The code listed below provides a better way to determine when an Object should be created in a NetIQ IDM Connector.
Usually it is very common to use the verb <veto-if-attribute-not-available>. This is neither advisable nor efficient. When using this method, there is no information given regarding the reason for the veto, and there is no way to handle multiple missing required attributes; the veto will happen when the first missing attribute is encountered.
Global Configuration Variable
<definition display-name="Required attributes for User Object Create [Employee]" item-separator="|" name="gcvEmployeeRequiredAttributes" type="list">
<description/>
<value>
<item>CN</item>
<item>Surname</item>
<item>Given Name</item>
<item>workforceID</item>
<item>upPersonDepartmentCode</item>
<item>upPersonSubDepartmentCode</item>
<item>upPersonSocialSecurityNumber</item>
<item>upPersonStatusCode</item>
<item>upPersonUserType</item>
</value>
</definition>
DirXML Policy
<rule>
<description>[User] Check required attributes for Create [Employee]</description>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
<if-op-attr name="upPersonUserType" op="equal">~gcvEmployeeUserType~</if-op-attr>
</and>
</conditions>
<actions>
<do-set-local-variable name="varXDSDocumentNodes">
<arg-node-set>
<token-xpath expression="add-attr/@attr-name"/>
</arg-node-set>
</do-set-local-variable>
<do-for-each>
<arg-node-set>
<token-global-variable name="gcvEmployeeRequiredAttributes"/>
</arg-node-set>
<arg-actions>
<do-trace-message color="brblue">
<arg-string>
<token-global-variable name="gcvConnectorName"/>
<token-text xml:space="preserve">:</token-text>
<token-text xml:space="preserve">Checking existence of required attribute for Employee: </token-text>
<token-local-variable name="current-node"/>
</arg-string>
</do-trace-message>
<do-if>
<arg-conditions>
<and>
<if-xpath op="not-true">$current-node = $varXDSDocumentNodes</if-xpath>
</and>
</arg-conditions>
<arg-actions>
<do-trace-message color="brblue">
<arg-string>
<token-global-variable name="gcvConnectorName"/>
<token-text xml:space="preserve">:</token-text>
<token-local-variable name="current-node"/>
<token-text xml:space="preserve">is missing!!</token-text>
</arg-string>
</do-trace-message>
<do-set-local-variable name="varUserMissingAttributes">
<arg-string>
<token-local-variable name="varUserMissingAttributes"/>
<token-local-variable name="current-node"/>
<token-text xml:space="preserve">;</token-text>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="varUserCreateError">
<arg-string>
<token-text xml:space="preserve">true</token-text>
</arg-string>
</do-set-local-variable>
</arg-actions>
<arg-actions>
<do-trace-message color="brblue">
<arg-string>
<token-global-variable name="gcvConnectorName"/>
<token-text xml:space="preserve">:</token-text>
<token-local-variable name="current-node"/>
<token-text xml:space="preserve">checked out OK!!!</token-text>
</arg-string>
</do-trace-message>
</arg-actions>
</do-if>
</arg-actions>
</do-for-each>
</actions>
</rule>