Dear All,

I am using IDM3 and the RACF driver but I'm having trouble when
checking for the existence of a RACF group from the subscriber channel.

The code I have written is:

<rule>
<description>Look for a matching RACF Group object</description>
<conditions/>
<actions>
<do-set-local-variable name="RACF-Group">
<arg-string>
<token-text xml:space="preserve">$</token-text>
<token-local-variable name="RACF-Location"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="RACF-Group-found">
<arg-string>
<token-xpath
expression="count(query:search($destQueryProcessor ,'subtree','','GROUPS/','GROUP','CN',$RACF-Group,''))"/>
</arg-string>
</do-set-local-variable>
<do-trace-message color="brpurple" level="1">
<arg-string>
<token-text xml:space="preserve">RACF group object search for
'</token-text>
<token-local-variable name="RACF-Group"/>
<token-text xml:space="preserve">', has found '</token-text>
<token-local-variable name="RACF-Group-found"/>
<token-text xml:space="preserve">'.</token-text>
</arg-string>
</do-trace-message>
</actions>
</rule>

The variable RACF-Location is being set in an earlier rule in the same
policy.
I have tried the query without 'subtree'; with 'GROUPS\'; and also just
'GROUPS'.

The DStrace shows:

<nds dtdversion="3.0" ndsversion="8.x">
<source>
<product version="3.0.0.20051118 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="Group" dest-dn="GROUPS/" event-id="0" scope="subtree">
<search-class class-name="Group"/>
<search-attr attr-name="DirXML-RACF-group">
<value>$TEST</value>
</search-attr>
<read-attr/>
</query>
</input>
</nds>

ST: RACF group object search for '$TEST', has found '0'.

NB RACF does have a group called '$TEST'.

Your corrections to my XPATH statement would be much appreciated.

Cheers,
Mike.