Adding User to Group in AD LDS with Policy Xpress

Article ID: 40603

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

The following error occurs when using a PX policy to add a user to a group or remove them from a group in AD LDS or another DYN endpoint: "Not a valid IAM handle: '<GroupName>'". The PX policy action is updating the memberOf attribute on the DYN account.

Environment

All Identity Manager

Cause

This error occurs because Identity Manager uses the JIAM API to communicate with Provisioning, and the PX policy must pass the group in a form that JIAM will accept. A bare group name is not such a form.

Resolution

In the case of a DYN endpoint created in Connector Xpress, the proper format would be similar to:

Group=<GroupName>,Account_Container=Groups,Endpoint=ExampleEndpoint,Namespace=DYNEndpointType,Domain=im,Server=Server

where the following values are used:

Group=the name of the group

Account_Container=the name of the OU containing the group (there may be multiple Account_Container values)

Endpoint=the name of the acquired endpoint

Namespace=the endpoint type

Domain=the Provisioning domain name, typically "im", which can be confirmed in Provisioning Manager

Server=Server
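As an added example (not part of the original article and not CA code), the following Python sketch checks a candidate memberOf value against the layout shown above before it is entered in a PX action, and assembles a handle from its parts. It assumes the key order of the sample handle and that names contain no commas; the function names and "ExampleGroup" are hypothetical.

```python
# Added example: pre-flight check for a group handle used in a PX action.
# Assumptions: key order follows the article's sample; names contain no commas.
EXPECTED_ORDER = ["Group", "Account_Container", "Endpoint",
                  "Namespace", "Domain", "Server"]


def parse_handle(value):
    """Split a candidate handle into (key, value) pairs; raise ValueError if malformed."""
    pairs = []
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if not sep or not key.strip() or not val.strip():
            raise ValueError(f"not a key=value component: {part!r}")
        pairs.append((key.strip(), val.strip()))
    return pairs


def check_handle(value):
    """Return a list of problems; an empty list means the sample layout is matched."""
    try:
        keys = [k for k, _ in parse_handle(value)]
    except ValueError as exc:
        return [str(exc)]
    problems = [f"unexpected key: {k}" for k in keys if k not in EXPECTED_ORDER]
    for k in EXPECTED_ORDER:
        if keys.count(k) == 0:
            problems.append(f"missing key: {k}")
        elif keys.count(k) > 1 and k != "Account_Container":
            problems.append(f"repeated key: {k}")  # only containers may repeat
    # Collapse consecutive Account_Container entries before comparing the order.
    collapsed = [k for i, k in enumerate(keys) if i == 0 or k != keys[i - 1]]
    if not problems and collapsed != EXPECTED_ORDER:
        problems.append("keys are not in the order shown in the article")
    return problems


def build_handle(group, containers, endpoint, namespace, domain="im", server="Server"):
    """Assemble a handle in the sample layout; 'containers' is a list of OU names."""
    parts = [f"Group={group}"]
    parts += [f"Account_Container={c}" for c in containers]
    parts += [f"Endpoint={endpoint}", f"Namespace={namespace}",
              f"Domain={domain}", f"Server={server}"]
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed sample values; "ExampleGroup" is a placeholder group name.
    print(check_handle("ExampleGroup"))  # bare name: the form that is rejected
    print(check_handle(build_handle("ExampleGroup", ["Groups"],
                                    "ExampleEndpoint", "DYNEndpointType")))
```

The authoritative format for a given endpoint is still the memberOf value read from an existing account, as described under Additional Information.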

Additional Information

To validate the handle, use a PX policy of type UI to get an existing DYN account and its memberOf value, and display it on the screen. The displayed value shows the proper IAM handle format.