Integration guide

This guide is designed to help you quickly implement the business logic that lies at the heart of RAC/M Identity’s automated processing. This business logic is what makes it possible to build and maintain the identity and access repository, integrate authoritative sources, target systems including accounts and groups, represent the organizational structure, and manage the metadata that supports IGA processes.

In addition, this business logic enables every automated process, including:

  • importing and reconciling identity sources and target systems
  • consolidating, harmonizing, and ensuring attribute integrity across multiple identity sources and target systems
  • correlating and matching identities to people and accounts to identities
  • executing approval and provisioning flows
  • continuously analyzing the repository to detect and report anomalies and risk situations
  • sending email alerts and notifications
  • executing arbitrary processing when trigger events are detected

Quick start, sequence templates

To accelerate the integration phase and deployment of the solution, predefined templates are provided. They contain the complete business logic required to support end-to-end IGA processes such as lifecycle management of identities and access.

These sequence templates are built from blocks and modules organized according to a strict composition order and naming convention. This convention clarifies the nature of the processing performed in each block and guides the configuration or customization work required to adapt the business logic to your environment.

With that in mind, the sequence templates include every processing step that may be necessary to cover all potential scenarios. In practice, many of these processing steps, represented by blocks and modules, may not be required and can be disabled and re-enabled as needed.

Important

It is generally best to proceed in stages: start by integrating identity sources and AD or ENTRA ID directories, and gradually build the repository. Advanced automated provisioning capabilities can be turned on progressively as the project evolves and process maturity increases.

Note

The following instructions assume that you are signed in to the RAC/M Identity management console with an administrator account that has sufficient privileges.

Create a sequence from a template

Follow these steps to create a new sequence from a template.

  1. Retrieve the sequence templates from your support community on the S-Filer server under RACM-Distribution-SaaS / Nouveau Gabarit de séquence.

  2. Open the .dat file corresponding to the template you want to use in a text editor. Edit the sequence name between the <name> and </name> tags and replace it with the name of your choice:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <sequence>
        <name>1-Sequence - Complete (template)</name>
    
  3. Save the file.

  4. Import it into CONFIGURATION > Sequences.

The sequence is now available. You must configure it to adapt the business logic to your technical and organizational context.

Configure a sequence from a template

To simplify the development and maintenance of the business logic, we strongly recommend adopting a structured naming convention. The templates offer such a convention: numbered blocks executed in numerical order, each dedicated to a specific type of processing.

This structure is commonly used among clients, and adopting it will help you reach value quickly.

To understand the blocks and modules included in the templates, refer to the following sections:

To tailor the business logic to your technology stack and target IGA processes, configure the blocks and modules included in the newly created sequence. Remove or disable any unused modules and blocks, and add your own custom modules to the appropriate blocks if needed.

Tip

You can use the one-click integration features to generate preconfigured sequences, blocks, and modules that you can incorporate into the sequences derived from the templates.

Configure a complete sequence

The Séquence - Complète template contains all blocks and processing modules that may be required to execute the full data processing pipeline. In practice, many of these blocks and modules may not be necessary and can be removed, disabled, or re-enabled as needed.

The proposed block naming and execution order reflects the general structure of the business logic and the recommended processing order as a starting point.

For example, the complete sequence can be scheduled to run daily at a specific time, typically before business hours, e.g., 3:00 AM, when network traffic and system activity are lower.

It is common to run this sequence on a predetermined schedule to reduce the delay between requests and access creation. For example, you could execute the sequence every four hours.

Because the complete sequence can take several minutes to run, depending on processing volume and complexity, it may be useful to split it into smaller specialized sequences that handle part of the workload and run more frequently if needed.

Advanced usage

The flexibility offered by RAC/M Identity makes it possible to optimize automated processing and deploy virtually unlimited custom functionality through simple configuration of modules, blocks, and sequences. Processing steps can be added, rearranged, or executed in a different order than the one suggested by the quick-start templates.

Tip

Disable unused blocks and modules rather than deleting them. That way, you can always refer back to the examples included in the template to identify where specific processing blocks and modules belong, which is handy when fine-tuning the business logic.

To learn more about the blocks and modules that make up the templates, refer to the following sections:

Configure specialized sequences

This section explains how to build specialized sequences starting from the complete sequence template to implement specific capabilities. For example, you can create sequences that only import identities or accounts, allowing you to split processing or progressively build the repository.

These sequences are built by adding blocks from the complete sequence or by removing blocks from it.

Import identities

From an empty or existing sequence

Follow these steps to create a new sequence that imports identities:

  1. In the management console, go to CONFIGURATION > Sequences and create a new empty sequence or select an existing sequence.
  2. Add blocks 001, 010, 020, 030, 040, 050, 090, 095, 110, 120, 130, 140, 150, 155, and 180.
  3. Save your sequence.
  4. Add your modules to the appropriate blocks if required.

From the template

You can also use an existing sequence to create a new one.

Follow these steps to create a new sequence that imports identities:

  1. In the management console, go to CONFIGURATION > Sequences and export your complete sequence (the one provided by the template).
  2. Edit the exported .dat file to change the sequence name as described above.
  3. Save the file.
  4. Import it into CONFIGURATION > Sequences.
  5. Remove blocks 060, 070, 080, 085, and 100 (you can also remove block 010 if you do not need it).
  6. Save your sequence.
  7. Add your modules to the appropriate blocks if required.

Import accounts and groups

From an empty or existing sequence

Follow these steps to create a new sequence that imports accounts and groups:

  1. In the management console, go to CONFIGURATION > Sequences and create a new empty sequence or select an existing sequence.
  2. Add blocks 001, 010, 060, 070, 080, 085, 100, 110, 120, 130, 150, 155, and 180.
  3. Save your sequence.
  4. Add your modules to the appropriate blocks if required.

From the template

An existing sequence can also be used to create a new one.

Follow these steps to create a new sequence that imports accounts:

  1. In the management console, go to CONFIGURATION > Sequences and export your complete sequence (the one provided by the template).
  2. Edit the exported .dat file to change the sequence name as described above.
  3. Save the file.
  4. Import it into CONFIGURATION > Sequences.
  5. Remove blocks 020, 030, 040, 050, 090, 095, and 140 (you can also remove block 010 if you do not need it).
  6. Save your sequence.
  7. Add your custom modules to the appropriate blocks if required.

Description of template blocks

Blocks | Description
001-Clear import tables | The modules in this block clear the import tables and rebuild the index.
010-File formatting | The modules in this block format CSV or XLSX files. This block is optional.
020-HR identity import | The collectors in this block import and manipulate identities from HR systems such as SAP HR, EmployeeCentral, Workday, or PeopleSoft.
030-Identity import from other sources | The collectors in this block import identities from non-HR systems (e.g., Active Directory, LDAP, or a database). These identities are not managed by HR. This block is optional.
040-Imports related to identity attributes | The modules in this block import information such as status, position, title, and organization for identities coming from HR and other sources. This block is optional.
050-Organization import | The modules in this block import the organization structure. This block is optional.
060-Application account imports | The modules in this block import accounts from every system connected via an ICF connector or from flat CSV/XLSX files.
070-Application account manipulation | The modules in this block manipulate the accounts stored in the import tables before they are copied into the target tables. This block is optional.
080-Group import | The modules in this block import groups from every system connected via an ICF connector or from flat CSV/XLSX files.
085-Group modification | The modules in this block modify group-related information.
090-Copy identities | The modules in this block copy identity information from authoritative sources and perform the necessary transformations on that information.
095-Copy additional information to identities | The modules in this block copy identity metadata such as status, employment type, and work location.
100-Copy application accounts | The modules in this block copy account and group information from various sources (ICF and flat files) and perform the required transformations.
110-First correlation block | The modules in this block contain the first correlation rules between identities and accounts.
120-Normalization block | The modules in this block normalize identities and accounts to facilitate manual correlation.
130-Homonymization block | The modules in this block classify accounts or identities that have homonyms.
140-People management | The modules in this block create people records based on identities that have already been created.
150-Second correlation block | The modules in this block perform additional correlation between identities and accounts. This block is optional.
155-Post-correlation changes (logical assets) | The modules in this block handle updates that must be performed after accounts are successfully correlated with identities.
155-Post-correlation changes (Active Directory) | The modules in this block handle updates that must be performed after accounts are successfully correlated with identities for the Active Directory application.
180-Remove objects that are no longer updated | The modules in this block disable or delete objects that have not been updated for a certain period.

Description of template modules

Important

If you need to modify a module that belongs to the complete-sequence template, rename it and use the copy so it is not overwritten during a system upgrade.

Block | Module | Description
001-Clear import tables | Clear import tables | This module clears the import tables before new data is loaded.
001-Clear import tables | Rebuild index | This module rebuilds the database index. CAUTION: always place it at the end of the block.
010-File formatting | Split onto another line | Split the input across multiple lines. This is an example formatter. If you need to import flat files that are not already in CSV format, you can add the formatters you configured to convert those files to CSV.
040-Imports related to identity attributes | Import identity job titles | This module populates the JOBS table with job titles associated with identities imported from HR systems.
040-Imports related to identity attributes | Import identity employment types | This module populates the EMPLOYMENT_TYPE table with employment types associated with identities imported from HR systems.
040-Imports related to identity attributes | Import identity status | This module populates the EMPLOYMENT_STATUS table with employment statuses associated with identities imported from HR systems.
040-Imports related to identity attributes | Import identity work locations | This module populates the WORK_LOCATION table with work locations associated with identities imported from HR systems.
050-Organization import | Import structure (Enterprise) | This CSV collector imports the Enterprise level of the organizational structure into the STRUCTURAL_IMPORT table from a CSV file. Adapt this module to import your company structure.
050-Organization import | Import structure (Organization) | This CSV collector imports the Organization level of the structure into the STRUCTURAL_IMPORT table from a CSV file. Adapt this module to import your company structure.
050-Organization import | Import structure (Cost center) | This CSV collector imports the Cost Center level of the structure into the STRUCTURAL_IMPORT table from a CSV file. Adapt this module to import your company structure.
050-Organization import | Copy structure | Copies the STRUCTURAL_IMPORT table to STRUCTURAL.
050-Organization import | Copy structure hierarchy | Copies the STRUCTURAL_IMPORT table to HIERARCHY.
095-Copy additional information to identities | Import identity status | This module populates the EMPLOYMENT_STATUS table with employment statuses associated with identities imported from HR systems.
095-Copy additional information to identities | Import identity employment types | This module populates the EMPLOYMENT_TYPE table with employment types associated with identities imported from HR systems.
095-Copy additional information to identities | Import identity work locations | This module populates the WORK_LOCATION table with work locations associated with identities imported from HR systems.
095-Copy additional information to identities | Build supervisor | This module populates the HR_SUPERVISOR_EMPLOYEE_ID or SUPERVISOR_ID field in the IDENTIFICATION table.
095-Copy additional information to identities | Build reviewer | This module populates the HR_REVIEWER_ID or REVIEWER_ID field in the IDENTIFICATION table.
100-Copy application accounts | Copy account statuses | Populates the STATUS table with account statuses imported from target systems.
100-Copy application accounts | Update Active Directory statuses | This module updates the description of statuses coming from AD.
100-Copy application accounts | Create asset groupings | Populates the APPLICATION_GROUP table with asset groupings imported into APPLICATION_ACCOUNT_IMPORT.
100-Copy application accounts | Create assets | Populates the APPLICATION table with application records imported into APPLICATION_ACCOUNT_IMPORT.
100-Copy application accounts | Copy application accounts | Populates the APPLICATION_ACCOUNT table with account data imported from target systems into APPLICATION_ACCOUNT_IMPORT.
100-Copy application accounts | Convert DN names to AccountName - AD | Converts the DN of AD group members to AccountName in the PROFILE_IMPORT table.
100-Copy application accounts | Convert group DNs to DisplayName | Converts group DNs into readable names in the PROFILE_IMPORT table.
100-Copy application accounts | Copy groups | Copies groups and permissions from PROFILE_IMPORT to PROFILE.
100-Copy application accounts | Copy user–group link | Copies the association between a user and their groups from PROFILE_IMPORT to APPLICATION_PROFILE.
100-Copy application accounts | Group hierarchization | Builds group nesting in the PROFILE_HIERARCHY table using data from PROFILE_HIERARCHY_IMPORT.
110-First correlation block | Correlation by employee number | Correlates identities and accounts based on the employee number.
110-First correlation block | Correlation by email address | Correlates identities and accounts based on email address.
110-First correlation block | Correlation based on IDENTIFIER1 field | Correlates identities and accounts based on the unique value stored in the IDENTIFIER1 field. This value must have been populated by a prior process, such as import.
120-Normalization block | Identity normalization | Normalizes identities by restricting the character set and removing spaces and punctuation. It also creates permutations for up to four name particles to strengthen correlation accuracy.
120-Normalization block | Account normalization | Normalizes accounts by restricting the character set and removing spaces and punctuation. It also creates permutations for up to four name particles to strengthen correlation accuracy.
130-Homonymization block | Identity homonyms (full name) | Detects and flags identities that have full-name duplicates.
130-Homonymization block | Account homonyms (full name) | Detects and flags accounts that have name duplicates.
130-Homonymization block | Identity homonyms (normalized identity) | Detects and flags identities that have duplicates based on the normalized identity.
130-Homonymization block | Account homonyms (normalized account) | Detects and flags accounts that have duplicates based on the normalized account name.
140-People management | Create people | Creates records in the PERSON table based on identities stored in IDENTIFICATION. It creates people based on identity-source data when no matching person exists. The information can be augmented with other sources to complete the representation of people associated with identities.
155-Post-correlation changes (logical assets) | Active Directory Priv logical asset | Manages the Active Directory Priv logical asset within the Active Directory application.
155-Post-correlation changes (logical assets) | Update logical assets | Uses the ModuleLogicalIntegrity primitive. Run it after base applications (e.g., Active Directory) are updated to keep logical applications in sync. It relies on logical access configuration and Active Directory data.
155-Post-correlation changes (logical assets) | Profile integrity | Run this module in the same block as Update logical assets to maintain logical application integrity.
155-Post-correlation changes (Active Directory) | Remove extended account attribute (AD Domain Admins) | Removes extended attributes from AD accounts to maintain correct account values. (OPTIONAL, Disabled)
155-Post-correlation changes (Active Directory) | Extended account attribute (AD Domain Admins) | Adds an extended attribute to AD accounts to facilitate campaigns involving accounts in the Domain Admins group. (OPTIONAL, Disabled)
180-Remove objects that are no longer updated | Clear groups | Maintains group integrity by removing obsolete groups.
180-Remove objects that are no longer updated | Remove users that were not updated | Removes users that were not updated during the last run.

Utility sequences and modules

This section is aimed at RAC/M Identity operators and administrators.

It documents sequences and modules that can be used to perform targeted analysis and processing of the repository. These sequences can be run manually when needed or scheduled to run automatically on a regular basis. Modules can be executed directly from the management console or added to blocks and sequences.

This section also proposes a naming convention you can reuse when creating your own extractors or modules. The convention makes it easier for stakeholders to understand the importance and potential impact of a module or data extractor.

The proposed convention uses levels to name extractors and modules according to their potential impact on the repository:

  • L1: Read operations or email sending with no impact on the repository.
    Applies to extractors and email-sending modules only.

  • L2: Data writes with minor potential impact on the repository.
    Applies to write modules, e.g., ModuleUpdateNumStoreProc.

  • L3: Data writes with significant potential impact on the repository.
    Applies to write modules, e.g., ModuleUpdateNumStoreProc.

  • L4: Complex SQL commands with major potential impact on the repository.
    Applies to write modules, e.g., ModuleUpdateNumStoreProc.

The "L" level should reflect the potential impact that running the module could have on the repository databases.

Naming convention

Below is the naming convention used for the utility sequences and blocks provided by OKIOK. It clearly identifies the potential impact of the components and distinguishes them from the sequences and blocks used to implement business logic and automated processes.

Sequences and blocks are prefixed with "--GIA L<level>--", for example "--GIA L1--".

Example:

Sequence name | Block name
--GIA L1-- Suivi des délégués | --GIA L1-- Suivi des délégués

You can insert your own modules to perform specific analysis or processing in the relevant blocks.

Note

OKIOK periodically releases new utility sequences, blocks, and modules. Contact OKIOK Support to obtain the list of available utilities and the most recent versions.

Description of sequences and modules

Item | Description
--GIA L1-- Suivi des délégués | Sequence that generates a report on delegates and emails it.
--GIA L2-- Renommer une campagne existante | Module that renames an access review campaign (Write).
--GIA L3-- Suppression de campagne | Module that deletes an access review campaign (Write with impact).

Description of the --GIA L1- Suivi des délégués Sequence

Blocks | Modules | Description | Primitive
--GIA L1- Suivi des délégués | --GIA L1-- Délégué (Lecture) | This extractor retrieves delegation groups, their owners, and their delegates along with the statuses associated with owners and delegates. | ModuleExtractSQL
--GIA L1- Suivi des délégués | --GIA L1-- Délégué (Courriel) | This module emails the delegate report generated by the sequence. | ModuleSendEmailFolder

Description of utility modules

Important

If you need to modify a module that is part of the sequence template, rename it and use the renamed copy so it is not overwritten during a system upgrade.

Module | Description | Primitive
--GIA L2-- Renommer une campagne existante (Écriture) | GIA Level 2: Rename any access review campaign from its current name to a new name. | ModuleUpdateNumStoreProc
--GIA L3-- Suppression de campagne (Écriture avec impact) | GIA Level 3: Delete an access review campaign by campaign name. Warning: do not delete a campaign that is completed or has already been finalized by certifiers. | ModuleUpdateNumStoreProc

Important

Configuration required before using the module: --GIA L2--Renommer une campagne existante (Écriture)

Edit the module, locate @CURRENT_NAME = and @NEW_NAME =, then update the values with the existing and new campaign names of your choice (single quotes are mandatory):

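  -- Set the existing and the new campaign name (keep the single quotes).
  DECLARE @CURRENT_NAME AS VARCHAR(255);
  DECLARE @NEW_NAME AS VARCHAR(255);
  SET @CURRENT_NAME = 'Current campaign name';
  SET @NEW_NAME = 'New campaign name';
  -- Renames every campaign whose name equals @CURRENT_NAME.
  UPDATE rev_campaign
  SET campaign_name = @NEW_NAME
  FROM rev_campaign
  WHERE campaign_name = @CURRENT_NAME;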

Important

Configuration required before using the module: --GIA L3--Suppression de campagne (Écriture avec impact)

Edit the module, find CAMPAIGN_NAME =, and replace the value with the name of the campaign you want to delete (single quotes are mandatory):

  -- Excerpt: the module looks up the campaign to delete by its name.
  SET @CAMPAIGN_ID = (
    SELECT CAMPAIGN_ID
    FROM REV_CAMPAIGN
    WHERE CAMPAIGN_NAME = '[Name of the campaign to delete]'
  );
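
The example below is added here and is not OKIOK's module code: a guarded form of the rename that refuses to run unless exactly one campaign matches the current name and none already uses the new one. The same exactly-one check is worth applying to the CAMPAIGN_NAME lookup of the delete module. It assumes SQL Server (T-SQL) and uses only the rev_campaign table and campaign_name column shown above; whether ModuleUpdateNumStoreProc accepts a multi-statement batch is not stated on this page, so treat that as an assumption.

```sql
-- Added example, not the vendor's module. Assumes T-SQL; only rev_campaign and
-- campaign_name come from the page, the variable names @MATCHES/@CLASHES are ours.
SET XACT_ABORT ON;  -- any runtime error aborts and rolls back the transaction

DECLARE @CURRENT_NAME AS VARCHAR(255) = 'Current campaign name';
DECLARE @NEW_NAME     AS VARCHAR(255) = 'New campaign name';
DECLARE @MATCHES INT, @CLASHES INT;

BEGIN TRANSACTION;

-- How many rows would the by-name UPDATE touch?
-- UPDLOCK/HOLDLOCK keep both counts valid until the transaction ends.
SELECT @MATCHES = COUNT(*)
FROM rev_campaign WITH (UPDLOCK, HOLDLOCK)
WHERE campaign_name = @CURRENT_NAME;

-- Is the new name already taken? A duplicate name would make later
-- by-name operations (such as the delete lookup) ambiguous.
SELECT @CLASHES = COUNT(*)
FROM rev_campaign WITH (UPDLOCK, HOLDLOCK)
WHERE campaign_name = @NEW_NAME;

IF @MATCHES <> 1 OR @CLASHES <> 0
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Rename refused: %d campaign(s) match the current name, %d already use the new name.',
              16, 1, @MATCHES, @CLASHES);
    RETURN;
END;

UPDATE rev_campaign
SET campaign_name = @NEW_NAME
WHERE campaign_name = @CURRENT_NAME;

-- Defensive re-check: commit only if exactly one row changed.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Rename rolled back: unexpected number of rows updated.', 16, 1);
    RETURN;
END;

COMMIT TRANSACTION;
```

Run it against a test copy of the repository first; a typo in the current name produces the refusal message instead of a silent no-op.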

Sequence templates and utility modules are available on S-Filer in your support community.