Identity Audit - SoD for multiple roles

Hi, 

I got the challenge that we're trying to implement a SoD model where the identity inherits a SoD tag (extended attribute) from its department.

Now every system role we use also has a SoD tag (extended attribute) assigned. I now need a rule that checks in the ITShop whether the combination of those tags is allowed (green), prohibited (red) or exception approval relevant (yellow).

I did get it working using Identity Audit rules and the method CR in the ITShop Approval workflow.

My problem now is that if a user gets an exception approval for one specific order of a system role, the next order he places for the same SoD combination does not trigger the exception approval anymore.

But I do want it to be triggered by every order.

Can someone help me to maybe redesign the Identity Audit query or something to get this working?

Thanks in advance,
Andy