How to Exclude Permission Sets when Pushing a User Profile Update from Okta to Salesforce
Okta Integration Network
Overview

There is a configured Salesforce application integration with Provisioning API enabled in the Okta org.

In Directory > Profile Editor > Salesforce User > Mappings, the Salesforce Permission Sets attribute does not have an Okta User to Salesforce mapping as shown below:

mapping

 

The Permission Sets are managed in Salesforce. When Okta pushes a user profile update to Salesforce, Permission Sets in Salesforce are overwritten.

For example:

  • User's Permission Sets in Salesforce are as shown below: Test_PermissionSets_3 and Test_PermissionSets_4

User's Permission Sets in Salesforce

  • User's Permission Sets in Okta are selected as shown below, and a profile update is pushed to Salesforce: Test_PermissionSets_1, Test_PermissionSets_2 and Test_PermissionSets_5

User's Permission sets in Okta

The Permission Sets in Salesforce are overwritten: when Okta pushed the profile update, it replaced the Permission Sets that had been assigned in Salesforce.

Permission Sets

This article describes how to exclude Permission Sets when executing a push user profile from Okta.

 
Applies To
  • Salesforce Provisioning
  • Mappings
  • Attributes
Cause

Permission Sets cannot be controlled from both Okta and Salesforce. They can be managed either from Salesforce or from Okta, because when Okta pushes the Permission Sets to Salesforce, it replaces the existing ones.
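To see which users would gain or lose Permission Sets before a push runs, the replace behaviour described above can be modelled offline. This is an added example, not Okta or Salesforce code; the input shape (username mapped to a list of Permission Set names, for instance taken from an export of each system) and the function names are assumptions.

```python
"""Model the full-replace push described above and report its per-user impact."""

def normalize(assignments):
    """Lower-case usernames and turn each list of set names into a set."""
    return {user.strip().lower(): {n.strip() for n in names if n.strip()}
            for user, names in assignments.items()}

def push_impact(salesforce, okta):
    """Return {user: {"revoked": [...], "granted": [...], "result": [...]}}
    for every user whose Salesforce Permission Sets a push would change.

    Assumption taken from the article: the push replaces the Salesforce
    value with the Okta value; nothing is merged. An empty Okta value is
    therefore modelled as removing every Permission Set.
    """
    sf, ok = normalize(salesforce), normalize(okta)
    report = {}
    for user in sorted(ok):            # only users present in Okta are pushed
        before = sf.get(user, set())
        after = ok[user]               # replace semantics: the Okta value wins
        if before != after:
            report[user] = {
                "revoked": sorted(before - after),
                "granted": sorted(after - before),
                "result": sorted(after),
            }
    return report

# Constructed sample data. The first user mirrors the article's example.
SALESFORCE = {
    "User.A@example.com": ["Test_PermissionSets_3", "Test_PermissionSets_4"],
    "user.b@example.com": ["Test_PermissionSets_1"],
    "user.c@example.com": ["Test_PermissionSets_2"],
    "sf.only@example.com": ["Test_PermissionSets_5"],
}
OKTA = {
    "user.a@example.com": ["Test_PermissionSets_1", "Test_PermissionSets_2",
                           "Test_PermissionSets_5"],
    "user.b@example.com": ["Test_PermissionSets_1"],
    "user.c@example.com": [],
}

if __name__ == "__main__":
    for user, change in push_impact(SALESFORCE, OKTA).items():
        print(user, "revoked:", change["revoked"], "granted:", change["granted"])
```

Both columns matter in an access review: "revoked" shows access that was granted in Salesforce and would be lost, and "granted" shows access that Okta would add without any change being made in Salesforce.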

Solution

NOTE: Okta does not support partial profile push. During a profile update, Okta pushes the app user's full profile, including attributes that are set to Apply mapping on user create only and Do Not map. Refer to About Profile Push.

To stop Okta from overwriting the permission sets in Salesforce, perform the steps below.

  • NOTE: If Permission Sets is a custom attribute in the Salesforce application, it can be deleted. This will stop Okta from overwriting the Permission Sets values in Salesforce.

To delete the Permission Sets attribute:

  1. Go to the Okta Admin Console and navigate to Directory > Profile Editor.
  2. Search for the Salesforce app.
  3. Click the name of the app.
  4. Search for the Permission Sets attribute.

Permission Sets attribute

  5. Delete the Permission Sets attribute.


NOTE: If the Permission Set attribute needs to be restored, Schema Discovery will not currently re-discover it. Instead, the application will need to have the API integration turned off and then re-enabled, as this attribute is only discovered at the time of API integration.

 
