Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-11-12) FIM 2010 – NOT NOT Is Empty And NOT equal, I Think…

Posted by Jorge on 2009-11-12


For a customer, a few colleagues and I are building a FIM 2010 RC1 environment. Within this customer, internals and externals were identified as follows:

  1. Internals –> Attribute ‘SomeID’ has a value
  2. Externals –> Attribute ‘SomeID’ does not have a value

Now how would you do that in a dynamic SET as the functions ‘IsPresent’ or ‘NotPresent’ are not available?

For [1]…

SET XPATH –> /Person[SomeID != '_$$$_']

REMARKS:

  • ‘_$$$_’ is just a value, it has NO special meaning! This can be anything else as long as the value does not exist as a valid value
  • This XPATH says: All People having a value for SomeID, but it is not equal to ‘_$$$_’
  • This XPATH must be specified in the Advanced View as the GUI cannot be used

For [2]…

SET XPATH –> /Person[not(SomeID != '_$$$_')]

REMARKS:

  • ‘_$$$_’ is just a value, it has NO special meaning! This can be anything else as long as the value does not exist as a valid value
  • This XPATH says: All People not having a value for SomeID or it equals ‘_$$$_’
  • This XPATH must be specified in the Advanced View as the GUI cannot be used
  • This is a double negation and DOES NOT WORK anymore as it is NOT SUPPORTED! (was removed in RC1 and I understood it had worked in a preview of RC1)

Let’s retry this one

SET XPATH –> /Person[ObjectID != /Set[ObjectID = 'ID of Reverse SET']/ComputedMember]

REMARKS:

  • ‘ID of Reverse SET’ is the Resource ID of the SET as specified in [1] (e.g. ‘ID of Reverse SET’ = ‘ed1b12ac-e371-4b1d-9066-c53ca51af9c8’)
  • This XPATH says: All People not returned in the result of the SET as specified in [1]
  • As you can see, in this case you ALWAYS need two sets, even if you are not using the SET in [1] in some MPR

EXAMPLE…

Now let’s say you need to find all externals without an AccountName using the same logic as explained on the first lines of this post.

STEP1:

Create a SET with the following configuration:

  • Name –> All Internals
  • XPath –> /Person[SomeID != '_$$$_']

STEP2:

Create a SET with the following configuration:

  • Name –> All People with an AccountName
  • XPath –> /Person[AccountName != '_$$$_']

STEP3:

Create a SET with the following configuration:

  • Name –> All Externals without an AccountName
  • XPath –> /Person[(ObjectID != /Set[ObjectID = 'ID of the SET called All Internals']/ComputedMember) and (ObjectID != /Set[ObjectID = 'ID of the SET called All People with an AccountName']/ComputedMember)]

I do not know, but I really wonder what the impact is of this on performance as it is always calculating multiple SETs (at least more than one). Time will tell! :-)

NOTE: ‘not()’ =/= ‘!=’ :-)

‘not()’ is NOT the same as ‘!=’. For example:

SET XPATH –> /Person[SomeID != '_$$$_']

–> This XPATH says: All People having a value for SomeID, but it is not equal to ‘_$$$_’

SET XPATH –> /Person[not(SomeID = '_$$$_')]

–> This XPATH says: All People having any other value for SomeID (also including no value), but it is not equal to ‘_$$$_’
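The difference between ‘!=’ and ‘not()’ and the three-SET workaround from the EXAMPLE above, modelled in Python as an added example (not code from the original post or from FIM). The sample people, the helper names and the modelling of an attribute without a value as a missing key are assumptions; the filter semantics are the ones this post states.

```python
# Added illustration: a small Python model of the SET filters in this post.
# It follows the semantics as the post states them; it is not FIM code.
SENTINEL = "_$$$_"  # the dummy value from the post

# Constructed sample resources; a missing key means the attribute has no value.
PEOPLE = {
    "p1": {"SomeID": "1001", "AccountName": "jdoe"},  # internal, has account
    "p2": {"SomeID": "1002"},                         # internal, no account
    "p3": {"AccountName": "ext.smith"},               # external, has account
    "p4": {},                                         # external, no account
    "p5": {"SomeID": SENTINEL},                       # edge case: sentinel stored
}

def neq(attr, value):
    """/Person[attr != 'value']: a value exists and it differs from 'value'."""
    return {oid for oid, p in PEOPLE.items() if attr in p and p[attr] != value}

def not_eq(attr, value):
    """/Person[not(attr = 'value')]: no value equal to 'value' (absent counts)."""
    return {oid for oid, p in PEOPLE.items() if p.get(attr) != value}

def not_member(*sets):
    """/Person[(ObjectID != /Set[...]/ComputedMember) and ...]: in none of the sets."""
    return set(PEOPLE) - set().union(*sets)

def build_sets():
    internals = neq("SomeID", SENTINEL)             # STEP1
    with_account = neq("AccountName", SENTINEL)     # STEP2
    return {
        "All Internals": internals,
        "All People with an AccountName": with_account,
        # STEP3: complement of both helper sets
        "All Externals without an AccountName": not_member(internals, with_account),
        "Externals (reverse of All Internals)": not_member(internals),
        "not(SomeID = sentinel)": not_eq("SomeID", SENTINEL),
    }

if __name__ == "__main__":
    for name, members in build_sets().items():
        print(f"{name}: {sorted(members)}")
```

Person p5 shows why the dummy value must never occur as a valid value: a resource that actually stores it drops out of "All Internals" and lands in the external sets.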

UPDATE (11-12-2009):

For String attributes, to determine if it has a string value:

  • SET XPATH –> /Person[AttributeString != '_$$$_']

For DateTime attributes, to determine if it has a datetime value:

  • SET XPATH –> /Person[AttributeDateTime < '9999-12-31T08:00:00Z']

For Reference attributes, to determine if it has a Reference value:

  • SET XPATH –> /Person[AttributeReference = /Set[ObjectID = '<ID of SET containing possible values in AttributeReference>']/ComputedMember]

For Integer attributes, to determine if it has an Integer value:

  • SET XPATH –> /Person[AttributeInteger != 123456789123456789]
    OR
  • SET XPATH –> /Person[AttributeInteger < 123456789123456789]

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————

3 Responses to “(2009-11-12) FIM 2010 – NOT NOT Is Empty And NOT equal, I Think…”

  1. […] Read more about it here: https://jorgequestforknowledge.wordpress.com/2009/11/12/fim-2010-not-not-is-empty-and-not-equal-i-thi… […]

  2. […] specify your custom XPATH query (/Person, /Person[AccountName=’ADM.ROOT’]) (also have a look at this post and this […]

  3. more information said

    Greetings! I’ve been reading your site for some time now and finally got the bravery to go ahead and give you a shout out from New Caney Texas! Just wanted to say keep up the good job!
