title: Manager Resolution & Org Chart
category: Organization
tags: manager, resolution, org-chart, hierarchy, dn
priority: Normal
Manager Resolution & Org Chart
Manager resolution is the process by which IdentityCenter transforms raw Distinguished Name (DN) references from Active Directory into navigable organizational relationships. This process is fundamental to building the org chart, routing access reviews, and enforcing manager-based governance policies.
How the Manager Attribute Works in Active Directory
In Active Directory, the manager attribute on a user object stores the Distinguished Name (DN) of that user's manager. For example:
User: CN=Jane Smith,OU=Finance,DC=contoso,DC=com
Manager: CN=Bob Johnson,OU=Finance,DC=contoso,DC=com
The DN is a reference to another AD object, not a simple name or identifier. This means IdentityCenter must resolve the DN to an internal record to build the relationship.
The Resolution Process
Manager resolution occurs during the synchronization pipeline, specifically in the Lookup step. The process works as follows:
Sync Pipeline
├── Directory Query (fetch objects with attributes)
├── Attribute Mapping (map AD attributes to IdentityCenter fields)
├── Bulk Upsert (write objects to database)
├── Lookup Step (resolve manager DNs to ObjectIds) <-- Manager resolution
└── Post-Processing
Step-by-Step Resolution
1. Read the source DN - During sync, the manager attribute is read from each AD object and stored as ManagerSourceId (the raw DN string).
2. Search for the target object - The Lookup step searches the IdentityCenter database for an object whose DN matches the ManagerSourceId value and whose SourceConnectionId matches the same connection.
3. Resolve to ObjectId - When a match is found, the resolved object's Id (a GUID) is written to the ManagerObjectId field on the source object.
4. Mark unresolved - If no match is found, ManagerObjectId remains null and the object appears as "unmanaged" in the Organization Center.
| Field | Type | Description |
|---|---|---|
| ManagerSourceId | String | Raw DN from the AD manager attribute |
| ManagerObjectId | Guid (nullable) | Resolved internal ID of the manager object |
| DN | String | The object's own Distinguished Name |
| SourceConnectionId | Guid | The connection this object was synced from |
Cross-Connection Resolution
Manager resolution is scoped to a single connection by default. If a user in Connection A has a manager DN that points to an object in Connection B, the resolution will not find a match within Connection A.
For cross-forest manager relationships, ensure both forests are synced and consider using identity-level manager resolution (described below).
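The Lookup step and its connection scoping, as an added Python simulation (not IdentityCenter's code). The field names follow the table above; the DN normalization, the return values, the connection GUIDs and the sample objects are assumptions of this example. The normalization compares DNs case-insensitively and ignores blanks around separators, which is how AD itself matches DNs; the page only says the DN must "match", so treat that as an assumption about the Lookup step. The sample shows one same-connection match with differently cased DNs, one DN that points into another connection (left unresolved), and one object with no manager attribute at all, which is a different symptom and is not reported as unresolved.

```python
"""Simulated Lookup step: resolve each object's ManagerSourceId (the DN
copied from the AD manager attribute) to the ManagerObjectId of the synced
object with that DN, scoped to one SourceConnectionId.

Added example; field names follow the page, everything else (DN
normalization, return values, sample data) is this example's own assumption.
"""
from dataclasses import dataclass
from typing import Optional
import uuid

CONN_A = uuid.UUID(int=0xA)   # constructed connection ids
CONN_B = uuid.UUID(int=0xB)


@dataclass
class SyncedObject:
    Id: uuid.UUID
    DN: str
    SourceConnectionId: uuid.UUID
    ManagerSourceId: Optional[str] = None      # raw DN from AD, None if unset
    ManagerObjectId: Optional[uuid.UUID] = None


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not backslash-escaped (RFC 4514), so
    'CN=Smith\\, Jane,OU=Finance,...' keeps the escaped comma in the CN."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return rdns


def normalize_dn(dn: str) -> str:
    """Comparison key: AD matches DNs case-insensitively and ignores blanks
    around '=' and ','. Assumption: the Lookup step compares DNs the same way
    (the page only says the DN must 'match')."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip()}={value.strip()}")
    return ",".join(parts).lower()


def run_lookup_step(objects, connection_id):
    """Resolve managers for one connection in a single pass.

    Returns (resolved_count, unresolved_dns); the second value is what an
    executor would log for troubleshooting. Objects whose ManagerSourceId is
    empty are not 'unresolved', they simply have no manager set in AD."""
    # Only objects from the same connection are candidate managers.
    index = {normalize_dn(o.DN): o.Id
             for o in objects if o.SourceConnectionId == connection_id}
    resolved, unresolved = 0, []
    for o in objects:
        if o.SourceConnectionId != connection_id:
            continue
        if not o.ManagerSourceId:
            o.ManagerObjectId = None
            continue
        target = index.get(normalize_dn(o.ManagerSourceId))
        if target is None:
            o.ManagerObjectId = None      # shows as 'unmanaged' in the Org Center
            unresolved.append(o.DN)
        else:
            o.ManagerObjectId = target
            resolved += 1
    return resolved, unresolved


def build_sample():
    """Constructed objects: Jane -> Bob (same connection, odd casing in the
    manager DN), Bob -> Carol (Carol lives in Connection B), Tom (no manager)."""
    return [
        SyncedObject(uuid.UUID(int=1), "CN=Jane Smith,OU=Finance,DC=contoso,DC=com", CONN_A,
                     "cn=Bob Johnson, ou=Finance, dc=contoso, dc=com"),
        SyncedObject(uuid.UUID(int=2), "CN=Bob Johnson,OU=Finance,DC=contoso,DC=com", CONN_A,
                     "CN=Carol White,OU=Execs,DC=fabrikam,DC=com"),
        SyncedObject(uuid.UUID(int=3), "CN=Carol White,OU=Execs,DC=fabrikam,DC=com", CONN_B),
        SyncedObject(uuid.UUID(int=4), "CN=Tom Wilson,OU=Finance,DC=contoso,DC=com", CONN_A),
    ]


if __name__ == "__main__":
    objs = build_sample()
    count, missing = run_lookup_step(objs, CONN_A)
    print(f"resolved {count}, unresolved: {missing}")
```

Running it for CONN_A resolves Jane to Bob, reports Bob's DN as unresolved (his manager is in Connection B), and leaves Tom with a null ManagerObjectId without logging him, which is the distinction the troubleshooting section below draws between a missing attribute and an unsynced manager.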
Two Levels of Manager Relationships
IdentityCenter maintains manager relationships at two levels:
Object-Level Manager
The object-level manager relationship links one AD object (account) to another AD object (the manager's account). This is the direct result of the Lookup step resolution.
| Source | Target | Relationship |
|---|---|---|
| AD User Object (Jane Smith) | AD User Object (Bob Johnson) | Object-to-Object via ManagerObjectId |
This relationship is used by:
- The Organization Center's Manager view
- Sync pipeline post-processing
- Directory-level reporting
Identity-Level Manager
The identity-level manager relationship links one Person (identity) to another Person. This is established after object-to-person matching, where IdentityCenter determines which Person record each object belongs to.
| Source | Target | Relationship |
|---|---|---|
| Person (Jane Smith) | Person (Bob Johnson) | Person-to-Person via ManagerPersonId |
This relationship is used by:
- Access review routing (route to the person's manager)
- Workflow approvals (manager approval steps)
- Policy evaluation (manager-based policies)
The identity-level manager is derived from the object-level manager. When Jane Smith's AD object has Bob Johnson's AD object as its manager, and both objects are matched to their respective Person records, the Person-to-Person relationship is created automatically.
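How the Person-to-Person relationship falls out of the object-level one, as an added Python example rather than IdentityCenter's own code. ManagerObjectId and ManagerPersonId are the page's names; the PersonId field, the conflict handling and the sample accounts are assumptions of this example. It covers the multi-account case the Best Practices section mentions: a person with a normal and an admin account gets one manager as long as every account that resolves agrees, and accounts not yet matched to a Person contribute nothing.

```python
"""Derive the identity-level (Person-to-Person) manager from the object-level
(account-to-account) one, after object-to-person matching.

Added example, not IdentityCenter code: ManagerObjectId and ManagerPersonId
are the page's names; PersonId, the conflict handling and the sample data
are assumptions."""
from dataclasses import dataclass
from typing import Optional
import uuid

# Constructed Person ids.
PERSON_JANE = uuid.UUID(int=1001)
PERSON_BOB = uuid.UUID(int=1002)
PERSON_CAROL = uuid.UUID(int=1003)
PERSON_TOM = uuid.UUID(int=1004)


@dataclass
class SyncedObject:
    Id: uuid.UUID
    DN: str
    PersonId: Optional[uuid.UUID]          # set by object-to-person matching
    ManagerObjectId: Optional[uuid.UUID]   # set by the Lookup step


def derive_person_managers(objects):
    """Return ({PersonId: ManagerPersonId}, {PersonId: {candidate manager ids}}).

    Accounts with no resolved manager, or not yet matched to a Person, are
    skipped. If two accounts of the same person resolve to different manager
    persons the person is reported as a conflict and gets no manager, rather
    than silently picking whichever account was processed last."""
    by_id = {o.Id: o for o in objects}
    managers, conflicts = {}, {}
    for o in objects:
        if o.PersonId is None or o.ManagerObjectId is None:
            continue
        mgr = by_id.get(o.ManagerObjectId)
        if mgr is None or mgr.PersonId is None:
            continue                       # manager account not matched yet
        if mgr.PersonId == o.PersonId:
            continue                       # account pointing at the same person's other account
        current = managers.get(o.PersonId)
        if current is not None and current != mgr.PersonId:
            conflicts.setdefault(o.PersonId, {current}).add(mgr.PersonId)
            continue
        managers[o.PersonId] = mgr.PersonId
    for pid in conflicts:                  # no manager until AD data is corrected
        managers.pop(pid, None)
    return managers, conflicts


def build_sample():
    """Constructed accounts after the Lookup step and person matching."""
    u = lambda n: uuid.UUID(int=n)
    return [
        SyncedObject(u(11), "CN=Jane Smith,OU=Finance,DC=contoso,DC=com", PERSON_JANE, u(21)),
        SyncedObject(u(12), "CN=Jane Smith (admin),OU=Admins,DC=contoso,DC=com", PERSON_JANE, None),
        SyncedObject(u(21), "CN=Bob Johnson,OU=Finance,DC=contoso,DC=com", PERSON_BOB, u(31)),
        SyncedObject(u(31), "CN=Carol White,OU=Execs,DC=contoso,DC=com", PERSON_CAROL, None),
        SyncedObject(u(41), "CN=Tom Wilson,OU=Finance,DC=contoso,DC=com", PERSON_TOM, u(21)),
        SyncedObject(u(42), "CN=Tom Wilson (svc),OU=Service,DC=contoso,DC=com", PERSON_TOM, u(31)),
        SyncedObject(u(51), "CN=Unmatched User,OU=Temp,DC=contoso,DC=com", None, u(21)),
    ]


if __name__ == "__main__":
    managers, conflicts = derive_person_managers(build_sample())
    print(managers)
    print("conflicts:", conflicts)
```

Jane ends up managed by Bob even though her admin account carries no manager, Bob by Carol, and Tom is flagged because his two accounts disagree, which is exactly the kind of AD data issue a governance workflow should not route on.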
The InternalSyncStepExecutor
The InternalSyncStepExecutor is the component responsible for performing manager resolution during the sync pipeline. It handles:
- DN-to-ObjectId resolution - Matching the manager DN to an existing synced object
- Batch processing - Resolving managers in bulk for performance
- Circular reference detection - Identifying and skipping circular manager chains
- Logging - Recording unresolved managers for troubleshooting
The executor processes all objects for a given connection in a single pass after the objects have been upserted to the database.
Troubleshooting Unresolved Managers
When a manager relationship cannot be resolved, the identity appears without a manager in the Organization Center. Common causes and solutions:
Missing Manager Attribute
Symptom: The ManagerSourceId field is null or empty.
Cause: The manager attribute is not populated on the AD object.
Solution: Update the manager attribute in Active Directory using AD Users and Computers or PowerShell:
Set-ADUser -Identity "jsmith" -Manager "CN=Bob Johnson,OU=Finance,DC=contoso,DC=com"
Manager Account Not Synced
Symptom: ManagerSourceId contains a valid DN, but ManagerObjectId is null.
Cause: The manager's AD account has not been synced into IdentityCenter. This can happen when:
- The manager is in an OU that is excluded from the sync scope
- The manager is in a different connection that has not been synced
- The manager account was deleted or moved after the last sync
Solution:
- Verify the manager's DN exists in AD
- Check that the manager's OU is within the sync project's scope
- Run a sync to import the manager's account
- Run the Lookup step again (or a full sync) to resolve the relationship
Circular Manager References
Symptom: A chain of managers loops back to an earlier member (e.g., A manages B, B manages C, C manages A).
Cause: Incorrect manager attribute assignments in AD.
Solution:
- Identify the circular chain using the Organization Center or the sync logs
- Correct the manager attribute on the appropriate AD object to break the loop
- Re-sync to update the resolution
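A cycle check of the kind the InternalSyncStepExecutor section above attributes to the executor, and that the diagnosis step here relies on, as an added Python example (not IdentityCenter's code). The input is the resolved manager graph keyed by any identifier (DNs here for readability); an unresolved manager is simply absent. The sample chain is constructed. Because every object has at most one manager, each chain is walked once, and the result separates the loop members from the objects that merely report into a loop: both have a chain that never reaches a top-level manager, so both must be skipped by anything that walks up the hierarchy.

```python
"""Detect circular manager chains in a resolved manager graph.

Added example, not IdentityCenter code. Input: {object: manager_object or
None}; unresolved managers are absent from the mapping. Sample is constructed.
"""


def find_manager_cycles(manager_of):
    """Return (cycles, affected).

    cycles:   each cycle as a list of ids in manager order (A, B, C means
              A's manager is B, B's is C, C's is A).
    affected: ids whose chain never reaches a top-level manager, i.e. cycle
              members plus everyone reporting into a cycle; a sync step
              should skip these rather than loop forever.
    Every id has at most one manager, so each chain is walked once: O(n)."""
    verdict = {}      # id -> "ok" | "cycle"
    cycles, affected = [], set()
    for start in manager_of:
        if start in verdict:
            continue
        path, pos = [], {}
        node = start
        while node is not None and node not in verdict and node not in pos:
            pos[node] = len(path)
            path.append(node)
            node = manager_of.get(node)   # unknown/unresolved manager -> None
        if node is None:
            result = "ok"                 # reached the top of the chain
        elif node in pos:
            result = "cycle"
            cycles.append(path[pos[node]:])
        else:
            result = verdict[node]        # joins an already classified chain
        for n in path:
            verdict[n] = result
            if result == "cycle":
                affected.add(n)
    return cycles, affected


# Constructed: Alice -> Bob -> Carol -> Alice is a loop; Dave reports into it;
# Eve -> Frank is a healthy chain ending at a top-level manager.
SAMPLE = {
    "CN=Alice Ng,OU=Eng,DC=contoso,DC=com": "CN=Bob Johnson,OU=Eng,DC=contoso,DC=com",
    "CN=Bob Johnson,OU=Eng,DC=contoso,DC=com": "CN=Carol White,OU=Eng,DC=contoso,DC=com",
    "CN=Carol White,OU=Eng,DC=contoso,DC=com": "CN=Alice Ng,OU=Eng,DC=contoso,DC=com",
    "CN=Dave Brown,OU=Eng,DC=contoso,DC=com": "CN=Alice Ng,OU=Eng,DC=contoso,DC=com",
    "CN=Eve Park,OU=Eng,DC=contoso,DC=com": "CN=Frank Kim,OU=Eng,DC=contoso,DC=com",
    "CN=Frank Kim,OU=Eng,DC=contoso,DC=com": None,
}

if __name__ == "__main__":
    cycles, affected = find_manager_cycles(SAMPLE)
    for cycle in cycles:
        print("loop:", " -> ".join(cycle))
    print("objects with no terminating chain:", len(affected))
```

The cycle list tells you which manager attribute to correct (any one edge of the loop breaks it); the affected set is the larger population that stays unroutable until you do.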
Stale Manager DN
Symptom: ManagerSourceId holds a DN that no longer exists in AD.
Cause: The manager account was renamed, moved to a different OU, or deleted after IdentityCenter last synced the user, so the cached ManagerSourceId no longer matches the DN of any synced object. Note that AD itself does not hold a dangling value here: manager is a linked, DN-syntax attribute, so when the manager object is renamed or moved within the forest AD rewrites the stored DN, and when the manager object is deleted AD removes the link. A stale DN in IdentityCenter therefore means its copy is behind AD, not that the reference in AD is broken.
Solution:
- Re-sync the connection so that ManagerSourceId picks up the manager's current DN and the Lookup step can resolve it again
- If the manager object was deleted, AD has cleared the attribute; set the manager attribute on the affected user to the replacement manager's DN and re-sync
Tip: A rename or move of the manager object does not by itself break the relationship, because AD keeps linked DN attributes consistent. A delete-and-recreate does break it: the recreated account is a new object with a new objectGUID, and the old link was removed with the deleted object, so the manager attribute has to be set again.
Bulk Manager Assignment
For organizations with many unresolved manager relationships, IdentityCenter supports bulk manager assignment:
- Navigate to the Organization Center (/admin/organization)
- Switch to the Manager view
- Locate the Unmanaged section
- Select multiple identities using the checkboxes
- Click Assign Manager
- Search for and select the manager
- Confirm the assignment
Bulk assignment updates the ManagerObjectId directly in IdentityCenter. To persist these changes back to Active Directory, ensure write-back is enabled for your connection. The Object Write-Back Service will update the manager attribute in AD.
Viewing the Org Chart
The Organization Center's Manager view presents the org chart as an expandable tree:
CEO (Bob Johnson)
├── VP Engineering (Sarah Chen)
│ ├── Director, Backend (Mike Davis)
│ │ ├── Senior Engineer (Jane Smith)
│ │ └── Engineer (Tom Wilson)
│ └── Director, Frontend (Lisa Park)
│ └── Senior Engineer (Alex Kim)
└── VP Finance (Carol White)
├── Controller (David Brown)
└── Financial Analyst (Emily Green)
Each node in the tree shows:
- Name and Title
- Direct reports count
- Department
- Account status (active, disabled, expired)
Click any manager to expand their direct reports. Click on an individual identity to navigate to their detail page.
Best Practices
Sync managers before running resolution - Ensure that manager accounts are imported into IdentityCenter before running the Lookup step. If managers are in a separate OU or connection, sync that source first.
Maintain clean AD data - The accuracy of the org chart depends entirely on the manager attribute in AD. Implement processes to keep this attribute current when organizational changes occur.
Monitor unresolved counts - Track the number of unmanaged identities over time. A sudden increase may indicate a sync scope change or AD data issue.
Use identity-level managers for governance - When configuring access reviews, workflows, and policies, prefer the identity-level manager relationship. This ensures governance actions are routed to the correct person even when an identity has multiple accounts.
Handle cross-forest scenarios - If your organization spans multiple AD forests, plan your sync and resolution strategy to account for cross-forest manager references.
Next Steps
- Organization Center - Explore the full Organization Center interface
- Synchronization Overview - Understand the sync pipeline that feeds manager resolution
- Manager Resolution in Sync - Technical details of sync-level manager resolution
- Access Reviews Overview - Route reviews using manager relationships
- Policies Overview - Create manager-based governance policies