Compliance rule - auto remove or deny access when rule is violated

Question

I have created a compliance rule in the Identity Audit section when user is granted access to more than two system roles based on specific names. 
 The rule picks up the violations as it should. 
 
 My question, how can i get the access which violated the rule to be removed automatically if the rule violation is denied by its approver? Right now, nothing happens if the rule violation is denied. It will only stay flagged as an unapproved violation. 
 Or, can implement this as an approval procedure in the IT Shop Approval workflow? I know that i can add the approval procedure "CR - Compliance check simplified" and route the request further based on that. But, this will check for any rule violation, i would like it to only check for a specific rule violation in this case and route it to correct team for approval if violated.

Markus Weiss-Ehlers · Accepted Answer

There is no automatic removal out-of-the-box for existing rule violations but you can easily prevent violations from happening in the request approval. Let me explain why. 
 According to your rule, a violation occurs if a person has more than two system roles assigned. 
 Now, when a violation occurs which one should the system remove? 
 
 Picking enough roles randomly until the rule is satisfied? 
 Remove all System Role memberships? 
 
 If you have come to a conclusion about what you want do in your specific use-case, you can implement a custom process that does what you have determined to do. 
 Remember that OneIM uses two ways to evaluate the rule vioations. 
 In the approval workflow, you would have the preventiv detection. The violation is not currently present but would occur, if the current request is fullfiled. In that case, the solution is easy. Use an approval step OC - Exception approvers for violated rules on the error exit of the CR approval step. The violation will then be routed to the members of the exception approver role defined at the compliance rule. 
 If the system detects an existing violation, you will see entries in the table PersonInNonCompliance ( this is the existing violation) that you can also approve and deny. In that case, when you really need to remove an existing violation, you need to attach a custom process to the UPDATE event of the table PersonInNonCompliance and check for denied execeptions. 
 HtH