We have a attribute 'is_admin' (special logick requirement) on our user profile with type boolean, as we know from here the booleans attributes have three values on okta (true, false and undefined). At beginning of our project we do not set this attribute as required, so we have a lot of users with value undefined. The problem is that we need to query for all user who is_admin value is not true, so it should be false or undefined. We try a lot of mixes, but for all of them we get bad request:
It's not uri encoded for more clarity.
.../api/v1/users/users?search=profile.is_admin eq false or profile.is_admin eq "" => 400
.../api/v1/users?search=profile.is_admin eq false or profile.is_admin eq undefined => 400
.../api/v1/users?search=profile.is_admin eq false or profile.is_admin eq null => 400
.../api/v1/users?search=profile.is_admin ne true => 400
.../api/v1/users?search=profile.is_admin gt true and profile.is_admin lt true => 400
.../api/v1/users?search=profile.is_admin gt true or profile.is_admin lt true => 400
.../api/v1/users?search=not profile.is_admin eq true => 400
.../api/v1/users?search=not(profile.is_admin eq true) => 400
.../api/v1/users?search=profile.is_admin not eq true => 400
So here is my question: How can I get all user who his 'is_admin' attribute is not equal to true?
Their search API doesn't support ne(not equal) operator.
Note that their doc: https://developer.okta.com/docs/reference/core-okta-api/#operators says
Note: The ne (not equal) operator isn't supported for some objects, but you can obtain the same result by using lt ... or ... gt. For example, to see all user agents except for "iOS", use (client.userAgent.os lt "iOS" or client.userAgent.os gt "iOS").
But this trick of less than + greater than will not work either.
The best thing you can do is to use 'list user' with a filter(https://developer.okta.com/docs/reference/api/users/#list-users-with-a-filter) like profile.is_admin+neq+%22true%22 (profile.is_admin not equal to true):
curl \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://trial-5603560-admin.okta.com/api/v1/users?filter=profile.is_admin%20ne%20%22true%22"
scratch that. My bad thene does not work in this case either you can only filter "true" and "false" but not unassigned value(which in Okta UI maybe display as undefine).
curl GET https://trial-5603560-admin.okta.com/api/v1/users?search=(profile.is_admin+eq+%22false%22) \
--header 'Authorization: SSWS xxxx' \
--header 'Content-Type: application/json'
curl GET https://trial-5603560-admin.okta.com/api/v1/users?search=(profile.is_admin+eq+%22false%22) \
--header 'Authorization: SSWS xxx' \
--header 'Content-Type: application/json'
In fact when you access a particular User directly via
https://...admin.okta.com/admin/user/profile/view/{UserID}
you'll find the users that have undefined shown on UI for the field completely missing that particular node in the JSON compared to ones that hold true or false. I think your original query was correct and their API prob has a bug.
Usually, I'd log in to https://support.okta.com/help/s/?language=en_US with your Okta admin account. And talk to them directly, providing the id in the request/response. Occasionally they can escalate to a dev in to fix things quickly.