Can there be a threshold check while assignment or removal of role?

David_Norris · April 9, 2025, 8:25pm

“Can there be”…yes. Somewhat of a custom job.

For the roles that you want to ‘protect’ with a threshold, specify a dummy approver.

With a periodic workflow / script, get a list of approved access requests with this particular role assigned in the last, say, 24 hours. If the count is greater than 100, deny the approval request. If the count is less than 100, approve the pending approval request. (Handle the pending approval request in a sorted order)

e.g. Get-V2024AccessRequestStatus with filtering and pipelining, Get-V2024PendingApprovals

Additionally, you can leverage metadata attributes to specify per-role threshold. The powershell script just need to get this metadata attribute’s value of the role instead of having hard-coded 100.

Topic		Replies	Views
Trigger alert when multiple access getting revoked from Role ISC Discussion and Questions apis , identity-security-cloud	5	32	March 20, 2026
Thresholds or Controls to Detect Mass Role Assignments in SailPoint ISC ISC Discussion and Questions workflows , apis , identity-security-cloud , roles	5	26	April 9, 2026
Few Queries regarding roles/access ISC Discussion and Questions workflows , identity-security-cloud	5	520	January 16, 2024
Remove all Roles assigned to user (non-criteria) when terminated ISC Discussion and Questions workflows , apis , identity-security-cloud	9	182	July 20, 2025
Role Discovery - Common Access ISC Discussion and Questions identity-security-cloud , role-insights	2	122	November 3, 2024

Can there be a threshold check while assignment or removal of role?

Related topics