Issue:
The following error occurs when using a PX policy to add a user to a group or remove them from a group in AD LDS or another DYN endpoint: "Not a valid IAM handle: 'MyGroupName'". The PX policy action is updating the memberOf attribute on the DYN account.
Environment:
Applies to all supported environments for IM.
Cause:
This error occurs because Identity Manager uses the JIAM API to communicate with Provisioning, and the PX policy must pass the group in a form that JIAM will accept. A bare group name such as 'MyGroupName' is not in that form.
Resolution/Workaround:
In the case of a DYN endpoint created in Connector Xpress, the proper format would be similar to:
Group=MyGroupName,Account_Container=Groups,Endpoint=MyDYNEndpoint,Namespace=DYNEndpointType,Domain=im,Server=Server
where the following values are used:
Group=the name of the group
Account_Container=the name of the OU containing the group (there may be multiple Account_Container values)
Endpoint=the name of the acquired endpoint
Namespace=the endpoint type
Domain=the Provisioning domain name, typically "im", which can be confirmed in Provisioning Manager
Server=Server
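
The following is an added example, not code from the product or from JIAM: a Python pre-check that builds a group handle in the layout shown above and reports why a string such as a bare group name does not match it. The function names are hypothetical, and it assumes values contain no commas or equals signs and that at least one Account_Container is present, as in the sample handle.

```python
# Added example: structural pre-check for the handle layout shown in this article.
# Not JIAM's own validation; it only mirrors the key sequence listed above.
# Assumptions: values contain no ',' or '=', and at least one Account_Container.
TAIL = ["Endpoint", "Namespace", "Domain", "Server"]


def parse_handle(handle):
    """Split a handle into (key, value) pairs; raise ValueError if malformed."""
    pairs = []
    for part in handle.split(","):
        key, sep, value = part.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value or "=" in value:
            raise ValueError(f"component {part!r} is not Key=Value")
        pairs.append((key, value))
    return pairs


def check_group_handle(handle):
    """Return a list of problems; an empty list means the layout matches."""
    try:
        keys = [k for k, _ in parse_handle(handle)]
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if keys[0] != "Group":
        problems.append("first component must be Group=<group name>")
    if keys[-4:] != TAIL:
        problems.append("handle must end with Endpoint, Namespace, Domain, Server")
    middle = keys[1:-4]
    if not middle or any(k != "Account_Container" for k in middle):
        problems.append("expected one or more Account_Container after Group")
    return problems


def build_group_handle(group, containers, endpoint, namespace, domain="im"):
    """Assemble a handle; containers are emitted in the order supplied."""
    parts = [("Group", group)]
    parts += [("Account_Container", c) for c in containers]
    parts += [("Endpoint", endpoint), ("Namespace", namespace),
              ("Domain", domain), ("Server", "Server")]
    handle = ",".join(f"{k}={v}" for k, v in parts)
    problems = check_group_handle(handle)
    if problems:  # e.g. a value that itself contains ',' or '='
        raise ValueError("; ".join(problems))
    return handle
```

The order of multiple Account_Container values is not stated in this article, so confirm it against a handle read from an existing account before relying on the builder's output.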
Additional Information:
To validate the handle, use a PX policy of type UI to get an existing DYN account and its memberOf value, and display that value on the screen. It will show the proper IAM handle format.