I have a requirement to do role-based provisioning to an LDAP end
system. I am able to add and remove an account at the end system based on
the role assignment. Also, there is only a single role to perform the
role provisioning. However, I have noticed an issue when I tried to add
the role again (a second time for a user) to provision the user again to
the end system. The role got added to the user. However, the account did
not get created in the end system, and hence the association also did not
happen. On examining the logs, I identified that the Subscriber matching
policy is vetoing the operation for the reason below:

Applying policy: %+C%14CLDAPCFG-sub-mp-MatchEntitlementCheck%-C.
Applying to add #1.
Evaluating selection criteria for rule 'Veto if User not entitled to an
(if-class-name equal "TestLDAP") = TRUE.
(if-global-variable 'drv.entitlement.Account' equal "true") = TRUE.
Query from policy
(if-entitlement 'Account' not-available) = TRUE.
Rule selected.
Applying rule 'Veto if User not entitled to an account'.
Policy returned:
Action: do-veto().

Can someone please suggest a solution for this issue?


srin's Profile: https://forums.netiq.com/member.php?userid=12885
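The trace in the post is the Subscriber matching policy walking three conditions (driver class name, the `drv.entitlement.Account` GCV, and `if-entitlement 'Account' not-available`) and vetoing the add when the last one is true. The Python below is an added model of that rule written for this thread; it is not the poster's policy or any NetIQ/IDM code. It assumes that entitlement availability is read from the user's `DirXML-EntitlementRef` values in the form `<entitlement DN>#<state>#<payload>`, with state `1` meaning granted and `0` meaning revoked (that encoding is an assumption for this example, as is the constructed sample user data), and it shows why a user whose only `Account` reference is in the revoked state still trips the veto even though the role is assigned.

```python
# Added model of the "Veto if User not entitled to an account" matching-policy rule.
# Not IDM code: a plain-Python reconstruction used to explain the veto in the trace.

ENT_STATE_REVOKED = 0   # assumption: state 0 = revoked
ENT_STATE_GRANTED = 1   # assumption: state 1 = granted


def parse_entitlement_ref(value):
    """Split an assumed 'dn#state#payload' DirXML-EntitlementRef value."""
    dn, state, payload = value.split("#", 2)
    return dn, int(state), payload


def entitlement_available(user, entitlement_name):
    """True only if the user holds a *granted* reference to the named entitlement."""
    wanted_rdn = f"cn={entitlement_name}".lower()
    for value in user.get("DirXML-EntitlementRef", []):
        dn, state, _payload = parse_entitlement_ref(value)
        if dn.split(",")[0].lower() == wanted_rdn and state == ENT_STATE_GRANTED:
            return True
    return False


def evaluate_veto_rule(event, gcv, user):
    """Evaluate the three conditions from the trace; return (vetoed, trace_lines)."""
    trace = []
    checks = [
        ('(if-class-name equal "TestLDAP")',
         event.get("class-name") == "TestLDAP"),
        ("(if-global-variable 'drv.entitlement.Account' equal \"true\")",
         gcv.get("drv.entitlement.Account") == "true"),
        ("(if-entitlement 'Account' not-available)",
         not entitlement_available(user, "Account")),
    ]
    for label, result in checks:
        trace.append(f"{label} = {'TRUE' if result else 'FALSE'}.")
        if not result:
            trace.append("Rule rejected.")
            return False, trace
    trace.append("Rule selected.")
    trace.append("Action: do-veto().")
    return True, trace


# Constructed sample data (not from the post). The add event and GCV match the trace;
# the two users differ only in the state of their Account entitlement reference.
ADD_EVENT = {"event": "add", "class-name": "TestLDAP", "src-dn": "\\TREE\\data\\users\\jdoe"}
GCV = {"drv.entitlement.Account": "true"}
ENT_DN = "cn=Account,cn=TestLDAP,cn=DriverSet,o=system"

USER_REVOKED_REF = {  # left over from the earlier role removal
    "DirXML-EntitlementRef": [f"{ENT_DN}#{ENT_STATE_REVOKED}#<ref/>"],
}
USER_GRANTED_REF = {
    "DirXML-EntitlementRef": [f"{ENT_DN}#{ENT_STATE_GRANTED}#<ref/>"],
}


def demo():
    """Return whether each sample user is vetoed, for a quick look at the two cases."""
    vetoed_revoked, _ = evaluate_veto_rule(ADD_EVENT, GCV, USER_REVOKED_REF)
    vetoed_granted, _ = evaluate_veto_rule(ADD_EVENT, GCV, USER_GRANTED_REF)
    return {"revoked_ref": vetoed_revoked, "granted_ref": vetoed_granted}


if __name__ == "__main__":
    for name, user in (("revoked", USER_REVOKED_REF), ("granted", USER_GRANTED_REF)):
        vetoed, lines = evaluate_veto_rule(ADD_EVENT, GCV, user)
        print(f"--- user with {name} Account reference ---")
        print("\n".join(lines))
        print("vetoed:", vetoed)
```

The point of the model is that the veto does not look at the role at all: it only asks whether a granted `Account` entitlement value is present when the add reaches the Subscriber channel. When checking a real trace, compare the user's `DirXML-EntitlementRef` values at the moment of the second add against what the rule expects, rather than the role membership.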