Hello,

We are currently running 2.0.1 (I know, I know...) and attempting to
add/remove users from a group in the Vault based upon a value in a SQL
table and thus using the JDBC driver. The value in the SQL table
dictates the type of update (add/remove) to a manager group.

I have been working with the Group Membership and Security Equals
attributes in order to remove a user from a group. In this case, if the
value in the SQL table is a user and a "director" or "None", then delete
them from the group.

As you can see in the log below within the publishing channel, the rule
is successfully selected and then more output from there. The trace
level is at 5 currently. If you'll notice, there are no errors and the
user is NOT removed from the group, which is my true issue. I cannot
figure out why the Group Membership and Security Equals are NOT deleted
in the Vault! After this policy has completed, the driver log just
keeps on rolling to the next policy like it never cared.

If someone could search their memory banks, look at the rule and the
logs below, it would be appreciated. Let me know if there are glaring
issues.

<rule>
  <description>Remove From Manager</description>
  <conditions>
    <and>
      <if-class-name op="equal">User</if-class-name>
      <if-op-attr mode="regex" name="employeeStatus" op="equal">.*Director.*</if-op-attr>
    </and>
    <and>
      <if-class-name op="equal">User</if-class-name>
      <if-op-attr mode="regex" name="employeeStatus" op="equal">.*None.*</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-remove-dest-attr-value name="Group Membership">
      <arg-value type="string">
        <token-text xml:space="preserve">OSUMC\users\ManagersList</token-text>
      </arg-value>
    </do-remove-dest-attr-value>
    <do-remove-dest-attr-value name="Security Equals">
      <arg-value type="string">
        <token-text xml:space="preserve">OSUMC\users\ManagersList</token-text>
      </arg-value>
    </do-remove-dest-attr-value>
  </actions>
</rule>


LOG:
Evaluating selection criteria for rule 'Remove From Manager'.
(if-class-name equal "User") = TRUE.
(if-op-attr 'employeeStatus' match ".*Director.*") = FALSE.
(if-class-name equal "User") = TRUE.
(if-op-attr 'employeeStatus' match ".*None.*") = TRUE.
Rule selected.
Applying rule 'Remove From Manager'.
Action: do-remove-dest-attr-value("Group Membership","Blah\Blah\ManagersList").
arg-string("Blah\Blah\ManagersList")
token-text("Blah\Blah\ManagersList")
Arg Value: "Blah\Blah\ManagersList".
Action: do-remove-dest-attr-value("Security Equals","Blah\Blah\ManagersList").
arg-string("Blah\Blah\ManagersList")
token-text("Blah\Blah\ManagersList")
Arg Value: "Blah\Blah\ManagersList".

Policy returned:
JDBC_GAL_P2 PT:
<nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
  <source>
    <product build="20050321_0131" instance="MSSQL_SQL-P2-GAL"
             version="1.6.4">DirXML Driver for JDBC</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify class-name="User" dest-dn="blah\blah\ID"
            dest-entry-id="37504" event-id="99339"
            src-dn="EMPNO=695,table=EMP,schema=DIRXML">
      <association>EMPNO=123456789,table=EMP,schema=DIRXML</association>
      <modify-attr attr-name="employeeStatus">
        <remove-all-values/>
      </modify-attr>
    </modify>
    <modify class-name="User" dest-dn="blah\blah\ID"
            dest-entry-id="37504" event-id="99339"
            src-dn="EMPNO=123456789,table=EMP,schema=DIRXML">
      <association>EMPNO=123456789,table=EMP,schema=DIRXML</association>
      <modify-attr attr-name="employeeStatus">
        <add-value>
          <value type="string">NONE</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="Group Membership">
        <remove-value>
          <value type="string">blah\blah\ManagersList</value>
        </remove-value>
      </modify-attr>
      <modify-attr attr-name="Security Equals">
        <remove-value>
          <value type="string">blah\blah\ManagersList</value>
        </remove-value>
      </modify-attr>
    </modify>
  </input>
</nds>