Skip to main content

Troubleshooting

Testing create operations

Salesforce does not allow administrators to delete accounts once created, only disable them. So the [delete] operation only implements [disable]. Also, since the accounts listed from a template account include attributes that are calculated (so read-only), in order to test implementing the [create] operation, several attempts at creating accounts may be required.

To reduce the number of test accounts populating the test Salesforce account, use the following steps:

  1. Generate an input KVGroup file using the pstee utility.

    1. Rename agent\agtsalesforce.exe to agent\ agtsalesforce-orig.exe.

    2. Copy util\pstee.exe to agent\agtsalesforce.exe.

    3. Run a [create] operation.

      The input/output KVGroup files from the connector will be saved in the instance's <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance> directory (where idmsuite.log is located).

  2. Copy the input KVGroup file that was generated to the agent folder.

  3. Add a pseudo attribute to the input file, right before the last closing curly bracket } :

    "attribute" "@disableAddResourceOperation" = { 
                "GROUP" = "0" 
                "SEQUENCE" = "-1" 
                "ACTION" = "VALUE" 
                "VALUE" = "" 
              }

    1. Look in the idmsuite.log at the lines generated by agtsalesforce-orig.exe when running the [create] operation.

    2. If the attributes that mention (read-only or RO) when they are read from the template account are not present in the input KVGroup, add them (add an attribute group like the one above, before @disableAddResourceOperation).

    3. Make sure that all read-only attributes in the input KVGroup are configured with "ACTION" = "IGNORE" (or edit the file to make it so, and edit the attribute mapping in Manage the system > Resources > Account attributes > Target system type > Salesforce. Add override with that attribute name, and disable the action on Create and Update).

  4. Redirect the input KVGroup into the agent, by opening an administrator command prompt into the agent\ folder and running:

    agtsalesforce < agtsalesforce-input-<timestamp>.kvg

    Ensure that you replace the <timestamp> with the actual value for the generated input KVGroup, or rename the input KVGroup to something simpler to type on the command line.

  5. Check the idmsuite.log again to see if there were any missed attributes or other errors. The same account will be used (no new one created).

No accounts returned from discovery

Discovery may return no accounts if the Salesforce connector encounters an error when attempting to list account attributes. This can occur when the connector is configured to load an attribute that does not exist or is not enabled in your Salesforce organization.

Check the idmsuite.log for an error similar to the following:

No such column 'X' on entity 'User'. If you are attempting to use a custom field,
be sure to append the '__c' after the custom field name. Please reference your WSDL
or the describe call for the appropriate names.

In this error, X represents the name of the attribute that could not be found in Salesforce.

If the error exists and the column named X is not a field you need or use in Salesforce, override the account attribute for X for the Salesforce target system so that it does not load:

  1. Navigate to Manage the system > Resources > Account attributes > Target system type > Salesforce.

  2. Add an override for the attribute named X.

  3. Ensure that Load attribute values from target system is unchecked.

  4. Run discovery again to verify that accounts are now returned.

If the account attribute override does not resolve the issue, contact Bravura Security Support for further assistance.

Known issue

A known issue in versions prior to Bravura Security Fabric 12.8 (build 39093) could cause account attribute overrides to not be honored. This was subsequently fixed. If you are running an older build, upgrading may resolve the problem.

In this section: