Technical roles allow business owners to simplify the review process by grouping permissions, which provides a higher level of abstraction and reduces the number of items for business leaders to review. Technical roles allow the business to provide context for the set of items including a business-relevant title and description, risk, cost, and ownership.
To manage the Identity Governance technical roles in the catalog, you must be a Customer, Global, or Technical Roles Administrator. Administrators can also assign an owner for a technical role and delegate certain tasks to the technical owner. For detailed information about the various authorizations, see Section 2.1, Understanding Authorizations in Identity Governance.
After a Customer, Global, or Data Administrator publishes application data, you can create technical roles by grouping permissions that have common or frequent associations. After you create technical roles, Identity Governance detects users with permissions that match the technical roles you defined and lists the technical roles a user has in the user catalog. After you define technical roles, you can create user access review definitions for technical role reviews.
Users are members of a technical role by detection, by assignment, or both. A user who has all of the permissions contained in a technical role has the technical role by detection. Having a technical role by assignment means that the user was explicitly assigned the technical role by a process in Identity Governance, such as an access request or a business role auto-grant.
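The following sketch models the detection and assignment rules described above so that a reviewer can see how the two membership types differ. It is an added example, not Identity Governance code: the class names, function names, permission strings, and sample users are hypothetical, and the treatment of an empty role is a choice made for this model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TechnicalRole:
    name: str
    permissions: frozenset  # permissions grouped into the role

@dataclass
class User:
    name: str
    permissions: set                            # permissions held in the catalog
    assigned: set = field(default_factory=set)  # roles explicitly assigned

def membership(user, role):
    """Classify how `user` holds `role`: 'detection', 'assignment', 'both' or None."""
    # Detection: the user holds every permission in the role (subset test).
    # Model choice: a role with no permissions never matches by detection.
    detected = bool(role.permissions) and role.permissions <= user.permissions
    assigned = role.name in user.assigned
    if detected and assigned:
        return "both"
    if detected:
        return "detection"
    return "assignment" if assigned else None

def outstanding(user, role):
    """Permissions contained in the role that the user does not hold."""
    return sorted(role.permissions - user.permissions)

def review_rows(users, roles):
    """One row per (user, role) membership, with any permissions not yet held."""
    rows = []
    for u in users:
        for r in roles:
            how = membership(u, r)
            if how:
                rows.append((u.name, r.name, how, outstanding(u, r)))
    return rows

# Constructed sample catalog (hypothetical names and permissions).
DB_ADMIN = TechnicalRole("DB Admin", frozenset({"db.read", "db.write", "db.grant"}))
USERS = [
    User("alice", {"db.read", "db.write", "db.grant", "vpn"}),
    User("bob", {"db.read"}, {"DB Admin"}),
    User("carol", {"db.read", "db.write", "db.grant"}, {"DB Admin"}),
    User("dave", {"db.read", "db.write"}),
]

if __name__ == "__main__":
    for row in review_rows(USERS, [DB_ADMIN]):
        print(row)
```

In this model, a user who holds only part of a role's permissions and has no assignment (dave) is not a member at all, while an assigned user (bob) is a member even though two of the role's permissions are not yet held.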
Technical roles might be authorized in a business role for the members of the business role. If an authorized technical role was configured for auto-grant, Identity Governance will immediately assign the technical role to members of the business role. In addition, Identity Governance will issue requests for any permissions contained in the technical role for members of the business role. If the authorized technical role was configured for auto-revoke, and a user is removed from business role membership, Identity Governance will immediately remove the technical role assignment from the user, and will request that any permissions contained in the technical role be removed from the user. For information about business roles and automatic access provisioning and deprovisioning, see Section 17.0, Creating and Managing Business Roles.