Entitlement SOD, allow only one entitlement from an application

Hello, we have around 30 entitlements in an application and we need to allow only one entitlement at any point in time via Access Request. What would be the best way to achieve this?

Team - any inputs? We have a similar situation. I know we could create multiple rules such as
A → conflict with B,C,D,E…
B → conflict with A,C,D,E…
C → conflict with A,B,D,E…
and go on

But is this the only way? Again, all the entitlements are part of the same application in our use case. Any insight would be appreciated. Thanks!

Have you had an opportunity to review the documentation around advanced policies and IdentitySelectors:

Advanced Policies
IdentitySelectors

I wonder if they could be used here.

I don’t think it is practical or scalable to have to create an SoD Policy with every combination of entitlements. You can always modify the Access Request Workflow and add a step which validates if the user already has an entitlement on the application, and if they do, then the Workflow terminates with an error saying something like “You must first remove your current entitlement before requesting a new one…”

I agree with @paulo_urcid. Alternatively, a Before Provisioning Rule can be used to inspect the provisioning - if an entitlement is being added, make it replace whatever the user has; if multiple entitlements are being added, throw an exception and make it fail. Or always make it fail if the result of the provisioning action would be multiple entitlements.
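
A sketch of the Before Provisioning Rule logic described above, added here as an example; it is not code from this thread, from SailPoint, or from the Rule Guide. SailPoint rules are BeanShell (Java syntax), so it uses the standard rule input `plan` and the public `ProvisioningPlan`, `Identity` and `Link` classes; the application name `APP_NAME` and the entitlement attribute name `groups` are assumptions, and the "one entitlement only" rule is enforced by failing multi-value requests and turning a single-value request into a replacement.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.tools.GeneralException;

// Assumed names (not from the thread): the application, and the account
// attribute that carries its entitlements.
String appName = "APP_NAME";
String entAttr = "groups";

// Turns null, a single value or a List into a List so every shape is handled alike.
List asList(Object v) {
    List out = new ArrayList();
    if (v instanceof List) out.addAll((List) v); else if (v != null) out.add(v);
    return out;
}

// 'plan' is the standard input of a Before Provisioning Rule.
List acctReqs = plan.getAccountRequests(appName);
Identity identity = plan.getIdentity();
if (acctReqs == null || identity == null) return;  // nothing for this app to enforce
for (AccountRequest acctReq : acctReqs) {
    List attrReqs = acctReq.getAttributeRequests(entAttr);
    if (attrReqs == null) continue;
    // Gather every entitlement value the plan would add or set.
    List added = new ArrayList();
    for (AttributeRequest ar : attrReqs) {
        Operation op = ar.getOperation();
        if (Operation.Add.equals(op) || Operation.Set.equals(op)) added.addAll(asList(ar.getValue()));
    }
    if (added.isEmpty()) continue;  // removals only, always allowed
    // Fail fast when a single request would leave the user with several entitlements.
    if (added.size() > 1) {
        throw new GeneralException("Only one " + appName + " entitlement may be held "
                + "at a time; this request adds " + added.size());
    }
    // Exactly one value requested: replace the current one by appending Remove
    // requests for the values the user's account on this application already holds.
    for (Link link : asList(identity.getLinks())) {
        if (!appName.equals(link.getApplicationName())) continue;
        for (Object cv : asList(link.getAttribute(entAttr))) {
            if (!added.contains(cv)) acctReq.add(new AttributeRequest(entAttr, Operation.Remove, cv));
        }
    }
}
```

Because a Before Provisioning Rule only runs once the plan reaches the connector, the requester sees this failure after approval; the workflow validation step described earlier in the thread rejects the request before that point.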

Thanks @paulo_urcid/@menno_pieters. It makes sense. BTW, do you have any sample code handy to perform this?

The Rule Guide on Compass explains how the rule works, inputs/outputs and has some example code:
https://community.sailpoint.com/t5/Technical-White-Papers/Rules-in-IdentityIQ-7-0-7-2/ta-p/78176

Hello,

Can you be more clear regarding the requirement? Do you mean (1) only one entitlement of that application can be assigned to a user, or (2) simply that a user can request only one entitlement of that application per Access Request?

If you mean the first scenario, then I believe writing a Policy Executor is the way to go. If you want to achieve the second scenario, we have a plugin solution which can solve your requirement elegantly: https://community.sailpoint.com/t5/Plugin-Framework/KOGIT-Access-Request-Extension/ta-p/228216

Thanks and Regards,
Mike