A Forum reader recently asked:

“Based on some events in IDVault, I want to trigger a policy on Subscrber/Evebt Transformation, which should remove all group-membership for the “current-user” / currentObject , so that user is not the member of any type of Groups in the IDVault at all.”

And here is the response from Father Ramon …


Actually, you have to remove each group membership individually in order for the reverse link to be removed. What you want to do is something more like this:

   <token-src-attr name="Group Membership"/>
   <do-remove-src-attr-value name="Group Membership">
     <token-local-variable name="current-node"/>
   <do-remove-src-attr-value name="Security Equals">
     <token-local-variable name="current-node"/>

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Categories: Uncategorized

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

No Comments
By: coolguys
Mar 26, 2008
8:15 am
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow