SOD Policy around Personas

Which IIQ version are you inquiring about?

8.4p2

We want to set up an SOD policy where, if an identity has only one specific persona, no other access can be requested for that persona through the access request process. All access for this one persona is managed through a role with pre-approved access. Has anyone encountered this scenario?

Hi Ricardo,

You have an interesting question. SOD policy in the pure sense is codified to restrict roles or entitlements based on a toxic combination. In order to get to the solution approaches, it will be helpful if you can explain how you have implemented persona-based pre-approved provisioning in IIQ.

Regards,

Nilesh

Hi @brownric,

Sounds interesting, and you can definitely achieve this using an Advanced Policy, which allows you to raise a PolicyViolation for anything you can define in code :wink:

Please allow me to add some thoughts: The PolicyViolation would definitely allow you to explain the situation to the requester. I see the advantage.

However, this also means that they would be able to put together a request (which might contain a number of items) and only at the end see the PolicyViolation.
You may want to consider whether you want to limit the items which are requestable for those identities.
In that specific case the requester would simply not find any requestable items and would not spend time selecting them.

Does this make sense?
Kindly let me know your thoughts.

Best regards,
Daniel
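As an added illustration of the Advanced Policy approach described in the reply above (this is example code written for this page, not code from the original post or from SailPoint), here is the body of a Policy-type BeanShell rule that an Advanced Policy constraint could point at. It assumes three hypothetical names: a multi-valued identity attribute `personas`, the locked-down persona value `Emeritus Faculty`, and a pre-approved role `Emeritus Faculty Base Access`; the rule arguments `identity`, `policy` and `constraint` are the standard ones IIQ passes to a policy rule. It also relies on request-time policy checking being evaluated against the identity with the requested items applied, which should be confirmed with a test request in the target 8.4p2 environment.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.PolicyViolation;

// Hypothetical names (assumptions, not from the original thread): the
// multi-valued identity attribute that carries the personas, the single
// persona that is locked down, and the only role that persona may hold.
String PERSONA_ATTR = "personas";
String LOCKED_PERSONA = "Emeritus Faculty";
String PREAPPROVED_ROLE = "Emeritus Faculty Base Access";

// Normalise the persona attribute to a List of Strings, whether the
// aggregation stored it as a single value or as a multi-valued List.
List personas = new ArrayList();
Object raw = identity.getAttribute(PERSONA_ATTR);
if (raw instanceof List) {
    for (Object o : (List) raw) {
        if (o != null) {
            personas.add(o.toString());
        }
    }
} else if (raw != null) {
    personas.add(raw.toString());
}

// The restriction applies only when the locked persona is the ONLY persona.
// An identity that also has another persona gets its extra access from that
// persona's roles, so it is deliberately exempt here.
boolean onlyLockedPersona =
    personas.size() == 1 && LOCKED_PERSONA.equals(personas.get(0));
if (!onlyLockedPersona) {
    return null;
}

// Any assigned role other than the pre-approved one is out of policy. When a
// request is checked, the requested role is already present on the projected
// identity, so it is caught here before the request is submitted.
List offending = new ArrayList();
List roles = identity.getAssignedRoles();
if (roles != null) {
    for (Bundle role : roles) {
        if (!PREAPPROVED_ROLE.equals(role.getName())) {
            offending.add(role.getName());
        }
    }
}

if (offending.isEmpty()) {
    return null;   // no violation: only the pre-approved role is held
}

// Build the violation so the requester sees a clear explanation.
PolicyViolation violation = new PolicyViolation();
violation.setIdentity(identity);
violation.setPolicy(policy);
violation.setConstraint(constraint);
violation.setStatus(PolicyViolation.Status.Open);
violation.setActive(true);
violation.setDescription("Identity " + identity.getName() + " holds only the '"
    + LOCKED_PERSONA + "' persona. Access beyond the pre-approved role '"
    + PREAPPROVED_ROLE + "' is not permitted; offending roles: " + offending);
return violation;
```

The persona check at the top is the same predicate that would drive a QuickLink population filter if the requestable catalogue is restricted for these identities instead: both approaches hinge on "exactly one persona, and it is the locked one", so keeping that logic in a single place (for example a library rule) avoids the two mechanisms drifting apart.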

Thank you both for looking at this.

Our institution is both a healthcare and a higher-education facility. We have multiple authoritative data sources for people data, and those people can be active in multiple sources, so we have an overarching identity that contains the multiple personas. Most of those personas are set to be automatically provisioned with an AD account and email, along with other default access based on the personas, built with role-based access.

We have one specific persona (Emeritus Faculty) who only get email access and a limited number of groups that are provisioned based on a role, and they are not permitted to have any other access when they have only this one persona (if they have other personas, then that access is granted based on the other personas).

Reviewing what has been commented, I'm thinking a better approach is to restrict those identities from being able to request access via QuickLink populations when they have only the Emeritus persona.

Thank You.