17.5 Publishing or Deactivating Business Roles

Two possible versions of a business role can exist:

  • Published: Before you can publish a business role, it must go through the approval process and be approved, if it requires approval. A published business role is available for the governance process and in the general catalog.

  • Deactivated: You can edit published, approved, and deactivated roles. When you edit a published business role, Identity Governance creates a draft of the business role that appears on the Draft tab that you can send for approval if required, publish, or discard. However, deactivated roles are not available for the governance process or in the general catalog.

The edit and approve cycle is a single cycle that is independent of the publication cycle. When you edit the published business role, Identity Governance creates a draft version of the business role.

The approval cycle is not independent of the draft. If no approval is required, Identity Governance automatically approves the draft but does not publish the draft. If an administrator publishes the draft, it replaces the currently published version.

When the business role administrator deactivates a published role, Identity Governance takes one of the following actions:

  • If there is an approved draft, Identity Governance archives the active version and the approved draft replaces it.

  • If there is not an approved draft when the published role is deactivated, Identity Governance prompts the administrator to keep the published version or the unapproved draft version of the business role.

  • If there is no draft, Identity Governance moves the published business role to the approved state.

To publish or deactivate a business role:

  1. Log in to Identity Governance as a Customer, Global, Business Role Administrator.

  2. Select Policy > Business Roles.

  3. Select the business role to change, then select Edit.

  4. If you have one version of the business role, select Publish or Deactivate the business role.

    NOTE:Deactivating a business role disables the role from being a part of the review process and removes resource authorizations from its members for its resources. However, deactivation does not issue auto-revoke requests for resources that specify auto-revoke, and does not change or retract any current or pending auto-grant or auto-revoke request.

    or

    If you have multiple versions of the business role, select the Draft or Published tab, then select Publish or Deactivate.

    NOTE:You must have two versions of the business role to have the Draft and Publish tabs appear.

If you have many business roles that need to be published, Identity Governance provides a way to publish all of the roles at the same time. On the Business Roles page, select the business roles to publish, then select Actions > Publish.