Symantec Identity Manager - How to add Active Directory groups (AD groups) via PxPolicy Deep Dive
Article ID: 189955

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

When attempting to update Active Directory (AD) group membership via Policy Xpress (PX) in Identity Manager, the operation fails with one or more of the following errors:

  • LDAP: error code 70 - Unable to set Group Membership Attribute: memberOf Reason: Group-Membership modification error
  • Failed to execute AddToRelationshipEvent. ERROR MESSAGE: JIAMOperationException:javax.naming.NamingException: [LDAP: error code 80 - :ETA_E_0008

Environment

Release : 14.X
CA Identity Suite (Virtual Appliance)
CA Identity Manager (Standalone Appliance)
Policy Xpress (PX) / Provisioning Server

Cause

The failure occurs because the AD group Distinguished Name (DN) is supplied in standard LDAP format (e.g., using eTADSGroupName and eTADSOrgUnitName). The Identity Manager memberOf provisioning attribute requires a specific JSON-wrapped format in which these attributes are mapped to internal identifiers such as EndPoint and Namespace. Without this conversion, the Provisioning Server cannot identify the target group object.

Resolution

To resolve this issue, the AD group DN must be converted into the accepted JSON structure before it is assigned via Policy Xpress. The most common problem in the PX policy is the declaration of the group itself: in most cases the DN value is configured incorrectly.

The guide below shows how to build the DN value correctly.

1. Retrieve the Original DN

Use an LDAP browser (such as JXplorer) to connect to the Provisioning Server and copy the raw DN of the target AD group.

  • Format: eTADSGroupName=MyTestGroup,eTADSOrgUnitName=Org1,eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,dc=im,dc=eta

2. Convert to Accepted Format

Apply the following transformation rules to the raw DN:

  1. Trim Attribute Names: Strip the leading eT and the trailing Name from every attribute name (e.g., eTADSOrgUnitName becomes ADSOrgUnit).
  2. Rename Directory: Change ADSDirectory to EndPoint.
  3. Rename Namespace: Change ADSNamespace to Namespace.
  4. Update Domain Suffix: Replace the trailing dc=im,dc=eta with Domain=im,Server=Server.

Example Result: ADSGroup=MyTestGroup,ADSOrgUnit=Org1,EndPoint=MyAD,Namespace=ActiveDirectory,Domain=im,Server=Server

3. Configure Policy Xpress Automation

Implement these steps within a Policy Xpress policy to automate group assignments:

  • Data Element (String Manipulation): Use Replace Text functions to perform the conversion steps above.
  • Data Element (Concatenate): Wrap the converted string in a JSON object: {"memberOf" : "Converted_DN_String"}
  • Action Rule: Use a Set User Attribute action to assign this final JSON string to the memberOf attribute.
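The conversion in steps 1 to 3 above, written out as an added Python example (not part of this article and not a Policy Xpress artifact) so the rules can be checked against the sample DN before they are reproduced with Replace Text data elements. It assumes that the Domain value is taken from the first dc= component of the raw DN, that Server is always the literal Server, and that the DN contains no escaped commas.

```python
import json
import re

# Constructed sample input: the raw group DN shown in step 1 of this article.
SAMPLE_RAW_DN = ("eTADSGroupName=MyTestGroup,eTADSOrgUnitName=Org1,"
                 "eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,"
                 "dc=im,dc=eta")

# Rules 2 and 3 of the article: attribute renames applied after trimming.
RENAMES = {"ADSDirectory": "EndPoint", "ADSNamespace": "Namespace"}


def split_rdns(dn):
    """Split a DN into (attribute, value) pairs; reject malformed components.

    Assumption: no RFC 4514 escaped commas inside values.
    """
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN component: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def convert_dn(raw_dn):
    """Apply the article's four transformation rules to a raw Provisioning Server DN."""
    pairs = split_rdns(raw_dn)
    dc_values = [v for a, v in pairs if a.lower() == "dc"]
    if not dc_values:
        raise ValueError("DN has no dc= suffix; cannot build the Domain component")
    domain = dc_values[0]  # assumption: Domain comes from the first dc= component
    converted = []
    for attr, value in pairs:
        if attr.lower() == "dc":
            continue  # rule 4: the dc= suffix is replaced below
        name = re.sub(r"^eT", "", attr)      # rule 1: strip leading "eT"
        name = re.sub(r"Name$", "", name)    # rule 1: strip trailing "Name"
        name = RENAMES.get(name, name)       # rules 2 and 3
        converted.append(f"{name}={value}")
    converted.append(f"Domain={domain}")
    converted.append("Server=Server")
    return ",".join(converted)


def member_of_value(raw_dn):
    """Wrap the converted DN in the JSON object the memberOf attribute expects."""
    return json.dumps({"memberOf": convert_dn(raw_dn)})
```

The returned JSON string is what the Set User Attribute action assigns to memberOf; a DN that does not follow the expected shape raises ValueError instead of producing a value the Provisioning Server would reject with error code 70 or 80.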