How to add a user to an AD Group using PX
Article ID: 216788
Updated On:
Products
Issue/Introduction
How do you configure a CA Identity Manager (IM) Policy in Policy Xpress (PX) to add a user to an Active Directory Group?
Environment
Release : 14.x
Component :
CA IDENTITY MINDER (IDENTITY MANAGER)
CA IDENTITY SUITE (VIRTUAL APPLIANCE)
Resolution
A prerequisite is that an Active Directory Endpoint is configured and AD accounts are already defined. In the below example we will configure a policy to trigger when a user is modified and they have the "User Type" of "Employee"
Steps.
1. Navigate to Tasks -> Policies -> Policy Xpress -> Create Policy Xpress Policy
2. Complete the Profile Tab Mandatory Fields (Policy name, Category, and Priority)
2. Specify the Event State (this is when you want the trigger to be evaluated). In this example we will evaluate the trigger "After" a "Modify User Event"
3. The Data tab is used to retrieve information required to evaluate the trigger.
In this example, you need to
(a) Get the Active Directory Account associated with the IM User (Get AD Accounts),
(b) Build a List of all relevant Accounts (Each Account)
(c) Get the IM User Attributes (User Type)
Get AD Accounts
Each Account
User Type
4. There are no specific Entry Rules for this example.
5. Action Rules. This defines what actions to take if the trigger criteria are met.
In this example, if the "Employee Type" contains "Employee".
We want to add the user to an Active Directory Group.
AD Accounts Update
The Value is in the format
{"memberOf":"ADSGroup=<AD Group Name>,ADSContainer=<AD Container>,EndPoint=<Endpoint Name>,Namespace=ActiveDirectory,Domain=<im domain>,Server=Server"}
And relates to the conetnt of the provisiong directory
In this example:
{"memberOf":"ADSGroup=TestGroup,ADSContainer=Users,EndPoint=Voonair,Namespace=ActiveDirectory,Domain=im,Server=Server"}
Feedback
