Sticky entitlement issue for Salesforce

SudheerB · April 29, 2025, 2:40pm

We are assigning a role to a user that includes a Salesforce base permission set and an Entra group from SailPoint ISC. Once the Salesforce account is provisioned with the base permission set, the Salesforce team modifies the permission set to include different permissions. After the Salesforce app is aggregated, SailPoint reprovisions the initial base permission set, which causes the changed permission set to be removed from Salesforce. We understand that this is related to a sticky entitlement issue.

To address this issue, we implemented a before provisioning rule to remove the assignment from the PermissionSet in the plan. However, we are still encountering the same sticky entitlement issue. This solution is part of the DeveloperDays for IIQ, as discussed here: Ungluing Sticky AttributeAssignments.

The code used is as follows:

Attributes atts = reqGroup.getArgs();
if(null != reqGroup.getValue() ) {
if(reqGroup.getValue().equalsIgnoreCase(“InitialPermissionSetNoAccess”)){
if(atts.containsKey(“assignment”)){
atts.remove(“assignment”);
}
}
}

Could anyone assist us with possible solutions?

One important note is that the Salesforce team will continue to modify the permission set and we cant use access profiles to request access, due to requirement restrictions

suresh4iam · April 29, 2025, 2:52pm

Either you need to use Certification or SailPoint API to handle the sticky entitlements. Otherwise it will keep trying to provisioning it.

I would use Workflow to create a cert campaign to handle the add or remove the permission set when there was a change in the identity access or in attributes.

SudheerB · April 29, 2025, 3:00pm

Hi @suresh4iam, thanks for quick response. We are requesting a role which has entra group nd permission from salesforce. even if i remove from workflow. on identity refresh it assign back the permission right

kalyan_dev32 · April 29, 2025, 3:05pm

I remember that setting assignment: true worked for us in one of our implementations.

Give it a try below.

Account account = getAccount(identity, accountRequest);
    if(null != idn.getRawAccountAttribute(account, attribute)) {
      List ents = asList(idn.getRawAccountAttribute(account, attribute));
      if(ents != null) {
     // created attrs and added to attributeRequest
        Attributes attrs = new Attributes();
        attrs.put("assignment", true);
        AttributeRequest attributeRequest = new AttributeRequest(attribute, ProvisioningPlan.Operation.Remove, ents);
        attributeRequest.setArgs(attrs);
        accountRequest.add(attributeRequest);
      }
    }

suresh4iam · April 29, 2025, 3:07pm

The workflow can remove all access items like Roles, Access Profiles and Entitlements. You can handle it in the Workflow by using either a Campaign filter to avoid certain access items if you already know it or using Campaign API to make a decision on each access items.

SudheerB · April 29, 2025, 3:17pm

This works for removal i understand. we used same thing for other apps for removal it worked. this usecase for add entitlement. as part of plan if we remove assignment does it work or do we have any other solution

justinrhaines · May 20, 2025, 4:20pm

Take a look at Dylan’s blog for a solution to sticky entitlements: