SOD Policy detective check

Hello ISC experts,

I’ve built an SOD policy; when conflicting entitlements (access) are requested for identities, the SOD policy should detect the violation.
But it’s not working as expected. For example, when I request, for an identity which already has one entitlement (access), another conflicting entitlement (access), it detects the violation. But when I request both of the conflicting entitlements (access) together for an identity, ISC didn’t detect the violation.

So, ISC experts, is this SOD policy working as expected, or is this an issue?

First, this probably needs to go in ISC Discussion and Questions to get more visibility, and @community_moderators can probably move it.

When you say that ISC didn’t detect the violation, where are you expecting that to happen? As part of the access request workflow, or from within the SoD Policy screen? The latter relies on search and may take some time to show the violations because of the time required for search to refresh.

2 Likes

Hi @mcheek ,

I’m expecting this to happen in request center.

Hi @mehuljogi,

Take a look at this doc, which says the preventive SOD is applicable only to the access the identity already has. So, as per the documentation, this might be working as expected.

Having said that, I would want the system to detect the violations if the requested violation pairs are part of the same request. It may be worth submitting an idea for this.

1 Like

Hello @mehuljogi
The point highlighted by @jesvin90 is correct.
Not just the case you highlighted, but this will be an issue with an AP or Role as well: if the conflicting entitlement is not provisioned, then for all these items you will not find the conflict.
IDN currently only considers access that is already provisioned and nothing in flight, because in-flight items may or may not end up assigned.

On another note, if those 2 entitlements are requested separately and one of them gets approved, then the other entitlement also won’t show a conflict, as it would have already passed the SOD check stage.

1 Like

@mehuljogi
We have the same requirement, and we are thinking of preparing a workflow to do the same for us.

Were you able to come up with some kind of solution for this?
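The gap described in this thread (ISC's preventive check compares a request only against access the identity already holds, so two conflicting items in one request, or in two separate in-flight requests, slip through) is easy to state as a small check. The code below is an added example written for this thread; it is not SailPoint's code, not any poster's workflow, and it does not call the ISC API. It assumes the SOD policy can be expressed as pairs of entitlement names, and the entitlement names, the identity's held access and the pending requests are all constructed sample data. It generalises beyond the poster's exact case by covering all three sources of a conflict: requested vs provisioned (what ISC already does), requested vs requested within one request, and requested vs another in-flight request.

```python
"""Detect SoD conflicts across provisioned AND in-flight access.

Added example for the thread; not SailPoint's or any poster's code.
Assumptions: the SoD policy is a list of (left, right) entitlement-name
pairs; an identity's held access is a set of names; pending requests
are sets of names. Nothing here talks to ISC.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Pair = Tuple[str, str]
Violation = Tuple[str, str, str]  # (left, right, where the two halves came from)


def normalise_policy(pairs: Iterable[Pair]) -> Set[FrozenSet[str]]:
    """Store conflict pairs order-independently so (A, B) matches (B, A)."""
    return {frozenset(p) for p in pairs if p[0] != p[1]}


def find_violations(policy: Set[FrozenSet[str]],
                    held: Set[str],
                    requested: Set[str],
                    pending: List[Set[str]]) -> List[Violation]:
    """Return every conflicting pair the new request would create.

    Three sources are checked, in order:
      1. requested item vs access already provisioned (ISC's preventive check)
      2. two requested items inside the same request (missed per the thread)
      3. requested item vs an item in another in-flight request
    """
    violations: List[Violation] = []
    for r in sorted(requested):
        for h in sorted(held):
            if frozenset((r, h)) in policy:
                violations.append((r, h, "requested vs provisioned"))
    for a, b in combinations(sorted(requested), 2):
        if frozenset((a, b)) in policy:
            violations.append((a, b, "both in same request"))
    for other in pending:
        for r in sorted(requested):
            for p in sorted(other):
                if frozenset((r, p)) in policy:
                    violations.append((r, p, "requested vs pending request"))
    return violations


# Constructed sample policy: the classic create-vendor / approve-payment split.
SAMPLE_POLICY = normalise_policy([("AP_Create_Vendor", "AP_Approve_Payment")])


def run_thread_scenarios() -> Dict[str, List[Violation]]:
    """Replay the three situations the thread describes on the sample policy."""
    return {
        # Identity already holds one side, requests the other: ISC catches this.
        "held_then_request": find_violations(
            SAMPLE_POLICY, {"AP_Create_Vendor"}, {"AP_Approve_Payment"}, []),
        # Both sides in one request: ISC does not catch this per the thread.
        "both_in_one_request": find_violations(
            SAMPLE_POLICY, set(), {"AP_Create_Vendor", "AP_Approve_Payment"}, []),
        # Two separate requests, the first still awaiting approval.
        "two_inflight_requests": find_violations(
            SAMPLE_POLICY, set(), {"AP_Approve_Payment"}, [{"AP_Create_Vendor"}]),
    }


if __name__ == "__main__":
    for name, found in run_thread_scenarios().items():
        print(f"{name}: {found or 'no violation'}")
```

A workflow built on this idea would feed `held` from the identity's current entitlements, `requested` from the access request being evaluated, and `pending` from that identity's other open requests, then block or route the request for review whenever the returned list is non-empty. The third check also closes the gap noted above where one of two separately requested items is approved before the other is evaluated.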