Connector limitations
RSA Archer GRC Platform supports business-level management of governance, risk management, and compliance (GRC). It lets users adapt solutions to their own requirements, build new applications, and integrate with external systems without interacting with code.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector Name - <RSA Archer>
-
Username
-
Password
-
Instance Name - <Tenant ID ex: 324022>
-
User Record Creation - <Is record creation needed> [only in v3.0]
-
Profile Module ID - <Internal ID of an application as specified in the Application Builder Application Detail Report ex: 486>
-
Profile ID - <User Profile ID ex: 239109>
-
Environment(ISMS) - <Cloud application's environment ex: Test, Prod> [only in v1.0 and v2.0]
-
Field ID - <Filed Id to get specific attribute ex: 18746>
-
Reporting Filter Field Id - <Reporting Filter Field Id> [only in v3.0]
-
ISMS Group Functionality - <Is ISMS Group Functionality Required> [only in v3.0]
-
ISMS Id - <ISMS Id> [only in v3.0]
-
ISMS Module Id - <ISMS Module Id> [only in v3.0]
-
ISMS Name - <ISMS Name> [only in v3.0]
-
ISMS Coach - <ISMS Coach> [only in v3.0]
-
ISMS Lead - <ISMS Lead> [only in v3.0]
-
ISMS Lead Backup - <ISMS Lead Backup> [only in v3.0]
-
Profiles Resource - <Is Profiles Resource Required> [only in v3.0]
-
Delete User - <Is permanent User Delete Required> [only in v3.0]
-
SCIM URL - <Cloud application's instance URL used as targetURI in payload>
-
Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).
Supported objects and operations
Users
Table 28: Supported operations for Users
Create |
POST |
Update |
PUT |
Get (Id) |
GET |
Get |
GET |
Pagination |
GET |
Delete |
DELETE |
NOTE:The Delete User operation is supported only in v3.0
Groups
Table 29: Supported operations for Groups
Update (Id) |
PUT |
Get (Id) |
GET |
Get |
GET |
NOTE:The Archer API supports the CREATE Group, DELETE Group and DELETE User operations, but they are currently unavailable in the connector. If you need the connector to support these operations, please contact support.
Roles
Table 30: Supported operations for Roles
Get (Id) |
GET |
Get |
GET |
Update |
PUT |
Profiles
Table 31: Supported operations for Profiles
Get (Id) |
GET |
Get |
GET |
Mandatory fields
Users
-
userName
-
name.givenName
-
name.familyName
-
active
Groups
Mappings for RSA Archer versions
The user and group mappings for RSA Archer version are listed in the tables below.
Table 32: User mapping for RSA Archer version
Active |
system.status |
Address.country |
-- |
Address.formatted |
address |
Address.locality |
-- |
Address.postalCode |
-- |
Address.region |
-- |
Address.streetAddress |
-- |
Emails |
contactItems.value if <contactItems.type = Email> |
Extension.Company (only in v3.0) |
system.company |
Extension.Notes (only in v3.0) |
notes |
Extension.SecurityParameter (only in v3.0) |
system.securityParameter |
Extension.UserDomain (only in v3.0) |
system.userDomain |
Groups.Id |
groups.id |
Groups.Name |
groups.name |
Id |
system.userId |
Locale |
system.locale |
Name.FamilyName |
name.last |
Name.GivenName |
name.first |
Name.MiddleName |
name.middle |
PhoneNumbers |
contactItems.value if <contactItems.type = phone> |
Roles.Id |
roles.id |
Roles.Name |
roles.Name |
Timezone |
timeZone.id |
Title |
system.title |
UserName |
system.userName |
Table 33: Roles mapping for RSA Archer version
id |
id |
Name |
name |
Members.value |
RoleMemberships[].RequestedObject.UserIds[] |
Table 34: Profiles mapping for RSA Archer version
id |
Profile Id from the Starling UI Config |
- The Created date and last modified date is not retrieved for users / groups.
-
Cursor based pagination for Users is supported but pagination is not supported for groups.
-
User's contact information cannot be created or updated.
-
The following fields are read-only:
-
Except the 401 error for Unauthorized and 400 error for Bad Requests, the application returns HTTP status code 500 for all other errors.
-
If members are provided in group create/update request, the member type is mandatory to differentiate between a user or a group member.
-
RSA Archer ISMS Groups that are retrieved in the Standard GROUPS object type are read-only.
NOTE:Test Connection validates the target system credentials and endpoints but not the configuration parameters.
- For the feature Update User's default Email, RSA Archer provides an option to update contact information. However, the API document does not have any information about how to pass ContactRecordId into update contact info. The operation fails with a BadRequest error. As a workaround, the existing default email ID is deleted and the required email ID is created.
-
While doing role memberships update, it is not possible to remove those users that only have this role assigned to it (no other role assigned).
Connector versions and features
The following subsections describe the different connector version(s) and features available with them.
Features available exclusively in RSA Archer v.2.0
Following are the features that are available exclusively in RSA Archer v.2.0:
In version 2.0 of the connector, the following fields have been removed from User Mapping and schema:
- StreetAddress
- Locality
- Country
- PostalCode
NOTE: To avoid any breakage in the existing system, these changes have been implemented only in the version 2.0 of the connector.
Features available exclusively in RSA Archer v.3.0
-
v3.0 of the Archer connector, supports generic User, Groups, Roles and Profiles endpoints.
-
The ids for each resource is modified as id@ResourceName - > where ResourceName can be User, Group, Role & Profile.
-
Supports update role to manage the role memberships.
Connector versions and features
RSA Archer GRC Platform supports business-level management of governance, risk management, and compliance (GRC). It lets users adapt solutions to their own requirements, build new applications, and integrate with external systems without interacting with code.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector Name - <RSA Archer>
-
Username
-
Password
-
Instance Name - <Tenant ID ex: 324022>
-
User Record Creation - <Is record creation needed> [only in v3.0]
-
Profile Module ID - <Internal ID of an application as specified in the Application Builder Application Detail Report ex: 486>
-
Profile ID - <User Profile ID ex: 239109>
-
Environment(ISMS) - <Cloud application's environment ex: Test, Prod> [only in v1.0 and v2.0]
-
Field ID - <Filed Id to get specific attribute ex: 18746>
-
Reporting Filter Field Id - <Reporting Filter Field Id> [only in v3.0]
-
ISMS Group Functionality - <Is ISMS Group Functionality Required> [only in v3.0]
-
ISMS Id - <ISMS Id> [only in v3.0]
-
ISMS Module Id - <ISMS Module Id> [only in v3.0]
-
ISMS Name - <ISMS Name> [only in v3.0]
-
ISMS Coach - <ISMS Coach> [only in v3.0]
-
ISMS Lead - <ISMS Lead> [only in v3.0]
-
ISMS Lead Backup - <ISMS Lead Backup> [only in v3.0]
-
Profiles Resource - <Is Profiles Resource Required> [only in v3.0]
-
Delete User - <Is permanent User Delete Required> [only in v3.0]
-
SCIM URL - <Cloud application's instance URL used as targetURI in payload>
-
Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).
Supported objects and operations
Users
Table 28: Supported operations for Users
Create |
POST |
Update |
PUT |
Get (Id) |
GET |
Get |
GET |
Pagination |
GET |
Delete |
DELETE |
NOTE:The Delete User operation is supported only in v3.0
Groups
Table 29: Supported operations for Groups
Update (Id) |
PUT |
Get (Id) |
GET |
Get |
GET |
NOTE:The Archer API supports the CREATE Group, DELETE Group and DELETE User operations, but they are currently unavailable in the connector. If you need the connector to support these operations, please contact support.
Roles
Table 30: Supported operations for Roles
Get (Id) |
GET |
Get |
GET |
Update |
PUT |
Profiles
Table 31: Supported operations for Profiles
Get (Id) |
GET |
Get |
GET |
Mandatory fields
Users
-
userName
-
name.givenName
-
name.familyName
-
active
Groups
Mappings for RSA Archer versions
The user and group mappings for RSA Archer version are listed in the tables below.
Table 32: User mapping for RSA Archer version
Active |
system.status |
Address.country |
-- |
Address.formatted |
address |
Address.locality |
-- |
Address.postalCode |
-- |
Address.region |
-- |
Address.streetAddress |
-- |
Emails |
contactItems.value if <contactItems.type = Email> |
Extension.Company (only in v3.0) |
system.company |
Extension.Notes (only in v3.0) |
notes |
Extension.SecurityParameter (only in v3.0) |
system.securityParameter |
Extension.UserDomain (only in v3.0) |
system.userDomain |
Groups.Id |
groups.id |
Groups.Name |
groups.name |
Id |
system.userId |
Locale |
system.locale |
Name.FamilyName |
name.last |
Name.GivenName |
name.first |
Name.MiddleName |
name.middle |
PhoneNumbers |
contactItems.value if <contactItems.type = phone> |
Roles.Id |
roles.id |
Roles.Name |
roles.Name |
Timezone |
timeZone.id |
Title |
system.title |
UserName |
system.userName |
Table 33: Roles mapping for RSA Archer version
id |
id |
Name |
name |
Members.value |
RoleMemberships[].RequestedObject.UserIds[] |
Table 34: Profiles mapping for RSA Archer version
id |
Profile Id from the Starling UI Config |
Connector limitations
- The Created date and last modified date is not retrieved for users / groups.
-
Cursor based pagination for Users is supported but pagination is not supported for groups.
-
User's contact information cannot be created or updated.
-
The following fields are read-only:
-
Except the 401 error for Unauthorized and 400 error for Bad Requests, the application returns HTTP status code 500 for all other errors.
-
If members are provided in group create/update request, the member type is mandatory to differentiate between a user or a group member.
-
RSA Archer ISMS Groups that are retrieved in the Standard GROUPS object type are read-only.
NOTE:Test Connection validates the target system credentials and endpoints but not the configuration parameters.
- For the feature Update User's default Email, RSA Archer provides an option to update contact information. However, the API document does not have any information about how to pass ContactRecordId into update contact info. The operation fails with a BadRequest error. As a workaround, the existing default email ID is deleted and the required email ID is created.
-
While doing role memberships update, it is not possible to remove those users that only have this role assigned to it (no other role assigned).
The following subsections describe the different connector version(s) and features available with them.
Features available exclusively in RSA Archer v.2.0
Following are the features that are available exclusively in RSA Archer v.2.0:
In version 2.0 of the connector, the following fields have been removed from User Mapping and schema:
- StreetAddress
- Locality
- Country
- PostalCode
NOTE: To avoid any breakage in the existing system, these changes have been implemented only in the version 2.0 of the connector.
Features available exclusively in RSA Archer v.3.0
-
v3.0 of the Archer connector, supports generic User, Groups, Roles and Profiles endpoints.
-
The ids for each resource is modified as id@ResourceName - > where ResourceName can be User, Group, Role & Profile.
-
Supports update role to manage the role memberships.
SuccessFactors
SuccessFactors is an integrated human-resources platform. It offers users tools for onboarding, social business, and collaboration along with tools for learning management, performance management, recruiting, applicant tracking, succession planning, talent management, and HR analytics. It is also cloud-based.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector Name
- Username (Format: <userId (not the value for username) of the SuccessFactors service account>@<company_id>)
- Password (needed till v.4.0)
-
OData URL (Refer the note below)
- Private Key (v.5.0)
- Client Id (v.5.0
-
Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).
-
Retry Server Call
IMPORTANT:
-
Retry Server Call is used to make a retry request to the Successfactors system in-case of failures related with an unreachable instance at a given point in time.
-
By default the value is set to false. The customer can enable it in-case such failures are encountered.
-
Api Option Profile ID (in v.5.0)
Supported objects and operations
Users
Table 35: Supported operations for Users
Create User |
POST |
Update User |
PUT |
Delete (only till v3.0) |
DELETE |
Get User (Id) |
GET |
Get All Users |
GET |
Get All Users with pagination |
GET |
Groups
Table 36: Supported operations for Groups
Update Group |
PUT |
Get All Groups |
GET |
Get Groups (Id) |
GET |
Get All Groups with pagination |
GET |
Mandatory fields
Users (v1.0-v3.0)
- User Name
- Employee Number
- Status
Users v4.0
User and Group mapping
The user and group mappings are listed in the tables below.
Table 37: User mapping
Id |
userId |
UserName |
username |
Name.GivenName |
firstName |
Name.FamilyName |
lastName |
Name.MiddleName |
mi |
Name.HonorificSuffix |
suffix |
Name.Formatted |
defaultFullName |
DisplayName |
defaultFullName |
Emails.Value |
email |
Addresses.StreetAddress |
addressLine1 |
Addresses.Locality |
city |
Addresses.Region |
state |
Addresses.PostalCode |
zipCode |
Addresses.Country |
country |
PhoneNumbers.Value |
businessPhone |
Groups.value |
groupId |
Groups.display |
groupName |
Roles.value |
user.role.id |
Roles.display |
user.role.name |
UserType |
jobTitle |
Title |
title |
Active |
status |
Locale |
defaultLocale |
Timezone |
timeZone |
userExtension.EmployeeNumber |
empId |
userExtension.Division |
division |
userExtension.Department |
department |
userExtension.Gender |
gender |
userExtension.HireDate |
hireDate |
userExtension.DateOfBirth |
dateOfBirth |
Meta.Created |
hireDate |
Meta.LastModified |
lastModified |
Table 38: Additional mapping from v4.0 onwards
Location |
location |
UserExtension.UserId |
userId |
userExtension.JobCode |
jobCode |
userExtension.Custom01 |
custom01 |
userExtension.Custom02 |
custom02 |
userExtension.Custom03 |
custom03 |
userExtension.Custom04 |
custom04 |
userExtension.Custom05 |
custom05 |
userExtension.Custom06 |
custom06 |
userExtension.Custom07 |
custom07 |
userExtension.Custom08 |
custom08 |
userExtension.Custom09 |
custom09 |
userExtension.Custom10 |
custom10 |
userExtension.Custom11 |
custom11 |
userExtension.Custom12 |
custom12 |
userExtension.Custom13 |
custom13 |
userExtension.Custom14 |
custom14 |
userExtension.Custom15 |
custom15 |
userExtension.Hr.UserId |
hr.userId |
userExtension.Hr.Email |
hr.email |
userExtension.Hr.Username |
hr.username |
userExtension.Hr.Active |
hr.status |
userExtension.Manager.UserId |
manager.userId |
userExtension.Manager.Email |
manager.email |
userExtension.Manager.Username |
manager.username |
userExtension.Manager.Active |
manager.status |
Table 39: Group mapping
Id |
groupID |
displayName |
groupName |
members.value |
userId |
members.display |
userName |
groupExtension.groupType |
groupType |
groupExtension.staticGroup |
staticGroup |
Meta.LastModified |
lastModifiedDate |
Connector limitations
- Create and Delete group operations are not supported due to cloud application limitations.
-
When the active status is updated to false while performing the PUT operation for a user, the following error appears: user not found. This error occurs because a user is considered as a deleted user when the active status is false. (applicable for version V1 to V3)
-
User update does not support addition and removal of Groups or Roles for a particular user. It is done using group update. This is not applicable for role update.
-
Due to the API limitation of the target system, only the groups with type "permission" and "ectworkflow" are supported by version 3.0 of the connector.
-
User employee number cannot be updated because the cloud application considers employee number as a user Id. (applicable from version V1 till V3)
-
The UPDATE of Static Group supports the change of name and memberships. However, the UPDATE of Dynamic Group supports only the change of name but not the memberships. This is due to the target system behavior.
-
The manager/hr attribute gets added under user only if manager/hr in the request has the status as active.
-
Non-existing users should not be assigned as manager/hr while creating/updating user.
Disable attributes
The Disable attribute feature can be used when you want to skip an attribute that exists in the target system.
For the SuccessFactors connector, the attributes of the User object, including those of Enterprise User, can be disabled or enabled while configuring the connector based on your requirements.
NOTE:
- Mandatory attributes cannot be disabled.
- For more information about how to disable attributes in Starling Connect, see Disabling attributes in the Appendix section.
Connector versions and features
The following subsections describe the different connector version(s) and features available with them.
Features available exclusively in SuccessFactors v.1.0
Following are the features that are available exclusively in SuccessFactorsv.1.0:
-
Update of basic attributes on Static and Dynamic Groups are supported.
-
Update of Group membership on Static and Dynamic Groups are supported.
-
Update of Dynamic Groups will remove the associated Dynamic Clauses.
-
Supported insert / update / upsert on inactive users using extended permissions.
Features available exclusively in SuccessFactors v.2.0
Following are the features that are available exclusively in SuccessFactors v.2.0:
-
Update of basic attributes on Dynamic Groups are supported.
-
Update of Group membership on Static Groups are supported.
-
Dynamic Group supports group basic attributes update, but not group memberships.
-
Supported insert / update / upsert on inactive users using extended permissions.
- Static Group Update (supports only Add and Remove operations for Group Members)
- Dynamic Group Update (supports Group Update without removing the existing dynamic clauses)
NOTE:
- These features are available from version 2.0 onwards.
- In version 1.0, only Dynamic Group Update is supported. Static Group Update is not supported in version 1.0.
-
Version 2.0 is enhanced to allow you to use the Dynamic Group Update operation to update the attributes of a Dynamic Group without removing the dynamic clause that you have added for that Dynamic Group.
This feature is available from version 2.0 onwards. In version 1.0 of the connector, the Dynamic Group Update function removes the existing dynamic clause that was added for the Dynamic Group.
Features available exclusively in SuccessFactors v.3.0
Following are the features that are available exclusively in SuccessFactorsv.3.0:
-
Supports all the features from v2.0.
-
Synchronization has been improved by limiting the groups type to ‘Permission’ and ‘ectworkflow’.
-
Supports insert / update / upsert on inactive users using extended permissions.
Features available exclusively in SuccessFactors v.4.0
Following are the features that are available exclusively in SuccessFactorsv.4.0:
-
Supported insert / update / upsert on inactive users using extended permissions.
-
Additional attributes ( userId, jobCode, location, All available "CustomXX", hr(complex), manager(complex) ) supported under users.
-
Setting up a custom unique UserID on CREATE is supported.
-
DELETE operation not supported in Users endpoint.
-
Supported Custom Attributes for Users. Refer How to create custom attributes for users in Successfactors portal
Features available exclusively in SuccessFactors v.5.0
Following are the features that are available exclusively in SuccessFactorsv.5.0:
Support for filter condition
SuccessFactors connector supports filter condition for User objects. Filter condition can be applied, and the Users can be retrieved selectively. Based on the supported operators and values provided at the filter the User objects are returned in the response from the connector.
To configure changes to One Identity Manager to support filter conditions
-
Open the Synchronization Editor tool.
-
Select SCIM connector.
-
Select the Target system and navigate to Schema Classes.
For example - id ne '10056' AND (locale eq 'Cleveland (1000-2011)')
-
Add a new schema class for the user.
-
Add the System filter and Select Object condition.
Click Commit to Database.
-
In User mappings, create or edit the Target system schema class with the recently created schema and click Commit to Database.
-
Run the synchronization.
-
Filter conditions are created.
Supported attributes for filter
- id
- userName
- lastModified
- meta.lastModified
- givenName
- familyName
- division
- urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.division
- department
- urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department
NOTE:
-
The connector supports filter condition in all versions but only for User objects.
-
Supports only AND and OR logical operators.
-
Supports only parenthesis () for grouping the condition.
-
Unsupported attributes in the filter request will be ignored, no error will be thrown.
-
Only the sub-attributes of a complex attribute are supported in filter condition. For example, givenName or familyName
Table 40: Supported operators to filter values
1 |
eq → equal to |
lastModified eq 2020-08-27T15:22:52 |
lastModified = 2020-08-27T15:22:52 |
2 |
ne → not equal to |
lastModified ne 2020-08-27T15:22:52 |
lastModified <> 2020-08-27T15:22:52 |
3 |
gt → greater than |
lastModified gt 2020-08-27T15:22:52 |
lastModified > 2020-08-27T15:22:52 |
4 |
lt → less than |
lastModified lt 2020-08-27T15:22:52 |
lastModified < 2020-08-27T15:22:52 |
5 |
ge → greater than or equal to |
lastModified ge 2020-08-27T15:22:52 |
lastModified >= 2020-08-27T15:22:52 |
6 |
le → less than or equal to |
lastModified le 2020-08-27T15:22:52 |
lastModified <= 2020-08-27T15:22:52 |
Supervisor configuration parameters
SuccessFactors is an integrated human-resources platform. It offers users tools for onboarding, social business, and collaboration along with tools for learning management, performance management, recruiting, applicant tracking, succession planning, talent management, and HR analytics. It is also cloud-based.
To configure the connector, following parameters are required:
-
Connector Name
- Username (Format: <userId (not the value for username) of the SuccessFactors service account>@<company_id>)
- Password (needed till v.4.0)
-
OData URL (Refer the note below)
- Private Key (v.5.0)
- Client Id (v.5.0
-
Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).
-
Retry Server Call
IMPORTANT:
-
Retry Server Call is used to make a retry request to the Successfactors system in-case of failures related with an unreachable instance at a given point in time.
-
By default the value is set to false. The customer can enable it in-case such failures are encountered.
-
Api Option Profile ID (in v.5.0)
Supported objects and operations
Users
Table 35: Supported operations for Users
Create User |
POST |
Update User |
PUT |
Delete (only till v3.0) |
DELETE |
Get User (Id) |
GET |
Get All Users |
GET |
Get All Users with pagination |
GET |
Groups
Table 36: Supported operations for Groups
Update Group |
PUT |
Get All Groups |
GET |
Get Groups (Id) |
GET |
Get All Groups with pagination |
GET |
Mandatory fields
Users (v1.0-v3.0)
- User Name
- Employee Number
- Status
Users v4.0
User and Group mapping
The user and group mappings are listed in the tables below.
Table 37: User mapping
Id |
userId |
UserName |
username |
Name.GivenName |
firstName |
Name.FamilyName |
lastName |
Name.MiddleName |
mi |
Name.HonorificSuffix |
suffix |
Name.Formatted |
defaultFullName |
DisplayName |
defaultFullName |
Emails.Value |
email |
Addresses.StreetAddress |
addressLine1 |
Addresses.Locality |
city |
Addresses.Region |
state |
Addresses.PostalCode |
zipCode |
Addresses.Country |
country |
PhoneNumbers.Value |
businessPhone |
Groups.value |
groupId |
Groups.display |
groupName |
Roles.value |
user.role.id |
Roles.display |
user.role.name |
UserType |
jobTitle |
Title |
title |
Active |
status |
Locale |
defaultLocale |
Timezone |
timeZone |
userExtension.EmployeeNumber |
empId |
userExtension.Division |
division |
userExtension.Department |
department |
userExtension.Gender |
gender |
userExtension.HireDate |
hireDate |
userExtension.DateOfBirth |
dateOfBirth |
Meta.Created |
hireDate |
Meta.LastModified |
lastModified |
Table 38: Additional mapping from v4.0 onwards
Location |
location |
UserExtension.UserId |
userId |
userExtension.JobCode |
jobCode |
userExtension.Custom01 |
custom01 |
userExtension.Custom02 |
custom02 |
userExtension.Custom03 |
custom03 |
userExtension.Custom04 |
custom04 |
userExtension.Custom05 |
custom05 |
userExtension.Custom06 |
custom06 |
userExtension.Custom07 |
custom07 |
userExtension.Custom08 |
custom08 |
userExtension.Custom09 |
custom09 |
userExtension.Custom10 |
custom10 |
userExtension.Custom11 |
custom11 |
userExtension.Custom12 |
custom12 |
userExtension.Custom13 |
custom13 |
userExtension.Custom14 |
custom14 |
userExtension.Custom15 |
custom15 |
userExtension.Hr.UserId |
hr.userId |
userExtension.Hr.Email |
hr.email |
userExtension.Hr.Username |
hr.username |
userExtension.Hr.Active |
hr.status |
userExtension.Manager.UserId |
manager.userId |
userExtension.Manager.Email |
manager.email |
userExtension.Manager.Username |
manager.username |
userExtension.Manager.Active |
manager.status |
Table 39: Group mapping
Id |
groupID |
displayName |
groupName |
members.value |
userId |
members.display |
userName |
groupExtension.groupType |
groupType |
groupExtension.staticGroup |
staticGroup |
Meta.LastModified |
lastModifiedDate |
Connector limitations
- Create and Delete group operations are not supported due to cloud application limitations.
-
When the active status is updated to false while performing the PUT operation for a user, the following error appears: user not found. This error occurs because a user is considered as a deleted user when the active status is false. (applicable for version V1 to V3)
-
User update does not support addition and removal of Groups or Roles for a particular user. It is done using group update. This is not applicable for role update.
-
Due to the API limitation of the target system, only the groups with type "permission" and "ectworkflow" are supported by version 3.0 of the connector.
-
User employee number cannot be updated because the cloud application considers employee number as a user Id. (applicable from version V1 till V3)
-
The UPDATE of Static Group supports the change of name and memberships. However, the UPDATE of Dynamic Group supports only the change of name but not the memberships. This is due to the target system behavior.
-
The manager/hr attribute gets added under user only if manager/hr in the request has the status as active.
-
Non-existing users should not be assigned as manager/hr while creating/updating user.
Disable attributes
The Disable attribute feature can be used when you want to skip an attribute that exists in the target system.
For the SuccessFactors connector, the attributes of the User object, including those of Enterprise User, can be disabled or enabled while configuring the connector based on your requirements.
NOTE:
- Mandatory attributes cannot be disabled.
- For more information about how to disable attributes in Starling Connect, see Disabling attributes in the Appendix section.
Connector versions and features
The following subsections describe the different connector version(s) and features available with them.
Features available exclusively in SuccessFactors v.1.0
Following are the features that are available exclusively in SuccessFactorsv.1.0:
-
Update of basic attributes on Static and Dynamic Groups are supported.
-
Update of Group membership on Static and Dynamic Groups are supported.
-
Update of Dynamic Groups will remove the associated Dynamic Clauses.
-
Supported insert / update / upsert on inactive users using extended permissions.
Features available exclusively in SuccessFactors v.2.0
Following are the features that are available exclusively in SuccessFactors v.2.0:
-
Update of basic attributes on Dynamic Groups are supported.
-
Update of Group membership on Static Groups are supported.
-
Dynamic Group supports group basic attributes update, but not group memberships.
-
Supported insert / update / upsert on inactive users using extended permissions.
- Static Group Update (supports only Add and Remove operations for Group Members)
- Dynamic Group Update (supports Group Update without removing the existing dynamic clauses)
NOTE:
- These features are available from version 2.0 onwards.
- In version 1.0, only Dynamic Group Update is supported. Static Group Update is not supported in version 1.0.
-
Version 2.0 is enhanced to allow you to use the Dynamic Group Update operation to update the attributes of a Dynamic Group without removing the dynamic clause that you have added for that Dynamic Group.
This feature is available from version 2.0 onwards. In version 1.0 of the connector, the Dynamic Group Update function removes the existing dynamic clause that was added for the Dynamic Group.
Features available exclusively in SuccessFactors v.3.0
Following are the features that are available exclusively in SuccessFactorsv.3.0:
-
Supports all the features from v2.0.
-
Synchronization has been improved by limiting the groups type to ‘Permission’ and ‘ectworkflow’.
-
Supports insert / update / upsert on inactive users using extended permissions.
Features available exclusively in SuccessFactors v.4.0
Following are the features that are available exclusively in SuccessFactorsv.4.0:
-
Supported insert / update / upsert on inactive users using extended permissions.
-
Additional attributes ( userId, jobCode, location, All available "CustomXX", hr(complex), manager(complex) ) supported under users.
-
Setting up a custom unique UserID on CREATE is supported.
-
DELETE operation not supported in Users endpoint.
-
Supported Custom Attributes for Users. Refer How to create custom attributes for users in Successfactors portal
Features available exclusively in SuccessFactors v.5.0
Following are the features that are available exclusively in SuccessFactorsv.5.0:
Support for filter condition
SuccessFactors connector supports filter condition for User objects. Filter condition can be applied, and the Users can be retrieved selectively. Based on the supported operators and values provided at the filter the User objects are returned in the response from the connector.
To configure changes to One Identity Manager to support filter conditions
-
Open the Synchronization Editor tool.
-
Select SCIM connector.
-
Select the Target system and navigate to Schema Classes.
For example - id ne '10056' AND (locale eq 'Cleveland (1000-2011)')
-
Add a new schema class for the user.
-
Add the System filter and Select Object condition.
Click Commit to Database.
-
In User mappings, create or edit the Target system schema class with the recently created schema and click Commit to Database.
-
Run the synchronization.
-
Filter conditions are created.
Supported attributes for filter
- id
- userName
- lastModified
- meta.lastModified
- givenName
- familyName
- division
- urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.division
- department
- urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department
NOTE:
-
The connector supports filter condition in all versions but only for User objects.
-
Supports only AND and OR logical operators.
-
Supports only parenthesis () for grouping the condition.
-
Unsupported attributes in the filter request will be ignored, no error will be thrown.
-
Only the sub-attributes of a complex attribute are supported in filter condition. For example, givenName or familyName
Table 40: Supported operators to filter values
1 |
eq → equal to |
lastModified eq 2020-08-27T15:22:52 |
lastModified = 2020-08-27T15:22:52 |
2 |
ne → not equal to |
lastModified ne 2020-08-27T15:22:52 |
lastModified <> 2020-08-27T15:22:52 |
3 |
gt → greater than |
lastModified gt 2020-08-27T15:22:52 |
lastModified > 2020-08-27T15:22:52 |
4 |
lt → less than |
lastModified lt 2020-08-27T15:22:52 |
lastModified < 2020-08-27T15:22:52 |
5 |
ge → greater than or equal to |
lastModified ge 2020-08-27T15:22:52 |
lastModified >= 2020-08-27T15:22:52 |
6 |
le → less than or equal to |
lastModified le 2020-08-27T15:22:52 |
lastModified <= 2020-08-27T15:22:52 |