14.4 Authorizing User Access Through Business Roles

Membership policy determines which users are members of a business role. Membership policy can include membership expressions, membership policy from other business roles, user or group inclusion lists, and user or group exclusion lists. Regardless of how a user becomes a member of a role (matching a membership expression, explicitly included, and so forth), they are authorized to have the resources specified in the business role for as long as they are a member of the business role.

NOTE: Business role authorization of a resource (permission, technical role, or application) for a user is independent of assigning the resource to the user. For example, the business role might authorize a user to have a permission, but Identity Governance might not have assigned the permission. Similarly, Identity Governance might have assigned a permission, but the business role might not authorize the permission.
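
The following sketch is an added example, not Identity Governance code or part of the product documentation. It models membership policy and then compares what business roles authorize with what is actually assigned, surfacing both mismatches described in the note. All class, field, and resource names are hypothetical, the data is constructed, and letting an exclusion list entry override every other membership source is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class BusinessRole:
    name: str
    expression: Callable[[dict], bool]             # membership expression over user attributes
    include: set = field(default_factory=set)      # user inclusion list
    exclude: set = field(default_factory=set)      # user exclusion list
    inherits: list = field(default_factory=list)   # roles whose membership policy is reused
    authorized: set = field(default_factory=set)   # resources this role authorizes

    def is_member(self, uid: str, attrs: dict) -> bool:
        # Assumption of this model: exclusion wins over every other source.
        if uid in self.exclude:
            return False
        if uid in self.include or self.expression(attrs):
            return True
        return any(r.is_member(uid, attrs) for r in self.inherits)

def reconcile(users: dict, roles: list, assigned: set):
    """Return (authorized_but_not_assigned, assigned_but_not_authorized)."""
    authorized = {
        (uid, res)
        for uid, attrs in users.items()
        for role in roles if role.is_member(uid, attrs)
        for res in role.authorized
    }
    return authorized - assigned, assigned - authorized

# Constructed sample data.
USERS = {
    "alice": {"dept": "Finance"},
    "bob": {"dept": "Finance"},
    "carol": {"dept": "IT"},
}
FINANCE = BusinessRole("Finance Staff", lambda a: a.get("dept") == "Finance",
                       include={"carol"}, exclude={"bob"},
                       authorized={"GL_READ", "EXPENSE_APP"})
AUDITORS = BusinessRole("Auditors", lambda a: False, inherits=[FINANCE],
                        authorized={"AUDIT_LOG_READ"})
ASSIGNED = {
    ("alice", "GL_READ"), ("alice", "EXPENSE_APP"), ("alice", "AUDIT_LOG_READ"),
    ("bob", "GL_READ"),                      # assigned, but bob is excluded from the role
    ("carol", "GL_READ"), ("carol", "AUDIT_LOG_READ"),
}

if __name__ == "__main__":
    missing, unauthorized = reconcile(USERS, [FINANCE, AUDITORS], ASSIGNED)
    print("authorized but not assigned:", sorted(missing))
    print("assigned but not authorized:", sorted(unauthorized))
```

Assignments that no role authorizes are the ones to prioritize in an access review, since they represent access held outside of any business role policy.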