Need Help with Preventive SOD Entitlement Policy

karen_delucia · April 9, 2026, 7:55pm

I’m trying to create a policy in IIQ 8.5 to prevent a user from requesting access to an entitlement if they already have a related entitlement.

So, I have 5 entitlements (active directory groups) - Entitlement A, B, C, D and E. If a user has any one of those 5 entitlements, they should not be able to request another of them.

I have a preventive SOD Entitlement policy where in the First Entitlement Set, I have all 5 entitlements.
And the Second Entitlement Set also has all 5 entitlements.

I was thinking that if the user is requesting an entitlement from the First Set, and they already have access to something in the Second Set, the policy violation would be triggered. But if the user does not have any access and is requesting access to one of the entitlements, it would allow them to request access.

But what I’m seeing is that if a user has none of the entitlements and they try to request any one of them, they get an error that they are in violation of the policy. Why? They don’t have any access yet. What do I need to change to allow users to request these entitlements?

Any info is appreciated. Thanks!

robert-hails · April 9, 2026, 8:59pm

Hi @karen_delucia - this is because the requested entitlement is in both sets. In order to fix this, would need to create separate 1-to-many sets (i.e. entitlement A on left and entitlements B,C,D,E on the right), or use an advanced policy.

ryan_toornburg · April 9, 2026, 8:59pm

Hi @karen_delucia - it is because you have the same entitlement on both sides of the policy rule. So IIQ sees that as requesting Entitlement A will conflict with Entitlement A. What you can do is create 5 policies, one for each entitlement, for the conflicts, put the remaining 4. This should allow the requests.

ryan_toornburg · April 9, 2026, 9:00pm

@robert-hails - we have impeccable timing

robert-hails · April 9, 2026, 10:05pm

Blaming Spider-Man GIF

mandarsane · April 10, 2026, 7:02am

Hi @karen_delucia ,

For entitlement SOD policy, you can create set (for 5 entitlements) as below –>

A vs B, C, D, E
B vs C, D, E
C vs D, E
D vs E

karen_delucia · April 10, 2026, 4:54pm

Thanks everyone for your replies. I think deep down I knew that but was hoping it wasn’t so! I’ll split it up into 5 separate rules and expect that will work.

Thanks!

Topic		Replies	Views
Setting up of Separation of Duties Policy Violation IIQ Discussion and Questions identityiq	10	181	February 20, 2026
Entitlement SOD, allow only one entitlement from an application IIQ Discussion and Questions	9	1875	July 19, 2023
SailPoint IIQ SOD Advanced Policies not working IIQ Discussion and Questions identityiq	11	164	December 23, 2025
Violation when requesting entitlements that are part of Role SoD Policy IIQ Discussion and Questions identityiq , roles	7	72	March 16, 2026
SOD Policy detective check ISC Discussion and Questions identity-security-cloud	6	464	September 24, 2024

Need Help with Preventive SOD Entitlement Policy

Related topics