Is anybody else seeing some odd behavior with Filter.collectionCondition? Specifically, it doesn’t seem to be joining only once on the table, but rather many times. This is the example query from the Filters and Filter Strings documentation page on Compass:
select
identityAlias.id,
identityAlias.name
from
sailpoint.object.Identity identityAlias
inner join identityAlias.links identity_linksAlias0
inner join identity_linksAlias0.application identity_applicationAlias0
inner join identityAlias.links identity_linksAlias1
where
(
(
identity_applicationAlias0.name = ?
and identity_linksAlias1.extended1 = ?
)
and identityAlias.workgroup != ?
)
IIQ seems to be joining a second time on the Link table, which is resulting in the behavior that collectionCondition is intended to prevent. It’s going to return any Identity that has a privileged Link and, separately, an AD link. I would expect only a single join on Link, which would have the expected behavior.
I’m seeing this in 8.2 and 8.3.
If you’re seeing this, the following join filter does work, but translates to a potentially less efficient “IN”:
I can’t recall seeing that before myself, but I also haven’t gone down to HQL-level logging. It’s possible your filterString is being evaluated as an OR condition instead of an AND as you intend. Can you try this filterString out and see if it works properly?
Here’s one that I just tested out in my sandbox (8.3p2) that returns everyone with an AD account sAMAccountName (which is my AD account displayName attribute) starting with the letter H: links.collectionCondition("(application.name == \"AD\" && displayName.startsWithIgnoreCase(\"h\"))")
I agree that you’ll get at least the result set you want with your query (AD + display name starting with H), but I suspect you’d actually get MORE than that. You’ll get all identities who have at least one link with display name starting with H who also have an AD account - even if the “H” displayName is on some other Link.
In a small environment, that may be the same result set.
If this is behavior you can easily replicate and could document how to reproduce, I’d suggest opening a support case. Sounds like this might be a product regression/bug.