Salesforce leaver process - removal of permission set

Hi All,

We are implementing the leaver process on the Salesforce OOTB connector. When a user is terminated, his Salesforce account is to be disabled and the permission set should be removed from the account. With the below code I am able to disable the account, but the permission set is not getting removed. Can anyone guide?

// Handle 'Disable' operation
else if (AccountRequest.Operation.Disable.equals(account.getOperation())) {
    // Check the 'cloudLifecycleState' attribute from the identity
    if (identity != null) {
        String lifecycleStateStatus = (String) identity.getAttribute("cloudLifecycleState");
        if ("terminated".equalsIgnoreCase(lifecycleStateStatus)) {
            log.debug("Lifecycle state is 'terminated'; disabling account and removing all PermissionSets.");

            // Set account operation to 'Disable'
            account.setOperation(ProvisioningPlan.AccountRequest.Operation.Disable);

            // Handle 'PermissionSet' removal
            AttributeRequest permissionSetAttr = account.getAttributeRequest("PermissionSet");
            if (permissionSetAttr != null) {
                Object permissionSetValue = permissionSetAttr.getValue();

                if (permissionSetValue instanceof List) {
                    List permissionSetList = (List) permissionSetValue;

                    // Log the original PermissionSet values
                    log.debug("Original PermissionSet values: " + permissionSetList);

                    // Remove all items from the list using an iterator
                    Iterator iterator = permissionSetList.iterator();
                    while (iterator.hasNext()) {
                        iterator.next();   // Move to the next element
                        iterator.remove(); // Remove the current element
                        log.debug("PermissionSet item removed.");
                    }

                    // Log the PermissionSet values after removal
                    log.debug("PermissionSet values after removal: " + permissionSetList);

                    // Update the AttributeRequest to reflect the cleared list
                    AttributeRequest updatedAttrRequest = new AttributeRequest();
                    updatedAttrRequest.setName("PermissionSet");
                    updatedAttrRequest.setOperation(ProvisioningPlan.Operation.Remove);
                    updatedAttrRequest.setValue(permissionSetList); // Set the updated (now empty) list

                    // Replace the old AttributeRequest with the updated one
                    List attrRequests = account.getAttributeRequests();
                    attrRequests.remove(permissionSetAttr); // Remove the original AttributeRequest
                    attrRequests.add(updatedAttrRequest);   // Add the updated AttributeRequest

                    log.debug("Updated AttributeRequest for PermissionSet removal added.");
                } else {
                    log.warn("PermissionSet attribute value is not a List. Unable to process.");
                }
            } else {
                log.warn("No PermissionSet AttributeRequest found for the account.");
            }
        }
    }
}

Regards
Nandini

If the operation is of type “Disable”, it’s highly likely that there will be no attribute requests inside the account request, which means permissionSetAttr is always null in your code. Hence, the code inside if (permissionSetAttr != null) {} is skipped.

You can achieve this via a workflow (assuming the permission sets are granted via request access) where you can have a loop to send a "REVOKE_ACCESS" request for each of the permission sets the user has.

Thank you Nithesh, but no workflows are enabled. We need to achieve this via a rule only.
Any suggestions would be appreciated, please.

Nandini

Hi @nandiniks ,

You can handle this using the Rule itself; just a slight change is needed in the existing code. I think the account disable event can be handled by Provisioning settings directly, or else you can also add it in the rule, it's not a problem.

Like @iamnithesh said, the "disable" operation will not have any attribute requests inside the account request. In order to handle this case, take a look at the sample piece of rule below:

if (null != op && null != nativeIdentity && "terminated".equalsIgnoreCase(lcs) && op.equals(AccountRequest.Operation.Disable)) {
    List links = identity.getLinks();
    List entitlementList = new ArrayList();
    List entitlementsListToRemove = new ArrayList();
    if (null != links) {
        log.error("Before Rule: Link:\n" + links);
        for (Link link : links) {
            String applicationName = link.getApplicationName();
            if (null != applicationName && applicationName.equalsIgnoreCase("<Application Name>")) {
                // A Disable request carries no attribute requests, so the current
                // entitlements are read from the Link instead
                entitlementList = (List) link.getAttribute("memberOf");
                log.error("Before Rule: Entitlement List:\n" + entitlementList);
                log.error("Before Rule: Entitlement List To Remove:\n" + entitlementsListToRemove);
                break;
            }
        }
    }
    accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, entitlementList));
    log.error("Before Rule: Disable Operation Triggered | Provisioning STATUS_COMMITED");
}

Thanks!

Thank you Gokul.
Can you please review if the below code works as suggested?
else if (AccountRequest.Operation.Disable.equals(operation)) {
    // Check the 'cloudLifecycleState' attribute from the identity
    if (identity != null) {
        String lifecycleState = (String) identity.getAttribute("cloudLifecycleState");
        if ("terminated".equalsIgnoreCase(lifecycleState)) {
            log.debug("Lifecycle state is 'terminated'; disabling account and removing all PermissionSets.");

            // Retrieve and process links for PermissionSet removal
            List links = identity.getLinks();
            List entitlementList = new ArrayList();

            if (links != null) {
                log.debug("Links found: " + links);

                for (Link link : links) {
                    String applicationName = link.getApplicationName();
                    if (applicationName != null && applicationName.equalsIgnoreCase("SF")) { // Check for Salesforce application
                        entitlementList = (List) link.getAttribute("PermissionSet");
                        account.add(new AttributeRequest("PermissionSet", ProvisioningPlan.Operation.Remove, entitlementList));
                        log.debug("Entitlements (PermissionSet) to be removed: " + entitlementList);
                        break;
                    }
                }
            }

            // Set account operation to Disable
            account.setOperation(AccountRequest.Operation.Disable);
            log.debug("Account has been marked for disablement.");
        }
    }
}

I think this will work. Just check once that the entitlements list is retrieved and placed in the list. Thanks!

Thank you Gokul. Given it for deployment. Will share the results tomorrow.

Hi Gokul, tested the above code, it's not removing the permission set as required. Any thoughts would be helpful.
Nandini

Hi @nandiniks ,

Have you checked the logs? Especially: log.debug("Entitlements (PermissionSet) to be removed: " + entitlementList);

Checked, it's not entering the loop, it seems.

If it's not entering the loop, there is only one possibility, that is nothing but the link is not found, correct? I can't think of any other reasons.

Hi Gokul, for some strange reason, the logs are not capturing. Any other options we can try here to achieve this, please suggest.
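Pulling together Gokul's point above (a Disable request carries no attribute requests, so the current entitlements have to be read from the Link) and the later diagnosis that the Link is simply not being found, here is an added example of a Before Provisioning rule body. It is not code from any poster in this thread nor from SailPoint. It assumes the usual rule variables `plan`, `identity` and `log` are bound, that the Salesforce schema attribute holding permission sets is named "PermissionSet", and that "cloudLifecycleState" is the identity's lifecycle attribute. Instead of a hard-coded application name it matches the Link on the AccountRequest's own application and native identity, copies the Link's values into a fresh list, and logs exactly what it compared when no Link matches, so the "not entering the loop" case is visible in the logs.

```java
// Added example rule body (BeanShell-compatible Java); not the original poster's
// code and not SailPoint's. Assumed bindings: plan, identity, log.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumed name of the permission-set attribute in the Salesforce schema.
String PERMISSION_SET_ATTR = "PermissionSet";

if (plan != null && identity != null) {
    String lcs = (String) identity.getAttribute("cloudLifecycleState");
    boolean terminated = "terminated".equalsIgnoreCase(lcs);
    List accountRequests = plan.getAccountRequests();

    if (terminated && accountRequests != null) {
        for (AccountRequest account : accountRequests) {
            if (!AccountRequest.Operation.Disable.equals(account.getOperation())) {
                continue;
            }

            // Match the Link on the request's own application name and native
            // identity, not a literal, so a renamed application or a user with
            // several Salesforce accounts does not silently skip the removal.
            Link target = null;
            List links = identity.getLinks();
            if (links != null) {
                for (Link link : links) {
                    boolean sameApp = account.getApplication() != null
                        && account.getApplication().equalsIgnoreCase(link.getApplicationName());
                    boolean sameAccount = account.getNativeIdentity() == null
                        || account.getNativeIdentity().equals(link.getNativeIdentity());
                    if (sameApp && sameAccount) {
                        target = link;
                        break;
                    }
                }
            }

            if (target == null) {
                // The "not entering the loop" symptom: log the compared values so
                // an application-name or nativeIdentity mismatch shows up.
                log.warn("No Link for application '" + account.getApplication()
                    + "' and nativeIdentity '" + account.getNativeIdentity()
                    + "' on identity " + identity.getName());
                continue;
            }

            // Copy the Link's current values into a new list; never hand the
            // Link's own list object to the plan.
            Object current = target.getAttribute(PERMISSION_SET_ATTR);
            List toRemove = new ArrayList();
            if (current instanceof List) {
                toRemove.addAll((List) current);
            } else if (current != null) {
                toRemove.add(current); // single-valued on the Link
            }

            if (toRemove.isEmpty()) {
                log.info("Link has no " + PERMISSION_SET_ATTR + " values; nothing to remove.");
                continue;
            }

            account.add(new AttributeRequest(PERMISSION_SET_ATTR,
                ProvisioningPlan.Operation.Remove, toRemove));
            log.debug("Removing " + PERMISSION_SET_ATTR + " " + toRemove + " from "
                + account.getApplication() + "/" + account.getNativeIdentity());
        }
    }
}
```

When the warn line fires, compare its application name and nativeIdentity against the Link shown on the identity's Application Accounts tab; that comparison is what decides whether the Remove request is ever added to the plan.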

Are you passing the permission set id or the permission set assignment id to the Salesforce API?

You cannot remove a permission set directly like most others; it's a 2-call process.

First, get the permission set assignment id for the user's permission set:

SELECT+Id,+Name,+label+FROM+PermissionSet+WHERE+IsActive+=+true…you can add more to the where clause here to include a particular user…something like AssigneeId+IN+(user nativeid from plan)+AND+PermissionSetId+IN+('permissionset id from plan')

The response body of the above will contain something like:

{
  "attributes": {
    "type": "PermissionSetAssignment",
    "url": "/svc/data/v112.0/sobjects/PermissionSetAssignment/Abcd1257avdcbehjcj"
  },
  ...
}

Make a DELETE call to this URL.

@nandiniks, a permission set I believe comes with groups, so it seems you are getting some error while removing. Check if there is any link with a role or group for the permission set, then try the remove operation or the set operation and see if this is working.
It will remove all the required licenses and permissions, as this is a working connector, until you are getting some error.
