Rule description
This rule queries the specified Workday data source and provisions new user accounts or updates them according to the Action section settings.
When to use this rule
You can use this rule when performing bulk user account provisioning or updating from the Workday HR system into Active Directory.
Rule Settings
Query Section
Setting name | Description |
---|---|
Workday endpoint URL |
Specify Workday endpoint URL. By default, the value is taken from the Workday HR extension. |
Workday credentials |
Specify Workday credentials. This account must have proper API permissions in the Workday tenant. User format: user@tenant. By default, the value is taken from the Workday HR extension. |
More Options |
|
Workday properties to include |
List of properties to get from Workday HR. |
Hours to sync | Specify how often synchronization will be run (every number of hours). |
Filter data | To hide unwanted data set the filtering conditions by Workday HR atttributes here. |
AD Properties to display | List of properties to get from Workday HR. |
Sync mode |
Select synchronization mode:
|
Data Source Anchor attribute | Defines the Data Source attribute that will be used to determine if the user account already exists. This value is compared to the Active Directory Anchor Attribute. |
Active Directory Anchor attribute |
Defines the attribute in the Active Directory to which the Data Source anchor attribute is to be compared. When a new user is created this value also specifies the Active Directory attribute into which the Data Source anchor is written for comparison the next time the rule is executed.
Note: If the Active Directory attribute you wish to use as the Active Directory Anchor attribute is not displayed, you can enter the LDAP name of the attribute in the field. The attribute must be flagged as searchable (https://msdn.microsoft.com/en-us/library/ms679765(v=vs.85).aspx) within Active Directory. To determine if the attribute is flagged as searchable you can use ADSI Edit to view the Schema Objects container and examine the attribute’s searchFlags property.
|
Action Section
Setting name | Description |
---|---|
Create in |
Determines the initial location within Active Directory, where the new user accounts will be created.
Note: For simplicity, Cayosoft recommends that new objects be created in a separate OU and then moved to the final location after provisioning is completed.
|
Account | |
Logon Name (SamAccountName)
|
By default, the SamAccountName is automatically generated from the Data Source assuming the Data Source contains the correct named fields. If field names are not the same as shown for the selected format, contact Cayosoft for an override format. If the SamAccountName resides in the Data Source, then use the Selector button to pick the field that stores the SamAccountName. The SamAccountName must have a unique value in the target domain. |
UPNSuffix
|
It is the domain name component of the new user’s UserPrincipalName (UPN). If you use Microsoft 365, this value should be set to a domain registered in Microsoft 365/Azure AD. |
UserPrincipalName
|
By default, the UserPrincipalName (UPN) is automatically generated from the Data Source assuming the Data Source contains the correct named fields. If field names are not the same as shown for the selected UPN format, contact Cayosoft support for an override format. If the UPN resides in the Data Source, then use the Selector button to pick the desired field. The UPN must be a unique value.
Note: Microsoft best practices assume the Active Directory and Microsoft 365/Azure AD UPNs will match.
|
FirstName (GivenName) |
If the Data Source contains a field named FirstName, do nothing. Otherwise, use the Selector button to choose a field from the Data Source. |
Initials |
Specify user initials. |
Last/SurName (sn) |
If the Data Source contains a field named LastName, do nothing. Otherwise, use the Selector button to choose a field from the Data Source. |
Name (cn)
|
If the Data Source contains fields named FirstName and LastName, choose the desired format or do nothing. Otherwise, use the Selector button to select a field from the Data Source or contact Cayosoft for an override format. |
Display Name
|
If the Data Source contains fields named FirstName and LastName, choose the desired format and do nothing. Otherwise, use the Selector button to select a field from the Data Source or contact Cayosoft for an override format. |
Description
|
If the Data Source contains a field name Description, do nothing. Otherwise, manually enter a static text value or use the Selector button to choose a field from the Data Source. |
Settings |
|
Default Password |
This setting defines the password for the new account. This value can be static text, a field from the Data Source chosen using the Selection button, or set to Generate Random Password
Note: Static passwords or passwords from Data Source must meet the Active Directory Password Complexity Policy of the target container, or the account will be created in a disabled state. Randomly Generated Passwords will be generated to match both the Active Directory Password Complexity Policy and additional complexity requirements defined in the Cayosoft Administrator Password Complexity Policy.
|
Must change password at next logon Account enabled User cannot change password Password never expires |
These settings enable/disable the standard Active Directory user object settings. |
Account Expiration Date |
This setting defines the Account Expiration attribute in Active Directory. In addition to populating this field from the Data Source, a text string can be manually entered into the field in the format MM/DD/YYYY or YYYY-MM-DD. |
Organization |
|
Office Job Title (Title) Department Company Employee Number EmployeeID Division |
If the Data Source contains one of these field names, do nothing. Otherwise, manually enter a static text value or use the Selector button to choose a field from the Data Source. |
Manager Identifier |
Use the Selector button to choose a field from the Data Source that is a unique identifier for the user’s manager. Typically this will be the Managers' EmployeeNumber or EmployeeID. |
AD Attribute for Manager Lookup |
Select an Active Directory attribute used to search for the value of the Manager Identifier specified in the field above. |
Contact Info |
|
Country |
If the Data Source contains a field name Country, do nothing. Otherwise, manually enter a static text value or use the Selector button to choose a field from the Data Source. |
Email Address |
If the Data Source contains a field name or Email Address, do nothing. Otherwise, manually enter a static text value or use the Selector button to choose a field from the Data Source. |
Office Phone (telephoneNumber) Mobile Phone (mobile) Street Address City (l) State Postal Code |
If the Data Source contains a field with one of these names, do nothing. Otherwise, manually enter a static text value or use the Selector button to choose a field from the Data Source. |
Alternate Name Generation Rules |
|
Name conflict resolution |
This option determines how the system should react when the name of a user being created already exists. |
Logon Name (SamAccountName) (Alternative) UserPrincipalName (Alternative) Name (cn) (Alternative) Email Address (Alternative) DisplayName (Alternative) |
The behavior of this attribute is the same as in the Contact Info section.
|
Counter Format |
This setting specifies the number of fixed symbols the counter should have. |
Add counter when |
Specifies if a counter should always be added to the username, or only when name conflicts occur. The counter option is not available when the Use Alternative Generation Rules option is set to On failure record error in Rule Execution History and goes on. |
Other Properties |
|
Other properties |
Using the picker dialog, set a mapping between data source columns and target user properties. |
Other properties script |
Data mapping also can be set by the script. If you want every provisioned user to have extension attribute 1 populated with some string value then use this:
Note: If you set mapping for the same properties both in the Other properties and Other properties script, attribute values will be updated by the script.
|
Notify Manager |
|
Notify Manager |
Specify whether you want to notify the manager when the user is created. You can also select send email for each created user or send one email for all created users. |
Additional to |
Additional emails can be sent to the Default Notify & Alert Email Address - usually, this is the administrator's email address. |
CC, BCC |
Email address where the copy will be sent. |
From |
Users can receive emails from default SMTP from the address. |
Subject |
Email subject.
Tip: It is possible to customize email subject by using different tokens, see Customizing an automation rule or web action output email – Cayosoft Help Center.
|
Message |
Message text.
Tip: It is possible to customize email messages by using different tokens, see Customizing an automation rule or web action output email – Cayosoft Help Center.
|
Limit the number of emails sent per minute |
An integer value that represents the number of emails sent per minute by this rule. To change the default value, navigate to Home > Configuration > Settings > Email Settings (SMTP). The default limit for Microsoft 365 SMTP gate is 30 emails per minute. |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
11.2.0 | The rule has been introduced in the product. |
Comments
0 comments
Please sign in to leave a comment.