Hi,
I am working on a project in a College of Further Education. We have an
IDM where we use a single account for Employees and Students. By this I
mean that if you are an Employee and a Student, you use the same
account. We carry Memberships on the Group Object which means that we
can enforce authority on managed Groups, whilst adding unmanaged Group
Memberships to the user (no authority enforced here). This all works
well with provisioning, but gives us a problem with deprovisioning.

If you are a student or an employee and you lose access to the network,
then there is obviously no issue. However, if you transition from being
an Employee and Student to solely a Student, you still have an enabled account. We
can easily remove the managed employee Group Memberships, but
identifying the ad hoc Groups is a problem. An imperfect solution is to
remove all managed Group Memberships, clear the ad hoc Group
Memberships, and then add back the Student Group Memberships. This is
unattractive as we have Storage Manager building collaborative storage
of the Groups and we would be removing, then adding back users. Ugly and
with big overhead.

I would ideally like to remove all managed Employee Groups, then clear
all the unassociated Groups. Sadly, I cannot think of the logic to frame
this :-( Can anyone give me a push in the right direction?

I have been basing this on the following code snippets:

> <rule>
>   <description>User: Modify scn-ustatus to not CE - Remove from all Groups (Setup)</description>
>   <conditions>
>     <and>
>       <!-- scn-ustatus is changing, and the new value no longer contains CE -->
>       <if-op-attr mode="regex" name="scn-ustatus" op="changing-from">.+</if-op-attr>
>       <if-op-attr mode="regex" name="scn-ustatus" op="not-changing-to">.*CE.*</if-op-attr>
>     </and>
>   </conditions>
>   <actions>
>     <!-- snapshot the user's current Group Membership values from the destination -->
>     <do-set-local-variable name="dest-memberships">
>       <arg-node-set>
>         <token-dest-attr name="Group Membership"/>
>       </arg-node-set>
>     </do-set-local-variable>
>   </actions>
> </rule>
> <rule>
>   <description>User: Modify scn-ustatus to not CE - Remove from all Groups</description>
>   <conditions>
>     <and>
>       <if-local-variable name="dest-memberships" op="available"/>
>     </and>
>   </conditions>
>   <actions>
>     <!-- strip every membership (and its Security Equals) captured above -->
>     <do-for-each>
>       <arg-node-set>
>         <token-local-variable name="dest-memberships"/>
>       </arg-node-set>
>       <arg-actions>
>         <do-remove-dest-attr-value name="Group Membership">
>           <arg-value type="string">
>             <token-local-variable name="current-node"/>
>           </arg-value>
>         </do-remove-dest-attr-value>
>         <do-remove-dest-attr-value name="Security Equals">
>           <arg-value type="string">
>             <token-local-variable name="current-node"/>
>           </arg-value>
>         </do-remove-dest-attr-value>
>       </arg-actions>
>     </do-for-each>
>   </actions>
> </rule>
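One way to frame the logic as a set difference, added here as an example and not part of the original post or the poster's policy: instead of removing everything and adding the Student groups back, walk the user's current Group Membership values and remove only those that are not in the set of managed Student groups. Managed Employee groups and ad hoc groups fall out in the same pass, while the Student groups are never touched, so Storage Manager sees no remove-then-add churn. The example assumes a node-set local variable named `student-groups` (hypothetical name) holding the DNs, in destination DN format, of the managed Student groups the user is still entitled to, set by the existing Student provisioning rules earlier in the same policy.

```xml
<!-- Added example, not the poster's code. Assumes the local variable
     "student-groups" (hypothetical name) was populated earlier in this
     policy with the DNs of the managed Student groups this user keeps,
     in the same DN format that token-dest-attr returns. -->
<rule>
  <description>User: Modify scn-ustatus to not CE - Remove Groups not in the Student set</description>
  <conditions>
    <and>
      <!-- same trigger as the original rules: status changing, new value not CE -->
      <if-op-attr mode="regex" name="scn-ustatus" op="changing-from">.+</if-op-attr>
      <if-op-attr mode="regex" name="scn-ustatus" op="not-changing-to">.*CE.*</if-op-attr>
      <!-- guard: only run once the keep set has actually been computed -->
      <if-local-variable name="student-groups" op="available"/>
    </and>
  </conditions>
  <actions>
    <!-- iterate over the memberships the user currently has in the destination -->
    <do-for-each>
      <arg-node-set>
        <token-dest-attr name="Group Membership"/>
      </arg-node-set>
      <arg-actions>
        <!-- keep the group only if its DN appears in student-groups;
             anything else (managed Employee or ad hoc) is removed -->
        <do-if>
          <arg-conditions>
            <and>
              <if-xpath op="not-true">$student-groups[. = $current-node]</if-xpath>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-remove-dest-attr-value name="Group Membership">
              <arg-value type="string">
                <token-local-variable name="current-node"/>
              </arg-value>
            </do-remove-dest-attr-value>
            <do-remove-dest-attr-value name="Security Equals">
              <arg-value type="string">
                <token-local-variable name="current-node"/>
              </arg-value>
            </do-remove-dest-attr-value>
          </arg-actions>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
```

The XPath test compares string values, so the DNs in `student-groups` must be in the same format as the values `token-dest-attr` returns, otherwise every group looks unmatched and gets removed. It is worth checking in a trace with a user who holds Employee, Student and ad hoc memberships that only the Student groups survive, and that no remove followed by add for the same group appears in the resulting modify.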