Adding User to Group in AD LDS with Policy Xpress

Article Id: 40603

Status: Published

Updated On: 14-02-2018 07:45

Legacy Id: TEC1451233

Products:

CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On

Issue/Introduction:

Issue:

The following error occurs when using a PX policy to add a user to a group or remove them from a group in AD LDS or another DYN endpoint: "Not a valid IAM handle: 'MyGroupName'". The PX policy action is updating the memberOf attribute on the DYN account.

Environment:

Applies to all supported environments for IM.

Cause:

This error occurs because Identity Manager uses JIAM API to communicate with Provisioning and the PX policy must pass the group in a form that JIAM will accept.

Resolution/Workaround:

In the case of a DYN endpoint created in Connector Xpress, the proper format would be similar to:

Group=MyGroupName,Account_Container=Groups,Endpoint=MyDYNEndpoint,Namespace=DYNEndpointType,Domain=im,Server=Server

where the following values are used:

Group=the name of the group

Account_Container=the name of the OU containing the group (there may be multiple Account_Container values)

Endpoint=the name of the acquired endpoint

Namespace=the endpoint type

Domain=the Provisioning domain name, typically "im", which can be confirmed in Provisioning Manager

Server=Server

Additional Information:

To validate the handle, use a PX policy of type UI to get an existing DYN account and its memberOf value, and display that to the screen. It will show the proper IAM handle format.

Environment:

Release:
Component: IDMGR