
Starling Connect Hosted - Active Roles Administration Guide

SuccessFactors

SuccessFactors is an integrated human-resources platform. It offers users tools for onboarding, social business, and collaboration along with tools for learning management, performance management, recruiting, applicant tracking, succession planning, talent management, and HR analytics. It is also cloud-based.

Supervisor Configuration Parameters

To configure the connector, the following parameters are required:

NOTE: The SuccessFactors Web Services APIs are based on the OData protocol, which enables access to data in the SuccessFactors system for create, read, update, or delete (CRUD) operations. For more information on the SuccessFactors API, see https://apps.support.sap.com/sap/support/knowledge/public/en/2613670. For more information on SuccessFactors URLs and Data Centers, see https://apps.support.sap.com/sap/support/knowledge/public/en/2089448.

Supported Objects and Operations

Users
Table 12: Supported operations for Users

Operation VERB
Create User POST
Update User PUT
Delete PUT
Deprovision PUT
Undo Deprovision PUT

Mandatory Fields

Users
  • User Name
  • Employee Number
  • Status
Groups
  • Group Name

  • Group Type
  • Group Members

User and Group Mapping

The user and group mappings are listed in the tables below.

Table 13: User Mapping
SCIM Parameter SuccessFactors Parameter
Id userId
UserName username
Name.GivenName firstName
Name.FamilyName lastName

Name.MiddleName mi
Name.HonorificSuffix suffix
Name.Formatted defaultFullName
DisplayName defaultFullName
Emails.Value email
Addresses.StreetAddress addressLine1
Addresses.Locality state
Addresses.Region city
Addresses.PostalCode zipCode
Addresses.Country country
PhoneNumbers.Value businessPhone
Groups.value groupId
Groups.display groupName
Roles.value user.role.id
Roles.display user.role.name
UserType jobTitle
Title title
Active status
Locale location
Timezone timeZone
userExtension.EmployeeNumber empId
userExtension.Division division
userExtension.Department department
userExtension.Gender gender
userExtension.HireDate hireDate
userExtension.DateOfBirth dateOfBirth
Meta.Created hireDate
Meta.LastModified lastModified

Table 14: Group Mapping
SCIM Parameter SuccessFactors Parameter
Id groupID
displayName groupName
groupType groupType
groupExtension.value userId
groupExtension.display userName
Meta.LastModified lastModifiedDate

Connector Limitations

  • Create and Delete group operations are not supported due to cloud application limitations.
  • When the active status is updated to false while performing the PUT operation for a user, the following error appears: user not found. This error occurs because a user is considered as a deleted user when the active status is false.

  • User update does not support the addition or removal of Groups or Roles for a particular user. Group changes must be made through a group update. This is not applicable for role update.

  • User employee number cannot be updated because the cloud application considers employee number as a user Id.

Amazon (S3 and AWS)

Amazon (S3 and AWS) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

Supervisor Configuration Parameters

To configure the connector, the following parameters are required:

  • Connector Name

  • Client Id of the cloud account
  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

Supported Objects and Operations

Users
Table 15: Supported operations and objects for Users

Operation VERB
Create POST
Update PUT

Delete DELETE
Deprovision PUT
Undo Deprovision PUT
Groups
Table 16: Supported operations and objects for Groups

Operation VERB
Create POST
Update PUT
Delete DELETE
Deprovision PUT
Undo Deprovision PUT
Group Membership PUT

Mandatory Fields

Users
  • User Name
  • Password - This is applicable only for the Create operation.
Groups
  • Group Name

User and Group Mapping

The user and group mappings are listed in the tables below.

Table 17: User Mapping
SCIM Parameter Amazon Web Services (AWS) Parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active (true)
Groups (ListGroupsForUserResult)Group
Entitlements (ListAttachedUserPoliciesResult)AttachedPolicies
Created CreateDate
LastModified PasswordLastUsed

Table 18: Group Mapping
SCIM Parameter Amazon Web Services (AWS) Parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed

Connector Limitations

  • Signature generation is embedded within a data process. Hence, the application performance is affected.

  • The Last Modified date is not available. Hence, the field contains the date on which the password was last used.

  • While performing a Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the services listed below. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups
  • The task of assigning entitlements to groups is available with the connector. For this to work, certain changes must be made in Active Roles.

ServiceNow

ServiceNow is a service management platform that can be used for many different business units, including IT, human resources, facilities, and field services.

Supervisor Configuration Parameters

To configure the connector, the following parameters are required:

  • Connector Name

  • Username

  • Password

  • SCIM URL (cloud application's REST API's base URL)

Supported Objects and Operations

Users
Table 19: Supported operations for Users

Operation VERB
Create POST
Update PUT
Delete DELETE

Deprovision PUT
Undo Deprovision PUT
Groups
Table 20: Supported operations for Groups

Operation VERB
Create POST
Update PUT
Delete DELETE
Deprovision PUT
Undo Deprovision PUT
Group Membership PUT

Mandatory Fields

Users
  • Username
Groups
  • Group Name

Configuring custom attributes in ServiceNow

This feature allows you to configure custom attributes in Starling Connector during connector subscription. You can provide the list of custom attributes in a defined format with the name, type, and allowed values of the attributes. The custom mappings in Active Roles provide the values for these custom attributes.

To configure custom attributes in ServiceNow:

  1. Create a Custom Attribute in ServiceNow.

    NOTE: The Starling Platform currently supports only the string types dateTime, True/False and Choice.

  2. To configure the custom attributes in Starling UI, enter the Custom Properties in the specified format in the Starling Platform.

  3. Map the created custom attributes that were specified in the Starling Platform.

  4. Perform a synchronization and verify if the custom attributes are available.

    NOTE:

    • The Starling UI for registering a ServiceNow connector has an input field to provide the custom attributes to be mapped in the connector's User resource type apart from the default mapped attributes.

    • The custom attributes in the User resource type must be in the following format:

      {field_name}|{data_type}|{choice_value1,choice_value2,etc};{field_name}|{data_type}|{choice_value1,choice_value2,etc};etc.

      Example:

      u_employee_status|string;u_date_of_termination_of_employments|DateTime;u_test_field_with_canonical_values|string|Choice 1,Choice 2,Choice 3

    • All custom attributes are mapped in the enterprise user extensions.

    • The supported data types are string, boolean and dateTime.

      The Choice type in ServiceNow becomes a string type with Canonical Values in OneIM.

    • Only simple attributes are supported.

    • All custom user attributes have 'mutability': 'readWrite', 'returned': 'default', 'caseExact': 'false', 'required': 'false', 'multiValued': 'false','uniqueness': 'none'.

    • The Starling Platform currently supports only the string types dateTime, True/False and Choice.
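
The custom attribute format above can be checked before it is entered in the Starling UI. The following validator is an added example, not One Identity or ServiceNow code; the function name, the field-name pattern, the case-insensitive type matching, and the rule that choices attach only to string fields are assumptions made for illustration.

```python
import re

# Data types the page lists as supported. Matched case-insensitively because
# the page's own example writes "DateTime" (assumption).
SUPPORTED_TYPES = {"string": "string", "boolean": "boolean", "datetime": "dateTime"}
# Assumption: field names are plain lowercase column identifiers.
FIELD_NAME = re.compile(r"^[a-z][a-z0-9_]*$")
# Characteristics the page states for every custom user attribute.
FIXED = {"mutability": "readWrite", "returned": "default", "caseExact": False,
         "required": False, "multiValued": False, "uniqueness": "none"}

def parse_custom_attributes(spec):
    """Parse 'name|type|c1,c2;name|type' and raise ValueError on a bad entry."""
    attributes, seen = [], set()
    for entry in (e.strip() for e in spec.split(";")):
        if not entry:  # tolerate a trailing ';'
            continue
        parts = [p.strip() for p in entry.split("|")]
        if len(parts) not in (2, 3):
            raise ValueError(f"{entry!r}: expected name|type or name|type|choices")
        name, raw_type = parts[0], parts[1]
        if not FIELD_NAME.match(name):
            raise ValueError(f"{entry!r}: invalid field name {name!r}")
        if name in seen:
            raise ValueError(f"{entry!r}: duplicate field name")
        seen.add(name)
        data_type = SUPPORTED_TYPES.get(raw_type.lower())
        if data_type is None:
            raise ValueError(f"{entry!r}: unsupported data type {raw_type!r}")
        attr = {"name": name, "type": data_type, **FIXED}
        if len(parts) == 3:
            # Choice fields surface as strings with canonical values, so a
            # choice list on any other type is rejected (assumption).
            if data_type != "string":
                raise ValueError(f"{entry!r}: choices only apply to string")
            choices = [c.strip() for c in parts[2].split(",") if c.strip()]
            if not choices:
                raise ValueError(f"{entry!r}: empty choice list")
            attr["canonicalValues"] = choices
        attributes.append(attr)
    return attributes

# The example string given on this page.
PAGE_EXAMPLE = ("u_employee_status|string;"
                "u_date_of_termination_of_employments|DateTime;"
                "u_test_field_with_canonical_values|string|Choice 1,Choice 2,Choice 3")
```

Each returned dictionary carries the attribute name, the normalized data type, the fixed characteristics listed above, and, for Choice fields, the canonical values.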

User and Group Mapping

The user and group mapping is listed in the table below.

Table 21: User Mapping
SCIM Parameter ServiceNow Parameter
userName user_name
name.familyName last_name
name.givenName first_name
name.middleName middle_name
displayName name
emails[0].value email
addresses[0].streetAddress street
addresses[0].locality city
addresses[0].region state
addresses[0].postalCode zip
addresses[0].country country
phoneNumbers[0].value phone
title title
preferredLanguage preferred_language
timeZone time_zone
active active
password user_password
roles.value {resource}.role.value
extension.organization company
extension.department department
extension.manager.value manager.value
extension.employeeNumber employee_number
id sys_id
groups.value {resource}.group.value

extension.lastLogon last_login_time

Table 22: Group Mapping
SCIM Parameter ServiceNow Parameter
id sys_id
displayName name
members.value {resource}.user.value
extension.description description
extension.email email

extension.groupType type
extension.manager.value manager.value

Connector Limitations

  • ServiceProviderAuthority contains only the Id field with the value being same as the instance id of the ServiceNow instance, as there are no APIs to fetch the tenant details in ServiceNow.

  • If the department name and organization name are provided during user create or update operations, the user gets assigned to the department and organization if a department and organization with the same names exist in the ServiceNow cloud application.

  • If an invalid manager id is used for the user's manager field while performing user create or update operations, ServiceNow does not display any error. Instead, the invalid id is returned as the manager id.

  • In the request, if there are invalid values for timezone, language, and so on, ServiceNow does not display any error. Instead, the fields with invalid values would be blank.
  • GET Roles operation might not fetch all the roles. Some roles must be retrieved based on ServiceNow Access Control List (ACL).

  • If an invalid role id is used for user create or update operation, no error is displayed. Instead, the same invalid id in the role list is returned.
  • If an invalid member id is used for group create or update, no error is displayed. Instead, the same invalid id as the member id is returned.

  • The Create User operation with existing user details shows the status code as 403 instead of 409. The status code and the status message cannot be interpreted.

Azure Active Directory

Azure Active Directory is a connector that gives users a cloud-based platform for their on-premises resources. Using single sign-on, companies have access to any number of network or web-based applications along with hosting access and identity management resources.

For more information on registering the application, providing permissions, retrieving client ID or client secret, see Working with Azure Active Directory.

Supervisor Configuration Parameters

To configure the connector, the following parameters are required:

  • Connector name

  • Client Id for the app

  • Client Secret of the app

  • Directory Id of the Active Directory

  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

Supported Objects and Operations

Users
Table 23: Supported operations for Users

Operation VERB
Create User POST
Update User PATCH

Deprovision PUT
Undo Deprovision PUT

Mandatory Fields

Users
  • email.value
  • nickName

  • displayName

  • password

  • active
Groups
  • displayName
  • mailEnabled (value needs to be 'false')

  • mailNickname

  • securityEnabled (value needs to be 'true')

User and Group Mapping

The user and group mappings are listed in the tables below.

Table 24: User Mapping
SCIM Parameter Azure AD Parameter
Id id
userName userPrincipalName
name.familyName surname
name.givenName givenName
displayName displayName
nickName mailNickname
emails[0].value userPrincipalName
addresses[0].streetAddress streetAddress
addresses[0].locality city
addresses[0].region state
addresses[0].postalCode postalcode

addresses[0].country country
phoneNumbers[0].value businessPhones[0]
title jobTitle
active accountEnabled
preferredLanguage preferredLanguage
userType userType
groups[].value memberOf[].id
groups[].display memberOf[].displayName
userExtension.organization companyName
userExtension.department department
userExtension.employeeNumber employeeId
userExtension.manager.value manager.id
userExtension.manager.displayName manager.displayName
meta.created createdDateTime

Groups
Table 25: Group Mapping
SCIM Parameter Azure AD Parameter
Id id
displayName displayName
members[].value members[].id
members[].display members[].displayName

enterpriseExtension.description description
enterpriseExtension.mailNickname mailNickname
meta.created createdDateTime

Connector Limitations

  • lastModified is not provided along with the Users and Groups.

  • Groups are of two types: Security groups and Office 365 groups. Azure AD supports users and groups as the members of groups. Security groups can have users and other Security groups as members. However, only users can be added as members for Office 365 groups.

  • With the trial Azure AD account, it is possible to create only Security groups through APIs. For information on mapping the appropriate properties, see the User and Group Mapping section.

  • Azure AD resource Ids follow the GUID format. When trying to edit, retrieve, or delete a group by Id with an invalid GUID format, the connector displays 400 as the response code. However, with an invalid Id in a proper GUID format, the connector displays 404 as the response code.

  • The email value for the user should have only those domains that are verified in the selected Active Directory. To find the verified domains, go to Azure Active Directory in the Azure portal; the verified domain names are displayed on the Overview page, above the directory name.

  • You can create multiple groups with the same name.
  • For more information on password policy settings applied to user accounts that are created and managed in Azure AD, see Password policies that only apply to cloud user accounts.
