On Wed, 25 Jul 2012 12:26:01 +0000, jimc wrote:

> My current IDM Infrastructure has
> SAP HR connecting to a flat eDirectory in an ID vault used mainly for
> Edir to Edir between the flat ID vault and a deeply tree structured tree
> used for File and Print across multiple sites, Edir to MsAD from the F&P
> tree to an AD domain.

That's kinda unusual, but if it's working for you, I can't complain. I'd
have connected the MAD system to the flat ID vault instead. But I'd also
be using the HR system to create accounts. Creating them by hand then
matching them up with HR works, but duplicates effort.

> All well and good, but there are a bunch of attributes in HR/ID Vault I
> need to populate in the MAD domain that don't need to be in the File and
> print Tree.
> I was mulling over the possibility of running a second driver from the
> ID vault direct to the AD tree with suitable logic in to keep the extras
> out of the F&P schema.

Sure, that'll work. It seems needlessly complex, from an IDM point of
view, but if it works with your business logic, go for it.

> The code and logic are simple enough, and reasonable checking in Designer
> plus IDM's own functions ought to prevent attribute changes going round
> in circles or anything untoward like that, but I still feel a bit
> nervous about the idea.

Yes, you may need a bit of policy to keep changes from looping, if you
have the same attribute in both drivers' filters, but that's easy enough
to do. Ideally, you won't have the same attributes in both drivers'
filters, though, so this should be a non-issue.

David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.
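
Added example, not part of the thread and not Novell or Designer code: a Python sketch that lists the attributes appearing in more than one driver's filter and flags those whose permitted flows form a ring through all three trees, as candidates for the loop-prevention policy discussed above. The driver names, attribute lists, and the dictionary layout are constructed assumptions; a real check would read the filters exported from your own drivers.

```python
from collections import defaultdict

# Constructed sample, not real driver configuration. Each hypothetical driver
# links two trees and lists which way each filtered attribute may flow:
# "forward" = first tree to second, "back" = second to first, "both" = either.
DRIVERS = {
    "IDV-FP": {"trees": ("IDV", "FP"),
               "attrs": {"Surname": "both", "Telephone Number": "both"}},
    "FP-AD": {"trees": ("FP", "AD"),
              "attrs": {"Surname": "both", "Telephone Number": "both"}},
    "IDV-AD": {"trees": ("IDV", "AD"),
               "attrs": {"Telephone Number": "both", "costCenter": "forward"}},
}

def flows(drivers):
    """Map attribute -> list of (driver, source tree, destination tree)."""
    out = defaultdict(list)
    for name, drv in drivers.items():
        a, b = drv["trees"]
        for attr, direction in drv["attrs"].items():
            if direction in ("forward", "both"):
                out[attr].append((name, a, b))
            if direction in ("back", "both"):
                out[attr].append((name, b, a))
    return out

def has_ring(edges):
    """True if directed (src, dst) edges form a cycle through 3+ trees."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    def walk(start, node, seen):
        for nxt in graph.get(node, ()):
            if nxt == start and len(seen) >= 3:
                return True
            if nxt not in seen and walk(start, nxt, seen | {nxt}):
                return True
        return False
    return any(walk(s, s, {s}) for s in graph)

def overlap_report(drivers):
    """Attributes filtered by more than one driver, and whether they ring."""
    report = {}
    for attr, hops in flows(drivers).items():
        names = sorted({drv for drv, _, _ in hops})
        if len(names) > 1:
            report[attr] = {"drivers": names,
                            "ring": has_ring([(s, d) for _, s, d in hops])}
    return report
```

In the constructed data, `costCenter` is carried only by the direct ID vault to AD driver, so it never appears in the report; that is the non-overlapping arrangement the reply recommends.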