I'm feeling abit stupid here, but I simply cannot see what the problem is:

The following code, should in my opinion match, and thus set the local variable lOK to "false".
But it does not..... why oh why, here is the rule:

Code:
<do-for-each>
	<arg-node-set>
		<token-src-attr name="nrfAssociatedRoles"/>
	</arg-node-set>
	<arg-actions>
		<do-set-local-variable name="lcurrChild" scope="policy">
			<arg-node-set>
				<token-query datastore="src">
					<arg-dn>
						<token-xpath expression="$current-node/component[@name='volume']/text()"/>
					</arg-dn>
				</token-query>
			</arg-node-set>
		</do-set-local-variable>
		<do-for-each>
			<arg-node-set>
				<token-local-variable name="lcurrChild"/>
			</arg-node-set>
			<arg-actions>
				<do-set-local-variable name="lOK" scope="policy">
					<arg-string>
						<token-text xml:space="preserve">true</token-text>
					</arg-string>
				</do-set-local-variable>
				<do-set-local-variable name="lCurrentRole" scope="policy">
					<arg-string>
						<token-xpath expression="$current-node/@src-dn"/>
					</arg-string>
				</do-set-local-variable>
				<do-for-each>
					<arg-node-set>
						<token-global-variable name="drv.except"/>
					</arg-node-set>
					<arg-actions>
						<do-set-local-variable name="lContainer" scope="policy">
							<arg-string>
								<token-xpath expression='$current-node/definition[@name="container"]/value/text()'/>
							</arg-string>
						</do-set-local-variable>
						<do-if>
							<arg-conditions>
								<and>
									<if-local-variable mode="regex" name="lCurrentRole" op="equal">.*$lContainer$.*</if-local-variable>
								</and>
							</arg-conditions>
							<arg-actions>
								<do-set-local-variable name="lOK" scope="policy">
									<arg-string>
										<token-text xml:space="preserve">false</token-text>
									</arg-string>
								</do-set-local-variable>
							</arg-actions>
							<arg-actions/>
						</do-if>
					</arg-actions>
				</do-for-each>
				<do-if>
					<arg-conditions>
						<and>
							<if-local-variable mode="nocase" name="lOK" op="equal">true</if-local-variable>
						</and>
					</arg-conditions>
					<arg-actions>
						<do-set-local-variable name="lAssignments" scope="policy">
							<arg-string>
								<token-local-variable name="lAssignments"/>
								<token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
									<token-xpath expression="$current-node/@qualified-src-dn"/>
								</token-parse-dn>
								<token-text xml:space="preserve">|</token-text>
							</arg-string>
						</do-set-local-variable>
					</arg-actions>
					<arg-actions/>
				</do-if>
			</arg-actions>
		</do-for-each>
	</arg-actions>
</do-for-each>
And here is the relevant portion of the trace:

Code:
Action: do-set-local-variable("lOK",scope="policy","true").
  arg-string("true")
    token-text("true")
    Arg Value: "true".
Action: do-set-local-variable("lCurrentRole",scope="policy",token-xpath("$current-node/@src-dn")).
  arg-string(token-xpath("$current-node/@src-dn"))
    token-xpath("$current-node/@src-dn")
      Token Value: "\BLACKPILL\system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation\Struct\Dept\956e45e0-b465-ce28-5ee0-c54a6ae8229e".
    Arg Value: "\BLACKPILL\system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation\Struct\Dept\956e45e0-b465-ce28-5ee0-c54a6ae8229e".
Action: do-for-each(arg-node-set(token-global-variable("drv.except"))).
  arg-node-set(token-global-variable("drv.except"))
    token-global-variable("drv.except")
    Token Value: {<instance>}.
    Arg Value: {<instance>}.
  Performing actions for local-variable(current-node) = <instance>.
    Action: do-set-local-variable("lContainer",scope="policy",token-xpath("$current-node/definition[@name="container"]/value/text()")).
      arg-string(token-xpath("$current-node/definition[@name="container"]/value/text()"))
        token-xpath("$current-node/definition[@name="container"]/value/text()")
          Token Value: "system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation".
        Arg Value: "system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation".
    Action: do-if().
      Evaluating conditions.
        Expanded variable reference '$lContainer$' to 'system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation'.
        (if-local-variable 'lCurrentRole' match ".*$lContainer$.*") = FALSE.
      Performing else actions.
Action: do-if().
  Evaluating conditions.
    (if-local-variable 'lOK' equal "true") = TRUE.
Why does it not match? Anyone?

-Nicolai