<div dir="ltr">For example, if a user has info about his manager, the attribute provisioning can be as follows:<br><div><div style="background-color:rgb(30,31,34);color:rgb(188,190,196)"><pre style="font-family:'JetBrains Mono',monospace;font-size:9.8pt">&lt;attribute id="8139"&gt;
    &lt;ref&gt;ri:manager&lt;/ref&gt;
    &lt;matchingRule xmlns:gen346="http://prism.evolveum.com/xml/ns/public/matching-rule-3"&gt;gen346:distinguishedName&lt;/matchingRule&gt;
    &lt;outbound&gt;
        &lt;strength&gt;strong&lt;/strength&gt;
        &lt;source&gt;
            &lt;path&gt;extension/managerNumber&lt;/path&gt;
        &lt;/source&gt;
        &lt;expression&gt;
            &lt;script&gt;
                &lt;code&gt;
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
                    import com.evolveum.midpoint.prism.query.ObjectQuery

                    // No manager number on the user: produce no value for ri:manager
                    if (basic.isEmpty(managerNumber)) {
                        return null
                    }

                    // Find the manager's midPoint user by personal number
                    ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
                        .item(UserType.F_PERSONAL_NUMBER)
                        .eq(managerNumber)
                        .build()

                    UserType[] managers = midpoint.searchObjects(UserType.class, query)
                    if (managers == null || managers.size() == 0) {
                        return null
                    }

                    // Take the first match and resolve its account shadow on the resource with this OID
                    ShadowType managerShadow = midpoint.getLinkedShadow(managers[0],
                        "746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2", ShadowKindType.ACCOUNT, "default")
                    if (managerShadow == null) {
                        return null
                    }

                    // The manager's DN becomes the value of ri:manager
                    return basic.getAttributeValue(managerShadow, "dn")
                &lt;/code&gt;
            &lt;/script&gt;
        &lt;/expression&gt;
    &lt;/outbound&gt;
&lt;/attribute&gt;</pre></div></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Wed, 17 Dec 2025 at 13:14, Wim Beck via midPoint &lt;<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg6223292497270502153">
<div lang="en-BE" style="overflow-wrap: break-word;">
<div class="m_6223292497270502153WordSection1">
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif">Hello,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif">I have not actually done this yet, but I am guessing you need to look into the association/relationship configuration. I do have it working
for AD group memberships. Since the manager property is just another type of relationship between two AD objects, I am guessing you should be able to make it work by configuring the relationship and the corresponding source and target ref attributes.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif">Kind regards,<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-right:0cm;margin-bottom:3.75pt;margin-left:0cm">
<b><span lang="en-BE" style="font-size:11pt;font-family:'Courier New';color:rgb(21,34,123)">Wim Beck |
</span></b><span lang="en-BE" style="font-size:11pt;font-family:'Courier New';color:rgb(119,119,119)">Identity Expert @
</span><b><span lang="en-BE" style="font-size:11pt;font-family:'Courier New';color:rgb(21,34,123)">IS4U</span></b><span lang="en-BE"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif"> midPoint <<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>>
<b>On Behalf Of </b>mikhail.nikolaenko via midPoint<br>
<b>Sent:</b> Wednesday, 17 December 2025 10:26<br>
<b>To:</b> midPoint General Discussion <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
<b>Cc:</b> mikhail.nikolaenko <<a href="mailto:mikhail.nikolaenko@proton.me" target="_blank">mikhail.nikolaenko@proton.me</a>><br>
<b>Subject:</b> [midPoint] Manager<u></u><u></u></span></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div style="margin-top:10.5pt;margin-bottom:10.5pt">
<p class="MsoNormal">Hello midPoint Community,<u></u><u></u></p>
</div>
<p>I need some advice for one feature I am currently implementing.<u></u><u></u></p>
<p>The requirement: every external employee should have a manager, and this should be provisioned into the AD
<code><span style="font-size:10pt">manager</span></code> attribute.<u></u><u></u></p>
<p>What I’ve done so far:<u></u><u></u></p>
<ul type="disc">
<li class="MsoNormal">
Added a custom attribute <code><span style="font-size:10pt">managerRef</span></code> in the schema (object reference type).<u></u><u></u></li><li class="MsoNormal">
On the UI I can select any object (will later try to restrict to users).<u></u><u></u></li></ul>
<p>Where I’m stuck:<u></u><u></u></p>
<ul type="disc">
<li class="MsoNormal">
How to provision this into AD? Since <code><span style="font-size:10pt">managerRef</span></code> is stored as an object reference, I assume I need to resolve it to the DN of the shadow object, or maybe reuse the DN calculation logic from the resource adapter.<u></u><u></u></li><li class="MsoNormal">
How to reconcile the AD <code><span style="font-size:10pt">manager</span></code> attribute back into midPoint? I guess I need to search for the user in midPoint based on a naming attribute from the manager's DN.<u></u><u></u></li></ul>
<p>Has anyone implemented something similar? I have a feeling that this could be done in a smarter way... Any tips, examples, or best practices would be really helpful.<u></u><u></u></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.5pt;font-family:Arial,sans-serif;color:black">With best regards,<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.5pt;font-family:Arial,sans-serif;color:black">Mike<u></u><u></u></span></p>
</div>
</div>
</div>
</div></blockquote></div>
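<p>Added example, not part of the thread and not midPoint's own code: the DN handling that the reconciliation question and the <code>distinguishedName</code> matching rule both depend on, written as stand-alone Groovy with the JDK's <code>javax.naming.ldap</code> classes. The helper names <code>leafRdnValue</code> and <code>sameDn</code> and the sample DNs are assumptions made for illustration.</p>

```groovy
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName
import javax.naming.ldap.Rdn

// Hypothetical helper: value of the leaf (leftmost) RDN, or null when the DN
// is empty, malformed, or its leaf is not of the expected type.
String leafRdnValue(String dn, String expectedType = 'CN') {
    if (dn == null || dn.trim().isEmpty()) {
        return null
    }
    LdapName name
    try {
        name = new LdapName(dn)
    } catch (InvalidNameException ignored) {
        return null   // never derive an owner from a DN that does not parse
    }
    if (name.size() == 0) {
        return null
    }
    // LdapName numbers RDNs from the right, so the leaf is the last index.
    Rdn leaf = name.getRdn(name.size() - 1)
    if (!leaf.type.equalsIgnoreCase(expectedType)) {
        return null
    }
    Object value = leaf.value   // already unescaped; byte[] for '#hex' values
    return (value instanceof String) ? value : null
}

// Hypothetical helper: DN-aware equality (case and escaping style are ignored).
boolean sameDn(String a, String b) {
    if (a == null || b == null) {
        return false
    }
    try {
        return new LdapName(a).equals(new LdapName(b))
    } catch (InvalidNameException ignored) {
        return false
    }
}

// Constructed sample DNs, not taken from the thread.
String escaped = 'CN=Doe\\, John,OU=Staff,DC=example,DC=com'
assert leafRdnValue(escaped) == 'Doe, John'
assert escaped.split(',')[0] == 'CN=Doe\\'   // naive splitting truncates the name
assert leafRdnValue('OU=Staff,DC=example,DC=com') == null
assert leafRdnValue('not a dn') == null
assert sameDn('CN=Jane Roe,OU=Staff,DC=example,DC=com',
              'cn=jane roe,ou=staff,dc=EXAMPLE,dc=com')
```

<p>A plain string comparison of the last two DNs reports a difference on every reconciliation, and a manager lookup keyed on a truncated or unparsed name can link the wrong user, so both cases return null or false here instead of a guess.</p>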