Re: [scim] Question about Filtering in SCIM Spec

Florian Wilhelm <f.wilhelm@tarent.de> Mon, 24 August 2015 15:46 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/f0o6g4hNNQO6HjkVHzyGkuFBR1Q>

Hello Phil,

Thank you for your reply. It seems as if I could not make my question
clear enough.

We are trying to implement the SCIM spec and are not clear on what it
says about this specific case.

Quote from Page 22, first paragraph,
https://tools.ietf.org/html/draft-ietf-scim-api-19#page-22
> the filter matches if any of the values of the specified attribute
> match the specified criterion

Definition of the "not" operator,
https://tools.ietf.org/html/draft-ietf-scim-api-19#page-19:
> The filter is a match if the expression evaluates to false.

To what "match" from section 3 does the "not" apply?

Case 1:

The "not" is related to the first "match", so 'not (expression)' means:
"the filter matches if not any (= none) of the values of the specified
attribute match the specified criterion".

Case 2:

The "not" is related to the second "match", so 'not (expression)' means:
"the filter matches if any of the values of the specified attribute
don't match the specified criterion".

To illustrate my question, please consider the following example:

User 1
Groups: A, B, C

User 2
Groups: B

User 3
Groups: A, C

When I query "Group eq 'B'", the result is User 1 and User 2, which is
perfectly fine and conforms to the spec.

But when I query "not(Group eq 'B')", what should be the actual result?

Case 1: "the filter matches if not any (= none) of the values of the
specified attribute match the specified criterion"

The result would be only User 3, because all others have an attribute
that contains "B".

Case 2: "the filter matches if any of the values of the specified
attribute don't match the specified criterion"

The result would be User 1 and User 3, because each of them has at least
one attribute that doesn't contain "B". Compare this with the following
table, that shows the data in some kind of relational structure:

User | Group | eq | not(eq)
-----+-------+----+--------
  1  |   A   | -  |  +
  1  |   B   | +  |  -
  1  |   C   | -  |  +
  2  |   B   | +  |  -
  3  |   A   | -  |  +
  3  |   C   | -  |  +

* User 1 matches, because it has at least one "+" in the last column
* User 2 doesn't match, because all values in the last column are "-"
* User 3 matches again, because it has at least one "+" in the last column

My question is: What is the correct interpretation of the "not" operator
in the context of a multi-valued attribute according to the spec?

Best regards,
Florian Wilhelm


On 19.08.2015 at 19:02, Phil Hunt wrote:
> Florian…
> 
> You’ve managed to hit on a couple of oddities that go back to SCIM 1 (I think).
> 
> For the query against the Groups resource, try:
> 
> not(members.value eq "<userid>")
> 
> “members” is a complex attribute and thus the comparison attribute is value.  Some SCIM systems may accept this, but it was never actually defined in the specs that “value” could be assumed to be the default comparison sub-attribute for a complex attribute. I just learned this myself a couple of weeks ago.  :-)
> 
> Regarding querying against members (of the User resource):
> Because the specification indicates the “members” attribute mutability is “readOnly” many implementations will only calculate its contents when returning the user resource and thus members is likely not indexed. 
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
>> On Aug 19, 2015, at 2:17 AM, Florian Wilhelm <f.wilhelm@tarent.de> wrote:
>>
>> Hello,
>>
>> I'm working on the osiam.org project, which implements SCIMv2. We have
>> an issue [1] in our project. I'm not quite sure if that is specified by
>> the SCIM spec.
>>
>> Our user wants to filter
>>    not(groups eq "<groupId>")
>> [Expected result: All users that are not included in a given group]
>>
>> and
>>
>>    not(members eq "<userId>")
>> [Expected result: All groups in which the user is not a member]
>>
>> Our current implementation does not deliver the expected results.
>> My question: Is this defined in the SCIM spec? I've read [2], but did
>> not find anything about that there.
>> If it is valid: What would be the expected result? What does not() on
>> groups or members mean?
>>
>> Best regards,
>> Florian Wilhelm
>>
>> [1] https://github.com/osiam/resource-server/issues/7
>> [2] https://tools.ietf.org/html/draft-ietf-scim-api-19#section-3.4.2.2
>>
>> -- 
>> Florian Wilhelm
>> Software Development
>>
>> tarent solutions GmbH Niederlassung Berlin
>> Voltastraße 5, D-13355 Berlin • http://www.tarent.de/
>> Tel: +49 30 138803-0 • Fax: +49 30 56829495
>>
>> Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
>> Tel: +49 228 54881-0 • Fax: +49 228 54881-235
>> HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
>> Managing Directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander
>> Steeg
>>
> 

-- 
Florian Wilhelm
Software Development

tarent solutions GmbH Niederlassung Berlin
Voltastraße 5, D-13355 Berlin • http://www.tarent.de/
Tel: +49 30 138803-0 • Fax: +49 30 56829495

Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-0 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing Directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander
Steeg
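
The two readings of "not" described in the message above, evaluated over its three example users. This is an added example, not part of the original message and not OSIAM or SCIM reference code. "User 4" (no groups) and all function names are assumptions introduced here to show the empty-attribute case and whether a filter and its negation partition the user set.

```python
# Constructed sample data: the three users from the message, plus one
# hypothetical user with no groups (not in the original message).
USERS = {
    "User 1": ["A", "B", "C"],
    "User 2": ["B"],
    "User 3": ["A", "C"],
    "User 4": [],
}

def match_any(values, pred):
    """Multi-valued rule quoted in the message: match if any value meets the criterion."""
    return any(pred(v) for v in values)

def not_case1(values, pred):
    """Case 1: negate the filter result as a whole (no value meets the criterion)."""
    return not match_any(values, pred)

def not_case2(values, pred):
    """Case 2: negate the criterion per value (some value fails the criterion)."""
    return match_any(values, lambda v: not pred(v))

def select(evaluator, target):
    """Names of users whose groups satisfy `evaluator` for 'Group eq target'."""
    return [name for name, groups in USERS.items()
            if evaluator(groups, lambda v: v == target)]

def partition_report(negation, target):
    """Users matched by both the filter and its negation, and users matched by neither."""
    pos = set(select(match_any, target))
    neg = set(select(negation, target))
    both = sorted(pos & neg)
    neither = sorted(set(USERS) - pos - neg)
    return both, neither

if __name__ == "__main__":
    print("Group eq 'B'          :", select(match_any, "B"))
    print("not(...) under Case 1 :", select(not_case1, "B"))
    print("not(...) under Case 2 :", select(not_case2, "B"))
    print("Case 1 both/neither   :", partition_report(not_case1, "B"))
    print("Case 2 both/neither   :", partition_report(not_case2, "B"))
```

Under Case 1 the filter and its negation split the users cleanly; under Case 2 a user can satisfy both, and a user with no groups satisfies neither, which matters when such a query feeds an access or deprovisioning decision.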