Sales Factor
OpenIAM is implementing SuccessFactors Connector to connect with OpenIAM to perform following operations:
- Save. Handles both create user and update existing user's functions to in the system.
- Search. Allows searching the users based on given filter criteria.
- Delete. Makes the user inactive in SFSF, because delete operation is not supported in the system.
- Reset password. Resets the given user password.
- Suspend. Makes the user inactive in SFSF.
- Resume. Makes the user active in SFSF.
- Import Users. Enables search operation from SFSF to get users data with entitlement like permissions, groups and roles.
Connection information
To make OData API connection observe the required items from SuccessFactors. They are given in the table below.
Name | Sample values |
---|---|
Datacenter API URL | https://apisalesdemo8.successfactors.com/ |
Company Id | SFPART060810 |
Username | sfadmin |
client_id | NDJjMDlkMGFiYzc2NWNmMjM1MjZlNzY |
token_url | https://apisalesdemo8.successfactors.com/oauth/token |
private_key | xxxx |
grant_type | urn:ietf:params:oauth:grant-type:saml2-bearer |
Data mapping
User entity in SFSF requires some information. The table below gives the data for required fields and filterable fields.
Field name | Required | Filterable |
---|---|---|
addressLine1 | false | false |
addressLine2 | false | false |
addressLine3 | false | false |
businessPhone | false | false |
cellPhone | false | false |
citizenship | false | false |
city | false | false |
companyExitDate | false | false |
country | false | false |
dateOfBirth | false | false |
dateOfPosition | false | false |
department | false | true |
division | false | true |
false | false | |
empId | false | false |
fax | false | false |
firstName | false | true |
gender | false | false |
hireDate | false | false |
homePhone | false | false |
jobCode | false | true |
jobTitle | false | false |
lastModified | false | true |
lastModifiedDateTime | false | true |
lastName | false | true |
location | false | true |
manager | false | true |
hr | false | true |
married | false | false |
mi | false | false |
nationality | false | false |
ssn | false | false |
timeZone | false | false |
title | false | false |
userId | true | true |
status | true | true |
username | false | true |
password | false | false |
zipCode | false | false |
Note: Last Modified fields are not for save and update.
SuccessFactors Connector C# Module Information
Create SFSF connector in C# .net framework 4.5 class library project. The purpose of this library is to maintain connection with SFSF with required parameters.
Class Name | Parameters | Description |
---|---|---|
Connection | 1. URL; 2. client_id; 3. username; 4. token_url; 5. private_key; 6. company_id; 7. ConnectorFolder | Makes connection with SFSF and all the parameters, which will be passed by OpenIAM Rabbit IMQ in the form of JSON. After making successful connection, this class returns bearer token to perform further operations. |
GetUsers | 1. URL; 2. client_id; 3. username; 4. token_url; 5. private_key 6. company_Id; 7. fields 8. filter; 9. ConnectorFolder. | Makes connection with SFSF and all the parameters, as well as fields and filter to get user data from SFSF to send back to OpenIAM. This method can be used for importing existing users from SFSF, entitlements like group and simply sending groups and roles as fields from OpenIAM need roles. |
Upsert | 1. URL; 2. access_token; 3. Json; 4. ConnectorFolder. | This method will call for save new and existing users in SFSF as well as other operations. |
It will receive the JSON from PowerShell and send to SuccessFactors. |
PowerShell Information
In PowerShell already has predefined methods such as calling C# module functions.
Get-SAPData: Calling in SEARCH predefined function to get data from SFSF. Save-SAPData: Calling in SAVE, SUSPEND, RESET-PASSORD and RESUME predefined functions.
Security Considerations
SuccessFactors needs to have below permissions to do API operations.
- SF API user Security roles:
- Administrator Permissions -> Employee Central API -> Employee Central HRIS OData API (editable).
- Administrator Permissions -> Employee Central API -> Employee Central HRIS SOAP API.
- To get permissions related groups and roles, it is needed to add API user in below section.
Filter Query
Find by single field: username eq 'sfadmin' Find by status field get all active users: status eq 't' Find by delta: lastModified ge '2022-01-01T00:00:00'
Additional notes
If API user will not have required permissions, then nothing will work. Before starting, please make sure API user will have all the required permissions as mentioned above.
Additionally, one need to consider the following when working with suspend users in SuccessFactors:
- SEARCH after SUSPEND.
Question: When I try to get user after send SUSPEND - I got empty value. In SFSF if user will be inactive, so it will not appear in query. Is it limit of Susccessfactor? Why cannot we return user with status = f?
Answer: This is SFSF limitation.
Search is used to detect whether user exist before saving.
- Provisioning of a new user in OpenIAM.
SuccessFactors have user with userId = test01 and status =f (suspended)
OpenIAM has no such user. We create new user with userId = test01 and sent provision to connector.
Question: What are connector actions for this? Got error? Override suspended user in SuccessFactors?
Answer: It will be active because user ID is already there and the status is sent = t means 'make him active'.
- Synchronization
Question: We search users in SuccessFactors and create users in OpenIAM. We can't synchronize a suspended user. And in OpenIAM their status was not changed (We don't know if their status is suspend or such user does not exist).
Answer: Nothing can be said here due to SFSF limitation.
- Reconciliation
Question: We have different action for different cases, for example:
- User exist in OpenIAM and SuccessFactors - one action (for example update user on OpenIAM from SuccessFactors or update user in SuccessFactors from OpenIAM.)
- user exist in OpenIAM but does not exist in SuccessFactors - other action.
Do we create user in SuccessFactors, or delete user in OpenIAM?
We need have information if user exist but have disable status.
Answer: Nothing can be said here due to SFSF limitation.