FIM Set and Group Attribute Criteria

As with many quests, the one I embarked on turned out to be more complex than first thought: figuring out how to create criteria-based sets and groups whose membership depends on an attribute in the FIM Portal being “empty.”

We start our story with a mythical client and a problem. The client was not certain that “Office Location” was populated with either an office or store location for every user in the FIM Portal. They wanted to create a criteria-based set that identified all of the users where the provisioning process had not specified an office location. The use for this set will be left to your imagination.

Skipping over the condition criteria that did not work or seemed overly complex, we found a somewhat obscure reference to the percent sign (%) and the “Not Starts With” operator. As seen in the video below, we found that using the criteria “Office Location” not starts with % returned a membership of all the Users that didn’t have an “Office Location.”

What we set out to find, and what was actually found, was something completely different.

Thinking more about the “Not Starts With” and “Starts With” conditions, it made sense that somewhere deep down in the code of the FIM Portal, they were being translated to “Not Like” and “Like” with a percent sign (%) added in the right position of the select value. Knowing this, and knowing what other wildcard characters could be used with “Like,” we found that we could create sets of users whose attribute values not only “Started With,” but also “Contained” or did “Not Contain” target characters and strings.

As demonstrated in the video below, we could create a criteria-based set that contained users from office locations that contained a “1” by using “Office Location” starts with %1. We could also create a criteria-based set that started with “1,” but did not include “10” by using “Office Location” starts with 1[^0] or a set that only consisted of users at office locations 11, 12, 21 and 22 by using “Office Location” starts with _[12].

The criteria possibilities became numerous when embedding the characters in the middle of the select value. For example, we could create a set of Users where the first letter of their Display Name is “R” and “User” is the last part by using “Display Name” starts with R%User.

But like any good quest there are unforeseen events. The percent sign (%) being added deep in the FIM Portal code came back to haunt us.

Because of that trailing percent sign, the criteria “Office Location” starts with 1[^0] returned office locations of 11, 12, 13 and 110, and the criteria “Display Name” starts with R%User returned users with “User” concatenated with something else, like “Roger User-Other.”
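To preview which users a wildcard criteria would sweep into a set before committing it, the behaviour described above can be modelled offline. This is an added example, not FIM Portal code: it assumes, as the post infers, that “Starts With” becomes a LIKE with % appended, and the helper names and sample users are constructed for illustration.

```python
import re

def like_to_regex(pattern):
    """Translate a T-SQL LIKE pattern (%, _, [set], [^set]) into a regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        start = i + 2 if pattern[i + 1:i + 2] == "^" else i + 1
        end = pattern.find("]", start + 1) if c == "[" else -1
        if c == "%":
            out.append(".*")
        elif c == "_":
            out.append(".")
        elif end != -1:  # bracketed set holding at least one character
            chars = re.escape(pattern[start:end]).replace("\\-", "-")
            out.append("[" + ("^" if start == i + 2 else "") + chars + "]")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    # Assumption: case-insensitive collation, the SQL Server default.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def starts_with(value, criteria):
    # Assumed model of the portal: append % and apply LIKE.
    # A missing attribute (None) never satisfies "Starts With".
    return value is not None and bool(like_to_regex(criteria + "%").fullmatch(value))

def members(users, attr, criteria, negate=False):
    """Display names of users matching (or, with negate, not matching) the criteria."""
    return [u["DisplayName"] for u in users
            if starts_with(u.get(attr), criteria) != negate]

# Constructed sample data, not taken from any real portal.
USERS = [
    {"DisplayName": "Roger User", "OfficeLocation": "11"},
    {"DisplayName": "Roger User-Other", "OfficeLocation": "110"},
    {"DisplayName": "Rita Admin", "OfficeLocation": "10"},
    {"DisplayName": "Sam User", "OfficeLocation": "21"},
    {"DisplayName": "Pat Temp"},  # Office Location never provisioned
]

if __name__ == "__main__":
    print(members(USERS, "OfficeLocation", "%", negate=True))  # empty attribute
    print(members(USERS, "OfficeLocation", "1[^0]"))           # includes 110
    print(members(USERS, "DisplayName", "R%User"))             # includes the suffix
```

Comparing the previewed membership with the intended one shows the over-matching caused by the trailing % before the set drives any policy.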

Even with this unintended result, the usefulness of these characters was apparent. With careful thought and implementation, we were able to solve the client’s initial problem and others that were identified as the FIM Portal implementation progressed.