On 7/12/2012 4:56 AM, abergvall wrote:
> Hi,
> IDM401
> I've been reading and trying to get the following scenario working:
> Tree1:
> UA RBPM with roles
> eDir driver to tree2 where I have loads of groups that I want to be
> able to add to my roles via entitlements (don't want to have all these
> groups in tree1)
> In Designer I can add the entitlement to a role, the query for it works,
> I get the list of groups ok.
> The role can be assigned to a user, which gets the
> dirxml-entitlementRef attribute with some values.
> eDir driver in tree1 sends this off to tree2 (focusing on ADD right
> now). In the create rule on the tree2 driver I have a rule that checks for group
> entitlement, like in the AD driver, but it fails with a "query lacks
> assoc" then skips it.
> I don't want to use Admin provided values for the entitlements since
> that will impose administrative burden to keep the list correct.
> I have set up sync of the entitlement itself to get rid of the warnings
> in the trace.
> Will it work with query based entitlements? Seems like I miss something
> here. I also can't trigger on modify operation with "entitlement
> changing"
> of dirxml-entitlementRef attribute... Seems like the eDir driver isn't
> really meant to do things like this. I do hope I'm wrong though.
> Any thoughts?
> br
> /Anders

This may be related to the architecture of the eDirectory driver. It may not
be straightforward. The way we have it working is by setting the
entitlement parameter values (group names/group DNs from tree2) into an
unused user attribute which is synced over to tree2. Then in the
command rule the group and user (Group Membership) are updated after the
add is processed.
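As an added illustration of the workaround described in the reply above (this is not the poster's policy and is not taken from the thread), one way to write the tree2-side rule in DirXML Script. It assumes: the tree1 driver has already copied the entitlement parameter values into a hypothetical, otherwise unused user attribute named `x-groupDN`; that attribute exists in both trees' schemas and is in the Subscriber filter of both drivers; the values are tree2 group DNs in the eDir driver's slash format (e.g. `org\groups\sales`); and the policy sits in the Subscriber Command Transformation of the tree2 driver. The second rule goes beyond what the reply describes: it handles a later change to `x-groupDN` as an ordinary modify, which is what a synced plain attribute produces.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original thread. Hypothetical Subscriber
     Command Transformation policy for the tree2 eDirectory driver.
     Assumes x-groupDN (hypothetical attribute) carries tree2 group DNs in
     slash format and is in the filter of both drivers. -->
<policy>
  <rule>
    <description>User add: turn each x-groupDN value into a group membership</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <if-op-attr name="x-groupDN" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-for-each>
        <arg-node-set>
          <token-xpath expression="./add-attr[@attr-name='x-groupDN']/value"/>
        </arg-node-set>
        <arg-actions>
          <do-set-local-variable name="group-dn" scope="policy">
            <arg-string>
              <token-xpath expression="string($current-node)"/>
            </arg-string>
          </do-set-local-variable>
          <!-- Read an attribute of the group in tree2; empty result means the
               DN from the entitlement query is stale and must not be used -->
          <do-set-local-variable name="group-check" scope="policy">
            <arg-string>
              <token-dest-attr class-name="Group" name="Object Class">
                <arg-dn>
                  <token-local-variable name="group-dn"/>
                </arg-dn>
              </token-dest-attr>
            </arg-string>
          </do-set-local-variable>
          <do-if>
            <arg-conditions>
              <and>
                <if-local-variable name="group-check" op="available"/>
              </and>
            </arg-conditions>
            <arg-actions>
              <!-- Same object as the current add: value is appended to the add -->
              <do-add-dest-attr-value name="Group Membership">
                <arg-value type="dn">
                  <token-local-variable name="group-dn"/>
                </arg-value>
              </do-add-dest-attr-value>
              <!-- Different object: the engine queues a modify of the group
                   after the current add, so the user DN exists by then -->
              <do-add-dest-attr-value class-name="Group" name="Member">
                <arg-dn>
                  <token-local-variable name="group-dn"/>
                </arg-dn>
                <arg-value type="dn">
                  <token-dest-dn/>
                </arg-value>
              </do-add-dest-attr-value>
            </arg-actions>
            <arg-actions>
              <do-trace-message level="1">
                <arg-string>
                  <token-text xml:space="preserve">x-groupDN: group not found in tree2, skipping: </token-text>
                  <token-local-variable name="group-dn"/>
                </arg-string>
              </do-trace-message>
            </arg-actions>
          </do-if>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
  <rule>
    <description>User modify: x-groupDN value removed means leave the group</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="x-groupDN" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-for-each>
        <arg-node-set>
          <token-xpath expression="./modify-attr[@attr-name='x-groupDN']/remove-value/value"/>
        </arg-node-set>
        <arg-actions>
          <do-remove-dest-attr-value class-name="Group" name="Member">
            <arg-dn>
              <token-xpath expression="string($current-node)"/>
            </arg-dn>
            <arg-value type="dn">
              <token-dest-dn/>
            </arg-value>
          </do-remove-dest-attr-value>
          <do-remove-dest-attr-value name="Group Membership">
            <arg-value type="dn">
              <token-xpath expression="string($current-node)"/>
            </arg-value>
          </do-remove-dest-attr-value>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
</policy>
```

Two points a practitioner would check before relying on this: the existence test on the group is what protects you from a stale DN in the entitlement query result (a removed or renamed group would otherwise turn into a failed modify in the trace), and the Member/Group Membership pair is written explicitly because eDirectory does not maintain the reciprocal attribute for you the way ConsoleOne or iManager does. Added values on modify would be handled the same way as the add rule and are left out here only to keep the example short.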