Skip to content

Connector execution

There are several methods for running a provisioning sequence:

  • Using Batch or PowerShell files with command lines that call the HPPRunCli executable
  • Using the job management interface
  • Using SIP web services

Executing provisioning sequences with HPPRUNCLI.exe

In a Batch or PowerShell file, you must call the HppRunClie.exe executable followed by the following options:

Options Function Mandatory (Y/N)
-sec [Sequence Name] Option to specify the sequence to be executed. Y
-cfg [Config_file_name] Option to specify the configuration file to use. N. By default, the hpp.ini file is used.
-obj [Val_attribute1|Val_attribute2|…] Option to specify the matching attribute value to execute the sequence as a unit. If several attribute values must be specified, they must be listed in the order in which the exports must be executed. N
-seq [Directory_nm] Option to specify the name of the output directory for log files. N

Running provisioning sequences via the job management interface

From the provisioning sequence job instance viewing page, you can run a job either individually or in bulk.

To launch a job in bulk, click on the “type:inline” button.

Select the desired job(s), then click on “Validate” to place the jobs in the queue.

To launch a job individually, click on the “type:inline” button.

Select the desired job, then enter the value to select the object on which you want to run the job.

Warning: Currently, if your job contains multiple sequences, in order to run a job in unit mode, the matching attribute must have the same value for all sequences.

Running provisioning sequences via SIP web services

Example of a script for running a provisioning job via a PowerShell script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
$urlGenToken = "https://[URL_serveur_SID]:44350/connect/token"
$BodyJsonPostToken = "grant_type=password&client_id=sip&client_secret=sip&username=[login_cpt]&password=[mot_de_passe_compte]"
$MonHeader = @{
        "Content-Type" = "application/x-www-form-urlencoded"
        "accept" = "Application/Json"
        "Host" = "[URL_serveur_SID]:44350"
    }

$MonHeaderReq = @{
        "Content-Type" = "application/x-www-form-urlencoded"
        "accept" = "Application/Json"
        "Host" = "[URL_serveur_SID]:44350"
        "Authorization" = "Bearer $($token_gen)" 
    }

try {

    $result = Invoke-RestMethod -Uri $urlGenToken -Method Post -Headers $MonHeader -Body $BodyJsonPostToken 
    $token_gen = $result.access_token
    #ajouter logs
}
catch {
    $token_gen = ""
    #ajouter logs
}

if ($token_gen -ne "")
{
    $job_code = [code_du_job_à_exécuter]
    $MonHeaderReq = @{
        "Content-Type" = "application/x-www-form-urlencoded"
        "accept" = "Application/Json"
        "Host" = "sid.iam-test.ght49.intra:44355"
        "Authorization" = "Bearer $($token_gen)"
    }
    $urlExecutionJob="https://sid.iam-test.ght49.intra:44355/scim/v2/job/run/$job_code"

    try {
        $res = Invoke-RestMethod -Uri $urlExecutionJob -Method Post -Headers $MonHeaderReq  
        #ajouter logs
    }
    catch {
        #ajouter logs et traitement
    }
}

Similarly, to restart a provisioning job that has been stopped due to an import threshold using a PowerShell script, you need to retrieve the job instance ID by calling the /scim/v2/job-instance/ route (GET method).

For more information, see the Swagger documentation: https://[SIP_Server_URL]:44355/swagger/

Running the new upstream feed connector (from 7.0 SP3)

From version 7.0 SP3 onwards, it is possible to assign roles and/or permissions to identities via a new upstream feed connector.

Identities – Roles and Identities/Roles – Authorizations links created and/or deleted from an authoritative source are managed by a new type of link in the database. Thus, exporting Identities – Roles and Identities/Roles – Authorizations links from the Identity repository will only return roles and authorizations assigned by SIP.

To configure an Identities - Roles link connector, you must create at least:

  • An export from an authoritative source that must contain the following information:
  • Identity UID (required)
    • Role code to be assigned (required) – single value.
    • Role start date (optional)
    • Role end date (optional)
  • An export of the Identity repository of type PERSON_ROLES in which you must specify the types of persons and the codes of the repositories for which you want to create identity-role links.
  • A synchronization rule to define the Matching, Creation, Modification, and Deletion operations
    • In the Matching rule, compare the identity uid and the role code
    • In the creation rule, it is mandatory to specify the identity uid and the role code. The start and end dates are optional
    • In the modification rule, it is mandatory to specify the ID of the person-role link, retrieved from the Identity repository export. Only the dates can be modified
    • In the deletion rule, it is mandatory to specify the ID of the person-role link, retrieved from the Identity repository export.
    • Syntax of Identity codes to be used in synchronization rules:
      • person = UID of the identity
      • role = role code
      • startdate = start date of the role
      • enddate = end date of the role
      • id = ID of the identity-role link (id field in the sid.PersonRoles table)
  • An import into the Identity repository of type PERSON_ROLES. You can check the option to disable on-the-fly account calculation in order to manage import time in the event of large volumes. If the option has been enabled, you must perform an ACCOUNTCALC import to recalculate the accounts in the affected repository.
  • An export from an authoritative source that must contain the following information:
    • Identity UID (required)
    • Role code (required) – single value.
    • Authorization code to assign to the identity/role link (required) – single value
    • Authorization start date (optional)
    • Authorization end date (optional)

Attention

Le lien Identités/Rôles doit préalablement exister pour un bon fonctionnement du connecteur de lien Identité/Rôle – Habilitations

  • An export of the Identity repository of type PERSON_RIGHTS in which you must specify the types of persons and the codes of the repositories for which you want to create identity/role-authorization links.
  • A synchronization rule to define the Matching, Creation, Modification, and Deletion operations
    • In the Matching rule, compare the identity uid, role code, and authorization code.
    • In the creation rule, it is mandatory to specify the identity uid, role code, and authorization code. The start and end dates are optional
    • In the modification rule, it is mandatory to specify the ID of the person/role - authorization link, retrieved from the Identity repository export. Only dates can be modified.
    • In the deletion rule, it is mandatory to specify the ID of the person/role - authorization link, retrieved from the Identity repository export.
    • Syntax of Identity codes to be used in synchronization rules:
    • person = UID of the identity
      • role = role code
      • right = authorization code
      • startdate = authorization start date
      • enddate = authorization end date
    • id = identity-role-right link ID (id field in the sid.PersonRights table)
  • An import into the Identity repository of type PERSON_RIGHTS. You can check the option to disable on-the-fly account calculation in order to manage import time in the event of large volumes. If the option has been enabled, you must perform an ACCOUNTCALC import to recalculate the accounts in the affected repository.