Hey everyone!
I have a use case for our Salesforce connector, and I could use some advice on how best to figure out a solution. We are using the standard OOTB Salesforce connector.
In Salesforce, we primarily use Profiles (called groups in IDN), PermissionSets, public groups and a custom attribute as entitlements.
Use case:
When the user's lifecycle status changes from active to terminated/dormant, all of their entitlements should be removed and their profile should be deactivated.
What could be the best approach to achieve this requirement?
I have linked an example below where someone has documented various workflows for removing ALL access from an identity on a leaver lifecycle state change.
In your case, you can take this example and adapt it to only remove entitlements for your Salesforce source.
You can use SailPoint Roles to grant users access to their SF account. In Roles, you can add the lcs attribute as one of the conditions, so when lcs changes to terminated, the role will be removed and the corresponding entitlements will be removed from the user's SF account.
One thing to note here is that an SF Profile cannot be removed from an SF account, so you will get an error in tasks where SailPoint tries to remove the SF profile and fails. You can avoid that by using a before-provisioning rule in which you check for this profile remove event (and also check that there is no profile add request in the plan, to make sure this event is not a SailPoint role change) and remove the profile removal request from the provisioning plan.
Also, if you need to provide the default portal user profile to the terminated users, you can add that attribute request in the provisioning plan.
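Here is what the before-provisioning rule described above could look like, as an added example (it is not code from the thread or from SailPoint). It is written in BeanShell, the rule language SailPoint uses, against the `sailpoint.object.ProvisioningPlan` API; the `plan` variable is the one a BeforeProvisioning rule receives. The attribute name `ProfileId`, the placeholder profile Id, and the assumption that every account request in the plan targets the Salesforce source (because the rule is attached to that source) are assumptions you must verify against your own source's account schema.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;

// ASSUMPTION: the Salesforce profile travels in an attribute request with this
// name. Check your source's account schema; the real name may differ.
String PROFILE_ATTR = "ProfileId";

// ASSUMPTION: placeholder Id of the "default portal user" profile you want
// leavers to land on. Replace with the real Id, or set the flag to false to
// simply drop the Remove without substituting anything.
String DEFAULT_PORTAL_PROFILE_ID = "00e000000000000AAA";
boolean ASSIGN_DEFAULT_PORTAL_PROFILE = true;

// ASSUMPTION: this rule is attached to the Salesforce source, so every
// AccountRequest in the plan targets Salesforce and no application check is
// needed here. Add one if your tenant reuses the rule across sources.
if (plan != null && plan.getAccountRequests() != null) {
  for (Object o : plan.getAccountRequests()) {
    AccountRequest acctReq = (AccountRequest) o;
    List attrReqs = acctReq.getAttributeRequests();
    if (attrReqs == null || attrReqs.isEmpty()) {
      continue;
    }

    // First pass: classify the profile-related attribute requests. A Remove
    // that is accompanied by an Add/Set is a role change (old profile out,
    // new profile in) and must be left alone; a lone Remove is the leaver
    // case that Salesforce will reject.
    boolean hasProfileRemove = false;
    boolean hasProfileAddOrSet = false;
    for (Object a : attrReqs) {
      AttributeRequest ar = (AttributeRequest) a;
      if (!PROFILE_ATTR.equals(ar.getName())) {
        continue;
      }
      Operation op = ar.getOperation();
      if (op == Operation.Remove || op == Operation.Revoke) {
        hasProfileRemove = true;
      } else if (op == Operation.Add || op == Operation.Set) {
        hasProfileAddOrSet = true;
      }
    }

    if (hasProfileRemove && !hasProfileAddOrSet) {
      // Second pass: rebuild the attribute request list without the profile
      // Remove/Revoke, keeping every other request (PermissionSets, public
      // groups, the custom attribute) so those still get revoked.
      List kept = new ArrayList();
      for (Object a : attrReqs) {
        AttributeRequest ar = (AttributeRequest) a;
        boolean isProfileRemoval = PROFILE_ATTR.equals(ar.getName())
            && (ar.getOperation() == Operation.Remove
                || ar.getOperation() == Operation.Revoke);
        if (!isProfileRemoval) {
          kept.add(ar);
        }
      }

      // Optional: park the leaver on the default portal profile instead of
      // leaving whatever profile they last held.
      if (ASSIGN_DEFAULT_PORTAL_PROFILE) {
        kept.add(new AttributeRequest(PROFILE_ATTR, Operation.Set,
            DEFAULT_PORTAL_PROFILE_ID));
      }

      acctReq.setAttributeRequests(kept);
      log.info("Dropped standalone " + PROFILE_ATTR + " removal for "
          + acctReq.getNativeIdentity()
          + (ASSIGN_DEFAULT_PORTAL_PROFILE ? ", set default portal profile" : ""));
    }
  }
}
```

The two-pass structure is deliberate: the decision to drop the Remove depends on whether an Add/Set for the same attribute exists anywhere in the same account request, so you cannot decide per attribute request while iterating. Test it on a role change first (profile A to profile B) and confirm the rule leaves that plan untouched before relying on it for leavers; the account should still be disabled by whatever handles the lifecycle state change, since this rule only touches the profile attribute.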