Oracle Waveset 8.1.1 Deployment Guide

LDAP, PeopleSoft, and Remedy

In this scenario, the LDAP or PeopleSoft resource could theoretically be the primary resource.

Remedy is not a candidate to be the primary resource, because only a small percentage of workers have a Remedy account.

In many cases, if you have multiple authoritative resources, then any of those resources can be loaded first. However, the PeopleSoft Component adapter performs Active Sync functions only. (There is another PeopleSoft adapter available, but it is limited in scope.) The PeopleSoft Component adapter does not perform reconciliation, and as a result, reconciliation policy cannot be set for the resource. There are no correlation rules available, so the PeopleSoft accounts must be loaded first. The Waveset account names will match PeopleSoft EMPLID (employee ID) values.

The PeopleSoft employee ID is ideal as a correlation key, because it is unique for all users defined in the system. The LDAP inetOrgPerson object contains an employeeNumber attribute. An employee ID could also be stored in an attribute with a label such as Description, or in a custom attribute. This scenario assumes the employeeNumber LDAP attribute is in use.

The Remedy adapter does not provide default attributes. You must customize the adapter to fit your environment. Because the Remedy application is often configured to send email when a request enters the system, the e-mail attribute should be available. The LDAP inetOrgPerson object also contains the mail attribute. Therefore, the e-mail address will be the correlation key.

The following table lists the correlation keys for each resource in this scenario.

Table 4–7 Dataloading Scenario: Correlation Keys for Each Resource

| Possible Correlation Keys | PeopleSoft | LDAP | Remedy |
|---|---|---|---|
| Employee ID | Yes | Yes | No |
| E-mail address | No | Yes | Yes |

Example Users

In this scenario, the following users demonstrate some of the possible problems you might encounter when loading accounts.

Table 4–8 Deployment Scenario: Possible Problems during Account Loading

| Worker name | PeopleSoft EMPLID | LDAP EmployeeNumber | LDAP Email (@example.com) | Remedy Email (@example.com) |
|---|---|---|---|---|
| Robert Blinn | 945 | 945 | Bob.Blinn | bblinn |
| William Cady | None | None | William.Cady | William.Cady |
| Eric D’Angelo | 1096 | 1096 | Eric.D’Angelo | Eric.D’Angelo |
| Renée LeBec | 891 | None | None | None |
| Josie Smith | 1436 | 1463 | Josie.Smith | None |
| John Thomas | 509 | 509 | John.Thomas | None |
| John P. Thomas | None | None | John.P.Thomas | John.P.Thomas |

Loading PeopleSoft Users

Use the following steps as a guideline for loading PeopleSoft accounts into Waveset using Active Sync.

Procedure: To Load PeopleSoft Users

  1. From the Resources page in the Waveset Administrator Interface, select the PeopleSoft Component resource from the New Resource pull-down menu. If this resource is not displayed, click the Configure Managed Resources button and add com.waveset.adapter.PeopleSoftComponentActiveSyncAdapter as a custom resource. This adapter requires the installation of a JAR file provided by PeopleSoft. See the Resource Reference for more information.

  2. Configure the adapter. Make sure you do not delete the accountId or fullname Waveset user attribute from the schema map. Also make sure the identity template is correct.

  3. (Optional) Edit the account and password policies as desired. See Setting Account ID and Password Policies for more information.

  4. (Optional) Create a user form that will be used for data loading. The $WSHOME/sample/forms/PeopleSoftForm.xml file can be used as a foundation. See Assigning User Forms for more information.

  5. Start ActiveSync on the PeopleSoft adapter.

Results of This Scenario

Waveset loads all users unless the user form indicates that an account should not be loaded. In this scenario, Renée LeBec does not have an LDAP or Remedy account. Presumably, she no longer works for the company. If you used the default PeopleSoft form, then Waveset disables PeopleSoft accounts for terminated employees.

The accounts for William Cady and John P. Thomas are not created because they are not defined within PeopleSoft.

Loading LDAP Users

In this scenario, the employeeNumber attribute in the LDAP inetOrgPerson object is the correlation key. This attribute is not listed by default in the schema map for the LDAP adapter, so you must add it manually. For this example, add the attribute EmployeeId to the Waveset User Attribute side of the schema map, and employeeNumber to the Resource User Attribute side.


Note –

The PeopleSoft adapter uses the Waveset attribute name EmployeeId by default. This value was chosen to maintain consistency between LDAP and PeopleSoft, although this is not required.


The e-mail address will be the correlation key for the Remedy resource, but it must be set up and configured before you load LDAP accounts. The inetOrgPerson object contains the mail attribute, which will be the correlation key for loading Remedy accounts. The mail attribute also must be added to the schema map. Add the email attribute to the Waveset User Attribute side of the schema map, and mail to the Resource User Attribute side. email is a predefined Waveset attribute, so it is easier to use this attribute, rather than editing the User Extended Attributes or UserUIConfig configuration objects to include a mail attribute.

Waveset stores account IDs in the User object in the attribute resourceAccountIds. This is a multi-valued attribute, with each value taking the form accountId@objectId. You can create a rule that will compare the EmployeeId value from LDAP to the PeopleSoft accountId using the following rule:

Comparing EmployeeId value from LDAP to PeopleSoft accountId


<Rule subtype='SUBTYPE_ACCOUNT_CORRELATION_RULE' name='Correlate EmployeeId with accountId'>
   <!-- If the LDAP account has an EmployeeId, match Waveset users that have a
        resourceAccountIds value starting with "<EmployeeId>@". -->
   <cond>
      <ref>account.EmployeeId</ref>
      <list>
         <new class='com.waveset.object.AttributeCondition'>
            <s>resourceAccountIds</s>
            <s>startsWith</s>
            <concat>
               <ref>account.EmployeeId</ref>
               <s>@</s>
            </concat>
         </new>
      </list>
   </cond>
</Rule>

In this scenario, it is not necessary to add attributes to the User Extended Attributes or UserUIConfig configuration objects, because the accountId and email attributes are always available to the system.

Procedure: To Load LDAP Accounts

  1. From the Resources page in the Administrator Interface, select the LDAP resource from the New Resource pull-down menu. Then configure the adapter as follows:

    1. Add the EmployeeId and email Waveset User attributes.

    2. Make sure you do not delete the accountId Waveset user attribute from the schema map.

    3. Ensure that the identity template is correct.

      See the online help and the Resource Reference for more information about configuring the adapter.

  2. Configure the reconciliation policy for the resource as follows.

    1. Set the Correlation Rule to Correlate EmployeeId with accountId.

    2. Set the following situation values:

      Set the UNASSIGNED situation to “Link resource account to Identity Manager user”.

      Set the UNMATCHED situation to an appropriate action. You might need to discuss with the PeopleSoft administrator the possibility of adding users who are discovered on other resources. If you select the “Create new Waveset user based on resource account” option, the Waveset user will have, by default, an account name based on the LDAP cn attribute.

  3. Reconcile the LDAP resource.

Results of This Scenario

In this scenario, accounts for William Cady, Josie Smith, and John P. Thomas will be in the UNMATCHED state. For Josie Smith, the employee ID values on the PeopleSoft and LDAP resources do not match. Because employee IDs are generated by PeopleSoft, the LDAP value is incorrect. Correct the mistake and reconcile again.

William Cady and John P. Thomas are not defined in PeopleSoft. As mentioned in step 2 of the procedure for loading LDAP accounts, you should consider whether the accounts need to be added to PeopleSoft.

Loading Remedy Users

The Remedy adapter does not have predefined account attributes. You must add these attributes to the schema map. Remedy uses integers to uniquely identify each attribute that it tracks. For example, the Remedy account ID might be assigned a value such as 1002000100. These Remedy attribute numbers must be added as Resource User Attributes on the schema map. At minimum, you must add the following Waveset User attributes: accountId and email.

The USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CORR correlation rule will link the Remedy accounts to the Waveset accounts.

Procedure: To Load Remedy Accounts

  1. From the Resources page in the Waveset Administrator Interface, select the Remedy resource from the New Resource pull-down menu. Then configure the adapter as follows:

    At minimum, add the accountId and email Waveset User attributes. Other attributes can also be added.

    See the online help and the Resource Reference for more information about configuring the adapter.

  2. Configure the reconciliation policy for the resource as follows.

    1. Set the Correlation Rule to USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CORR.

    2. Set the following situation values:

      1. Set the UNASSIGNED situation to “Link resource account to Identity Manager user”.

      2. Set the UNMATCHED situation to an appropriate action.

  3. Reconcile the Remedy resource.

Results of This Scenario

The Remedy accounts for William Cady, Eric D’Angelo, and John P. Thomas correlated successfully because the email addresses defined in LDAP and Remedy matched. The Remedy account for Robert Blinn did not correlate. The e-mail address on Remedy was an alias. The other users in this scenario do not have Remedy accounts.
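The three loads above, modeled end to end over the Table 4–8 users so the accounts that fail to correlate can be listed for review. This is an added example, not Waveset or Oracle code. It assumes placeholder objectId values, uses the mail value as the LDAP and Remedy account ID, compares e-mail addresses by exact equality, and chooses the "create new Waveset user" action for UNMATCHED LDAP accounts.

```python
# Constructed model of this page's scenario; not Waveset code.
# Rows from Table 4-8: name, PeopleSoft EMPLID, LDAP employeeNumber,
# LDAP mail, Remedy mail (None = no value on that resource).
USERS = [
    ("Robert Blinn", "945", "945", "Bob.Blinn", "bblinn"),
    ("William Cady", None, None, "William.Cady", "William.Cady"),
    ("Eric D'Angelo", "1096", "1096", "Eric.D'Angelo", "Eric.D'Angelo"),
    ("Renée LeBec", "891", None, None, None),
    ("Josie Smith", "1436", "1463", "Josie.Smith", None),
    ("John Thomas", "509", "509", "John.Thomas", None),
    ("John P. Thomas", None, None, "John.P.Thomas", "John.P.Thomas"),
]
PS, LDAP, REMEDY = "ps-obj", "ldap-obj", "remedy-obj"  # placeholder objectIds

def new_user(account_id, resource, email=None):
    return {"resourceAccountIds": [f"{account_id}@{resource}"], "email": email}

def reconcile(waveset, resource, accounts, match, create_unmatched):
    """Link each account that has exactly one candidate user; report the rest."""
    unmatched = []
    for name, account_id, email, key in accounts:
        hits = [u for u in waveset.values() if key and match(u, key)]
        if len(hits) == 1:   # UNASSIGNED: link resource account to the user
            hits[0]["resourceAccountIds"].append(f"{account_id}@{resource}")
            hits[0]["email"] = hits[0]["email"] or email
        else:                # UNMATCHED: needs an administrator's decision
            unmatched.append(name)
            if create_unmatched:  # assumed action: create a new Waveset user
                waveset[name] = new_user(account_id, resource, email)
    return unmatched

def by_employee_id(user, emp):  # the startsWith rule: "<EmployeeId>@"
    return any(r.startswith(emp + "@") for r in user["resourceAccountIds"])

def by_email(user, mail):       # exact equality is a modeling assumption
    return user["email"] == mail

def run_scenario():
    # PeopleSoft load: the Waveset account name is the EMPLID.
    waveset = {e: new_user(e, PS) for n, e, *rest in USERS if e}
    # LDAP and Remedy account IDs are modeled with the mail value.
    ldap = [(n, m, m, emp) for n, _, emp, m, _ in USERS if m]
    remedy = [(n, r, r, r) for n, *_, r in USERS if r]
    ldap_unmatched = reconcile(waveset, LDAP, ldap, by_employee_id, True)
    remedy_unmatched = reconcile(waveset, REMEDY, remedy, by_email, False)
    return ldap_unmatched, remedy_unmatched, waveset
```

With the create action selected, the model ends up with two identities for Josie Smith (1436 from PeopleSoft and one created from LDAP), which is why the mismatch should be corrected and the resource reconciled again before any automatic creation is enabled.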