Symantec IGA

  • 1.  Error Return px - More than one account found

    Posted Dec 23, 2016 11:36 AM

    Dear all, good afternoon. I'm having difficulty in the Identity Manager user console, where I need to run, through a PX, an action rule to write "Locked by IDM" in the Active Directory description field. Since the users' global user has one user object and one associated contact type, when the action rule is executed, the following error occurs: "More than one account found". From what I've seen, the IDM user console has no ability to differentiate the "user" object from the "Contact" object in Active Directory, nor does it offer a possibility to browse those objects. Has anyone had any kind of situation like this?



  • 2.  Re: Error Return px - More than one account found

    Broadcom Employee
    Posted Dec 28, 2016 06:43 AM

    Hi, I am not an AD expert, but if you create a user object as well as a contact object for a person in AD, it should still have a unique identifier as far as I understand. If this is correct, then from Policy Xpress you can get all user accounts for an endpoint type (e.g. Active Directory) by account identifier. If you cannot distinguish whether an account is a contact or a user based on the identifier itself, then you can look up these AD accounts in Provisioning Server using LDAP search in the Policy Xpress data tab to determine the object type (eTADSobjectClass=user or eTADSobjectClass=contact). For example,

     

     

     

    Once you have identified the right account identifier then in the actions set Account Data by Account Identifier.

    KR
    Russi



  • 3.  Re: Error Return px - More than one account found

    Posted Jan 05, 2017 09:02 AM

    Hi losru01, Good morning.

     

    I have already done this, and I can recover the value this way. The problem is that in the action rules, under "Category Accounts / Define Account Data by Identifier / Set", I need to have an "Account Identifier" in the following format:

    Endpoint: [container path:] account name

    Then we work on the data elements of PX to get the values from the LDAP query with the user filter.

    The Endpoint part we have = OK
    The account part we get easily = OK
    The container path part is the one we most need to deal with. (Here is the problem now)

    When we paste the result of the LDAP query, we eliminate the entire part "DC = X, DC = Y, DC = Z".

    Then we delete the "CN = X".

    Then we delete all strings "OU =".

    Subtracting the example path "C1, C2, C3".

    Having done all this, we have in the data elements all the values, so that we can concatenate them to form the account identifier for the action rule.

    Since the "Container Path" should be written "C3, C2, C1" instead of "C1, C2, C3".

    Identity Manager has no function that can handle the value of the form above.
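
The transformation described in the post above (drop the DC components and the account CN, strip the "OU =" prefixes, reverse the order), written out as a stand-alone JavaScript example that is added here and is not part of the original thread or of Identity Manager. The function names, the sample DN and the endpoint name are hypothetical, the `: ` and `, ` separators follow the notation used in the thread, and it also covers escaped commas and `CN=` containers, which the thread does not mention.

```javascript
// Added example: hypothetical helper names, not Identity Manager APIs.

// Split a DN on commas that are not escaped with a backslash (RFC 4514).
function splitDn(dn) {
  const parts = [];
  let current = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      current += ch + dn[++i]; // keep the escape pair intact
    } else if (ch === ",") {
      parts.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  if (current.trim() !== "") parts.push(current.trim());
  return parts;
}

// Break one RDN into an upper-cased attribute type and its value.
function parseRdn(rdn) {
  const eq = rdn.indexOf("=");
  if (eq < 1) throw new Error("Malformed RDN: " + rdn);
  return { type: rdn.slice(0, eq).trim().toUpperCase(), value: rdn.slice(eq + 1).trim() };
}

// DN -> containers ordered from the top of the tree down ("C3, C2, C1").
function containerPath(dn, separator = ", ") {
  const rdns = splitDn(dn).map(parseRdn);
  if (rdns.length === 0 || rdns[0].type !== "CN") throw new Error("DN must start with the account CN");
  return rdns.slice(1)               // drop the account's own CN
    .filter((r) => r.type !== "DC")  // drop the domain components
    .map((r) => r.value)             // drop the "OU=" / "CN=" prefix
    .reverse()                       // leaf-first becomes root-first
    .join(separator);
}

// Assemble "Endpoint: [container path:] account name".
function accountIdentifier(endpoint, dn, accountName) {
  const path = containerPath(dn);
  return path === "" ? `${endpoint}: ${accountName}` : `${endpoint}: ${path}: ${accountName}`;
}

// Constructed sample values, including a CN with an escaped comma.
const sampleDn = "CN=Doe\\, John,OU=C1,OU=C2,OU=C3,DC=X,DC=Y,DC=Z";
console.log(accountIdentifier("ADS-Endpoint", sampleDn, "jdoe"));
```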