25.7 Adding Authorizations to a Business Role

A business role authorization policy defines the permissions, technical roles, and applications authorized by the business role. Users are not automatically assigned the permissions of a business role, nor are business role permissions removed if users no longer meet the criteria for a business role. The business role authorization policy defines whether the user is authorized for the access.

A business role can authorize technical roles. That means that users and groups that you add to the business role are authorized for all of the permissions included in each technical role. For more information, see Managing Technical Roles.

You add an authorization policy to the business role on the Authorizations tab when you create or edit the business role.

An authorization policy has many different components. The following information explains each of them.

Authorized Permissions

A user in the business role can be authorized to have all the permissions included in the authorization policy.

Authorized Technical Roles

A user in the business role can be authorized for technical roles included in the authorization policy.

Authorized Applications

A user in the business role can be authorized to have an account in all of the applications included in the authorization policy.

Mandatory and Optional Entitlements

Mandatory entitlements include permissions, technical roles, and applications that a user is expected to have if they are assigned the business role. Optional entitlements are permissions, technical roles, or applications that a user is allowed to have but is not required to have.

Automatic Fulfillment Settings

If you selected Automatic Fulfillment on the Owners and Administration tab, you can select whether to automatically grant and revoke each permission, technical role, and application. Applications must have an account collector to allow you to specify automatic grant or revoke.
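The following added example is a simplified model of the concepts above, not the product's code or API: it compares what one user holds with what one business role authorizes and shows where the mandatory/optional flag and the per-resource automatic grant and revoke settings change the outcome. The `Entry` layout, the `evaluate` function, the sample resource names, and the rule that only missing mandatory entries are granted automatically are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One line of an authorization policy (hypothetical layout)."""
    resource: str              # permission, technical role, or application
    mandatory: bool            # False means optional: allowed, not expected
    auto_grant: bool = False   # per-resource automatic fulfillment settings
    auto_revoke: bool = False

def evaluate(policy, is_member, held):
    """Compare what one user holds with what one business role authorizes."""
    out = {"authorized": set(), "grant": set(), "revoke": set(), "review": set()}
    for e in policy:
        has_it = e.resource in held
        if is_member and has_it:
            out["authorized"].add(e.resource)
        elif is_member and e.mandatory:
            # Expected but missing: requested only when auto-grant is set.
            out["grant" if e.auto_grant else "review"].add(e.resource)
        elif not is_member and has_it:
            # Membership lost: access remains unless auto-revoke is set.
            out["revoke" if e.auto_revoke else "review"].add(e.resource)
        # Optional and not held, or non-member without it: nothing to do.
    return out

# Constructed sample policy; resource names are made up for this example.
POLICY = [
    Entry("app:ERP", mandatory=True, auto_grant=True, auto_revoke=True),
    Entry("perm:GL-Post", mandatory=True),
    Entry("role:Report-Viewer", mandatory=False, auto_revoke=True),
]

if __name__ == "__main__":
    # Member who holds only the optional technical role.
    print(evaluate(POLICY, True, {"role:Report-Viewer"}))
    # Former member who still holds both mandatory resources.
    print(evaluate(POLICY, False, {"app:ERP", "perm:GL-Post"}))
```

Entries that land in `review` are the ones the policy alone does not fix: a missing mandatory resource without automatic grant, or access retained after membership ends without automatic revoke.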

Authorization Period

A user in the business role can be authorized for a set period of time defined in the authorization policy. Typically, you need to set an authorization period only during transitions such as mergers or changes related to compliance. Avoid setting an authorization period for business roles to change specific role authorization, as it can be more efficiently handled using periodic business role membership reviews.