The following error occurs when using a PX policy to add a user to a group or remove them from a group in AD LDS or another DYN endpoint: "Not a valid IAM handle: '<GroupName>'". The PX policy action is updating the memberOf attribute on the DYN account.
All Identity Manager
This error occurs because Identity Manager uses JIAM API to communicate with Provisioning and the PX policy must pass the group in a form that JIAM will accept.
In the case of a DYN endpoint created in Connector Xpress, the proper format would be similar to:
Group=<GroupName>,Account_Container=Groups,Endpoint=ExampleEndpoint,Namespace=DYNEndpointType,Domain=im,Server=Server
where the following values are used:
Group=the name of the group
Account_Container=the name of the OU containing the group (there may be multiple Account_Container values)
Endpoint=the name of the acquired endpoint
Namespace=the endpoint type
Domain=the Provisioning domain name, typically "im", which can be confirmed in Provisioning Manager
Server=Server
To validate the handle, use a PX policy of type UI to get an existing DYN account and its memberOf value, and display that to the screen. It will show the proper IAM handle format.