A scenario has been identified in which revoking Provisioning Roles (PR) does not remove the associated Groups from Active Directory (AD)
1) There is a Provisioning Role called "VPN" that is connected to the Account Template that contains membership to a AD group
2) A user account on the AD endpoint already exists
3) Assigning "VPN" Provisioning Role assigns the group to the user
4) Revoking "VPN" Provisioning Role does not remove group from the user.
The account template is using weak synchronization.
Release : 14.1
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
An issue has been identified in the synchronization code. The issue is resolved in 14.1 CP9