I am using IDM3 with the RACF driver and need to check for
the existence of a RACF group from the subscriber channel but
am not able to find a group when it exists.

The code I have written is:

<rule>
  <description>Look for a matching RACF Group object</description>
  <conditions/>
  <actions>
    <do-set-local-variable name="RACF-Group">
      <arg-string>
        <token-text xml:space="preserve">$</token-text>
        <token-local-variable name="RACF-Location"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="RACF-Group-found">
      <arg-string>
        <token-xpath
          expression="count(query:search($destQueryProcessor ,'subtree','','GROUPS/','GROUP','CN',$RACF-Group,''))"/>
      </arg-string>
    </do-set-local-variable>
    <do-trace-message color="brpurple" level="1">
      <arg-string>
        <token-text xml:space="preserve">RACF group object search for '</token-text>
        <token-local-variable name="RACF-Group"/>
        <token-text xml:space="preserve">', has found '</token-text>
        <token-local-variable name="RACF-Group-found"/>
        <token-text xml:space="preserve">'.</token-text>
      </arg-string>
    </do-trace-message>
  </actions>
</rule>

The variable RACF-Location is being set to the source user's 'L' attribute
in the previous rule, same policy, and the DStrace shows the query being
issued with a valid RACF group name, e.g. $TEST.

There is no error message.
I always receive the DSTRACE message that the
group wasn't found, i.e. the count was '0'.

Can someone tell me what is wrong with my XPATH expression?
Note that I do something similar with a source query and it works.
I have tried the above without 'subtree', without a '/' on GROUPS and with
a '\' on GROUPS.

The DStrace shows:

<input>
  <query class-name="GROUP" dest-dn="GROUPS/" scope="subtree">
    <search-class class-name="GROUP"/>
    <search-attr attr-name="CN">
      <value>$TEST</value>
    </search-attr>
    <read-attr/>
  </query>
</input>


Cheers,
Mike.