Good question Kathryn,
We have quite similar difficulty trying to config the Roles/Access profile A and B (linked to the entitlements A and B) auto revoking when a request for Access profile C is being requested and granted. And vice versa for any of A, B or C.
Ideally the Role and/or Access profile form should have a [missing now] section where we all could define what to revoke/remove from other Roles/AP/Entitlements before the point when it will be approved or granted. IdentityNow has no that yet.
I’d highly support your question here to see the other people’s response and proposed workaround.
An IDN custom Workflow revoke access, or [microcertification with access revoking](SailPoint IdentityNow - Revoke previous access for movers SailPoint IdentityNow - Revoke previous access for movers)… both have limitations as a workaround…
…do we have more strong and simple way to grant an access via request to the one of three entitlements, revoking automatically an identity access before from any of second and third entitlements ?
Criteria is that an identity should never have more than one of those three entitlements at any time period, even temporary .
With best wishes
Dimitri