Symantec IGA

Hey all, 

I've seen a few posts on here referencing some documentation on this matter but i havent yet found exactly what i need to get my policy working. i'm currently attempting to remove a specific group from an AD account via a PX using Category: Accounts > Type: Set Account Data > Function: Remove. Currently i can clear the memberOf attribute by changing function to clear which tells me im identifying the account successfully, but cant seem to identify a specific group in the same fashion. 

Can anyone tell me in what format PX is expecting the group name? I've attempted supplying the DN of the group which leads to a "Error setting account attribute" exception.

Is it possible for PX to manage endpoint groups in this way?

Thanks,

Link

Hi Link,

As mentioned in some previous post :

proper format to use in PX Policy would be:
ADSGroup=x,ADSOrgUnit=x,EndPoint=x,Namespace=ActiveDirectory,Domain=im,Server=Server

For Details check:

https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-global-user-community/message-board/-/message_boards/message/101345385?p_p_auth=7LkwUWjz&_19_redirect=https%3A%2F%2Fcommunities.ca.com%2Fweb%2Fca-identity-and-access-mgmt-distributed-global-user-community%2Fmessage-board%2F-%2Fmessage_boards%2Fsearch%3Fp_p_auth%3D7LkwUWjz%26_19_keywords%3Dcn%253D%26_19_searchCategoryId%3D2252815%26_19_breadcrumbsCategoryId%3D2252815%26_19_redirect%3Dhttps%253A%252F%252Fcommunities.ca.com%252Fweb%252Fca-identity-and-access-mgmt-distributed-global-user-community%252Fmessage-board%252F-%252Fmessage_boards%252Fcategory%252F2252815%253Fp_p_auth%253D7LkwUWjz%2526%2523p_19%26_19_%23p_19%3D%26_19_formDate%3D1400749141314%26%23p_19&#p_19

Thanks that worked perfectly!

In an effort to adhere better to the way in which GovernanceMinder adds groups, is there alternative way add groups via the assignment of a role/template combo? I've experimented a bit with this in the past day and although the group is successfully added to the endpoint account, it looks as though per template assigned idm is attempting a create on the endpoint. I say attempting because after our 'birthright' role is added, each subsequent role/template pair results in the error: 

"Exception encountered: Global 'Userid' provisioning role memberships added successfully, Associated accounts creations added successfully. Associated accounts creation or update failed: ( ... failures: 1)"

Thanks

Link