17.5 Understanding Technical Role Detection and Assignments

When you activate a technical role, Identity Governance detects users in the catalog who hold the role's permissions as members of the role. Identity Governance assigns the technical role to the users when:

  • Global Administrators, Technical Roles Administrators, or Technical Role Owners promote detected roles and assign users to roles

  • Users become members of a business role that is authorized to auto-grant technical role authorization

  • A fulfiller, or the automatic fulfillment process, fulfills technical role assignment requests

    NOTE: For access requests, if an effective date is set when requesting access, the user is not assigned the role until the specified date.

Users might be detected in a role without being assigned the role, or they might be assigned the role without being detected in the role. Identity Governance Customer, Global, or Technical Roles Administrators can view which users are detected or assigned a role from the catalog role page by adding # Users with all Permissions and # Assigned Users as selected columns.

Administrators and owners can also view the details of a technical role assignment in the catalog on the Identity page Roles tab. The assignment details indicate how it was assigned, such as business role, access request, or promotion, as well as when it was assigned. If a role is assigned but not detected, administrators can also see the role permissions that are not held by the user.

Deactivating a role or changing its permissions does not change role assignments. When you deactivate a technical role, Identity Governance no longer detects users as members of the role in the catalog and excludes the technical role from future detection processes. Similarly, if you change the permissions in an active technical role definition, Identity Governance goes through the detection process and updates the catalog. However, users who are assigned the technical role remain assigned independent of detection.
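The following added example (a simplified model, not Identity Governance code or its API) reconciles detection against assignment the way this section describes, including a deactivated role and a future effective date. The class and function names (`TechnicalRole`, `Assignment`, `detect`, `reconcile`) and all sample data are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class TechnicalRole:            # hypothetical model, not an Identity Governance API
    name: str
    permissions: frozenset
    active: bool = True

@dataclass(frozen=True)
class Assignment:
    user: str
    source: str                 # "promotion", "business role" or "access request"
    effective: date             # assignment does not apply before this date

def detect(role, holdings):
    """Users who hold every permission of an active role; inactive roles are skipped."""
    if not role.active:
        return set()
    return {u for u, held in holdings.items() if role.permissions <= held}

def reconcile(role, holdings, assignments, today):
    """Map each user to (state, permissions of the role the user does not hold)."""
    detected = detect(role, holdings)
    assigned = {a.user for a in assignments if a.effective <= today}
    report = {}
    for user in sorted(detected | assigned):
        missing = sorted(role.permissions - holdings.get(user, frozenset()))
        if user in assigned:
            state = "assigned+detected" if user in detected else "assigned, not detected"
        else:
            state = "detected, not assigned"
        report[user] = (state, missing)
    return report

# Constructed sample data
ALL = frozenset({"db.read", "db.write", "db.backup"})
ROLE = TechnicalRole("DB Admin", ALL)
HOLDINGS = {"alice": ALL, "bob": frozenset({"db.read"}), "carol": ALL, "dave": ALL}
ASSIGNMENTS = [
    Assignment("alice", "promotion", date(2024, 1, 10)),
    Assignment("bob", "business role", date(2024, 2, 1)),
    Assignment("dave", "access request", date(2024, 12, 1)),  # future effective date
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for user, (state, missing) in reconcile(ROLE, HOLDINGS, ASSIGNMENTS, TODAY).items():
        print(f"{user:6} {state:24} missing={missing}")
```

Users reported as "assigned, not detected" are the ones to review: the assignment remains in place even though the user lacks some of the role's permissions or the role is no longer part of detection.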