We have a need to add users in a region to multiple groups by setting a
value on a MV attribute and remove them if the value is deleted. We
would also like to be able to give some users rights to Admin groups in
multiple regions.
I need the policy/rule to meet the following requirements:

- If in Region X and attribute MyAttr="X Admin" then add to groups
Admin_DE, Admin_CH and Admin_AT.
- If "X Admin" deleted from MyAttr then remove users from the 3
- If MyAttr has two values "X Admin" and "Y Admin" then add user to
all Admin groups for the 2 regions.

I have created a mapping table which in the first column lists the
values entered into MyAttr and the second column the
groupmembership/securityequals value for each group they need to be
added to.

I have a rule which uses regex to check that MyAttr is changing to "X
Admin" or "Y Admin" or "Z Admin" and if any are true the rule is

I have a for-each statement which traverses the node-set and adds the
user to groups which match. It will set the appropriate groupmembership
and securityequals but only for the groups matching the first value of

If I enter two values in MyAttr, the node-set will find both values
e.g. "X Admin" and "Y Admin", but the rule will only process "X Admin"
so will not add the user to any of the groups for "Y Admin".

My first question is:
How do I make the rule process all values in MyAttr?

The other question is:
How do I delete the user from the appropriate groups if I delete one or
more of the MyAttr values?


ratclma's Profile: http://forums.novell.com/member.php?userid=9588
View this thread: http://forums.novell.com/showthread.php?t=412150
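
The behaviour asked for in the post above, modelled in Python as an added example (not from the original post, and not DirXML policy code): groups are computed from every MyAttr value and reconciled against the user's current membership, so deleting a value removes only the admin groups that no remaining value still grants. The "Y Admin" row, its placeholder group name, and the overlap on Admin_CH are constructed assumptions; only the "X Admin" row comes from the post.

```python
# Mapping table: MyAttr value -> groups it grants.
# "X Admin" row is from the post; "Y Admin" row is constructed for illustration,
# and deliberately shares Admin_CH to show the overlap case.
ROLE_GROUPS = {
    "X Admin": {"Admin_DE", "Admin_CH", "Admin_AT"},
    "Y Admin": {"Admin_CH", "Admin_Y_PLACEHOLDER"},
}

# Only groups named in the table are ever added or removed by this logic.
MANAGED_GROUPS = set().union(*ROLE_GROUPS.values())


def entitled_groups(attr_values):
    """Union of mapped groups over ALL values of the multi-valued attribute."""
    groups = set()
    for value in attr_values:  # every value, not just the first one
        groups |= ROLE_GROUPS.get(value, set())  # unmapped values grant nothing
    return groups


def reconcile(attr_values, member_of):
    """Return (groups_to_add, groups_to_remove) for the user's current state.

    attr_values: MyAttr values after the change has been applied.
    member_of:   groups the user currently belongs to.
    """
    want = entitled_groups(attr_values)
    have = set(member_of)
    to_add = want - have
    # Remove only managed groups that no remaining value grants; a group
    # shared with another value still present stays, as do unmanaged groups.
    to_remove = (have & MANAGED_GROUPS) - want
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    # Constructed sample: both values set, then "X Admin" deleted.
    print(reconcile(["X Admin", "Y Admin"], ["Staff"]))
    print(reconcile(["Y Admin"],
                    ["Staff", "Admin_DE", "Admin_CH", "Admin_AT",
                     "Admin_Y_PLACEHOLDER"]))
```

Reconciling against the full post-change value set, rather than acting on each added or removed value in isolation, is what keeps a shared group in place while another value still grants it.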