Violation when requesting entitlements that are part of Role SoD Policy

Which IIQ version are you inquiring about?

8.5

Share all details about your problem, including any error messages you may have received.

Is there any OOTB way to detect Role SoD violations when access requests are submitted for underlying role entitlements?

For example -

I have an SoD policy for Role 1 (Role contains Entitlement A) and Role 2 (Role contains Entitlement B).

Role 1 is already assigned to my identity. When I submit an access request for Entitlement B (just the entitlement, not the role), is there a way to throw a violation?

@SReddy_IAM there isn’t a clean out‑of‑the‑box way for a Role SoD policy to fire when you request just an underlying entitlement.

Hi @SReddy_IAM ,

Try using an Advanced Policy to see if it works.

@SReddy_IAM Have you tried Entitlement SOD with Ent A vs Ent B as conflicting entitlements?

Hi @SReddy_IAM

An OOTB feature as such is not available. However, you can utilize an Entitlement SOD Policy or an Advanced Policy to tackle this use case.
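One way to implement the Advanced Policy suggestion above, as an added example that is not from this thread or from SailPoint: the rule flags an identity that holds Role 1 and also holds Entitlement B directly on an account. The role, application and attribute names are placeholders, and it assumes the access-request policy check evaluates the identity with the requested access already applied (otherwise it only fires on the next policy scan).

```java
// Added example (not from the thread): rule body for an IdentityIQ Advanced Policy.
// In IIQ the rule receives `identity`, `policy` and `constraint` as BeanShell
// variables; here they are method parameters so the logic compiles as plain Java.
import java.util.Collection;
import java.util.List;
import sailpoint.object.Bundle;
import sailpoint.object.GenericConstraint;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.Policy;
import sailpoint.object.PolicyViolation;

public class RolePlusEntitlementSodRule {

    // Assumed names: the thread only says "Role 1" and "Entitlement B".
    static final String CONFLICTING_ROLE = "Role 1";
    static final String APP_NAME = "ExampleApp";        // placeholder application
    static final String ENT_ATTRIBUTE = "memberOf";     // placeholder entitlement attribute
    static final String CONFLICTING_ENTITLEMENT = "Entitlement B";

    /** Returns an open violation when the identity holds Role 1 AND Entitlement B, else null. */
    public static PolicyViolation evaluate(Identity identity, Policy policy, GenericConstraint constraint) {
        if (!hasRole(identity, CONFLICTING_ROLE)
                || !hasEntitlement(identity, APP_NAME, ENT_ATTRIBUTE, CONFLICTING_ENTITLEMENT)) {
            return null;
        }
        PolicyViolation v = new PolicyViolation();
        v.setIdentity(identity);
        v.setPolicy(policy);
        v.setConstraint(constraint);
        v.setStatus(PolicyViolation.Status.Open);
        v.setDescription("Holds role '" + CONFLICTING_ROLE + "' and entitlement '"
                + CONFLICTING_ENTITLEMENT + "' on " + APP_NAME);
        return v;
    }

    static boolean hasRole(Identity identity, String roleName) {
        List<Bundle> roles = identity.getAssignedRoles();
        if (roles == null) return false;
        for (Bundle b : roles) if (roleName.equals(b.getName())) return true;
        return false;
    }

    static boolean hasEntitlement(Identity identity, String app, String attr, String value) {
        List<Link> links = identity.getLinks();
        if (links == null) return false;
        for (Link link : links) {
            if (!app.equals(link.getApplicationName())) continue;
            Object held = link.getAttribute(attr);   // String or List depending on the schema
            if (held instanceof Collection) { if (((Collection<?>) held).contains(value)) return true; }
            else if (value.equals(held)) return true;
        }
        return false;
    }
}
```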

Hi @SReddy_IAM

OOTB in IdentityIQ, SoD policies are usually checked based on the access a user will have after the request is completed. If the policy is defined at the role level, the violation is normally detected when the conflicting roles are assigned. Since the request is only for Entitlement B and not Role 2, the violation may not trigger if the SoD rule is defined only between Role 1 and Role 2.

Hi @SReddy_IAM you can create an Entitlement SoD policy.

@SReddy_IAM I tested this with EntSOD and it is working for me. TestPrism1 and TestPrism2 are conflicting entitlements defined in the policy. I assigned a role having TestPrism1 and tried assigning TestPrism2; it is throwing the conflict.