Having an issue with the manager DN transform that fetches the AD DN of a user's manager

Hey Guys,

I have made a transform that fetches the user's manager DN from AD.

It is working fine for existing users and fetching the manager DN, but when I onboard a new user (I am using a flat file connector to mimic the real Workday source for testing), it gives me this error:

There was an exception while calculating the value for this attribute. Error during transformation for attribute: managerdn (Transform ID: manager name ccalc) Cause: Error rendering template: $identity.getManager().getLinksByAppIdOrName("7b0f109967d041c690abd9", null).get(0).getAttribute("distinguishedName")

And below is the transform I used:
{
  "name": "manager name ccalc",
  "type": "static",
  "attributes": {
    "value": "$identity.getManager().getLinksByAppIdOrName(\"7b0f1099690abd946\", null).get(0).getAttribute(\"distinguishedName\")"
  },
  "internal": false
}

And this is how I defined it in the identity profile:

Please help.

Because you are calling methods on a null object.

Create an AD DN identity attribute, which will take its value from the AD account.

Use the Get Reference Identity Attribute transform.

Hey Krishna, I used this as well. It was not giving me any error, but it always showed blank in managerdn while previewing it in the identity profile. I used this:

{
  "name": "Get manager distinguishedName",
  "type": "rule",
  "attributes": {
    "uid": "manager",
    "name": "Cloud Services Deployment Utility",
    "attributeName": "adDn",
    "operation": "getReferenceIdentityAttribute"
  },
  "internal": false
}

You need to check the adDn attribute of the manager; refresh the manager first.

So I defined two attributes in the identity profile, one is adDn and one is managerDn. For both attributes the source is Active Directory and the attribute I mapped is distinguishedName, and on managerDn I applied the getReferenceIdentityAttribute rule. I got adDn populated, but managerDn is not populating.

@Carlatto Can you please help here?

You need to check if every user including manager has adDn attribute populated first.

Later you will get the value for managerDn attribute.

Did you create these 2 attributes at the same time?

Yes.



It is populating for existing users who already have an AD account, but when I am onboarding new users the transform fails and, as a result, the AD account doesn't get provisioned as BR.

In your create profile for AD, are you pointing the Manager attribute to the ManagerDN cube attribute?

You might also need to do an unoptimized aggregation on your AD source in order to have adDn populate for all users.

Yes, but the problem is that for existing users who have an AD account (both the user and their manager) the transform is running fine, but when we are onboarding a new user from Workday it gives the error.

Are you tracking the DN in Workday?
So basically you need a way to map the Workday Manager to the DN.

Workday Identity Profile:

AD Create Account Profile:

{
  "name": "manager",
  "transform": {
    "attributes": {
      "name": "Get Manager LDAP DN"
    },
    "type": "rule"
  },
  "attributes": {
    "cloudRequired": "true"
  },
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

Yes, I made the managerDn and adDn attributes in the Workday identity profile.

When an identity's manager is not yet created, that identity will not have a manager DN, but I don't think the manager attribute is mandatory to create an AD account.

For a new identity, if the manager already exists, the identity will first be created with all attributes defined in the identity profile. So you should already have managerDN for that identity if the manager already has an AD account.

You need to check:
→ whether the newly created identity has a manager or not
→ if the manager exists, whether the manager has an AD account or not
→ if the manager has an AD account, the manager should have the AD DN attribute populated

– Krish

1 Like

And suppose the user and their manager are both hired at the same time. They will then come into SailPoint together through aggregation from Workday, so how can that case be covered? I was talking about this scenario. But usually it doesn't happen; the manager is an old employee or a user who already exists in the organization.

Then the user gets created without a manager in AD, but we do enable attribute sync for manager, so it will be updated in the next refresh; no big deal.

Manager is not a mandatory attribute to create an account in AD. If it is in your case, ask your AD team to make it optional.
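As an added illustration (not code from this thread, from SailPoint, or from any poster), the following Python model walks through the lookup chain Krish describes above and the "hired together" case discussed just before it. The identities, accounts, DNs and the `AD_APP_ID` value are constructed sample data; the function names are invented for the example. `naive_manager_dn` mirrors the chained template call from the failing transform, which throws as soon as any link in the chain is null, while `refresh_ad_dn` plus `reference_manager_dn` mirror the two-attribute approach (own adDn first, then the manager's adDn by reference) and return `None` instead of failing. `diagnose` turns the three-point checklist into a function, and a second `refresh_all` shows the manager DN filling in once the manager's AD account exists.

```python
"""Toy model of the manager-DN lookup chain (added example; all data is constructed)."""
from dataclasses import dataclass, field
from typing import Optional

AD_APP_ID = "ad-app-0001"  # placeholder, not a real ISC source id


@dataclass
class Account:
    app_id: str
    attributes: dict


@dataclass
class Identity:
    uid: str
    manager_uid: Optional[str] = None
    accounts: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)  # identity attributes such as adDn / managerDn


def first_link(identity: Identity, app_id: str) -> Optional[Account]:
    """Like getLinksByAppIdOrName(app, null).get(0), but returns None instead of throwing."""
    return next((a for a in identity.accounts if a.app_id == app_id), None)


def naive_manager_dn(identity: Identity, directory: dict) -> str:
    """The chained call from the failing template: each step assumes the previous one is non-null.
    Raises KeyError when the identity has no manager and AttributeError when the manager
    has no AD account, which is the 'Error rendering template' seen in the thread."""
    manager = directory[identity.manager_uid]
    return first_link(manager, AD_APP_ID).attributes["distinguishedName"]


def refresh_ad_dn(identity: Identity) -> Optional[str]:
    """Step 1: the identity's own adDn, taken from its AD account (None if no account yet)."""
    link = first_link(identity, AD_APP_ID)
    identity.attributes["adDn"] = link.attributes.get("distinguishedName") if link else None
    return identity.attributes["adDn"]


def reference_manager_dn(identity: Identity, directory: dict) -> Optional[str]:
    """Step 2: the getReferenceIdentityAttribute(uid=manager, attributeName=adDn) lookup."""
    if identity.manager_uid is None or identity.manager_uid not in directory:
        return None
    return directory[identity.manager_uid].attributes.get("adDn")


def diagnose(identity: Identity, directory: dict) -> str:
    """The three-point checklist as a function: report the first missing prerequisite."""
    if not identity.manager_uid or identity.manager_uid not in directory:
        return "no manager on identity"
    manager = directory[identity.manager_uid]
    if first_link(manager, AD_APP_ID) is None:
        return "manager has no AD account"
    if not manager.attributes.get("adDn"):
        return "manager adDn not populated (refresh manager first)"
    return "ok"


def refresh_all(directory: dict) -> None:
    """One identity refresh: populate every adDn first, then every managerDn by reference."""
    for ident in directory.values():
        refresh_ad_dn(ident)
    for ident in directory.values():
        ident.attributes["managerDn"] = reference_manager_dn(ident, directory)


def build_sample() -> dict:
    """Constructed data: an existing manager, a new hire under her, and two people hired together."""
    alice = Identity("alice", accounts=[Account(AD_APP_ID, {"distinguishedName": "CN=Alice,OU=Staff,DC=example,DC=com"})])
    bob = Identity("bob", manager_uid="alice")     # new hire whose manager already has AD
    carol = Identity("carol")                       # new hire, no AD account yet
    dave = Identity("dave", manager_uid="carol")    # hired at the same time as his manager
    return {i.uid: i for i in (alice, bob, carol, dave)}


if __name__ == "__main__":
    directory = build_sample()
    refresh_all(directory)
    for uid, ident in directory.items():
        print(uid, ident.attributes["managerDn"], "|", diagnose(ident, directory))
    # second refresh after Carol's AD account is provisioned: Dave's managerDn fills in
    directory["carol"].accounts.append(Account(AD_APP_ID, {"distinguishedName": "CN=Carol,OU=Staff,DC=example,DC=com"}))
    refresh_all(directory)
    print("dave after next refresh:", directory["dave"].attributes["managerDn"])
```

The point of the model is the ordering: `managerDn` can only ever be as fresh as the manager's `adDn` from the previous pass, so a user and manager who arrive in the same aggregation will get a blank `managerDn` on the first refresh and a value on the next one, exactly the behaviour attribute sync then propagates to AD.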

Thanks a lot @KRM7. I was onboarding the user and their manager at the same time through the feed file, but when I made an already existing user their manager, the transform worked and I got both adDn and managerDn, which I mapped as identity attributes in the AD create account profile. Thanks!

1 Like