---
title: Enable managers to manage their direct reports
description: "Estimated time to complete: 20 minutes"
component: pingoneaic
page_id: pingoneaic:use-cases:use-case-manage-reports
canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-manage-reports.html
keywords: ["Implementation Guide", "Use Case", "Identities"]
page_aliases: ["implementation:use-case-manage-reports.adoc"]
section_ids:
  managers-description: Description
  managers-goals: Goals
  managers-prereqs: Prerequisites
  managers-tasks: Tasks
  managers-task-1: "Task 1: Define a virtual property to use as a privilege filter"
  managers-task-2: "Task 2: Set up relationship notifications"
  enable_notify_self_on_the_manager_relationship_property: Enable "Notify Self" on the manager relationship property
  enable_notifications_on_the_reports_relationship_property: Enable notifications on the reports relationship property
  managers-task-3: "Task 3: Assign a manager user (testmanager1) to a report user (testuser1)"
  managers-task-4: "Task 4: Configure delegated administration privileges"
  create_an_internal_managers_role_with_privileges: Create an internal managers role with privileges
  assign_the_internal_role_to_the_manager_user_testmanager1: Assign the internal role to the manager user (testmanager1)
  managers-validation: Validation
  managers-validation-steps: Steps
  managers-explore-further: Explore further
  managers-reference-material: Reference material
---

# Enable managers to manage their direct reports

## Description

Estimated time to complete: 20 minutes (this assumes you complete the prerequisites beforehand).

In this use case, you configure delegated administration to let managers update their direct reports' information and assign provisioning roles to them through the hosted account pages.

You'll need to use [Relationship-derived virtual properties (RDVPs)](../idm-objects/managed-object-virtual-properties.html#relationship-derived-virtual-properties) to filter users based on their manager relationships in the hosted account pages. This approach stores references to the target objects of a relationship as a property of the source object, enabling their use in privilege filters.

### Goals

After completing this use case, you will know how to do the following:

* Define a virtual property to use as a privilege filter.

* Set up relationship notifications.

* Configure delegated administration by creating an internal role with privileges.

* Test delegated administration in the hosted account pages.

## Prerequisites

Before you start work on this use case, ensure you have these prerequisites:

* Access to your Advanced Identity Cloud development environment as an administrator.

* A basic understanding of:

  * The [Advanced Identity Cloud identity schema](../identities/identity-cloud-identity-schema.html)

  * [Relationships](../planning/plan-object-modeling-relationships.html)

  * [Relationship-derived virtual properties (RDVPs)](../idm-objects/managed-object-virtual-properties.html#relationship-derived-virtual-properties)

* Two users in the alpha realm:

  * A manager user, with username `testmanager1`

  * A report user, with username `testuser1`

Learn more about creating test users in [Create test users and roles](use-case-test-users-and-roles.html).

## Tasks

### Task 1: Define a virtual property to use as a privilege filter

In this task, you define a virtual property to store the manager ID. To achieve this, you can modify an indexed [general purpose extension attribute](../identities/user-identity-properties-attributes-reference.html#general-purpose-extension-attributes). The example uses `frIndexedString1`.

1. Sign on to the Advanced Identity Cloud admin console as an administrator.

2. In the left menu pane, select Native Consoles > Identity Management.

3. Click Configure > Managed Objects and select `Alpha_user`.

4. Click the pencil icon next to `frIndexedString1`.

5. On the Details tab, enter the following information:

   | Field          | Value              |
   | -------------- | ------------------ |
   | Readable title | `custom_managerID` |
   | Description    | `Manager's ID`     |

   1. Click Show advanced options.

   2. Select Virtual and Return By Default.

      ![Virtual property - Details tab](_images/use-case-manage-reports/use-case-managers-manager-id-virtual-property.png)

   3. Click Save.

6. Click the Query Configuration tab and enter the following information:

   | Field                          | Value                |
   | ------------------------------ | -------------------- |
   | Referenced Relationship Fields | `["manager"]`        |
   | Referenced Object Fields       | `_id`                |
   | Flatten Properties             | Select the checkbox. |

   ![Virtual property - Query Configuration tab](_images/use-case-manage-reports/use-case-managers-query-config.png)

7. Click Save.

With this configuration, whenever an `alpha_user` object is updated, Advanced Identity Cloud resolves its manager relationship and stores the relationship data in the `frIndexedString1` property along with the updated object.

### Task 2: Set up relationship notifications

In this task, you configure relationship notifications so that a user object is notified whenever its manager relationship changes. Relationship notifications are triggered by any activities related to an object update, including the `onUpdate` and `postUpdate` [script hooks](../idm-objects/managed-objects-scripts.html) and [implicit synchronization](../idm-synchronization/sync-types.html).

Relationship notifications are necessary because an object can be impacted by a relationship change even if it is not the direct target of the change. Without these notifications, the user object won't receive updates. Since manager/reports is a reverse relationship (both sides point to the other in a bidirectional flow), you must ensure the user object is notified when a report is added to a manager.

#### Enable "Notify Self" on the manager relationship property

1. In the Identity Management native console, click Configure > Managed Objects, and then select `Alpha_user`.

2. Click the `manager` relationship property.

3. On the Details tab, click Show advanced options.

4. Select Notify Self.

5. Click Save.

   ![Manager property with Notify Self selected](_images/use-case-manage-reports/use-case-managers-relationship-notify-self.png)

#### Enable notifications on the reports relationship property

1. In the Identity Management native console, return to Configure > Managed Objects > `Alpha_user`.

2. Click the `reports` relationship property.

3. On the Details tab > Relationship Configuration, click the pencil icon next to `alpha_user`.

4. Select Notify, and then click Save.

   ![Reports property with Notify selected](_images/use-case-manage-reports/use-case-managers-reports-enable-notify.png)

### Task 3: Assign a manager user (`testmanager1`) to a report user (`testuser1`)

In this task, you assign a manager to the report user.

1. In the Advanced Identity Cloud admin console, go to Identities > Manage.

2. On the Manage Identities page, click Alpha realm - Users.

3. Search for and select `testuser1`.

4. Scroll down to the Manager field and enter the manager. In our example, this is `testmanager1`.

   ![Test user record with manager populated](_images/use-case-manage-reports/use-case-managers-test-user-with-test-manager.png)

5. Click Save.

6. Click Raw JSON and notice that the `frIndexedString1` field is populated, similar to this:

   ```json
    "frIndexedString1": "4d130ce4-1cc9-40c8-899d-468ec1ef0161"
   ```

Check in

At this point, you:

* Defined a virtual property in the Alpha realm to use as a privilege filter.

* Set up relationship notifications.

* Added the test manager to the test user.

### Task 4: Configure delegated administration privileges

In this task, you create an internal role with privileges and assign it to managers, enabling them to view and manage their direct reports through the hosted account pages.

#### Create an internal managers role with privileges

1. In the Advanced Identity Cloud admin console, go to Identities > Manage.

2. On the Manage Identities page, click Internal Roles.

3. Click + New Internal Role.

4. Enter the following information, and then click Next:

   | Field       | Value               |
   | ----------- | ------------------- |
   | Name        | `managers`          |
   | Description | `Role for managers` |

5. Select `Alpha Realm Users - managed/alpha_user` from the drop-down list, and then click Add.

6. Select the View and Update checkboxes, and then click Show advanced.

7. Under Attribute Permissions, click set all attributes, and select `None`.

8. Scroll through the list of attributes and enable the ones to be exposed to the manager:

   * Set `userName`, `givenName`, `cn` and `sn` to Read.

   * Set `description` and `roles` to Read/Write.

     ![Internal managers role permissions](_images/use-case-manage-reports/use-case-managers-internal-role-permissions.png)

9. Select Administer only a subset of Alpha realm - Users by applying a filter.

10. Click Advanced Editor and enter the following query expression:

    ```js
    frIndexedString1 eq "{{_id}}"
    ```

    This filter condition means that only objects that have a property named `frIndexedString1` whose value matches the value of the authenticated user's `_id` are returned.

    ![Internal role permissions query expression](_images/use-case-manage-reports/use-case-managers-internal-role-query-expresion.png)

11. Click Next.

12. Click Next (without setting a dynamic internal role assignment).

13. Click Save (without setting a time constraint).
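
The following added example is a simplified model of how the filter and the attribute permissions from this task combine to scope a manager's access. It is not Advanced Identity Cloud code: the sample `_id` values, the `mail` attribute, and the function names are constructed for illustration.

```javascript
// Simplified model of the Task 4 privilege (illustrative, not product code).
const PRIVILEGE = {
  filterField: "frIndexedString1", // virtual property holding the manager's _id
  // Attribute permissions; anything not listed here is "None".
  attributes: { userName: "R", givenName: "R", cn: "R", sn: "R",
                description: "RW", roles: "RW" },
};

// Constructed sample objects; _id values and the mail attribute are placeholders.
const users = [
  { _id: "mgr-1", userName: "testmanager1", frIndexedString1: null, mail: "m1@example.com" },
  { _id: "usr-1", userName: "testuser1", frIndexedString1: "mgr-1", mail: "u1@example.com", description: "" },
  { _id: "usr-2", userName: "otheruser", frIndexedString1: "mgr-2", mail: "u2@example.com", description: "" },
];

// frIndexedString1 eq "{{_id}}": {{_id}} becomes the authenticated user's _id.
function inScope(callerId, target) {
  return target[PRIVILEGE.filterField] === callerId;
}

// View: only in-scope objects, reduced to attributes with Read or Read/Write.
function viewAs(callerId) {
  return users.filter((u) => inScope(callerId, u)).map((u) => {
    const out = { _id: u._id };
    for (const attr of Object.keys(PRIVILEGE.attributes)) {
      if (attr in u) out[attr] = u[attr];
    }
    return out;
  });
}

// Update: the target must be in scope and every patched attribute Read/Write.
function updateAs(callerId, targetId, patch) {
  const target = users.find((u) => u._id === targetId);
  if (!target || !inScope(callerId, target)) return "denied: out of scope";
  const blocked = Object.keys(patch).filter((a) => PRIVILEGE.attributes[a] !== "RW");
  if (blocked.length > 0) return "denied: " + blocked.join(",");
  Object.assign(target, patch);
  return "ok";
}

console.log(viewAs("mgr-1"));                                         // only testuser1, without mail
console.log(updateAs("mgr-1", "usr-1", { frIndexedString1: "x" }));   // filter attribute is not writable
```

Because `frIndexedString1` is left at `None`, a manager cannot rewrite the attribute that the filter itself depends on.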

#### Assign the internal role to the manager user (`testmanager1`)

1. Click the Members tab for the newly created `managers` internal role.

2. Click Add Members.

3. Select `testmanager1`.

4. Click Save.

![Internal managers role assigned to test manager](_images/use-case-manage-reports/use-case-managers-internal-role-test-manager.png)

Check in

At this point, you:

* Defined a virtual property in the Alpha realm to use as a privilege filter.

* Set up relationship notifications.

* Added the test manager to the test user.

* Created an internal managers role with privileges and assigned the internal role to the test manager user.

## Validation

You are now ready to validate the configuration.

### Steps

1. In an incognito browser window, go to the hosted pages sign-on URL.

2. In the Sign In page, enter the username and password for `testmanager1`, and then click Next.

   Alpha realm - User appears as a menu option on the left menu pane, enabling managers to view and manage their direct reports.

   ![Manage reports through the hosted account pages](_images/use-case-manage-reports/use-case-managers-end-user-ui.png)

3. Click Alpha realm - User.

   The manager's direct reports are listed (just `testuser1` in this example).

   ![Manager's reports listed in the hosted account pages](_images/use-case-manage-reports/use-case-managers-end-user-ui-test-users.png)

4. Click `testuser1`.

   ![Testuser1 details in hosted account pages](_images/use-case-manage-reports/use-case-managers-end-user-managed-user.png)

The manager can make updates to their report users' details based on the attribute permissions defined in the internal role.

## Explore further

### Reference material

| Reference                                                                                                                                                       | Description                                                                                                             |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| [Advanced Identity Cloud identity schema](../identities/identity-cloud-identity-schema.html)                                                                    | An overview of the identity schema used to organize users, roles, assignments, groups, organizations, and applications. |
| [Relationships](../planning/plan-object-modeling-relationships.html)                                                                                            | An overview of relationships in the identity model.                                                                     |
| [Relationship-derived virtual properties (RDVPs)](../idm-objects/managed-object-virtual-properties.html)                                                        | An overview of virtual properties that can be calculated based on relationships and relationship notifications.         |
| [Roles and assignments](../identities/roles-assignments.html)                                                                                                   | An overview of building an entitlement structure in Advanced Identity Cloud.                                            |
| [Modeling Identities - ForgeRock University](https://backstage.forgerock.com/university/forgerock/on-demand/path/TGVhcm5pbmdQYXRoOjEy/chapter/Q291cnNlOjE2MTgx) | On-demand training videos and demos on identity modeling in Advanced Identity Cloud.                                    |
