If a user has a Role as a direct entitlement and later becomes a member of another Role (Parent) that has the same Role (Child) as an entitlement, their access to the Child Role is not getting revoked if the Child Role is removed from the Parent Role.
For example, if a user has direct access to a Technical Role and is later granted membership to a Business Role that has the Technical Role as an entitlement, their access to the Technical Role is now explained via their membership to the Business Role. If the Technical Role entitlement is removed from the Business Role, the user should lose access to the Technical Role unless they belong to one or more other Business Roles that have that same Technical Role as an entitlement. Once they do not belong to any Business Role that explains their right to be a member of the Technical Role, they are no longer entitled to be a member of the Technical Role regardless of how they originally acquired that access.
Create Technical Role 1 with no entitlements.
Add user Cherry Blossom as a member of Technical Role 1.
Cherry Blossom now has direct access to Technical Role 1.
Create Business Role 1.
Add Technical Role 1 as an entitlement to Business Role 1.
Add user Cherry Blossom as a member of Business Role 1.
Now Cherry Blossom's access toTechnical Role 1 is explained by her membership to Business Role 1.
The problem occurs if Technical Role 1 is removed as an entitlement from Business Role 1. In this case Cherry Blossom should lose the access to Technical Role 1 but she does not.
This is a known issue reported in engineering ticket ACM-98417.
This issue is resolved in the following RSA Identity Governance & Lifecycle patch levels: