Synchronization Scripts

As discussed in the Administrator's guide, synchronization in OpenIAM supports both automated provisioning and the import of data from various systems through connectors. These processes make extensive use of Groovy scripts, which can be customized to meet each company's unique requirements. The sections below are split into user provisioning and importing non-user objects (i.e. entitlements).

Scripts to automate user provisioning

Automated user provisioning requires that every step in the user life cycle is supported. To demonstrate how this can be implemented in OpenIAM, all the examples below are based on a common dataset (from a CSV file or a connector). Each step builds on the previous one, and the result is a unified transformation script.

Example Data

Field Name | Data type | Description
FIRST_NAME | String | Employee's first name
LAST_NAME | String | Employee's last name
PREFERRED_NAME | String | Alternate employee name
EMPLOYEE_ID | String | Unique identifier for the employee within the HR system
SUPERVISOR | String | Manager's username
START_DATE | Date | Date a person joins the company
LAST_DATE | Date | Person's last date at the company
COMPANY | String | Name of the company
DEPARTMENT | String | Name of the department the employee works in
Email | String | Email address
PHONE | String | Employee's desk phone
MOBILE_PHONE | String | Employee's mobile phone
STATUS | String | Employee's status - Active, Terminated, Leave
TITLE | String | Employee's corporate title, which describes their job function
TYPE | String | Type of employee - Employee, Contractor, etc.
ADDRESS | String | Employee's street address
CITY | String | Employee's city or town
STATE | String | State or province
POSTAL_CODE | String | Zip or postal code
COUNTRY | String | Two-character country code
BADGE_NUMBER | String | Employee badge ID


Related to this, the example assumes that you have created a few business roles as described in the Access control section. The script will map job title to these roles and later demonstrate how you can use this mapping to support position changes.

Roles used in the example:

  • Developer
  • Sr Developer
  • Helpdesk Engineer
  • Architect

The example will also need some test organizations, which can be created using the UI. We will use the following organization data:

  • MyCorp (Type - Organization)
    • North America (Type - Division)
      • NA-Sales (Type - department)
      • NA-Finance (Type - department)
      • NA-Support (Type - department)
    • EU (Type - Division)
      • EU-Sales (Type - department)
      • EU-Finance (Type - department)
      • EU-Support (Type - department)

Below is a data sample that can be used in conjunction with the scripts developed here.

JOHN,MANAGER,JACK,SOMEONE@OPENAM.COM,914-123-456,,Developer,,MyCorp,NA-Sales,ACTIVE,11111,123,123 MAIN ST,BOSTON,MA, 11111,US,EMPLOYEE
THOMAS,HELPDESK,TOMMY,SOMEONE3@OPENAM.COM,914-123-456,646-1234-5674,Helpdesk Engineer,JACK MANAGER,MyCorp,EU-Sales,ACTIVE,11112,124,123 MAIN ST,BOSTON,MA, 22222, US,CONTRACTOR
William,ENDUSER2,Bill,SOMEONE3@OPENAM.COM,914-123-456,407-343-4534,Architect,JACK MANAGER,MyCorp,NA-Support,ACTIVE,11114,126,123 MAIN ST,BOSTON,MA,44444,MX,EMPLOYEE
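As an added example (not code from the OpenIAM documentation or product), the following standalone Groovy parses the sample rows above, trims the stray whitespace they contain, and derives the business role, division and life cycle action for each row. It does not use OpenIAM's sync API; the column order (inferred from the sample rows, which carry no START_DATE or LAST_DATE), the EMAIL header name and the handling of the LEAVE status are assumptions.

```groovy
class HrRowTransform {
    // Column order inferred from the sample rows (assumption: no START_DATE/LAST_DATE in the feed).
    static final List<String> COLUMNS = [
        'FIRST_NAME', 'LAST_NAME', 'PREFERRED_NAME', 'EMAIL', 'PHONE', 'MOBILE_PHONE',
        'TITLE', 'SUPERVISOR', 'COMPANY', 'DEPARTMENT', 'STATUS', 'EMPLOYEE_ID',
        'BADGE_NUMBER', 'ADDRESS', 'CITY', 'STATE', 'POSTAL_CODE', 'COUNTRY', 'TYPE'
    ]
    // Business roles from the Access control section. An unknown title yields no role,
    // never a default one, so a typo in the HR feed cannot grant unintended access.
    static final Map<String, String> TITLE_TO_ROLE = [
        'developer': 'Developer', 'sr developer': 'Sr Developer',
        'helpdesk engineer': 'Helpdesk Engineer', 'architect': 'Architect'
    ]
    // Department -> division, taken from the MyCorp organization tree above.
    static final Map<String, String> DEPT_TO_DIVISION = [
        'NA-Sales': 'North America', 'NA-Finance': 'North America', 'NA-Support': 'North America',
        'EU-Sales': 'EU', 'EU-Finance': 'EU', 'EU-Support': 'EU'
    ]
    // Assumption: LEAVE and any unexpected status are held for review rather than acted on.
    static final Map<String, String> STATUS_TO_ACTION = ['ACTIVE': 'provision', 'TERMINATED': 'deprovision']

    /** Split one CSV line, keep empty fields, trim stray whitespace and key by column name. */
    static Map<String, String> parseRow(String line) {
        List<String> values = line.split(',', -1)*.trim()
        if (values.size() != COLUMNS.size()) {
            throw new IllegalArgumentException("expected ${COLUMNS.size()} fields, got ${values.size()}")
        }
        return [COLUMNS, values].transpose().collectEntries()
    }

    /** Decide what the sync script should do with a row; 'reject' means do not provision. */
    static Map transform(Map<String, String> row) {
        String role = TITLE_TO_ROLE[row.TITLE.toLowerCase()]
        String division = DEPT_TO_DIVISION[row.DEPARTMENT]
        String action = STATUS_TO_ACTION[row.STATUS.toUpperCase()] ?: 'review'
        // Refuse to provision when the role, company or organization cannot be resolved.
        if (action == 'provision' && (role == null || division == null || row.COMPANY != 'MyCorp')) {
            action = 'reject'
        }
        return [employeeId: row.EMPLOYEE_ID, role: role, division: division,
                department: row.DEPARTMENT, supervisor: row.SUPERVISOR ?: null, action: action]
    }
}

// Two of the sample rows from the page; the second one carries the stray spaces seen above.
['JOHN,MANAGER,JACK,SOMEONE@OPENAM.COM,914-123-456,,Developer,,MyCorp,NA-Sales,ACTIVE,11111,123,123 MAIN ST,BOSTON,MA, 11111,US,EMPLOYEE',
 'THOMAS,HELPDESK,TOMMY,SOMEONE3@OPENAM.COM,914-123-456,646-1234-5674,Helpdesk Engineer,JACK MANAGER,MyCorp,EU-Sales,ACTIVE,11112,124,123 MAIN ST,BOSTON,MA, 22222, US,CONTRACTOR'
].each { line -> println HrRowTransform.transform(HrRowTransform.parseRow(line)) }
```

Both rows resolve to action 'provision' with roles Developer and Helpdesk Engineer under the North America and EU divisions; a row with an unlisted title or department is reported as 'reject' so the transformation script can skip it.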

User life cycle events

Life cycle stage | Description
Joiners | Script to support common activities related to a new hire

Importing entitlements from your applications

In an IAM project, a common task is to import entitlements from the systems you need to connect with, so that you can both:

  • Create a user profile that shows the access a user has across all applications.
  • Develop the service catalog.

OpenIAM does not, by default, let you import both users and the list of entitlements in one process. You must proceed in two steps:

  • Import your entitlements
  • Import users + their entitlements

The sections below describe how to achieve the first step, importing your entitlements. Since OpenIAM lets you import a variety of entitlement types, the list below is organized by object type.