16.9 Understanding and Configuring Salesforce Templates

Using standard Identity Governance Salesforce collector templates, you can collect data from User, UserRole, and Profile objects. The User object is used for Salesforce Identity and Salesforce Account collectors as well as the permission-holder information in the permission collectors.

The generic Salesforce permission collector is configured by default to collect UserRole permissions. However, you can configure the collector to collect other permission types such as UserLicense, PackageLicense, PermissionSetLicense, PermissionSet, PermissionSetGroup, and Profile. For your convenience, Identity Governance also provides Salesforce Role Permission and Salesforce Profile Permission collector templates to collect only UserRole and Profile objects respectively.

The Identity Governance Salesforce Fulfillment template provides a transformation policy that:

To assign some PermissionSet or PermissionSetGroup permissions, it might be necessary to assign an appropriate license first. We therefore recommend that you assign all licenses before you assign other permission types.

The default transformation policy also includes fulfillment attributes required for fulfillment operations. One required User attribute is ProfileId, which must contain the native ID value of a Profile permission. Since all Salesforce Users must have a Profile assignment at all times, it is your responsibility to provide a default ID that can be used for new Users or to reset a User whose profile has been removed by Identity Governance fulfillment actions. This attribute ID should replace the ID of default profile string in the transformation policy.

Depending on your operations, you might also need to specify additional Fulfillment Context attributes for userProfile and permissionProfile.