06-13-2017 12:54 PM
Greetings,
In numerous places on the External Restful Service (ERS) SDK site [https://<ISE-ADMIN-NODE>:9060/ers/sdk] there are references to being able to filter searches via a combination of attributes, operations, and values. This is done through issuing a GET request using the a request URL such as https://<ISE-ADMIN-NODE>:9060/ers/config/internaluser?filter=<attribute>.<operation>.<value>
Though I have been able to find a list of valid operations in the Quick Reference > Searching a Resource section, I have been unable to find an accurate list of valid "attributes" for any of the searchable nodes (internaluser, networkdevice, identitygroup, etc...). There is a list of attributes provided on these but they are not all filterable, do not filter correctly, or are missing valid attributes. For example, within the Quick Reference > Searching a Resource and the Developer Resources > Use Cases – curl scripts > Search Users sections, there are examples doing a GET request using the attribute "identityGroup" for the node "internaluser". This attribute is not on the list of attributes for internaluser and does not filter as shown in the examples (tested using Perl, Curl, and Postman).
For more information, I have attached a word document with our results of testing the basic format with every combination of attribute (for internaluser) and operation (from the aforementioned list). This has 3 main sections: Works, Gives and error, and Unknown; each one detailing some of the messages I've seen or how they work in an unexpected way. For this testing we had 26 users in our system.
The question boils down to is there an updated API site which I can reference to determine which attributes I can filter searches on for each of the nodes?
Thank you for your time.
Solved! Go to Solution.
10-05-2017 06:55 AM
Hi Jeppe,
Here is the associated bug link that has been opened (CSCvf60064). If you view it, you will see that only the attributes 'enabled' , 'passwordIDStore' and 'expiryDate' are referenced. As of right now, there are no listed workarounds or documented updates which would fix the issue. Not sure if this helps, but if you continue to run into issues I would recommend opening up a TAC case as well!
Best,
Lukas
06-13-2017 07:11 PM
The attributes that can be used for filtering can be found under https://1.2.3.4:9060/ers/sdk in API documentation section.
Here's a snipper for Internal User:
Supported Filter and Sorting Fileds:
Filter: [expiryDate, firstName, lastName, passwordIDStore, identityGroup, name, description, email, enabled, expiryDateEnabled]
Sorting: [name, description]
06-14-2017 06:40 AM
Hi Viktor,
I have found the portion you were referring to in the API section, however not all of those filter as they should (or at least are not intuitive). Specifically the fields that I have had issues with are [expiryDate, passwordIDStore, identityGroup, enabled, expiryDateEnabled].
For 'expiryDate' the date format of "YYYY-MM-DD" does not work (see the word doc I attached with my original post)
For 'passwordIDStore' the filter does not work. I can pull up an individual user's information (/internaluser/<id>) and they will have i.e. "passwordIDStore": "testAD". However when I filter with: ?filter=passwordIDStore.CONTAINS.testAD, I get nothing. However when I filter with: ?filter=passwordIDStore.CONTAINS.AD, I get the proper accounts. though ?filter=passwordIDStore.CONTAINS.b gives me all users. Where does it list what each user passwordIDStore is since the one provided does not match with the filters?
For 'identityGroup' the following two requests return the same thing (all users) :
https://<ISE-ADMIN-NODE>:9060/ers/config/internaluser?filter=identityGroup.EQ.level_15_user
https://<ISE-ADMIN-NODE>:9060/ers/config/internaluser?filter=identityGroup.NEQ.level_15_user
What are the values that I should be using to filter for Boolean fields? I have tried 'true', 'True', 'TRUE', and 1 so far, but none have worked. For 'enabled' I get back every single user no matter what combination of operations and values I use. Whereas, for 'expiryDateEnabled', when I delve into the error messages more, I find a "java.lang.ClassCastException" being thrown.
Thank you for your time.
06-15-2017 07:14 AM
I would suggest working through Tac on a defect
06-15-2017 03:58 PM
Please post the TAC case number when it opens so we may track and work on your requirements better.
07-06-2017 05:41 AM
The TAC case number is: SR 682530433
10-05-2017 03:52 AM
Hi Lukas,
Any update on this?
I'm especially looking for filtering in endpoint custom attributes
Regards
Jeppe
10-05-2017 06:55 AM
Hi Jeppe,
Here is the associated bug link that has been opened (CSCvf60064). If you view it, you will see that only the attributes 'enabled' , 'passwordIDStore' and 'expiryDate' are referenced. As of right now, there are no listed workarounds or documented updates which would fix the issue. Not sure if this helps, but if you continue to run into issues I would recommend opening up a TAC case as well!
Best,
Lukas
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide