Business Roles
Business Roles are organizational designations within IdentityCenter that map logical job functions to one or more Active Directory groups. Located at /access-review/roles, the Business Roles page allows administrators to create, manage, and link roles that simplify access governance, streamline approval workflows, and provide meaningful context to the Access Catalog.
What are Business Roles?
A business role represents a job function or responsibility within your organization. Rather than managing access at the individual AD group level, business roles let you define access bundles that correspond to how people actually work.
| Without Business Roles | With Business Roles |
| --- | --- |
| User requests "VPN-FullAccess" group | User requests "IT Admin" role |
| User requests "ServerAdmin-Tier1" group | Role automatically includes VPN, server admin, and monitoring groups |
| User requests "Monitoring-ReadWrite" group | One request, one approval, three groups provisioned |
| Three separate approvals needed | Single workflow covers the role |
Business Roles Page Overview
The Business Roles page at /access-review/roles displays summary statistics and a management interface.
Statistics Dashboard
| Statistic | Description |
| --- | --- |
| Total Roles | Number of business roles configured in the system |
| Linked Roles | Roles that are mapped to at least one AD group |
| Unlinked Roles | Roles with no AD group mapping (require configuration) |
| Total Members | Sum of all members across all roles |
Role List
The main table displays all configured roles with:
- Role name and icon
- Category badge
- Number of linked AD groups
- Member count
- Status (Active / Inactive)
- Quick actions (Edit, Delete, View Members)
Creating a Business Role
- Navigate to Access Reviews > Business Roles
- Click New Role
- Fill in the role details:
| Field | Required | Description | Example |
| --- | --- | --- | --- |
| Name | Yes | A clear, descriptive name | IT Security Analyst |
| Description | Yes | What this role represents and what access it provides | Security team member responsible for monitoring, incident response, and vulnerability management |
| Category | Yes | Organizational category (see below) | Security |
| Icon | No | Visual icon for the role | Shield icon |
| Color | No | Display color for the role badge | Blue |
Step 2: Select a Category
Categories organize roles for browsing and filtering:
| Category | Description | Example Roles |
| --- | --- | --- |
| Executive | C-suite and senior leadership | CEO, CFO, CTO, CISO |
| IT | Information technology staff | IT Admin, Helpdesk, DBA, Network Engineer |
| Security | Information security team | Security Analyst, SOC Operator, Pen Tester |
| Compliance | Audit and compliance staff | Compliance Officer, Internal Auditor, Risk Analyst |
| Operations | Business operations | Operations Manager, Facilities, Procurement |
| Finance | Financial operations | Controller, AP Clerk, Financial Analyst |
| HR | Human resources | HR Manager, Recruiter, Benefits Admin |
| Custom | Organization-specific categories | Any custom category you define |
Step 3: Link AD Groups
Map the role to one or more AD groups that provide the actual access:
- Click Link Groups
- Search for AD groups by name
- Select the groups that correspond to this role
- Each linked group will be provisioned when a user is granted this role
| Example Role | Linked AD Groups |
| --- | --- |
| IT Admin | IT-VPN-FullAccess, ServerAdmin-Tier1, Monitoring-ReadWrite, IT-SharedDrive |
| Helpdesk | Helpdesk-Agents, PasswordReset-Operators, AD-UserAccountManagement |
| CISO | Security-Leadership, Audit-ReadAll, Compliance-Reports, Executive-Team |
| Security Team | SOC-Analysts, SIEM-Access, VulnScanner-Users, IR-Team |
Tip: When linking groups, include only the groups that every person in this role needs. If some group memberships are optional, create a separate sub-role or keep them as individually requestable resources in the catalog.
| Setting | Description |
| --- | --- |
| Auto-Sync Membership | Automatically sync role membership from linked AD groups |
| Fallback Email | Email address for notifications when the role has no AD group (e.g., for notification-only roles) |
| Approval Workflow | The workflow triggered when someone requests this role via the catalog |
| Risk Level | Low, Medium, or High -- drives approval routing and catalog display |
Auto-Sync Role Membership
When Auto-Sync Membership is enabled, IdentityCenter automatically updates the business role's member list based on the membership of its linked AD groups.
How It Works
- During synchronization, IdentityCenter reads group memberships from AD
- For each linked AD group, the members are resolved
- The business role's member list is updated to reflect the union of all linked groups
- Members added to or removed from the AD group are automatically reflected in the role
Sync Behavior
| Scenario | Result |
| --- | --- |
| User added to linked AD group | User automatically appears as a role member |
| User removed from linked AD group | User removed from role (if no other linked groups include them) |
| New AD group linked to role | Existing members of that group are added to the role |
| AD group unlinked from role | Members from only that group are removed (if not in other linked groups) |
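The sync rule above is a set union over the linked groups. The following is an added example (not IdentityCenter's own code) that models that rule over a constructed directory snapshot and walks through the "removed from one group" and "group unlinked" scenarios; the group and user names are hypothetical.

```python
# Added example (not IdentityCenter's own code): models the Auto-Sync
# Membership rule -- a business role's member list is the union of its
# linked AD groups, recomputed on every sync.
from typing import Dict, Set

# Constructed sample AD group memberships (hypothetical directory snapshot).
AD_GROUPS: Dict[str, Set[str]] = {
    "SOC-Analysts": {"alice", "bob"},
    "SIEM-Access": {"bob", "carol"},
    "VulnScanner-Users": {"carol"},
    "IR-Team": {"alice", "dave"},
}

def sync_role_members(linked_groups, ad_groups):
    """Return the role's member set: the union of all linked groups.
    A user present in several groups appears once; a group that is not
    found in the directory contributes no members."""
    members = set()
    for group in linked_groups:
        members |= ad_groups.get(group, set())
    return members

def diff_membership(before, after):
    """Report who gained and who lost the role between two syncs."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}

def run_scenarios():
    role = ["SOC-Analysts", "SIEM-Access", "VulnScanner-Users", "IR-Team"]
    ad = {g: set(m) for g, m in AD_GROUPS.items()}  # work on a copy
    baseline = sync_role_members(role, ad)

    # Scenario: bob is removed from SIEM-Access but is still in SOC-Analysts,
    # so the role membership does not change.
    ad["SIEM-Access"].discard("bob")
    after_removal = sync_role_members(role, ad)

    # Scenario: IR-Team is unlinked; only dave, who is in no other linked
    # group, drops out of the role.
    unlinked = sync_role_members([g for g in role if g != "IR-Team"], ad)

    return {
        "baseline": sorted(baseline),
        "after_bob_removed_from_siem": diff_membership(baseline, after_removal),
        "after_ir_team_unlinked": diff_membership(after_removal, unlinked),
    }

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```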
Using Roles as Approvers in Workflows
Business roles serve double duty: they define access bundles and can act as approver groups in workflows.
Role-Based Approver Resolution
When a workflow Approver node is configured with the By Role resolution method:
- The workflow engine looks up the specified business role
- All members of that role are eligible to approve
- Any single member can approve (or a quorum can be configured)
| Workflow Node | Role Used | Behavior |
| --- | --- | --- |
| "Security Review" Approver | Security Team | Any Security Team member can approve |
| "Compliance Approval" Approver | Compliance Officer | Any Compliance Officer can approve |
| "Executive Sign-Off" Approver | CISO | The CISO (or their delegate) approves |
For more details, see Approver Resolution.
Fallback Email for Notification-Only Roles
Some roles are used purely for notification routing and do not correspond to an AD group. For these roles, configure a Fallback Email so that workflow notifications reach the right people.
| Scenario | Configuration |
| --- | --- |
| CISO role with one person | Link the CISO's user account; set fallback email as backup |
| Compliance Committee (no AD group) | Create the role without linked groups; set fallback email to the committee distribution list |
| External Auditor | Create a role with no AD group; set fallback email to the auditor's email |
Example Business Roles
CISO
| Property | Value |
| --- | --- |
| Category | Executive |
| Description | Chief Information Security Officer responsible for security strategy, risk management, and compliance oversight |
| Linked Groups | Security-Leadership, Audit-ReadAll, Compliance-Reports, Executive-Team |
| Risk Level | High |
| Workflow | Executive Access Approval (Board + CEO) |
Helpdesk
| Property | Value |
| --- | --- |
| Category | IT |
| Description | IT helpdesk staff who handle user support, password resets, and basic account management |
| Linked Groups | Helpdesk-Agents, PasswordReset-Operators, AD-UserAccountManagement |
| Risk Level | Medium |
| Workflow | IT Manager Approval |
IT Admin
| Property | Value |
| --- | --- |
| Category | IT |
| Description | IT administrators with elevated access to servers, network equipment, and management tools |
| Linked Groups | IT-VPN-FullAccess, ServerAdmin-Tier1, Monitoring-ReadWrite, IT-SharedDrive, RemoteDesktop-Admins |
| Risk Level | High |
| Workflow | Two-Level Approval (IT Manager + Security) |
Security Team
| Property | Value |
| --- | --- |
| Category | Security |
| Description | Security operations team members responsible for monitoring, incident response, and threat hunting |
| Linked Groups | SOC-Analysts, SIEM-Access, VulnScanner-Users, IR-Team |
| Risk Level | High |
| Workflow | Security Leadership Approval (CISO) |
Role Statistics and Reporting
Dashboard Metrics
| Metric | Description |
| --- | --- |
| Roles by Category | Distribution of roles across categories |
| Linked vs Unlinked | Percentage of roles properly mapped to AD groups |
| Members per Role | Average and maximum membership counts |
| Role Coverage | Percentage of users who are assigned at least one business role |
Common Issues
| Issue | Cause | Resolution |
| --- | --- | --- |
| Role shows 0 members | Auto-sync not enabled or linked groups are empty | Enable auto-sync and verify group membership in AD |
| Unlinked role | No AD groups mapped | Link at least one AD group or configure a fallback email |
| Duplicate role members | User is in multiple linked groups | This is expected behavior; the member appears once in the role |
| Stale membership | Sync has not run recently | Run a synchronization to refresh group memberships |
Best Practices
- Map roles to real job functions -- Roles should reflect how people work, not how AD groups are structured
- Keep roles focused -- Each role should represent a single responsibility; avoid "super roles" with dozens of groups
- Use meaningful names -- "Security Analyst" is better than "SecRole-01"
- Write detailed descriptions -- Help catalog users understand what access a role provides
- Review regularly -- As AD groups change, verify that linked groups are still appropriate
- Set accurate risk levels -- Risk levels drive workflow routing in the Access Catalog
- Enable auto-sync -- Keep role membership in sync with AD to avoid stale data
- Use roles as approvers -- Leverage business roles in Workflow Designer for dynamic approver resolution
Next Steps