Unable to assign default group membership in Top Secret
search cancel

Unable to assign default group membership in Top Secret


Article ID: 92619


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal


Using Top Secret v2 Connector to provision to CA Top Secret 15.0, the connector could successfully provision accounts on CA Top Secret and assign Group Membership AND Default Group Membership.  After an upgrade of the Top Secret Endpoint from 15.0 to 16.0, the Default Group Membership isn't getting assigned and account creation fails.  If the Default Group Membership is removed from the Account Template and the Group Membership left with its original values, the account gets provisioned successfully.  The error message with the Deafult Group Membership is similar to:

:ETA_E_0016, Account for Global User 'XYZ' on Endpoint 'Topsecret' creation failed: :ETA_E_0004, User Account 'XYZ' on 'Topsecret' creation failed: Connector Server Add failed: code 80 (OTHER-LdapNamingException): failed to add entry eTDYNAccountName=XYZ,eTDYNAccountContainerName=ACIDs,eTDYNDirectoryName=Topsecret,eTNamespaceName=CA Top Secret v2,dc=im,dc=etasa: JCS@SERVERNAME: JNDI: [LDAP: error code 80 - LDP2108E TSS error adding tssacid(TSS0626E DEFAULT GROUP NOT DEFINED OR IS NOT IN USER'S LIST OF GROUPS)]: failed to add tssacid=XYZ,tssadmingrp=acids,host=ldap_im,o=MyOrg,c=us (ldaps://servername.ca.com:20411)

The Group used as Default Group exists on the endpoint and it is provisioned as a Group but not as a Default Group.


Identity Manager 12.6.x
CA Top Secret 16.0
CA LDAP Server r15


CA LDAP Server r15 does not support dynamically setting Default Group (DFTLGRP) if the group is not already set on the account.


This issue is resolved by upgrading CA LDAP Server to r15.1 which has special TSS r16 support to dynamically add groups that don't exist before setting DFLTGRP.