[midPoint] Manager
mikhail.nikolaenko
mikhail.nikolaenko at proton.me
Thu Dec 18 16:22:52 CET 2025
Hello Yakov,
Thank you for the provided example!
In my case I use a reference object as a manager, so I can use the oid from it. I have implemented provisioning and it works.
Thank you again.
With best regards,
Mike
On Wednesday, December 17th, 2025 at 1:58 PM, Yakov Revyakin via midPoint <midpoint at lists.evolveum.com> wrote:
> For example, if a user has info about his manager, the attribute provisioning can be as follows:
>
> <attribute id="8139">
>     <ref>ri:manager</ref>
>     <matchingRule xmlns:gen346="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen346:distinguishedName</matchingRule>
>     <outbound>
>         <strength>strong</strength>
>         <source>
>             <path>extension/managerNumber</path>
>         </source>
>         <expression>
>             <script>
>                 <code>
>                     import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
>                     import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType
>                     import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
>                     import com.evolveum.midpoint.prism.query.ObjectQuery
>
>                     if (basic.isEmpty(managerNumber)) {
>                         return null
>                     }
>
>                     ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
>                         .item(UserType.F_PERSONAL_NUMBER)
>                         .eq(managerNumber)
>                         .build()
>
>                     UserType[] managers = midpoint.searchObjects(UserType.class, query)
>                     if (managers == null || managers.size() == 0) {
>                         return null
>                     }
>
>                     ShadowType managerShadow = midpoint.getLinkedShadow(managers[0],
>                         "746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2", ShadowKindType.ACCOUNT, "default")
>                     if (managerShadow == null) {
>                         return null
>                     }
>
>                     return basic.getAttributeValue(managerShadow, "dn")
>                 </code>
>             </script>
>         </expression>
>     </outbound>
> </attribute>
>
> On Wed, 17 Dec 2025 at 13:14, Wim Beck via midPoint <midpoint at lists.evolveum.com> wrote:
>
>> Hello,
>>
>> I have not actually done this yet, but I am guessing you need to look into the association/relationship configuration. I do have it working for AD group memberships. Since the manager property is just another type of relationship between two AD objects, I am guessing you should be able to make it work by configuring the relationship and the corresponding source and target ref attributes.
>>
>> Kind regards,
>>
>> Wim Beck | Identity Expert @ IS4U
>>
>> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of mikhail.nikolaenko via midPoint
>> Sent: Wednesday, 17 December 2025 10:26
>> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>> Cc: mikhail.nikolaenko <mikhail.nikolaenko at proton.me>
>> Subject: [midPoint] Manager
>>
>> Hello midPoint Community,
>>
>> I need some advice for one feature I am currently implementing.
>>
>> The requirement: every external employee should have a manager, and this should be provisioned into the AD manager attribute.
>>
>> What I’ve done so far:
>>
>> - Added a custom attribute managerRef in the schema (object reference type).
>> - On the UI I can select any object (will later try to restrict to users).
>>
>> Where I’m stuck:
>>
>> - How to provision this into AD? Since managerRef is stored as an object reference, I assume I need to resolve it to the DN of the shadow object, or maybe reuse the DN calculation logic from the resource adapter.
>> - How to reconcile the AD manager attribute back into midPoint? I guess I need to search for the user in midPoint based on a naming attribute from the manager's DN.
>>
>> Has anyone implemented something similar? I have a feeling that this could be done in a smarter way... Any tips, examples, or best practices would be really helpful.
>>
>> With best regards,
>>
>> Mike
>>
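
The variant discussed in this thread, where the manager is held as an object reference and resolved by oid rather than by a personal-number search, could look like the following. This is an added example, not configuration posted by anyone in the thread: the source path extension/managerRef follows the attribute name in the original question, RESOURCE-OID-PLACEHOLDER stands for the oid of the AD resource, and the "default" intent and "dn" attribute name are carried over from the quoted example as assumptions.

```xml
<attribute>
    <ref>ri:manager</ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
    <outbound>
        <strength>strong</strength>
        <source>
            <!-- Assumption: custom extension item of object reference type -->
            <path>extension/managerRef</path>
        </source>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
                    import com.evolveum.midpoint.util.exception.ObjectNotFoundException

                    // No manager selected: nothing to provision
                    if (managerRef == null || basic.isEmpty(managerRef.oid)) {
                        return null
                    }

                    // The reference already carries the oid, so no search query is needed.
                    // Assumption: the reference targets a user object.
                    UserType manager
                    try {
                        manager = midpoint.getObject(UserType.class, managerRef.oid)
                    } catch (ObjectNotFoundException e) {
                        // Dangling reference (target deleted): do not emit a value
                        return null
                    }

                    // Placeholder oid: replace with the oid of the AD resource
                    ShadowType managerShadow = midpoint.getLinkedShadow(manager,
                        "RESOURCE-OID-PLACEHOLDER", ShadowKindType.ACCOUNT, "default")
                    if (managerShadow == null) {
                        // Manager has no account on this resource yet
                        return null
                    }

                    return basic.getAttributeValue(managerShadow, "dn")
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
```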