Query Examples

Find users with a specific given name.

givenName = "John"

Find users with the last name starting with a specific string.

familyName startsWith "Wo"

Find roles with the name ending with a specific string.

name endsWith "LAST"

Searching in All roles view.

Find services where the Application URL extension attribute contains a specific string.

extension/appUrl contains "mycompanyname.com"

Attributes specific to a deployment are in objects stored as extension attributes in the <extension> XML element.

To search for these attributes, you need to include "extension/" in the attribute name.

Find disabled users in the All users view.

activation/administrativeStatus = "disabled"

Find multiple roles specified by name.

name = ("Role A", "Role B", "Role C")

The = and != filters allow specifying sets of values.

Search by attributes in referenced objects

Find a user with a specific assignment.

assignment/targetRef/@/name = "End user"

The dereferencing operator “@” states that everything coming after it relates to the referenced object.

Find users with an indirectly assigned service object.

roleMembershipRef/@/name = "SAP application"

The indirect assignment of a service object represents "access to application".

Find users of a specific archetype.

archetypeRef/@/name = "External Users"

Find members (not owners) of the ABC role.

assignment/targetRef matches (relation = org:default and @ matches (name = "ABC"))

The role owners have the role assigned as relation = owner. This query only captures users with the default relation.

Logical operators in search

Find all external users with a specific given name.

archetypeRef/@/name = "External Users" and givenName = "John"

Search by dates and times

Find all users created after a particular date.

metadata/createTimestamp > "2022-09-21"

Find all users created on a particular date (e.g. 22/10/2022).

metadata/createTimestamp >= "2022-10-22" and metadata/createTimestamp < "2022-10-23"

createTimestamp is a datetime value. The value containing time is larger than the value that only contains the date, i.e. 2022-10-22T01:05:13 is larger than "2022-10-22".

Find users modified at a specific second.

metadata/modifyTimestamp >= "2022-10-02T12:53:32"and metadata/modifyTimestamp < "2022-10-02T12:53:33"

Search by object OID

Find 1 object specified by its OID.

. inOid ("eb21455d-17cc-4390-a736-f1d6afa82057")

The list of OIDs may contain one or more OIDs.

Find users with directly assigned specific roles.

assignment/targetRef/@/name = "End user"

Find users with specific roles assigned (directly or indirectly).

roleMembershipRef/@/name = "End user"

roleMembershipRef contains both direct and indirect assignments.

Note that roleMembershipRef may not be up-to-date if the role definition was updated, and if its members were not recomputed.

Find users without a service assigned (directly or indirectly).

roleMembershipRef not matches (targetType = ServiceType)

roleMembershipRef contains both direct and indirect assignments.

Find users without a role or service assigned (directly or indirectly).

roleMembershipRef not matches (targetType = RoleType) AND roleMembershipRef not matches (targetType = ServiceType)

Find roles without inducements.

inducement not exists

This combines the exists and not operators. Cannot be used with assignments if roles have assigned archetypes.

Find users without a directly assigned role or service.

assignment/targetRef not matches ( targetType = RoleType) AND assignment/targetRef not matches ( targetType = ServiceType)

The assignment attribute only contains direct assignments.
The query is complex because each user has at least one assignment (the archetype assignment).

Find owners of roles, i.e. users with roles to which they are assigned as owners.

assignment/targetRef matches (targetType=RoleType and relation=owner)

The relation value is of the QName type and therefore no quotation marks are used.
The namespace (org:owner) is optional.
See Matches filter in references.

Find users with accounts in a specific resource.

linkRef/@ matches (
. type ShadowType
and resourceRef matches (oid = "093ba5b5-7b15-470a-a147-889d09c2850f")
and intent = "default" )

The resource is identified by OID.

Find users with an account in a specific resource.

linkRef/@ matches (
. type ShadowType
and resourceRef/@/name = "LDAP"
and intent = "default" )

Same as the previous query, only in this case, the resource is identified by its name.

Find users who have roles with specific extension attributes assigned.

assignment/targetRef/@ matches (
. type RoleType and extension/sapType="SAP555")

This is a complex query that searches for all assignments of a role identified by the value of a specific extension attribute.
In this case, the . type RoleType type filter clause is necessary as midPoint needs to know which type of object to search for using the extension attribute.

Searching within ORGs

Find all users who are members of an ORG.

. inOrg[ONE_LEVEL] "fee70b8b-e7c3-4f62-af7c-7d5095100775"

The dot describes the user object.
The ONE_LEVEL matching rule limits the search to the specified ORG only. If omitted, the query will search for a specified organization unit and its subunits. It makes no difference if the user is a member or manager of the ORG.

Find all users who are members of an ORG specified by its name.

parentOrgRef/@/name = "DeptA"

The query is the same as the previous query, only in this case, the ORG is conveniently specified by its name.

Find a manager of an ORG.

parentOrgRef matches (relation=org:manager and @ matches (name = "DeptA"))

If the ORG is specified by its name, then the @ matches (name = "DeptA") construction is necessary.
The relation=org:manager filter must be used without quotes.

Searching in referenced objects

With MQL, you can search in objects that are referenced by other objects.

In the roles view, find all roles that are assigned to a specific user.

. referencedBy (@type = UserType AND name = "adam" AND @path = assignment/targetRef)

The dot is important in the query as it specifies the object.
The exact meaning of the query is: "Return objects that are referenced in the user named "adam" in the attribute assignment/targetRef."

Find all shadows with the "Suspicious" object mark.

effectiveMarkRef/@/name = "Suspicious"

If used within the resource Accounts or Entitlements panels in GUI, the query returns only shadows related to the particular resource.

Find all users that have shadows with the "Suspicious" object mark.

linkRef/@/effectiveMarkRef/@/name = "Suspicious"

The exact meaning of the query is: "Return objects with linked shadows that have an active object mark with the name Suspicious."

Find all assigned roles.

. matches (targetType = RoleType)

You can also use ServiceType for services or OrgType for organizational units.

Find all accesses starting with the gallery in the display name.

@/displayName startsWith "gallery"

The view shows display names of objects, i.e. searching for a name element could return confusing results if the name and displayName are different.

Find all applications to which a user has access.

@/archetypeRef/@/name="Application"

This searches for all references with the "Application" archetype. You can search for "Application role" or "Business role" in the same way.

Find all directly assigned roles.

targetRef matches (targetType = RoleType)

Find all assignments (roles or other) with the name starting with "C".

targetRef/@/name startsWith "C"

Dereferencing (searching with “@”) only works in the assignment panel when repository search is enabled.

Find all tasks running on users.

affectedObjects/activity/objects/type = "c:UserType"

Find all tasks that perform reconciliation.

affectedObjects/activity/activityType = "c:reconciliation"

Include namespace specification "c:" in the activity type.
Technically, the reconciliation tasks may be searched also via archetype.

Find all tasks that perform an operation with the XYZ resource.

affectedObjects/activity/resourceObjects/resourceRef/@/name = "XYZ"

Find all tasks that perform reconciliation on the XYZ resource.

affectedObjects/activity/activityType = "c:reconciliation" and affectedObjects/activity/resourceObjects/resourceRef/@/name = "XYZ"

You can use archetypes or resource OIDs, however, dereferenced names are easier to read.

Find all simulation tasks.

affectedObjects/activity/executionMode = "preview"

Simulation tasks are in the "preview" mode. Standard tasks that also execute changes have the "full" execution mode.

Find all events initiated by a specific user.

initiatorRef/@/name = "administrator"

Find all events related to a specific user.

targetRef/@/name="johndoe"

This is also possible via object OID, without dereferencing: targetRef matches (oid = "a560613e-ce4c-4020-a7c7-3de1af706234")

Find all events in a specific day.

timestamp >= "2023-09-18" and timestamp < "2023-09-19"

Find all events within a specific time range.

timestamp >= "2023-09-19T11:00:00" and timestamp < "2023-09-19T13:10:00"

Find all events of a specific type.

eventStage = "request"

Find all events in which a specific attribute was updated.

changedItem = c:fullName

Include the "c:" prefix in the name of the attribute.
This query finds all events in which the "fullName" attribute was modified.

Find all failed events since a specific date.

outcome != "success" and timestamp > "2023-09-18"

You cannot use scripting in GUI searches. Therefore, the dates must be defined explicitly and updated if necessary.

Find all events related to the "XYZ" resource.

delta matches (resourceName = "XYZ")

You can also use the resource OID, without dereferencing: delta matches (resourceOid = "71dcd12f-dba3-437e-bc0d-b021d937832d")

Find all events related to the "john" account in the "XYZ" resource.

delta matches (resourceName = "Target2-with-roles" and shadowKind = "account" and objectName = "john")

The delta components resourceName and objectName contain values relevant during the event creation. These may be modified at a later point.

Find all events related to user "JohnDoe" in the "XYZ" resource.

targetRef/@/name="JohnDoe" and delta matches (resourceName = "XYZ")

While the previous query was searching for modifications of an account in a resource, this query provides audit events in the specified resource related to a specific user (not only accounts but potentially also entitlements or accounts with different names).

Find all events generated by specific task (any run).

taskOID="4a9b055d-2d31-474a-8e39-6a2e6ac104a2"

Find all events generated by a specific task (single run).

taskIdentifier = "1695198082065-43516-1"

The task identifier is unique for each run of the task.

Find all object modifications that did not go well.

eventType = "modifyObject" and eventStage = "execution" and outcome != "success"

Searching in audit deltas

Find all events in which accounts in the "XYZ" resource were created or modified.

delta matches (resourceName = "XYZ" and shadowKind = "account")