Membership policy determines which users are members of a business role. Membership policy can include membership expressions, user or group inclusion lists, and user or group exclusion lists. Regardless of whether a user is a member of role by virtue of matching a membership expression or because they are explicitly included, they are authorized resources of a business role for as long as they are a member of the business role.