I have an IDM 3.5.1 AD driver in which I want to block deletes from AD
and remove the user association in the IDvault.

I can get this working by adding a publisher Event Transformation rule
that deletes the association and vetoes. However, there is a pub
command trans rule (remove managed attributes when object
disassociated) which tidies up the dirxml-adcontext and alias
attributes when the operation is 'remove association' - but this does
not work as the association has already been removed.

How can I fix this?