Technical roles allow business owners to simplify the review process by grouping permissions, which provides a higher level of abstraction and reduces the number of items for business leaders to review. Technical roles allow the business to provide context for the set of items including a business-relevant title and description, risk, cost, and ownership.
To manage the Identity Governance technical roles in the catalog, you must have a Customer, Global, or Technical Roles Administrator authorization. Administrators can also assign an owner for a technical role and delegate certain tasks to the technical owner. For detailed information about the various authorizations, see Section 2.1, Understanding Authorizations in Identity Governance.
After Customer, Global, or Data administrators publish application data, you can group permissions that have common or frequent associations to create technical roles. When you have created technical roles, Identity Governance detects users with permissions that match the technical roles you have defined and lists the technical roles a user has in the user catalog. You can then create user access review definitions for technical role reviews.
Users have a technical role by detection, by assignment, or both. Having a technical role by detection means that the user was detected to have all of the permissions contained in the technical role. Having a technical role by assignment means that the user was explicitly assigned the technical role by some process in Identity Governance, such as an access request or a business role auto-grant.
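The detection and assignment rules above, modeled in Python as an added example (not Identity Governance code or its API; the class names, role names, and permission strings are constructed for illustration). It also reports which permissions of an assigned role the user does not yet hold, which follows from the definition of detection.

```python
# Illustrative model only: not Identity Governance code or its API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TechnicalRole:
    name: str
    permissions: frozenset  # permissions grouped into this technical role

@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)     # held per published application data
    assigned_roles: set = field(default_factory=set)  # explicit assignments (request, auto-grant)

def role_origin(user, role):
    """Return 'detection', 'assignment', 'both', or None for one user and role."""
    # Assumption of this model: a role with no permissions is never detected.
    detected = bool(role.permissions) and role.permissions <= user.permissions
    assigned = role.name in user.assigned_roles
    if detected and assigned:
        return "both"
    return "detection" if detected else "assignment" if assigned else None

def review_rows(users, roles):
    """One row per technical role a user has, with any permissions still missing."""
    rows = []
    for user in users:
        for role in roles:
            origin = role_origin(user, role)
            if origin is not None:
                missing = sorted(role.permissions - user.permissions)
                rows.append((user.name, role.name, origin, missing))
    return rows

# Constructed sample data
ROLES = [
    TechnicalRole("AP Clerk", frozenset({"erp:invoice.read", "erp:invoice.create"})),
    TechnicalRole("Help Desk", frozenset({"ad:reset_password", "itsm:ticket.update"})),
]
USERS = [
    User("alice", {"erp:invoice.read", "erp:invoice.create", "itsm:ticket.update"}),
    User("bob", {"erp:invoice.read"}, {"AP Clerk"}),
    User("carol", {"ad:reset_password", "itsm:ticket.update"}, {"Help Desk"}),
    User("dave", {"itsm:ticket.update"}),
]

if __name__ == "__main__":
    for row in review_rows(USERS, ROLES):
        print(row)
```

A row with origin `assignment` and a non-empty missing list is a user who was assigned the role but does not hold all of its permissions.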
Technical roles might be authorized in a business role for the members of the business role. If an authorized technical role was configured for auto-grant, Identity Governance will immediately assign the technical role to members of the business role. In addition, Identity Governance will issue requests for any permissions contained in the technical role for members of the business role. If the authorized technical role was configured for auto-revoke, and a user is removed from business role membership, Identity Governance will immediately remove the technical role assignment from the user and will request that any permissions contained in the technical role be removed from the user. For information about business roles and automatic access provisioning and deprovisioning, see Section 17.0, Creating and Managing Business Roles.