10.15 Configuring Separation of Duties Properties

  • Displaying SoD violations for inherited roles is disabled by default. To enable it, add the com.microfocus.idm.sod.inheritedroles=true property to the ism-configuration.properties file in the /opt/netiq/idm/apps/tomcat/conf/ directory.

    When enabled, a user cannot be assigned a parent role if the SoD Constraint defined at the child role level is violated by the current role of the user.

  • If SoD approval is configured in the SoD policy, assigning conflicting roles to users, groups, or containers triggers the SoD approval process to override the SoD constraints. You can bypass the approval process, but only when groups and containers are the recipients of the role. To do so, add the com.microfocus.idm.sod.bypassapproval=true property to the ism-configuration.properties file in the /opt/netiq/idm/apps/tomcat/conf/ directory.
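
Because com.microfocus.idm.sod.bypassapproval removes an approval step, it is worth checking which value is actually in effect on a server. The script below is an added example, not part of the product or its documentation. The function names and the sample file are constructed for illustration, and it assumes standard Java .properties parsing rules.

```shell
#!/bin/sh
# Added example (not product code): report the effective SoD properties.
# Assumption: Java .properties rules: # or ! start a comment, key=value or
# key:value, and the last definition of a key wins. Values are lowercased.

# Print the effective value of KEY ($2) in FILE ($1), or "unset".
sod_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                  # commented-out lines do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # leading whitespace is ignored
            sub(/\r$/, "", line)                # tolerate CRLF line endings
            if (index(line, key) != 1) next     # literal match, no regex on the key
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next     # reject longer keys sharing the prefix
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            val = tolower(rest); found = 1      # later definitions override earlier
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# Print a summary for FILE ($1); return 1 if approval bypass is enabled.
audit_sod() {
    inherited=$(sod_prop "$1" com.microfocus.idm.sod.inheritedroles)
    bypass=$(sod_prop "$1" com.microfocus.idm.sod.bypassapproval)
    echo "inheritedroles=$inherited bypassapproval=$bypass"
    [ "$inherited" = "true" ] ||
        echo "NOTE: SoD violations for inherited roles are not displayed"
    if [ "$bypass" = "true" ]; then
        echo "FINDING: SoD approval is bypassed for group and container recipients"
        return 1
    fi
    return 0
}

# Constructed sample input, not a real configuration file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#com.microfocus.idm.sod.inheritedroles=true
com.microfocus.idm.sod.bypassapproval = false
com.microfocus.idm.sod.bypassapproval=TRUE
EOF
audit_sod "$SAMPLE" || echo "audit reported a finding"
rm -f "$SAMPLE"
```

On a server, call audit_sod with /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties instead of the sample file.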