Hi there,

does anyone know if it is possible to trick idm 3.5.1 or 3.6 into optimizing modifies when setting src attr values on the subscriber channel? I only find this working on the publisher so that I need to use a loopback shim and actually loop events over to the publisher if I do not want all values getting removed from an attribute on object resync, only to have the same values being added back a split second later.
I have a few policies that rebuild certain policies from scratch on sync events, so that I can sync user objects and fix missing/unnecessary values, as well as it provides a bit of self-healing agains manual admin edits, e.g.

<rule>
<description>Clear and assign NSM policy</description>
<comment xml:space="preserve">Remove all existing policy assignments and reassign them all from granted entitlements</comment>
<conditions>
<or>
<if-entitlement name="NSM Policy" op="changing"/>
<if-operation mode="case" op="equal">sync</if-operation>
</or>
</conditions>
<actions>
<do-clear-src-attr-value name="cccFSFactoryContainerPolicy"/>
<do-for-each>
<arg-node-set>
<token-query class-name="cccFSFactoryPolicy" datastore="src">
<arg-match-attr name="cccFSFactoryAppliedContainers">
<arg-value type="dn">
<token-src-dn/>
</arg-value>
</arg-match-attr>
</token-query>
</arg-node-set>
<arg-actions>
<do-remove-src-attr-value name="cccFSFactoryAppliedContainers">
<arg-dn>
<token-xpath expression="$current-node/@src-dn"/>
</arg-dn>
<arg-value type="dn">
<token-src-dn/>
</arg-value>
</do-remove-src-attr-value>
</arg-actions>
</do-for-each>
<do-for-each>
<arg-node-set>
<token-entitlement name="NSM Policy"/>
</arg-node-set>
<arg-actions>
<do-add-src-attr-value name="cccFSFactoryContainerPolicy">
<arg-value type="dn">
<token-entitlement name="NSM Policy"/>
</arg-value>
</do-add-src-attr-value>
<do-add-src-attr-value name="cccFSFactoryAppliedContainers">
<arg-dn>
<token-local-variable name="current-node"/>
</arg-dn>
<arg-value type="dn">
<token-src-dn/>
</arg-value>
</do-add-src-attr-value>
</arg-actions>
</do-for-each>
</actions>
</rule>


Of course I could check and compare present values to should-be-values in policy and strip things down to push only the difference back into edir, but that's overly complicated and much more work than doing real loopback and having the "optimze modify" filter setting on the publisher sort it all out for me. It would be even less work, though, if the set/add src attr value tokens on the subscriber would honor that filter setting, too...

Any ideas?

Cheers, Lothar

--