Application Delivery Management
Application Modernization & Connectivity
CyberRes
IT Operations Management
Of all of the drivers for Identity Manager, I have found the PeopleSoft driver to be the hardest to understand and implement. Not because of the policies or rules it contains, but because this driver is, unlike the others, only really a demonstration of what you can do, not a canned solution to do it with.
In order to successfully implement the PeopleSoft driver, you will need a good understanding of Identity Manager, but you will also need a cooperative PeopleSoft Component Interface (CI) developer, and Human Resources contact people that can describe their business processes and how things work in your HR system. This will likely take longer than you expect, even if everybody involves tells you that they know exactly how everything works, as you will find things that they forgot to tell you about, or didn't think mattered, or didn't even know themselves.
On the Identity Management side of things, you will also have to know or decide what you want to do about the various HR events that will be coming down the Publisher channel, and what data you will need. This all has to be communicated with your CI developer.
Why bring all of this up? Because in the description that follows, please keep in mind that these are sample policies. Think of them as being for a sample company. One that is not your company. They are intended to show you what is possible, but unless the needs of your actual company match the sample, you will be doing quite a bit of customizing before you're done.
So, with that caveat, let's get started...
Purpose: If the association value (usually the PeopleSoft EMPLID) is available, this rule adds an <operation-data> element to the document, and squirrels away the association value as "peoplesoft-src-id". This is eventually used to process the Status document on the Output Transform (sub-otp-WritebackCNandDNaftersuccessfulPublisherChannelAdd).
Purpose: This is a simple reformat from 'Y' to 'true' of the 'Manager' value if it is present in the document.
Purpose: This is a simple reformat from 'N' to 'false' of the 'Manager' value if it is present in the document.
This provides a sample mapping of data attributes between eDirectory and PeopleSoft. This will be a major area of work with your Component Interface developer. The fields you see on the right ("application") side of the schema map are those that he will be exposing to you via the CI. Many of these terms are obviously named, others you can probably figure out with little effort. Just remember that when you talk of "Full Name", the CI developer is hearing "FULL_NAME".
As with any Identity Manager driver, the Filter specifies what attributes you are interested in, and what to do with them. The samples here show examples of attributes that should flow only in one direction (CN), some that should flow in both directions (employee status), and one that absolutely must flow only in one direction (isManager).
For the most part, you will be customizing the Filter along with the Schema map. Note, for example, that the CN is a Subscriber Only attribute. Any attempt to set the CN from PeopleSoft will be dropped by the Filter. That makes sense to us as Identity Manager afficianados. But look at the Employee Status attribute. This is used to track the current employment status (active, terminated, etc.), and it is very unlikely that your HR system is going to allow this to be updated from Identity Manager. The isManager attribute is much more likely to reflect your eventual implmentation, where any change to this from eDirectory will not only be ignored, but will be actively reset back to its correct value from the HR system.
You may have some other data attributes, like email address, that do need to be sent back to HR, once the other system that is the authoritative source for that attribute has filled it in.
Purpose: In PeopleSoft, every person is identified with a unique number, referred to as the EMPLID. The default configuration here maps the EMPLID to eDirectory attribute workforceID (see the Schema Map). Then when a User is created in eDirectory, the EMPLID from PeopleSoft is saved on it for later use. Normally at this point the Association would have taken care of finding the correct object to modify, but in cases where a resync is happening and Association values are not to be trusted, or as part of an initial migration, this rule can be handy for associating the correct eDirectory User object with the right PeopleSoft person entry. As a migration strategy, you might get a list of everybody with their EMPLID value, and manually update their User object with the workforceID value. Then the migrate from PeopleSoft proceeds smoothly through this rule.
Purpose: This Matching Rule does exactly what it says. Assuming that the match on EMPLID (workforceID) did not work, then this rule will attempt to find the correct eDirectory User object based on their Given Name and Surname. That might work, in a very small tree, but with more than a few dozen people, you are likely to find at least two John Smiths. This is another area where customization depending on the data you have to work with will be needed. A detailed examination of the eDirectory data will be necessary.
Purpose: A minimal list of attributes, without which an object cannot or should not be created in eDirectory. This rule only checks for Given Name and Surname. For eDirectory, that is sufficient, but for an actual implementation it is likely that far more will be needed.
Purpose: This rule checks to see if a CN is available in the current document (it will never be, because the Filter would have thrown it away), then goes and creates one. The default naming scheme combines Given Name, Surname, and a counter digit. It is likely that you will have some other needs here in naming your User objects.
Purpose: This is an interesting demonstration of handling an "active" (vs. "inactive") employee. If the object to be created has an Employee Status of "A", which presumably stands for "Active", then the user is to be created in the "Active Users Container". This, in turn, is fetched from a Global Configuration Value, allowing more than one Identity Manager driver to be told where to look for, or place, "active" users.
If the user is active, though, the rather unfriendly "A" is stripped, and replaced by the word "active", in the eventual employeeStatus attribute that reaches eDirectory.
Purpose: An obvious corrolary rule to the "Active User Placement", this rule has similar logic to decide what to do with a User object to be created for a person with an "I" in his Employee Status. Interestingly, though, the Global Configuration Value used is the same, so all Active and Inactive users will actually be created in the same container in eDirectory.
As with "Active", the "I" is stripped and replaced with the word "inactive". This is probably only useful if people are reading this attribute for something. Identity Manager and eDirectory obviously do not care what value is stored here.
Another area for customization presents itself here. In PeopleSoft, many possible Employee Status values are possible. You will need to find out which ones are being used, and what they mean to your organization. Not all "inactive" status codes necessarily need to be handled as though the person is being terminated ("on leave" for example may indicate inactive employment, but not necessarily a termination of access or duties).
Purpose: If the Employee Status is neither "A" nor "I", then the first two rules in this Policy Set will not execute. This rule then does, and assumes that "not active" (ie: Employee Status is not "A") is the same as "Inactive" and acts accordingly. Good error case handling here, so if HR sets up somebody with an Employee Status that is unexpected, at least something will happen, even if it is not quite what HR was expecting. Your needs may vary, but we wary of any test that only applies to specific values, as unexpected values may show up some day.
Purpose: This duplicates the logic of the Publisher Create Rule that replaces "I" in the Employee Status with the word "inactive".
Purpose: This duplicates the logic of the Publisher Create Rule that replaces "A" in the Employee Status with the word "active".
Sadly, there is no error case handling here, so if HR changes somebody from "A" to "R", the result in eDirectory will be a User object with "R" as the employeeStatus. This will stand out in a sea of "active" and "inactive" values, but still looks wrong. If you are using the "active" and "inactive" logic on the Publisher Create Rule, you should add a third rule to this policy set to handle error cases.
Better yet might be to remove the logic from the Publisher Create Rule that does this and have it only on the Publisher Command Transform. That way the rules are only in one Policy Set, not in two. This is good programming practice.
These are four of the standard Policy Sets for Password Synchronization based on Universal Password. Geoffrey Carman's article (Password Transformation Rules in the Publisher Channel) describes these already, so I won't repeat them here.
Purpose: This sample configuration writes back several eDirectory attribute values to the PeopleSoft system. This rule takes a Delete event and uses it to remove those values, since presumably they are no longer relevant to the person that this User object represents. It has, after all, been deleted.
Purpose: In eDirectory, changing the name of an object modifies its CN and its DN. Since these two data values are being provided back to the PeopleSoft system, this rule updates them in PeopleSoft when they change. PeopleSoft does not have a concept of "rename", though, so this must be done as a Modify event. It will then, via the Component Interface, update the CN and DN values in the database.
Purpose: Similarly to the handling of Rename events, if an object is moved in eDirectory that will change its DN. This rule updates PeopleSoft with the new value.
Purpose: This is identical to the rule on the Publisher Matching Rule. It will attempt to match an eDirectory User object with a PeopleSoft person based on the workforceID (EMPLID) value. If you have workforceID values populated on your eDirectory User objects, this works well and quickly.
Purpose: Better than nothing at all, this will attempt to match on Given Name and Surname. You will likely want to customize this one, along with the similar rule on the Publisher Matching Rule.
Purpose: This rule describes the minimum data necessary to create an object. But since we are on the Subscriber here, this is the list of attribute data needed to create a new Person in the PeopleSoft system. At least in theory, this is possible, but in the real world of HR systems it is unlikely that your HR department will be allowing new eDirectory objects, even if they have all of the required data, to actually create new People in their HR system. There is even specifically a Subscriber Option on this driver to prevent Add events from being sent to PeopleSoft. So this rule could easily be replaced by a single veto() and nobody would ever notice.
Purpose: The inverse of the Publisher channel, where 'A' is mapped to the word 'active' in two policies, here a change in the employeeStatus attribute to 'active' is written to the PeopleSoft system as 'A'.
Purpose: The inverse of mapping 'I' to 'inactive' on the Publisher Channel, here 'inactive' is mapped to 'I'.
Purpose: The Manager (isManager) attribute in eDirectory is multi-valued, so here a nodeset of its current values is built, then transformed to what PeopleSoft expects the values to be. Since the default Filter has isManager configured as "Reset", this rule is only going to apply to <query> documents, and is a really interesting demonstration of XPath and nodeset processing.
Purpose: If the status of an event that was processed on the Publisher Channel is Success, then the CN and DN of the processed (created or modified) object are written back to the PeopleSoft system in to a staging table. This uses the operation-data / peoplesoft-src-id that was set up on the Input Transform to get the EMPLID of the Person to modify, since Status documents don't contain Association values.
Purpose: When the Publisher processed an Add event that uses the Matching Rule to find and update an object that already exists in eDirectory, the Modify event is tagged as being "from-merge=True" so that it can be distinguished from other Modify events. When the Status of that Modify is processed here, the DN of the modified object is then written back to PeopleSoft.
Purpose: If an Add event is being submitted to PeopleSoft by the Subscriber channel (unlikely), then the DN of the added object is added to the event.
This is another of the standard Policy Sets for Password Synchronization based on Universal Password. Geoffrey Carman's article (Password Transformation Rule Sets ) describes these already, so I won't repeat them here.
Authentication ID In this driver, this parameter specifies the account that will be used by the driver to log in to the PeopleSoft system. Your DBA will need to create the account and configure PeopleSoft security as needed for this account.
Connection Information //host:port This specifies the host and port of the application server that the driver to connect to. Check with your DBA. Ask about the "Jolt" port.
Schema CI Name Your Component Interface programmer will specify a Schema CI Name as part of building the CI. The default name, DIRXML_SCHEMA01, works with the default CI supplied with this driver, but you will probably use a different name in your actual deployment.
Data Record ID Field Also part of your CI development. This parameter specifies what field will be used to identify a person. The default, ASSOC_ID, works with the default CI supplied with the driver. You may or may not be changing this, again depending on your CI developer.
Use Case Sensitive Search Yes or no. The default, No, seems reasonable unless you know you need case sensitive searching (in PeopleSoft).
Allow Subscriber channel 'add' events This configuration option (default is 'No') prevents the driver from attempting to add new people to the PeopleSoft system. Unless you have a really unusual HR system, you will probably be leaving this option disabled.
Allow Subscriber channel 'delete' events This configuration option prevents (or allows) the driver to remove people from the HR system. As with 'add' events, it is very unlikely that you will be enabling this option.
Transaction CI Name This is another option that you will be negotiating with your CI developer. It specifies the name of the staging table that the driver will be polling for events.
Driver Subset Identifier The name of the field in the CI (Data) that uniquely identifies a PeopleSoft object.
Publisher Polling Option This driver can be configured to poll every X seconds (see the Queue Poll Interval, below), or on a schedule based on a crontab type format.
Queue Poll Interval (seconds) How often the publisher thread should poll the staging table (DIRXML_TRANS01) for available transactions.
Publisher Heartbeat interval If the publisher is configured to send 'Heartbeat' status messages, they will be sent every 1 (default) seconds when the publisher is otherwise idle.