Filter reference

In IdentityIQ there are a few places where you can edit your own filter source and have it compiled into a search filter.  Some of these areas are:

  1. When editing search criteria for an identity search in Analyze > Advanced Analytics > Identity Search (tab) > Advanced Search
  2. When editing a role profile under Define > Roles
  3. In the API, as you call:  Filter filter = Filter.compile( "some filter expression" );

 

The compiler creates a Filter from a string representation using the following grammar (note the Java-like syntax):

  • String literals should have double-quotes.
    • e.g.  firstname == "Neil"
  • True / false values are treated as boolean literals
    • e.g.  inactive != false
  • Digits are treated as numbers
    • e.g.  age < 100
  • The string value 'null' (no quotes) is treated as null
    • e.g. name != null
  • Fully-qualified constants are resolved to enums
    • e.g. type == sailpoint.object.ResourceObject.TYPE_ACCOUNT
  • Everything else is assumed to be the property name
    • e.g. email == contactAddress

 

Composite Filters:

  • And
    • AND - (expr && expr)
    • e.g. ( inactive == false && type == "Employee" )
  • Or
    • OR - (expr || expr)
    • e.g. ( type == "Employee" || type == "Contractor" )
  • Not
    • NOT - !(expr)
    • e.g.  !( company == "SailPoint" )

 

Leaf Filters:

Note: Any comparison operator can be prefixed with an 'i' to signify a case-insensitive comparison (e.g. i==, i!=, etc.).

 

  • Equals
    • EQ - propertyName == value
    • e.g. firstname == "Neil"
  • Not Equals
    • NE - propertyName != value
    • e.g. lastname != "Smith"
  • Less Than
    • LT - propertyName < value
    • e.g. riskScoreWeight < 500
  • Greater Than
    • GT - propertyName > value
    • e.g. riskScoreWeight > 0
  • Less Than, Equals
    • LE - propertyName <= value
    • e.g. riskScoreWeight <= 1000
  • Greater Than, Equals
    • GE - propertyName >= value
    • e.g. riskScoreWeight >= 500
  • Contains All
    • CONTAINS_ALL - propertyName.containsAll({ "foo", "bar", "baz" }) (or containsAllIgnoreCase())
    • e.g. Groups.containsAll( { "A", "B", "C" } )
  • In
    • IN - propertyName.in({ "foo", "bar", "baz" }) (or inIgnoreCase())
    • e.g. Groups.in( { "A", "B", "C" } )
  • Is Null
    • ISNULL - propertyName.isNull()
    • e.g. email.isNull()
  • Not Null
    • NOTNULL - propertyName.notNull()
    • e.g. company.notNull()
  • Is Empty
    • ISEMPTY - propertyName.isEmpty()
    • e.g. Groups.isEmpty()
  • Like, Exact
    • EXACT - propertyName == value
    • e.g. firstname == "Neil"
  • Like, Start
    • START - propertyName.startsWith(value) (or startsWithIgnoreCase())
    • e.g. lastname.startsWith( "Mc" )
  • Like, End
    • END - propertyName.endsWith(value) (or endsWithIgnoreCase())
    • e.g. email.endsWith( "@sailpoint.com" )
  • Like, Anywhere
    • ANYWHERE - propertyName.contains(value) (or containsIgnoreCase())
    • e.g. email.contains( "sail" )
  • Join
    • JOIN - propertyName.join( ClassName.propertyName )
  • Collection Condition
    • COLLECTION_CONDITION - propertyName.collectionCondition( "fooProp == \"bar\"" )
    • Note that the parameter to collectionCondition() is the string representation (with quotes escaped) of the collection element filter.
  • Subquery
    • SUBQUERY - propertyName.subquery( property, subquery class, subquery property,  subquery filter );
    • e.g. propertyName.subquery("firstname", sailpoint.object.Bundle, "name", "riskScoreWeight > 500");
    • A subquery takes the following parameters:
      1. property
      2. subquery class
      3. subquery property
      4. subquery filter: Either a string representation of a filter (with quotes escaped) or null.
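
The quoting rules above (double-quoted string literals, unquoted property names, and a nested filter passed "with quotes escaped") matter most when filter source is assembled from run-time values before being compiled. The following Java is an added example, not SailPoint code: FilterSource and its methods are hypothetical helper names, the sample values are constructed, and escaping a backslash with a second backslash is an assumption extrapolated from the \"bar\" example above.

```java
// Added example: builds filter source strings only; it does not need the IdentityIQ jar.
// FilterSource and its methods are hypothetical helpers, not part of the product API.
import java.util.List;
import java.util.stream.Collectors;

public final class FilterSource {

    /** Render a value as a double-quoted string literal, escaping \ and ". */
    static String literal(String value) {
        // Assumption: backslash is the escape character, as in the page's \"bar\" example.
        return "\"" + value.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    /** Property names are emitted unquoted, so accept dotted identifiers only. */
    static String property(String name) {
        if (!name.matches("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*")) {
            throw new IllegalArgumentException("not a property name: " + name);
        }
        return name;
    }

    static String eq(String prop, String value) {
        return property(prop) + " == " + literal(value);
    }

    static String in(String prop, List<String> values) {
        return property(prop) + ".in({ "
            + values.stream().map(FilterSource::literal).collect(Collectors.joining(", "))
            + " })";
    }

    /** The inner filter is itself passed as a string literal, so it is escaped again. */
    static String collectionCondition(String prop, String innerFilterSource) {
        return property(prop) + ".collectionCondition(" + literal(innerFilterSource) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second value contains double quotes.
        System.out.println(eq("firstname", "Neil"));
        System.out.println(eq("displayName", "Dwayne \"The Rock\" Johnson"));
        System.out.println(in("Groups", List.of("A", "B", "C")));
        System.out.println(collectionCondition("links", eq("fooProp", "bar")));
        // In IdentityIQ each printed string is what would be handed to Filter.compile(...).
    }
}
```

Because a value that is not quoted is read as a property name, null, a boolean, or a number, routing every run-time value through literal() keeps it from changing the structure of the compiled filter.
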
Comments

This is a life saver. Thanks Neil

Hello Neil, I want to filter out any Identity that contains "Disabled" in the Fullname field. How do I do that via the Application Filter string?

Hello Shaun,

Not sure if you are leveraging a direct connector into AD.  If so, you can add the following to your Iterate Search Filter: (!(userAccountControl:1.2.840.113556.1.4.803:=2)) ... this will filter out all disabled AD accounts.

This is a flat file. The Columns are

Application

Server

ID

FullName

The Data is

PRODUCTION_Principia:Nuke:e12354:John Smith Disabled

I would like this ID not to show in my application since it contains Disabled in the Fullname field.

I got it to work. FullName.endsWith("Disabled")

Good to hear Shaun.  If 'Disabled' ever changes from the end of field, consider using Contains.

Hi, I want to filter a refresh identities task to include failed identities. How do I do that through the Refresh Identity Cube Options?

Thanks and Kind Regards

Ted

Ted,

The IdentityIQ Forums are a better place to post questions like this -- many more people will see this question there and you are more likely to get helpful responses.  Your question is unclear, so when you post it there, please explain what you mean by "failed identities".  What have they failed?  There is no identity attribute OOTB called "failed".

Thanks Jennifer,


Apologies for the confusion caused. I will revisit my question and post it through the IdentityIQ Forum.

Thanks and Kind Regards

Ted

A filter involving multi-valued extended link attribute
 
I'm trying to write a filter (for a population) to get all accounts of an AD app which has a specific group. For this, I need a filter on the memberOf attribute, but I cannot filter by an account attribute directly. I therefore created an extended multi-valued link attribute and set it using the following account/link mapping: 
 
  <ObjectAttribute displayName="Group Members" editMode="ReadOnly" multi="true" name="groupMembers" type="string">
    <AttributeSource name="memberOf">
      <ApplicationRef>
        <Reference class="sailpoint.object.Application" name="Active Directory App"/>
      </ApplicationRef>
    </AttributeSource>
  </ObjectAttribute>
 
Ran identity refresh task, which set the extended link attribute (in the Identity object) as follows:
          <entry key="groupMembers">
            <value>
              <List>
                <String>CN=Test Contractors,OU=Groups,OU=Identity Management,OU=Products,DC=adstg2,DC=hilton,DC=com</String>
              </List>
            </value>
          </entry>
 
 
Next, configured population's filter as follows:  
  
<GroupDefinition indexed="true" name="My Population" private="true">
  <GroupFilter>
    <CompositeFilter operation="AND">
      <Filter operation="COLLECTION_CONDITION" property="links">
        <CollectionCondition>
          <CompositeFilter operation="AND">
            <Filter operation="EQ" property="application.name" value="Active Directory App"/>
            <CompositeFilter operation="AND">
              <Filter joinProperty="LinkExternalAttribute.objectId" operation="JOIN" property="id"/>
              <Filter ignoreCase="true" operation="EQ" property="LinkExternalAttribute.attributeName" value="groupMembers"/>
              <Filter ignoreCase="true" matchMode="START" operation="LIKE" property="LinkExternalAttribute.value" value="CN=MyGroup,OU=Groups,DC=abc,DC=com"/>
            </CompositeFilter>
          </CompositeFilter>
        </CollectionCondition>
      </Filter>
    </CompositeFilter>
  </GroupFilter>
  <Owner>
    <Reference class="sailpoint.object.Identity" name="spadmin"/>
  </Owner>
</GroupDefinition>
 
But when I try to view this population, it's giving me this error:
 
javax.servlet.ServletException: org.hibernate.hql.internal.ast.QuerySyntaxException: Invalid path: 'linkExternalAttributeAlias.objectId' [select distinct  count(distinct identityAlias)  from sailpoint.object.Identity identityAlias inner join identityAlias.links identity_linksAlias0 inner join identity_linksAlias0.application identity_applicationAlias0 inner join identityAlias.links identity_linksAlias1, sailpoint.object.LinkExternalAttribute where (((upper(identity_applicationAlias0.name) = :param0 and (identity_linksAlias1.id = linkExternalAttributeAlias.objectId and upper(linkExternalAttributeAlias.attributeName) = :param1 and upper(linkExternalAttributeAlias.value) like :param2))) and identityAlias.workgroup != :param3)]
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:671)
...
Caused by: java.lang.IllegalArgumentException: org.hibernate.hql.internal.ast.QuerySyntaxException: Invalid path: 'linkExternalAttributeAlias.objectId' [select distinct  count(distinct identityAlias)  from sailpoint.object.Identity identityAlias inner join identityAlias.links identity_linksAlias0 inner join identity_linksAlias0.application identity_applicationAlias0 inner join identityAlias.links identity_linksAlias1, sailpoint.object.LinkExternalAttribute where (((upper(identity_applicationAlias0.name) = :param0 and (identity_linksAlias1.id = linkExternalAttributeAlias.objectId and upper(linkExternalAttributeAlias.attributeName) = :param1 and upper(linkExternalAttributeAlias.value) like :param2))) and identityAlias.workgroup != :param3)]
at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:138)
 
What am I doing wrong?
 
Version history: revision 2 of 2, last update Jul 26, 2023 05:56 PM.