- Enforcement means that role conflict is not allowed. Any attempt to assign conflicting roles will end with an error.
- Pruning means that the conflicting roles are unassigned. When a new role is assigned the existing roles that are in conflict with the new role will be unassigned.
- Approval means that the request will be subject to an additional approval. The approver may decide whether to allow assignment of conflicting roles. If the operation is approved then a policy exception will be recorded in the assignment.it proceeds. (Optionally you can request recording the situation in the assignments by using "record" policy action.)
MidPoint does not have direct configuration for role exclusion classes (set of roles where each excludes all other roles from the same class or from different classes). However this configuration can easily be created an maintained by using role hierarchies and metaroles.