Hi J K
by mistake the administrator does not block the object OR add an entry which we do not authorize
Would it be better to trust your administrators to know how to do their jobs and if necessary, include a validation process as a pre-requisite before releasing your transport? Part of this process could include running critical auth check (or if you have GRC SoD check) over the role to identify issues.
This functionality does not exist as Standard in PFCG. But if you were to develop such a thing what happens if you legitimately need to include the authorisation in the role?
If these authorisations are not required in your design, you could reduce this issue partly by cleaning up your SU24 proposals. By removing the proposal, the administrator would have to deliberately add the object to the role.
Do you have specific examples of such authorisations?
Regards
Colleen