IDM Designer and workflow activities allow for various entity operations, namely Create, Modify, and Delete operations.

There is no entity operation to move an object, and none to rename.

As a workaround you may consider writing some driver that does the move/rename for you, but imagine how much easier your life could be with a Move/Rename entity operation within the workflow.

Here’s an easy way to accomplish this.

The key element in this Cool Solution is a mapping activity named “Rename/Move” where all the logic is encapsulated. If you are in a hurry, just take a look at that activity.

The rest of this article illustrates, step by step, how to use this activity in a simple test workflow.

Instructions to create a simple Rename/Move workflow:

Start your IDM Designer and create a simple “No Approval” workflow with 4 elements:

  • Start
  • Mapping Activity
  • Workflow Status
  • Finish


In the request form, we will use 3 input fields:

fldObjectDn holds the source DN of the object that you’d like to move (e.g., “cn=testUser,ou=test_a,o=test”)

fldNewCn holds the target CN (e.g., “newName”)

fldNewOu holds the target container (e.g., “ou=test_b,o=test”)

The program logic allows you to change both the target CN and the target OU, thereby enabling a simple rename (different CN, same OU), a simple move (same CN, different OU), or a combined rename/move (different CN, different OU).

For the sake of testing and simplicity you may use simple text fields; alternatively, use fancier fields like object selectors.


Use post activity Data Item Mapping to transport your input into the workflow.


The key element of this sample is the mapping activity (that we use to emulate the Move/Rename entity activity).


Add a Data Item Mapping and use the following code segment in the source expression.

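function ldapRenameOrMove( dnOld, dnNew )
{
	// Trace message of the original listing (the call that printed it is missing from this page):
	// "ldapRenameOrMove ( '" + dnOld + "', '" + dnNew + "' ) "
	var result = "";
	try {
		// getAdminContext() hands us IDM's admin LDAP context. The class it is
		// called on is missing from this page, so the call is left unqualified.
		var ctx = getAdminContext( false );
		ctx.rename( dnOld, dnNew );
		result = dnNew;
	}
	catch (e) {
		// On failure, return the error text instead of the new DN.
		result = " ldapRenameOrMove () " + e.toString();
	}
	return( result );
}

// Source DN from fldObjectDn; target DN built from fldNewCn and fldNewOu.
ldapRenameOrMove(
	flowdata.get('start/request_form/fldObjectDn'),
	"cn=" + flowdata.get('start/request_form/fldNewCn')
	+ "," + flowdata.get('start/request_form/fldNewOu') )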


We are using straight LDAP calls (ctx.rename) to do the Rename/Move.

Instead of establishing a new context with host names, credentials and such, we use the method getAdminContext() to let IDM pass us its admin LDAP context. This means the rename runs with admin rights.
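Because the mapping concatenates request-form values into a DN and the rename runs with admin rights, the form values deserve validation first. The following is an added example, not part of the original Cool Solution: it escapes the new CN per RFC 4514 and accepts the source DN and target container only below a base container. ALLOWED_BASE and all function names are assumptions; the base is taken from the article's sample DNs.

```javascript
var ALLOWED_BASE = "o=test"; // assumption: base container from the article's sample DNs

// Escape a value for use in an RDN (RFC 4514 section 2.4).
function escapeRdnValue(value) {
    var s = String(value).replace(/[\\",+;<>]/g, "\\$&").replace(/\u0000/g, "\\00");
    s = s.replace(/ $/, "\\ ");          // trailing space
    return s.replace(/^([ #])/, "\\$1"); // leading space or '#'
}

// Split a DN into RDNs on commas that are not backslash-escaped.
function splitDn(dn) {
    var parts = [], cur = "", i, c;
    for (i = 0; i < dn.length; i++) {
        c = dn.charAt(i);
        if (c === "\\" && i + 1 < dn.length) { cur += c + dn.charAt(++i); }
        else if (c === ",") { parts.push(cur); cur = ""; }
        else { cur += c; }
    }
    parts.push(cur);
    return parts;
}

// Lower-cased RDN list, or null if any component is not "type=value".
function normalizeDn(dn) {
    var rdns = splitDn(String(dn)), out = [], i, r;
    for (i = 0; i < rdns.length; i++) {
        r = rdns[i].replace(/^\s+/, "").toLowerCase();
        if (!/^[a-z][a-z0-9-]*=.+$/.test(r)) { return null; }
        out.push(r);
    }
    return out;
}

// True if dn equals base or lies below it.
function isUnder(dn, base) {
    var d = normalizeDn(dn), b = normalizeDn(base), i;
    if (!d || !b || d.length < b.length) { return false; }
    for (i = 1; i <= b.length; i++) {
        if (d[d.length - i] !== b[b.length - i]) { return false; }
    }
    return true;
}

// Validate the three form values and return the target DN for the rename.
function buildTargetDn(objectDn, newCn, newOu) {
    if (!isUnder(objectDn, ALLOWED_BASE)) { throw new Error("source DN outside " + ALLOWED_BASE); }
    if (!isUnder(newOu, ALLOWED_BASE)) { throw new Error("target container outside " + ALLOWED_BASE); }
    if (/^\s*$/.test(String(newCn))) { throw new Error("empty CN"); }
    return "cn=" + escapeRdnValue(newCn) + "," + newOu;
}
```

In the mapping activity, the value returned by buildTargetDn would take the place of the hand-built second argument to ldapRenameOrMove, so a comma or other DN special character in a form field cannot change which entry or container the rename addresses.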

Use a target expression of your choice (like “flowdata.start/group/success”); you may use it to validate the operation’s success.

Well, that’s about it. Deploy the Workflow and do your tests.

Obviously, there are some generic considerations and side effects when moving objects in your tree:

Be aware that after moving/renaming objects you need to allow some time for eDirectory synchronization before doing further operations (modify/move/rename) on the same object.

To enforce a delay after the move, you may consider adding a dummy approval step (60 seconds timeout approves) after the move action.

Since the workflow engine is unaware of the programmatic object move, use special care when you need to operate on the object in the same workflow (notifications, entity operations and the like).

If you move objects that have workflows in progress, you might see errors on these old workflows, since they reference users and groups by their DN. Moved users will not be able to see their old workflows.

Consider such side effects before moving objects around.

This approach has been successfully tested in RBPM 3.7 and IDM 4.0.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply


  • hello_amigo says:

    Hi! Unfortunately the solution is not working for RBPM 4.0.2.
    Wschreiber, can you update an article? Thank you!

  • wschreiber says:

    I’ve just made a test on IDM 4.0.2 – both, renames and moves, still work as described.

    Make sure that you’ve followed all instructions outlined in the Cool Solution and keep an eye on the server.log where any issues should be logged.


    • hello_amigo says:

      One more question. Why do you create DirContext twice? As I understand this line of code
      ctx = false );
      overwrite this one:
      var ctx = new;
      Thank you for reply!

      • wschreiber says:

        Yes, indeed the code could be shortened to

        var ctx = false );


  • hello_amigo says:

    Wschreiber, I would very much appreciate it if you took a look at the error that appeared in my case. I created a post (Rename/move object couse an error) on the NetIQ forum with a snippet of the error. If you need any additional information please let me know.

    • wschreiber says:

      I’d suggest to test on a different setup – the code I’ve outlined works on older IDM versions (3.7 and perhaps older) up to the current 4.0.2c

      Double-check for typos.

      Good luck

  • alexoliveira_cielo says:

    I have used this method in IDM 3.6.1; it worked fine. Congrats.


  • aortizmicrofocus says:

    Thanks a lot!!! It works great for me. I had IDM 4.5 with Designer

Apr 5, 2011
12:57 pm