Update

Note: We are pausing rollout of Role Change Propagation in respect of the holidays, and we will resume on January 6, 2026 with full GA planned for January 23, 2026.

Description

This enhancement is brought to you by Idea AI-I-51

This announcement replaces the original GA announcement for Role Change Propagation.

You can view the previous post here: Original Announcement.

This release introduces a key improvement to ISC Role Management. Now, when access is removed from a Role definition, the corresponding access can also be automatically removed from users assigned to that Role—helping reduce the risk of over-provisioning and keeping access aligned with intended Role design.

With this release, you can now configure ISC to automatically de-provision access from users when it’s removed from the Role they are a member of. Access that is added to a Role definition will continue to be propagated automatically and will operate in the same manner as it does today.

New Capabilities

Role Change Propagation allows you to configure ISC to automatically remove access assignments from users when access rights are removed from their associated Role definitions.

• A Global Setting is now available to enable/disable the role change propagation feature.
• The following access changes are now propagated by ISC:
  • Removal of an Entitlement from a Role
  • Removal of an Access Profile from a Role
  • Removal of an entitlement from an Access Profile included in a Role
  • Removal of a Role’s dimension or removing an entitlement or access profile from a
    Role’s dimension.

Problem

Currently in ISC, removing access rights from a Role doesn’t automatically remove that access from users assigned to it—leading to potential over-provisioning and increased risk.

Solution

Role Change Propagation provides the ability to configure ISC so that when access rights are removed from a Role definition, the corresponding access assignments are removed from users who have the Role assigned.

Note: This is an optional capability. A Global Setting is available to enable/disable the Role Change Propagation feature.

When the following access rights are removed from Role’s definition, the corresponding access assignments will be removed from users who have the Role assigned:

• Removal of an Entitlement from a Role
• Removal of an Access Profile from a Role
• Removal of an entitlement from an Access Profile included in a Role
• Removal of a Role’s dimension or removing an entitlement or access profile from a Role’s dimension.

Indication that Role Change Propagation is enabled1920×969 49.4 KB

Indication that Role Change Propagation is enabled - Apply Changes1920×844 120 KB

Who is affected?

Role Change Propagation is available for all customers.

Action Required

Role Change Propagation is a configurable capability which is disabled by default. Customers who opt to use this capability must enable the Role Propagation system feature in ISC Global Settings.

Important Dates

• Sandbox Rollout: Week of November 17, 2025
• Production Rollout for CA/SE/ME/AP Regions: Week of November 24, 2025
• Production Rollout for EU/US Regions: Week of December 1 & 8, 2025
• Full General Availability for All Regions: December 12, 2025

Note: We are pausing rollout of Role Change Propagation in respect of the holidays, and we will resume on January 6, 2026 with full GA planned for January 23, 2026.

Hi, if a role is deleted do the role members lose the access associated with the role?

@PGookin should be able to confirm this, but I think the answer would be yes looking into this documentation.

Only Removal part, anything about addition

• Adding Entitlements to Access Profiles which are in Roles
• Adding Access Profiles to Roles

What about Access Profiles that are not in a Role

• Adding Entitlements
• Removing Entitlements

Deletion

• Delete Access Profiles
• Delete Roles

Hi @PGookin,

Great to see this capability making it to GA! This addresses a significant gap that many of us have been working around.

A few questions:

1. Provisioning Plan Generation: When access is removed from a role and propagated to users, does the deprovisioning follow the same path as manual access removals?

2. Audit Trail: How are these automated removals tracked in the audit logs? Will they clearly indicate they were triggered by role change propagation versus manual admin actions?

Thank you

FYI: I found an issue with the API for role propagation configuration, where the Content-Type is telling us that the response is in plain text instead of in JSON. This can impacts API clients (including browsers), where either syntax highlighting is not working because it doesn’t know the response is JSON, or where an exception is raised due to unexpected Content-Type. Almost all Identity Security Cloud APIs correctly return the Content-Type as something like application/json;charset=utf-8 (lower case, no spaces)

Kind regards,
Angelo

If Role Change propagation feature is enabled, I assume it’s for all roles. In otherwords, if there are some roles that the customer does not want it to apply to, they cannot select that to be exempt from the feature?

That’s correct. If Role Change Propagation is enabled it is enabled for all roles. However, we only process changes that are made to Roles that are enabled. So if there is a specific role change that you do not want to propagate, you could disable the role before making the changes.

Role Change Propagation (rcp) does not remove access when a role is deleted. This is consistent with the current behavior. The documentation is accurate but it is a little confusing. It should explicitly note that that role deletion does not remove access if rcp is enabled or disabled.

We’ve been looking forward to this! Documentation says it will be available for all regions Dec 12, 2025. That’s today, but I still don’t see it in Production - only in Sandbox. Has it been delayed?

According to the important dates this should be available in production tenants, but the feature is not available yet. Is there an ETA?

Wondering the same thing, when is this one going live?