|
|
|
At run time, any request, such as a task or Reverse Synchronization, is checked for an SOD violation.
Example
According to the SOD rules, a person cannot be a member of the RACF group grp1 and a member of the Active Directory group Administrator at the same time.
Therefore, if the user requests RACF group grp1 and Active Directory group Administrator at the same time, a violation is triggered. The SOD engine looks up all the SOD rules, as defined, for the action taken, such as Reject or Workflow.
If the user is already a member of the Active Directory group Administrator, and their manager decides to add them to RACF group grp1, the same violation is triggered and the same action lookup takes place.
If the SOD rule action is Workflow, the SOD approver gets an approval task. Any SOD approval requires a reason for approval or rejection.