To migrate into the ISC environment, I have manually bulk assigned a bunch of identities to roles using the identity list criteria.
What I am now running into is that the roles persist once the identities leave my organization and get marked as inactive. This can have unintended side effects, like retriggering provisioning on downstream sources.
How can I automatically remove roles assigned via identity list criteria?
@dominick-miller You are correct about the workflow. Roles granted via an identity list will remain assigned to inactive identities.
Just a thought: depending on the number of roles you have configured this way, it may be better to redefine the membership criteria for those roles to use standard criteria that take the identity’s lifecycle state into account.
For example, you could add a condition that the lifecycle state must be ‘Active’ for the identity to be a member of the role. This way, when an identity is moved to the ‘Inactive’ lifecycle state, it will automatically lose membership in the role without administrators needing to remove it from the inactive state.
Sorry I didn’t catch the part about Identity Lists.
My first question is: do you need to have the access controlled in Identity Lists? Any kind of membership criteria/identity list will require you to update the role either through the UI or by patching the role to remove that user’s identity. If you switched to membership as Raghunath said, you can add an additional element that they must be active.
However, for the long term, would it be better to have these users request access to the roles? You could write a script to get the identities associated with each role, request the role, and then patch the role to remove the users from the Identity List.
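An added example of the two approaches discussed in this thread (the lifecycle-gated standard criteria in the earlier reply and the request-then-patch script in the reply above); this is not SailPoint code and not from either poster. It assumes the publicly documented ISC v3 shapes: a role's `membership` object with `type` `IDENTITY_LIST` and an `identities` array, JSON Patch on `/v3/roles/{id}`, `POST /v3/access-requests` with `requestType` `GRANT_ACCESS`, and the built-in identity attribute `cloudLifecycleState`. The role id, identity ids and lifecycle states are constructed sample data.

```python
"""Plan the cleanup of an IDENTITY_LIST role in Identity Security Cloud.

Added example, not SailPoint code. Assumed ISC shapes: role.membership
{type: IDENTITY_LIST, identities: [...]}, JSON Patch on /v3/roles/{id},
POST /v3/access-requests, and identity attribute cloudLifecycleState.
"""
import json
from urllib import request

# Constructed sample role: identity-list membership with three members.
SAMPLE_ROLE = {
    "id": "ROLE-ID-PLACEHOLDER",
    "name": "Finance Analyst",
    "requestable": True,
    "membership": {
        "type": "IDENTITY_LIST",
        "identities": [
            {"type": "IDENTITY", "id": "id-alice", "name": "Alice Adams"},
            {"type": "IDENTITY", "id": "id-bob", "name": "Bob Brown"},
            {"type": "IDENTITY", "id": "id-carol", "name": "Carol Chen"},
        ],
    },
}
# Constructed lifecycle states, keyed by identity id (what a lookup of
# attributes.cloudLifecycleState would return). A missing key models a
# failed lookup.
SAMPLE_STATES = {"id-alice": "active", "id-bob": "inactive", "id-carol": "active"}


def split_by_lifecycle(role, state_by_id):
    """Return (active, inactive) identity refs from the role's identity list.

    Only identities positively known to be 'inactive' are treated as such; an
    unknown state is kept, so a failed lookup never removes access by accident.
    """
    members = role["membership"]["identities"]
    inactive = [m for m in members if state_by_id.get(m["id"]) == "inactive"]
    drop = {m["id"] for m in inactive}
    active = [m for m in members if m["id"] not in drop]
    return active, inactive


def removal_patch(role, to_remove):
    """JSON Patch that replaces the membership with the list minus to_remove.

    A single 'replace' of /membership (assumed accepted by ISC) avoids the
    index-shifting problems of per-element 'remove' ops on an array.
    """
    drop = {m["id"] for m in to_remove}
    kept = [m for m in role["membership"]["identities"] if m["id"] not in drop]
    return [{"op": "replace", "path": "/membership",
             "value": {**role["membership"], "identities": kept}}]


def access_request_payloads(role, identities):
    """One GRANT_ACCESS body per identity for POST /v3/access-requests.

    Submit these and confirm they completed before patching the active members
    out of the identity list, so nobody loses the role between the two steps.
    """
    return [{"requestedFor": [m["id"]],
             "requestType": "GRANT_ACCESS",
             "requestedItems": [{"type": "ROLE", "id": role["id"],
                                 "comment": "Migrated from identity list (constructed)"}]}
            for m in identities]


def lifecycle_gated_membership(existing=None):
    """STANDARD membership: (existing criteria) AND cloudLifecycleState == active."""
    gate = {"operation": "EQUALS",
            "key": {"type": "IDENTITY", "property": "attribute.cloudLifecycleState",
                    "sourceId": None},
            "stringValue": "active"}
    criteria = gate if existing is None else {"operation": "AND", "children": [existing, gate]}
    return {"type": "STANDARD", "criteria": criteria}


def build_plan(role, state_by_id):
    """Dry-run summary: requests for active members, an immediate patch that
    drops the inactive ones. Re-read the role and call removal_patch again for
    the active members once their requests have completed."""
    active, inactive = split_by_lifecycle(role, state_by_id)
    return {"role": role["name"],
            "requests": access_request_payloads(role, active),
            "patch_now": removal_patch(role, inactive),
            "removed_now": [m["name"] for m in inactive]}


def patch_role(base_url, token, role_id, ops):
    """Apply a JSON Patch to a role (network call; not exercised offline).
    base_url is the tenant API host, e.g. https://TENANT.api.identitynow.com."""
    req = request.Request(f"{base_url}/v3/roles/{role_id}",
                          data=json.dumps(ops).encode(), method="PATCH",
                          headers={"Authorization": f"Bearer {token}",
                                   "Content-Type": "application/json-patch+json"})
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_plan(SAMPLE_ROLE, SAMPLE_STATES), indent=2))
```

The plan is deliberately two-phase: inactive members carry no access worth preserving, so they are patched out at once, while active members are only removed after their access requests have been approved and provisioned. Treating an unknown lifecycle state as "keep" is the conservative choice; a lookup error should surface in review rather than silently strip access.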
Yeah, I came to the same conclusion. It looks like if I wanted to solve this, it will require external code to be executed, or for me to script it and make the roles assigned via identity list instead be requested for the relevant identities.
Looks like there is no native solution in ISC to remove all access, which is a bummer and a huge miss from an identity governance tool lol.