Integration Interfaces

Using PeopleSoft Directory Interface

This chapter provides an overview of PeopleSoft Directory Interface and discusses how to:

Define and configure the directory.
Set up directory authentication.
Set up mappings.
Set up entry membership rules.
Load data into the directory.

Understanding PeopleSoft Directory Interface

PeopleSoft Directory Interface uses Lightweight Directory Access Protocol (LDAP) directory services to authenticate users of PeopleSoft applications.

PeopleSoft Directory Interface provides additional mappings and integration points, such as messages, that enable PeopleSoft data and LDAP data to stay synchronized. Most directory data, such as user ID, name, and email address, is also maintained in your PeopleSoft database. When you use PeopleSoft Directory Interface, you make selected PeopleSoft data available to the directory, and you maintain the data in the PeopleSoft database.

When information changes in the PeopleSoft database, PeopleSoft Directory Interface captures that updated information and automatically updates the equivalent information in the directory server, or it writes the updates to a file for you to apply at another time.

Understanding Data Mapping

PeopleSoft information is stored in tables according to a relational model. The information in your LDAP directory is stored in trees according to a hierarchical model. You use PeopleSoft Directory Interface to map selected PeopleSoft data to corresponding data in the directory service. When PeopleSoft Directory Interface receives user data from the PeopleSoft database, it can map the data objects to the corresponding objects in the directory.

For PeopleSoft Directory Interface to map PeopleSoft information to your directory, it needs information about the directory hierarchical structure, or directory information tree.

Entries are made up of a distinguished name (DN) and attribute and value pairs. The distinguished name identifies an entry’s position in the tree, and the attributes hold the data that make up the entry.

Available attributes for an object class entry are specified in the directory schema. You must load the schema into the Directory Interface before you can map PeopleSoft data to the directory.

PeopleSoft Directory Interface mapping tables map LDAP attributes to PeopleSoft messages. Each message contains selected information about a PeopleSoft record and its fields.

Note. Refer to PeopleSoft application documentation for information about specific messages delivered by PeopleSoft applications.

Understanding Data Synchronization

After you have loaded PeopleSoft data into your LDAP directory, you can synchronize the data. To do this, use one of the following options:

PeopleSoft Business Interlinks.

PeopleSoft Business Interlinks updates the data in real time, so that your directory information is always synchronized with PeopleSoft data.
LDAP Data Interchange Format (LDIF) files.

You can load LDIF files as needed or defined by your system.

Note. The application server needs to be configured for receiving messages.

Delivered Business Interlinks

Oracle delivers the following business interlinks with PeopleSoft Directory Interface:

EO_DS_ADD	Adds a new entry to the directory by creating a distinguished name and its corresponding attributes.
EO_DS_BIND	Authenticates the information exchanged between the database and the directory.
EO_DS_DEL	Deletes an entry from the directory.
EO_DS_MODDN	Renames a directory entry. Changes its distinguished name by renaming the actual entry or changing its position in the directory entry.
EO_DS_MODIFY	Changes the attributes of an entry.
EO_DS_SEARCH	Searches for directory entries and their corresponding attributes.

Refer to Enterprise PeopleTools 8.46 PeopleBook: PeopleSoft Business Interlinks for more information on business interlinks.

Understanding Implementing PeopleSoft Directory Interface

Consider these PeopleSoft Directory Interface implementation guidelines for best results:

LDAP Searches	Some LDAP searches may generate LDAP referrals to other servers participating in your directory. You must be able to ping by hostname all servers in the directory from the application server. If any server is unreachable by hostname from the application server, you can add a line for the server to the hosts. Your directory information tree must have user entries at the leaf level. This is required when an entry needs to be moved from one branch to another. The entry needs to be at the leaf level so that the system can read user attributes, one of which is the password file on the application server.
Entry Limit	In the directory, configure the entry limit value to be larger than the number of rows that you expect will be returned. The default value is usually not sufficient.
Directory Tree	Your directory information tree must have user entries at the leaf level. This is required when an entry needs to be moved from one branch to another. The entry needs to be at the leaf level so that the system can read user attributes, one of which is the password.
Microsoft Active Directory	The following items apply to implementations that use Microsoft Active Directory: The registry key HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed must be present and set to a nonzero DWORD on the Active Directory FSMO Role Owner. When creating structural object classes in Microsoft Active Directory, you need to specify containment. PsftJobs can be children of the following classes of objects only: builtinDomain, organizationalUnit, and domainDNS. You must add the server names in the Directory Setup component as they appear on the DNSHost Name attribute on the server entries under the CN=Sites entry.

Overview of Using PeopleSoft Directory Interface

This section briefly describes the steps needed to use PeopleSoft Directory Interface, including:

Setting up in PeopleSoft Application Designer and PeopleSoft Integration Broker.
Using the Directory Configurations component.

Setting Up in PeopleSoft Application Designer and PeopleSoft Integration Broker

Perform the following steps in PeopleSoft Application Designer and PeopleSoft Integration Broker.

Setting Up in PeopleSoft Application Designer

Access PeopleSoft Application Designer.

Create authentication and user profile maps as needed.

If you are going to authenticate users with the directory server, a PeopleSoft user profile is required—that is, a row in the PSOPRDEFN table where PeopleSoft user information is stored. In this context, you cache LDAP user information inside your PeopleSoft system. Properties that you specify in the Mandatory and Optional Properties pages of the Mappings component are the columns in PSOPRDEFN that the system populates with values from your directory server. PeopleSoft applications use this cache of user information, not your directory server. Whenever a transaction requires user information, the application refers to the local PSOPRDEFN table instead of querying the directory server.
Add Signon PeopleCode.

Directory authentication requires that Signon PeopleCode be enabled and configured with proper permissions. After a user signs onto the system and the Signon PeopleCode runs, the PeopleSoft system creates a row for the user in the user definition table by retrieving the LDAP information and creating a local cache. Signon PeopleCode maintains this row automatically and any changes made in the directory server are reproduced in the local cache. Using the Mappings component, set up mappings. To keep the data synchronized, you must map PeopleSoft data to the equivalent directory objects. PeopleSoft Directory Interface then associates the fields in the message with the attributes in the directory and updates the selected directory attributes with the field data from the message.
Activate the DSCHNL channel.

Open the message channel and select Run.

See Enterprise PeopleTools 8.51 PeopleBook: PeopleSoft Application Designer

Setting Up in PeopleSoft Integration Broker

Access PeopleSoft Integration Broker.

Activate a relevant node.

This node should be the default local node.
Define a service operation.

Note that the service operations, and messages to include in the service operations, depend on the application. For example, in an human resources implementation, you might want to include messages such as Dept, Location, Person, and Job in a service operation, in addition to core messages such as DSMINPUT.

See Enterprise PeopleTools 8.51 PeopleBook: PeopleSoft Integration Broker

Using the Directory Configurations Component

Access Directory Configurations component (PSDSSETUP) from the browser menu.

Using the Directory Configurations component, configure the directory.

Enter appropriate connection information such as the server name (DNS or IP address) and the listening port number, the user DN, and associated password.
Using the Schema Management page, select names of object classes and attribute types and then cache the schema.
To keep the data synchronized, you must map PeopleSoft data to the equivalent directory objects.

Set up mappings using the Mappings component. After this is completed, PeopleSoft Directory Interface associates the fields in the message to the attributes in the directory and updates the selected directory attributes with the field data from the message.
Using the Membership Rules component, create rules and memberships, if desired.
Load data in the directory.
Set directory search criteria.

Enter search parameters to query the directory and view the results.

Common Elements Used in This Chapter

Directory ID	Unique identifier for the directory.
Description	A brief description of the directory.
Directory Product	Select the directory product from the drop-down list box.
Default Connect DN	Displays the connect distinguished name associated with the directory ID that you selected. Use this ID to connect to the directory server.
Password	Password to access the directory.
LDAP Server	The name of the server where the directory resides.
Port	The LDAP server port associated with the LDAP server that you select.
SSL Port	The secure socket layer port.

Defining and Configuring the Directory

Use the Directory Configurations component (PSDSSETUP) to define and configure the directory connection. This section discusses how to:

Configure the directory connection.
Cache the schema.
Delete the directory configuration.

Pages Used to Define and Configure the Directory

Page Name	Definition Name	Navigation	Usage
Directory Setup	DSDIRSETUP	Enterprise Components, Directory Interface, Definitions, Directory Configurations, Directory Setup	Enter values to configure the directory.
Additional Connect DN's	DSSERVERID	Enterprise Components, Directory Interface, Definitions, Directory Configurations, Additional Connect DN's	Add values for additional connect DNs.
Schema Management	DSEXTINSTALL	Enterprise Components, Directory Interface, Definitions, Directory Configurations, Schema Management	Manage schema, and apply PeopleSoft schema extensions.
Test Connectivity	DSSRCHRSLT	Enterprise Components, Directory Interface, Definitions, Directory Configurations, Test Connectivity	Test the directory connectivity.
Cache Schema	DSSCHEMACACHE	Enterprise Components, Directory Interface, Definitions, Schema Cache	Cache the schema.
Delete Directory	DSPURGEDIRID	Enterprise Components, Directory Interface, Definitions, Directory Deletions	Delete the directory configuration.

Configuring the Directory Connection

This section discusses how to:

Set up the directory connection.
Connect additional DN's.
Manage the schema.

Setting up the Directory Connection

Access the Directory Setup page (Enterprise Components, Directory Interface, Definitions, Directory Configurations, Directory Setup).

Use the Directory Setup (DSDIRSETUP) page to enter values to configure the directory.

Connecting Additional DN's

Access the Additional Connect DN's page (Enterprise Components, Directory Interface, Definitions, Directory Configurations, Additional Connect DN's).

Use this page to add values for additional connect DNs. Add more connect DNs and passwords, if needed.

Managing the Schema

Access the Schema Management page (Enterprise Components, Directory Interface, Definitions, Directory Configurations, Schema Management).

Use this page to manage schema, and apply PeopleSoft schema extensions.

Activate the check boxes of those object classes or attribute types that you want applied to the cache schema.

Testing the Connectivity

Access the Test Connectivity page (Enterprise Components, Directory Interface, Definitions, Test Connectivity).

Use this page to test the directory connectivity.

When you access the Test Connectivity page, the connection test launches automatically. The results appear in the page. A successful test shows the message SUCCESS in green.

The preceding example shows the message FAILED in red, confirming that the connection test failed.

Verify that your directory server configuration details contain the correct values (correct server name, port, and so on).

Caching the Schema

Access the Cache Schema page (Enterprise Components, Directory Interface, Definitions, Schema Cache).

Use the Cache Schema (DSSCHEMACACHE) page to cache the schema.

Enter the directory ID and server name of the schema to be cached and click the Cache Schema Now button.

Deleting the Directory Configuration

Access the Delete Directory page (Enterprise Components, Directory Interface, Definitions, Directory Deletions).

Use the Delete Directory (DSPURGEDIRID) page to delete the directory configuration.

Select the check boxes for the desired directory configuration deletions.

(Optional) Setting Up Directory Authentication

This section discusses how to:

Use map authentication.
View user properties.

For information about setting up authentication servers, user profile maps, and role membership rules, refer to the following documentation.

Pages Used to Set Up Directory Authentication

Page Name	Definition Name	Navigation	Usage
Authentication	DSSECMAPMAIN	Enterprise Components, Directory Interface, Mappings, Authentication	Create a mapping for the directory that the system relies on for authenticating users.
Mandatory User Properties	DSUSRPRFLMANMAP	Enterprise Components, Directory Interface, Mappings, User Profiles, Mandatory User Properties	Specify the attributes required for sign-in. You can have the system retrieve these mandatory values from the directory server, or you can enter default values.
Optional User Properties	DSUSRPRFLOPTMAP	Enterprise Components, Directory Interface, Mappings, User Profiles, Optional User Properties	Specify optional user properties to store in and retrieve from the directory. You can specify general, permission list, and workflow attributes. All these attributes appear in the User Profile component.

Using Map Authentication

Access the Authentication page (Enterprise Components, Directory Interface, Mappings, Authentication).

Use this page to create a mapping for the directory that the system relies on for authenticating users.

Anonymous Bind	If directory data required for authentication and user profile maintenance is visible to an anonymous connection, you can select this check box.
Use Secure Socket Layer	Select if you are using SSL between the PeopleSoft system and the directory server.

Viewing User Properties

Access the Mandatory User Properties or Optional User Properties page (Enterprise Components, Directory Interface, Mappings, User Profiles, Mandatory User Properties).

Select Authentication Map and set check boxes and field values as needed.

Use the Mandatory User Properties page or the Optional User Properties page to specify the attributes required for sign-in. You can have the system retrieve these mandatory values from the directory server, or you can enter default values.

The default shows the Attribute Name field available. If you select the Use Constant Value check box, the Constant Value field becomes available instead.

Setting Up Mappings

This section provides an overview of mapping and discusses how to:

Create mappings.
Modify a distinguished name.
Specify distinguished name details.
Translate or perform functions with database values.
Specify distinguished name defaults.
Map PeopleSoft data to directory object class attributes.
Locate delivered messages.

Understanding Mapping

You map PeopleSoft data to the equivalent directory objects to keep the data synchronized. PeopleSoft Directory Interface receives PeopleSoft data from messages contained within service operation that you publish whenever a business event associated with the messages identified in the Directory Mapping component. Each message contains information about records and the most recent data for the record fields. Using the mapping information that you set up, PeopleSoft Directory Interface associates the fields in the message with the attributes in the directory and then updates the selected directory attributes with the field data from the message. Additionally, you can define a constant value or a PeopleCode function that returns a value to supply data used in building temporary Directory Information Trees when not all data exists for an entry.

Pages Used to Set Up Mappings

Page Name	Definition Name	Navigation	Usage
Map Details	EO_DSMAP	Enterprise Components, Directory Interface, Mappings, Directory maps, Map Details	Set up a mapping and enter the data relationship details between PeopleSoft data and directory data.
Modify Connect DN - Directory Interface	EO_DSUSERDN	Click the Modify Connect DN button on the Map Details page.	Modify the Connect DN.
DN Details	EO_DSDN	Enterprise Components, Directory Interface, Mappings, Directory maps, DN Details	Set up the relationship between the data contained in the message that you selected on the Message Details page and the directory entry’s distinguished name.
DN Defaults	EODS_DN_DEFAULTS	Enterprise Components, Directory Interface, Mappings, Directory maps, DN Defaults	Define a constant value or PeopleCode function that returns values that supply the blank values on the Directory Information Tree.
Attribute Details	EO_DSATTRIB	Enterprise Components, Directory Interface, Mappings, Directory maps, Attribute Details	Set up the relationship between the data in the message that you selected on the Message Details page and the directory object class attributes.

Creating Mappings

Access the Map Details page (Enterprise Components, Directory Interface, Mappings, Directory maps, Map Details).

Use this page to set up mapping and enter the data relationship details between PeopleSoft data and directory data.

Status

Select the appropriate status from the following values.

Active: The map is active and ready to be used.
Inactive: The map is not ready to be used.
Remote: The map is not used at this time, and may appear to be unavailable.

Message Information

Message Name

Select the message to associate with this mapping. The message contains the PeopleSoft records and fields that have the data that you want to associate with the attributes that make up the directory entry that you select in the Directory Connect Information group box. For example, if you select the output − DEPTID object class, select the department (DSDEPT_SYNC) message because it contains the fields relevant to the department object class.

Function

Enter the name of the PeopleCode function that you want to run using this message as an input parameter. The function can use any of the fields contained in the message to produce an output value for one or more of the fields that you map. This enables you to use a field in a function without mapping to it directly. For example, if you want the employee ID value sent to the directory to be a value combining the employee ID and the salary code, enter a function that produces that value. You then need to map only to the EmplID field to insert the derived employee ID in the directory.

Directory Connect Information

SeqNum (directory sequence number)	Indicate the order in which the server should be used when the system processes this mapping. If the first server is unavailable, the system attempts to access the other servers in sequence until it finds an available one. If you are using multiple servers, this enables you to distribute the load across servers.
Directory Search Base	Enter a directory search base. The search base is the entry in the directory information tree from which the system begins a search relating to this mapping. For example, if on the Attribute Details page you select to have a field value updated indirectly, PeopleSoft Directory Interface searches for and updates all instances of that field in entries from that point in the information tree down.
Modify Connect DN	Click to access the Modify Connect DN - Directory Interface page to modify the connect DN.
Output Type	Select the method that the system should use to send the mapped data to the directory data. Select I to send data to the directory directly through a business interlink. Select F to send data to an LDAP Data Interchange Format (LDIF) file to be manually updated in the directory. Use the same output type for all your mappings to keep data consistent in the directory.
Retain Original Directory Data	When you move data in your directory using the PeopleSoft Directory Interface, the Directory Interface copies the data to the new location and then deletes the old version. Select this check box to preserve the original data. You can select this check box at a later date provided that you do it before the data move. Note. Select this check box if your directory contains binary data. Move the binary data with your directory administrative tool.

Map Object Class

Directory Object Class

Select one or more directory object classes. The object classes that you select determine the attributes that you can map to PeopleSoft data.

Modifying the Distinguished Name

Access the Modify Connect DN - Directory Interface page. Click the Modify Connect DN button on the Map Details page.

Use this page to modify the connect DN.

Use Default (Admin) DN? (Y/N) (use default [administrative] distinguished name)	Select to use the default connect distinguished name value that you set up in PeopleTools.
User DN (user distinguished name)	Displays the alternative IDs that you can use to connect to the specified directory ID. You can use a user ID (and password) other then the default one listed on the Directory Setup page in PeopleTools. Because the default user ID is most likely an administrative ID, you can set up a more secure user ID for the scope of the mapping.

Specifying Distinguished Name Details

Access the DN Details page (Enterprise Components, Directory Interface, Mappings, Directory maps, DN Details).

Use this page to define a constant value or PeopleCode function that returns values that populate the blank values on the Directory Information Tree.

Associate the data contained in the message that you selected on the Map Details page with the entry's distinguished name.

DN Details

Attr Seq No (attribute sequence number)	The system assigns an attribute sequence number to the attributes. Some directory attribute values consist of multiple values. The attribute sequence number distinguishes between the different attribute values and indicates to PeopleSoft Directory Interface the order in which the PeopleSoft values and constant values should be assigned to the attribute.
Attribute	Select the directory attributes associated with the mapping’s distinguished name. For example, for the Department entry, map the o − Corporation first, the l − location second, and then the ou − Department attribute.
Seq (sequence)	Enter the sequence number of the directory attribute. The directory builds the entry’s distinguished name using the attributes in sequential order.
Use Constant and Constant Value	Select to use the constant value that you enter in the Constant Value field to supply this attribute instead of a PeopleSoft field value.
Record and Field Name	Select the name of the record that contains the PeopleSoft field and the PeopleSoft field containing the value to assign to this attribute.
	Click to access the DN Attribute Function - Directory Interface page and translate database values or instruct the system to perform functions with database values. Note. Use this page when constructing distinguished names across active directory multiple domains.

Example Entry

An entry’s distinguished name is built by applying the attributes in a sequential order. The order for the department entry example would be constructed using the data in the following table:

Sequence Number	Directory Attribute	Attribute Sequence Number	Use Constant Value	Record (Table) Name	Field Name	Constant Value
1	o	1	Yes			Corp
2	l	1	No	DEPT_TBL	LOCATION	NA
3	ou	1	No	DEPT_TBL	DEPTID	NA

Translating or Performing Functions with Database Values

Access the DN Attribute Function - Directory Interface page (Enterprise Components, Directory Interface, Mappings, Directory maps, Attribute Details).

Use this page to set up the relationship between the data in the message that you selected on the Message Details page and the directory object class attributes.

Translate Value	Select to replace the database value with the Distinguished Name field value for the selected attribute.
PeopleCode Function	Select to use the selected database object value as a parameter in a PeopleCode function. The system uses the resulting value as the attribute's distinguished name.
Don’t Transform value	Select to instruct the system to keep the database value as is. This option is the default value for this field.
Database Value	Enter the database value that you want the system to replace. For example, every time the database value Vancouver appears in the Location attribute, the system replaces it with the distinguished name Van. This field is available only when you select Translate Value as the transformation option.
Distinguished Name	Enter the distinguished name value to replace the database value. This field is available only when you select Translate Value as the transformation option.
PeopleCode Function Name	Enter the PeopleCode function that the system should use to calculate the distinguished name for the selected attribute. This field is available only when you select PeopleCode Function as the transformation option.

Setting Up PeopleCode Attribute-Level Functions

When the mapping function accesses the values in the selected field, the field value is passed into a PeopleCode function as a parameter and the output is assigned to the attribute in the directory.

Before you can enter a function on this page in the PeopleCode Function Name field, you must set up the function in the FUNCLIB_EO_DS.DSDYNFUNC FieldFormula.

To create a function:

Open the FUNCLIB_EO_DS.DSDYNFUNC FieldFormula.
Add a section in DSDynamicAttrFunc.
In the evaluate statement, add the following section for each function that you want to add (FuncX is equal to your function name):
```
When = 'FuncX'
   FuncX(&AttrIn, &AttrRT);
   Break;
```
Define a DSDynamicAttrFunc PeopleCode function.

The parameter list must contain two parameters, an attribute type string input and an attribute type string output.

PeopleCode Function Example

The following example displays the setup for functions FuncX, FuncY, and FuncZ.

Specifying Distinguished Name Defaults

Access the DN Defaults page (Enterprise Components, Directory Interface, Mappings, Directory maps, DN Defaults).

Use this page to define a constant value or PeopleCode function that returns values that populate the blank values on the Directory Information Tree.

This page enables you to define defaults for any Record.Field value that is left blank in the data rowset of the message that is used to populate the map. For example, you can enter defaults to enter the blanks left by the lack of Department/Location data for the Persons of Interest constructed by the PeopleSoft Directory Interface.

In the preceding sample page, the value for JOB.DEPTID is by default a method called HCDI_SERVICES:HCDIUtilities.DeptID. This method returns a DeptID constant.

Note. The syntax for the method needs to be fully qualified using the following format: Package_Name:App_Class_Name.Method_Name.

Seq (sequence number)	Displays the sequence number for this attribute.
Record (Table) Name	Select the record name for the value. This field is required.
Field Name	Select the field name for the value. This field is required.
DN Attribute	The name of the distinguished name attribute.
Object Method	Enter the object method you are using to supply the value, if applicable. Leave this field blank if you are using a constant or parameter to supply the value.
Constant/Parameter	Enter the values for the constant or the parameter, if applicable. Leave this field blank if you are using an object method to supply the value.
Force	Select to overwrite the Record.Field values at runtime, even if the values exist.

Mapping Data to Directory Object Class Attributes

Access the Attribute Details page (Enterprise Components, Directory Interface, Mappings, Directory maps, Attribute Details).

Use this page to set up the relationship between the data in the message that you selected on the Message Details page and the directory object class attributes.

On this page, associate the fields contained in the message that you selected on the Map Details page with the attributes that provide more detail about an entry. Some attributes are mandatory (an object class’s mandatory attributes are defined in the directory schema) and must be mapped to either a constant value or record or field. For the department example, you would map PeopleSoft records and fields to the mandatory attributes (such as DeptID), and you could add additional attributes that would give you more information about the object class, such as description.

Note. The system does not update related-display field values unless the source field is also mapped. If the source field is not mapped, the audit process still indicates and enables you to update any discrepancies. For example, when you map to an employee’s job code, the directory entry also includes the job code description. If you change the job code description on the Job Code component, the system updates the related-display description field on the employee’s Job Data page, but it does not update to the directory, because it is not included in the mapping.

Warning! The fields that you map to mandatory attributes must contain data or the mapping will fail. You can guarantee that data will be in the fields by mapping mandatory attributes to required fields.

Attr Seq No (attribute sequence number)	Displays the attribute sequence number assigned to this attribute.
Attribute	In the Mandatory scroll area, the system displays the mandatory attributes for this object class. In the Optional scroll area, select optional attributes.
Seq (sequence number)	Enter a sequence number for this attribute. Some directory attribute values are made up of multiple values. The attribute sequence number distinguishes between the different attribute values and indicates to PeopleSoft Directory Interface the order in which the PeopleSoft values and constant values should be assigned to the attribute.
Ind Upd (indirect update)	Select if the field that you selected is used as an attribute in the directory outside of this mapping and you want it to be updated when this field is updated. The system updates attributes only in entries at lower levels on the directory information tree than this entry.

Locating Delivered Messages

Your PeopleSoft application that supports the PeopleSoft Directory Interface delivers a set of messages to be used to share information with your directory service.

Note. If you have upgraded from a PeopleTools 8.47 or earlier release, the upgrade program creates service operations for these messages. The service operation names and message names are the same.

For information about this delivered data and how it works in conjunction with the PeopleSoft Directory Interface, see your PeopleSoft application documentation.

(Optional) Setting Up Entry Membership Rules

This section discusses how to:

Create entry definitions.
Specify entry membership rules.

Entry membership rules enable you to modify a directory entry, such as a group, based on criteria stored in the PeopleSoft database. This feature provides a method to match any type of directory entry to rules that are meaningful in PeopleSoft applications. You can use membership rules to create any type of logical grouping in the directory. The groupings are not restricted to security purposes.

Pages Used to Set Up Entry Membership Rules

Page Name	Definition Name	Navigation	Usage
Entry Definition	EO_DSCONTAINERDEFN	Enterprise Components, Directory Interface, Membership Rules, Entry Rules, Entry Definition	Create a directory entry definition.
Entry Membership Rules	EO_DSSECRULES	Enterprise Components, Directory Interface, Membership Rules, Entry Rules, Entry Membership Rules	Establish entry membership rules.

Creating Entry Definitions

Access the Entry Definition page (Enterprise Components, Directory Interface, Membership Rules, Entry Rules, Entry Definition).

Use this page to create a directory entry definition.

Entry Name	Displays the entry name that you entered on the search page. The system uses this value for the entry name throughout the application, so it must be the name of an existing entry in the external directory. The PeopleSoft system assumes that the name is unique in the directory.
Active Flag	Select to activate rules. Rules that are not active do not run.

Directory Search Parameters

Search Base

Enter the distinguished name of the base under which this entry will be located in the directory. The application performs an LDAP search to retrieve the distinguished name of the entry using this field as the base.

Search Scope

Select from:

Base: The query searches only the value in the Search Base field.

One: The query searches only the entries one level down from the value in the Search Base field.

Sub: The query searches the value in the Search Base field and all entries beneath it.

Build Filter

( )	Select the check boxes below the parentheses to group expressions. You can group more than one line together using the check box on the left for the first line and the check box on the right for the last line.
Attribute	Enter the name of the attribute that will store the members of the entry in the external directory. It is typically set to member, but the attribute name could be anything that you choose.
Operation	Assign an operator to your rule such as <, <=, <>, =, >, or >=.
Value	Assign a value to the attribute in your rule.
And/Or	To add another line to your rule, select AND or OR depending on your rule logic. Select END to signify the end of the search. Select NONE if you are not using this kind of filter.
Refresh	After you make changes using the Build Filter options, click this button to update the Search Filter edit box to reflect the changes.
Clear LDAP Filter	Click to delete all values from the Search Filter edit box and the Build Filter selections.
Search Filter	Displays the filter that the system applies to the search for the distinguished name of the defined entry. This field typically displays the directory object class of the entry in the form “objectclass = GroupOfUniqueNames”, for example. This indicates what type of entry to search. To retrieve the correct entry distinguished names, the system adds the name of the entry to the search filter at runtime. The name retrieved by the LDAP search using this filter is tied to the rules defined in the Entry Membership Rules page. When these rules run, the employee that the system is currently processing is either added to or deleted from the distinguished name retrieved by the search.

Search Attributes

Directory Attribute

Select the attribute of the entry being defined that will contain all the members of this entry. This attribute must be valid for the current entry in the directory. The employees that satisfy the entry membership rules of this entry are added under this entry as a new value of this attribute. Because of this, as many attribute values may exist as employees satisfying the entry membership rules. If this field is left blank, the application uses member as a default attribute name.

Trigger Message Names

Map Names

Select the names of the maps to associate with the entry definition. Besides being a security feature, this also improves performance at runtime, because only applicable rules are evaluated.

Note. Run the directory audit if an entry rule has changed or if you want to initialize the directory entries.

Specifying Entry Membership Rules

Access the Entry Membership Rules page (Enterprise Components, Directory Interface, Membership Rules, Entry Rules, Entry Membership Rules).

Use this page to establish entry membership rules.

Entry Membership Rules

Sequence	Displays the sequence of a rule within a rule set. The sequence becomes significant when you enter more than one rule.
NOT	Select to negate the rule that you enter. This is similar to using the symbol ! to reverse the truth value of an operand.
( )	Select the check boxes to add parentheses around your rule. You can group more than one line together using the check box on the left for the first line and the check box on the right for the last line.
Record and Field Name	Enter the name of the PeopleSoft record and field containing the information to be tested.
Operation	Enter the appropriate operator, such as: < , <= , <> , = , > , or >=.
Value	Enter the value on which the employee’s data needs to be tested. This can be any value of the same type as the field used in the rule, such as String, number, date, and so on.
AND/OR	To add another line to your rule, select AND or OR depending on your rule logic. Select END to signify the end of the search. Select NONE if you are not using this kind of filter.

The entry rules are logical expressions that can be either true or false. They are composed of filters on database objects associated by logical operators. Rules have the following form:

[NOT] [ ( ]  Record . Field   operatorConstant [ ) ] [AND/OR]

The symbols between square brackets are optional. The operator can be <, <=, <>, =, >, or >=. A rule set is composed of single rules joined by AND or OR Boolean operators if necessary. The following example shows a series of single rules joined to make one compound rule.

( JOB.LOCATION = ‘KC004’ AND [1]
JOB.COMPRATE > 15000 ) OR [2]
NOT JOB.DEPTID = ‘GBIY004’[3]

Note. No limits are imposed on the number of rules used within a rule set.

Loading Data into the Directory

This section provides an overview of how to load the directory and discusses how to load the directory with PeopleSoft data.

Understanding Directory Load Behavior

Use the Directory Load process when no existing data is in the directory. The process overwrites any data in the directory.

If you have data in your directory, use the Directory Audit process instead of the Directory Load process. The audit process compares the PeopleSoft data to your existing directory data and enables you to review and resolve any possible conflicts.

Note. For HRMS customers only, an alternative process named DSMAPINPUT FullSync is available that you can use in place of the Directory Load process. This new process does not replace the Directory Load process; it is provided as an alternative to load the data if performance becomes an issue.

See PeopleSoft Enterprise HRMS Application Fundamentals PeopleBook

Loading the Directory with PeopleSoft Data

Access the Directory Load page (Enterprise Components, Directory Interface, Load Directory).

Use this page to run the Directory Load process.

LDIF File	Select to have the process send the data to an LDIF file for you to load in the directory.
Direct Update	Select to have the process directly update the directory.
Run	Click to run the process using PeopleSoft Process Scheduler.