FIM 2010 - XPath : How to check null value on a datetime attribute
Hi there,
I am Syam Pinnaka, Dev in Identity and Access (IAM) team in Microsoft. Today lets see one of my recent learning with Forefront Identity Manager (FIM) Xpath and datetime attribute values.
Forefront Identity Manager (FIM) 2010 can read XPath (XML Path language) queries and return the result set matching the given XPath query. XPath queries can be issued using FIM WCF endpoints and/or FIM PowerShell scripts. That’s a completely different subject and we will touch upon them on a different post(s). Everything with XPath will be good until we reach to a point where we test null value for a dateTime attribute. FIM XPath filter dialect supports checking null values on string attributes using “contains” phrase. For example the following expression defines all persons for which the displayName attribute is not defined.
/Person[not(contains(DisplayName, ‘’))]
However the above construct will fail when tried on a dateTime attribute as FIM didn’t have an option to directly test null value on a datetime attributes. Meaning the following will not work as expected.
/Group[not(contains(ExpiryTime, ‘’))]
The reason for that is that unlike string attributes, FIM only supports querying against invalid values for dateTime and Integer based attributes. In specific scenarios as in this case, null is a perfectly valid value hence it cannot used as an Invalid value to query against. However we can work around this scenario by querying against a positive value and inverting the result set. For example when we wanted to check all objects with a null expiryTime, we can search for all objects with an expiryTime of absolute out of range value, lets say >= ‘1900/01/01’ and then negate the result set to find all objects with a null value. The XPath query will look something like below.
/Group[not(ExpirationTime >= ‘1900-01-01T00:00:000’)]
However, beware that the above query will also return all objects with an expiration time < ‘1900/01/01’ hence you got to choose the lower bound carefully to get only the objects with null expiry time.
I went through this so fully aware of the effort required to find this. Hence thought this post will be useful for someone looking for the same answer.
Happy coding!
Comments
Anonymous
April 06, 2011
A thousand thank you's Syam. We spent hours trying to figure this out. We ended up creating a Boolean "IsPresent" attribute to check if it was null or not. But that introduced other problems because there was a time lag between the setting (or clearing) of the date and the workflow setting the IsPresent value. The users would transition in and out of the same set during that lag. This works much better. Thanks!!!Anonymous
May 30, 2011
No problem; Glad that my learning has helped some one.Anonymous
June 21, 2011
Syam, Thanks for the post. I really appreciate you blogging about the way to do the nulls on the dates. I do also want to point out that the first filter you used /Person[not(contains(DisplayName,''))] works fine in a query but can give vastly erroneous results in a set or group. blog.ilmbestpractices.com/.../fim-sets-xpath-finding-nulls-with.html In my blog post I illustrate how that filter added a whole lot more people to my set than I expected. Another article covering the same ground is found here: www.apollojack.com/.../xpath-in-fim-sets.htmlAnonymous
November 15, 2011
I tried this and FIM logged an event: System.InvalidOperationException: The Contains filter is not supported What gives? 4.0.3594.2Anonymous
March 20, 2012
Minor correction - datetime constant should be '1900-01-01T00:00:00.000'Anonymous
September 10, 2012
Thank you for sharing. This is exactly what I was looking for. After FIMBob correction filter worked for me. Happy Coding. Thanks, Bhavesh Patel