Active Directory
Active Directory (AD) is a Microsoft directory service that acts as a single repository for user and computer-related information. Sage People can integrate with Active Directory to synchronize certain data items between Sage People and the Active Directory database.
Benefits of integrating Sage People with Active Directory (AD) include:
- less overhead, because User Records no longer have to be created and updated in two places
- up-to-date employee information for IT, because data is synced from your HR system of record to AD
- a more secure system, because leaving dates recorded in Sage People flow through to AD, so departing employees can't access their email after their leaving date
How Sage People integrates with Active Directory (AD)
Typically, you'll implement an integration between AD and Sage People using a PowerShell script. It's also possible to use Payflow to transfer CSV files via SFTP; use this method if your security requirements don't permit the PowerShell approach. Who is responsible for setting up and maintaining the AD synchronization depends on your agreement with Sage.
Sage People as the master source of data
- Sage People recommends you use Sage People as the master source of data and push data from Sage People to AD
- It's possible to use both Sage People and AD as the master source of data for different fields
The integration reads records from the Sage People data tables and looks up the corresponding account in AD. It then either updates the existing AD user record or creates a new one. For example, when an HR manager creates a new Team Member in Sage People, the script and API push this data into AD and create the user record there.
The integration generally matches Sage People records to AD accounts on the employee's User Principal Name (UPN, the userPrincipalName attribute), which AD uses as the unique identifier.
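The following script is an added illustration of the push direction described above; it is not Sage People's own integration script. It takes a set of Team Member records (constructed inline here as stand-ins for what the Sage People API returns; the field names Upn, FirstName, ManagerUpn and so on are illustrative, not Sage People's API names), matches each to an AD account on userPrincipalName, and creates or updates the account. The OU it creates new accounts in is an assumption. Two details matter to a practitioner: the UPN is escaped before being placed in the LDAP filter so that HR-supplied data cannot change the query, and new joiners are created disabled with no password, so that credentials never travel with HR data.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: the OU in which accounts for new Team Members are created.
    [string]$NewUserOU = 'OU=Staff,DC=example,DC=com'
)

# RFC 4515 escaping so an HR-supplied value cannot change the shape of the LDAP filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

# Look up exactly one AD account by UPN; returns $null if none, throws if ambiguous.
function Get-AdUserByUpn {
    param([Parameter(Mandatory)][string]$Upn)
    $filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn))"
    $hits = @(Get-ADUser -LDAPFilter $filter -Properties title, department, manager)
    if ($hits.Count -gt 1) { throw "UPN '$Upn' matches $($hits.Count) AD accounts; refusing to update." }
    if ($hits.Count -eq 1) { return $hits[0] }
    return $null
}

# Constructed stand-ins for records the Sage People API would return. The field names
# are illustrative placeholders, not Sage People's actual API field names.
$teamMembers = @(
    @{ Upn = 'jane.doe@example.com'; FirstName = 'Jane'; LastName = 'Doe';  Title = 'HR Manager'; Department = 'HR';         ManagerUpn = 'sam.lee@example.com'; LeavingDate = $null },
    @{ Upn = 'sam.lee@example.com';  FirstName = 'Sam';  LastName = 'Lee';  Title = 'Director';   Department = 'Operations'; ManagerUpn = $null;                 LeavingDate = $null },
    @{ Upn = 'olu.hand@example.com'; FirstName = 'Olu';  LastName = 'Hand'; Title = 'Analyst';    Department = 'Finance';    ManagerUpn = 'sam.lee@example.com'; LeavingDate = [datetime]'2024-01-31' }
)

$today = (Get-Date).Date
foreach ($tm in $teamMembers) {
    try { $adUser = Get-AdUserByUpn -Upn $tm.Upn } catch { Write-Warning $_.Exception.Message; continue }

    # Resolve the manager's UPN to a DN: Set-ADUser -Manager does not accept a UPN as an identity.
    $managerDn = $null
    if ($tm.ManagerUpn) {
        $mgr = Get-AdUserByUpn -Upn $tm.ManagerUpn
        if ($mgr) { $managerDn = $mgr.DistinguishedName } else { Write-Warning "Manager $($tm.ManagerUpn) is not in AD yet" }
    }

    if (-not $adUser) {
        # New joiner: create the account disabled and without a password. IT sets the
        # initial credential through its own process; HR data never carries secrets.
        $sam = $tm.Upn.Split('@')[0] -replace '[^a-zA-Z0-9._-]', ''
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName length limit
        New-ADUser -Name "$($tm.FirstName) $($tm.LastName)" -GivenName $tm.FirstName -Surname $tm.LastName `
            -UserPrincipalName $tm.Upn -SamAccountName $sam -Path $NewUserOU `
            -Title $tm.Title -Department $tm.Department -Enabled $false
        $adUser = Get-AdUserByUpn -Upn $tm.Upn
        if (-not $adUser) { continue }   # -WhatIf run: nothing was created
    } else {
        # Existing account: overwrite only the fields that Sage People owns.
        Set-ADUser -Identity $adUser -GivenName $tm.FirstName -Surname $tm.LastName `
            -Title $tm.Title -Department $tm.Department
    }
    if ($managerDn) { Set-ADUser -Identity $adUser -Manager $managerDn }

    # Leavers: expire the account at the end of the leaving date so access stops even if
    # a later sync run is missed, and disable it outright once the date has passed.
    if ($tm.LeavingDate) {
        Set-ADAccountExpiration -Identity $adUser -DateTime $tm.LeavingDate.AddDays(1)
        if ($tm.LeavingDate -lt $today) { Disable-ADAccount -Identity $adUser }
    }
}
```

Run the script with -WhatIf first: because it declares SupportsShouldProcess, every New-ADUser, Set-ADUser, Set-ADAccountExpiration and Disable-ADAccount call reports what it would do without touching the directory. The ambiguity check in Get-AdUserByUpn is deliberate: if a UPN matches more than one account, the safe behaviour is to skip and warn rather than guess which one HR meant.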
Active Directory (AD) as the master source of data
Although we recommend you use Sage People as the master source of data, it's possible to push data from AD into Sage People. Typically, you'll push data such as phone numbers you maintain in AD into Sage People to update the Team Member record.
If AD acts as the master source of data for certain fields, consider making those fields read-only in Sage People so they aren't edited by hand and then overwritten by the next sync.
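The reverse direction, with AD as the source of truth for phone numbers, as an added example rather than Sage People's own script. It reads telephoneNumber and mobile from enabled AD accounts, finds the matching Team Member through the Salesforce REST API, and PATCHes only those two fields, so fields that Sage People owns are never written. Assumptions: the OAuth access token for the API-only integration user has already been obtained; the instance URL, search base OU, and the Sage People object and field API names used here are placeholders to check against your org's Object Manager rather than a statement of Sage People's real schema.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$InstanceUrl,   # assumption: e.g. https://yourorg.my.salesforce.com
    [Parameter(Mandatory)][string]$AccessToken,   # OAuth access token for the API-only integration user
    [string]$ApiVersion = 'v59.0',
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',
    # Assumptions: illustrative object/field API names, not Sage People's real schema.
    [string]$TeamMemberObject = 'fHCM2__Team_Member__c',
    [string]$UpnField = 'fHCM2__Email__c',
    [hashtable]$PhoneFieldMap = @{ telephoneNumber = 'fHCM2__Work_Phone__c'; mobile = 'fHCM2__Mobile_Phone__c' }
)

$headers = @{ Authorization = "Bearer $AccessToken" }
$base = "$($InstanceUrl.TrimEnd('/'))/services/data/$ApiVersion"

# SOQL string-literal escaping: a UPN read from AD must not be able to alter the query.
function ConvertTo-SoqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    return "'" + $Value.Replace('\', '\\').Replace("'", "\'") + "'"
}

# Find the Team Member whose UPN field matches; $null if none, throws if ambiguous.
function Get-TeamMemberByUpn {
    param([Parameter(Mandatory)][string]$Upn)
    $fields = @('Id') + @($PhoneFieldMap.Values)
    $soql = "SELECT $($fields -join ', ') FROM $TeamMemberObject WHERE $UpnField = $(ConvertTo-SoqlLiteral $Upn)"
    $resp = Invoke-RestMethod -Uri "$base/query?q=$([uri]::EscapeDataString($soql))" -Headers $headers -Method Get
    if ($resp.totalSize -gt 1) { throw "UPN '$Upn' matches $($resp.totalSize) Team Members; skipping." }
    if ($resp.totalSize -eq 1) { return $resp.records[0] }
    return $null
}

# Enabled user accounts with a UPN only (bit 2 of userAccountControl is ACCOUNTDISABLE).
$ldap = '(&(objectCategory=person)(objectClass=user)(userPrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$adUsers = Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties userPrincipalName, telephoneNumber, mobile

foreach ($u in $adUsers) {
    try { $tm = Get-TeamMemberByUpn -Upn $u.UserPrincipalName } catch { Write-Warning $_.Exception.Message; continue }
    if (-not $tm) { Write-Verbose "No Team Member for $($u.UserPrincipalName)"; continue }

    # Build a payload containing only the AD-owned fields, and only where the value changed.
    # An empty AD attribute is sent as null so the Sage People field is cleared rather than set to ''.
    $payload = @{}
    foreach ($adAttr in $PhoneFieldMap.Keys) {
        $sfField = $PhoneFieldMap[$adAttr]
        $adValue = [string]$u.$adAttr
        if ($adValue -ne [string]$tm.$sfField) {
            $payload[$sfField] = if ($adValue -eq '') { $null } else { $adValue }
        }
    }
    if ($payload.Count -eq 0) { continue }

    if ($PSCmdlet.ShouldProcess("$TeamMemberObject $($tm.Id)", "PATCH $($payload.Keys -join ', ')")) {
        Invoke-RestMethod -Uri "$base/sobjects/$TeamMemberObject/$($tm.Id)" -Headers $headers -Method Patch `
            -ContentType 'application/json' -Body ($payload | ConvertTo-Json -Compress) | Out-Null
    }
}
```

Because the payload is built from $PhoneFieldMap alone, the integration user only needs Edit access on those two fields, which is exactly the field-level security the API profile section below recommends; everything else can stay read-only or hidden and the script still works. As with the push script, -WhatIf previews the PATCH calls without sending them.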
API Profile and security
Sage People creates a Profile (usually called API) for the AD integration. In newer orgs, this Profile may already be present as standard. The profile is blank apart from the following permissions, which we enable:
- API Enabled: allows API access
- API Only User: ensures that the holder of the API account can access Salesforce only through the API; they can't sign in through the web user interface
- Password Never Expires: prevents the integration downtime that an expired password causes
On a Profile, these settings are under:
- Administrative Permissions in the classic Profile interface
- System Permissions in the Enhanced Profile Interface
Don't enable any other permissions on the API profile. Enabling further permissions on this profile can result in a security breach; this includes object-level access, field-level access, Visualforce page access, and Apex class access.
If no API profile is present in the org, select New Profile to create it. The system prompts you for the Existing Profile to clone from. Select Minimum Access – Salesforce so that no permissions are enabled by default, as shown in the screenshot below, then enable the three permissions specified above.
We use field-level security to control which fields the API can access. To do this, create a permission set for the API user that grants access only to the fields included in the synchronization. In that field-level security, give Edit access to fields where AD is the source of truth and Read access to fields where Sage People is the source of truth. This way the integration user can write only the fields AD owns, and a compromised API credential can't change anything else.