Enable managers to manage their direct reports

While this PingOne Advanced Identity Cloud use case was validated for accuracy, it can always be improved. To provide feedback, click thumb_up or thumb_down in the top right of this page (you must be logged into Backstage).

Description

Estimated time to complete: 20 minutes

In this use case, you configure delegated administration to let managers update their direct reports' information and assign provisioning roles to them through the Advanced Identity Cloud end-user UI.

You’ll need to use Relationship-derived virtual properties (RDVPs) to filter users based on their manager relationships in the Advanced Identity Cloud end-user UI. This approach stores references to the target objects of a relationship as a property of the source object, enabling their use in privilege filters.

Goals

After completing this use case, you will know how to do the following:

Define a virtual property to use as a privilege filter.
Set up relationship notifications.
Configure delegated administration by creating an internal role with privileges.
Test delegated administration in the Advanced Identity Cloud end-user UI.

Prerequisites

Before you start work on this use case, ensure you have these prerequisites:

Access to your Advanced Identity Cloud development environment as an administrator.
A basic understanding of:
Two users in the alpha realm:
- A manager user, with username testmanager1
- A report user, with username testuser1

Learn more about creating test users in Create test users and roles.

Tasks

Task 1: Define a virtual property to use as a privilege filter

In this task, you define a virtual property to store the manager ID. To achieve this, you can modify an indexed general purpose extension attribute. The example uses frindexedstring1.

Log in to the Advanced Identity Cloud admin UI as an administrator.
In the left menu pane, select Native Consoles > Identity Management.
Click Configure > Managed Objects and select Alpha_user.
Click the pencil icon () next to frIndexedString1.
On the Details tab, enter the following information:

Field Value

Readable title

custom_managerID

Description

Manager’s ID
1. Click Show advanced options.
2. Select Virtual and Return By Default.
3. Click Save.
Click the Query Configuration tab and enter the following information:

Field Value

Referenced Relationship Fields

["manager"]

Referenced Object Fields

_id

Flatten Properties

Select the checkbox.
Click Save.

Field	Value
Readable title	`custom_managerID`
Description	`Manager’s ID`

Field	Value
Referenced Relationship Fields	`["manager"]`
Referenced Object Fields	`_id`
Flatten Properties	Select the checkbox.

With this configuration, whenever an alpha_user object is updated, Advanced Identity Cloud will resolve its manager relationship and store the relationship data in the frindexedstring1 property along with the updated object.

Task 2: Set up relationship notifications

In this task, you configure relationship notifications so that a user object is notified whenever its manager relationship changes. Relationship notifications are triggered by any activities related to an object update, including the onUpdate and postUpdate, script hooks, and implicit synchronization.

Relationship notifications are necessary because an object can be impacted by a relationship change even if it is not the direct target of the change. Without these notifications, the user object won’t receive updates. Since manager/reports is a reverse relationship, you must ensure the user object is notified when a report is added to a manager.

Enable “Notify Self” on the manager relationship property

In the Identity Management native console, click Configure > Managed Objects, and then select Alpha_user.
Click the manager relationship property.
On the Details tab, click Show advanced options.
Select Notify Self.
Click Save.

Enable notifications on the reports relationship property

In the Identity Management native console, return to Configure > Managed Objects > Alpha_user.
Click the reports relationship property.
On the Details tab > Relationship Configuration, click the pencil icon () next to alpha_user.
Select Notify, and then click Save.

Task 3: Assign a manager user (`testmanager1`) to a report user (`testuser1`)

In this task, you assign a manager to the report user.

In the Advanced Identity Cloud admin UI, go to people Identities > Manage.
On the Manage Identities page, click settings_system_daydream Alpha realm - Users.
Search for and select testuser1.
Scroll down to the Manager field and enter the manager. In our example, this is testmanager1.
Click Save.
Click [.label]Raw JSON# and notice that the frIndexedString1 field is populated, similar to this:
```
 "frIndexedString1": "4d130ce4-1cc9-40c8-899d-468ec1ef0161"
```

Check in

At this point, you:

Defined a virtual property in the Alpha realm to use as a privilege filter.

Set up relationship notifications.

Added the test manager to the test user.

Task 4: Configure delegated administration privileges

In this task, you create an internal role with privileges and assign it to managers, enabling them to view and manage their direct reports through the Advanced Identity Cloud end-user UI.

Create an internal managers role with privileges

In the Advanced Identity Cloud admin UI, go to people Identities > Manage.
On the Manage Identities page, click peopleInternal Roles.
Click + New Internal Role.
Enter the following information, and then click Next:

Field Value

Name

managers

Description

Role for managers
Select Alpha Realm Users - managed/alpha_user from the drop-down list, and then click Add.
Select the View and Update checkboxes, and then click Show advanced.
Under Attribute Permissions, click set all attributes, and select None.
Scroll through the list of attributes and enable the ones to be exposed to the manager:
- Set userName, givenName, cn and sn to Read.
- Set description and roles to Read/Write.
Select Administer only a subset of Alpha realm - Users by applying a filter.
Click Advanced Editor and enter the following query expression:
```
frIndexedString1 eq "{{_id}}""
```
This filter condition means that only objects that have a property named frIndexedString1 whose value matches the value of the authenticated user’s _id are returned.
Click Next.
Click Next (without setting a dynamic internal role assignment).
Click Save (without setting a time constraint).

Field	Value
Name	`managers`
Description	`Role for managers`

Assign the internal role to the manager user (`testmanager1`)

Click the Members tab for the newly created manager internal role.
Click Add Members.
Select testmanager1.
Click Save.

Internal managers role assigned to test manager

Check in

At this point, you:

Defined a virtual property in the Alpha realm to use as a privilege filter.

Set up a relationship notifications.

Added the test manager to the test user.

Created an internal managers role with privileges and assigned the internal role to the test manager user.

Validation

You are now ready to validate the configuration.

Steps

In an Incognito browser window, go to the Advanced Identity Cloud end-user UI login URL.
In the Sign In page, enter the username and password for testmanager1, and then click Next.

Alpha realm - User appears as a menu option on the left menu pane, enabling managers to view and manage their direct reports.
Click Alpha realm - User.

The manager’s direct reports are listed (just testuser1 in this example).
Click testuser1.

The manager can make updates to their report users' details based on the attribute permissions defined in the internal role.

Explore further

Reference material

Reference	Description
Advanced Identity Cloud identity schema	An overview of the identity schema used to organize users, roles, assignments, groups, organizations, and applications.
Relationships	An overview of relationships in the identity model.
Relationship-derived virtual properties (RDVPs)	An overview of virtual properties that can be calculated based on relationships and relationship notifications.
Roles and assignments	An overview of building an entitlement structure in Advanced Identity Cloud.
Modeling Identities - ForgeRock University	On-demand training videos and demos on identity modeling in Advanced Identity Cloud.

Reference

Description

Advanced Identity Cloud identity schema

An overview of the identity schema used to organize users, roles, assignments, groups, organizations, and applications.

Relationships

An overview of relationships in the identity model.

Relationship-derived virtual properties (RDVPs)

An overview of virtual properties that can be calculated based on relationships and relationship notifications.

Roles and assignments

An overview of building an entitlement structure in Advanced Identity Cloud.

Modeling Identities - ForgeRock University

On-demand training videos and demos on identity modeling in Advanced Identity Cloud.

PingOne Advanced Identity Cloud

Enable managers to manage their direct reports

Description

Goals

Prerequisites

Tasks

Task 1: Define a virtual property to use as a privilege filter

Task 2: Set up relationship notifications

Enable “Notify Self” on the manager relationship property

Enable notifications on the reports relationship property

Task 3: Assign a manager user (testmanager1) to a report user (testuser1)

Task 4: Configure delegated administration privileges

Create an internal managers role with privileges

Assign the internal role to the manager user (testmanager1)

Validation

Steps

Explore further

Reference material

Task 3: Assign a manager user (`testmanager1`) to a report user (`testuser1`)

Assign the internal role to the manager user (`testmanager1`)