Can there be a threshold check while assignment or removal of role?

Basically, let's say more than 100 roles are getting removed; then a threshold check should stop removing the accesses?

Hello Amrit,

For criteria roles, as far as I know, there is nothing that you can do.

But let's say you are revoking roles via workflow; then it is possible to control how many roles you will revoke.

Att.

I think you are talking about this assignment as part of the daily refresh? If yes, I don't think any option is available. I would suggest checking this with SailPoint support.

“Can there be”…yes. Somewhat of a custom job.

For the roles that you want to ‘protect’ with a threshold, specify a dummy approver.

With a periodic workflow / script, get a list of approved access requests with this particular role assigned in the last, say, 24 hours. If the count is greater than 100, deny the approval request. If the count is less than 100, approve the pending approval request. (Handle the pending approval request in a sorted order)

e.g. Get-V2024AccessRequestStatus with filtering and pipelining, Get-V2024PendingApprovals

Additionally, you can leverage metadata attributes to specify a per-role threshold. The PowerShell script just needs to get this metadata attribute's value from the role instead of having a hard-coded 100.
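The periodic script described above, as an added example that is not from this thread or from SailPoint: the threshold decision is a pure function fed with constructed sample data, so it runs offline; the SDK cmdlet names (Get-V2024AccessRequestStatus, Get-V2024PendingApprovals, Approve-V2024AccessRequest, Deny-V2024AccessRequest) and the property names on their output are assumptions to verify against your SDK version. It goes slightly beyond the post in that pending approvals granted in this run also count toward the limit, so one batch cannot overshoot the threshold.

```powershell
function Resolve-PendingApprovals {
    param(
        [object[]]$Pending,          # pending approvals: Id, Created, RequestedObject.Id (assumed shape)
        [object[]]$ApprovedRecent,   # approved requests in the window: RequestedItems[].Id (assumed shape)
        [hashtable]$ThresholdByRole, # role id -> limit, populated from the role's metadata attribute
        [int]$DefaultThreshold = 100 # fallback when a role carries no per-role threshold
    )
    # Count assignments already approved per role inside the look-back window
    $count = @{}
    foreach ($req in $ApprovedRecent) {
        foreach ($item in $req.RequestedItems) {
            if ($count.ContainsKey($item.Id)) { $count[$item.Id]++ } else { $count[$item.Id] = 1 }
        }
    }
    # Handle pending approvals oldest-first so the outcome is deterministic
    $decisions = @()
    foreach ($p in ($Pending | Sort-Object Created)) {
        $roleId = $p.RequestedObject.Id
        $limit  = if ($ThresholdByRole.ContainsKey($roleId)) { $ThresholdByRole[$roleId] } else { $DefaultThreshold }
        $seen   = if ($count.ContainsKey($roleId)) { $count[$roleId] } else { 0 }
        if ($seen -ge $limit) {
            $action = 'deny'                      # threshold reached: refuse this one
        } else {
            $action = 'approve'; $count[$roleId] = $seen + 1   # approve and count it against the limit
        }
        $decisions += [pscustomobject]@{ ApprovalId = $p.Id; RoleId = $roleId; Action = $action }
    }
    return $decisions
}

# Constructed sample input: two assignments of role 'r-1' already approved, per-role limit of 3
$approved = @(
    [pscustomobject]@{ RequestedItems = @([pscustomobject]@{ Id = 'r-1'; Name = 'Finance-Admin' }) },
    [pscustomobject]@{ RequestedItems = @([pscustomobject]@{ Id = 'r-1'; Name = 'Finance-Admin' }) }
)
$pending = @(
    [pscustomobject]@{ Id = 'a-2'; Created = (Get-Date).AddMinutes(-5);  RequestedObject = [pscustomobject]@{ Id = 'r-1' } },
    [pscustomobject]@{ Id = 'a-1'; Created = (Get-Date).AddMinutes(-10); RequestedObject = [pscustomobject]@{ Id = 'r-1' } }
)
$decisions = Resolve-PendingApprovals -Pending $pending -ApprovedRecent $approved -ThresholdByRole @{ 'r-1' = 3 }
$decisions | Format-Table -AutoSize

# Live wiring (assumed cmdlets; uncomment after Connect-V2024 is configured and the filters are verified):
# $approved = Get-V2024AccessRequestStatus | Where-Object { $_.Created -ge (Get-Date).AddHours(-24) }
# $pending  = Get-V2024PendingApprovals
# foreach ($d in $decisions) {
#     if ($d.Action -eq 'approve') { Approve-V2024AccessRequest -ApprovalId $d.ApprovalId }
#     else { Deny-V2024AccessRequest -ApprovalId $d.ApprovalId }
# }
```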

I think managing it outside SailPoint will be a little easier compared to doing it via workflows.

Yeah, it’s far more liberating once you get outside of the confines of ISC. ISC itself is functionally rather rudimentary with its OOTB IGA use cases coverage. A lot of additional business logic has to be bolted on here and there.

Like you can't even have ‘new’ custom email templates at the tenant level…you need to go to a step level in a workflow to define the email. There's no OOTB access removal workflow (it's community-built), no account deletion, no identity deletion, no per-entitlement deletion OOTB. It doesn't handle multiple accounts per source per identity very well either.

Also, with all the transforms built in JSON, just give us a graphical editor already. (e.g. below or similar to the workflow builder) Better yet, give us the AI and LLM to build transforms.


Totally agree. If I remember right, threshold support came late in IIQ too. Hopefully, there’s already something like that in the works—or at least an idea submitted around for it.

True…but that should be a lesson learnt from back then, and now it should come under the “I know better now” kind of feature / functionality / configuration…and IDN / ISC is not exactly young anymore.
