Integration Guide

This guide is designed to help you quickly implement the business logic that lies at the heart of RAC/M Identity’s automated processing. This business logic is what makes it possible to build and maintain the identity and access repository, integrate authoritative sources, target systems including accounts and groups, represent the organizational structure, and manage the metadata that supports IGA processes.

In addition, this business logic enables every automated process, including:

  • importing and reconciling identity sources and target systems
  • correlating and matching identities to people and accounts to identities
  • executing approval and provisioning flows
  • continuously analyzing the repository to detect and report anomalies and risk situations
  • sending email alerts and notifications
  • executing arbitrary processing when trigger events are detected

Quick Start – Sequence Templates

To accelerate the integration phase and deployment of the solution, predefined templates are provided. They contain the complete business logic required to support end-to-end IGA processes such as lifecycle management of identities and access.

These sequence templates are built from blocks and modules organized according to a strict composition order and naming convention. This convention clarifies the nature of the processing performed in each block and guides the configuration or customization work required to adapt the business logic to your environment.

With that in mind, the sequence templates include every processing step that may be necessary to cover all potential scenarios. In practice, many of these processing steps—represented by blocks and modules—may not be required and can be disabled and re-enabled as needed.

Important

It is generally best to proceed in stages: start by integrating identity sources and AD or Entra ID directories, and gradually build the repository. Advanced automated provisioning capabilities can be turned on progressively as the project evolves and process maturity increases.

Note

The following instructions assume that you are signed in to the RAC/M Identity management console with an administrator account that has sufficient privileges.

Create a Sequence from a Template

Follow these steps to create a new sequence from a template.

  1. Retrieve the sequence templates from your support community on the S-Filer server under RACM-Distribution-SaaS / Nouveau Gabarit de séquence.

  2. Open the .dat file corresponding to the template you want to use in a text editor. Edit the sequence name between the <name> and </name> tags and replace it with the name of your choice:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <sequence>
        <name>1-Sequence - Complete (template)</name>
    
  3. Save the file.

  4. Import it into CONFIGURATION > Sequences.

The sequence is now available. You must configure it to adapt the business logic to your technical and organizational context.

Configure a Sequence from a Template

To simplify the development and maintenance of the business logic, we strongly recommend adopting a structured naming convention. The templates offer such a convention: numbered blocks executed in numerical order, each dedicated to a specific type of processing.

This structure is commonly used among clients, and adopting it will help you reach value quickly.

To understand the blocks and modules included in the templates, refer to the Template Block Descriptions and Template Module Descriptions sections.

To tailor the business logic to your technology stack and target IGA processes, configure the blocks and modules included in the newly created sequence. Remove or disable any unused modules and blocks, and add your own custom modules to the appropriate blocks if needed.

Tip

You can use the one-click integration features to generate preconfigured sequences, blocks, and modules that you can incorporate into the sequences derived from the templates.

Configure a Complete Sequence

The Séquence - Complète template contains all blocks and processing modules that may be required to execute the full data processing pipeline. In practice, many of these blocks and modules may not be necessary and can be removed, disabled, or re-enabled as needed.

The proposed block naming and execution order reflects the general structure of the business logic and the recommended processing order as a starting point.

For example, the complete sequence can be scheduled to run daily at a specific time—typically before business hours, e.g., 3:00 AM—when network traffic and system activity are lower.

It is common to run this sequence on a predetermined schedule to reduce the delay between requests and access creation. For example, you could execute the sequence every four hours.

Because the complete sequence can take several minutes to run—depending on processing volume and complexity—it may be useful to split it into smaller specialized sequences that handle part of the workload and run more frequently if needed.

Advanced usage

The flexibility offered by RAC/M Identity makes it possible to optimize automated processing and deploy virtually unlimited custom functionality through simple configuration of modules, blocks, and sequences. Processing steps can be added, rearranged, or executed in a different order than the one suggested by the quick-start templates.

Tip

Disable unused blocks and modules rather than deleting them. That way, you can always refer back to the examples included in the template to identify where specific processing blocks and modules belong—very handy when fine-tuning the business logic.

To learn more about the blocks and modules that make up the templates, refer to the Template Block Descriptions and Template Module Descriptions sections.

Configure Specialized Sequences

This section explains how to build specialized sequences starting from the complete sequence template to implement specific capabilities. For example, you can create sequences that only import identities or accounts, allowing you to split processing or progressively build the repository.

These sequences are built by adding blocks from the complete sequence or by removing blocks from it.

Import Identities

From an empty or existing sequence

Follow these steps to create a new sequence that imports identities:

  1. In the management console, go to CONFIGURATION > Sequences and create a new empty sequence or select an existing sequence.
  2. Add blocks 001, 010, 020, 030, 040, 050, 090, 095, 110, 120, 130, 140, 150, 155, and 180.
  3. Save your sequence.
  4. Add your modules to the appropriate blocks if required.

From the template

You can also use an existing sequence to create a new one.

Follow these steps to create a new sequence that imports identities:

  1. In the management console, go to CONFIGURATION > Sequences and export your complete sequence (the one provided by the template).
  2. Edit the exported .dat file to change the sequence name as described above.
  3. Save the file.
  4. Import it into CONFIGURATION > Sequences.
  5. Remove blocks 060, 070, 080, 085, and 100 (you can also remove block 010 if you do not need it).
  6. Save your sequence.
  7. Add your modules to the appropriate blocks if required.

Import Accounts and Groups

From an empty or existing sequence

Follow these steps to create a new sequence that imports accounts and groups:

  1. In the management console, go to CONFIGURATION > Sequences and create a new empty sequence or select an existing sequence.
  2. Add blocks 001, 010, 060, 070, 080, 085, 100, 110, 120, 130, 150, 155, and 180.
  3. Save your sequence.
  4. Add your modules to the appropriate blocks if required.

From the template

An existing sequence can also be used to create a new one.

Follow these steps to create a new sequence that imports accounts:

  1. In the management console, go to CONFIGURATION > Sequences and export your complete sequence (the one provided by the template).
  2. Edit the exported .dat file to change the sequence name as described above.
  3. Save the file.
  4. Import it into CONFIGURATION > Sequences.
  5. Remove blocks 020, 030, 040, 050, 090, 095, and 140 (you can also remove block 010 if you do not need it).
  6. Save your sequence.
  7. Add your custom modules to the appropriate blocks if required.

Template Block Descriptions

Block | Description
001-Effaçage de la table Import | The modules in this block clear the import tables and rebuild the index.
010-Formatage des fichiers | The modules in this block format CSV or XLSX files. This block is optional.
020-Importation des identités des ressources humaines | The collectors in this block import and manipulate identities from HR systems such as SAP HR, EmployeeCentral, Workday, or PeopleSoft.
030-Importation d'identités en provenance d'autres sources | The collectors in this block import identities from non-HR systems (e.g., Active Directory, LDAP, or a database). These identities are not managed by HR. This block is optional.
040-Importations reliées aux attributs des Identités | The modules in this block import information such as status, position, title, and organization for identities coming from HR and other sources. This block is optional.
050-Importation de l'organisation | The modules in this block import the organization structure. This block is optional.
060-Importations des comptes applicatifs | The modules in this block import accounts from every system connected via an ICF connector or from flat CSV/XLSX files.
070-Manipulation des comptes applicatifs | The modules in this block manipulate the accounts stored in the import tables before they are copied into the target tables. This block is optional.
080-Importation des groupes | The modules in this block import groups from every system connected via an ICF connector or from flat CSV/XLSX files.
085-Modification des groupes | The modules in this block modify group-related information.
090-Copier les identités | The modules in this block copy identity information from authoritative sources and perform the necessary transformations on that information.
095-Copier des informations supplémentaires aux identités | The modules in this block copy identity metadata such as status, employment type, and work location.
100-Copier les comptes applicatifs | The modules in this block copy account and group information from various sources (ICF and flat files) and perform the required transformations.
110-Premier bloc de corrélation | The modules in this block contain the first correlation rules between identities and accounts.
120-Bloc de normalisation | The modules in this block normalize identities and accounts to facilitate manual correlation.
130-Bloc d'homonymisassions | The modules in this block classify accounts or identities that have homonyms.
140-Gestion des personnes | The modules in this block create people records based on identities that have already been created.
150-Deuxième bloc de corrélation | The modules in this block perform additional correlation between identities and accounts. This block is optional.
155-Modifications après corrélation (Actifs logiques) | The modules in this block handle updates that must be performed after accounts are successfully correlated with identities.
155-Modifications après corrélation (Active Directory) | The modules in this block handle updates that must be performed after accounts are successfully correlated with identities for the Active Directory application.
180-Supprimer les objets qui ne sont plus mis à jour | The modules in this block disable or delete objects that have not been updated for a certain period.

Template Module Descriptions

Important

If you need to modify a module that belongs to the complete-sequence template, rename it and use the copy so it is not overwritten during a system upgrade.

Block | Module | Description
001-Effaçage de la table d'import | Effacer les tables d'import | This module clears the import tables before new data is loaded.
001-Effaçage de la table d'import | Reconstruction de l'index | This module rebuilds the database index. CAUTION: always place it at the end of the block.
010-Formatage des fichiers | Fractionner sur une autre ligne | Split the input across multiple lines. This is an example formatter. If you need to import flat files that are not already in CSV format, you can add the formatters you configured to convert those files to CSV.
040-Importations reliées aux attributs des identités | Importation des titres d'emploi d'identités | This module populates the JOBS table with job titles associated with identities imported from HR systems.
040-Importations reliées aux attributs des identités | Importation du type d'emploi des identités | This module populates the EMPLOYMENT_TYPE table with employment types associated with identities imported from HR systems.
040-Importations reliées aux attributs des identités | Importation du statut d'identité | This module populates the EMPLOYMENT_STATUS table with employment statuses associated with identities imported from HR systems.
040-Importations reliées aux attributs des identités | Importation du lieu de travail des identités | This module populates the WORK_LOCATION table with work locations associated with identities imported from HR systems.
050-Importation de l'organisation | Importation de la structure (Entreprise) | This CSV collector imports the Enterprise level of the organizational structure into the STRUCTURAL_IMPORT table from a CSV file. Adapt this module to import your company structure.
050-Importation de l'organisation | Importation de la structure (Organisation) | This CSV collector imports the Organization level of the structure into the STRUCTURAL_IMPORT table from a CSV file. Adapt this module to import your company structure.
050-Importation de l'organisation | Importation de la structure (centre de coût) | This CSV collector imports the Cost Center level of the structure into the STRUCTURAL_IMPORT table from a CSV file. Adapt this module to import your company structure.
050-Importation de l'organisation | Copie de la structure | Copies the STRUCTURAL_IMPORT table to STRUCTURAL.
050-Importation de l'organisation | Copie la hiérarchie de la structure | Copies the STRUCTURAL_IMPORT table to HIERARCHY.
095-Copier des informations supplémentaires aux identités | Importation du statut d'identité | This module populates the EMPLOYMENT_STATUS table with employment statuses associated with identities imported from HR systems.
095-Copier des informations supplémentaires aux identités | Importation du type d'emploi des identités | This module populates the EMPLOYMENT_TYPE table with employment types associated with identities imported from HR systems.
095-Copier des informations supplémentaires aux identités | Importation du lieu de travail des identités | This module populates the WORK_LOCATION table with work locations associated with identities imported from HR systems.
095-Copier des informations supplémentaires aux identités | Construction du gestionnaire | This module populates the HR_SUPERVISOR_EMPLOYEE_ID or SUPERVISOR_ID field in the IDENTIFICATION table.
095-Copier des informations supplémentaires aux identités | Construction du certificateur | This module populates the HR_REVIEWER_ID or REVIEWER_ID field in the IDENTIFICATION table.
100-Copier les comptes applicatifs | Copier les statuts des comptes | Populates the STATUS table with account statuses imported from target systems.
100-Copier les comptes applicatifs | Mise à jour des statuts Active Directory | This module updates the description of statuses coming from AD.
100-Copier les comptes applicatifs | Création des regroupements d'actif | Populates the APPLICATION_GROUP table with asset groupings imported into APPLICATION_ACCOUNT_IMPORT.
100-Copier les comptes applicatifs | Création des actifs | Populates the APPLICATION table with application records imported into APPLICATION_ACCOUNT_IMPORT.
100-Copier les comptes applicatifs | Copier les comptes applicatifs | Populates the APPLICATION_ACCOUNT table with account data imported from target systems into APPLICATION_ACCOUNT_IMPORT.
100-Copier les comptes applicatifs | Modifie les noms DN en AccountName - AD | Converts the DN of AD group members to AccountName in the PROFILE_IMPORT table.
100-Copier les comptes applicatifs | Modifie les noms DN du groupe en DisplayName | Converts group DNs into readable names in the PROFILE_IMPORT table.
100-Copier les comptes applicatifs | Copier les groupes | Copies groups and permissions from PROFILE_IMPORT to PROFILE.
100-Copier les comptes applicatifs | Copier le lien entre l'utilisateur et ses groupes | Copies the association between a user and their groups from PROFILE_IMPORT to APPLICATION_PROFILE.
100-Copier les comptes applicatifs | Hiérarchisation des groupes | Builds group nesting in the PROFILE_HIERARCHY table using data from PROFILE_HIERARCHY_IMPORT.
110-Premier bloc de corrélation | Corrélation par numéro d'employé | Correlates identities and accounts based on the employee number.
110-Premier bloc de corrélation | Corrélation par adresse de courriel | Correlates identities and accounts based on email address.
110-Premier bloc de corrélation | Corrélation basée sur le champ IDENTIFIER1 | Correlates identities and accounts based on the unique value stored in the IDENTIFIER1 field. This value must have been populated by a prior process, such as import.
120-Bloc de normalisation | Normalisation des identités | Normalizes identities by restricting the character set and removing spaces and punctuation. It also creates permutations for up to four name particles to strengthen correlation accuracy.
120-Bloc de normalisation | Normalisation des comptes | Normalizes accounts by restricting the character set and removing spaces and punctuation. It also creates permutations for up to four name particles to strengthen correlation accuracy.
130-Bloc d'homonymisassions | Homonyme des identités basé sur le nom complet | Detects and flags identities that have full-name duplicates.
130-Bloc d'homonymisassions | Homonyme des comptes basé sur le nom complet | Detects and flags accounts that have name duplicates.
130-Bloc d'homonymisassions | Homonyme des identités basé sur l'identité normalisée | Detects and flags identities that have duplicates based on the normalized identity.
130-Bloc d'homonymisassions | Homonyme des identités basé sur le compte normalisé | Detects and flags accounts that have duplicates based on the normalized account name.
140-Gestion des personnes | Création des personnes | Creates records in the PERSON table based on identities stored in IDENTIFICATION. It creates people based on identity-source data when no matching person exists. The information can be augmented with other sources to complete the representation of people associated with identities.
155-Modifications après corrélation (Actifs logiques) | Actif logique Active Directory Priv | Manages the Active Directory Priv logical asset within the Active Directory application.
155-Modifications après corrélation (Actifs logiques) | Mise à jour des actifs logiques | Uses the ModuleLogicalIntegrity primitive. Run it after base applications (e.g., Active Directory) are updated to keep logical applications in sync. It relies on logical access configuration and Active Directory data.
155-Modifications après corrélation (Actifs logiques) | Intégrité des profils | Run this module in the same block as Mise à jour des actifs logiques to maintain logical application integrity.
155-Modifications après corrélation (Active Directory) | Suppression attribut étendu compte (AD Domain Admins) | Removes extended attributes from AD accounts to maintain correct account values. (OPTIONAL – Disabled)
155-Modifications après corrélation (Active Directory) | Attribut étendu comptes (AD Domain Admins) | Adds an extended attribute to AD accounts to facilitate campaigns involving accounts in the Domain Admins group. (OPTIONAL – Disabled)
180-Supprimer les objets qui ne sont plus mis à jour | Effacer les groupes | Maintains group integrity by removing obsolete groups.
180-Supprimer les objets qui ne sont plus mis à jour | Efface les utilisateurs qui n'ont pas été mis à jour | Removes users that were not updated during the last run.

Utility Sequences and modules

This section is aimed at RAC/M Identity operators and administrators.

It documents sequences and modules that can be used to perform targeted analysis and processing of the repository. These sequences can be run manually when needed or scheduled to run automatically on a regular basis. Modules can be executed directly from the management console or added to blocks and sequences.

This section also proposes a naming convention you can reuse when creating your own extractors or modules. The convention makes it easier for stakeholders to understand the importance and potential impact of a module or data extractor.

The proposed convention uses levels to name extractors and modules according to their potential impact on the repository:

  • L1: Read operations or email sending with no impact on the repository.
    Applies to extractors and email-sending modules only.

  • L2: Data writes with minor potential impact on the repository.
    Applies to write modules, e.g., ModuleUpdateNumStoreProc.

  • L3: Data writes with significant potential impact on the repository.
    Applies to write modules, e.g., ModuleUpdateNumStoreProc.

  • L4: Complex SQL commands with major potential impact on the repository.
    Applies to write modules, e.g., ModuleUpdateNumStoreProc.

The "L" level should reflect the potential impact that running the module could have on the repository databases.

Naming convention

Below is the naming convention used for the utility sequences and blocks provided by OKIOK. It clearly identifies the potential impact of the components and distinguishes them from the sequences and blocks used to implement business logic and automated processes.

Sequences and blocks are prefixed with "-- GIA Level---".

Example:

Sequence name | Block name
--GIA L1-- Suivi des délégués | --GIA L1-- Suivi des délégués

You can insert your own modules to perform specific analysis or processing in the relevant blocks.
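
One way to check a module inventory against this convention, as an added example that is not part of OKIOK's documentation or tooling: it verifies the prefix form and that the declared level agrees with the module's primitive (L1 for extractors and email modules, L2 to L4 for write modules). The function names, the read/write grouping of the primitives and the sample inventory are assumptions made for illustration; the last three inventory entries are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Prefix form used by the names on this page, e.g. "--GIA L2-- Renommer ...".
PREFIX = re.compile(r"^--GIA L([1-4])--\s*\S")

# Primitives named on this page, grouped by what the page says they do
# (this grouping is an assumption of the example, not a product setting).
READ_ONLY_PRIMITIVES = {"ModuleExtractSQL", "ModuleSendEmailFolder"}
WRITE_PRIMITIVES = {"ModuleUpdateNumStoreProc"}


@dataclass(frozen=True)
class Finding:
    name: str
    problem: str


def check_module(name: str, primitive: str) -> list[Finding]:
    """Return the convention violations for one module (empty list = compliant)."""
    match = PREFIX.match(name)
    if match is None:
        return [Finding(name, "missing or malformed '--GIA L<1-4>--' prefix")]
    level = int(match.group(1))
    if primitive in WRITE_PRIMITIVES:
        # A write module labelled L1 understates its impact on the repository.
        if level == 1:
            return [Finding(name, "write primitive labelled L1; L1 is read/email only")]
    elif primitive in READ_ONLY_PRIMITIVES:
        # Extractors and email modules belong to L1 only.
        if level != 1:
            return [Finding(name, f"read-only primitive labelled L{level}; expected L1")]
    else:
        # Unknown primitives must be classified before a level can be trusted.
        return [Finding(name, f"primitive {primitive!r} not classified as read or write")]
    return []


def lint(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Check every (module name, primitive) pair and collect all findings."""
    findings: list[Finding] = []
    for name, primitive in inventory:
        findings.extend(check_module(name, primitive))
    return findings


# Module names and primitives from the utility tables on this page,
# followed by three constructed entries that break the convention.
SAMPLE_INVENTORY = [
    ("--GIA L1-- Délégué (Lecture)", "ModuleExtractSQL"),
    ("--GIA L1-- Délégué (Courriel)", "ModuleSendEmailFolder"),
    ("--GIA L2-- Renommer une campagne existante (Écriture)", "ModuleUpdateNumStoreProc"),
    ("--GIA L3-- Suppression de campagne (Écriture avec impact)", "ModuleUpdateNumStoreProc"),
    ("--GIA L1-- Purge stale accounts (constructed)", "ModuleUpdateNumStoreProc"),
    ("--GIA L2- Export audit trail (constructed)", "ModuleExtractSQL"),
    ("Nightly cleanup (constructed)", "ModuleUpdateNumStoreProc"),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_INVENTORY):
        print(f"{finding.name!r}: {finding.problem}")
```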

Note

OKIOK periodically releases new utility sequences, blocks, and modules. Contact OKIOK Support to obtain the list of available utilities and the most recent versions.

Description of sequences and modules

Item | Description
--GIA L1-- Suivi des délégués | Sequence that generates a report on delegates and emails it.
--GIA L2-- Renommer une campagne existante | Module that renames an access review campaign (Write).
--GIA L3-- Suppression de campagne | Module that deletes an access review campaign (Write with impact).

Description of the --GIA L1- Suivi des délégués Sequence

Block | Module | Description | Primitive
--GIA L1- Suivi des délégués | --GIA L1-- Délégué (Lecture) | This extractor recovers delegation groups, their owners, and their delegates along with the statuses associated with owners and delegates. | ModuleExtractSQL
--GIA L1- Suivi des délégués | --GIA L1-- Délégué (Courriel) | This module emails the delegate report generated by the sequence. | ModuleSendEmailFolder

Description of utility modules

Important

If you need to modify a module that is part of the sequence template, rename it and use the renamed copy so it is not overwritten during a system upgrade.

Module | Description | Primitive
--GIA L2-- Renommer une campagne existante (Écriture) | GIA Level 2: Rename any access review campaign from its current name to a new name. | ModuleUpdateNumStoreProc
--GIA L3-- Suppression de campagne (Écriture avec impact) | GIA Level 3: Delete an access review campaign by campaign name. Warning: do not delete a campaign that is completed or has already been finalized by certifiers. | ModuleUpdateNumStoreProc

Important

Configuration required before using the module: --GIA L2--Renommer une campagne existante (Écriture)

Edit the module, locate @CURRENT_NAME = and @NEW_NAME =, then update the values with the existing and new campaign names of your choice (single quotes are mandatory):

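  -- Set the existing and the new campaign names (keep the single quotes).
  DECLARE @CURRENT_NAME AS VARCHAR(255);
  DECLARE @NEW_NAME AS VARCHAR(255);
  SET @CURRENT_NAME = 'Current campaign name';
  SET @NEW_NAME = 'New campaign name';
  -- Rename every campaign whose name matches @CURRENT_NAME.
  UPDATE rev_campaign
  SET campaign_name = @NEW_NAME
  FROM rev_campaign
  WHERE campaign_name = @CURRENT_NAME;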

Important

Configuration required before using the module: --GIA L3--Suppression de campagne (Écriture avec impact)

Edit the module, find CAMPAIGN_NAME =, and replace the value with the name of the campaign you want to delete (single quotes are mandatory):

  SET @CAMPAIGN_ID = (
  SELECT CAMPAIGN_ID
  FROM REV_CAMPAIGN
  WHERE CAMPAIGN_NAME = '[Name of the campaign to delete]'
  );

Sequence templates and utility modules are available on S-Filer in your support community.