User Provisioning Requests

After you configure user provisioning, Salesforce manages requests for updates on the third-party system. Salesforce sends user provisioning requests to the third-party system based on specific events in your organization, either through the UI or through API calls. The following table shows the events that trigger user provisioning requests.

| Event | Operation | Object |
|---|---|---|
| Create user | Create | User |
| Update user (for selected attributes) | Update | User |
| Disable user | Deactivate | User |
| Enable user | Activate | User |
| Freeze user | Freeze | UserLogin |
| Unfreeze user | Unfreeze | UserLogin |
| Reactivate user | Reactivate | User |
| Change user profile | Create/Deactivate | User |
| Assign/Unassign a permission set to a user | Create/Deactivate | PermissionSetAssignment |
| Assign/Unassign a profile to the connected app | Create/Deactivate | SetupEntityAccess |
| Assign/Unassign a permission set to the connected app | Create/Deactivate | SetupEntityAccess |

The operation value is stored in the UserProvisioningRequest object.
Salesforce can either process the request immediately or wait for a complete approval process (if you add an approval process during the User Provisioning Wizard steps).
To process the request, Salesforce uses a flow of the type User Provisioning, which includes a reference to the Apex UserProvisioningPlugin class. The flow calls the third-party service’s API to manage user account provisioning on that system.
If you want to send user provisioning requests based on events in Active Directory, use Salesforce Identity Connect to capture those events and synchronize them into your Salesforce organization. Then, Salesforce sends the user provisioning requests to the third-party system to provision or de-provision users.
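
Because a request can wait on approval or fail, a Deactivate or Freeze in Salesforce does not by itself mean access is gone on the third-party system. The following is an added example, not Salesforce's own code, that flags removal requests still unprocessed after a threshold, using records exported from UserProvisioningRequest. The field names other than Operation, the State and ApprovalStatus values, the 4-hour threshold and the sample records are assumptions to check against your org's schema.

```python
from datetime import datetime, timedelta

# Operation values from the table, grouped by what they act on.
# Removal operations must reach the third-party system promptly.
FAMILY = {"Create": "account", "Activate": "account", "Reactivate": "account",
          "Deactivate": "account", "Freeze": "login", "Unfreeze": "login"}
REMOVAL_OPS = {"Deactivate", "Freeze"}
DONE_STATE = "Completed"  # assumed State value for a processed request

def stale_removals(requests, now, max_age=timedelta(hours=4)):
    """Return removal requests that are still unprocessed after max_age.
    Only the newest request per (user, app, family) counts, so a later
    Activate or Unfreeze supersedes an older Deactivate or Freeze.
    """
    latest = {}
    for req in requests:
        family = FAMILY.get(req["Operation"])
        if family is None:
            continue  # Update is neither a removal nor a restoration
        key = (req["SalesforceUserId"], req["AppName"], family)
        created = datetime.fromisoformat(req["CreatedDate"])
        if key not in latest or created > latest[key][0]:
            latest[key] = (created, req)
    findings = []
    for created, req in latest.values():
        age = now - created
        if (req["Operation"] in REMOVAL_OPS and req["State"] != DONE_STATE
                and age > max_age):
            findings.append((req["SalesforceUserId"], req["Operation"],
                             req["State"], req["ApprovalStatus"],
                             round(age.total_seconds() / 3600, 1)))
    return sorted(findings, key=lambda f: f[4], reverse=True)

def row(user, op, state, approval, created):
    return {"SalesforceUserId": user, "AppName": "ExampleApp", "Operation": op,
            "State": state, "ApprovalStatus": approval, "CreatedDate": created}

# Constructed sample records (placeholder IDs, not real org data).
SAMPLE = [
    row("005A", "Deactivate", "Failed", "NotRequired", "2024-05-01T06:00:00+00:00"),
    row("005B", "Freeze", "Completed", "NotRequired", "2024-05-01T05:00:00+00:00"),
    row("005C", "Deactivate", "New", "Required", "2024-04-30T08:00:00+00:00"),
    row("005D", "Freeze", "Failed", "NotRequired", "2024-05-01T07:00:00+00:00"),
    row("005D", "Unfreeze", "Completed", "NotRequired", "2024-05-01T09:00:00+00:00"),
    row("005E", "Deactivate", "Requested", "NotRequired", "2024-05-01T11:30:00+00:00"),
]
NOW = datetime.fromisoformat("2024-05-01T12:00:00+00:00")
```

Each finding is a tuple of user ID, operation, state, approval status and age in hours, oldest first, so requests stuck in approval surface ahead of recent failures.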

Limitations

Entitlements
The roles and permissions for the service provider can’t be managed or stored in the Salesforce organization. So, specific entitlements to resources at the service provider are not included when a user requests access to a third-party app that has user provisioning enabled. While a user account can be created for a service provider, any additional roles or permissions for that user account should be managed via the service provider.
Scheduled account reconciliation
Run the User Provisioning Wizard each time you want to collect and analyze users in the third-party system. You can’t configure an interval for an automatic collection and analysis.
Access re-certification
After an account is created for the user, validation of the user’s access to resources at the service provider must be performed at the service provider.
