Birthright or blanket approved accesses or license revocation

Hi Team,
A number of stakeholders were happy with RBAC, but now that it is audit time they are asking whether there is any possibility of a revocation through workflows or triggers that would not re-provision access back to the user, without disabling the birthright role, so that licenses do not cost them?


Osman, certification decisions have priority over automatic assignment. That means that if a BR or any role is revoked in a certification, even if the user falls under the criteria, it will not be provisioned. At least in IIQ.

For ISC you should test, but that is your best chance to achieve the requirement.

We have an IDN env; we just have Acknowledge but not Revoke for birthrights. How can we handle this?

Have you requested the removal through a certification?

IDN: we do not have remove/revoke for birthrights in certifications.

What do you mean by BR roles? Are these being provisioned in the Identity Profile, or through role assignment?

Role assignment to users based on employee type.

@osmanmohammed at present birthright roles can only be acknowledged, as it won't let you remove them unless the criteria is matching. You can try modifying the criteria to fit your audit requirement, or use request-based roles, which you can remove.

Hi @osmanmohammed,

As long as the users match the role criteria, the access will be granted back however you remove them.

If there are only a handful of users you are looking to exclude, you can directly exclude them from the rule by passing their employee ID values in the rule membership criteria with a condition as below:

Or, if you can get a specific attribute from the application or the authoritative source that identifies the users that need to be excluded, you can make use of that in the membership criteria.

We are not trying to exclude; the approach is to revoke licenses from 3000+ users, but without changing the BR role criteria.

Hi @osmanmohammed,

If you are revoking access (granted from a role) from users who satisfy the role membership criteria, IDN will re-provision the access during the next aggregation or refresh.

So, the only way is to exclude them from the role criteria.


Hi @osmanmohammed ,

You cannot revoke the access from identities that satisfy the role via membership criteria. The only way is to change the membership criteria based on your audit requirement, or to update these 3000+ users outside of IDN so that they no longer satisfy the existing membership criteria and entitlement revocation is triggered.

Thank you


@osmanmohammed, in the first place birthright roles should not be removed as long as the user is ACTIVE within the organization. These roles should be assigned once the user joins the organization and need to be removed once they leave the organization.

If you have that requirement then you have to consider a role membership rule update; otherwise, on the next aggregation it will provision the accounts.


I have gone through your question and understand the client's ask, but if a role criteria is met, IDN will provision the relevant access profile and/or entitlement.

If you do set up a certification, you can only acknowledge the access again, since the user still qualifies for that role.

You have to modify the criteria to exclude the said 3k members from its assignment, and there is no role membership rule support anymore.

I can confirm this based on the extensibility document here.

And the official documentation on managing access under the admin guide here.

I would really like to highlight the following quote from the admin guide:

Additionally, when a user no longer meets the criteria, IdentityNow deprovisions the role and its associated access profiles. This can occur because the assignment criteria or the identity data changed.
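The behaviour the replies above describe (a manual revocation is undone at the next refresh while the identity still matches the role's membership criteria, and only a criteria change or an attribute change on the identity produces a lasting deprovision) can be modelled with a small evaluator over the `membership.criteria` object shape used by the IdentityNow v3 Roles API (`AND`/`OR`/`EQUALS`/`NOT_EQUALS`/`CONTAINS` nodes with an `IDENTITY` key and a `stringValue`). This is an added example, not SailPoint code and not from any poster in this thread; the identities, the `employeeType` and `cloudLifecycleState` attribute names, and the `licenseWaived` attribute used for the exclusion clause are all constructed or assumed for illustration.

```python
"""Model of STANDARD role-membership criteria evaluation and identity refresh.

Constructed example (not SailPoint code). It shows why a revocation outside the
criteria is re-provisioned on the next refresh, and why adding an exclusion
clause to the criteria is what actually sticks.
"""
from __future__ import annotations

from typing import Any

# Criteria node shape follows the v3 Roles API membership.criteria object:
#   {"operation": "AND"|"OR", "children": [...]}
#   {"operation": "EQUALS"|"NOT_EQUALS"|"CONTAINS",
#    "key": {"type": "IDENTITY", "property": "attribute.<name>"}, "stringValue": "..."}
# Only IDENTITY keys are modelled here; ACCOUNT/ENTITLEMENT keys are out of scope.
def evaluate(criteria: dict[str, Any], identity: dict[str, Any]) -> bool:
    op = criteria["operation"]
    if op in ("AND", "OR"):
        results = [evaluate(child, identity) for child in criteria.get("children", [])]
        return all(results) if op == "AND" else any(results)
    key = criteria["key"]
    if key["type"] != "IDENTITY":
        raise ValueError("only IDENTITY keys are modelled in this example")
    attr = key["property"].removeprefix("attribute.")
    actual = str(identity.get("attributes", {}).get(attr, "") or "")
    expected = criteria["stringValue"]
    if op == "EQUALS":
        return actual == expected
    if op == "NOT_EQUALS":
        return actual != expected
    if op == "CONTAINS":
        return expected in actual
    raise ValueError(f"unsupported operation: {op}")


def refresh(criteria: dict[str, Any], identities: list[dict[str, Any]],
            assigned: set[str]) -> tuple[set[str], set[str], set[str]]:
    """Simulate an identity refresh for one STANDARD role.

    Returns (assigned_after, provisioned, deprovisioned). The role is assigned
    to exactly the identities matching the criteria, regardless of what was
    assigned before, which is what makes a manual revoke non-sticky.
    """
    matching = {i["id"] for i in identities if evaluate(criteria, i)}
    return matching, matching - assigned, assigned - matching


def revoke_then_refresh(criteria: dict[str, Any], identities: list[dict[str, Any]],
                        revoked_id: str) -> tuple[set[str], set[str], set[str]]:
    """Revoke one identity outside the criteria (e.g. via a certification or
    workflow), then run a refresh; the revoked identity comes back."""
    assigned = {i["id"] for i in identities if evaluate(criteria, i)}
    assigned.discard(revoked_id)
    return refresh(criteria, identities, assigned)


def exclude_by_attribute(criteria: dict[str, Any], attr: str, value: str) -> dict[str, Any]:
    """Return new criteria: the original AND a NOT_EQUALS clause on an identity
    attribute. Changing the criteria (or the identity data it reads) is the
    supported way to make 'no longer meets the criteria' true."""
    return {
        "operation": "AND",
        "children": [
            criteria,
            {"operation": "NOT_EQUALS",
             "key": {"type": "IDENTITY", "property": f"attribute.{attr}"},
             "stringValue": value},
        ],
    }


# Constructed birthright criteria: active full-time employees.
BIRTHRIGHT_CRITERIA: dict[str, Any] = {
    "operation": "AND",
    "children": [
        {"operation": "EQUALS",
         "key": {"type": "IDENTITY", "property": "attribute.employeeType"},
         "stringValue": "FTE"},
        {"operation": "EQUALS",
         "key": {"type": "IDENTITY", "property": "attribute.cloudLifecycleState"},
         "stringValue": "active"},
    ],
}

# Constructed identities; 'licenseWaived' is an assumed identity attribute
# populated from the authoritative source to flag users whose license is pulled.
IDENTITIES: list[dict[str, Any]] = [
    {"id": "u1", "attributes": {"employeeType": "FTE", "cloudLifecycleState": "active", "licenseWaived": "false"}},
    {"id": "u2", "attributes": {"employeeType": "FTE", "cloudLifecycleState": "active", "licenseWaived": "true"}},
    {"id": "u3", "attributes": {"employeeType": "Contractor", "cloudLifecycleState": "active", "licenseWaived": "false"}},
]

if __name__ == "__main__":
    # u2 is revoked by hand, then refreshed: it is re-provisioned.
    print("revoke then refresh:", revoke_then_refresh(BIRTHRIGHT_CRITERIA, IDENTITIES, "u2"))
    # Same refresh against criteria that exclude licenseWaived=true: u2 is deprovisioned.
    excluded = exclude_by_attribute(BIRTHRIGHT_CRITERIA, "licenseWaived", "true")
    print("refresh with exclusion:", refresh(excluded, IDENTITIES, {"u1", "u2"}))
```

The first call returns `u2` in the `provisioned` set even though it was just revoked, which is the re-provisioning the replies warn about; the second call returns `u2` in `deprovisioned`, matching the admin-guide quote that a role is removed when the identity no longer meets the criteria. Whether the flag comes from a criteria edit or from an attribute change on the identity, the lever is the criteria match, not the revoke action.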