Is it normal that when we remove an entitlement through an ARS request, both the entitlement and its mapped entitlements peers are staged for removal, but doing the same via the UI + triggering Technical Rule's "Remove Birthright Access if condition fails" retains the the mapped entitlements?
---
For context, we have a technical rule that assigns an entitlement based on the user's department + role. A subset of departments have a secondary entitlement tied to these department entitlements which are being added via entitlement mappings.
When an ARS request is made to remove their department entitlement, both the department entitlement and the mapped entitlement are staged for removal.
However, if we modify the user from the UI and trigger the technical rule via a User Update rule, the technical rule's "Remove Birthright Access if condition fails" removes only the department entitlement. The corresponding mapped entitlement stays on the account.
Is this expected behavior, and is there a recommended work-around? I understand we could duplicate the entitlement map as if-else technical rule logic, but this seems unnecessarily over complicated and difficult to maintain.
