09/09/2024 04:18 AM
We've set up a role hierarchy where users are assigned a role as a birthright by technical rules. The roles inherit entitlements from child roles in a hierarchy. It seems to work, but then an AD import job recreated the contents of the account_entitlements1 table, clearing the values in the assignedFromRule, assignedFromRole and assignedFromRoles columns. So when user tech rules are re-evaluated and users no longer match the conditions of the technical rule, Saviynt won't remove the entitlements, since the account_entitlements1 table no longer contains the information that the entitlements were added from a rule and a role.
I have set up a RetrofitJob (tried both the Rule and Role options) to restore these values in the account_entitlements1 table. It's able to restore the values for the entitlements that belong to the roles that have been assigned to users, but it doesn't restore the values for entitlements that were inherited from a child role. Is this expected behaviour?
If RetrofitJob cannot restore those entitlements, then I'm thinking of changing the design so that a parent-child relationship is not established between the roles, but users will be directly assigned membership in all the required roles in the hierarchy.
09/09/2024 05:09 AM
Hi @Sampo, yes, sort of expected for now, because no child role reference is added in the table.
09/09/2024 05:31 AM