Symantec IGA


Make a user a member of Active Directory Group via Policy Xpress..

  • 1.  Make a user a member of Active Directory Group via Policy Xpress..

    Posted Oct 18, 2011 05:12 PM

    You may have configured your Policy Xpress policy to set a user as part of an Active Directory group, but you're receiving an error message indicating that there was an "Error setting account attribute ; Not a valid IAM handle".

    We've implemented a similar PX on IM R12.5 SP8 and it is working.
    These are the steps taken to achieve the goal:

    • PX Policy of type Event, executed after ModifyUserEvent
    • For the Data tab, do the following:
      • Get Accounts for endpoint type ActiveDirectory and store into get-accts
      • Use System\Iterator with the Next Object function and store into acct-iter
    • For the Action, have an Entry condition of get-accts Not equals ""
    • Then do Account\Set Account Data By Identifier with the Add function
    • Point to the ActiveDirectory endpoint with the acct-iter variable as the Account Identifier
    • Choose the Member Of (groupMembership) attribute.

    The value should be something like:
    ADSGroup=Administrators,ADSContainer=Builtin,EndPoint=im1251_SSL,Namespace=ActiveDirectory,Domain=im,Server=Server

    After performing the above steps, you may then receive a JIAM exception indicating that there's "No Such Object"; if so, please consider the following:

    On native ADS, the group DN is in OU, not CN containers.

    So the proper format to use in the PX policy would be:
    ADSGroup=x,ADSOrgUnit=x,EndPoint=x,Namespace=ActiveDirectory,Domain=im,Server=Server

    If you use ADSContainer, it will resolve to cn instead of ou. In some cases you may need to use a combination of them depending on what the actual DN is on the native ADS system.

    Please post with any questions or concerns.
    Thank you.
    Regards,

    Chris Thomas
    CA Technologies
    Principal Support Engineer
    Identity Manager Reporting Expert
    Tel: +1-631-342-4360
    Chris.Thomas@ca.com
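Editor's note: the "No Such Object" failure described in the post above comes from mapping a container to the wrong provisioning-directory type (ADSContainer resolves to CN=, ADSOrgUnit resolves to OU=). The following is an added example, not code from this thread or from CA Identity Manager, that converts a native AD group DN into the provisioning-directory form used as the groupMembership value and back again, so the mapping can be checked offline before a policy runs. Assumptions: the EndPoint, Domain and Server values are environment placeholders copied from the thread; the attribute spelling differs between the two formats quoted later in the thread (ADSGroup with ADSOrgUnit versus NativeGroup with Container_ADSOrgUnit), so the group attribute and the Container_ prefix are parameters; Container_ADSContainer is assumed by analogy and is not shown on the page; the sample DNs are constructed for the example.

```python
import re
from typing import List, Tuple

# Native AD container types and their provisioning-directory counterparts.
# Per the post above: ADSOrgUnit resolves to OU=, ADSContainer resolves to CN=.
_NATIVE_TO_IDM = {"OU": "ADSOrgUnit", "CN": "ADSContainer"}
_IDM_TO_NATIVE = {v: k for k, v in _NATIVE_TO_IDM.items()}

# Attribute names the thread uses for the group itself (two IdM versions).
_GROUP_ATTRS = ("ADSGroup", "NativeGroup")

# Trailing endpoint components of the provisioning-directory DN.
_TRAILER_ATTRS = ("EndPoint", "Namespace", "Domain", "Server")

# Split on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf first, keeping '\\,' escapes."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def to_idm_group_dn(native_dn: str, endpoint: str, domain: str,
                    server: str = "Server", group_attr: str = "ADSGroup",
                    container_prefix: str = "") -> str:
    """Native 'CN=group,OU=..,CN=..,DC=..' -> provisioning-directory DN."""
    pairs = split_dn(native_dn)
    leaf_attr, group_name = pairs[0]
    if leaf_attr.upper() != "CN":
        raise ValueError("a group DN must begin with CN=<group>")
    parts = [f"{group_attr}={group_name}"]
    for attr, value in pairs[1:]:
        key = attr.upper()
        if key == "DC":
            break  # domain components are replaced by the trailer below
        if key not in _NATIVE_TO_IDM:
            raise ValueError(f"unsupported container type {attr!r}")
        parts.append(f"{container_prefix}{_NATIVE_TO_IDM[key]}={value}")
    parts += [f"EndPoint={endpoint}", "Namespace=ActiveDirectory",
              f"Domain={domain}", f"Server={server}"]
    return ",".join(parts)


def to_native_group_dn(idm_dn: str, dc_suffix: str,
                       container_prefix: str = "") -> str:
    """Provisioning-directory DN -> the native DN it will be resolved to."""
    pairs = split_dn(idm_dn)
    leaf_attr, group_name = pairs[0]
    if leaf_attr not in _GROUP_ATTRS:
        raise ValueError(f"expected one of {_GROUP_ATTRS}, got {leaf_attr!r}")
    parts = [f"CN={group_name}"]
    for attr, value in pairs[1:]:
        if attr in _TRAILER_ATTRS:
            break
        bare = attr[len(container_prefix):] if attr.startswith(container_prefix) else attr
        if bare not in _IDM_TO_NATIVE:
            raise ValueError(f"unsupported container attribute {attr!r}")
        parts.append(f"{_IDM_TO_NATIVE[bare]}={value}")
    parts.append(dc_suffix)
    return ",".join(parts)


def _normalized(dn: str) -> List[Tuple[str, str]]:
    return [(attr.upper(), value) for attr, value in split_dn(dn)]


def resolves_to(idm_dn: str, native_dn: str, dc_suffix: str,
                container_prefix: str = "") -> bool:
    """True if the PX value would be resolved to native_dn; False means the
    provisioning layer will look for a CN where an OU exists (or vice versa),
    which is what surfaces as JIAM 'No Such Object'."""
    native = to_native_group_dn(idm_dn, dc_suffix, container_prefix)
    return _normalized(native) == _normalized(native_dn)


if __name__ == "__main__":
    # Constructed sample: the Builtin container is a CN, so ADSContainer is right.
    builtin = "CN=Administrators,CN=Builtin,DC=im,DC=example,DC=com"
    print(to_idm_group_dn(builtin, "im1251_SSL", "im"))
    # A group under an OU written with ADSContainer will not resolve.
    wrong = "ADSGroup=Ops,ADSContainer=Groups,EndPoint=x,Namespace=ActiveDirectory,Domain=im,Server=Server"
    print(resolves_to(wrong, "CN=Ops,OU=Groups,DC=im,DC=example,DC=com", "DC=im,DC=example,DC=com"))
```

Run `resolves_to` against the DN you see in ADSI Edit or `dsquery` before committing the value in the policy; a False result means the container type (not the name) is wrong. Note that the converter keeps backslash-escaped commas in group names, which the provisioning-directory form also needs since it is comma-delimited.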



  • 2.  RE: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Mar 01, 2013 06:50 AM
    Hi Chris,

    Yes, we are using the modify user event and are able to assign groups and set manager field values.

    The scenario is: in an organization, when a new user joins, he gets a login ID with some groups while the login ID is being created.
    This means groups should be assigned at the time the user ID is created.
    We tried the same with the create user event, and the policy tries to assign groups to that ID before it is created, so we get a "No account ID found" exception.
    Same exception when setting the manager field value.

    Can we achieve this while calling the create user event?

    Regards,
    Kankdekar


  • 3.  RE: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Mar 08, 2013 12:02 PM
    Perhaps create a separate PXP with a lower priority that triggers after the create user event and the user / account sync is completed.


  • 4.  RE: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Mar 12, 2013 03:34 AM
    Hi Chris and Kankdekar,

    I had a similar issue with reading an AD account upon initial user creation and provisioning which failed:

    Error category 'Validation' with response 'Fail Event'.
    POLICYXPRESS ERROR MESSAGE: No accounts specified

    Having tried different triggering times (After CreateUserEvent, AssignProvisioningRoleEvent or for Task Submitted etc.) to no avail, I have reached out to CA Support in order to help me with this error (Chris, if you are interested you can look up case ID 21135575-1 for more details).

    The conclusion was the following:
    "We got now confirmation that if the Task context does not deal with the object or object's attributes then the Policy Xpress data element cannot retrieve the information directly."

    But there is a piece of advice which I didn't manage to test: "However it should be possible to retrieve them indirectly through the "Data Sources" data element type but this configuration requires custom code writing."
    I wouldn't like to set up Data Sources as the connection to AD (LDAP) will require storing a username and password.

    Also, the documentation hints that it is doable, but having tried that triggering time too, it did not work for me:
    https://support.ca.com/cadocs/0/CA%20Identity%20Manager%20r12%205%20SP13-ENU/Bookshelf_Files/HTML/idocs/825186.html
    "Set the user's groups and OU in Active Directory, based on department
    Run At Events — at the end of the assign provisioning role event. This ensures that an account is already created when setting the values."

    Just sharing my experience and feedback.
    Please let me know if you have any questions or feedback on the above statements.


    Cheers,

    Razvan


  • 5.  RE: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Jun 24, 2013 06:09 PM
    you could choose Event After Provisioning



  • 7.  RE: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Jun 19, 2013 09:50 PM
    Chris,

    I tried this on my 12.6 SP1 system (after a modify user task) and to no avail; all I get now is "ERROR MESSAGE: Error setting account attribute" with no trailing "; Not a valid IAM handle". Now if I make the call with this "Namespace=ActiveDirectory,Domain=im,Server=Server" with any different values (say the domain -eq my provisioning domain) I get that exact error. I remember doing this a while ago (in a different environment) so I think my syntax is correct, but didn't know if something in 12.6 changed this.

    Scott


  • 8.  RE: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Jun 24, 2013 04:54 PM
    If you're getting a

    Error setting account attribute
    "this is not a valid IAM handle"

    it's because you're not setting the correct information to the provisioning directory.

    Nothing has changed in 12.6 to negatively affect this implementation; please make sure you use the proper syntax:
    ADSGroup=x,ADSOrgUnit=x,EndPoint=x,Namespace=ActiveDirectory,Domain=im,Server=Server


  • 9.  RE: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Jun 24, 2013 05:55 PM
    Hello, this functionality has been implemented at my site. I cannot take credit, though; it was a CA employee, Dane Jones.

    I am running R12.5 SP6. This company had two Active Directory domains.

    Therefore when I retrieve the AD accounts for a user I have to iterate through them to find the correct one to add the distribution list to.
    I am running two Policy Xpress policies: one figures out the account name,
    the second one actually does the modification of adding the distribution list(s).

    PX – Endpoint

    Data:
    • System Variable Value – StopIterating
    • AD Accounts: Accounts – Get, endpoint type Active Directory
    • AD Account Iterator: System – Iterator – Next; value: AD Accounts
    • List Size of AD Accounts: General – List Filter – List Size; list: AD Accounts
    • AD String Search: General – String Searcher – Index of; search in: AD Account Iterator; sub-string searching for: (AD Endpoint:)

    Two Action Rules (AR):
    • Continue Iterating: AR Condition – Data Element AD String Searcher Equals -1
    • Stop Iterating: AR Condition – Data Element; actions: Set System Variable – StopIterating to value true; Set Variable ADAccount to AD Account Iterator

    PX – Distribution

    Data:
    • System Variable Value – ADAccount: Variable – Variable Value – Get ADAccount (this is from the previous PX)
    • String Length of the above value, to ensure it is populated.

    Action Rule for adding Distribution List – Add Group Membership:
    • Accounts – Set Account Data by Identifier – Add
    • Endpoint type: ActiveDirectory
    • Account Identifier: System Variable Value – ADAccount
    • Attribute Name: Member of (groupMembership)
    • Value: NativeGroup=AP CN - Beijing - All Employees,Container_ADSOrgUnit=CNGroups,Container_ADSOrgUnit=China,Container_ADSOrgUnit=APAC,Container_ADSOrgUnit=Regions,EndPoint=XX_AD,Namespace=ActiveDirectory,Domain=IDENTITY_MANAGER,Server=Server

    My question is: how do you do the path for eTADSmsRTCSIP-PrimaryHomeServer? This is what I have natively: CN=LC Services,CN=Microsoft,CN=ocsus1,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=net,DC=***,DC=XX,DC=com

    Thank you,
    Glenda


  • 10.  RE: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Jul 05, 2013 02:08 PM
    Hi,

    I have the same problem, but in my case I need to set the manager DN.

    Let's say the manager DN is

    CN=ABC DEF,OU=Users,OU=poi,OU=qwe,DC=DEF,DC=ABC,DC=com

    How do I need to write this from the policy to AD?


  • 11.  Re: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Jun 02, 2016 04:55 PM

    Is there a way to get the IdM DN dynamically based on the group name? For instance, can I do a search for the group name *** and get back the DN ADSGroup=***,Container_ADSOrgUnit=Regions,EndPoint=XX_AD,Namespace=ActiveDirectory,Domain=IDENTITY_MANAGER,Server=Server



  • 12.  Re: Make a user a member of Active Directory Group via Policy Xpress..

    Posted Jun 25, 2016 12:11 PM

    Praveen,

    Brilliant! It is obvious that you put a lot of work into this solution.

    Alan



  • 13.  Re: Make a user a member of Active Directory Group via Policy Xpress..

    Broadcom Employee
    Posted Jun 28, 2016 11:29 AM

    Agreed with Alan.