PingOne Advanced Identity Cloud

Enable managers to manage their direct reports

While this PingOne Advanced Identity Cloud use case was validated for accuracy, it can always be improved. To provide feedback, click thumb_up or thumb_down in the top right of this page (you must be logged into Backstage).

Description

Estimated time to complete: 20 minutes

In this use case, you configure delegated administration to let managers update their direct reports' information and assign provisioning roles to them through the Advanced Identity Cloud end-user UI.

You’ll need to use Relationship-derived virtual properties (RDVPs) to filter users based on their manager relationships in the Advanced Identity Cloud end-user UI. This approach stores references to the target objects of a relationship as a property of the source object, enabling their use in privilege filters.

Goals

After completing this use case, you will know how to do the following:

  • Define a virtual property to use as a privilege filter.

  • Set up relationship notifications.

  • Configure delegated administration by creating an internal role with privileges.

  • Test delegated administration in the Advanced Identity Cloud end-user UI.

Prerequisites

Before you start work on this use case, ensure you have these prerequisites:

Learn more about creating test users in Create test users and roles.

Tasks

Task 1: Define a virtual property to use as a privilege filter

In this task, you define a virtual property to store the manager ID. To achieve this, you can modify an indexed general purpose extension attribute. The example uses frindexedstring1.

  1. Log in to the Advanced Identity Cloud admin UI as an administrator.

  2. In the left menu pane, select Native Consoles > Identity Management.

  3. Click Configure > Managed Objects and select Alpha_user.

  4. Click the pencil icon () next to frIndexedString1.

  5. On the Details tab, enter the following information:

    Field Value

    Readable title

    custom_managerID

    Description

    Manager’s ID

    1. Click Show advanced options.

    2. Select Virtual and Return By Default.

      Virtual property - Details tab
    3. Click Save.

  6. Click the Query Configuration tab and enter the following information:

    Field Value

    Referenced Relationship Fields

    ["manager"]

    Referenced Object Fields

    _id

    Flatten Properties

    Select the checkbox.

    Virtual property - Query Configuration tab
  7. Click Save.

With this configuration, whenever an alpha_user object is updated, Advanced Identity Cloud will resolve its manager relationship and store the relationship data in the frindexedstring1 property along with the updated object.

Task 2: Set up relationship notifications

In this task, you configure relationship notifications so that a user object is notified whenever its manager relationship changes. Relationship notifications are triggered by any activities related to an object update, including the onUpdate and postUpdate, script hooks, and implicit synchronization.

Relationship notifications are necessary because an object can be impacted by a relationship change even if it is not the direct target of the change. Without these notifications, the user object won’t receive updates. Since manager/reports is a reverse relationship, you must ensure the user object is notified when a report is added to a manager.

Enable “Notify Self” on the manager relationship property

  1. In the Identity Management native console, click Configure > Managed Objects, and then select Alpha_user.

  2. Click the manager relationship property.

  3. On the Details tab, click Show advanced options.

  4. Select Notify Self.

  5. Click Save.

    Manager property with Notify Self selected

Enable notifications on the reports relationship property

  1. In the Identity Management native console, return to Configure > Managed Objects > Alpha_user.

  2. Click the reports relationship property.

  3. On the Details tab > Relationship Configuration, click the pencil icon () next to alpha_user.

  4. Select Notify, and then click Save.

    Reports property with Notify selected

Task 3: Assign a manager user (testmanager1) to a report user (testuser1)

In this task, you assign a manager to the report user.

  1. In the Advanced Identity Cloud admin UI, go to people Identities > Manage.

  2. On the Manage Identities page, click settings_system_daydream Alpha realm - Users.

  3. Search for and select testuser1.

  4. Scroll down to the Manager field and enter the manager. In our example, this is testmanager1.

    Test user record with manager populated
  5. Click Save.

  6. Click [.label]Raw JSON# and notice that the frIndexedString1 field is populated, similar to this:

     "frIndexedString1": "4d130ce4-1cc9-40c8-899d-468ec1ef0161"
Check in

At this point, you:

Defined a virtual property in the Alpha realm to use as a privilege filter.

Set up relationship notifications.

Added the test manager to the test user.

Task 4: Configure delegated administration privileges

In this task, you create an internal role with privileges and assign it to managers, enabling them to view and manage their direct reports through the Advanced Identity Cloud end-user UI.

Create an internal managers role with privileges

  1. In the Advanced Identity Cloud admin UI, go to people Identities > Manage.

  2. On the Manage Identities page, click peopleInternal Roles.

  3. Click + New Internal Role.

  4. Enter the following information, and then click Next:

    Field Value

    Name

    managers

    Description

    Role for managers

  5. Select Alpha Realm Users - managed/alpha_user from the drop-down list, and then click Add.

  6. Select the View and Update checkboxes, and then click Show advanced.

  7. Under Attribute Permissions, click set all attributes, and select None.

  8. Scroll through the list of attributes and enable the ones to be exposed to the manager:

    • Set userName, givenName, cn and sn to Read.

    • Set description and roles to Read/Write.

      Internal managers role permissions
  9. Select Administer only a subset of Alpha realm - Users by applying a filter.

  10. Click Advanced Editor and enter the following query expression:

    frIndexedString1 eq "{{_id}}""

    This filter condition means that only objects that have a property named frIndexedString1 whose value matches the value of the authenticated user’s _id are returned.

    Internal role permissions query expression
  11. Click Next.

  12. Click Next (without setting a dynamic internal role assignment).

  13. Click Save (without setting a time constraint).

Assign the internal role to the manager user (testmanager1)

  1. Click the Members tab for the newly created manager internal role.

  2. Click Add Members.

  3. Select testmanager1.

  4. Click Save.

Internal managers role assigned to test manager
Check in

At this point, you:

Defined a virtual property in the Alpha realm to use as a privilege filter.

Set up a relationship notifications.

Added the test manager to the test user.

Created an internal managers role with privileges and assigned the internal role to the test manager user.

Validation

You are now ready to validate the configuration.

Steps

  1. In an Incognito browser window, go to the Advanced Identity Cloud end-user UI login URL.

  2. In the Sign In page, enter the username and password for testmanager1, and then click Next.

    Alpha realm - User appears as a menu option on the left menu pane, enabling managers to view and manage their direct reports.

    Manage reports through though the Advanced Identity Cloud end-user UI
  3. Click Alpha realm - User.

    The manager’s direct reports are listed (just testuser1 in this example).

    Manager’s reports listed in the Advanced Identity Cloud end-user UI
  4. Click testuser1.

    Testuser1 details in Advanced Identity Cloud end-user UI

The manager can make updates to their report users' details based on the attribute permissions defined in the internal role.

Explore further

Reference material

Reference Description

Advanced Identity Cloud identity schema

An overview of the identity schema used to organize users, roles, assignments, groups, organizations, and applications.

Relationships

An overview of relationships in the identity model.

Relationship-derived virtual properties (RDVPs)

An overview of virtual properties that can be calculated based on relationships and relationship notifications.

Roles and assignments

An overview of building an entitlement structure in Advanced Identity Cloud.

Modeling Identities - ForgeRock University

On-demand training videos and demos on identity modeling in Advanced Identity Cloud.