Identity Governance removes assigned technical roles when:
The automatic fulfillment process revokes a technical role assignment based on review or access request
Users with fulfiller authorization fulfill review or access requests to revoke technical role assignment
Users lose membership in a business role that authorizes the technical role and is configured to auto-revoke it
By default, when technical roles are removed because of any of the above conditions, Identity Governance triggers fulfillment requests to remove permissions contained in the technical role from users unless the permissions are assigned to the same user by other technical roles or Identity Governance is configured to not generate requests for permissions authorized by business roles.
Administrators can configure Identity Governance to honor business role authorizations so that fulfillment requests are not generated if the permission is authorized by business role membership by setting the com.netiq.iac.request.honorBRoleAuthorizations property to true using the Configuration Utility console mode procedures. Administrators can also control whether fulfillment requests are generated for both auto grant and non-auto grant authorizations only using the com.netiq.iac.request.honorBRoleAutoGrantOnly property.