At one of our customers we have the following requirement:
- For removal of a few roles an additional manual action is to be performed and an email is to be sent to a specific email-address
We are planning to introduce an extended attribute for roles to indicate if an additional manual action is to be performed. Based on this attribute an email will be sent to the team to perform this manual action.
For the following revocation scenarios we have a solution.
- For Access Requests (Remove Access) we can adjust the "LCM Provisioning"-workflow
- Revocations from a certification can be captured with a "CertificationPhaseChange"-rule
It seems not possible to find a way to call a rule (to send the email) for revocations from a policy violation (SOD). These revocations are directly sent to the application connector without calling any rule or Workflow. The "Before Provisioning"-rule of the application only shows the compiled ProvisioningPlan, which does not contain a reference to the revoked role (to check the extended attribute).
Does anyone have an idea how to call a rule for revocations from Policy Violations and have access to the revoked role in this rule?
-- Remold