17.6 Understanding Technical Role Revocations

Identity Governance removes assigned technical roles when:

  • The automatic fulfillment process revokes a technical role assignment based on a review or access request

  • Users with fulfiller authorization fulfill review or access requests to revoke a technical role assignment

  • Users lose membership in a business role that authorizes the technical role and is configured to auto-revoke it

By default, when a technical role is removed for any of these reasons, Identity Governance triggers fulfillment requests to remove the permissions contained in the technical role from the affected users. It does not generate a request for a permission that is assigned to the same user by another technical role, or when Identity Governance is configured not to generate requests for permissions authorized by business roles.

Use the property com.netiq.iac.request.honorBRoleAuthorizations to honor business role authorizations, so that fulfillment requests are not generated if the permission is authorized by business role membership. To generate fulfillment requests for both auto grant and non-auto grant authorizations, use the property com.netiq.iac.request.honorBRoleAutoGrantOnly. Contact your SaaS Operations Administrator to configure Identity Governance by setting these properties.
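The following added example is a simplified model of the rules above, not Identity Governance code. It shows which permissions of a revoked technical role would receive a removal request and which would stay with the user. The function name, role names, permission names, and the boolean standing in for com.netiq.iac.request.honorBRoleAuthorizations are assumptions made for illustration; com.netiq.iac.request.honorBRoleAutoGrantOnly is not modeled.

```python
def plan_revocation(assigned_roles, revoked_role, brole_authorized,
                    honor_brole_authorizations=False):
    """Decide, per permission of the revoked technical role, whether a
    removal fulfillment request would be generated.

    assigned_roles: technical role name -> set of permissions, for every
                    technical role the user holds before the revocation
    brole_authorized: permissions authorized by the user's business role membership
    honor_brole_authorizations: hypothetical stand-in for the
                    honorBRoleAuthorizations property (assumed off by default)
    """
    decisions = {}
    for perm in sorted(assigned_roles[revoked_role]):
        # Rule 1: another technical role still assigns the same permission.
        others = sorted(role for role, perms in assigned_roles.items()
                        if role != revoked_role and perm in perms)
        if others:
            decisions[perm] = "keep: also in technical role " + ", ".join(others)
        # Rule 2: business role authorization is honored by configuration.
        elif honor_brole_authorizations and perm in brole_authorized:
            decisions[perm] = "keep: authorized by business role"
        else:
            decisions[perm] = "remove"
    return decisions


# Constructed sample data (not from any real deployment).
SAMPLE_ROLES = {
    "TR-Finance-Reporting": {"ledger.read", "reports.export", "vpn.access"},
    "TR-Remote-Worker": {"vpn.access"},
}
SAMPLE_BROLE_AUTHORIZED = {"reports.export"}

if __name__ == "__main__":
    for honor in (False, True):
        print(f"honor business role authorizations = {honor}")
        plan = plan_revocation(SAMPLE_ROLES, "TR-Finance-Reporting",
                               SAMPLE_BROLE_AUTHORIZED, honor)
        for perm, decision in plan.items():
            print(f"  {perm}: {decision}")
```

Permissions marked "keep" remain on the account after the technical role is revoked, so they are the ones to confirm in a later access review.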