Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CompoundFilter

CompoundFilter

 

Introduction

The CompoundFilter object is used in several places within IdentityIQ to select or filter data. An example of its use is in policy rules in the the advanced policies. Another example is in assignment rules for roles. The CompoundFilter is a wrapper for a filter definition, but doesn't do any filtering itself.

 

Search versus filter

Filters in IdentityIQ are used for searching and for filtering. The way these filters are used is different for searching and filtering. While searching, only searchable attributes can be used. In case of an identity that is most of the standard attributes (name, id, correlated, assigned roles, detected roles, etc.) and identity or link extended attributes marked as searchable. If non-searchable attributes would be used the search would either take very long, since the data is not indexed, or result in an error. This also means that while searching one cannot search for account attribute values, since these are not indexed as part of the identity.

 

When filtering, IdentityIQ iterates over a list of objects, like Identities, and any readable attribute can be extracted and compared. Any matching object will be returned. In this case the filter can look at object attributes, but also at attributes of nested objects, like a link within an identity.

 

Basic syntax

A CompoundFilter, when represented as XML starts with <CompoundFilter> and ends with </CompoundFilter>.

 

 

<CompoundFilter>
  <!-- filter definition goes here -->
</CompoundFilter>

 

 

A CompoundFilter can contain a simple filter using a Filter object or a complex filter using a CompositeFilter object. Filters and CompositeFilters are explained in detail below. The simplest form of a CompoundFilter would look as follows.

 

 

<CompoundFilter>
  <Filter operation="EQ" property="attribute" value="value"/>
</CompoundFilter>

 

 

If the filter refers to application links (account attributes), a section with application references can be added:

 

 

<CompoundFilter>
  <Applications>
    <Reference class="sailpoint.object.Application" name="LDAP"/>
  </Applications>
  <!-- filter definition goes here -->
</CompoundFilter>

 

 

Filters refer to these applications using a number and colon as a prefix for the attribute. The number is the ordinal number of the application in the list, starting with 0. In the example LDAP is referred to as 0:, a second application as 1:., the next as 2:, etc.

 

 

<CompoundFilter>
  <Applications>
    <Reference class="sailpoint.object.Application" name="LDAP"/>
  </Applications>
  <Filter operation="EQ" property="0:memberOf" value="cn=myGroup, ou=groups, dc=example, dc=com"/>
</CompoundFilter>

 

 

Instead of using the numerical references, it is also possible to use the name of the application.

 

 

<CompoundFilter>
  <Filter operation="EQ" property="LDAP:memberOf" value="cn=myGroup, ou=groups, dc=example, dc=com"/>
</CompoundFilter>

 

 

The best reason for using a reference is that, when saved, IdentityIQ will automatically fill in the id of the application. Whenever the name of the application changes, the reference stays intact. When using a name for the prefix, this relation is lost and the filter will no longer work.

 

Filter

Filter tags can have the following attributes and values. Only the most commonly used are mentioned here.

Attribute Value Explanation
operation EQ Checks whether the property is equal to the specified value. This operation is used for text strings and numeric values.
NE Checks whether the property is unequal to the specified value. This operation is used for text strings and numeric values.
LT Checks whether the property is less than the specified value. This operation is used for text strings and numeric values.
GT Checks whether the property is greater than the specified value. This operation is used for text strings and numeric values.
LE Checks whether the property is less than or equal to the specified value. This operation is used for text strings and numeric values.
GE Checks whether the property is greater than or equal to the specified value. This operation is used for text strings and numeric values.
IN

Checks whether the string or numeric property is in the specified list.

Example:

<Filter operation="IN" property="0:teamcode">
  <Value>
    <List>
      <String>t101</String>
      <String>t102</String>
    </List>
  </Value>
</Filter>
CONTAINS_ALL

Checks whether the list type (multi-valued) property contains all of the values specified in the <Value> tag.

Example:

<Filter operation="CONTAINS_ALL" property="teams">
  <Value>
    <List>
      <String>t101</String>
      <String>t102</String>
    </List>
  </Value>
</Filter>
LIKE Checks whether the property's value is like the string specified as value. This operation is used together with the matchMode attribute.
NOTNULL Matches if the specified property has any value.
ISNULL Matches if the specified property has no value.
ISEMPTY Matches if the specified multi-valued property (list type) has no items or is null.
JOIN

See below (joinProperty).

Example:

<Filter operation="JOIN" property="id" joinProperty="ManagedAttribute.owner.id"/>
matchMode ANYWHERE Combined with operation LIKE this mode will test for  the value anywhere in the value of the property. The attribute matchMode has no meaning with other operations.
START Combined with operation LIKE this mode will test whether the value of the property starts with the specified value.
END Combined with operation LIKE this mode will test whether the value of the property end with the specified value.
EXACT This mode will make the operation LIKE behave like EQ and test for an exact match of value and property.
ignoreCase true or false

Set to true to compare string values case insensitively. The default is false.

Example:

<Filter operation="EQ" ignoreCase="true" property="department" value="HR"/>
property   The identity attribute or, when prefixed with an application name or reference number, account attribute to be matched. Note that filtering account attributes will not work in search operations.
value  

The value to be matched. This attribute can only be used for string, numeric and boolean values. For other types of values, the <Value> tag needs to be used. For example for lists, this would look like:

<Value>
  <List>
    <String>A</String>
    <String>B</String>
  </List>
</Value>
joinProperty   The joinProperty attribute is used with operation JOIN and specifies the object type and property to match the property's value.

Example:

<Filter operation="JOIN" property="id" joinProperty="ManagedAttribute.owner.id"/>

 

CompositeFilter

The CompositeFilter is used to combine Filter and other CompositeFilter objects using a logical and or or operation, or to negate the contained Filter's result. The operation to apply is specified by the operation attribute.

Operation Explanation
AND

Apply a logical and on the included Filters or CompositeFilters. A match is found if all included Filters and/or CompositeFilters match.

<CompositeFilter operation="AND">
  <Filter operation="EQ" property="0:memberOf" value="cn=myFirstGroup, ou=groups, dc=example, dc=com"/>
  <Filter operation="EQ" property="0:memberOf" value="cn=mySecondGroup, ou=groups, dc=example, dc=com"/>
</CompositeFilter>
OR

Apply a logical or on the included Filters or CompositeFilters. A match is found if any of the included Filters and/or  CompositeFilters matches.

<CompositeFilter operation="OR">
  <Filter operation="EQ" property="0:memberOf" value="cn=myFirstGroup, ou=groups, dc=example, dc=com"/>
  <Filter operation="EQ" property="0:memberOf" value="cn=mySecondGroup, ou=groups, dc=example, dc=com"/>
</CompositeFilter>
NOT

Apply a logical not on the included Filter or CompositeFilter (only one!). A match is found if the included Filter or CompositeFilter does not match.

<CompositeFilter operation="NOT">
  <Filter operation="EQ" property="0:memberOf" value="cn=myGroup, ou=groups, dc=example, dc=com"/>
</CompositeFilter>

 

Examples

More examples are presented in Examples of XML for a CompoundFilter in the UI.

 

Further reading

Also see:

Comments
suren_info
‎Oct 26, 2016 03:37 PM
‎Oct 26, 2016 03:37 PM

This is interesting. Can we have nested CompoundFilter? Like NE, LIKE and IN operation together.  For an instance,  I want to apply Filter to a bundle for list of users who's username doesnt starts with "CON" and "GLB" .

menno_pieters
‎Oct 26, 2016 04:00 PM
‎Oct 26, 2016 04:00 PM

The CompoundFilter is a wrapper class around the actual Filter objects (Filter and CompositeFilter). For advanced filtering, have a look at Filters and Filter Strings​ and specifically this section.

scott_petry
‎May 03, 2018 11:44 AM
‎May 03, 2018 11:44 AM

Is it possible to do a date comparison? I know I can compare for an EQ condition...

<CompoundFilter>

  <CompositeFilter operation="AND">

    <Filter operation="EQ" property="jobCode" value="490"/>

    <Filter operation="EQ" property="startDate" value="06/04/2018"/>

  </CompositeFilter>

</CompoundFilter>

The startDate is actually a string value, but I would like to do a before or after date comparison.

mike_klug
‎May 03, 2018 11:50 AM
‎May 03, 2018 11:50 AM

This is how I have done date comparisons before (the date d ends up being 30 days before today, created is stored in epoch, so you will need to do a Format string conversion):

                long millisBefore = 30*86400000l;

                long today = System.currentTimeMillis();

                long diff = today - millisBefore;

                Date d = new Date(diff);

                Filter created = Filter.lt("created", d);

menno_pieters
‎May 04, 2018 05:08 AM
‎May 04, 2018 05:08 AM

Using that, it should be possible (although I did not try, yet), to use the CompoundFilter like this:

<CompoundFilter>

  <CompositeFilter operation="AND">

    <Filter operation="EQ" property="jobCode" value="490"/>

    <Filter operation="LT" property="startDate">

      <Value>

        <Date>1522972800000</Date> <!-- April 6, 2018 GMT https://www.epochconverter.com/  -->

      </Value>

    </Filter>

  </CompositeFilter>

</CompoundFilter>

Also see the DTD (DTD Information​)

varunvj
‎Jun 19, 2019 05:58 AM
‎Jun 19, 2019 05:58 AM

Hi Everyone,

need code review, when we use composite filter do we need to specify name of the application.

Here i want to remove External Users and terminnated will this script works.

<CompoundFilter>

  <Applications>

<Reference class="sailpoint.object.Application" id="" name="App"/>

  </Applications>

  <CompositeFilter operation="AND">

  <Filter ignoreCase="true" operation="NE" property="App:SOURCE_SYSTEM" value="External_User"/>

  <Filter ignoreCase="true" operation="NE" property="App:STATUS" value="T"/>

  </CompositeFilter>

</CompoundFilter>

varunvj
‎Jun 19, 2019 06:00 AM
‎Jun 19, 2019 06:00 AM

Hi Scott Petry,

is it not required to mention application reference?.

menno_pieters
‎Jun 19, 2019 07:43 AM
‎Jun 19, 2019 07:43 AM

Not if the attribute is an identity attribute.

menno_pieters
‎Jun 19, 2019 07:49 AM
‎Jun 19, 2019 07:49 AM

Instead of "App:", you could use "0:" to make use of the referenced application, or just "App:" and leave out the application reference.

For the condition: external user with status "T" (terminated), this should work if you change the operation to "EQ" instead of "NE". As it is now, it will match all non-external users that are not terminated.

Or, do I misunderstand and you want to ignore all terminated users and all external users? If that is the case, it should work.

varunvj
‎Jun 20, 2019 04:58 AM
‎Jun 20, 2019 04:58 AM

yes menno.pieters i want to exclude all terminated users and external users.

It worked for me.

Thank you.

Version history
Revision #:
4 of 4
Last update:
‎Jul 19, 2023 06:09 PM
Updated by:
Community Administrator
 
View Article History