REVOKE_ACCESS request is failing

shreyas_nitturkar · November 14, 2025, 7:28am

We are using a workflow to remove the entitlements assigned to a user when a particular event occurs.

The trigger is working well but the REVOKE_ACCESS request submitted using the Submit Access request API is not consistent in removing the entitlements.

We have ENSURED that the entitlement being removed is:

Passed one at a time in the request
the entitlement being removed is revocable i.e not assigned via any role/ birthright / via access profile.
user submitting a request is an ORG_ADMIN

The behaviour is highly inconsistent and mostly works if retried 2-3 times. How to ensure that the access request when submitted is 100% revoking the entitlement?

KRM7 · November 14, 2025, 8:34am

What is the error you are getting, 400 error ?

shreyas_nitturkar · November 14, 2025, 9:04am

No error. it says request processed but the entitlement is not removed.

nhassan · November 14, 2025, 9:45am

Hi @shreyas_nitturkar

Could you try using the ‘Send Email’ action after ‘HTTP Request’ step to see what’s the output or error message/status code?

In the ‘Send Email’ action,
set ‘Body’ to $.hTTPRequest.statusCode

OR set ‘Body’ to $.hTTPRequest.body

Also, try setting the JSON Request Body in the HTTP Request as below.

{
“requestedFor”: [
“Id-of-the-Identity”
],
“requestType”: “REVOKE_ACCESS”,
“requestedItems”: [
{
“type”: “ENTITLEMENT”,
“id”: “Id-of-the-Entitlement”,
“comment”: “Revoking access via workflow”
}
]
}

margocbain · November 14, 2025, 2:28pm

Any chance this is for AD and you also have an OU move happening around the same event? I’ve seen this behaviour before in cert workflows with auto-revoke steps because the DN is changing in the middle of the REVOKE_ACCESS step. ISC can interpret the access as already removed because it can’t locate the account

shreyas_nitturkar · November 19, 2025, 7:57am

I was able to resolve other syntax related issues in Workflow but for one of the entitlements is still failing with the attached error:

nhassan · November 19, 2025, 1:23pm

Regarding this one entitlement that is still failing to be revoked, did you check this might have been granted via birth right access i.e a dynamic role or access profile having this entitlement or the entitlement itself tied to a role and the user is a member of that role, in which case this would fail?

The basic rules of ISC access management still apply i.e only requested roles (not auto-assigned ones) and entitlements that exist outside of roles and access profiles will be revocable.

system · January 18, 2026, 1:24pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ISC Workflow step Manage Access issue ISC Discussion and Questions workflows , identity-security-cloud	4	74	January 25, 2026
ISC Workflow to remove access changes important global security setting Bugs workflows , identity-security-cloud , access-requests , entitlements	5	538	November 6, 2024
Remove access from workflow ISC Discussion and Questions workflows , identity-security-cloud , roles	24	2499	July 11, 2023
New Capability: Entitlement Revoke API Product News identity-security-cloud , entitlements , new-capability	15	2361	January 16, 2025
REVOKE_ACCESS API Call ISC Discussion and Questions identity-security-cloud	14	266	April 25, 2025

REVOKE_ACCESS request is failing

Related topics