Get manager DN from an Identity in an Update Policy

Hi! We’re trying to get the distinguishedName of the manager of an identity. We’ve tried two ways. The first one is a simple transform that gets it directly:

{
    "name": "testManager",
    "type": "static",
    "attributes": {
        "managerName": "$identity.getManager().getStringAttribute(\"displayName\")",
        "value": "$managerName"
    },
    "internal": false
}

The problem with this transform is that it only works for identity attributes, not for account attributes. And the manager is an account attribute from the Active Directory account.

We’ve also tried to get it like this:

{
    "name": "Test",
    "transform": {
        "attributes": {
            "sourceName": "Active Directory source",
            "attributeName": "givenName",
            "accountReturnFirstLink": true,
            "accountFilter": "(nativeIdentity.equals(\"nameofidentitty\"))"
        },
        "type": "accountAttribute"
    }
}

We want to have it in our Update Policy. Do you have any ideas? Thank you in advance.

Hey @rcgalvez! This is actually a perfect case for the Get Reference Identity Attribute primitive: Get Reference Identity Attribute | SailPoint Developer Community

Assuming there’s an Identity Attribute called distinguishedName, this should work for you:

{
  "attributes": {
    "name": "Cloud Services Deployment Utility",
    "operation": "getReferenceIdentityAttribute",
    "uid": "manager",
    "attributeName": "distinguishedName"
  },
  "type": "rule",
  "name": "Get Manager DN"
}

(note that manager is a special keyword in the uid field that dynamically references the manager of the current identity)

Hello @rcgalvez,

You can create an identity “userdn” and add the user’s DN, then create another attribute, managerDN. Here is the transform to get the reference from the userDN attribute:

{
  "name": "Rule - ManagerDN",
  "type": "rule",
  "attributes": {
    "uid": "manager",
    "name": "Cloud Services Deployment Utility",
    "attributeName": "userdn",
    "operation": "getReferenceIdentityAttribute"
  },
  "internal": false
}

Thanks,
IAM-PDU

The problem with your solution is that it only works with identity attributes. The attribute that we must get from the AD account is an accountAttribute only and that transform doesn’t work for this scenario. Please try to read my post carefully. We’re trying the second solution right now, but we can’t get it to filter anything. Thanks in advance.

You’d just create an additional Identity Attribute that pulls in the user’s distinguishedName from AD, and reference that attribute in the transform.
