We have an access role "A" and an identity policy that assigns a provisioning role to members of "A". This provisioning role has an account template that assigns an Active Directory group.
If we add the access role with the "Modify User" task, the identity policy is triggered, the user gets the provisioning role, and through its account template the user's AD account gets the AD group.
If we add the access role with the "Modify Access Role Members/Administrators" task, the identity policy is triggered and we can see the corresponding provisioning role in Provisioning Manager, but the user does not get the Active Directory group (until we force a sync in Provisioning Manager)!
Release: 14.4
Product: Identity Manager
When the Modify User task is executed to assign the access role to a user, the primary object at the task level is User; for this reason IDM sends the synchronization flag to the provisioning server.
When the Modify Access Role Members/Administrators task is executed to add a user as a member, the primary object at the task level is Access Role, so IDM sends neither a User Synch nor an Account Synch to the provisioning server. In this case synchronization has to be set at the event level, because Identity Manager has the information about the event and the event object. The task then executes a provisioning event, IDM sends the synchronization flag to the provisioning server, the account is created and the group is attached.