Remove all Roles assigned to user (non-criteria) when terminated

ugochuik · May 20, 2025, 4:39pm

I plan to use a webhook running PS which will

Get all roles assigned to a user.
Foreach role in collection–Check if each role uses identity-based membership (membership.criteria is null ).
If yes, get the list of identities in the role membership, remove the terminated user from the identity list and patch the role with the updated list.

Is there any other way to do the same remove operation via say workflow?

sanekkanti · May 20, 2025, 4:48pm

Yes, you can handle this entirely in an ISC workflow.

For Trigger:
Use the Identity Lifecycle State Changed event and branch on lifecycleState == “TERMINATED” or something based on the requirement.

Get Access

Action: Get Access

Access Selection Method: By Identity → {{trigger.identityId}}

Types: Roles (and/or Access Profiles, Entitlements—filter) something like $.getAccess.accessItems` is an array of objects `{ id, name, type }`

Extract Only Roles

Use a Transform (JSONPath) or Filter operator to select only items where type == "ROLE":

$.getAccess.accessItems[?(@.type=="ROLE")]

Save that to, say, {{rolesToRemove}}.

Manage Access

Action: Manage Access

Request Type: Remove Access

Identities: {{trigger.identityId}}

Access to Manage: {{rolesToRemove}}

Comment: “Remove all non-criteria role assignments on termination”

This submits a single request to strip the user from every role in rolesToRemove.

ugochuik · May 20, 2025, 7:22pm

Thanks for the info but that solution has its issues. I built it and I got 400 bad request. Comes from this

which is from

sanekkanti · May 20, 2025, 7:28pm

Were you able to resolve it using Iterate Loop?

ugochuik · May 20, 2025, 9:12pm

—Iterate a loop over identities assigned to the role—
The get access just returns the roles the user has, it does not return the role information with the identities assigned

suresh4iam · May 20, 2025, 10:23pm

You cannot remove the identities from the automated roles i.e roles with membership criteria. They will get revoked only based on criteria. So, you can add additional criteria in the automated role to define the identity status like LCS = active, this will revoke the role when identity moving to inactive.
For the non membership criteria roles or requestable role, you can use Certification campaign to revoke the access when they move to inactive. This is pretty much possible using Workflow Workflow to remove ALL leavers' standing access

ugochuik · May 20, 2025, 10:38pm

Thanks. I can amend the non-criteria based roles membership via the api. I will go with that method in my leaver workflow (call webhook).

jesvin90 · May 21, 2025, 10:35am

Hi @ugochuik,

Have you considered adding a wait time to the workflow, so that the role membership criteria would take care of the BR roles removal and the WF will have only the non-membership roles for revocation.

ugochuik · May 21, 2025, 11:19am

it would work if all the criteria roles had say LCS = Active as part of the required criteria for membership but that is not always the case and this means it may fail depending on the users role membership.