Hi all,
Is it possible to write an IDN search query which checks for the value of an account attribute?
Example: Users with an AD account & with ‘mail’ attribute value equal to ‘[email protected]’ (ideally returns 1 user)
The following query gets me all users with an AD account: @accounts(source.name:“My AD Source”)
But I’m trying to narrow down the search further with the logical equivalent of this invalid query: @accounts(source.name:“My AD Source” AND accountAttributes.mail:"[email protected]")
I’m pretty sure searching for account attributes isnt a functionality of Search. I would recommend creating a placeholder identity attribute(adMail) and source the account attribute into it. Then refresh that user so it populates on their details page. Next search on the identity attribute like so "attributes.adMail:“specific email here”. Personally I always have an identity attribute dedicated to the mail attribute for an ad account, granted usually that populates the mandatory “email” identity attribute anyway.
If you dont need the identity attribute after this search then you can delete it.
Alternatively you can go to your AD source and download the account csv, put a filter on the mail header and search for the specific email you need.
The accounts on this source have other attributes, like location and manager, but they don’t appear in search and thus can’t be searched. However, if the account is from an authoritative source and the account attribute is mapped in the identity profile, then you can just search the identity attributes.
Yeah, that’s what I was thinking. You’re basically required to do the filtering on your end. I had to do this today when I was trying to filter entitlements in my Azure AD source to just include Teams groups. There’s a boolean attribute on some of the entitlements that’s called teamsEnabled, but I can’t search on it.
All that to say the entitlements API endpoint has the same limitation when it comes to searching on attributes.
@colin_mckibben Also I had a feeling that making account attributes searchable can achieve what you initially showed with just specifying mail in the search query. Do you think that’s one way? I can see this might work, but then of course we can’t make every attribute searchable as it is not scalable and could impact performance (or even if we can… should we? I believe it adds a new column to the back-end account ‘table’ equivalent for IDN)
Oh never mind, for a while there I thought making account attributes searchable was similar to the CC API we have for making identity attributes searchable, but looks like there isn’t an API for it.
Thanks @jtmycarkeys, looks like these alternatives you pointed out are the only way for now. I wanted to avoid creating identity attributes so was looking for a way where searching on the account attributes directly.
