Filter out Deprovisioned Users with a not equals fails 400 bad request

killian.moore · October 26, 2021, 4:00pm

Hi,
I’ve a general question on the filtering of users.
I’ve an api call where I get all users in my Okta instance with (calling from postman):
https://xxxxxxxxxxx.okta.com/api/v1/users?filter=lastUpdated%20gt%20%222021-09-30T00:00:00.000Z%22 but I want to filter out Deprovisioned users and return all the rest so I tried:

https://xxxxxxxxxxx.okta.com/api/v1/users?filter=lastUpdated%20gt%20%222021-09-30T00:00:00.000Z%22%20and%20status%20ne%20%22DEPROVISIONED%22

Without the urlencoding:
https://xxxxxxxxxxx.okta.com/api/v1/users?filter=lastUpdated gt "2021-09-30T00:00:00.000Z" and status ne "DEPROVISIONED"
But this fails with a 400 bad request.

I know you can do a status eq "ACTIVE" or status eq "STAGED".

My question is why does ne (not equals) give a bad request but eq (equals) works?
Seems like I’ll need a string of status eq XXX or ... for all status except the one I want to filter out.
Is this correct?
This doesn’t seem very maintainable if there is a new status introduced, I’ll need to manually update my api calls that filter on status.

Filter status api doc section: Users | Okta Developer
Filter condition api doc section: Core Okta API | Okta Developer

Cale · October 26, 2021, 5:19pm

Hmmm, unfortunately this does look to be the case. The note in the filter docs states:

Note: The ne (not equal) operator isn’t supported for some objects, but you can obtain the same result by using lt ... or ... gt . For example, to see all user agents except for “iOS”, use (client.userAgent.os lt "iOS" or client.userAgent.os gt "iOS") .

I tried filter=status lt "DEPROVISIONED" or status gt "DEPROVISIONED" and doesn’t look like it’s supported either.

killian.moore · October 26, 2021, 5:32pm

Thanks for the reply Cale, would it be worth adding? At the moment I have added below as a work around but it’s messy and hard to read (this is post urlencoded).

lastUpdated%20gt%20%222021-09-30T00:00:00.000Z%22%20and%20%28status%20eq%20%22ACTIVE%22%20or%20status%20eq%20%22STAGED%22%20or%20status%20eq%20%22PROVISIONED%22%20or%20status%20eq%20%22RECOVERY%22%20or%20status%20eq%20%22PASSWORD_EXPIRED%22%20or%20status%20eq%20%22LOCKED_OUT%22%29
I’ll mark your answer as the solution.

Cale · October 26, 2021, 6:15pm

I certainly think so - no one should have to read/write that atrocious URL!

Certainly not a bad submission for Okta Ideas.

Glad you found a workaround.

Post		Replies	Views
The sw operator not working for filtering in user API Questions	5	3910	March 30, 2022
OKTA users API Filters SCIM	4	6405	September 25, 2019
Java SDK - fitlering users API java	6	5824	June 6, 2018
How to get the Deactivated users c# SDK Questions	2	4984	August 25, 2022
"sw" no longer a valid filter for Users API? API	5	3963	July 14, 2021

Filter out Deprovisioned Users with a not equals fails 400 bad request

Related topics