Advance SoD Policy

Hi Sailors,

I am trying to write an advanced SoD policy that allows an identity to hold only one role from a list of roles.

For example:
Roles List = [Role A, Role B, Role C]

Identity can have only one listed role at a time.

Logic:
import java.util.ArrayList;
import java.util.List;

// currentIdentityObject: the persisted identity; identity: the projected identity passed to the rule
List existingAssignedRoles = currentIdentityObject.getAssignedRoles();
List futureAssignedRoles = identity.getAssignedRoles();

// list of roles that need to be added (future minus existing)
// This calculates fine
List addRoles = new ArrayList(futureAssignedRoles);
addRoles.removeAll(existingAssignedRoles);

List existingDetectedRoles = currentIdentityObject.getBundles();
List futureDetectedRoles = identity.getBundles();

// list of roles that need to be removed within the same request (existing minus future)
// This does not calculate as expected
List removeRoles = new ArrayList(existingDetectedRoles);
removeRoles.removeAll(futureDetectedRoles);

Here:
If the identity already has Role A (which is a detected role) and the user is requesting Role B:

existingDetectedRoles —> [Role A]

my expectation:
futureDetectedRoles —> [Role A, Role B]

actual log output:
futureDetectedRoles —> [Role B]

Does anyone have any insights why this might be happening?

Which IIQ version are you inquiring about?

8.4p1

Hi @sanjivk,

If the roles are limited in count (e.g., fewer than 5), then you can create individual SODs to achieve your requirement. In your example, you have 3 roles, so create 3 SODs:

  • SOD #1: Role A vs. Role B
  • SOD #2: Role A vs. Role C
  • SOD #3: Role B vs. Role C

See if this approach helps.

getBundles() is for detected roles only, which do not include removed roles once the request is processed. Use getAssignedRoles() instead for an accurate comparison.

1 Like

Hi @sanjivk,
I tried to replicate your scenario and noticed why it’s happening.
The reason you’re not seeing both roles (Role A and Role B) in identity.getBundles() is that this method only shows the final state after the request is processed, not the combination of current and requested roles. So if you’re requesting Role B while Role A already exists, identity.getBundles() only shows Role B, not both.

To handle this, I fetched the current identity from the DB like this:

Identity currentIdentity = context.getObjectByName(Identity.class, identity.getName());

Then I checked:
Current roles -> currentIdentity.getBundles()
Future roles -> identity.getBundles()

Using both together, I counted how many conflicting roles are present. If more than one, I raised a policy violation.
This approach worked for me.
Happy to share the full snippet if this helps!

1 Like
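As an added example (not the snippet offered in the reply above, and not SailPoint's own code): a BeanShell rule body for an IdentityIQ Advanced policy that implements the approach described in that reply, re-reading the persisted identity from the database and comparing it with the projected identity, and that also folds in the earlier suggestion to look at getAssignedRoles() rather than getBundles() alone. The role names and the violation message are assumed placeholders; `context`, `identity`, `policy` and `constraint` are the arguments IdentityIQ passes to a rule of type Policy, and `roleNames` is a helper defined here for the example.

```java
// Added example: BeanShell body for an IdentityIQ Advanced policy rule (rule type "Policy").
// IIQ passes context, identity (the projected identity), policy and constraint to the rule.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.PolicyViolation;

// Assumed: the set of mutually exclusive role names (placeholder values).
List exclusiveRoles = Arrays.asList("Role A", "Role B", "Role C");

// Names of every role an identity holds, detected (getBundles) and
// assigned (getAssignedRoles); either list may be null on a fresh identity.
Set roleNames(Identity id) {
    Set names = new HashSet();
    if (id == null) {
        return names;
    }
    List all = new ArrayList();
    if (id.getBundles() != null) {
        all.addAll(id.getBundles());
    }
    if (id.getAssignedRoles() != null) {
        all.addAll(id.getAssignedRoles());
    }
    for (Object o : all) {
        names.add(((Bundle) o).getName());
    }
    return names;
}

// Current state: the persisted identity, re-read from the database.
// Future state: the projected identity handed to the rule for this request.
Identity currentIdentity = context.getObjectByName(Identity.class, identity.getName());
Set currentRoles = roleNames(currentIdentity);
Set futureRoles = roleNames(identity);

// Roles this request adds (future minus current), computed with removeAll
// rather than a list subtraction, which BeanShell does not support.
Set addedRoles = new HashSet(futureRoles);
addedRoles.removeAll(currentRoles);

// Roles from the exclusive set the identity would end up holding:
// what it has now plus what is being added, intersected with the list.
Set held = new HashSet(currentRoles);
held.addAll(addedRoles);
held.retainAll(exclusiveRoles);

if (held.size() > 1) {
    PolicyViolation violation = new PolicyViolation();
    violation.setIdentity(identity);
    violation.setPolicy(policy);
    violation.setConstraint(constraint);
    violation.setDescription("Identity " + identity.getName()
        + " may hold only one of " + exclusiveRoles + " but would hold " + held);
    return violation;
}
return null;
```

One caveat: because the check unions the persisted roles with the added ones, a role removed in the same request is still counted as held, so a swap (remove Role A, add Role B) in one request is reported as a violation. The thread does not establish how the projected identity exposes same-request removals, so the example does not try to subtract them.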