Is anybody else seeing some odd behavior with Filter.collectionCondition? Specifically, it doesn’t seem to be joining only once on the table, but rather many times. This is the example query from the Filters and Filter Strings documentation page on Compass:
links.collectionCondition("application.name == \"AD\" && privileged == \"true\"")
With HQL debugging on, this renders as follows:
select
identityAlias.id,
identityAlias.name
from
sailpoint.object.Identity identityAlias
inner join identityAlias.links identity_linksAlias0
inner join identity_linksAlias0.application identity_applicationAlias0
inner join identityAlias.links identity_linksAlias1
where
(
(
identity_applicationAlias0.name = ?
and identity_linksAlias1.extended1 = ?
)
and identityAlias.workgroup != ?
)
IIQ seems to be joining a second time on the Link table, which is resulting in the behavior that collectionCondition is intended to prevent. It’s going to return any Identity that has a privileged Link and, separately, an AD link. I would expect only a single join on Link, which would have the expected behavior.
I’m seeing this in 8.2 and 8.3.
If you’re seeing this, the following join filter does work, but translates to a potentially less efficient “IN”:
id.subquery(sailpoint.object.Link, "identity", "application.name == \"AD\" && privileged == \"true\"")