Changing the Default AD Group–Based Role via the Profile Page Fails with “The Default Role Selection Is Not Valid” Error

Article ID: 416015


Products

  • Data Loss Prevention Core Package
  • Data Loss Prevention Enforce
  • Data Loss Prevention Enterprise Suite
  • Data Loss Prevention

Issue/Introduction

When a user who is assigned multiple Active Directory group–based roles logs in to the Enforce Console and attempts to change the default role by clicking the Profile button (/ProtectManager/enforce/profile/edit), a validation error occurs when saving the change. As a result, the default role cannot be updated. Additionally, the automatically assigned AD-based DLP roles temporarily disappear from the list, and the following validation error is displayed: "The default Role selection is not valid".

This issue only occurs when changing the default role through the Profile page. Changing the role through System > Login Management > DLP Users > User Edit works as expected.

 

Environment

The issue is limited to the Profile page role update validation and does not affect AD synchronization or role mapping.
The user can either change the default role from the DLP Users management page or log in again with the desired role using the role prefix syntax.

Resolution

Workaround:

  • If the affected user has the User Administration privilege, the default role can be changed using the following path:
    System > Login Management > DLP Users > Configure DLP User > User Edit
  • If the user does not have the User Administration privilege, another DLP user with the User Administration privilege can make the change on their behalf through the same path.
  • Alternatively, the user can manually log in under a different role by entering the following syntax in the Login field:
    <Role>\<UserID>
  • If the user accidentally saves a non-AD role as the default role and their AD-based roles disappear, these roles will be automatically restored the next time the Active Directory Login Source is re-imported.