Create a New Role which Includes all users with Direct Reports

Hello,
I’m looking to create a role which includes all users that have direct reports, i.e. another user has this individual marked as their manager.
Is there a way to do this within a Role?

Not all line managers are marked as Supervisor, Manager, Team Leader etc, so using “contains” is not an option for us.

Thanks, Daniel.

Hi @danieljackson

The “Manager” attribute usually holds the distinguished name (DN) or unique identifier of an employee’s manager. By utilizing this attribute as criteria, you can create a role.


Hello,
Thanks so much for your prompt response and suggestion.
Using this attribute, would this not give me all users that have a manager?
Thanks, Daniel.

Hi @danieljackson ,
You need to find the unique values for each manager to create multiple roles.
For example:
Role 1 can have “contains DN=Daniel” in its criteria, so this role will include all the reportees of Daniel.
In this way multiple roles can be created, one for each manager.


@danieljackson

Do you have a manager coming from the SOT and a manager correlation? If yes, ISC will automatically populate the ‘isManager’ flag on those identities that are managers or have direct reports.

Use an Identity Attribute rule; IdnUtil has the method below.

getIdentityById

Populate true/false in any identity attribute using the above rule and then use it in role assignment.

The Identity Attribute rule will already have the identity object, so the getIdentityById method might not be required.

Needs to be tested.
Thanks


Hi there, @danieljackson!

I think we’ll want to split this into two separate parts:

  1. An Identity Attribute that uses a transform to determine whether each user is a manager
  2. A role which looks for a specific value in that Identity Attribute

For the first part, you’ll want to use a static transform that references the identity attribute context; specifically, $identity.getManagerStatus(), which will return true if the user is a manager, or false if they are not.

Note that if you have a user whose role is something management-related, but does not have any direct reports, they will not be considered a manager by this transform.

For the second part, you should be able to configure your role as normal leveraging your new Identity Attribute.

Hope that helps!

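As an added illustration of the two-part setup described in the previous reply (not configuration from the original thread), the following shows the static transform backing an identity attribute named isManager, and the role membership criterion that matches on it. The attribute name, the role criteria structure, and the wrapper keys `identityAttributeTransform` / `roleMembershipCriteria` (which only label the two parts) are assumptions; the Velocity expression `$identity.getManagerStatus()` is the one given above.

```json
{
  "identityAttributeTransform": {
    "name": "Is Manager",
    "type": "static",
    "attributes": {
      "value": "$identity.getManagerStatus()"
    }
  },
  "roleMembershipCriteria": {
    "type": "STANDARD",
    "criteria": {
      "operation": "EQUALS",
      "key": {
        "type": "IDENTITY",
        "property": "attribute.isManager"
      },
      "stringValue": "true"
    }
  }
}
```

The transform yields the string true or false, so the role criterion compares against the literal string "true"; users with management-sounding titles but no direct reports evaluate to false and are not assigned the role.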

Thank you so much everyone for your help with this, much appreciated!

Hello,
Apologies if this is an obvious one, but once the transform is added to SailPoint it will need to be assigned to the Identity Profile to map against the Identity. To add this, I can see the option to set the new transform within Mappings in the GUI, but how would I assign this without setting an attribute?
Perhaps I’m missing something in the documentation.
Thanks again, Daniel.


Good question! In a case where the attributes are defined inside the transform, what you select on the Identity Profile Mapping page is ignored. I typically just select my authoritative source and the ID attribute.

You can create a new Delimited File source that is supposed to have only users who are managers. This source can have the minimum required fields to uniquely identify a user and correlate with the corresponding identity in ISC.
Initially you can add the existing managers to the source. For the future, set up a workflow that triggers on creation of a new identity, from which you can read the manager details and update the Delimited File source.
Now have an identity attribute (say isManager) which can be set to true or false based on whether the identity has an account in the newly created Delimited File source.

Thank you so much, this has worked - will mark your answer as the Solution.
Thanks again, Daniel.
