Recently I read an interesting article about separation of duties, or "segregation of duties". In brief, SoD means that the entity that approves an action, the entity that carries out an action, and the entity that monitors that action must be separate. This is a very prevalent principle in the accounting and IT communities.
For example, someone who requests a computer cannot also sign for it, nor should they directly receive the computer. This prevents the user from requesting many computers, and claiming they never arrived.
How can this be done with ActiveRoles? As we know, approval is an out-of-the-box feature in Active Roles. But sometimes we require stricter restrictions. For this case there is a custom Separation of Duties Policy on the community which prevents group modifications from violating SoD rules and reports any existing violations on the Policy Check results screen. This policy can be found here:
After importing the policy, we need to change some settings. I created a multivalued virtual attribute with DN syntax and used it in the policy.
Rephrasing the above example about ordering computers in ARS terms: we have two groups, and we don't want users to be members of both simultaneously. So we need to specify group B in the edsvaSOD attribute of group A, and vice versa.
After that we can test how it works. Our user tried to request access to the group which can approve a request for a new computer and was refused.
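The mutual-exclusion check described above, as an added PowerShell example that is not the community policy's code. It runs on constructed in-memory data with hypothetical group and user names, and it assumes the check reads only the target group's edsvaSOD value, which is why the "vice versa" link matters.

```powershell
# Constructed sample data with hypothetical DNs; in Active Roles these values
# would come from each group's member and edsvaSOD attributes.
$req = 'CN=Computer Requesters,OU=Groups,DC=example,DC=com'
$apr = 'CN=Computer Approvers,OU=Groups,DC=example,DC=com'
$rcv = 'CN=Computer Receivers,OU=Groups,DC=example,DC=com'
$groups = @{
    $req = @{ edsvaSOD = @($apr, $rcv); member = @('CN=Alice', 'CN=Bob') }
    $apr = @{ edsvaSOD = @($req);       member = @('CN=Carol', 'CN=Bob') }
    $rcv = @{ edsvaSOD = @();           member = @('CN=Dave') }  # reverse link missing
}

# Would adding $UserDn to $GroupDn break a rule declared on the target group?
# Assumption: only the target group's edsvaSOD is consulted.
function Test-SodAdd([hashtable]$Groups, [string]$GroupDn, [string]$UserDn) {
    foreach ($conflict in $Groups[$GroupDn].edsvaSOD) {
        if ($Groups[$conflict].member -contains $UserDn) {
            return "DENY: $UserDn is already a member of $conflict"
        }
    }
    return 'ALLOW'
}

# Existing violations: users who already sit in both groups of a conflicting pair.
function Find-SodViolation([hashtable]$Groups) {
    $found = foreach ($g in $Groups.Keys) {
        foreach ($conflict in $Groups[$g].edsvaSOD) {
            $pair = @($g, $conflict) | Sort-Object   # same text for A/B and B/A
            foreach ($u in $Groups[$g].member) {
                if ($Groups[$conflict].member -contains $u) {
                    "$u is in both [$($pair[0])] and [$($pair[1])]"
                }
            }
        }
    }
    $found | Sort-Object -Unique
}

# Misconfiguration: group A names group B, but B does not name A back.
function Find-SodOneSided([hashtable]$Groups) {
    foreach ($g in $Groups.Keys) {
        foreach ($conflict in $Groups[$g].edsvaSOD) {
            if ($Groups[$conflict].edsvaSOD -notcontains $g) {
                "[$conflict] does not list [$g] in edsvaSOD"
            }
        }
    }
}

Test-SodAdd $groups $apr 'CN=Alice'   # Alice is a requester; approvers name requesters
Test-SodAdd $groups $rcv 'CN=Alice'   # receivers carry no edsvaSOD value of their own
Find-SodViolation $groups             # Bob is a member of requesters and approvers
Find-SodOneSided $groups
```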
And don't forget to set up a periodic Attestation Review for group membership. It is a good way to audit SoD.