You must modify policies and filters to work with your specific business environment. We recommend that you make modifications in this order:
1. Modify the driver filter to include desired attributes to be synchronized.
2. Modify the Mapping policy to include all attributes specified in the driver filter.
3. Modify the Input Transformation policy.
4. Modify the Output Transformation policy.
5. Modify the Publisher Placement policy.
6. Modify the Publisher Matching policy.
7. Modify the Publisher Creation policy.
8. Modify the Publisher Command Transformation policy.
9. Modify the Subscriber Matching policy.
The driver filter contains the set of classes and attributes whose updates publish from the SAP system to the Identity Vault, and from the Identity Vault to SAP.
To use the default driver configuration, you shouldn’t filter out any of the CommExec, Organizational Role, or Organizational Unit attributes. Also, do not remove the Given Name, Surname, and workforceID attributes from the User class object.
Table 6-1 Filter Classes and Attributes
The Schema Mapping policy is referenced by the driver object and applies to both the Subscriber and Publisher channels. The purpose of the Schema Mapping policy is to map schema names (particularly attribute names and class names) between the Identity Vault and the SAP HR database. Any modification or removal of existing entries in the Schema Mapping policy could destroy the default configuration and policy-processing behavior. Adding new attribute mappings is optional. The following attribute mappings are included with the default driver configuration:
Table 6-2 Attribute Mappings - Default Driver Configuration
Identity Vault Class | SAP Class | SAP Description |
---|---|---|
CommExec | C | Job |
Organizational Role | S | Position |
Organizational Unit | O | Organization |
User | P | Person |
The User class is configured to synchronize bidirectionally between SAP and the Identity Vault. A change made in one system transfers to the other system. However, changes made to the CommExec, Organizational Role, and Organizational Unit attributes are synchronized from SAP to the Identity Vault only.
All attributes in the Publisher and Subscriber filters should be mapped unless they are used only for policy processing (for example, Login Disabled).
The following table includes common attribute mappings for the User class and their descriptions:
Table 6-3 Attribute Mappings - User Class
You modify the Input Transformation policy to implement your specific business rules. The Input Transformation policy is applied to transform the data received from the driver shim.
The policy is applied as the first step of processing an XML document received from the driver shim. The Input Transformation policy converts the syntax of the SAP attributes into the syntax for the Identity Vault. The Input Transformation policy is implemented as an XSLT style sheet.
The default driver configuration includes templates that complete the following actions:
- Modifies the association for non-Person objects to include the Class code.
- Manipulates the OU attribute to contain a name-number syntax.
- Manipulates the Title to contain text data.
- Manipulates the Job Code to contain text data.
- Transforms Postal Address from string syntax to structure syntax.
- Translates telephone numbers from a numerical string into a formatted telephone number.
- Translates employee status from numerical format into either an A (Active) or I (Inactive) status code.
- Adds an employee status code if it is not present in query replies.
You modify the Output Transformation policy to implement your specific business rules. The Output Transformation policy is referenced by the driver object and applies to both the Subscriber channel and to the Publisher channel. The purpose of the Output Transformation policy is to perform any final transformation necessary on XML documents sent to the driver by Identity Manager and returned to the driver by Identity Manager. The Output Transformation policy is implemented as an XSLT style sheet.
The Output Transformation policy reverses the logic of the Input Transformation policy. The default driver configuration includes templates that complete the following actions:
- Transforms Postal Address from structure syntax to string syntax.
- Returns telephone numbers to string format.
- Removes the Class code from non-Person object associations.
The Publisher Placement policy is applied to an Add Object event document to determine the placement of the new object in the hierarchical structure of the Identity Vault. Only the Publisher channel utilizes the Placement policy.
The Placement policy uses the employeeStatus attribute value and the values of driver object placement Global Configuration Values (GCVs) to place objects in specified Identity Vault containers.
The Publisher Matching policy is applied to a modify object event document. Matching policies establish links between an existing entry in the Identity Vault and an existing entry in the SAP system. The Matching policy attempts to find an existing object that matches the object generating the event by the criteria specified in the policy.
The default driver checks for matches based primarily on the workforceID attribute. A secondary rule is provided to attempt matching by Surname and Given Name values.
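As an added example (not the shipped driver policy), a Publisher Matching policy in DirXML Script that links User objects on workforceID alone, for deployments where a shared Surname and Given Name is not enough to treat two records as the same person. The search base `Example\Users` is a constructed placeholder, and vetoing events that lack a workforceID is a design choice assumed here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Match User objects on workforceID only</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="workforceID" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Search base is a placeholder; use the container your users live in. -->
      <do-find-matching-object scope="subtree">
        <arg-dn>
          <token-text xml:space="preserve">Example\Users</token-text>
        </arg-dn>
        <arg-match-attr name="workforceID"/>
      </do-find-matching-object>
    </actions>
  </rule>
  <rule>
    <description>No workforceID: do not fall back to a name match</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="workforceID" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <!-- Leave a trace entry so dropped events can be reviewed. -->
      <do-trace-message level="1">
        <arg-string>
          <token-text xml:space="preserve">User event without workforceID; not matched</token-text>
        </arg-string>
      </do-trace-message>
      <do-veto/>
    </actions>
  </rule>
</policy>
```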
The Publisher Creation policy is applied when a new object is to be added to the Identity Vault. The Creation policy is implemented by using both Policy Builder and XSLT style sheets.
The default driver configuration has Creation policies for the following:
- Organizational Unit (if a Description attribute is present).
  - Creates a name for the object based on its Description.
  - Creates the OU attribute.
- Organizational Role Object (if a Description attribute is present).
  - Creates a name for the object based on its Description.
  - Creates the CN attribute.
- CommExec Object (if a Description attribute is present).
  - Creates a name for the object based on its Description.
  - Creates the CN attribute.
- User Object (the Surname and Given Name are transferred).
  - Generates an object name based on Given Name and Surname.
  - Sets the initial password to the user’s Surname.
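An added example, not the shipped driver configuration: a Publisher Creation rule in DirXML Script that sets a generated initial password, with a Surname-based rule of the kind described above kept in a comment for comparison. The password policy DN is a constructed placeholder, and the form of the commented rule is an assumption about how the default is expressed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- For comparison only (assumed form of a Surname-based rule):
  <rule>
    <description>Set initial password from Surname</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <token-attr name="Surname"/>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
  -->
  <rule>
    <description>Set a generated initial password on new User objects</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <!-- policy-dn is a placeholder; point it at a password policy
               object that exists in your Identity Vault. -->
          <token-generate-password policy-dn="Security\Password Policies\Initial Password Policy"/>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
</policy>
```

A generated password has to reach the user through a separate process, such as a help-desk reset or self-service enrolment.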
The Publisher Command Transformation policy is used to apply any remaining business logic to event documents received from the driver. The default driver performs the following transformations:
- Creates and maintains User object Manager and Direct Reports organizational relationships.
- Sets the Login Disabled attribute based on employee status.
- Maintains proper Group Membership for an Employee or Manager group based on a User’s position, employee status, and GCV group name values.
- Handles placement of User objects in Active or Inactive containers based on employee status and GCV user placement values.