A Forum reader recently asked:

“We have an Identity Source using eDirectory, with some connected systems, such as Oracle DB, Lotus Notes and OpenLDAP. The Identity source can synchronize the user’s identity information to the connected system by drivers, and we can control the user’s provision to the connected systems by

We need to delete users in the connected system who exist in the Identity Source eDirectory. The user can be recreated in the connected system by “migrate from the vault,” but it is hard to recreate and synchronize it by the policy or by the user’s provision. Also, the way that the connected system disables the user is to delete the user. There is no “login disable” attribute in the user’s information structure.

Are there some other ways to implement the user’s recreation in the connected system?”

And here’s the response from Ofer Gigi …

One way to do that involves a service driver (e.g. Loopback driver, Null driver) and an attribute to be used as a flag (let’s say: UnDeleteFlag, type Boolean):

On the connected system driver’s Publisher event transformation policy, if the incoming operation is Delete:

1. Put the value “false” on the UnDeleteFlag attribute.

2. Remove the association on the IdV object (important!).

3. Block (Veto) the incoming Delete operation.

4. (Optional) Send some email notifications.

On the Service driver’s Subscriber event transformation policy, if the operation attribute UnDeleteFlag equals “false”:

1. Put the value “true” on the (source) UnDeleteFlag attribute.

Then, recreating the deleted object should happen automatically. Your connected system driver will follow the normal path of creating a new object based on whatever policies (including Entitlement policies) you may already have.

Note: Make sure the UnDeleteFlag attribute is on the connected system and the service driver’s subscriber filter. “Notify” will do.

The filter would need to allow events on the publisher channel, although you don’t really want to synchronize them in your case (publisher="sync"). You should be good to go with publisher="sync" on the User class only (and not on any user attribute). You would also want to prevent incoming events from actually flowing in. Put a veto on add, modify, move, rename and delete (which was already mentioned).

You could also try something like this:

<?xml version="1.0" encoding="UTF-8"?><policy>
  <rule>
    <description>Set Delete Flag</description>
    <conditions><and>
      <if-operation op="equal">delete</if-operation>
      <if-association op="associated"/>
    </and></conditions>
    <actions>
      <do-set-dest-attr-value name="unDeleteFlag">
        <arg-value type="string"><token-text xml:space="preserve">false</token-text></arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>

Note again that the “unDeleteFlag” attribute was given as an example only.

It does not exist in the schema.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: ofg, Sep 26, 2007, 8:13 am
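The full set of DirXML Script objects that the steps in Ofer's answer describe, as an added example that is not part of the original post and is not NetIQ or Novell code. It assumes the flag attribute is named UnDeleteFlag, is of syntax Boolean, and has already been added to the eDirectory schema (the post notes it does not exist by default), that the object class is User, and that the service driver is a Loopback or Null driver. The block holds three separate XML objects: the Publisher Event Transformation policy of the connected-system driver (flag, disassociate, veto, plus the "veto everything else" rule), the Subscriber Event Transformation policy of the service driver, and the connected-system driver's filter fragment; each is pasted into its own policy or filter object. The optional e-mail notification step is left out.

```xml
<!-- Added example, not from the original post. Three separate objects follow.
     Assumptions: attribute UnDeleteFlag (Boolean) exists in the schema,
     class is User, service driver is a Loopback/Null driver. -->

<!-- 1) Connected-system driver, Publisher channel, Event Transformation policy -->
<policy>
  <rule>
    <description>Delete from connected system: flag, disassociate, veto</description>
    <conditions>
      <and>
        <if-operation op="equal">delete</if-operation>
        <if-association op="associated"/>
      </and>
    </conditions>
    <actions>
      <!-- Step 1: mark the Identity Vault object so the service driver sees a modify -->
      <do-set-dest-attr-value name="UnDeleteFlag">
        <arg-value type="string">
          <token-text xml:space="preserve">false</token-text>
        </arg-value>
      </do-set-dest-attr-value>
      <!-- Step 2: drop the association so the next event is treated as a new object -->
      <do-remove-association>
        <arg-association>
          <token-association/>
        </arg-association>
      </do-remove-association>
      <!-- Step 3: the delete never reaches the Identity Vault -->
      <do-veto/>
    </actions>
  </rule>
  <rule>
    <description>Veto every other incoming event (no data flows in)</description>
    <conditions>
      <or>
        <if-operation op="equal">add</if-operation>
        <if-operation op="equal">modify</if-operation>
        <if-operation op="equal">move</if-operation>
        <if-operation op="equal">rename</if-operation>
      </or>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
</policy>

<!-- 2) Service driver (Loopback/Null), Subscriber channel, Event Transformation policy -->
<policy>
  <rule>
    <description>Reset UnDeleteFlag to true; that modify re-triggers provisioning</description>
    <conditions>
      <and>
        <if-op-attr name="UnDeleteFlag" op="equal">false</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- Source on the Subscriber channel is the Identity Vault -->
      <do-set-src-attr-value name="UnDeleteFlag">
        <arg-value type="string">
          <token-text xml:space="preserve">true</token-text>
        </arg-value>
      </do-set-src-attr-value>
    </actions>
  </rule>
</policy>

<!-- 3) Connected-system driver filter: User class is "sync" on both channels so the
     publisher delete is seen at all; UnDeleteFlag is notify-only on subscribe and
     ignored on publish. The service driver's filter needs the same UnDeleteFlag
     subscriber="notify" entry so it is notified of the change to "false". -->
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="UnDeleteFlag" publisher="ignore" subscriber="notify"/>
  </filter-class>
</filter>
```

The sequence that results: the connected system's delete is turned into UnDeleteFlag=false on the vault object, the association is removed and the delete is vetoed; the service driver's Subscriber channel sees that modify and flips the flag to true; the connected-system driver's Subscriber channel then sees a modify for an object with no association, which the engine turns into a synthetic add and runs through the normal matching, creation and placement (and entitlement) policies. Keep the veto rule second, since a veto ends policy processing for the delete in the first rule.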