Solved: ISE ERS API Filtering

lukas.leung · ‎06-13-2017

Greetings,

In numerous places on the External Restful Service (ERS) SDK site [https://<ISE-ADMIN-NODE>:9060/ers/sdk] there are references to being able to filter searches via a combination of attributes, operations, and values. This is done through issuing a GET request using the a request URL such as https://<ISE-ADMIN-NODE>:9060/ers/config/internaluser?filter=<attribute>.<operation>.<value>

Though I have been able to find a list of valid operations in the Quick Reference > Searching a Resource section, I have been unable to find an accurate list of valid "attributes" for any of the searchable nodes (internaluser, networkdevice, identitygroup, etc...). There is a list of attributes provided on these but they are not all filterable, do not filter correctly, or are missing valid attributes. For example, within the Quick Reference > Searching a Resource and the Developer Resources > Use Cases – curl scripts > Search Users sections, there are examples doing a GET request using the attribute "identityGroup" for the node "internaluser". This attribute is not on the list of attributes for internaluser and does not filter as shown in the examples (tested using Perl, Curl, and Postman).

For more information, I have attached a word document with our results of testing the basic format with every combination of attribute (for internaluser) and operation (from the aforementioned list). This has 3 main sections: Works, Gives and error, and Unknown; each one detailing some of the messages I've seen or how they work in an unexpected way. For this testing we had 26 users in our system.

The question boils down to is there an updated API site which I can reference to determine which attributes I can filter searches on for each of the nodes?

Thank you for your time.

lukas.leung · ‎10-05-2017

Hi Jeppe,

Here is the associated bug link that has been opened (CSCvf60064). If you view it, you will see that only the attributes 'enabled' , 'passwordIDStore' and 'expiryDate' are referenced. As of right now, there are no listed workarounds or documented updates which would fix the issue. Not sure if this helps, but if you continue to run into issues I would recommend opening up a TAC case as well!

Best,

Lukas

View solution in original post

vibobrov · ‎06-13-2017

The attributes that can be used for filtering can be found under https://1.2.3.4:9060/ers/sdk in API documentation section.

Here's a snipper for Internal User:

Supported Filter and Sorting Fileds:

Filter: [expiryDate, firstName, lastName, passwordIDStore, identityGroup, name, description, email, enabled, expiryDateEnabled]

Sorting: [name, description]

lukas.leung · ‎06-14-2017

Hi Viktor,

I have found the portion you were referring to in the API section, however not all of those filter as they should (or at least are not intuitive). Specifically the fields that I have had issues with are [expiryDate, passwordIDStore, identityGroup, enabled, expiryDateEnabled].

For 'expiryDate' the date format of "YYYY-MM-DD" does not work (see the word doc I attached with my original post)

For 'passwordIDStore' the filter does not work. I can pull up an individual user's information (/internaluser/<id>) and they will have i.e. "passwordIDStore": "testAD". However when I filter with: ?filter=passwordIDStore.CONTAINS.testAD, I get nothing. However when I filter with: ?filter=passwordIDStore.CONTAINS.AD, I get the proper accounts. though ?filter=passwordIDStore.CONTAINS.b gives me all users. Where does it list what each user passwordIDStore is since the one provided does not match with the filters?

For 'identityGroup' the following two requests return the same thing (all users) :

https://<ISE-ADMIN-NODE>:9060/ers/config/internaluser?filter=identityGroup.EQ.level_15_user

https://<ISE-ADMIN-NODE>:9060/ers/config/internaluser?filter=identityGroup.NEQ.level_15_user

What are the values that I should be using to filter for Boolean fields? I have tried 'true', 'True', 'TRUE', and 1 so far, but none have worked. For 'enabled' I get back every single user no matter what combination of operations and values I use. Whereas, for 'expiryDateEnabled', when I delve into the error messages more, I find a "java.lang.ClassCastException" being thrown.

Thank you for your time.

Jason Kunst · ‎06-15-2017

I would suggest working through Tac on a defect

hslai · ‎06-15-2017

Please post the TAC case number when it opens so we may track and work on your requirements better.

lukas.leung · ‎07-06-2017

The TAC case number is: SR 682530433

Jeppe Schoubye · ‎10-05-2017

Hi Lukas,

Any update on this?

I'm especially looking for filtering in endpoint custom attributes

Regards

Jeppe

lukas.leung · ‎10-05-2017

Hi Jeppe,

Here is the associated bug link that has been opened (CSCvf60064). If you view it, you will see that only the attributes 'enabled' , 'passwordIDStore' and 'expiryDate' are referenced. As of right now, there are no listed workarounds or documented updates which would fix the issue. Not sure if this helps, but if you continue to run into issues I would recommend opening up a TAC case as well!

Best,

Lukas