
Search Expressions

Definition

Search Expressions are a domain-specific language used to search objects (Managed Objects, Reporting collections,…) or to express constraints on them.

They are composed of Property Expressions (e.g. firstName LIKE 'John*') and Functions, combined with Logical Operators (AND, OR, NOT):

CODE
securityOrganization <<= 'Finance' AND hasRoleMatching(role IN ('sap_user', 'sap_admin'))

Property Expression

A Property Expression expresses a constraint on a single object property. For Managed Objects, those properties are the Object Attributes.

They consist of a Property, an Operator and Values, for instance firstName = 'John'.

Expression operators

The table below lists all the available operators.

Available operators depend on the use case

| Operator | Formula Operator | Values count | Meaning for mono-valued Properties | Meaning for multi-valued Properties | Allowed value type |
|---|---|---|---|---|---|
| EQUALS | = | 1 | The Property must be exactly equal to the specified value. | At least one Property Value matches the constraint | All |
| EQUALS_LIKE | ~ | 1 | Same as EQUALS but case insensitive. | At least one Property Value matches the constraint | String |
| NOT_EQUALS | != | 1 | The negation of EQUALS. | At least one Property Value matches the constraint | All |
| NOT_EQUALS_LIKE | !~ | 1 | Same as NOT_EQUALS but case insensitive; the negation of EQUALS_LIKE. | At least one Property Value matches the constraint | String |
| LIKE | LIKE | 1 | Allows for more extensive searches, using wildcards (e.g. ma*). Case insensitive. | At least one Property Value matches the constraint | String |
| NOT_LIKE | NOT LIKE | 1 | The negation of LIKE. | At least one Property Value matches the constraint | String |
| STARTS_WITH | STARTS WITH | 1 | Searches for strings that begin with a given substring. Case sensitive. | At least one Property Value matches the constraint | String |
| STARTS_WITH_LIKE | STARTS WITH LIKE | 1 | Same as STARTS_WITH but case insensitive. | At least one Property Value matches the constraint | String |
| ENDS_WITH | ENDS WITH | 1 | Searches for strings that end with a given substring. Case sensitive. | At least one Property Value matches the constraint | String |
| ENDS_WITH_LIKE | ENDS WITH LIKE | 1 | Same as ENDS_WITH but case insensitive. | At least one Property Value matches the constraint | String |
| CONTAINS | CONTAINS | 1 | Searches for strings that contain a given substring. Case sensitive. | At least one Property Value matches the constraint | String |
| CONTAINS_LIKE | CONTAINS LIKE | 1 | Same as CONTAINS but case insensitive. | At least one Property Value matches the constraint | String |
| BETWEEN | BETWEEN | 2 | Searches for a value between a minimum and a maximum. | All Property Values match the constraint | Integer Number, Decimal Number, Date, Date & Time |
| IN_LAST | IN LAST | 1 | Searches for a past date, within a given period. | All Property Values match the constraint | Period |
| IN_NEXT | IN NEXT | 1 | Searches for a future date, within a given period. | All Property Values match the constraint | Period |
| IN_THE_PAST | IN THE PAST | 0 | Searches for a past date (the period cannot be chosen; it is defined according to the current date). | All Property Values match the constraint | Date & Time |
| IN_THE_FUTURE | IN THE FUTURE | 0 | Searches for a future date (the period cannot be chosen; it is defined according to the current date). | All Property Values match the constraint | Date & Time |
| IN | IN | 1 or more | The Property must be exactly equal to one of the specified values. | At least one Property Value matches the constraint | Integer Number, Decimal Number, String, Date, Date & Time |
| NOT_IN | NOT IN | 1 or more | The negation of IN. | At least one Property Value matches the constraint | Integer Number, Decimal Number, String, Date, Date & Time |
| GREATER | > | 1 | Searches for values strictly greater than a value. | All Property Values match the constraint | Integer Number, Decimal Number, Date, Date & Time |
| GREATER_OR_EQUALS | >= | 1 | Searches for values greater than or equal to a value. | All Property Values match the constraint | Integer Number, Decimal Number, Date, Date & Time |
| LESS | < | 1 | Searches for values strictly less than a value. | All Property Values match the constraint | Integer Number, Decimal Number, Date, Date & Time |
| LESS_OR_EQUALS | <= | 1 | Searches for values less than or equal to a value. | All Property Values match the constraint | Integer Number, Decimal Number, Date, Date & Time |
| BELOW | << | 1 | Searches for children strictly below an Organization. The Organization is not included. | At least one Property Value matches the constraint | Organization Reference |
| BELOW_OR_EQUALS | <<= | 1 | Searches for children below an Organization. The Organization is included. | At least one Property Value matches the constraint | Organization Reference |
| JUST_BELOW | <<! | 1 | Searches for direct children of an Organization. | At least one Property Value matches the constraint | Organization Reference |
| ABOVE | >> | 1 | Searches for ancestors strictly above an Organization. The Organization is not included. | At least one Property Value matches the constraint | Organization Reference |
| ABOVE_OR_EQUALS | >>= | 1 | Searches for ancestors above an Organization. The Organization is included. | At least one Property Value matches the constraint | Organization Reference |
| JUST_ABOVE | >>! | 1 | Searches for objects just above an Organization (belonging to the parent of the given Organization id). | At least one Property Value matches the constraint | Organization Reference |
| IS_NULL | IS NULL | 0 | Displays all results with an attribute that is not blank or empty. | Not applicable | All |
| IS_NOT_NULL | IS NOT NULL | 0 | The negation of IS_NULL. | Not applicable | All |

Dotted Property Paths

It is possible to express constraints on referenced objects using dotted property paths, like manager.firstName.

For instance, for Managed Objects, manager.firstName = 'John' would match all identities whose manager’s first name is John.

Logical Operators

Logical operators AND, OR and NOT are used to combine Search Expressions (including other Logical Operators).

For instance: (firstName = 'John' OR firstName = 'Jane') AND lastName = 'Doe'

The Empty Expression

The Empty Expression () is a special Expression matching everything. Its negation NOT () matches nothing.

Search Expression Functions

Search Expression functions accept one or more Search Expression arguments. They are built-in tools for implementing complex scenarios that cannot be expressed simply with search expressions:

  • Search Identities having at least one Role Assignment matching a criterion: hasRoleMatching(role = 'someRole' AND status = 'ASSIGNED')

  • Search Identities having a Security Organization matching a criterion: hasSecurityOrganizationMatching(id BELOW_OR_EQUALS 'europe' AND NOT (id BELOW_OR_EQUALS 'france'))

  • Role Request engine, to find assignable Roles based on Role Request Policies

  • Object Recertification Metadata, to find the recertifications of an object: hasRecertificationMetadataMatching(recertifiedAt IN LAST 'P3M')

  • Etc.

Usage

UI

In the user portal, Search Expressions are one of the two means of searching objects, complementing full-text search.

They can be input either graphically for simple expressions, or using a DSL for complex cases:

Search Expression using the UI

Text DSL

Depending on configuration, Search Expression may be input in plain text:

CODE
securityOrganization <<= 'Finance' AND hasRoleMatching(role IN ('sap_user', 'sap_admin'))

Formula search with a text DSL Search Expression

Property Expressions

Property Expressions must be written as <property name> <operator> <value>:

CODE
firstName = 'John'

Syntax rules:

  • Property name may be a single property (firstName) or a dotted Property Path (manager.securityOrganization.type).

  • Property names that do not start with a Latin letter or an underscore, or that contain characters other than Latin letters and numbers, must be quoted with double quotes ("), e.g. "some \"weird\" property".

  • Operators are the Formula Operators in the table above.

  • Use parentheses for the IN and NOT IN operators, e.g. firstName IN ('John', 'Jane')

  • Use an AND separator for BETWEEN operator: enabledFrom BETWEEN '2022-01-01T00:00:00Z' AND '2023-01-01T00:00:00Z'

  • String values must be quoted using single quotes ('), e.g. 'John \'Johnny\' Doe'

  • Date and Date & Time values must be written as ISO-8601 strings, e.g. '2022-11-04' / '2022-11-04T07:30:43Z'

  • Numbers must be written using the dot (.) as decimal separator, e.g. -42, +43.756
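The syntax rules above, applied when an expression is assembled from user-supplied values, as an added example (not product code). The helper names `literal` and `prop`, the operator subset, and the doubling of backslashes are assumptions of this example.

```python
import re
from datetime import date, datetime, timezone

# Property names and operators come from code, never from user input.
_PATH = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*\Z")
# Formula Operator -> (min, max) value count, a subset of the operator table.
_ARITY = {"=": (1, 1), "!=": (1, 1), "~": (1, 1), "LIKE": (1, 1),
          "CONTAINS": (1, 1), "<<=": (1, 1), "BETWEEN": (2, 2),
          "IN": (1, None), "NOT IN": (1, None), "IS NULL": (0, 0)}

def literal(value):
    """Render one value as a DSL literal following the syntax rules."""
    if isinstance(value, bool):
        raise TypeError("boolean literals are not covered by the syntax rules")
    if isinstance(value, int):
        return str(value)
    if isinstance(value, datetime):          # checked before date (subclass)
        if value.tzinfo is None:
            raise ValueError("datetime must be timezone-aware")
        utc = value.astimezone(timezone.utc)
        return "'" + utc.strftime("%Y-%m-%dT%H:%M:%SZ") + "'"
    if isinstance(value, date):
        return "'" + value.isoformat() + "'"
    if isinstance(value, str):
        # Assumption: backslash is the escape character, so it is doubled
        # first; otherwise a trailing "\" would swallow the closing quote.
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    raise TypeError(f"unsupported value type: {type(value).__name__}")

def prop(name, op, *values):
    """Build '<property name> <operator> <value>' with escaped values."""
    if not _PATH.match(name):
        raise ValueError(f"unexpected property name: {name!r}")
    if op not in _ARITY:
        raise ValueError(f"operator not allowed: {op!r}")
    lo, hi = _ARITY[op]
    if len(values) < lo or (hi is not None and len(values) > hi):
        raise ValueError(f"wrong number of values for {op}")
    lits = [literal(v) for v in values]
    if op in ("IN", "NOT IN"):
        return f"{name} {op} ({', '.join(lits)})"
    if op == "BETWEEN":
        return f"{name} BETWEEN {lits[0]} AND {lits[1]}"
    return " ".join([name, op] + lits)
```

A value such as `x' OR firstName LIKE '*` stays inside one string literal, so it cannot widen the population the expression selects.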

Operator Expressions

One may combine arbitrary Search Expressions using the AND, OR and NOT operators, and parentheses:

CODE
(securityOrganization <<= 'Finance' OR securityOrganization <<= 'Sales') AND hasRoleMatching(role IN ('sap_user', 'sap_admin'))

Functions

Function Expressions must be written as <function name>(<argument1>, <argument2>,...):

CODE
hasRoleMatching(role IN ('sap_user', 'sap_admin'))

Syntax rules:

  • Function names follow the same quoting rules as Property names

  • Function arguments are always Search Expressions, separated by commas (,)

XML configuration

Search Expressions appear in the Configuration mostly in Scopes:

  • Features: Feature Scope, Search widgets, Reporting Widgets,…

  • Policies

  • Reference Attributes

They use the dedicated search namespace.

Property Expressions

XML
<search:Prop op="EQUALS" name="enabled">
    <value>true</value>
</search:Prop>
XML
<search:Prop op="IN" name="firstName">
    <value>John</value>
    <value>Jane</value>
</search:Prop>

In the context of Dynamic Scopes, the value element may contain Groovy code:

XML
<search:Prop op="EQUALS" name="manager">
    <value script="true">OBJECT.id</value>
</search:Prop>

See Scopes for further details.

Logical Expressions

XML
<search:And>
    <search:Prop op="EQUALS" name="lastName">
        <value>Doe</value>
    </search:Prop>
    <search:Prop op="EQUALS" name="firstName">
        <value>John</value>
    </search:Prop>
</search:And>
XML
<search:Or>
    <search:Prop op="EQUALS" name="firstName">
        <value>Jane</value>
    </search:Prop>
    <search:Prop op="EQUALS" name="firstName">
        <value>John</value>
    </search:Prop>
</search:Or>
XML
<search:Not>
    <search:Prop op="EQUALS" name="manager.firstName">
        <value>John</value>
    </search:Prop>
</search:Not>

Empty Expression

XML
<search:Empty/>

Functions

XML
<search:Func name="hasRoleMatching">
    <search:And>
        <search:Prop op="EQUALS" name="status">
            <value>ASSIGNED</value>
        </search:Prop>
        <search:Prop op="EQUALS" name="role.application">
            <value>o365</value>
        </search:Prop>
    </search:And>
</search:Func>
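
An added example, not product code, for reviewing scopes in configuration: it renders the XML forms above as text and lists every `script="true"` value, since those hold Groovy code. The namespace URI in the sample is a placeholder, the function names are hypothetical, and the rendering is meant for reading rather than as a guaranteed round-trip.

```python
import xml.etree.ElementTree as ET

# Operator name -> Formula Operator, a subset of the operator table.
OPS = {"EQUALS": "=", "NOT_EQUALS": "!=", "LIKE": "LIKE", "IN": "IN",
       "NOT_IN": "NOT IN", "BELOW_OR_EQUALS": "<<=", "IS_NULL": "IS NULL"}

def local(node):
    """Element name without its namespace, so the namespace URI is irrelevant."""
    return node.tag.rsplit("}", 1)[-1]

def render(node, scripts):
    """Text form of one search element; script values are appended to scripts."""
    tag = local(node)
    if tag == "Empty":
        return "()"
    if tag in ("And", "Or"):
        return "(" + f" {tag.upper()} ".join(render(c, scripts) for c in node) + ")"
    if tag == "Not":
        return "NOT (" + render(node[0], scripts) + ")"
    if tag == "Func":
        return node.get("name") + "(" + ", ".join(render(c, scripts) for c in node) + ")"
    if tag != "Prop":
        raise ValueError(f"unexpected element: {tag}")
    name, values = node.get("name"), []
    for v in (c for c in node if local(c) == "value"):
        if v.get("script") == "true":
            scripts.append((name, v.text or ""))   # Groovy, needs code review
            values.append("<script>")
        else:
            text = (v.text or "").replace("\\", "\\\\").replace("'", "\\'")
            values.append("'" + text + "'")
    op = OPS[node.get("op")]
    if op in ("IN", "NOT IN"):
        return f"{name} {op} ({', '.join(values)})"
    return " ".join([name, op] + values)

def audit(xml_text):
    """Return (text rendering, [(property, script source), ...]) for one scope."""
    scripts = []
    return render(ET.fromstring(xml_text), scripts), scripts

# Constructed sample; the namespace URI is a placeholder, not the product's.
SAMPLE = """<search:And xmlns:search="urn:example:search">
  <search:Prop op="EQUALS" name="manager"><value script="true">OBJECT.id</value></search:Prop>
  <search:Func name="hasRoleMatching">
    <search:Prop op="IN" name="role"><value>sap_user</value><value>sap_admin</value></search:Prop>
  </search:Func>
</search:And>"""
```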

Groovy Rules

A Groovy DSL is available to easily construct search expressions:

GROOVY
def emptyExpression = expr {}
def firstNameAndLastNameConstraint = expr {firstName.eq("John") & lastName.eq("Doe")}
def hasO365Role = expr {hasRoleMatching(status.eq(RoleAssignmentStatus.ASSIGNED) & prop("role.application").eq("o365"))}

See Rules and Actions API for further details.

Special builtin attributes

Some built-in attributes, especially on Identities, are not of a simple type (String, Integer,…). This section explains how to search on them.

Identity Rights

To match Identities having a Right Grant, use a Property Expression with the EQUALS or IN operators on the rights Attribute. The Property Expression value must be a String of the form <right name>:<right target>:<right privilege> where each part can be omitted:

  • Match all identities having a specific right, with any target or privilege:

    CODE
    rights = 'app.o365.access'
  • Match all identities having a specific right on a specific target, with any privilege:

    CODE
    rights = 'user.manager:France'
  • Match all identities having a specific right on any target, with a specific privilege:

    CODE
    rights = 'feat.user-card-read::2'
  • Match all identities having a specific right on a specific target with a specific privilege:

    CODE
    rights = 'app.sap.sales:France:1000000'
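
An added example, not product code, of how the four forms above select Right Grants. `RightPattern`, `identities_with` and the sample grants are constructed for illustration, and exact string equality on each part is an assumption.

```python
from typing import NamedTuple, Optional

class RightPattern(NamedTuple):
    name: Optional[str]        # None means "any"
    target: Optional[str]
    privilege: Optional[str]

def parse_right(value: str) -> RightPattern:
    """Split '<right name>:<right target>:<right privilege>'; omitted parts -> None."""
    parts = value.split(":")
    if len(parts) > 3:
        raise ValueError(f"too many ':' separated parts in {value!r}")
    parts += [""] * (3 - len(parts))
    return RightPattern(*(p or None for p in parts))

def grant_matches(pattern: RightPattern, grant: RightPattern) -> bool:
    """A grant matches when every part given in the pattern equals the grant's."""
    # Assumption: parts compare by exact string equality (no privilege ordering).
    return all(want is None or want == have for want, have in zip(pattern, grant))

def identities_with(value: str, grants) -> set:
    """Identities having at least one Right Grant matching rights = '<value>'."""
    pattern = parse_right(value)
    return {who for who, grant in grants if grant_matches(pattern, grant)}

# Constructed sample data: (identity, grant) pairs, not from any real system.
GRANTS = [
    ("alice", RightPattern("app.sap.sales", "France", "1000000")),
    ("bob", RightPattern("app.sap.sales", "Germany", "500")),
    ("bob", RightPattern("feat.user-card-read", "Sales", "2")),
    ("carol", RightPattern("feat.user-card-read", "Finance", "1")),
    ("carol", RightPattern("user.manager", "France", None)),
]
```

The fewer parts a query gives, the more grants it covers, which matters when such an expression defines who a policy or recertification applies to.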

Identity Roles

It is also possible to match Identities using criteria on Role Assignments using the hasRoleMatching Function. For instance:

CODE
hasRoleMatching(status = 'ASSIGNED' AND "role.application" = 'o365')

This matches all Identities having at least one Role Assignment whose status is ASSIGNED and whose Role matches application = 'o365'.

Role Assignment Dimensions

To match Role Assignments having certain dimension values, use a Property Expression with the CONTAINS operator on the dimensions Property. The Property Expression value is the JSON serialization of the dimension values to match:

CODE
dimensions CONTAINS '{"dim1": "foo", "dim2": ["bar", "baz"]}'

This matches all Role Assignments where:

  • Dimension dim1 is equal to foo

  • Dimension dim2 contains at least bar and baz in any order.
