Understanding HRIS Data and SCIM

04/2022 - rev 2

Overview

Oort can ingest data from HRIS or HCM (human capital management) systems and compare it to other identity sources in order to highlight inconsistencies or security risks, such as improperly deprovisioned or terminated users.

SCIM (System for Cross-domain Identity Management) is the common format for exchanging user identity data or objects between systems.

Aligning your HRIS or HCM data output format to SCIM allows for faster and more consistent mapping of user identities between systems.

Goal

The goal of this document is to outline the elements of the core SCIM model for the "user" resource, which is used in the Oort platform.

Benefits

Mismatches between identity sources such as an HRIS system and a primary identity platform (IDP) or IAM system are a common and significant source of security vulnerabilities.

Discrepancies often arise when, for example, a user moves departments or managers in HR and the IDP system is not updated (or vice versa).

This often escalates into the more serious problem of a user account not being deprovisioned in the IDP when the user leaves the organization.

User Account Examples

When user account information doesn't match between two identity sources, Oort will provide an indication in the User 360 view.

In the scenario where a user account record is missing from the HRIS file, we suggest opening a ticket or emailing the user's manager to determine why the user record might be missing in the HR system.

SCIM User Resource Properties

The Oort platform uses the following User properties or elements from SCIM (RFC 7643).

  • schemas

  • id

  • externalid

  • meta

  • username

  • name

  • displayname

  • nickname

  • profileurl

  • title

  • usertype

  • preferredlanguage

  • locale

  • timezone

  • active

  • phonenumbers

  • emails

  • addresses

  • user

Note that these properties are of different types - some are singular values and some can contain an array of values.

They will also have different formats, as defined in the RFC. For example, "timezone" is formatted according to IANA Time Zone database format [RFC6557].

The "user" property (last in the list above) is defined as part of the Enterprise User Schema Extension. Please see the format below for included sub-attributes, such as costCenter and department.

Oort SCIM JSON Format

The format below represents an ideal SCIM data model for import into Oort.

Note - copy this block into your JSON viewer or editor of choice for better viewing.

You can also download this template file here.

[
  {
    "name": "schemas",
    "type": "array<string>"
  },
  {
    "name": "id",
    "type": "string"
  },
  {
    "name": "externalid",
    "type": "string"
  },
  {
    "name": "meta",
    "type": "struct<resourceType:string,created:string,lastModified:string,location:string,version:string>"
  },
  {
    "name": "username",
    "type": "string"
  },
  {
    "name": "name",
    "type": "struct<formatted:string,familyName:string,givenName:string,middleName:string,honorificPrefix:string,honorificSuffix:string>"
  },
  {
    "name": "displayname",
    "type": "string"
  },
  {
    "name": "nickname",
    "type": "string"
  },
  {
    "name": "profileurl",
    "type": "string"
  },
  {
    "name": "title",
    "type": "string"
  },
  {
    "name": "usertype",
    "type": "string"
  },
  {
    "name": "preferredlanguage",
    "type": "string"
  },
  {
    "name": "locale",
    "type": "string"
  },
  {
    "name": "timezone",
    "type": "string"
  },
  {
    "name": "active",
    "type": "boolean"
  },
  {
    "name": "phonenumbers",
    "type": "array<struct<type:string,value:string>>"
  },
  {
    "name": "emails",
    "type": "array<struct<type:string,value:string,primary:boolean>>"
  },
  {
    "name": "addresses",
    "type": "array<struct<formatted:string,streetAddress:string,locality:string,region:string,postalCode:string,country:string>>"
  },
  {
    "name": "user",
    "type": "struct<employeeNumber:string,costCenter:string,organization:string,division:string,department:string,manager:struct<value:string,displayName:string>>"
  }]
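
The mismatch checks described under Benefits can be sketched over records shaped like the template above. This is an added example, not Oort's code: the function names, finding labels, sample users, and the choice to match on lower-cased username are all assumptions.

```python
# Added example: flag active IdP accounts that disagree with HRIS records.
# Matching on lower-cased "username" is an assumption, not Oort's logic.
def _key(rec):
    return (rec.get("username") or "").strip().lower()

def _ent(rec, field):
    """Read an enterprise 'user' sub-attribute; manager compares on its value."""
    val = (rec.get("user") or {}).get(field) or ""
    if isinstance(val, dict):
        val = val.get("value") or ""
    return val.strip().lower()

def reconcile(hris, idp):
    """Return sorted (username, finding) tuples for every inconsistency."""
    hr = {_key(r): r for r in hris if _key(r)}
    findings = []
    for acct in idp:
        name = _key(acct)
        if not name or not acct.get("active", False):
            continue  # an already-disabled IdP account is not an exposure
        src = hr.get(name)
        if src is None:
            findings.append((name, "missing_from_hris"))
        elif not src.get("active", False):
            findings.append((name, "terminated_in_hris_active_in_idp"))
        else:
            for field in ("department", "manager"):
                if _ent(src, field) != _ent(acct, field):
                    findings.append((name, field + "_mismatch"))
    return sorted(findings)

# Constructed sample records (not real users).
HRIS = [
    {"username": "alice@example.com", "active": True,
     "user": {"department": "Finance", "manager": {"value": "m-100"}}},
    {"username": "bob@example.com", "active": False,
     "user": {"department": "Sales", "manager": {"value": "m-200"}}},
]
IDP = [
    {"username": "Alice@example.com", "active": True,
     "user": {"department": "Engineering", "manager": {"value": "m-100"}}},
    {"username": "bob@example.com", "active": True,
     "user": {"department": "Sales", "manager": {"value": "m-200"}}},
    {"username": "carol@example.com", "active": True, "user": {}},
    {"username": "dave@example.com", "active": False, "user": {}},
]

if __name__ == "__main__":
    for username, finding in reconcile(HRIS, IDP):
        print(username, finding)
```

The "terminated_in_hris_active_in_idp" finding corresponds to the improperly deprovisioned account, and "missing_from_hris" to the case where the page suggests opening a ticket or emailing the user's manager.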

Next Steps

Oort clients can upload HRIS data via the Manual Uploads option within the Add Integration page. Further information is available under "How to Import Workday HRIS Data".

Please reach out to your Oort representative for further information or with any questions on this feature.
