On a modify event within the NetIQ IDM Engine, the destination DN is not available as it is on an add event. This is because it is already associated to a corresponding object in the connected system.

I ran into a situation where I needed to add the user in the current input document to a group in Active Directory. This requires finding the user’s DN in the connected system and then adding that DN in the member attribute for that group.

There is a Resolve Token that will lookup a DN based on an association or it will look up an association based on a DN.

Below is an example of this being done. We are setting a local variable to contain the DN of the user by using the Resolve Token.

We then take that local variable and use it to add the user to an existing group in Active Directory, or whatever the connected system is.

Adding A User To A Group On A Modify Event Using the Resolve Token With NetIQ IDM

Okta: Solving the Joiner, Mover, Leaver Challenge with Lifecycle Automation

What Is ABR? Why Should It Be a Top Priority for CISOs in 2021? Part One: IAM Assessment

10 Proven Steps to Guarantee Budget for Your CIAM Project