Working with Roles

A role is a name for a bundle of access that you can grant to an employee or group of employees in your system if you have Provisioning turned on in IdentityNow. When you grant users a specific role within IdentityNow, you can give them specific access profiles relevant to their position within your company.

For example, you might have a group of accountants in your company. Within IdentityNow you can create a role called Accountants and attach access profiles to it that grant permissions to specific files and apps that users with that role might need. You're able to define membership criteria to assign users to a specific role or roles.

When those users get those access profiles, they also are granted any source accounts and apps attached to them. For instructions, see Creating Access Profiles.

NOTE:  To enable others in your organization to work with roles, you can grant individuals role admin or role sub-admin user levels.  Role admins can create, manage, and edit roles. Role sub-admins can perform these role actions only for roles with access profiles on sources that are associated with the governance groups they are members of. 


Creating Roles


Creating a role requires you to define membership criteria, select the access granted by the role, and then update the related identities.

Prerequisite: Provisioning must be been enabled and set up for your organization.

To create a role, complete the following steps:

1. From the Admin interface, go to Access > Roles.

2. Click New.

roles list.png

3. Provide a name for your role.

4. Provide a description.

Important: If your site has the Access Request, Role Request, or Certifications service, be sure the names and description of your roles are user-friendly, meaning descriptive and easy to understand. This can allow reviewers to process more easily, make good decisions about specific roles, and improve the accuracy and quality of the access granted.

5. Click Continue.

The new role appears in your list of roles.

6. Select an identity in the Role Owner drop-down list.

new role.png

7. Go to the Membership tab.

The Define Membership Criteria panel is displayed.

8. Under Criteria Type, select one of the following options:

  • Standard - Allows you to create a rule that determines which identities get this role based on the entitlements and attributes they have.
  • Identity List - Select users individually by name and grant them the role.
  • Custom - Grant users a role based on a custom rule created for your organization.

See Membership Criteria for instructions for each type.

9. Go to the Access tab.

10. Add one or more access profiles to the Access Config panel by searching for applicable access profiles in Add Existing Access Profile.


  • This list only contains access profiles associated with sources that have the Provisioning flag enabled in the source's Config tab.

  • You can either type all or part of an access profile name to search for a specific access profile. You can also click in the field to see all access profiles in IdentityNow.

  • Assign an access profile to either a role or a lifecycle state. Assigning the same access profile to both can cause problems with provisioning.

Users are granted these access profiles when you give the user a role and update their access.

NOTE: Access profiles that are granted to users by roles are not included in certification campaigns.

11. Click Save.

12. Optionally review which users have received this role in the Identities tab.

role access config.png

13. On the Config tab, select the Enable Role checkbox.

14. Click Save.

role enable.png

15. Click the Update button in the top banner to provision the access profiles you defined in step 10 to the users who have this role.

IMPORTANT: Wait for the role update to complete (noted by the blue line on the page) before updating the identities or accounts that have this role.

If you do not click the Update button, these access profiles are provisioned to your users automatically at 1:00 AM UTC.

NOTE: If you deselect Enable Role to disable a role, it does not trigger any provisioning actions. Disabling a role this way removes the role from the Request Center and the data evaluation that IdentityNow runs to assign roles. 

update role access.png


Membership Criteria


When defining which identities are granted a role, choose from the following options :

If you want to select role members See
Using a filter... Standard
By choosing specific people... Identity List
Using a custom rule created by SailPoint... Custom


NOTE: In the Identities tab of a role’s configuration, you may see names that don't match the criteria for role membership. This occurs when an identity requested the role themselves or another person has requested the role for them.



Using the Standard Criteria type, you can define the criteria to determine which identities will receive a role. The standard option consists of a set of criteria or groups of criteria that filter identities based on an identity's entitlements, attributes, sources, or access profiles. Using these criteria, you can create simple filters or extremely granular filter combinations to add identities to a role. For more information, see Standard Role Membership Criteria Options.

IMPORTANT: Account attributes and identity attributes used as membership criteria for a role  must be either string or boolean typesOther attribute types are not supported

If an account attribute was defined with an integer type when the source schema was defined, and you include that attribute when defining the membership criteria for a role, identities with that attribute may not be included in the role.

On this page, you'll use the following tools to determine which users are added to this role:

1.png Filter - The complete set of groups, criteria, and operators that determines who is added to the role.
2.png Criteria Group - A set of criteria that are evaluated together, using a specific operator. Placing criteria in a group is like placing them inside a set of parentheses.
3.png Criteria - A single rule an identity is measured against. When you're creating criteria, make sure you're grouping them based on the operator you want them to use.
4.png Operator - The way that each criteria is evaluated within a group or between groups. This is either AND or OR.


A group can have a single criteria, or it can have many. Each group will be combined with any other groups in the filter to create a complete filter.

The criteria that you add to a group can be connected by an AND operator or an OR operator. If you want multiple criteria to use the same operator, you can put them in the same group.

You can add as many groups as you want. The operator used between groups will automatically be selected based on what you chose for within groups.

role criteria guide2.png

If you choose AND for your Within Groups Operator, your Between Groups operator will be OR.

within group and.png
If you choose OR, your Between Groups operator will be AND. within group or.png


Using these tools, you can create a filter to add users to the role:

1. Within any new or existing role, go to the Membership tab.

The Define Membership Criteria panel is displayed.

2. Under Criteria Type, select the Standard radio button.

standard criteria button.png

The Standard Criteria Builder is displayed.

On this page, you will create a filter that determines which identities are granted this role.

Click here for a tour of this page.

standard criteria builder.png

3. Under Operator Settings, in the Within Groups radio buttons, choose an operator to use within each criteria group you create.

The Between Groups operator can't be edited individually. To change it, edit the Within Groups operator.

You can see some examples of complete filters here​.

4. Click Add Group.

5. In the criteria group, select a type, and fill in all other applicable fields.

Click here for a description of each type and the options you have when you've selected it.

The criteria in the filter on the right add identities to the role if their manager's name is Sam Johnson.

add group.png

6. If you want to add more criteria within that same group, click Add Criteria.

In the image on the right, the criteria grant the role to anyone with a manager named Sam Johnson or who has the entitlement cloud development.

If you want to add criteria that involve using the other operator, create a new group.

add criteria.png

7. If you want to add another group, repeat steps 4-6 for as many groups as you want. All groups will be evaluated according to the rules you choose.

The filter on the right grants this role to any identity that is in an active lifecycle state who has a manager named Sam Johnson or the entitlement cloud development.

8. Click Save.

completed filter.png



The filter on the right grants this role to:

  • All users who are in the United States who have Mark Johnson as a manager
  • All users who are in Great Britain who have Mark Johnson as a manager

Users who have Mark Johnson as a manager but who live in Canada will not receive the role.

Users who live in the United States or Great Britain but have someone else as their manager will not receive the role.

role filter 01.png

The filter on the right grants this role to:

  • All users who have the cloud development entitlement and the cloud testing entitlement from the specified source


  • Users whose department on the specified source contains the words Cloud Test

Users with only one of the specified entitlements won't receive the role unless they are in a department that contains the words Cloud Test.

Users in the Management department will only receive the role if they have the cloud development entitlement and the cloud testing entitlement.

completed filter 02.png

The filter on the right grants this role to:

  • Users in California who do not have the Guests entitlement, and who do not have the Domain Guests entitlement.

Users who don't have either entitlement who are in Michigan will not receive this role.

Users who are in California who have one or more of the selected entitlements will not receive this role.

completed filter 03.png


Identity List


If you want to grant a role to a specific set of people, you can manually create a list by selecting the Identity List criteria type.

For example, if you are creating a new department at your company, you can use this option to list employees who are joining that department.

Complete the following steps:

1. Go to the Membership tab.

The Define Membership Criteria panel is displayed.

2. Under Criteria Type, select the Identity List radio button.

3. In the Add Identity field, begin typing the name of an identity you want to give the role. Matches appear after you type three or more characters. The first 200 users matching the criteria you enter are displayed in the list.

identity list role.png

4. Click the name of the identity. The identity is added to the Identities list below this panel.

5. Repeat steps 3 and 4 for each identity you want to grant this role.

6. Click Save.

You can verify that the correct identities were added to the list of users who have this role by going to the Identities tab. identities list roles.png




If you have a specific need that can't be satisfied by any of the options described previously, you can ask SailPoint Services to create custom criteria for you by defining rules. For more information, see Building Transforms in IdentityNow.

Prerequisite: SailPoint must have configured one or more custom rules for your organization.

Complete the following steps:

1. Go to the Membership tab.

The Define Membership Criteria panel is displayed.

2. Under Criteria Type, select the Custom radio button.

3. Under Rule, select a custom rule configured for your organization.

NOTE: To get new custom rules for your organization, please contact Expert Services.

4. Click Save.

custom membership criteria.png
You can verify that the correct identities were added to the list of users who have this role by going to the Identities tab. identities list roles.png


Configuring a Role for Access Requests

If you want users to be able to request access to a set of access in the form of a role, you can configure that role for access requests. The role will appear in the Request Center for users and you can configure an approval process to make sure that only the right users get this access.

All access in the role is granted to the user when their request is approved, making it ideal for new users who are requesting access they'll need to start in a new position. 

Best Practice: Ensure that you have an approval process in place before configuring a role that can be requested. Auditors typically recommend two approvals.

NOTE: To track activity related to access requests, go to Global > Reports and generate the Access Requests report.


  • A source connected to IdentityNow with entitlements loaded
  • A Create Profile has been configured for the source
  • Provisioning and Access Request are set up for your org


Complete the following steps:

1. Sign in to IdentityNow and go to the Admin interface.

2. Go to Access > Roles.

3. Create a new role, or click existing roles to edit them.

4. Select the checkbox for Enable Role if it is not already selected.

5. Select the checkbox for Requestable.

6. Enter any other necessary information for your role, such as Role Name, Role Owner, and Description.

7. In Access Request Approval Process, under Required Approvers, select a reviewer or governance group.

8. Click Add.

The user or group is added to the list of required reviewers.

9. Choose any additional reviewers or governance groups that you want to review the access before it's granted to a user.

Each new user or group is added to the bottom of the list.

10. If necessary, rearrange the reviewers using the arrow icons to reflect the order you want them to review the request in.

The list reflects the order that reviewers see the request. You can select as many reviewers from this list as you need.

If you select a governance group, any one person from that group can approve or deny the request.

NOTE: To remove a reviewer from the list, click the X icon by their title.

11. If you want to require the user to provide a comment or a reason for requesting the access, check the When User Requests checkbox under Require Comments.

If you check this box, the user will be required to enter a reason for requesting the access before they can submit their request for this role.

12. If you want to require the reviewers you selected in steps 7 - 9 to provide comments when they reject a request, check the When Approver Denies checkbox.

If you check this box, the reviewer of an access request will be required to enter a reason for denying access before their denial can be completed.

13. Click Save.

The role will now appear in the Request Center and can be requested by users.


  • If the role you are editing is assigned to an identity through its membership criteria, the approval process does not apply.

  • Any approvals defined for a role will override any requirements for the associated access profiles.


If a user requests an app, each reviewer is sent the Access Request Reviewer email when the previous reviewer approves the request. If any one reviewer denies the request, the requester is not granted access and the approval process stops.

If the requester of the role is listed as one of the reviewers, when it's their turn to review the request it will be automatically delegated to their manager.

If you need to configure a role so that users can request it on behalf of others, see How do I configure access to be requested for other people?


Using Roles to Deprovision Entitlements

If you have granted entitlements to your employees through roles, you can deprovision those entitlements by removing those people from the roles.

CAUTION: Removing access from a user does not remove any source accounts that were created as a result of provisioning through the role. Role-based deprovisioning only removes entitlements from a user and removes related apps from their Launchpads.

Review the access profiles associated with the role before deprovisioning that access from your users.

The method of removing access from users based on their role assignments depends on how they were granted the role. 

Method to Grant Roles Method to Remove Access

Change the criteria that must be met to grant the role to users. Users who no longer meet the requirements lose the role.

For example, if you want the criteria to stay the same but you want Bob Johnson to lose the role, you can add a new criteria to your filter that says AND Identity Attribute: Name Does Not Equal Bob Johnson.

Identity List

On the Define Membership Criteria panel, beside the Identity List, click the X icon beside the user you want to remove.


You have two options:

  • Choose a different custom rule required to grant this role to your users. Users who no longer meet the requirements defined by the rule lose the role.

  • Open a support ticket to edit the rule itself so that some users do not meet the requirements.


The following actions do not result in deprovisioning:

  • When an administrator removes access profiles from the list of access granted by the role, those access profiles are not deprovisioned from identities in the role.

  • When an administrator deletes an access profile, identities who got that access profile do not lose the related entitlements.

  • When an administrator deletes a role, identities who had that role do not lose the related access profiles.


Changing the Access Granted by a Role

You might need to make changes to the access for a group of identities in IdentityNow. If you have created a role for this group of users and later need to change the access, you can do so on the Access tab of the role.

To make changes to the role, go to Access > Roles and click the role you want to edit.

CAUTION: Removing an access profile from a role does not take the access away from the identities associated with it. To work around this problem, you can create a new role with the appropriate access. When you remove users from the previous role, their access will be deprovisioned. You can then add them to the new role.

You can make the following changes to the access for your role:

  • Add a new access profile.

Click Add Access Profile and select access profiles to add to the role.

  • Remove access profiles.

Click the X icon beside the access profile you want to remove.

access in a role.png


NOTE: To update the role members' access, click the Update button in the top banner. Their access also updates automatically at 1 AM UTC.


Revoking a Requested Role

Sometimes, a user may no longer need access to a role they requested, or they may have requested a role that they shouldn't have. Whatever the reason, you can easily see which roles were granted by request and revoke requested role access from individual Identities from your Admin menu.

Complete the following steps:

1. From the Admin interface, go to Access > Roles.

2. Click the role you want to view.

3. Click the Identities tab.

You will see the list of identities that have access to the role. In the Assignment Type column, each role is marked Granted by Membership Criteria or Granted by Request.

4. Select any role marked Requested,

5. In the Actions drop-down, click Revoke to revoke role access from the selected identities.

You are then taken back to the Identities tab. The list no longer contains the person whose access you revoked.

NOTE: Once Revoke is clicked, the person is always removed from the list, even if there is a manual task required to complete revocation.


Revoking a role immediately removes access so the person can no longer perform the functions of the role. They are not notified that their access was revoked.


Deleting Roles


If you need to delete a role from your IdentityNow organization, you can do so from the list of roles.

NOTE: Deleting a role does not remove the access profiles granted to the identities that currently have the role.

Complete the following steps:

1. From the Admin interface, go to Access > Roles.

The list of roles is displayed.

2. Select the check box beside any roles you want to delete.

3. Click the Action icon.

4. Click Delete.

You'll see a prompt confirming that you want to delete the role.

delete a role.png

5. Click Continue.

The roles you selected are deleted.

Did you find the information you needed?  If not, please let us know in the Forums. There's also much more on Compass you might find helpful.

Version history
Revision #:
21 of 21
Last update:
‎Dec 01, 2020 02:14 PM
Updated by: