[midPoint] field manager in AD

Ivan Noris ivan.noris at evolveum.com
Wed May 6 13:21:54 CEST 2020


Hi Chris,

I understood that the original poster was asking about inbound mapping.
Which may or may not be true.

But the trick for outbound you are using is also nice. I remember using
something similar to populate AD's (or eDirectory's?) "managerDn"
attribute. I think I was actually having the manager relation in
midPoint already, but the midpoint.getLinkedShadow method was used for sure.

Best regards,

Ivan

On 6. 5. 2020 12:27, Chris Woods wrote:
> Hi Anton, Ivan,
>
> we have a similar scenario with ServiceNow. The "Manager" field in
> ServiceNow is the UUID of an existing ServiceNow User (in the AD the
> manager field is the DN of an existing user).
>
> This is our outbound mapping for the manager field in ServiceNow:
>
> <attribute id="103">
>     <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:manager</c:ref>
>     <tolerant>false</tolerant>
>     <exclusiveStrong>false</exclusiveStrong>
>     <outbound>
>         <name>ServiceNow Manager Outbound Mapping</name>
>         <authoritative>true</authoritative>
>         <exclusive>false</exclusive>
>         <strength>normal</strength>
>         <source>
>             <c:path>$focus/extension/rsManager1stLevel</c:path>
>         </source>
>         <expression>
>             <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>                     xsi:type="c:ScriptExpressionEvaluatorType">
>                 <code>
>                     import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
>
>                     // rsManager1stLevel holds the manager's midPoint user name:
>                     // look the manager up, then return the identifier of their
>                     // account on the ServiceNow dev resource.
>                     UserType manager = midpoint.searchObjectByName(UserType.class, rsManager1stLevel)
>                     if (manager == null) {
>                         return null   // no such user: leave the attribute empty instead of failing
>                     }
>                     return midpoint.getLinkedShadow(manager, "rs-resource-servicenow-dev", true)?.getPrimaryIdentifierValue()
>                 </code>
>             </script>
>         </expression>
>     </outbound>
> </attribute>
>
> In this case we are using an extended attribute rsManager1stLevel.
> This is, however, only a workaround until our org tree is complete.
> Then you can use midpoint.getManagers(UserType usertype); this will
> return you UserType objects, so the additional search will be
> unnecessary. usertype would be the focus object. You would then have
> to select which manager you want to use (midpoint.getManagers returns
> a collection of UserType objects, as a user may be assigned to multiple
> organisations with a manager).
>
> The interesting line is the return line as this would get you the DN
> from your AD resource (in the same way we get the UUID of the
> ServiceNow user).
>
> Regards,
> Chris
>
> On 2020-05-06 11:29, Ivan Noris wrote:
>> Hi,
>>
>> if I understand correctly, you would like to import the information
>> about user's manager from AD.
>>
>> You are right there is no attribute for this in midPoint. This is by
>> design as the organization structure defines, who is the manager.
>>
>> Example:
>>
>> User "employee1" in midPoint is in organization Top -> Sales Division
>> -> Sales Team 1
>>
>> In organization Sales Team 1 there is another user "manager1" assigned
>> to Sales Team 1 as manager (this is a relation of the assignment).
>>
>> That makes user "manager1" manager of "employee1". It can be used for:
>>
>>
>> - displaying in the org. structure
>>
>> - delegated administration: the manager can do something with his/her
>> subordinate employees
>>
>> - approvals: the manager can approve requests of his/her subordinate
>> employees
>>
>> There is no default attribute in UserType that would contain the
>> information "who is my manager". It is always computed by midPoint and
>> you can use methods in midpoint scripting library, e.g.
>>
>> https://www.evolveum.com/downloads/midpoint/4.1/midpoint-api-4.1-javadoc/com/evolveum/midpoint/model/api/expr/MidpointFunctions.html#getManagersOidsExceptUser(com.evolveum.midpoint.xml.ns._public.common.common_3.UserType)
>>
>>
>>
>> If you don't want to use it, you can define an extension attribute and
>> populate the manager from AD there. But then you would lose the
>> default functionality for deriving the managers from organizational
>> structure as described above.
>>
>> Best regards,
>>
>> Ivan
>> On 6. 5. 2020 11:14, Щенев Антон Вячеславович
>> wrote:
>>
>>> Hi,
>>>
>>> The user in AD has a field for its leader (manager). In midPoint,
>>> no such field was found in Users. Of course, one can use any of
>>> the unoccupied ones, but is there one provided by the system?
>>>
>>> Best regards,
>>>
>>> Щенев Антон Вячеславович
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> -- 
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
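The outbound variant discussed in the thread (AD "manager" DN derived from the midPoint org structure with midpoint.getManagers instead of an extension attribute), written out as an added example. This is not code from the thread or from the midPoint project; the AD resource OID is a placeholder, the mapping assumes the resource schema declares the ri prefix and that the LDAP connector exposes the entry DN as the attribute "dn" (in a typical AD/LDAP resource the DN is a secondary identifier, while the primary identifier is objectGUID, which is why the script reads "dn" rather than getPrimaryIdentifierValue()). The source on parentOrgRef only serves as the re-evaluation trigger when the user's org membership changes; the value itself is computed in the script.

```xml
<!-- Outbound mapping for AD's "manager" attribute, computed from the
     midPoint org structure. Added example, not from the thread.
     Assumptions: AD resource OID is a placeholder, the connector
     schema exposes the DN as attribute "dn", and a user may belong to
     several orgs, so one manager has to be picked deterministically. -->
<attribute>
    <ref>ri:manager</ref>
    <tolerant>false</tolerant>
    <outbound>
        <name>AD manager DN from org structure</name>
        <strength>strong</strength>
        <source>
            <path>$focus/parentOrgRef</path>
        </source>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

                    // Placeholder OID of the AD resource (assumption).
                    String AD_RESOURCE_OID = '00000000-0000-0000-0000-000000000ad0'

                    // Managers of all orgs the user is a member of. A user who is
                    // both member and manager of the same org would otherwise be
                    // returned as their own manager, so the focus itself is dropped.
                    def managers = midpoint.getManagers(focus)
                            .findAll { it.oid != focus.oid }
                            .sort { it.name?.orig }      // deterministic choice: first by name

                    for (UserType manager : managers) {
                        // Repository shadow only (third argument true): identifiers
                        // such as dn are cached there, so no AD round trip is needed.
                        ShadowType shadow = midpoint.getLinkedShadow(manager, AD_RESOURCE_OID, true)
                        if (shadow == null) {
                            continue    // manager has no AD account yet, try the next one
                        }
                        String dn = basic.getAttributeValue(shadow, 'dn')
                        if (dn != null) {
                            return dn
                        }
                    }
                    // No manager with an AD account: clear the attribute rather than
                    // leave a stale DN of a previous manager in place.
                    return null
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
```

Two things to keep in mind when using this. First, the mapping is evaluated when the subordinate user is computed; changing who is assigned as manager of an org does not by itself recompute the org's members, so the AD attribute catches up only on the next recompute or reconciliation of those users (a scheduled recompute task is the usual answer). Second, the strength is strong and tolerant is false so that a manager DN edited directly in AD is reverted to the value midPoint derives from the org structure; use normal strength instead if AD administrators are allowed to override it.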
