Importing HR data with reconciliation

Edit online

HR data can be imported into the Verify Identity Governance Server from a file written in DSML, with the DSML Identity Feed service provider.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

In a cluster environment, the DSML file is present on all cluster member machines at the same location. In a reconciliation, the DSML file can be found regardless of which cluster member initiates the reconciliation.

The DSML file must be present on the IVIG Server machine for a single server setup.

About this task

When you use the DSML Identity Feed Service to import HR data from a DSML file, only the add and modify person operations are done. The delete person operation is not available when importing identity record information from a DSML file.

Note: When processing identity record information from a DSML file, it is assumed that the data set reconciled does not represent the entire person population for the IVIG Server. Because of this assumption, the polling method can be used to add or modify persons, but not delete them. To delete persons, the event notification interface must be used.

To import the HR data with the DSML Identity Feed service type, complete these steps:

Procedure

  1. Create an instance of the DSML Identity Feed service.
  2. Configure the service to refer to a DSML file that contains the identity record data.
    Specify the full path name to the DSML file. Use the service test feature to verify that the file name is correct.
  3. Reconcile the service.

Results

When reconciling the DSML Identity Feed service, the identity record entries are read from the DSML file. For each identity record entry, the objectclass is matched up to the appropriate person profile in IBM Verify Identity Governance. If a match is made, the distinguished name (dn) is converted into a search filter. The search filter looks for an existing match to a person entry that exists in the organization that contains the service. If a single match is found, then the person entry is used as an update to the existing entry. If no match is found, the individual is added as a new person entry. Duplicate matches return an error and the entry is not added.

Example

These statements are a sample of a DSML entry for a person:
<entry dn="uid=jsmith">
   <objectclass>
          <oc-value>inetOrgPerson</oc-value>
   </objectclass>
   <attr name="sn"><value>smith</value></attr>
   <attr name="uid"><value>jsmith</value></attr>
   <attr name="mail"><value>jsmith@IBM.com</value></attr>
   <attr name="givenname"><value>John</value></attr>
   <attr name="cn"><value>John Smith</value></attr>
</entry>

What to do next

You can now add, modify, and delete identity information with the IVIG interface.

You can add more users, modify existing users with the DSML file, and deleting users.