Symantec IGA

  • 1.  IAM Managed E-Mail Policies -- "Manager" recipient is null

    Posted Apr 22, 2015 04:56 PM

    Environment: CA Identity Manager R12.6 SP5 (CORP=PROV)

     

    I'm trying to convert some email templates to managed e-mail policies, and I want the Recipient TO: to be the "Manager" of the "User".  The email templates are able to do this with _util.getNotifiers("USER_MANAGER","ManagerLookup=commonattribute").  Managed e-mail policies have a "canned" function for "Manager", as described in the Administration Guide:

     

    Manager

    Sends the email to the manager of the user whom the task has been performed on.

    Note: To use the Manager recipient option, configure the manager attribute for the environment. To configure the manager attribute, go to Environments, EnvironmentName, Advanced Settings, Miscellaneous in the Management Console. Set managerattribute to the name of the physical attribute that stores the unique name of a user's manager.

     

    We don't use a physical attribute to store the unique name of a user's manager.  In other roles and tasks, we prefer to use a dynamic query that looks for the user's manager based on the user's %DEPARTMENT% attribute, and on the manager's %TITLE% attribute.  We also have these User Defined Properties in our management console:

     

    Property           Value
    ismanagerfilter    %TITLE% EQUALS Branch Chief
    managerattribute   manager
    commonattribute    %DEPARTMENT%

     

     

    I'm guessing that the managed e-mail policies "Manager" recipient is using the "managerattribute" value, when we really want it to use the "commonattribute/ismanagerfilter" method, instead.  Is that something we can change?  If not, how else might we be able to get a user's manager's e-mail address dynamically, for use by the managed e-mail policy?

     

    Thanks in advance for your time and help.



  • 2.  Re: IAM Managed E-Mail Policies -- "Manager" recipient is null
    Best Answer

    Posted Apr 23, 2015 10:32 AM

    I think I answered the second question on my own, "how else might we get a user's manager?"  Here's how I did it, in case anyone else is interested, or can recommend a better way to do it.

     

    First, I created a Group for the managers, as a prerequisite step.  All of the managers for all of the departments are made members of this group.  While I did this manually, I can imagine it would be easy to set up an Identity Policy to automatically populate that group in the future, by triggering off the Title attribute.  I also tested it using Access Roles and Admin Roles, which were created previously for other tasks.

     

    The "trick" is to use the group/role members list to identify all of the managers, and use the System/List Iterator function of Custom Data Elements to step through each one of them, capturing their email addresses in another CDE.  A Comparator CDE is then used to evaluate the user's department string against the manager's department string.  Finally, an Entry Rule tests for the value returned by the Comparator CDE, proceeding with the email policy only when it returns "EQUALS" (the user's dept matches the manager's dept).  The email policy uses the captured manager email CDE as the Recipient TO value.

     

    Custom Data Elements

    Data Name       Category           Type                           Sub type
    User Name       Tasks and Events   Event Information              Subject Name
    User Dept       Attributes         Attribute of a Specific User   Get
    Dept Managers   Groups             Group Members List             Get Members' User IDs
    Manager Name    System             List Iterator                  Next Value
    Manager Dept    Attributes         Attribute of a Specific User   Get
    Manager Email   Attributes         Attribute of a Specific User   Get
    Match Dept      Comparators        Comparator                     Compare Strings

     

    Data Element: Dept Managers

    Name:  Dept Managers

    Category:  Groups

    Type:  Group Members List

    Function:  Get Members' User IDs

    Group Name:  Department Managers Group

     

    Data Element: Manager Name

    Name:     Manager Name

    Category:     System

    Type:     List Iterator

    Function:     Next Value

    Value or List:     {'Dept Managers'}

     

    Data Element: Match Dept

    Name:     Match Dept

    Category:     Comparators

    Type:     Comparators

    Function:     Compare Strings

    First String:     {'User Dept'}

    Second String:    {'Manager Dept'}

     

    Email Entry Rules

    Match Dept Equals "EQUALS"

     

    My only concern is that this approach may be "expensive", as the CDE System/List Iterator function restarts the entire policy for each item in the list provided.  Our environment has 15 departments, so the policy executes 15 times.  The email itself is generated only when the Entry Rule matches, so it's not sending 15 emails -- it sends only 1 per match (assuming that there's a one-to-one relationship between manager and department).

     

    What do you think?  I welcome your feedback.  Thanks!
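
Added example, not part of the original posts and not CA Identity Manager code: a JavaScript model of the iterate-and-compare policy described in reply 2, with a check of its stated one-to-one manager/department assumption. The user records, group list and function names are constructed for illustration, and the exact-match string comparison is an assumption about how Compare Strings behaves.

```javascript
// Model only: does not call CA Identity Manager. All records are constructed sample data.
const users = [
  { id: "jdoe",   dept: "Finance", email: "jdoe@example.test" },
  { id: "mlee",   dept: "Finance", email: "mlee@example.test" },
  { id: "asmith", dept: "HR",      email: "asmith@example.test" },
  { id: "rkhan",  dept: "HR",      email: "rkhan@example.test" },
  { id: "tcho",   dept: "HR",      email: "tcho@example.test" },
  { id: "bwong",  dept: "Legal",   email: "bwong@example.test" },
];
// Members of the managers group; "gone" is a stale ID with no user record.
const managersGroup = ["mlee", "rkhan", "tcho", "gone"];

// One policy pass per group member (List Iterator); the Entry Rule keeps
// only passes where the departments compare equal (exact match assumed).
function recipientsFor(userId, users, groupMembers) {
  const byId = new Map(users.map((u) => [u.id, u]));
  const user = byId.get(userId);
  if (!user) return [];
  const recipients = [];
  for (const mgrId of groupMembers) {
    const mgr = byId.get(mgrId);
    if (mgr && mgr.email && mgr.dept === user.dept) recipients.push(mgr.email);
  }
  return recipients;
}

// Reports where the one-manager-per-department assumption does not hold.
function auditDepartments(users, groupMembers) {
  const byId = new Map(users.map((u) => [u.id, u]));
  const managersByDept = new Map(users.map((u) => [u.dept, []]));
  const stale = [];
  for (const id of groupMembers) {
    const mgr = byId.get(id);
    if (mgr) managersByDept.get(mgr.dept).push(id);
    else stale.push(id);
  }
  const none = [];
  const multiple = [];
  for (const [dept, mgrs] of managersByDept) {
    if (mgrs.length === 0) none.push(dept);        // no email is sent at all
    else if (mgrs.length > 1) multiple.push(dept); // one email per manager
  }
  return { none, multiple, stale };
}

console.log(recipientsFor("asmith", users, managersGroup));
console.log(auditDepartments(users, managersGroup));
```

In this model a manager who is the subject of the task matches their own department, so the notification goes to that same person.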



  • 3.  Re: IAM Managed E-Mail Policies -- "Manager" recipient is null

    Posted Jul 16, 2015 10:26 AM

    So does this mean it's the best/only answer?  Thanks!