why is this not allowed? what is the actual risk?
if the end user level access is more "employee self service" then you would be limiting them to their own data.Their admin level/super level access would then be built to only grant them what they need to do their job.
I would look at auditing and monitoring of any segregation of duties as detective controls. You need to trust you employees to do their job and provide appropriate access. You can look at SAL (security audit log), RAL (real time audit log), check critical authorisations/sod and other logging tools to check what the super user does
Without investing in GRC, you could have a process to temporarily increase their access for critical transactions and access as required (could be temporary role assignment or reference user). This would involve a process to approve access, monitor usage, etc.
Do you have a specific example of what access combination you want to grant but cannot? What sort of level access have you granted end users (could it be too powerful and causing some conflict). It does sound like your policy/rule is a bit too black and white and inflexible.
If by two user codes you mean two user IDs then this is pointless as you are effectively granting them the access. It'd be easier to keep their access on the single ID and monitor it for. You also risk using up licenses for the user.
Regards
Colleen