
Identity Audit Rule based on entitlements assigned to requestable roles

Hey Folks,

We are testing a scenario where we have nested business role hierarchies that inherit entitlements at various levels. This seems to be working ok, but I have been asked to develop a use case where a person can request a role via the ITShop that may have an account definition that would violate a policy of ours.

I'll break it down (same target system with different system roles in this instance):

  • User has a primary business role assigned (BusRole A) and has the following

    • System Role A
      • Elevated System Account A (AD Account definition)

  • User wants to request another business role (BusRole B) which has the following

    • System Role B (AD Account definition)
      • Elevated System Account B (AD Account definition)

I have created a compliance rule that looks at a user's business role memberships (it pulls both direct and indirect), and creates a violation as follows:

  • The Employee has at least one role or organizational assignment
    • of type: Business Roles, which meets at least one of the following conditions:
      • System Role is "System Role A"

AND

  • The Employee has at least one role or organizational assignment
    • of type: Business Roles, which meets at least one of the following conditions:
      • System Role is "System Role B"

So the violation is triggered just as I want, but when the exception approver denies and goes to resolve the violation, it seems to not like that the Role that I want to remove is an indirect assignment.

I get the following:

BusRole A is directly assigned and BusRole B is indirect. If I want to remove BusRole B, then I get the error above. I recall reading something about primary assignments being supported, but I can't find it in the documentation at the moment.

There are a handful of requirements that look like this, and I am scratching my head with regards to the best way to handle this. Am I thinking about this the wrong way?
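The situation described above, as an added illustration (not One Identity Manager code or anything from this thread): the hierarchy is walked from each direct assignment so that every held object is tagged with the direct root it was inherited from, the AND-of-ORs rule is evaluated over the effective set, and remediation is reported in terms of direct assignments only, since an inherited object cannot be removed on its own. The hierarchy, the rule and the parent role "BusRole Parent" (assumed here as the route by which BusRole B is inherited) are constructed for the example.

```python
"""Trace direct vs. inherited role membership, evaluate an AND-of-ORs
compliance rule over the effective set, and point the approver at the
direct assignments that would clear it. Constructed illustration."""
from collections import defaultdict

# Constructed role hierarchy: each key contains the listed child objects.
# "BusRole Parent" is an assumed parent role through which BusRole B is inherited.
HIERARCHY = {
    "BusRole A": ["System Role A"],
    "System Role A": ["Elevated System Account A"],
    "BusRole Parent": ["BusRole B"],
    "BusRole B": ["System Role B"],
    "System Role B": ["Elevated System Account B"],
}

# The rule from the post: condition 1 AND condition 2, each an OR over system roles.
RULE = [{"System Role A"}, {"System Role B"}]


def effective_memberships(direct_roles, hierarchy=HIERARCHY):
    """Map every held object to the set of direct assignments it is reached from.

    An object is direct iff it appears in its own root set; anything else is inherited.
    """
    roots = defaultdict(set)
    for root in direct_roles:
        stack, seen = [root], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            roots[node].add(root)
            stack.extend(hierarchy.get(node, ()))
    return dict(roots)


def is_direct(role, memberships):
    """True when the role itself is one of the roots it is held through."""
    return role in memberships.get(role, set())


def violates(memberships, rule=RULE):
    """AND of ORs: every condition must be met by at least one held object."""
    return all(any(r in memberships for r in cond) for cond in rule)


def remediation_options(memberships, rule=RULE):
    """Per condition, the direct assignments whose removal would clear that condition.

    Inherited objects are never offered: the approver has to remove the direct root.
    Clearing any single condition clears the whole violation.
    """
    options = []
    for cond in rule:
        roots = set()
        for r in cond:
            roots |= memberships.get(r, set())
        options.append(roots)
    return options


if __name__ == "__main__":
    held = effective_memberships({"BusRole A", "BusRole Parent"})
    for obj, roots in sorted(held.items()):
        kind = "direct" if is_direct(obj, held) else "inherited via " + ", ".join(sorted(roots))
        print(f"{obj:30} {kind}")
    print("violation:", violates(held))
    print("remove one of these direct assignments per condition:", remediation_options(held))
```

Running it shows BusRole B and System Role B as inherited via BusRole Parent, the violation as triggered, and BusRole Parent (not BusRole B) as the assignment the approver would have to remove to clear the second condition.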

  • Thanks Trevor,

    So in general is this an odd use case? Seems to me that it is rather straightforward. If you were considering something like this, how would you be thinking about it?

    Totally open to re-working what I have got if it makes the experience for the end user less complicated.

    Thanks!