Sales Factor

OpenIAM is implementing SuccessFactors Connector to connect with OpenIAM to perform following operations:

Save. Handles both create user and update existing user's functions to in the system.
Search. Allows searching the users based on given filter criteria.
Delete. Makes the user inactive in SFSF, because delete operation is not supported in the system.
Reset password. Resets the given user password.
Suspend. Makes the user inactive in SFSF.
Resume. Makes the user active in SFSF.
Import Users. Enables search operation from SFSF to get users data with entitlement like permissions, groups and roles.

Connection information

To make OData API connection observe the required items from SuccessFactors. They are given in the table below.

Name	Sample values
Datacenter API URL	https://apisalesdemo8.successfactors.com/
Company Id	SFPART060810
Username	sfadmin
client_id	NDJjMDlkMGFiYzc2NWNmMjM1MjZlNzY
token_url	https://apisalesdemo8.successfactors.com/oauth/token
private_key	xxxx
grant_type	urn:ietf:params:oauth:grant-type:saml2-bearer

Data mapping

User entity in SFSF requires some information. The table below gives the data for required fields and filterable fields.

Field name	Required	Filterable
addressLine1	false	false
addressLine2	false	false
addressLine3	false	false
businessPhone	false	false
cellPhone	false	false
citizenship	false	false
city	false	false
companyExitDate	false	false
country	false	false
dateOfBirth	false	false
dateOfPosition	false	false
department	false	true
division	false	true
email	false	false
empId	false	false
fax	false	false
firstName	false	true
gender	false	false
hireDate	false	false
homePhone	false	false
jobCode	false	true
jobTitle	false	false
lastModified	false	true
lastModifiedDateTime	false	true
lastName	false	true
location	false	true
manager	false	true
hr	false	true
married	false	false
mi	false	false
nationality	false	false
ssn	false	false
timeZone	false	false
title	false	false
userId	true	true
status	true	true
username	false	true
password	false	false
zipCode	false	false

Note: Last Modified fields are not for save and update.

SuccessFactors Connector C# Module Information

Create SFSF connector in C# .net framework 4.5 class library project. The purpose of this library is to maintain connection with SFSF with required parameters.

Class Name	Parameters	Description
Connection	1. URL; 2. client_id; 3. username; 4. token_url; 5. private_key; 6. company_id; 7. ConnectorFolder	Makes connection with SFSF and all the parameters, which will be passed by OpenIAM Rabbit IMQ in the form of JSON. After making successful connection, this class returns bearer token to perform further operations.
GetUsers	1. URL; 2. client_id; 3. username; 4. token_url; 5. private_key 6. company_Id; 7. fields 8. filter; 9. ConnectorFolder.	Makes connection with SFSF and all the parameters, as well as fields and filter to get user data from SFSF to send back to OpenIAM. This method can be used for importing existing users from SFSF, entitlements like group and simply sending groups and roles as fields from OpenIAM need roles.
Upsert	1. URL; 2. access_token; 3. Json; 4. ConnectorFolder.	This method will call for save new and existing users in SFSF as well as other operations.
It will receive the JSON from PowerShell and send to SuccessFactors.

PowerShell Information

In PowerShell already has predefined methods such as calling C# module functions.

Get-SAPData: Calling in SEARCH predefined function to get data from SFSF. Save-SAPData: Calling in SAVE, SUSPEND, RESET-PASSORD and RESUME predefined functions.

Security Considerations

SuccessFactors needs to have below permissions to do API operations.

SF API user Security roles:
- Administrator Permissions -> Employee Central API -> Employee Central HRIS OData API (editable).
- Administrator Permissions -> Employee Central API -> Employee Central HRIS SOAP API.
- To get permissions related groups and roles, it is needed to add API user in below section.

Filter Query

Find by single field: username eq 'sfadmin' Find by status field get all active users: status eq 't' Find by delta: lastModified ge '2022-01-01T00:00:00'

Additional notes

If API user will not have required permissions, then nothing will work. Before starting, please make sure API user will have all the required permissions as mentioned above.

Additionally, one need to consider the following when working with suspend users in SuccessFactors:

SEARCH after SUSPEND.

Question: When I try to get user after send SUSPEND - I got empty value. In SFSF if user will be inactive, so it will not appear in query. Is it limit of Susccessfactor? Why cannot we return user with status = f?

Answer: This is SFSF limitation.

Search is used to detect whether user exist before saving.

Provisioning of a new user in OpenIAM.

SuccessFactors have user with userId = test01 and status =f (suspended)

OpenIAM has no such user. We create new user with userId = test01 and sent provision to connector.

Question: What are connector actions for this? Got error? Override suspended user in SuccessFactors?

Answer: It will be active because user ID is already there and the status is sent = t means 'make him active'.

Synchronization

Question: We search users in SuccessFactors and create users in OpenIAM. We can't synchronize a suspended user. And in OpenIAM their status was not changed (We don't know if their status is suspend or such user does not exist).

Answer: Nothing can be said here due to SFSF limitation.

Reconciliation

Question: We have different action for different cases, for example:

User exist in OpenIAM and SuccessFactors - one action (for example update user on OpenIAM from SuccessFactors or update user in SuccessFactors from OpenIAM.)
user exist in OpenIAM but does not exist in SuccessFactors - other action.

Do we create user in SuccessFactors, or delete user in OpenIAM?

We need have information if user exist but have disable status.

Answer: Nothing can be said here due to SFSF limitation.

Dynamics365 Finance&Operations connector

Using PowerShell connectors