Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors AWS IAM ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText JFrog Artifactory xMatters Discourse Testrail ChipSoft PingOne Platform Azure DevOps UKG PRO Atlassian Cloud Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant Generating a private key for service account in GoToMeeting Configuring AWS IAM connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating a Service Principal for the Azure Infrastructure Connector Workday permissions needed to integrate via the Starling Connector Configuring integration application in DocuSign Creating integration Connect Client in Coupa Retrieving Azure DevOps Personal Access Token (PAT) Setup integration system and field override service in Workday Retrieving Atlassian Cloud API Key and Directory ID

Connector limitations

RSA Archer GRC Platform supports business-level management of governance, risk management, and compliance (GRC). It lets users adapt solutions to their own requirements, build new applications, and integrate with external systems without interacting with code.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name - <RSA Archer>

  • Username

  • Password

  • Instance Name - <Tenant ID ex: 324022>

  • User Record Creation - <Is record creation needed> [only in v3.0]

  • Profile Module ID - <Internal ID of an application as specified in the Application Builder Application Detail Report ex: 486>

  • Profile ID - <User Profile ID ex: 239109>

  • Environment(ISMS) - <Cloud application's environment ex: Test, Prod> [only in v1.0 and v2.0]

  • Field ID - <Filed Id to get specific attribute ex: 18746>

  • Reporting Filter Field Id - <Reporting Filter Field Id> [only in v3.0]

  • ISMS Group Functionality - <Is ISMS Group Functionality Required> [only in v3.0]

  • ISMS Id - <ISMS Id> [only in v3.0]

  • ISMS Module Id - <ISMS Module Id> [only in v3.0]

  • ISMS Name - <ISMS Name> [only in v3.0]

  • ISMS Coach - <ISMS Coach> [only in v3.0]

  • ISMS Lead - <ISMS Lead> [only in v3.0]

  • ISMS Lead Backup - <ISMS Lead Backup> [only in v3.0]

  • Profiles Resource - <Is Profiles Resource Required> [only in v3.0]

  • Delete User - <Is permanent User Delete Required> [only in v3.0]

  • SCIM URL - <Cloud application's instance URL used as targetURI in payload>

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 28: Supported operations for Users

Operation

VERB

Create POST
Update PUT
Get (Id) GET
Get GET
Pagination GET

Delete

DELETE

NOTE:The Delete User operation is supported only in v3.0

Groups

Table 29: Supported operations for Groups

Operation

VERB

Update (Id) PUT
Get (Id) GET
Get GET

NOTE:The Archer API supports the CREATE Group, DELETE Group and DELETE User operations, but they are currently unavailable in the connector. If you need the connector to support these operations, please contact support.

Roles

Table 30: Supported operations for Roles

Operation

VERB

Get (Id) GET
Get GET

Update

PUT

Profiles

Table 31: Supported operations for Profiles

Operation

VERB

Get (Id) GET
Get GET

Mandatory fields

Users

  • userName

  • name.givenName

  • name.familyName

  • active

Groups

  • displayName

Mappings for RSA Archer versions

The user and group mappings for RSA Archer version are listed in the tables below.

Table 32: User mapping for RSA Archer version
SCIM parameter RSA Archer parameter

Active

system.status

Address.country

--

Address.formatted

address

Address.locality

--

Address.postalCode

--

Address.region

--

Address.streetAddress

--

Emails

contactItems.value if <contactItems.type = Email>

Extension.Company (only in v3.0)

system.company

Extension.Notes (only in v3.0)

notes

Extension.SecurityParameter (only in v3.0)

system.securityParameter

Extension.UserDomain (only in v3.0)

system.userDomain

Groups.Id

groups.id

Groups.Name

groups.name

Id system.userId

Locale

system.locale

Name.FamilyName name.last
Name.GivenName name.first
Name.MiddleName name.middle

PhoneNumbers

contactItems.value if <contactItems.type = phone>

Roles.Id

roles.id

Roles.Name

roles.Name

Timezone

timeZone.id

Title

system.title

UserName system.userName
Table 33: Roles mapping for RSA Archer version
SCIM parameter RSA Archer parameter
id id

Name

name

Members.value

RoleMemberships[].RequestedObject.UserIds[]

Table 34: Profiles mapping for RSA Archer version
SCIM parameter RSA Archer parameter
id Profile Id from the Starling UI Config
  • The Created date and last modified date is not retrieved for users / groups.
  • Cursor based pagination for Users is supported but pagination is not supported for groups.

  • User's contact information cannot be created or updated.

  • The following fields are read-only:

    • Phone number
  • Except the 401 error for Unauthorized and 400 error for Bad Requests, the application returns HTTP status code 500 for all other errors.

  • If members are provided in group create/update request, the member type is mandatory to differentiate between a user or a group member.

  • RSA Archer ISMS Groups that are retrieved in the Standard GROUPS object type are read-only.

    NOTE:Test Connection validates the target system credentials and endpoints but not the configuration parameters.

  • For the feature Update User's default Email, RSA Archer provides an option to update contact information. However, the API document does not have any information about how to pass ContactRecordId into update contact info. The operation fails with a BadRequest error. As a workaround, the existing default email ID is deleted and the required email ID is created.
  • While doing role memberships update, it is not possible to remove those users that only have this role assigned to it (no other role assigned).

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in RSA Archer v.2.0

Following are the features that are available exclusively in RSA Archer v.2.0:

In version 2.0 of the connector, the following fields have been removed from User Mapping and schema:

  • StreetAddress
  • Locality
  • Country
  • PostalCode

    NOTE: To avoid any breakage in the existing system, these changes have been implemented only in the version 2.0 of the connector.

Features available exclusively in RSA Archer v.3.0

  • v3.0 of the Archer connector, supports generic User, Groups, Roles and Profiles endpoints.

  • The ids for each resource is modified as id@ResourceName - > where ResourceName can be User, Group, Role & Profile.

  • Supports update role to manage the role memberships.

Connector versions and features

RSA Archer GRC Platform supports business-level management of governance, risk management, and compliance (GRC). It lets users adapt solutions to their own requirements, build new applications, and integrate with external systems without interacting with code.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name - <RSA Archer>

  • Username

  • Password

  • Instance Name - <Tenant ID ex: 324022>

  • User Record Creation - <Is record creation needed> [only in v3.0]

  • Profile Module ID - <Internal ID of an application as specified in the Application Builder Application Detail Report ex: 486>

  • Profile ID - <User Profile ID ex: 239109>

  • Environment(ISMS) - <Cloud application's environment ex: Test, Prod> [only in v1.0 and v2.0]

  • Field ID - <Filed Id to get specific attribute ex: 18746>

  • Reporting Filter Field Id - <Reporting Filter Field Id> [only in v3.0]

  • ISMS Group Functionality - <Is ISMS Group Functionality Required> [only in v3.0]

  • ISMS Id - <ISMS Id> [only in v3.0]

  • ISMS Module Id - <ISMS Module Id> [only in v3.0]

  • ISMS Name - <ISMS Name> [only in v3.0]

  • ISMS Coach - <ISMS Coach> [only in v3.0]

  • ISMS Lead - <ISMS Lead> [only in v3.0]

  • ISMS Lead Backup - <ISMS Lead Backup> [only in v3.0]

  • Profiles Resource - <Is Profiles Resource Required> [only in v3.0]

  • Delete User - <Is permanent User Delete Required> [only in v3.0]

  • SCIM URL - <Cloud application's instance URL used as targetURI in payload>

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 28: Supported operations for Users

Operation

VERB

Create POST
Update PUT
Get (Id) GET
Get GET
Pagination GET

Delete

DELETE

NOTE:The Delete User operation is supported only in v3.0

Groups

Table 29: Supported operations for Groups

Operation

VERB

Update (Id) PUT
Get (Id) GET
Get GET

NOTE:The Archer API supports the CREATE Group, DELETE Group and DELETE User operations, but they are currently unavailable in the connector. If you need the connector to support these operations, please contact support.

Roles

Table 30: Supported operations for Roles

Operation

VERB

Get (Id) GET
Get GET

Update

PUT

Profiles

Table 31: Supported operations for Profiles

Operation

VERB

Get (Id) GET
Get GET

Mandatory fields

Users

  • userName

  • name.givenName

  • name.familyName

  • active

Groups

  • displayName

Mappings for RSA Archer versions

The user and group mappings for RSA Archer version are listed in the tables below.

Table 32: User mapping for RSA Archer version
SCIM parameter RSA Archer parameter

Active

system.status

Address.country

--

Address.formatted

address

Address.locality

--

Address.postalCode

--

Address.region

--

Address.streetAddress

--

Emails

contactItems.value if <contactItems.type = Email>

Extension.Company (only in v3.0)

system.company

Extension.Notes (only in v3.0)

notes

Extension.SecurityParameter (only in v3.0)

system.securityParameter

Extension.UserDomain (only in v3.0)

system.userDomain

Groups.Id

groups.id

Groups.Name

groups.name

Id system.userId

Locale

system.locale

Name.FamilyName name.last
Name.GivenName name.first
Name.MiddleName name.middle

PhoneNumbers

contactItems.value if <contactItems.type = phone>

Roles.Id

roles.id

Roles.Name

roles.Name

Timezone

timeZone.id

Title

system.title

UserName system.userName
Table 33: Roles mapping for RSA Archer version
SCIM parameter RSA Archer parameter
id id

Name

name

Members.value

RoleMemberships[].RequestedObject.UserIds[]

Table 34: Profiles mapping for RSA Archer version
SCIM parameter RSA Archer parameter
id Profile Id from the Starling UI Config

Connector limitations

  • The Created date and last modified date is not retrieved for users / groups.
  • Cursor based pagination for Users is supported but pagination is not supported for groups.

  • User's contact information cannot be created or updated.

  • The following fields are read-only:

    • Phone number
  • Except the 401 error for Unauthorized and 400 error for Bad Requests, the application returns HTTP status code 500 for all other errors.

  • If members are provided in group create/update request, the member type is mandatory to differentiate between a user or a group member.

  • RSA Archer ISMS Groups that are retrieved in the Standard GROUPS object type are read-only.

    NOTE:Test Connection validates the target system credentials and endpoints but not the configuration parameters.

  • For the feature Update User's default Email, RSA Archer provides an option to update contact information. However, the API document does not have any information about how to pass ContactRecordId into update contact info. The operation fails with a BadRequest error. As a workaround, the existing default email ID is deleted and the required email ID is created.
  • While doing role memberships update, it is not possible to remove those users that only have this role assigned to it (no other role assigned).

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in RSA Archer v.2.0

Following are the features that are available exclusively in RSA Archer v.2.0:

In version 2.0 of the connector, the following fields have been removed from User Mapping and schema:

  • StreetAddress
  • Locality
  • Country
  • PostalCode

    NOTE: To avoid any breakage in the existing system, these changes have been implemented only in the version 2.0 of the connector.

Features available exclusively in RSA Archer v.3.0

  • v3.0 of the Archer connector, supports generic User, Groups, Roles and Profiles endpoints.

  • The ids for each resource is modified as id@ResourceName - > where ResourceName can be User, Group, Role & Profile.

  • Supports update role to manage the role memberships.

SuccessFactors

SuccessFactors is an integrated human-resources platform. It offers users tools for onboarding, social business, and collaboration along with tools for learning management, performance management, recruiting, applicant tracking, succession planning, talent management, and HR analytics. It is also cloud-based.

Supervisor configuration parameters

To configure the connector, following parameters are required:

Supported objects and operations

Users

Table 35: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PUT

Delete (only till v3.0)

DELETE

Get User (Id)

GET

Get All Users

GET

Get All Users with pagination

GET

Groups

Table 36: Supported operations for Groups

Operation

VERB

Update Group PUT
Get All Groups GET

Get Groups (Id)

GET

Get All Groups with pagination GET

Mandatory fields

Users (v1.0-v3.0)

  • User Name
  • Employee Number
  • Status

Users v4.0

  • UserName

  • UserId

  • Status

User and Group mapping

The user and group mappings are listed in the tables below.

Table 37: User mapping
SCIM parameter SuccessFactors parameter
Id userId
UserName username
Name.GivenName firstName
Name.FamilyName lastName

Name.MiddleName

mi

Name.HonorificSuffix

suffix

Name.Formatted

defaultFullName

DisplayName defaultFullName
Emails.Value email
Addresses.StreetAddress addressLine1
Addresses.Locality city
Addresses.Region state

Addresses.PostalCode

zipCode

Addresses.Country

country

PhoneNumbers.Value

businessPhone

Groups.value

groupId

Groups.display

groupName

Roles.value

user.role.id

Roles.display

user.role.name

UserType

jobTitle

Title

title

Active

status

Locale

defaultLocale

Timezone

timeZone

userExtension.EmployeeNumber

empId

userExtension.Division

division

userExtension.Department

department

userExtension.Gender

gender

userExtension.HireDate

hireDate

userExtension.DateOfBirth

dateOfBirth

Meta.Created

hireDate

Meta.LastModified

lastModified

Table 38: Additional mapping from v4.0 onwards
SCIM parameter SuccessFactors parameter
Location location
UserExtension.UserId userId
userExtension.JobCode jobCode
userExtension.Custom01 custom01
userExtension.Custom02 custom02
userExtension.Custom03 custom03
userExtension.Custom04 custom04
userExtension.Custom05 custom05
userExtension.Custom06 custom06
userExtension.Custom07 custom07
userExtension.Custom08 custom08
userExtension.Custom09 custom09
userExtension.Custom10 custom10
userExtension.Custom11 custom11
userExtension.Custom12 custom12
userExtension.Custom13 custom13
userExtension.Custom14 custom14
userExtension.Custom15 custom15
userExtension.Hr.UserId hr.userId
userExtension.Hr.Email hr.email
userExtension.Hr.Username hr.username
userExtension.Hr.Active hr.status
userExtension.Manager.UserId manager.userId
userExtension.Manager.Email manager.email
userExtension.Manager.Username manager.username
userExtension.Manager.Active manager.status
Table 39: Group mapping
SCIM parameter SuccessFactors parameter
Id groupID
displayName groupName

members.value

userId

members.display

userName

groupExtension.groupType groupType
groupExtension.staticGroup staticGroup
Meta.LastModified lastModifiedDate

Connector limitations

  • Create and Delete group operations are not supported due to cloud application limitations.
  • When the active status is updated to false while performing the PUT operation for a user, the following error appears: user not found. This error occurs because a user is considered as a deleted user when the active status is false. (applicable for version V1 to V3)

  • User update does not support addition and removal of Groups or Roles for a particular user. It is done using group update. This is not applicable for role update.

  • Due to the API limitation of the target system, only the groups with type "permission" and "ectworkflow" are supported by version 3.0 of the connector.

  • User employee number cannot be updated because the cloud application considers employee number as a user Id. (applicable from version V1 till V3)

  • The UPDATE of Static Group supports the change of name and memberships. However, the UPDATE of Dynamic Group supports only the change of name but not the memberships. This is due to the target system behavior.

  • The manager/hr attribute gets added under user only if manager/hr in the request has the status as active.

  • Non-existing users should not be assigned as manager/hr while creating/updating user.

Disable attributes

The Disable attribute feature can be used when you want to skip an attribute that exists in the target system.

For the SuccessFactors connector, the attributes of the User object, including those of Enterprise User, can be disabled or enabled while configuring the connector based on your requirements.

NOTE:

  • Mandatory attributes cannot be disabled.
  • For more information about how to disable attributes in Starling Connect, see Disabling attributes in the Appendix section.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in SuccessFactors v.1.0

Following are the features that are available exclusively in SuccessFactorsv.1.0:

  • Update of basic attributes on Static and Dynamic Groups are supported.

  • Update of Group membership on Static and Dynamic Groups are supported.

  • Update of Dynamic Groups will remove the associated Dynamic Clauses.

  • Supported insert / update / upsert on inactive users using extended permissions.

Features available exclusively in SuccessFactors v.2.0

Following are the features that are available exclusively in SuccessFactors v.2.0:

  • Update of basic attributes on Dynamic Groups are supported.

  • Update of Group membership on Static Groups are supported.

  • Dynamic Group supports group basic attributes update, but not group memberships.

  • Supported insert / update / upsert on inactive users using extended permissions.

  • Static Group Update (supports only Add and Remove operations for Group Members)
  • Dynamic Group Update (supports Group Update without removing the existing dynamic clauses)

    NOTE:

    • These features are available from version 2.0 onwards.
    • In version 1.0, only Dynamic Group Update is supported. Static Group Update is not supported in version 1.0.
    • Version 2.0 is enhanced to allow you to use the Dynamic Group Update operation to update the attributes of a Dynamic Group without removing the dynamic clause that you have added for that Dynamic Group.

      This feature is available from version 2.0 onwards. In version 1.0 of the connector, the Dynamic Group Update function removes the existing dynamic clause that was added for the Dynamic Group.

Features available exclusively in SuccessFactors v.3.0

Following are the features that are available exclusively in SuccessFactorsv.3.0:

  • Supports all the features from v2.0.

  • Synchronization has been improved by limiting the groups type to ‘Permission’ and ‘ectworkflow’.

  • Supports insert / update / upsert on inactive users using extended permissions.

Features available exclusively in SuccessFactors v.4.0

Following are the features that are available exclusively in SuccessFactorsv.4.0:

  • Supported insert / update / upsert on inactive users using extended permissions.

  • Additional attributes ( userId, jobCode, location, All available "CustomXX", hr(complex), manager(complex) ) supported under users.

  • Setting up a custom unique UserID on CREATE is supported.

  • DELETE operation not supported in Users endpoint.

  • Supported Custom Attributes for Users. Refer How to create custom attributes for users in Successfactors portal

Features available exclusively in SuccessFactors v.5.0

Following are the features that are available exclusively in SuccessFactorsv.5.0:

  • v.5.0 has no feature change only addition is that it supports OAuth Authentication.
  • For detailed explanation on setting up OAuth Authentication, refer SetUp OAuth.

Support for filter condition

SuccessFactors connector supports filter condition for User objects. Filter condition can be applied, and the Users can be retrieved selectively. Based on the supported operators and values provided at the filter the User objects are returned in the response from the connector.

To configure changes to One Identity Manager to support filter conditions

  1. Open the Synchronization Editor tool.

  2. Select SCIM connector.

  3. Select the Target system and navigate to Schema Classes.

    For example - id ne '10056' AND (locale eq 'Cleveland (1000-2011)')

  4. Add a new schema class for the user.

  5. Add the System filter and Select Object condition.

    Click Commit to Database.

  6. In User mappings, create or edit the Target system schema class with the recently created schema and click Commit to Database.

  7. Run the synchronization.

  8. Filter conditions are created.

Supported attributes for filter

  • id
  • userName
  • lastModified
  • meta.lastModified
  • givenName
  • familyName
  • division
  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.division
  • department
  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department

NOTE:

  • The connector supports filter condition in all versions but only for User objects.

  • Supports only AND and OR logical operators.

  • Supports only parenthesis () for grouping the condition.

  • Unsupported attributes in the filter request will be ignored, no error will be thrown.

  • Only the sub-attributes of a complex attribute are supported in filter condition. For example, givenName or familyName

Table 40: Supported operators to filter values
S. No

Operators

OneIM System Filters

OneIM Select Objects

1

eq → equal to

lastModified eq 2020-08-27T15:22:52

lastModified = 2020-08-27T15:22:52

2

ne → not equal to

lastModified ne 2020-08-27T15:22:52

lastModified <> 2020-08-27T15:22:52

3

gt → greater than

lastModified gt 2020-08-27T15:22:52

lastModified > 2020-08-27T15:22:52

4

lt → less than

lastModified lt 2020-08-27T15:22:52

lastModified < 2020-08-27T15:22:52

5

ge → greater than or equal to

lastModified ge 2020-08-27T15:22:52

lastModified >= 2020-08-27T15:22:52

6

le → less than or equal to

lastModified le 2020-08-27T15:22:52

lastModified <= 2020-08-27T15:22:52

Supervisor configuration parameters

SuccessFactors is an integrated human-resources platform. It offers users tools for onboarding, social business, and collaboration along with tools for learning management, performance management, recruiting, applicant tracking, succession planning, talent management, and HR analytics. It is also cloud-based.

To configure the connector, following parameters are required:

Supported objects and operations

Users

Table 35: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PUT

Delete (only till v3.0)

DELETE

Get User (Id)

GET

Get All Users

GET

Get All Users with pagination

GET

Groups

Table 36: Supported operations for Groups

Operation

VERB

Update Group PUT
Get All Groups GET

Get Groups (Id)

GET

Get All Groups with pagination GET

Mandatory fields

Users (v1.0-v3.0)

  • User Name
  • Employee Number
  • Status

Users v4.0

  • UserName

  • UserId

  • Status

User and Group mapping

The user and group mappings are listed in the tables below.

Table 37: User mapping
SCIM parameter SuccessFactors parameter
Id userId
UserName username
Name.GivenName firstName
Name.FamilyName lastName

Name.MiddleName

mi

Name.HonorificSuffix

suffix

Name.Formatted

defaultFullName

DisplayName defaultFullName
Emails.Value email
Addresses.StreetAddress addressLine1
Addresses.Locality city
Addresses.Region state

Addresses.PostalCode

zipCode

Addresses.Country

country

PhoneNumbers.Value

businessPhone

Groups.value

groupId

Groups.display

groupName

Roles.value

user.role.id

Roles.display

user.role.name

UserType

jobTitle

Title

title

Active

status

Locale

defaultLocale

Timezone

timeZone

userExtension.EmployeeNumber

empId

userExtension.Division

division

userExtension.Department

department

userExtension.Gender

gender

userExtension.HireDate

hireDate

userExtension.DateOfBirth

dateOfBirth

Meta.Created

hireDate

Meta.LastModified

lastModified

Table 38: Additional mapping from v4.0 onwards
SCIM parameter SuccessFactors parameter
Location location
UserExtension.UserId userId
userExtension.JobCode jobCode
userExtension.Custom01 custom01
userExtension.Custom02 custom02
userExtension.Custom03 custom03
userExtension.Custom04 custom04
userExtension.Custom05 custom05
userExtension.Custom06 custom06
userExtension.Custom07 custom07
userExtension.Custom08 custom08
userExtension.Custom09 custom09
userExtension.Custom10 custom10
userExtension.Custom11 custom11
userExtension.Custom12 custom12
userExtension.Custom13 custom13
userExtension.Custom14 custom14
userExtension.Custom15 custom15
userExtension.Hr.UserId hr.userId
userExtension.Hr.Email hr.email
userExtension.Hr.Username hr.username
userExtension.Hr.Active hr.status
userExtension.Manager.UserId manager.userId
userExtension.Manager.Email manager.email
userExtension.Manager.Username manager.username
userExtension.Manager.Active manager.status
Table 39: Group mapping
SCIM parameter SuccessFactors parameter
Id groupID
displayName groupName

members.value

userId

members.display

userName

groupExtension.groupType groupType
groupExtension.staticGroup staticGroup
Meta.LastModified lastModifiedDate

Connector limitations

  • Create and Delete group operations are not supported due to cloud application limitations.
  • When the active status is updated to false while performing the PUT operation for a user, the following error appears: user not found. This error occurs because a user is considered as a deleted user when the active status is false. (applicable for version V1 to V3)

  • User update does not support addition and removal of Groups or Roles for a particular user. It is done using group update. This is not applicable for role update.

  • Due to the API limitation of the target system, only the groups with type "permission" and "ectworkflow" are supported by version 3.0 of the connector.

  • User employee number cannot be updated because the cloud application considers employee number as a user Id. (applicable from version V1 till V3)

  • The UPDATE of Static Group supports the change of name and memberships. However, the UPDATE of Dynamic Group supports only the change of name but not the memberships. This is due to the target system behavior.

  • The manager/hr attribute gets added under user only if manager/hr in the request has the status as active.

  • Non-existing users should not be assigned as manager/hr while creating/updating user.

Disable attributes

The Disable attribute feature can be used when you want to skip an attribute that exists in the target system.

For the SuccessFactors connector, the attributes of the User object, including those of Enterprise User, can be disabled or enabled while configuring the connector based on your requirements.

NOTE:

  • Mandatory attributes cannot be disabled.
  • For more information about how to disable attributes in Starling Connect, see Disabling attributes in the Appendix section.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in SuccessFactors v.1.0

Following are the features that are available exclusively in SuccessFactorsv.1.0:

  • Update of basic attributes on Static and Dynamic Groups are supported.

  • Update of Group membership on Static and Dynamic Groups are supported.

  • Update of Dynamic Groups will remove the associated Dynamic Clauses.

  • Supported insert / update / upsert on inactive users using extended permissions.

Features available exclusively in SuccessFactors v.2.0

Following are the features that are available exclusively in SuccessFactors v.2.0:

  • Update of basic attributes on Dynamic Groups are supported.

  • Update of Group membership on Static Groups are supported.

  • Dynamic Group supports group basic attributes update, but not group memberships.

  • Supported insert / update / upsert on inactive users using extended permissions.

  • Static Group Update (supports only Add and Remove operations for Group Members)
  • Dynamic Group Update (supports Group Update without removing the existing dynamic clauses)

    NOTE:

    • These features are available from version 2.0 onwards.
    • In version 1.0, only Dynamic Group Update is supported. Static Group Update is not supported in version 1.0.
    • Version 2.0 is enhanced to allow you to use the Dynamic Group Update operation to update the attributes of a Dynamic Group without removing the dynamic clause that you have added for that Dynamic Group.

      This feature is available from version 2.0 onwards. In version 1.0 of the connector, the Dynamic Group Update function removes the existing dynamic clause that was added for the Dynamic Group.

Features available exclusively in SuccessFactors v.3.0

Following are the features that are available exclusively in SuccessFactorsv.3.0:

  • Supports all the features from v2.0.

  • Synchronization has been improved by limiting the groups type to ‘Permission’ and ‘ectworkflow’.

  • Supports insert / update / upsert on inactive users using extended permissions.

Features available exclusively in SuccessFactors v.4.0

Following are the features that are available exclusively in SuccessFactorsv.4.0:

  • Supported insert / update / upsert on inactive users using extended permissions.

  • Additional attributes ( userId, jobCode, location, All available "CustomXX", hr(complex), manager(complex) ) supported under users.

  • Setting up a custom unique UserID on CREATE is supported.

  • DELETE operation not supported in Users endpoint.

  • Supported Custom Attributes for Users. Refer How to create custom attributes for users in Successfactors portal

Features available exclusively in SuccessFactors v.5.0

Following are the features that are available exclusively in SuccessFactorsv.5.0:

  • v.5.0 has no feature change only addition is that it supports OAuth Authentication.
  • For detailed explanation on setting up OAuth Authentication, refer SetUp OAuth.

Support for filter condition

SuccessFactors connector supports filter condition for User objects. Filter condition can be applied, and the Users can be retrieved selectively. Based on the supported operators and values provided at the filter the User objects are returned in the response from the connector.

To configure changes to One Identity Manager to support filter conditions

  1. Open the Synchronization Editor tool.

  2. Select SCIM connector.

  3. Select the Target system and navigate to Schema Classes.

    For example - id ne '10056' AND (locale eq 'Cleveland (1000-2011)')

  4. Add a new schema class for the user.

  5. Add the System filter and Select Object condition.

    Click Commit to Database.

  6. In User mappings, create or edit the Target system schema class with the recently created schema and click Commit to Database.

  7. Run the synchronization.

  8. Filter conditions are created.

Supported attributes for filter

  • id
  • userName
  • lastModified
  • meta.lastModified
  • givenName
  • familyName
  • division
  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.division
  • department
  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department

NOTE:

  • The connector supports filter condition in all versions but only for User objects.

  • Supports only AND and OR logical operators.

  • Supports only parenthesis () for grouping the condition.

  • Unsupported attributes in the filter request will be ignored, no error will be thrown.

  • Only the sub-attributes of a complex attribute are supported in filter condition. For example, givenName or familyName

Table 40: Supported operators to filter values
S. No

Operators

OneIM System Filters

OneIM Select Objects

1

eq → equal to

lastModified eq 2020-08-27T15:22:52

lastModified = 2020-08-27T15:22:52

2

ne → not equal to

lastModified ne 2020-08-27T15:22:52

lastModified <> 2020-08-27T15:22:52

3

gt → greater than

lastModified gt 2020-08-27T15:22:52

lastModified > 2020-08-27T15:22:52

4

lt → less than

lastModified lt 2020-08-27T15:22:52

lastModified < 2020-08-27T15:22:52

5

ge → greater than or equal to

lastModified ge 2020-08-27T15:22:52

lastModified >= 2020-08-27T15:22:52

6

le → less than or equal to

lastModified le 2020-08-27T15:22:52

lastModified <= 2020-08-27T15:22:52

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation