Dear Team,
Currently, as part of the preventive SOD checks at the access‑request level, the system evaluates only the Advanced Policy. This Advanced Policy internally scans all application‑specific policies that are kept in an inactive state, because SailPoint does not natively support SOD checks against IT/Detective roles. To address this limitation, we implemented the Advanced Policy to evaluate all inactive application‑level SOD policies.
However, for Detective Policies—which operate only on active policies as defined in the Refresh task—we would be required to activate those application‑specific policies. Activating them would negatively impact the preventive SOD checks during access requests, resulting in issues such as performance degradation and incorrect SOD evaluation results.
To avoid these impacts, we need a solution that allows both Preventive and Detective SOD policies to function seamlessly, without affecting system performance or the accuracy of SOD assessments.
Hi @harishabn,
This is a known limitation in IIQ. Preventive SoD (during access requests) and Detective SoD (during refresh) don’t work exactly the same way.
A practical approach is to keep things separate:

- Use a small and optimized set of policies for preventive checks at request time.
- Use detective policies for full SoD evaluation during Identity Refresh.

Instead of activating all application policies, it’s better to:

- Keep preventive policies lightweight to avoid performance issues.
- Run detailed SoD checks through detective policies via scheduled refresh.

If you need closer alignment, you can use an advanced policy or a custom rule to handle entitlement-level checks during requests.
Try to have EntitlementSOD if you want to deal with DetectedRoles where you can check conflicting entitlements directly. But for this you need to always create a new rule. Alternatively, you can create an advanced policy where you can maintain the conflicting details in Custom Object and then do the evaluation. This should work for both preventative and detective.
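As an added illustration of the Custom-object approach suggested in the two replies above (this is example code, not from the original thread or from SailPoint), here is the body of an IIQ Advanced Policy rule written in BeanShell. It assumes a Custom object named `SOD-Conflict-Matrix` whose `conflicts` attribute is a list of maps with the keys `application`, `attribute`, `left` and `right`, and it relies on IIQ passing the rule an `identity` that already reflects the requested items when it runs preventively during an access request, so the same rule serves the detective run during refresh.

```java
// IIQ rule of type "Policy" (BeanShell). IIQ supplies context, identity, policy, constraint.
// Returns a PolicyViolation when a conflicting pair is held, otherwise null.
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import sailpoint.object.Custom;
import sailpoint.object.Link;
import sailpoint.object.PolicyViolation;
import sailpoint.tools.Util;

// Assumed Custom object name and layout (maintained by administrators, not hard-coded here).
Custom matrix = context.getObjectByName(Custom.class, "SOD-Conflict-Matrix");
if (matrix == null) return null;
List conflicts = (List) matrix.get("conflicts");
if (Util.isEmpty(conflicts)) return null;

List hits = new ArrayList();
for (Object o : conflicts) {
  Map c = (Map) o;
  String app = (String) c.get("application");
  String attr = (String) c.get("attribute");
  // Collect every value of the entitlement attribute across all of the identity's
  // links on this application (an identity may hold more than one account).
  Set held = new HashSet();
  List links = identity.getLinks();
  if (links != null) {
    for (Object l : links) {
      Link link = (Link) l;
      if (!app.equals(link.getApplicationName())) continue;
      Object v = link.getAttribute(attr);
      if (v instanceof List) held.addAll((List) v);
      else if (v != null) held.add(v.toString());
    }
  }
  // A conflict exists only when both sides of the pair are held on the same application.
  if (held.contains(c.get("left")) && held.contains(c.get("right"))) {
    hits.add(app + ": " + c.get("left") + " + " + c.get("right"));
  }
}
if (hits.isEmpty()) return null;

PolicyViolation v = new PolicyViolation();
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
v.setActive(true);
v.setDescription("Conflicting entitlements held: " + Util.listToCsv(hits));
return v;
```

Because the conflict pairs live in the Custom object rather than in per-application policies, the application-level policies can stay inactive and the single Advanced Policy is the only one evaluated at request time and during refresh.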