Due to the functionality of the 'Person_OnSaved' script, it tries to create an order for the product "Identity & Access Lifecycle\Identity Lifecycle\Challenge loss of role membership".
To be able to request this product the Employee must be a member in the shop "Identity & Access Lifecycle".
The issue here may be that the Employee is not a member in this shop - that's why the Employee is not permitted to order something from there, and you receive the error message.
If you wish to use this functionality, incorporating the 'Person_OnSaved', then you can check if the modified Employee account, is a member of the respective shop. If not, you can deactivate the configuration parameter "QER\ITShop\ChallengeRoleRemoval".