
How to add a user to an AD Group using PX


Article ID: 216788


Updated On:

Products

CA Identity Suite CA Identity Manager

Issue/Introduction

How do you configure a CA Identity Manager (IM) Policy in Policy Xpress (PX) to add a user to an Active Directory Group?

Environment

Release : 14.x

Component :

CA IDENTITY MINDER (IDENTITY MANAGER)

CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

A prerequisite is that an Active Directory endpoint is configured and the AD accounts already exist. In the example below we configure a policy that triggers when a user is modified and that user has a "User Type" of "Employee".


Steps.

1. Navigate to Tasks -> Policies -> Policy Xpress -> Create Policy Xpress Policy.

2. Complete the mandatory fields on the Profile tab (Policy Name, Category and Priority).

3. Specify the Event State (this is when the trigger is evaluated). In this example the trigger is evaluated "After" a "Modify User Event".

4. The Data tab is used to retrieve the information required to evaluate the trigger and to perform the action.

In this example, three data elements are needed:

(a) Get the Active Directory account associated with the IM user (Get AD Accounts)

(b) Build a list of all relevant accounts (Each Account)

(c) Get the IM user attribute to be tested (User Type)

5. There are no specific Entry Rules for this example.

6. Action Rules. These define what actions to take when the trigger criteria are met.

In this example, the condition is that the "User Type" data element contains "Employee".


We want to add the user to an Active Directory Group.

The action type is "AD Accounts Update".

The Value is in the format

{"memberOf":"ADSGroup=<AD Group Name>,ADSContainer=<AD Container>,EndPoint=<Endpoint Name>,Namespace=ActiveDirectory,Domain=<im domain>,Server=Server"}

and mirrors the group's entry in the provisioning directory, so each value must match the group, container and endpoint exactly as they are defined there.

In this example:

{"memberOf":"ADSGroup=TestGroup,ADSContainer=Users,EndPoint=Voonair,Namespace=ActiveDirectory,Domain=im,Server=Server"}
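A single typo in that string (a misspelled key, a missing component, a wrong Namespace) leaves the action silently ineffective, so it is worth generating and checking the value rather than typing it by hand. The following Python helper is an added example, not part of the article or of CA's product: build_member_of assembles the value from its components in the order the article shows, and parse_member_of validates an existing value and returns its components. The escaping rules for commas or "=" inside names are not documented on this page, so such names are rejected rather than guessed at (an assumption stated in the code).

```python
import json

# The DN components the article's memberOf value carries, in the order shown.
REQUIRED_KEYS = ("ADSGroup", "ADSContainer", "EndPoint", "Namespace", "Domain", "Server")


def build_member_of(group, container, endpoint, domain, server="Server",
                    namespace="ActiveDirectory"):
    """Return the JSON string to paste into the PX 'AD Accounts Update' value field.

    Assumption: all names are plain strings. The article does not document how
    ',' or '=' inside a name is escaped in the provisioning directory DN, so
    such names are refused instead of being escaped incorrectly.
    """
    parts = [("ADSGroup", group), ("ADSContainer", container), ("EndPoint", endpoint),
             ("Namespace", namespace), ("Domain", domain), ("Server", server)]
    for key, val in parts:
        if not val or any(ch in val for ch in ",="):
            raise ValueError(f"{key} must be non-empty and contain no ',' or '='")
    dn = ",".join(f"{k}={v}" for k, v in parts)
    # Compact separators reproduce the exact form shown in the article.
    return json.dumps({"memberOf": dn}, separators=(",", ":"))


def parse_member_of(value):
    """Validate a value string and return its DN components as a dict.

    Raises ValueError for the defects a hand-typed value typically has:
    invalid JSON, a wrong or extra top-level key, a malformed or duplicated
    component, a missing component, or a Namespace other than ActiveDirectory.
    """
    try:
        obj = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if set(obj) != {"memberOf"} or not isinstance(obj["memberOf"], str):
        raise ValueError("expected exactly one string key 'memberOf'")
    components = {}
    for piece in obj["memberOf"].split(","):
        key, sep, val = piece.partition("=")
        if not sep or not key or not val:
            raise ValueError(f"malformed component {piece!r}")
        if key in components:
            raise ValueError(f"duplicate component {key}")
        components[key] = val
    missing = [k for k in REQUIRED_KEYS if k not in components]
    if missing:
        raise ValueError(f"missing components: {', '.join(missing)}")
    if components["Namespace"] != "ActiveDirectory":
        raise ValueError("Namespace must be ActiveDirectory for an AD endpoint")
    return components


if __name__ == "__main__":
    # The article's own example: group TestGroup in container Users on endpoint Voonair.
    value = build_member_of("TestGroup", "Users", "Voonair", "im")
    print(value)
    print(parse_member_of(value))
```

Run it once with your own group, container and endpoint names and paste the printed string into the action's Value field; running parse_member_of over a value copied back out of PX is a quick way to confirm that what was saved is well-formed.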
