This guide is all you need to know about UNIFYConnect/Frontier Software chris21/ichris.

Solution objectives

  • Creating and disabling Active Directory/Entra ID (formerly Azure Active Directory) Accounts based on chris21 HR data.
  • Keeps account attributes up to date.
  • Maintains Manager and Direct Reports relationships.

Compatibility

UNIFYConnect/chris21 is compatible with:

  • Frontier Software chris21 BRE v.7.1.21 or later with:
    • HTTP Communication Method; or
    • Web Service Method
  • Microsoft Active Directory or Microsoft Entra ID (formerly Azure Active Directory)

Connectivity

chris21 connectivity

The UNIFYConnect/chris21 connector uses the chris21 Business Rules Engine (BRE), using the General Transaction Record (GTR) language. UNIFYConnect will need a user in chris21 to access the BRE. The checklist below contains information about the permissions required.

Find out more at our UNIFYBroker/chris21 documentation.

Microsoft Active Directory

UNIFYConnect uses LDAP/SSL to communicate with Microsoft Active Directory. See Networking about how this is secured.

Microsoft Entra ID

UNIFYConnect uses the GRAPH APIs to communicate with Entra ID (formerly Azure Active Directory).

Networking

UNIFYConnect will only use secure channels to communicate.

  • TLS 1.3 or higher connections are preferred.
  • If we need to communicate within your network, there are two options:
    • Virtual Private Network (VPN). There are some limitations to this, contact us to discuss.
    • A UNIFYConnect agent. This can be run on a server inside your network, and can be firewalled to only contact those services needed.

Cloud only

flowchart LR UNIFYConnect chris21 AAD[Entra ID] UNIFYConnect-->|Web Services GTR/BRE|chris21 UNIFYConnect-->|GRAPH|AAD

Active Directory with VPN

flowchart LR UNIFYConnect chris21 subgraph Enterprise VPN AD[Active Directory] end UNIFYConnect-->|Web Services GTR/BRE|chris21 UNIFYConnect-->|LDAPS|VPN VPN-->|LDAPS|AD

Active Directory with Agent

flowchart LR UNIFYConnect chris21 subgraph Enterprise Firewall UAAgent[UNIFYConnect Agent] AD[Active Directory] end UNIFYConnect-->|Web Services GTR/BRE|chris21 UAAgent-->|REST|Firewall Firewall-->|REST|UNIFYConnect UAAgent-->|LDAPS|AD

There are other combinations available, just contact us to find out how we can connect.

Security

Find out more about how we handle security in the FAQ.

Functionality

Using chris21 as the Authoritative Source or “Point of Truth”, the following functionality is offered:

  • Automated On-Boarding and Off-Boarding
  • Active Directory/Entra ID (formerly Azure Active Directory) Account Creation
  • Account automatically created in Active Directory based upon employee creation in chris21 and nominated chris21 information synchronised to the relevant Active Directory/Entra ID (formerly Azure Active Directory) account. (Includes updating Manager and Direct Reports relationships in Active Directory based upon the Employee’s Position.)

Schema

erDiagram chris21_DET ||--|| UNIFYConnect_Person : syncs chris21_TER ||--|| UNIFYConnect_Person : syncs chris21_POS ||--|| UNIFYConnect_Person : syncs chris21_REL ||--|| UNIFYConnect_Person : syncs chris21_PDT ||--|| UNIFYConnect_Person : syncs AD_User ||--|| UNIFYConnect_Person : syncs chris21_DET { string detnumber string detcurman string detemailad string detg1name1 string detg2name2 string detprefnm string detsurname } chris21_TER { string detnumber date terdate string terreascd } chris21_POS { string detnumber date posstart string posarea string posempocc date posend string posl1cd string posl2cd string posl3cd string posl4cd string posl5cd string posl6cd string posnumber string posstatus string postitle } chris21_REL { string pdtcode string relrelat01 } chris21_PDT { string pdtcode string epdestabct string epdoptnl1 string epdoptnl2 string pdtareacd string pdtasetyp string pdtcategory string pdtclass string pdtcomment string pdtcostgrp date pdtcreated date pdteffdate date pdtenddate string pdtesw string pdtexptyp string pdthrsweek string pdtnoteref string pdtorg1cd string pdtorg2cd string pdtorg3cd string pdtorg4cd string pdtorg5cd string pdtorg6cd string pdtorg7cd string pdtotpaid string pdtposloc string pdtpriority string pdtreason string pdtseclvl string pdtstatus string pdtsupvind string pdttimepay string pdttimesch string pdttitle } UNIFYConnect_Person { string PersonNumber string EmployeeNumber string GivenNames string PreferredName string Surname date DateCommenced date TerminationTimeStamp string Manager string Company string Department string JobTitle string WorkAddress phone StreetAddress phone MobileNumber email EmailAddress } AD_User { guid objectGuid date accountExpires string cn string company string department string displayName string ActiveDirectoryPersonDn string employeeID string employeeNumber string givenName string initials AD_User manager string ActiveDirectoryPersonObjectClass string physicalDeliveryOfficeName string sAMAccountName string sn string title string userPrincipalName email mail }

Lifecycle Management

sequenceDiagram UNIFYConnect->>chris21 BRE: Read Data chris21 BRE->>UNIFYConnect: Read results opt Employee Started UNIFYConnect->>AD/Entra ID: Create account UNIFYConnect->>chris21 BRE: Create User end opt Employee Changed UNIFYConnect->>AD/Entra ID: Update account end opt Employee Terminated UNIFYConnect->>AD/Entra ID: Disable account end UNIFYConnect->>AD/Entra ID: Query AD/Entra ID->>UNIFYConnect: Query results opt Contact details changed UNIFYConnect->>chris21 BRE: Update contact details end

Customisations

  • Additional fields can be read from chris21 BRE tables already forming part of the solution. These fields can be written directly to a field on Active Directory objects with no transformations.
  • Additional fields can be written to chris21, provided these fields already exist in BRE tables that form part of the solution.
  • Additional fields can be read/written from Active Directory/Entra ID (formerly Azure Active Directory), provided they are on the user object, and either available through AD LDAP or Entra ID GRAPH.

Any customisations outside of this may either be made by a short engagement or by using UNIFYConnect instead. Please contact us to discuss.

Requirements Checklist

Software

  • Directories:
    • Microsoft Active Directory 2008 or later; or
    • Microsoft Entra ID (formerly Azure Active Directory)
  • Frontier Software chris21 BRE v.7.1.21 or later with:
    • HTTP Communication Method; or
    • Web Service Method (Web Service Method required for Frontier hosted chris21 instances)

Configuration

chris21 user account

A user must be created to permit UNIFYConnect/chris21 to communicate with the chris21 server. This account can be created by your organisation’s chris21 administrators:

  • chris21 account created
  • chris21 user granted the following permissions:
    • Read access (Enquiry - 4) to the following tables:
    • ADR
    • TER
    • POS
    • PDT
    • REL
    • Write access (Change - 3 or Add - 2) to the DET form (for email address)
    • Delete access (Delete - 1) to the EAI table to clear EAI changes.
  • End-point details are known, including any valid certificate chains required for SSL.

Correlation IDs

The UNIFYConnect/chris21 service will provision a new AD account for an chris21 HR employee record on synchronisation if an existing AD account cannot first be matched to that employee record. This match requires the use of a correlation ID or breadcrumb on the AD account, such as the employeeID AD user property recommended by UNIFY. This property must already exist in AD and contain the unique chris21 employee for every employee record that must be matched to an existing AD account.

Please contact UNIFY for your options should this not be already set up.

Directories

Choose which of the two directory options suits you best.

Active Directory

This section is for those that are connecting the service to Active Directory.

UNIFYConnect must have an account on Active Directory with permissions to create, modify and disable accounts. It must also be aware of the SSL certificate used by the LDAPS end-point on the nominated Active Directory server.

  • An Active Directory account with appropriate permissions has been created for use by UNIFYConnect/chris21
  • Connectivity must be arranged for the Active Directory. The two preferred options are a VPN, or the UNIFYConnect agent.
  • UNIFYConnect must have a valid certificate chain. Therefore, either the Active Directory end-point SSL certificate is from a Windows Trusted Certificate Authority, or UNIFY Solutions must be supplied with a public Certificate Authority root certificate.

Entra ID

To connect to your Entra ID (formerly Azure Active Directory), you will need to create an App Registration with a ClientID and ClientSecret. The permissions granted to this App Registration are User.ReadWrite.All and Group.ReadWrite.All, or Directory.ReadWrite.All.

Dependencies

Active Directory

In any enterprise Active Directory installation, attribute values maintained on user objects are usually used to drive enterprise policy. This may include but not be limited to the following:

  • Use of automation (e.g. in login scripts) to map user home drives and user profile paths to managed network resources/file shares;
  • Use in dynamic distribution lists (e.g. Exchange Dynamic Lists) to leverage user attributes to address emails to collections of users;
  • Use in other policy to drive membership of other AD groups, such as security groups or groups; and
  • Calculation of license (CAL) counts based on the number of active employee records, for example.

With the implementation of synchronisation rules in UNIFYConnect, some of the properties used in policy such as the above will now be mastered (authoritative) in chris21. This implies that any downstream dependencies must be in alignment with the new data source for all mapped and synchronised properties, and that attempts to alter the synchronised attributes directly in AD post implementation may be undone in subsequent synchronisation cycles.

Additionally, in order for UNIFYConnect to provision new AD accounts that meet various uniqueness, GAL visibility and security policy criteria, rules have been built into the solution to initialise the following special attributes:

  • Email address
  • Windows Login Name (pre Windows 2000 format)
  • User Principal Name
  • Common Name
  • Display Name

Given that there will always be scenarios where name clashes occur in an environment which cannot be resolved without some form of human intervention, the synchronisation model is designed to allow these specific values to be changed manually directly in AD post provisioning, and for these to persist despite future synchronisation cycles. The initial values set by the solution are determined according to UNIFY’s accumulated best practice and experience, and that this model has been adopted for this solution to deliver the best, most manageable outcome within budget.

Frontier chris21

A typical chris21 deployment will incorporate policy, in the form of workflow, based on employee attribute values changing. One example might be the changing/setting of an email address resulting in a notification being sent to that target.

Any chris21 workflows which may be initiated as a result of email updates must be understood and adjusted if required to avoid the initiation of unwanted emails, particularly when these occur for large numbers of updates which has the potential to occur in the initial synchronisation steps following deployment.

Disaster Recovery

We are pretty confident in our solution. It has run large enterprise identity systems for years. However, it is always a good idea to plan for the slight risk of something going wrong.

For both your directory and your chris21, you need to make sure you have valid disaster recovery plans that work. We will check with you before we complete the installation.

Copyright ©2024 UNIFY Solutions Trust Center