User and Group Object Modification
The Salesforce connector supports user object modification while enabling and disabling the accounts. For enable or disable account operations, you can modify other attributes of the account that are part of the user object.
The Salesforce connector supports multiple group objects and entitlements by having the group object schemas defined and aggregated.
The following are the group object schemas:
- PublicGroups
- QueueNames
- Role (Note: includes the role's hierarchy.)
- PermissionSet
- PermissionSetGroup
- PermissionSetLicense
- ManagedPackage
- DelegateGroup
User and group object modification is supported by default in new Salesforce sources. You must add the objects manually for pre-existing sources.
Important
You must manually add multi-group object schemas.
You must remove the UserRoleName and UserRoleId attributes from the account schema and add an attribute named Role in their place.
Adding the Role entitlement attribute to the account schema while UserRoleName is still present will produce duplicate Role entitlements. This can be helpful if you can't remove the UserRoleName attribute from the account schema.
Note the following when adding or modifying a group object:
- Use the API to create the new group schema.
- Use the POST method.
- Use the beta/sources/<source-id>/schemas URI.
JSON payload example:
{
  "name": "PublicGroups",
  "nativeObjectType": "PublicGroups",
  "identityAttribute": "Id",
  "displayAttribute": "Name",
  "hierarchyAttribute": null,
  "includePermissions": false,
  "features": [],
  "configuration": {},
  "attributes": [
    {
      "name": "Id",
      "type": "STRING",
      "schema": null,
      "description": "PublicGroups Id.",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "Name",
      "type": "STRING",
      "schema": null,
      "description": "PublicGroups name.",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    }
    …
  ]
}
The example given adds the following schema for the PublicGroups group object:
<Schema displayAttribute="Name" identityAttribute="Id" nativeObjectType="PublicGroups" objectType="PublicGroups">
  <AttributeDefinition name="Id" type="string">
    <Description>PublicGroups Id.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="Name" type="string">
    <Description>PublicGroups name.</Description>
  </AttributeDefinition>
</Schema>
DelegateGroup
The Salesforce connector supports the Salesforce DelegateGroup object. This section discusses additional considerations when configuring this object.
Updating Existing Source Schemas to Support DelegateGroup
If you have an existing source, you need to add the following attribute to your account schema to manage DelegateGroup objects in account aggregation. New sources have the attribute by default.
{
  "name": "DelegateGroup",
  "type": "STRING",
  "schema": {
    "type": "CONNECTOR_SCHEMA",
    "id": "<Add the Schema ID for the Delegate Group Object>",
    "name": "DelegateGroup"
  },
  "description": "The ID of the Delegate Group assigned to the user",
  "isMulti": true,
  "isEntitlement": true,
  "isGroup": true
},
To aggregate DelegateGroup as a group object on an existing source, create the following group schema on the source via the IDN REST API.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
{
  "name": "DelegateGroup",
  "nativeObjectType": "DelegateGroup",
  "identityAttribute": "Id",
  "displayAttribute": "Name",
  "hierarchyAttribute": null,
  "includePermissions": false,
  "features": [],
  "configuration": {},
  "attributes": [
    {
      "name": "Id",
      "type": "STRING",
      "schema": null,
      "description": "The Delegate Group's unique identifier",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "Name",
      "type": "STRING",
      "schema": null,
      "description": "The developer group's unique label",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "DeveloperName",
      "type": "STRING",
      "schema": null,
      "description": "The unique developer name for the delegate group",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "IsLoginAccessEnabled",
      "type": "BOOLEAN",
      "schema": null,
      "description": "Indicates if login access is enabled for the developer group",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    }
  ]
}
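The following is an added example, not SailPoint's code, that carries out the two schema changes described above: it builds a group schema payload in the shape of the page's PublicGroups and DelegateGroup examples, POSTs it to beta/sources/<source-id>/schemas, and then links the new schema from the account schema as a multi-valued entitlement attribute (dropping UserRoleName and UserRoleId when the attribute is Role, as the Important note requires). The tenant host form, the IDN_TENANT/IDN_TOKEN/IDN_SOURCE_ID environment variables, the assumption that the created schema is returned with an "id", and the use of PUT on beta/sources/<source-id>/schemas/<schema-id> to replace the account schema are assumptions; only the POST path and the payload shapes come from the page.

```python
import json
import os
import urllib.request
from typing import Iterable


def api_base(tenant: str) -> str:
    """Assumed tenant API host (taken from the host form in the page's aggregation URL)."""
    return f"https://{tenant}.api.identitynow.com"


def string_attribute(name: str, description: str) -> dict:
    """A plain STRING attribute of a group schema, in the shape the page's payloads use."""
    return {"name": name, "type": "STRING", "schema": None, "description": description,
            "isMulti": False, "isEntitlement": False, "isGroup": False}


def build_group_schema(name: str, attributes: list, identity: str = "Id",
                       display: str = "Name", hierarchy=None) -> dict:
    """Payload for POST beta/sources/<source-id>/schemas. Refuses to build a schema whose
    identity, display or hierarchy attribute is not defined among its attributes."""
    names = {a["name"] for a in attributes}
    for required in (identity, display):
        if required not in names:
            raise ValueError(f"attribute {required!r} must be defined in the schema")
    if hierarchy is not None and hierarchy not in names:
        raise ValueError(f"hierarchyAttribute {hierarchy!r} must be defined in the schema")
    return {"name": name, "nativeObjectType": name, "identityAttribute": identity,
            "displayAttribute": display, "hierarchyAttribute": hierarchy,
            "includePermissions": False, "features": [], "configuration": {},
            "attributes": attributes}


def link_group_attribute(account_schema: dict, attr_name: str, group_schema_id: str,
                         description: str, remove: Iterable[str] = ()) -> dict:
    """Return a copy of the account schema with the attributes named in `remove` dropped
    (e.g. UserRoleName and UserRoleId) and a multi-valued entitlement attribute `attr_name`
    that references the group schema `group_schema_id`. Any existing attribute of the same
    name is replaced, so running this twice does not create duplicate entitlements."""
    drop = set(remove) | {attr_name}
    kept = [a for a in account_schema.get("attributes", []) if a["name"] not in drop]
    kept.append({"name": attr_name, "type": "STRING",
                 "schema": {"type": "CONNECTOR_SCHEMA", "id": group_schema_id, "name": attr_name},
                 "description": description,
                 "isMulti": True, "isEntitlement": True, "isGroup": True})
    return {**account_schema, "attributes": kept}


def api_call(tenant: str, token: str, method: str, path: str, body=None):
    """Minimal JSON request with a bearer token obtained as described in SailPoint's
    REST API authentication guidance (token acquisition is out of scope here)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        api_base(tenant) + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed environment variables; nothing tenant-specific is hard-coded.
    tenant, token, source_id = (os.environ[k] for k in ("IDN_TENANT", "IDN_TOKEN", "IDN_SOURCE_ID"))
    schemas_path = f"/beta/sources/{source_id}/schemas"

    # 1. Create the DelegateGroup group schema (same attributes as the page's payload).
    delegate = api_call(tenant, token, "POST", schemas_path, build_group_schema("DelegateGroup", [
        string_attribute("Id", "The Delegate Group's unique identifier"),
        string_attribute("Name", "The developer group's unique label"),
        string_attribute("DeveloperName", "The unique developer name for the delegate group"),
        {**string_attribute("IsLoginAccessEnabled",
                            "Indicates if login access is enabled for the developer group"),
         "type": "BOOLEAN"},
    ]))

    # 2. Link it from the account schema. Assumed: the POST response carries the new
    #    schema's "id", and PUT .../schemas/<schema-id> replaces the account schema.
    account = next(s for s in api_call(tenant, token, "GET", schemas_path) if s["name"] == "account")
    account = link_group_attribute(account, "DelegateGroup", delegate["id"],
                                   "The ID of the Delegate Group assigned to the user")
    # For Role, the same call with remove=("UserRoleName", "UserRoleId") applies the Important note.
    api_call(tenant, token, "PUT", f"{schemas_path}/{account['id']}", account)
```

The pure functions (build_group_schema, link_group_attribute) can be exercised against a saved copy of the account schema before any request is sent, which is the safer order of operations on a production source: review the resulting JSON, then PUT it.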
Role Hierarchy
Before using the Role Hierarchy management feature, you must perform an unoptimized aggregation using the REST APIs, for example: https://{tenant}.api.identitynow.com/beta/entitlements/aggregate/sources/:id?disableOptimization=true
For connectors created before June 2024, you need to update your source schema to get support for the role hierarchy.
For existing sources, modify the existing Role schema by setting the hierarchy attribute and adding the following attributes:
{
  "hierarchyAttribute": "ParentRoleId",
  "attributes": [
    {
      "name": "CaseAccessForAccountOwner",
      "type": "STRING",
      "schema": null,
      "description": "The case access level for the account owner",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "ContactAccessForAccountOwner",
      "type": "STRING",
      "schema": null,
      "description": "The contact access level for the account owner",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "OpportunityAccessForAccountOwner",
      "type": "STRING",
      "schema": null,
      "description": "The opportunity access level for the account owner",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "ParentRoleId",
      "type": "STRING",
      "schema": null,
      "description": "Unique identifier for role's parent role",
      "isMulti": true,
      "isEntitlement": false,
      "isGroup": false
    }
  ]
}
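The Role-hierarchy additions above have to be merged into a Role schema that already exists on the source, not used as a whole new schema. The following added example (not SailPoint's code) folds the page's additions into an existing Role schema without duplicating attributes that are already there, checks that the hierarchy attribute is actually defined before anything is aggregated, and builds the unoptimized-aggregation URL from the page. That the aggregation endpoint is called with POST and a bearer token is an assumption; the page gives only the URL.

```python
import copy
import json
import urllib.request


def _attr(name: str, description: str, multi: bool = False) -> dict:
    return {"name": name, "type": "STRING", "schema": None, "description": description,
            "isMulti": multi, "isEntitlement": False, "isGroup": False}


# The page's Role-hierarchy additions for sources created before June 2024.
ROLE_HIERARCHY_ADDITIONS = {
    "hierarchyAttribute": "ParentRoleId",
    "attributes": [
        _attr("CaseAccessForAccountOwner", "The case access level for the account owner"),
        _attr("ContactAccessForAccountOwner", "The contact access level for the account owner"),
        _attr("OpportunityAccessForAccountOwner", "The opportunity access level for the account owner"),
        _attr("ParentRoleId", "Unique identifier for role's parent role", multi=True),
    ],
}


def merge_schema_additions(existing: dict, additions: dict) -> dict:
    """Return a copy of `existing` with `additions` folded in: hierarchyAttribute is set and
    attributes are appended only when no attribute of that name exists yet. Running it twice,
    or on a source that already carries the fields, changes nothing."""
    merged = copy.deepcopy(existing)
    if additions.get("hierarchyAttribute") is not None:
        merged["hierarchyAttribute"] = additions["hierarchyAttribute"]
    attrs = merged.setdefault("attributes", [])
    present = {a["name"] for a in attrs}
    for attr in additions.get("attributes", []):
        if attr["name"] not in present:
            attrs.append(copy.deepcopy(attr))
            present.add(attr["name"])
    return merged


def hierarchy_problems(schema: dict) -> list:
    """Checks worth running before the unoptimized aggregation: the hierarchy attribute must
    be set, must exist in the schema, and must not be the identity attribute itself."""
    names = {a["name"] for a in schema.get("attributes", [])}
    problems = []
    h = schema.get("hierarchyAttribute")
    if not h:
        problems.append("hierarchyAttribute is not set")
    elif h not in names:
        problems.append(f"hierarchyAttribute {h!r} is not an attribute of the schema")
    elif h == schema.get("identityAttribute"):
        problems.append("hierarchyAttribute must differ from identityAttribute")
    if schema.get("identityAttribute") not in names:
        problems.append("identityAttribute is not an attribute of the schema")
    return problems


def unoptimized_aggregation_url(tenant: str, source_id: str) -> str:
    """The page's aggregation URL with the tenant and source id filled in."""
    return (f"https://{tenant}.api.identitynow.com/beta/entitlements/aggregate/sources/"
            f"{source_id}?disableOptimization=true")


def trigger_unoptimized_aggregation(tenant: str, token: str, source_id: str):
    """Assumed: the endpoint accepts a POST with a bearer token; the page shows only the URL."""
    req = urllib.request.Request(unoptimized_aggregation_url(tenant, source_id), method="POST",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a pre-June-2024 Role schema with only Id and Name.
    old_role = {"name": "Role", "identityAttribute": "Id", "displayAttribute": "Name",
                "hierarchyAttribute": None, "attributes": [_attr("Id", "Role Id."), _attr("Name", "Role name.")]}
    print("before:", hierarchy_problems(old_role))
    new_role = merge_schema_additions(old_role, ROLE_HIERARCHY_ADDITIONS)
    print("after:", hierarchy_problems(new_role), json.dumps(new_role, indent=2))
```

Apply the merged schema to the source with the schema update API before triggering the aggregation; hierarchy_problems returning an empty list is the signal that the Role schema is ready.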