Tutorial: Configure SAP SuccessFactors to Active Directory user provisioning

The objective of this tutorial is to show the steps you need to perform to provision users from SuccessFactors Employee Central into Active Directory (AD) and Azure AD, with optional write-back of the email address to SuccessFactors.

Note

Use this tutorial if the users you want to provision from SuccessFactors need an on-premises AD account and optionally an Azure AD account. If the users from SuccessFactors need only an Azure AD account (cloud-only users), refer to the tutorial on configuring SAP SuccessFactors to Azure AD user provisioning.

Overview

The Azure Active Directory user provisioning service integrates with SuccessFactors Employee Central to manage the identity life cycle of users.

The SuccessFactors user provisioning workflows supported by the Azure AD user provisioning service enable automation of the following human resources and identity lifecycle management scenarios:

  • Hiring new employees - When a new employee is added to SuccessFactors, a user account is automatically created in Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD, with write-back of the email address to SuccessFactors.

  • Employee attribute and profile updates - When an employee record is updated in SuccessFactors (such as their name, title, or manager), their user account is automatically updated in Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD.

  • Employee terminations - When an employee is terminated in SuccessFactors, their user account is automatically disabled in Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD.

  • Employee rehires - When an employee is rehired in SuccessFactors, their old account can be automatically reactivated or re-provisioned (depending on your preference) to Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD.

Who is this user provisioning solution best suited for?

This SuccessFactors to Active Directory user provisioning solution is ideally suited for:

  • Organizations that desire a pre-built, cloud-based solution for SuccessFactors user provisioning

  • Organizations that require direct user provisioning from SuccessFactors to Active Directory

  • Organizations that require users to be provisioned using data obtained from SuccessFactors Employee Central (EC)

  • Organizations that require joining, moving, and leaving users to be synced to one or more Active Directory forests, domains, and OUs based only on change information detected in SuccessFactors Employee Central (EC)

  • Organizations using Microsoft 365 for email

Solution Architecture

This section describes the end-to-end user provisioning solution architecture for common hybrid environments. There are two related flows:

  • Authoritative HR Data Flow – from SuccessFactors to on-premises Active Directory: In this flow, worker events (such as New Hires, Transfers, Terminations) first occur in the cloud SuccessFactors Employee Central, and then the event data flows into on-premises Active Directory through Azure AD and the Provisioning Agent. Depending on the event, it may lead to create/update/enable/disable operations in AD.

  • Email Writeback Flow – from on-premises Active Directory to SuccessFactors: Once the account creation is complete in Active Directory, the account is synced with Azure AD through Azure AD Connect sync, and the email attribute can be written back to SuccessFactors.

    Overview

End-to-end user data flow

  1. The HR team performs worker transactions (Joiners/Movers/Leavers or New Hires/Transfers/Terminations) in SuccessFactors Employee Central.
  2. The Azure AD Provisioning Service runs scheduled synchronizations of identities from SuccessFactors EC and identifies changes that need to be processed for sync with on-premises Active Directory.
  3. The Azure AD Provisioning Service invokes the on-premises Azure AD Connect Provisioning Agent with a request payload containing AD account create/update/enable/disable operations.
  4. The Azure AD Connect Provisioning Agent uses a service account to add/update AD account data.
  5. The Azure AD Connect Sync engine runs delta sync to pull updates in AD.
  6. The Active Directory updates are synced with Azure Active Directory.
  7. If the SuccessFactors Writeback app is configured, it writes the email attribute back to SuccessFactors, based on the matching attribute used.

Planning your deployment

Configuring Cloud HR driven user provisioning from SuccessFactors to AD requires considerable planning covering different aspects such as:

  • Setup of the Azure AD Connect provisioning agent
  • Number of SuccessFactors to AD user provisioning apps to deploy
  • Matching ID, attribute mapping, transformation and scoping filters

Please refer to the cloud HR deployment plan for comprehensive guidelines around these topics. Please refer to the SAP SuccessFactors integration reference to learn about the supported entities, processing details and how to customize the integration for different HR scenarios.

Configuring SuccessFactors for the integration

A common requirement of all the SuccessFactors provisioning connectors is that they require credentials of a SuccessFactors account with the right permissions to invoke the SuccessFactors OData APIs. This section describes the steps to create the service account in SuccessFactors and grant appropriate permissions.

Create/identify API user account in SuccessFactors

Work with your SuccessFactors admin team or implementation partner to create or identify a user account in SuccessFactors that will be used to invoke the OData APIs. The username and password credentials of this account will be required when configuring the provisioning apps in Azure AD.

Create an API permissions role

  1. Log in to SAP SuccessFactors with a user account that has access to the Admin Center.

  2. Search for Manage Permission Roles, then select Manage Permission Roles from the search results.

    Manage Permission Roles

  3. From the Permission Role List, click Create New.

    Create New Permission Role

  4. Add a Role Name and Description for the new permission role. The name and description should indicate that the role is for API usage permissions.

    Permission role detail

  5. Under Permission settings, click Permission..., then scroll down the permission list and click Manage Integration Tools. Check the box for Allow Admin to Access to OData API through Basic Authentication.

    Manage integration tools

  6. Scroll down in the same box and select Employee Central API. Add permissions as shown below to read using ODATA API and edit using ODATA API. Select the edit option if you plan to use the same account for the Writeback to SuccessFactors scenario.

    Read write permissions

  7. In the same permissions box, go to User Permissions -> Employee Data and review the attributes that the service account can read from the SuccessFactors tenant. For example, to retrieve the Username attribute from SuccessFactors, ensure that "View" permission is granted for this attribute. Similarly, review each attribute for view permission.

    Employee data permissions

    Note

    For the complete list of attributes retrieved by this provisioning app, please refer to SuccessFactors Attribute Reference.

  8. Click Done. Click Save Changes.

Create a Permission Group for the API user

  1. In the SuccessFactors Admin Center, search for Manage Permission Groups, then select Manage Permission Groups from the search results.

    Manage permission groups

  2. From the Manage Permission Groups window, click Create New.

    Add new group

  3. Add a Group Name for the new group. The group name should indicate that the group is for API users.

    Permission group name

  4. Add members to the group. For example, you could select Username from the People Pool drop-down menu and then enter the username of the API account that will be used for the integration.

    Add group members

  5. Click Done to finish creating the Permission Group.

Grant Permission Role to the Permission Group

  1. In the SuccessFactors Admin Center, search for Manage Permission Roles, then select Manage Permission Roles from the search results.
  2. From the Permission Role List, select the role that you created for API usage permissions.
  3. Under Grant this role to..., click the Add... button.
  4. Select Permission Group... from the drop-down menu, then click Select... to open the Groups window to search for and select the group created above.

    Add permission group

  5. Review the Permission Role grant to the Permission Group.

    Permission Role and Group detail

  6. Click Save Changes.

Configuring user provisioning from SuccessFactors to Active Directory

This section provides steps for user account provisioning from SuccessFactors to each Active Directory domain within the scope of your integration.

Part 1: Add the provisioning connector app and download the Provisioning Agent

To configure SuccessFactors to Active Directory provisioning:

  1. Go to https://portal.azure.com

  2. In the left navigation bar, select Azure Active Directory.

  3. Select Enterprise Applications, then All Applications.

  4. Select Add an application, and select the All category.

  5. Search for SuccessFactors to Active Directory User Provisioning, and add that app from the gallery.

  6. After the app is added and the app details screen is shown, select Provisioning.

  7. Change the Provisioning Mode to Automatic.

  8. Click the information banner displayed to download the Provisioning Agent.

    Download Agent

Part 2: Install and configure on-premises Provisioning Agent(s)

To provision to Active Directory on-premises, the Provisioning Agent must be installed on a domain-joined server that has network access to the desired Active Directory domain(s).

Transfer the downloaded agent installer to the server host and follow the steps listed in the install agent section to complete the agent configuration.

Part 3: In the provisioning app, configure connectivity to SuccessFactors and Active Directory

In this step, we establish connectivity with SuccessFactors and Active Directory in the Azure portal.

  1. In the Azure portal, go back to the SuccessFactors to Active Directory User Provisioning App created in Part 1.

  2. Complete the Admin Credentials section as follows:

    • Admin Username – Enter the username of the SuccessFactors API user account, with the company ID appended. It has the format: username@companyID

    • Admin password – Enter the password of the SuccessFactors API user account.

    • Tenant URL – Enter the name of the SuccessFactors OData API services endpoint. Enter only the host name of the server, without http or https. This value should look like: .successfactors.com.

    • Active Directory Forest - The "Name" of your Active Directory domain, as registered with the agent. Use the dropdown to select the target domain for provisioning. This value is typically a string like: contoso.com

    • Active Directory Container - Enter the container DN where the agent should create user accounts by default. Example: OU=Users,DC=contoso,DC=com

      Note

      This setting only comes into play for user account creations if the parentDistinguishedName attribute is not configured in the attribute mappings. This setting is not used for user search or update operations. The entire domain sub tree falls in the scope of the search operation.

    • Notification Email – Enter your email address, and check the "send email if failure occurs" checkbox.

      Note

      The Azure AD Provisioning Service sends an email notification if the provisioning job goes into a quarantine state.

    • Click the Test Connection button. If the connection test succeeds, click the Save button at the top. If it fails, double-check that the SuccessFactors credentials and the AD credentials configured on the agent setup are valid.

      Azure portal

    • Once the credentials are saved successfully, the Mappings section will display the default mapping Synchronize SuccessFactors Users to On Premises Active Directory.

Part 4: Configure attribute mappings

In this section, you will configure how user data flows from SuccessFactors to Active Directory.

  1. On the Provisioning tab under Mappings, click Synchronize SuccessFactors Users to On Premises Active Directory.

  2. In the Source Object Scope field, you can select which sets of users in SuccessFactors should be in scope for provisioning to AD, by defining a set of attribute-based filters. The default scope is "all users in SuccessFactors". Example filters:

    • Example: Scope to users with personIdExternal between 1000000 and 2000000 (excluding 2000000)

      • Attribute: personIdExternal

      • Operator: REGEX Match

      • Value: (1[0-9][0-9][0-9][0-9][0-9][0-9])

    • Example: Only employees and not contingent workers

      • Attribute: EmployeeID

      • Operator: IS NOT NULL

    Tip

    When you are configuring the provisioning app for the first time, you will need to test and verify your attribute mappings and expressions to make sure that they are giving you the desired result. Microsoft recommends using the scoping filters under Source Object Scope to test your mappings with a few test users from SuccessFactors. Once you have verified that the mappings work, you can either remove the filter or gradually expand it to include more users.

    Warning

    The default behavior of the provisioning engine is to disable/delete users that go out of scope. This may not be desirable in your SuccessFactors to AD integration. To override this default behavior, refer to the article Skip deletion of user accounts that go out of scope.

  3. In the Target Object Actions field, you can globally filter what actions are performed on Active Directory. Create and Update are most common.

  4. In the Attribute mappings section, you can define how individual SuccessFactors attributes map to Active Directory attributes.

    Note

    For the complete list of SuccessFactors attributes supported by the application, please refer to SuccessFactors Attribute Reference.

  5. Click an existing attribute mapping to update it, or click Add new mapping at the bottom of the screen to add new mappings. An individual attribute mapping supports these properties:

    • Mapping Type

      • Direct – Writes the value of the SuccessFactors attribute to the AD attribute, with no changes

      • Constant - Writes a static, constant string value to the AD attribute

      • Expression – Allows you to write a custom value to the AD attribute, based on one or more SuccessFactors attributes. For more info, see this article on expressions.

    • Source attribute - The user attribute from SuccessFactors

    • Default value – Optional. If the source attribute has an empty value, the mapping will write this value instead. The most common configuration is to leave this blank.

    • Target attribute – The user attribute in Active Directory.

    • Match objects using this attribute – Whether or not this mapping should be used to uniquely identify users between SuccessFactors and Active Directory. This value is typically set on the Worker ID field for SuccessFactors, which is typically mapped to one of the Employee ID attributes in Active Directory.

    • Matching precedence – Multiple matching attributes can be set. When there are multiple, they are evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated.

    • Apply this mapping

      • Always – Apply this mapping on both user creation and update actions

      • Only during creation - Apply this mapping only on user creation actions

  6. To save your mappings, click Save at the top of the Attribute-Mapping section.

Once your attribute mapping configuration is complete, you can test provisioning for a single user using on-demand provisioning and then enable and launch the user provisioning service.
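The following dry run is an added illustration, not part of the original tutorial and not the provisioning service's code: it shows how the scoping filter, matching precedence, default value and "Apply this mapping" settings described in Part 4 combine into a skip, create or update decision. The mappings, sample records and AD accounts are constructed, and whether REGEX Match anchors the pattern is an assumption, so `anchoring_sensitive` lists the IDs whose scope decision depends on it.

```python
import re

# Scoping filter value from the page (attribute personIdExternal, REGEX Match).
SCOPE_REGEX = r"(1[0-9][0-9][0-9][0-9][0-9][0-9])"

# Constructed mappings; the keys mirror the mapping properties listed above.
MAPPINGS = [
    {"type": "direct", "source": "personIdExternal", "target": "employeeID",
     "match": 1, "apply": "always"},
    {"type": "direct", "source": "email", "target": "mail",
     "match": 2, "apply": "always"},
    {"type": "direct", "source": "username", "target": "sAMAccountName", "apply": "create"},
    {"type": "direct", "source": "department", "target": "department",
     "default": "Unassigned", "apply": "always"},
    {"type": "constant", "value": "Contoso", "target": "company", "apply": "always"},
]

# Constructed sample data, not real records.
SF_RECORDS = [
    {"personIdExternal": "1000123", "email": "ana@contoso.com", "username": "ana", "department": ""},
    {"personIdExternal": "1000456", "email": "bo@contoso.com", "username": "bo", "department": "IT"},
    {"personIdExternal": "1999999", "email": "cy@contoso.com", "username": "cy", "department": "HR"},
    {"personIdExternal": "2000000", "email": "di@contoso.com", "username": "di", "department": "HR"},
    {"personIdExternal": "21000000", "email": "ed@contoso.com", "username": "ed", "department": "HR"},
]
AD_ACCOUNTS = [
    {"employeeID": "1000123", "mail": "ana@contoso.com",
     "sAMAccountName": "ana.old", "department": "Sales", "company": "Contoso"},
    {"mail": "bo@contoso.com", "sAMAccountName": "bo",
     "department": "IT", "company": "Contoso"},
]

def in_scope(record, anchored=True):
    """Scope check. The page does not say whether the service anchors the
    pattern, so both readings are offered (assumption)."""
    matcher = re.fullmatch if anchored else re.search
    return matcher(SCOPE_REGEX, record.get("personIdExternal") or "") is not None

def anchoring_sensitive(records):
    """IDs whose scope decision flips between anchored and unanchored matching."""
    return [r["personIdExternal"] for r in records
            if in_scope(r, True) != in_scope(r, False)]

def find_match(record, accounts):
    """Try matching attributes in precedence order; stop at the first hit."""
    for m in sorted((m for m in MAPPINGS if "match" in m), key=lambda m: m["match"]):
        value = record.get(m["source"])
        for account in accounts:
            if value and account.get(m["target"]) == value:
                return account, m["target"]
    return None, None

def plan(record, accounts):
    """Return the action and the AD attribute writes for one record."""
    if not in_scope(record):
        return {"action": "skip", "matched_on": None, "writes": {}}
    account, matched_on = find_match(record, accounts)
    action = "update" if account else "create"
    writes = {}
    for m in MAPPINGS:
        if m["apply"] == "create" and action == "update":
            continue  # "Only during creation" mappings are not re-applied
        value = m["value"] if m["type"] == "constant" else record.get(m["source"])
        if value in (None, ""):
            value = m.get("default")  # empty source falls back to the default
        if value is not None and (account or {}).get(m["target"]) != value:
            writes[m["target"]] = value
    return {"action": action, "matched_on": matched_on, "writes": writes}

if __name__ == "__main__":
    for rec in SF_RECORDS:
        print(rec["personIdExternal"], plan(rec, AD_ACCOUNTS))
    print("anchoring-sensitive IDs:", anchoring_sensitive(SF_RECORDS))
```

Any ID reported by `anchoring_sensitive` is worth confirming with on-demand provisioning before the filter is relied on, since users that go out of scope are disabled/deleted by default.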

Enable and launch user provisioning

Once the SuccessFactors provisioning app configurations have been completed and you have verified provisioning for a single user with on-demand provisioning, you can turn on the provisioning service in the Azure portal.

Tip

By default, when you turn on the provisioning service, it will initiate provisioning operations for all users in scope. If there are errors in the mapping or SuccessFactors data issues, then the provisioning job might fail and go into the quarantine state. To avoid this, as a best practice, we recommend configuring the Source Object Scope filter and testing your attribute mappings with a few test users using on-demand provisioning before launching the full sync for all users. Once you have verified that the mappings work and are giving you the desired results, you can either remove the filter or gradually expand it to include more users.

  1. Go to the Provisioning blade and click Start provisioning.

  2. This operation will start the initial sync, which can take a variable number of hours depending on how many users are in the SuccessFactors tenant. You can check the progress bar to track the progress of the sync cycle.

  3. At any time, check the Audit logs tab in the Azure portal to see what actions the provisioning service has performed. The audit logs list all individual sync events performed by the provisioning service, such as which users are being read out of SuccessFactors and then subsequently added or updated to Active Directory.

  4. Once the initial sync is completed, it will write an audit summary report in the Provisioning tab, as shown below.

    Provisioning progress bar

Next steps