16.9 Understanding and Configuring Salesforce Templates

Identity Governance provides the following templates for Salesforce:

  • Salesforce Identity

  • Salesforce Account

  • Salesforce Permission

  • Salesforce Profile Permission

  • Salesforce Role Permission

  • Salesforce Fulfillment

For additional information about configuring Salesforce templates, see the following sections:

16.9.1 About Salesforce Collectors

Using standard Identity Governance Salesforce collector templates, you can collect data from User, UserRole, and Profile objects. The User object is used for Salesforce Identity and Salesforce Account collectors as well as the permission-holder information in the permission collectors.

The generic Salesforce permission collector is configured by default to collect UserRole permissions. However, you can configure the collector to collect other permission types such as UserLicense, PackageLicense, PermissionSetLicense, PermissionSet, PermissionSetGroup, and Profile. For your convenience, Identity Governance also provides Salesforce Role Permission and Salesforce Profile Permission collector templates, which collect only UserRole and Profile objects, respectively.

16.9.2 About Salesforce Fulfillment

The Identity Governance Salesforce Fulfillment template provides a transformation policy that:

  • Executes a query for a single existing user and creates a new Salesforce User if needed

  • Assigns or revokes the following permission types: UserRole, Profile, PackageLicense, PermissionSetLicense, PermissionSet, and PermissionSetGroup

To assign some PermissionSet or PermissionSetGroup permissions, it might be necessary to assign an appropriate license first. We therefore recommend that you assign all licenses before you assign other permission types.

The default transformation policy also includes fulfillment attributes required for fulfillment operations. One required User attribute is ProfileId, which must contain the native ID value of a Profile permission. Because all Salesforce Users must have a Profile assignment at all times, it is your responsibility to provide a default ID that can be used for new Users or to reset a User whose profile has been removed by Identity Governance fulfillment actions. This ID should replace the "ID of default profile" string in the transformation policy.
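The following pre-deployment check is an added example, not part of the Identity Governance product or its transformation policy. It verifies that a configured default ProfileId is a well-formed Salesforce Profile ID and orders assignment requests so that licenses are fulfilled first. The request dictionary shape and the function names are hypothetical; the `00e` Profile key prefix and the 18-character checksum rule are standard Salesforce ID conventions.

```python
import re

# Fulfillment permission types from this section that are licenses.
LICENSE_TYPES = {"PackageLicense", "PermissionSetLicense"}
# Alphabet Salesforce uses for the 3-character case-safe ID suffix.
SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"


def sf_checksum(id15):
    """Compute the 3-character suffix for a 15-character Salesforce ID."""
    suffix = ""
    for start in range(0, 15, 5):
        chunk = id15[start:start + 5]
        # Bit j is set when character j of the chunk is an uppercase letter.
        bits = sum(1 << j for j, ch in enumerate(chunk) if ch.isupper())
        suffix += SUFFIX_ALPHABET[bits]
    return suffix


def check_profile_id(value):
    """Return a list of problems with a default ProfileId (empty means OK)."""
    if not re.fullmatch(r"[A-Za-z0-9]{15}|[A-Za-z0-9]{18}", value):
        return ["not a 15- or 18-character Salesforce ID "
                "(was the default string replaced?)"]
    problems = []
    if not value.startswith("00e"):
        problems.append("key prefix is not 00e, so this is not a Profile ID")
    if len(value) == 18 and sf_checksum(value[:15]) != value[15:].upper():
        problems.append("18-character checksum mismatch (mistyped ID?)")
    return problems


def order_assignments(requests):
    """Stable sort: license assignments first, other types in original order."""
    return sorted(requests, key=lambda r: r["type"] not in LICENSE_TYPES)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real Salesforce org.
    print(check_profile_id("00eA0000000ABCdIAO"))
    queue = [{"type": "PermissionSet", "id": "ps-1"},
             {"type": "PermissionSetLicense", "id": "psl-1"}]
    print([r["type"] for r in order_assignments(queue)])
```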

Depending on your operations, you might also need to specify additional Fulfillment Context attributes for userProfile and permissionProfile.