Salesforce Connector Aggregation

Hi Team,

We have integrated a Salesforce connector in our system. We are currently aggregating only enabled accounts into the system. However, whenever a user leaves the organization, the account is disabled and is not aggregated into the system. Now when the user re-joins the org and needs access to this application, as he is disabled he will not be aggregated into our system. We cannot modify his account as the account is not present in IdentityNow but is present in the target system.

We are using the soft delete concept here, so can you please suggest if there is a way to handle this re-joiner scenario?


Hi Sindhu,

As mentioned by you, once the user leaves the org his Salesforce account is disabled, and if in future he rejoins the org that same account could be enabled again.
I would suggest using cloud lifecycle states and provisioning policies in the identity profile to handle this use case.
That is, when the user's lifecycle state is marked as inactive, disable the account for Salesforce; further, create a new lifecycle state such as "rehire", and for that you can configure the enable account setting for Salesforce.

Hi @DeepanshuBisht,

It is not an authoritative source for us, hence we are not creating an identity profile. Is there any other approach?

Hi Sindhu,
You don't need to create a separate identity profile for Salesforce. Considering the user is aggregated from some other authoritative source, you can configure these changes even for that identity profile: you'll just need to enable Configure Changes -> Enable Account, and after that you can add whichever sources you want accounts enabled for in that lifecycle state.

Hi @DeepanshuBisht,

Apologies for being late; I have tried this also. I have added my Salesforce source in the active and leaver LCS states.
Scenario: The user is in the leaver LCS and the account is disabled. Now when the user needs access only to the Salesforce application, as his LCS is still leaver and the account is disabled, when I try to provision him any access profile related to Salesforce I get the below error

Somehow the Salesforce connector is not letting us create accounts for a disabled user. Is there any solution to this? Am I doing something wrong? Please suggest.
Are there any changes required to be made on the Salesforce connector end?

Hi Sindhu,
Before you assign the user any access profile related to Salesforce, make sure his Salesforce account is enabled back. From what you mentioned, you're trying to assign Salesforce access to a user whose LCS is still leaver, which means his Salesforce account is in a disabled state. You'll first need to update his lifecycle state back to active and enable his Salesforce account. After that you can request Salesforce access back for that user.

Okay, so there is no way to provision an account to a user when his account is disabled, right?

You'll need to modify the create account policy: since the account already exists for that user in Salesforce in a disabled state and you're trying to create another account using the same user attributes, it will error out.

@DeepanshuBisht Yes, I am creating the create policy as below:

[
    {
        "name": "SalesForce Provisioning Policy",
        "description": null,
        "usageType": "CREATE",
        "fields": [
            {
                "name": "Alias",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "uid"
                    }
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "Username",
                "transform": {
                    "name": "create username",
                    "type": "concat",
                    "attributes": {
                        "values": [
                            {
                                "type": "identityAttribute",
                                "attributes": {
                                    "name": "email"
                                }
                            },
                            ".gdw"
                        ]
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "Email",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "email"
                    }
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "FirstName",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "firstname"
                    }
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "LastName",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "lastname"
                    }
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "TimeZoneSidKey",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "Europe/Berlin"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "LocaleSidKey",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "de_DE"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "IsActive",
                "transform": {
                    "attributes": {
                        "input": {
                            "attributes": {
                                "name": "cloudLifecycleState"
                            },
                            "type": "identityAttribute"
                        },
                        "table": {
                            "active": "true",
                            "default": "false",
                            "special": "true"
                        }
                    },
                    "type": "lookup"
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "LanguageLocaleKey",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "de"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "EmailEncodingKey",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "UTF-8"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "FederationIdentifier",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "uid"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "UserType",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "STANDARD"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "AccountName",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "uid"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "Country",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "country"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "UserPermissionsMarketingUser",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "True"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "SalesForce Disable Provisioning Policy",
        "description": null,
        "usageType": "DISABLE",
        "fields": [
            {
                "name": "Username",
                "transform": {
                    "name": "create username",
                    "type": "concat",
                    "attributes": {
                        "values": [
                            {
                                "type": "identityAttribute",
                                "attributes": {
                                    "name": "email"
                                }
                            },
                            "zzz"
                        ]
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "FederationIdentifier",
                "transform": {
                    "name": "create FederationIdentifier",
                    "type": "concat",
                    "attributes": {
                        "values": [
                            {
                                "type": "identityAttribute",
                                "attributes": {
                                    "name": "uid"
                                }
                            },
                            "0"
                        ]
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    }
]

I am trying to create an account with the email.gdw value first, and then when the account is disabled just move that value to a junk value. So next time when the user rejoins the organization, an account with username email.gdw is created.
So currently the user will have 2 accounts: one enabled and one disabled with the username ending in zzz.
I want to modify this code in the disable policy to add a dynamic value like email.zzz$uniqueencounter; however, if I try to add it, it is creating a new account and erroring out.

Can you please suggest what I can use to achieve the creation of duplicate accounts with new usernames when the user re-joins the system?

Hi @SindhuVMurthy,

What is your real use case here? Do you want to assign the same Salesforce account back to the users when they rejoin?

If so, you would need to aggregate the disabled user accounts as well so that they remain correlated to the original user. Is there a reason why you are not doing that in the first place?

In the scenario of assigning the same account back to the rejoined user, you can make use of a before provisioning rule to enable the account first, before assigning the Salesforce access to the user.

I was also wondering about this… I can only think that maybe they want to delete an identity without having to deal with the uncorrelated account? Unsure.

Hi @jesvin90,

Our vendors do not want us to aggregate the users with disabled accounts. So we are trying to tackle it as below using the create account provisioning policy.

Scenario: We are trying to provision a new account to the rejoiner with username email.gdw (whenever a new account is created this should be the format of the username) and trying to edit the older account by appending a junk value to the username, giving email.gdwzzz.

We are trying to achieve the scenario below:

A new user joins the system and a Salesforce account is provisioned to him. The Salesforce account is created with username email.gdw for the user.
When the user becomes a leaver the account is disabled, and as we are not aggregating disabled accounts the existing account will not be visible in our system.

Here we are trying to give the user's existing account a username with some junk value, such as email.gdwzzz, so that next time if the user joins the system back the new enabled account will be provisioned with the correct username format email.gdw and it will be enabled, while the older account's username has the junk value zzz appended.

We are trying to do this as we are aggregating only active users: when the user is disabled his account is not visible in IDN, so it tries to create a new account, but as it is present in the target it becomes a modify operation in Salesforce and hence creating the account fails.

To avoid this conflict we are trying the above approach to provision a duplicate account for the user. However, we need it to be created dynamically as the rejoiner scenario may occur more than once for the same user.

Maybe it’s just me, but this seems like an overly complex workaround to support a questionable policy decision. :person_shrugging:

@mcheek - I too feel the same :slight_smile:

@SindhuVMurthy - If you just want to push some unique value to avoid duplication, you can try a before provisioning rule that appends a date value to the user's email/federation ID in SF as part of the user account disable process.

So a disabled user record would look something like email.gdw03122024
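The following is an added example, not code from this thread or from SailPoint, that models the three approaches discussed above against a constructed in-memory stand-in for the Salesforce org: a plain CREATE against an account that still exists in the target (the original failure), re-enabling the existing account instead (the earlier reply's before provisioning rule), and renaming the account on disable either with the posted static "zzz" suffix or with the date suffix the last reply suggests. The store, the sample user, the "-n" counter that covers a user who leaves twice on the same day, and the strict uniqueness of FederationIdentifier are all assumptions made for the simulation; Salesforce itself does require Username to be unique.

```python
"""Constructed simulation of the join -> leave -> rejoin cycle from the thread.

This is an added example, not SailPoint or Salesforce code. The org is modelled as
an in-memory table where Username and FederationIdentifier must be unique (the
FederationIdentifier uniqueness is an assumption of this model).
"""
from dataclasses import dataclass
from datetime import date


class DuplicateValue(Exception):
    """Stands in for the duplicate-value error Salesforce returns on create/update."""


@dataclass
class SfUser:
    username: str
    federation_id: str
    is_active: bool = True


class SalesforceStore:
    """Minimal model of the target org, keyed by Username."""

    def __init__(self):
        self.users = {}

    def _taken(self, username, federation_id):
        return username in self.users or any(
            u.federation_id == federation_id for u in self.users.values())

    def create(self, username, federation_id):
        # A CREATE from IDN fails if the (still present) disabled account has the same values.
        if self._taken(username, federation_id):
            raise DuplicateValue(username)
        self.users[username] = SfUser(username, federation_id)
        return self.users[username]

    def enable(self, username):
        self.users[username].is_active = True
        return self.users[username]

    def disable(self, username, new_username=None, new_federation_id=None):
        """Disable an account, optionally renaming it (what a DISABLE policy or rule does)."""
        user = self.users.pop(username)
        new_username = new_username or user.username
        new_federation_id = new_federation_id or user.federation_id
        if self._taken(new_username, new_federation_id):
            self.users[username] = user  # the update would have failed; leave the record as it was
            raise DuplicateValue(new_username)
        user.username, user.federation_id, user.is_active = new_username, new_federation_id, False
        self.users[new_username] = user
        return user


def disable_static_suffix(store, username, federation_id, today):
    """The posted DISABLE policy: Username -> email + 'zzz', FederationIdentifier -> uid + '0'."""
    return store.disable(username, username + "zzz", federation_id + "0")


def disable_dated_suffix(store, username, federation_id, today):
    """The last reply's idea: append the leave date (ddMMyyyy, as in the post) on disable.
    The '-n' counter is an assumption added here for a user who leaves twice on one day."""
    stamp = today.strftime("%d%m%Y")
    new_username, new_fed, n = username + stamp, federation_id + stamp, 1
    while new_username in store.users:
        n += 1
        new_username, new_fed = f"{username}{stamp}-{n}", f"{federation_id}{stamp}-{n}"
    return store.disable(username, new_username, new_fed)


# Constructed sample: the same user leaves three times, twice on the same day.
SAMPLE_LEAVE_DATES = (date(2024, 3, 12), date(2024, 9, 1), date(2024, 9, 1))
SAMPLE_USERNAME = "sindhu@example.com.gdw"  # hypothetical email + ".gdw" as in the CREATE policy
SAMPLE_UID = "sindhu"


def run_cycles(disable_strategy, leave_dates, username=SAMPLE_USERNAME, uid=SAMPLE_UID):
    """Create, disable-with-rename, rejoin ... once per leave date, then one final rejoin.
    Returns ('OK', usernames in the org) or ('DUPLICATE', colliding value)."""
    store = SalesforceStore()
    try:
        for day in leave_dates:
            store.create(username, uid)                  # rejoin: IDN sees no account, so it creates one
            disable_strategy(store, username, uid, day)  # leaver: the LCS disables (and renames) it
        store.create(username, uid)                      # final rejoin must succeed with the clean name
    except DuplicateValue as err:
        return ("DUPLICATE", str(err))
    return ("OK", sorted(store.users))


def rejoin_without_rename():
    """The original failure (a plain CREATE collides with the disabled account) versus
    re-enabling the existing account, which is what a before provisioning rule would do."""
    store = SalesforceStore()
    store.create(SAMPLE_USERNAME, SAMPLE_UID)
    store.disable(SAMPLE_USERNAME)  # leaver: account kept under its original name
    try:
        store.create(SAMPLE_USERNAME, SAMPLE_UID)
        created = True
    except DuplicateValue:
        created = False
    reenabled = store.enable(SAMPLE_USERNAME).is_active
    return created, reenabled


if __name__ == "__main__":
    print(rejoin_without_rename())
    print(run_cycles(disable_static_suffix, SAMPLE_LEAVE_DATES))
    print(run_cycles(disable_dated_suffix, SAMPLE_LEAVE_DATES))
```

Running it shows the static suffix surviving exactly one leaver cycle and colliding on the second (the second rename to email.gdwzzz hits the first leaver record), while the dated suffix leaves one distinct disabled record per departure plus the clean email.gdw account for the rejoiner. Re-enabling the existing account avoids the renames altogether but, as noted above, only works if the disabled account is still correlated in IDN.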