I'm trying to create a CEL query for a Google dynamic group to match a custom attribute defined in customSchemas. It's defined that way (looking at it via gam):
Schema: EmployeeType
schemaId: xxx
displayName: EmployeeType
Field: UserType
fieldId: _xxx
fieldType: STRING
displayName: UserType
multiValued: False
readAccessType: ADMINS_AND_SELF
indexed: True
which, when looking at the user's info, is mapped this way: customSchemas.EmployeeType.UserType
My issue is that I can't seem to build a query to return users for a given UserType value. I tried the following:
user.EmployeeType.exists(x x.UserType=='MyValue')
user.customSchemas.EmployeeType.exists(x x.UserType=='MyValue')
user.customSchemas.exists(x x.EmployeeType.UserType=='MyValue')
Nothing is working. I think dynamic groups might not handle custom attributes, but I could also just have the wrong query. Can someone shed some light on it?
As of today, custom attributes are not valid attributes for dynamic groups CEL query, see https://cloud.google.com/identity/docs/how-to/dynamic-groups-attributes?hl=en
Moreover, I've been trying to build CEL queries for dynamic groups, expanding on the graphical query builder in the admin console and reading the CEL spec. I can confirm that only queries that can be built via the graphical query builder will be validated for dynamic group queries. Building a valid CEL query that isn't offered by the graphical query builder (such as using startsWith, endsWith, matches()) does not work, whether via the web interface or the API. Hopefully Google changes that.