ℹ️ Information |
---|
This repository contains the connector and configuration code only. The implementer is responsible for acquiring the connection details such as username, password, certificate, etc. You might even need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements. |
HelloID-Conn-Prov-Target-Nedap-AEOS is a target connector. Nedap-AEOS provides a set of SOAP APIs that allow you to programmatically interact with its data. The HelloID connector uses the API endpoints listed in the table below.
Endpoint | Description |
---|---|
addEmployee | Create an employee |
changeEmployee | Update an employee |
findEmployee | Search for an employee |
findCarrierToken | Search for badges assigned to an employee |
withdrawCarrierToken | Remove an assigned badge from an employee |
findTemplate | List the available authorization templates |
addCarrierAuthorizations | Assign an authorization template to an employee |
removeCarrierAuthorizations | Remove an authorization template assignment from an employee |
The following lifecycle events are available:
Event | Description | Notes |
---|---|---|
create.ps1 | Create (or update) and correlate an Account | - |
update.ps1 | Update the Account | - |
enable.ps1 | Enable the Account | - |
disable.ps1 | Disable the Account | - |
delete.ps1 | This is not available/supported in the current connector | - |
The following settings are required to connect to the API.
Setting | Description | Mandatory |
---|---|---|
UserName | The UserName to connect to the API | Yes |
Password | The Password to connect to the API | Yes |
BaseUrl | The URL to the API https://<server ip >/aeosws | Yes |
IsDebug | Enables or disables the debug logging | |
No special Prerequisites.
- This connector uses the explicit SOAP messages from the WSDL rather than the function names from the WSDL.
- All API calls may require the fields to be in a specific order, so do not change the order of the fields in the `$account` object.
- Create Account will correlate the employee account with `findEmployee` based on the `PersonnelNo` field, and create (`addEmployee`) or update (`changeEmployee`) the employee account as required. The account reference used by HelloID is the `Id` field of the employee. The `ArrivalDateTime` is set to the far future in order to create the account as disabled.
- Enable Account uses the `changeEmployee` endpoint and sets the `ArrivalDateTime` to the current time and the `LeaveDateTime` to the far future (because it cannot clear the `LeaveDateTime`).
- Disable Account uses the `changeEmployee` endpoint and sets the `LeaveDateTime` to the current time. It also uses `findCarrierToken` and `withdrawCarrierToken` to remove any badges from the account.
- Delete Account is not implemented as part of the life cycle of the account.
- Badges are only removed from the account when disabling. Creating and assigning badges (carrier tokens) is not part of this implementation.
- Permissions are based on the available permission templates in AEOS. The permissions script collects a list of available templates, and the grant and revoke scripts will add/remove (`addCarrierAuthorizations` and `removeCarrierAuthorizations`) a permission template to/from an employee.
- Nedap AEOS issue found: a template can be assigned multiple times to a single user, which can cause a problem when revoking the template: `Could not revoke Nedap-AEOS account. Error: TemplateId [305] is multiple times assigned to User. Stop Processing!` Note that this should not occur under normal operation, unless manual assignments are made outside of HelloID.
Here is a code example of how one might automatically remove one of the templates by adding the from date to single out a specific template:

```powershell
# $auditLogs.Add([PSCustomObject]@{
#     Message = "Revoke Nedap-AEOS entitlement: [$($pRef.DisplayName)] was Partial successful"
#     IsError = $true
# })
# [xml]$bodyRemoveAuth = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sch="http://www.nedap.com/aeosws/schema">
#     <soapenv:Header/>
#     <soapenv:Body>
#         <sch:ProfileRemove>
#             <sch:CarrierId></sch:CarrierId>
#             <sch:AuthorisationOnlineId>
#                 <sch:TemplateAuthorisation>
#                     <sch:TemplateId></sch:TemplateId>
#                     <sch:DateFrom>{0}</sch:DateFrom>
#                 </sch:TemplateAuthorisation>
#             </sch:AuthorisationOnlineId>
#         </sch:ProfileRemove>
#     </soapenv:Body>
# </soapenv:Envelope>
# ' -f ($templates | Select-Object -First 1).DateFrom
```
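
The duplicate-assignment case above leaves physical access in place if only one copy of a template is removed. The following added example (not part of the connector) builds one `ProfileRemove` body per assignment of the template being revoked, each pinned by its `DateFrom`. The helper names `New-ProfileRemoveBody` and `Get-RevokeBodies`, the sample data and the date format are assumptions; the element layout is the one from the snippet above.

```powershell
# Added example, not connector code. Constructed sample data: the authorizations
# currently assigned to one carrier (TemplateId 305 is assigned twice).
$assignments = @(
    [PSCustomObject]@{ TemplateId = '305'; DateFrom = '2023-01-10T00:00:00' }
    [PSCustomObject]@{ TemplateId = '305'; DateFrom = '2023-06-01T00:00:00' }
    [PSCustomObject]@{ TemplateId = '412'; DateFrom = '2023-02-15T00:00:00' }
)

function New-ProfileRemoveBody {   # hypothetical helper
    param([string]$CarrierId, [string]$TemplateId, [string]$DateFrom)
    [xml]$body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sch="http://www.nedap.com/aeosws/schema">
  <soapenv:Header/>
  <soapenv:Body>
    <sch:ProfileRemove>
      <sch:CarrierId/>
      <sch:AuthorisationOnlineId>
        <sch:TemplateAuthorisation>
          <sch:TemplateId/>
          <sch:DateFrom/>
        </sch:TemplateAuthorisation>
      </sch:AuthorisationOnlineId>
    </sch:ProfileRemove>
  </soapenv:Body>
</soapenv:Envelope>'
    $ns = New-Object System.Xml.XmlNamespaceManager($body.NameTable)
    $ns.AddNamespace('sch', 'http://www.nedap.com/aeosws/schema')
    # InnerText XML-escapes the value, unlike formatting it into the envelope string.
    $body.SelectSingleNode('//sch:CarrierId', $ns).InnerText  = $CarrierId
    $body.SelectSingleNode('//sch:TemplateId', $ns).InnerText = $TemplateId
    $body.SelectSingleNode('//sch:DateFrom', $ns).InnerText   = $DateFrom
    $body.OuterXml
}

function Get-RevokeBodies {   # hypothetical helper
    param([string]$CarrierId, [string]$TemplateId, [object[]]$Assignments)
    $hits = @($Assignments | Where-Object { $_.TemplateId -eq $TemplateId } | Sort-Object DateFrom)
    if ($hits.Count -gt 1) {
        # Surface the out-of-band assignment instead of silently stopping.
        Write-Warning "TemplateId [$TemplateId] is assigned $($hits.Count) times to carrier [$CarrierId]"
    }
    # One request per assignment, so no copy of the template survives the revoke.
    foreach ($hit in $hits) { New-ProfileRemoveBody $CarrierId $TemplateId $hit.DateFrom }
}

# Yields two bodies for template 305, oldest DateFrom first.
$bodies = @(Get-RevokeBodies -CarrierId '1001' -TemplateId '305' -Assignments $assignments)
$bodies
```
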
It is possible to update the account in the target system during the correlation process, but this behavior is disabled by default, meaning the account will only be created or correlated.
You can change this behavior in the configuration by enabling the toggle `UpdateOnCorrelate`.
Be aware that this might have unexpected implications.
No special configuration required
For extended information about the AEOS API, see the `aeos_soap_webservice_icm_en.pdf` document in this repo.
For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages
If you need help, feel free to ask questions on our forum
The official HelloID documentation can be found at: https://docs.helloid.com/