<div dir="ltr">Hello,<div>We have an AD resource configured to protect an Organizational Unit from being modified with the following code:</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">&lt;protected&gt;<br>            &lt;filter&gt;<br>                  &lt;q:substring&gt;<br>                     &lt;q:matching&gt;stringIgnoreCase&lt;/q:matching&gt;<br>                     &lt;q:path&gt;declare namespace icfs='<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>'; attributes/ri:dn&lt;/q:path&gt;<br>                     &lt;q:value&gt;OU=VIPs,OU=Groups&amp;Users,OU=-SMG-,DC=qaswm,DC=com,DC=ar&lt;/q:value&gt;<br>                     &lt;q:anchorEnd&gt;true&lt;/q:anchorEnd&gt;<br>                  &lt;/q:substring&gt;<br>            &lt;/filter&gt;<br>         &lt;/protected&gt;<br></blockquote>
<div><div><br></div><div>We recently ran into the need to apply this logic only to enabled accounts within that organizational unit, so we modified the &lt;protected&gt; node to look like this:</div><div><br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">&lt;protected&gt;<br>    &lt;filter&gt;<br>        &lt;q:and&gt;<br>            &lt;q:substring&gt;<br>                &lt;q:matching&gt;stringIgnoreCase&lt;/q:matching&gt;<br>                &lt;q:path&gt;declare namespace icfs='<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>'; attributes/ri:dn&lt;/q:path&gt;<br>                &lt;q:value&gt;OU=VIPs,OU=Groups&amp;Users,OU=-SMG-,DC=qaswm,DC=com,DC=ar&lt;/q:value&gt;<br>                &lt;q:anchorEnd&gt;true&lt;/q:anchorEnd&gt;<br>            &lt;/q:substring&gt;<br>            &lt;q:equal&gt;<br>                &lt;q:matching&gt;polyStringNorm&lt;/q:matching&gt;<br>                &lt;q:path&gt;declare namespace icfs='<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>'; attributes/ri:userAccountControl&lt;/q:path&gt;<br>                &lt;q:value&gt;512&lt;/q:value&gt;<br>            &lt;/q:equal&gt;<br>        &lt;/q:and&gt;<br>    &lt;/filter&gt;<br>&lt;/protected&gt;<br></blockquote>
<div><br></div><div>After adding that condition, the filter is not working and it is not preventing modifications.</div><div>Is this a bug? Or can you only use that filter for shadow identifiers?</div><div><br></div><div>Thanks in advance.</div><div>Regards,</div></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><font face="arial, helvetica, sans-serif" style="font-size:12.8px"><font style="background-color:rgb(255,255,255)" color="#000000">Javier Martínez</font></font></div><font face="arial, helvetica, sans-serif" style="font-size:12.8px"><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank">www.identicum.com</a></font></font></div></div></div>
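<div>Added example, not part of the original message and not midPoint code: userAccountControl is an Active Directory bit field, so an equality test against 512 covers only accounts whose sole flag is NORMAL_ACCOUNT. The Python sketch below models the intended logic of the posted filter over constructed sample accounts; the function names are hypothetical, and it does not reproduce how midPoint itself evaluates protected filters.</div>

```python
# Added example. Flag values are the documented Active Directory
# userAccountControl bits; sample accounts and function names are constructed.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536
SMARTCARD_REQUIRED = 0x40000     # 262144

# DN suffix taken from the <q:value> in the message above.
PROTECTED_SUFFIX = "OU=VIPs,OU=Groups&Users,OU=-SMG-,DC=qaswm,DC=com,DC=ar"


def in_protected_ou(dn):
    """Model of substring + anchorEnd + stringIgnoreCase on the DN."""
    return dn.lower().endswith(PROTECTED_SUFFIX.lower())


def is_enabled(uac):
    """An account is enabled when the ACCOUNTDISABLE bit is clear."""
    return uac & ACCOUNTDISABLE == 0


def matches_equal_512(dn, uac):
    """Intended logic of the modified filter: in the OU AND uac == 512."""
    return in_protected_ou(dn) and uac == NORMAL_ACCOUNT


def matches_enabled(dn, uac):
    """Stated goal of the change: in the OU AND account enabled."""
    return in_protected_ou(dn) and is_enabled(uac)


def coverage_gaps(accounts):
    """Enabled accounts in the OU that the equality test leaves unprotected."""
    return [dn for dn, uac in accounts
            if matches_enabled(dn, uac) and not matches_equal_512(dn, uac)]


# Constructed sample shadows: (dn, userAccountControl)
SAMPLE = [
    ("CN=Alice," + PROTECTED_SUFFIX, NORMAL_ACCOUNT),                          # 512
    ("cn=bob," + PROTECTED_SUFFIX.lower(), NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),  # 66048
    ("CN=Carol," + PROTECTED_SUFFIX, NORMAL_ACCOUNT | ACCOUNTDISABLE),         # 514
    ("CN=Dave," + PROTECTED_SUFFIX, NORMAL_ACCOUNT | SMARTCARD_REQUIRED),      # 262656
    ("CN=Eve,OU=Staff,OU=Groups&Users,OU=-SMG-,DC=qaswm,DC=com,DC=ar", NORMAL_ACCOUNT),
]

if __name__ == "__main__":
    for dn in coverage_gaps(SAMPLE):
        print("enabled but not matched by == 512:", dn)
```

<div>Checking the userAccountControl values actually present on the accounts in the OU shows whether this gap applies to a given directory.</div>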