Unfortunately, if somehow you cannot get the account name from the IM User's attribute value, then we will fall into your very first approach (I believe this will be the optimum approach you have), i.e. to get the list of the accounts and iterate. In other words, to directly get the account locked status we need to know the account name beforehand. In my lab, I can easily get the IM User's fullname attribute for the account name, but I understand it is not straightforward in your environment.
Original Message:
Sent: 03-26-2020 10:45 AM
From: Mark Ma
Subject: Policy Xpress Question - Get User AD Account refresh info
Widjaja,
In my provision directory, I found my test user account name is in the eTAccountName field.
Do you know how I can get that from Px?
Thanks
Mark
Original Message:
Sent: 03-26-2020 09:55 AM
From: Mark Ma
Subject: Policy Xpress Question - Get User AD Account refresh info
Widjaja,
Thanks for your information. I made the same change but noticed the Account Name is not the user's full name.
I used my existing Px to find out the Account Name and found the Account Name is the user's AD account name.
In my case, my test user account name is testUser0122 and here is my screenshot from the provision manager tool.
If I hardcode testUser0122 into my new Px, I can get the locked status.
Now I have a question: how can I get that information from IDM?
Original Message:
Sent: 03-25-2020 11:37 PM
From: Widjaja Sangtoki
Subject: Policy Xpress Question - Get User AD Account refresh info
Hi Mark,
If you utilize
Category : Account, Type : Account Values
you can specify the AD endpoint name. As long as you get the Account Name (user's full name) then you should be able to get the locked status directly without iteration.
Regards,
Widjaja.
Original Message:
Sent: 03-25-2020 11:55 AM
From: Mark Ma
Subject: Policy Xpress Question - Get User AD Account refresh info
Hi,
I have one question. Right now I have one Px and it can get the user's AD account locked status.
Since each user has multiple AD accounts on the provision side, in my Px, I have to do these steps:
1. Get the AD account list from that user.
2. Use an iterator to get the list.
3. Get the AD endpoint name from the account values by the account identifier.
4. In the action, check the AD endpoint name. If the AD endpoint name matches, it will get the AD account locked status.
But with this solution, I noticed provision will try to get all of the user's AD accounts every time the Px gets triggered.
I am just wondering, in Px, is it possible to allow me to directly access one AD account instead of getting all AD accounts?
Thanks
Mark