Step-2: Create a new role identity testrole1
Step-3: Assign testrole1 to testuser1.
Sun AM uses nsRole attribute of DS to store roles for user identity. If you want to verify this, you can do ldapsearch on DS:
ldapsearch -b "dc=red,dc=iplanet,dc=com" -D "cn=Directory Manager" -w
Step-4: Delete testrole1, then DS takes care of deleting testrole1 DN in testuser1 - nsRole attribute. This works only if Referential integrity plugin is enabled in DS. You can check if referential integrity is enabled or disabled by using:
dsconf get-server-prop -p 7389 -h jackal.red.iplanet.com -D "cn=Directory Manager" -w /opt/pass.txt | grep ref-integrity-enabled
ref-integrity-enabled : on
where dsconf if a tool obtained from DSEE installation. It is available in the following location:
/opt/SUNWdsee/ds6/bin
/opt is the default location of Sun DSEE installation.