0% found this document useful (0 votes)
77 views36 pages

SF EC and MS Active Directory en-US

This document provides guidance on integrating SuccessFactors Employee Central with Microsoft Active Directory to automatically synchronize employee data between the two systems. It describes the integration overview, use cases for new hires and terminations, technical setup instructions, and data mapping details.

Uploaded by

raghu veer
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
77 views36 pages

SF EC and MS Active Directory en-US

This document provides guidance on integrating SuccessFactors Employee Central with Microsoft Active Directory to automatically synchronize employee data between the two systems. It describes the integration overview, use cases for new hires and terminations, technical setup instructions, and data mapping details.

Uploaded by

raghu veer
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 36

Integration Guide CUSTOMER

SAP SuccessFactors Employee Central


Document Version: Q1 2017 – 2017-03-10

SuccessFactors Employee Central and Microsoft


Active Directory
Content

1 Integration Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Using the Integration Solution As a Process Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

3 Business Process with Microsoft Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4 Use Cases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
4.1 New Hire/Create a User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2 Termination/Disable User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

5 Landscape Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

6 Accessing the Solution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10


6.1 Accessing the Process Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.2 Deploying the Process Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.3 Configurations for Employee Central API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

7 Employee Data Replication (Create User). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13


7.1 Integration Specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Person Information [EC hris-element-id: personInfo]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Personal Information [EC hris-element-id: personInfo]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Phone Information [EC hris-element-id: phoneInfo]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Email Information [EC hris-element-id: emailInfo]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Job Information [EC hris-element-id: jobInformation]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
7.2 Integration Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Branch 1 – Build Query for Fetching Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Branch 2 – Process Data to Be Sent to Active Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.3 Branch 3 – Capture Execution Timestamp for Next Execution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
7.4 Branch 4 – Error Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
7.5 Setting Up the Standard Data Integration (New Hire). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Extensions for Connection Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Process Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Cross-Reference Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

8 Employee Data Replication (Disable User). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24


8.1 Integration Specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Person Information [EC hris-element-id: personInfo]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Personal Information [EC hris-element-id: personInfo]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Job Information [EC hris-element-id: jobInformation]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

SuccessFactors Employee Central and Microsoft Active Directory


2 CUSTOMER Content
8.2 Integration Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Branch 1 – Build Query for Fetching Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Branch 2 – Process Data to Be Sent to Active Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Branch 3 – Capture Execution Timestamp for Next Execution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Branch 4 – Error Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
8.3 Setting Up the Standard Data Integration (Disable User). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Extensions for Connection Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Process Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Cross-Reference Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

9 Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

SuccessFactors Employee Central and Microsoft Active Directory


Content CUSTOMER 3
1 Integration Overview

This guide is for Professional Services, SAP consultants, and partner consultants to integrate SuccessFactors
Employee Central with Microsoft Active Directory, which is deployed on-premise in the customer landscape inside
their firewall. Integration is through the process library.

SuccessFactors Employee Central and Microsoft Active Directory


4 CUSTOMER Integration Overview
2 Using the Integration Solution As a
Process Library

Use the following steps as a guideline to successfully integrate Employee Central with Active Directory. After
determining your customer's business requirements, adjust this process as needed.

1. Review the Employee Data Replication (Create User) chapter to understand how employee data from
Employee Central is mapped to data in Active Directory.
2. Set up Employee Central. For more information about Employee Central, see the Employee Central Master
Implementation Guide.
3. Make Active Directory specific settings.
4. Get access to the process library.
5. Set up the standard data integration.
6. Extend the standard data integration.

SuccessFactors Employee Central and Microsoft Active Directory


Using the Integration Solution As a Process Library CUSTOMER 5
3 Business Process with Microsoft Active
Directory

Active Directory is a directory service that Microsoft developed for Windows domain networks and is included in
most Windows Server operating systems as a set of processes and services.

It is a directory (list) of network objects; it stores information about network components, that is, organizations,
sites, systems, users, or any other network object. It also includes the ability to record different types of
information about objects, for example, who accessed a network object and when.

Active Directory uses LDAP and DNS technology; it relies on DNS to locate objects within Active Directory. (DNS
provides name resolution between common names, that is, raw IP address and component name.)

The Active Directory domain controller authenticates and authorizes all users and computers in a domain type
network. Every employee in an organization should have an account in Active Directory to access the systems
(resources) in the origination network. (For example, when a user logs on to a computer that is part of the
Windows domain, Active Directory checks the submitted password and determines whether the user is allowed to
log on to the network and whether the user is an administrator or normal user.)

In the absence of a standard integration with Employee Central, the creation of an account in Active Directory is a
manual process, that is, a list of new hires for whom system access needs to be provided is emailed to the network
administrator, which involves a couple of approval processes before the accounts are created manually in Active
Directory. Maintaining the information in Active Directory in the case of a master data change, and disabling the
account in Active Directory in the case of an employee termination are also manual processes.

With the integration of Active Directory and Employee Central, the current manual process can be automated to
create a user account in Active Directory after a new hire event occurs in Employee Central, or a user account in
Active Directory can be disabled without manual intervention after an employee is terminated in Employee Central.

SuccessFactors Employee Central and Microsoft Active Directory


6 CUSTOMER Business Process with Microsoft Active Directory
4 Use Cases

4.1 New Hire/Create a User

When a new employee is hired in Employee Central, a network user account has to be created automatically in
Active Directory for the new employee to log on to the network. The user account credentials for the new
employee need to be emailed to the HR administrator (appropriate contact).

Note
Notification to the employee of the user account credentials is handled by the HR administrator based on the
company process and policies and is outside the scope of this integration.

SuccessFactors Employee Central and Microsoft Active Directory


Use Cases CUSTOMER 7
4.2 Termination/Disable User

When an employee is terminated in Employee Central, a network user account in Active Directory has to be
blocked (disabled) automatically so that the network permission for that employee is revoked. The HR
administrator (appropriate contact) is notified of the account termination in Active Directory by email.

SuccessFactors Employee Central and Microsoft Active Directory


8 CUSTOMER Use Cases
5 Landscape Setup

Customers must deploy a local Boomi Atom on their local server. This will communicate with on-premise Active
Directory via an SSL connection, that is, through TCP port 636.

If the Boomi Atom is installed on a different server than Active Directory, the TCP port 636 must be opened both
ways on a Boomi local Atom server to communicate with Active Directory.

The local Atom must be able to access Employee Central in the cloud outside the customer firewall.

The local Atom must be able to access the Boomi platform, that is, the local Atom must be able to communicate
with the Boomi platform.

Communication with Active Directory via SSL requires the public certificates of the certificate authority (CA) to be
stored on both Active Directory (trusted root certificate) and in the Java key store of the local Atom server.

SuccessFactors Employee Central and Microsoft Active Directory


Landscape Setup CUSTOMER 9
6 Accessing the Solution

The current solution is available only through the process library.

The following two processes are available:

● Packaged Integration: EC Microsoft Active Directory – Create User Account


● Packaged Integration: EC Microsoft Active Directory – Disable User Account

6.1 Accessing the Process Library

A process library is a collection of processes published for the purpose of sharing with managed accounts on a per
account group basis.

Users of managed accounts install copies of library processes in their accounts and typically use the installed
processes as templates for new processes. These activities take place on the Process Library page (Manage →
Process Library).

This solution, when consumed as a process library, makes the current integration process for Active Directory
available as a process in the process library. You can then enhance this process as per the customer's
requirements.

SuccessFactors Employee Central and Microsoft Active Directory


10 CUSTOMER Accessing the Solution
Example
A published and available process library can be used in the following way:

6.2 Deploying the Process Library

Prerequisites

The user account must have the appropriate permissions to deploy, configure, and monitor a process. The
customer Boomi account must be provisioned for access to both the process library and the Atom cloud where it
will be deployed. It assumes that an environment has been created in the customer account and attached to the
Boomi cloud.

To Deploy the Process Library

1. Log on to the customer Boomi account at http://platform.boomi.com using the user name and password.
2. On the Deploy tab, click Processes.
3. Search for and choose either of the following processes: o Packaged Integration: EC Microsoft Active Directory
– Create User Account o Packaged Integration: EC Microsoft Active Directory – Disable User Account
4. Choose the environment on the right-hand side and click Save and Deploy to attach the process to the
selected environment.
5. Navigate to Manage → Atom Management.
6. Click the environment on the left-hand side.
7. Click Environment Extensions on the right-hand side. The Extensions pop-up appears.

SuccessFactors Employee Central and Microsoft Active Directory


Accessing the Solution CUSTOMER 11
6.3 Configurations for Employee Central API

The EmpJob OData API for Employee Central extracts the employee data from Employee Central. It returns the
employee data in a hierarchically structured response XML.

The Employee Central data is fetched using the Employee Central OData API. To extract this data, you must enable
the OData API.

Prerequisites

You have enabled the OData API via Provisioning. The API user has admin access for the OData API. This
permission can be granted in Admin Tools. For more information about OData API configurations, see the
SuccessFactors HCM Suite OData API Programmer's Guide

Note
Currently, location data is fetched via OData API. If you want to use location data, you must configure the OData
API.

SuccessFactors Employee Central and Microsoft Active Directory


12 CUSTOMER Accessing the Solution
7 Employee Data Replication (Create User)

The replication of employee master data from Employee Central to Active Directory uses the OData service from
Employee Central. The data used for replication contains the following elements.

Table 1:

For Information About Compound Employee Element Struc­ See Employee Central hris-element
ture …

Person Information Person Information [EC hris-element-id: personInfo]

Personal Information Personal Information [EC hris-element-id: personInfo]

Phone Information Phone Information [EC hris-element-id: phoneInfo]

Email Address Information E-Mail Information [EC hris-element-id: emailInfo]

Employment Information Job Information [EC hris-element-id: employmentInfo]

7.1 Integration Specification

The following tables list the Employee Central fields required to replicate Employee Central data via middle ware to
Active Directory. They also show which fields you need to map manually and the corresponding picklist IDs.
Descriptions are given of the mapping activities required.

7.1.1 Person Information [EC hris-element-id: personInfo]

Table 2:

Employee Central Description Obligatory for Code Mapping Re­ Picklist ID Active Directory
hris Field Replication? quired? Attribute

person_id_external Employee identifi­ X sAMAccountName


cation number

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Create User) CUSTOMER 13
7.1.2 Personal Information [EC hris-element-id: personInfo]

Table 3:

Employee Cen­ Description Obligatory for Code Mapping Constraint/ Picklist ID/ Active Direc­
tral hris Field Replication? Required? Constant Value Cross-Refer­ tory Attribute
ence ID

firstName First name X X EC Active Direc­ givenName


tory Location
Code Domain
Email

lastName Last name X X EC Active Direc­ sn


tory Location
Code Domain
Email

middleName Middle name X X EC Active Direc­


tory Location
Code Domain
Email

First Name, Last Name, Middle Name

These fields are mapped in Boomi to the fields userDN, displayName, cn, and userPrincipalName via the function
Common Name Formatting. This function uses the following to determine the distinguished name: •

● Process property Common Name Format


● Cross-reference table EC Active Directory Location Code Domain Email
● Employee Central fields First Name, Last Name, Middle Name, Person ID External, Location

The field userDN is determined as a combination of the common name format and the domain name. Domain
names are maintained as a cross-reference table and are defined according to the location of the employee.

The field displayName is determined as a combination of first name and last name.

The field cn is determined according to the value of the process property Common Name Format.

The field userPrincipalName is derived from the combination of the Employee Central field Person ID External and
the domain name maintained in the cross-reference table EC Active Directory Location Code Domain Email against
the employee's location.

SuccessFactors Employee Central and Microsoft Active Directory


14 CUSTOMER Employee Data Replication (Create User)
7.1.3 Phone Information [EC hris-element-id: phoneInfo]

Due to a constraint in Boomi, phone information is transferred according to phone_type.

Table 4:

Employee Cen­ Description Obligatory for Code Mapping Constraint Picklist ID/ Active Direc­
tral hris Field Replication? Required? Value Cross-Refer­ tory Attribute
ence ID

phone_type Phone type X B = Business

phone_number Phone number X telephoneNum­


ber

7.1.4 Email Information [EC hris-element-id: emailInfo]

Due to a constraint in Boomi, email information is transferred according to email_type.

Table 5:

Employee Cen­ Description Obligatory for Code Mapping Constraint Picklist ID/ Active Direc­
tral hris Field Replication? Required? Value Cross-Refer­ tory Attribute
ence ID

email-address Email address mail

email-type Email address B = Business


type

email-type

The Employee Central field email-address is mapped to the field mail in the Active Directory request where email-
type is B (business).

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Create User) CUSTOMER 15
7.1.5 Job Information [EC hris-element-id: jobInformation]

Table 6:

Employee Cen­ Description Obligatory for Code Mapping Constraint/ Picklist ID/ Active Direc­
tral hris Field Replication? Required? Constant Value Cross-Refer­ tory Attribute
ence ID

Location Location X EC Active Direc­


tory Location
Code Domain
Email

Location

The Employee Central field Location is used to derive the domain name, domain path where the user accounts
have to be created in Active Directory, and also the email ID of the HR administrator to whom the notifications of
the process are to be sent.

The field is used in the function Common Name Formatting

7.2 Integration Process Overview

To understand the standard capabilities provided, the integration process as captured in Boomi is described
below.

You need to adjust this process to your customer's needs. The process spans the following four branches:

● Branch 1 – Build Query for Fetching Data


● Branch 2 – Process Data to Be Sent to Active Directory Server
● Branch 3 – Capture Execution Timestamp for Next Execution
● Branch 4 – Error Handling

7.2.1 Branch 1 – Build Query for Fetching Data

This branch checks if an earlier execution is stored in the property LastExecutionTime.

If an earlier execution is not stored there, this branch sets the last execution date of the process as the current
date; otherwise it fetches the last execution date from the previous execution and sends it to the sub process for
building the query to fetch the data.

SuccessFactors Employee Central and Microsoft Active Directory


16 CUSTOMER Employee Data Replication (Create User)
7.2.1.1 Sub: EC Active Directory (Create): Build Employee
Selection Query

1. This process truncates the last 5 digits of the property LOCAL_LAST_MODIFIED_ON and stores the value in
the property TEMP_LAST_MODIFIED_ON.
2. The process checks if Employee Person ID External is set in the extensions by the customer.
○ If set, the process uses the employee configured to define the where clause for the user ID to be fetched.
○ If not set, the process prepares a where clause to fetch the newly hired employee based on the condition
of the last execution timestamp.
OData query:
&$filter=(eventNav/externalCode eq 'H' and ((lastModifiedDateTime ge
datetimeoffset'<LastExecutionDateTime> ' and createdDateTime ge
datetimeoffset'<LastExecutionDateTime> ') or (startDate ge datetime'<LastExecutionDateTime> ' and
startDate le
datetime'<CurrentExecutionDate>')))&fromDate=<CurrentExecutionDate>&toDate=<CurrentExecution
Date>3
Finally, it cleanses the where clause by enclosing the commas with quotes and sets the where clause.

7.2.2 Branch 2 – Process Data to Be Sent to Active Directory


Server

This branch sets the current date and time.

It queries the EMPJOB entity via an OData operation with a depth of 5.

The OData operation has a dynamic filter set as a dynamic process property that is replaced by the WHERE
property set above.

The data fetched as part of the query is now sent for further processing; LOCAL_LAST_MODIFIED_ON is replaced
with the current date and time.

7.2.2.1 Sub: EC Active Directory (Create) – LDAP Call to


Create User Account

Each document is processed individually as follows:

1. The process sets the following local variables: FIRSTNAME, LASTNAME, EMPLOYEEID, LOCATION. These are
used while creating a response message after successful processing of the create user request.
2. The process maps the EMPJOB data to the LDAP create request; it also has logic to format the Employee
Central captured names to the schema of the LDIF output. The rest of the fields are mapped as per the
mapping captured in Integration Specification.
3. The process checks if the mandatory field location is captured in the output field for the LDAP profile
LDAPObject/userDN).

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Create User) CUSTOMER 17
○ If the location is not set, it replaces the response payload with the error message Location Code Not
Found. This error message is then routed to the common success error notification map that sets the
response message out for this payload. Note: An email notification would be sent to the default email
address specified at the Process Level when the employee's location is not set in the value-lookup table.
○ If the location is set, the data is sent to the configured LDAP server using the create request. If the data is
created successfully, a response message is created by replacing the <, > tags from the response body of
the LDAP call. The message then follows the map that maps the message to EC Active Directory Create
CSV Response Profile.
4. The process resumes back to the main process branch and combines the individual document response data
sent by the subprocess LDAP Call to Create User Account as defined above.
5. The process handles each document sent to LDAP and, depending on whether the email connector is
configured, sends the response to the email ID configured as part of the process property HR Email ID and
pushes the data to the Boomi logs, or just pushes the data to the Boomi logs.

Exception Handling

Any exceptions are caught in the exception branch and a flag is set. This flag is used later in the error handling
branch. The exception is also sent to the notification logs in Boomi for further processing in troubleshooting. You
can also attach the exception to the mail connector if the customer would like someone to be notified of such
exceptions.

7.3 Branch 3 – Capture Execution Timestamp for Next


Execution
During postprocessing of the messages, the process property LastExecutionTimeStamp can be updated with the
local property LOCAL_LAST_MODIFIED_ON.

This is used to find the delta run for the next execution.

If the process was executed for a specific set of employees (by setting the process property Employee Person ID
External), the last execution timestamp is not updated.

Kindly ensure that the process property Employee Person ID External is cleaned up after execution; otherwise the
process will not take care of delta updates and will continue to process only a specific set of employees. Normally,
the process is run for a set of employees during troubleshooting because some employees were not processed
successfully in previous runs and now need to be sent again.

7.4 Branch 4 – Error Handling


For individual errors, you can decide whether you want to mark the process as an error, even if only a few
employees were not processed successfully.

Keep in mind that this will mark the process as red in process monitoring until all errors are resolved, that is, even
if only one employee was not processed, the process will be red.

Usage of this branch depends on the customer's requirements. Currently, Boomi provides only two kinds of states:
Error or successful. There is no warning state. Customers can therefore treat warnings as success or error.

SuccessFactors Employee Central and Microsoft Active Directory


18 CUSTOMER Employee Data Replication (Create User)
7.5 Setting Up the Standard Data Integration (New Hire)

7.5.1 Extensions for Connection Settings

SF API/OData Connection

To configure the SuccessFactors connection to the identity provider, make the following entries:

Table 7:

Field Entry

Endpoint Datacenter

Company ID Customer Employee Central company ID

Username/Password API user and password with permission to retrieve data from
the API

LDAP Connection

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Create User) CUSTOMER 19
To configure the process to connect to the LDAP server, make the following entries:

Table 8:

Field Entry

Server Name Hostname of Active Directory server

Port Number 636 (Active Directory uses TCP port 636 for secured commu­
nication)

Username/Password User and password for the server

Mail Connection

To configure the process to connect to the provider’s mail/SMTP server, make the following entries:

SuccessFactors Employee Central and Microsoft Active Directory


20 CUSTOMER Employee Data Replication (Create User)
Table 9:

Field Entry

Host Hostname of provider’s mail/SMTP server

Port Port of provider’s mail/SMTP server

User/Password User and password for provider’s mail/SMTP server

7.5.2 Process Properties

The process properties contain customizing options. To configure the process properties you can override the
default values.

Employee General Settings

You can set the following general properties:

Table 10:

Property Description

Full Name Format This option derives the full name formatting in Active Direc­
tory. The following Full Name type formatting’s are now al­
lowed.

● FirstName (space) LastName


● LastName(comma) FirstName

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Create User) CUSTOMER 21
Property Description

Common Name Format This option derives the common name formatting in Active Di­
rectory. Formatting options are:

● FirstName + LastName
● FirstName + MiddleName + LastName
● LastName + FirstName
● LastName + FirstName + MiddleName
● Employee Central Person_ID_External
● FirstName.LastName

Password Common password for all user accounts

Employee’s Person ID External Comma-delimited list filter for specifying the person_id_exter­
nals to include in the extract

Email Select this checkbox to enable email notifications. By default,


it is not selected.

Email From Email ID of the sender

Default Email Address Default email address for communication. Email notification is
sent to this email address specified at the Process Level when
the employee’s location is not set in the value-lookup table

Advance Replication Period This enables you to replicate the employee data in advance
based on the specified period. This allows you to transfer the
new hire data into the active directory even before the start
date, there-by giving you sufficient time to configure the em­
ployee data for the new employee.

Filter Options

To fetch data based on a particular filter, you can change the same under the process properties of the Boomi
process. The following filters are available for the current integration process:

Table 11:

Filter Description

Employee’s Person ID External Comma-delimited list filter for specifying the person_id_exter­
nals to include in the extract

7.5.3 Cross-Reference Tables

The cross-reference tables are translation tables between the Employee Central picklist entries and the Active
Directory values.

To add or override the existing values, fill out the cross-reference tables as follows:

SuccessFactors Employee Central and Microsoft Active Directory


22 CUSTOMER Employee Data Replication (Create User)
1. Navigate to Manage → Atom Management.
2. Click Environment on the left-hand side.
3. Click Environment Extensions on the right-hand side.
The Extensions pop-up appears.
4. Click Cross-Reference.
5. In the dropdown, choose the cross-reference to be changed.
The following cross-reference tables are available.

Domain and Email

In the first column, enter the Employee Central location code. In the next columns, enter the domain path, HR
email ID, and domain name.

The domain path is used to create the distinguished name. The domain name is used to derive the user principal
name. The HR email ID is used to send the email notifications of the process.

Example
If the distinguished name of the user Carla Grant in Active Directory is CN=Carla
Grant,CN=User,DN=example,DN=com, the UserDN path field contains the path
CN=User,DN=example,DN=com that is, only the path and not the user information.

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Create User) CUSTOMER 23
8 Employee Data Replication (Disable User)

The replication of employee master data from Employee Central to Active Directory uses the OData service from
Employee Central. The data used for replication contains the following elements.

Table 12:

For Information About Compound Employee Element Struc­ See Employee Central hris-element
ture …

Person Information Person Information [EC hris-element-id: personInfo] [HYPER­


LINK REMOVED]

Personal Information Personal Information [EC hris-element-id: personInfo] [HY­


PERLINK REMOVED]

Employment Information Job Information [EC hris-element-id: jobInformation] [HYPER­


LINK REMOVED]

8.1 Integration Specification

The following tables list the Employee Central fields required to replicate Employee Central data via middleware to
Active Directory.

They also show which fields you need to map manually and the corresponding picklist IDs. Descriptions are given
of the mapping activities required.

8.1.1 Person Information [EC hris-element-id: personInfo]

Table 13:

Employee Central Description Obligatory for Code Mapping Re­ Picklist ID Active Directory
hris Field Replication? quired? Attribute

person_id_external Employee identifi­ X


cation number

No further mapping activities are required for these fields.

SuccessFactors Employee Central and Microsoft Active Directory


24 CUSTOMER Employee Data Replication (Disable User)
8.1.2 Personal Information [EC hris-element-id: personInfo]

Table 14:

Employee Cen­ Description Obligatory for Code Mapping Constraint/ Picklist ID/ Active Direc­
tral hris Field Replication? Required? Constant Value Cross-Refer­ tory Attribute
ence ID

firstName First name X X EC Active Direc­


tory Location
Code Domain
Email

lastName Last name X X EC Active Direc­


tory Location
Code Domain
Email

middleName Middle name X X EC Active Direc­


tory Location
Code Domain
Email

First Name, Last Name, Middle Name

These fields are mapped in Boomi to the field userDN via the function Common Name Formatting. This function
uses the following to determine the distinguished name:

● Process property Common Name Format


● Cross-reference table EC Active Directory Location Code Domain Email
● Employee Central fields First Name, Last Name, Middle Name, Person ID External, Location

The field userDN is determined as a combination of common name format and domain name. Domain names are
maintained as a cross-reference table and are defined according to the location of the employee.

8.1.3 Job Information [EC hris-element-id: jobInformation]

Table 15:

Employee Cen­ Description Obligatory for Code Mapping Constraint/ Picklist ID/ Active Direc­
tral hris Field Replication? Required? Constant Value Cross-Refer­ tory Attribute
ence ID

Location Location X EC Active Direc­


tory Location
Code Domain
Email

Location

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Disable User) CUSTOMER 25
The Employee Central field Location is used to derive the domain name, domain path where the user accounts
have to be created in Active Directory, and also the email ID of the HR administrator to whom the notifications of
the process are to be sent. The field is used in the function Common Name Formatting.

8.2 Integration Process Overview

To understand the standard capabilities provided, the integration process as captured in Boomi is described
below.

You need to adjust this process to your customer's needs.

The process spans the following four branches:

● Branch 1 – Build Query for Fetching Data


● Branch 2 – Process Data to Be Sent to Active Directory Server
● Branch 3 – Capture Execution Timestamp for Next Execution
● Branch 4 – Error Handling .

8.2.1 Branch 1 – Build Query for Fetching Data

This branch checks if an earlier execution is stored in the property LastExecutionTime.

If an earlier execution is not stored there, this branch sets the last execution date of the process as the current
date; otherwise it fetches the last execution date from the previous execution and sends it to the subprocess for
building the query to fetch the data.

8.2.1.1 Sub: EC Active Directory (Disable): Build Employee


Selection Query

1. This process truncates the last 5 digits of the property LOCAL_LAST_MODIFIED_ON and stores the value in
the property TEMP_LAST_MODIFIED_ON.
2. 2. The process checks if Employee Person ID External is set in the extensions by the customer.
○ If set, the process uses the employee configured to define the where clause for the user ID to be fetched.
○ If not set, the process prepares a where clause to fetch the terminated employee based on the condition of
the last execution timestamp.
OData query:
&$filter=(eventNav/externalCode eq '26' and ((lastModifiedDateTime ge
datetimeoffset'<LastExecutionDateTime> ' and createdDateTime ge
datetimeoffset'<LastExecutionDateTime> ') or (startDate ge datetime'<LastExecutionDateTime> ' and
startDate le
datetime'<CurrentExecutionDate>')))&fromDate=<CurrentExecutionDate>&toDate=<CurrentExecution
Date>3.

SuccessFactors Employee Central and Microsoft Active Directory


26 CUSTOMER Employee Data Replication (Disable User)
Finally, it cleanses the where clause by enclosing the commas with quotes and sets the where clause.

8.2.2 Branch 2 – Process Data to Be Sent to Active Directory


Server

This branch sets the current date and time.

It queries the EMPJOB entity via an OData operation with a depth of 5.

The OData operation has a dynamic filter set as a dynamic process property that is replaced by the WHERE
property set above.

The data fetched as part of the query is now sent for further processing; LOCAL_LAST_MODIFIED_ON is replaced
with the current date and time.

8.2.2.1 Sub: EC Active Directory (Create) – LDAP Call to


Create User Account

Each document is processed individually as follows:

1. 1. The process sets the local variables FIRSTNAME, LASTNAME, EMPLOYEEID, LOCATION. These are used
while creating a response message after successful processing of the create user request.
2. 2. The process maps the EMPJOB data to the LDAP disable account request; it also has logic to format the
Employee Central captured names to the schema of the LDIF output. The rest of the fields are mapped as per
the mapping captured in Integration Specification.
3. 3. The process checks if the mandatory field location is captured in the output field for the LDAP profile
LDAPObject/userDN).
○ If the location is not set, it replaces the response payload with the error message Location Code Not
Found. This error message is then routed to the common success error notification map that sets the
response message out for this payload.
○ If the location is set, the data is sent to the configured LDAP server using the update request. If the data is
updated successfully, a response message is created by replacing the <, > tags from the response body of
the LDAP call . The message then follows the map that maps the message to EC Active Directory (Disable)
CSV Response Profile.
4. 4. The process resumes back to the main process branch and combines the individual document response
data sent by the subprocess LDAP Call to Update User Account as defined above.
5. 5. The process handles each document sent to LDAP and, depending on whether the email connector is
configured, sends the response to the email ID configured as part of the process property HR Email ID and
pushes the data to the Boomi logs, or just pushes the data to the Boomi logs.

Exception Handling

Any exceptions are caught in the exception branch and a flag is set. This flag is used later in the error handling
branch. The exception is also sent to the notification logs in Boomi for further processing in troubleshooting. You
can also attach the exception to the mail connector if the customer would like someone to be notified of such
exceptions.

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Disable User) CUSTOMER 27
8.2.3 Branch 3 – Capture Execution Timestamp for Next
Execution
During postprocessing of the messages, the process property LastExecutionTimeStamp can be updated with the
local property LOCAL_LAST_MODIFIED_ON.

This is used to find the delta run for the next execution. If the process was executed for a specific set of employees
(by setting the process property Employee Person ID External), the last execution timestamp is not updated.
Kindly ensure that the process property Employee Person ID External is cleaned up after execution; otherwise the
process will not take care of delta updates and will continue to process only a specific set of employees.

Normally, the process is run for a set of employees during troubleshooting because some employees were not
processed successfully in previous runs and now need to be sent again.

8.2.4 Branch 4 – Error Handling

For individual errors, you can decide whether you want to mark the process as an error, even if only a few
employees were not processed successfully. Keep in mind that this will mark the process as red in process
monitoring until all errors are resolved, that is, even if only one employee was not processed, the process will be
red.

Usage of this branch depends on the customer's requirements. Currently, Boomi provides only two kinds of states:
Error or successful. There is no warning state. Customers can therefore treat warnings as success or error.

8.3 Setting Up the Standard Data Integration (Disable User)


8.3.1 Extensions for Connection Settings

SuccessFactors Employee Central and Microsoft Active Directory


28 CUSTOMER Employee Data Replication (Disable User)
To configure the SuccessFactors connection to the identity provider, make the following entries:

Table 16:

Field Entry

Endpoint Datacenter

Company ID Customer Employee Central company ID

Username/Password API user and password with permission to retrieve data from
the API

LDAP Connection

To configure the process to connect to the LDAP server, make the following entries:

Table 17:

Field Entry

Server Name Hostname of Active Directory server

Port Number 636 (Active Directory uses TCP port 636 for secured commu­
nication)

Username/Password User and password for the server

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Disable User) CUSTOMER 29
Mail Connection

To configure the process to connect to the provider’s mail/SMTP server, make the following entries:

Table 18:

Field Entry

Host Hostname of provider’s mail/SMTP server

Port Port of provider’s mail/SMTP server

User/Password User and password for provider’s mail/SMTP server

8.3.2 Process Properties

The process properties contain customizing options. To configure the process properties, you can override the
default values.

Employee General Settings

SuccessFactors Employee Central and Microsoft Active Directory


30 CUSTOMER Employee Data Replication (Disable User)
You can set the following general properties:

Table 19:

Property Description

Full Name Format This option derives the full name formatting in Active Direc­
tory. The following Full Name type formatting’s are now al­
lowed.

FirstName (space) LastName

LastName(comma) FirstName

Common Name Format This option derives the common name formatting in Active Di­
rectory. Formatting options are:

FirstName + LastName

FirstName + MiddleName + LastName

LastName + FirstName

LastName + FirstName + MiddleName

Employee Central Person_ID_External

FirstName.LastName

Password Common password for all user accounts

Employee’s Person ID External Comma-delimited list filter for specifying the person_id_exter­
nals to include in the extract

SuccessFactors Employee Central and Microsoft Active Directory


Employee Data Replication (Disable User) CUSTOMER 31
Property Description

Email Select this checkbox to enable email notifications. By default,


it is not selected.

Email From Email ID of the sender

Default Email Address Default email address for communication. Email notification is
sent to this email address specified at the Process Level when
the employee’s location is not set in the value-lookup table

Filter Options

To fetch data based on a particular filter, you can change the same under the process properties of the Boomi
process. The following filters are available for the current integration process:

Table 20:

Filter Description

Employee’s Person ID External Comma-delimited list filter for specifying the person_id_exter­
nals to include in the extract

8.3.3 Cross-Reference Tables

The cross-reference tables are translation tables between the Employee Central picklist entries and the Active
Directory values.

To add or override the existing values, fill out the cross-reference tables as follows:

1. Navigate to Manage → Atom Management.


2. Click Environment on the left-hand side.
3. Click Environment Extensions on the right-hand side. The Extensions pop-up appears.
4. Click Cross-Reference.
5. In the dropdown, choose the cross-reference to be changed. The following cross-reference tables are
available.

Domain and Email

In the first column, enter the Employee Central location code. In the next columns, enter the domain path, HR
email ID, and domain name.

The domain path is used to create the distinguished name. The domain name is used to derive the user principal
name. The HR email ID is used to send the email notifications of the process.

SuccessFactors Employee Central and Microsoft Active Directory


32 CUSTOMER Employee Data Replication (Disable User)
9 Limitations

Only the new hire and termination scenarios are supported in the current release.

Rehire, transfer, and data changes are out of scope. Activating an inactive account in Active Directory is not
supported. The distinguished name (that is, the key in Active Directory to uniquely identify the user) is not stored
in the middleware. This means that whenever a user needs to be created or disabled, the distinguished name is
built in the middleware based on the configuration. We therefore strongly recommend not changing the formatting
option once initially decided or set. The common name formatting settings must be the same for both create and
disable user account processes.

SuccessFactors Employee Central and Microsoft Active Directory


Limitations CUSTOMER 33
Important Disclaimers and Legal Information

Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.

Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see:
http://help.sap.com/disclaimer).

SuccessFactors Employee Central and Microsoft Active Directory


34 CUSTOMER Important Disclaimers and Legal Information
SuccessFactors Employee Central and Microsoft Active Directory
Important Disclaimers and Legal Information CUSTOMER 35
go.sap.com/registration/
contact.html

© 2017 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.

You might also like