I have successfully implemented SoD rules in RSA VIA (7.0.2 P07) to meet the requirement that user shouldn't have 2 specific entitlements in the same business source as that leads to toxic level of access in the application and create segregation of duties conflict.
For example - User U shouldn't have entitlement E1 and entitlement E2 in business source B. I am able to achieve this with OOB SOD rule configurations.
Now, my requirement changed such that user can have two entitlements but cannot the third one.
For example - User U shouldn't have entitlements (E1+E2) and E3 in business source B. User can have E1 and E2, but I need to raise a violation if all three are provisioned to the user.
I've tried specifying E1, E2 in the LHS bucket, apply ALL operator, and keep E3 in the RHS bucket. This setup didn't work because no entitlement would be found for the LHS bucket where Resource Name = E1 AND Resource Name = E2.
Has anyone been able to design SoD rule with combination of 3 entitlements?