How to Add an IT Role to an Identity using a script/rule?

maheshraj9 · January 12, 2026, 7:51am

Which IIQ version are you inquiring about? IIQ 8.4

Hi Team. I have seen ways to add the Business Role to an Identity. In that, one of the lines is:

”testPlan.add(“IIQ”, testIdName, “assignedRoles”, ProvisioningPlan.Operation.Add, “{RoleName”);”

, here when I add the “assignedRole” then I can see the IT Role as assigned on the Identity. But I wanted to show that IT Role as Detected. For this, when I used the “detectedRole” instead of “assignedRoles”, I dont see that IT Role getting added to the Identity.

So what could be the possible way to add the IT Role to an Identity using a script? Please let me know.

Please Note: identity.addRole() and all the other stuff didn’t worked for me in IIQ 8.4.

Pankaj_IAM_SailPoint · January 12, 2026, 8:05am

You cannot directly add an IT Role as “Detected” using a script or ProvisioningPlan.
Detected roles are computed, not stored.

msingh900 · January 12, 2026, 8:35am

Hi @maheshraj9

You can only add the role as assignedRoles. Once it is added, IT Roles will get detected based on the access that you have and also if you have an IT role with that access available in your environment.

msingh900 · January 12, 2026, 8:37am

Once Assigned Role is added, run the Refresh Identity Task with below options selected:

Refresh assigned & detected roles, and promote additional entitlements

msingh900 · January 12, 2026, 8:46am

You cannot add an IT Role directly to the user via OOTB functionality. Instead, you can use below Rule Runner task to assign an IT Role.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="SailPoint IIQ Role Request Rule">
  <Source>
    <![CDATA[

  import java.util.List;

  import sailpoint.api.SailPointContext;
  import sailpoint.api.Provisioner;
  import sailpoint.object.Identity;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningProject;
  import sailpoint.tools.GeneralException;

  // Method to create a Provisioning Plan for Assigned Roles
  /***
	 * 
	 * @param identityName
	 * @param roles
	 * @param operation
	 * @return
	 */
  public ProvisioningPlan prepareRolePlan(String identityName, List roles, String operation) {
    System.out.println("Entering method prepareRolePlan");
    ProvisioningPlan plan = new ProvisioningPlan();

    try {
      Identity identity = context.getObjectByName(Identity.class, identityName);
      if(null != identity) {
        plan.setIdentity(identity);
      }

      if("addRole".equalsIgnoreCase(operation)) {
        plan.add(ProvisioningPlan.APP_IIQ, identityName, "assignedRoles", ProvisioningPlan.Operation.Add, roles);
      }else if("removeRole".equalsIgnoreCase(operation)){
        plan.add(ProvisioningPlan.APP_IIQ, identityName, "assignedRoles", ProvisioningPlan.Operation.Remove, roles);
      }

      plan.setSource("LCM");

    } catch (GeneralException e) {
      System.out.println("Exception occured while creating plan " + e.getMessage());
    }


    System.out.println("Exiting method prepareRolePlan");
    return plan;
  }

  /***
	 * 
	 * @param identityName
	 * @param operation
	 * @param roles
	 */
  public void processPlan(String identityName, String operation, List roles) {
    System.out.println("Entering method processPlan");
    ProvisioningPlan plan = null;
    ProvisioningProject proj = null;

    try {
      Identity iden = context.getObjectByName(Identity.class, identityName);
      if(null != iden) {
        Provisioner provisioner = new Provisioner(context);
        plan = prepareRolePlan(identityName, roles, operation);
        proj = provisioner.compile(plan);
        provisioner.execute(proj);
      }else {
        System.out.println(" Identity is Missing ");
      }
    }catch(Exception exp) {
      System.out.println(" Error occure dwhile processing plan "+ exp.getMessage());
    }

    System.out.println("Entering method processPlan");
  }
  
  List roles = new ArrayList();
  roles.add("SuperUser-Access");
  return processPlan("ms2612", "removeRole", roles);
]]>
  </Source>
</Rule>

maheshraj9 · January 12, 2026, 2:21pm

Hi Manish,

When you say “assign”, after this rule is executed, the IT Role will be assigned to the Identity and on the Identity, it will say “detected” or “assigned”?

Thanks and Regards,
Mahesh.

msingh900 · January 12, 2026, 2:23pm

IT Role will say as assigned if you try to assign it via the code that I have shared.

maheshraj9 · January 12, 2026, 2:28pm

Okay Manish. That is the one I meant in my question. Im getting assigned too when I tried. But Im looking for the word “Detected” besides “Assigned”. Thank you Manish!

msingh900 · January 12, 2026, 2:36pm

If it resolves your problem. please mark it solved.

Thanks

Topic		Replies	Views
Assigning IT Roles in IIQ through a Rule Runner Task IIQ Community Knowledge Base apis , rules , identityiq , provisioning , access-requests	0	58	January 21, 2026
PostJoiner Rule is not adding user to Role IIQ Discussion and Questions rules , identityiq , provisioning	9	76	July 4, 2025
SailPoint IIQ Rule - Isolating Identities based on Detected Role? IIQ Discussion and Questions rules , identityiq , provisioning	6	218	September 15, 2024
Infamous red “X” on IT Roles IIQ Discussion and Questions webservice-connector , identityiq , provisioning	2	91	June 17, 2025
Role detection not in sync with role assignments IIQ Discussion and Questions identityiq , roles	24	218	January 2, 2026

How to Add an IT Role to an Identity using a script/rule?

Which IIQ version are you inquiring about? IIQ 8.4

Hi Team. I have seen ways to add the Business Role to an Identity. In that, one of the lines is:

Related topics