Currently the TGA REST APIs link the user(s) assigned in the TGA using the distinguishedName attribute of the user(s) via the userIdentifiers property.
The problem is that when we enumerate TGAs, the distinguishedName(s) of user(s) in userIdentifiers list might have changed since the TGA was created.
For example: Create a TGA for a user, and then move the user to a different OU, rename it, or delete it to the NetIQRecycleBin. For this TGA, the userIdentifiers property contains the distinguishedName of the user before it was moved, renamed, or deleted. This means it is not possible to identify the actual user account based on the userIdentifiers property in the TGA. This is problematic for automation.
Instead, it would be better if TGAs had a separate property that used an AD attribute (e.g., objectGUID) that never changes throughout the lifetime of the object. In this way we could identify the accounts in the TGA regardless if the account was moved, renamed, or deleted.
Support
Documentation
Learning Services
Partner Programs