Sure, here are a few references to help get you started:
- Implementing advanced policy using filters and rules
- Compass Policies Article
- IdentitySelectors in the IdentityIQ User Interface
Looking at your requirement statement ("We want the user to not be even able to request for 2 permitted roles… so should be blocked while the access request is being submitted"), there are 2 scenarios to consider:
- An Access Request where the user tries to request both roles in the same request - You should be able to configure the access request workflow to not allow policy violations, which should prevent this scenario.
- The user requesting permitted role A in one request, then requesting permitted role B in another request (possibly after the request for A has been provisioned) - This one will be tricky, as you’ll need to check the Identity and IdentityRequests for that user to see if A has already been requested/provisioned/assigned. It is possible to do in a Beanshell rule, but it will definitely require some work to code and test the logic needed to perform these checks.
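To make the two scenarios above concrete, here is an added, standalone model of the checks the reply describes (it is not code from the post, and it does not use IdentityIQ's API). It uses constructed data: a set of mutually exclusive role pairs, an identity with its currently assigned roles, and that identity's prior requests with a state. A real implementation would run as a Beanshell rule against the Identity and IdentityRequest objects; every name and state value below is an assumption for illustration.

```python
"""Model of the two checks the reply describes: block an access request that would
leave a user holding both roles of an exclusive pair, whether the two roles arrive
in one request (scenario 1) or across separate requests (scenario 2).
Constructed data and assumed names only; not IdentityIQ's API."""
from dataclasses import dataclass, field

# Constructed: role pairs that must never be held together.
EXCLUSIVE_PAIRS = {frozenset({"AP-Approver", "AP-Payer"})}

# Constructed request states that still count as "the user will end up with the role".
LIVE_STATES = {"pending", "provisioned"}


@dataclass
class Identity:
    name: str
    assigned_roles: set = field(default_factory=set)


@dataclass
class IdentityRequest:
    identity: str
    roles: list
    state: str  # assumed values: "pending", "provisioned", "rejected"


def conflicts_within(request_roles):
    """Scenario 1: both roles of an exclusive pair appear in the same request."""
    requested = set(request_roles)
    return [pair for pair in EXCLUSIVE_PAIRS if pair <= requested]


def effective_roles(identity, requests):
    """Roles the identity already holds plus roles still in flight for it.
    Rejected requests are ignored; pending ones count, because the second
    request could otherwise slip through before the first is provisioned."""
    held = set(identity.assigned_roles)
    for req in requests:
        if req.identity == identity.name and req.state in LIVE_STATES:
            held.update(req.roles)
    return held


def evaluate(identity, requests, new_roles):
    """Return (allowed, reasons) for a new request, applying both scenarios."""
    reasons = []
    for pair in conflicts_within(new_roles):
        reasons.append(f"same request contains both of {sorted(pair)}")
    already = effective_roles(identity, requests)
    for role in new_roles:
        for pair in EXCLUSIVE_PAIRS:
            if role in pair:
                other = next(iter(pair - {role}))
                if other in already:
                    reasons.append(
                        f"{role} conflicts with {other}, already assigned or requested"
                    )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed history: Alice has a pending request for AP-Approver.
    history = [IdentityRequest("alice", ["AP-Approver"], "pending")]
    alice = Identity("alice")
    print(evaluate(alice, history, ["AP-Payer"]))  # blocked by scenario 2
    print(evaluate(alice, history, ["AP-Approver", "AP-Payer"]))  # blocked by both
```

The point of `effective_roles` is the part the reply calls tricky: a check that only looks at `assigned_roles` misses a conflicting role that was requested earlier but not yet provisioned, so the in-flight requests have to be folded in as well.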