Chapter 6. Accessing Data Objects
Prev		Next

Chapter 6. Accessing Data Objects

Table of Contents

6.1. Accessing Data Objects by Using Scripts
6.2. Accessing Data Objects by Using the REST API
6.3. Defining and Calling Queries

OpenIDM supports a variety of objects that can be addressed via a URL or URI. You can access data objects by using scripts (through the Resource API) or by using direct HTTP calls (through the REST API).

The following sections describe these two methods of accessing data objects, and provide information on constructing and calling data queries.

6.1. Accessing Data Objects by Using Scripts

OpenIDM's uniform programming model means that all objects are queried and manipulated in the same way, using the Resource API. The URL or URI that is used to identify the target object for an operation depends on the object type. For an explanation of object types, see the Data Models and Objects Reference. For more information about scripts and the objects available to scripts, see the Scripting Reference.

You can use the Resource API to obtain managed objects, configuration objects, and repository objects, as follows:

val = openidm.read("managed/organization/mysampleorg")
val = openidm.read("config/custom/mylookuptable")
val = openidm.read("repo/custom/mylookuptable")

For information about constructing an object ID, see URI Scheme in the REST API Reference.

You can update entire objects with the update() function, as follows.

openidm.update("managed/organization/mysampleorg", mymap)
openidm.update("config/custom/mylookuptable", mymap)
openidm.update("repo/custom/mylookuptable", mymap)

For managed objects, you can partially update an object with the patch() function.

openidm.patch("managed/organization/mysampleorg", rev, value)

The create(), delete(), and query() functions work the same way.

6.2. Accessing Data Objects by Using the REST API

OpenIDM provides RESTful access to data objects via a REST API. To access objects over REST, you can use a browser-based REST client, such as the Simple REST Client for Chrome, or RESTClient for Firefox. Alternatively you can use the curl command-line utility.

For a comprehensive overview of the REST API, see the REST API Reference appendix.

To obtain a managed object through the REST API, depending on your security settings and authentication configuration, perform an HTTP GET on the corresponding URL, for example https://localhost:8443/openidm/managed/organization/mysampleorg.

By default, the HTTP GET returns a JSON representation of the object.

6.3. Defining and Calling Queries

6.3.1. Parameterized Queries
6.3.2. Native Query Expressions
6.3.3. Constructing Queries

OpenIDM supports an advanced query model that enables you to define queries, and to call them over the REST or Resource API.

6.3.1. Parameterized Queries

Managed objects in the supported OpenIDM repositories can be accessed using a parameterized query mechanism. Parameterized queries on repositories are defined in the repository configuration (repo.*.json) and are called by their _queryId.

Parameterized queries provide security and portability for the query call signature, regardless of the back-end implementation. Queries that are exposed over the REST interface must be parameterized queries to guard against injection attacks and other misuse. Queries on the officially supported repositories have been reviewed and hardened against injection attacks.

For system objects, support for parameterized queries is restricted to _queryId=query-all-ids. There is currently no support for user-defined parameterized queries on system objects. Typically, parameterized queries on system objects are not called directly over the REST interface, but are issued from internal calls, such as correlation queries.

A typical query definition is as follows:

"query-all-ids" : "select _openidm_id from ${unquoted:_resource}"

To call this query, you would reference its ID, as follows:

?_queryId=query-all-ids

The following example calls query-all-ids over the REST interface:

$ curl
 --header "X-OpenIDM-Username: openidm-admin"
 --header "X-OpenIDM-Password: openidm-admin"
 "http://localhost:8080/openidm/managed/user/?_queryId=query-all-ids"

6.3.2. Native Query Expressions

Native query expressions are supported for all managed objects and system objects, and can be called directly over the REST interface, rather than being defined in the repository configuration.

Native queries are intended specifically for internal callers, such as custom scripts, in situations where the parameterized query facility is insufficient. For example, native queries are useful if the query needs to be generated dynamically.

The query expression is specific to the target resource. For repositories, queries use the native language of the underlying data store. For system objects that are backed by OpenICF connectors, queries use the applicable query language of the system resource.

Native queries on the repository are made using the _queryExpression keyword. For example:

$ curl
 --header "X-OpenIDM-Username: openidm-admin"
 --header "X-OpenIDM-Password: openidm-admin"
 "http://localhost:8080/openidm/managed/user?_queryExpression=select+*+from+managedobjects"

Unlike parameterized queries, native queries are not portable and do not guard against injection attacks. Such query expressions should therefore not be used or made accessible over the REST interface or over HTTP, other than for development, and should be used only via the internal Resource API. For more information, see the section on Protecting Sensitive REST Interface URLs.

If you really need to expose native queries over HTTP, in a selective manner, you can design a custom endpoint to wrap such access.

6.3.3. Constructing Queries

The openidm.query function enables you to query OpenIDM resource objects for reconciliation processes and workflows. Query syntax is openidm.query(id, params), where id specifies the object on which the query should be performed and params provides the parameters that are passed to the query. For example:

var params = {
    'query' : {
        'Equals': {
            'field' : 'uid',
            'values' : [
                id
            ]
        }
    }
};
var results = openidm.query("system/ScriptedSQL/account", params)

OpenIDM supports nine query filters and a range of keywords that can be applied to these filters. Each filter takes a field and a list as value. The following filters are supported:

Attribute Operations

Equals Filter

Determines whether the resource contains an attribute that matches a specific attribute value.

Returns true if the object satisfies all selection criteria of the filter, otherwise returns false.

For example:

{
    "Equals":{
        "field":"lastname",
            "values":[
                "Doe"
            ]
    }
}

ContainsAllValues Filter

Determines whether the external resource contains an attribute that has the same name as, and contains all of the values of, the attribute placed into the filter.

Returns true if the object satisfies all the selection criteria of the filter, otherwise returns false.

Comparable Attribute Operations

Compares single-value attributes to a given filter.

GreaterThan Filter

Determines whether the attribute value of the resource object is greater than the one provided in the filter.

Returns true if the object value is greater, otherwise returns false.

GreaterThanOrEqual Filter

Determines whether the attribute value of the resource object is greater than or equal to the one provided in the filter.

Returns true if the object value is greater than or equal, otherwise returns false.

LessThan Filter

Determines whether the attribute value of the resource object is less than the one provided in the filter.

Returns true if the object value is less, otherwise returns false.

LessThanOrEqual Filter

Determines whether the attribute value of the resource object is less than or equal to the one provided in the filter.

Returns true if the object value is less than or equal, otherwise returns false.

String Attribute Operations

Compares string values to a given filter.

StartsWith Filter: Returns attributes whose value starts with the string specified in the filter.
Contains Filter: Returns attributes whose value contains the string specified in the filter.
EndsWith Filter: Returns attributes whose value ends with the string specified in the filter.

Filter Operations

Filter operations are used to construct more complex filters by comparing two filters from the preceding section or negating filters defined in the previous section.

AND Filter

A filter that matches entries using the AND boolean operator on two filters.

Example:

{
 "query":{
   "AND":[
     {
        "Equals":{
            "field":"lastname",
            "values":[
               "Doe"
            ]
        }
     },
     {
         "Equals":{
             "field":"firstname",
             "values":[
                "John"
             ]
         }
     }
   ]
 }
}

OR Filter

A filter that matches entries using the OR boolean operator on two filters.

Example:

{
  "query":{
    "OR":[
      {
        "StartsWith":{
            "field":"lastname",
            "values":[
              "A"
            ]
        }
      },
      {
        "StartsWith":{
            "field":"lastname",
            "values":[
              "B"
            ]
        }
      }
    ]
  }
}

NOT Filter

A filter that filters out matched entries by negating another filter.

Example:

{
  "query":{
    "NOT":[
      {
        "Equals":{
          "field":"lastname",
          "values":[
            "Doe"
          ]
        }
      }
    ]
  }
}

Prev		Next
Chapter 5. Configuring OpenIDM	Home	Chapter 7. Using Policies to Validate Data