I guess I am no longer an IDM noobie since I appear to be reaching the
limits of what can be done with policy builder alone.

I have a need to sync a subtree with a lot of groups, the group
memberships, and the ACLs for those groups. One tree is named "AUTH" and
the other is named "AUTHTREE". The user accounts (group members) are
identical between the two trees, other than the tree names.

I quickly discovered that I need to replace the tree name when syncing
the member attribute values. I got that done and it wasn't too hard
since the member attribute is a simple string value. The ACL attribute,
being a structured type, seems to be beyond the capabilities of policy
builder alone to transform.

Here is what I have so far (see policy below), but the local variable
"current-value" causes the three components of the ACL value to be
combined together into one string, which won't work. The three
components must remain as separated components.

I realize that I need to perform a replace-first only on the trustee
component of the ACL value and leave the other components intact. It
doesn't seem like policy builder can do this (without XPATH/XSLT?).
Problem is, I don't know very much about XPATH or XSLT.

It looks to me as if I'm going to have to build the structured attribute
and set all three components, but I don't know how to get the values of
each component without using the current-value local variable.

I think I just need a little example -- an educational nudge. Then I
hope I can finish on my own.

The policy and a sample event document are shown below, with minor
formatting changes to hopefully lessen the amount of wrapping.


<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Transform Member Attribute</description>
    <conditions>
      <and>
        <if-op-attr name="Member" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-reformat-op-attr name="Member">
        <arg-value type="dn">
          <token-replace-first regex="^\\AUTH\\" replace-with="\\AUTHTREE\\">
            <token-local-variable name="current-value"/>
          </token-replace-first>
        </arg-value>
      </do-reformat-op-attr>
    </actions>
  </rule>
  <rule>
    <description>Transform ACL Attribute</description>
    <conditions>
      <and>
        <if-op-attr name="ACL" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-reformat-op-attr name="ACL">
        <arg-value type="structured">
          <arg-component name="trustee">
            <token-replace-first regex="\\AUTH\\" replace-with="\\AUTHTREE\\">
              <token-local-variable name="current-value"/>
            </token-replace-first>
          </arg-component>
        </arg-value>
      </do-reformat-op-attr>
    </actions>
  </rule>
</policy>


Sample event:

<nds dtdversion="3.0" ndsversion="8.x">
  <source>
    <product version="3.0.0.20051118 ">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <add class-name="User"
         event-id="ds2#20060505140313#9#3"
         qualified-src-dn="O=org\OU=people\cn=sample"
         src-dn="\AUTHTREE\org\people\sample"
         src-entry-id="205268"
         timestamp="1146837806#26">
      <add-attr attr-name="ACL">
        <value timestamp="1146837806#19" type="structured">
          <component name="protectedName">[All Attributes Rights]</component>
          <component name="trustee">\AUTHTREE\unt\people\jth0104</component>
          <component name="privileges">2</component>
        </value>
      </add-attr>
      <add-attr attr-name="ACL">
        <value timestamp="1146837806#21" type="structured">
          <component name="protectedName">Message Server</component>
          <component name="trustee">\[Public]</component>
          <component name="privileges">2</component>
        </value>
      </add-attr>
      <add-attr attr-name="ACL">
        <value timestamp="1146837806#24" type="structured">
          <component name="protectedName">Network Address</component>
          <component name="trustee">\AUTHTREE</component>
          <component name="privileges">2</component>
        </value>
      </add-attr>
    </add>
  </input>
</nds>



Thanks in advance,
Yancey
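Added illustration, not part of Yancey's post and not DirXML policy code: a small Python model of what the ACL rule above needs to do, run over a constructed event modelled on the sample event but with trustees in the AUTH tree (the direction the poster's regex rewrites). It goes a little beyond the post's regex in two ways: the match is anchored at the start of the DN and only succeeds when the tree name is followed by a backslash or the end of the string, so a trustee that is the tree root itself (like the "Network Address" ACL's `\AUTHTREE`, which has no trailing backslash) is still rewritten and a tree whose name merely starts with AUTH is not. The function names `rewrite_trustee`, `acl_values`, `rewrite_acl_trustees` and `verify_only_trustees_changed` are mine. The last one is the check a reviewer of such a sync would want: that protectedName and privileges survive unchanged, since an ACL value that loses or merges a component either fails to apply or applies rights to the wrong object.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event (not the one from the post), modelled on it but with
# trustees in the AUTH tree. Raw string so the single backslashes survive.
SAMPLE_EVENT = r"""<nds dtdversion="3.0" ndsversion="8.x">
<input>
<add class-name="User" src-dn="\AUTH\org\people\sample">
<add-attr attr-name="ACL">
<value type="structured">
<component name="protectedName">[All Attributes Rights]</component>
<component name="trustee">
\AUTH\unt\people\jth0104
</component>
<component name="privileges">2</component>
</value>
<value type="structured">
<component name="protectedName">Message Server</component>
<component name="trustee">\[Public]</component>
<component name="privileges">2</component>
</value>
<value type="structured">
<component name="protectedName">Network Address</component>
<component name="trustee">\AUTH</component>
<component name="privileges">2</component>
</value>
</add-attr>
</add>
</input>
</nds>
"""

SRC_TREE = "AUTH"
DST_TREE = "AUTHTREE"

# Anchored at the start of the DN; the tree name must be followed by a
# backslash or the end of the string. Tighter than an unanchored "\\AUTH\\",
# and it still matches a trustee that is the tree root ("\AUTH") itself.
TREE_PREFIX = re.compile(r"^\\" + re.escape(SRC_TREE) + r"(?=\\|$)")


def rewrite_trustee(trustee: str) -> str:
    """Return the trustee DN with the source tree name swapped for the target."""
    # A callable replacement keeps re.sub from interpreting backslashes.
    return TREE_PREFIX.sub(lambda _m: "\\" + DST_TREE, trustee.strip())


def acl_values(event_xml: str) -> list:
    """List each ACL value as a (protectedName, trustee, privileges) tuple."""
    root = ET.fromstring(event_xml)
    rows = []
    for add_attr in root.iter("add-attr"):
        if add_attr.get("attr-name") != "ACL":
            continue
        for value in add_attr.findall("value"):
            parts = {c.get("name"): (c.text or "").strip()
                     for c in value.findall("component")}
            rows.append((parts.get("protectedName"), parts.get("trustee"),
                         parts.get("privileges")))
    return rows


def rewrite_acl_trustees(event_xml: str) -> str:
    """Rewrite only the trustee component of every ACL value in the event."""
    root = ET.fromstring(event_xml)
    for add_attr in root.iter("add-attr"):
        if add_attr.get("attr-name") != "ACL":
            continue
        for comp in add_attr.iter("component"):
            if comp.get("name") == "trustee":
                comp.text = rewrite_trustee(comp.text or "")
    return ET.tostring(root, encoding="unicode")


def verify_only_trustees_changed(before_xml: str, after_xml: str) -> bool:
    """True when the rewrite kept every ACL value, in order, with the same
    protectedName and privileges and a correctly rewritten trustee."""
    before = acl_values(before_xml)
    after = acl_values(after_xml)
    if len(before) != len(after):
        return False
    return all(b[0] == a[0] and b[2] == a[2] and a[1] == rewrite_trustee(b[1])
               for b, a in zip(before, after))


if __name__ == "__main__":
    rewritten = rewrite_acl_trustees(SAMPLE_EVENT)
    for row in acl_values(rewritten):
        print(row)
    print("only trustees changed:",
          verify_only_trustees_changed(SAMPLE_EVENT, rewritten))
```

Running it prints the three rewritten ACL tuples: the user trustee becomes `\AUTHTREE\unt\people\jth0104`, `\[Public]` is left alone, and the bare `\AUTH` root becomes `\AUTHTREE`, while every protectedName and privileges value is unchanged.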