Symantec IGA

  • 1.  member of Active Directory Group via Policy Xpress.

    Posted Mar 25, 2020 01:26 PM
    Hi Team,

    I am unable to figure out how to add the memberOf attribute via Policy Xpress.

    A lot of people have commented that it should be like this:
    ADSGroup=x,ADSOrgUnit=x,EndPoint=x,Namespace=ActiveDirectory,Domain=im,Server=Server 
    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=803668

    But I am unable to understand what this path is: is it the Provisioning Directory path or the Provisioning Manager path? How can I go to this path in my environment? Can someone guide me, please?


  • 2.  RE: member of Active Directory Group via Policy Xpress.
    Best Answer

    Broadcom Employee
    Posted Mar 26, 2020 02:37 AM
    What is your IM version?

    Since the 14.1 release of the product, the format of the JIAM Handle has changed to now require a JSON value such as:

    {"memberOf":"ADSGroup=<groupname>,ADSOrgUnit=<ou name>,EndPoint=<endpoint name>,Namespace=ActiveDirectory,Domain=im,Server=Server"}

    e.g.
    {"memberOf":"ADSGroup=VIP,ADSOrgUnit=LasVegas,EndPoint=LADomEndpoint,Namespace=ActiveDirectory,Domain=im,Server=Server"}

    Please see the following as well.
    https://docops.ca.com/ca-identity-manager-and-governance-connectors/1-0/EN/connectors/microsoft-connectors/microsoft-active-directory-microsoft-exchange-and-microsoft-lync/active-directory-time-bound-membership
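
An added example, not from the thread or from Broadcom: a Python check that validates a group handle and emits the JSON form described in the answer above, accepting either the bare handle quoted in the question or a value that is already JSON. The component names and order come from the thread's example value; the function names and the rule that values contain no comma or equals sign are assumptions.

```python
import json

# Component names and order exactly as in the thread's example value.
HANDLE_KEYS = ["ADSGroup", "ADSOrgUnit", "EndPoint", "Namespace", "Domain", "Server"]


def parse_handle(handle):
    """Split 'Key=value,...' into ordered (key, value) pairs and validate them.

    Assumption: values contain no ',' or '='. The thread does not show how
    such characters would be escaped, so they are rejected rather than guessed.
    """
    pairs = []
    for part in handle.split(","):
        key, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not key or not value or "=" in value:
            raise ValueError(f"malformed component: {part!r}")
        if value.startswith("<") and value.endswith(">"):
            raise ValueError(f"unfilled template placeholder: {part!r}")
        pairs.append((key, value))
    keys = [k for k, _ in pairs]
    if keys != HANDLE_KEYS:
        raise ValueError(f"expected components {HANDLE_KEYS}, got {keys}")
    if dict(pairs)["Namespace"] != "ActiveDirectory":
        raise ValueError("Namespace must be ActiveDirectory for an AD group")
    return pairs


def to_member_of_json(value):
    """Return the JSON form for a bare handle or an existing JSON value."""
    text = value.strip()
    if text.startswith("{"):
        doc = json.loads(text)
        if not isinstance(doc, dict) or not isinstance(doc.get("memberOf"), str):
            raise ValueError('expected a JSON object with a string "memberOf"')
    else:
        doc = {"memberOf": text}  # bare handle, as quoted in the question
    pairs = parse_handle(doc["memberOf"])
    doc["memberOf"] = ",".join(f"{k}={v}" for k, v in pairs)
    return json.dumps(doc, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample: the bare form of the example value from the thread.
    bare = ("ADSGroup=VIP,ADSOrgUnit=LasVegas,EndPoint=LADomEndpoint,"
            "Namespace=ActiveDirectory,Domain=im,Server=Server")
    print(to_member_of_json(bare))
```

Running the check before a value is pasted into a policy catches a template left with `<groupname>`-style placeholders or a missing component.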


  • 3.  RE: member of Active Directory Group via Policy Xpress.

    Posted Mar 29, 2020 01:03 PM
    Thanks Widjaja Sangtoki,

    Thanks, it worked fine.

    I have one issue: when I am trying to move an AD account from one OU to another OU, it is always returning NO Account Found. When I search for the account in Provisioning Manager, I am able to see the account.

    Can I know how Policy Xpress searches for the account?


  • 4.  RE: member of Active Directory Group via Policy Xpress.

    Broadcom Employee
    Posted Mar 29, 2020 09:08 PM
    Hi Bhanu,

    We may need to understand more how you have configured your PX Policy. Please give screen captures or such to visualize the problem.

    Normally, to get AD Accounts from an AD Endpoint in a PX Policy, we first get the account list and then use an iterator to get each account object from the list. See below. In this case, the AccountIterator data will contain each Account object. When it is used, PX will iterate based on the number of Accounts in the ADSAccountList.


    Regards,
    Widjaja.



  • 5.  RE: member of Active Directory Group via Policy Xpress.

    Posted Mar 30, 2020 02:15 AM

    Hi Widjaja Sangtoki,

    I am using the construct below to get the AD account from one of the AD endpoints, because at this time the user's AD account is in the removed OU as his role was removed, and now the user has got the role again, so first it needs to find the account in the removed OU and move it to the normal user OU.

    Can you please tell me if there is any way to move this account then this 

    So I as mentioned in the document 


  • 6.  RE: member of Active Directory Group via Policy Xpress.

    Broadcom Employee
    Posted Mar 31, 2020 12:28 AM
    Hi Bhanu,

    I suggest you simplify your PX Policy, use my simple approach (get account and list iterator) above, and troubleshoot.

    Regards,
    Widjaja.
    ====================
    Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.

    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com
    https://www.hcltech.com/enterprise-studio