Help with removing associations please

Hello, I am from a tertiary institution and we have used IDM to migrate
students from the enrollment database to an IDM Vault tree and then into
the connected system of the production eDir tree.
That all worked well. On the eDirectory driver residing on the Prod eDir
(let's call this the Prod eDir Driver) I put a Command Transformation Policy on
the Publisher channel from the Vault to Prod eDir so that when a delete
operation occurs it changes it to disable.
In hindsight this should also have a remove association action in it,
because during semester break some students' enrollment status has changed,
the database has deleted the user in the vault (as it should), and once the
enrollment status has been reinstated it cannot modify the existing user
in the Prod eDir because there is already an object with an association.

Message: Code(-9063) Object matching policy found an object that is
already associated.<application>DirXML</application>

We can manually get around this by deleting the association and changing
the login disabled to false on the individual object in the Prod eDir
tree. But this is far from ideal.

1. How can I remove the association that already exists in the dest object
so that it can sync both objects and change the Login disabled value in
the dest object?

2. I do not quite understand the documentation regarding the remove
association and do not understand the syntax. Does anybody have a remove
association example so that I can amend my existing Command
Transformation policy?

I have tried to correct the first issue as described below, but have
encountered a problem, as explained.

Because of the problem with the association relating to the Prod eDir
driver, I have done some testing to try and use the eDir Driver on the
Vault eDir tree to correct the problem. I have added an Event Transformation
policy to the publisher channel (from Prod eDir to the Vault eDir).

The first rule vetoes if the dest-object (object created by the database) is
disabled (this condition should actually never be encountered).

The second: if class User and src attribute Login Disabled is true and dest
attribute Login Disabled is false, then change both attributes to false.
This works for the individual, but the big problem with this that I can
see is that if I try and sync the whole src I am going to be creating a
whole lot of users in the vault that should only be created from the

I have tried putting in a creation policy to veto the add operation, but once
I put this in, it vetoes the rule I described above.

Ideally I want to be able to remove the association on the publisher
channel that resides on the Prod eDir or remove the association of the
aforementioned driver on the subscriber channel of the driver that
resides on the Vault tree.

Any help much appreciated, thanks.