To manage the Identity Governance technical roles in the catalog, you must be a Customer, Global, or Technical Role Administrator. Administrators can also assign an owner for a technical role and delegate certain tasks to the technical owner. For detailed information about the various authorizations, see Section 2.1, Understanding Authorizations in Identity Governance.
After a Customer, Global, or Data Administrator publishes application data, you can create technical roles by grouping permissions that have common or frequent associations. After you create technical roles, Identity Governance detects users with permissions that match the technical roles you defined and lists the technical roles a user has in the user catalog. After you define technical roles, you can create user access review definitions for technical role reviews.
Users are members of a technical role either by detection, assignment or both. A user who has all of the permissions contained in a technical role has the technical role by detection. Having a technical role by assignment means that the user was explicitly assigned the technical role by a process in Identity Governance, such as an access request or a business role auto-grant.
Technical roles might be authorized in a business role for the members of the business role. If an authorized technical role was configured for auto-grant, Identity Governance will immediately assign the technical role to members of the business role. In addition, Identity Governance will issue requests for any permissions contained in the technical role for members of the business role. If the authorized technical role was configured for auto-revoke, and a user is removed from business role membership, Identity Governance will immediately remove the technical role assignment from the user, and will request that any permissions contained in the technical role be removed from the user. For information about business roles and automatic access provisioning and deprovisioning, see Section 18.0, Creating and Managing Business Roles.
Technical roles cannot be deactivated if they form part of any governance policy such as business roles, SoD, access request, or access request approval policy. A deactivated technical role which references a business role, SoD, access request, or access request approval policy, must be activated before any of those policies are imported.