Read Users using Query

fartyalvikram · ‎2018-05-28

I am using Identity Manager 4.7.
I have configured one Job on Null Driver Subscriber channel, In this how can I read all Users who have "testAttrib" is available using Query?

lhaeger · ‎2018-05-28

fartyalvikram wrote:

> how
> can I read all Users who have "testAttrib" is available using Query?

Try this:

<do-for-each>
<arg-node-set>
<token-query class-name="User" datastore="src">
<arg-match-attr name="testAttrib">
<arg-value type="string">
<token-text xml:space="preserve">*</token-text>
</arg-value>
</arg-match-attr>
<arg-string>
<token-text xml:space="preserve">Surname</token-text>
</arg-string>
</token-query>
</arg-node-set>
<arg-actions>
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">Found: </token-text>
<token-xpath expression="$current-node/@src-dn"/>
<token-text xml:space="preserve"> with Surname "</token-text>
<token-xpath
expression='$current-node/attr[@attr-name="Surname"]/value/text()'/>
<token-text xml:space="preserve">"</token-text>
</arg-string>
</do-trace-message>
</arg-actions>
</do-for-each>

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)

______________________________________________
https://www.is4it.de/identity-access-management

fartyalvikram · ‎2018-05-28

Thanks for reply.
Attribute "testAttrib" syntax is "Time" Single Valued.
Rule is given below

<do-for-each>
	<arg-node-set>
		<token-query class-name="User" datastore="src">
			<arg-match-attr name="testAttrib">
				<arg-value type="string">
					<token-text xml:space="preserve">*</token-text>
				</arg-value>
			</arg-match-attr>
			<arg-string>
				<token-text xml:space="preserve">Surname</token-text>
			</arg-string>
		</token-query>
	</arg-node-set>
	<arg-actions>
		<do-trace-message>
			<arg-string>
				<token-text xml:space="preserve">Found: </token-text>
				<token-xpath expression="$current-node/@src-dn"/>
				<token-text xml:space="preserve"> with Surname "</token-text>
				<token-xpath expression='$current-node/attr[@attr-name="Surname"]/value/text()'/>
				<token-text xml:space="preserve">"</token-text>
			</arg-string>
		</do-trace-message>
	</arg-actions>
</do-for-each>

And I am getting the following exception in the log

<status level="error">Code(-9053) One or more errors occurred while processing a query: Code(-8009) Error processing <search-attr>: java.lang.NumberFormatException: For input string: "*".</status>

Can we compare "testAttrib" value (which is in time) with some other time or timestamp?

lhaeger · ‎2018-05-28

fartyalvikram wrote:

> Can we compare "testAttrib" value (which is in time) with some other
> time or timestamp?

Seems like token query does not support the "exists" syntax ("*") for time
syntax attributes. I'd probably use an ldapsearch ecma instead, which should
allow both testAttrib=* as well as testAttrib<=20180528120100Z comparisons.
ECMA versions of ldapsearch are contained in one of the "Common" packages from
MF/NetIQ, iirc, or can be pulled off my public repo at
https://www.brummelhook.com/download/idm/packages/ as part of the "Bits and
Pieces" package. Another version is mentioned at
https://www.netiq.com/communities/cool-solutions/open-call-useful-ecma-functions-use-identity-manager/

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)

______________________________________________
https://www.is4it.de/identity-access-management

geoffc · ‎2018-05-28

On 5/28/2018 7:09 AM, Lothar Haeger wrote:
> fartyalvikram wrote:
>
>> Can we compare "testAttrib" value (which is in time) with some other
>> time or timestamp?
>
> Seems like token query does not support the "exists" syntax ("*") for time
> syntax attributes. I'd probably use an ldapsearch ecma instead, which should

I was thinking LDAP ECMA approach as well.

Does Query support * for string syntaxes though?

al_b · ‎2018-05-28

geoffc;2481602 wrote:
On 5/28/2018 7:09 AM, Lothar Haeger wrote:
> fartyalvikram wrote:
>
>> Can we compare "testAttrib" value (which is in time) with some other
>> time or timestamp?
>
> Seems like token query does not support the "exists" syntax ("*") for time
> syntax attributes. I'd probably use an ldapsearch ecma instead, which should

I was thinking LDAP ECMA approach as well.

Does Query support * for string syntaxes though?

I don't think, that Query token support any "wildcard" search syntax.
This is a long time pending request for extension for Query token.

Currently this option available only for LDAP query.

geoffc · ‎2018-05-28

On 5/28/2018 2:36 PM, al b wrote:
>
> geoffc;2481602 Wrote:
>> On 5/28/2018 7:09 AM, Lothar Haeger wrote:
>>> fartyalvikram wrote:
>>>
>>>> Can we compare "testAttrib" value (which is in time) with some other
>>>> time or timestamp?
>>>
>>> Seems like token query does not support the "exists" syntax ("*") for
>> time
>>> syntax attributes. I'd probably use an ldapsearch ecma instead, which
>> should
>>
>> I was thinking LDAP ECMA approach as well.
>>
>> Does Query support * for string syntaxes though?
>
> I don't think, that *Query* token support any "wildcard" search syntax.
> This is a long time pending request for extension for Query token.
>
> Currently this option available only for LDAP query.

Right, and you cannot query for presence = * or absence (Not = *) or
time synatx. Wait... Did I remember something about adding Time syntax
fields and < and > or am I losing my mind?

lhaeger · ‎2018-05-29

al b wrote:

> I don't think, that Query token support any "wildcard" search syntax.

You are probably right when querying the ID Vault. I may have mixed that up
with queries against the application side, which do support * in some cases,
like
https://www.netiq.com/documentation/identity-manager-47-drivers/sap_user/data/byi8iee.html

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)

______________________________________________
https://www.is4it.de/identity-access-management

Alex McHugh · ‎2018-05-29

Lothar Haeger <lothar.haeger@is4it.de> wrote:
> al b wrote:
>
>> I don't think, that Query token support any "wildcard" search syntax.
>
> You are probably right when querying the ID Vault.

Pretty sure it is supported on the ID vault side, but only in specific
cases.

IDM query only can be configured for equality or substring matching rules,
the token and XDS would need enhancement to support other matching rule
types.

If you need substring, look up the relevant attribute syntax: there it
specifies what matching rules are supported.

For example:

Case Ignore String has support for substring.
But not supported with Time syntax.

Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.

geoffc · ‎2018-05-29

On 5/29/2018 9:16 AM, Alex McHugh wrote:
> Lothar Haeger <lothar.haeger@is4it.de> wrote:
>> al b wrote:
>>
>>> I don't think, that Query token support any "wildcard" search syntax.
>>
>> You are probably right when querying the ID Vault.
>
> Pretty sure it is supported on the ID vault side, but only in specific
> cases.
>
> IDM query only can be configured for equality or substring matching rules,
> the token and XDS would need enhancement to support other matching rule
> types.
>
> If you need substring, look up the relevant attribute syntax: there it
> specifies what matching rules are supported.
>
> For example:
>
> Case Ignore String has support for substring.
> But not supported with Time syntax.

Do you have a good URL for the schema reference with that info? I had
found it once, but last time I looked, I missed it somehow.

geoffc · ‎2018-05-29

On 5/29/2018 10:20 AM, Geoffrey Carman wrote:
> On 5/29/2018 9:16 AM, Alex McHugh wrote:
>> Lothar Haeger <lothar.haeger@is4it.de> wrote:
>>> al b wrote:
>>>
>>>> I don't think, that Query token support any "wildcard" search syntax.
>>>
>>> You are probably right when querying the ID Vault.
>>
>> Pretty sure it is supported on the ID vault side, but only in specific
>> cases.
>>
>> IDM query only can be configured for equality or substring matching
>> rules,
>> the token and XDS would need enhancement to support other matching rule
>> types.
>>
>> If you need substring, look up the relevant attribute syntax: there it
>> specifies what matching rules are supported.
>>
>> For example:
>>
>> Case Ignore String has support for substring.
>> But not supported with Time syntax.
>
> Do you have a good URL for the schema reference with that info?Â I had
> found it once, but last time I looked, I missed it somehow.

And I found the links in your later post, thank you again.

geoffc · ‎2018-05-28

> <token-query class-name="User" datastore="src">
> <arg-match-attr name="testAttrib">
> <arg-value type="string">
> <token-text xml:space="preserve">*</token-text>
> </arg-value>
> </arg-match-attr>
> <arg-string>
> <token-text xml:space="preserve">Surname</token-text>
> </arg-string>
> </token-query>

Is asterisk as a wild card legal here? LDAP yes, IDM Query not so much?
I have been bugging Rajiv to get the Query token to have more LDAP
semantic support as well, but I did not think those changes were yet to
be made...

Engine-Drivers