Symantec IGA

Change Active Directory User DN via Identity Manager PXP

    Posted Oct 15, 2014 04:39 PM

    Perhaps you're contemplating how to construct a Policy Xpress policy that will move a user's AD account from one container to another (in AD).


    In the IDM Portal select Policies > Policy Xpress > Create Policy Xpress, then select the option to create a new PX.

    In the Profile, fill in the attributes. For Event, select one of the options, for example "Submitted Task".

    Now the event will trigger the PX, for example, After / Modify User.

    In the Data tab, get the ADS Account Identifier of the account you want to move.

    In the Entry Rules, define the conditions for when the policy should run.

    In Action Rules, under "Add Action when Matched", use the following options:

    Category: Accounts

    Type: Move Account

    Function: Move To

    After that, select your Endpoint Type, the Account Identifier that you retrieved earlier in the Data tab, and the New Container.


    You might be wondering, "What am I supposed to enter for the 'Account Identifier' and 'New Container' fields in the Edit Action Rule form?"

    [Image: PXP.png]

    The Function Description provides a clue, but there is no example in the integrated help. Currently there are no examples of this in the CA Bookshelf documentation either.


    Solution:


    For the Account Identifier, enter "EndpointName:{'Full Name'}", where EndpointName is the name that shows up for the endpoint in the Provisioning Manager and {'Full Name'} is the provisioning accountID mapped attribute as defined in your configuration / mapping with Identity Manager.


    In New Container, enter only the OU values, for example "support,longisland", NOT the full DN syntax. Now when you trigger the PXP, the user will be moved from their existing container to "OU=support,OU=longisland,DC=ca,DC=com".


    Forward thinking:


    I have attached an example XML for extending this PXP to be a bit more dynamic, with data elements and iterators to make it more flexible in real life. The example is provided as is and isn't fit for any particular purpose other than to provide more clarity as to what's possible with PXP customization, especially in the area of AD account ModRDN operations.

    Please post with any questions or concerns.

    Thank you.

    Regards,

    Chris Thomas

    CA Technologies

    Principal Support Engineer

    Identity Manager Reporting Expert

    Tel:  +1-631-342-4360

    Chris.Thomas@ca.com

    https://communities.ca.com/people/Chris_Thomas
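
The "New Container" rule from the post, written out as an added example (not part of the original post, the attached XML, or the product): it rejects a value entered in full DN syntax, expands an OU list into the container DN the post describes, and checks an account DN read back from AD against it. The function names are hypothetical, the base DN "DC=ca,DC=com" is taken from the post's example, and the account DN is constructed sample data.

```python
import re

# Characters with special meaning in DN strings (RFC 4514). A component that
# contains one is rejected rather than escaped, so it gets a manual review.
_DN_SPECIAL = set('=+<>#;"\\')


def container_to_dn(new_container: str, base_dn: str) -> str:
    """Expand a 'New Container' value such as 'support,longisland' into the
    container DN the post describes. base_dn is an assumption of this example."""
    parts = [p.strip() for p in new_container.split(",")]
    if any(not p for p in parts):
        raise ValueError("empty OU component in New Container value")
    for p in parts:
        if _DN_SPECIAL & set(p):
            raise ValueError(f"{p!r} looks like DN syntax; enter OU names only")
    return ",".join([f"OU={p}" for p in parts] + [base_dn])


def parent_dn(dn: str) -> str:
    """Return dn without its leftmost RDN, honouring backslash-escaped commas."""
    m = re.match(r"(?:\\.|[^,\\])*,(.*)$", dn, re.S)
    if not m:
        raise ValueError("DN has no parent container")
    return m.group(1)


def moved_as_expected(account_dn: str, new_container: str, base_dn: str) -> bool:
    """True when the account's DN, as read back from AD, sits directly in the
    container the policy was configured with (DN comparison ignores case)."""
    expected = container_to_dn(new_container, base_dn)
    return parent_dn(account_dn).strip().lower() == expected.lower()


if __name__ == "__main__":
    base = "DC=ca,DC=com"  # from the post's example DN
    # Constructed sample DN, as it might be read back from AD after the move.
    after = r"CN=Doe\, Jane,OU=support,OU=longisland,DC=ca,DC=com"
    print(container_to_dn("support,longisland", base))
    print(moved_as_expected(after, "support,longisland", base))
    try:
        container_to_dn("OU=support,OU=longisland,DC=ca,DC=com", base)
    except ValueError as err:
        print("rejected:", err)
```

Because the OU an account sits in usually determines which group policies and delegated administrators apply to it, a check like this is worth running against a test account before enabling the policy for real users.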

