Risk Definition in Portal not able to stop user access request due to violation

Document ID : KB000123327
Last Modified Date : 20/12/2018
Issue:
The scenario is a BPR configured in Identity Governance to prohibit the assignment of Role1 and Role2 to a user (Segregation of duties).
Identity Portal has risk definition configured to use the Identity Governance BPR.
While a request to assign Role1 and Role2 to a user fails in Identity Governance, the same request succeeds in Identity Portal.
Environment:
Identity Portal 14.x
Identity Governance 14.x
Cause:
The reason is that Identity Portal checks each requested role separately, because each role is a separate entity.
At the time of the request, the user does not yet have Role2 when Role1 is checked, and does not yet have Role1 when Role2 is checked.
So the BPR allows each role on its own; it is only the combination of the two that is prevented.
 
Resolution:
It is necessary to add another condition to the scope of the risk definition.
This rule is to prevent the assignment of Role1 and Role2 together in the same request.
With that condition in place, the combination is blocked at the Identity Portal level.
If by any chance a request for both roles does get through, it will also be blocked on the Identity Governance side by the BPR.
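The following Python model illustrates both the cause and the resolution above. It is an added example, not code from CA Identity Portal or Identity Governance: the rule set, role names and function names are hypothetical. It contrasts a per-role check (each requested role evaluated against the user's current roles only, which is what lets a combined Role1+Role2 request through) with a check that evaluates the whole request together.

```python
# Added example (not CA's own code): a toy segregation-of-duties evaluator.
# SOD_RULES is a constructed rule set standing in for the BPR described above:
# the roles in one frozenset must never be held together.
SOD_RULES = [frozenset({"Role1", "Role2"})]


def violates(roles, rules=SOD_RULES):
    """True if the role set contains every role of at least one SoD rule."""
    role_set = set(roles)
    return any(rule <= role_set for rule in rules)


def check_per_role(current_roles, requested_roles, rules=SOD_RULES):
    """Per-role check (the behaviour that causes the issue).

    Each requested role is evaluated against the user's current roles only,
    without the other roles in the same request. Returns the list of roles
    that would be blocked; an empty list means the request passes.
    """
    current = set(current_roles)
    blocked = []
    for role in requested_roles:
        if violates(current | {role}, rules):
            blocked.append(role)
    return blocked


def check_combined(current_roles, requested_roles, rules=SOD_RULES):
    """Combined check (the added scope condition).

    Evaluates the union of the user's current roles and every role in the
    request, so a request for Role1 and Role2 together is caught.
    """
    return violates(set(current_roles) | set(requested_roles), rules)


def evaluate_request(current_roles, requested_roles, rules=SOD_RULES):
    """Run both checks on one request and report the outcome of each."""
    return {
        "per_role_blocked": check_per_role(current_roles, requested_roles, rules),
        "combined_blocked": check_combined(current_roles, requested_roles, rules),
    }


if __name__ == "__main__":
    # Constructed scenario: user holds no roles and requests Role1 and Role2.
    result = evaluate_request([], ["Role1", "Role2"])
    print("per-role check blocks:", result["per_role_blocked"])   # []
    print("combined check blocks:", result["combined_blocked"])   # True
```

In the per-role check the user never holds both roles at evaluation time, so each role passes individually; only the combined evaluation sees the full requested set and rejects it, which is the effect the extra scope condition in the risk definition provides.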