How to add AD Endpoint groups to an AD Template via TEWS and/or PX Policies

Article ID: 44024


Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

When working with PX Policies or TEWS to add, remove, or modify the AD groups on an AD Account or AD Template, you must reference the AD groups by their IAMHandle.

Environment

All Identity Manager

Cause

IM uses the jiam.jar layer to communicate with the Provisioning Server, so the AD Endpoint Group value must be supplied in IAMHandle format.

Resolution

Below are the IAMHandles, as they would be referenced in a PX Policy, for an AD group called "Administrators" in the default container "Builtin" on an AD Endpoint called "MyEndpoint", for an AD group called "TestGroup" in an Org Unit called "MyOU" on the same endpoint, and for "TestGroup" located in a sub-OU "MySubOU" beneath "MyOU" (nested OUs are listed innermost first):

ADSGroup=Administrators,ADSContainer=Builtin,EndPoint=MyEndpoint,Namespace=ActiveDirectory,Domain=im,Server=Server

ADSGroup=TestGroup,ADSOrgUnit=MyOU,EndPoint=MyEndpoint,Namespace=ActiveDirectory,Domain=im,Server=Server

ADSGroup=TestGroup,ADSOrgUnit=MySubOU,ADSOrgUnit=MyOU,EndPoint=MyEndpoint,Namespace=ActiveDirectory,Domain=im,Server=Server

 

Below is a sample snippet from a TEWS request that adds the first two groups above to a template:

<wsdl:CreateActiveDirectoryAccountTemplateActiveDirectoryAccountTemplateGroupsTab>
  <wsdl:EndpointCapabilityList>
    <!-- UniqueName is the group's IAMHandle; Container is the IAMHandle of the group's parent container or OU -->
    <wsdl:add index="0">
      <wsdl:UniqueName>ADSGroup=Administrators,ADSContainer=Builtin,EndPoint=MyEndpoint,Namespace=ActiveDirectory,Domain=im,Server=Server</wsdl:UniqueName>
      <wsdl:Container>ADSContainer=Builtin,EndPoint=MyEndpoint,Namespace=ActiveDirectory,Domain=im,Server=Server</wsdl:Container>
    </wsdl:add>
    <wsdl:add index="1">
      <wsdl:UniqueName>ADSGroup=TestGroup,ADSOrgUnit=MyOU,EndPoint=MyEndpoint,Namespace=ActiveDirectory,Domain=im,Server=Server</wsdl:UniqueName>
      <wsdl:Container>ADSOrgUnit=MyOU,EndPoint=MyEndpoint,Namespace=ActiveDirectory,Domain=im,Server=Server</wsdl:Container>
    </wsdl:add>
  </wsdl:EndpointCapabilityList>
</wsdl:CreateActiveDirectoryAccountTemplateActiveDirectoryAccountTemplateGroupsTab>
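As an added example (not code from this article or from CA Identity Manager), the following Python builds the IAMHandle strings shown above from their components and emits the matching <wsdl:add> entries, so that the Container value is always derived from the same path as the UniqueName rather than hand-typed. It assumes the Domain=im and Server=Server suffix from the article's examples, takes nested OUs innermost first as in the MySubOU/MyOU handle, and rejects names containing ',' or '=' because the article documents no escaping rules for them.

```python
# Added example, not part of the KB article or the product: derive IAMHandles
# and the TEWS <wsdl:add> entries from structured input instead of hand-typing
# them, so UniqueName and Container can never disagree.
# Assumptions: Domain=im and Server=Server are the suffix values used in the
# article's examples; nested OUs are given innermost first.
from xml.etree import ElementTree as ET

SUFFIX = ["Namespace=ActiveDirectory", "Domain=im", "Server=Server"]
KINDS = ("ADSContainer", "ADSOrgUnit")


def _check(value):
    # The article documents no escaping for ',' or '=' inside a component,
    # so refuse values that would corrupt the handle rather than guess.
    if "," in value or "=" in value:
        raise ValueError(f"unsupported character in component {value!r}")
    return value


def container_handle(path, endpoint):
    """IAMHandle of a container. path is a list of (kind, name) pairs where
    kind is 'ADSContainer' (e.g. Builtin) or 'ADSOrgUnit', innermost first."""
    for kind, _ in path:
        if kind not in KINDS:
            raise ValueError(f"unknown container kind {kind!r}")
    parts = [f"{kind}={_check(name)}" for kind, name in path]
    return ",".join(parts + [f"EndPoint={_check(endpoint)}"] + SUFFIX)


def group_handle(group, path, endpoint):
    """IAMHandle of an AD group: the group RDN prefixed to its container handle."""
    return f"ADSGroup={_check(group)}," + container_handle(path, endpoint)


def groups_tab_xml(groups, endpoint):
    """Render the GroupsTab fragment of a TEWS create-template request.
    groups is a list of (group_name, path); the add index follows list order."""
    tab = "wsdl:CreateActiveDirectoryAccountTemplateActiveDirectoryAccountTemplateGroupsTab"
    root = ET.Element(tab)
    cap_list = ET.SubElement(root, "wsdl:EndpointCapabilityList")
    for i, (group, path) in enumerate(groups):
        add = ET.SubElement(cap_list, "wsdl:add", index=str(i))
        ET.SubElement(add, "wsdl:UniqueName").text = group_handle(group, path, endpoint)
        ET.SubElement(add, "wsdl:Container").text = container_handle(path, endpoint)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample matching the article's two groups.
    sample = [("Administrators", [("ADSContainer", "Builtin")]),
              ("TestGroup", [("ADSOrgUnit", "MyOU")])]
    print(groups_tab_xml(sample, "MyEndpoint"))
```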

Additional Information

Review the product documentation, as the interface may have changed with the addition of the Time Bound Membership feature:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-exchange-and-skpye-for-business(lync)/active-directory-connector-capabilities/active-directory-time-bound-membership.html