Workflow to Exclude access provided by Roles and access profiles

Hi Team,

I am working on a Workflow that will exclude access given by Roles and Access Profiles however there is not an explicit indication in the logic that speaks to this. Is it possible that the exclusion logic is implemented in a part of the system not shown in this JSON, possibly in the campaign creation process or in how the campaign data is populated?

Below is a snippet of an example workflow.

Anyone come across this before?

{
	"name": "Certification Campaign Excluding Role/Profile Access",
	"description": "Creates a certification campaign that excludes access given by roles or access profiles",
	"modified": "2025-06-30T21:32:42.304397505Z",
	"modifiedBy": {
		"type": "IDENTITY",
		"id": "6",
		"name": "a"
	},
	"definition": {
		"start": "Create Certification Campaign",
		"steps": {
			"Create Certification Campaign": {
				"actionId": "sp:create-campaign",
				"attributes": {
					"activateUponCreation": true,
					"description": "Certification campaign for direct entitlements only",
					"duration": "4w",
					"emailNotificationEnabled": true,
					"name": "Access Review Excluding Roles and Profiles",
					"recommendationsEnabled": true,
					"type": "MANAGER",
					"undecidedAccess": false
				},
				"displayName": "",
				"nextStep": "Get Campaign",
				"type": "action",
				"versionNumber": 2
			},
			"End Step - Success": {
				"displayName": "",
				"type": "success"
			},
			"Get Campaign": {
				"actionId": "sp:get-campaign",
				"attributes": {
					"id.$": "$.Create Certification Campaign.id"
				},
				"displayName": "",
				"nextStep": "Send Email",
				"type": "action",
				"versionNumber": 1
			},
			"Send Email": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "A new certification campaign has been created: ${campaignName}. It excludes access given by roles and access profiles.",
					"context": {
						"campaignName.$": "$.Get Campaign.name"
					},
					"from": "noreply@example.com",
					"recipientEmailList": "admin@example.com",
					"replyTo": "noreply@example.com",
					"subject": "New Certification Campaign Created"
				},
				"displayName": "",
				"nextStep": "End Step - Success",
				"type": "action",
				"versionNumber": 2
			}
		}
	},
	"creator": {
		"type": "IDENTITY",
		"id": "6",
		"name": "a"
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"id": "idn:identity-attributes-changed"
		}
	}
}

Can you help better define your use case?

If you are defining a role to have certain access but then you want to exclude it for some, wouldn’t you just need to refine your membership criteria?

Hi Fred,

I am just wanting to exclude access that is provided by a role or access profile from a campaign. I hwas just attempting to do it using a filter in WOrkflows.