Explanation of how Identity Connect Permission Set Licenses are consumed and licenses used.

Knowledge Article Number 000193295
Description
When an Identity Connect license is consumed, two events occur: the Used Licenses count increases, and a Salesforce User is assigned to the Identity Connect Permission Set. The number of Used Licenses for the Identity Connect Permission Set License and the number of Salesforce Users assigned to the Identity Connect Permission Set should be the same.

Identity Connect may consume a license even if an AD (Active Directory) user has not been synced to Salesforce. This article goes over an example scenario where an Identity Connect license gets consumed even though an AD (Active Directory) user has not been synced to Salesforce. Going through this example scenario should also give an understanding of how Identity Connect licenses are consumed.

An Identity Connect license is consumed as soon as an AD (Active Directory) user is linked to a Salesforce user. This is regardless of whether the AD (Active Directory) user has actually been synced to Salesforce or not. The example scenario goes over how such a situation could occur.
 
 
Below is a screenshot showing the details for an Identity Connect Permission Set License. This can be found in Salesforce within Setup>>Company Information under the Permission Set Licenses section. Notice the Used Licenses is 15.
 

User-added image

The Salesforce Users assigned to the Identity Connect Permission Set can be viewed within Setup>>Manage Users>>Permission Sets. From the Permission Sets list, click on the Identity Connect link; this will bring up the Identity Connect Permission Set screen.

User-added image

On the Identity Connect Permission Set screen, click on the Assigned Users button. This will bring up all the Salesforce Users assigned to the Identity Connect Permission Set.

See the screenshot below, which shows a list of Salesforce Users assigned to the Identity Connect Permission Set. Notice the number of Salesforce Users shown is 15, which is the same as the number of consumed Identity Connect licenses mentioned above.
 
User-added image
 


Part of this scenario assumes there are current AD (Active Directory) users and existing Salesforce users that existed before Identity Connect was installed. Although these Salesforce users existed before Identity Connect, some or all of them may have equivalent users in AD (Active Directory). These users are matched based on the Association Rules defined and configurable in Identity Connect (see Salesforce Identity Connect Implementation Guide for additional information).

In this example scenario, Identity Connect has been installed and there are existing AD (Active Directory) users and existing Salesforce users. This example will look at one specific user, ICTestUser29 ICTestUser, who exists as a user in AD (Active Directory) and already existed in Salesforce before Identity Connect. Below is a screenshot which shows ICTestUser29 ICTestUser in Salesforce and AD (Active Directory).
 
User-added image
 
As mentioned previously, Identity Connect analyzes associations between AD (Active Directory) users and Salesforce users. Identity Connect does this based on the Association Rules defined in Identity Connect (see Salesforce Identity Connect Implementation Guide for additional information). Identity Connect comes out of the box with some default Association Rules.

Based on the default Association Rules, Identity Connect will try to match users in AD (Active Directory) and Salesforce, and if a match is found it will link these users. In this example scenario a match is found between the AD (Active Directory) user and the Salesforce user for ICTestUser29 ICTestUser, so a link is created between them. You can see this link in the Identity Connect Admin by looking at the Sync screen; see the screenshot below.

User-added image
 
At this point, when the link is made, an Identity Connect license will be consumed. Going back and looking at the details for the Identity Connect Permission Set License found in Salesforce within Setup>>Company Information under the Permission Set Licenses section, the Used Licenses will now be incremented by 1 to 16.
 

User-added image

In addition, the new user ICTestUser29 ICTestUser will be assigned to the Identity Connect Permission Set. See the screenshot below, which shows a list of Salesforce Users assigned to the Identity Connect Permission Set. Notice the number of Salesforce Users shown increased to 16, which is the same as the number of consumed Identity Connect licenses mentioned above.

User-added image
 
In this example scenario it has been shown how an Identity Connect license is consumed. In this example, even though a link was made for the ICTestUser29 ICTestUser user between AD (Active Directory) and Salesforce, ICTestUser29 ICTestUser is not syncing from AD (Active Directory) to Salesforce. When setting up Identity Connect to sync users, one part of the setup is to set up a mapping between the AD (Active Directory) groups and Salesforce Profiles. Only AD (Active Directory) users who are members of the AD (Active Directory) groups mapped to Salesforce Profiles will be synced from AD (Active Directory) to Salesforce. You can always see the AD (Active Directory) groups mapped to Salesforce Profiles by going into the Identity Connect Admin and navigating to Salesforce Org>>Mapping>>Profile to Group Mapping (see Salesforce Identity Connect Implementation Guide for additional information).

For this example scenario, below is a screenshot in the Identity Connect Admin showing the AD (Active Directory) groups mapped to Salesforce Profiles.
 

User-added image
 
Below is a screen shot from AD (Active Directory) which shows the groups which user ICTestUser29 ICTestUser is a member of.
 

User-added image

 
Notice the user ICTestUser29 ICTestUser is not a member of any of the AD (Active Directory) groups (Sync_Group, Adm_users) which are mapped to Salesforce Profiles. Because ICTestUser29 ICTestUser is not a member of any of these mapped AD (Active Directory) groups, this user will not be synced from AD (Active Directory) to Salesforce.

This example shows a scenario where an AD (Active Directory) user who is not currently synced to Salesforce still consumes an Identity Connect license.

NOTE:
Below are some scenarios in which a consumed Identity Connect license is collected (freed up): the Used Licenses count is decremented and a Salesforce User is unassigned from the Identity Connect Permission Set.

1. When a user has been deleted from AD (Active Directory), after a full, live or scheduled sync has been performed by Identity Connect.

2. When an AD (Active Directory) user has been disabled, after a full, live or scheduled sync has been performed by Identity Connect. Disabling can be done from the AD (Active Directory) domain browser by right clicking on a user and, from the Account tab, checking the box titled Account is disabled.

User-added image
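
One way to audit the consumption and release rules described above, written as an added example (not Salesforce's code and not part of the original article): it classifies each linked account from a constructed AD export and lists the users who hold a license without being in a mapped group. The record layout, the group DNs, every account name other than ICTestUser29, and keying links on sAMAccountName are assumptions for illustration.

```python
import re

ACCOUNTDISABLE = 0x2  # userAccountControl bit AD sets on a disabled account

# Constructed sample data (not from the article's org); keyed on sAMAccountName.
MAPPED_GROUPS = ["Sync_Group", "Adm_users"]  # groups mapped to Salesforce Profiles
LINKED = ["ICTestUser01", "ICTestUser02", "ICTestUser03", "ICTestUser29"]
AD_USERS = {
    "ICTestUser01": {"uac": 512, "memberOf": ["CN=Sync_Group,OU=Groups,DC=example,DC=com"]},
    "ICTestUser02": {"uac": 514, "memberOf": ["cn=adm_users,OU=Groups,DC=example,DC=com"]},
    "ICTestUser29": {"uac": 512, "memberOf": ["CN=Staff\\, Temp,OU=Groups,DC=example,DC=com"]},
}  # ICTestUser03 is absent: deleted from AD


def group_cn(dn):
    """Lower-cased CN from a memberOf DN; splits only on unescaped commas."""
    key, _, value = re.split(r"(?<!\\),", dn, maxsplit=1)[0].partition("=")
    return value.strip().lower() if key.strip().lower() == "cn" else ""


def classify(ad_users, linked, mapped_groups):
    """Map each linked account to its license/sync state per the article's rules."""
    mapped = {g.lower() for g in mapped_groups}
    report = {}
    for name in sorted(linked):
        rec = ad_users.get(name)
        if rec is None:
            report[name] = "deleted in AD: license freed after next sync"
        elif rec["uac"] & ACCOUNTDISABLE:
            report[name] = "disabled in AD: license freed after next sync"
        elif mapped & {group_cn(dn) for dn in rec["memberOf"]}:
            report[name] = "license consumed, synced"
        else:
            report[name] = "license consumed, NOT synced"
    return report


def filter_candidates(report):
    """Linked users a group-based User Filter would keep out of Identity Connect."""
    return [n for n, state in report.items() if state.endswith("NOT synced")]


if __name__ == "__main__":
    for user, state in classify(AD_USERS, LINKED, MAPPED_GROUPS).items():
        print(f"{user}: {state}")
```
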
 
If a solution to this example scenario is needed, see the Resolution section below.

Resolution
The solution to the example scenario detailed above is to restrict the AD (Active Directory) users read into Identity Connect to only the AD (Active Directory) users who are members of the AD (Active Directory) groups which are mapped to Salesforce Profiles. This can be done by the use of the User Filter rules in Identity Connect. Refer to the Salesforce Identity Connect Implementation Guide for additional information on this. In addition, the article below goes over this exact scenario and the steps to create the appropriate User Filter to address it.
 
Article Number: 000193289 Identity Connect example of adding a User Filter to restrict users based on their Active Directory group membership.