19.5 Managing Technical Roles

Technical roles allow business owners to simplify the review process by grouping permissions. This provides a higher level of abstraction and reduces the number of items for business leaders to review. Technical roles also allow the business to provide context for the grouped items, including a business-relevant title and description, risk, cost, and ownership.

After you have published application data, you can create technical roles that group permissions which are commonly held together. When you have created technical roles, Identity Governance detects users whose permissions match the technical roles you have defined and lists the technical roles a user holds in the user catalog. When you have defined technical roles, you can create user access review definitions for technical role reviews.

19.5.1 Understanding Technical Role States

There are several states in the life cycle of a technical role after it is created manually or mined. From beginning to end, the technical role goes through the following states:

  CANDIDATE
    The technical role was created by role mining and must be promoted before it can be activated. This state corresponds to the internal state called MINED.

  ACTIVE
    Valid, meaning all included permissions are available in the catalog, and the role is included in the detection process.

  NOT ACTIVE
    Valid; however, the role is excluded from the detection process. This state corresponds to the internal state called REJECTED.

  INVALID
    Invalid and excluded from the detection process due to a detected error. Detection errors are usually the result of a permission included in the technical role having been deleted.

19.5.2 Understanding Technical Role Mining

Identity Governance uses advanced analytics to mine business data and identify role candidates. This process of discovering and analyzing business data in order to group multiple users and access rights under one business or technical role candidate is called Role Mining or Role Discovery. Global or Technical Role administrators can use role mining to create technical roles with common permissions. Identity Governance uses two approaches to technical role mining to identify technical role candidates.

  • Automatic Suggestions enables administrators to direct the mining calculations, either by saving the default options or by specifying and saving options such as the minimum number of permissions that a specified number of users must have in common, the coverage percentage, and the maximum number of role suggestions.

  • Visual Role Mining enables administrators to select role candidates from a visual representation of the distribution of users based on permissions. Administrators can click in the user access map and drag to select an area in the map, and then view technical role candidates.

NOTE: Technical role candidates can also be generated when using mining to create business roles. For more information about business roles, see Section 25.0, Creating and Managing Business Roles.

NOTE: Mined business or technical roles are created in a candidate state. Role candidates can be edited and saved, but must be promoted before they can be approved or published as a role.
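As an added illustration of the Automatic Suggestions approach, the following Python script mines role candidates from a constructed user-to-permission table. It is example code written for this section, not Identity Governance's mining engine. It applies the options the section names (a minimum number of permissions that a minimum number of users must hold in common, and a maximum number of suggestions) and ranks suggestions by users times permissions, the sort order described under Creating Technical Roles. The coverage figure (the share of all users who hold the candidate's permissions) is an assumed definition, and the sample data, function and field names are this example's own.

```python
"""Frequent-permission-set role mining over a user -> permissions table.

Added example; illustrative only, not Identity Governance code.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, NamedTuple, Set

# Constructed sample data: user id -> set of permission ids held by that user.
USER_PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"erp:ap.view", "erp:ap.post", "erp:gl.view", "crm:read"},
    "bob":   {"erp:ap.view", "erp:ap.post", "erp:gl.view", "hr:view"},
    "carol": {"erp:ap.view", "erp:ap.post", "erp:gl.view"},
    "dave":  {"erp:ap.view", "erp:ap.post", "crm:read", "crm:write"},
    "erin":  {"erp:ap.view", "erp:ap.post", "crm:read", "crm:write"},
    "frank": {"hr:view", "hr:edit"},
}


class RoleCandidate(NamedTuple):
    permissions: FrozenSet[str]   # permission set shared by every user below
    users: FrozenSet[str]         # users holding all of those permissions
    score: int                    # users x permissions, the documented sort key
    coverage: float               # assumed definition: share of all users covered


def mine_candidates(user_perms: Dict[str, Set[str]],
                    min_users: int = 2,
                    min_perms: int = 2,
                    max_suggestions: int = 10) -> List[RoleCandidate]:
    """Return closed permission sets held in common by at least min_users users.

    Exhaustive over all permission combinations, so suitable only for small
    inputs; the point is the selection and ranking logic, not scalability.
    """
    universe = sorted(set().union(*user_perms.values()))
    holders_of: Dict[FrozenSet[str], FrozenSet[str]] = {}
    for size in range(min_perms, len(universe) + 1):
        for combo in combinations(universe, size):
            perms = frozenset(combo)
            holders = frozenset(u for u, held in user_perms.items() if perms <= held)
            if len(holders) >= min_users:
                holders_of[perms] = holders

    # Keep only "closed" sets: if adding permissions keeps exactly the same
    # holders, the larger set is the better suggestion and the smaller is dropped.
    candidates: List[RoleCandidate] = []
    for perms, holders in holders_of.items():
        if any(other > perms and holders_of[other] == holders for other in holders_of):
            continue
        candidates.append(RoleCandidate(perms, holders,
                                        len(holders) * len(perms),
                                        len(holders) / len(user_perms)))

    # Sort by users x permissions, largest first; ties are broken by user count
    # and then by permission names so the order is deterministic.
    candidates.sort(key=lambda c: (-c.score, -len(c.users), tuple(sorted(c.permissions))))
    return candidates[:max_suggestions]


if __name__ == "__main__":
    for c in mine_candidates(USER_PERMISSIONS):
        print(f"{c.score:>3}  users={sorted(c.users)}  perms={sorted(c.permissions)}")
```

With the sample data the top suggestion is the pair of AP permissions held by five users (score 10), ahead of two three-permission sets held by three users each (score 9); raising the minimum user count to four leaves only the first suggestion, which is the effect the minimum-users option has on the candidate list.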

19.5.3 Creating Technical Roles

To create technical roles, you must have either the Global Administrator or the Technical Roles Administrator authorization. You can create technical roles either manually or by using role mining analytics. Additionally, a Business Role Administrator can generate technical roles when creating a business role candidate.

When using role mining analytics, permissions are automatically grouped together and presented as role candidates. You must promote role candidates to roles before they can be activated.

When creating technical roles manually, an understanding of what permissions you want to assign to the technical role is helpful. However, you can create the technical role without adding any permissions to it in order to delegate responsibility for assigning the permissions in a technical role to the Technical Role Owner. The designated owner can then log in to Identity Governance and add the appropriate permissions to the technical role. You cannot activate a technical role until you have added permissions to the technical role.

To create a technical role:

  1. Log in as a Global or Technical Roles Administrator.

  2. Under Catalog, select Roles.

  3. Select the Mining tab, and then use one of the following approaches:

    If you want to direct role mining calculations and create more than one technical role:

    • Select Automatic Suggestions.

    • Save the default options, or specify options and save them.

    • Select one or more items from the list, and then select Create Roles.

      NOTE: Suggestions are sorted by the number of users times the number of permissions. For example, if there are five users who match the role mining options and who hold four permissions in common, they are listed first, followed by a suggestion with four users who hold four permissions in common.

    If you want to use the user access map to create a role candidate:

    • Select Visual Role Mining.

    • Click in the map and drag to select an area.

    • Click View Candidate.

    • (Optional) Click More to add a description, risk, cost, or category.

    • (Optional) Click + to add permissions, or click Remove next to a permission to remove it.

    • Estimate the impact.

    • Click Create candidate.

  4. In the Roles page, click on the mined role.

  5. (Optional) Edit the role name, description, risk, cost, or category.

  6. Estimate the impact by viewing the list of associated users and analyzing SoD violations, if SoD policies have been defined.

  7. (Optional) Add or remove permissions based on the estimated impact and save the changes.

  8. Select Yes to promote the role candidate.

    NOTE: If a role candidate is not promoted, it cannot be activated and published as a role.

  9. Alternatively, to create a role manually, select + on the Roles page.

  10. Enter the required information.

  11. (Optional) Select + next to Permissions, select the permissions to include in the role, and then select Add.

  12. (Conditional) If permissions have been added to the technical role, estimate the impact and edit the role if needed.

  13. Save your settings.

NOTE: When you add a permission to a role, the dialog displays all application permissions in Identity Governance. You can quickly sort or filter permissions by name, description, or application. You can also use the advanced search options to limit the displayed permissions further.

19.5.4 Activating Technical Roles

After you have added permissions to a technical role definition, you can see an estimate of the number of users holding the permissions of the technical role, and you can activate the definition. If you do not activate the definition, Identity Governance does not identify the users that hold the permissions in the technical role.

NOTE: Mined technical roles are created in a candidate state and must be promoted before they can be activated and published.

To activate a technical role:

  1. Under Catalog, select Roles as a Global or Technical Roles Administrator.

  2. Select the role from the list, then select Edit.

  3. In the role definition, select Active.

Activating and deactivating a technical role both start a detection process. When you activate a technical role, Identity Governance detects the users in the catalog that hold its permissions. When you deactivate a technical role, Identity Governance removes the detected technical role memberships from the catalog. Similarly, if you change the permissions in an active technical role definition, Identity Governance runs the detection process again and updates the catalog.
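The following Python model, added here as an example and not Identity Governance code, ties together the state table in Understanding Technical Role States and the detection behaviour described above: activating a role detects the users holding all of its permissions, deactivating removes those detections, editing an active role re-runs detection, and deleting a permission from the catalog invalidates any role that includes it until the permission is restored or removed from the definition. The state names follow the table; the class, method and field names and the sample catalog are assumptions of this example.

```python
"""Technical role life cycle and permission-based detection (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class RoleState(Enum):
    CANDIDATE = "CANDIDATE"     # mined, must be promoted (internal: MINED)
    ACTIVE = "ACTIVE"           # valid and included in detection
    NOT_ACTIVE = "NOT ACTIVE"   # valid but excluded from detection (internal: REJECTED)
    INVALID = "INVALID"         # excluded because a permission no longer exists


@dataclass
class TechnicalRole:
    name: str
    permissions: Set[str] = field(default_factory=set)
    state: RoleState = RoleState.NOT_ACTIVE


class Catalog:
    """Published permissions, user holdings, and detected role memberships."""

    def __init__(self, permissions: Set[str], user_permissions: Dict[str, Set[str]]):
        self.permissions = set(permissions)
        self.user_permissions = user_permissions
        self.roles: Dict[str, TechnicalRole] = {}
        self.detected: Dict[str, Set[str]] = {}   # role name -> users holding it

    def add_role(self, role: TechnicalRole) -> None:
        self.roles[role.name] = role

    def promote(self, role: TechnicalRole) -> None:
        if role.state is RoleState.CANDIDATE:
            role.state = RoleState.NOT_ACTIVE

    def activate(self, role: TechnicalRole) -> RoleState:
        if role.state is RoleState.CANDIDATE:
            raise ValueError("promote the role candidate before activating it")
        if not role.permissions:
            raise ValueError("a role without permissions cannot be activated")
        if not role.permissions <= self.permissions:
            # A referenced permission is missing from the catalog: detection error.
            role.state = RoleState.INVALID
            self.detected.pop(role.name, None)
        else:
            role.state = RoleState.ACTIVE
            self._detect(role)
        return role.state

    def deactivate(self, role: TechnicalRole) -> None:
        role.state = RoleState.NOT_ACTIVE
        self.detected.pop(role.name, None)      # detected memberships are removed

    def set_permissions(self, role: TechnicalRole, permissions: Set[str]) -> None:
        role.permissions = set(permissions)
        if role.state is RoleState.ACTIVE:
            self.activate(role)                 # an edited active role is re-detected

    def delete_permission(self, permission: str) -> List[str]:
        """Remove a permission from the catalog; roles that include it become INVALID."""
        self.permissions.discard(permission)
        affected = []
        for role in self.roles.values():
            if permission in role.permissions and role.state is not RoleState.CANDIDATE:
                role.state = RoleState.INVALID
                self.detected.pop(role.name, None)
                affected.append(role.name)
        return affected

    def restore_permission(self, permission: str) -> None:
        """Re-publish a permission; invalid roles become valid again but stay disabled."""
        self.permissions.add(permission)
        for role in self.roles.values():
            if role.state is RoleState.INVALID and role.permissions <= self.permissions:
                role.state = RoleState.NOT_ACTIVE

    def roles_of(self, user: str) -> List[str]:
        """Technical roles that would be listed for a user in the user catalog."""
        return sorted(name for name, users in self.detected.items() if user in users)

    def _detect(self, role: TechnicalRole) -> None:
        self.detected[role.name] = {
            u for u, held in self.user_permissions.items() if role.permissions <= held
        }


def build_sample_catalog() -> Catalog:
    # Constructed sample data, not from a real deployment.
    return Catalog(
        permissions={"erp:ap.view", "erp:ap.post", "erp:gl.view", "crm:read"},
        user_permissions={
            "alice": {"erp:ap.view", "erp:ap.post", "erp:gl.view"},
            "bob": {"erp:ap.view", "erp:ap.post"},
            "carol": {"crm:read"},
        },
    )
```

Note that a restored permission returns the role to NOT ACTIVE rather than ACTIVE, matching the section's statement that the role stays disabled until the permission is back in the catalog; an administrator still has to activate it again for detection to resume.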

You can quickly search for a role by name or description. Identity Governance performs a case-insensitive search of all of the technical roles in the catalog and returns any that contain the string in the technical role name, description, or cost. You can also use the advanced search feature to limit the number of roles.

19.5.5 Editing and Deleting a Technical Role

When you edit a technical role, you can change permissions assigned to the technical role and either leave the technical role active or disable the technical role. However, Identity Governance automatically disables a technical role definition if a permission included in the technical role is deleted from the application. The technical role remains in the disabled state until the permission is removed from the technical role definition or restored in the application and then collected and published to the catalog.

To edit or delete a technical role:

  1. Under Catalog, select Roles as a Global or Technical Roles Administrator.

  2. Select the role you want to edit or delete.

    Selecting the role displays a quick overview of the role definition including the name, description, owner, risk, state, selected permissions, and any Separation of Duties policies that reference the technical role.

  3. Select Edit at the end of the details panel to edit the technical role.

  4. (Conditional) Select Delete to delete the technical role.

    You must open the technical role for editing before you can delete it.

19.5.6 Downloading and Importing Technical Roles

You can download technical roles as a JSON file and import them later into another environment.

To download or import technical roles:

  1. Under Catalog, select Roles as a Global or Technical Roles Administrator.

  2. Select a role or all the roles on the Roles tab.

  3. Select Actions > Download.

    1. (Optional) Choose to include references to technical role owners and to download the associated applications and assigned categories.

    2. Select Download.

  4. If you make changes, or want to import previously downloaded technical roles into another environment, select Import Technical Roles on the Roles tab.

  5. Navigate to the technical roles JSON file, select the file to import, and click Open.

  6. Identity Governance detects whether you are importing new or updated roles and whether the updates would create any conflicts or have unresolved references.

  7. Select how to continue based on what information is displayed.

    NOTE: You must activate the role for Identity Governance to recognize the users that hold the permissions as members of a technical role. For more information, see Activating Technical Roles.
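As an added example of the checks step 6 describes, the following Python function classifies each role in a downloaded file as new, updated, conflicting, or carrying unresolved references before anything is written to the target environment. This is illustrative code, not Identity Governance's importer: the JSON layout (role id, name, owner, permissions, categories), the target catalog structure, and the rule that an id match means "updated" while a name match under a different id is a "conflict" are all assumptions of this example, and the data is constructed.

```python
"""Pre-import check for a downloaded technical roles file (added example)."""
import json
from typing import Dict, List

# Constructed export, as if downloaded from a source environment (assumed layout).
EXPORT_JSON = json.dumps([
    {"id": "tr-001", "name": "AP Clerk", "owner": "alice@example.test",
     "permissions": ["erp:ap.view", "erp:ap.post"], "categories": ["Finance"]},
    {"id": "tr-002", "name": "CRM Reader", "owner": "bob@example.test",
     "permissions": ["crm:read"], "categories": ["Sales"]},
    {"id": "tr-003", "name": "HR Viewer", "owner": "hr-owner@example.test",
     "permissions": ["hr:view", "hr:edit"], "categories": ["HR"]},
])

# Constructed state of the target environment's catalog (assumed structure).
TARGET = {
    "roles": {"tr-001": "AP Clerk", "tr-099": "CRM Reader"},   # role id -> name
    "users": {"alice@example.test", "bob@example.test"},
    "permissions": {"erp:ap.view", "erp:ap.post", "crm:read", "hr:view"},
    "categories": {"Finance", "Sales"},
}


def plan_import(export_json: str, target: Dict) -> Dict[str, List[str]]:
    """Classify each exported role as new, updated, conflicting, or unresolved."""
    plan: Dict[str, List[str]] = {"new": [], "updated": [], "conflicts": [], "unresolved": []}
    names_by_id = target["roles"]
    ids_by_name = {name: rid for rid, name in names_by_id.items()}
    for role in json.loads(export_json):
        rid, name = role["id"], role["name"]

        # Unresolved references: owner, permissions or categories absent from the target.
        missing = []
        if role.get("owner") not in target["users"]:
            missing.append(f"owner {role.get('owner')}")
        missing += [f"permission {p}" for p in role.get("permissions", [])
                    if p not in target["permissions"]]
        missing += [f"category {c}" for c in role.get("categories", [])
                    if c not in target["categories"]]
        if missing:
            plan["unresolved"].append(f"{name}: " + ", ".join(missing))

        # New vs. updated vs. conflict, decided on the role id and name.
        if rid in names_by_id:
            plan["updated"].append(name)
        elif name in ids_by_name:
            plan["conflicts"].append(f"{name}: exists as {ids_by_name[name]}, import has {rid}")
        else:
            plan["new"].append(name)
    return plan


def is_clean(plan: Dict[str, List[str]]) -> bool:
    """True when the import can proceed without manual decisions."""
    return not plan["conflicts"] and not plan["unresolved"]


if __name__ == "__main__":
    print(json.dumps(plan_import(EXPORT_JSON, TARGET), indent=2))
```

Running it against the constructed data reports AP Clerk as an update, CRM Reader as a conflict (same name under a different id in the target), and HR Viewer as new but with an owner, a permission and a category that the target does not know, which is exactly the kind of information step 7 asks you to act on before continuing.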