I noticed an old thread
from Shon Vella explaining that as long as you preserved the query-token
node in the returned document that a do-for-each would continue querying
for more results using that cookie.

So I tried a twist on this - but it didn't work as I expected.

What it does is -

1. query-ex for max 100 instances where the object has an entitlement
and assign those to a variable
2. do-for-each over the variable using an xpath that means that only
those instances that contain a specific entitlement are processed + keep
the query-token node
3. when the do-for-each encounters the query-token node, query for
another max 100 instances - but this time they aren't filtered by the
xpath expression. I assume because these new instances are directly
added to the do-for-each loop.

<description>Process Only Users With Specified Entitlement</description>
<do-set-local-variable name="lvEmployees" scope="policy">
<token-query class-name="User" datastore="src" max-result-count="100">
<token-text xml:space="preserve">DirXML-EntitlementRef</token-text>
<do-set-local-variable name="lvEnt" scope="policy">
xml:space="preserve">\TREE\Services\IDM\DriverSet\ TestDriver\UserAccount</token-text>
expression="$lvEmployees/attr[@attr-name='DirXML-EntitlementRef' and
..//component[@name='volume' and .=$lvEnt]/../component[@name='nameSpace'
and .='1']]/.. | $lvEmployees/../query-token"/>
<token-xpath expression="$current-node/@src-dn"/>

Does anyone know of another solution?

Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.