Hi @sahincelik
Welcome to the SailPoint Developer community.
SOD won’t help you here; it is just for detection.

1. Preventive actions
   - Let’s say the user already has one of those 10 groups and is requesting one more group. What do you need to do then?
   - You can reject the request by using a workflow. Refer to this: Implementing A Request Response Type Trigger in Workflows
   - If you would like to add that group and remove the existing group, then you need to handle this in a Before Provisioning Rule, which is a cloud rule.
2. Access Reviews
   - Running a certification campaign is recommended to have a look at the current data and remove groups if a user has more than 1 group. The certifier needs to work out which groups are to be removed.
3. Detective
   - After implementing steps 1 & 2, if a user gets added to the group at the target end (ideally this shouldn’t happen), just in case, you can go for Access Reviews periodically.
   - You can create an identity attribute for this: see if the user has more than 1 group, then mark it as yes.
   - Based on this attribute, you can trigger the workflow. Or you can schedule the workflow to run and check directly in the workflow whether the user has more than 1 group, if you don’t want to have an identity attribute for this requirement alone.
   - Using the workflow, you can remove the access.

Thanks
Krish