17.10 Editing and Deleting a Technical Role

When you edit a technical role, you can change permissions assigned to the technical role and either leave the technical role active or disable the technical role. However, Identity Governance automatically disables a technical role definition if a permission included in the technical role is deleted from the application. The technical role remains in the disabled state until the permission is removed from the technical role definition or restored in the application and then collected and published to the catalog.

If a technical role references a business role, SoD, access request, or access request approval policy, Identity Governance does not allow you to delete or deactivate the technical role unless the administrators of those policies first remove the technical role from the policies that reference it.

When you delete a technical role, Identity Governance deletes the technical role in the catalog. However, if the technical role was authorized by a business role, this deletion triggers additional evaluation and consequent actions. When you add or remove permissions from a technical role that is authorized by a business role, the changes may cause business role authorizations to be gained or lost, which may trigger evaluation and consequent actions. For more information, see Section 18.8, Automated Access Provisioning and Deprovisioning.

To edit or delete a technical role:

  1. Log in as a Customer, Global, or Technical Roles Administrator.

  2. Under Catalog, select Roles.

  3. (Optional) Click the gear icon to select additional columns, such as the number of SoDs, number of business roles, and number of users with all permissions.

  4. Select the role you want to edit or delete.

    Selecting the role displays a quick overview of the role definition including the name, description, owner, risk, state, and selected permissions.

  5. Select Edit at the end of the details panel to edit the technical role.

  6. (Conditional) Select Delete to delete the technical role.

    You must edit the technical role to delete the technical role.

    NOTE: When you delete technical roles, Identity Governance removes the role assignments and detections from the users but does not change the permissions held by the users.