We are assigning a role to a user that includes a Salesforce base permission set and an Entra group from SailPoint ISC. Once the Salesforce account is provisioned with the base permission set, the Salesforce team modifies the permission set to include different permissions. After the Salesforce app is aggregated, SailPoint reprovisions the initial base permission set, which causes the changed permission set to be removed from Salesforce. We understand that this is related to a sticky entitlement issue.
To address this issue, we implemented a before provisioning rule to remove the assignment from the PermissionSet in the plan. However, we are still encountering the same sticky entitlement issue. This solution is part of the DeveloperDays for IIQ, as discussed here: Ungluing Sticky AttributeAssignments.
One important note is that the Salesforce team will continue to modify the permission set, and we can't use access profiles to request access due to requirement restrictions.
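As an added illustration of the kind of Before Provisioning rule the original post describes (not the poster's code), here is a BeanShell rule that drops the add of the base permission set from Modify requests only, so the initial Create still provisions it. The rule inputs (plan, application, log), the attribute name "PermissionSet", the placeholder permission set value and returning the plan are assumptions and must be checked against your Salesforce source schema and the ISC rule contract.

```java
// Added example: ISC Before Provisioning rule (BeanShell / Java syntax).
// Assumed rule inputs: plan (ProvisioningPlan), application (Application), log.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumption: attribute name taken from the post; must match the account schema.
String PERMISSION_SET_ATTR = "PermissionSet";
// Placeholder: the base permission set the role assigns (value not from the post).
String BASE_PERMISSION_SET = "BASE_PERMISSION_SET_PLACEHOLDER";

if (plan != null && plan.getAccountRequests() != null) {
  for (Object ar : plan.getAccountRequests()) {
    AccountRequest acctReq = (AccountRequest) ar;
    // Only touch updates of an existing account; a Create still gets the base set.
    if (!AccountRequest.Operation.Modify.equals(acctReq.getOperation())) continue;
    List attrReqs = acctReq.getAttributeRequests();
    if (attrReqs == null) continue;
    List kept = new ArrayList();
    for (Object o : attrReqs) {
      AttributeRequest attrReq = (AttributeRequest) o;
      boolean isPermSetAdd = PERMISSION_SET_ATTR.equalsIgnoreCase(attrReq.getName())
          && ProvisioningPlan.Operation.Add.equals(attrReq.getOperation());
      if (!isPermSetAdd) { kept.add(attrReq); continue; }
      Object value = attrReq.getValue();
      if (value instanceof List) {
        // Multi-valued request: strip only the base set, keep any other values.
        List remaining = new ArrayList((List) value);
        remaining.remove(BASE_PERMISSION_SET);
        if (!remaining.isEmpty()) { attrReq.setValue(remaining); kept.add(attrReq); }
      } else if (!BASE_PERMISSION_SET.equals(value)) {
        kept.add(attrReq);
      }
      // Dropped requests are logged so the change is visible in the rule log.
      if (!kept.contains(attrReq)) {
        log.info("BeforeProvisioning: removed base permission set add from Modify for "
            + acctReq.getNativeIdentity());
      }
    }
    acctReq.setAttributeRequests(kept);
  }
}
// Assumption: the rule hands the modified plan back to the provisioning engine.
return plan;
```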
You need to use either Certification or the SailPoint API to handle the sticky entitlements. Otherwise it will keep trying to provision it.
I would use a Workflow to create a cert campaign to handle adding or removing the permission set when there is a change in the identity's access or attributes.
Hi @suresh4iam, thanks for the quick response. We are requesting a role which has an Entra group and a permission from Salesforce. Even if I remove it from the workflow, on identity refresh it assigns the permission back, right?
The workflow can remove all access items like Roles, Access Profiles and Entitlements. You can handle it in the Workflow by using either a Campaign filter to avoid certain access items, if you already know them, or the Campaign API to make a decision on each access item.
This works for removal, I understand. We used the same thing for other apps for removal and it worked. This use case is for adding an entitlement. As part of the plan, if we remove the assignment, does it work, or do we have any other solution?