Separation of Duties, or SoD, and governance policies in IdentityIQ may be leveraged to both detect unwanted access conditions and prevent violations during certain requests.
To leverage SoD and governance policies in a detective manner, both aggregation and refresh tasks may be configured to evaluate active policies in IdentityIQ, and any resulting violations will be sent to the configured user responsible for taking action. In addition, detected policy violations may be included in identity certifications.
Any active SoD and governance policies are also leveraged in a preventative manner, by checking for violations within workflows that facilitate requests for access, or identity creation and editing. Preventative policy evaluation can be configured in these workflows to either continue on violation and display a warning to approvers, present violations to requesters (should they choose to continue, any approvers will still see violations), or fail when policy violations would result.
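The detective and preventative uses described above, and the three preventative outcomes, can be modelled in a few lines. This is an added illustration, not IdentityIQ code or its API: the rule pairs, the function names and the mode labels `continue`, `interactive` and `fail` are assumptions made for the sketch.

```python
from dataclasses import dataclass, field

# Constructed sample policy: entitlement pairs one identity must not hold together.
SOD_RULES = [("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"), ("DB_ADMIN", "DB_AUDITOR")]

def violations(access):
    """Return each SoD rule whose two sides are both present in `access`."""
    held = set(access)
    return [rule for rule in SOD_RULES if rule[0] in held and rule[1] in held]

def detective_scan(identities):
    """Detective use: evaluate access identities already hold (as on refresh)."""
    report = {}
    for name, access in identities.items():
        found = violations(access)
        if found:
            report[name] = found  # would be routed to the responsible user
    return report

@dataclass
class Decision:
    proceed: bool
    shown_to_requester: list = field(default_factory=list)
    shown_to_approvers: list = field(default_factory=list)

def preventative_check(current, requested, mode, requester_continues=False):
    """Preventative use: evaluate the access a request would produce.
    `mode` labels ('continue', 'interactive', 'fail') are hypothetical."""
    found = violations(set(current) | set(requested))
    if not found:
        return Decision(proceed=True)
    if mode == "continue":      # request goes on; approvers get the warning
        return Decision(True, shown_to_approvers=found)
    if mode == "interactive":   # requester sees violations and decides
        if requester_continues:  # approvers still see them
            return Decision(True, found, found)
        return Decision(False, shown_to_requester=found)
    if mode == "fail":          # request is rejected outright
        return Decision(False)
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    print(detective_scan({"alice": ["DB_ADMIN", "DB_AUDITOR"], "bob": ["DB_ADMIN"]}))
    for m in ("continue", "interactive", "fail"):
        print(m, preventative_check(["AP_CREATE_VENDOR"], ["AP_APPROVE_PAYMENT"], m))
```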
For more information, refer to the official product documentation.