IDM 4.5.2

This looks like a bug to me. Can anyone confirm?

Drive matching policy the query that this generates is manipulated by
an output transform which is supposed to replace part of the desired
match value (attr-a) with data from another attribute (call it attr-b).

Match attr-a is schema mapped from CN to UserPrincipalName in the
application namespace
attr-b is not schema mapped.

Using token-attr and specifying attr-b I see no query back to IDvault
and the replaced/appended value that should dervice from attr-b is thus
empty.

Docs say that this should be a union of the current operation and
source.

The add operation which triggered the matching query does have attr-b
as an attribute.

input to matching policy.

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.2.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<add cached-time="20160506111929.050Z" class-name="User"
event-id="dev-idm-01#20160506111929#1#1:804d9387-2da5-448f-2b88-87934d80
a52d" qualified-src-dn="O=ACME\OU=Users\OU=Students\CN=TestA"
src-dn="\DEV\ACME\Users\Students\TestA" src-entry-id="49947"
timestamp="0#0">
<add-attr attr-name="brfkO365UPN">
<value timestamp="1462520704#2"
type="string">TestA@student.ACME.onmicrosoft.com</value>
</add-attr>
<add-attr attr-name="CN">
<value naming="true" timestamp="1458658770#531"
type="string">TestA</value>
</add-attr>
<add-attr attr-name="DirXML-Associations">
<value timestamp="1462524842#11" type="structured">
<component name="nameSpace">1</component>
<component
name="volume">\DEV\ACME\Services\IDM\Driver
Set\UserApplication</component>
<component name="path">"AnAssociation"</component>
</value>
</add-attr>
<add-attr attr-name="DirXML-EntitlementRef">
<value timestamp="1462531225#31" type="structured">
<component name="nameSpace">1</component>
<component
name="volume">\DEV\ACME\Services\IDM\Driver
Set\O365-ACME-A\License</component>
<component name="path.xml">
<ref>
<src>UA</src>
<id/>

<param>{"ID":"ACME:ENTERPRISEPREMIUM"}</param>
</ref>
</component>
</value>
<value timestamp="1462533330#3" type="structured">
<component name="nameSpace">1</component>
<component
name="volume">\DEV\ACME\Services\IDM\Driver
Set\O365-ACME-A\UserAccount</component>
<component name="path.xml">
<ref>
<src>UA</src>
<id/>
<param>{"ID":"ACME.onmicrosoft.com"}</param>
</ref>
</component>
</value>
</add-attr>
<add-attr attr-name="Full Name">
<value timestamp="1458658770#619" type="string">A
Test</value>
</add-attr>
<add-attr attr-name="Given Name">
<value timestamp="1458658770#492"
type="string">A</value>
</add-attr>
<add-attr attr-name="Internet EMail Address">
<value timestamp="1458687614#20"
type="string">TestA@student.ACME.no</value>
</add-attr>
<add-attr attr-name="Login Disabled">
<value timestamp="1461938666#5"
type="state">false</value>
</add-attr>
<add-attr attr-name="nspmDistributionPassword">
<!-- content suppressed -->
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1458658770#506"
type="string">Test</value>
</add-attr>
<operation-data attempt-to-match="true"
unmatched-src-dn="Students\TestA"/>
</add>
</input>
</nds>



match generates a query which looks like this just prior to problematic
rule in output transform:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.2.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="MSolUser" event-id="0" scope="subtree">
<search-class class-name="MSolUser"/>
<search-attr attr-name="UserPrincipalName">
<value type="string">TestA@ACME.onmicrosoft.com</value>
</search-attr>
<search-attr attr-name="employeeType">
<value type="string">Student</value>
</search-attr>
<read-attr/>
</query>
</input>
</nds>

[05/06/16 13:31:30.241]:O365-ACME-A ST: Applying policy:
%+C%14CACMEOFFICUSTA-otp-Transform%-C.
[05/06/16 13:31:30.241]:O365-ACME-A ST: Applying to query #1.
[05/06/16 13:31:30.241]:O365-ACME-A ST: Evaluating selection
criteria for rule 'Update add user event '.
[05/06/16 13:31:30.241]:O365-ACME-A ST: (if-class-name
equal "MSolUser") = TRUE.
[05/06/16 13:31:30.241]:O365-ACME-A ST: (if-operation
equal "add") = FALSE.
[05/06/16 13:31:30.241]:O365-ACME-A ST: Rule rejected.
[05/06/16 13:31:30.241]:O365-ACME-A ST: Evaluating selection
criteria for rule 'Check Query'.
[05/06/16 13:31:30.242]:O365-ACME-A ST: (if-operation
equal "query") = TRUE.
[05/06/16 13:31:30.242]:O365-ACME-A ST: (if-xpath true
"./search-attr[@attr-name='UserPrincipalName']") = TRUE.
[05/06/16 13:31:30.242]:O365-ACME-A ST: (if-xpath true
"./search-attr[@attr-name='employeeType']") = TRUE.
[05/06/16 13:31:30.242]:O365-ACME-A ST: Rule selected.
[05/06/16 13:31:30.242]:O365-ACME-A ST: Applying rule 'Check
Query'.
[05/06/16 13:31:30.242]:O365-ACME-A ST: Action:
do-strip-xpath("./search-attr[@attr-name='employeeType']").
[05/06/16 13:31:30.242]:O365-ACME-A ST: Action:
do-for-each(arg-node-set(token-xpath("./search-attr[@attr-name='UserPrin
cipalName']"))).
[05/06/16 13:31:30.242]:O365-ACME-A ST:
arg-node-set(token-xpath("./search-attr[@attr-name='UserPrincipalName']"
))
[05/06/16 13:31:30.243]:O365-ACME-A ST:
token-xpath("./search-attr[@attr-name='UserPrincipalName']")
[05/06/16 13:31:30.243]:O365-ACME-A ST: Token Value:
{<search-attr> @attr-name = "UserPrincipalName"}.
[05/06/16 13:31:30.243]:O365-ACME-A ST: Arg Value:
{<search-attr> @attr-name = "UserPrincipalName"}.
[05/06/16 13:31:30.243]:O365-ACME-A ST: Performing
actions for local-variable(current-node) = <search-attr> @attr-name =
"UserPrincipalName".
[05/06/16 13:31:30.243]:O365-ACME-A ST: Action:
do-set-local-variable("userPrincipalName",scope="policy",token-xpath("$c
urrent-node/value/text()")).
[05/06/16 13:31:30.243]:O365-ACME-A ST:
arg-string(token-xpath("$current-node/value/text()"))
[05/06/16 13:31:30.243]:O365-ACME-A ST:
token-xpath("$current-node/value/text()")
[05/06/16 13:31:30.244]:O365-ACME-A ST: Token
Value: "TestA@ACME.onmicrosoft.com".
[05/06/16 13:31:30.244]:O365-ACME-A ST: Arg Value:
"TestA@ACME.onmicrosoft.com".
[05/06/16 13:31:30.244]:O365-ACME-A ST: Action:
do-strip-xpath("$current-node/value/text()").
[05/06/16 13:31:30.244]:O365-ACME-A ST: Action:
do-append-xml-text("$current-node/value",token-attr("ACMEO365UPN")).
[05/06/16 13:31:30.244]:O365-ACME-A ST:
arg-string(token-attr("ACMEO365UPN"))
[05/06/16 13:31:30.244]:O365-ACME-A ST:
token-attr("ACMEO365UPN")
[05/06/16 13:31:30.244]:O365-ACME-A ST: Token
Value: "".
[05/06/16 13:31:30.244]:O365-ACME-A ST: Arg Value:
"".