Enable managers to manage their direct reports
Description
Estimated time to complete: 20 minutes
In this use case, you configure delegated administration to let managers update their direct reports' information and assign provisioning roles to them through the Advanced Identity Cloud end-user UI.
You’ll need to use Relationship-derived virtual properties (RDVPs) to filter users based on their manager relationships in the Advanced Identity Cloud end-user UI. This approach stores references to the target objects of a relationship as a property of the source object, enabling their use in privilege filters.
Goals
After completing this use case, you will know how to do the following:
-
Define a virtual property to use as a privilege filter.
-
Set up relationship notifications.
-
Configure delegated administration by creating an internal role with privileges.
-
Test delegated administration in the Advanced Identity Cloud end-user UI.
Prerequisites
Before you start work on this use case, ensure you have these prerequisites:
-
Access to your Advanced Identity Cloud development environment as an administrator.
-
A basic understanding of:
-
Two users in the alpha realm:
-
A manager user, with username
testmanager1
-
A report user, with username
testuser1
-
Learn more about creating test users in Create test users and roles.
Tasks
Task 1: Define a virtual property to use as a privilege filter
In this task, you define a virtual property to store the manager ID. To achieve this, you can modify an indexed general purpose extension attribute. The example uses frindexedstring1
.
-
Log in to the Advanced Identity Cloud admin UI as an administrator.
-
In the left menu pane, select Native Consoles > Identity Management.
-
Click Configure > Managed Objects and select
Alpha_user
. -
Click the pencil icon () next to
frIndexedString1
. -
On the Details tab, enter the following information:
Field Value Readable title
custom_managerID
Description
Manager’s ID
-
Click Show advanced options.
-
Select Virtual and Return By Default.
-
Click Save.
-
-
Click the Query Configuration tab and enter the following information:
Field Value Referenced Relationship Fields
["manager"]
Referenced Object Fields
_id
Flatten Properties
Select the checkbox.
-
Click Save.
With this configuration, whenever an alpha_user
object is updated, Advanced Identity Cloud will resolve its manager relationship and store the relationship data in the frindexedstring1
property along with the updated object.
Task 2: Set up relationship notifications
In this task, you configure relationship notifications so that a user object is notified whenever its manager relationship changes. Relationship notifications are triggered by any activities related to an object update, including the onUpdate
and postUpdate
, script hooks, and implicit synchronization.
Relationship notifications are necessary because an object can be impacted by a relationship change even if it is not the direct target of the change. Without these notifications, the user object won’t receive updates. Since manager/reports is a reverse relationship, you must ensure the user object is notified when a report is added to a manager.
Enable “Notify Self” on the manager relationship property
-
In the Identity Management native console, click Configure > Managed Objects, and then select
Alpha_user
. -
Click the
manager
relationship property. -
On the Details tab, click Show advanced options.
-
Select Notify Self.
-
Click Save.
Enable notifications on the reports relationship property
-
In the Identity Management native console, return to Configure > Managed Objects >
Alpha_user
. -
Click the
reports
relationship property. -
On the Details tab > Relationship Configuration, click the pencil icon () next to
alpha_user
. -
Select Notify, and then click Save.
Task 3: Assign a manager user (testmanager1
) to a report user (testuser1
)
In this task, you assign a manager to the report user.
-
In the Advanced Identity Cloud admin UI, go to Identities > Manage.
-
On the Manage Identities page, click Alpha realm - Users.
-
Search for and select
testuser1
. -
Scroll down to the Manager field and enter the manager. In our example, this is
testmanager1
. -
Click Save.
-
Click [.label]Raw JSON# and notice that the
frIndexedString1
field is populated, similar to this:"frIndexedString1": "4d130ce4-1cc9-40c8-899d-468ec1ef0161"
Task 4: Configure delegated administration privileges
In this task, you create an internal role with privileges and assign it to managers, enabling them to view and manage their direct reports through the Advanced Identity Cloud end-user UI.
Create an internal managers role with privileges
-
In the Advanced Identity Cloud admin UI, go to Identities > Manage.
-
On the Manage Identities page, click Internal Roles.
-
Click + New Internal Role.
-
Enter the following information, and then click Next:
Field Value Name
managers
Description
Role for managers
-
Select
Alpha Realm Users - managed/alpha_user
from the drop-down list, and then click Add. -
Select the View and Update checkboxes, and then click Show advanced.
-
Under Attribute Permissions, click set all attributes, and select
None
. -
Scroll through the list of attributes and enable the ones to be exposed to the manager:
-
Set
userName
,givenName
,cn
andsn
to Read. -
Set
description
androles
to Read/Write.
-
-
Select Administer only a subset of Alpha realm - Users by applying a filter.
-
Click Advanced Editor and enter the following query expression:
frIndexedString1 eq "{{_id}}""
This filter condition means that only objects that have a property named
frIndexedString1
whose value matches the value of the authenticated user’s_id
are returned. -
Click Next.
-
Click Next (without setting a dynamic internal role assignment).
-
Click Save (without setting a time constraint).
Validation
You are now ready to validate the configuration.
Steps
-
In an Incognito browser window, go to the Advanced Identity Cloud end-user UI login URL.
-
In the Sign In page, enter the username and password for
testmanager1
, and then click Next.Alpha realm - User appears as a menu option on the left menu pane, enabling managers to view and manage their direct reports.
-
Click Alpha realm - User.
The manager’s direct reports are listed (just
testuser1
in this example). -
Click
testuser1
.
The manager can make updates to their report users' details based on the attribute permissions defined in the internal role.
Explore further
Reference material
Reference | Description |
---|---|
An overview of the identity schema used to organize users, roles, assignments, groups, organizations, and applications. |
|
An overview of relationships in the identity model. |
|
An overview of virtual properties that can be calculated based on relationships and relationship notifications. |
|
An overview of building an entitlement structure in Advanced Identity Cloud. |
|
On-demand training videos and demos on identity modeling in Advanced Identity Cloud. |