Salesforce error after patch upgrade

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hi All
We just upgraded our IdentityIQ from 8.2p2 to 8.2p6. Since then our leaver workflow is throwing errors for disabling Salesforce accounts where we set the profileid to “loginless”.

The error is “Validation rule preventing activation of Loginless and ReadOnly users”. We did not have these errors with 8.2p2.

Has anybody seen similar error before? Any hint where to look?

Thanks.
Pasha

Hi @pasha,
Is this a Salesforce error? Please provide more details on the error.
Did you have a chat with the Salesforce app team to understand if this is at the app end?

Hi Vinod
That IS a Salesforce error. The issue is we didn’t get the error when on 8.2p2. I’ve asked our Salesforce team to look into it too.


I would suggest opening a SailPoint support ticket for this.

Hi @vinnysail,

You can review the connector documentation for p2 and p6 and check if there is any difference regarding Salesforce:

8.2p2
https://community.sailpoint.com/t5/IdentityIQ-Server-Software/IdentityIQ-8-2p2/ta-p/210684

8.2p6
https://community.sailpoint.com/t5/IdentityIQ-Server-Software/IdentityIQ-8-2p6/ta-p/247485

Also, you can try to activate the logs for the Salesforce connector, and if you don't find any solution, open a ticket with SP, like @vishal_kejriwal1 says.

Thanks !! FYI to @pasha who posted the query on the same.

We have opened the case with Sailpoint support. Nothing yet. It’s quite strange that going from p2 to p6 could cause such errors.

Hi @vishal_kejriwal1 and @vinnysail and @enistri_devo

Support says I’m on my own 🙁

The error is from Salesforce when I try to disable AND set profileid to loginless.
Is there a way to make the connector do the disable first and then set the profileid?

Thanks.
Pasha

What are Loginless and ReadOnly users? Are these separate profiles?

Loginless is a profile so is ReadOnly.

Our Salesforce team has this policy that the user has to be disabled before it can get Loginless. 8.2p2 did it in the right order. 8.2p6 connector does not 🙁

Salesforce application can have one profile at a time. It’s a single-valued attribute.

I know. Active users have only one role which could be sales, marketing, …

When the user leaves the company I need to disable their account AND set their profile to be “Loginless”. I do that in the beforeprovisioning rule and 8.2p2 did the right thing. But 8.2p6 is not.
Next reply has a sample plan that fails. 00eG000dfj0cLsDIAU is the profileid for “loginless”:

<ProvisioningPlan nativeIdentity="[email protected]" targetIntegration="Salesforce" trackingId="c358a5895c094b43a55f024a0f5cbadc">
  <AccountRequest application="Salesforce" nativeIdentity="0056f0kfdl000Bg3vEAAR" op="Disable">
    <AttributeRequest name="ProfileId" op="Set" value="00eG000dfj0cLsDIAU"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0000000251"/>
      <entry key="requester" value="somebody"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="0a104d7987bc1d63818829a55db2723e" name="somebody"/>
  </Requesters>
</ProvisioningPlan>

Just to update this case. The Salesforce connector has changed between 8.2p2 and 8.2p6. What used to be done in one call for setting the profileid and disable, now is done in two separate API calls.

I ended up changing my beforeprovisioning rule to add disable modify as a separate accountrequest first.

Thanks.
Pasha
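One way to express the split described in the last post, as an added BeanShell sketch for a BeforeProvisioning rule (not the poster's rule or SailPoint's code). It assumes the fix means a Disable AccountRequest first, followed by a separate Modify AccountRequest carrying ProfileId, and that the connector processes AccountRequests in plan order.

```java
// BeanShell body of a BeforeProvisioning rule (added sketch, not the poster's rule).
// IdentityIQ supplies the provisioning plan as the rule variable "plan".
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String PROFILE_ATTR = "ProfileId";   // attribute name as it appears in the failing plan

List requests = plan.getAccountRequests();
List reordered = new ArrayList();

if (requests != null) {
    for (AccountRequest req : requests) {
        AttributeRequest profile = req.getAttributeRequest(PROFILE_ATTR);

        // Only the combined "Disable + set ProfileId" shape needs splitting;
        // every other request passes through unchanged and in its original position.
        if (!AccountRequest.Operation.Disable.equals(req.getOperation()) || profile == null) {
            reordered.add(req);
            continue;
        }

        // 1) The Disable request keeps every attribute except ProfileId.
        List kept = new ArrayList();
        for (AttributeRequest attr : req.getAttributeRequests()) {
            if (!PROFILE_ATTR.equals(attr.getName())) {
                kept.add(attr);
            }
        }
        req.setAttributeRequests(kept);
        reordered.add(req);

        // 2) A separate Modify request, placed after the Disable, carries ProfileId
        //    (assumption: Salesforce then sees the deactivation before the profile change).
        AccountRequest modify = new AccountRequest();
        modify.setOperation(AccountRequest.Operation.Modify);
        modify.setApplication(req.getApplication());
        modify.setNativeIdentity(req.getNativeIdentity());
        modify.add(profile);
        reordered.add(modify);
    }
    plan.setAccountRequests(reordered);
}
```

After a patch upgrade, logging the plan before and after this rule in a test environment confirms the leaver flow still deactivates the account and moves it to the restricted profile.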
