Specify a rule string for setting the list of groups in Active Directory Account Template

Document ID : KB000009512
Last Modified Date : 14/02/2018
Introduction:

The Active Directory Account Template attribute (eTADSPolicy.eTADSmemberOf), as managed via Provisioning Manager, does not allow you to specify a rule string for setting the list of groups.

Background:

The Provisioning Manager GUI and the Identity Manager task screens only allow you to pick a set of groups from a search list; no dynamic aspect is exposed through them.

Instructions:

As a workaround, deployments have used an LDAP modify of the specific eTADSPolicy.eTADSMemberOf attribute in the Identity Manager Provisioning Directory to set a rule string as the value.

When the Provisioning Server reads the attribute, it evaluates the rule string value before passing the value(s) on to the connector.

The usual implementation maintains a multi-valued attribute on the Corporate User that maps to one of the Provisioning User eTCustomFields (also multi-valued), and then uses the appropriate rule string for that custom field as the value for eTADSMemberOf.

The downside, and a word of caution: this setting is lost if the Active Directory Account Template attribute is later modified through one of the user interfaces.
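
A check for the caveat above, added here as an example (not vendor code): it parses an LDIF export of the account templates and lists those whose eTADSMemberOf no longer holds the expected rule string, as happens after an edit through one of the user interfaces. The function names, sample DNs and the `<RULE-STRING>` placeholder are assumptions, as is the premise that a rule-driven template holds the rule string as its only value.

```python
import base64

ATTR = "etadsmemberof"  # LDAP attribute names are case-insensitive

def parse_ldif(text):
    """Return {dn: [eTADSMemberOf values]} from LDIF text (saved search output)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line.strip():                # blank line ends the current entry
            dn = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
            entries[dn] = []
        elif dn is not None and name.lower() == ATTR:
            entries[dn].append(value)
    return entries

def templates_missing_rule(text, expected_rule):
    """DNs whose eTADSMemberOf is anything other than the one expected rule string."""
    return sorted(dn for dn, vals in parse_ldif(text).items() if vals != [expected_rule])

# Constructed sample: DNs, group names and the rule-string placeholder are made up.
EXPECTED_RULE = "<RULE-STRING>"
SAMPLE_LDIF = """\
dn: cn=TemplateA,ou=constructed,dc=example
eTADSmemberOf: <RULE-STRING>

dn: cn=TemplateB,ou=constructed,dc=example
eTADSMemberOf: CN=Static Group 1,OU=Groups,DC=corp,
 DC=example
eTADSMemberOf: CN=Static Group 2,OU=Groups,DC=corp,DC=example

dn: cn=TemplateC,ou=constructed,dc=example
eTADSmemberOf:: PFJVTEUtU1RSSU5HPg==
"""
```

Running `templates_missing_rule(SAMPLE_LDIF, EXPECTED_RULE)` after each change window flags templates whose rule string was replaced by a static group list, so the LDAP modify can be reapplied.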