HelloID-Conn-Prov-Target-Nedap-AEOS
| âšī¸ Information |
|---|
| This repository contains the connector and configuration code only. The implementer is responsible to acquire the connection details such as username, password, certificate, etc. You might even need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements. |
Table of contents
Introduction
HelloID-Conn-Prov-Target-Nedap-AEOS is a target connector. Nedap-AEOS provides a set of SOAP API's that allow you to programmatically interact with its data. The HelloID connector uses the API endpoints listed in the table below.
| Endpoint | Description |
|---|---|
| addEmployee | Create an employee |
| changeEmployee | update an employee |
| findEmployee | Search for an employee |
| findCarrierToken | Search for badges assigned to an employee |
| withdrawCarrierToken | removes an assiged badge from an employee |
| findTemplate | lists the available authorization templates |
| addCarrierAuthorizations | assigns an authorization template to an employee |
| removeCarrierAuthorizations | removes an authorization template assignment from an employee |
The following lifecycle events are available:
| Event | Description | Notes |
|---|---|---|
| create.ps1 | Create (or update) and correlate an Account | - |
| update.ps1 | Update the Account | - |
| enable.ps1 | Enable the Account | - |
| disable.ps1 | Disable the Account | - |
| delete.ps1 | This is not available/supported in the current connector |
Getting started
Connection settings
The following settings are required to connect to the API.
| Setting | Description | Mandatory |
|---|---|---|
| UserName | The UserName to connect to the API | Yes |
| Password | The Password to connect to the API | Yes |
| BaseUrl | The URL to the API https://<server ip>/aeosws |
Yes |
| IsDebug | to enable/disable the debug logging |
Prerequisites
No special Prerequisites.
Remarks
-
This connector uses the explicit SOAP messages from the wsdl rather than the function names from de wsdl.
-
All api calls may require the fields to be in a specific order so do not change the order of the fields in the $account object.
-
Create Account will correlate the employee account with
findEmployeebased on thePersonnelNofield, and create (addEmployee) or update (changeEmployee) the employee account as required. The account reference used by HelloId is theIdfield of the employee. TheArrivalDateTimeis set to the far future in order to create the account as disabled. -
Enable Account uses
changeEmployeeendpoint and sets theArrivalDateTimeto the current time andLeaveDateTimeto the far future (because in cannot clear the leaveDateTime). -
Disable Account uses
changeEmployeeendpoint and sets theLeaveDateTimeto the current time. It also usesFindCarrierTokenandwithdrawCarrierTokento remove any badges from the account. -
Delete account is not implemented as part of the life cycle of the account.
-
Badges are only removed from the account when disabling. Creating and assigning badges (Carrier tokens) is not part of this implementation.
-
Permissions are based on the available Permission Templates in AEOS. The permissions script collects a list of available Templates, and the grant en revoke scripts will add/remove (
addCarrierAuthorizationsandremoveCarrierAuthorizations) an permission template to/from an Employee. -
Nedap AEOS Issue found: A template can be assigned multiple times to a single user. Which can cause a problem with revoking the template: Could not revoke Nedap-AEOS account. Error: TemplateId [305] is multiple times assigned to User. Stop Processing! Note that this should not occur under normal operation, unless manual assignments are made outside of HelloId
Here is a code example how one might automatically remove one of the templates by adding the from date to specify a specific template
# $auditLogs.Add([PSCustomObject]@{
# Message = "Revoke Nedap-AEOS entitlement: [$($pRef.DisplayName)] was Partial successful"
# IsError = $true
# })
# [xml]$bodyRemoveAuth = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sch="http://www.nedap.com/aeosws/schema">
# <soapenv:Header/>
# <soapenv:Body>
# <sch:ProfileRemove>
# <sch:CarrierId></sch:CarrierId>
# <sch:AuthorisationOnlineId>
# <sch:TemplateAuthorisation>
# <sch:TemplateId></sch:TemplateId>
# <sch:DateFrom>{0}</sch:DateFrom>
# </sch:TemplateAuthorisation>
# </sch:AuthorisationOnlineId>
# </sch:ProfileRemove>
# </soapenv:Body>
# </soapenv:Envelope>
# ' -f ($templates | Select-Object -First 1).DateFromIt is possible to update the account in the target system during the correlation process, this behavior is disabled. Meaning, the account will only be created or correlated.
You can change this behavior in the configuration by enabling the toggle UpdateOnCorrelate.
Be aware that this might have unexpected implications.
Setup the connector
No special configuration required
Getting help
For extended information about the api of AEOS see the
aeos_soap_webservice_icm_en.pdfdocument in this repo
For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages
If you need help, feel free to ask questions on our forum
HelloID docs
The official HelloID documentation can be found at: https://docs.helloid.com/
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent