Role revoke for bulk identities

Identity Security Cloud (ISC) ISC Discussion and Questions
1

Revoke/Add Role for set of identities given as input as csv file.

2

@kankdekar ,

What is your exact requirement?Revoking role for Bulk identities?Can you explain?

3

@kankdekar Please explain little more about your requirement !

4

HI @BalajiK3 , Can you please explain the what is the issue , Do you need remove or add role to bulk identitties ?

5

Hi @kankdekar,

If your requirement is to assign role for bulk users, you can utilize sailpoint provided ruby script (IdentityNow Bulk Access Profile and Role Importer - Compass).
But if requirement is for revoking you can utilize access request API (create-access-request | SailPoint Developer Community)

You can refer to similar post here: Create Bulk Access Requests in ISC - Identity Security Cloud (ISC) / ISC Community Knowledge Base - SailPoint Developer Community

6

Hi @kankdekar Kindly provide bit more information about this requirement to understand in better?

7

Hi,

Thanks for sharing your thoughts.

Requirment is, suppose there are 1000 members assigned to 1 AD group, need to remove 350 members membership at a time. Is there any predefined task/process available ? If not how we can achieve.

8

Hi,

There is no out-of-the-box task in SailPoint Identity Security Cloud that takes a CSV of identities and bulk removes a specific entitlement/group membership from only those users.

A few approaches you can consider:

  • Access Request API / Bulk Requests: Generate requests programmatically for the 350 users and revoke the AD group entitlement.
  • Workflow + CSV Input: Upload the CSV, parse the identities, and use a workflow to remove the entitlement from each user.
  • Source-side update: If the AD group is managed directly in AD, use a PowerShell script to remove the 350 users from the group and let ISC pick up the change during aggregation.
  • Custom Script/Automation: Use ISC APIs to read the CSV and submit entitlement removal requests in bulk.

For a one-time cleanup of 350 users from a 1000-member AD group, many organizations would use a PowerShell script against AD (if the group is source-managed) or automate entitlement revocation through the ISC APIs if the group is SailPoint-managed.