Nested Query on Managers

Is it possible to query identities who have managers in an ‘inactive’ Lifecycle State?

If so, can you conduct this query through the Search UI and API, and what would the query look like?

Hi Blaise,

It would probably be easiest to run two search queries in a script. The first query would get the list of inactive managers, and the second query would get the employees of each inactive manager. You can use the search API in a script to automate this. To get the list of inactive managers, use this body:

{
    "indices": [
        "identities"
    ],
    "query": {
        "query": "isManager:true AND inactive:true"
    }
}

Then, construct one big query with all the inactive managers, or loop over each manager to get the identities. For example:

{
    "indices": [
        "identities"
    ],
    "query": {
        "query": "manager.id:<managerId>"
    }
}
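The two-query approach from the reply above, as an added Python example that is not part of the original post or SailPoint's own code. `search` is a hypothetical callable standing in for a paginated search API call; the alphanumeric id check, the batch size and the `manager` object on each hit are assumptions, and the sample data is constructed.

```python
import re

# Assumption: identity ids are plain alphanumeric tokens. Anything else is
# rejected so an id can never alter the query string it is interpolated into.
ID_RE = re.compile(r"[A-Za-z0-9]+")

INACTIVE_MANAGERS = {
    "indices": ["identities"],
    "query": {"query": "isManager:true AND inactive:true"},
}

def reports_body(manager_ids):
    """Build one search body matching the reports of any of the given managers."""
    for mid in manager_ids:
        if not ID_RE.fullmatch(mid):
            raise ValueError(f"unexpected manager id: {mid!r}")
    clause = " OR ".join(f"manager.id:{mid}" for mid in manager_ids)
    return {"indices": ["identities"], "query": {"query": clause}}

def reports_of_inactive_managers(search, batch_size=25):
    """Return {manager id: [report ids]} for every inactive manager.

    `search` (hypothetical) sends a body to the search API and returns all hits as dicts.
    """
    manager_ids = sorted({m["id"] for m in search(INACTIVE_MANAGERS)})
    result = {mid: [] for mid in manager_ids}
    for i in range(0, len(manager_ids), batch_size):
        batch = manager_ids[i:i + batch_size]
        for identity in search(reports_body(batch)):
            # Assumption: each hit carries its manager as {"id": ...}.
            mid = (identity.get("manager") or {}).get("id")
            if mid in result:
                result[mid].append(identity["id"])
    return result

# Constructed sample data standing in for a tenant, so the example runs offline.
SAMPLE = [
    {"id": "m1", "isManager": True, "inactive": True, "manager": None},
    {"id": "m2", "isManager": True, "inactive": False, "manager": None},
    {"id": "e1", "manager": {"id": "m1"}},
    {"id": "e2", "manager": {"id": "m2"}},
    {"id": "e3", "manager": {"id": "m1"}},
]

def fake_search(body):
    """Minimal stand-in that understands only the two query shapes above."""
    q = body["query"]["query"]
    if q == INACTIVE_MANAGERS["query"]["query"]:
        return [d for d in SAMPLE if d.get("isManager") and d.get("inactive")]
    wanted = {t.split(":", 1)[1] for t in q.split(" OR ")}
    return [d for d in SAMPLE if (d.get("manager") or {}).get("id") in wanted]
```

Calling `reports_of_inactive_managers(fake_search)` on the sample data returns the reports grouped under the one inactive manager; batching keeps each query string bounded when there are many inactive managers.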

Thanks @colin_mckibben, I thought about this as well and it was going to be my fall back plan if no one replied to the thread.

I was hoping to learn a bit more about Elasticsearch and its implementation in IdentityNow.

To confirm, is this request just not possible in IdentityNow or too difficult to solution to the point the script is the easier approach?

Note, the intention would be to ultimately turn this into a policy for HR so that we can help them keep their data clean.

Admittedly, I don’t have enough experience in Elasticsearch to determine if this is possible or not with a single query.

No worries @colin_mckibben, thanks for the reply. Hopefully some other IDN developers can shed some light.

You can have an identity attribute on each identity which shows the LCS of the manager, and then use that attribute directly in search to find those identities.

Use this to build that transform: IdentityNow Transforms - Get Reference Identity Attribute - Compass

Thank you for the idea @chirag_patel! It would definitely be a simple solution that would support policies.

It is unfortunate that IdentityNow does not appear to support nested queries. Would love to get some further insight from the development team at SailPoint to determine if this is a product limitation or just a lack of documentation.

Making a new Identity Profile attribute any time we want to do a search on a different manager attribute does not seem very efficient. :frowning:

Hey Blaise, we would love to hear this feedback on our ideas portal, which is monitored by our product team.

@colin_mckibben, I have no issues submitting this to the idea portal, but do we know for certain if this is a limitation in IdentityNow or just a knowledge gap in everyone’s understanding? Or do I submit an idea for the development team to tell me if this can already be done or not?

FYI I would use the updated docs on this transform operation here: IdentityNow Transforms - Get Reference Identity Attribute.

Thanks @jordan_violet, I suppose this tip is for pursuing @chirag_patel's recommended solution?

I don’t believe you can reference transforms within searches?

I will let Colin or Chirag answer for posterity and making sure you get the most accurate answer. I just saw the docs link Chirag posted was out of date and wanted to make sure you at least had the latest one :stuck_out_tongue:

Ah, thank you for the heads up. It helped as I had no idea the documents on Compass were moved to the developer site and not being maintained anymore.

If that is the case then you might want to add a disclaimer at the top of the relevant articles in Compass.

We’re slowly working on that one!