IDM 3.51 SLES 10, eDir 8.8 SP1

I need to scope something to a list of containers.

This is easy in Policy, a series of if Source DN not in subtree tests
for each container that is allowed, AND'ed together.


since the client may need to update these later, it is much nicer if the
list of containers allowed can be stored in a GCV and then I have a
single test of if Source DN not in subtree ~GCVName~

I tried a list type GCV, not knowing which seperator to use, I specified
none, and the GCV was replaced with

03/13/08 14:15:10.670]:IDV-Auth ST: (if-class-name equal "Group") =
[03/13/08 14:15:10.671]:IDV-Auth ST: (if-src-dn not-in-subtree
"acme\sapacme\SMBGroupsacme\SAPPortalGroups\devacm e\HFMGroups") = TRUE.
[03/13/08 14:15:10.672]:IDV-Auth ST: Rule selected.
[03/13/08 14:15:10.672]:IDV-Auth ST: Applying rule '[iff] Scope
Groups to a list of groups'.
[03/13/08 14:15:10.672]:IDV-Auth ST: Action: do-veto().

I tried a multiline string GCV, and it basically passed the carriage

[03/13/08 14:20:05.198]:IDV-Auth ST: (if-src-dn not-in-subtree
") = TRUE.
[03/13/08 14:20:05.199]:IDV-Auth ST: Rule selected.
[03/13/08 14:20:05.199]:IDV-Auth ST: Applying rule '[acme] Scope
Groups to a list of groups'.
[03/13/08 14:20:05.200]:IDV-Auth ST: Action: do-veto().

What other approaches could I take? I suspect I could store an XML
snippet as a string, use XML Parse into a local variable as a nodeset,
then iterate through in a for-each, veto if no match found...

But that seems a lot harder than just testing against a GCV if it is