Manager Correlation

I’m having issues getting an example of a manager correlation to work with Active Directory.

Source is Workday but for testing I’m using a CSV.

The CSV is using MANAGER_ID as the value that holds the employee id or the FILENUMBER of the manager. The Delimited File connector is working in correlating the Manager to IDN. It is mapping the IDN attribute of Manager Name (manager) to the attribute MANAGER_ID. However, I can’t choose the correlation for Active Directory for it to update the manager within AD. Under the manager correlation it does not show Manager Name (manager). With manager being an object it is already searchable. So it wouldn’t be a searchable attribute issue. So I tried creating an IDN attribute called managerId to populate the MANAGER_ID value. But it doesn’t update on aggregation. Is it because it is currently being used by the manager attribute? I tried doing the periodic refresh on a transform to see if that would help. My thought was to make this searchable, which I have, and then choose it on the AD correlation to match to the AD employeeNumber.

I’m hoping it is a simple mistake or misconception. I see the aggregation count changing when I modify the MANAGER_ID on the CSV. Manager Name is updated, but the new attribute managerId is not updated.

Manager correlation is the process of building out the management hierarchy within IdentityNow based on the authoritative source data. You’d use Manager Correlation on an AD source if AD is the source of your identities and you want to use the AD manager attribute to set Identities’ managers within IdentityNow. There is a built-in rule and this works out of the box if Active Directory is your identity source.

However, your question (specifically the bit I quoted above) seems to be more about updating the manager in Active Directory based on the management hierarchy being aggregated from Workday. It’s possible to set AD manager with attribute synch, but it takes a bit more work. If I’m just confused about your question feel free to ignore the following. Here’s how I keep the AD manager synchronized.
Create 2 new Identity attributes: “adDistinguishedName” and “managerAdDistinguishedName”.
Create a transform like the following:

{
    "name": "Get Manager AD DN",
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "attributes": {
                    "value": "$identity.manager.attributes.adDistinguishedName"
                },
                "type": "static"
            },
            {
                "attributes": {
                    "value": ""
                },
                "type": "static"
            }
        ],
        "ignoreErrors": "true"
    },
    "internal": false
}

Set “adDistinguishedName” to the users’ distinguishedName attribute from the Active Directory Source.
Set the “managerAdDistinguishedName” attribute to the transform above.
Configure your Account Create profile to populate “manager” with the Identity Attribute “managerAdDistinguishedName”.
Enable Attribute Sync on the AD Manager field.

2 Likes
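
An added example, not part of the thread and not SailPoint code: a Python check that recomputes what the "Get Manager AD DN" transform in the steps above should yield for each identity and compares it with the manager value on the AD account, to confirm the sync took effect. The record layout, helper names and sample data are constructed assumptions.

```python
import re

def normalize_dn(dn):
    """Casefold and trim around unescaped commas; AD compares DNs case-insensitively."""
    return ",".join(p.strip().casefold() for p in re.split(r"(?<!\\),", dn or ""))

def manager_ad_dn(identity, identities):
    """Mirror the firstValid transform: the manager's adDistinguishedName, else ""."""
    mgr = identities.get(identity.get("manager"))
    return (mgr or {}).get("adDistinguishedName") or ""

def find_manager_drift(identities, ad_accounts):
    """Return (identity id, reason) for identities whose AD manager is not in sync."""
    by_dn = {normalize_dn(a["distinguishedName"]): a for a in ad_accounts}
    findings = []
    for ident_id, ident in sorted(identities.items()):
        if not ident.get("adDistinguishedName"):
            continue  # identity has no AD account to check
        account = by_dn.get(normalize_dn(ident["adDistinguishedName"]))
        expected = manager_ad_dn(ident, identities)
        if account is None:
            findings.append((ident_id, "no AD account at adDistinguishedName"))
        elif ident.get("manager") and not expected:
            findings.append((ident_id, "manager has no AD DN"))
        elif normalize_dn(expected) != normalize_dn(account.get("manager", "")):
            findings.append((ident_id, "AD manager differs"))
    return findings

# Constructed sample data, keyed by employee id (the CSV's MANAGER_ID values).
BASE = "OU=Staff,DC=example,DC=test"
IDENTITIES = {
    "1001": {"manager": None, "adDistinguishedName": f"CN=Ana Ruiz,{BASE}"},
    "1002": {"manager": "1001", "adDistinguishedName": f"CN=Ben Cho,{BASE}"},
    "1003": {"manager": "1002", "adDistinguishedName": f"CN=Cy Dole,{BASE}"},
    "1004": {"manager": "1005", "adDistinguishedName": f"CN=Di Eko,{BASE}"},
    "1005": {"manager": "1001", "adDistinguishedName": None},  # no AD account
}
AD_ACCOUNTS = [
    {"distinguishedName": f"CN=Ana Ruiz,{BASE}", "manager": ""},
    # Same DN as Ana's, different case and spacing: counts as in sync.
    {"distinguishedName": f"CN=Ben Cho,{BASE}", "manager": f"cn=ana ruiz, {BASE}"},
    # Stale value: the identity's manager is now 1002 (Ben Cho).
    {"distinguishedName": f"CN=Cy Dole,{BASE}", "manager": f"CN=Ana Ruiz,{BASE}"},
    {"distinguishedName": f"CN=Di Eko,{BASE}", "manager": ""},
]

if __name__ == "__main__":
    for ident_id, reason in find_manager_drift(IDENTITIES, AD_ACCOUNTS):
        print(ident_id, reason)
```
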

Thanks Kevin!!

I wasn’t able to get your transform to work. I used the below logic based off of your transform.

{
    "id": "ff5970cc-d5a5-4da4-848c-cb6be4ccb62f",
    "name": "Get Manager AD DN",
    "type": "static",
    "attributes": {
        "requiresPeriodicRefresh": "true",
        "managerDN": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "value": "$identity.manager.attributes.adDistinguishedName"
                        },
                        "type": "static"
                    },
                    {
                        "attributes": {
                            "value": "Empty"
                        },
                        "type": "static"
                    }
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($managerDN != 'Empty')$managerDN#end"
    },
    "internal": false
}

The documentation doesn’t seem to clarify that it only handles the source system that I saw. I really appreciate the help.

Configuring Manager Correlation - SailPoint Identity Services
