Having an issue with Salesforce and SailPoint. Salesforce only allows one Role to be assigned to an account at a time. During a transfer, SailPoint is attempting to add another Role while one is already assigned. Ideally I would like SailPoint to remove the existing Role before assigning the new Role. Is there any way to achieve that?
One way of doing that is with a Before Provisioning rule. The rule would have to check whether an entitlement (= Salesforce role) is already assigned to the user when another 'add role' provisioning request comes in. If that is the case, you stop the event from happening.
If you get in contact with the SailPoint Implementation team, they should be able to provide you with a 'standardized Before Provisioning' rule, which I have implemented at several of my customers as well. It allows you to configure this type of behavior without writing your own code.
Of course you can still write your own rule if you prefer, but that takes more effort to code, to get reviewed by SailPoint, etc.
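One way to write the check described in this answer, as an added example that is neither the SailPoint-provided "standardized" rule nor code posted in this thread. It assumes the usual cloud Before Provisioning rule inputs `plan`, `application`, `idn` and `log` are in scope, that the single-valued Salesforce role lives in an account attribute named `Role` (an assumption; use the schema attribute name from your Salesforce source), and that `idn.getAccountByNativeIdentity(applicationId, nativeIdentity)` returns a `sailpoint.rule.Account` whose `getAttributes()` map holds the current value (also an assumption; confirm the helper's name and signature against your tenant's rule documentation before use).

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.rule.Account;

// Assumption: the Salesforce source stores its single-valued role in an
// account attribute named "Role". Change this to match your source schema.
String roleAttr = "Role";

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest accntReq : plan.getAccountRequests()) {
        // Only an existing account can already hold a role; skip Create/Delete/Disable.
        if (!AccountRequest.Operation.Modify.equals(accntReq.getOperation())) continue;

        List attrReqs = accntReq.getAttributeRequests();
        if (attrReqs == null || attrReqs.isEmpty()) continue;

        // Work out what this account request does to the role attribute.
        AttributeRequest roleAdd = null;
        boolean roleRemoved = false;
        for (AttributeRequest attrReq : attrReqs) {
            if (!roleAttr.equalsIgnoreCase(attrReq.getName())) continue;
            if (ProvisioningPlan.Operation.Add.equals(attrReq.getOperation())) roleAdd = attrReq;
            if (ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation())) roleRemoved = true;
        }
        // A problem only arises when a role is added and the current one is not removed.
        if (roleAdd == null || roleRemoved) continue;

        // Look up the live account to see whether a role is already assigned.
        // Assumption: idn.getAccountByNativeIdentity(applicationId, nativeIdentity)
        // is the lookup helper and returns null when the account is unknown.
        String current = null;
        Account account = idn.getAccountByNativeIdentity(application.getId(), accntReq.getNativeIdentity());
        if (account != null && account.getAttributes() != null) {
            Object v = account.getAttributes().get(roleAttr);
            if (v != null) current = v.toString();
        }
        // No existing role, or the same role again: nothing Salesforce would reject.
        if (current == null || current.equals(String.valueOf(roleAdd.getValue()))) continue;

        // Conflict: Salesforce allows one role, so stop this add from reaching the
        // connector and record why, instead of letting it fail at provisioning time.
        log.warn("BeforeProvisioning: account " + accntReq.getNativeIdentity()
                 + " already has " + roleAttr + "=" + current
                 + "; dropping Add of " + roleAdd.getValue());
        accntReq.remove(roleAdd);
    }
}
```

The rule deliberately does nothing when the plan already carries a Remove for the role alongside the Add, which is what IdentityNow generates for a Role-to-Role transfer; it only intervenes when an Add arrives on its own against an account that already holds a different role.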
Hi @SailAway,
When a user changes from one IdentityNow Role to another Role, there will be an SF role add and an SF role remove attribute request in the same provisioning plan.
You can use a Before Provisioning rule to capture the role add/remove operations and modify the provisioning plan accordingly.
Below is a rule that I use to capture SF Profile/Role add/remove events and then remove the SF Profile/Role remove operation from the provisioning plan accordingly.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Rule Name" type="BeforeProvisioning">
<Description> Rule description</Description>
<Source><![CDATA[
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Salesforce ProfileId and Role are single-valued: the Add already replaces the
// current value, so the Remove that IdentityNow pairs with it is dropped here.
if (plan != null) {
    List accountRequests = plan.getAccountRequests();
    if (accountRequests != null) {
        // Iterating through account requests in the plan
        for (AccountRequest accntReq : accountRequests) {
            // Tracked per account request, so requests for different accounts never mix
            AttributeRequest roleRemoveAttrRequest = null;
            AttributeRequest roleAddAttrRequest = null;
            AttributeRequest profileRemoveAttrRequest = null;
            AttributeRequest profileAddAttrRequest = null;

            List attrsList = accntReq.getAttributeRequests();
            if (attrsList == null || attrsList.isEmpty()) continue;

            // Iterating through attribute requests in the account request
            for (AttributeRequest attrReq : attrsList) {
                String name = attrReq.getName();
                Object op = attrReq.getOperation();
                if ("ProfileId".equalsIgnoreCase(name)) {
                    // Profile entitlement remove / add operations
                    if (ProvisioningPlan.Operation.Remove.equals(op)) {
                        profileRemoveAttrRequest = attrReq;
                    } else if (ProvisioningPlan.Operation.Add.equals(op)) {
                        profileAddAttrRequest = attrReq;
                    }
                } else if ("Role".equalsIgnoreCase(name)) {
                    // Role entitlement remove / add operations
                    if (ProvisioningPlan.Operation.Remove.equals(op)) {
                        roleRemoveAttrRequest = attrReq;
                    } else if (ProvisioningPlan.Operation.Add.equals(op)) {
                        roleAddAttrRequest = attrReq;
                    }
                }
            }
            // Both a Role add and remove occurred: drop the remove from the plan
            if (roleRemoveAttrRequest != null && roleAddAttrRequest != null) {
                accntReq.remove(roleRemoveAttrRequest);
            }
            // Both a Profile add and remove occurred: drop the remove from the plan
            if (profileRemoveAttrRequest != null && profileAddAttrRequest != null) {
                accntReq.remove(profileRemoveAttrRequest);
            }
        }
    }
}
]]></Source>
</Rule>
Thanks
Thank you for this. I feel like the mover flow is basic functionality of a connector and should not require custom code. I have created an idea for this: https://ideas.sailpoint.com/ideas/GOV-I-4013
Thanks @mohammedfavazhrb great work!