Sounds simple and probably something obvious I'm naively missing, but...

Groups in the Vault and memberships sync via the default filter to
GroupWise. However, making a policy that simply attempts to add a user as a
"member to" a driver-associated group is not working for me. I made a sub
ctp rule that

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "/home/paul/designer/plugins/com.novell.idm.policybuilder_4.0.0.201410091552/DTD/dirxmlscript4.0.2.dtd">
<policy>
  <rule>
    <description>&lt;Specify Name>group add</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-add-dest-attr-value class-name="Group" name="Member" when="after">
        <arg-dn>
          <token-text xml:space="preserve">\vault\ou\group</token-text>
        </arg-dn>
        <arg-value type="dn">
          <token-dest-dn/>
          <token-src-dn convert="false"/>
        </arg-value>
      </do-add-dest-attr-value>
    </actions>
  </rule>
</policy>

The shim returned the error that the class Group was not supported, which I
found surprising. The entitlement uses the <arg-association> element rather
than <arg-dn> when specifying the target group, but the code is quite
similar.

Also, am I right in thinking that there would not be an easy way to modify
membership of unassociated groups, i.e. those that existed only in GroupWise
and not in the Vault?


