<resource>
...
<schemaHandling>
...
<objectType>
...
<attribute>
<ref>icfs:uid</ref>
<matchingRule>mr:stringIgnoreCase</matchingRule>
</attribute>
...
</objectType>
</schemaHandling>
</resource>
Matching Rules
feature
This page describes midPoint feature.
Please see the feature page for more details.
|
Matching rules are short expressions that can normalize and match attribute values. Attributes values are normally compared literally, e.g. strings are compared as they come from the resource in a case-sensitive manner. But this is not appropriate for all resources. Some resources use case-insensitive attributes, attributes that can have several equivalent representations (such as URL or LDAP DN) and so on. While this is usually not a problem for ordinary attributes it can be problematic when dealing with identifiers. Failure to detect that two strings match can cause problems during evaluation of identifier uniqueness and identifier allocation. This may undermine significant part of the provisioning logic.
MidPoint allows to optionally specify a matching rule for resource attribute.
The matching rule will be used to match individual values of the attribute. E.g. in this case the values of ICF UID attribute will be matched in case-insensitive way.
Matching rules are identified by QName. The design of the matching rules implementation is extensible and it may be possible to add custom matching rules in the future. However currently the set of matching rules is built-in in midPoint product.
Query matching
Note that besides in attribute definitions, matching rules can also be used in queries using the tag <matching>. An example:
<correlation>
<q:equal>
<q:matching>polyStringNorm</q:matching>
<q:path>name</q:path>
<expression>
<c:path>$account/c:attributes/icfs:uid</c:path>
</expression>
</q:equal>
</correlation>
There are some differences, though.
Some matching rules are universally applicable - in attribute definitions as well as in repository queries.
Others are usable only in the definitions (like distinguishedName
), because there are no suitable normalization algorithms that could be used directly in SQL queries.
Yet other ones exist only for the purpose of querying the repository (like the last three in the table below).
Known matching rules
Existing matching rules are summarized in the following table.
All of them have a namespace of http://prism.evolveum.com/xml/ns/public/matching-rule-3
.
Name | Applicable to | Usable in attribute definition | Usable in repository query | Description |
---|---|---|---|---|
|
all types |
yes |
yes |
Default matching rule compares the values in the default way appropriate for the data type. E.g. strings are compared in a case-sensitive way. |
|
String |
yes |
yes |
Case-ignore matching (case-insensitive). |
|
String |
yes |
no |
Matching rule for LDAP distinguished name (DN). |
|
String |
yes |
no |
A specific matching rule for Microsoft Exchange EmailAddresses attribute consisting of SMTP:/smtp: prefix and email address. It considers the case in the prefix but ignores the case in the email address. |
|
String |
yes |
no |
Matching rule for universally unique identifier (UUID). Currently, it is (almost) simple case ignore matching. |
|
String |
yes |
no |
String matching rule that compares strings as XML snippets. The XML comparison is not schema aware. It will not handle QNames in values correctly. The comparison ignores XML formatting (whitespaces between elements). |
|
PolyString |
N/A (attributes are never PolyString) |
yes |
Strict PolyString matching. Both the original part and the normalized parts are compared. |
|
PolyString |
yes |
Non-strict PolyString matching. Only the original part is compared. |
|
|
PolyString |
yes |
Non-strict PolyString matching. Only the normalized part is compared. |
|
|
PolyString |
yes; in repo only |
Case-insensitive version of |
|
|
PolyString |
yes; in repo only |
Case-insensitive version of |
|
|
PolyString |
yes; in repo only |
Case-insensitive version of |
Applicable to describes to which data types this matching rule can be used. Usable in columns provide information about applicability of the rule.
Note: "yes; in repo only" means that this matching rule is quite special, and can be used really in repository queries.
(Technically, there are no corresponding MatchingRule
classes.)