My team has been experiencing difficulties obtaining the DN value of an Identity’s manager that’s assigned and setting it to be the value of the Manager attribute in the Active Directory connection source. The data we are testing with is currently in a delimited file and we are making transforms for the Create Account provisioning policy.
We have tried firstValue transforms for the VDI that calls a static value of “value”: “$identity.manager.attributes.networkDn” and we have tried a firstValue nesting a rule transform.
Each time we have tried, the value of the manager’s distinguishedName in the Identity Profile (which we had checked to see it filled) would return empty when a new user account is created for the AD account, and all values are filled except for manager.
Does anyone know why this might be? Thank you for reading.
Hi, Animesh! I can confirm that when I go to the list of identities that are in the delimited file auth source, each one has a DN value, and this includes the manager that is correlated with them.
It’s DN. The reason we used networkDn before is because the document for this page at the bottom said that the static value for networkDN pulls distinguishedName from the AD itself.
The documentation you quoted is just an example that if your Identity Attribute is “Network DN” and it is mapped to get the AD DN then you could use it like "$identity.manager.attributes.networkDn". In your scenario, it will be "$identity.manager.attributes.dn".
Think of Manager as a map of identity attributes.
No, you do not need to correlate this in order for the rule transform to work. The manager it is looking is from the identity attribute “manager”. If nothing is populated in manager field of Identity Cube, then the rule will not work.
I would suggest you to create a identity attribute to hold manager DN and plug this transform to the attribute mapping. This way, you will be able to see if the field is being populated or not.
I made sure to confirm that the manager name was in the Identity I put in and it is.
However, when I made an access request for the identity with an entitlement from the AD, it had failed and said that the account was created for AD but the values weren’t populated. So, I rewrote the code to be the following:
The response returned will look similar to below, there will be quite a lot more preview attributes. You can search for the attributeName you provided above, I used personalEmail.
The getReferenceIdentityAttribute from the Cloud Services Deployment Utility uses the same code to retrieve the manager identity so it does need to be correlated.
We are using the Identity Profile mappings to get the DN through a transform there and put it as an identity attribute in the Create Account for AD account creation.