we want to prevent a role request / assignment to a specific sub-identity.
Some user do have two different Accounts in AD (therefor one additional sub-identity) and we want to block the role assignment to the sub-identity.
Initially, we wanted to do this with a SoD / Identity Audit rule, but I couldn't not figure out the specific role.
Creating an IT shop sounds exaggerate.
Is there a best practice how to do this?