Skip to content

Managing Roles

Roles allow you to group related sets of access, from a single source or across multiple sources, to simplify access management for your users. Roles often group access according to job functions or other shared user attributes such as departments or locations. You can then configure roles for automated provisioning or for access requests.

You must have the Provisioning service to use roles.

Permissions for Managing Roles

In addition to org admins, who have full system access, users granted the Role admin or Role sub-admin user levels can also create, manage, and edit roles.

  • Role admins can do this for all roles.
  • Role sub-admins can perform these actions only for roles they are authorized for.

Creating Roles

To create a role:

  1. From the Admin interface, go to Access > Roles.

  2. Select Create New.

  3. Complete the relevant configurations.

    • Configuration - Determine the role's most basic information.
    • Manage Access – Choose which access profiles are included in this role.
    • Define Assignment – Optionally specify criteria for automatic role assignment.
    • Access Requests – Optionally enable access requests and set a review process for requests.

    To be associated with an identity, a role must be either automatically assigned to them or the identity must request the role and have that request approved.


Any new or updated role configurations must be applied to your identities through identity processing, Refer to Applying Changes for details.


Once you've created a role, you can define its basic details.

  1. In the Name field, enter a unique and descriptive name for your role.

  2. Select the Owner drop-down list to choose an identity to own this role. This identity can be configured as an approver in access requests or certifications.

  3. In the Description field, provide additional details about the role and the access it grants. This field allows a maximum of 2,000 characters.

    Best Practice

    Provide user-friendly, informative names and descriptions for your roles. Both are visible in certifications, access requests, and approvals. A detailed description will improve the quality and speed of reviewer decisions.

  4. Select Common Access if this role represents access that applies to large sets of users in your organization, generally granted only through automated processes.

    Designating a role as Common Access means it will be omitted from access request recommendations in the Request Center.

  5. Select Enable to enable the role now or wait until you are ready to apply it to identities.

    Roles usually get enabled after automated assignment criteria are configured or when they are marked as available for access requests.

  6. Select Save.

Manage Access

Each role should contain at least one access profile.

  1. In Manage Access, for an access profile, and select + to add it to the role. Repeat to add more access profiles, as needed.

    Select the X in the Action column of any access profile row to remove it from the role.

  2. Select Save.

Editing Roles

You can change most of the attributes you defined for the role while creating it.

To edit an existing role:

  1. In the admin interface, go to Access > Roles.

    In the list of roles, you can search for a specific role based on the characters its name starts with or its exact name.

    In the Cards view, you can also use the Sort icon to sort roles by their name, the date they were last modified, or the date they were created.

  2. In the cards view, select Edit on the role you want to edit.

  3. Make changes to the role’s configuration, access, assignment criteria, or access request configurations. Select Save on each page you change.

Removing Access from a Role

Changing a role definition to remove access from it does not result in entitlement removal from the identities who have the role. This applies to any of these actions:

  • Removing access profiles from the role
  • Removing entitlements from an access profile associated with the role
  • Deleting an access profile previously attached to the role
  • Deleting a role

In each of these cases, the entitlements remain in place for the identities but become independent from the changed/deleted role or access profile.

Revoking Entitlements with Role Changes

If you need to revoke entitlements for users based on role changes, you must:

  1. Define and assign a new role with the access you want the users to retain.

    • For auto-provisioned roles, specify its assignment criteria to match the old role and let identity processing assign the new role.
    • For roles managed by access requests, request the new role for the users.
  2. Remove the old role from all users.

    • For auto-provisioned roles, change the role’s assignment criteria so users do not meet it and let identity processing revoke the old role from the users.
    • For roles managed by access requests, use a certification or manager removal request to revoke the old role from users.
  3. Delete the old role once you verify that it is no longer needed.


  • Deprovisioning entitlements does not remove source accounts, even if the accounts were created by role provisioning or if all entitlements are removed from the account.
  • If any of the role’s entitlements overlap with another assigned role for the user, the user will retain the entitlements for the role they still have.

Applying Changes

Role configuration changes do not immediately get automatically applied to identities. The Roles list page offers an Apply Changes option to perform recalculation of role memberships and of users’ access based on roles. This option performs an identity processing for all identities in your organization.

For best system performance, this should be selected only when you are done making role and access profile changes and are ready to apply the whole set of configuration changes to your whole set of identities. Selecting it for roles or for access profiles automatically includes both.

Disabling or Deleting a Role

You can temporarily or permanently disable roles, or you can delete them from IdentityNow if you no longer need them.

To disable a role:

  1. From the Admin interface, go to Access > Roles.

  2. In the cards view, select Edit on the role you want to disable.

  3. In the role’s Configuration page, select the Enable Role toggle to turn it off.

To delete a role:

  1. From the Admin interface, go to Access > Roles.

  2. In the Cards view, select Actions > Delete on the role you want to remove.

    You can also select the checkbox beside the name of each role you want to delete and select the Delete button.

Disabling or deleting a role has these implications:

  • Removes the role from the Request Center
  • Prevents future automated assignment of the role
  • Removes the role from your identities
  • Does not deprovision the role’s access for identities which previously held it. Identities will keep entitlements they were granted through this role, but they will no longer be associated with the role.

Viewing Role Assignments

To view the set of identities who have a role:

  1. From the Admin interface, go to Access > Roles.

  2. In the cards view, select Details on the desired role.

  3. Select Identities in the details overlay.

The Details overlay for roles. The Identities option is selected.

This list includes identities who obtained this role through automated assignment and access requests.

Revoking Requested Roles

Roles obtained through an access request can be revoked from the user by an IdentityNow administrator. Auto-assigned roles cannot be manually revoked.

  1. From the Admin interface, go to Access > Roles.

  2. In the cards view, select Details on the desired role.

  3. Select Identities in the details overlay.

  4. Select Revoke.


Once Revoke is selected, the user is immediately removed from the list, even if the source owner must complete a manual task to finish the revocation on the source.

No notification is sent for this revocation, but the action is captured in audit records.