I wanted to check if SailPoint Identity Security Cloud (ISC) provides any built‑in way to detect or prevent mass role changes. Specifically, is there a way to identify if more than 1000 users are added to a role within the last 24 hours?
We are exploring options such as:
Threshold‑based alerts or warnings
Manual or automated checks before role creation/modification is finalized
Any governance controls to prevent accidental mass provisioning or de‑provisioning
Has anyone implemented something similar using ISC features like workflows, alerts, analytics, or APIs?
For your 2nd point, you can create a search with the same parameters as your Role. That will show you how many identities will meet the criteria when it goes live.
@phil_awlings Thanks for the reply, but do we have any other way for this notification? Specifically, is there a way to identify if more than 1000 users are added to a role within the last 24 hours and then send a notification to the role owner or admin?
Hmm….
Daily subscription on the search parameters that matches your Role
A workflow that triggers off of the search, that takes the number of identities in that Role and compares it against a fixed value, and if the difference is greater than ‘1000’, then email the owner of the Role.
With the ISC search module you have all events and activities that are logged.
So detection mode can work by using the review options available in search.
For example, with the following query I can retrieve the list of assignments of role A in the last 24 hours:
(status:PASSED) AND (technicalName:"ROLE_ADD_PASSED") AND (created:[now-24h TO now]) AND (attributes.info:"Your ROle Name")
Or the list of all roles for which users were added in the last 24h:
(status:PASSED) AND (technicalName:"ROLE_ADD_PASSED") AND (created:[now-24h TO now])
This information comes from the events. You can adapt it and filter depending on the different attributes available in events or other search modules: Searchable Fields - SailPoint Identity Services
So from the UI this query can be used and scheduled to notify a particular team, and a review is required to check if any threshold or violation has occurred.
Another alternative can be to use the search API with the same queries, and there you count and check whatever you want.
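The search API approach from the last reply, as an added example that is not part of the original thread and is not SailPoint's own code: it runs the second query against the events index and returns the roles that gained more than 1000 distinct users. Assumptions: `base_url` and `token` are supplied by the caller, `attributes.info` holds the role name as in the thread's query, and `target.name` identifies the user; the sample events are constructed.

```python
import json
from collections import defaultdict
from urllib import request

THRESHOLD = 1000  # from the thread: more than 1000 users added in 24 hours
# Query from the reply above, with straight quotes
QUERY = ('(status:PASSED) AND (technicalName:"ROLE_ADD_PASSED") '
         'AND (created:[now-24h TO now])')

def build_search_body(query=QUERY):
    """Body for POST /v3/search against the events index."""
    return {"indices": ["events"], "query": {"query": query}}

def fetch_events(base_url, token, page_size=250):
    """Yield matching events. base_url and token are supplied by the caller
    (assumptions). Offset paging only; ISC documents searchAfter paging for
    result sets beyond 10,000 records."""
    offset = 0
    while True:
        req = request.Request(
            f"{base_url}/v3/search?limit={page_size}&offset={offset}",
            data=json.dumps(build_search_body()).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"},
            method="POST")
        with request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield from page
        if len(page) < page_size:
            return
        offset += page_size

def roles_over_threshold(events, threshold=THRESHOLD):
    """Return {role: distinct users added} for roles above the threshold."""
    added = defaultdict(set)
    for i, ev in enumerate(events):
        role = (ev.get("attributes") or {}).get("info")  # field used in the thread's query
        if not role:
            continue
        # Assumed field: target.name identifies the user; de-duplicate on it
        who = (ev.get("target") or {}).get("name") or f"event-{i}"
        added[role].add(who)
    return {r: len(u) for r, u in added.items() if len(u) > threshold}

def sample_events():
    """Constructed sample: 1001 users added to 'Role A', 3 to 'Role B'."""
    def ev(role, i):
        return {"technicalName": "ROLE_ADD_PASSED", "status": "PASSED",
                "attributes": {"info": role}, "target": {"name": f"user{i}"}}
    return [ev("Role A", i) for i in range(1001)] + [ev("Role B", i) for i in range(3)]

if __name__ == "__main__":
    print(roles_over_threshold(sample_events()))
```

In a scheduled job, pass `fetch_events(base_url, token)` to `roles_over_threshold` and notify the owner of each role it returns.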