Adminua deleted. I rebuilt the security domain for the UserApp and the
new ADMINUA seems functional. I have, for troubleshooting, granted full
supervisor rights to the entire tree for adminua.

However, when I add a user to a group assigned to a role, and that role has
5 resources assigned to it... which were 100% functional before the
deletion of AdminUA... I do not get any of the entitlements assigned,
with the following error in trace of the Roles and Resources Driver
(which is security equivalent to ADMIN of the tree):

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20150505145118.266Z" class-name="User"
event-id="CustomerIDV1T-NDS#20150505145118#1#1:f5b47cb0-a5e4-41f9-bdd9-a0c662b9a333"
qualified-src-dn="O=Customer\OU=Data\OU=Users\CN=ameyer31"
src-dn="\IDVT\Customer\Data\Users\ameyer31" src-entry-id="73592"
timestamp="1430837478#1">
<modify-attr attr-name="Group Membership">
<add-value>
<value timestamp="1430837478#1"
type="dn">\T=IDVT\O=Customer\OU=Data\OU=Groups\OU= Identity
Types\CN=Primary - EMPLOYEE_IT</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[05/05/15 09:51:18.290]:**RRSD** ST:Applying event transformation
policies.
[05/05/15 09:51:18.291]:**RRSD** ST:Applying policy:
%+C%14CNOVLRSERVB-sub-etp%-C.
[05/05/15 09:51:18.291]:**RRSD** ST: Applying to modify #1.
[05/05/15 09:51:18.291]:**RRSD** ST: Evaluating selection criteria
for rule 'Ignore everything except add, modify, and sync for all
classes'.
[05/05/15 09:51:18.292]:**RRSD** ST: (if-operation not-match
"add|modify|sync") = FALSE.
[05/05/15 09:51:18.292]:**RRSD** ST: Rule rejected.
[05/05/15 09:51:18.293]:**RRSD** ST: Evaluating selection criteria
for rule 'Cleanup the entitlement results for entitlements granted by
NRF'.
[05/05/15 09:51:18.293]:**RRSD** ST: (if-operation equal "modify")
= TRUE.
[05/05/15 09:51:18.294]:**RRSD** ST: (if-op-attr
'DirXML-EntitlementResult' changing) = FALSE.
[05/05/15 09:51:18.294]:**RRSD** ST: Rule rejected.
[05/05/15 09:51:18.294]:**RRSD** ST: Evaluating selection criteria
for rule 'Convert the event into a custom command to send to the
driver'.
[05/05/15 09:51:18.295]:**RRSD** ST: Rule selected.
[05/05/15 09:51:18.295]:**RRSD** ST: Applying rule 'Convert the event
into a custom command to send to the driver'.
[05/05/15 09:51:18.296]:**RRSD** ST: Action:
do-set-local-variable("command",scope="policy",token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())).
[05/05/15 09:51:18.297]:**RRSD** ST:
arg-string(token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name()))
[05/05/15 09:51:18.297]:**RRSD** ST:
token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())
[05/05/15 09:51:18.298]:**RRSD** ST:
token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())
[05/05/15 09:51:18.299]:**RRSD** ST: token-class-name()
[05/05/15 09:51:18.299]:**RRSD** ST: Token Value:
"User".
[05/05/15 09:51:18.299]:**RRSD** ST: Arg Value: "User".
[05/05/15 09:51:18.299]:**RRSD** ST: Token Value:
"nrf:identity".
[05/05/15 09:51:18.300]:**RRSD** ST: Arg Value:
"nrf:identity".
[05/05/15 09:51:18.300]:**RRSD** ST: Action:
do-append-xml-element("$command$","..").
[05/05/15 09:51:18.301]:**RRSD** ST: Expanded variable reference
'$command$' to 'nrf:identity'.
[05/05/15 09:51:18.301]:**RRSD** ST: Action:
do-set-xml-attr("dn","../nrf:*",token-xpath("@qualified-src-dn")).
[05/05/15 09:51:18.302]:**RRSD** ST:
arg-string(token-xpath("@qualified-src-dn"))
[05/05/15 09:51:18.302]:**RRSD** ST:
token-xpath("@qualified-src-dn")
[05/05/15 09:51:18.302]:**RRSD** ST: Token Value:
"O=Customer\OU=Data\OU=Users\CN=ameyer31".
[05/05/15 09:51:18.303]:**RRSD** ST: Arg Value:
"O=Customer\OU=Data\OU=Users\CN=ameyer31".
[05/05/15 09:51:18.303]:**RRSD** ST: Action: do-if().
[05/05/15 09:51:18.307]:**RRSD** ST: Evaluating conditions.
[05/05/15 09:51:18.308]:**RRSD** ST: (if-op-attr
'nrfChildRoles' changing) = FALSE.
[05/05/15 09:51:18.308]:**RRSD** ST: Action: do-if().
[05/05/15 09:51:18.308]:**RRSD** ST: Evaluating conditions.
[05/05/15 09:51:18.309]:**RRSD** ST: (if-op-attr
'nrfAssignedResources' changing) = FALSE.
[05/05/15 09:51:18.309]:**RRSD** ST: Performing else actions.
[05/05/15 09:51:18.309]:**RRSD** ST: Evaluating selection criteria
for rule 'Get rid of any association that might be there and veto the
original event'.
[05/05/15 09:51:18.310]:**RRSD** ST: Rule selected.
[05/05/15 09:51:18.310]:**RRSD** ST: Applying rule 'Get rid of any
association that might be there and veto the original event'.
[05/05/15 09:51:18.311]:**RRSD** ST: Action: do-if().
[05/05/15 09:51:18.311]:**RRSD** ST: Evaluating conditions.
[05/05/15 09:51:18.311]:**RRSD** ST: (if-association available)
= FALSE.
[05/05/15 09:51:18.312]:**RRSD** ST: Performing else actions.
[05/05/15 09:51:18.312]:**RRSD** ST: Action: do-if().
[05/05/15 09:51:18.312]:**RRSD** ST: Evaluating conditions.
[05/05/15 09:51:18.313]:**RRSD** ST: (if-xpath true
"association/@state='migrate'") = FALSE.
[05/05/15 09:51:18.313]:**RRSD** ST: Action: do-veto().
[05/05/15 09:51:18.313]:**RRSD** ST:Policy returned:
[05/05/15 09:51:18.314]:**RRSD** ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<nrf:identity dn="O=Customer\OU=Data\OU=Users\CN=ameyer31"
xmlns:nrf="urn:dirxml:nrf"/>
</input>
</nds>
[05/05/15 09:51:18.315]:**RRSD** ST:Subscriber processing identity for
..
[05/05/15 09:51:18.315]:**RRSD** ST:Submitting unknown event to
subscriber shim.
[05/05/15 09:51:18.316]:**RRSD** ST:No command transformation policies.
[05/05/15 09:51:18.316]:**RRSD** ST:Filtering out notification-only
attributes.
[05/05/15 09:51:18.317]:**RRSD** ST:Fixing up association references.
[05/05/15 09:51:18.317]:**RRSD** ST:No schema mapping policies.
[05/05/15 09:51:18.317]:**RRSD** ST:No output transformation policies.
[05/05/15 09:51:18.318]:**RRSD** ST:Submitting document to subscriber
shim:
[05/05/15 09:51:18.318]:**RRSD** ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<nrf:identity dn="O=Customer\OU=Data\OU=Users\CN=ameyer31"
event-id="0" xmlns:nrf="urn:dirxml:nrf"/>
</input>
</nds>
[05/05/15 09:51:18.320]:**RRSD** ST:: Recalculating roles for identity:
O=Customer\OU=Data\OU=Users\CN=ameyer31
[05/05/15 09:51:18.324]:**RRSD** ST:: Role sync operation ignored
because container is out of scope
Container DN: O=Customer
User-Group root DN: Customer\Data
[05/05/15 09:51:18.340]:**RRSD** ST:: Process Equivalent To Me
Role: Process Equivalent To Me
Role:
O=Customer\OU=services\CN=DriverSet\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level30\CN=Primary
- EMPLOYEE_IT
Operation: 5
Identity: O=Customer\OU=Data\OU=Users\CN=ameyer31
Operation: {1}
Identity: {2}
[05/05/15 09:51:18.358]:**RRSD** ST:SubscriptionShim.execute()
returned:
[05/05/15 09:51:18.358]:**RRSD** ST:
<nds dtdversion="4.0">
<source>
<product instance="Role and Resource Service Driver"
version="4.5.0.0">NetIQ Role Service Driver</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="error">Error creating resource request
DN:
O=Customer\OU=services\CN=DriverSet\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150505095118-a72e18ffdd33454f825bcfa12173c764-0
Reason: novell.jclient.JCException: createEntry -613
ERR_SYNTAX_VIOLATION</status>
<status event-id="0" level="error">Error recalculating roles
Identity: O=Customer\OU=Data\OU=Users\CN=ameyer31
Reason: novell.jclient.JCException: createEntry -613
ERR_SYNTAX_VIOLATION</status>
</output>
</nds>

I have verified my entitlements are all using IDM4 syntax, as they were
before adminua was deleted. (i.e. I'm pretty sure it's not the
entitlement config.)

Any ideas where to look next, or even a simple total fix, appreciated.
:-)


--
folboteur