Retrieve a manager's attribute data from another Source

Dear Community,

In our tenants we have integrated a tiered Active Directory structure based on 3 different Sources. Each source manages a different OU for users; for example, Tier 0 manages “OU=Tier 0,OU=Admin,OU=TestOU,DC=CABK” while Tier 2 manages “OU=Employees,OU=Users,OU=CA,OU=Customer Objects,OU=TestOU,DC=CABK”.

One requirement that we have to implement for our customer is the following:

  • create an account on Tier 2 for all users (we got this)
  • the user can request Entitlements of Tier 0 or Tier 1 on the Request Center, (we got this)
  • when the request is approved we create an account on the specific Tier (we got this)
  • The account on Tier 0 (similarly for Tier 1) must have the “managerDN” attribute populated with the value retrieved from the manager’s account on the Tier 2 source. This is where we have trouble.

The “managerDN” for the Tier 0 account must be retrieved from the user’s manager account on Tier 2. The user’s manager is registered on the Tier 2 source and not necessarily on the Tier 0 (similarly on Tier 1).
Please recall that each Tier is on a different OU and implemented on different sources.

Restrictions:

  • We cannot join all tiers on the same source for security reasons.
  • We cannot create a manager account on the Tier 0 or Tier 1 automatically just to retrieve its DN. The only DN we need is from the Tier 2 source.
  • We know that there is a built-in Transform to retrieve a user’s managerDN but this only works within the accounts of the same Source so it cannot be applied to our case.

Questions:

  1. How would it be possible to retrieve a user’s manager attribute (in this scenario the managerDN) from a user’s manager account on a different Source?
  2. In general, how would it be possible to retrieve any user’s manager attribute from a user’s manager account on a different Source?

In the Identity object, have an attribute called “DN reference” (or however you want to name it). Purpose of this attribute is to store the DN as an identity attribute value, for reportee’s identity to reference.

For this attribute, write the transform to determine which tier’s DN to be used as the value of this attribute. (Tier’s DN from the tier 0-2 accounts of each identity)

From the reportee’s identity perspective, the manager’s DN is simply the value of the manager’s identity’s DN reference attribute.

i.e. You’re using the identity layer as your data bridge from one source to another.
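Spelled out as transform definitions, the identity-layer bridge described above looks like the following pair. This is an added illustration, not a transform posted in this thread: the source name "AD T2", the identity attribute names adTier2Dn and managerAdTier2Dn, and the transform names are assumptions chosen to match the thread. The first transform is mapped to the adTier2Dn identity attribute and copies the distinguishedName of the identity's account on the Tier 2 source; the second is mapped to managerAdTier2Dn and follows the manager reference to read that attribute from the manager's identity, so the manager never needs an account on Tier 0 or Tier 1. Each object is created separately (for example with one POST to /v3/transforms per object); they are shown here in one array only so the two halves can be read together.

```json
[
  {
    "name": "Transform - AD Tier2 DN",
    "type": "accountAttribute",
    "attributes": {
      "sourceName": "AD T2",
      "attributeName": "distinguishedName"
    }
  },
  {
    "name": "Transform - Find Manager AD Tier2 DN",
    "type": "firstValid",
    "attributes": {
      "values": [
        {
          "type": "rule",
          "attributes": {
            "name": "Cloud Services Deployment Utility",
            "operation": "getReferenceIdentityAttribute",
            "uid": "manager",
            "attributeName": "adTier2Dn"
          }
        },
        "No manager DN found!"
      ]
    }
  }
]
```

Two checks worth doing before relying on the result: the manager identity attribute must already be resolved on the reportee's identity (otherwise the rule has no reference to follow and the firstValid fallback string is returned), and the adTier2Dn attribute must be refreshed on the manager's identity before the reportee's managerAdTier2Dn is calculated, which a full identity refresh after saving both mappings takes care of. The fallback string is deliberately a value that is not a valid DN, so a provisioning plan that writes it into managerDN fails visibly instead of silently pointing the Tier 0 account at a wrong manager.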

Hi Terry,

I understood that I would need to create an Identity Attribute for the ManagerDN and populate it via Identity Profile and a Transform.

However, how would the Transform be implemented to retrieve the DN of the manager of a user on the specific “AD T2” source?

1. Confirm Manager’s Distinguished Name Is Populated

First, check that the distinguishedName attribute from AD T2:

  • Is aggregated into the identity cube.
  • Appears on the manager’s account.
  • Is part of the account schema for AD T2.

2. Create the Transform

Here’s an example transform definition using getManagerAttribute:

```json
{
  "name": "ManagerDN_Transform",
  "type": "getManagerAttribute",
  "attributes": {
    "attributeName": "distinguishedName"
  }
}
```

This will retrieve the distinguishedName attribute from the identity object of the manager (not directly from the AD account), assuming it’s populated from AD T2 during aggregation.


3. Map to an Identity Attribute in the Identity Profile

  1. Go to Admin Console > Identity Profiles
  2. Edit your profile (e.g., Default Identity Profile)
  3. Under Mappings, add a new entry:
     • Attribute Name: managerDN (or whatever you want to call it)
     • Source: Use the Transform you just created (ManagerDN_Transform)
  4. Save the profile and trigger an Identity Refresh

Thank you, I created 2 Identity Attributes (namely adTier2Dn and managerAdTier2Dn) and the transform below:

```json
{
  "name": "Transform - Find Manager AD Tier2 DN",
  "type": "firstValid",
  "attributes": {
    "values": [
      {
        "type": "rule",
        "attributes": {
          "name": "Cloud Services Deployment Utility",
          "operation": "getReferenceIdentityAttribute",
          "uid": "manager",
          "attributeName": "adTier2Dn"
        }
      },
      "No manager DN found!"
    ]
  },
  "internal": false
}
```

This works for all Identity profiles.
Thank you again

Thanks for the feedback.