In addition to the current policy actions in IDM 4.7 to request and revoke roles and resources and to the upcoming new actions in 4.8 it would be great to also be able to read assigned roles and resources.

For example on user termination we would like to be able to automatically read all roles and resources assigned explicitly to the user and revoke them. And I guess it would also make sense to be able to read all running requests for a user so that they can be denied.

So maybe something like the following argument builder nouns "Assigned Roles", "Assigned Resources" and "Running Requests" and an action "deny request"?