Is present and is not present on reference attributes

How can you tell whether or not a resource in FIM has a value for a reference attribute?  The tongue-in-cheek answer is “much easier than if you want to check for the presence of a non-reference attribute”.

Using the FIM XPath dialect it’s just a matter of dereferencing a resource type, e.g.

  • /Person[Manager = /Person] yields all Person resources with a Manager attribute (single-value reference).
  • /Person[DetectedRulesList = /DetectedRuleEntry] yields all Person resources with something in their DRL (multivalued reference).

But those kinds of queries are not permitted in Set definitions (see my previous post for more information on limitations in criteria-membership filters).  And if you want to react to the change in presence, e.g. you want to fire a notification activity when a Group resource no longer has an Owner or DisplayedOwner then you need a set of resources with a value at least.

To achieve this with sets you generally require two sets.  The first set defines the set of valid resources –those that make the reference valid, e.g. the “All People” set is used to ascertain whether you have a manager or not.  And the second dereferences the first, so instead of having /Group[Owner != /Person] you perform the not equal, or “not in” in the case of the filter builder, against the computed membership of the set of valid resources.  This is best served with an example or two:

The “All People” set has a resource ID of 8887df8e-6e84-49f2-a794-f9e9802077e0.  We’re going to use that in both of these examples.

Example 1: All users without a manager

Create a set where the criteria is:

Select user that match all of the following conditions:
     Manager not in All People

This will give us all users that don’t have a manager.  In XPath this looks like this:

/Person[Manager != /Set[ObjectID = '8887df8e-6e84-49f2-a794-f9e9802077e0']/ComputedMember]

Example 2: All groups without an owner

Bizarrely the filter builder doesn’t permit “in” or “not in” with multivalued reference attributes.  But the filter itself is permitted.  The UI simply cannot render it (I bugged this as a DCR and it was rejected by the way).

So we create a new set “All groups without an owner” with a dummy filter –I recommend the filter of:

Select group that match all of the following conditions:
     Displayed Owner not in All People

Note.  Because Displayed Owner is a single-value reference the Filter builder permits the use of the “not in” operator.

Open the set to edit and click Advanced view.  Click Extended Attributes and, in the Filter attribute, replace DisplayedOwner with Owner; change != to =; and enclose everything inside the square brackets inside of not().  The filter, wrapped between XML tags, should now look like this:

/Group[not(Owner = /Set[ObjectID = '8887df8e-6e84-49f2-a794-f9e9802077e0']/ComputedMember)]

Note.  The creation of filters that include the != operator with a multivalued attributes is not supported –see this post for more info.

If you want to pick up groups that don’t have an owner or displayed owner then you can extend the filter to look like this:

/Group[not(DisplayedOwner = /Set[ObjectID = '8887df8e-6e84-49f2-a794-f9e9802077e0']/ComputedMember) or not(Owner = /Set[ObjectID = '8887df8e-6e84-49f2-a794-f9e9802077e0']/ComputedMember)]

Hopefully that clears things up.

About these ads

About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in FIM, FIM 2010 and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s