Manager Correlation

I’m having issues getting an example of a manager correlation to work with Active Directory.

Source is workday but for testing I’m using a CSV.

The CSV is using MANAGER_ID as the value that holds the employee id or the FILENUMBER of the manager. The Delimited File connector is working in correlating the Manager to IDN. It is mapping the IDN attribute of Manager Name (manager) to the attribute MANAGER_ID. However, I can’t choose the correlation for Active Directory for it to update the manager within AD. Under the manager correlation it does not show Manager Name (manager). With manager being an object it is already searchable. So it wouldn’t be a searchable attribute issue. So I tried creating an IDN attribute called managerId to popualte the MANAGER_ID value. But it doesn’t update on aggregation. Is it because it is currently being used by the manager attribute? I tried doing the periodic refresh on a transform to see if that would help. My thought was to make this searchable, which I have, and then choose it on the AD correlation to match to the AD employeeNumber.

I’m hoping it is a simple mistake or misconception. I see the aggregation count changing when I modify the MANAGER_ID on the CSV. Manager Name is updated, but the new attribute managerId is not updated.

Manager correlation is the process of building out the management hierarchy within IdentityNow based on the authoritative source data. You’d use Manager Correlation on an AD source if AD is the source of your identities and you want to use the AD manager attribute to set Identities’ managers within IdentityNow. There is a built-in rule and this works out of the box if Active Directory is your identity source.

However, your question (specifically the bit I quoted above) seems to be more about updating the manager in Active Directory based on the management hierarchy being aggregated from Workday. It’s possible to set AD manager with attribute synch, but it takes a bit more work. If I’m just confused about your question feel free to ignore the following. Here’s how I keep the AD manager synchronized.
Create 2 new Identity attributes: “adDistinguishedName” and “managerAdDistinguishedName”
Create a transform like the following:

{
    "name": "Get Manager AD DN",
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "attributes": {
                    "value": "$identity.manager.attributes.adDistinguishedName"
                },
                "type": "static"
            },
            {
                "attributes": {
                    "value": ""
                },
                "type": "static"
            }
        ],
        "ignoreErrors": "true"
    },
    "internal": false
}

Set “adDistinguishedName” to the users’ distinguishedName attribute from the Active Directory Source.
Set the “managerAdDistinguishedName” attribute to the transform above.
Configure your Account Create profile to populate “manager” with the Identity Attribute “managerAdDistinguishedName”
Enable Attribute Sync on the AD Manager field.

3 Likes

Thanks Kevin!!

I wasn’t able to get your transform to work. I used the below logic based off of your transform.

{
    "id": "ff5970cc-d5a5-4da4-848c-cb6be4ccb62f",
    "name": "Get Manager AD DN",
    "type": "static",
    "attributes": {
        "requiresPeriodicRefresh": "true",
        "managerDN": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "value": "$identity.manager.attributes.adDistinguishedName"
                        },
                        "type": "static"
                    },
                    {
                        "attributes": {
                            "value": "Empty"
                        },
                        "type": "static"
                    }
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($managerDN != 'Empty')$managerDN#end"
    },
    "internal": false
}

The documentation doesn’t seem to clarify that it only handles the source system that I saw. I really appreciate the help.

Configuring Manager Correlation - SailPoint Identity Services

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.