How to configure inbound provisioning - docs.centrify.com

Upload: nguyendan

Post on 24-May-2018

You can provision user data from specified systems to Active Directory using inbound provisioning. Currently, we only support provisioning from Workday. After you configure the provisioning, you can define synchronization schedules to synchronize user data from Workday to Active Directory.

If you have existing Workday users in Active Directory, we perform a lookup at sync time using the Workday ID and Active Directory SamAccountName. Users with these matching data are considered the same user and paired up accordingly.

This scenario includes the following topics:

Prerequisites

Configuring Workday

Adding source

Defining provisioning rules

Synchronizing Data

Generating and using custom attributes

Attribute Mapping

Editing a provisioning source

Prerequisites

Before you start configuring inbound provisioning on Admin Portal, confirm that you have done the following:

Configured Workday for inbound provisioning. See Configuring Workday.

Stored the domain administrator account in Centrify Identity Services. This step is only required if the Centrify Connector is not run by a domain administrator. See How to store domain administrative accounts.

Populated the relevant user data in Workday.

Installed the Centrify Connector. See How to install a Centrify Connector.

Configuring Workday

You must configure Workday for inbound provisioning before you start configuring Admin Portal. You must be a systems administrator in Workday to perform these tasks. The high level steps for configuring Workday are:

Creating an integration system user

Creating a security group

Assigning the integration system user to the security group

Configuring security group options

Activating security policy changes

Creating an integration system user

The integration system user you create here must have staffing and human resources web services privilege. This privilege is necessary for Centrify Identity Services to call the Workday API to pull the user data. You will need the integration system user name and password when adding the Workday source in Admin Portal.

To create an integration system user:

1 In the Workday Workbench, enter “create user” in the search box, and then click the Create Integration System User link.

2 Provide a user name and password for a new Integration System User.

Make note of the user name and password because you will need this information to configure the source in Admin Portal.

3 Leave the Require New Password at Next Sign In option unchecked, because this user will be logging on programmatically.

4 Leave the Session Timeout Minutes with its default value of 0, which will prevent the user’s sessions from timing out prematurely.

5 Click OK.

Creating a security group

This procedure helps you to create an unconstrained integration system security group.

To create a security group:

1 Enter “create security group” in the search box, and then click the Create Security Group link.

2 Select Integration System Security Group—Unconstrained from the Type of Tenanted Security Group drop-down list, to create a security group to which members will be explicitly added.

3 Click OK.

Assigning the integration system user to the security group

You are now ready to assign the integration system user to the security group.

To assign the integration system user to the security group:

1 Enter “edit security group” in the search box, and then click the Edit Security Group link.

2 Search for the security group using the Security Group search box and select it.

3 Click OK to add it.

Configuring security group options

This procedure allows the systems administrator to grant the new security group permissions for Get operations on the objects secured by the following domain security policies:

Manage: Organization Integration

External Account Provisioning

Worker Data: Public Worker Reports

Worker Data: All Positions

Worker Data: Current Staffing Information

Worker Data: Business Title on Worker Profile

Worker Data: Organization Information

To configure security group options:

1 Enter “domain security policies” in the search box, then click the Domain Security Policies for Functional Area link.

2 To configure Manage: Organization Integration:

a Enter “Organization and Roles” in the Function Area text box and select Organization and Roles.

b Click OK.

c Click Manage: Organization Integration.

d Click Edit Permissions and grant Get permissions.

e Click OK > Done.

3 To configure External Account Provisioning:

a Navigate back to the “Domain Security Policies for Functional Area” page (typically by placing the cursor in the “domain security policies” search box and pressing Enter).

b Enter “system” in the Function Area text box and select System.

c Click OK.

d Expand Security Administration in the list of security policies for the System functional area and select the External Account Provisioning domain security policy.

e Click the Edit Permissions button.

The Edit Permissions screen opens.

f Add the new security group to the list of security groups with Get integration permissions.

Click the + icon in the Security Groups area.

Enter the name of your group.

Enable the associated Get permission.

g Click OK > Done.

4 To configure External Account Provisioning:

a Navigate back to the “Domain Security Policies for Functional Area” page (typically by placing the cursor in the “domain security policies” search box and pressing Enter).

b Enter “staffing” in the Function Area text box and select Staffing.

c Click OK.

d Expand Worker Data: Staffing in the list of security policies for the Staffing functional area and assign Get permissions for each of these remaining security policies:

Worker Data: Public Worker Reports

Worker Data: All Positions

Worker Data: Current Staffing Information

Worker Data: Business Title on Worker Profile

Worker Data: Organization Information

Activating security policy changes

To activate the security policy changes:

1 Enter “activate” in the search box and click the Activate Pending Security Policy Changes link.

2 Enter a comment for auditing purposes.

3 Click OK.

4 Enable the Confirm check box.

5 Click OK.

Adding source

You must identify the source (system) from which you are provisioning user data. Currently we only support provisioning from Workday.

Important: You must meet all prerequisites before you start adding and configuring a provisioning source. See Prerequisites.

To add and configure a source:

1 Log in to Admin Portal.

2 Click Settings > Users > Inbound Provisioning.

3 Click Add Source (on the Sources tab) to start defining the Workday service information.

The Provisioning Source window opens.

a Select the source environment type for which you are configuring.

Workday (Integration): Select if you are configuring the synchronization for a test environment.

Workday (Production): Select if you are configuring the synchronization for a production environment.

b Select the Enable check box to enable the feature.

c Enter a Name for this source.

d Enter the Workday server URL in the specified format (https://<workday_cloud_host_name>/ccx/service/<tenant>) into the URL field.

Sample production URL: https://wd-sample-services.workday.com/ccx/service/companyFoo

If you are setting up a test environment, in other words you have selected Workday (Integration) in step 3a, then you must append _pt1 to the URL.

Sample integration URL: https://wd-sample-services.workday.com/ccx/service/companyFoo_pt1

For help getting the Workday cloud hostname, see Getting the Workday cloud hostname.

e Enter the Integration User Name appended with @ and your tenant ID. For example, if the integration user name in Workday is johnIntegrationUser and your tenant ID is fooCompany, then you must enter johnIntegrationUser@fooCompany here.

This integration system user must have staffing and human resources web services privilege. This privilege is necessary for Centrify Identity Services to call the Workday API to pull the user data. See Creating an integration system user for instructions on generating the user name.

f Enter the Integration Password.

g Click Verify to verify the integration user name and password combination.

4 (Optional) Click the Reports Integration option to configure Centrify Identity Services for custom attributes. Before you can configure Centrify Identity Services to use custom attributes, you must first create the custom attributes in Workday. See Generating and using custom attributes.

5 (Optional) Click Sync Settings to configure new hire pre-provisioning and time offsets.

a Specify the Enable New Hire Pre-Provisioning options to tell Centrify Identity Services to provision a user prior to the user's employment start date. For example, if you have users starting 2 days after your synchronization action, you can tell Centrify Identity Services to synchronize their user data to Active Directory by setting the Interval field to 48 hours. If you do not configure this option, those users will not be provisioned until the start date or later (based on your synchronization schedule).

b Enable Run incremental sync automatically and specify the sync frequency in minutes. See Synchronizing Data for more sync options.

c Specify the time offset between your Workday tenant and UTC using the Workday Tenant UTC Offset (minutes) option to prevent delayed or premature user data synchronization. Synchronizations are performed based on UTC time. If you need to compensate for time zone differences between your Workday tenant and UTC, specify that offset here.

d Enable Do not create new users (update existing user only) if you want the sync job to ONLY update existing user data and NOT create any new users in Active Directory.

e Enable Ignore sync cache if you want to sync with Workday regardless of existing user data in Active Directory.

Centrify Identity Services keeps a cache of Workday user data. If systems administrators update user data in Active Directory, then that data is out of sync with Workday. This option allows Centrify Identity Services to ignore existing data in Active Directory and sync with Workday.

Enabling this option makes the Disregard directory identifiers for cached entries option available. Enable that option if you want Centrify Identity Services to discard existing user IDs stored in Active Directory and rediscover users from UPN or SamAccountName.

6 Click Save.

Your configured source is listed in the Sources table.

Getting the Workday cloud hostname

You need the Workday cloud hostname to generate the Workday server URL that is required for adding the data source. The following are standard procedures, but your steps may differ slightly depending on your Workday customizations.

To get the Workday cloud hostname:

1 Log in to Workday as an administrator.

2 Enter “Public Web Services” into the search box.

3 Select Public Web Services.

4 Click Actions > Web Service > View URLs.

5 Click Workday XML.

A new tab opens with a URL similar to https://wd2-impl-services1.workday.com/ccx/service/systemreport2/companyFoo_pt1/Public_Web_Services.

6 Copy/paste the hostname.
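
The URL and user name rules from the Adding source steps, together with this hostname procedure, can be checked before you click Verify. The following Python sketch is an added example, not Centrify or Workday code: the function names are hypothetical, and treating the tenant as the second path segment after /ccx/service/ is an assumption taken only from the sample View URLs link above.

```python
from urllib.parse import urlsplit

SERVICE_PREFIX = "/ccx/service/"
INTEGRATION_SUFFIX = "_pt1"
# Environment types as named in step 3a of "Adding source".
ENVIRONMENTS = ("Workday (Integration)", "Workday (Production)")


def server_url_from_view_url(view_url):
    """Build https://<host>/ccx/service/<tenant> from a 'View URLs' link."""
    parts = urlsplit(view_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// URL copied from Workday")
    if not parts.path.startswith(SERVICE_PREFIX):
        raise ValueError("path does not start with /ccx/service/")
    segments = [s for s in parts.path[len(SERVICE_PREFIX):].split("/") if s]
    # Assumption from the sample link: <area>/<tenant>/<service name>.
    if len(segments) < 2:
        raise ValueError("cannot locate the tenant in the URL path")
    return "https://%s%s%s" % (parts.hostname, SERVICE_PREFIX, segments[1])


def check_source(environment, url, integration_user):
    """Return a list of problems with the values typed into Add Source."""
    problems = []
    if environment not in ENVIRONMENTS:
        problems.append("unknown environment type: %r" % environment)

    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        problems.append("URL must be https://<workday_cloud_host_name>/...")
    if parts.username or parts.password:
        problems.append("URL must not embed credentials")
    if parts.query or parts.fragment:
        problems.append("URL must not carry a query string or fragment")

    tenant = None
    if parts.path.startswith(SERVICE_PREFIX):
        rest = parts.path[len(SERVICE_PREFIX):].strip("/")
        if rest and "/" not in rest:
            tenant = rest
    if tenant is None:
        problems.append("URL path must be /ccx/service/<tenant>")
    else:
        is_pt1 = tenant.endswith(INTEGRATION_SUFFIX)
        if environment == "Workday (Integration)" and not is_pt1:
            problems.append("integration URL must end with _pt1")
        if environment == "Workday (Production)" and is_pt1:
            problems.append("production source points at a _pt1 tenant")

    # Step 3e: <integration user name>@<tenant ID>, exactly one '@'.
    name, sep, tenant_id = integration_user.partition("@")
    if not sep or not name or not tenant_id or "@" in tenant_id:
        problems.append("user name must be <integration_user>@<tenant_id>")
    return problems


if __name__ == "__main__":
    # Sample values are the ones shown in this guide.
    view = ("https://wd2-impl-services1.workday.com/ccx/service/"
            "systemreport2/companyFoo_pt1/Public_Web_Services")
    url = server_url_from_view_url(view)
    print(url)
    print(check_source("Workday (Integration)", url,
                       "johnIntegrationUser@fooCompany") or "no problems")
```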

Defining provisioning rules

You define provisioning rules to identify users, map user attributes, and other important provisioning configuration. You can define more than one rule for each source. You must first add and configure a source before you can define the rules.

To define a provisioning rule:

1 Log in to Admin Portal.

2 Click Settings > Users > Inbound Provisioning.

3 Click the + icon associated with the source you have previously configured.

4 Enter a Name for this rule.

5 Select a Provisioning Rule Mode:

Active -- Makes a rule active. Not recommended until you have finished all configurations. You must activate a rule before synchronizing.

Preview -- Sets the rule in preview mode. Select this option for a production environment to verify the user mapping between Workday and Active Directory before you make the rule Active.

Inactive -- Sets the rule as inactive. Recommended until you have finished all configuration steps. You can come back to this option and activate the rule when you are ready.

6 Select the Source Selection Rule to define the users to which these rules apply.

If you are provisioning all your Workday users (by selecting All Users from the drop-down list) to one Organizational Unit (OU), then you do not need to perform the following sub-steps.

If you are provisioning specific groups of users to specific OUs, then do the following:

a Click Add to select the specific group.

b Select the Workday group from the drop-down list and click the associated Add button.

c Repeat these sub-steps until you have added all relevant Workday groups.

7 Click Next.

8 Define the target directory and the specific OU to which you want users in the Workday groups provisioned.

a Select the relevant forest from the Target drop-down list.

When you select the forest, Centrify Identity Services looks for the stored domain administrator account and shows a warning message if one is not available (unless the Centrify Connector is run by a domain administrator). See How to store domain administrative accounts.

b Select the relevant Domain.

c Select the relevant Domain Controller.

d Select the relevant OU or expand an OU and select the relevant groups in the Target OU area to which you want user accounts provisioned.

9 Click Next.

10 Map the attributes.

a Review the required and automatically mapped attributes.

You can delete optional attributes. You also have the option to map additional attributes.

b (Optional) Click Add and select the Target Attribute (attribute name in Active Directory) to add more attributes.

If there is only one match in Workday, then no corresponding Workday attributes are displayed; click Add again to add the attribute and view the mapping in the table.

If more than one Workday attribute can be mapped to the selected Active Directory attribute, then select a corresponding Source Attribute (attribute name in Workday) from the drop-down list; click Add again to add the attribute and view the mapping in the table.

See Attribute Mapping for information on the more obscure attributes.

Continue mapping attributes until all necessary attributes are mapped.

c Click Next to configure additional provisioning rule options.

11 (Optional) Configure the following attribute related options:

Set user’s manager attribute -- If enabled, users’ manager attributes in Workday are synchronized to Active Directory.

Disable user in AD if worker employment status is terminated -- If enabled, users with the terminated employment status in Workday are automatically disabled in Active Directory.

12 Specify the Password Type for new Active Directory user accounts.

If you select Static Password from the drop-down list, then the system uses the same password for all new users. Provide the following information:

a Password -- Specify the password to be used for all users.

b Require password change at next login -- If enabled, new users will be required to change their passwords after the initial log in. Disabled by default.

If you select Generated Password from the drop-down list, then the system randomly generates different passwords for each new user. Provide the following information:

a Require password change at next login -- If enabled, new users will be required to change their passwords after the initial log in. Disabled by default.

b Delivery options -- Select the email address to which you want the auto-generated password sent. This is to help in your new employee onboarding process. When new users are created in Active Directory, an email will be sent to the specified address with the credentials for those users.

Send password to email address: Enter the email address to which you want the password sent.

Send password to user’s manager: Sends the password to the manager’s email address. Ensure that you have the email address specified in Workday.

Send password to user’s personal email: Sends the password to the user’s personal email address. Ensure that you have the email address specified in Workday.

If you have more than one option selected, the password is sent to all the selected email addresses.

13 (Optional) Specify the Active Directory group to which you want users added. This option assigns the users to the selected Active Directory group.

a Enable the Add users to groups check box.

b Select the Add button within the Active Directory Group Options area. The Add Active Directory Group window opens.

c Confirm that the appropriate source is selected.

d Start entering the group name into the Search box to find the group.

e Select the group and click Add.

14 (Optional) Select Map Workday Provisioning Groups to Active Directory Groups if you want to map specific Workday provisioning groups to Active Directory groups.

a Enable the Map Workday Provisioning Groups to Active Directory Groups check box.

b Select the associated Add button.

c Select the Provisioning Group Name from the drop-down list.

d Confirm that the appropriate source is selected.

e Start entering the group name into the Search box to find the group.

f Select the group and click Add.

15 (Optional) Select Assign user to an OU upon termination if you want to specify the organizational unit (OU) in which terminated users will be placed.

If you do not enable this check box, then terminated users will remain in their current OU.

16 Click Save to save the rule configuration.

The provisioning rule has been configured and the rule is listed in the Sources table.

17 Click the rule to change its status if you did not set the rule to Active in step 5.

18 Click Save.

Define additional provisioning rules as needed. You can define more than one rule for each source.

Synchronizing Data

After you have configured the source and provisioning rule, you are ready to synchronize user data from Workday to Active Directory. You have the option to manually trigger a full or incremental sync or schedule incremental syncs. Full syncs are time and resource intensive, so they must be triggered manually and we recommend doing them only when necessary. For the initial sync, you must perform a full one. You can only schedule automatic incremental syncs.

Configuring manual syncs

You can initiate a full or incremental manual sync.

To trigger a manual sync:

1 Log in to Admin Portal.

2 Click Settings > Users > Inbound Provisioning.

3 Confirm that you have the source and provisioning rule configured and click the Sync Options tab next to Sources.

4 Select either Incremental or Full in the Manual Sync Options area.

For the initial sync, you must perform a full one.

5 Select the source (a specific source or all configured sources) that you want to synchronize.

6 Click Run Sync.

Scheduling incremental syncs

Scheduled automatic syncs are limited to incremental syncs because full syncs are time and resource intensive. If you need to perform a full sync, you must trigger it manually. See Configuring manual syncs.

To schedule incremental syncs:

1 Log in to Admin Portal.

2 Click Settings > Users > Inbound Provisioning.

3 Confirm that you have the source and provisioning rule configured and click the + icon associated with the source you have previously configured.

4 Click Sync Settings.

5 Enable the Run incremental sync automatically check box.

6 Specify how frequently you want to run the sync in the Frequency text box.

7 Click Save.

Configuring sync reports

You can configure Centrify Identity Services to send reports via email after each sync completion. Sample email report below.

To view the detailed job report using the link provided, you must log in with full administrator privileges or read only administrator privilege.

To configure sending of sync reports:

1 Enable the Send report on sync completion check box if you want to receive a sync report.

2 Specify the type of syncs that the report includes:

All Syncs

Incremental Syncs

Full Syncs

3 Specify an email address to which reports are sent.

a Click Add.

The default email address is that of the logged in system administrator. You can enter a new email address by editing the default address.

b Click the associated Add button.

The email address is added to the table.

c Repeat these sub-steps to add more email addresses.

4 Click Save.

Generating and using custom attributes

In most cases, Workday automatically creates the necessary attributes for your use. However, sometimes you may need to create custom ones. In those instances, you can use Workday to generate custom attributes and use Admin Portal to map them to Active Directory. For example, the default attribute to create a Common Name in AD is the Workday User. However, Workday does not generate an alphabetic Workday User attribute for contingent workers (contract or part-time employees). Contingent workers are only issued a numerical ID. To remedy this, you may want to create a custom attribute so that all workers are given human-friendly names. You can do this by creating a custom report in Workday with custom attributes and writing a script to map those attributes to the proper Active Directory attributes.

The high-level steps for creating and using custom attributes are:

Use Workday to create custom attributes by creating an advanced custom report. See Generating custom attributes.

Use Admin Portal to connect Centrify Identity Services to the Workday report. See Adding Workday URLs to provisioning source.

Use Admin Portal to run a script mapping each column in the report to relevant Active Directory attributes. See Mapping custom attributes.

Generating custom attributes

You create custom attributes by creating an advanced custom report. After you create it, the report is automatically run with each data synchronization between Workday and Active Directory.

To create an advanced custom report:

1 Log in to Workday.

2 Click Reporting & Analytics > Create Custom Report.

3 Provide the necessary information.

Report Type - Select Advanced to get access from the web services.

Data Source - Select All > All Active and Terminated Workers.

Enable As Web Service - enable the check box.

4 Click OK.

The Edit Custom Report page opens.

5 In the Field text box, type workday_id and hit the Enter key.

You must enter workday_id for the mapping and scripting to work. The text resolves to Workday ID.

6 (Optional) Click the + icon to enter additional custom fields.

7 Click OK > Done.

8 Share the report with relevant integration groups or users.

You have likely created these integration users or groups when you configured Workday for inbound provisioning. See Creating an integration system user or Creating a security group. Until you share the report, only you have access to it.

To share the report with relevant integration groups or users:

a Click Edit Custom Report.

b Click in the Report Name drop-down box, select My Reports, and select the newly created report.

c Click OK.

d Click the Share tab and select the Share with specific authorized groups and users radio button.

e Enter the integration group (of which the user is a member) or the individual user that was specified in the Admin Portal source configuration into the Authorized Groups text box.

Type the first few letters of the group or user name and press Enter; the matching group or user names are displayed.

f Click OK.

9 Copy the XSD and JSON URLs for use in Admin Portal.

Adding these URLs to Admin Portal connects Centrify Identity Services to the custom reports.

To copy the URLs:

a Hover over the report name associated with the Report Definition field and select the dotted icon next to the name.

The Actions page slides open.

b Select Web Service > View URLs.

c Copy the XSD (within the Workday XML area) and JSON URLs by right-clicking each and selecting Copy URL.

You must add these URLs to the provisioning source in Admin Portal. See Adding Workday URLs to provisioning source.

Adding Workday URLs to provisioning source

Centrify Identity Services needs to communicate with the custom report to get the attribute values. You enable this communication by adding the report XSD and JSON URLs to the Admin Portal provisioning source.

To add the XSD and JSON URLs to the provisioning source:

1 Log in to Admin Portal.

2 Click Settings > Users > Inbound Provisioning.

3 Click the edit icon associated with the relevant source.


4 Click Report Integration on the Provisioning Source page.

5 Select the Enable Report Integration checkbox.

The Base Report URL is automatically prefilled.

6 Paste the XSD URL (starting from ccx/service…) into the Relative Schema (XSD) URL field.

7 Paste the JSON URL (starting from ccx/service…) into the Relative JSON Data URL field.

These custom URLs allow Centrify Identity Services to get the attribute values from the report.

8 Enter workday_id into the Worker Unique ID Field Name.

This field name mirrors the one entered in Workday (step 5) when you created the advanced custom report.

9 Enter the number of minutes Centrify Identity Services should wait for Workday to respond with the custom attributes information.

10 Click Save.

Mapping custom attributes

You use Admin Portal to run a script that maps each column in the Workday report to the relevant Active Directory attributes. Below is a sample script that maps the workday_ID custom attribute to the WorkEmail attribute in Active Directory.

if (SyncContext) {
    trace("Starting script");

    var sc = SyncContext;

    // Uncomment to dump every column of the custom report row for this worker.
    //trace(sc.SourceUserRecord.ReportRow.Dump());

    // The Workday ID column of the custom report becomes the AD logon name.
    var workdayId = sc.SourceUserRecord.ReportRow.Get("Workday_ID");
    sc.TargetUserRecord.SamAccountName = workdayId;

    if (sc.SourceUserRecord.WorkEmail) {
        var x = sc.SourceUserRecord.WorkEmail.indexOf("@");
        trace("Work email valid. @ at " + x.toString());
        trace("Work email in lower case is " + sc.SourceUserRecord.WorkEmail.toLowerCase());

        // Build the UPN from the Workday ID and the mail domain. This sits inside
        // the WorkEmail check so a worker without a work email does not make split() throw.
        sc.TargetUserRecord.UserPrincipalName = workdayId + "@" + sc.SourceUserRecord.WorkEmail.split("@")[1];
    }

    if (sc.SourceUserRecord.ProvisioningGroups) {
        var count = sc.SourceUserRecord.ProvisioningGroups.Count;
        trace("Prov group count: " + count);
        for (var idx = 0; idx < count; ++idx) {
            trace("Name: " + sc.SourceUserRecord.ProvisioningGroups[idx].Name + ", Status: " + sc.SourceUserRecord.ProvisioningGroups[idx].Status);
        }
    } else {
        trace('Provisioning groups not defined');
    }

    // Name and job attributes.
    sc.TargetUserRecord.Cn = sc.SourceUserRecord.FirstName + "." + sc.SourceUserRecord.LastName;
    sc.TargetUserRecord.EmployeeId = sc.SourceUserRecord.EmployeeId;
    sc.TargetUserRecord.DisplayName = sc.SourceUserRecord.FormattedName;
    sc.TargetUserRecord.Name = sc.SourceUserRecord.ReportingName;
    sc.TargetUserRecord.Mail = sc.SourceUserRecord.WorkEmail;
    sc.TargetUserRecord.Title = sc.SourceUserRecord.BusinessTitle;
    sc.TargetUserRecord.EmployeeType = sc.SourceUserRecord.PositionType;
    sc.TargetUserRecord.GivenName = sc.SourceUserRecord.FirstName;
    sc.TargetUserRecord.Sn = sc.SourceUserRecord.LastName;
    sc.TargetUserRecord.MiddleName = sc.SourceUserRecord.MiddleName;
    sc.TargetUserRecord.Department = "My Department";   // literal placeholder value

    // Country attributes follow the Attribute Mapping table: the alphabetic codes
    // go to C and Co, and the numeric code goes to CountryCode.
    sc.TargetUserRecord.C = sc.SourceUserRecord.Alpha2WorkCountry;
    sc.TargetUserRecord.Co = sc.SourceUserRecord.Alpha3WorkCountry;
    sc.TargetUserRecord.CountryCode = sc.SourceUserRecord.Numeric3WorkCountry;

    // Location and contact attributes.
    sc.TargetUserRecord.St = sc.SourceUserRecord.WorkRegion;
    sc.TargetUserRecord.PostalCode = sc.SourceUserRecord.WorkPostalCode;
    sc.TargetUserRecord.L = sc.SourceUserRecord.WorkMunicipality;
    sc.TargetUserRecord.StreetAddress = sc.SourceUserRecord.WorkAddressLine1 + "," + sc.SourceUserRecord.WorkAddressLine2;
    sc.TargetUserRecord.PhysicalDeliveryOfficeName = "1234 C";   // literal placeholder value
    sc.TargetUserRecord.TelephoneNumber = sc.SourceUserRecord.WorkMobile;
    sc.TargetUserRecord.Mobile = sc.SourceUserRecord.WorkMobile;
    sc.TargetUserRecord.Company = "Bunnies of doom";   // literal placeholder value

    // The sample marks the provisioned account as disabled.
    sc.TargetUserRecord.Disabled = true;

    if (sc.TargetUserRecord.MemberObjectGuids) {
        // Copy the current group GUIDs; the commented lines show how to add one and write the list back.
        var newGroupList = [];
        for (var idx = 0; idx < sc.TargetUserRecord.MemberObjectGuids.Length; ++idx) {
            trace("Group guid is " + sc.TargetUserRecord.MemberObjectGuids[idx]);
            newGroupList.push(sc.TargetUserRecord.MemberObjectGuids[idx]);
        }
        // newGroupList.push("f1a7e28aa5bb4f59a3e6566fc69545e8");
        // sc.TargetUserRecord.MemberObjectGuids = newGroupList;
    } else {
        trace("MemberObjectGuids is empty or not defined.");
    }

    trace("Term date is " + sc.SourceUserRecord.TerminationDate);
    trace("Exiting script");
}

To add a script for a provisioning rule:

1 Log in to Admin Portal.

2 Click Settings > Users > Inbound Provisioning.

3 Select the provisioning rule for which you want to add the script.

4 Click the Attributes tab.

5 Confirm that the Use Attribute Mapping Script checkbox is enabled.

6 Click Load Sample to load the sample script.

7 (Optional) Click Test to verify that the script meets your purpose.

a Enter a Worker ID for an employee with relevant attributes.

b Select the Worker ID Type from the drop-down list that corresponds to the worker ID you entered. For example, if you entered an ID for a contingent worker, then select Contingent Worker here.

c Click Next. Attribute values associated with the worker ID are displayed.

8 Update the script as necessary for your purpose.

9 Click Save.

When a synchronization between Workday and Active Directory is triggered, the script runs automatically.
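The sample script builds SamAccountName and UserPrincipalName directly from the report's Workday ID and the worker's WorkEmail. The following added example (not Centrify's code) validates both values before assigning them, so a malformed ID or an unexpected mail domain in Workday does not become a logon name in Active Directory. The names mapIdentity, fakeContext and allowedDomains and the example.com domain are assumptions, as is the script engine accepting standard JavaScript functions and regular expressions; the code runs under Node.js against a constructed stand-in for SyncContext.

```javascript
// Characters Active Directory rejects in sAMAccountName, plus "@" and whitespace,
// which this check also refuses because the same value becomes the UPN prefix.
var SAM_ILLEGAL = /["\/\\\[\]:;|=,+*?<>@\s]/;
var SAM_MAX = 20; // sAMAccountName length limit for user objects

// Hypothetical helper: returns a list of problems and assigns only when it is empty.
function mapIdentity(sc, allowedDomains) {
    var problems = [];
    var id = sc.SourceUserRecord.ReportRow.Get("Workday_ID");
    var mail = sc.SourceUserRecord.WorkEmail;

    if (typeof id !== "string" || id.length === 0) {
        problems.push("Workday_ID missing from report row");
    } else if (id.length > SAM_MAX || SAM_ILLEGAL.test(id)) {
        problems.push("Workday_ID not usable as SamAccountName");
    }

    // Take the domain after the last "@"; an address with no local part or no domain fails.
    var at = typeof mail === "string" ? mail.lastIndexOf("@") : -1;
    var domain = at > 0 ? mail.slice(at + 1).toLowerCase() : "";
    if (!domain) {
        problems.push("WorkEmail missing or has no domain");
    } else if (allowedDomains.indexOf(domain) === -1) {
        problems.push("WorkEmail domain not in allow-list: " + domain);
    }

    if (problems.length === 0) {
        sc.TargetUserRecord.SamAccountName = id;
        sc.TargetUserRecord.UserPrincipalName = id + "@" + domain;
        sc.TargetUserRecord.Mail = mail;
    }
    return problems;
}

// Constructed stand-in for the SyncContext object, for offline testing only.
function fakeContext(id, mail) {
    return {
        SourceUserRecord: {
            WorkEmail: mail,
            ReportRow: { Get: function (k) { return k === "Workday_ID" ? id : undefined; } }
        },
        TargetUserRecord: {}
    };
}
```

In a mapping script, the returned problems can be written out with trace() so they appear when you use the Test button.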

Attribute Mapping

Most attributes map logically. However, a few attributes may require additional guidance. This table documents those attributes.

| Active Directory Attributes | Possible Workday Attributes | Notes |
|---|---|---|
| C, Co | Alpha2WorkCountry or Alpha3WorkCountry | Options for mapping country code. Alpha2 maps to a 2 character country code (for example, US). Alpha3 maps to a 3 character country code (for example, USA). |
| CountryCode | Numeric3WorkCountry | Use if the country code is numeric. |
| L | WorkMunicipality | Maps to the user’s city |
| Mail | WorkEmail | Maps to the user’s email address |
| Sn | LastName | Maps to the user’s last name |
| St | WorkRegion | Maps to the street name |

Editing a provisioning source

To edit a provisioning source after one has been created, do the following:

1 Log in to Admin Portal.

2 Click Settings > Users > Inbound Provisioning.

3 Click the pencil icon associated with the source.

The Provisioning Source window opens for edits.