Certification Campaigns are being assigned to Me, not Managers

Good morning/afternoon,

I am currently trying to integrate part of my workflow to check with managers on the current status of their vendors (whether they are current, have been discontinued, new vendors to add, etc.). Currently we are having to email the managers of our departments and are working manually out of a spreadsheet. However, we have the vendors in AD and Azure AD, and we have AD and Azure AD synced with SailPoint. Our goal is to move this process into SailPoint so that managers can simply respond via SailPoint to revoke or retain access for vendors.

While great in theory, we are having some issues. If I query for one or more normal users (such as myself) and select an entitlement that applies to the identities queried, their manager is appropriately listed as a reviewer for the campaign, but if I query for and select an entitlement that our Vendors get, the campaign reviewer is set to me or one of my colleagues, depending on which one of us is generating the campaign.

To walk you through what we are trying, the steps are as follows:

Selecting Certification Campaigns in the Search Tab

Querying with the following: @accounts(source.name:"Vendor Accounts" AND disabled:false)

Selecting Certify These Identities

Selecting Refine Access Items

Selecting an entitlement that is applied to all of our vendors’ accounts and adding it to the campaign

Naming the campaign and giving it a description and turning on Email Notifications

Manager is selected as the Reviewer

Leaving Maintain access to undecided items on

Requiring Comments for decisions marked as revoked

Generating the campaign now and having a due date for 2 weeks after the campaign starts

When viewing the campaign, rather than the manager, who is appropriately set in both AD and Azure AD, the reviewer is the person generating the campaign. If you have any insight or recommendations for me to look at, please feel free to share.

Thanks!

Hi @jacobsullivan , Do the vendor identities have a valid manager associated on their identity object? If the vendor identities do not have a manager associated then the campaign is auto-assigned to the creator for review. This needs to be configured at the identity profile and source level.

Here is the documentation on manager correlation for more information - Configuring Manager Correlation - SailPoint Identity Services

Let me know if that helps!

Thanks,

Liam

Hey Liam,

Thanks for replying. I followed the documentation you provided. I did think that it was possibly a problem due to our vendors not having a last name, but I made sure that it reached to a different source in the Identity Profile Mappings for a last name. There is one vendor in particular who I know has a last name in AD, but even when just trying to do a campaign for him alone, it gives the same issue, assigning me for the review.

Anything else you know of that I can try?

Hey Jacob,

That is a good call; identities with a processing error (e.g. missing required attributes) may not be able to be included as a reviewer of a campaign.

So just to confirm, the vendor identity you are testing with has a manager configured on their identity object like the screenshot below?

So that is the thing, none of these accounts I’m querying have managers in their Identity Object.


But if I look myself up, I do have my manager in my Identity Object.

I modified the Manager Name in the Identity Profile to pull from Azure AD as it's recorded as an email there. I then set the Source to Correlate the Manager with the Identity Attribute "Name" against the "manager" Account Attribute, because our "Names" are our company emails in Azure AD. I also tried setting Manager Correlation to Work Email equals manager.

Okay, and just to confirm, your identity profile mapping for 'Manager Name' is also mapped to Azure AD's 'manager' attribute? And Azure AD's 'manager' attribute is the email of the manager?

Can you also confirm that the Identity Attribute 'Name' value is unique across your identities? If there are multiple identities with the Identity Attribute 'Name' of 'jdoe@xyz.com', the Source Manager Correlation Config wouldn't know which identity to correlate the manager to.

If it is not unique, you will need to configure a unique correlating attribute or look into a manager correlation rule - Manager Correlation Rule | SailPoint Developer Community
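As an added illustration (not SailPoint's own code or logic), the following Python model shows the two failure modes discussed in this thread: an account whose manager value matches no identity or more than one identity (non-unique correlating attribute) gets no correlated manager, and an identity without a manager falls back to the campaign creator as reviewer. All identities, emails and the account attribute layout are constructed for the example.

```python
"""Model of manager correlation and 'Manager' reviewer assignment.

Added example, not SailPoint code. It assumes a source whose account
attribute 'manager' holds the manager's email, as described in the thread.
"""

# Constructed sample identities (not from a real tenant).
IDENTITIES = [
    {"id": "i1", "name": "alice@xyz.com", "workEmail": "alice@xyz.com"},
    {"id": "i2", "name": "bob@xyz.com", "workEmail": "bob@xyz.com"},
    {"id": "i3", "name": "bob@xyz.com", "workEmail": "robert@xyz.com"},  # duplicate 'name'
    {"id": "v1", "name": "vendor1@xyz.com", "workEmail": "vendor1@xyz.com"},
    {"id": "v2", "name": "vendor2@xyz.com", "workEmail": "vendor2@xyz.com"},
    {"id": "v3", "name": "vendor3@xyz.com", "workEmail": "vendor3@xyz.com"},
]

# Constructed vendor accounts keyed by identity id; 'manager' is an email.
ACCOUNTS = {
    "v1": {"manager": "alice@xyz.com"},
    "v2": {"manager": "bob@xyz.com"},  # ambiguous on 'name', unique on 'workEmail'
    "v3": {"manager": ""},             # account not yet populated with a manager
}


def correlate_manager(account, identities, identity_attr):
    """Return (manager_identity_id, reason); correlation needs exactly one match."""
    value = account.get("manager", "")
    if not value:
        return None, "no manager value on account"
    matches = [i["id"] for i in identities if i.get(identity_attr) == value]
    if len(matches) == 1:
        return matches[0], "ok"
    if not matches:
        return None, "no identity matched"
    return None, f"ambiguous: {len(matches)} identities share {identity_attr}={value}"


def campaign_reviewer(identity_id, creator_id, identity_attr="workEmail"):
    """'Manager' reviewer type: correlated manager, else the campaign creator."""
    manager, reason = correlate_manager(
        ACCOUNTS.get(identity_id, {}), IDENTITIES, identity_attr)
    return (manager, reason) if manager else (creator_id, reason)


def creator_fallbacks(creator_id, identity_attr="workEmail"):
    """Identities whose review would land on the creator, with the reason."""
    return {iid: campaign_reviewer(iid, creator_id, identity_attr)[1]
            for iid in ACCOUNTS
            if campaign_reviewer(iid, creator_id, identity_attr)[0] == creator_id}
```

Running `creator_fallbacks("jacob", "name")` versus `creator_fallbacks("jacob", "workEmail")` shows why switching the correlating attribute from the non-unique 'Name' to 'Work Email' removes the ambiguous case while the accounts with an empty manager value still fall back to the creator.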

So I was able to resolve it. I’m not exactly sure how, but I stepped away and it seems that the change I made to the ID Profile to look for the Azure AD manager attribute and then correlated the Azure AD source to look for Work Email Equals manager fixed it. Now I have only 6 accounts to remediate that have not been moved over to Azure AD. It just took over an hour for it to sync for some reason.

I don’t know why that was so complicated, but I’m glad it’s nearly complete. This will definitely save us some heartache as our managers tend to respond to emails with SailPoint faster than our request.

Thank you so much for your help with this Liam!


No problem, glad it is resolved!