I'm currently evaluating RSA Identity G&L and when I compare two scenarios I followed, the result is unexpected.
I would appreciate if someone with more experience could confirm if this is a bug or intended behaviour.
I have an application configured both for account/app-role collection and AFX fulfillment.
I checked "Entitlements Require Account" so that assigning app-roles create an account.
In scenario #1: I collect existing accounts and app-roles, then I map them manually to users.
As a result, the account and app-roles are visible in the user details (user "Access" tab, where I can add more entitlements).
In scenario #2: I add one or several app-roles to a user with no prior account in this application, and launch the change request. After approval and fulfillment, the account is created by AFX and app-roles are also assigned in the target application. After account+entitlement collection, the fulfillment is verified and the change request complete.
In the user "Access" tab, the account becomes visible, but not app-roles. The app-roles are linked to the account but not to the user.
I find this result surprising: I would really expect entitlements added in this tab to become visible at the same location.
Does this look like a bug?
I'm using 7.0.1 P02.