A Forum reader recently asked:
“Here’s the functionality I need:
In the “IDV” tree, an admin places a user into group “UsersForOtherTree”. Insertion into this group triggers a user create with password sync in the second tree.
In the “IDV” tree, an admin removes a user from group “UsersForOtherTree”. Removal from this group triggers a user delete from the second tree.
That’s it – nothing elaborate. I don’t need to manage group memberships on the second tree. I need a create and a delete operation based on insertion into or removal from one specific group in the authoritative tree.”
And here’s the response from Father Ramon …
This is what you are going to want to do on the source tree:
1. Edit your filter to have in it only the Classes and Attributes that you want to synchronize.
2. Add Group Membership to the filter for Users and set to Ignore on Publisher Channel, and notify on subscriber channel.
3. Add an event transformation policy on the subscriber channel with a rule like this:
<rule> <description>Handle controlling group membership</description> <conditions> <and> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-src-dn op="available"/> <if-src-attr mode="src-dn" name="Group Membership" op="not-equal">org\groups\UsersForOtherTree</if-src-attr> </and> </conditions> <actions> <do-if> <arg-conditions> <and> <if-association op="associated"/> </and> </arg-conditions> <arg-actions> <do-delete-dest-object direct="true"/> <do-remove-association> <arg-association> <token-association/> </arg-association> </do-remove-association> </arg-actions> </do-if> <do-veto/> </actions> </rule>
If you are using a version of IDM older than 3.5, you would have to rewrite the policy to use more than one rule because you wouldn’t be able to nest conditions.