title: Manager Resolution & Org Charts
category: Synchronization
tags: manager, resolution, hierarchy, org-chart, lookup, reporting-chain
priority: Normal
Manager Resolution & Org Charts
IdentityCenter automatically builds your organizational hierarchy by resolving manager relationships from Active Directory. This enables manager-based access reviews, reporting chains, and organizational insights.
How Manager Resolution Works
Active Directory stores manager relationships as Distinguished Name (DN) references. For example, a user's manager attribute might contain:
CN=Jane Doe,OU=Managers,OU=Users,DC=corp,DC=local
This is just a text reference — it doesn't tell you anything useful on its own. IdentityCenter resolves these references into actual linked relationships:
- During sync, the user object is imported with its raw managerDN value
- The Lookup step searches for the manager DN among all synced objects
- When found, the user is linked to their manager's record
- This builds a complete reporting chain from individual contributor up to CEO
What Gets Resolved
Manager resolution works for any object type that has a manager or managedBy attribute:
| Object Type | Manager Attribute | Use Case |
|---|---|---|
| Users | manager | Organizational reporting chain |
| Groups | managedBy | Group ownership and accountability |
| Computers | managedBy | Asset ownership |
| Contacts | manager | External contact relationships |
Viewing Manager Relationships
On User Detail Pages
When you open a user's detail page (Directory > Objects > click a user), the Overview tab shows:
- Manager — The user's direct manager (clickable link to their profile)
- Direct Reports — List of people who report to this user
Click the manager name to navigate up the chain. Click a direct report to navigate down.
On Group Detail Pages
Groups show their Managed By field, which indicates who is responsible for the group. This is especially useful for:
- Routing access review decisions to the group owner
- Identifying who to contact about group membership questions
How It Affects Access Reviews
Manager resolution is critical for access reviews:
- Manager-Based Reviews — When you create a campaign with manager-based review assignment, each user's access is sent to their resolved manager for approval
- Escalation Chains — If a manager doesn't respond, the review can escalate up the reporting chain
- Delegation — Managers can delegate reviews to their direct reports or peers
Without manager resolution, manager-based access reviews would not know who to send reviews to.
Troubleshooting Manager Resolution
Some Users Show No Manager
Common causes:
- The user's manager attribute is empty in Active Directory
- The manager account hasn't been synced yet (run sync for all users first)
- The manager is in a different OU that isn't included in the sync scope
How to fix:
- Check if the user has a manager set in AD (use Active Directory Users and Computers or the Attributes tab in IdentityCenter)
- Ensure the manager's user object has been synced
- If the manager is in a different OU, expand your sync scope to include it
Manager Shows as "Unresolved"
This means the DN reference exists but IdentityCenter couldn't find a matching synced object.
Common causes:
- The manager account is disabled and was excluded from sync
- The manager DN points to a deleted or moved object
- The manager is in a different domain/forest that isn't connected
How to fix:
- Verify the manager DN exists in AD
- Check that your sync includes disabled accounts (if the manager is disabled)
- If the manager is in another domain, create a connection to that domain
Circular Manager References
Occasionally, AD data contains circular manager references (User A → User B → User A). IdentityCenter detects and handles these gracefully without creating infinite loops.
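The Lookup step and the three troubleshooting cases above (no manager, unresolved, circular) can be reproduced against an export of your own directory. The following Python is an added example, not IdentityCenter's code: the record layout (dn and manager keys), the function names and the sample entries are assumptions constructed for illustration, and DN matching is simplified to a trimmed, case-insensitive string comparison.

```python
# Added example (not IdentityCenter code); all records below are constructed.
BASE = "OU=Users,DC=corp,DC=local"
SAMPLE = [
    {"dn": f"CN=Ceo,{BASE}", "manager": None},
    {"dn": f"CN=Jane Doe,OU=Managers,{BASE}", "manager": f"CN=Ceo,{BASE}"},
    # Same DN in different case: must still match Jane's record.
    {"dn": f"CN=Sam,{BASE}", "manager": f"cn=jane doe,ou=managers,{BASE.lower()}"},
    # Manager object is outside the synced set (disabled, moved or other OU).
    {"dn": f"CN=Pat,{BASE}", "manager": f"CN=Gone,OU=Disabled,{BASE}"},
    # Circular pair: A -> B -> A.
    {"dn": f"CN=A,{BASE}", "manager": f"CN=B,{BASE}"},
    {"dn": f"CN=B,{BASE}", "manager": f"CN=A,{BASE}"},
]

def norm(dn):
    """Simplified DN normalisation: trim and case-fold (assumption)."""
    return dn.strip().casefold() if dn else None

def resolve_managers(objects):
    """Lookup step: map each object's DN to (status, manager DN or None)."""
    by_dn = {norm(o["dn"]): o for o in objects}
    links = {}
    for key, obj in by_dn.items():
        mgr = norm(obj.get("manager"))
        if mgr is None:
            links[key] = ("no_manager", None)
        elif mgr not in by_dn:
            links[key] = ("unresolved", None)   # DN set, no synced match
        else:
            links[key] = ("resolved", mgr)
    return links

def reporting_chain(start_dn, links):
    """Walk upward; return (chain, reason the walk stopped)."""
    current = norm(start_dn)
    chain, seen = [], {current}
    while True:
        status, mgr = links[current]
        if status != "resolved":
            return chain, status        # "no_manager" means top of the chain
        if mgr in seen:
            return chain, "circular"    # already visited: stop, do not loop
        chain.append(mgr)
        seen.add(mgr)
        current = mgr

if __name__ == "__main__":
    links = resolve_managers(SAMPLE)
    for obj in SAMPLE:
        chain, end = reporting_chain(obj["dn"], links)
        print(obj["dn"], "->", len(chain), "level(s), ended:", end)
```

Any object whose walk ends in unresolved or circular has no usable approver or escalation path for a manager-based review, so list those objects before launching a campaign.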
Best Practices
- Sync all users first — Run a full user sync before relying on manager resolution. Both the user and their manager must be synced for the link to resolve.
- Keep manager data clean in AD — IdentityCenter reflects what's in your directory. If managers are wrong in AD, they'll be wrong here too.
- Sync disabled accounts — If managers leave and their accounts are disabled, you may want to include disabled accounts in your sync to preserve the reporting chain history.
- Check resolution after initial sync — After your first sync, browse some users and verify their manager links resolved correctly.
Next Steps
- Creating a Sync Project — Configure sync with manager attributes
- Access Reviews — Use manager-based review assignment
- Directory Browser — View resolved manager relationships