Transform to get a manager's UPN

Hi, how do I write a transform to get the upn identity attribute of the user's manager?
We use the manager's email in the lookup, which we get by using split and replace operations on the assigned identity attribute, which is the manager field.
This is the transform that we use:

{
    "id": "005589c0-9d07-48a8-ba90-e2fcbea141b4",
    "name": "NERM Format Manager Identity Attribute",
    "type": "replace",
    "attributes": {
        "regex": "\\)",
        "replacement": "",
        "input": {
            "attributes": {
                "delimiter": " \\(",
                "index": 1,
                "input": {
                    "type": "rule",
                    "attributes": {
                        "name": "Cloud Services Deployment Utility",
                        "operation": "getReferenceIdentityAttribute",
                        "uid": "manager",
                        "attributeName": "upn"
                    }
                }
            },
            "type": "split"
        }
    },
    "internal": false
}

It just returns empty.
The manager is definitely on IdentityNow and the email that we are passing through is definitely valid.

I think your transform is a bit too long - try this

{
  "attributes": {
    "name": "Cloud Services Deployment Utility",
    "operation": "getReferenceIdentityAttribute",
    "uid": "manager",
    "attributeName": "upn"
  },
  "type": "rule",
  "name": "Get Manager UPN"
}

We get the manager as managername and email like:
“John Doe ([email protected])”
We use the replace and split transforms to extract the manager's email address to be used in the rule. Once those have been run we then call the getReferenceIdentityAttribute transform.

@Yaseenl with the simple transform provided:

{
    "type": "rule",
    "attributes": {
        "name": "Cloud Services Deployment Utility",
        "operation": "getReferenceIdentityAttribute",
        "uid": "manager",
        "attributeName": "upn"
    }
}

Can you confirm if that works?

It does not work. Again the way the manager field is formatted is probably affecting this.

Hi @Yaseenl,

Have you configured the manager correlation in your auth source? If not, take a look at the below documentation.

Once the correlation is set up, you should be able to reference the user’s manager attributes.

Try this

{
    "id": "005589c0-9d07-48a8-ba90-e2fcbea141b4",
    "name": "NERM Format Manager Identity Attribute",
    "type": "replace",
    "attributes": {
        "regex": "\\)",
        "replacement": "",
        "input": {
            "attributes": {
                "delimiter": " \\(",
                "index": 1,
                "input": {
                    "type": "rule",
                    "attributes": {
                        "name": "Cloud Services Deployment Utility",
                        "operation": "getReferenceIdentityAttribute",
                        "uid": "manager",
                        "attributeName": "email"
                    }
                }
            },
            "type": "split"
        }
    },
    "internal": false
}

In addition, you can also achieve that with the following IdentityAttribute rule:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="Example Rule" type="IdentityAttribute">
  <Description>Describe your rule here.</Description>
  <Source><![CDATA[

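import sailpoint.object.*;

// Guard against a missing identity before dereferencing it.
if (identity != null) {
    Identity manager = identity.getManager();

    // Return the manager's upn only when a manager is resolved and the attribute is populated.
    if (manager != null && manager.getAttribute("upn") != null && !manager.getAttribute("upn").isEmpty()) {
        return manager.getAttribute("upn");
    }
    else {
        return "";
    }
}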

  ]]></Source>
</Rule>

Hi @baoussounda , sorry for hijacking the thread, but when can the identity be null in an IdentityAttribute rule?

if (identity != null) {
	...
}

Hi @adamian ,

In programming, especially when dealing with nested objects, it’s always a good practice to check for null values, even if the documentation or the system (like SailPoint) suggests that an identity cannot be null.

The client is not willing to pay for a cloud executed rule.

nope that does not work

Okay, what do you mean by pay?

You can test the transform suggested by others above.

We are specifically avoiding using manager correlation as it could affect other manager fields.

You have to pay expert services to get cloud executed rules deployed if I am not mistaken.

Yeah, for deployment I think also. You must create a support ticket to submit your rule for deployment.

It’s better to ask your PS.

Hi @Yaseenl

This transform reads the email identity attribute of the manager, then splits on " (", takes the 2nd item, and removes “)”.

If you are reading the upn identity attribute of the manager, then change the attributeName to upn and try again.

This is doable with a transform; no need for any rule.

@Yaseenl Do you have an example of the identity manager object format?

I also do not understand why you want to replace " (" and “)”.

SailPoint will deal with the manager object whatever its format, and in your case you only want to get the identity attribute upn from the manager.

@MVKR7T “This Transform reads email identity attribute of manager and then split with " (", take 2nd item, remove “)””: in the email attribute, " (" and “)” cannot be present, I think.

So on the identity profile the mapping for the manager identity attribute is a field on the source that returns the manager as: “John Doe ([email protected])”
We try to extract this email from the string using a split and replace operation to be used for the getReferenceIdentity which cannot use the field as is.

Hi @Yaseenl,

Did you mean to say that you do not have the manager correlation defined?

If that is the case, I don’t think the getReferenceIdentityAttribute transform works by defining the attribute as "uid": "manager"

The uid attribute expects the manager’s uid value to be passed.
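
Added example, not part of any post in this thread and not SailPoint code: a simplified Python model of nested-transform evaluation, showing that in the transform as first posted the split and replace run on the result of the getReferenceIdentityAttribute lookup, not on the "John Doe (email)" manager string. The identity data, the helper names (`evaluate`, `wrap`, `demo`) and the empty-string result on a failed lookup or out-of-range index are assumptions.

```python
import re

# Constructed sample data (not from the thread): identities keyed by uid.
IDENTITIES = {
    "jdoe": {"upn": "jdoe@corp.example", "manager_uid": None},
    "asmith": {"upn": "asmith@corp.example", "manager_uid": None,
               "manager_raw": "John Doe (jdoe@corp.example)"},
}

def evaluate(node, identity):
    """Evaluate a transform tree inner-first: a nested "input" runs before its parent."""
    if isinstance(node, str):          # literal string used as input
        return node
    attrs = node["attributes"]
    kind = node["type"]
    if kind == "rule" and attrs["operation"] == "getReferenceIdentityAttribute":
        uid = attrs["uid"]
        if uid == "manager":           # keyword: needs a correlated manager (per the thread)
            uid = identity.get("manager_uid")
        ref = IDENTITIES.get(uid)
        return ref.get(attrs["attributeName"], "") if ref else ""  # assumed: empty on miss
    value = evaluate(attrs["input"], identity)
    if kind == "split":
        parts = re.split(attrs["delimiter"], value)
        i = attrs["index"]
        return parts[i] if i < len(parts) else ""  # assumed: empty when index is out of range
    if kind == "replace":
        return re.sub(attrs["regex"], attrs["replacement"], value)
    raise ValueError("unsupported transform type: " + kind)

LOOKUP = {"type": "rule", "attributes": {
    "name": "Cloud Services Deployment Utility",
    "operation": "getReferenceIdentityAttribute",
    "uid": "manager", "attributeName": "upn"}}

def wrap(inner):
    """The split + replace wrapper from the thread, applied to `inner`."""
    split = {"type": "split", "attributes": {"delimiter": " \\(", "index": 1, "input": inner}}
    return {"type": "replace", "attributes": {"regex": "\\)", "replacement": "", "input": split}}

def demo():
    user = IDENTITIES["asmith"]
    posted = evaluate(wrap(LOOKUP), user)               # lookup first, string ops on its result
    parsed = evaluate(wrap(user["manager_raw"]), user)  # string ops on the raw manager field
    correlated = evaluate(LOOKUP, dict(user, manager_uid="jdoe"))  # manager correlation in place
    return posted, parsed, correlated
```

In this model `demo()` returns an empty string for the transform as posted, the extracted email when the same split and replace are applied to the raw manager string, and the manager's upn once the manager reference resolves.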