Add ADSAccount or ADSGroup to categories based on template

Question

Hola, 
 Version: OIM 7.1 
 So I have successfully tested AD user account creation against account definitions, and have assigned these account definitions to categories that match specific groups, and everything functions as expected.. 
 One thing that I find to be a bit of a challenge is that it does not appear simple to automate the assignment of categories to the account when it is being created as part of the resource entitlement. 
 When looking at the defined categories against the ADSDomain, I see that what is defined lives in an embedded XML document. And after manually adding the categories to the object, it is rendered in the individual ADSAccount/ADSSGroup records as a numerical bitmask. 
 Two questions:

Is it possible to add the categories to the Account Definition so that the corresponding ADSAccount/ADSGroup being created can automatically inherit the categories? 
 If not, what would be the best approach to explore an alternative to making this happen? 
 
 I was looking at possible parsing the XML into a custom table that I could reference as an alternate mapping but I wanted to make sure that there was not a more simple way to accomplish this before attempting that approach. 
 Thanks!

Markus Weiss-Ehlers · Accepted Answer

Sorry for taking so long to provide an answer but here is my solution. 
 It assumes, that you want to set the value of the MatchPatternForMembership based on the account definition (TSBAccountDef) and not based on the automation level (TSBBehavior) like your select case implies. 
 With the following template on ADSAccount.MatchPatternForMembership , you are able to provide the value as IT Operating Data. 
 In your original code you used the script call VID_IsTrue(...) around your call of the script TSB_ITDataFromOrg which was the reason that your code didn't work without the select...case block. 
 HtH 
 '$FK(UID_Person).UID_Department$
'$FK(UID_Person).UID_Locality$
'$FK(UID_Person).UID_ProfitCenter$

#If ORG Then
'$FK(UID_Person).UID_Org$

#End If

If CBool(Connection.Variables.Get("FULLSYNC")) = False Then
	Select Case ($FK(UID_TSBBehavior).ITDataUsage:Int$)
 Case 0:'do not get data from employee
 Case -1:'fill property initially from the ITData of the employee
 If Not $[IsLoaded]:Bool$ Then
 Value = TSB_ITDataFromOrg($UID_Person$, $UID_TSBAccountDef$, Base.TableDef.Columns("MatchPatternForMembership"))
 End If
 Case 1:'update property depending on ITData of the employee
 Value = TSB_ITDataFromOrg($UID_Person$, $UID_TSBAccountDef$, Base.TableDef.Columns("MatchPatternForMembership"))
	End Select
End If

Markus Weiss-Ehlers · Answer

The numerical bitmask can be set at the ADS user account during creation using IT Operating Data . 
 The only thing you have to do, is to create a template at the column ADSAccount.MatchPatternForMembership that uses the script TSB_ITDataFromOrg as described here 
 https://support.oneidentity.com/technical-documents/identity-manager/7.1/administration-guide-for-connecting-to-active-directory/7#TOPIC-560675 
 and here 
 https://support.oneidentity.com/technical-documents/identity-manager/7.1/target-system-base-module-administration-guide/3#TOPIC-563864 
 After you have done that, you are able to select the column on the IT operating data mapping page.

Endpoint Privilege Management

Add ADSAccount or ADSGroup to categories based on template