Important
This repository contains the connector and configuration code only. The implementer is responsible to acquire the connection details such as username, password, certificate, etc. You might even need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements.
- HelloID-Conn-Prov-Target-CAPP12
HelloID-Conn-Prov-Target-CAPP12 is a target connector. CAPP12 provides a set of REST APIs that allow you to programmatically interact with its data.
The following features are available:
| Feature | Supported | Actions | Remarks |
|---|---|---|---|
| Account Lifecycle | ✅ | Create, Update, Delete | |
| Permissions | ✅ | Retrieve, Grant, Revoke | Dynamic |
| Resources | ✅ | Create, Update | |
| Entitlement Import: Accounts | ✅ |
- | |
| Entitlement Import: Permissions | ✅ |
- | |
| Governance Reconciliation Resolutions | ✅ |
- |
The CAPP12 API does not support account deletion so the delete script disables the account instead.
Because of limitations in the API, only active accounts and permissions are imported.
Because of the absence of inactive accounts and permissions in the import, the reconciliation report can report those incorrectly as missing.
URL of the icon used for the HelloID Provisioning target system.
https://raw.githubusercontent.com/Tools4everBV/HelloID-Conn-Prov-Target-CAPP12/refs/heads/main/Icon.png
- Valid CAPP12 API credentials and base URL are required.
The following settings are required to connect to the API.
| Setting | Description | Mandatory |
|---|---|---|
| ClientId | The ClientId to connect to the API | Yes |
| ClientSecret | The ClientSecret to connect to the API | Yes |
| BaseUrl | The URL to the API (example: https://defacto.capp12.nl) | Yes |
The correlation configuration is used to specify which properties will be used to match an existing account within CAPP12 to a person in HelloID.
| Setting | Value |
|---|---|
| Enable correlation | True |
| Person correlation field | PersonContext.Person.ExternalId |
| Account correlation field | code |
Tip
For more information on correlation, please refer to our correlation documentation pages.
The field mapping can be imported by using the fieldMapping.json file.
The account reference is populated with the code property from CAPP12
The connector manages three resources and their relationships through dynamic permissions:
erDiagram
POSITION ||--o{ ASSIGNMENT : ""
USER ||--o{ EMPLOYMENT : ""
DEPARTMENT ||--o{ EMPLOYMENT : ""
USER ||--o{ ASSIGNMENT : ""
USER ||--o{ MANAGER : ""
DEPARTMENT ||--o{ MANAGER : ""
Resources: USER, DEPARTMENT, POSITION
Dynamic permissions:
- EMPLOYMENT: links user to department (employment relationship)
- ASSIGNMENT: links user to position (position assignment)
- MANAGER: defines which user has manager role for which department
codeis the primary account key and is required for account creation. It cannot be updated via the API.adfs_loginandemailare unique attributes and should remain populated for active accounts.adfs_loginis not available in the retrievable data, so field comparison is not possible during update. To prevent account deactivation,adfs_loginis mapped explicitly in the update action.
first_nameandlast_nameare optional update fields. When omitted, existing values remain unchanged.ends_onis not mapped directly from field mapping and is controlled by lifecycle scripts.- The API uses different date formats between write (
dd-MM-yyyy) and read (yyyy-MM-dd) operations.
- The connector applies disable semantics instead of hard delete.
- Create and update actions keep accounts active by setting
ends_ontonull. - Delete sets
ends_onto yesterday to inactivate the account. - In the delete mapping,
adfs_loginandemailare configured with empty string values. This setup can be used to free unique values for reuse after inactivation.- Validate this behavior with the customer before go-live, because it affects identity reuse policy.
- Resources are correlated by
codebased on theirExternalId. Name changes trigger updates.
- Grant actions set
ends_ontonull; revoke actions setends_onto yesterday. - For inactive users, permissions cannot be managed afterwards, so permissions should be revoked before account inactivation.
- The manager permission requires the custom field
ManagerOfwith a comma-separated list of department identifiers (e.g."Department1","Department2").
- Bulk import data is not real-time and is typically current after nightly processing.
adfs_loginis not available in bulk user data.- Account and permission import only supports active items (no end date, or a future end date).
- Accounts with a missing
codeare filtered from the import, because they cannot be referenced or managed from HelloID.
The following endpoints are used by the connector.
| Endpoint | HTTP Method | Description |
|---|---|---|
| /oauth2/token | POST | Retrieve access token |
| /api/v1/users | GET, POST | Import users and read account details |
| /api/v1/assignments | GET, POST | Import and manage position assignments |
| /api/v1/employments | GET, POST | Import and manage departments employments |
| /api/v1/managers | GET, POST | Import and manage department managers |
| /api/v1/departments | GET, POST | Create or update departments |
| /api/v1/positions | GET, POST | Create or update positions |
- Supplier API documentation: HR Import API
Tip
For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages.
The official HelloID documentation can be found at: https://docs.helloid.com/