Query: Salesforce UAR – Handling Profile Reassignment

Hi All,

Has anyone integrated Salesforce for UAR?

We have a scenario where we need to perform UAR on Salesforce Profile IDs. However, in Salesforce, a user cannot exist without a Profile ID. Currently, we are conducting UAR for the System Administrator profile. If access is revoked, the user must be reassigned to a read-only profile instead.

How can this be effectively handled within the UAR process?

Thanks in advance,

@bhoyars_1 I believe in Salesforce you can have only one profile (could be wrong). In that case, you can actually UAR on the accounts instead of on entitlements (profiles). In this way, if the user shouldn’t have the access, the account will be disabled.

If you still want to handle this via entitlements only, you can write a before provisioning rule where you check if the source is Certification and the operation is a remove of the profile, and replace it with an Add operation for the read-only profile. In this way, the access will be replaced.

Please try this and let us know if you still have any further queries or need any help with writing the before provisioning rule.

@kannan_sb85 Please confirm: in case of a Certification revocation, does the LCM workflow or any other workflow come into play? AFAIK the certification APIs generate the plan and execute it directly without using any workflow. Please confirm.

For entitlements, we should set the operation as Add and the entitlement is “ProfileId”. Here is the updated snippet.

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import java.util.List;

// Only touch plans that were generated by a certification revocation
if (plan != null && "Certification".equalsIgnoreCase(plan.getSource())) {
    List accReqs = plan.getAccountRequests();
    if (accReqs != null) {
        for (AccountRequest accReq : accReqs) {
            // Entitlement revocations arrive as a Modify on the Salesforce account
            if ("<appName>".equals(accReq.getApplication())
                    && AccountRequest.Operation.Modify.equals(accReq.getOperation())) {
                List attrReqs = accReq.getAttributeRequests();
                if (attrReqs != null && attrReqs.size() > 0) {
                    for (AttributeRequest attrReq : attrReqs) {
                        // A Salesforce user must always have a profile, so turn the
                        // Remove of ProfileId into an Add of the read-only profile
                        if ("ProfileId".equalsIgnoreCase(attrReq.getName())
                                && ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation())) {
                            attrReq.setOperation(ProvisioningPlan.Operation.Add);
                            attrReq.setValue("<read only profile id>");
                        }
                    }
                }
            }
        }
    }
}

@neel193 - You’re correct. In IdentityIQ, certification revocations bypass the LCM Provisioning workflow. When a certifier approves a revocation, IdentityIQ creates a ProvisioningPlan and sends it directly to the Provisioner, skipping all workflow logic.

@bhoyars_1 Please let us know if it works for you or if you have any further queries.

@bhoyars_1 - If you resolved your problem, please mark the accepted solution.