This has been bugging me for a while. RRSD is a bit of a black box and that offends me personally.
Anyway, I know that when you send an event for a user or Resource or Role into the driver, the policies throw away the specific attribute changes and convert the operation from <modify> or <add> to <nrf:request> or <nrf:role> or <nrf:Identity> 'commands' instead of 'events'.
Then the shim considers the object in its entirety. This makes sense for a Role or Resource. Look at the associated Resources or child/parent roles and consider what the membership looks like and check that everyone listed has the needed child roles or resources.
But in the case of a user, it re-evaluates the Roles assigned. Thus the question... Where does it look for the assigned Roles?
If you remove an nrfAssignedRoles value from a user and migrate through RRSD it should be put back.
Is it looking at nrfRequest objects? But the default is to delete those within 7 days, so what happens on the 8th day?
There is much here I do not understand and would like to understand. Does anyone have some insight to share?