How can we provide SailPoint IIQ read-only access, and AD read-only access through a role request in ServiceNow, based on AD access groups instead of assigning individual user capabilities? Additionally, how should this be configured in SailPoint and Active Directory? Your guidance on a possible approach would be highly appreciated.
first you need to create custom capability with view permission , then you need to create workgroup in IIQ with this capability . Then you need configure a loop back connector for IIQ where you can provision on created workgroup based on AD group membership. or you can call configure Service Now also for provisioning on the work group.