Use Case: Preventing Users from Having Conflicting Roles

Forward, Inc. wants to prevent its employees from having the User Manager role and the User Approver role at the same time. Employees who have both of these roles can modify user attributes, such as salary, and approve them inappropriately.
To prevent this situation, Forward, Inc. creates a preventative identity policy that applies to users who have the User Manager and User Approver roles. If an administrator attempts to give these roles to a user, Identity Manager rejects the task submission and displays a message that explains the violation.
You configure a preventative identity policy to support this use case as follows:
  • Create an identity policy set for the policy that you want to create.
  • Create a preventative identity policy with the following settings:
    • Policy Condition:
      [Screenshot: the settings that apply to create a preventative identity policy]
    • Action on Apply Policy:
      Reject with message: User cannot be a member of User Approver and User Manager roles
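
The following added example models the logic of this use case in Python. It is not Identity Manager code or configuration. The class and function names are hypothetical; only the two role names and the rejection message come from the use case. It shows the check running against the roles a user would hold after the task, so the task is rejected before anything changes.

```python
# Added illustration: models a preventative separation-of-duties check.
# This is not Identity Manager code; all names here are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class PreventativePolicy:
    conflicting_roles: frozenset  # roles a user must never hold together
    message: str                  # shown when the task is rejected

    def violates(self, roles: set) -> bool:
        # A violation exists only when the user would hold every conflicting role.
        return self.conflicting_roles <= roles


# Role names and message taken from the use case above.
SOD_POLICY = PreventativePolicy(
    frozenset({"User Manager", "User Approver"}),
    "User cannot be a member of User Approver and User Manager roles",
)


def submit_role_task(current, add=(), remove=(), policies=(SOD_POLICY,)):
    """Evaluate policies against the roles the user WOULD have, before committing.

    Returns (accepted, resulting_roles, message). On rejection the role set
    is returned unchanged, which is what makes the policy preventative.
    """
    proposed = (set(current) - set(remove)) | set(add)
    for policy in policies:
        if policy.violates(proposed):
            return False, set(current), policy.message
    return True, proposed, None


if __name__ == "__main__":
    # Constructed sample tasks.
    # A User Manager is also given User Approver: rejected.
    print(submit_role_task({"User Manager"}, add={"User Approver"}))
    # The same user is moved from one role to the other in one task: accepted.
    print(submit_role_task({"User Manager"}, add={"User Approver"},
                           remove={"User Manager"}))
```

Because the proposed role set is computed from removals as well as additions, a single task that swaps one role for the other is accepted, while a task that adds the second role alone is rejected.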