Replace Removal Action with Add Action

zachm117 · August 17, 2023, 3:33pm

Hey everyone!

We are utilizing the OOTB Salesforce connector and I wanted to see if anybody had any ideas for this usecase. In Salesforce, there is a specific type of entitlement called Profiles. In Salesforce, every account must have one and only one Profile. As such, Salesforce does not support the removal of Profiles, only replacements with another. If we have IDN setup to allow a user that already has a Profile (because their account has to) to request a new Profile, IDN can easily replace it with a new one.

Our problem occurs with certification campaigns and removal operations for Profiles. If IDN sends a removal operation, a response message is received from the Salesforce API that the operation is not supported and the Profile (entitlement) fails to be removed.

My initial thought was to use the beforeProvisioning rule to trigger when a Profile is being removed and instead provision a static/default profile in it’s place. We could also specify multiple branches for certain Profiles to be replaces with other specific Profiles, but I am just keeping it simple.

This would work, however it ends up not being reflected correctly in our campaign reports and event log because the Remove action still occurs and fails, the access is just then replaced afterwards. So our campaign reports still show failures for the access items being removed, and the event log doesn’t capture the new access being added to replace the old access so our events only show the failed provisioning attempts. We have no way of confirming that the access was actually removed without looking at the user’s account after an aggregation or in Salesforce itself.

Is there any way we could replace this Remove operation in the provisioning plan with an Add operation? I am thinking this would be possible in a Before Operation rule, but the OOTB Salesforce connector does not seem to support the Before Operation rule (I can definitely be mistaken on this). So I am not sure how we could replace the Remove operation that will fail every time with an Add operation that will give us our desired outcome.

I very much appreciate any insight into this! Maybe it is an idea I should just submit for an enhancement to the OOTB Salesforce connector.

Thank you,

Zach

My initial

zachm117 · August 25, 2023, 10:21pm

Adding TLDR in case it helps.

Can we replace a Remove operation on the Salesforce OOTB connector with an Add operation?

The Before Provisioning rule partially works, but when we trigger the new event, the old Remove event still occurs and fails.

Does the OOTB Salesforce connector support a Before Operation rule?

system · October 24, 2023, 10:22pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove Old Access when New Access is Requested/Provisioned ISC Discussion and Questions identity-security-cloud , provisioning , access-requests , entitlements	7	681	October 20, 2023
Web service connector Add Entitelement operation ISC Discussion and Questions	4	2001	July 19, 2023
WebService Connector - Remove Entitlement ISC Discussion and Questions webservice-connector , identity-security-cloud , provisioning	2	279	April 21, 2024
Remove requested entitlements on termination ISC Discussion and Questions identity-security-cloud	10	1188	November 25, 2023
Saelsforce leaver process deployment ISC Discussion and Questions identity-security-cloud , connectors	2	22	November 11, 2024

Replace Removal Action with Add Action

Related topics