FirstValid Transform for Manager DN in AD Provisioning

Hi Community,

I need help with a transform for an Active Directory (AD) provisioning plan in SailPoint IdentityNow (IDN).

I want to check whether a user’s manager exists in AD based on their SamAccountName. If the manager exists, I need to fetch their Distinguished Name (DN) from AD. If the manager does not exist, the value should be set to null.

Since my DN format differs between AD and IDN, I believe a FirstValid transform is needed:

  1. Check if the manager’s SamAccountName exists in AD.
  2. If it exists, retrieve the DN of the manager.
  3. If it doesn’t exist, return null.

Can someone guide me on how to configure this transform correctly?

  1. Create an Identity attribute AD DN; use the Account Attribute Transform to read distinguishedname from your AD source.
  2. Create a Manager DN Identity attribute; use the Get Reference Identity Attribute transform:
{
  "attributes": {
    "name": "Cloud Services Deployment Utility",
    "operation": "getReferenceIdentityAttribute",
    "uid": "manager",
    "attributeName": "adDn"
  },
  "type": "rule",
  "name": "Get Reference Identity Attribute Transform"
}

Use this Manager DN attribute in your AD provisioning policy form and enable attribute sync for it.

2 Likes

{
  "name": "GetManager-ActiveDirectory",
  "type": "firstValid",
  "attributes": {
    "values": [
      {
        "type": "static",
        "attributes": {
          "value": "$identity.getManager().getLinksByAppIdOrName(\"e4a89a2a104145cfb9e223e8d504f\",null)[0].getNativeIdentity()"
        }
      },
      "null"
    ],
    "ignoreErrors": true
  }
}

Replace the id with the ID of your Active Directory source and map this transform to the manager field of the provisioning policy. I think it will work fine.

2 Likes
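To make the behaviour of the answer above concrete, here is an added example that is not part of the thread and not SailPoint code: a small Python model of how a firstValid transform with "ignoreErrors": true evaluates the manager lookup. The Identity and Link classes, the method names mirroring the Velocity calls, the sample identities and DNs, and the reuse of the thread's source id as a placeholder are all constructed for the example; the real platform evaluates Velocity against its own identity model, and the fallback here returns None to model the intent of the "null" entry. The point it shows is why ignoreErrors matters: the expression throws both when the manager has no AD account and when the identity has no manager at all, and only with ignoreErrors does firstValid fall through to null instead of failing the provisioning plan.

```python
"""Model of a SailPoint firstValid transform with ignoreErrors (added example,
not platform code). All identities, links and ids below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Source id quoted in the thread, used here only as a placeholder value.
AD_SOURCE_ID = "e4a89a2a104145cfb9e223e8d504f"


@dataclass
class Link:
    """One account (link) on a source; for AD the native identity is the DN."""
    app_id: str
    native_identity: str


@dataclass
class Identity:
    name: str
    links: List[Link] = field(default_factory=list)
    manager: Optional["Identity"] = None

    # The two calls the Velocity expression in the answer makes:
    def get_manager(self) -> Optional["Identity"]:
        return self.manager

    def get_links_by_app_id_or_name(self, app_id: str, name=None) -> List[Link]:
        return [l for l in self.links if l.app_id == app_id or (name and l.app_id == name)]


def manager_ad_dn(identity: Identity) -> str:
    """Mirrors $identity.getManager().getLinksByAppIdOrName(ID, null)[0].getNativeIdentity().
    Raises AttributeError when there is no manager and IndexError when the
    manager has no AD account, the same two failure modes the platform hits."""
    manager = identity.get_manager()
    return manager.get_links_by_app_id_or_name(AD_SOURCE_ID, None)[0].native_identity


def first_valid(values: List[Callable[[], Optional[str]]], ignore_errors: bool) -> Optional[str]:
    """Return the first value that evaluates to a non-empty result.
    With ignore_errors, a value that throws is skipped instead of aborting."""
    for value in values:
        try:
            result = value()
        except Exception:
            if ignore_errors:
                continue
            raise
        if result is not None and result != "":
            return result
    return None


def resolve_manager_dn(identity: Identity, ignore_errors: bool = True) -> Optional[str]:
    """The GetManager-ActiveDirectory transform from the answer, as a model:
    try the manager's AD DN first, otherwise fall back to null."""
    return first_valid([lambda: manager_ad_dn(identity), lambda: None], ignore_errors)


# Constructed sample data: a manager with an AD account, one without, and no manager.
BOB = Identity("bob", links=[Link(AD_SOURCE_ID, "CN=Bob Lee,OU=Users,DC=example,DC=com")])
DAVE = Identity("dave", links=[Link("hr-source-id", "00042")])  # HR only, no AD account
ALICE = Identity("alice", manager=BOB)
CAROL = Identity("carol", manager=DAVE)
ERIN = Identity("erin", manager=None)


if __name__ == "__main__":
    for person in (ALICE, CAROL, ERIN):
        print(person.name, "->", resolve_manager_dn(person))
    try:
        resolve_manager_dn(CAROL, ignore_errors=False)
    except IndexError:
        print("without ignoreErrors the transform fails instead of returning null")
```

Run as a script it prints the DN for alice and None for carol and erin, then shows the failure you get if ignoreErrors is left off. When testing the real transform, the same three cases (manager with an AD account, manager without one, no manager) are the ones worth previewing before enabling attribute sync on the manager field.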

Thanks, Krishna, for your response.

1 Like

Thanks, Tulasi, for your response.

2 Likes