Last modified 22 Apr 2021 17:31 +02:00


The search scripting expression retrieves a set of objects via searchObjects or searchObjectsIterative model call.


The input is ignored.


Objects fetched, or results of embedded scripting expression. (See Processing fetched objects below.)


Property name Meaning


Type of objects to be retrieved


Query to be executed (optional)


Search filter to be used (optional). It is mutually exclusive with query, suitable when there’s no paging to be applied. If no query nor filter is used, all objects of a given type are fetched.


Options to be used when searching. Since 3.6.


Expression to be executed for each object found (optional). See Processing fetched objects section below.


Parameters do not have static schema. Currently only one is supported:

Parameter name Meaning


If set to true, suppresses fetching account data from a resource. Overrides "noFetch" option in "options" property if present.


Retrieve the user named 'jack'
Search for account shadows for a given resource (without actually fetching them) and delete them
<s:search xmlns:s=""
        <and xmlns="">
                <value xsi:type="c:ObjectReferenceType" oid="10000000-0000-0000-0000-000000000004"/>
                <value xmlns:ri="">ri:AccountObjectClass</value>
Using query instead of searchFilter
Returns users, with the names of roleMembershipRef references resolved (and operation results hidden)
<s:executeScript xmlns:s="" xmlns:c="">

Processing fetched objects

There are two options how to process data fetched by the search expression.

  1. Process each object individually, just like in seachObjectsIterative method (in fact, this method is used to fetch the data).

  2. Process all objects at once - i.e. extract them into a list of PrismObjects, and pass this list as a whole to subsequent expressions.

As an example, let us take a simple command that takes all users and enables them.

The first option is written in XML form in the following way:

Iterative search
<s:search xmlns:s=""

During execution, the search expression will call searchObjectsIterative, and for each PrismObject found, it creates one-item PipelineData instance (PipelineData is the class encapsulating the data being exchanged between expressions), and passes it to to enable action expression. Results of the called expression (if there would be any) would be collected and then passed as an output of the search expression.

Second option, i.e. taking all data together and processing them at once, is written in the following way:

Search with bulk processing
<s:pipeline xmlns:s="">
    <s:search xmlns:c="">

In this case, search expression will take all users in one PipelineData object, and hands them over to the enable`_ action. Because common actions (_`enable among them) can act not only upon individual objects, but also on lists of objects, the result is that all users will be enabled.

This "bulk processing" model will be changed in the future, reducing the memory requirements and enabling parallelization. After that change, there will be no run-time differences between the two processing options, only syntactical ones.

Both options (using embedded action or using pipeline) have the same result. The difference is mainly in the memory requirements for executing the script on large data: The second option (pipeline) is more memory-consuming, because there a need to construct a list containing all processed objects. However, if there would be any need to work with all objects at once (e.g. to select a user with maximum number of accounts), the second option is preferable.

In usual conditions, i.e. no special requirements, and reasonably-sized data, you can use any of the options.