2 AD's, IDM in the middle
We need to be able to sync groups across from one AD to another, but the destination AD may have different members of the same groups. The destination AD does not write back to the vault.
Tried to do this on the sub OTP for groups only
<actions>
  <do-strip-xpath expression="modify-attr[remove-all-values and not(add-value)]"/>
</actions>
but that didn't seem to work properly.
Basically, we need to remove the "remove-all-values" from the transactions so that only the members from the Vault get sync'd without overwriting the complete group membership in the destination AD.
Thanks in Advance!
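Added example, not part of the original post: a Python model of a constructed XDS modify document, showing which nodes the posted expression selects compared with an expression that targets only the remove-all-values element under the member attribute. The document shape, the DNs and the helper names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed XDS <modify> for a Group (sample data, not taken from the post).
SAMPLE = """
<modify class-name="Group">
  <modify-attr attr-name="member">
    <remove-all-values/>
    <add-value><value type="dn">CN=alice,OU=Users,DC=dest,DC=example</value></add-value>
  </modify-attr>
  <modify-attr attr-name="description">
    <remove-all-values/>
  </modify-attr>
</modify>
"""

def parse_sample():
    return ET.fromstring(SAMPLE)

def posted_xpath_matches(op):
    """attr-names selected by modify-attr[remove-all-values and not(add-value)].
    The whole modify-attr is selected, and only when it carries no add-value."""
    return [m.get("attr-name") for m in op.findall("modify-attr")
            if m.find("remove-all-values") is not None
            and m.find("add-value") is None]

def strip_remove_all(op, attr_name="member"):
    """Drop only the <remove-all-values> children of the named attribute.
    Same node set as: modify-attr[@attr-name='member']/remove-all-values"""
    removed = 0
    for m in op.findall("modify-attr"):
        if m.get("attr-name") == attr_name:
            for r in m.findall("remove-all-values"):
                m.remove(r)
                removed += 1
    return removed

def children_of(op, attr_name):
    """Child element names left under the named modify-attr."""
    for m in op.findall("modify-attr"):
        if m.get("attr-name") == attr_name:
            return [c.tag for c in m]
    return []

if __name__ == "__main__":
    op = parse_sample()
    print("posted expression selects:", posted_xpath_matches(op))
    print("remove-all-values dropped:", strip_remove_all(op))
    print("member now holds:", children_of(op, "member"))
```

In this sample the posted expression selects only the description modify-attr; the member modify-attr has both remove-all-values and add-value, so it passes through with the remove-all-values intact.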