Restrict to select number of accesses in manage user access page

Which IIQ version are you inquiring about?

8.4p2

Share all details about your problem, including any error messages you may have received.

For role selection restriction, I have implemented it through an Advanced Policy. I have also added logic to restrict entitlement selection, but somehow the system is calculating both the entitlements coming from role requests and direct entitlement selections, which results in a policy violation.

Example:
I set the maximum allowed roles/entitlements to 20.

Role A contains 10 entitlements.

Role B contains 7 entitlements.
These two roles together already consume most of the allowed entitlements, causing the policy violation when additional entitlements are selected.

Is there any custom plugin or solution available to handle this scenario?

Which scenario are you talking about? Do you need to continue in case of policy violations, such that no violation will be detected?

Please let me know. It is not clear from your message.

Hi Manish,

I have created an Advanced Policy Rule to restrict the number of access items (both Roles and Entitlements) that can be selected on the Manage User Access page, with the threshold set to 20. However, when I select only 3 roles and click Submit, I am still receiving a policy violation.

The issue is that the system is counting all entitlements contained within those selected roles. Since each role contains around 20 entitlements, the total count exceeds the threshold, which triggers the policy violation. Ideally, the system should only consider the number of roles selected and allow the request to be submitted, rather than expanding the entitlements within each role.

@sivanagi_reddy - Could you share the rule snippet?

Hello @sivanagi_reddy

Since the rule currently appears to count all elements included in the provisioning plan (role and entitlements), why not customize your rule to allow analysis of the elements of the access request (the provisioning plan or the object of the access request) and manual determination of the number of relevant elements (in this case, only objects of type Role or Bundle) before applying your threshold logic?
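The counting approach suggested in the reply above, as an added sketch that is not code from the thread or from SailPoint: it counts each requested role once and each directly selected entitlement once, without expanding roles into their entitlements. The `Item` record is a hypothetical stand-in for the entries of an access request, and the `IIQ` / `assignedRoles` naming for role requests is an assumption about how the request is represented.

```java
import java.util.List;

public class SelectedItemCount {
    // Stand-in for one requested item; hypothetical, not a SailPoint class.
    record Item(String application, String attribute, String value, String op) {}

    // Assumption: role requests arrive on the "IIQ" application as "assignedRoles".
    static final String IIQ_APP = "IIQ";
    static final String ROLE_ATTR = "assignedRoles";
    static final int MAX_ITEMS = 20; // threshold used in the thread

    static boolean isRole(Item i) {
        return IIQ_APP.equals(i.application()) && ROLE_ATTR.equals(i.attribute());
    }

    // Each requested role counts once, whatever entitlements it contains.
    static long countRoles(List<Item> items) {
        return items.stream().filter(i -> "Add".equals(i.op()))
                .filter(SelectedItemCount::isRole).distinct().count();
    }

    // Only entitlements the requester picked directly; nothing is expanded from roles.
    static long countDirectEntitlements(List<Item> items) {
        return items.stream().filter(i -> "Add".equals(i.op()))
                .filter(i -> !isRole(i)).distinct().count();
    }

    static boolean violates(List<Item> items) {
        return countRoles(items) + countDirectEntitlements(items) > MAX_ITEMS;
    }

    public static void main(String[] args) {
        // Constructed sample request: 3 roles, 2 direct entitlements, 1 removal.
        List<Item> request = List.of(
            new Item("IIQ", "assignedRoles", "Role A", "Add"),
            new Item("IIQ", "assignedRoles", "Role B", "Add"),
            new Item("IIQ", "assignedRoles", "Role C", "Add"),
            new Item("HR App", "groups", "Payroll Readers", "Add"),
            new Item("HR App", "groups", "Payroll Readers", "Add"), // duplicate pick
            new Item("Mail", "memberOf", "All Staff", "Add"),
            new Item("Mail", "memberOf", "Old List", "Remove"));
        System.out.printf("roles=%d entitlements=%d violation=%b%n",
            countRoles(request), countDirectEntitlements(request), violates(request));
    }
}
```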
