SOD Policy detective check

Hello ISC experts,

I’ve built an SOD policy,when requesting for conflicting entitlements access for identities SOD policy should detect violation.
but it’s not working as expected, for example when I request for an identity which already one entitlement(access) when requesting for another conflicting entitlement(access) it detects the violation, But when I request both the conflicting entitlements(access) together for an Identity ISC didn’t detect violation.

So ISC Experts, Is this SOD policy working as expected or is this an issue?

First, this probably needs to go in ISC Discussion and Questions to get more visibility, and @community_moderators can probably move it.

When you say that ISC didn’t detect the violation, where are you expecting that to happen? As a part of the access request workflow, or from within the SoD Policy screen? The latter relies on search and may take some time to show the violations because of the time required for search to refresh

1 Like

Hi @mcheek ,

I’m expecting this to happen in request center.

Hi @mehuljogi,

Take a look at this doc which says the preventive SOD is applicable only to the access, the Identity already has. So, as per the documentation, this might be working as expected.

Having said that, I would want the system to detect the violations if the requested violation pairs are part of the same request. May be worth submitting an idea for.

1 Like

Hello @mehuljogi
The thing highlighted by @jesvin90 is correct.
Not just the one you highlighted but this will be an issue with AP or Role as well where if the conflicting entitlement is not provisioned then for all these items you will not find the conflict.
IDN currently only considers accesses that are already provisioned and nothing in flight. Because they may or may not be assigned.

On another note, if those 2 entitlements are requested separately and one of them gets approved then also the other entitlement wont show conflict as it would have already passed the SOD check stage.

2 Likes

@mehuljogi
We have the same requirement and we are thinking of preparing a workflow to do the same for us.

Were you able to come with some kind of solution for this?

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.