[midPoint] Query for all users not assigned to a role

Fabian Noll-Dukiewicz fabian.noll-dukiewicz at fndit.de
Thu Aug 5 10:21:13 CEST 2021


Hi Gabriel,

if in your case the different user types have different roles assigned, you could use a query like the following:
<query>
  <filter>
    <and>
      <not>
        <ref>
          <path>assignment/targetRef</path>
          <value oid="<not assigned Role>"/>
        </ref>
      </not>
      <ref>
        <path>assignment/targetRef</path>
        <value oid="<assigned Role>"/>
      </ref>
    </and>
  </filter>
</query>

So if you have a student role and an employee role you can identify all students who are not also employees. 

An alternative is to use archetypes. For your case you could have archetypes "Employee" and "Student". Then you can change the query to get all users with archetype "Student" having the employee role not assigned.

Hope it helps!

Kind regards,
Fabian

On 03.08.21, 08:54, "Guckenbiehl, Gabriel" <gabriel.guckenbiehl at uni-due.de> wrote:

    Dear community,

    Is there a way to construct a query returning all users who have not been
    directly assigned to a certain role?

    <query>
        <filter>
           <not>
               <ref>
                   <path>assignment/targetRef</path>
                   <value oid="00000000-0000-0000-0000-000000000004"/>
               </ref>
           </not>
        </filter>
    </query>

    Returns all users that have any assignment which is not to the specific
    role. And it returns them once for each such assignment. The same is
    returned by 

    <query>
       <filter>
          <not>
             <exists>
                <path>assignment</path>
                <filter>
                   <ref>
                      <path>targetRef</path>
                      <value oid="00000000-0000-0000-0000-000000000004"/>
                   </ref>
                </filter>
             </exists>
          </not>
       </filter>
    </query>

    Which seems counterintuitive to me at least, because it inverts the not ->
    exists statement to exists -> not.

    Background information: I want to implement a notification service which
    informs all members of one role 30 days before expiration date, unless they
    are assigned to another role (think of students who should get the
    notification only if they are not employees).

    Thanks for answering

    Gabriel

    Gabriel Guckenbiehl, M.Sc.
    Zentrum für Informations- und Mediendienste (ZIM)
    Universität Duisburg Essen
    Schützenbahn 70
    45127 Essen
    Telefon: +49 (201) 183-3346
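
The two readings of the negated filter discussed in this thread, as an added example that is not part of the original messages and is not midPoint code. It models users and assignments as two constructed SQLite tables (an assumption, not midPoint's repository schema; role identifiers and user names are made up) and contrasts "has some assignment that is not to the role" with "has no assignment to the role", plus the combined student-but-not-employee condition.

```python
import sqlite3

EMPLOYEE, STUDENT = "role-employee", "role-student"  # constructed identifiers

def build_db():
    """Constructed sample data: each user with the roles directly assigned."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT PRIMARY KEY);
        CREATE TABLE assignment(owner TEXT, target_oid TEXT);
    """)
    sample = {"alice": [STUDENT, "role-library"], "bob": [STUDENT, EMPLOYEE],
              "carol": [EMPLOYEE], "dave": []}
    for name, targets in sample.items():
        db.execute("INSERT INTO users VALUES (?)", (name,))
        db.executemany("INSERT INTO assignment VALUES (?, ?)",
                       [(name, t) for t in targets])
    return db

def per_assignment_not(db, oid):
    """NOT tested per assignment row: one hit for every assignment that is
    not to oid, so users repeat and users without assignments vanish."""
    q = """SELECT u.name FROM users u JOIN assignment a ON a.owner = u.name
           WHERE NOT a.target_oid = ? ORDER BY u.name"""
    return [r[0] for r in db.execute(q, (oid,))]

def not_assigned(db, oid):
    """NOT EXISTS over all of a user's assignments: no assignment to oid."""
    q = """SELECT u.name FROM users u WHERE NOT EXISTS
             (SELECT 1 FROM assignment a
              WHERE a.owner = u.name AND a.target_oid = ?)
           ORDER BY u.name"""
    return [r[0] for r in db.execute(q, (oid,))]

def assigned_but_not(db, has_oid, lacks_oid):
    """Combined condition: assigned has_oid and not assigned lacks_oid."""
    q = """SELECT u.name FROM users u
           WHERE EXISTS (SELECT 1 FROM assignment a
                         WHERE a.owner = u.name AND a.target_oid = ?)
             AND NOT EXISTS (SELECT 1 FROM assignment a
                             WHERE a.owner = u.name AND a.target_oid = ?)
           ORDER BY u.name"""
    return [r[0] for r in db.execute(q, (has_oid, lacks_oid))]

if __name__ == "__main__":
    db = build_db()
    print(per_assignment_not(db, EMPLOYEE))
    print(not_assigned(db, EMPLOYEE))
    print(assigned_but_not(db, STUDENT, EMPLOYEE))
```

In the sample data bob holds both roles, so a notification list built from the per-assignment reading would still include him, while the set-based readings leave him out.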



