IDM Best Practices Documents

Remote Loader Best Practices#

Whenever possible, use a Best Practices Remote Loader.

Be sure to configure limits on the Remote Loader log files. We have seen the log files consume all the disk space on servers they were installed on.

Writing Policies#

First write policies that work—then make them efficient, elegant, clever, etc.
  • Use Designer
  • Review the trace file
  • Use consistent policy and variable naming
  • Document your policy with a description
  • Refine your methodology

Common Mistakes#

Event Transformation Policies#

A common mistake is an event transformation policy that attempts to operate on add events. At that point it does not see unassociated modifies, which pass by and then turn into an add, or <sync> events that turn into adds later. Generally, deal with add events in the creation policy and/or the command transformation policy (ctp).


  • Check query times in the trace file
  • Create indexes for attributes you query
  • Avoid unnecessary queries
    • Use Attribute instead of Source Attribute
    • Query once for all the attributes you'll need in a policy
    • Check for required create attributes before matching

Custom Associations#

You have a DTF, SOAP, Manual or Null driver and you're setting association values with policies manually.
  • An associated object ends up with another association via <add-association>
  • You end up with two associations on that object which will produce two events when touched again
  • Check for existing associations and use <modify-association> instead to replace the existing association
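
One way to find objects that already carry two associations for the same driver, as an added example that is not part of the original page. It assumes an LDIF export in which each DirXML-Associations value is rendered as "driver DN#state#association value"; the DNs and values in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample LDIF export (not from the original page). Assumes the LDAP
# rendering of DirXML-Associations is "<driver DN>#<state>#<association value>".
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=users,o=example
DirXML-Associations: cn=SOAP,cn=DriverSet,o=system#1#emp-1001
DirXML-Associations: cn=SOAP,cn=DriverSet,o=system#1#emp-2002
DirXML-Associations: cn=AD,cn=DriverSet,o=system#1#a1b2c3

dn: cn=asmith,ou=users,o=example
DirXML-Associations: cn=SOAP,cn=DriverSet,o=system#1#emp-1002
"""

def parse_entries(ldif_text):
    """Yield (dn, [association values]) per LDIF entry; unfolds continuation lines."""
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, assocs = None, []
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or value.startswith(":"):  # skip junk and base64 ("::") values
                continue
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name == "dirxml-associations":
                assocs.append(value)
        if dn:
            yield dn, assocs

def duplicate_associations(ldif_text):
    """Return {object DN: {driver DN: [values]}} where one driver has 2+ associations."""
    findings = {}
    for dn, assocs in parse_entries(ldif_text):
        per_driver = defaultdict(list)
        for raw in assocs:
            parts = raw.split("#", 2)
            if len(parts) != 3:
                continue  # not in the assumed format
            driver, _state, value = parts
            per_driver[driver.lower()].append(value)
        dupes = {d: v for d, v in per_driver.items() if len(v) > 1}
        if dupes:
            findings[dn] = dupes
    return findings

if __name__ == "__main__":
    for dn, dupes in duplicate_associations(SAMPLE_LDIF).items():
        print(dn, dupes)
```

Objects it reports are the ones that will produce two events when touched again.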

AD Specific#

The Identity Vault Street Address typically uses the Unix end-of-line convention (a single new line character) while Active Directory uses the Windows convention (carriage return plus new line characters). This rule converts values to the Identity Vault format so that the synchronized values display properly in both systems.
<rule>
	<description>streetAddress: Convert CR-LF to LF</description>
	<comment xml:space="preserve">Corrected this KNOWN to be broken policy to use the utility</comment>
	<comment name="author" xml:space="preserve">jim@willeke.com</comment>
	<comment name="version" xml:space="preserve">2</comment>
	<comment name="lastchanged" xml:space="preserve">2010-07-04</comment>
	<!-- the rule's conditions are not shown on this page -->
	<actions>
		<do-reformat-op-attr disabled="true" name="streetAddress">
			<arg-value type="string">
				<token-replace-all regex="\r\n" replace-with="\r">
					<token-local-variable name="current-value"/>
				</token-replace-all>
			</arg-value>
		</do-reformat-op-attr>
		<!-- $curr-address and the jadutil namespace prefix must be defined elsewhere in the policy; neither is shown on this page -->
		<do-reformat-op-attr name="streetAddress">
			<arg-value type="string">
				<token-xpath expression="jadutil:fixLines($curr-address)"/>
			</arg-value>
		</do-reformat-op-attr>
	</actions>
</rule>

The original rule provided in the 3.6.1 driver sends a "\r\n" to AD, which does not work.
