Is it possible to assign a workgroup as a Policy Rule Owner in an SOD Policy?

Which IIQ version are you inquiring about?

8.4p2

Share all details about your problem, including any error messages you may have received.

Hi all,

I’m working with IdentityIQ 8.4 and have run into an issue while configuring Separation of Duties (SoD) policies.

I understand that at the policy level you can assign a Policy Owner and a Policy Violation Owner, and these can be either an identity or a workgroup (as documented in the IIQ 8.4 Policy Management guide). However, when I try to assign a workgroup as the Policy Violation Owner for an individual SOD rule, the value does not persist — it saves as “None”.

From what I can tell, rule‑level Policy Violation Owners appear to support only identities, the manager of the violating user, or a rule that selects an identity. But I want to confirm whether that limitation is intentional and documented, or if there is a supported method to assign a workgroup specifically at the rule level.

My questions:

  1. Is it technically possible in IdentityIQ 8.4 to assign a workgroup as the Policy Violation Owner for a specific SOD policy rule?

  2. If not, are there recommended approaches or best practices for handling rule‑level ownership by groups, such as functional identities or owner‑selection rules?

Any guidance, documentation references, or examples would be greatly appreciated.

Thanks!

Have you tried updating that in debug and saving it manually?

Not suggesting as a solution but to see if maybe it’s a GUI thing.

It should be possible imho.

Hi @acgsneddon, that is not a limitation. As you showed in the screenshot, you didn’t select the Identity radio button. It selected the None radio button, which is why it’s storing None on the policy violation owner. Select the Identity radio button, and it will save the workgroups.

Thanks,

PVR.

@acgsneddon Which policy are you testing? I just tried it in Role SOD and am able to set the workgroup as owner.

Hi all, thank you for your responses. I tested your suggestions in our lower environment and was able to successfully update the rule owner through the UI. However, when I tried the same steps in our Production environment, any attempt to assign a workgroup as the rule owner reverts back to “None” after saving and reopening the policy rule.

This makes me think the issue may be linked to a configuration difference between environments, although I haven’t yet identified what that might be. My next step is to test whether the update persists if I make the change directly through Debug.

Thanks again for your help so far.