Exception Approval Deny workflow does not trigger anything

Question

Hi, 
 
 I have assigned system role to the user which has compliance rule. In compliance rule, we have set the condition as follows 
 If user has Role1, it should not have Role2 
 Now, when I assign both system roles to the user, compliance rule is triggered and the workflow goes to Exception approver. Now even if the exception approver denies this violation, system roles are not getting revoked. Is there anything that I am doing wrong? Or it is the expected behavior?

Markus Weiss-Ehlers · Answer

If the violation was triggered by a request, then the assignment never really existed so nothing to do. 
 
In the case of an existing violation, the system does not remove something automatically because it cannot decide which system role - in your case is more important than the other. 
 
Or, let's think about different ways to receive a system role (inheritance, request, etc.). Sometimes it is impossible to remove the system role membership without loosing additional permissions which might be unwanted. 
 
That's why there is the new Compliance Violatin Removal Wizard in the Web Portal of version 8 that helps the Exception Approver in resolving the violation.