Get identity's manager's manager when Identity's manager lifecycleState is inactive

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hi experts,

I am trying to set the manager value of a non-employee identity to manager’s manager when the current manager lifecycleState is inactive by using a transform on the identity profile. I have tried to write the transform using the types “static” and “conditional”. But both the transforms are not working as expected. Below are is the code:

Conditional Transform:

{
“name”: “Bot-Machine User Manager Change Transform”,
“type”: “conditional”,
“attributes”: {
“expression”: “$cloudLifecycleState eq inactive”,
“positiveCondition”: “$mgrOwner”,
“negativeCondition”: “$owner”,
“cloudLifecycleState”: {
“attributes”: {
“name”: “Cloud Services Deployment Utility”,
“operation”: “getReferenceIdentityAttribute”,
“uid”: “managerRef”,
“attributeName”: “lifecycleState.stateName”
},
“type”: “rule”
},
“mgrOwner”: {
“attributes”: {
“name”: “Cloud Services Deployment Utility”,
“operation”: “getReferenceIdentityAttribute”,
“uid”: “managerRef”,
“attributeName”: “managerRef.id”
},
“type”: “rule”
},
“owner”: {
“attributes”: {
“name”: “manager”
},
“type”: “identityAttribute”
}
},
“internal”: false
}

Static Transform:

{
“name”: “Machine-Bot User Manager Change Transform”,
“type”: “static”,
“attributes”: {
“cloudLifecycleState”: {
“attributes”: {
“name”: “Cloud Services Deployment Utility”,
“operation”: “getReferenceIdentityAttribute”,
“uid”: “managerRef”,
“attributeName”: “lifecycleState.stateName”
},
“type”: “rule”
},
“managersManager”: {
“attributes”: {
“name”: “Cloud Services Deployment Utility”,
“operation”: “getReferenceIdentityAttribute”,
“uid”: “managerRef”,
“attributeName”: “managerRef.id”
},
“type”: “rule”
},
“manager”: {
“attributes”: {
“name”: “manager”
},
“type”: “identityAttribute”
},
“value”: “#if($cloudLifecycleState == ‘inactive’)$managersManager#else$manager#end”
}
}

The attribute reference for non employee identity attributes looks like this:
“lifecycleState”: {
“stateName”: “active”,
“manuallyUpdated”: true
}

“managerRef”: {
“type”: “IDENTITY”,
“id”: “XXXXXXXXXXXXXXXXXXXXXXX”,
“name”: “Test.User”
}

Can someone please confirm if it is even possible to get identity’s manager’s manager using a transform and if so how? If not is there any alternative way to achieve this? Any leads or suggestions would be appreciated.

2

I think that it is doable.
You need to create the following identity.attributes:
isManager : are they a manager True/false
isActive : is their LCS inactive
Then create a static transform like this:

{
  "name": "ManagerCheck",
  "type": "static",
  "attributes": {
      "value": "#if($isManager = 'false')No Manager#{elseif}($isManagerActive != 'inactive')$getManagerName#{else}$getMManagerName#end",
"isManager" : {*HR source query*},
"isManagerActive" : {*getReferenceIdentityAttribute rule* - get LCS of manager)
"getManagerName" : {*getReferenceIdentityAttribute rule* - get Manager name)
"getMManagerName" : {*getReferenceIdentityAttribute rule* - get Manager's Manager name)
  }
}

Throw in some error catching and you should be fine. I would build several test identity.attibutes to check that each rule is working before building the hold thing

3

Hi @phil_awlings,

Thanks a lot for your suggestion.

I tried with the logic that you have suggested but I am having difficulty in retrieveing the managers attributes - LCS, name and manager’s manager name. Below is the code I have used to retrieve manager’s attribute values:

“isManagerActive”: {
“attributes”: {
“name”: “Cloud Services Deployment Utility”,
“operation”: “getReferenceIdentityAttribute”,
“uid”: “manager”,
“attributeName”: “status”
},
“type”: “rule”
},
“getManagerName”: {
“attributes”: {
“name”: “Cloud Services Deployment Utility”,
“operation”: “getReferenceIdentityAttribute”,
“uid”: “manager”,
“attributeName”: “name”
},
“type”: “rule”
},
“getMManagerName”: {
“attributes”: {
“name”: “Cloud Services Deployment Utility”,
“operation”: “getReferenceIdentityAttribute”,
“uid”: “manager”,
“attributeName”: “managerRef.name”
},
“type”: “rule”
}

4

Hi,
Presumably you have created identity.attributes of ‘status’ & ‘managerRef.name’?

I did realise after posting that you don’t need to use a rule to get the manager’s name as that should already be on the user’s cube.

Also, I think that you need the ‘uid’ to match the identityCube id, which probably isn’t their name. You may need to create another attribute which pulls in the manager’s ID from the HR module, and then reference that.
This for example uses a transform to calculate the manager’s ID and then references that to retrieve the ‘displayName’

{
  "type": "rule",
  "attributes": {
      "type": "reference",
      "attributeName": "displayName",
      "name": "Cloud Services Deployment Utility",
      "operation": "getReferenceIdentityAttribute",
      "uid": {
          "type": "identityAttribute",
          "attributes": {
              "name": "managerIdCalculate"
          }
      }
  }
}

I do know that the above snippet is only part of a massive firstValid transform that iterates through loads of variations trying confirm what the UID is. (But that was because of legacy issues and non-standard naming conventions)

5

I have tried with your suggested login but it didnt work. But I have tried with another logic and it worked (partially). Below is the logic that I used.

{
name": “Machine-Bot User Manager Change Transform”,
“type”: “static”,
“attributes”: {
“cloudLifecycleState”: {
“attributes”: {
“name”: “Cloud Services Deployment Utility”,
“operation”: “getReferenceIdentityAttribute”,
“uid”: “manager”,
“attributeName”: “cloudLifecycleState”
},
“type”: “rule”
},
“getMManagerName”: {
“attributes”: {
“value”: “$identity.getManager().getManager().getStringAttribute(‘displayName’)”
},
“type”: “static”
},
“getManagerName”: {
“attributes”: {
“name”: “manager”
},
“type”: “identityAttribute”
},
“value”: “#if($cloudLifecycleState==‘Inactive’)$getMManagerName#{else}$getManagerName#end”
},
“internal”: false
}

The manager result is only visible on the identity profile preview and not updating on the Identity in the identity list. I cannot use an attribute sync on the identity as the identites belong to Non-Employee source.

I have also thought of using connector rule but I am not sure if a non-employee source supports manager correlation connector rule. Is there any other way to achieve this?

6

Hey @saiteja_anupindi
Long shot, i know because its a flat file type source you will not have the attribute sync page/create profile page. But i do know that the Non-Employee source (NELM) has some set of API’s to update the data directly.
Maybe you can use workflows to do a writeback on the manager field. You’ll know the field where the value needs to be done as writeback based on what value the field is expecting you can send same using workflows and achieve the writeback functionality.

Try this api to update the record’s certain information.

Hope this helps :slight_smile:

7

Sure, I will try that and see if it works.

Thank you for your suggestions @phil_awlings and @neeraj99

8

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.