Search syntax for multi-valued attributes - Exact match

11 Kudos

IdentityIQ supports querying for objects using Filters. These can be written in Java code (for example, when used in rules or workflows) or in a string-based filter syntax (for example, as a task argument). Searching for identities that have a specific multi-valued attribute requires a more complex filter that joins to IdentityExternalAttribute.

In Java, it looks like this:

String attrName = "myMultiValuedAttr";
String attrValue = "Attribute Name 1";
Filter filter =
Filter.and(Filter.join("id","IdentityExternalAttribute.objectId"),
Filter.eq("IdentityExternalAttribute.attributeName", attrName),
Filter.eq("IdentityExternalAttribute.value", attrValue));

Or this for case-insensitive:

String attrName = "myMultiValuedAttr";
String attrValue = "Attribute Name 1";
Filter filter =
Filter.and(Filter.join("id", "IdentityExternalAttribute.objectId"),
Filter.eq("IdentityExternalAttribute.attributeName", attrName),
Filter.ignoreCase(Filter.eq("IdentityExternalAttribute.value", attrValue)));

If you'd like to do a filter for an exact match within multi-valued attributes, the filter string will look like this:

(id.join(IdentityExternalAttribute.objectId) && IdentityExternalAttribute.attributeName == "myMultiValuedAttr" && IdentityExternalAttribute.value == "Attribute Name 1")

Or this for case-insensitive:
(id.join(IdentityExternalAttribute.objectId) && IdentityExternalAttribute.attributeName == "myMultiValuedAttr" && IdentityExternalAttribute.value i== "Attribute Name 1")

This syntax will display results with an exact match instead of a partial match. (Example: It will pull back results for "Attribute Name 1" but not "Attribute Name 1 a".)

tmbart · ‎Mar 07, 2017

Hi...I'm trying to find Active Directory accounts without the accountFlag of User Account is Disabled. I created a mulitvalue attribute, ADAccountDisabled to house this info. Per your post I have tried to find only accounts with Normal User Account but all accounts are listed. I also tried a != options and no luck. Any ideas?

Neither of these work:

((links.id.join(LinkExternalAttribute.objectId) && LinkExternalAttribute.attributeName i== "ADAccountDisabled") && LinkExternalAttribute.value != "User Account is Disabled")

((links.id.join(LinkExternalAttribute.objectId) && LinkExternalAttribute.attributeName i== "ADAccountDisabled") && LinkExternalAttribute.value == "Normal User Account")

waqarali1 · ‎Sep 08, 2024

Above works for me in a rule but when trying to filter in a population, getting an error:

Caused by: java.lang.IllegalArgumentException: org.hibernate.hql.internal.ast.QuerySyntaxException: Invalid path: 'linkExternalAttributeAlias.objectId' [select distinct count(distinct identityAlias) from sailpoint.object.Identity identityAlias inner join identityAlias.links identity_linksAlias0 inner join identity_linksAlias0.application identity_applicationAlias0 inner join identityAlias.links identity_linksAlias1, sailpoint.object.LinkExternalAttribute where (((upper(identity_applicationAlias0.name) = :param0 and (identity_linksAlias1.id = linkExternalAttributeAlias.objectId and upper(linkExternalAttributeAlias.attributeName) = :param1 and upper(linkExternalAttributeAlias.value) like :param2))) and identityAlias.workgroup != :param3)]
at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:138)

Search syntax for multi-valued attributes - Exact match