OpenIAM is implementing SuccessFactors Connector to connect with OpenIAM to perform following operations:

• Save. Handles both create users and update existing user's functions to in the system.
• Search. Allows searching the users based on given filter criteria.
• Delete. Makes the user inactive in SFSF, because delete operation is not supported in the system.
• Reset password. Resets the given user password.
• Suspend. Makes the user inactive in SFSF.
• Resume. Makes the user active in SFSF.
• Import Users. Enables search operation from SFSF to get users data with entitlement like permissions, groups and roles.

Connection information

To make an OData API connection observe the required items from SuccessFactors. They are given in the table below.

Data mapping

User entity in SFSF requires some information. The table below gives the data for required fields and filterable fields.

Note: Last Modified fields are not for save and update.

SuccessFactors Connector C# Module Information

Create SFSF connector in C# .net framework 4.5 class library project. The purpose of this library is to maintain connection with SFSF with required parameters.

PowerShell Information

In PowerShell already has predefined methods such as calling C# module functions.

Get-SAPData: Calling in SEARCH predefined function to get data from SFSF. Save-SAPData: Calling in SAVE, SUSPEND, RESET-PASSORD and RESUME predefined functions.

Security Considerations

SuccessFactors needs to have below permissions to do API operations.

• SF API user Security roles:
  • Administrator Permissions -> Employee Central API -> Employee Central HRIS OData API (editable).
  • Administrator Permissions -> Employee Central API -> Employee Central HRIS SOAP API.
  • To get permissions related to groups and roles, it is needed to add an API user in the section below.

Filter Query

Find by single field: username eq 'sfadmin' Find by status field get all active users: status eq 't' Find by delta: lastModified ge '2022-01-01T00:00:00'

Additional notes

If API users will not have required permissions, then nothing will work. Before starting, please make sure API users will have all the required permissions as mentioned above.

Additionally, one need to consider the following when working with suspend users in SuccessFactors:

1. SEARCH after SUSPEND.

Question: I’m trying to get a user after sending SUSPEND - I got an empty value. In SFSF if the user is inactive, it will not appear in the query. Is it the limit of SuccessFactors? Why cannot we return a user with status = f?

Answer: This is a SFSF limitation.

Search is used to detect whether a user exists before saving.

2. Provisioning of a new user in OpenIAM.

SuccessFactors have user with userId = test01 and status =f (suspended)

OpenIAM has no such user. A new user is created with userId = test01 and sent provision to the connector.

Question: What are connector actions for this? Got an error? Override suspended users in SuccessFactors?

Answer: It will be active because the user ID is already there and the status is sent = t means 'make him active'.

3. Synchronization

Question: We search users in SuccessFactors and create users in OpenIAM. We can't synchronize a suspended user. And in OpenIAM their status was not changed (We don't know if their status is suspended or such user does not exist).

Answer: Nothing can be said here due to SFSF limitations.

4. Reconciliation

Question: We have different action for different cases, for example:

• Users exist in OpenIAM and SuccessFactors - one action (for example update user on OpenIAM from SuccessFactors or update user in SuccessFactors from OpenIAM.)
• Users exist in OpenIAM but do not exist in SuccessFactors - other actions.

Do we create users in SuccessFactors, or delete users in OpenIAM?

We need to have information if a user exists but has a disabled status.

Answer: Nothing can be said here due to SFSF limitations.