Skip to content

Managing Roles

Roles allow you to group related sets of access, from a single source or across multiple sources, to simplify access management for your users. Roles often group access according to job functions or other shared user attributes such as departments or locations. You can then configure roles for automated provisioning or for access requests so they can be granted to your users.

You must have Provisioning to use roles.


In addition to org admins, who have full system access, users granted the Role Admin or Role Sub-admin user levels can also create, manage, and edit roles.

  • Role Admins can do this for all roles.
  • Role Sub-admins can perform these actions only for roles they are authorized for.

Creating Roles

  1. Go to Admin > Access Model > Roles.

  2. Select Create New.

  3. Complete the relevant configurations.

    • Configuration - Determine the role's most basic information.
    • Manage Access – Choose which entitlements and access profiles are included in this role.
    • Define Assignment – Optionally specify criteria for automatic role assignment.
    • Access Requests – Optionally enable access requests and set a review process for requests.
  4. Select Enable Role.

    Roles usually get enabled after automated assignment criteria are configured or when they are enabled for access requests.


Any new or updated role configurations must be applied to your identities through identity processing. Refer to Applying Changes for details.


Once you've created a role, you can define its basic details.

  1. In the Name field, enter a unique and descriptive name for your role.

  2. Select the Owner drop-down list to choose an identity to own this role. This identity can be configured as an approver in access requests or certifications.

  3. In the Description field, provide additional details about the role and the access it grants. This field allows a maximum of 2,000 characters.

    Best Practice

    Provide user-friendly, informative names and descriptions for your roles. Both are visible in certifications, access requests, and approvals. A detailed description will improve the quality and speed of reviewer decisions.

  4. Select Common Access if this role represents access that applies to large sets of users in your organization, generally granted only through automated processes. This field is present for customers who have licensed AI-driven Identity Security.

    Designating a role as Common Access means it will be omitted from access request recommendations in the Request Center.

  5. Select Save.

Manage Access

Roles can contain entitlements and access profiles. Each role should contain at least one entitlement or access profile.

To add access items to a role:

  1. Select the Manage Access tab.

  2. Select Add Access.

  3. Select Entitlements or Access Profiles, depending on what access you want to add.

  4. Select the checkboxes next to the access items that will be added to the role. Access items that are already assigned to a role have an Assigned status in the Assigned to Roles column.

  5. Select Review.

  6. If you want to remove any of the access items from the list, select the X action for that item.

  7. Select Add Access.

To remove access items from a role:

  1. On the Manage Access tab, select Entitlements or Access Profiles.

  2. Select the Remove action for the access item to be removed. If you decide to keep the access item in the role, select the Cancel action.

  3. Once you have finished removing access items, select Save.

Editing Roles

You can change most of the attributes you defined for the role while creating it.

To edit an existing role:

  1. Go to Admin > Access Model > Roles.

    You can search for a specific role based on characters contained in the role name. You can also use the Sort icon to sort roles by their name, the date they were last modified, or the date they were created.

  2. Select Edit on the role you want to edit.

  3. Make changes to the role’s configuration, access, assignment criteria, or access request configurations. Select Save on each page you change.

Removing Access from a Role

Changing a role definition to remove access from it does not result in entitlement removal from the identities who have the role. This applies to any of these actions:

  • Removing access profiles from the role
  • Removing entitlements from the role
  • Removing entitlements from an access profile associated with the role
  • Deleting an access profile previously attached to the role
  • Deleting a role

In each of these cases, the entitlements remain in place for the identities but become independent from the changed/deleted role or access profile.

Revoking Entitlements with Role Changes

If you need to revoke entitlements for users based on role changes, you must:

  1. Define and assign a new role with the access you want the users to retain.

    • For auto-provisioned roles, specify its assignment criteria to match the old role and let identity processing assign the new role.
    • For roles managed by access requests, request the new role for the users.
  2. Remove the old role from all users.

    • For auto-provisioned roles, change the role’s assignment criteria so users do not meet it and let identity processing revoke the old role from the users.
    • For roles managed by access requests, use a certification or manager removal request to revoke the old role from users.
  3. Delete the old role once you verify that it is no longer needed.


  • Deprovisioning entitlements does not remove source accounts, even if the accounts were created by role provisioning or if all entitlements are removed from the account.
  • If any of the role’s entitlements overlap with another assigned role for the user, the user will retain the entitlements for the role they still have.

Applying Changes

Role configuration changes are not immediately applied to identities. When a user's identity attributes change, event-based processing can adjust role assignments and provision access changes based on the new information. Otherwise, you must select Apply Changes on the role list page to initiate identity processing for all identities in your organization, to recalculate users’ access based on your changes.

Best Practice

For best system performance, wait to select Apply Changes until you are ready to apply the whole set of configuration changes to your whole set of identities. Selecting it for roles, access profiles, or applications automatically processes all three.

Disabling or Deleting a Role

You can temporarily or permanently disable roles, or you can delete them from IdentityNow if you no longer need them.

To disable a role:

  1. Go to Admin > Access Model > Roles.

  2. Select Actions > Edit on the role you want to edit.

  3. Select the Enable Role toggle to turn it off.

To delete a role:

  1. Go to Admin > Access Model > Roles.

  2. Select Actions > Delete on the role you want to edit. You can also select the checkbox beside the name of each role you want to delete and select the Delete button.

Disabling or deleting a role has these implications:

  • Removes the role from the Request Center
  • Prevents future automated assignment of the role
  • Removes the role from your identities
  • Does not deprovision the role’s access for identities which previously held it. Identities will keep entitlements they were granted through this role, but they will no longer be associated with the role.

Viewing Role Assignments

  1. Go to Admin > Access Model > Roles.

  2. Select View Details for a role to view its details.

  3. Select Identities in the details overlay.

The Details overlay for roles. The Identities option is selected.

This list includes identities who obtained this role through automated assignment and access requests.

Revoking Requested Roles

Roles obtained through an access request can be revoked from the user by an IdentityNow administrator with Admin, Role Admin, or Role Sub-admin access to the role. Auto-assigned roles cannot be manually revoked.

  1. Go to Admin > Access Model > Roles.

  2. Select View Details on a role card to view its details.

  3. Select Identities in the details overlay.

  4. Select an identity from the list.

  5. Select Revoke. This option only appears if the role was granted through a request.

  6. Enter a Comment about the revocation and select Revoke.

  7. Refresh the page to see the user immediately removed from the list.


  • Revocation of the role's entitlements from the user's source account may be automatic and immediate or may require the source owner to complete a manual task.
  • No notification is sent for this administrative revocation, but the action is captured in audit records.


Managers can also initiate revocation of requested roles for members of their team.