So, it appears CODE MAP is not populating correctly.

Turning up the com.novell.idm.nrf.persist and com.novell.idm.nrf.service logging to TRACE doesn't appear to give anything useful.

The EntitlementConfiguration object appears to be correctly written:

Code:
<?xml version="1.0" encoding="UTF-8"?><entitlement-configuration modified="20170712014044">
    <entitlements>
        <entitlement data-collection="true" dn="CN=ExchangeMailbox,CN=TAD-CRUDE,CN=DS1,OU=IDM,O=admin" parameter-format="idm4" resource-mapping="true" role-mapping="true">
            <type category="other account" id="mailbox" name="mailbox">
                <display-name>
                    <value langCode="de">Postfach</value>
                    <value langCode="en">Mailbox</value>
                </display-name>
            </type>
            <native-value source="src-dn"/>
        </entitlement>
        <entitlement data-collection="true" dn="CN=Group,CN=TAD-CRUDE,CN=DS1,OU=IDM,O=admin" parameter-format="idm4" resource-mapping="true" role-mapping="true">
            <type category="security grouping" id="group" name="group">
                <display-name>
                    <value langCode="de">Gruppe</value>
                    <value langCode="en">Group</value>
                </display-name>
            </type>
            <parameters>
                <parameter mandatory="true" name="ID" source="association"/>
                <parameter mandatory="true" name="ID2" source="src-dn"/>
            </parameters>
            <native-value source="src-dn"/>
            <member-assignment-extensions>
                <query-xml>
                    <read-attr attr-name="member"/>
                </query-xml>
            </member-assignment-extensions>
            <query-extensions>
                <query-xml>
                    <read-attr attr-name="owner"/>
                    <read-attr attr-name="sAMAccountName"/>
                    <operation-data data-collection-query="true"/>
                </query-xml>
            </query-extensions>
        </entitlement>
        <entitlement data-collection="true" dn="CN=UserAccount,CN=TAD-CRUDE,CN=DS1,OU=IDM,O=admin" parameter-format="idm4" resource-mapping="true" role-mapping="true">
            <type category="security account" id="user" name="account">
                <display-name>
                    <value langCode="de">Benutzer</value>
                    <value langCode="en">User</value>
                </display-name>
            </type>
            <parameters>
                <parameter mandatory="true" name="ID" source="read-attr" source-name="ADDomainValue"/>
            </parameters>
            <member-assignment-query>
                <query-xml>
                    <nds dtdversion="2.0">
                        <input>
                            <query class-name="User" scope="subtree">
                                <search-class class-name="User"/>
                                <read-attr/>
                            </query>
                        </input>
                    </nds>
                </query-xml>
            </member-assignment-query>
            <query-extensions>
                <query-xml>
                    <read-attr attr-name="dirxml-uACAccountDisable"/>
                    <read-attr attr-name="userPrincipalName"/>
                    <read-attr attr-name="sAMAccountName"/>
                    <operation-data data-collection-query="true"/>
                </query-xml>
            </query-extensions>
            <account>
                <account-id source="read-attr" source-name="sAMAccountName"/>
                <account-id source="read-attr" source-name="userPrincipalName"/>
                <account-id source="src-dn"/>
                <account-id source="association"/>
                <account-status active="false" inactive="true" source="read-attr" source-name="dirxml-uACAccountDisable"/>
            </account>
        </entitlement>
    </entitlements>
</entitlement-configuration>

The Group_Values object is eventually populated with the 37,863 rows correctly formatted with the DN and JSON reference (which takes close to an hour to complete).

However, the CODE MAP REFRESH says it fails on the CN=Group,CN=TAD-CRUDE,CN=DS1,OU=IDM,O=admin entitlement and, when I look at the dbo.PROVISIONING_CODE_MAP table, there are no entries for the above entitlements. There are also 2 legacy entitlements on the driver and they appear in the table, but when using the Resources UI that had them previously assigned, it correctly warns that they are no longer available.

This setup is fine in 2 previous environments where the group numbers are obviously significantly less.

- IDM45-Apps-SP-5
- IDM Engine Version 4.5.5.0
- netiq-DXMLrrsd-4.5.0-2