We are in the process of implementing Role Based Access Controls (RBAC) which has brought up issues related to SoD.
Application-A has two Entitlements: User-access and Admin-access, these are mutually exclusive within the Application…meaning you can only have User-access or Admin-access...not both.
A team has two RBAC Roles…the Base-role which contains the entire the team as Members and Engineer-role which only a subset of the team would be Members. The Base role contains the User-access whereas the Engineer role contains the Admin-access. If a user who needs the Admin-access is manually put into the Base-role first by the Role Owner (using the Members tab) and then is put into the Engineer-role in the same manner, the Admin-access “overrides” the User-access and all is well with the user.
However...and here is the issue...if the user who needs the Admin-access is put into the Engineer-role first and then the Base-role…the User-access “wins out” over the Admin-access. This is not good since the Engineer should have the Admin-access and not the User-access.
I've tested it out and although the SoD Rules are enforced when the end-user requests to be added to the role through the normal request process, the SoD rules DON'T seem to be enforced when the Role Owner manually adds Members.
Any thoughts on enforcing SoD between RBAC roles?