14.5 Adding Authorizations to a Business Role

A business role authorization policy defines the permissions, technical roles, and applications that the business role authorizes. Users are not automatically assigned the permissions of a business role, nor are business role permissions removed when users no longer meet the criteria for the business role. The authorization policy defines only whether a user is authorized for the access; it does not by itself assign the resource. (Assignment happens only through requests, including the automatic grant and revoke settings described below.)

A business role can authorize technical roles. This means the business role authorizes all of its users and groups for every permission included in each technical role. For more information, see Section 7.5, Managing Technical Roles.

You add an authorization policy to the business role on the Authorizations tab when you create or edit the business role.

An authorization policy has several components, described below.

Authorized Permissions

The authorization policy can authorize a user in the business role for all of the permissions included in the policy. If an authorized permission comes from an Identity Manager application and is an Identity Manager role (parent) that contains other Identity Manager roles and Identity Manager resources (children), the authorization policy can also authorize the user for the permissions that the Identity Manager role contains.

Authorized Technical Roles

The authorization policy can authorize a user in the business role for the technical roles included in the policy. If an authorized technical role includes a permission from an Identity Manager application that is an Identity Manager role containing other Identity Manager roles and Identity Manager resources, the authorization policy can authorize the business role member both for the explicitly specified permissions and the permissions they directly contain (direct permissions) and for the permissions nested within those contained permissions (indirect permissions).

Authorized Applications

The authorization policy can authorize a user in the business role to have accounts in the applications included in the authorization policy.

Mandatory versus Optional

When an authorization policy marks a permission, technical role, or application as Mandatory, a member of the business role is expected to have it. However, Identity Governance does not enforce this: a member who lacks a mandatory item is not automatically given it, and membership is not affected. Optional means the policy allows a user to have the resource but does not require it.

Automatic Grant or Revoke Settings

You can select whether to automatically grant or revoke each permission, technical role, and application. An application must have an account collector before you can specify automatic grant or revoke for it. When the auto-grant or auto-revoke settings in a business role's authorization policy are applied, Identity Governance might issue grant requests for users who do not have a resource, and revoke requests for users who do have it. Under certain conditions, Identity Governance might also issue grant requests for a user who already has the resource, or revoke requests for a user who does not, so do not assume that a request implies a current state.

If you specify auto request on a technical role, the auto request applies only to the permissions explicitly specified in the technical role. It does not apply to any permissions that those permissions themselves contain. For example, for Identity Manager roles that contain child permissions, Identity Governance issues the auto request only for the top-level role, and Identity Manager's own rules then handle the child authorizations. For more information, see Section 14.11, Automated Access Provisioning and Deprovisioning.
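The distinction between what a policy authorizes (the Authorized Permissions and Authorized Technical Roles components above, including indirect permissions) and what its auto settings actually request (explicit entries only) is easy to get wrong when reviewing a business role. The following Python model is an added example written for this page; it is not Identity Governance code and does not use its API. The Identity Manager role hierarchy, the policy entries, and the user holdings are constructed, and the reading that auto-revoke applies to a user who has left the business role is this example's assumption based on the reference to Section 14.11.

```python
"""Model of what a business role authorization policy authorizes versus what its
auto-grant/auto-revoke settings actually request.

Added illustration for this page: not Identity Governance code or its API.
The role hierarchy, policy entries and user holdings below are constructed.
"""
from dataclasses import dataclass

# Constructed Identity Manager role hierarchy: parent role -> children
# (child roles or resources). Hypothetical names, not real data.
IDM_CONTAINS = {
    "idm:role:finance-manager": ("idm:role:finance-analyst", "idm:resource:erp-approver"),
    "idm:role:finance-analyst": ("idm:resource:erp-reader", "idm:resource:reporting-db"),
}


@dataclass(frozen=True)
class AuthorizedItem:
    """One permission, technical role or application entry in an authorization policy."""
    name: str
    permissions: tuple = ()     # technical role only: the permissions it explicitly specifies
    mandatory: bool = False     # expected for members, but never enforced
    auto_grant: bool = False
    auto_revoke: bool = False

    def explicit_permissions(self):
        # A permission or application entry names itself; a technical role names its list.
        return self.permissions or (self.name,)


def contained_permissions(permission, contains=IDM_CONTAINS):
    """Transitive children of a hierarchical Identity Manager role (indirect permissions)."""
    seen, stack = set(), list(contains.get(permission, ()))
    while stack:
        child = stack.pop()
        if child not in seen:
            seen.add(child)
            stack.extend(contains.get(child, ()))
    return seen


def authorized_permissions(policy):
    """Everything a member is authorized for: explicit entries plus their contained children."""
    result = set()
    for item in policy:
        for perm in item.explicit_permissions():
            result.add(perm)
            result |= contained_permissions(perm)
    return result


def auto_requests(policy, holdings, member):
    """Requests the auto settings would raise for one user.

    Assumption (this example's reading of Section 14.11): auto-grant fires for a
    current member who lacks an item; auto-revoke fires for a user who is no longer
    a member but still holds it. Only explicitly specified permissions are
    considered; contained children are left to Identity Manager's own rules.
    """
    requests = []
    for item in policy:
        for perm in item.explicit_permissions():
            if member and item.auto_grant and perm not in holdings:
                requests.append(("grant", perm))
            if not member and item.auto_revoke and perm in holdings:
                requests.append(("revoke", perm))
    return sorted(requests)


def missing_mandatory(policy, holdings):
    """Mandatory entries a member does not fully hold: reported for review, never requested."""
    return sorted(item.name for item in policy
                  if item.mandatory and not set(item.explicit_permissions()) <= set(holdings))


# Constructed policy for a hypothetical "Finance Manager" business role.
POLICY = (
    AuthorizedItem("idm:role:finance-manager", mandatory=True, auto_grant=True, auto_revoke=True),
    AuthorizedItem("tr:finance-tools",
                   permissions=("ad:group:fin-share", "idm:role:finance-analyst"), auto_grant=True),
    AuthorizedItem("app:expense-system", mandatory=True),   # application entry, no auto settings
)

if __name__ == "__main__":
    member_holds = {"idm:role:finance-analyst", "idm:resource:erp-reader"}
    leaver_holds = {"idm:role:finance-manager", "idm:resource:erp-approver", "ad:group:fin-share"}
    print("authorized:", sorted(authorized_permissions(POLICY)))
    print("member requests:", auto_requests(POLICY, member_holds, member=True))
    print("member missing mandatory:", missing_mandatory(POLICY, member_holds))
    print("leaver requests:", auto_requests(POLICY, leaver_holds, member=False))
```

Running it shows the two gaps a reviewer should expect: the member is authorized for seven items, including the indirect `idm:resource:erp-approver`, yet only the two explicit entries are requested, and the missing mandatory application is reported but not requested. For the leaver, the child `idm:resource:erp-approver` is likewise never revoked by the policy; it is left to Identity Manager's handling of the top-level role.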

Authorization Period

The authorization policy can authorize a user in the business role for a set period of time defined in the policy. Typically, you need an authorization period only during transitions such as mergers or compliance-driven changes. Avoid using an authorization period as a way to change specific role authorizations; periodic business role membership reviews handle that more efficiently.