Automating conditional access with an identity governance bot

carttj · May 20, 2026, 6:11pm

Description

This presentation extends SailPoint’s access request process to solve a common challenge: manually verifying prerequisite attributes required for approval. Although any searchable attribute can be utilized, this presentation focuses on the training requirement (as an entitlement on the account) and location (as an identity attribute) to make the approval and denial decisions.

We will implement an automated “Attribute Checker” bot, built entirely with native SailPoint tools to handle these evaluations. This bot reviews, approves or denies requests, and sends companion emails (in the case of a denial) on a set schedule by checking for specific attributes on a user’s identity, streamlining the entire approval process and eliminating manual overhead.

I have included the workflows as links on this document, to act as examples of how this can be built out.

Additional Resources

Workflows : Workflows - SailPoint Identity Services
- As your workflow would be customized to your needs, this document can help to assess exactly how to create what you require
Access Requests: Access Requests - SailPoint Identity Services
- Just a quick overview of the access requests
Governance Groups: Creating and Maintaining Governance Groups - SailPoint Identity Services
Source creation: Configuring a Generic Flat File Source
- The source utilized is a generic flat file (csv).

Files:

Example workflows
- Note that the creator, owner and a few other data elements have been removed. I have put << >> around the elements and a description of what would need to go there. Just search for “<<” and replace to have a functional version.
  - Training verification workflow JSON (14.7 KB)
  - Location Verification workflow JSON (6.3 KB)

Example Templates:

As they were rather quickly off the screen I wanted to also have how I had templatized my access items (template and then an example) so it is a bit clearer what the bots are “looking at”.

Looking for Training course ONLY
- Template
  - ```
  <x> trainings *:<Training name 2>::<Training name 3>**
```
- Example
  - 2 trainings *HealthTraining:SATSOR5** Grants generic access to the medical center login for IAM
Looking for location ONLY
- Template
  - ```
  |LOCATION:<location name>|| <description of access>
```
- Example
  - |LOCATION:Reno|| Custodial access for Lenel in the Reno, NV office
Looking for BOTH Training Course AND Location
- Template
  - ```
  <X> trainings *<Training Name>** <description> |LOCATION:<location name>|| 
```
- Example
  - 3 trainings *FERPA101:ROCKs::Geo_adv** Geography department advisor at the Austin,TX campus. |LOCATION:Austin||

Topic		Replies	Views
Generic Workflow to Auto-Approve/Reject an access request ISC Community Knowledge Base workflows , identity-security-cloud , access-requests	26	2982	March 5, 2026
Training checks need to be performed for the submitted access requests." ISC Discussion and Questions workflows , apis , identity-security-cloud , access-requests	3	244	April 13, 2024
Specify pre-req for access request ISC Discussion and Questions identity-security-cloud , access-requests , entitlements	5	80	September 12, 2025
Workflow for an access request is submitted ISC Discussion and Questions workflows , identity-security-cloud	14	322	June 30, 2025
Approval details for access requests ISC Discussion and Questions identity-security-cloud	1	60	October 17, 2025

Automating conditional access with an identity governance bot

Description

Additional Resources

Files:

Example Templates:

Related topics