Directory.

Reference:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-1/reference/file-structure-and-file-formats/ldif/format-of-information-in-an-ldif-file.html

You will need to get all the dn values you want to move. Then you will need to build an LDIF file such as the below example. Let's say you want to move this user from ou=Support,ou=Customer,o=DEMOCORP,c=AU to ou=Customer,o=DEMOCORP,c=AU. You will need to make an LDIF file with the modrdn request in it. See below.

Use Case:
Old DN: cn=Glenda STEIN,ou=Support,ou=Customer,o=DEMOCORP,c=AU
New DN: cn=Glenda STEIN,ou=Customer,o=DEMOCORP,c=AU


Create an LDIF file with the below lines:
dn: cn=Glenda STEIN,ou=Support,ou=Customer,o=DEMOCORP,c=AU
changetype: modrdn
newrdn: cn=Glenda STEIN
deleteoldrdn: 1
newsuperior: ou=Customer,o=DEMOCORP,c=AU

Once you have this done then you will need to execute a dxmodify:

dxmodify -c -h hostname:19389 -D bindDN -f newou.ldif

Reference:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-1/administrating/tools-to-manage-ca-directory/dxtools/dxmodify-tool-add-new-or-changed-information-to-a-directory.html

Now when you view the user in Identity Manager you will see they are apart of the new Organization.