[midPoint] query issue/confusion
Ivan Noris
ivan.noris at evolveum.com
Wed Apr 9 12:27:33 CEST 2025
Hi Markus,
I tried the very first example:
queryFor = "assignment/targetRef matches (oid='7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d' and targetType=UserType and relation=deputy)"
uQuery = midpoint.queryFor(UserType.class, queryFor)
ceoDelegatedTo = midpoint.searchObjects(uQuery)
log.info("XXX ceoDelegatedTo = {}", ceoDelegatedTo)
My approver (with the oid above) has delegated to administrator and
security-officer1 users.
I used the query and expressions in assignee notification for work
items, in expressionFilter.
When I requested for myself (non-privileged user), I had the same issue
as you, ceoDelegatedTo returning an empty list.
midpoint-server-1 | 2025-04-09 10:12:53,035 [MODEL]
[http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo = []
midpoint-server-1 | 2025-04-09 10:12:53,042 [MODEL]
[http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo = []
midpoint-server-1 | 2025-04-09 10:12:53,047 [MODEL]
[http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo = []
midpoint-server-1 | 2025-04-09 10:12:53,051 [MODEL]
[http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo = []
When I did this under administrator, I can clearly see (multiple
notifications are used in my case):
midpoint-server-1 | 2025-04-09 10:11:55,186 [MODEL] [pool-3-thread-6]
INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]
midpoint-server-1 | 2025-04-09 10:11:55,191 [MODEL] [pool-3-thread-6]
INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]
midpoint-server-1 | 2025-04-09 10:11:55,194 [MODEL] [pool-3-thread-6]
INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]
midpoint-server-1 | 2025-04-09 10:11:55,196 [MODEL] [pool-3-thread-6]
INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]
(so two users are returned)
After adding privileges/runAsRef:
<expressionFilter>
    <privileges>
        <runAsRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
    </privileges>
    <script>
        <code>
            import com.evolveum.midpoint.xml.ns._public.common.common_3.*
            queryFor = "assignment/targetRef matches (oid='7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d' and targetType=UserType and relation=deputy)"
            uQuery = midpoint.queryFor(UserType.class, queryFor)
            ceoDelegatedTo = midpoint.searchObjects(uQuery)
            log.info("XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = {}", ceoDelegatedTo)
            . . .
my unprivileged user, requesting for himself, can use the expression and
query just fine:
midpoint-server-1 | 2025-04-09 10:22:41,760 [MODEL]
[http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX
work-item-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]
midpoint-server-1 | 2025-04-09 10:22:41,766 [MODEL]
[http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX
work-item-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]
midpoint-server-1 | 2025-04-09 10:22:41,771 [MODEL]
[http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX
work-item-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]
midpoint-server-1 | 2025-04-09 10:22:41,776 [MODEL]
[http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX
work-item-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]
I need to add that I am currently using midPoint master, not 4.8.x, but
nevertheless I believe this could be caused by permissions.
If you run the expression in Query playground or in midPoint GUI, you
are probably logged in as administrator(?)
Could you please check if your user has the privileges for
searching? Or you can consider the expression to be executed under
administrator or other privileged user, as shown above.
Best regards,
Ivan
On 2. 4. 2025 11:21, Markus Calmius via midPoint wrote:
> Hi,
>
> [Using: midpoint 4.8.5]
>
> I'm trying to create an expression filter for notifications, but I
> simply cannot get it to work.
> General idea is this:
> "if CEO has delegated approvals to someone, do not send email to CEO"
>
> Basic issue:
> using advanced query in gui, query playground and groovy code in script
> returns different values.
>
> Set up:
> from user CEO I have delegated to two users. When using the advanced
> search
> "assignment/targetRef matches (oid="<oid of ceo>" and
> targetType=UserType and relation=deputy)"
> I get the two users.
> Since there is also a delegatedRef, I also tried:
> "delegatedRef matches (oid="<oid of ceo>" and relation=deputy)" and
> got two results.
>
> All good, now, moving to the expressionFilter:
> ---
> queryfor= "assignment/targetRef matches (oid='<oid of ceo>' and
> targetType=UserType and relation=deputy)"
> uQuery = midpoint.queryFor(UserType.class, queryfor)
> ceoDelegatedTo = midpoint.searchObjects(uQuery)
> ---
>
> the returned list is empty.
> I have tried using the delegatedRef as well, same result.
>
> I have also tried:
> ----
> ref =
> midpoint.getPrismContext().itemFactory().createReferenceValue(ceoOid,
> UserType.COMPLEX_TYPE)
> ref.setRelation(new QName("deputy")) <- also tried org:deputy
> query = prismContext.queryFor(UserType.class)
> .item(UserType.F_DELEGATED_REF).ref(ref)
> .build()
> ceoDelegatedTo = midpoint.searchObjects(UserType.class, query)
> ----
> still empty list.
>
> Using the query playground, this:
> ---
> import com.evolveum.midpoint.xml.ns._public.common.common_3.*
> queryfor="delegatedRef matches
> (oid=\"6b1aad6b-02f3-4d2d-8edb-fff371d0bbb6\" and relation=deputy)"
> uQuery = midpoint.queryFor(UserType.class, queryfor)
> ---
> returns the two users.
> Adding:
> ---
> midpoint.searchObjects(uQuery)
> ---
> and I get an error "Expression returned more than one value (2) in "
> I have to use:
> ---
> midpoint.searchObjects(uQuery).toString()
> ---
> to get expected two values.
>
> What am I missing here?
>
> Markus Calmius
> Proton AG
--
Ivan Noris
Expert Identity Engineer
evolveum.com