It should be possible to use DN's in helpdesk profiles.
E.g. create a profile where managers can reset password for direct reports based on the manager-directReports DN relationship. Of course it shouldn't be limited to just those attributes but any DN type attributes.