Active Directory: Attribute Sync for the Manager Attribute

Attribute Sync is the process of updating an attribute on a source whenever the identity attribute it is mapped to changes. Examples include changes to job title, location, department and so on. Synchronizing an account attribute is only offered if that attribute is mapped to an identity attribute in the account create profile of the target source. In the case of the manager attribute in Active Directory, the create profile typically maps it to an out-of-the-box generator rather than to an identity attribute.

Because the manager attribute is populated by a generator rather than an identity attribute, attribute sync is not available for it, even though keeping the AD manager in step with the HR manager is a common customer requirement. We can work around this with two new identity attributes and a transform, as described below.

Step 1:

On the relevant identity profile, create a new identity attribute to hold the distinguished name for the identity, and map it to the distinguishedName attribute on your Active Directory source:

Step 2:

Upload the following transform to the tenant. It is a rule-type transform that calls the Cloud Services Deployment Utility with the getReferenceIdentityAttribute operation: uid names the reference to follow (the identity's correlated manager) and attributeName is the identity attribute to read from the referenced identity, in this case the distinguishedName attribute created in step 1:

```json
{
  "attributes": {
    "attributeName": "distinguishedName",
    "name": "Cloud Services Deployment Utility",
    "operation": "getReferenceIdentityAttribute",
    "uid": "manager"
  },
  "name": "Determine Manager DN",
  "type": "rule"
}
```

Step 3:

Create another new identity attribute to hold the distinguished name of the identity’s manager by mapping it to the new transform just uploaded:

Save and refresh the identity profile and check that the attributes are populated with the expected data.

  • The Distinguished Name attribute should hold the DN of the identity
  • The AD Manager Distinguished Name attribute should hold the DN of the identity’s manager

Note: for the attribute in step 3 to be populated, the identity must have a correlated manager, and that manager identity must itself have a correlated Active Directory account. If either condition is not met, the manager's distinguishedName attribute is empty and the transform returns a blank value.

Step 4:

In your Active Directory source, navigate to the create profile and change the mapping of the manager attribute from the generator to the new AD Manager Distinguished Name identity attribute:

As this is now mapped to an identity attribute, it will be available to synchronise.

Step 5:

Navigate to Attribute Sync on the Active Directory source and enable synchronisation for the manager attribute:

Any change to an identity's manager will now flow through the transform into the AD Manager Distinguished Name attribute and be synchronised to the manager attribute of the identity's Active Directory account.
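The following script is an added example for steps 1 to 3, not SailPoint's code and not part of the original post. It models offline, against a constructed set of identities, what the rule transform above is assumed to do (follow the reference named by uid to another identity and read attributeName from it), so the conditions in the note under step 3 can be checked before the transform is uploaded. The identity names, DNs and the exact resolution semantics are assumptions; a real tenant evaluates transforms server-side.

```python
"""Offline model of the "Determine Manager DN" transform chain (steps 1-3).

Added example, not SailPoint's code. It re-implements, for constructed
identities, what the rule transform with operation
getReferenceIdentityAttribute is assumed to do: follow the reference named
by "uid" to another identity and read "attributeName" from that identity.
"""
import json

# The transform from step 2, unchanged.
DETERMINE_MANAGER_DN = {
    "attributes": {
        "attributeName": "distinguishedName",
        "name": "Cloud Services Deployment Utility",
        "operation": "getReferenceIdentityAttribute",
        "uid": "manager",
    },
    "name": "Determine Manager DN",
    "type": "rule",
}

# Constructed identities, keyed by uid. "distinguishedName" is the step 1
# identity attribute (None when there is no correlated AD account) and
# "manager" holds the correlated manager's uid (None when not correlated).
IDENTITIES = {
    "alice": {"manager": "bob", "distinguishedName": "CN=Alice,OU=Staff,DC=example,DC=com"},
    "bob": {"manager": "carol", "distinguishedName": "CN=Bob,OU=Staff,DC=example,DC=com"},
    "carol": {"manager": None, "distinguishedName": "CN=Carol,OU=Execs,DC=example,DC=com"},
    # dave's manager (erin) exists as an identity but has no AD account yet.
    "dave": {"manager": "erin", "distinguishedName": "CN=Dave,OU=Staff,DC=example,DC=com"},
    "erin": {"manager": "carol", "distinguishedName": None},
    # frank's manager value does not correlate to any identity.
    "frank": {"manager": "ghost", "distinguishedName": "CN=Frank,OU=Staff,DC=example,DC=com"},
}


def validate_transform(transform):
    """Return a list of problems with the rule transform definition (empty if OK)."""
    problems = []
    if transform.get("type") != "rule":
        problems.append("type must be 'rule'")
    attrs = transform.get("attributes", {})
    if attrs.get("name") != "Cloud Services Deployment Utility":
        problems.append("attributes.name must be 'Cloud Services Deployment Utility'")
    if attrs.get("operation") != "getReferenceIdentityAttribute":
        problems.append("attributes.operation must be 'getReferenceIdentityAttribute'")
    for key in ("uid", "attributeName"):
        if not attrs.get(key):
            problems.append(f"attributes.{key} is required")
    return problems


def reference_identity_attribute(identities, uid, transform):
    """Assumed model of getReferenceIdentityAttribute for one identity.

    Returns (value, reason): value is the referenced identity's attribute or
    None, and reason explains a None, mirroring the cases in the step 3 note
    (no correlated manager; manager without an AD account).
    """
    attrs = transform["attributes"]
    identity = identities.get(uid)
    if identity is None:
        return None, f"identity {uid!r} not found"
    ref_uid = identity.get(attrs["uid"])
    if not ref_uid:
        return None, f"{attrs['uid']} is not set on {uid!r} (no correlated manager)"
    referenced = identities.get(ref_uid)
    if referenced is None:
        return None, f"{attrs['uid']} {ref_uid!r} does not resolve to an identity"
    value = referenced.get(attrs["attributeName"])
    if not value:
        return None, f"{ref_uid!r} has no {attrs['attributeName']} (no correlated AD account)"
    return value, "ok"


def manager_dns(identities, transform=DETERMINE_MANAGER_DN):
    """Evaluate the transform for every identity: the step 3 sanity check."""
    return {uid: reference_identity_attribute(identities, uid, transform)
            for uid in identities}


if __name__ == "__main__":
    print(json.dumps(DETERMINE_MANAGER_DN, indent=2))
    for uid, (dn, reason) in manager_dns(IDENTITIES).items():
        print(f"{uid:6} -> {dn or '<blank>'}  [{reason}]")
```

Running it lists which identities would end up with a blank AD Manager Distinguished Name and why; a blank for an identity whose manager is set in HR almost always means the manager has no correlated AD account yet, which is the case to check first.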


Informative post @kirby_fitch

This is what I have implemented in all of my clients.


Thanks, @MVKR7T. This is actually @stewart_glover 's work. I just put it somewhere it’s accessible. Thanks, Stewart!

Thank you @kirby_fitch and @stewart_glover. This is informative.

I have a quick question on Attribute Sync - Does it trigger and work for inactive users who have AD in disabled state?

Basically, it triggers for all users if there is a change, irrespective of lifecycle state and account status. If it is the same value, it will be filtered, so there is no sync activity.

However, there is a bug here, @kirby_fitch.

I will explain with an example.

Provisioning Policy:

Account Attribute: Manager
Mapping Type: Identity Attribute
Identity Attribute Name: Manager DN

Attribute Sync:
Manager DN → Manager : Enabled

New Requirement:
Use Manager DN New Identity attribute

Attribute Sync:
Manager DN → Manager : Enabled
Manager DN New → Manager : Disabled

Unfortunately, we deleted the Manager DN attribute, so null was passed as the value and synced. This wiped out all managers in the target system, causing a P2 incident.

Actually our issue was not with manager, it was with SSO login id which was wiped out. So no user was able to login.

This was an unfortunate incident.

What I do whenever I make a change in attribute mapping:

Under Attribute sync:

  • Deselect the old attribute sync, which is Manager DN → Manager, save and reload the page.
  • This will remove the old sync entry (Manager DN → Manager).
  • Now you will have only one sync entry, which uses the new identity attribute (Manager DN New → Manager).

This is not supposed to be the product behavior. Even if it is, it should have raised an exception that the Manager DN attribute doesn't exist instead of passing nulls.

Expectation:
Whenever you change the Identity attribute in account mapping, attribute sync should be updated with newly mapped identity attribute. For safety, it is ok if sync is not enabled by default. We can review and enable the sync at once.
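The following script is an added example, not SailPoint's code and not a description of how the product behaves. It models the failure reported in the post above (an enabled sync entry still pointing at a deleted identity attribute, so null was pushed to every account) and the safer behaviour the poster asks for: audit the sync entries against the identity profile and the create-profile mapping before a change, and never push a null from a sync entry whose identity attribute no longer exists. The attribute names, data shapes and identities are constructed for the example.

```python
"""Pre-flight check before changing an attribute sync mapping.

Added example, not SailPoint's code. Models the scenario in the post: the
create profile was re-mapped to a new identity attribute, the old sync
entry stayed enabled, the old identity attribute was deleted, and nulls
were pushed. naive_sync() shows that outcome; audit_sync_entries() and
plan_sync() show the checks that would have caught it.
"""

# Identity attributes currently defined on the identity profile (constructed);
# "managerDn" has just been deleted.
PROFILE_ATTRIBUTES = {"uid", "email", "managerDnNew"}

# Create profile (provisioning policy): account attribute -> identity attribute.
PROVISIONING_POLICY = {"manager": "managerDnNew"}

# Attribute sync entries as they were left after the change (constructed).
SYNC_ENTRIES = [
    {"identity_attr": "managerDn", "account_attr": "manager", "enabled": True},
    {"identity_attr": "managerDnNew", "account_attr": "manager", "enabled": False},
]

# Sync entries after the fix the poster describes: old entry removed, new one enabled.
SYNC_ENTRIES_FIXED = [
    {"identity_attr": "managerDnNew", "account_attr": "manager", "enabled": True},
]

# Constructed identities; note that none of them has "managerDn" any more.
IDENTITIES = [
    {"uid": "alice", "managerDnNew": "CN=Bob,OU=Staff,DC=example,DC=com"},
    {"uid": "bob", "managerDnNew": "CN=Carol,OU=Execs,DC=example,DC=com"},
]


def naive_sync(identities, sync_entries):
    """The failure mode: push whatever the identity holds, null included."""
    return [(i["uid"], e["account_attr"], i.get(e["identity_attr"]))
            for e in sync_entries if e["enabled"] for i in identities]


def audit_sync_entries(sync_entries, profile_attributes, provisioning_policy):
    """Return findings about sync entries that disagree with the profile or policy."""
    findings = []
    for e in sync_entries:
        pair = f"{e['identity_attr']} -> {e['account_attr']}"
        mapped = provisioning_policy.get(e["account_attr"])
        if e["enabled"] and e["identity_attr"] not in profile_attributes:
            findings.append(f"enabled sync {pair} references a deleted identity attribute")
        if e["enabled"] and mapped != e["identity_attr"]:
            findings.append(f"enabled sync {pair} differs from create profile mapping "
                            f"({e['account_attr']} -> {mapped})")
        if not e["enabled"] and mapped == e["identity_attr"]:
            findings.append(f"sync {pair} matches the create profile but is disabled")
    return findings


def plan_sync(identities, sync_entries, profile_attributes):
    """Compute the updates a sync run would push, holding back anything null.

    Returns (updates, blocked); blocked entries need a human decision rather
    than a silent clear of the account attribute.
    """
    updates, blocked = [], []
    for e in sync_entries:
        if not e["enabled"]:
            continue
        if e["identity_attr"] not in profile_attributes:
            blocked.append(f"{e['identity_attr']} is not defined on the identity profile")
            continue
        for i in identities:
            value = i.get(e["identity_attr"])
            if value is None:
                blocked.append(f"{i['uid']}: {e['identity_attr']} is null, would clear "
                               f"{e['account_attr']}")
            else:
                updates.append((i["uid"], e["account_attr"], value))
    return updates, blocked


if __name__ == "__main__":
    print("naive:", naive_sync(IDENTITIES, SYNC_ENTRIES))
    for f in audit_sync_entries(SYNC_ENTRIES, PROFILE_ATTRIBUTES, PROVISIONING_POLICY):
        print("finding:", f)
    print("planned:", plan_sync(IDENTITIES, SYNC_ENTRIES, PROFILE_ATTRIBUTES))
    print("after fix:", plan_sync(IDENTITIES, SYNC_ENTRIES_FIXED, PROFILE_ATTRIBUTES))
```

The audit flags all three problems in the broken configuration (stale enabled entry, enabled entry that disagrees with the create profile, and the new mapping left disabled), and plan_sync produces no updates at all from it instead of a null for every account; with the fixed entries the audit is clean and both identities get their new manager DN.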

Thanks for providing this info, but I have to ask myself how nice it would be if SailPoint provided features like this, which are needed by every project using AD (and probably almost all projects), as standard.

A first step would be to integrate all these posts into the AD connector set-up documentation, instead of having bits of information here and there.

Best regards,
Andrei

Now I have run into the same use case. We get the manager change from our HR system and sync it to the identity. Now we want to sync the new manager to AD.

However, I followed the steps exactly but got a blank value in the identity's AD Manager Distinguished Name attribute. The Distinguished Name attribute does have a value.

Not sure what I missed. Please help out,

thanks,
Charlie