Local entitlements belonging to roles are not consistently added to users in RSA Identity Governance & Lifecycle. This behavior has been seen in the following two circumstances. There may be other scenarios as well.

1. Roles have nested entitlements, or
2. Members of roles are removed from a role and later added back to the same role.

Below is an example use case where role entitlements are nested with nested group memberships.

1. Create three Active Directory groups called Group1, Group2, and Group3.
2. Make Group2 a member of Group1.
3. Make Group3 a member of Group 2.
4. These groups and subgroups are collected into an Active Directory Application in RSA Identity Governance & Lifecycle.
5. Create three technical roles called Group1, Group2, Group3 (names same as groups). AD Group1 is a member of technical role Group1, AD Group2 is a member of technical role Group2 and AD Group3 is a member of technical role Group3.   
6. Create a business role called Business Role and initially add technical role Group3 as an entitlement to the business role. Add UserID1 to the business role.
7. When changes are applied, a change request is created with two role changes, one account change, and two user changes. This is correct and expected behavior.

Image description

8. Add technical role Group2 as an entitlement to the Business Role and apply changes. 
9. A change request is created with two role changes and one user change. The expected account change that would add account UserID1 to Group2 is missing. 

Image description