Active Directory

Active Directory (AD) is a Microsoft directory service that simplifies user management. It acts as a single repository for user- and computer-related information. Sage People can integrate with Active Directory to synchronize certain data items from Sage People into the Active Directory database and from the Active Directory database into Sage People.

Benefits of integrating Sage People with Active Directory (AD) include: 

  • reduced overhead of having to create and update User Records in two places.
  • up to date employee information available for IT by syncing data from your HR system of record to AD.
  • a more secure system as departing employees cannot access their emails after their leaving date.

How Sage People integrates with Active Directory (AD)

Typically, an integration between AD and Sage People is implemented using a PowerShell script. It is also possible to use Payflow to transfer CSV files via SFTP if security requirements do not permit the use of the PowerShell method. Responsibility for setting up and maintaining the AD synchronization depends on your agreements with Sage.

Sage People as the master source of data

Note
  • Sage People recommends you use Sage People as the master source of data and push data from Sage People to AD.

  • It is possible to use both Sage People as the master source of data for some fields, and AD as the master source of data for other fields.

The integration pulls information from Sage People data tables, checks the AD database, and then either updates or creates the user record in AD. For example, an HR manager creates a new Team Member in Sage People, and the script and API push this data into AD and create the user record there.

AD generally uses an employee's User Principal Name (UPN) as the unique identifier.

Active Directory (AD) as the master source of data

Although it is recommended you use Sage People as the master source of data, it is possible to push data from AD into Sage People. Typically, data such as phone and extension numbers maintained in AD is pushed into Sage People to update the Team Member record.
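The following PowerShell script is an added example covering both directions described above (Sage People as master for the AD user record, AD as master for phone and extension). It is not Sage People's own integration script. It assumes a valid Salesforce access token for the integration user is supplied by the caller, that the Salesforce REST `query` and `sobjects` endpoints are used, and that the Sage People object and field API names (`fHCM2__Team_Member__c` and the `fHCM2__*__c` fields) are placeholders to be replaced with the fields in your own synchronization mapping. The UPN is the lookup key on the AD side, as the page states.

```powershell
# Added example (not Sage People's own script): push Team Member data into AD keyed on UPN,
# disable leavers, and pull phone/extension from AD back into Sage People.
param(
    [Parameter(Mandatory)][string]$InstanceUrl,   # e.g. https://<yourorg>.my.salesforce.com (placeholder)
    [Parameter(Mandatory)][string]$AccessToken,   # OAuth token for the API-only integration user
    [string]$ApiVersion = 'v58.0',
    [string]$NewUserOU  = 'OU=Staff,DC=example,DC=local'   # placeholder OU for created accounts
)

Import-Module ActiveDirectory
$headers = @{ Authorization = "Bearer $AccessToken" }

# Runs a SOQL query and follows nextRecordsUrl so large Team Member sets are not truncated.
function Invoke-SoqlQuery([string]$Soql) {
    $uri = "$InstanceUrl/services/data/$ApiVersion/query?q=" + [uri]::EscapeDataString($Soql)
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $records = @($page.records)
    while (-not $page.done) {
        $page = Invoke-RestMethod -Uri "$InstanceUrl$($page.nextRecordsUrl)" -Headers $headers -Method Get
        $records += $page.records
    }
    return $records
}

# Assumed API names (placeholders): adjust to the fields in your synchronization mapping.
$tmObject = 'fHCM2__Team_Member__c'
$soql = "SELECT Id, fHCM2__First_Name__c, fHCM2__Surname__c, fHCM2__Email__c, " +
        "fHCM2__Department__c, fHCM2__Job_Title__c, fHCM2__Leaving_Date__c FROM $tmObject"

foreach ($tm in Invoke-SoqlQuery $soql) {
    $upn = $tm.fHCM2__Email__c
    if (-not $upn) { Write-Warning "Team Member $($tm.Id) has no email; skipping"; continue }

    # UPN is the unique key: look the account up by it rather than by display name.
    $adUser = Get-ADUser -Filter { UserPrincipalName -eq $upn } -Properties Department, Title, telephoneNumber, ipPhone

    if ($null -eq $adUser) {
        # Sage People is master: create the account. It is created disabled so the sync
        # script never has to set or transmit a password; IT enables it at onboarding.
        $sam = $upn.Split('@')[0]
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName length limit
        New-ADUser -Name "$($tm.fHCM2__First_Name__c) $($tm.fHCM2__Surname__c)" `
                   -GivenName $tm.fHCM2__First_Name__c -Surname $tm.fHCM2__Surname__c `
                   -UserPrincipalName $upn -SamAccountName $sam -EmailAddress $upn `
                   -Department $tm.fHCM2__Department__c -Title $tm.fHCM2__Job_Title__c `
                   -Path $NewUserOU -Enabled $false
        Write-Output "Created AD user $upn"
        continue
    }

    # Existing account: push the Sage People-mastered attributes.
    Set-ADUser -Identity $adUser -Department $tm.fHCM2__Department__c -Title $tm.fHCM2__Job_Title__c

    # Leaver handling: disable the account once the leaving date recorded by HR has passed,
    # so mailbox access stops on that date.
    $leaving = $tm.fHCM2__Leaving_Date__c
    if ($leaving -and ([datetime]$leaving) -le (Get-Date).Date -and $adUser.Enabled) {
        Disable-ADAccount -Identity $adUser
        Write-Output "Disabled AD user $upn (leaving date $leaving)"
    }

    # AD is master for phone data: pull it back into the Team Member record (assumed field names).
    $patch = @{
        fHCM2__Work_Phone__c     = $adUser.telephoneNumber
        fHCM2__Work_Extension__c = $adUser.ipPhone
    } | ConvertTo-Json
    Invoke-RestMethod -Method Patch -Headers $headers -ContentType 'application/json' `
        -Uri "$InstanceUrl/services/data/$ApiVersion/sobjects/$tmObject/$($tm.Id)" -Body $patch | Out-Null
}
```

Run it as a scheduled task under a service account that has only the AD rights needed for the target OU. Because the Salesforce side is reached with the API-only user, the script can only read and write the fields that profile and permission set expose, which is what keeps a compromised sync host from becoming a full HR data export.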

Note

If AD acts as the master source of data for certain fields, consider making these fields read only in Sage People.

API Profile and security

Sage People creates a Profile (usually called API) for the AD integration. In newer orgs this Profile may already be present as standard. The profile is completely blank with only the following permissions enabled:

  • API Enabled: enabled to allow API access.

  • Api Only User: enabled to ensure the holder of the API account can log in to Salesforce via API only and not with a username and password.

  • Password Never Expires: enabled to prevent integration downtime caused by an expired password.

On a Profile, these settings are located in: 

  • Administrative Permissions in classic Profile interface

  • System Permissions in Enhanced Profile Interface

Warning
  • No other permissions should be enabled on the API profile. Enabling object level access, field level access, VisualForce page access, apex class access or any other permissions on the profile could result in a security breach.

If no API profile is present in the org, select New Profile to create it. When prompted to enter the Existing Profile from which to clone, ensure Minimum Access – Salesforce is selected so that no permissions are enabled by default, as in the screenshot below, then enable the three permissions specified:
Screenshot: Select an existing profile for cloning a new profile

For APIs, field-level security is used to control access to fields. To do this, create a permission set that grants access only to those fields included in the synchronization. For the API user, give fields where AD is the source of truth Edit access, and fields where Sage People is the source of truth Read access only.
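The script below is an added example, not part of Sage People's documentation, that audits an existing integration user against the rules in this section: the three profile permissions must be on, broad data permissions must be off, and the user's effective field-level security must match the source-of-truth mapping (Edit only on AD-mastered fields, Read only on Sage People-mastered fields, nothing else). It assumes a Salesforce access token for an administrator who can read setup objects (`User`, `Profile`, `PermissionSetAssignment`, `FieldPermissions`), that the profile permission field names follow Salesforce's `Permissions<Name>` convention for the permissions named on this page, and that the `fHCM2__*` field names in the mapping are placeholders for your own.

```powershell
# Added example (not Sage People's own code): checks the AD integration user's effective access.
param(
    [Parameter(Mandatory)][string]$InstanceUrl,           # e.g. https://<yourorg>.my.salesforce.com (placeholder)
    [Parameter(Mandatory)][string]$AccessToken,           # token for an admin able to read setup objects
    [Parameter(Mandatory)][string]$IntegrationUsername,   # e.g. ad.integration@example.com (placeholder)
    [string]$ApiVersion = 'v58.0'
)
$headers = @{ Authorization = "Bearer $AccessToken" }
function Invoke-SoqlQuery([string]$Soql) {
    $uri = "$InstanceUrl/services/data/$ApiVersion/query?q=" + [uri]::EscapeDataString($Soql)
    return @((Invoke-RestMethod -Uri $uri -Headers $headers -Method Get).records)
}

# Expected field access (placeholder names, Object.Field form as used by FieldPermissions.Field):
# AD-mastered fields need Edit, Sage People-mastered fields must stay Read only.
$adMastered = @('fHCM2__Team_Member__c.fHCM2__Work_Phone__c', 'fHCM2__Team_Member__c.fHCM2__Work_Extension__c')
$spMastered = @('fHCM2__Team_Member__c.fHCM2__Email__c',      'fHCM2__Team_Member__c.fHCM2__Department__c')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Profile: the three required permissions on, org-wide data permissions off.
$user = Invoke-SoqlQuery ("SELECT Id, Profile.Name, Profile.PermissionsApiEnabled, Profile.PermissionsApiUserOnly, " +
        "Profile.PermissionsPasswordNeverExpires, Profile.PermissionsModifyAllData, Profile.PermissionsViewAllData " +
        "FROM User WHERE Username = '$IntegrationUsername'") | Select-Object -First 1
if (-not $user) { throw "No user named $IntegrationUsername" }
foreach ($p in 'PermissionsApiEnabled', 'PermissionsApiUserOnly', 'PermissionsPasswordNeverExpires') {
    if (-not $user.Profile.$p) { $findings.Add("Profile '$($user.Profile.Name)' is missing $p") }
}
foreach ($p in 'PermissionsModifyAllData', 'PermissionsViewAllData') {
    if ($user.Profile.$p) { $findings.Add("Profile '$($user.Profile.Name)' grants $p (must be off)") }
}

# 2. Field-level security: every FieldPermissions row the user receives through the profile
#    or any assigned permission set (the profile's own permission set is assigned like any other).
$fieldPerms = Invoke-SoqlQuery ("SELECT Parent.Name, Parent.Profile.Name, Field, PermissionsRead, PermissionsEdit " +
        "FROM FieldPermissions WHERE ParentId IN " +
        "(SELECT PermissionSetId FROM PermissionSetAssignment WHERE AssigneeId = '$($user.Id)')")
foreach ($fp in $fieldPerms) {
    $via = if ($fp.Parent.Profile) { "profile '$($fp.Parent.Profile.Name)'" } else { "permission set '$($fp.Parent.Name)'" }
    $src = "$($fp.Field) via $via"
    if ($adMastered -contains $fp.Field) {
        if (-not $fp.PermissionsEdit) { $findings.Add("$src : AD-mastered field lacks Edit") }
    } elseif ($spMastered -contains $fp.Field) {
        if ($fp.PermissionsEdit)      { $findings.Add("$src : Sage People-mastered field has Edit (should be Read only)") }
        if (-not $fp.PermissionsRead) { $findings.Add("$src : Sage People-mastered field lacks Read") }
    } elseif ($fp.PermissionsRead -or $fp.PermissionsEdit) {
        $findings.Add("$src : field is outside the sync mapping but is accessible")
    }
}
# Mapped fields with no FieldPermissions row at all have no access granted.
foreach ($f in $adMastered + $spMastered) {
    if (-not ($fieldPerms | Where-Object Field -eq $f)) { $findings.Add("$f : no field access granted") }
}

if ($findings.Count -eq 0) { Write-Output "OK: $IntegrationUsername has exactly the expected access" }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Running this after each profile or permission-set change, and periodically as a scheduled check, catches the drift the warning above describes: an object permission or an extra editable field added to the API profile shows up as a finding before it becomes a data exposure.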