Role Wildcards for adding a license when someone requests the first access profile for an application

Is it possible to use wildcards in roles?

We want to be able to trigger a role to add a license (specific entitlement) if someone requests any access profile for a certain application. I don’t want to have to list each and every entitlement possibility to the role criteria and maintain a lengthy list. I would also like this license to be removed when they no longer have any of the access profiles assigned to this application. Unfortunately, it does not appear you can use a wildcard in a role.

What is the best way to accomplish this task? We don’t want to add the license to each access profile because if an access profile certification campaign is conducted and one access profile is revoked, and the user has another access profile for the same application, it will break because the license entitlement overlaps multiple access profiles.

Scenario:

Application A

Access Profile A: Entitlement A
Access Profile B: Entitlement B
Access Profile C: Entitlement C

Role A: Entitlement L (license)

If a user requests any of the access profiles for Application A, they will automatically be assigned Role A. However, I do not want to have to maintain a list of each and every access profile that belongs in Application A in the role criteria with OR statements.


Good question, Kathryn,

We have a quite similar difficulty trying to configure Roles/Access Profiles A and B (linked to entitlements A and B) to auto-revoke when Access Profile C is requested and granted, and vice versa for any of A, B or C.

Ideally the Role and/or Access Profile form should have a [missing now] section where we could all define what to revoke/remove from other Roles/APs/Entitlements before the point when it is approved or granted. IdentityNow does not have that yet.

I’d highly support your question here, to see other people’s responses and proposed workarounds.

An IDN custom Workflow to revoke access, or microcertification with access revoking (SailPoint IdentityNow - Revoke previous access for movers)… both have limitations as a workaround…

…do we have a stronger and simpler way to grant access via request to one of three entitlements, automatically revoking the identity’s prior access to either of the other two entitlements?

The criterion is that an identity should never have more than one of those three entitlements at any time, even temporarily.

With best wishes
Dimitri