Issue: 

The following error occurs when using a PX policy to add a user to a group or remove them from a group in AD LDS or another DYN endpoint: "Not a valid IAM handle: 'MyGroupName'".  The PX policy action is updating the memberOf attribute on the DYN account.

Environment:  

Applies to all supported environments for IM.

Cause: 

This error occurs because Identity Manager uses JIAM API to communicate with Provisioning and the PX policy must pass the group in a form that JIAM will accept.

Resolution/Workaround:

In the case of a DYN endpoint created in Connector Xpress, the proper format would be similar to:

Group=MyGroupName,Account_Container=Groups,Endpoint=MyDYNEndpoint,Namespace=DYNEndpointType,Domain=im,Server=Server

where the following values are used:

Group=the name of the group

Account_Container=the name of the OU containing the group (there may be multiple Account_Container values)

Endpoint=the name of the acquired endpoint

Namespace=the endpoint type

Domain=the Provisioning domain name, typically "im", which can be confirmed in Provisioning Manager

Server=Server

Additional Information:

To validate the handle, use a PX policy of type UI to get an existing DYN account and its memberOf value, and display that to the screen.  It will show the proper IAM handle format.