Filter by manager relationship for Cloud Rule

Hello all,

Trying to create a Cloud Rule to take the place of what we used to do in IIQ with an Identity Selector Rule - Identity Selector Rule Alternative in ISC

Basically, we need to identify managers who are NOT in Canada but have Canadian direct reports.

I’m several versions into the rule and still can’t get it to work.

  1. Is there any supported way to filter by manager relationship in findIdentitiesBySearchableIdentityAttribute without creating a flat intermediate Identity Attribute?
  2. Has anyone successfully queried direct reports in an Identity Attribute Cloud Rule?

We have tried searching against manager.id and manager.name and get IllegalStateException: Unable to find definition of attribute named 'manager.id'

Current rule -

    import java.util.List;
    import java.util.Map;

    String CANADA = "Canada";

    try {
        String identityCountry = (String) identity.getAttribute("countryName");
        if (CANADA.equalsIgnoreCase(identityCountry)) {
            return "false";
        }

        String managerEmployeeId = (String) identity.getAttribute("identificationNumber");
        if (managerEmployeeId == null || managerEmployeeId.trim().equals("")) {
            return "false";
        }

        List directReports = idn.findIdentitiesBySearchableIdentityAttribute(
            "manager.name", "Equals", managerEmployeeId, "uid"
        );

        if (directReports != null) {
            for (Object reportObj : directReports) {
                sailpoint.object.Identity report = (sailpoint.object.Identity) reportObj;
                Map reportAttributes = report.getAttributes();
                if (reportAttributes != null) {
                    String reportCountry = (String) reportAttributes.get("countryName");
                    if (CANADA.equalsIgnoreCase(reportCountry)) {
                        return "true";
                    }
                }
            }
        }
        return "false";
    } catch (IllegalStateException ise) {
        return "false";
    } catch (Exception e) {
        return "false";
    }

Thanks in advance for any insight!

@chrisk

The IllegalStateException you’re getting is expected — in ISC, manager.id and manager.name are not registered as searchable identity attributes in any identity profile, and you can’t promote them to be searchable through the UI. The findIdentitiesBySearchableIdentityAttribute method strictly rejects any name that isn’t in the identity profile’s searchable attribute list, hence the “Unable to find definition of attribute” error.

This is one of the more painful gaps between IIQ and ISC Cloud Rules: IIQ’s BeanShell had a working Context.findObjectsByFilter() over the DB, and IIQ’s findIdentitiesBySearchableIdentityAttribute was much more permissive. ISC Cloud Rules run in a sandboxed API surface and the manager relationship isn’t queryable in that direction (only read on the current identity via identity.getManager()).

Hello @chrisk,

If I understand the requirement correctly, we need to identify managers who are not located in Canada but have one or more direct reports located in Canada and then assign a specific role to those managers.

I can think of an approach using workflows to achieve this. However, this would be a request-based approach rather than a criteria-based role assignment.

High-Level Steps

Step 1: Create a scheduled workflow that runs periodically.

Step 2: Use the Search API to retrieve all managers who are not located in Canada. You can use the following search query:

isManager:true AND NOT attributes.location:“CANADA”

Step 3: Loop through each manager returned by the query and retrieve their direct reports using the Search API. Use a query similar to:

manager.id:“${managerEmpId}”

Step 4: Iterate through the direct reports and check whether any of them are located in Canada.

Step 5: If at least one direct report is located in Canada, verify whether the manager already has the required role assigned. If not, assign the role using either the Access Request APIs or the Manage Access action.

Workflow Design

This approach would require two separate workflows:

  1. Parent Workflow – Retrieves and loops through all eligible managers.
  2. Child Workflow – Processes each manager’s direct reports and determines whether the role assignment criteria are met.

This should help automate the identification and role assignment process for managers who are outside Canada but manage employees located in Canada.