Some identities not linking with manager in IDN

jeev1 · December 6, 2024, 3:30am

Hi developers,

I’m facing issue with some identities are not getting updated of manager. The environment is IDN

Source is SAP (authoritative) and Supervisor is the account attribute that holds the supervisor employee number.

I have set the manager correlation as Employee Number equals to Supervisor under SAP source.

In identity profile, I have set the manager name as Supervisor and attached transform to fetch the latest created account’s Supervisor value.

This transform has been set because some identities are having more than one SAP accounts and we only require to get latest Supervisor/manager value.

I have tried removing and reaggregating the SAP accounts, process identity for specific users and also all users under identity profile. Still those accounts were failed to link with the manager’s identity.

Why this is happening and what are the other steps I can do to solve troubleshoot and solve this issue?

JackSparrow · December 6, 2024, 2:11pm

Hi @jeev1 ,

Is the issue with specific identities or all the identities from SAP source?

margocbain · December 6, 2024, 2:23pm

HI Sanjeevan,
Since you have multiple accounts on your authoritative source for some users, to select which account to use the manager for you will need to use a Manager Correlation Rule (Manager Correlation Rule | SailPoint Developer Community). This rule will need to be developed, then submitted in a support ticket to be reviewed by SailPoint, who will upload it to your tenant.

For users who only have 1 SAP account, the default manager correlation should work. Check that the Employee Number identity attribute and the Supervisor from SAP match exactly - if a leading zero has been removed, this can cause the correlation to fail.

Thanks,
Margo

vasanthrajsp29 · December 6, 2024, 2:53pm

Hi Sanjeev,

Have you tried full aggregation from Postman? Rather than aggregating from UI.

Regards,
Vasanth

jeev1 · December 7, 2024, 8:27am

Hi @JackSparrow

The issue is with specific identities.

jeev1 · December 7, 2024, 9:35am

Hi @margocbain @JackSparrow

Thank you for the prompt responses.

I noticed few identities with multiple SAP accounts having manger correctly. Due to sensitive information, I didn’t reveal the names of the identity.

User A:

Previously, User A’s manager was missing. To resolve this, I removed the SAP account containing the Supervisor value and performed a full aggregation. Following the aggregation, the identity manager was updated based on the latest record.

For users with multiple SAP accounts, only the most recent account typically has the Supervisor field populated. I applied the same approach for User B and manually processed the identity; however, it did not work as expected.

This method has worked successfully for many identities, but a few cases, such as User B, remain unresolved. Upon checking, the Supervisor values for both User A and User B are the same. The attached screenshot shows that identities with multiple SAP accounts have managers assigned, except for the second record (User B).

Below is the identity profile and correlation configuration for manager:

The attached transform with manager:

The preview for User B. The Preview value is displaying correctly:

The manager correlation configuration in SAP source:

The Employee Number identity attribute also attached with transform to fetch the value from the latest SAP account.

In this case, is it still required to update manager correlation rule?

If possible, could you kindly provide the rule to refer to the latest created SAP account in SailPoint? I am new to creating rules and would appreciate your guidance.

jeev1 · December 7, 2024, 9:44am

Hi @vasanthrajsp29,

I haven’t attempted executing a full aggregation from Postman; however, I have successfully performed a full aggregation through the UI.

I am unable to run a full aggregation with optimization disabled because many identities have multiple SAP accounts, and their identity attributes are configured with transformations to reference the most recently created account. As I understand, disabling optimization would recreate all accounts, which could potentially disrupt the ‘created’ field in SailPoint.

vasanthrajsp29 · December 7, 2024, 3:40pm

Hi @jeev1,

Thanks for the response. I think better approach would be go for Manager correlation rule.

Regards,
Vasanth

system · February 5, 2025, 3:41pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.