立即与支持人员聊天
与支持团队交流

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors AWS IAM ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText JFrog Artifactory xMatters Discourse Testrail ChipSoft PingOne Platform Azure DevOps UKG PRO Atlassian Cloud Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant Generating a private key for service account in GoToMeeting Configuring AWS IAM connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating a Service Principal for the Azure Infrastructure Connector Workday permissions needed to integrate via the Starling Connector Configuring integration application in DocuSign Creating integration Connect Client in Coupa Retrieving Azure DevOps Personal Access Token (PAT) Setup integration system and field override service in Workday Retrieving Atlassian Cloud API Key and Directory ID Retrieving Tableau Personal Access Token (PAT)

Mappings for Salesforce version 1.0

Salesforce offers a cloud-based customer relationship management (CRM) platform that lets users track sales, service, and marketing. It includes a social networking plug-in and analytical tools including email alerts, Google search functionality, and access to contracts.

To login to the Salesforce application, you must create a trial account. For more information, see Setting a trial account on Salesforce

Salesforce connectors are available for use with One Identity Safeguard for Privileged Passwords.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Client ID - Consumer key of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).
  • Client Secret - Consumer Secret of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).

  • Username

  • Password - <Login password><Security token received over email>

  • Token URL - Salesforce's token URL (https://<saleforce_instance_url>/services/oauth2/token)

  • Grant Type : password

NOTE:

Following will be the new IP addresses post the connector migration to Kubernetes:

  • US: 13.91.196.96 and 40.88.252.103

  • EU: 20.82.221.63 and 51.105.212.253

Supported objects and operations in Salesforce version 1.0

Users

Table 3: Supported operations for Users

Operation

VERB

Create

POST

Update (id)

PUT

Delete (id)

DELETE

Get (id)

GET

Get 

GET

Pagination GET

Groups

Table 4: Supported operations for Groups

Operation

VERB

Create

POST

Update (id)

PUT

Delete  (id)

DELETE

Get (id)

GET

Get

GET

Pagination GET

Roles

Table 5: Supported operations for Roles

Operation

VERB

Get All Roles

GET

Get Role (Id)

GET

Profiles

Table 6: Supported operations for Profiles

Operation

VERB

Get All Profiles

GET

Get Profile (Id)

GET

PermissionSets

Table 7: Supported operations for PermissionSets

Operation

VERB

Create PermissionSets

POST

Update PermissionSets

PUT

Delete PermissionSets

DELETE

Add PermissionSet members

POST

Remove PermissionSet members

DELETE

Get All PermissionSets

GET

Get All PermissionSets by Id

GET

Mandatory fields

Users

  • Last Name
  • Email
  • Alias (Auto populated with the combination of First and/or Last name)
  • Username (Auto populated from email)
  • Nickname (Auto populated from email; takes the name before “@”)
  • Email Encoding
  • Locale Settings (Time Zone, Locale & Language)
  • Entitlements - ProfileId

Groups

  • Group Name

Permissions Sets

  • Name
  • Label

The user and group mapping is listed in the table below.

Table 8: User mapping for Salesforce version 1.0
SCIM parameter Salesforce parameter
Id id
UserName Username
ExternalId FederationIdentifier
Name.GivenName FirstName
Name.FamilyName LastName
Name.Formatted Name
DisplayName Name
NickName CommunityNickname
Emails.Value Email
Photos.Value FullPhotoUrl
Addresses.StreetAddress Street
Addresses.Locality City
Addresses.Region State

Addresses.PostalCode

PostalCode

Addresses.Country

Country

PhoneNumbers.Values

Phone

UserType

UserType

Title

Title

PreferredLanguage

LanguageLocaleKey

Locale

LocaleSidKey

Timezone

TimeZoneSidKey

Active

IsActive

password [* another API Call]

Entitlements[].Value

Profile[].Id

Entitlements[].Display

Profile[].Name

Roles[].Value

UserRole[].Id

Roles[].Display

UserRole[].Name

Extension.PasswordLastSet

LastPasswordChangeDate

Extension.EmailEncoding

EmailEncodingKey

Extension.Organization

CompanyName

Extension.Division

Division

Extension.Department

Department

Extension.Description

AboutMe

Extension.Manager.Value

Manager.Id

Extension.Manager.DisplayName

Manager.Name

Extension.LastLogon

LastLoginDate

Extension.EmployeeNumber

EmployeeNumber

Extension.Alias

Alias

Extension.UserPermissionsMobileUser

UserPermissionsMobileUser

Extension.UserPermissionsSFContentUser

UserPermissionsSFContentUser

Extension.UserPermissionsKnowledgeUser

UserPermissionsKnowledgeUser

Extension.UserPermissionsOfflineUser

UserPermissionsOfflineUser

Extension.UserPermissionsMarketingUser

UserPermissionsMarketingUser

Extension.UserPermissionsCallCenterAutoLogin

UserPermissionsCallCenterAutoLogin

Extension.UserPermissionsInteractionUser

UserPermissionsInteractionUser

Extension.UserPermissionsSupportUser

UserPermissionsSupportUser

Extension.FullPhotoUrl

FullPhotoUrl

Meta.Created

CreatedDate

Meta.LastModified

LastModifiedDate

Table 9: Group mapping for SalesForce version 1.0
SCIM parameter Salesforce parameter
Id Id
DisplayName Name
Members.value UserOrGroupId
Meta.Created CreatedDate
Meta.LastModified LastModifiedDate

 

Table 10: Role mapping for SalesForce version 1.0
SCIM parameter Salesforce parameter
Id Id
Name Name
Members[].value RoleMembers[].Id
Members[].display RoleMembers[].Name

Meta.Created

CreatedDate

Meta.LastModified LastModifiedDate

 

Table 11: Profile mapping for SalesForce version 1.0
SCIM parameter Salesforce parameter
Id Id
Name Name
Members[].value ProfileMembers[].Id
Members[].display ProfileMembers[].Name
Meta.Created CreatedDate

Meta.LastModified

LastModifiedDate

 

Table 12: Permission Sets mapping for Salesforce version 1.0
SCIM parameter Salesforce parameter
Id ID
Name Name

Label

Label

Members[].value PermissionSetMembers[].Id
Members[].display PermissionSetMembers[].Name
Meta.Created CreatedDate

Meta.LastModified

LastModifiedDate

PermissionSetGroupId

PermissionSetGroupId

PermissionSetType

Type

NOTE:The "permissionSetType" is theoretically not updatable in the Salesforce. This is designed to be 'immutable' in the connector schemas simply for handling the update scenario from SCIM client appropriately.

Connector limitations

  • Even if the Count value is less than 2000, the resources are returned as 2000.

    NOTE: Salesforce connector currently supports Salesforce api version 53.0.

  • Salesforce does not display an error when you create Duplicate Groups. It returns the existing group information. A duplicate group will not be created.

  • Connector updates the count value of pagination property to 500 when it is more than 500. This is done to solve common validation error.

  • Due to target API behaviour, only membership management is supported in Permission set groups in the connector.

  • If you disable a parent attribute in the target system, for example manager, but do not disable it in the Starling Connect UI under EnterpriseUser; instead you disable only the child attribute manager.value in the Starling Connect UI, then the connector cannot determine whether the other child attributes manager.displayName and manager.$ref under the parent attribute manager are enabled or not in the target system. Hence, in this case, the request query will contain the other the child attributes manager.displayName and manager.$ref but not the manager.value. The solution is to disable the entire parent attribute manager in the Starling Connect UI.
  • You cannot update the password of an inactive user due to target system limitations. When you try to create an inactive user, the error message Password cannot be updated of an inactive user is displayed. However, the user is created by the system. This is because the User Create operation for inactive user is internally carried out as Create User and Set Password operations, one after the another.
  • The connector supports assignment of roles and profiles to account in accordance with the Salesforce data model.

 

Salesforce connector for Safeguard for Privileged Passwords

  • The Instance parameter (which corresponds with the datacenter the connector should access) is required when configuring the supervisor.

  • The user account used to register the connecter must have sufficient authorization to change another user's password.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in Salesforce version 2.0

Following are the features that are available exclusively in Salesforce v.2.0:

  • The below listed additional attributes are available for the User object:
    • Extension.UserPreferencesContentEmailAsAndWhen
    • Extension.UserPreferencesContentNoEmail
    • Extension.CallCenterId

    NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

Mappings for Salesforce version 2.0

Table 13: User mapping for Salesforce version 2.0
SCIM parameter Salesforce parameter

Extension.UserPreferencesContentEmailAsAndWhen

UserPreferencesContentEmailAsAndWhen

Extension.UserPreferencesContentNoEmail

UserPreferencesContentNoEmail

Extension.CallCenterId

CallCenterId

NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

Features available exclusively in Salesforce v.3.0

Following are the features that are available exclusively in Salesforce v.3.0:

  • You can configure custom attributes for the Salesforce v.3.0 SCIM connector in Starling Connect for the User object.

    NOTE:

    • For more information about how to configure custom attributes, see Configuring custom attributes in connectors.
    • As the Salesforce target system does not support the disabling attributes feature, the Salesforce connector is enhanced only to support the configuration of custom attributes in the SCIM connector in version 3.0.

Features available exclusively in Salesforce v.4.0

Following are the features that are available exclusively in Salesforce v.4.0:

  • You can disable attributes in the Salesforce v.4.0 SCIM connector in Starling Connect for the User object.

    NOTE:

    • For more information, see Disabling attributes.
    • Although the Salesforce target system does not support disabling attributes, the Salesforce connector is enhanced to support the disable attributes feature to remove the attributes for all USER operations in v.4.0.

    Support for filter condition

    Salesforce connector supports filter condition for User objects. Filters can be applied and the Users filtered absed on the provided condition can be retrieved.

    To configure changes to One Identity Manager to support filter conditions

    1. Open the Synchronization Editor tool.
    2. Select SCIM connector.

    3. Select the Target system and navigate to Schema Classes.
    4. Add a new schema class for the user.
    5. Add the System filter and Select Object condition. Click Commit to Database.
    6. In User mappings, edit the Target system schema class with the recently created schema and click Commit to Database.
    7. Run the synchronization.

      Filter conditions are created.

    IMPORTANT:

    • The connector supports filter condition on all versions but only for User objects.

    • Supports only AND and OR logical operators.

    • Supports only parenthesis () for grouping the condition.

    • Filter condition can be applied for any of the User attributes supported by Salesforce workbench.

    • Complex attributes are not supported in filter condition. For example, name or email. Only sub-attributes are supported (email.value, name.familyName).

    • Filter condition should follow the below syntax

      For example:

      Example 1.<attribute_name><space><operator><space>'<string_value or date_value>' Example 2.<attribute_name><space><operators><space><int_value or bool_value>

    • The attribute name should not contain or be preceded with a Schema URN.

    • Filter condition values should not have single quotes or percentage with the filter condition value. For example, (userName co 'O'Malley') or (userName co 'O%Malley%').

    • Filter condition is not supported by connector for Custom attributes.

    • The filter condition related to Id fields attribute VALUES are case sensitive in the target system. For example, manager.value, roles.value.

      • Target system has the Id of Manager as 'aB12eqQ'

        • manager.value ='aB12eqQ' - condition matches and returns the results.

        • manager.value ='ab12eqq' - condition does not match and doesn't return the results.

    • Supports the following operators to filter the values with example should apply in OneIM.

      Table 14: Supported operators to filter values
      Operators OneIM System filters OneIM Select Objects
      eq → equal to  userType eq 'Standard' userType = 'Standard'
      ne → not equal to userType ne 'Standard' userType <> 'Standard'
      co → contains userType co 'Standard' userType like '%Standard%'
      sw → starts with userType sw 'Standard' userType like 'Standard%'
      ew → ends with userType ew 'Standard' userType like '%Standard'
      gt → greater than userType gt 100 userType > 100
      lt → less than userType lt 100 userType < 100
      ge → greater than or equal to userType ge 500 userType >= 500
      le → less than or equal to userType le 500 userType <= 500

    Examples of filter conditions that must be applied at OneIM:

    • userType co 'stand'

    • userType eq 'standard'

    • emails.value co 'baskar.may' or emails.value co 'test.user'

    • userType co 'stand' and (emails.value co 'baskar.may' or emails.value co 'test.user')

    Synchronization and integration of PermssionSets object type with One Identity Manager

    For more information, see Synchronization and assignment of PermissionSets to Users with One Identity Manager.

  • Connector limitations

    Salesforce offers a cloud-based customer relationship management (CRM) platform that lets users track sales, service, and marketing. It includes a social networking plug-in and analytical tools including email alerts, Google search functionality, and access to contracts.

    To login to the Salesforce application, you must create a trial account. For more information, see Setting a trial account on Salesforce

    Salesforce connectors are available for use with One Identity Safeguard for Privileged Passwords.

    Supervisor configuration parameters

    To configure the connector, following parameters are required:

    • Connector Name

    • Client ID - Consumer key of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).
    • Client Secret - Consumer Secret of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).

    • Username

    • Password - <Login password><Security token received over email>

    • Token URL - Salesforce's token URL (https://<saleforce_instance_url>/services/oauth2/token)

    • Grant Type : password

    NOTE:

    Following will be the new IP addresses post the connector migration to Kubernetes:

    • US: 13.91.196.96 and 40.88.252.103

    • EU: 20.82.221.63 and 51.105.212.253

    Supported objects and operations in Salesforce version 1.0

    Users

    Table 3: Supported operations for Users

    Operation

    VERB

    Create

    POST

    Update (id)

    PUT

    Delete (id)

    DELETE

    Get (id)

    GET

    Get 

    GET

    Pagination GET

    Groups

    Table 4: Supported operations for Groups

    Operation

    VERB

    Create

    POST

    Update (id)

    PUT

    Delete  (id)

    DELETE

    Get (id)

    GET

    Get

    GET

    Pagination GET

    Roles

    Table 5: Supported operations for Roles

    Operation

    VERB

    Get All Roles

    GET

    Get Role (Id)

    GET

    Profiles

    Table 6: Supported operations for Profiles

    Operation

    VERB

    Get All Profiles

    GET

    Get Profile (Id)

    GET

    PermissionSets

    Table 7: Supported operations for PermissionSets

    Operation

    VERB

    Create PermissionSets

    POST

    Update PermissionSets

    PUT

    Delete PermissionSets

    DELETE

    Add PermissionSet members

    POST

    Remove PermissionSet members

    DELETE

    Get All PermissionSets

    GET

    Get All PermissionSets by Id

    GET

    Mandatory fields

    Users

    • Last Name
    • Email
    • Alias (Auto populated with the combination of First and/or Last name)
    • Username (Auto populated from email)
    • Nickname (Auto populated from email; takes the name before “@”)
    • Email Encoding
    • Locale Settings (Time Zone, Locale & Language)
    • Entitlements - ProfileId

    Groups

    • Group Name

    Permissions Sets

    • Name
    • Label

    Mappings for Salesforce version 1.0

    The user and group mapping is listed in the table below.

    Table 8: User mapping for Salesforce version 1.0
    SCIM parameter Salesforce parameter
    Id id
    UserName Username
    ExternalId FederationIdentifier
    Name.GivenName FirstName
    Name.FamilyName LastName
    Name.Formatted Name
    DisplayName Name
    NickName CommunityNickname
    Emails.Value Email
    Photos.Value FullPhotoUrl
    Addresses.StreetAddress Street
    Addresses.Locality City
    Addresses.Region State

    Addresses.PostalCode

    PostalCode

    Addresses.Country

    Country

    PhoneNumbers.Values

    Phone

    UserType

    UserType

    Title

    Title

    PreferredLanguage

    LanguageLocaleKey

    Locale

    LocaleSidKey

    Timezone

    TimeZoneSidKey

    Active

    IsActive

    password [* another API Call]

    Entitlements[].Value

    Profile[].Id

    Entitlements[].Display

    Profile[].Name

    Roles[].Value

    UserRole[].Id

    Roles[].Display

    UserRole[].Name

    Extension.PasswordLastSet

    LastPasswordChangeDate

    Extension.EmailEncoding

    EmailEncodingKey

    Extension.Organization

    CompanyName

    Extension.Division

    Division

    Extension.Department

    Department

    Extension.Description

    AboutMe

    Extension.Manager.Value

    Manager.Id

    Extension.Manager.DisplayName

    Manager.Name

    Extension.LastLogon

    LastLoginDate

    Extension.EmployeeNumber

    EmployeeNumber

    Extension.Alias

    Alias

    Extension.UserPermissionsMobileUser

    UserPermissionsMobileUser

    Extension.UserPermissionsSFContentUser

    UserPermissionsSFContentUser

    Extension.UserPermissionsKnowledgeUser

    UserPermissionsKnowledgeUser

    Extension.UserPermissionsOfflineUser

    UserPermissionsOfflineUser

    Extension.UserPermissionsMarketingUser

    UserPermissionsMarketingUser

    Extension.UserPermissionsCallCenterAutoLogin

    UserPermissionsCallCenterAutoLogin

    Extension.UserPermissionsInteractionUser

    UserPermissionsInteractionUser

    Extension.UserPermissionsSupportUser

    UserPermissionsSupportUser

    Extension.FullPhotoUrl

    FullPhotoUrl

    Meta.Created

    CreatedDate

    Meta.LastModified

    LastModifiedDate

    Table 9: Group mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    DisplayName Name
    Members.value UserOrGroupId
    Meta.Created CreatedDate
    Meta.LastModified LastModifiedDate

     

    Table 10: Role mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    Name Name
    Members[].value RoleMembers[].Id
    Members[].display RoleMembers[].Name

    Meta.Created

    CreatedDate

    Meta.LastModified LastModifiedDate

     

    Table 11: Profile mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    Name Name
    Members[].value ProfileMembers[].Id
    Members[].display ProfileMembers[].Name
    Meta.Created CreatedDate

    Meta.LastModified

    LastModifiedDate

     

    Table 12: Permission Sets mapping for Salesforce version 1.0
    SCIM parameter Salesforce parameter
    Id ID
    Name Name

    Label

    Label

    Members[].value PermissionSetMembers[].Id
    Members[].display PermissionSetMembers[].Name
    Meta.Created CreatedDate

    Meta.LastModified

    LastModifiedDate

    PermissionSetGroupId

    PermissionSetGroupId

    PermissionSetType

    Type

    NOTE:The "permissionSetType" is theoretically not updatable in the Salesforce. This is designed to be 'immutable' in the connector schemas simply for handling the update scenario from SCIM client appropriately.

    • Even if the Count value is less than 2000, the resources are returned as 2000.

      NOTE: Salesforce connector currently supports Salesforce api version 53.0.

    • Salesforce does not display an error when you create Duplicate Groups. It returns the existing group information. A duplicate group will not be created.

    • Connector updates the count value of pagination property to 500 when it is more than 500. This is done to solve common validation error.

    • Due to target API behaviour, only membership management is supported in Permission set groups in the connector.

    • If you disable a parent attribute in the target system, for example manager, but do not disable it in the Starling Connect UI under EnterpriseUser; instead you disable only the child attribute manager.value in the Starling Connect UI, then the connector cannot determine whether the other child attributes manager.displayName and manager.$ref under the parent attribute manager are enabled or not in the target system. Hence, in this case, the request query will contain the other the child attributes manager.displayName and manager.$ref but not the manager.value. The solution is to disable the entire parent attribute manager in the Starling Connect UI.
    • You cannot update the password of an inactive user due to target system limitations. When you try to create an inactive user, the error message Password cannot be updated of an inactive user is displayed. However, the user is created by the system. This is because the User Create operation for inactive user is internally carried out as Create User and Set Password operations, one after the another.
    • The connector supports assignment of roles and profiles to account in accordance with the Salesforce data model.

     

    Salesforce connector for Safeguard for Privileged Passwords

    • The Instance parameter (which corresponds with the datacenter the connector should access) is required when configuring the supervisor.

    • The user account used to register the connecter must have sufficient authorization to change another user's password.

    Connector versions and features

    The following subsections describe the different connector version(s) and features available with them.

    Features available exclusively in Salesforce version 2.0

    Following are the features that are available exclusively in Salesforce v.2.0:

    • The below listed additional attributes are available for the User object:
      • Extension.UserPreferencesContentEmailAsAndWhen
      • Extension.UserPreferencesContentNoEmail
      • Extension.CallCenterId

      NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

    Mappings for Salesforce version 2.0

    Table 13: User mapping for Salesforce version 2.0
    SCIM parameter Salesforce parameter

    Extension.UserPreferencesContentEmailAsAndWhen

    UserPreferencesContentEmailAsAndWhen

    Extension.UserPreferencesContentNoEmail

    UserPreferencesContentNoEmail

    Extension.CallCenterId

    CallCenterId

    NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

    Features available exclusively in Salesforce v.3.0

    Following are the features that are available exclusively in Salesforce v.3.0:

    • You can configure custom attributes for the Salesforce v.3.0 SCIM connector in Starling Connect for the User object.

      NOTE:

      • For more information about how to configure custom attributes, see Configuring custom attributes in connectors.
      • As the Salesforce target system does not support the disabling attributes feature, the Salesforce connector is enhanced only to support the configuration of custom attributes in the SCIM connector in version 3.0.

    Features available exclusively in Salesforce v.4.0

    Following are the features that are available exclusively in Salesforce v.4.0:

  • You can disable attributes in the Salesforce v.4.0 SCIM connector in Starling Connect for the User object.

    NOTE:

    • For more information, see Disabling attributes.
    • Although the Salesforce target system does not support disabling attributes, the Salesforce connector is enhanced to support the disable attributes feature to remove the attributes for all USER operations in v.4.0.

    Support for filter condition

    Salesforce connector supports filter condition for User objects. Filters can be applied and the Users filtered absed on the provided condition can be retrieved.

    To configure changes to One Identity Manager to support filter conditions

    1. Open the Synchronization Editor tool.
    2. Select SCIM connector.

    3. Select the Target system and navigate to Schema Classes.
    4. Add a new schema class for the user.
    5. Add the System filter and Select Object condition. Click Commit to Database.
    6. In User mappings, edit the Target system schema class with the recently created schema and click Commit to Database.
    7. Run the synchronization.

      Filter conditions are created.

    IMPORTANT:

    • The connector supports filter condition on all versions but only for User objects.

    • Supports only AND and OR logical operators.

    • Supports only parenthesis () for grouping the condition.

    • Filter condition can be applied for any of the User attributes supported by Salesforce workbench.

    • Complex attributes are not supported in filter condition. For example, name or email. Only sub-attributes are supported (email.value, name.familyName).

    • Filter condition should follow the below syntax

      For example:

      Example 1.<attribute_name><space><operator><space>'<string_value or date_value>' Example 2.<attribute_name><space><operators><space><int_value or bool_value>

    • The attribute name should not contain or be preceded with a Schema URN.

    • Filter condition values should not have single quotes or percentage with the filter condition value. For example, (userName co 'O'Malley') or (userName co 'O%Malley%').

    • Filter condition is not supported by connector for Custom attributes.

    • The filter condition related to Id fields attribute VALUES are case sensitive in the target system. For example, manager.value, roles.value.

      • Target system has the Id of Manager as 'aB12eqQ'

        • manager.value ='aB12eqQ' - condition matches and returns the results.

        • manager.value ='ab12eqq' - condition does not match and doesn't return the results.

    • Supports the following operators to filter the values with example should apply in OneIM.

      Table 14: Supported operators to filter values
      Operators OneIM System filters OneIM Select Objects
      eq → equal to  userType eq 'Standard' userType = 'Standard'
      ne → not equal to userType ne 'Standard' userType <> 'Standard'
      co → contains userType co 'Standard' userType like '%Standard%'
      sw → starts with userType sw 'Standard' userType like 'Standard%'
      ew → ends with userType ew 'Standard' userType like '%Standard'
      gt → greater than userType gt 100 userType > 100
      lt → less than userType lt 100 userType < 100
      ge → greater than or equal to userType ge 500 userType >= 500
      le → less than or equal to userType le 500 userType <= 500

    Examples of filter conditions that must be applied at OneIM:

    • userType co 'stand'

    • userType eq 'standard'

    • emails.value co 'baskar.may' or emails.value co 'test.user'

    • userType co 'stand' and (emails.value co 'baskar.may' or emails.value co 'test.user')

    Synchronization and integration of PermssionSets object type with One Identity Manager

    For more information, see Synchronization and assignment of PermissionSets to Users with One Identity Manager.

  • Salesforce connector for Safeguard for Privileged Passwords

    Salesforce offers a cloud-based customer relationship management (CRM) platform that lets users track sales, service, and marketing. It includes a social networking plug-in and analytical tools including email alerts, Google search functionality, and access to contracts.

    To login to the Salesforce application, you must create a trial account. For more information, see Setting a trial account on Salesforce

    Salesforce connectors are available for use with One Identity Safeguard for Privileged Passwords.

    Supervisor configuration parameters

    To configure the connector, following parameters are required:

    • Connector Name

    • Client ID - Consumer key of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).
    • Client Secret - Consumer Secret of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).

    • Username

    • Password - <Login password><Security token received over email>

    • Token URL - Salesforce's token URL (https://<saleforce_instance_url>/services/oauth2/token)

    • Grant Type : password

    NOTE:

    Following will be the new IP addresses post the connector migration to Kubernetes:

    • US: 13.91.196.96 and 40.88.252.103

    • EU: 20.82.221.63 and 51.105.212.253

    Supported objects and operations in Salesforce version 1.0

    Users

    Table 3: Supported operations for Users

    Operation

    VERB

    Create

    POST

    Update (id)

    PUT

    Delete (id)

    DELETE

    Get (id)

    GET

    Get 

    GET

    Pagination GET

    Groups

    Table 4: Supported operations for Groups

    Operation

    VERB

    Create

    POST

    Update (id)

    PUT

    Delete  (id)

    DELETE

    Get (id)

    GET

    Get

    GET

    Pagination GET

    Roles

    Table 5: Supported operations for Roles

    Operation

    VERB

    Get All Roles

    GET

    Get Role (Id)

    GET

    Profiles

    Table 6: Supported operations for Profiles

    Operation

    VERB

    Get All Profiles

    GET

    Get Profile (Id)

    GET

    PermissionSets

    Table 7: Supported operations for PermissionSets

    Operation

    VERB

    Create PermissionSets

    POST

    Update PermissionSets

    PUT

    Delete PermissionSets

    DELETE

    Add PermissionSet members

    POST

    Remove PermissionSet members

    DELETE

    Get All PermissionSets

    GET

    Get All PermissionSets by Id

    GET

    Mandatory fields

    Users

    • Last Name
    • Email
    • Alias (Auto populated with the combination of First and/or Last name)
    • Username (Auto populated from email)
    • Nickname (Auto populated from email; takes the name before “@”)
    • Email Encoding
    • Locale Settings (Time Zone, Locale & Language)
    • Entitlements - ProfileId

    Groups

    • Group Name

    Permissions Sets

    • Name
    • Label

    Mappings for Salesforce version 1.0

    The user and group mapping is listed in the table below.

    Table 8: User mapping for Salesforce version 1.0
    SCIM parameter Salesforce parameter
    Id id
    UserName Username
    ExternalId FederationIdentifier
    Name.GivenName FirstName
    Name.FamilyName LastName
    Name.Formatted Name
    DisplayName Name
    NickName CommunityNickname
    Emails.Value Email
    Photos.Value FullPhotoUrl
    Addresses.StreetAddress Street
    Addresses.Locality City
    Addresses.Region State

    Addresses.PostalCode

    PostalCode

    Addresses.Country

    Country

    PhoneNumbers.Values

    Phone

    UserType

    UserType

    Title

    Title

    PreferredLanguage

    LanguageLocaleKey

    Locale

    LocaleSidKey

    Timezone

    TimeZoneSidKey

    Active

    IsActive

    password [* another API Call]

    Entitlements[].Value

    Profile[].Id

    Entitlements[].Display

    Profile[].Name

    Roles[].Value

    UserRole[].Id

    Roles[].Display

    UserRole[].Name

    Extension.PasswordLastSet

    LastPasswordChangeDate

    Extension.EmailEncoding

    EmailEncodingKey

    Extension.Organization

    CompanyName

    Extension.Division

    Division

    Extension.Department

    Department

    Extension.Description

    AboutMe

    Extension.Manager.Value

    Manager.Id

    Extension.Manager.DisplayName

    Manager.Name

    Extension.LastLogon

    LastLoginDate

    Extension.EmployeeNumber

    EmployeeNumber

    Extension.Alias

    Alias

    Extension.UserPermissionsMobileUser

    UserPermissionsMobileUser

    Extension.UserPermissionsSFContentUser

    UserPermissionsSFContentUser

    Extension.UserPermissionsKnowledgeUser

    UserPermissionsKnowledgeUser

    Extension.UserPermissionsOfflineUser

    UserPermissionsOfflineUser

    Extension.UserPermissionsMarketingUser

    UserPermissionsMarketingUser

    Extension.UserPermissionsCallCenterAutoLogin

    UserPermissionsCallCenterAutoLogin

    Extension.UserPermissionsInteractionUser

    UserPermissionsInteractionUser

    Extension.UserPermissionsSupportUser

    UserPermissionsSupportUser

    Extension.FullPhotoUrl

    FullPhotoUrl

    Meta.Created

    CreatedDate

    Meta.LastModified

    LastModifiedDate

    Table 9: Group mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    DisplayName Name
    Members.value UserOrGroupId
    Meta.Created CreatedDate
    Meta.LastModified LastModifiedDate

     

    Table 10: Role mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    Name Name
    Members[].value RoleMembers[].Id
    Members[].display RoleMembers[].Name

    Meta.Created

    CreatedDate

    Meta.LastModified LastModifiedDate

     

    Table 11: Profile mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    Name Name
    Members[].value ProfileMembers[].Id
    Members[].display ProfileMembers[].Name
    Meta.Created CreatedDate

    Meta.LastModified

    LastModifiedDate

     

    Table 12: Permission Sets mapping for Salesforce version 1.0
    SCIM parameter Salesforce parameter
    Id ID
    Name Name

    Label

    Label

    Members[].value PermissionSetMembers[].Id
    Members[].display PermissionSetMembers[].Name
    Meta.Created CreatedDate

    Meta.LastModified

    LastModifiedDate

    PermissionSetGroupId

    PermissionSetGroupId

    PermissionSetType

    Type

    NOTE:The "permissionSetType" is theoretically not updatable in the Salesforce. This is designed to be 'immutable' in the connector schemas simply for handling the update scenario from SCIM client appropriately.

    Connector limitations

    • Even if the Count value is less than 2000, the resources are returned as 2000.

      NOTE: Salesforce connector currently supports Salesforce api version 53.0.

    • Salesforce does not display an error when you create Duplicate Groups. It returns the existing group information. A duplicate group will not be created.

    • Connector updates the count value of pagination property to 500 when it is more than 500. This is done to solve common validation error.

    • Due to target API behaviour, only membership management is supported in Permission set groups in the connector.

    • If you disable a parent attribute in the target system, for example manager, but do not disable it in the Starling Connect UI under EnterpriseUser; instead you disable only the child attribute manager.value in the Starling Connect UI, then the connector cannot determine whether the other child attributes manager.displayName and manager.$ref under the parent attribute manager are enabled or not in the target system. Hence, in this case, the request query will contain the other the child attributes manager.displayName and manager.$ref but not the manager.value. The solution is to disable the entire parent attribute manager in the Starling Connect UI.
    • You cannot update the password of an inactive user due to target system limitations. When you try to create an inactive user, the error message Password cannot be updated of an inactive user is displayed. However, the user is created by the system. This is because the User Create operation for inactive user is internally carried out as Create User and Set Password operations, one after the another.
    • The connector supports assignment of roles and profiles to account in accordance with the Salesforce data model.

     

    • The Instance parameter (which corresponds with the datacenter the connector should access) is required when configuring the supervisor.

    • The user account used to register the connecter must have sufficient authorization to change another user's password.

    Connector versions and features

    The following subsections describe the different connector version(s) and features available with them.

    Features available exclusively in Salesforce version 2.0

    Following are the features that are available exclusively in Salesforce v.2.0:

    • The below listed additional attributes are available for the User object:
      • Extension.UserPreferencesContentEmailAsAndWhen
      • Extension.UserPreferencesContentNoEmail
      • Extension.CallCenterId

      NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

    Mappings for Salesforce version 2.0

    Table 13: User mapping for Salesforce version 2.0
    SCIM parameter Salesforce parameter

    Extension.UserPreferencesContentEmailAsAndWhen

    UserPreferencesContentEmailAsAndWhen

    Extension.UserPreferencesContentNoEmail

    UserPreferencesContentNoEmail

    Extension.CallCenterId

    CallCenterId

    NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

    Features available exclusively in Salesforce v.3.0

    Following are the features that are available exclusively in Salesforce v.3.0:

    • You can configure custom attributes for the Salesforce v.3.0 SCIM connector in Starling Connect for the User object.

      NOTE:

      • For more information about how to configure custom attributes, see Configuring custom attributes in connectors.
      • As the Salesforce target system does not support the disabling attributes feature, the Salesforce connector is enhanced only to support the configuration of custom attributes in the SCIM connector in version 3.0.

    Features available exclusively in Salesforce v.4.0

    Following are the features that are available exclusively in Salesforce v.4.0:

  • You can disable attributes in the Salesforce v.4.0 SCIM connector in Starling Connect for the User object.

    NOTE:

    • For more information, see Disabling attributes.
    • Although the Salesforce target system does not support disabling attributes, the Salesforce connector is enhanced to support the disable attributes feature to remove the attributes for all USER operations in v.4.0.

    Support for filter condition

    Salesforce connector supports filter condition for User objects. Filters can be applied and the Users filtered absed on the provided condition can be retrieved.

    To configure changes to One Identity Manager to support filter conditions

    1. Open the Synchronization Editor tool.
    2. Select SCIM connector.

    3. Select the Target system and navigate to Schema Classes.
    4. Add a new schema class for the user.
    5. Add the System filter and Select Object condition. Click Commit to Database.
    6. In User mappings, edit the Target system schema class with the recently created schema and click Commit to Database.
    7. Run the synchronization.

      Filter conditions are created.

    IMPORTANT:

    • The connector supports filter condition on all versions but only for User objects.

    • Supports only AND and OR logical operators.

    • Supports only parenthesis () for grouping the condition.

    • Filter condition can be applied for any of the User attributes supported by Salesforce workbench.

    • Complex attributes are not supported in filter condition. For example, name or email. Only sub-attributes are supported (email.value, name.familyName).

    • Filter condition should follow the below syntax

      For example:

      Example 1.<attribute_name><space><operator><space>'<string_value or date_value>' Example 2.<attribute_name><space><operators><space><int_value or bool_value>

    • The attribute name should not contain or be preceded with a Schema URN.

    • Filter condition values should not have single quotes or percentage with the filter condition value. For example, (userName co 'O'Malley') or (userName co 'O%Malley%').

    • Filter condition is not supported by connector for Custom attributes.

    • The filter condition related to Id fields attribute VALUES are case sensitive in the target system. For example, manager.value, roles.value.

      • Target system has the Id of Manager as 'aB12eqQ'

        • manager.value ='aB12eqQ' - condition matches and returns the results.

        • manager.value ='ab12eqq' - condition does not match and doesn't return the results.

    • Supports the following operators to filter the values with example should apply in OneIM.

      Table 14: Supported operators to filter values
      Operators OneIM System filters OneIM Select Objects
      eq → equal to  userType eq 'Standard' userType = 'Standard'
      ne → not equal to userType ne 'Standard' userType <> 'Standard'
      co → contains userType co 'Standard' userType like '%Standard%'
      sw → starts with userType sw 'Standard' userType like 'Standard%'
      ew → ends with userType ew 'Standard' userType like '%Standard'
      gt → greater than userType gt 100 userType > 100
      lt → less than userType lt 100 userType < 100
      ge → greater than or equal to userType ge 500 userType >= 500
      le → less than or equal to userType le 500 userType <= 500

    Examples of filter conditions that must be applied at OneIM:

    • userType co 'stand'

    • userType eq 'standard'

    • emails.value co 'baskar.may' or emails.value co 'test.user'

    • userType co 'stand' and (emails.value co 'baskar.may' or emails.value co 'test.user')

    Synchronization and integration of PermssionSets object type with One Identity Manager

    For more information, see Synchronization and assignment of PermissionSets to Users with One Identity Manager.

  • Connector versions and features

    Salesforce offers a cloud-based customer relationship management (CRM) platform that lets users track sales, service, and marketing. It includes a social networking plug-in and analytical tools including email alerts, Google search functionality, and access to contracts.

    To login to the Salesforce application, you must create a trial account. For more information, see Setting a trial account on Salesforce

    Salesforce connectors are available for use with One Identity Safeguard for Privileged Passwords.

    Supervisor configuration parameters

    To configure the connector, following parameters are required:

    • Connector Name

    • Client ID - Consumer key of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).
    • Client Secret - Consumer Secret of the connected app under API. Enable OAuth Settings (Left Menu | Build | Create | Apps).

    • Username

    • Password - <Login password><Security token received over email>

    • Token URL - Salesforce's token URL (https://<saleforce_instance_url>/services/oauth2/token)

    • Grant Type : password

    NOTE:

    Following will be the new IP addresses post the connector migration to Kubernetes:

    • US: 13.91.196.96 and 40.88.252.103

    • EU: 20.82.221.63 and 51.105.212.253

    Supported objects and operations in Salesforce version 1.0

    Users

    Table 3: Supported operations for Users

    Operation

    VERB

    Create

    POST

    Update (id)

    PUT

    Delete (id)

    DELETE

    Get (id)

    GET

    Get 

    GET

    Pagination GET

    Groups

    Table 4: Supported operations for Groups

    Operation

    VERB

    Create

    POST

    Update (id)

    PUT

    Delete  (id)

    DELETE

    Get (id)

    GET

    Get

    GET

    Pagination GET

    Roles

    Table 5: Supported operations for Roles

    Operation

    VERB

    Get All Roles

    GET

    Get Role (Id)

    GET

    Profiles

    Table 6: Supported operations for Profiles

    Operation

    VERB

    Get All Profiles

    GET

    Get Profile (Id)

    GET

    PermissionSets

    Table 7: Supported operations for PermissionSets

    Operation

    VERB

    Create PermissionSets

    POST

    Update PermissionSets

    PUT

    Delete PermissionSets

    DELETE

    Add PermissionSet members

    POST

    Remove PermissionSet members

    DELETE

    Get All PermissionSets

    GET

    Get All PermissionSets by Id

    GET

    Mandatory fields

    Users

    • Last Name
    • Email
    • Alias (Auto populated with the combination of First and/or Last name)
    • Username (Auto populated from email)
    • Nickname (Auto populated from email; takes the name before “@”)
    • Email Encoding
    • Locale Settings (Time Zone, Locale & Language)
    • Entitlements - ProfileId

    Groups

    • Group Name

    Permissions Sets

    • Name
    • Label

    Mappings for Salesforce version 1.0

    The user and group mapping is listed in the table below.

    Table 8: User mapping for Salesforce version 1.0
    SCIM parameter Salesforce parameter
    Id id
    UserName Username
    ExternalId FederationIdentifier
    Name.GivenName FirstName
    Name.FamilyName LastName
    Name.Formatted Name
    DisplayName Name
    NickName CommunityNickname
    Emails.Value Email
    Photos.Value FullPhotoUrl
    Addresses.StreetAddress Street
    Addresses.Locality City
    Addresses.Region State

    Addresses.PostalCode

    PostalCode

    Addresses.Country

    Country

    PhoneNumbers.Values

    Phone

    UserType

    UserType

    Title

    Title

    PreferredLanguage

    LanguageLocaleKey

    Locale

    LocaleSidKey

    Timezone

    TimeZoneSidKey

    Active

    IsActive

    password [* another API Call]

    Entitlements[].Value

    Profile[].Id

    Entitlements[].Display

    Profile[].Name

    Roles[].Value

    UserRole[].Id

    Roles[].Display

    UserRole[].Name

    Extension.PasswordLastSet

    LastPasswordChangeDate

    Extension.EmailEncoding

    EmailEncodingKey

    Extension.Organization

    CompanyName

    Extension.Division

    Division

    Extension.Department

    Department

    Extension.Description

    AboutMe

    Extension.Manager.Value

    Manager.Id

    Extension.Manager.DisplayName

    Manager.Name

    Extension.LastLogon

    LastLoginDate

    Extension.EmployeeNumber

    EmployeeNumber

    Extension.Alias

    Alias

    Extension.UserPermissionsMobileUser

    UserPermissionsMobileUser

    Extension.UserPermissionsSFContentUser

    UserPermissionsSFContentUser

    Extension.UserPermissionsKnowledgeUser

    UserPermissionsKnowledgeUser

    Extension.UserPermissionsOfflineUser

    UserPermissionsOfflineUser

    Extension.UserPermissionsMarketingUser

    UserPermissionsMarketingUser

    Extension.UserPermissionsCallCenterAutoLogin

    UserPermissionsCallCenterAutoLogin

    Extension.UserPermissionsInteractionUser

    UserPermissionsInteractionUser

    Extension.UserPermissionsSupportUser

    UserPermissionsSupportUser

    Extension.FullPhotoUrl

    FullPhotoUrl

    Meta.Created

    CreatedDate

    Meta.LastModified

    LastModifiedDate

    Table 9: Group mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    DisplayName Name
    Members.value UserOrGroupId
    Meta.Created CreatedDate
    Meta.LastModified LastModifiedDate

     

    Table 10: Role mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    Name Name
    Members[].value RoleMembers[].Id
    Members[].display RoleMembers[].Name

    Meta.Created

    CreatedDate

    Meta.LastModified LastModifiedDate

     

    Table 11: Profile mapping for SalesForce version 1.0
    SCIM parameter Salesforce parameter
    Id Id
    Name Name
    Members[].value ProfileMembers[].Id
    Members[].display ProfileMembers[].Name
    Meta.Created CreatedDate

    Meta.LastModified

    LastModifiedDate

     

    Table 12: Permission Sets mapping for Salesforce version 1.0
    SCIM parameter Salesforce parameter
    Id ID
    Name Name

    Label

    Label

    Members[].value PermissionSetMembers[].Id
    Members[].display PermissionSetMembers[].Name
    Meta.Created CreatedDate

    Meta.LastModified

    LastModifiedDate

    PermissionSetGroupId

    PermissionSetGroupId

    PermissionSetType

    Type

    NOTE:The "permissionSetType" is theoretically not updatable in the Salesforce. This is designed to be 'immutable' in the connector schemas simply for handling the update scenario from SCIM client appropriately.

    Connector limitations

    • Even if the Count value is less than 2000, the resources are returned as 2000.

      NOTE: Salesforce connector currently supports Salesforce api version 53.0.

    • Salesforce does not display an error when you create Duplicate Groups. It returns the existing group information. A duplicate group will not be created.

    • Connector updates the count value of pagination property to 500 when it is more than 500. This is done to solve common validation error.

    • Due to target API behaviour, only membership management is supported in Permission set groups in the connector.

    • If you disable a parent attribute in the target system, for example manager, but do not disable it in the Starling Connect UI under EnterpriseUser; instead you disable only the child attribute manager.value in the Starling Connect UI, then the connector cannot determine whether the other child attributes manager.displayName and manager.$ref under the parent attribute manager are enabled or not in the target system. Hence, in this case, the request query will contain the other the child attributes manager.displayName and manager.$ref but not the manager.value. The solution is to disable the entire parent attribute manager in the Starling Connect UI.
    • You cannot update the password of an inactive user due to target system limitations. When you try to create an inactive user, the error message Password cannot be updated of an inactive user is displayed. However, the user is created by the system. This is because the User Create operation for inactive user is internally carried out as Create User and Set Password operations, one after the another.
    • The connector supports assignment of roles and profiles to account in accordance with the Salesforce data model.

     

    Salesforce connector for Safeguard for Privileged Passwords

    • The Instance parameter (which corresponds with the datacenter the connector should access) is required when configuring the supervisor.

    • The user account used to register the connecter must have sufficient authorization to change another user's password.

    The following subsections describe the different connector version(s) and features available with them.

    Features available exclusively in Salesforce version 2.0

    Following are the features that are available exclusively in Salesforce v.2.0:

    • The below listed additional attributes are available for the User object:
      • Extension.UserPreferencesContentEmailAsAndWhen
      • Extension.UserPreferencesContentNoEmail
      • Extension.CallCenterId

      NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

    Mappings for Salesforce version 2.0

    Table 13: User mapping for Salesforce version 2.0
    SCIM parameter Salesforce parameter

    Extension.UserPreferencesContentEmailAsAndWhen

    UserPreferencesContentEmailAsAndWhen

    Extension.UserPreferencesContentNoEmail

    UserPreferencesContentNoEmail

    Extension.CallCenterId

    CallCenterId

    NOTE: The above three attributes are available in Salesforce v.2.0 in addition to the attributes that are available in version 1.0.

    Features available exclusively in Salesforce v.3.0

    Following are the features that are available exclusively in Salesforce v.3.0:

    • You can configure custom attributes for the Salesforce v.3.0 SCIM connector in Starling Connect for the User object.

      NOTE:

      • For more information about how to configure custom attributes, see Configuring custom attributes in connectors.
      • As the Salesforce target system does not support the disabling attributes feature, the Salesforce connector is enhanced only to support the configuration of custom attributes in the SCIM connector in version 3.0.

    Features available exclusively in Salesforce v.4.0

    Following are the features that are available exclusively in Salesforce v.4.0:

  • You can disable attributes in the Salesforce v.4.0 SCIM connector in Starling Connect for the User object.

    NOTE:

    • For more information, see Disabling attributes.
    • Although the Salesforce target system does not support disabling attributes, the Salesforce connector is enhanced to support the disable attributes feature to remove the attributes for all USER operations in v.4.0.

    Support for filter condition

    Salesforce connector supports filter condition for User objects. Filters can be applied and the Users filtered absed on the provided condition can be retrieved.

    To configure changes to One Identity Manager to support filter conditions

    1. Open the Synchronization Editor tool.
    2. Select SCIM connector.

    3. Select the Target system and navigate to Schema Classes.
    4. Add a new schema class for the user.
    5. Add the System filter and Select Object condition. Click Commit to Database.
    6. In User mappings, edit the Target system schema class with the recently created schema and click Commit to Database.
    7. Run the synchronization.

      Filter conditions are created.

    IMPORTANT:

    • The connector supports filter condition on all versions but only for User objects.

    • Supports only AND and OR logical operators.

    • Supports only parenthesis () for grouping the condition.

    • Filter condition can be applied for any of the User attributes supported by Salesforce workbench.

    • Complex attributes are not supported in filter condition. For example, name or email. Only sub-attributes are supported (email.value, name.familyName).

    • Filter condition should follow the below syntax

      For example:

      Example 1.<attribute_name><space><operator><space>'<string_value or date_value>' Example 2.<attribute_name><space><operators><space><int_value or bool_value>

    • The attribute name should not contain or be preceded with a Schema URN.

    • Filter condition values should not have single quotes or percentage with the filter condition value. For example, (userName co 'O'Malley') or (userName co 'O%Malley%').

    • Filter condition is not supported by connector for Custom attributes.

    • The filter condition related to Id fields attribute VALUES are case sensitive in the target system. For example, manager.value, roles.value.

      • Target system has the Id of Manager as 'aB12eqQ'

        • manager.value ='aB12eqQ' - condition matches and returns the results.

        • manager.value ='ab12eqq' - condition does not match and doesn't return the results.

    • Supports the following operators to filter the values with example should apply in OneIM.

      Table 14: Supported operators to filter values
      Operators OneIM System filters OneIM Select Objects
      eq → equal to  userType eq 'Standard' userType = 'Standard'
      ne → not equal to userType ne 'Standard' userType <> 'Standard'
      co → contains userType co 'Standard' userType like '%Standard%'
      sw → starts with userType sw 'Standard' userType like 'Standard%'
      ew → ends with userType ew 'Standard' userType like '%Standard'
      gt → greater than userType gt 100 userType > 100
      lt → less than userType lt 100 userType < 100
      ge → greater than or equal to userType ge 500 userType >= 500
      le → less than or equal to userType le 500 userType <= 500

    Examples of filter conditions that must be applied at OneIM:

    • userType co 'stand'

    • userType eq 'standard'

    • emails.value co 'baskar.may' or emails.value co 'test.user'

    • userType co 'stand' and (emails.value co 'baskar.may' or emails.value co 'test.user')

    Synchronization and integration of PermssionSets object type with One Identity Manager

    For more information, see Synchronization and assignment of PermissionSets to Users with One Identity Manager.

  • 相关文档

    The document was helpful.

    选择评级

    I easily found the information I needed.

    选择评级