<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Markus,</p>
<p>I tried the very first example:</p>
<div style="background-color:#ffffff;color:#080808">
<pre
style="font-family:'JetBrains Mono',monospace;font-size:9.0pt;"><span
style="background-color:#edfced;">queryFor = "assignment/targetRef matches ( oid='7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d' and targetType=UserType and relation=deputy)"
</span><span style="background-color:#edfced;">uQuery = midpoint.queryFor(UserType.class, queryFor)
</span><span style="background-color:#edfced;">ceoDelegatedTo = midpoint.searchObjects(uQuery)
</span><span style="background-color:#edfced;">log.info("XXX ceoDelegatedTo = {}", ceoDelegatedTo)
</span></pre>
</div>
<p></p>
<div class="moz-cite-prefix">My approver (with the oid above) has
delegated to administrator and security-officer1 users.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I used the query and expressions in
assignee notification for work items, in expressionFilter.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">When I requested for myself
(non-privileged user), I had the same issue as you, ceoDelegatedTo
returning an empty list.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">midpoint-server-1 | 2025-04-09
10:12:53,035 [MODEL] [http-nio-8080-exec-6] INFO
(com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo = []<br>
midpoint-server-1 | 2025-04-09 10:12:53,042 [MODEL]
[http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression):
XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []<br>
midpoint-server-1 | 2025-04-09 10:12:53,047 [MODEL]
[http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression):
XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []<br>
midpoint-server-1 | 2025-04-09 10:12:53,051 [MODEL]
[http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression):
XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []<br>
<br>
</div>
<div class="moz-cite-prefix">When I did this under administrator, I
can clearly see (multiple notifications are used in my case):</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">midpoint-server-1 | 2025-04-09
10:11:55,186 [MODEL] [pool-3-thread-6] INFO
(com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]<br>
midpoint-server-1 | 2025-04-09 10:11:55,191 [MODEL]
[pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]<br>
midpoint-server-1 | 2025-04-09 10:11:55,194 [MODEL]
[pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]<br>
midpoint-server-1 | 2025-04-09 10:11:55,196 [MODEL]
[pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX
woitem-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]<br>
<br>
</div>
<div class="moz-cite-prefix">(so two users are returned)</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">After adding prigileges/runAsRef:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">
<div style="background-color:#ffffff;color:#080808">
<pre
style="font-family:'JetBrains Mono',monospace;font-size:9.0pt;"><<span
style="color:#0033b3;">expressionFilter</span>>
<b> <<span style="color:#0033b3;">privileges</span>>
<<span style="color:#0033b3;">runAsRef </span><span
style="color:#174ad4;">oid</span><span style="color:#067d17;">="00000000-0000-0000-0000-000000000002" </span><span
style="color:#174ad4;">type</span><span style="color:#067d17;">="UserType"</span>/>
</<span style="color:#0033b3;">privileges</span>>
</b> <<span style="color:#0033b3;">script</span>>
<<span style="color:#0033b3;">code</span>><span
style="background-color:#edfced;">
</span><span style="background-color:#edfced;"> import com.evolveum.midpoint.xml.ns._public.common.common_3.*
</span><span style="background-color:#edfced;">
</span><span style="background-color:#edfced;"> queryFor = "assignment/targetRef matches ( oid='7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d' and targetType=UserType and relation=deputy)"
</span><span style="background-color:#edfced;"> uQuery = midpoint.queryFor(UserType.class, queryFor)
</span><span style="background-color:#edfced;"> ceoDelegatedTo = midpoint.searchObjects(uQuery)
</span><span style="background-color:#edfced;"> log.info("XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = {}", ceoDelegatedTo)
. . .
</span></pre>
</div>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">my unprivileged user, requesting for
himself, can use the expression and query just fine:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">midpoint-server-1 | 2025-04-09
10:22:41,760 [MODEL] [http-nio-8080-exec-7] INFO
(com.evolveum.midpoint.expression): XXX
work-item-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]<br>
midpoint-server-1 | 2025-04-09 10:22:41,766 [MODEL]
[http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression):
XXX work-item-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]<br>
midpoint-server-1 | 2025-04-09 10:22:41,771 [MODEL]
[http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression):
XXX work-item-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]<br>
midpoint-server-1 | 2025-04-09 10:22:41,776 [MODEL]
[http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression):
XXX work-item-notifier-workitem-assignee: ceoDelegatedTo =
[user:caddf511-3351-484e-959b-0daf38afe476(security-officer1),
user:00000000-0000-0000-0000-000000000002(administrator)]<br>
<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I need to add that I am currently using
midPoint master, not 4.8.x. but nevertheless, I believe, this
could be caused by permissions.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">If you run the expression in Query
playground or in midPoint GUI, you are probably logged as
administrator(?)</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Could you please check if your user is
having the privileges for searching? Or you can consider the
expression to be executed under administrator or other privileged
user, as shown above.<br>
</div>
<br>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Best regards,</div>
<div class="moz-cite-prefix">Ivan<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2. 4. 2025 11:21, Markus Calmius via
midPoint wrote:<br>
</div>
<blockquote type="cite"
cite="mid:aEhLNkKr7-L7-vL3VTJdxQcTuuDsJqD97H8xDPsoiKdhvAPHLyIDjmmM8gVVFrlX6vmvR59Xqar_YHwQduofFbcTDIKYwPGPuVKxoxTpSIU=@proton.ch">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div style="font-family: Arial, sans-serif; font-size: 14px;">Hi,</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span
style="scrollbar-width:thin">[Using: midpoint 4.8.5]</span><br>
<span style="scrollbar-width:thin"></span><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">I'm
trying to create an expression filter for notifications, but I
simply cannot get it to work.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">General
idea is this: </div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">"if
CEO has delegated approvals to someone, do not send email to
CEO"</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">Basic
issue:</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">using
advanved query in gui, query playground and groovycode in script
returns different values.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">Set
up:</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">from
user CEO I have delegated to two users. When using the advanced
search</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>"assignment/targetRef
matches (oid="<oid of ceo>" and targetType=UserType and
relation=deputy)"</span><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>I
get the two users.</span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>Since
there is also a delegatedRef, I also tried:</span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span><span>"delegatedRef
matches (oid="<oid of ceo>" and relation=deputy)" and
got two results.</span><br>
</span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">All
good, now, moving to the expressionFilter:</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">---</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">
<div><span> queryfor= "assignment/targetRef matches
(oid='<oid of ceo>' and targetType=UserType and
relation=deputy)"</span></div>
<div><span> uQuery = midpoint.queryFor(UserType.class,
queryfor)</span></div>
<div><span> ceoDelegatedTo = midpoint.searchObjects(uQuery)</span></div>
<span></span>---</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">the
returned list is empty.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">I
have tried using the delegatedRef as well, same result.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">I
have also tried:</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">----</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>
ref =
midpoint.getPrismContext().itemFactory().createReferenceValue(ceoOid,
UserType.COMPLEX_TYPE)</span>
<div><span> ref.setRelation(new QName("deputy")) <- also
tried org:deputy</span></div>
<div><span> query = prismContext.queryFor(UserType.class)</span></div>
<div><span> .item(UserType.F_DELEGATED_REF).ref(ref)</span></div>
<div><span> .build()</span></div>
<div><span> ceoDelegatedTo =
midpoint.searchObjects(UserType.class, query)</span></div>
<span></span><span style="scrollbar-width:thin">----</span><br>
still empty list.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">Using
the query playground, this:</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">---</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>import
com.evolveum.midpoint.xml.ns._public.common.common_3.*</span>
<div><span>queryfor="delegatedRef matches
(oid=\"6b1aad6b-02f3-4d2d-8edb-fff371d0bbb6\" and
relation=deputy)"</span></div>
<span>uQuery = midpoint.queryFor(UserType.class, queryfor)</span><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>---</span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>returns
the two users.</span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>Adding: </span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>---</span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span><span>midpoint.searchObjects(uQuery)</span></span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span><span>---</span></span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">and
I get an error "<span>Expression returned more than one value
(2) in </span>"</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>I
have to use:</span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span>---</span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span><span
style="display: inline !important; background-color: rgb(255, 255, 255);">midpoint.searchObjects(uQuery).toString()</span></span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span><span
style="display: inline !important; background-color: rgb(255, 255, 255);">---</span></span></div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><span><span
style="display: inline !important; background-color: rgb(255, 255, 255);">
<div style="scrollbar-width:thin"><span
style="display: inline !important; background-color: rgb(255, 255, 255);">to
get expected two values.</span><br>
</div>
<div style="scrollbar-width:thin"><br>
</div>
<div style="scrollbar-width:thin">What am I missing here?</div>
<div style="scrollbar-width:thin"><br>
</div>
<span style="scrollbar-width:thin"></span></span></span></div>
<div class="protonmail_signature_block"
style="font-family: Arial, sans-serif; font-size: 14px;">
<div class="protonmail_signature_block-user"> Markus Calmius<br>
Proton AG </div>
<div
class="protonmail_signature_block-proton protonmail_signature_block-empty">
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre wrap="" class="moz-quote-pre">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Ivan Noris
Expert Identity Engineer
evolveum.com
</pre>
</body>
</html>