I am using a mapping table to match employee jobcodes to eDirectory
groups (this is in IDM 3.51). Currently there is one jobcode column and
2 group columns.

In my loopback driver I am watching for changes on the jobcode
attribute and if an event occurs I lookup the matching groups for the
old jobcode in the table and remove the user from those groups and then
add the user to the groups for the new jobcode.

This works great until HR comes up with a new jobcode (or a typo :-))
that does not yet exist in my mapping table in which case the entire
operation fails. Meaning the employee will neither be removed from old
groups, nor added to new ones.

I am trying to find a way to perform a lookup for the removed
attribute and the operation attribute in the mapping table before I
actually kick off the rule; on match I proceed, on failure I would send
an email with the failing jobcode.

I was not able to find an obvious way to accomplish this yet (I guess
xpath might be the way to go but I haven't quite mastered xpath yet). Any
suggestions?

Thanks,

Frank

Here is the rule:

<rule>
<description>Update Enterprise Roles on Jobcode Change</description>
<comment xml:space="preserve">This policy monitors changes to the
jobcode attribute and modifies group memberships based on a mapping
table.</comment>
<conditions>
<and>
<if-op-attr name="jobCode" op="changing"/>
</and>
</conditions>
<actions>
<do-set-local-variable name="OldjobCode" scope="policy">
<arg-string>
<token-removed-attr name="jobCode"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="NewjobCode" scope="policy">
<arg-string>
<token-op-attr name="jobCode"/>
</arg-string>
</do-set-local-variable>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="nocase" name="OldjobCode"
op="gt">0</if-local-variable>
</and>
</arg-conditions>
<arg-actions>
<do-remove-src-attr-value class-name="User" name="Group Membership">
<arg-value type="string">
<token-map dest="group" src="jobcode"
table="..\..\PGW-IDMLibrary\JobCode to Groups">
<token-removed-attr name="jobCode"/>
</token-map>
</arg-value>
</do-remove-src-attr-value>
<do-remove-src-attr-value class-name="User" name="Security Equals">
<arg-value type="string">
<token-map dest="group" src="jobcode"
table="..\..\PGW-IDMLibrary\JobCode to Groups">
<token-removed-attr name="jobCode"/>
</token-map>
</arg-value>
</do-remove-src-attr-value>
<do-remove-src-attr-value class-name="User" name="Group Membership">
<arg-value type="string">
<token-map dest="group2" src="jobcode"
table="..\..\PGW-IDMLibrary\JobCode to Groups">
<token-removed-attr name="jobCode"/>
</token-map>
</arg-value>
</do-remove-src-attr-value>
<do-remove-src-attr-value class-name="User" name="Security Equals">
<arg-value type="string">
<token-map dest="group2" src="jobcode"
table="..\..\PGW-IDMLibrary\JobCode to Groups">
<token-removed-attr name="jobCode"/>
</token-map>
</arg-value>
</do-remove-src-attr-value>
</arg-actions>
<arg-actions/>
</do-if>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="nocase" name="NewjobCode"
op="gt">0</if-local-variable>
<if-local-variable mode="nocase" name="NewjobCode"
op="not-equal">80000</if-local-variable>
<if-local-variable mode="nocase" name="NewjobCode"
op="not-equal">80001</if-local-variable>
</and>
</arg-conditions>
<arg-actions>
<do-add-src-attr-value class-name="User" name="Group Membership">
<arg-value type="string">
<token-map dest="group" src="jobcode"
table="..\..\PGW-IDMLibrary\JobCode to Groups">
<token-op-attr name="jobCode"/>
</token-map>
</arg-value>
</do-add-src-attr-value>
<do-add-src-attr-value class-name="User" name="Security Equals">
<arg-value type="string">
<token-map dest="group" src="jobcode"
table="..\..\PGW-IDMLibrary\JobCode to Groups">
<token-op-attr name="jobCode"/>
</token-map>
</arg-value>
</do-add-src-attr-value>
<do-add-src-attr-value class-name="User" name="Group Membership">
<arg-value type="string">
<token-map dest="group2" src="jobcode"
table="..\..\PGW-IDMLibrary\JobCode to Groups">
<token-op-attr name="jobCode"/>
</token-map>
</arg-value>
</do-add-src-attr-value>
<do-add-src-attr-value class-name="User" name="Security Equals">
<arg-value type="string">
<token-map dest="group2" src="jobcode"
table="..\..\PGW-IDMLibrary\JobCode to Groups">
<token-op-attr name="jobCode"/>
</token-map>
</arg-value>
</do-add-src-attr-value>
</arg-actions>
<arg-actions/>
</do-if>
</actions>
</rule>


--
fweigert
------------------------------------------------------------------------
fweigert's Profile: http://forums.novell.com/member.php?userid=3975
View this thread: http://forums.novell.com/showthread.php?t=378383
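
One way to do the pre-check the post asks about, as an added example that is not part of the original post: a guard rule placed ahead of the membership rule in the same policy resolves both lookups into local variables, mails the failing jobcode and breaks out before any group is removed or added. Assumptions: token-map yields an empty string when no row matches, every valid jobcode has a non-empty `group` column, and the variable names `OldGroup`/`NewGroup`, the SMTP server and the mail address are placeholders.

```xml
<rule>
  <description>Stop on jobcodes missing from the mapping table</description>
  <conditions>
    <and><if-op-attr name="jobCode" op="changing"/></and>
  </conditions>
  <actions>
    <do-set-local-variable name="OldjobCode" scope="policy">
      <arg-string><token-removed-attr name="jobCode"/></arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="NewjobCode" scope="policy">
      <arg-string><token-op-attr name="jobCode"/></arg-string>
    </do-set-local-variable>
    <!-- Assumption: token-map yields an empty string when no row matches -->
    <do-set-local-variable name="OldGroup" scope="policy">
      <arg-string><token-map dest="group" src="jobcode" table="..\..\PGW-IDMLibrary\JobCode to Groups">
        <token-local-variable name="OldjobCode"/></token-map></arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="NewGroup" scope="policy">
      <arg-string><token-map dest="group" src="jobcode" table="..\..\PGW-IDMLibrary\JobCode to Groups">
        <token-local-variable name="NewjobCode"/></token-map></arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <!-- Sibling <and> groups are ORed: either lookup failing triggers the alert -->
        <and> <!-- an old jobcode was removed but has no row in the table -->
          <if-local-variable mode="regex" name="OldjobCode" op="equal">.+</if-local-variable>
          <if-local-variable mode="regex" name="OldGroup" op="not-equal">.+</if-local-variable>
        </and>
        <and> <!-- a new jobcode (other than 80000/80001) has no row in the table -->
          <if-local-variable mode="regex" name="NewjobCode" op="equal">.+</if-local-variable>
          <if-local-variable mode="regex" name="NewjobCode" op="not-equal">8000[01]</if-local-variable>
          <if-local-variable mode="regex" name="NewGroup" op="not-equal">.+</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <!-- Placeholder SMTP server and recipient -->
        <do-send-email server="smtp.example.com" type="text">
          <arg-string name="to"><token-text>idm-admin@example.com</token-text></arg-string>
          <arg-string name="subject"><token-text>Unmapped jobCode</token-text></arg-string>
          <arg-string name="message">
            <token-text>No mapping row for old=</token-text><token-local-variable name="OldjobCode"/>
            <token-text> or new=</token-text><token-local-variable name="NewjobCode"/>
          </arg-string>
        </do-send-email>
        <do-break/> <!-- skip the membership rule: nothing is removed or added -->
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>
```

Because the guard breaks before any change, a user whose jobcode is unmapped keeps the old groups and Security Equals entries until the table is corrected, so the alert mail needs an owner who follows up.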