Retrieve a manager's attribute data from another Source

Markharoll · May 2, 2025, 4:08pm

Dear Community,

in our tenants we have integrated a Tiered Active Directory structure based on 3 different Sources. Each source manages a different OU for users, for example the Tier 0 manages “OU=Tier 0,OU=Admin,OU=TestOU,DC=CABK” while Tier 2 manages “OU=Employees,OU=Users,OU=CA,OU=Customer Objects,OU=TestOU,DC=CABK”.

One requirement that we have to implement for our customer is the following:

create an account on Tier 2 for all users (we got this)
the user can request Entitlements of Tier 0 or Tier 1 on the Request Center, (we got this)
when the request is approved we create an account on the specific Tier (we got this)
The account on Tier 0 (similarly for Tier 1) must have the “managerDN” attribute populated retrieved from the manager’s account on the Tier 2 source. Here is where we have troubles.

The “managerDN” for the Tier 0 account must be retrieved from the user’s manager account on Tier 2. The user’s manager is registered on the Tier 2 source and not necessarily on the Tier 0 (similarly on Tier 1).
Please recall that each Tier is on a different OU and implemented on different sources.

Restrictions:

We cannot join all tiers on the same source for security reasons.
We cannot create a manager account on the Tier 0 or Tier 1 automatically just to retrieve its DN. The only DN we need is from the Tier 2 source.
We know that there is a built-in Transform to retrieve a user’s managerDN but this only works within the accounts of the same Source so it cannot be applied to our case.

Questions:

How would it be possible to retrieve a user’s manager attribute (in this scenario the managerDN) from a user’s manager account on a different Source?
In general, how would it be possible to retrieve any user’s manager attribute from a user’s manager account on a different Source?

David_Norris · May 2, 2025, 7:29pm

In the Identity object, have an attribute called “DN reference” (or however you want to name it). Purpose of this attribute is to store the DN as an identity attribute value, for reportee’s identity to reference.

For this attribute, write the transform to determine which tier’s DN to be used as the value of this attribute. (Tier’s DN from the tier 0-2 accounts of each identity)

From the reportee’s identity perspective, the manager’s DN is simply the manger’s identity’s DN reference attribute’s value.

i.e. You’re using the identity layer as your data bridge from one source to another.

Markharoll · May 4, 2025, 11:29am

Hi Terry,

I understood that I would need to create an Identity Attribute for the ManagerDN and populate it via Identity Profile and a Transform.

However, how would the Transform be implemented to retrieve the DN of the manager of a user on the specific “AD T2” source?

dheerajk27 · May 4, 2025, 8:10pm

1. Confirm Manager’s Distinguished Name Is Populated

First, check that the distinguishedName attribute from AD T2 is:

Aggregated into the identity cube.
Appears on the manager’s account.
Part of the account schema for AD T2.

2. Create the Transform

Here’s an example transform definition using getManagerAttribute:

json

{
  "name": "ManagerDN_Transform",
  "type": "getManagerAttribute",
  "attributes": {
    "attributeName": "distinguishedName"
  }
}

This will retrieve the distinguishedName attribute from the identity object of the manager (not directly from the AD account), assuming it’s populated from AD T2 during aggregation.

3. Map to an Identity Attribute in the Identity Profile

Go to Admin Console > Identity Profiles
Edit your profile (e.g., Default Identity Profile)
Under Mappings, add a new entry:

Attribute Name: managerDN (or whatever you want to call it)
Source: Use the Transform you just created (ManagerDN_Transform)

Save the profile and trigger an Identity Refresh

Markharoll · May 6, 2025, 9:00am

Thank you, I created 2 Identity Attributes (namely adTier2Dn and managerAdTier2Dn) and the transform below:

{
    "name": "Transform - Find Manager AD Tier2 DN",
        "type": "firstValid",
        "attributes": {
            "values": [
                {
                    "type": "rule",
                    "attributes": {
                        "name": "Cloud Services Deployment Utility",
                        "operation": "getReferenceIdentityAttribute",
                        "uid": "manager",
                        "attributeName": "adTier2Dn"
                    }
                },
                "No manager DN found!"
            ]
        },
        "internal": false
    },

This works for all Identity profiles.
Thank you again

dheerajk27 · May 7, 2025, 1:47am

Thanks for the feedback.

system · July 6, 2025, 1:47am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[IdentityNow] Manager DN Transform for AD Create Policy ISC Discussion and Questions transforms , identity-security-cloud , provisioning	15	1703	September 10, 2023
Get manager Name from ManagerID attrbute ISC Discussion and Questions transforms , identity-security-cloud , provisioning	4	254	July 29, 2024
Get manager DN from an Identity in an Update Policy ISC Discussion and Questions transforms , identity-security-cloud	6	275	October 18, 2024
MANAGER Display when ACTIVE DIRECTORY is AUTH source ISC Discussion and Questions identity-security-cloud , provisioning , identity-profiles	12	202	July 16, 2024
Having issue with the manager dn transform that fetch AD DN of user's manager ISC Discussion and Questions identity-security-cloud	16	123	May 10, 2025

Retrieve a manager's attribute data from another Source

1. Confirm Manager’s Distinguished Name Is Populated

2. Create the Transform

3. Map to an Identity Attribute in the Identity Profile

Related topics