Customer was using Provisioning Roles that had been defined in Identity Manager. There was a connector in Identity Governance to Identity Manager and the two were in sync.
Target Permissions for the IM provisioning roles (IM connector in Portal) need to be created.
Target Permissions for the IG provisioning roles (IG connector) need to be created.
Permissions linked to the IM Target Permissions need to be created.
The IM Target Permissions need to reference the IG Target Permissions in the Compliance tab.
Ensure Risk is enabled in the Portal (Setup -> General Config) and be aware that only one risk needs to be defined per IG BPR Policy. The risk value returned in the portal is the defined in the portal - none of the risk values in IG for the various rules are ever passed back to IP, just the fact that a violation has been found.
Define a risk and set its Scope to Violations from external Source.
Define rules in BPRs. By default there is a BankPolicy BPR and the easiest way is to reuse this, as the rest of the configuration is in place.
If you want to create your own Policies then you'll need to update the Audit Settings file (default-paramaters.properties) for the universe you are connecting to. This file is found under IG's application server e.g. for wildfly <wildfly_home>/conf/audit/parameters. The first line lists the BPR files that will be checked:
bpr.files = BankPolicy
Adding more policies as comma separated entries is possible (This requires either root or Wildfly credentials, both of which are not available. In future releases this will be fixed to be available for the config user.).).
Once your rules are in place everything should work as planned.
Back to the Portal:
In the Portal go to e.g. the Access Module and click either Request for Self or User Search. Applications you defined earlier are visible(when setting up the Permissions) on a tab on the left of the screen. Choose the permissions you want to assign to the user from the middle screen. A few seconds after being placed in the basket a risk evaluation happens. This should go to IG and check against the BPRs defined (ootb just BankPolicy rules) and return any risk found.
Regardless of how many violations are found from IG the risk value presented in the Portal is that from the portal defined risk. The risks found do say which rules they violated in IG though.
Note: if using vApp then you cannot modify the IG files, so need to use BankPolicy. The suggested Best Practice is to implement risk locally in the portal and not use an external source (This is fixed in post 14.0 SP1 versions).