Potential bug in the Salesforce direct connector (8.1p2+)

Hi, I’m encountering what appears to be a bug in the Salesforce direct connector regarding how it provisions PermissionSets and PermissionSetLicenses in 8.1p2+.

Description: When executing a provisioning plan with account operation “Create”, including attribute requests for both adding a PermissionSet, and adding a PermissionSetLicense that is required for this PermissionSet in Salesforce, the PermissionSetLicense is not processed first, resulting in a licensing error. This is different from the corresponding behavior if you are modifying an existing account (instead of creating a new one), in which case it correctly processes the license first.

Code to reproduce:

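import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

Identity id = context.getObjectByName(Identity.class, "[identityToActOn]"); // Existing ID in IIQ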
ProvisioningPlan plan = new ProvisioningPlan();
plan.setNativeIdentity(id.getName());
plan.setIdentity(id);
List accountRequests = new ArrayList();
AccountRequest accountRequest = new AccountRequest();
accountRequest.setApplication("[appName]"); // The name of the Salesforce application in IIQ
accountRequest.setOp(ProvisioningPlan.ObjectOperation.Create);
List attributeRequests = new ArrayList();
// Not shown: other AttributeRequests needed to create a new account, or otherwise sourced via the provisioning policy
attributeRequests.add(new AttributeRequest("PermissionSetLicense", ProvisioningPlan.Operation.Add, "[permissionSetLicenseID]"));
attributeRequests.add(new AttributeRequest("PermissionSet", ProvisioningPlan.Operation.Add, "[permissionSetID]"));
// Where permissionSetLicenseID is required for permissionSetID
accountRequest.setAttributeRequests(attributeRequests);
accountRequests.add(accountRequest);
plan.setAccountRequests(accountRequests);
// Not shown: executing this ProvisioningPlan

Expected: The account is created, and then the permission set license is applied, and then the permission set is applied, resulting in a successful provisioning action, similarly to if you were to provision these two attribute requests to an existing account with a “Modify” action.

Actual: The account is created, and the permission set license is present on the new account, but the permission set is not applied, and the provisioning action fails with one or more error messages reading: “The user license doesn’t allow the permission: [permission name]”. I assume what is happening here is that the connector is attempting to set the permission set first, before the required license, and encounters the error. Then, it moves on to setting the license, which works successfully.

Workaround: This can be worked around by doing this as two separate provisioning actions: One to create the account and add the permission set license, and another to add the permission set.
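The two-step workaround described in the post above, as an added example (not the poster's code and not SailPoint's), written in the same BeanShell rule style as the reproduction. The helper name `deferPermissionSets` is hypothetical; it assumes the attribute name "PermissionSet" from the post and leaves executing both plans to the caller.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Hypothetical helper, not part of IdentityIQ. Strips every "PermissionSet"
// attribute request out of the Create requests for appName and returns them
// in a separate Modify plan, or null when there is nothing to defer.
public ProvisioningPlan deferPermissionSets(ProvisioningPlan createPlan, String appName) {
    AccountRequest modify = new AccountRequest();
    modify.setApplication(appName);
    modify.setOp(ProvisioningPlan.ObjectOperation.Modify);
    List deferred = new ArrayList();

    List accountRequests = createPlan.getAccountRequests();
    if (accountRequests == null) return null;
    for (Object o : accountRequests) {
        AccountRequest req = (AccountRequest) o;
        if (!appName.equals(req.getApplication())
                || req.getOp() != ProvisioningPlan.ObjectOperation.Create
                || req.getAttributeRequests() == null) {
            continue;
        }
        List kept = new ArrayList();
        for (Object a : req.getAttributeRequests()) {
            AttributeRequest attr = (AttributeRequest) a;
            if ("PermissionSet".equals(attr.getName())) {
                deferred.add(attr);   // applied in the second action
            } else {
                kept.add(attr);       // PermissionSetLicense and the rest stay with Create
            }
        }
        req.setAttributeRequests(kept);
    }
    if (deferred.isEmpty()) return null;

    modify.setAttributeRequests(deferred);
    // The caller must set the native identity of this Modify request to the
    // account created by the first plan before executing the follow-up plan.
    ProvisioningPlan followUp = new ProvisioningPlan();
    followUp.setIdentity(createPlan.getIdentity());
    followUp.add(modify);
    return followUp;
}
```

Execute the original plan first, and run the returned plan only after the Create has succeeded, so the license is already on the account when the permission set is assigned.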

Hey @derek_kuhnert, thanks for posting in the developer forum.

You are right, it sounds like this may be a bug. In this case, you may want to file a support ticket. They are going to be the best team for helping you with diving into the specifics, debugging, and having your issue investigated.

It's the same issue we are also facing, any solution given by SailPoint?