Business Roles with IT roles that can be auto-assigned as well as request-based

Hi All,

I have a requirement where we need to configure Business Roles. It has IT roles grouped together with two categories together - Auto-assigned (Required) and Request-based (Permitted). How do I group this in a single role in IIQ? Please suggest a high-level solution. E.g., BizRole 1 has IT Role1, IT Role 2 - should be auto-assigned and IT Role 3 - should be request-based. Thanks

@nmuthusamy

You can use the OOTB feature of SailPoint IIQ Business Roles.

For Example - Create a Business Role and assign the roles to the Required Roles section, which needs to be auto-assigned. Request-based roles should be added in the Permitted Roles section.

Thanks

@msingh900 You can try creating the roles as mentioned by @msingh900.

Additionally, don’t mark these permitted roles as requestable. Once the business role is assigned, they will automatically become requestable for that user.

In IdentityIQ you can keep both auto-assigned and requestable IT roles inside a single Business Role by using the assignment type setting at the IT-role level. For your example, create one Business Role (BizRole1) and add all three IT roles to it. Mark IT Role1 and IT Role2 as Required, which means they will be automatically assigned whenever BizRole1 is assigned to a user. Then mark IT Role3 as Permitted, which makes it optional/requestable under that same Business Role.

With this setup, when BizRole1 is granted (either manually or via role assignment rule), IdentityIQ will automatically provision IT Role1 and IT Role2, while IT Role3 will appear as an optional access item that users or requesters can select if needed. This allows you to group mandatory and optional access under one Business Role without creating separate roles.

Hi @nmuthusamy ,

As @msingh900 mentioned, you can configure a business role with required and permitted IT roles.

When someone requests a business role, the requester can choose whether the Permitted role, along with its entitlements, should be provisioned or not. The Required IT role and its entitlements are provisioned anyway.

Required roles will get automatically assigned along with their entitlements, but permitted roles won’t get automatically assigned even if they are present in the Business role.

They need to be requested.
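
For reference, the grouping discussed in this thread written as role XML. This is an added example, not something posted by any participant or taken from SailPoint's documentation; the role names come from the question, and the three IT roles are assumed to already exist as Bundle objects with those exact names.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Bundle PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Constructed example: one business role carrying both kinds of IT role. -->
<Bundle name="BizRole1" type="business">
  <!-- Required IT roles: granted together with BizRole1. -->
  <Requirements>
    <Reference class="sailpoint.object.Bundle" name="IT Role1"/>
    <Reference class="sailpoint.object.Bundle" name="IT Role2"/>
  </Requirements>
  <!-- Permitted IT roles: optional, only granted when requested
       for an identity that holds BizRole1. -->
  <Permits>
    <Reference class="sailpoint.object.Bundle" name="IT Role3"/>
  </Permits>
</Bundle>
```

Keeping the optional access in `Permits` rather than `Requirements` means it is provisioned only on an explicit request, so the business role by itself grants no more than the required set.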