Hi, I can't figure this out. Maybe I have the wrong approach, I am still a newbie.

What I am trying to do:
Based on some attribute changing on the subscriber channel, I want the policy to remove the user from all its groups (except the default one of course; the connected application is AD).

My approach:
The rule has an action that queries Destination Attribute Values (nodeset): memberOf and does a for-each on them; in each iteration it should remove the user's DN from the group.

My issue:
The main issue is that when the policy queries for the memberOf attribute, the schema mapping policy gets in the way and the returned nodeset is in the IDVault's format, while it is expected to be in AD format.


The rule in the policy looks very close to this (I have just removed some extra stuff that should not be relevant, and also removed 'remove destination attribute value' because the issue is before it).
Code:
	<rule>
		<description>Move User to new destination</description>
		<conditions>
			<and>
				<if-class-name mode="nocase" op="equal">User</if-class-name>
				<if-operation mode="nocase" op="equal">modify</if-operation>
				<if-op-attr name="Some attribute" op="changing"/>
			</and>
		</conditions>
		<actions>
			<do-set-local-variable name="target-container" scope="policy">
				<arg-string>
					<token-parse-dn src-dn-format="dest-dn">
						<token-attr name="Some attribute"/>
					</token-parse-dn>
				</arg-string>
			</do-set-local-variable>
			<do-set-local-variable name="XXX-user-dn" scope="policy">
				<arg-string>
					<token-resolve datastore="dest">
						<arg-association>
							<token-association/>
						</arg-association>
					</token-resolve>
				</arg-string>
			</do-set-local-variable>
			<do-for-each>
				<arg-node-set>
					<token-dest-attr class-name="User" name="memberOf">
						<arg-dn>
							<token-local-variable name="XXX-user-dn"/>
						</arg-dn>
					</token-dest-attr>
				</arg-node-set>
				<arg-actions>
					<do-trace-message>
						<arg-string>
							<token-text xml:space="preserve">Debug memberOf: </token-text>
							<token-local-variable name="current-node"/>
						</arg-string>
					</do-trace-message>
					<do-remove-dest-attr-value class-name="Group" disabled="true" name="member" notrace="true">
						<arg-dn>
							<token-local-variable name="current-node"/>
						</arg-dn>
						<arg-value type="dn">
							<token-parse-dn>
								<token-local-variable name="XXX-user-dn"/>
							</token-parse-dn>
						</arg-value>
					</do-remove-dest-attr-value>
				</arg-actions>
			</do-for-each>
			<do-for-each>
				<arg-node-set>
					<token-dest-attr class-name="User" name="Group Membership">
						<arg-dn>
							<token-local-variable name="XXX-user-dn"/>
						</arg-dn>
					</token-dest-attr>
				</arg-node-set>
				<arg-actions>
					<do-trace-message>
						<arg-string>
							<token-text xml:space="preserve">Debug: Grp member: </token-text>
							<token-local-variable name="current-node"/>
						</arg-string>
					</do-trace-message>
					<do-remove-dest-attr-value class-name="Group" disabled="true" name="member" notrace="true">
						<arg-dn>
							<token-local-variable name="current-node"/>
						</arg-dn>
						<arg-value type="dn">
							<token-parse-dn>
								<token-local-variable name="XXX-user-dn"/>
							</token-parse-dn>
						</arg-value>
					</do-remove-dest-attr-value>
				</arg-actions>
			</do-for-each>
		</actions>
	</rule>

Here is the Level 3 trace.

Here you can see how the Destination Attribute query gets changed by the SMP (memberOf -> Group Membership), and then the for-each does not have anything to loop through: Arg Value: {}.

Code:
<nds dtdversion="1.1" ndsversion="8.7">
  <source>
    <product asn1id="" build="20170106_120000" instance="\IDVAULT\xxx\DriverSet\Active Directory Driver" version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <instance class-name="user" event-id="0" src-dn="CN=user,OU=SomeOU,OU=Users,OU=XXX,DC=XX">
      <association>fec4b293294ee54a8e65d594da60db1d</association>
      <attr attr-name="memberOf">
        <value association-ref="4ee4fbc922701d4ea8e07f3db8009f0e" naming="true" type="dn">CN=SG-AAA,OU=AAA,OU=Users,OU=XXX,DC=XX</value>
        <value association-ref="ee8b4d6d71b27f46a4814429f15b8558" naming="true" type="dn">CN=SG-BBB,OU=BBB,OU=XXX-AMB,OU=XXX XX,OU=XXX,OU=Users,OU=XXX,DC=XX</value>
        <value association-ref="174221a6180a90458432740029200047" naming="true" type="dn">CN=SG-CCC,OU=CCC,OU=CCCCC,OU=KRO,OU=Users,OU=XXX,DC=XX</value>
        <value association-ref="dc7a0ae5a4225b4ba60491ebaea6dadf" naming="true" type="dn">CN=SG-DDD,OU=DDD,OU=DDDDD,OU=Users,OU=XXX,DC=XX</value>
        <value association-ref="bde1c05c0ac67a4198310ca34219f49f" naming="true" type="dn">CN=SG-EEE,OU=EEE,OU=EEEEE,OU=Users,OU=XXX,DC=XX</value>
        <value association-ref="ebf0ded76db88e46833706dd06633565" naming="true" type="dn">CN=SG-FFF,OU=SomeOU,OU=Users,OU=XXX,DC=XX</value>
        <value association-ref="82238ed7daa16b4a85aabca8c9f7ad6d" naming="true" type="dn">CN=SG-GGG,OU=GGG,OU=Users,OU=XXX,DC=XX</value>
      </attr>
    </instance>
    <status event-id="0" level="success"/>
  </output>
</nds>
[07/02/17 19:52:01.803]:Active Directory Driver ST:            Applying schema mapping policies to input.
[07/02/17 19:52:01.804]:Active Directory Driver ST:            Applying policy: %+C%14CNOVLADDCFG-smp%-C.
[07/02/17 19:52:01.804]:Active Directory Driver ST:              Mapping class-name 'user' to 'User'.
[07/02/17 19:52:01.804]:Active Directory Driver ST:              Mapping attr-name 'memberOf' to 'Group Membership'.
[07/02/17 19:52:01.805]:Active Directory Driver ST:            Applying policy: %+C%14CNOVLADENTEX-smp%-C.
[07/02/17 19:52:01.805]:Active Directory Driver ST:              No mapping for class-name 'User'.
[07/02/17 19:52:01.806]:Active Directory Driver ST:            Resolving association references.
[07/02/17 19:52:01.810]:Active Directory Driver ST:            Query from policy result
[07/02/17 19:52:01.811]:Active Directory Driver ST:            
<nds dtdversion="1.1" ndsversion="8.7">
  <source>
    <product asn1id="" build="20170106_120000" instance="\IDVAULT\xxx\DriverSet\Active Directory Driver" version="4.0.2.1">AD</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <instance class-name="User" event-id="0" src-dn="CN=user,OU=SomeOU,OU=Users,OU=XXX,DC=XX">
      <association>fec4b293294ee54a8e65d594da60db1d</association>
      <attr attr-name="Group Membership">
        <value naming="true" type="dn">\IDVAULT\data\groups\SG-AAA</value>
        <value naming="true" type="dn">\IDVAULT\data\groups\SG-BBB</value>
        <value naming="true" type="dn">\IDVAULT\data\groups\SG-CCC</value>
        <value naming="true" type="dn">\IDVAULT\data\groups\SG-DDD</value>
        <value naming="true" type="dn">\IDVAULT\data\groups\SG-EEE</value>
        <value naming="true" type="dn">\IDVAULT\data\groups\SG-FFF</value>
        <value naming="true" type="dn">\IDVAULT\data\groups\SG-GGG</value>
      </attr>
    </instance>
    <status event-id="0" level="success"/>
  </output>
</nds>
[07/02/17 19:52:01.814]:Active Directory Driver ST:            arg-dn(token-local-variable("xxx-user-dn"))
[07/02/17 19:52:01.815]:Active Directory Driver ST:              token-local-variable("xxx-user-dn")
[07/02/17 19:52:01.815]:Active Directory Driver ST:                Token Value: "CN=user,OU=SomeOU,OU=Users,OU=XXX,DC=XX".
[07/02/17 19:52:01.815]:Active Directory Driver ST:              Arg Value: "CN=user,OU=SomeOU,OU=Users,OU=XXX,DC=XX".
[07/02/17 19:52:01.816]:Active Directory Driver ST:          Token Value: {}.
[07/02/17 19:52:01.816]:Active Directory Driver ST:          Arg Value: {}.

If I query the Destination Attribute "Group Membership", there is stuff to loop through, but it is in IDV format. Can someone please look at what I am doing here and tell me how to achieve the correct format, or suggest another approach? I tried more approaches, but decided to use this one because in production it will be possible that a user in AD is in a group that is not synced to IDV, and the only thing the policy has to care about is to remove ALL groups from the user.