How can I use IDM to Sync a user to AD based on eDir Group Membership?

  • 7002804
  • 24-Mar-2009
  • 26-Apr-2012

Environment

Novell Identity Manager 2.x
Novell Identity Manager 3.x 
Novell Identity Manager Active Directory Driver

Situation

How can I use IDM to Sync a user to AD based on an eDirectory Group Membership?
Is there a way to only sync users over to Active Directory that are a member of a specific eDirectory group?

Resolution

The best solution for this situation is to use Role Based Entitlements, as that is what they were designed for. But you can still accomplish this through a policy if you prefer to implement it that way.
 
The solution below allows Identity Manager (IDM) to synchronize only those users that are members of a specific group.

All changes have been made on the Subscriber Channel.

1. In the Driver Filter, highlight the User object class, add the attribute "Group Membership", and set it to Publish: Ignore and Subscribe: Notify. Notify makes the attribute available to policies on the Subscriber channel without writing it to Active Directory.

2. Under the Matching Policies, insert a new Matching Policy. I called mine "Veto if not in Group", but you can call it anything you want. When the DirXML Policy opens, select Edit XML on the top tab, check Enable XML Editing, then paste the DirXML text below into it, overwriting everything currently in the box. You will have to change the tree name, context and group name.

Or, in other words, append a new rule, give it any name such as Group Test, and add the conditions: if class name equals User AND if attribute "Group Membership" is not equal to the group the users must belong to in order to sync, using the syntax \YOUR-TREE-NAME\Organization\Organizational-Unit\Group-Name (without quotes). Then set an action of Do Veto.

Note that you have to prepend \YOUR-TREE-NAME\ to the context you get when you browse for your group.

This tests for group membership and vetoes every user that is not a member of the required group, so only members are synchronized to AD. Because a Matching Policy only evaluates add events, this veto stops accounts from being created; it does not act on users who later leave the group, which is covered below.

<rule>
     <description>Group Test</description>
     <conditions>
          <and>
               <if-class-name op="equal">User</if-class-name>
               <if-attr name="Group Membership" op="not-equal">\YOUR-TREE-NAME\Organization\Organizational-Unit\Group-Name</if-attr>
          </and>
     </conditions>
     <actions>
          <do-veto/>
     </actions>
</rule>
 
Now that the user is in Active Directory, you may also want to remove them from Active Directory when they are removed from the group. This can be accomplished in one of two ways. Both methods delete the Active Directory account outright, so make sure that is the behaviour you want before deploying them.
 
1.  Act upon the change event that removes the group from the user's Group Membership attribute. The gotcha with this approach is that if for some reason you have to clear the driver cache, you could lose the change events that would trigger this action, leaving the AD account in place. Below is the XML for this method. It should be placed at the top of the Command Transformation policy on the Subscriber channel.
 
<rule>
     <description>Act on Group Membership change</description>
     <conditions>
          <and>
               <if-class-name op="equal">User</if-class-name>
               <if-op-attr name="Group Membership" op="changing-from">\YOUR-TREE-NAME\Organization\Organizational-Unit\Group-Name</if-op-attr>
          </and>
     </conditions>
     <actions>
          <do-remove-association when="before">
               <arg-association>
                    <token-association/>
               </arg-association>
          </do-remove-association>
          <do-delete-dest-object/>
     </actions>
</rule>
 
2.   Alternatively, you can test every user change event to see whether the group membership has changed. The drawback of this approach is that it adds overhead on the driver, because any user change event that comes through requires a query back to eDirectory to verify that the user is still a member of the group. This rule should also be placed at the top of the Command Transformation policy on the Subscriber channel.
 
<rule>
     <description>Act on all users, verify Group Membership</description>
     <conditions>
          <and>
               <if-class-name op="equal">User</if-class-name>
               <if-attr name="Group Membership" op="not-equal">\YOUR-TREE-NAME\Organization\Organizational-Unit\Group-Name</if-attr>
          </and>
     </conditions>
     <actions>
          <do-remove-association when="before">
               <arg-association>
                    <token-association/>
               </arg-association>
          </do-remove-association>
          <do-delete-dest-object/>
     </actions>
</rule>
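As an added illustration (not part of this TID and not Novell/NetIQ code), the following Python script models how the three rules above behave on Subscriber-channel events: the "Group Test" veto in the Matching Policy and the two Command Transformation methods. It evaluates the three condition types the rules use (if-class-name equal, if-attr not-equal, if-op-attr changing-from) over constructed XDS event documents and returns the actions each rule would emit, including the trade-off discussed above: method 1 emits nothing on an unrelated change, while method 2 catches a stale account but needs a read back to eDirectory for every user event. The DN constants, the user jdoe, the simulated directory (EDIR) and the assumption that if-attr on a modify reads the already committed eDirectory object are all assumptions made for the example; the real engine's exact comparison semantics are not reproduced.

```python
"""Toy evaluator for the three DirXML rules in this TID (added example, not
Novell/NetIQ code; it does not run inside Identity Manager). It models only
the condition types the rules use over constructed XDS events and returns
the actions each rule would emit. Assumed: DN values compare case-insensitively
and if-attr on a <modify> reads the committed eDirectory object (EDIR dict).
"""
import xml.etree.ElementTree as ET

GROUP_DN = r"\YOUR-TREE-NAME\Organization\Organizational-Unit\Group-Name"
OTHER_DN = r"\YOUR-TREE-NAME\Organization\Organizational-Unit\Other-Group"
USER_DN = r"\YOUR-TREE-NAME\Organization\Organizational-Unit\jdoe"
EDIR = {USER_DN: {"Group Membership": [OTHER_DN, GROUP_DN]}}  # simulated tree
QUERIES = []  # one entry per simulated read-back of the source object

ADD_TEMPLATE = r"""<nds dtdversion="3.5"><input>
<add class-name="User" src-dn="%s" event-id="0">
 <add-attr attr-name="CN"><value>jdoe</value></add-attr>
 <add-attr attr-name="Group Membership">%s</add-attr>
</add></input></nds>"""
MODIFY_TEMPLATE = r"""<nds dtdversion="3.5"><input>
<modify class-name="User" src-dn="%s" event-id="1">
 <modify-attr attr-name="%s"><%s><value>%s</value></%s></modify-attr>
</modify></input></nds>"""

def parse_event(xml_text):
    """Return the operation element (<add>, <modify>, ...) of an XDS document."""
    return ET.fromstring(xml_text).find("./input/*")

def add_event(groups):
    values = "".join('<value type="dn">%s</value>' % g for g in groups)
    return parse_event(ADD_TEMPLATE % (USER_DN, values))

def modify_event(attr, action, value):  # action: "add-value" or "remove-value"
    return parse_event(MODIFY_TEMPLATE % (USER_DN, attr, action, value, action))

def _same(a, b):
    return a.strip().lower() == b.strip().lower()

def attr_values(event, name):
    """Values of an attribute: from add-attr on an <add>; otherwise from a
    (simulated) read of the source object, which is what the engine does."""
    if event.tag == "add":
        return [v.text or "" for v in
                event.findall("./add-attr[@attr-name='%s']/value" % name)]
    QUERIES.append((event.get("src-dn"), name))
    return EDIR.get(event.get("src-dn"), {}).get(name, [])

def if_class_name_equal(event, cls):
    return event.get("class-name") == cls

def if_attr_not_equal(event, name, value):
    """True when no value of the (multi-valued) attribute equals `value`."""
    return not any(_same(v, value) for v in attr_values(event, name))

def if_op_attr_changing_from(event, name, value):
    """True when this operation removes `value` from the attribute."""
    path = "./modify-attr[@attr-name='%s']/remove-value/value" % name
    return any(_same(v.text or "", value) for v in event.findall(path))

REMOVE_AND_DELETE = ["remove-association", "delete-dest-object"]

def matching_veto_rule(event):  # "Group Test" in the Matching Policy
    hit = if_class_name_equal(event, "User") and if_attr_not_equal(
        event, "Group Membership", GROUP_DN)
    return ["veto"] if hit else []

def membership_change_rule(event):  # method 1, Command Transformation
    hit = if_class_name_equal(event, "User") and if_op_attr_changing_from(
        event, "Group Membership", GROUP_DN)
    return list(REMOVE_AND_DELETE) if hit else []

def verify_membership_rule(event):  # method 2, Command Transformation
    hit = if_class_name_equal(event, "User") and if_attr_not_equal(
        event, "Group Membership", GROUP_DN)
    return list(REMOVE_AND_DELETE) if hit else []

def walkthrough():
    """Feed the constructed events through the rules; return what each emits."""
    QUERIES.clear()
    out = {"add member": matching_veto_rule(add_event([OTHER_DN, GROUP_DN])),
           "add non-member": matching_veto_rule(add_event([OTHER_DN]))}
    # eDirectory has already committed the removal when the event fires.
    EDIR[USER_DN]["Group Membership"] = [OTHER_DN]
    ev = modify_event("Group Membership", "remove-value", GROUP_DN)
    out["method 1 on removal"] = membership_change_rule(ev)
    out["method 2 on removal"] = verify_membership_rule(ev)
    # Had that event been lost (driver cache cleared), method 1 would never
    # fire; method 2 still catches the stale account on the next unrelated
    # change, at the cost of one eDirectory read per user event.
    ev = modify_event("Telephone Number", "add-value", "555-0100")
    before = len(QUERIES)
    out["method 1 on phone change"] = membership_change_rule(ev)
    out["method 2 on phone change"] = verify_membership_rule(ev)
    out["edir reads, method 2, phone change"] = len(QUERIES) - before
    return out

if __name__ == "__main__":
    for name, result in walkthrough().items():
        print("%-36s %s" % (name, result))
```

Run the script directly to print the outcome of each scenario; walkthrough() returns the same results as a dict. The two adds show the Matching Policy veto letting a member through and vetoing a non-member; the two modifies show method 1 reacting only to the remove-value event while method 2 reacts to any user event, recording one simulated eDirectory read each time.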

Additional Information

Formerly known as TID# 10096124