Maybe this should be asked on the engine side, not sure.

When a user is made Inactive we want to simply remove all Roles,
Resources and Entitlements.
I think this is easiest to do in a null driver but if I would use the
"Remove Role" token I need to do a "for each" over every role as well as
having to get the correct LDAP dn translation etc. Doable and correct.
Was just wondering what the difference would be to just "Clear" the
affected attributes, DirXML-EntitlementRef, nrfMemberOf,
nrfAssignedRoles, nrfAssignedResources. As I understand it we miss the
logging function of the UA and the nrfResourceHistory attribute will not
be updated but is there anything else?

joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159