Hi Community!
I currently have a use case where I have a role set with, let's say, 600 roles. This role set consists of roles that have a read and a write version. For example, I have 'Role A - Write' and 'Role A - Read'; this combination will always exist for all roles in the role set. However, here comes the kicker: a user is never allowed to have the role combination of 'Role A - Write' and 'Role A - Read', but the user is allowed to have 'Role A - Read' and 'Role B - Write'.
Visual overview of this:
In the SoD rules we can configure two entitlement sets that will cause a violation; however, as I have 300+ possible 'forbidden' combinations, I don't want to configure 300 SoD rules to make certain we keep this under control for all these roles.
My question for you is: do you know of any way we might make this more dynamic? It doesn't have to use SoD functionality; membership rules or user access rule based solutions are also welcome.
I'm looking forward to hearing from you!
Kind regards, Tim
This should be possible using the new v7.2.0 Advanced SoD capabilities. The details were discussed in Feb 2020's Webinar:
https://community.rsa.com/community/products/governance-and-lifecycle/client-partner-community/blog/2020/03/05/rsa-identity-governance-lifecycle-huddle-7-feb-2020-recording-and-presentation
This new feature is not made publicly available at the moment as it requires slight customizations. I would suggest you reach out to your account manager to involve RSA Professional Services for more details on this use case.
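The constraint from the question can also be audited outside the product by deriving the forbidden pairs from the role naming convention instead of listing them one by one. The following is an added example, not RSA code and not part of the thread; it assumes user-to-role assignments are available as (user, role name) pairs, and the function names and sample data are hypothetical.

```python
import re
from collections import defaultdict

# Naming convention from the post: "<base> - Read" / "<base> - Write".
ROLE_RE = re.compile(r"^(?P<base>.+?)\s*-\s*(?P<mode>read|write)$", re.IGNORECASE)

def parse_role(name):
    """Return (base, 'Read'|'Write'), or None if the name breaks the convention."""
    m = ROLE_RE.match(name.strip())
    if m is None:
        return None
    return m.group("base").strip(), m.group("mode").capitalize()

def find_violations(assignments):
    """assignments: iterable of (user, role name) pairs.

    Returns (violations, unparsed): violations maps each user to the sorted
    base roles held in both Read and Write; unparsed lists the pairs whose
    role name could not be classified, so they are reviewed instead of skipped.
    """
    held = defaultdict(lambda: defaultdict(set))  # user -> base key -> modes
    display = {}                                  # base key -> first spelling seen
    unparsed = []
    for user, role in assignments:
        parsed = parse_role(role)
        if parsed is None:
            unparsed.append((user, role))
            continue
        base, mode = parsed
        key = base.casefold()                     # ignore case differences
        display.setdefault(key, base)
        held[user][key].add(mode)
    violations = {}
    for user, bases in held.items():
        both = sorted(display[k] for k, m in bases.items() if m == {"Read", "Write"})
        if both:
            violations[user] = both
    return violations, unparsed

# Constructed sample data, not taken from any real system.
SAMPLE = [
    ("alice", "Role A - Read"), ("alice", "Role B - Write"),    # allowed mix
    ("bob", "Role A - Read"), ("bob", "Role A - Write"),        # forbidden pair
    ("carol", "Fin-Ops - Write"), ("carol", "fin-ops - read"),  # hyphen, case
    ("dave", "Helpdesk Admin"),                                 # no Read/Write suffix
]

if __name__ == "__main__":
    print(find_violations(SAMPLE))
```

A check like this only detects existing violations after the fact; preventing the assignment at request time still needs a rule inside the governance product.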