A Forum reader recently asked:
“I am trying to create an account on active directory and have it synchronized to IDM. The Driver filter has the surname, given name, and various other fields set to Publisher Reset and Subscriber Synchronize.
When the account is created in Active Directory, you can see in the trace that the values are there. Then, later in the trace, the values get reset before IDM gets to the placement policy. At that point, a MISSING MANDATORY error is generated. When I change the filter to Synchronize on both the Publisher and the Subscriber, the account is created in IDM.
How do I prevent users from changing values in AD and synchronizing to IDM? I need those values to be reset in AD so that IDM is the “keeper” of information, and the values in AD always reflect those in IDM. This works with existing accounts but not with new accounts.”
And here’s the response from Father Ramon …
Filters are somewhat of an all-or-nothing kind of thing. What you are trying to do is make AD (or your policies) authoritative on create, but not on modify. To get the behavior you want, you are basically left with two options:
I would think that the latter would be the easiest. What you probably want is something like the following rule, in the last policy of your publisher command transformation:
<rule>
  <description>Perform adds directly to bypass the reset filter</description>
  <conditions>
    <and>
      <!-- match creates only; modify events still go through the reset filter -->
      <if-operation op="equal">add</if-operation>
    </and>
  </conditions>
  <actions>
    <!-- expression="." is the current <add> command; this sets direct="dest" on it -->
    <do-set-xml-attr expression="." name="direct">
      <arg-string>
        <token-text>dest</token-text>
      </arg-string>
    </do-set-xml-attr>
  </actions>
</rule>
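The following is an added example, not part of Father Ramon's reply or of any NetIQ code: a small Python model of what the trace above describes. It takes a constructed DirXML-shaped publisher document with one add and one modify, applies a modelled publisher filter (Surname and Given Name set to Reset, mail set to Synchronize, as in the question) and reports which mandatory attributes the add would be missing at placement time, first without and then with the effect of the rule above (direct="dest" on add commands, which the model treats as bypassing the filter, as the rule's description states). The filter semantics, the mandatory set, the attribute names and the sample event are all assumptions of the example; the real engine's internals are not reproduced.

```python
# Added example: model of the Publisher Reset filter on create and of the
# direct="dest" bypass. Not NetIQ code; filter semantics are modelled
# as described in the post, not taken from the engine.
import copy
import xml.etree.ElementTree as ET

# Constructed publisher-side filter settings, mirroring the question:
# Surname and Given Name are "Publisher Reset", mail is "Synchronize".
PUBLISHER_FILTER = {
    "Surname": "reset",
    "Given Name": "reset",
    "Internet EMail Address": "sync",
}

# Attributes the destination requires on create (assumption for the model;
# eDirectory's User class does require Surname).
MANDATORY_ON_CREATE = {"Surname"}

# Constructed sample publisher document in DirXML shape; names and DNs are made up.
SAMPLE_DOC = """<nds dtdversion="4.0">
  <input>
    <add class-name="User" event-id="ad-event-1"
         src-dn="CN=jdoe,OU=Staff,DC=example,DC=com">
      <add-attr attr-name="Surname"><value>Doe</value></add-attr>
      <add-attr attr-name="Given Name"><value>Jane</value></add-attr>
      <add-attr attr-name="Internet EMail Address"><value>jdoe@example.com</value></add-attr>
    </add>
    <modify class-name="User" event-id="ad-event-2"
            src-dn="CN=asmith,OU=Staff,DC=example,DC=com">
      <modify-attr attr-name="Surname"><add-value><value>Smith-Jones</value></add-value></modify-attr>
    </modify>
  </input>
</nds>"""


def mark_adds_direct(root):
    """Effect of the posted rule: set direct="dest" on every <add> command
    and leave every other command alone. Returns the number of adds marked."""
    adds = root.findall("./input/add")
    for add in adds:
        add.set("direct", "dest")
    return len(adds)


def apply_publisher_filter(command, flt=PUBLISHER_FILTER):
    """Modelled publisher filter on one command (assumption, see lead-in).

    'sync'  : the attribute passes through to eDirectory.
    'reset' : the attribute is stripped from the command; the engine would
              push eDirectory's current value back to AD instead. On a create
              there is no eDirectory object yet, so the value is simply lost,
              which is what produces MISSING MANDATORY at placement.
    absent  : attributes not in the filter are dropped as well.
    A command carrying direct="dest" bypasses the filter entirely.
    """
    out = copy.deepcopy(command)
    if out.get("direct") == "dest":
        return out
    for child in list(out):
        name = child.get("attr-name")
        if name is None:            # not an attribute element, keep it
            continue
        if flt.get(name) != "sync":
            out.remove(child)
    return out


def missing_mandatory(command, mandatory=MANDATORY_ON_CREATE):
    """Mandatory attributes absent from a filtered <add>; empty set means OK."""
    present = {a.get("attr-name") for a in command.findall("add-attr")}
    return set(mandatory) - present


def run(doc_xml, with_rule):
    """{event-id: missing mandatory attrs} for each <add> in the document,
    optionally applying the direct="dest" rule before the filter."""
    root = ET.fromstring(doc_xml)
    if with_rule:
        mark_adds_direct(root)
    return {cmd.get("event-id"): missing_mandatory(apply_publisher_filter(cmd))
            for cmd in root.findall("./input/add")}


def direct_flags(doc_xml, with_rule):
    """{event-id: value of the direct attribute or None} for every command,
    to show the rule touches adds only and leaves modifies filtered."""
    root = ET.fromstring(doc_xml)
    if with_rule:
        mark_adds_direct(root)
    return {cmd.get("event-id"): cmd.get("direct") for cmd in root.find("input")}


if __name__ == "__main__":
    print("without rule:", run(SAMPLE_DOC, with_rule=False))
    print("with rule:   ", run(SAMPLE_DOC, with_rule=True))
    print("direct flags:", direct_flags(SAMPLE_DOC, with_rule=True))
```

Without the rule the add reaches placement with Surname stripped, which is the MISSING MANDATORY the reader saw; with the rule the add passes untouched while the modify keeps no direct flag, so later changes made in AD are still reset from IDM's values, which is the split the reply describes.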
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.