[midPoint] Manager

Yakov Revyakin yrevyakin at gmail.com
Wed Dec 17 13:58:10 CET 2025


For example, if a user has info about his manager, the attribute
provisioning can be as follows:

<attribute id="8139">
    <ref>ri:manager</ref>
    <matchingRule xmlns:gen346="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen346:distinguishedName</matchingRule>
    <outbound>
        <strength>strong</strength>
        <source>
            <path>extension/managerNumber</path>
        </source>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
                    import com.evolveum.midpoint.prism.query.ObjectQuery

                    // No manager recorded on the user: provision no value
                    if (basic.isEmpty(managerNumber)) {
                        return null
                    }

                    // Find the manager's user object by personal number
                    ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
                            .item(UserType.F_PERSONAL_NUMBER)
                            .eq(managerNumber)
                            .build()

                    UserType[] managers = midpoint.searchObjects(UserType.class, query)
                    if (managers == null || managers.size() == 0) {
                        return null
                    }

                    // Manager's linked account on the resource with this OID
                    ShadowType managerShadow = midpoint.getLinkedShadow(managers[0],
                            "746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2",
                            ShadowKindType.ACCOUNT, "default")
                    if (managerShadow == null) {
                        return null
                    }

                    // The DN of the manager's account becomes the manager attribute value
                    return basic.getAttributeValue(managerShadow, "dn")
                </code>
            </script>
        </expression>
    </outbound>
</attribute>


On Wed, 17 Dec 2025 at 13:14, Wim Beck via midPoint <midpoint at lists.evolveum.com> wrote:

> Hello,
>
>
>
> I have not actually done this yet, but I am guessing you need to look into
> the association/relationship configuration. I do have it working for AD
> group memberships. Since the manager property is just another type of
> relationship between two AD objects, I am guessing you should be able to
> make it work by configuring the relationship and the corresponding source
> and target ref attributes.
>
>
>
> Kind regards,
>
> *Wim Beck | *Identity Expert @ *IS4U*
>
>
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of *mikhail.nikolaenko
> via midPoint
> *Sent:* Wednesday, 17 December 2025 10:26
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Cc:* mikhail.nikolaenko <mikhail.nikolaenko at proton.me>
> *Subject:* [midPoint] Manager
>
>
>
> Hello midPoint Community,
>
> I need some advice for one feature I am currently implementing.
>
> The requirement: every external employee should have a manager, and this
> should be provisioned into the AD manager attribute.
>
> What I’ve done so far:
>
>    - Added a custom attribute managerRef in the schema (object reference
>    type).
>    - On the UI I can select any object (will later try to restrict to
>    users).
>
> Where I’m stuck:
>
>    - How to provision this into AD? Since managerRef is stored as an
>    object reference, I assume I need to resolve it to the DN of the shadow
>    object, or maybe reuse the DN calculation logic from the resource adapter.
>    - How to reconcile the AD manager attribute back into midPoint? I
>    guess I need to search for the user in midPoint based on a naming
>    attribute from the manager's DN.
>
> Has anyone implemented something similar? I have a feeling that this could
> be done in a smarter way... Any tips, examples, or best practices would
> be really helpful.
>
> With best regards,
>
> Mike
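For the inbound direction raised in the original question (finding the midPoint user from the naming attribute of the AD manager DN), the value can be extracted with the JDK's LDAP name parser instead of splitting on commas, which breaks on escaped characters. This is an added example, not code from the thread or from midPoint; the helper name namingValue, the expected naming attribute CN and the sample DNs are assumptions.

```groovy
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName
import javax.naming.ldap.Rdn

// Hypothetical helper: returns the unescaped value of the leftmost RDN of a DN,
// or null when the DN is empty, malformed, multi-valued, binary, or when its
// naming attribute is not the expected one (CN is an assumption).
String namingValue(String dn, String expectedType = 'CN') {
    if (!dn?.trim()) {
        return null
    }
    try {
        LdapName name = new LdapName(dn)
        if (name.size() == 0) {
            return null
        }
        // LdapName numbers RDNs from the right, so the leftmost one is last.
        Rdn leaf = name.getRdn(name.size() - 1)
        // Reject multi-valued RDNs such as CN=a+UID=b: the match would be ambiguous.
        if (leaf.size() != 1 || !leaf.type.equalsIgnoreCase(expectedType)) {
            return null
        }
        // Rdn.getValue() returns the unescaped value; binary (#hex) values are byte[].
        Object value = leaf.value
        return value instanceof String ? value : null
    } catch (InvalidNameException ignored) {
        // Fail closed: a DN that does not parse resolves to no manager.
        return null
    }
}

// Constructed sample DNs (not taken from the thread)
assert namingValue('CN=jsmith,OU=Staff,DC=example,DC=com') == 'jsmith'
assert namingValue('cn=jsmith,ou=Staff,dc=example,dc=com') == 'jsmith'
// Escaped comma inside the CN: a naive split(',') would return 'CN=Doe\'
assert namingValue('CN=Doe\\, John,OU=Staff,DC=example,DC=com') == 'Doe, John'
assert namingValue('CN=jsmith+UID=42,OU=Staff,DC=example,DC=com') == null
assert namingValue('OU=Staff,DC=example,DC=com') == null
assert namingValue('not a dn') == null
assert namingValue('') == null
```

The returned value is only a search key: the lookup that uses it should require exactly one matching user, since CN is not guaranteed to be unique across a directory.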