ManageEngine ADManager Plus (On-premise)

Trelica supports various ADManager Plus actions from Trelica workflows. To use these you have to connect ADManager Plus to Trelica. As part of this process you will be asked for an "Authtoken". This guide explains how to provide this parameter.

If you already have ADManager Plus automations configured, an alternative way to drive workflows is through a Trelica Application Integration in ADManager Plus, which is also described here.


Connecting ADManager Plus to Trelica

ManageEngine heavily restrict API access for 'action' API calls, e.g. creating or deprovisioning users. You receive 50 API actions per month per technician license you have.

You will need either the helpdesk technician or built-in admin role delegation to generate an Authtoken.

There are two ways to generate an authtoken:

  1. Via the My Account menu (requires the helpdesk technician role)
  2. Via the Delegation menu (requires the built-in admin role)

The following information should be entered into the authtoken form:

  1. The technician for whom you'd like to generate an authtoken
  2. The name of the authtoken
  3. The scopes of the authtoken:
    1. Create user action
    2. Read user action
    3. Update user action
    4. Read group action
    5. Update group action
  4. The expiry time of the authtoken

My Account

  1. In ADManager Plus, navigate to My Account > Active Authtokens
  2. Click the Generate Authtoken button

Delegation

  1. In ADManager Plus, navigate to Delegation > Technician Authtokens.
  2. Click the Generate Authtoken button.

Connecting Trelica to ADManager Plus

If you already have ADManager Plus automations configured, an alternative way to drive workflows is to create a Trelica Application Integration in ADManager Plus.

This can be driven by the results of an API call to Trelica, which works particularly well for triggering offboarding automations in ADManager Plus.

Create an API application in Trelica

  1. Go to Admin > Settings > API Access and click New
  2. Upload a logo (one is provided at the bottom of this page - ad logo.svg), and enter ADManager Plus as the App name
  3. Check the Read people scope.
  4. Copy the Client ID and Client Secret values - you will need these shortly so put them in a text file or on your clipboard. 
  5. Click Save. The Client ID and Secret will only be valid once you have clicked Save.

Create a new Application Integration in ADManager Plus

  1. Go to the Automation tab and choose Configuration > Application Integrations.
  2. Click Custom Application
  3. Enter a name and upload a logo. You can download a Trelica logo here.
  4. Click Save.

Configure the Application Integration

Authorization

  1. Enter the following values:
    Authorization Type: OAuth 2.0
    Header Prefix: (leave empty)
    Grant Type: Client Credentials
    Access Token URL: https://app.trelica.com/connect/token
    Client ID: From the Trelica API client
    Client Secret: From the Trelica API client
    Scope: (leave empty)
    Client Authentication: Send Client Credentials In Request Body
  2. Click Configure.
  3. Click Add API Endpoint.

Configuring the endpoint

The Endpoint URL must be a full URL, and the query string must be URL-encoded. The API URL you want to call is https://app.trelica.com/api/people/v1?filter=<filter-value>

The filter can be configured to meet your needs, but we suggest:

status eq "Terminated" and leavingDate gt "2024-02-01" and (personType eq "Contractor" or personType eq "Employee")

We recommend fetching people terminated after a recent date because otherwise the first run will potentially fetch a lot of already terminated users from long ago.

You can use a site like https://www.urlencoder.org/ to encode your filter. You only need to encode the filter value, not the whole URL. An example of a correctly encoded URL would be

https://app.trelica.com/api/people/v1?filter=status%20eq%20%22Terminated%22%20and%20leavingDate%20gt%20%222024-02-01%22%20and%20(personType%20eq%20%22Contractor%22%20or%20personType%20eq%20%22Employee%22)

The Method should be Get.

No additional Headers (beyond the Authorization header which ADManager Plus adds for you) or Parameters are required. The Message Type can be left as None.

Click Test & Save when you are ready.

You should be shown a tree hierarchy of the data structure returned. Click Proceed.
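
The authorization settings and the encoded Endpoint URL above can be reproduced locally before they are entered into ADManager Plus. The following is an added example, not part of the original article or Trelica's own code; the Bearer scheme on the Authorization header and the TRELICA_CLIENT_ID / TRELICA_CLIENT_SECRET environment variable names are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request
from datetime import date

TOKEN_URL = "https://app.trelica.com/connect/token"   # from this page
PEOPLE_URL = "https://app.trelica.com/api/people/v1"  # from this page


def build_filter(leaving_after: date) -> str:
    """The filter suggested on this page; the date is typed so it cannot break the quoting."""
    return (
        f'status eq "Terminated" and leavingDate gt "{leaving_after.isoformat()}" '
        'and (personType eq "Contractor" or personType eq "Employee")'
    )


def endpoint_url(filter_value: str) -> str:
    """Percent-encode only the filter value; parentheses stay literal as in the page's example."""
    return f"{PEOPLE_URL}?filter={urllib.parse.quote(filter_value, safe='()')}"


def token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """Client Credentials grant, credentials sent in the request body, no scope."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST")


def people_request(url: str, access_token: str) -> urllib.request.Request:
    """GET with only an Authorization header (Bearer scheme is an assumption)."""
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    url = endpoint_url(build_filter(date(2024, 2, 1)))
    print(url)
    # Hypothetical variable names; set them to the Trelica API client's values.
    cid, secret = os.environ.get("TRELICA_CLIENT_ID"), os.environ.get("TRELICA_CLIENT_SECRET")
    if cid and secret:
        with urllib.request.urlopen(token_request(cid, secret), timeout=30) as resp:
            token = json.load(resp)["access_token"]  # standard OAuth 2.0 token response field
        with urllib.request.urlopen(people_request(url, token), timeout=30) as resp:
            print(resp.status, len(resp.read()), "bytes")
```

Run without the two environment variables, it only prints the encoded Endpoint URL; with them set, it also requests a token and reports the HTTP status of the people query.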

LDAP Attribute Mapping

Enter a Configuration Name (e.g. Trelica Attributes).

The Primary Key will be response.id

Create a mapping from userPrincipalName to response.email.

ADManager Plus shows all attributes in the JSON response. Several will have 'email' as part of the attribute so make sure you choose the top-level email, and not the Line Manager email address for example.

Click Save.

If you get an error on this step, ADManager Plus may not have saved changes on previous steps properly. It's worth validating each part of the configuration if you encounter issues.

Configure a Scheduled Automation

Go to the Automation menu and click Create New Automation at the top right of the list.

  1. Give the Automation a name, and ensure that the User Automation category is selected.
  2. Select an Automation Task you want to run for each Trelica user that is returned by the API call.
  3. Under Select objects, pick the data source - this will be the Application Integration you configured earlier.
  4. Pick the Attribute mapping you configured for the Application Integration.
  5. Choose the Incremental sync type in order to just run the automation for new rows returned by the API query.
  6. Click Update.

Testing

Go to the Schedule Automation list.

Ensure that the automation is enabled (it will have a green tick next to the name) and then click Run Now.

Once the automation has run you can see the results by clicking the small icon to the right of the Run Now button.
