Adding User to Group in AD LDS with Policy Xpress


Article ID: 40603



CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite


The following error occurs when using a PX policy to add a user to a group or remove them from a group in AD LDS or another DYN endpoint: "Not a valid IAM handle: '<GroupName>'". The PX policy action is updating the memberOf attribute on the DYN account.


All Identity Manager


This error occurs because Identity Manager uses the JIAM API to communicate with Provisioning, and the PX policy must pass the group in a form that JIAM will accept.


In the case of a DYN endpoint created in Connector Xpress, the proper format would be similar to:


where the following values are used:

Group=the name of the group

Account_Container=the name of the OU containing the group (there may be multiple Account_Container values)

Endpoint=the name of the acquired endpoint

Namespace=the endpoint type

Domain=the Provisioning domain name, typically "im", which can be confirmed in Provisioning Manager


Additional Information

To validate the handle, use a PX policy of type UI to get an existing DYN account and its memberOf value, and display it on the screen. It will show the proper IAM handle format.