This guide is all you need to know about UNIFYAssure/Frontier Software chris21/ichris.

Solution objectives

  • Creates and disables Active Directory/Azure Active Directory accounts based on chris21 HR data.
  • Keeps account attributes up to date.
  • Maintains Manager and Direct Reports relationships.


UNIFYAssure/chris21 is compatible with:

  • Frontier Software chris21 BRE v.7.1.21 or later with:
    • HTTP Communication Method; or
    • Web Service Method
  • Microsoft Active Directory or Microsoft Azure Active Directory


chris21 connectivity

The UNIFYAssure/chris21 connector communicates with the chris21 Business Rules Engine (BRE) using the General Transaction Record (GTR) language. UNIFYAssure needs a user account in chris21 to access the BRE; the checklist below lists the permissions that account requires.

Find out more at our UNIFYBroker/chris21 documentation.

Microsoft Active Directory

UNIFYAssure uses LDAP/SSL to communicate with Microsoft Active Directory. See Networking about how this is secured.

Microsoft Azure Active Directory

UNIFYAssure uses the GRAPH APIs to communicate with Azure Active Directory.


Networking

UNIFYAssure will only use secure channels to communicate.

  • TLS 1.3 or higher connections are preferred.
  • If we need to communicate within your network, there are two options:
    • Virtual Private Network (VPN). This option has some limitations; contact us to discuss.
    • A UNIFYAssure agent. This can be run on a server inside your network, and can be firewalled to only contact those services needed.

Cloud only

```mermaid
flowchart LR
    UNIFYAssure
    chris21
    AAD[Azure Active Directory]
    UNIFYAssure-->|Web Services GTR/BRE|chris21
    UNIFYAssure-->|GRAPH|AAD
```

Active Directory with VPN

```mermaid
flowchart LR
    UNIFYAssure
    chris21
    subgraph Enterprise
        VPN
        AD[Active Directory]
    end
    UNIFYAssure-->|Web Services GTR/BRE|chris21
    UNIFYAssure-->|LDAPS|VPN
    VPN-->|LDAPS|AD
```

Active Directory with Agent

```mermaid
flowchart LR
    UNIFYAssure
    chris21
    subgraph Enterprise
        Firewall
        UAAgent[UNIFYAssure Agent]
        AD[Active Directory]
    end
    UNIFYAssure-->|Web Services GTR/BRE|chris21
    UAAgent-->|REST|Firewall
    Firewall-->|REST|UNIFYAssure
    UAAgent-->|LDAPS|AD
```

There are other combinations available, just contact us to find out how we can connect.


Find out more about how we handle security in the FAQ.


Using chris21 as the Authoritative Source or “Point of Truth”, the following functionality is offered:

  • Automated On-Boarding and Off-Boarding
  • Active Directory/Azure Active Directory Account Creation
  • An account is created automatically in Active Directory when an employee is created in chris21, and nominated chris21 information is synchronised to the relevant Active Directory/Azure Active Directory account. This includes updating Manager and Direct Reports relationships in Active Directory based upon the employee’s Position.


```mermaid
erDiagram
    chris21_DET ||--|| UNIFYAssure_Person : syncs
    chris21_TER ||--|| UNIFYAssure_Person : syncs
    chris21_POS ||--|| UNIFYAssure_Person : syncs
    chris21_REL ||--|| UNIFYAssure_Person : syncs
    chris21_PDT ||--|| UNIFYAssure_Person : syncs
    AD_User ||--|| UNIFYAssure_Person : syncs
    chris21_DET {
        string detnumber
        string detcurman
        string detemailad
        string detg1name1
        string detg2name2
        string detprefnm
        string detsurname
    }
    chris21_TER {
        string detnumber
        date terdate
        string terreascd
    }
    chris21_POS {
        string detnumber
        date posstart
        string posarea
        string posempocc
        date posend
        string posl1cd
        string posl2cd
        string posl3cd
        string posl4cd
        string posl5cd
        string posl6cd
        string posnumber
        string posstatus
        string postitle
    }
    chris21_REL {
        string pdtcode
        string relrelat01
    }
    chris21_PDT {
        string pdtcode
        string epdestabct
        string epdoptnl1
        string epdoptnl2
        string pdtareacd
        string pdtasetyp
        string pdtcategory
        string pdtclass
        string pdtcomment
        string pdtcostgrp
        date pdtcreated
        date pdteffdate
        date pdtenddate
        string pdtesw
        string pdtexptyp
        string pdthrsweek
        string pdtnoteref
        string pdtorg1cd
        string pdtorg2cd
        string pdtorg3cd
        string pdtorg4cd
        string pdtorg5cd
        string pdtorg6cd
        string pdtorg7cd
        string pdtotpaid
        string pdtposloc
        string pdtpriority
        string pdtreason
        string pdtseclvl
        string pdtstatus
        string pdtsupvind
        string pdttimepay
        string pdttimesch
        string pdttitle
    }
    UNIFYAssure_Person {
        string PersonNumber
        string EmployeeNumber
        string GivenNames
        string PreferredName
        string Surname
        date DateCommenced
        date TerminationTimeStamp
        string Manager
        string Company
        string Department
        string JobTitle
        string WorkAddress
        phone StreetAddress
        phone MobileNumber
        email EmailAddress
    }
    AD_User {
        guid objectGuid
        date accountExpires
        string cn
        string company
        string department
        string displayName
        string ActiveDirectoryPersonDn
        string employeeID
        string employeeNumber
        string givenName
        string initials
        AD_User manager
        string ActiveDirectoryPersonObjectClass
        string physicalDeliveryOfficeName
        string sAMAccountName
        string sn
        string title
        string userPrincipalName
        email mail
    }
```

Lifecycle Management

```mermaid
sequenceDiagram
    UNIFYAssure->>chris21 BRE: Read Data
    chris21 BRE->>UNIFYAssure: Read results
    opt Employee Started
        UNIFYAssure->>AD/AAD: Create account
        UNIFYAssure->>chris21 BRE: Create User
    end
    opt Employee Changed
        UNIFYAssure->>AD/AAD: Update account
    end
    opt Employee Terminated
        UNIFYAssure->>AD/AAD: Disable account
    end
    UNIFYAssure->>AD/AAD: Query
    AD/AAD->>UNIFYAssure: Query results
    opt Contact details changed
        UNIFYAssure->>chris21 BRE: Update contact details
    end
```


Some customisations are permitted under UNIFYAssure pricing. These are limited to:

  • Additional fields can be read from chris21 BRE tables already forming part of the solution. These fields can be written directly to a field on Active Directory objects with no transformations.
  • Additional fields can be written to chris21, provided these fields already exist in BRE tables that form part of the solution.
  • Additional fields can be read from or written to Active Directory/Azure Active Directory, provided they are on the user object and are available through AD LDAP or AAD GRAPH.

Customisations outside this scope can be made either through a short engagement or by using UNIFYConnect instead. Please contact us to discuss.

Requirements Checklist


  • Directories:
    • Microsoft Active Directory 2008 or later; or
    • Microsoft Azure Active Directory
  • Frontier Software chris21 BRE v.7.1.21 or later with:
    • HTTP Communication Method; or
    • Web Service Method (Web Service Method required for Frontier hosted chris21 instances)


chris21 user account

A user must be created to permit UNIFYAssure/chris21 to communicate with the chris21 server. This account can be created by your organisation’s chris21 administrators:

  • chris21 account created
  • chris21 user granted the following permissions:
    • Read access (Enquiry - 4) to the following tables:
      • ADR
      • TER
      • POS
      • PDT
      • REL
    • Write access (Change - 3 or Add - 2) to the DET form (for email address)
    • Delete access (Delete - 1) to the EAI table to clear EAI changes.
  • End-point details are known, including any valid certificate chains required for SSL.

Correlation IDs

The UNIFYAssure/chris21 service will provision a new AD account for a chris21 HR employee record on synchronisation if an existing AD account cannot first be matched to that employee record. This match requires a correlation ID, or breadcrumb, on the AD account, such as the employeeID AD user property recommended by UNIFY. This property must already exist in AD and contain the unique chris21 employee number for every employee record that must be matched to an existing AD account.

Please contact UNIFY for your options should this not be already set up.
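The lifecycle decisions in the sequence diagram above (create on start, update on change, disable on termination) only make sense once an HR record has been correlated with an AD account, so the two steps are combined in this added illustration. It is not the product's code; HrRecord, AdUser and reconcile are constructed here with a handful of the DET/TER and AD_User fields from the entity diagram, and the assumption is that employeeID is the correlation ID.

```python
from dataclasses import dataclass

# Constructed sample types (not the product's own code): a subset of the
# chris21 DET/TER and AD_User fields from the entity diagram.
@dataclass
class HrRecord:
    detnumber: str      # chris21 employee number
    detg1name1: str     # given name
    detsurname: str
    detemailad: str
    terdate: str = ""   # non-empty when a TER record exists

@dataclass
class AdUser:
    employeeID: str     # correlation ID; must already hold the chris21 number
    givenName: str
    sn: str
    mail: str
    enabled: bool = True

SYNCED = {"detg1name1": "givenName", "detsurname": "sn", "detemailad": "mail"}

def reconcile(hr: list[HrRecord], ad: list[AdUser]) -> dict[str, tuple]:
    """Decide the lifecycle action for every HR record.

    Matching is by employeeID only: accounts with a blank employeeID are never
    matched, and an employeeID held by two accounts is flagged for review
    rather than provisioned or updated."""
    index: dict[str, list[AdUser]] = {}
    for user in ad:
        if user.employeeID:
            index.setdefault(user.employeeID, []).append(user)
    actions: dict[str, tuple] = {}
    for rec in hr:
        matches = index.get(rec.detnumber, [])
        if len(matches) > 1:
            actions[rec.detnumber] = ("review", "duplicate employeeID")
        elif not matches:
            # no account to correlate: create one unless the employee has left
            actions[rec.detnumber] = ("none", "terminated, no account") if rec.terdate else (
                "create", {"employeeID": rec.detnumber, "givenName": rec.detg1name1,
                           "sn": rec.detsurname, "mail": rec.detemailad})
        elif rec.terdate:
            actions[rec.detnumber] = ("disable", rec.detnumber) if matches[0].enabled else ("none", "already disabled")
        else:
            changed = {SYNCED[f]: getattr(rec, f) for f in SYNCED
                       if getattr(rec, f) != getattr(matches[0], SYNCED[f])}
            actions[rec.detnumber] = ("update", changed) if changed else ("none", "in sync")
    return actions
```

The "review" outcome is the case the Correlation IDs paragraph warns about: if employeeID is not unique and populated before go-live, a sync cycle would otherwise either create a duplicate account or update the wrong one.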


Choose which of the two directory options suits you best.

Active Directory

This section applies if you are connecting the service to Active Directory.

UNIFYAssure must have an account on Active Directory with permissions to create, modify and disable accounts. It must also be aware of the SSL certificate used by the LDAPS end-point on the nominated Active Directory server.

  • An Active Directory account with appropriate permissions has been created for use by UNIFYAssure/chris21
  • Connectivity must be arranged for the Active Directory. The two preferred options are a VPN, or the UNIFYAssure agent.
  • UNIFYAssure must have a valid certificate chain. Therefore, either the Active Directory end-point SSL certificate is from a Windows Trusted Certificate Authority, or UNIFY Solutions must be supplied with a public Certificate Authority root certificate.

Azure Active Directory

To connect to your Azure Active Directory, you will need to create an App Registration with a ClientID and ClientSecret. The permissions granted to this App Registration are User.ReadWrite.All and Group.ReadWrite.All, or Directory.ReadWrite.All.


Active Directory

In any enterprise Active Directory installation, attribute values maintained on user objects are usually used to drive enterprise policy. This may include, but is not limited to, the following:

  • Use of automation (e.g. in login scripts) to map user home drives and user profile paths to managed network resources/file shares;
  • Use in dynamic distribution lists (e.g. Exchange Dynamic Lists) to leverage user attributes to address emails to collections of users;
  • Use in other policy to drive membership of AD groups, such as security groups; and
  • Calculation of license (CAL) counts based on the number of active employee records, for example.

With the implementation of synchronisation rules in UNIFYAssure, some of the properties used in policy such as the above will now be mastered (authoritative) in chris21. This implies that any downstream dependencies must be in alignment with the new data source for all mapped and synchronised properties, and that attempts to alter the synchronised attributes directly in AD post implementation may be undone in subsequent synchronisation cycles.

Additionally, in order for UNIFYAssure to provision new AD accounts that meet various uniqueness, GAL visibility and security policy criteria, rules have been built into the solution to initialise the following special attributes:

  • Email address
  • Windows Login Name (pre Windows 2000 format)
  • User Principal Name
  • Common Name
  • Display Name

Given that there will always be scenarios where name clashes occur in an environment which cannot be resolved without some form of human intervention, the synchronisation model is designed to allow these specific values to be changed manually directly in AD post provisioning, and for those changes to persist despite future synchronisation cycles. The initial values set by the solution are determined according to UNIFY’s accumulated best practice and experience; this model has been adopted for this solution to deliver the best, most manageable outcome within budget.
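To make the two rules in this section concrete, here is an added illustration (not UNIFY's actual initialisation rules) of how the five special attributes can be given unique initial values and then left alone on later cycles. The naming patterns, the numeric suffix and the example.com domain are assumptions; the 20-character limit on sAMAccountName is a Windows constraint.

```python
from __future__ import annotations
import re
import unicodedata

# Constructed illustration, not UNIFY's own rules: the five attributes the
# solution initialises, made unique against the directory, and never
# overwritten once an account holds a value, so manual fixes in AD persist.
SPECIAL = ("mail", "sAMAccountName", "userPrincipalName", "cn", "displayName")

def _fold(text: str) -> str:
    """Accent-fold, keep ASCII letters and digits only, lower-case."""
    plain = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Za-z0-9]", "", plain).lower()

def _unique(base: str, taken: set[str], max_len: int = 0) -> str:
    """Return base, or base plus the lowest numeric suffix that is not taken.

    With max_len the base is shortened so the suffix still fits (sAMAccountName
    is limited to 20 characters)."""
    candidate, n = (base[:max_len] if max_len else base), 1
    while candidate.lower() in taken:
        n += 1
        stem = base[: max_len - len(str(n))] if max_len else base
        candidate = stem + str(n)
    return candidate

def initial_attributes(given: str, surname: str, domain: str,
                       existing: list[dict]) -> dict:
    """Initial special attributes for a new account, unique against `existing`."""
    taken = {a: {u[a].lower() for u in existing if u.get(a)} for a in SPECIAL}
    g, s = _fold(given), _fold(surname)
    # mail and UPN share one local part, so check both attributes' local parts
    used_local = {v.split("@")[0] for v in taken["mail"] | taken["userPrincipalName"]}
    local = _unique(f"{g}.{s}", used_local)
    name = _unique(f"{given} {surname}", taken["cn"] | taken["displayName"])
    return {
        "mail": f"{local}@{domain}",
        "userPrincipalName": f"{local}@{domain}",
        "sAMAccountName": _unique(g[:1] + s, taken["sAMAccountName"], max_len=20),
        "cn": name,
        "displayName": name,
    }

def attributes_to_write(current: dict, proposed: dict) -> dict:
    """Special attributes are written only when the account has no value yet;
    all other mapped attributes are mastered in chris21 and always re-applied."""
    return {k: v for k, v in proposed.items()
            if k not in SPECIAL or not current.get(k)}
```

attributes_to_write is the persistence rule in code: a displayName an administrator corrected by hand survives the next cycle, while a department value changed by hand is reverted to the chris21 value, as the Active Directory section above warns.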

Frontier chris21

A typical chris21 deployment will incorporate policy, in the form of workflow, based on employee attribute values changing. One example might be the changing/setting of an email address resulting in a notification being sent to that target.

Any chris21 workflows that may be initiated by email updates must be understood and, if required, adjusted to avoid sending unwanted emails. This is particularly important when large numbers of updates occur at once, as can happen in the initial synchronisation steps following deployment.

Disaster Recovery

We are pretty confident in our solution. It has run large enterprise identity systems for years. However, it is always a good idea to plan for the slight risk of something going wrong.

For both your directory and your chris21, you need to make sure you have valid disaster recovery plans that work. We will check with you before we complete the installation.