In code the assignment rule is an IdentitySelector object and the filter is a CompoundFilter object. What you enter in the UI when you build a filter is the XML for a CompoundFilter. This is more complex than profile filters because more than one application is in play: the assignment rule can combine attributes from all of the identity's application links as well as identity attributes. The following is a collection of information gathered about these filters.
Here's an example of a filter in its XML form:
<CompoundFilter>
  <Applications>
    <Reference class="sailpoint.object.Application" id="4028758130badb630130badc231a0211" name="Active_Directory"/>
    <Reference class="sailpoint.object.Application" id="4028758130badb630130badc24a40222" name="ERP_Global"/>
    <Reference class="sailpoint.object.Application" id="4028758130badb630130badc2435021f" name="Composite_ERP_Global_Platform"/>
  </Applications>
  <CompositeFilter operation="AND">
    <CompositeFilter operation="OR">
      <Filter matchMode="ANYWHERE" operation="CONTAINS_ALL" property="1:groupmbr">
        <Value>
          <List>
            <String>PayrollAnalysis</String>
          </List>
        </Value>
      </Filter>
      <Filter matchMode="ANYWHERE" operation="CONTAINS_ALL" property="2:groupmbr">
        <Value>
          <List>
            <String>PayrollAnalysis</String>
          </List>
        </Value>
      </Filter>
    </CompositeFilter>
    <Filter matchMode="ANYWHERE" operation="CONTAINS_ALL" property="0:groupmbr">
      <Value>
        <List>
          <String>InvntryAnalysis</String>
        </List>
      </Value>
    </Filter>
  </CompositeFilter>
</CompoundFilter>
In the example above, the index in the property "index:groupmbr" refers to the (zero-based) position of the application in the Applications list at the start.
If you're writing these by hand, you may find it marginally easier to use the application name as the property prefix rather than a number. For example, instead of this:
<CompoundFilter>
  <Applications>
    <Reference class="Application" name="Active_Directory"/>
  </Applications>
  <Filter matchMode="ANYWHERE" operation="CONTAINS_ALL" property="0:groupmbr">
    <Value>
      <List>
        <String>PayrollAnalysis</String>
      </List>
    </Value>
  </Filter>
</CompoundFilter>
You could also write this:
<CompoundFilter>
  <Filter matchMode="ANYWHERE" operation="CONTAINS_ALL" property="Active_Directory:groupmbr">
    <Value>
      <List>
        <String>PayrollAnalysis</String>
      </List>
    </Value>
  </Filter>
</CompoundFilter>
It saves a few lines, but you lose tracking of Application renames.
Another thing you can do to make this simpler in some cases is to use the "value" attribute of the Filter rather than the <Value> element.
These two forms are equivalent:
<CompoundFilter>
  <Filter matchMode="ANYWHERE" operation="CONTAINS_ALL" property="Active_Directory:groupmbr">
    <Value>
      <List>
        <String>PayrollAnalysis</String>
      </List>
    </Value>
  </Filter>
</CompoundFilter>
<CompoundFilter>
  <Filter matchMode="ANYWHERE" operation="CONTAINS_ALL" property="Active_Directory:groupmbr" value='PayrollAnalysis'/>
</CompoundFilter>
The Value/List/String form is only required when you need more than one value, but code that generates filters usually uses that form consistently.
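The prefix resolution and the two value forms described above, as an added example that is not SailPoint's or IdentityIQ's code: a small Python evaluator that applies a CompoundFilter to one identity's link data. It assumes identity data as a plain dict of application name to link attributes (a constructed stand-in for IIQ Links), implements only the CONTAINS_ALL operation used on this page, and rejects an index that runs past the Applications list instead of silently matching nothing.

```python
"""Evaluate a CompoundFilter against one identity's links (added example, not SailPoint code).
An identity is a dict of application name -> link attributes, a constructed stand-in for
IIQ Links; only CONTAINS_ALL is implemented. FILTER_XML is constructed: two applications,
indexed 0 and 1, with both the numeric and the name prefix style in use."""
import xml.etree.ElementTree as ET

FILTER_XML = """<CompoundFilter>
 <Applications>
  <Reference class="Application" name="Active_Directory"/>
  <Reference class="Application" name="ERP_Global"/>
 </Applications>
 <CompositeFilter operation="AND">
  <Filter operation="CONTAINS_ALL" property="1:groupmbr" value="PayrollAnalysis"/>
  <Filter operation="CONTAINS_ALL" property="Active_Directory:groupmbr">
   <Value><List><String>InvntryAnalysis</String></List></Value>
  </Filter>
 </CompositeFilter>
</CompoundFilter>"""
IDENTITY = {"Active_Directory": {"groupmbr": ["InvntryAnalysis", "Staff"]},  # constructed
            "ERP_Global": {"groupmbr": ["PayrollAnalysis"]}}

def _values(filt):
    """The 'value' attribute and Value/List/String are equivalent forms."""
    if filt.get("value") is not None:
        return [filt.get("value")]
    return [s.text for s in filt.findall("./Value/List/String")]

def _resolve(prop, app_names, identity):
    """Turn 'index:attr' or 'name:attr' into that link's attribute values."""
    prefix, attr = prop.split(":", 1)
    if prefix.isdigit():
        if int(prefix) >= len(app_names):  # stale or off-by-one index
            raise IndexError(f"{prop}: only {len(app_names)} applications listed")
        prefix = app_names[int(prefix)]
    actual = identity.get(prefix, {}).get(attr, [])
    return actual if isinstance(actual, list) else [actual]

def _eval(node, app_names, identity):
    if node.tag == "CompositeFilter":
        results = [_eval(c, app_names, identity) for c in node]
        return all(results) if node.get("operation") == "AND" else any(results)
    if node.get("operation") != "CONTAINS_ALL":
        raise ValueError(f"unsupported operation {node.get('operation')}")
    # matchMode is irrelevant to CONTAINS_ALL: every listed value must be present
    actual = _resolve(node.get("property"), app_names, identity)
    return set(_values(node)) <= set(actual)

def matches(xml_text, identity):
    """True when the identity satisfies every top-level filter in the CompoundFilter."""
    root = ET.fromstring(xml_text)
    app_names = [r.get("name") for r in root.findall("./Applications/Reference")]
    return all(_eval(c, app_names, identity) for c in root if c.tag != "Applications")
```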
Since this is XML code, where would the compound filter be placed?
Hi steven.goin, I recommend asking this question in the IdentityIQ Forums to get a larger response. Please reference this wiki document and what version of IdentityIQ you are using when posting.
See Filters and Filter Strings for more on Compound Filter usage. These can be used as the "Filter" option in role assignment rules, identity filters for lifecycle events, dynamic scope definitions, and advanced policy definitions.
Doesn't the attribute matchMode have no meaning with operations other than LIKE? If so, why is it used?
matchMode has valid values ANYWHERE, START, END, and EXACT.
Agreed, however my question was in regards to lines like (in this example)-
<Filter matchMode="ANYWHERE" operation="CONTAINS_ALL" property="1:groupmbr">
Does matchMode have any meaning in this scenario?
Refer to CompoundFilter:
matchMode: ANYWHERE. Combined with operation LIKE this mode will test for the value anywhere in the value of the property. The attribute matchMode has no meaning with other operations.
Is it possible to refer to a custom object's entry list and check whether a user's identity attribute is in that list?