[midPoint] query issue/confusion

Markus Calmius markus.calmius at proton.ch
Wed Apr 9 14:35:13 CEST 2025


Hi Ivan,

thank you!
This was driving me nuts, I should have thought about the permissions...
I'll see if we can add that specific permissions, or if we run this part privileged as your example.

Thanks again!
Markus

On Wednesday, 9 April 2025 at 12:27, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:

> Message: 1
> Date: Wed, 9 Apr 2025 12:27:33 +0200
> From: Ivan Noris ivan.noris at evolveum.com
> 
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] query issue/confusion
> Message-ID: 9fda7e51-619d-4937-8c3f-57710df4fc7c at evolveum.com
> 
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
> 
> Hi Markus,
> 
> I tried the very first example:
> 
> queryFor = "assignment/targetRef matches (oid='7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d' and targetType=UserType and relation=deputy)"
> uQuery = midpoint.queryFor(UserType.class, queryFor)
> ceoDelegatedTo = midpoint.searchObjects(uQuery)
> log.info("XXX ceoDelegatedTo = {}", ceoDelegatedTo)
> 
> My approver (with the oid above) has delegated to administrator and
> security-officer1 users.
> 
> I used the query and expressions in assignee notification for work
> items, in expressionFilter.
> 
> When I requested for myself (non-privileged user), I had the same issue
> as you, ceoDelegatedTo returning an empty list.
> 
> midpoint-server-1 | 2025-04-09 10:12:53,035 [MODEL] [http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []
> midpoint-server-1 | 2025-04-09 10:12:53,042 [MODEL] [http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []
> midpoint-server-1 | 2025-04-09 10:12:53,047 [MODEL] [http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []
> midpoint-server-1 | 2025-04-09 10:12:53,051 [MODEL] [http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []
> 
> When I did this under administrator, I can clearly see (multiple
> notifications are used in my case):
> 
> midpoint-server-1 | 2025-04-09 10:11:55,186 [MODEL] [pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
> midpoint-server-1 | 2025-04-09 10:11:55,191 [MODEL] [pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
> midpoint-server-1 | 2025-04-09 10:11:55,194 [MODEL] [pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
> midpoint-server-1 | 2025-04-09 10:11:55,196 [MODEL] [pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
> 
> (so two users are returned)
> 
> After adding privileges/runAsRef:
> 
> <expressionFilter>
>   <privileges>
>     <runAsRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
>   </privileges>
>   <script>
>     <code>
>       import com.evolveum.midpoint.xml.ns._public.common.common_3.*
>       queryFor = "assignment/targetRef matches (oid='7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d' and targetType=UserType and relation=deputy)"
>       uQuery = midpoint.queryFor(UserType.class, queryFor)
>       ceoDelegatedTo = midpoint.searchObjects(uQuery)
>       log.info("XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = {}", ceoDelegatedTo)
>       . . .
> 
> 
> 
> My unprivileged user, requesting for himself, can use the expression and
> query just fine:
> 
> midpoint-server-1 | 2025-04-09 10:22:41,760 [MODEL] [http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
> midpoint-server-1 | 2025-04-09 10:22:41,766 [MODEL] [http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
> midpoint-server-1 | 2025-04-09 10:22:41,771 [MODEL] [http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
> midpoint-server-1 | 2025-04-09 10:22:41,776 [MODEL] [http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
> 
> 
> I need to add that I am currently using midPoint master, not 4.8.x, but
> nevertheless I believe this could be caused by permissions.
> 
> If you run the expression in Query playground or in midPoint GUI, you
> are probably logged as administrator(?)
> 
> Could you please check whether your user has the privileges for
> searching? Or you can consider executing the expression under
> administrator or another privileged user, as shown above.
> 
> 
> Best regards,
> Ivan
> 
> 
> On 2. 4. 2025 11:21, Markus Calmius via midPoint wrote:
> 
> > Hi,
> > 
> > [Using: midpoint 4.8.5]
> > 
> > I'm trying to create an expression filter for notifications, but I
> > simply cannot get it to work.
> > General idea is this:
> > "if CEO has delegated approvals to someone, do not send email to CEO"
> > 
> > Basic issue:
> > using the advanced query in the GUI, the query playground and Groovy code in a script
> > returns different values.
> > 
> > Set up:
> > from user CEO I have delegated to two users. When using the advanced
> > search
> > "assignment/targetRef matches (oid="<oid of ceo>" and
> > targetType=UserType and relation=deputy)"
> > I get the two users.
> > Since there is also a delegatedRef, I also tried:
> > "delegatedRef matches (oid="<oid of ceo>" and relation=deputy)" and
> > got two results.
> > 
> > All good, now, moving to the expressionFilter:
> > ---
> > queryfor = "assignment/targetRef matches (oid='<oid of ceo>' and targetType=UserType and relation=deputy)"
> > uQuery = midpoint.queryFor(UserType.class, queryfor)
> > ceoDelegatedTo = midpoint.searchObjects(uQuery)
> > ---
> > 
> > the returned list is empty.
> > I have tried using the delegatedRef as well, same result.
> > 
> > I have also tried:
> > ----
> > ref = midpoint.getPrismContext().itemFactory().createReferenceValue(ceoOid, UserType.COMPLEX_TYPE)
> > ref.setRelation(new QName("deputy"))   // <- also tried org:deputy
> > query = prismContext.queryFor(UserType.class)
> >             .item(UserType.F_DELEGATED_REF).ref(ref)
> >             .build()
> > ceoDelegatedTo = midpoint.searchObjects(UserType.class, query)
> > ----
> > still empty list.
> > 
> > Using the query playground, this:
> > ---
> > import com.evolveum.midpoint.xml.ns._public.common.common_3.*
> > queryfor = "delegatedRef matches (oid=\"6b1aad6b-02f3-4d2d-8edb-fff371d0bbb6\" and relation=deputy)"
> > uQuery = midpoint.queryFor(UserType.class, queryfor)
> > ---
> > returns the two users.
> > Adding:
> > ---
> > midpoint.searchObjects(uQuery)
> > ---
> > and I get an error "Expression returned more than one value (2) in "
> > I have to use:
> > ---
> > midpoint.searchObjects(uQuery).toString()
> > ---
> > to get expected two values.
> > 
> > What am I missing here?
> > 
> > Markus Calmius
> > Proton AG
> > 
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > https://lists.evolveum.com/mailman/listinfo/midpoint
> 
> 
> --
> Ivan Noris
> Expert Identity Engineer
> evolveum.com

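Ivan's runAsRef fix, assembled into a complete notification expressionFilter that also carries out Markus's stated goal of suppressing the CEO's copy when the CEO has deputies. This is an added example, not code from the thread or from midPoint's own documentation: the oids are placeholders, a dedicated read-only service user is assumed in place of administrator (least privilege for the search), and `event.assignee` is assumed to identify the user the notification is addressed to.

```xml
<expressionFilter>
  <privileges>
    <!-- Assumption: a dedicated service user holding only read authorization on
         UserType. Without <privileges>, the script runs with the requester's own
         authorizations and searchObjects() silently returns [] (the thread's symptom). -->
    <runAsRef oid="PLACEHOLDER-oid-of-notification-service-user" type="UserType"/>
  </privileges>
  <script>
    <code>
      import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

      // Placeholder: the CEO's oid in your deployment.
      def ceoOid = 'PLACEHOLDER-oid-of-ceo'

      // Same query Ivan used: users holding a deputy assignment that targets the CEO.
      def queryFor = "assignment/targetRef matches (oid='" + ceoOid +
          "' and targetType=UserType and relation=deputy)"
      def uQuery = midpoint.queryFor(UserType.class, queryFor)
      def ceoDelegatedTo = midpoint.searchObjects(uQuery)
      log.info("workitem-assignee filter: CEO delegated to {}", ceoDelegatedTo)

      // Assumption: 'event' is the work item event and event.assignee identifies
      // the user this particular notification is addressed to.
      def assigneeOid = event?.assignee?.oid

      // A notification expressionFilter returns a boolean: true keeps the
      // notification, false suppresses it. Suppress only the CEO's copy, and only
      // when at least one deputy exists; everyone else is notified as usual.
      if (assigneeOid == ceoOid) {
          return ceoDelegatedTo.isEmpty()
      }
      return true
    </code>
  </script>
</expressionFilter>
```

If the log line shows an empty list even with privileges set, check the runAs user's authorizations before suspecting the query itself.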
