Re: [scim] Question about Filtering in SCIM Spec

Phil Hunt <phil.hunt@oracle.com> Wed, 19 August 2015 17:02 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/91NyzdgtbLmqoAKWAAYwxYvGehA>

Florian…

You’ve managed to hit on a couple of oddities that go back to SCIM 1 (I think).

For the query against the Groups resource, try:

not(members.value eq "<userid>")

“members” is a complex attribute and thus the comparison attribute is value.  Some SCIM systems may accept this, but it was never actually defined in the specs that “value” could be assumed to be the default comparison sub-attribute for a complex attribute. I just learned this myself a couple of weeks ago.  :-)

Regarding querying against members (of the User resource):
Because the specification indicates the “members” attribute mutability is “readOnly”, many implementations will only calculate its contents when returning the user resource and thus members is likely not indexed.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

> On Aug 19, 2015, at 2:17 AM, Florian Wilhelm <f.wilhelm@tarent.de> wrote:
> 
> Hello,
> 
> I'm working on the osiam.org project, which implements SCIMv2. We have
> an issue [1] in our project. I'm not quite sure if that is specified by
> the SCIM spec.
> 
> Our user wants to filter
>    not(groups eq "<groupId>")
> [Expected result: All users that are not included in a given group]
> 
> and
> 
>    not(members eq "<userId>")
> [Expected result: All groups in which the user is not a member]
> 
> Our current implementation does not deliver the expected results.
> My question: Is this defined in the SCIM spec? I've read [2], but did
> not find anything about that there.
> If it is valid: What would be the expected result? What does not() on
> groups or members mean?
> 
> Best regards,
> Florian Wilhelm
> 
> [1] https://github.com/osiam/resource-server/issues/7
> [2] https://tools.ietf.org/html/draft-ietf-scim-api-19#section-3.4.2.2
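
The filter behaviour discussed in this thread, as an added example that is not part of the original messages and is not OSIAM's code: a small evaluator run over constructed Group resources. It assumes that a multi-valued attribute matches when any one of its values satisfies the comparison, and it rejects a bare complex attribute, following the reply's point that no default sub-attribute was defined; the function names and sample data are hypothetical.

```python
import re

# Constructed sample Group resources (not taken from the thread).
GROUPS = [
    {"id": "g1", "members": [{"value": "u1"}, {"value": "u2"}]},
    {"id": "g2", "members": [{"value": "u2"}, {"value": "u3"}]},
    {"id": "g3"},  # group with no members attribute at all
]

# Only the two filter shapes from the thread: attr[.sub] (eq|ne) "str", optionally in not(...)
_CMP = r'([A-Za-z]\w*)(?:\.(\w+))?\s+(eq|ne)\s+"([^"]*)"'
_PLAIN = re.compile(rf'^\s*{_CMP}\s*$', re.I)
_NOT = re.compile(rf'^\s*not\s*\(\s*{_CMP}\s*\)\s*$', re.I)

def attr_values(resource, attr, sub):
    """Collect the comparable values of attr[.sub]; a missing attribute yields []."""
    raw = resource.get(attr)
    if raw is None:
        return []
    out = []
    for item in raw if isinstance(raw, list) else [raw]:
        if isinstance(item, dict):
            if sub is None:  # complex attribute compared without a sub-attribute
                raise ValueError(f"'{attr}' is complex; compare {attr}.value instead")
            if sub in item:
                out.append(item[sub])
        elif sub is None:
            out.append(item)
    return out

def matches(resource, scim_filter):
    m = _NOT.match(scim_filter)
    negate = m is not None
    m = m or _PLAIN.match(scim_filter)
    if m is None:
        raise ValueError("unsupported filter: " + scim_filter)
    attr, sub, op, want = m.groups()
    values = attr_values(resource, attr, sub)
    # Assumption: the comparison holds if ANY value of the attribute satisfies it.
    hit = any((v == want) if op.lower() == "eq" else (v != want) for v in values)
    return hit != negate  # not(...) inverts the result for the whole resource

def select(resources, scim_filter):
    """Return the ids of the resources that match the filter."""
    return [r["id"] for r in resources if matches(r, scim_filter)]
```

Under these assumptions not(members.value eq "u1") selects g2 and g3, including the group with no members, while members.value ne "u1" selects g1 and g2, so the two filters are not interchangeable.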