Hello!

The workforce tree and production trees are synced with IDM 2.0.2. Normally
users are created in both directions, but for some user accounts, i.e.
admin-users, there is an option to stop sync or delete the user from WFT.

The following rule is placed in the event transform policy in order to
delete the user from WFT (the user object is kept in the production tree):

<rule>
  <description>User: attr L=single, if true delete from WFT</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-association op="associated"/>
      <if-op-attr mode="nocase" name="L" op="equal">single</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-remove-association>
      <arg-association>
        <token-association/>
      </arg-association>
    </do-remove-association>
    <do-delete-dest-object/>
    <do-veto/>
  </actions>
</rule>

2 out of 3 functions of the above rule work fine:
+ the user is deleted from the WFT tree - OK
+ the operation stops (veto) - OK

But the "remove association" part does not work as I would expect. In
the user object of the production tree there is still a
DirXML-association attribute with "old" values.

Is there something wrong with the rule, or should this
remove-association be done in a totally different way?

Regards, Harri