search cancel

Adding User to Group in AD LDS with Policy Xpress

book

Article ID: 40603

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

The following error occurs when using a PX policy to add a user to a group or remove them from a group in AD LDS or another DYN endpoint: "Not a valid IAM handle: 'MyGroupName'". The PX policy action is updating the memberOf attribute on the DYN account.

 

 

 

Environment

All Identity Manager

Cause

This error occurs because Identity Manager uses JIAM API to communicate with Provisioning and the PX policy must pass the group in a form that JIAM will accept.

Resolution

In the case of a DYN endpoint created in Connector Xpress, the proper format would be similar to:

Group=MyGroupName,Account_Container=Groups,Endpoint=MyDYNEndpoint,Namespace=DYNEndpointType,Domain=im,Server=Server

where the following values are used:

Group=the name of the group

Account_Container=the name of the OU containing the group (there may be multiple Account_Container values)

Endpoint=the name of the acquired endpoint

Namespace=the endpoint type

Domain=the Provisioning domain name, typically "im", which can be confirmed in Provisioning Manager

Server=Server

Additional Information

To validate the handle, use a PX policy of type UI to get an existing DYN account and its memberOf value, and display that to the screen.  It will show the proper IAM handle format.