Is there a way to remove all accesses of a specific application for terminated identity? I am building a workflow using Get Access and Manage Access actions. But, the problem is that a few roles are not enabled for accessRequest. So, how can we achieve this? Thanks, Ashish Kumar

If those roles are based on membership criteria, the user will be removed from them only when the user stops meeting the specified criteria.

@sharvari Those are getting removed automatically after identity termination. We have a requirement to remove the rest of the accesses irrespective of assignments.

You can use Before Provisioning Rule to remove the rest of access during the account disable operation.

Thank you @sharvari for your input. I am looking for alternative solutions for this.

Hi Ashish To get a better understanding, can I know how was the role assigned to the user initially ? If you’re looking to disable the accounts, you might have tried “Source Accounts to disable” option using lifecycle state provisioning within Identity Profiles.

Can you please elaborate your use case a little more? What are the “rest of the accesses” that users? Your approach may have to vary depending on how are these accesses assigned to users

[image] Ashish Kumar: s there a way to remove all accesse To assist you more effectively, kindly provide additional details about your specific use case. As mentioned earlier, employing a “before provisioning” rule is one approach to accomplish the desired outcome.

We have an SE, @mostafa_helmy , who just created a workflow for this exact purpose. He may be able to share it with the community.

For some clients, we have used a small piece of Professional Services config that was able to do this (and more) with simple configuration work. I believe if you reach out to your SailPoint contact, they will be able to help you set this up.

Use Case: Identity has already been terminated (all associated accounts have been disabled). Identity still has access left on the disabled accounts. Access details are as follows: Assigned via a role with assignment criteria (they are getting removed automatically after termination) Assigned vi…

Removing all Access at once for a specific application

Identity Security Cloud (ISC) ISC Discussion and Questions

mostafa_helmy (Mostafa Helmy) June 23, 2023, 10:08am 13

I just posted my workflow configuration doing exactly that here! It relies on a targetted micro-certification campaign which we autocomplete and revoke all access, which means it avoids all the trouble you face by doing it with Access Requests.

Topic		Replies	Views
Remove all Access when user state changes from Inactive to Terminated ISC Discussion and Questions workflows , identity-security-cloud	10	449	September 23, 2024
Disable account when access is removed ISC Discussion and Questions workflows , identity-security-cloud , provisioning , roles , access-requests , connectors , entitlements	5	230	August 17, 2025
Need recommendations for removing sticky access for termed users ISC Discussion and Questions workflows , apis , identity-security-cloud , provisioning , access-requests , connectors , entitlements	3	84	September 28, 2025
Workflows remove roles on identity termination ISC Discussion and Questions workflows , access-requests	13	1754	July 7, 2023
New Capability: Remove All Access on Termination Product News identity-security-cloud , accounts , new-capability , sources , access-model	42	3514	April 22, 2026

Removing all Access at once for a specific application

Related topics