Specify a rule string for setting the list of groups in Active Directory Account Template


Article ID: 9512


Updated On:

Products

CA Directory, CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On, CA Security Command Center, CA Data Protection (DataMinder), CA User Activity Reporting

Issue/Introduction

The Active Directory Account Template attribute (eTADSPolicy.eTADSmemberOf), as managed through Provisioning Manager, does not allow you to specify a rule string for setting the list of groups.

The Provisioning Manager GUI and the Identity Manager task screens only allow you to pick a set of groups from a search list; neither interface exposes a dynamic option.

Environment

Release: CAIDMB99000-14.1-Identity Manager-B to B
Component:

Resolution

As a workaround, deployments have used an LDAP modify of the specific eTADSPolicy.eTADSMemberOf attribute in the Identity Manager Provisioning Directory to set a rule string as the value.

When the provisioning server reads the attribute, it evaluates the rule string value before passing the value(s) on to the connector.

The usual implementation maintains a multi-valued attribute on the Corporate User that maps to one of the Provisioning User eTCustomFields (also multi-valued), and then uses the appropriate rule string for that custom field as the value for eTADSMemberOf.

The downside, and a word of caution: this setting is lost if the Active Directory Account Template attribute is later modified through one of the user interfaces.
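Because a UI edit replaces the rule string without warning, group membership can stop following the user attribute unnoticed. The following is an added example, not CA or Broadcom code: it scans an LDIF export of the account templates and reports those expected to carry a rule string in eTADSMemberOf that no longer do. The percent-delimited token form (for example `%*UCU01%`), the DNs and the function names are assumptions or constructed values.

```python
import base64
import re

# Assumption: rule-string variables are percent-delimited tokens such as %*UCU01%.
RULE_TOKEN = re.compile(r"%[^%\s]+%")

# Constructed sample export; DNs and group names are placeholders.
SAMPLE_LDIF = (
    "dn: cn=template-a,dc=example\n"
    "eTADSMemberOf: %*UCU01%\n"
    "\n"
    "dn: cn=template-b,dc=example\n"
    "eTADSmemberOf: CN=Finance,OU=Groups,\n"
    " DC=corp,DC=example\n"
    "eTADSmemberOf:: "
    + base64.b64encode(b"CN=HR,OU=Groups,DC=corp,DC=example").decode() + "\n"
)

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]; handles folded and base64 values."""
    unfolded = re.sub(r"\n ", "", text)          # LDIF continuation lines start with one space
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:                                 # attribute names are case-insensitive
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def lost_rule_strings(ldif_text, expected_dns):
    """Return {dn: current values} for expected templates with no rule string left."""
    current = {dn.lower(): attrs.get("etadsmemberof", [])
               for dn, attrs in parse_ldif(ldif_text)}
    return {dn: current.get(dn.lower(), []) for dn in expected_dns
            if not any(RULE_TOKEN.search(v) for v in current.get(dn.lower(), []))}
```

Run it on a schedule against a fresh export, with the list of templates that were modified through LDAP as `expected_dns`; any DN it returns needs the rule string re-applied.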