not equal
notEqual
Introduction to midPoint Query Language
This page introduces the structure of the midPoint Query Language (MQL) and describes available filters.
Language Description
MQL is designed to construct complex queries.
A query is a combination of a filter and additional parts, such as paging and sorting.
Simple filters usually take the form of triplets consisting of:
-
Item path: Specifies the searchable item to which the filter is applied.
-
Filter name: Defines the name of the filter.
-
Value: Defines a value literal or item path that should be matched according to the filter specification. Note that strings need to be enclosed in quotes (
'
) or double-quotes ("
).
Some examples of valid filters are:
-
fullName = "John Doe"
-
givenName startsWith "J"
-
activation/effectiveStatus = "enabled"
Item Path
Item path specifies the item by which data are filtered. In its simplest form, it is a name of an object property, or names of items and containers separated by slashes, such as:
-
fullName
-
activation/administrativeStatus
-
attributes/uid
For details, refer to Item path.
Filter Name
The filter name, or its alias, specifies a filtering condition that should be used.
Value
Values are usually string literals enclosed in double quotes. However, values can take various forms. For example, a value may be a path to another item, e.g. when the query compares two items.
In some cases, values may be complex. The exact form of the value part of the filter depends on the operator and the type of the value.
Querying Values of Different Types
The exact syntax of queries for values of different types is described in the following table:
Type | Query | Note |
---|---|---|
boolean |
|
Boolean values do not require quotes. Valid values are |
string |
|
String values are enclosed in quotes ( |
PolystringType |
|
Values of the polystring type are enclosed in quotes ( |
int |
|
Number values do not require quotes. Only common property filters (=,>, ..) are defined for number types. |
float |
|
Number values do not require quotes. Only common property filters (=,>, ..) are defined for number types. |
dateTime |
|
DateTime values are enclosed in quotes ( |
|
While comparing time values, datetime values entered without a timezone are considered to be in the same timezone as the running midPoint. |
|
|
As datetime values contain the exact time value (down to milliseconds), you need to compare dates as intervals. |
|
ObjectReferenceType |
|
Object references are queried using the |
QName |
|
QName values (a relation in this example) are entered into queries without quotation marks. |
|
QNames may use namespaces. Unless values conflict, namespaces are not necessary in queries. In this case, both |
Simple Filters
Comparison Filters
The following table summarizes common comparison filters:
Name | Alias | Description |
---|---|---|
|
|
Matches items equal to a value. |
!= |
Matches items different from a value. |
|
|
|
Matches items smaller than a value. |
|
|
Matches items smaller or equal to a value. |
|
|
Matches items greater than a value. |
|
|
Matches items greater or equal to a value. |
familyName = "Doe"
-
Equals filter, searches for all users with the familyName of "Doe".
familyName = ("Doe", "Smith")
-
Equals multi-value filter, searches for all users with the familyName of "Doe" or "Smith".
name != "Administrator"
-
Not equals filter, searches for everyone except for "Administrator".
name != ("Administrator", "Leonardo")
-
Not equals multi-value filter, searches for everyone except for "Administrator" and "Leonardo".
activation/validTo < "2022-01-01"
-
Less filter, searches for all users that will not be valid after 2021.
In Equal (=
) and notEqual (!=
) filters, you can enclose values within brackets on the right side of the query.
The query name = ("adam","john")
provides the same results as name = "adam" or name = "john"
.
In these filters, only values are allowed within the set.
Comparison filters also support item path on the right side of filters.
For example, activation/validFrom > activation/validTo
should return all objects with incorrectly set activations, i.e. objects for which the activation starts after it ends.
Matching Rules
Comparison filters can be further enhanced with matching rules.
The syntax of a matching rule in a query is: filter[matchingRuleName]
givenName =[origIgnoreCase] "Adam"
-
Query matches all cases of "Adam" in givenName with various casings, such as 'Adam', 'adam', or 'ADAM'.
emailAddress endsWith[stringIgnoreCase] "@test.com"
-
Query matches users with email addresses that end with the "test.com" domain.
For a list of all matching rules, refer to the Matching Rules page.
String Filters
The following table summarizes additional filters that can be applied to string and polystring values.
Name | Description |
---|---|
|
Matches items starting with a specified string. |
|
Matches string properties that contain a specified substring. |
|
Matches string properties that end in a specified substring. |
|
Performs a full text search. The item path must be a dot ( |
Logical Filters
Logical filters are used to combine several subfilters into one filter, or to negate a filter, for example:
givenName = "John" and familyName = "Doe"
You can use the following logic operators:
Operator | Example | Description |
---|---|---|
|
|
All subfilters must be |
|
|
Any of the subfilters has to be |
|
|
Logical negation where |
You can use brackets to group logical statements for better readability, for example:
familyName = "Doe" and (givenName = "John" or givenName ="Bill")
Object Selection
Midpoint performs queries over a defined set of objects. In GUI, this set is defined by the currently opened view.
In configuration, the object type must be explicitly specified for a query.
However, not within the query itself.
See the configuration snippet below in which the query selects User
with the name "XYZ".
<activity>
<work>
<recomputation>
<objects>
<type>UserType</type>
<query>
<q:filter>
<q:text>name = "XYZ"</q:text>
</q:filter>
</query>
</objects>
</recomputation>
</work>
</activity>
Advanced Filters
Matches Filter
The Matches filter operates on a container or a structured value, and specifies conditions that must be met by a single container value.
It is in the form of itemPath matches (subfilter)
, where subfilter
(and item paths) are relative to the container, for example assignment/validTo < "2022-01-01"
is the same as assignment matches (validTo < "2022-01-01")
.
The subfilter
is any of the supported filters in which paths are relative to the container.
It enables you to specify multiple conditions (joined using Logical Filters) that must be met by container values.
An example of the matches filter:
activation matches ( validFrom > "2022-01-01" and validTo <"2023-01-01" )
For filters that match multiple properties of multi-value containers (such as If these multiple criteria are to be met by a single container value, you must use the Matches filter. The filter |
inOid Filter
You can query objects by their object identifiers (OID) in inOid filters.
An inOid query is a triplet consisting of an object representation, an inOid
filter, and a list of OID values enclosed in brackets.
The midPoint object is represented by the dot (.
) character.
An example of querying one specific object by its OID:
. inOid ("00000000-0000-0000-0000-000000000702")
An example of querying 2 specific objects by their OIDs:
. inOid ("eb21455d-17cc-4390-a736-f1d6afa82057", "87e048ae-6fcf-47bb-a55e-60acb8604ead")
Reference Filters
Reference filters match references utilizing Matches filters on properties of referenced objects, using the dereferencing operator (@
).
You can also perform inverse queries using a referencedBy filter to search for an object by properties of its referencer. For example, you can search for roles by properties of their members.
Matches Filter in References
A reference is a structured value which contains the target OID, type, and relationship.
You can use Matches filters with nested subfilters to target these properties of an object reference:
-
oid matches the target OID exactly (UUID as a string). Example:
assignment/targetRef matches (oid = efaf89f4-77e9-460b-abc2-0fbfd60d9167)
-
relation matches any reference with a specified relation (QName). Example:
roleMembershipRef matches (relation = manager)
-
targetType matches any reference with a specified target type (QName). Example:
roleMembershipRef matches (targetType = OrgType)
It is possible to match any combination of these three properties of a reference, however, only equals
and and
filters are supported.
roleMembershipRef matches ( oid = "bc3f7659-e8d8-4f56-a647-2a352eead720" and relation = manager and targetType = OrgType )
If you need to query referenced objects of a specified type you must use the targetType keyword. See the example above. |
Dereferencing
With dereferencing, you can write filter conditions which are executed on referenced objects.
Dereferencing is done using the @
special character in the item path after the reference.
For example, the assignment/targetRef/@
item path points to an object referenced by targetRef
instead of targetRef
itself.
This enables you to enhance paths with properties of referenced objects, such as assignment/targetRef/@/name
which means the name
of the assigned object.
For example, dereferencing enables you to search for users with a specific assigned role by the role name instead of its OID, even if the execution time will be slightly longer since we need to dereference objects.
assignment/targetRef/@/name = "Superuser"
matches any user who is directly assigned the superuser role.
|
Dereferencing Inside Reference Matches Filter
This feature is currently supported only in the midPoint native repository. It is not supported in authorizations, in-memory and in resource searches.
You can use dereferencing inside a Reference Matches filter to match properties of a reference, and also properties of its target.
In order to match a target, you can use dereferencing and matching: @ matches (…)
.
Business Role
archetypeassignment/targetRef matches ( (1) targetType = RoleType (2) and relation = manager (3) and @ matches ( (4) archetypeRef/@/name = "Business Role" (5) ) )
1 | We are matching references in assignment/targetRef . |
2 | The type of the referenced target should be RoleType . |
3 | The relation of users to the assigned role is manager . |
4 | We dereference the target and match its properties. |
5 | Name of the role archetype should be Business Role .
This is done by dereferencing archetypeRef , using @ in the item path. |
referencedBy Filter
With referencedBy filters, you can find objects based on properties of objects that reference them since the object as a whole is referenced in the item path.
In order to use a referencedBy filter, you must also specify the type
of objects which it references, and the path
of the object reference which is used for the reference (e.g. assignment/targetRef
or inducement/targetRef
).
. referencedBy ( (1) @type = UserType (2) and @path = assignment/targetRef (3) and name = "Administrator" (4) )
1 | . referencedBy is the filter name. |
2 | @type (required) is a special filter property which specifies the type of objects that should be considered when evaluating the filter. In this case, we are interested in users. |
3 | @path (required) is a special filter property which specifies which object reference should be used in the filter.
In this case, we are interested in directly assigned roles (assignment/targetRef ). |
4 | The filter which the referencing object must match.
In this case, the name of the referencing object must be Administrator . |
referencedBy filters are not supported for object references defined via schema extensions. |
ownedBy Filter
ownedBy filters are currently only supported in the midPoint native repository. They are not supported in authorizations, in-memory, and in resource searches.
With ownedBy filters, you can match indexed containers based on the properties of their parent, i.e. the owning object or container.
The syntax of this filter is similar to that of the referencedBy filter.
You can only apply ownedBy filters to the current object path (.
).
The properties of ownedBy filter are:
-
type: (Required) Defines the type of the parent/owner.
-
path: Defines the name/location of the container inside the parent.
-
filter: Specifies a filter to which the parent needs to conform. The filter is an explicit element in XML/YAML/JSON. In midPoint queries, any filter that is not a special property of ownedBy is automatically treated as a nested filter.
. ownedBy ( @type = AbstractRoleType and @path = inducement)
Organization Filters
Organization filters are used to filter objects based on their organization membership.
These filters operate on an object as a whole and so the item path must be .
(the dot).
Name | Value | Description |
---|---|---|
inOrg |
OID (UUID) |
Matches an object if it is a part of an organization unit or its subunits. |
isRoot |
N/A |
Matches an object if it is the organization root. This filter does not have any values. |
. inOrg "f9444d2d-b625-4d5c-befd-36c9b5861ac4"
-
Matches all objects that are members of the specified organization and all its subunits (whole SUBTREE).
. inOrg[ONE_LEVEL] "f9444d2d-b625-4d5c-befd-36c9b5861ac4"
-
If you only need to match users in a specified organization, use the ONE_LEVEL matching rule.
. isRoot
-
Matches all roles and organization units that are organization tree roots.
Similarity Filters
Similarity filters are only supported in the midPoint native repository.
To perform fuzzy (not exact) matching, midPoint query language provides 2 filters: levenshtein
and similarity
.
Contrary to other filters, the right side of the query consists of a triplet of parameters enclosed in brackets. Their meaning is explained in following table:
Name | Value | Description | Parameters |
---|---|---|---|
Levenshtein |
(value, threshold, inclusive) |
Matches objects for which the queried attribute has the Levenshtein distance lower than (or equal to, depending on the inclusive parameter value) the specified threshold. |
|
Similarity |
(value, threshold, inclusive) |
Matches objects for which the queried attribute has similarity greater than (or equal to, depending on the inclusive parameter value) the specified threshold. |
|
As similarity filters are implemented using levenshtein PostgreSQL function and similarity PostgreSQL function, they only work with the native repository.
name levenshtein ("ang",2,true)
-
Matches all users whose name attribute has Levenshtein distance 2 or lower from the string "ang".
name levenshtein ("ang",2,false)
-
Matches all users whose name has Levenshtein distance lower than 2 from the string "ang".
name similarity ('gren', 0.5, true)
-
Matches all users whose name has similarity of 0.5 or lower from the string 'gren'.
The Levenshtein distance between two strings is the number of modifications required to transform one string (s1) into the other string (s2). It allows for single-character edits such as deletion, insertion, and substitution. For example, for s1=“helloIndia” and s2=“halloindia,” the Levenshtein distance is 2. |
Other Filters
Name | Value | Description |
---|---|---|
exists |
N/A |
Matches an item if it exists, i.e. if it has a value. This filter does not have a value. |
type |
object type |
Matches an object if it is of the specified type. This is usually used in combination with the |
Filtering All Objects of Specified Type
Sometimes, in configuration files, you need to select all objects of a specific object type. An example of such a case would be selecting all users in midPoint through an object collection.
To select all objects, just omit the <filter>
element in the query, or the entire query.
The object collection below lists all roles (all objects of RoleType) in midPoint.
<objectCollection oid="72b1f98e-f587-4b9f-b92b-72e251dbb255">
<name>All roles</name>
<type>RoleType</type>
</objectCollection>
Basic Query Examples
This section provides examples of MQL role queries that can be utilized when configuring midPoint.
For additional examples, refer to Query Examples.
Search by Archetype Name
You can search for reports with an archetype using the archetype name:
archetypeRef/@/name = "Report export task"
Where archetypeRef/@
specifies that we are not matching a reference value but its target. In this case, it is an archetype.
Search by Assigned Role Name
assignment/targetRef/@/name = "Role Name"
Where assignment/targetRef/@
specifies that we are not matching a reference value but its target. In this case, it is an assigned role.
Users with Account on Specific Resource
You can search for users who have an account specified resource by using the default intent.
linkRef/@ matches ( . type ShadowType and resourceRef matches (oid = "ff735c0a-21e3-11e8-a91a-df0065248d2d") and intent = "default" )
Where:
-
linkRef/@
specifies the dereference target oflinkRef
. This behaves similarly to SQLJOIN
and enables you to filter properties of the target. -
matches
specifies a subfilter for the dereferenced target, i.e. the filter thatlinkRef
must match.-
. type ShadowType
searches for shadows on the resource. This is necessary to be able to use shadow properties for the filter. -
resourceRef matches (oid = "…" )
matches a specific resource to which the shadow belongs. -
intent = "default"
matches the shadow with the default intent.
-
All Roles which Are Assigned to System Users
UserType
in a referencedBy filter. referencedBy ( @type = UserType and @path = assignment/targetRef and archetypeRef/@/name = "System user" )
AssignmentType
in a referencedBy filter. referencedBy ( @type = AssignmentType and @path = targetRef and . ownedBy ( @type = UserType and @path = assignment and archetypeRef/@/name = "System user" ) )
All Roles Assigned Using Inducement
The following filter is only supported in the midPoint native repository.
. referencedBy ( @type = AbstractRoleType and @path = inducement/targetRef )
All Roles Assigned to Administrator Using Full Text Search
. referencedBy ( @type = UserType and @path = roleMembershipRef and . fullText "administrator" )
Search Assigned Role Using Full Text Search
assignment/targetRef/@ matches ( . fullText "secret" )