Alternate Manager Lookup

Overview

Alternate manager lookups provide enhanced review auto-assignment by allowing Veza to identify managers from multiple sources of identity metadata. This is particularly useful if your organization has complex identity structures with more than one identity provider (IdP).

You may need to configure an alternate identity provider for manager assignments to enable:

• Automatic manager assignment for contractors tracked in a separate IdP (e.g., a custom OAA IdP) with managers from a primary IdP (e.g., Okta).

• Auto-assigning access reviews involving users in the main IdP (e.g., Okta Users), when manager information is maintained in another system (e.g., Oracle HCM).

By supporting cross-source manager lookups, Veza ensures consistent and accurate access review assignments, regardless of where user or manager identities are maintained.

Example Implementation

Alternate lookups are intended for situations where you have a primary identity provider and additional sources of identity in another system. For example, you might import identity data for contractors via a custom CSV, and want to have their access reviewed by managers who are Okta users. In this case, you want to ensure that:

• Contractor access reviews are assigned to their actual managers (who are Okta users).

• Even if the contractor identity lacks a direct manager attribute in the custom IdP, Veza can still identify the correct manager from Okta.

With an alternate manager lookup, you can configure Okta as a primary IdP, and a the imported CSV provider as the secondary IdP. When a contractor's access is reviewed, the system will first check if they have a linked user in Okta. If no linked user or manager is found, it uses the alternate lookup settings to find the appropriate manager in Okta.

How It Works

When creating an Access Review, administrators can choose to auto-assign rows to individual managers. Veza will identify managers using one or more identity providers.

For auto-assignment to function:

• Users in the review must be linked to an identity, either in the main IdP, or one of the alternate lookups. This connection is made based on the attribute mapping in your Global IdP settings.

• The connected identities must have an attribute that contains one or more identifiers used to look up each user's manager(s). The attribute could be managers or any other attribute configured in your settings (manager_identity_property). The value in this attribute must match the value of the main IdP's user_identity_property.

Veza supports looking up managers from both primary and alternate identity providers:

2. Alternate Manager Lookup Settings: When the primary lookup fails, the system can use one or more alternate IdP settings to find managers.

The lookup settings configuration includes:

• User Type: The type of user in the alternate IdP User, e.g., OAA.Oracle HCM.HRISEmployee

• User Identity Property: The property used to identify users across systems, e.g., customprop_manager_employee_number

• Manager Identity Property: The property containing the manager reference, e.g., customprop_manager_employee_number

• Instance Id Property: The property containing the instance ID, e.g., datasource_id

• Instance Id: The ID of the alternate IdP instance, e.g., 05bbc13d-bf25-45f2-ba09-03e5625a3b66

Order matters when configuring more than one alternate source of identity. Veza will check the primary IdP first, then the first alternate lookup, then the second, and so on, until a manager is found or all options are exhausted.

Notes:

• For reviews initiated using the main IdP (e.g., Okta), the system will look up managers from alternate sources (e.g., Oracle HCM).

• The system will also try alternate lookup methods if the primary lookup fails.

• The manager identity property can contain a single value or a list of values.

Manager Lookup Process Flow

API Configuration

Currently, identity providers for review auto-assignment are managed using a private/ API request. Your Veza support representative can help configure this global setting.

• PUT /api/private/workflows/access/global_settings/idp_settings

• GET /api/private/workflows/access/global_settings/idp_settings

The global IdP settings request takes an idp settings object for the primary IdP configuration, and one or more secondary IdPs defined in alternate_manager_lookup_settings

For example:

{
    "value": {
        "enabled": true,
        "idp": {
            "auth_provider_id": "87549440-ef3d-4f8c-a3d8-ed1569a79ed6",
            "user_type": "OktaUser",
            "instance_id": "instance.okta.com",
            "user_identity_property": "employee_id",
            "instance_id_property": "datasource_id",
            "manager_identity_property": "x_manager_id"
        },
        "alternate_manager_lookup_settings": [
            {
                "user_type": "OAA.Oracle HCM.HRISEmployee",
                "instance_id": "05bbc13d-bf25-45f2-ba09-03e5625a3b66",
                "user_identity_property": "employee_number",
                "instance_id_property": "datasource_id",
                "manager_identity_property": "managers"
            },
            {
                "user_type": "OAA.Contractors.IDPUser",
                "instance_id": "9fb32fc1-4db2-4ac6-9ab1-b5c24836ddd4",
                "user_identity_property": "idp_unique_id",
                "instance_id_property": "datasource_id",
                "manager_identity_property": "customprop_manager_employee_number"
            }
        ]
    }
}