Hi John,
Whilst I can see your requirement, the question is how will you check whether the roles have SOD violations or not in the access request?
They could be contributing to an SOD or critical access violation depending on the way in which the roles are assigned to the users.
Unless you evaluate the Risk analysis at the point in time then you'll never know. You can set the risk analysis to run automatically but that will only consider the default values and may therefore miss elements in the reporting.
You should really have at least one human interaction stage initially to certify that the analysis is done and that the request is genuine & appropriate but then it can be auto-provisioned from there onward.
Why are you trying to avoid BRF+ rules? Its not that hard and really enhances the solution by enabling you to configure proper behaviours based upon more complete use cases than simply hoping that you can align to the standard SAP template.
Simon