How to configure SOD for permitted roles

Hello All,
I have a use case where there is a business role XYZ which has IT roles A and B as permitted. I have created a role-based SOD for IT roles A and B and modified the LCM request workflow to check the left bundle and right bundle to catch the violation.

Problem: when I just request IT roles A and B, it gives me the violation error before submitting.
But when I select the business role XYZ and then IT roles A and B as permitted roles, it doesn't throw any violation.

How can I apply the SOD policy to the same IT roles when they are requested as permitted roles?

Do let me know if any XML is needed to help troubleshoot.

The issue is that the business role XYZ pre-defines both IT roles as permitted (i.e. pre-approved as part of the role definition itself), which excludes them from policy violation checks.

This is a case where I’d generally suggest splitting the business role into 2 separate roles - one business role for each IT role - which would then allow you to have both the IT roles and business roles configured for SOD policies.

The alternative would be to create a custom Advanced policy to manually check the request for this policy violation via Beanshell rule, but this has a lot of potential downsides due to complexity and potential performance impact of other IIQ processes that can check for policy violations as well (like Identity Refresh tasks).

Hello Brian, thanks for the reply… The first approach is not something I could make work… The use case is for a PAM application where the user needs to request a basic AD role and a platform role to provision to PAM… which requires AD to be present as well.

About the second approach, would you happen to have some code or a paper link I can refer to? I didn't find much in the user guide for advanced policy configuration.

We want the user to not even be able to request the 2 permitted roles… so it should be blocked while the access request is being submitted.

Sure, here are a few references to help get you started:

Looking at your requirement statement: We want the user to not be even able to request for 2 permitted roles… so should be blocked while the access request is being submitted - there are 2 scenarios to consider…

  1. An Access Request where the user tries to request both roles in the same request - You should be able to configure the access request workflow to not allow policy violations, which should prevent this scenario.
  2. The user requesting permitted role A in one request, then requesting permitted role B in another request (possibly after the request for A has been provisioned) - This one will be tricky as you’ll need to check the Identity and IdentityRequests for that user to see if A has already been requested/provisioned/assigned. Possible to do in a Beanshell rule, but will definitely require some work to code and test the logic needed to perform these checks.

Thank you Brian, I appreciate the help with the links and ideas. I went ahead with a customization to read the account request in the access request workflow and remove it if it has conflicting permitted roles.

Advanced SOD seemed like a lot of work lol :D

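As an added example (not code from this thread or from SailPoint), here is Beanshell-style logic for the customization the last reply describes: it inspects the request's provisioning plan for the two conflicting permitted roles, also counting roles the identity already holds (the second scenario from Brian's reply), and strips the conflicting adds before the request is submitted. It assumes the IIQ plan and identity calls shown (getAccountRequests, getAttributeRequests, remove, getAssignedRoles) and uses hypothetical role names.

```java
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
String roleA = "IT Role A", roleB = "IT Role B"; // hypothetical names; use the SOD policy's bundles
// True when this attribute request adds roles (the IIQ "assignedRoles" attribute).
boolean isRoleAdd(AttributeRequest att) {
    return "assignedRoles".equals(att.getName()) && ProvisioningPlan.Operation.Add.equals(att.getOperation());
}
// Role names this plan adds on the IIQ application (a value may be a String or a List).
List addedRoles(ProvisioningPlan plan) {
    List names = new ArrayList();
    List accts = plan.getAccountRequests(ProvisioningPlan.APP_IIQ);
    if (accts == null) return names;
    for (Object o : accts) {
        List attrs = ((AccountRequest) o).getAttributeRequests();
        if (attrs == null) continue;
        for (Object a : attrs) {
            AttributeRequest att = (AttributeRequest) a;
            if (!isRoleAdd(att)) continue;
            Object v = att.getValue();
            if (v instanceof List) names.addAll((List) v); else if (v != null) names.add(v);
        }
    }
    return names;
}
// Conflict: the request adds A or B and, with roles already held, the identity would have both.
boolean hasConflict(ProvisioningPlan plan, Identity identity) {
    List all = addedRoles(plan);
    if (!all.contains(roleA) && !all.contains(roleB)) return false;
    if (identity != null && identity.getAssignedRoles() != null)
        for (Object b : identity.getAssignedRoles()) all.add(b.getName()); // Bundle.getName()
    return all.contains(roleA) && all.contains(roleB);
}
// On a conflict, remove every Add of A or B from the plan before submission; true if it did.
boolean stripConflict(ProvisioningPlan plan, Identity identity) {
    if (!hasConflict(plan, identity)) return false;
    for (Object o : plan.getAccountRequests(ProvisioningPlan.APP_IIQ)) {
        AccountRequest ar = (AccountRequest) o;
        if (ar.getAttributeRequests() == null) continue;
        for (Object a : new ArrayList(ar.getAttributeRequests())) { // copy: ar.remove() mutates the list
            AttributeRequest att = (AttributeRequest) a;
            if (!isRoleAdd(att)) continue;
            Object v = att.getValue();
            if (v instanceof List) { v.remove(roleA); v.remove(roleB); if (v.isEmpty()) ar.remove(att); }
            else if (roleA.equals(v) || roleB.equals(v)) ar.remove(att);
        }
    }
    return true;
}
```

Call `stripConflict(plan, identity)` from a workflow step that runs after the plan is built and before the policy check; `plan` and `identity` are whatever variables that step of your LCM workflow exposes.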