FIM XPath Filter Dialect Examples
Microsoft Forefront Identity Manager 2010 (FIM) uses the FIM XPath Filter Dialect to define queries and retrieve the results. This topic contains examples of XPath queries.
Note
The FIM XPath Filter Dialect is case-sensitive. Consider this when you are writing your XPath filters. For example, /Person[displayname = 'value']
is not the same as /Person[DisplayName = 'value']
.
Examples: Identifying a User's Pending Approvals
You can use the following XPath filters to build a query that lists all the approvals that are pending a response from a specific user.
These examples assume that the user has an Account Name of 'mmeyers' and an ObjectID of '11111111-1111-1111-1111-111111111111'.
Pending Approvals Based on ObjectID
The following XPath filter demonstrates how to identify the pending approvals based on the user's ObjectID.
/Approval[ApprovalStatus = 'Pending' and Approver = '11111111-1111-1111-1111-111111111111']
Pending Approvals Based on Account Name
The following XPath filter demonstrates how to identify the pending approvals based on the user's Account Name.
/Approval[ApprovalStatus = 'Pending' and Approver = /Person[AccountName = 'mmeyers']]
Notice that this example contains a location path expression, /Person[AccountName = 'mmeyers']
, inside the predicate to identify approvals where the Approver is a user who has the specified Account Name.
Example: All Security Groups That Are Expiring
You can use the following XPath filter to build a query that lists all security groups that are expiring in the next seven days.
/Group[Type= 'Security' and ExpirationTime <= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P7D'))]
Example: All Security Groups That Have No Owner
You can use the following XPath filter to build a query that lists all security groups that no longer have an owner.
/Group[Type = 'Security' and not(Owner = /Person)]
The previous example is an example of searching for an attribute that has a multi-valued reference type. For more information, see Examples: Checking for the Presence of Reference Type Attribute Values.
Example: Identifying Users Who Have Conflicting Roles or Permissions
The following XPath filter identifies users who are members of both the "Interns" group and the "Full Time Employees" group. You can use this XPath filter to determine whether there are users in sets or groups that produce conflicting roles or permissions.
/Person[ObjectID = /Group[DisplayName = 'Interns']/ComputedMember and ObjectID = /Group[DisplayName = 'Full Time Employees']/ComputedMember]
The previous code example uses the DisplayName attribute to identify the groups of interest. However, a better practice would be to use a unique identifier to identify the groups, such as their ObjectID attribute.
Example: Changes to Security Groups
The following XPath filter identifies all requests to modify a security group within the last 10 days.
/Request[Target = /Group[Type = 'Security'] and Operation = 'Put' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]
The following XPath filter identifies all security groups that have been modified within the last 10 days. It returns all requests to modify all security groups in the last 10 days that have a status of 'Completed'.
/Request[Target = /Group[Type = 'Security'] and Operation = 'Put' and RequestStatus = 'Completed' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]
For more information, see Request Processing.
Examples: Checking for the Presence of Reference Type Attribute Values
This section provides examples of XPath filters that you can use to build a query that identifies whether a resource has a value for an attribute that has a data type of reference. A reference data type references another resource. (For more information, see Schema Data Types.) For example, a Person has a Manager attribute whose value is a reference to another Person resource.
Checking for Single-Valued Reference Type Attributes
You can check single-valued reference attribute values to verify whether the value of the attribute is of the expected type by using the = or != operations. The following example identifies all users who have a manager.
/Person[Manager = /Person]
The following example identifies all users who do not have a manager.
/Person[Manager != /Person]
Checking for Multi-Valued Reference Type Attributes
You can check multi-valued reference attribute values to verify whether the value of the attribute is of the expected type by using the not operator. The Owner attribute of a Group is a multi-valued attribute. The following example identifies all security groups that do not have an owner.
/Group[Type = 'Security' and not(Owner = /Person)]
Example: Checking for the Presence of Non-Reference Type Attribute Values
This section provides examples of XPath filters that you can use to determine whether a resource has a value for an attribute that is not of type reference, such as Boolean, string, or number values. (For more information, see Schema Data Types.)
The following example identifies all users who have an account name. (For more information, see Person.)
/Person[AccountName != '&Invalid&']
For more information about the != operator, see FIM XPath Filter Dialect. When you use the != operator with a literal value as the right-hand operator, the != operator returns FALSE if the attribute on the left-hand term is NULL. The example that is provided returns all resources of the Person type that have a value for the AccountName attribute that is not equal to '&Invalid&'.
The following example identifies all users who do not have an account name.
/Person[ObjectID != /Person[AccountName != '&Invalid&'] ]