HRIS User Attribute and AD Group Mapping?

Hello – we are currently running OneIM 8.1.3 and have our HRIS system successfully sending user data into our DB and synced with Active Directory. We recently ran across a use case that requires that a user from our HRIS system with a Sub-Department listed as “xyz” will need to be mapped to the corresponding group in AD during create/update functions.

Therefore, if we have John Doe starting tomorrow and his Sub-Dept group attribute within the HRIS system is “Finance Core”, then the requirement is that when his profile object is created in AD by OneIM, his profile automatically gets the corresponding Finance Core AD group added to it as well. Can anyone advise on a way to successfully do this? We’re new to OneIM and researching the best way to accomplish this. Thanks in advance for any help.

  • A business role could do the job here. When this Finance Core is set in the HRIS system, does anything get set on the Person object in Identity Manager, such as a custom column or an out-of-the-box column?

  • Hi Troy - Thanks for your response. When the Finance Core sub-dept is set in the HRIS system, nothing actually happens and/or is set on the Person object in OneIM. We actually pull down a CSV from the HRIS system with the user data, then import it into OneIM, where additional workflows trigger to create/update the Person records. This AD group mapping is a different use case for us, however, as we're not sure how to map the user attribute (sub-dept) from HRIS to a specific ADS group. Hope this helps, and please let me know if you need any additional info. Thanks

  • Why don't you have your CSV import write the value to one of the custom property columns on the Person object? Then have a business role that looks at that column and, based on the value within it, grants this AD group. This way, if the user leaves that sub-dept, the Person object no longer meets the condition of the business role and therefore the AD group is removed.

  • Thanks Troy, this guidance definitely helps. Just one more quick question: when you say “have a business role that looks at that column and grants AD group”, can this be done via standard configuration with the Manager tool? Or would we need to script this part out, essentially? Thanks

  • It is done out of the box; you can use what's called a dynamic role. With this you can set a condition on the Person object. I have a simple one pasted below where, if a Person object has the department set as IT, then they are a member of this business role. As you can see, if a Person object meets the criteria of this business role they will get a membership to the Active Directory group999.
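The flow described in the two replies above (CSV import fills a custom Person column; a dynamic role with a SQL condition on that column entitles the AD group; the membership is withdrawn when the condition stops matching) can be modelled end to end. The script below is an added example written for this thread; it is not One Identity Manager code and does not use its API. It assumes an in-memory SQLite table as a stand-in for the Person table, uses the OneIM-style column name CustomProperty01 as the target of the import (the other column names, the accounts, and the AD group names are constructed sample values), and evaluates each dynamic role's condition as a plain SQL WHERE clause, which is how the condition is written in the Manager but without OneIM's own evaluation engine.

```python
"""Model: HRIS CSV -> Person.CustomProperty01 -> dynamic role condition -> AD group add/remove.

Added example for this thread; not OneIM code. Column names, accounts and group
names are constructed assumptions, and SQLite stands in for the Person table.
"""
import csv
import io
import sqlite3

# Constructed sample HRIS export (not real data). SubDepartment is the HRIS
# attribute the thread wants mapped to an AD group.
HRIS_CSV = """CentralAccount,FirstName,LastName,Department,SubDepartment
jdoe,John,Doe,Finance,Finance Core
asmith,Alice,Smith,IT,Infrastructure
bjones,Bob,Jones,Finance,Finance Core
"""

# Dynamic roles: (role name, SQL condition on Person, AD group the role entitles).
# The condition is administrator-authored configuration, as in the Manager;
# it must never be built from imported or user-supplied text.
DYNAMIC_ROLES = [
    ("Finance Core", "CustomProperty01 = 'Finance Core'", "GRP-Finance-Core"),
    ("IT", "Department = 'IT'", "GRP-IT"),
]


def create_person_table(conn):
    """Minimal stand-in for the Person table with one custom property column."""
    conn.execute(
        "CREATE TABLE Person (CentralAccount TEXT PRIMARY KEY, FirstName TEXT, "
        "LastName TEXT, Department TEXT, CustomProperty01 TEXT)"
    )


def import_hris(conn, csv_text):
    """CSV import step: upsert Person rows, copying SubDepartment into CustomProperty01."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    conn.executemany(
        "INSERT OR REPLACE INTO Person VALUES "
        "(:CentralAccount, :FirstName, :LastName, :Department, :SubDepartment)",
        rows,
    )
    conn.commit()
    return len(rows)


def evaluate_dynamic_roles(conn):
    """Return {account: set(ad_groups)} that the role conditions currently yield."""
    target = {}
    for _role, condition, group in DYNAMIC_ROLES:
        # Condition is trusted config (see DYNAMIC_ROLES); it is not parameter data.
        for (account,) in conn.execute(f"SELECT CentralAccount FROM Person WHERE {condition}"):
            target.setdefault(account, set()).add(group)
    return target


def reconcile(current, target):
    """Diff current AD memberships against the target state; returns (adds, removes)."""
    accounts = set(current) | set(target)
    adds = {(a, g) for a in accounts for g in target.get(a, set()) - current.get(a, set())}
    removes = {(a, g) for a in accounts for g in current.get(a, set()) - target.get(a, set())}
    return adds, removes


def apply_changes(memberships, adds, removes):
    """Apply the computed group adds/removes to the membership map (in place)."""
    for account, group in adds:
        memberships.setdefault(account, set()).add(group)
    for account, group in removes:
        memberships.setdefault(account, set()).discard(group)


def run_scenario():
    """Initial import, then John Doe moves out of Finance Core on a second import."""
    conn = sqlite3.connect(":memory:")
    create_person_table(conn)
    import_hris(conn, HRIS_CSV)
    memberships = {}  # what AD currently holds, keyed by account
    adds, removes = reconcile(memberships, evaluate_dynamic_roles(conn))
    apply_changes(memberships, adds, removes)

    # Second HRIS export: jdoe's sub-department changed (constructed update).
    update_csv = (
        "CentralAccount,FirstName,LastName,Department,SubDepartment\n"
        "jdoe,John,Doe,Finance,Finance Ops\n"
    )
    import_hris(conn, update_csv)
    adds2, removes2 = reconcile(memberships, evaluate_dynamic_roles(conn))
    apply_changes(memberships, adds2, removes2)
    return memberships, adds, removes, adds2, removes2


if __name__ == "__main__":
    final, adds, removes, adds2, removes2 = run_scenario()
    print("first run  adds:", sorted(adds), "removes:", sorted(removes))
    print("second run adds:", sorted(adds2), "removes:", sorted(removes2))
    print("final memberships:", {k: sorted(v) for k, v in final.items()})
```

The second import is the case Troy's reply points at: once the custom column no longer matches the condition, the reconcile step produces a removal for GRP-Finance-Core rather than leaving the entitlement behind, which is the reason to prefer a dynamic role over a one-off script that only adds groups at create time.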

  • Thanks for the detailed help Troy, very greatly appreciated. We'll try / go this route, and thanks again.