Adding User to Group in AD LDS with Policy Xpress


Article ID: 40603




CA Identity Manager; CA Identity Governance; CA Identity Portal; CA Risk Analytics; CA Secure Cloud SaaS - Arcot A-OK (WebFort); CLOUDMINDER ADVANCED AUTHENTICATION; CA Secure Cloud SaaS - Advanced Authentication; CA Secure Cloud SaaS - Identity Management; CA Secure Cloud SaaS - Single Sign On



The following error occurs when using a PX policy to add a user to a group or remove them from a group in AD LDS or another DYN endpoint: "Not a valid IAM handle: 'MyGroupName'".  The PX policy action is updating the memberOf attribute on the DYN account.


Applies to all supported environments for IM.


This error occurs because Identity Manager uses the JIAM API to communicate with Provisioning, and the PX policy must pass the group in a form that JIAM will accept.


In the case of a DYN endpoint created in Connector Xpress, the proper format would be similar to:


where the following values are used:

Group=the name of the group

Account_Container=the name of the OU containing the group (there may be multiple Account_Container values)

Endpoint=the name of the acquired endpoint

Namespace=the endpoint type

Domain=the Provisioning domain name, typically "im", which can be confirmed in Provisioning Manager


Additional Information:

To validate the handle, use a PX policy of type UI to get an existing DYN account and its memberOf value, and display that value on the screen. It will show the proper IAM handle format.



Component: IDMGR