[midPoint] field manager in AD

Chris Woods chris at cmwoods.com
Wed May 6 12:27:43 CEST 2020


Hi Anton, Ivan,

we have a similar scenario with ServiceNow. The "Manager" field in 
ServiceNow is the UUID of an existing ServiceNow User (in the AD the 
manager field is the DN of an existing user).

This is our outbound mapping for the manager field in ServiceNow:

<attribute id="103">
    <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:manager</c:ref>
    <tolerant>false</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <outbound>
        <name>ServiceNow Manager Outbound Mapping</name>
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <source>
            <c:path>$focus/extension/rsManager1stLevel</c:path>
        </source>
        <expression>
            <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                    xsi:type="c:ScriptExpressionEvaluatorType">
                <code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

// Get Manager object and then obtain their servicenow dev account uid
UserType manager = midpoint.searchObjectByName(UserType.class, rsManager1stLevel);
return midpoint.getLinkedShadow(manager, "rs-resource-servicenow-dev", true)?.getPrimaryIdentifierValue();
                </code>
            </script>
        </expression>
    </outbound>
</attribute>

In this case we are using an extended attribute, rsManager1stLevel. This
is, however, only a workaround until our org tree is complete. Then you
can use midpoint.getManagers(UserType usertype); this will return
UserType objects, so the additional search will be unnecessary. usertype
would be the focus object. You would then have to select which manager
you want to use (midpoint.getManagers returns a collection of UserType
objects, as a user may be assigned to multiple organisations with a
manager).

The interesting line is the return line as this would get you the DN 
from your AD resource (in the same way we get the UUID of the ServiceNow 
user).

Regards,
Chris

On 2020-05-06 11:29, Ivan Noris wrote:
> Hi,
> 
> if I understand correctly, you would like to import the information
> about user's manager from AD.
> 
> You are right there is no attribute for this in midPoint. This is by
> design as the organization structure defines, who is the manager.
> 
> Example:
> 
> User "employee1" in midPoint is in organization Top -> Sales Division
> -> Sales Team 1
> 
> In organization Sales Team 1 there is another user "manager1" assigned
> to Sales Team 1 as manager (this is a relation of the assignment).
> 
> That makes user "manager1" manager of "employee1". It can be used for:
> 
> 
> - displaying in the org. structure
> 
> - delegated administration: the manager can do something with his/her
> subordinate employees
> 
> - approvals: the manager can approve requests of his/her subordinate
> employees
> 
> There is no default attribute in UserType that would contain the
> information "who is my manager". It is always computed by midPoint and
> you can use methods in midpoint scripting library, e.g.
> 
> https://www.evolveum.com/downloads/midpoint/4.1/midpoint-api-4.1-javadoc/com/evolveum/midpoint/model/api/expr/MidpointFunctions.html#getManagersOidsExceptUser(com.evolveum.midpoint.xml.ns._public.common.common_3.UserType)
> 
> 
> If you don't want to use it, you can define an extension attribute and
> populate the manager from AD there. But then you would lose the
> default functionality for deriving the managers from organizational
> structure as described above.
> 
> Best regards,
> 
> Ivan
> On 6. 5. 2020 11:14, Щенев Антон Вячеславович
> wrote:
> 
>> Hi,
>> 
>> The user in the AD has a field for its leader (manager). In midPoint,
>> such a field was not found in Users. Of course, you can use any of
>> the unoccupied, but as provided by the system?
>> 
>> Best regards,
>> 
>> Щенев Антон Вячеславович
>> 
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
> 
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com

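The getManagers variant described in the message above, as an added example that is not part of the original post or the poster's configuration: a script body for the same outbound mapping. It assumes the standard `focus` variable of outbound mappings and reuses the resource string from the mapping above; the lowest-OID tie-break is a placeholder selection policy, not something the thread prescribes.

```groovy
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

// Assumption: same resource reference string the mapping above passes to getLinkedShadow().
final String RESOURCE = "rs-resource-servicenow-dev"

// Managers are computed from the org structure, so no extension attribute
// and no searchObjectByName() lookup is needed.
Collection<UserType> managers = midpoint.getManagers(focus)

// A user who manages their own org unit may appear in the result;
// drop them so nobody is provisioned as their own manager.
List<UserType> candidates = (managers ?: []).findAll { it.getOid() != focus.getOid() }

if (candidates.isEmpty()) {
    // No manager derivable from the org tree: return null rather than
    // a stale or guessed value.
    return null
}

// A user can belong to several orgs, each with a manager. Pick one
// deterministically so repeated recomputes do not flip the target value.
// Placeholder policy (assumption): lowest OID wins. Replace with your own rule.
UserType manager = candidates.sort(false) { it.getOid() }.first()

// Resolve the manager's account on the target resource (repository shadow only).
def shadow = midpoint.getLinkedShadow(manager, RESOURCE, true)

// The manager may not have an account on this resource yet; '?.' yields null then.
return shadow?.getPrimaryIdentifierValue()
```

When the script returns null, review what `<tolerant>false</tolerant>` and the mapping strength do to an existing manager value on the target before rolling this out.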