4me Mappings

Background

In 4me, SCIM user data is not stored directly in 4me person records. The same applies to SCIM group data. Instead, all incoming SCIM data is stored in separate SCIM user and group records in 4me. Automation rules are then used to map the SCIM users to 4me people and SCIM groups to 4me organizations or sites.

After each update to a SCIM user, all SCIM user automation rules are executed against that SCIM user to update the person record. After each update of a SCIM group, first the SCIM group automation rules are executed, followed by the SCIM user automation rules for all members of the group that were added or deleted.

When the SCIM user or SCIM group automation rules themselves are updated, all SCIM users/groups are reprocessed automatically.

Using automation rules to define the mapping gives the account administrator a lot of flexibility to get the SCIM integration customized correctly to their situation.

A set of default mappings is provided by 4me to get you started quickly.

To access the automation rules, log in to 4me as an account administrator and go to the Settings console. Open the SCIM Users or SCIM Groups menu and click on Automation Rules… in the Actions menu.

Automation Rules

Default mappings

When the SCIM user or SCIM group automation rules are accessed for the first time, 4me will populate the automation rules using the default mappings as described below. You can either use them as is, or customize the automation rules as you see fit.

To revert to the default automation rules, simply delete all SCIM user or SCIM group automation rules, close the automation rules window and open it again.

Default user mapping

The default user mapping tries to populate as much of the 4me person fields as possible given the SCIM user attributes available. This is how the automation rule works:

Primary email

As explained in the mapping section, the userName attribute should contain the primary email address of the user. If that is not the case, 4me will look at the emails attribute. First it tries to find an email address marked as primary. If that fails, it takes the first email address defined.

Emails

Next, all SCIM emails are collected. The SCIM email that holds the primary email address is excluded so as not to duplicate data in the 4me person record.

Name

If the userName attribute is not an email address, 4me assumes it contains the name; however, 4me prefers the name to be set in the displayName attribute. If both attributes are empty, the name.formatted attribute is taken. As a final fallback, the name is generated by combining the name.givenName and name.familyName attributes. If the name cannot be resolved, the person.name is left unchanged. The name attributes can of course be customized.

Job title

The title attribute is mapped to the job title. If blank, it defaults to the current job title of the person.

Organization

The <enterprise extension>.organization is used to find an organization in 4me with that name. If missing, the first group-membership of an organization group is used. If the organization is disabled it is not used. If no enabled organization was found, the current organization of the person is used. If the person was new and no organization is known yet, it defaults to the organization linked to the 4me account.

Site

The <enterprise extension>.site is used to find a site in 4me with that name. If missing, the first group-membership of a site group is used. If the site is disabled it is not used. If no enabled site was found, the current site of the person is used.

Location

The <enterprise extension>.location attribute is mapped to the location. If blank, it defaults to the current location of the person.

EmployeeID

The <enterprise extension>.employeeNumber attribute is mapped to the employeeID. If blank, it defaults to the current employeeID of the person.

SupportID

The <enterprise extension>.supportID attribute is mapped to the supportID. If blank, it defaults to the current supportID of the person.

Manager

The <enterprise extension>.manager.value attribute is used to find a SCIM user record in 4me. If found, the related person record is taken. In case the person record is disabled it is cleared. If no manager was found it defaults to the current manager of the person.

Locale

Only for new person records the locale attribute is mapped to the locale. As users in 4me are able to update their locale preference, the locale SCIM attribute is ignored for existing people.

Time zone

Only for new person records the timezone attribute is mapped to the time zone. As users in 4me are able to update their time zone preference, the timezone SCIM attribute is ignored for existing people.

VIP

If the userType attribute is not blank and contains the string VIP, the person is marked as VIP. If the userType attribute is blank, the person’s VIP status is not altered. If the userType attribute is not blank and does not contain the string VIP, the person’s VIP status will be removed.

Contacts

The person’s contacts are marked with the integration flag when they were added by the SCIM integration. Before adding all phoneNumbers as contacts, the existing integration contacts will be cleared.

Addresses

The person’s addresses are marked with the integration flag when they were added by the SCIM integration. Before all addresses are added to the person, the existing integration addresses will be cleared.

Condition

People records in 4me can only be created when at least the primary email and name are known. The condition is defined to make sure 4me does not try to create invalid person records in vain.

Source

The source and sourceID are set to SCIM and the SCIM user record id, respectively. All other actions are simple assignments of the data gathered by the mappings described above.
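The primary email, emails, name, VIP and condition steps described above can be modelled offline to preview what an identity provider's payload would produce before provisioning is enabled. This is an added example in Python, not 4me's automation rule syntax or code; the function names, the email check, the name precedence (displayName, then a non-email userName, then name.formatted, then given plus family name) and the case-sensitive VIP match are assumptions based on one reading of the text.

```python
import re

# Assumption: a loose "looks like an email" check; the page does not say how 4me decides.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def is_email(value):
    return bool(value) and EMAIL_RE.match(value) is not None

def preview_default_mapping(scim_user, person=None):
    """Model the documented defaults; `person` is the existing 4me person, if any."""
    person = person or {}
    user_name = (scim_user.get("userName") or "").strip()
    emails = [e for e in scim_user.get("emails") or [] if e.get("value")]

    # Primary email: userName, else the email flagged primary, else the first one.
    if is_email(user_name):
        primary = user_name
    else:
        flagged = [e["value"] for e in emails if e.get("primary")]
        primary = flagged[0] if flagged else (emails[0]["value"] if emails else None)

    # Emails: everything except the primary address, to avoid duplicating it.
    others = [e["value"] for e in emails
              if primary is None or e["value"].lower() != primary.lower()]

    # Name: displayName, non-email userName, name.formatted, given + family, current.
    n = scim_user.get("name") or {}
    combined = " ".join(p for p in (n.get("givenName"), n.get("familyName")) if p)
    candidates = [scim_user.get("displayName"),
                  None if is_email(user_name) else user_name,
                  n.get("formatted"), combined, person.get("name")]
    name = next((c.strip() for c in candidates if c and c.strip()), None)

    # VIP is tri-state: a blank userType leaves the current flag untouched.
    user_type = (scim_user.get("userType") or "").strip()
    vip = person.get("vip") if not user_type else "VIP" in user_type

    return {"primary_email": primary, "emails": others, "name": name, "vip": vip,
            "creatable": bool(primary and name)}  # the rule's Condition

# Constructed sample payload (not from a real identity provider).
SAMPLE = {"userName": "jdoe", "userType": "Contractor",
          "emails": [{"value": "j.doe@example.com"},
                     {"value": "jane@example.com", "primary": True}],
          "name": {"givenName": "Jane", "familyName": "Doe"}}

if __name__ == "__main__":
    print(preview_default_mapping(SAMPLE, {"name": "Old Name", "vip": True}))
```

With the sample payload, the login name becomes the person's name because displayName is absent, and the non-blank userType removes an existing VIP flag; both are outcomes worth checking against real directory data before the first sync.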

Default group mappings

Organizations

The displayName attribute is used to search for an organization in 4me. When this SCIM group was already linked to a 4me organization, that organization is kept (and possibly the name is updated). If an organization is present, the SCIM group is linked to that organization and the classification of the SCIM group is set to organization. Finally the name of the organization is kept in sync with the displayName attribute of the SCIM group.

The members of the group are always processed so that the SCIM group is linked to all SCIM users that are a member of this group. This is not part of the mapping.

Sites

The displayName attribute is used to search for a site in 4me. When this SCIM group was already linked to a 4me site, that site is kept (and possibly the name is updated). If a site is present, the SCIM group is linked to that site and the classification of the SCIM group is set to site. Finally the name of the site is kept in sync with the displayName attribute of the SCIM group.

The members of the group are always processed so that the SCIM group is linked to all SCIM users that are a member of this group. This is not part of the mapping.

Custom mappings

As the SCIM mappings in 4me are defined as automation rules, there are many possibilities to tweak your SCIM integration.

Feel free to contact your 4me partner for assistance.

Some common customizations are shared below. Do you have a great customization that could be beneficial to other 4me customers? If so, please contact 4me, and it will be added to the documentation below. Thanks in advance!

Custom user mappings

Family name first

A customization could be to format the name of the person as “[name.familyName], [name.givenName]”. When you are sure that both attributes are always provided, replace the default name mapping:

Name

with

Name

Custom group mappings

Coming soon.