Novell Identity Manager Engine and Precedence for Operations

  • 3262313
  • 28-Nov-2007
  • 16-Mar-2012

Environment

Novell Identity Manager 3.0
Novell Identity Manager 3.5
Novell Identity Manager 3.5.1

Situation

Sometimes policy-based queries have failed because the source object was renamed while an IDM driver was processing a different event on that object. How can this be overcome? The query contained both the dest-dn and the association, and it failed using the DN. Why didn't it use the association?

Resolution

Even if your query contains both a dest-dn and an association, the engine will use only one of them, chosen by precedence. The precedence for operations is: dest-entry-id, dest-dn, association. That said, the best-practice recommendations are:

1. Use Policy Builder to query attributes using the current object. It will always pick the most specific way of identifying the target object that is available to it (which is almost always the entry-id when querying eDirectory). The same applies to everything else the engine does.

2. If you are building your own queries (as in your example) and want the association to be used as the target, do not specify the destination DN.
There is never a reason to specify both, because IDM will never use both; it uses only the one it considers the most specific.

The precedence listed above applies only to queries against eDirectory. When querying the connected application, the association should have the highest precedence. The precedence differs because an association is required to uniquely identify a single object in the connected application, whereas an eDirectory object can be associated with multiple objects in the connected application, and multiple eDirectory objects can be associated with a single object in the connected application.
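As an added illustration, not part of the TID or of the IDM engine itself, the following Python applies the precedence described above to an XDS query document. The query layout is the standard DirXML form (dest-dn and dest-entry-id as attributes, association as a child element); the sample DN, entry id and association value are constructed, and the fallback order used for the connected application after the association is an assumption.

```python
import xml.etree.ElementTree as ET

# Precedence stated in the TID. Against eDirectory the engine takes the most
# specific identifier present; against the connected application the
# association comes first (the fallback after it is an assumption here).
EDIR_PRECEDENCE = ("dest-entry-id", "dest-dn", "association")
APP_PRECEDENCE = ("association", "dest-dn")

def _query_element(query_xml):
    root = ET.fromstring(query_xml)
    return root if root.tag == "query" else root.find(".//query")

def query_identifiers(query_xml):
    """Collect the target identifiers carried by an XDS <query>."""
    query = _query_element(query_xml)
    ids = {a: query.get(a) for a in ("dest-entry-id", "dest-dn") if query.get(a)}
    assoc = query.find("association")
    if assoc is not None and (assoc.text or "").strip():
        ids["association"] = assoc.text.strip()
    return ids

def select_target(query_xml, target="edirectory"):
    """Return the (kind, value) the engine would use; only one identifier is ever used."""
    order = EDIR_PRECEDENCE if target == "edirectory" else APP_PRECEDENCE
    ids = query_identifiers(query_xml)
    return next(((k, ids[k]) for k in order if k in ids), None)

def association_only(query_xml):
    """Best practice 2: drop dest-dn/dest-entry-id so the association is used."""
    root = ET.fromstring(query_xml)
    for query in root.iter("query"):
        for attr in ("dest-dn", "dest-entry-id"):
            query.attrib.pop(attr, None)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: a hand-built query carrying both a dest-dn (stale once the
# object is renamed) and the association. The association value is a placeholder.
SAMPLE_QUERY = """<nds dtdversion="3.5">
 <input>
  <query class-name="User" dest-dn="\\TREE\\data\\users\\jdoe" event-id="0" scope="entry">
   <association>{constructed-association-value}</association>
   <read-attr attr-name="Surname"/>
  </query>
 </input>
</nds>"""

if __name__ == "__main__":
    print(select_target(SAMPLE_QUERY))                    # dest-dn wins against eDirectory
    print(select_target(SAMPLE_QUERY, "application"))     # association wins against the app
    print(select_target(association_only(SAMPLE_QUERY)))  # association is all that is left
```

With the stale dest-dn still present, the eDirectory lookup is made by DN and the association is ignored, which is the failure the question describes; removing the DN leaves the association as the only candidate.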