Re: [scim] Question about Filtering in SCIM Spec
Phil Hunt <phil.hunt@oracle.com> Tue, 25 August 2015 11:02 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 889431A6FF9 for <scim@ietfa.amsl.com>; Tue, 25 Aug 2015 04:02:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.009
X-Spam-Level:
X-Spam-Status: No, score=-3.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_36=0.6, J_CHICKENPOX_37=0.6, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c1ZGcYg6zokq for <scim@ietfa.amsl.com>; Tue, 25 Aug 2015 04:02:22 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D392F1ACC92 for <scim@ietf.org>; Tue, 25 Aug 2015 04:02:15 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t7PB2EQo017207 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 25 Aug 2015 11:02:14 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id t7PB2E2J027708 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 25 Aug 2015 11:02:14 GMT
Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id t7PB2CJj015082; Tue, 25 Aug 2015 11:02:13 GMT
Received: from [25.167.246.237] (/72.143.235.141) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 25 Aug 2015 04:02:11 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail-43FFA2CB-5B7E-4353-ACEF-BD46ECBE86E6"
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (12H321)
In-Reply-To: <CAO89xFE+92TzsLde8rAiK14Pzw1G3VtaTB3138VF7pMmg_amFw@mail.gmail.com>
Date: Tue, 25 Aug 2015 04:02:01 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <EC9AADA9-7287-49E9-9E7D-4A60672B7C49@oracle.com>
References: <55D449A2.4010205@tarent.de> <3CC44393-39EE-48F6-AFF8-BAD11F252C14@oracle.com> <55DB3C47.3090003@tarent.de> <5023D08C-E33C-429F-B438-3D8AA275855A@oracle.com> <CAO89xFE+92TzsLde8rAiK14Pzw1G3VtaTB3138VF7pMmg_amFw@mail.gmail.com>
To: Thomas Krille <t.krille@tarent.de>
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/GbyEcE4FbYZDCFL5cihC9sYryds>
Cc: Florian Wilhelm <f.wilhelm@tarent.de>, "scim@ietf.org" <scim@ietf.org>
Subject: Re: [scim] Question about Filtering in SCIM Spec
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2015 11:02:25 -0000
If the attrib is indexed, yes. Phil > On Aug 25, 2015, at 01:53, Thomas Krille <t.krille@tarent.de> wrote: > > Hello Phil, > > I assume, that this is also true for all other comparison operators and all other multi-valued attributes? > > Regards > > Thomas Krille > > 2015-08-24 17:59 GMT+02:00 Phil Hunt <phil.hunt@oracle.com>: >> User 3. >> >> In this respect, the behavior would be similar to ldap and multi values. >> >> Phil >> >> > On Aug 24, 2015, at 08:46, Florian Wilhelm <f.wilhelm@tarent.de> wrote: >> > >> > Hello Phil, >> > >> > thank you for your reply. It seems as if I could not make my question >> > clear enough. >> > >> > We are trying to implement the SCIM spec and are not clear on what it >> > says about this specific case. >> > >> > Quote from Page 22, first paragraph, >> > https://tools.ietf.org/html/draft-ietf-scim-api-19#page-22 >> >> the filter matches if any of the values of the specified attribute >> > match the specified criterion >> > >> > Definition of the "not" operator, >> > https://tools.ietf.org/html/draft-ietf-scim-api-19#page-19: >> >> The filter is a match if the expression evaluates to false. >> > >> > To what "match" from section 3 does the "not" apply? >> > >> > Case 1: >> > >> > The "not" is related to the first "match", so 'not (expression)' means: >> > "the filter matches if not any (= none) of the values of the specified >> > attribute match the specified criterion". >> > >> > Case 2: >> > >> > The "not" is related to the second "match", so 'not (expression)' means: >> > "the filter matches if any of the values of the specified attribute >> > don't match the specified criterion". >> > >> > To illustrate my question, please consider the following example: >> > >> > User 1 >> > Groups: A, B, C >> > >> > User 2 >> > Groups: B >> > >> > User 3 >> > Groups: A, C >> > >> > When I query "Group eq 'B'", the result is User 1 and User 2, which is >> > perfectly fine and conforms to the spec. >> > >> > But when I query "not(Group eq 'B')", what should be the actual the result? >> > >> > Case 1: "the filter matches if not any (= none) of the values of the >> > specified attribute match the specified criterion" >> > >> > The result would be only User 3, because all others have an attribute >> > that contains "B". >> > >> > Case 2: "the filter matches if any of the values of the specified >> > attribute don't match the specified criterion" >> > >> > The result would be User 1 and User 3, because each of them has at least >> > one attribute that doesn't contain "B". Compare this with the following >> > table, that shows the data in some kind of relational structure: >> > >> > User | Group | eq | not(eq) >> > -----+-------+----+-------- >> > 1 | A | - | + >> > 1 | B | + | - >> > 1 | C | - | + >> > 2 | B | + | - >> > 3 | A | - | + >> > 3 | C | - | + >> > >> > * User 1 matches, because it has at least on "+" in the last column >> > * User 2 doesn't match, because all values in the last column are "-" >> > * User 3 matches again, because it has at least on "+" in the last column >> > >> > My question is: What is the correct interpretation of the "not" operator >> > in the context of a multi-valued attribute according to the spec? >> > >> > Best regards, >> > Florian Wilhelm >> > >> > >> >> Am 19.08.2015 um 19:02 schrieb Phil Hunt: >> >> Florian… >> >> >> >> You’ve managed to hit on a couple of oddities that go back to SCIM 1 (I think). >> >> >> >> For the query against the Groups resource, try: >> >> >> >> not(members.value eq “<userid>”) >> >> >> >> “members” is a complex attribute and thus the comparison attribute is value. Some SCIM systems may accept this, but it was never actually defined in the specs that “value” could be assumed to be the default comparison sub-attribute for a complex attribute. I just learned this myself a couple of weeks ago. :-) >> >> >> >> Regarding querying against members (of the User resource): >> >> Because the specification indicates the “members” attribute mutability is “readOnly” many implementations will only calculate its contents when returning the user resource and thus members is likely not indexed. >> >> >> >> Phil >> >> >> >> @independentid >> >> www.independentid.com >> >> phil.hunt@oracle.com >> >> >> >>> On Aug 19, 2015, at 2:17 AM, Florian Wilhelm <f.wilhelm@tarent.de> wrote: >> >>> >> >>> Hello, >> >>> >> >>> I'm working on the osiam.org project, which implements SCIMv2. We have >> >>> an issue [1] in our project. I'm not quite sure if that is specified by >> >>> the SCIM spec. >> >>> >> >>> Our user wants to filter >> >>> not(groups eq "<groupId>") >> >>> [Expected result: All users that are not included in a given group] >> >>> >> >>> and >> >>> >> >>> not(members eq "<userId>") >> >>> [Expected result: All groups in which is the user not a member] >> >>> >> >>> Our current implementation does not deliver the expected results. >> >>> My question: Is this defined in the SCIM spec? I've read [2], but did >> >>> not find anything about that there. >> >>> If it is valid: What would be the expected result? What does not() on >> >>> groups or members mean? >> >>> >> >>> Best regards, >> >>> Florian Wilhelm >> >>> >> >>> [1] https://github.com/osiam/resource-server/issues/7 >> >>> [2] https://tools.ietf.org/html/draft-ietf-scim-api-19#section-3.4.2.2 >> >>> >> >>> -- >> >>> Florian Wilhelm >> >>> Software Development >> >>> >> >>> tarent solutions GmbH Niederlassung Berlin >> >>> Voltastraße 5, D-13355 Berlin • http://www.tarent.de/ >> >>> Tel: +49 30 138803-0 • Fax: +49 30 56829495 >> >>> >> >>> Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ >> >>> Tel: +49 228 54881-0 • Fax: +49 228 54881-235 >> >>> HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941 >> >>> Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander >> >>> Steeg >> >>> >> >>> _______________________________________________ >> >>> scim mailing list >> >>> scim@ietf.org >> >>> https://www.ietf.org/mailman/listinfo/scim >> > >> > -- >> > Florian Wilhelm >> > Softwareentwicklung >> > >> > tarent solutions GmbH Niederlassung Berlin >> > Voltastraße 5, D-13355 Berlin • http://www.tarent.de/ >> > Tel: +49 30 138803-0 • Fax: +49 30 56829495 >> > >> > Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ >> > Tel: +49 228 54881-0 • Fax: +49 228 54881-235 >> > HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941 >> > Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander >> > Steeg >> >> _______________________________________________ >> scim mailing list >> scim@ietf.org >> https://www.ietf.org/mailman/listinfo/scim > > > > -- > Thomas Krille > Softwareentwicklung > tarent solutions GmbH > > Telefon +49 (0) 30 555785-128 > Telefax +49 (0) 228 54881-235 > t.krille@tarent.de > > Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ > Tel: +49 228 54881-0 • Fax: +49 228 54881-235 > HRB AG Bonn 5168 • USt-ID (VAT): DE122264941 > Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim
- [scim] Question about Filtering in SCIM Spec Florian Wilhelm
- Re: [scim] Question about Filtering in SCIM Spec Phil Hunt
- Re: [scim] Question about Filtering in SCIM Spec Florian Wilhelm
- Re: [scim] Question about Filtering in SCIM Spec Phil Hunt
- Re: [scim] Question about Filtering in SCIM Spec Thomas Krille
- Re: [scim] Question about Filtering in SCIM Spec Phil Hunt