Violating Entitlements in Advanced SOD Policy

Which IIQ version are you inquiring about?

8.3

Share all details about your problem, including any error messages you may have received.

We configured an advanced SOD Policy for an application using a Rule. The violations for the identity are getting generated (Detective scan), but we need to know more about the conflicting entitlements (as is shown for an Entitlement SOD policy). The Policy Violations tab currently shows the violation with an Allow option only.

Below is the snippet on how we are returning the violation via rule.

// identity, violationOwner and constraint come from the rule's context (not shown here)
import sailpoint.object.PolicyViolation;

PolicyViolation policyViolation = new PolicyViolation();
policyViolation.setActive(true);
policyViolation.setIdentity(identity);
policyViolation.setOwner(violationOwner);
policyViolation.setName("Advanced Policy Violation");
policyViolation.setConstraint(constraint);
policyViolation.setStatus(PolicyViolation.Status.Open);
policyViolation.setDescription("This is Advanced Policy Violation");

// returning the PolicyViolation from the rule tells IIQ the identity is in violation
return policyViolation;

  1. How can we show conflicting entitlements in PolicyViolation?
  2. If yes, then does it automatically show two options - Approve, Revoke?

Below APIs might be helpful to you:

1. setViolatingEntitlements(..) / getViolatingEntitlements()
2. setDetails(..) / getDetails()

Please refer to the API docs for argument specifications.

In an Advanced SoD policy, IIQ will only show “what you give it.” If your rule creates a violation with just a name/description, the UI has nothing to display as the actual “conflicting entitlements.”

  1. Show the conflicting entitlements

After your rule detects the conflicting entitlements, populate them on the PolicyViolation:
• policyViolation.setViolatingEntitlements(…)
• (optional) policyViolation.setDetails(…) for extra context (app, entitlement names/IDs, why it’s a conflict, etc.)

Fastest/most reliable: also put the entitlement names directly into the violation description, so it’s visible everywhere even if the UI doesn’t render a nice entitlement grid.

Example (conceptually):

policyViolation.setDescription(
"Conflict detected: " + ent1Name + " + " + ent2Name + " (App: " + appName + ")"
);

policyViolation.setViolatingEntitlements(violatingList); // list you build from entitlements you found
policyViolation.setDetails(detailsMapOrString); // optional
return policyViolation;

  2. About “Approve/Revoke”
    • In IIQ, the action is Revoke (not Approve) on the policy violation side.
    • Seeing only Allow vs Allow + Revoke is controlled by policy configuration / compliance settings.
    • Also: Advanced SoD doesn’t always give the same OOTB “pick what to revoke” remediation experience as Entitlement SoD. If you need that classic SoD remediation, you either:
        ◦ switch to Entitlement SoD (when possible), or
        ◦ keep Advanced SoD and handle remediation via a Policy Violation workflow/work item (present the conflicting entitlements and drive a deprovision plan).

Recommendation

If you want the standard SoD experience (clear conflicting items + easy revoke), prefer Entitlement SoD. If you must stay Advanced (complex logic), then:
• populate violatingEntitlements + add entitlement names in the description/details
• do remediation with a workflow/work item (since Advanced SoD remediation is not as turnkey).
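Putting the two replies above together (the API list in the first reply and the "show the conflicting entitlements" step in the second), here is a full Advanced Policy rule body that detects a two-value conflict and reports the entitlements on the violation. This is an added example written for this thread, not code from the original poster or from SailPoint. It assumes the standard Advanced Policy rule context (`identity`, `policy`, `constraint`), a hypothetical application "HR-System" whose entitlement attribute "groups" must not contain both "Payroll-Approver" and "Payroll-Submitter", and that `PolicyTreeNode` exposes bean setters for application/name/value (an assumption; check the 8.3 javadoc for the exact constructor and setter names before relying on them):

```java
// Added example for an IIQ Advanced Policy rule (BeanShell/Java). Not the
// original poster's code. Assumed rule context: identity, policy, constraint.
// Assumed data: app "HR-System", attribute "groups", conflicting values below.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Link;
import sailpoint.object.PolicyTreeNode;
import sailpoint.object.PolicyViolation;

String appName    = "HR-System";          // assumed application name
String attrName   = "groups";             // assumed entitlement attribute
String leftValue  = "Payroll-Approver";   // assumed conflicting value #1
String rightValue = "Payroll-Submitter";  // assumed conflicting value #2

// 1. Gather every value of the attribute the identity holds on that
//    application, across all of its links (an identity can have several).
List held = new ArrayList();
List links = identity.getLinks();
if (links != null) {
    for (Object o : links) {
        Link link = (Link) o;
        if (!appName.equals(link.getApplicationName())) {
            continue;
        }
        Object value = link.getAttribute(attrName);
        if (value == null) {
            continue;
        }
        if (value instanceof List) {
            held.addAll((List) value);   // multi-valued attribute
        } else {
            held.add(value);             // single-valued attribute
        }
    }
}

// 2. Only both sides together are a conflict; returning null means
//    "no violation" for this identity.
if (!(held.contains(leftValue) && held.contains(rightValue))) {
    return null;
}

// 3. Build the violation. Put the entitlement names in the description so
//    they are visible everywhere, even where the UI renders no entitlement grid.
PolicyViolation violation = new PolicyViolation();
violation.setActive(true);
violation.setIdentity(identity);
violation.setPolicy(policy);
violation.setConstraint(constraint);
violation.setStatus(PolicyViolation.Status.Open);
violation.setDescription("Conflict detected: " + leftValue + " + " + rightValue
        + " (App: " + appName + ", attribute: " + attrName + ")");
// Owner assignment: keep whatever the existing rule does, e.g.
// violation.setOwner(violationOwner);

// 4. Report the conflicting entitlements themselves. PolicyTreeNode is the
//    type the Entitlement SoD executor uses for violatingEntitlements; the
//    setter names below are an assumption, verify against the 8.3 API docs.
List nodes = new ArrayList();
String[] values = new String[] { leftValue, rightValue };
for (int i = 0; i < values.length; i++) {
    PolicyTreeNode node = new PolicyTreeNode();
    node.setApplication(appName);
    node.setName(attrName);
    node.setValue(values[i]);
    nodes.add(node);
}
violation.setViolatingEntitlements(nodes);

// 5. Extra context for a remediation workflow/work item: record which value
//    the business wants removed so the deprovision plan can be built from it.
//    setArgument is assumed to be available on PolicyViolation in this version.
violation.setArgument("conflictingApplication", appName);
violation.setArgument("conflictingAttribute", attrName);
violation.setArgument("conflictingValues", leftValue + "," + rightValue);
violation.setArgument("suggestedRevoke", rightValue);

return violation;
```

Run a policy scan (an identity refresh with policy checking enabled) and open the resulting violation from the Policy Violations page: the description line carries the entitlement names regardless of what the grid shows, and the arguments are there for a custom violation workflow to turn into a provisioning plan, which is the route the second reply describes for Advanced SoD remediation.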