IDM 4.5.2 (will try and test with 4.5.3 shortly)

This is a pretty standard sub-ctp entitlement policy.

Entitlement revoked, associated
command transform cleanup/revoke association as determined by gcv

Expected result, remove association and veto original event.
Actual result, every *second* time I test, the association is not
removed even though the trace says success.


[06/10/16 11:32:22.464]:acme ST:Applying policy:
%+C%14Csub-ctp-EntitlementsImpl%-C.
[06/10/16 11:32:22.464]:acme ST: Applying to modify #1.
[06/10/16 11:32:22.464]:acme ST: Evaluating selection criteria for
rule 'UserAccount Entitlement change (Delete Option)'.
[06/10/16 11:32:22.465]:acme ST: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = TRUE.
[06/10/16 11:32:22.465]:acme ST: (if-global-variable
'drv.entitlement.remove' equal "delete") = FALSE.
[06/10/16 11:32:22.465]:acme ST: Rule rejected.
[06/10/16 11:32:22.465]:acme ST: Evaluating selection criteria for
rule 'UserAccount Entitlement change (Disable Option)'.
[06/10/16 11:32:22.465]:acme ST: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = TRUE.
[06/10/16 11:32:22.465]:acme ST: (if-global-variable
'drv.entitlement.remove' equal "disable") = TRUE.
[06/10/16 11:32:22.465]:acme ST: (if-class-name equal "User") =
TRUE.
[06/10/16 11:32:22.465]:acme ST: (if-operation match "add|modify")
= TRUE.
[06/10/16 11:32:22.465]:acme ST: (if-entitlement 'UserAccount'
changing) = TRUE.
[06/10/16 11:32:22.466]:acme ST: Rule selected.
[06/10/16 11:32:22.466]:acme ST: Applying rule 'UserAccount
Entitlement change (Disable Option)'.
[06/10/16 11:32:22.466]:acme ST: Action:
do-for-each(arg-node-set(token-removed-entitlement("UserAccount"))).
[06/10/16 11:32:22.466]:acme ST:
arg-node-set(token-removed-entitlement("UserAccount"))
[06/10/16 11:32:22.466]:acme ST:
token-removed-entitlement("UserAccount")
[06/10/16 11:32:22.466]:acme ST: Token Value:
{<entitlement-impl> @id = "" @name = "UserAccount" @qualified-src-dn =
"O=acme\OU=people\OU=employees\CN=user1" @src = "UA" @src-dn =
"\acme-TREE\acme\Pers
oner\employees\user1" @src-entry-id = "12345" @state = "0"}.
[06/10/16 11:32:22.466]:acme ST: Arg Value:
{<entitlement-impl> @id = "" @name = "UserAccount" @qualified-src-dn =
"O=acme\OU=people\OU=employees\CN=user1" @src = "UA" @src-dn =
"\acme-TREE\acme\Person
er\employees\user1" @src-entry-id = "12345" @state = "0"}.
[06/10/16 11:32:22.467]:acme ST: Performing actions for local-variable(current-node) = <entitlement-impl> @id = "" @name = "UserAccount" @qualified-src-dn = "O=acme\OU=people\OU=employees\CN=user1" @src = "UA" @src-dn = "\acme-tree\acme\people\employees\user1" @src-entry-id = "12345" @state = "0".
[06/10/16 11:32:22.470]:acme ST: Action:
do-remove-association(when="after",arg-association(token-association()))
..
[06/10/16 11:32:22.470]:acme ST:
arg-association(token-association())
[06/10/16 11:32:22.470]:acme ST: token-association()
[06/10/16 11:32:22.470]:acme ST: Token Value:
"{6BEE6FD9-9298-c146-1DB4-6BEE6FD99298}".
[06/10/16 11:32:22.471]:acme ST: Arg Value:
"{6BEE6FD9-9298-c146-1DB4-6BEE6FD99298}".
[06/10/16 11:32:22.471]:acme ST: Action: do-veto().
[06/10/16 11:32:22.488]:acme ST: Direct command from policy
[06/10/16 11:32:22.488]:acme ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.2.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<remove-association event-id="sr-ped-idm-01#20160610093222#1#1:3213196f-1296-4daa-fbb0-6f1913329612">{6BEE6FD9-9298-c146-1DB4-6BEE6FD99298}<operation-data>
<entitlement-impl id="" name="UserAccount" qualified-src-dn="O=acme\OU=people\OU=employees\CN=user1" src="UA" src-dn="\acme-tree\acme\people\employees\user1" src-entry-id="12345" state="0">{"ID":"acme-tree"}</entitlement-impl>
</operation-data>
</remove-association>
</input>
</nds>
[06/10/16 11:32:22.489]:acme ST: Pumping XDS to eDirectory.
[06/10/16 11:32:22.489]:acme ST: Performing operation
remove-association for .
[06/10/16 11:32:22.500]:acme ST: Processing returned document.
[06/10/16 11:32:22.500]:acme ST: Processing operation <status> for .
[06/10/16 11:32:22.500]:acme ST:
DirXML Log Event -------------------
Driver: \acme-TREE\acme\ICT\DirXML\Driver Set\acme
Channel: Subscriber
Object: \acme-tree\acme\people\employees\user1
Status: Success
[06/10/16 11:32:22.511]:acme ST: Direct command from policy result
[06/10/16 11:32:22.511]:acme ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.2.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="sr-ped-idm-01#20160610093222#1#1:3213196f-1296-4daa-fbb0-6f1913329612" level="success"><operation-data>
<entitlement-impl id="" name="UserAccount" qualified-src-dn="O=acme\OU=people\OU=employees\CN=user1" src="UA" src-dn="\acme-tree\acme\people\employees\user1" src-entry-id="12345" state="0">{"ID":"acme-tree"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>acme</module>
<object-dn>\acme-tree\acme\people\employees\user1</object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>
[06/10/16 11:32:22.512]:acme ST:Policy returned:
[06/10/16 11:32:22.512]:acme ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.2.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input/>
</nds>
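
One way to check for the symptom described above, as an added example that is not part of the original post: pair each remove-association command in a trace with its status by event-id, then flag associations that the trace reports as removed but that are still present on the object. The trace and the attribute values are constructed, and the `driverDN#state#association` layout of the read-back DirXML-Associations values is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed two-run trace in the format shown above (not the poster's data).
SAMPLE_TRACE = """\
[06/10/16 11:32:22.488]:acme ST: Direct command from policy
[06/10/16 11:32:22.488]:acme ST:
<nds dtdversion="4.0" ndsversion="8.x">
 <input><remove-association event-id="run1">{AAAA-0001}<operation-data/></remove-association></input>
</nds>
[06/10/16 11:32:22.511]:acme ST: Direct command from policy result
[06/10/16 11:32:22.511]:acme ST:
<nds dtdversion="4.0" ndsversion="8.x">
 <output><status event-id="run1" level="success"/></output>
</nds>
[06/10/16 11:40:02.120]:acme ST: Direct command from policy
[06/10/16 11:40:02.120]:acme ST:
<nds dtdversion="4.0" ndsversion="8.x">
 <input><remove-association event-id="run2">{AAAA-0002}</remove-association></input>
</nds>
[06/10/16 11:40:02.140]:acme ST: Direct command from policy result
[06/10/16 11:40:02.140]:acme ST:
<nds dtdversion="4.0" ndsversion="8.x">
 <output><status event-id="run2" level="success"/></output>
</nds>
"""
# Constructed DirXML-Associations values read back after both runs,
# assumed to be in "driverDN#state#association" form.
ASSOCS_AFTER = ["cn=acme,cn=Driver Set,o=acme#1#{AAAA-0002}"]

NDS_DOC = re.compile(r"<nds\b.*?</nds>", re.DOTALL)

def removal_results(trace):
    """Pair each remove-association command with its <status> by event-id."""
    commands, levels = {}, {}
    for doc in NDS_DOC.findall(trace):
        root = ET.fromstring(doc)
        for cmd in root.iter("remove-association"):
            commands[cmd.get("event-id")] = (cmd.text or "").strip()
        for status in root.iter("status"):
            levels[status.get("event-id")] = status.get("level")
    return [(eid, assoc, levels.get(eid, "no-status")) for eid, assoc in commands.items()]

def stale_after_success(trace, assoc_values):
    """Associations the trace reports removed that are still on the object."""
    present = {v.rsplit("#", 1)[-1] for v in assoc_values}
    return [(eid, assoc) for eid, assoc, level in removal_results(trace)
            if level == "success" and assoc in present]
```

The parser expects each XML document unwrapped, so a trace that has been hard-wrapped by mail or forum software needs its split attribute values and tags rejoined first.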