I have created an IDM 4.0.1 Identity Vault and configured a flat AD Driver.

Users are created in the Identity Vault.

I want all user creations/deletions/modifies and password changes to be
synced from the Identity Vault to AD (which happens by default) and *only
want* AD password changes to be synced from AD to the Identity Vault.

I have created the following rule on the Publisher Event Transformation
and added it to the bottom of the NOVLADENTEX-pub-etp-EntitlementsImpl
policy, and everything seems to work fine:

<rule>
  <description>AD Block</description>
  <comment xml:space="preserve">This rule blocks all add, delete and
modifies.</comment>
  <conditions>
    <or>
      <if-operation mode="case" op="equal">delete</if-operation>
      <if-operation mode="case" op="equal">add</if-operation>
      <if-operation mode="case" op="equal">modify</if-operation>
    </or>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>
My question is: is this a good way to achieve what I want to do, or could I
do it better? The following is part of the trace for a modify in AD:

14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Applying schema
mapping policies to input.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Applying policy:
NOVLADDCFG-smp.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Mapping class-name
'user' to 'User'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Mapping attr-name
'description' to 'Description'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Resolving
association references.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Applying event
transformation policies.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Applying policy:
NOVLADENTEX-pub-etp-EntitlementsImpl.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Applying to modify
#1.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Evaluating
selection criteria for rule 'Disallow user account delete when using
entitlements'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: (if-operation
equal "delete") = FALSE.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Rule rejected.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Evaluating
selection criteria for rule 'Strip Login Disabled from operation
(Disable Option)'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:
(if-global-variable 'drv.entitlement.UserAccount' equal "true") =
FALSE.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Rule rejected.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Evaluating
selection criteria for rule 'AD Block'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: (if-operation
equal "delete") = FALSE.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: (if-operation
equal "add") = FALSE.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: (if-operation
equal "modify") = TRUE.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Rule selected.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Applying rule 'AD
Block'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Action:
do-veto().
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Policy returned:
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:
<nds dtdversion="2.2">
<source>
<product version="4.0.1.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Applying policy:
NOVLADDCFG-pub-etp-HandleMovesAndRenames.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Policy returned:
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:
--
johngallagher
------------------------------------------------------------------------
johngallagher's Profile: http://forums.novell.com/member.php?userid=22034
View this thread: http://forums.novell.com/showthread.php?t=443896
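The trace in the post is the evidence that the veto fires for a modify, and the way to confirm the rule does not also swallow the events that should still flow (AD password changes) is to read the same trace for those events. The following is an added example, not code from the post or from Novell/NetIQ: a small Python parser for driver trace output of the kind quoted above. It re-joins lines that were wrapped when the trace was pasted, then reports, for every operation a policy was applied to, which rule (if any) vetoed it. The sample trace is constructed: the modify event is adapted from the post, and the trailing modify-password event is an assumed continuation, included to show a password event passing the 'AD Block' rule untouched.

```python
"""Summarise which operations a DirXML policy vetoed, from driver trace text.

Added example (not part of the forum post). The sample trace below is
constructed: the 'modify' event is adapted from the post, the
'modify-password' event is assumed for illustration.
"""
import re

# A trace line starts with a timestamp, a thread id, "Drvrs:", the driver
# name and "PT:"; everything after "PT:" is the policy-engine message.
TRACE_PREFIX = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<thread>[0-9A-Fa-f]+) Drvrs: "
    r"(?P<driver>.+?) PT:\s*(?P<msg>.*)$"
)
APPLY_POLICY = re.compile(r"^Applying policy: (?P<policy>\S+)\.$")
APPLY_OP = re.compile(r"^Applying to (?P<op>[\w-]+) #(?P<n>\d+)\.$")
EVAL_RULE = re.compile(r"^Evaluating selection criteria for rule '(?P<rule>.+)'\.$")
ACTION = re.compile(r"^Action: (?P<action>[\w-]+)\(")


def unwrap(lines):
    """Re-join trace lines wrapped when pasted: a continuation line is any
    non-empty line that does not begin with the timestamp/thread prefix."""
    joined = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if TRACE_PREFIX.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line.lstrip()
    return joined


def summarize(lines):
    """Return one record per 'Applying to <op> #<n>' seen in the trace:
    {"policy", "op", "index", "vetoed_by"}, where vetoed_by is the name of
    the rule whose do-veto() action hit the operation, or None."""
    policy = rule = None
    records = []
    for line in unwrap(lines):
        m = TRACE_PREFIX.match(line)
        if not m:
            continue
        msg = m.group("msg")
        pm = APPLY_POLICY.match(msg)
        om = APPLY_OP.match(msg)
        rm = EVAL_RULE.match(msg)
        am = ACTION.match(msg)
        if pm:
            policy = pm.group("policy")  # a new policy starts; forget the last rule
            rule = None
        elif om:
            records.append({"policy": policy, "op": om.group("op"),
                            "index": int(om.group("n")), "vetoed_by": None})
        elif rm:
            rule = rm.group("rule")  # rule currently being evaluated/applied
        elif am and am.group("action") == "do-veto" and records:
            records[-1]["vetoed_by"] = rule  # veto applies to the current operation
    return records


# Constructed sample: wrapped exactly the way the post's trace was pasted.
SAMPLE_TRACE = """\
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Applying policy:
NOVLADENTEX-pub-etp-EntitlementsImpl.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Applying to modify
#1.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Evaluating
selection criteria for rule 'Disallow user account delete when using
entitlements'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Rule rejected.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Evaluating
selection criteria for rule 'AD Block'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: (if-operation
equal "modify") = TRUE.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Rule selected.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Applying rule 'AD
Block'.
14:32:52 4E68C940 Drvrs: Active Directory Driver PT: Action:
do-veto().
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:Policy returned:
14:32:52 4E68C940 Drvrs: Active Directory Driver PT:
<nds dtdversion="2.2">
<input/>
</nds>
14:32:53 4E68C940 Drvrs: Active Directory Driver PT:Applying policy:
NOVLADENTEX-pub-etp-EntitlementsImpl.
14:32:53 4E68C940 Drvrs: Active Directory Driver PT: Applying to modify-password
#1.
14:32:53 4E68C940 Drvrs: Active Directory Driver PT: Evaluating
selection criteria for rule 'AD Block'.
14:32:53 4E68C940 Drvrs: Active Directory Driver PT: (if-operation
equal "modify") = FALSE.
14:32:53 4E68C940 Drvrs: Active Directory Driver PT: Rule rejected.
"""

if __name__ == "__main__":
    for rec in summarize(SAMPLE_TRACE.splitlines()):
        verdict = f"vetoed by '{rec['vetoed_by']}'" if rec["vetoed_by"] else "passed"
        print(f"{rec['policy']}: {rec['op']} #{rec['index']} {verdict}")
```

Run it against a real `ndstrace`/DSTRACE capture at trace level 3 or higher (where the policy-engine "PT:" lines appear) after exercising each event type from the AD side; any row other than add, delete and modify showing `vetoed by 'AD Block'` means the rule is blocking more than intended, and a password row showing `passed` is the confirmation that the password flow survives the veto.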