Working with an IDM Implementation where for whatever reason they used
LDAP to modify nrfAssignedTo on lots of users. In the end this is a bad
idea; they should have actually granted the Roles.

So now we have a mixed case of users who had Roles properly granted, and
others who did not. What I am trying to figure out is whether there is enough
data in the vault to determine this via LDAP. We will fix it by
granting all the roles properly now, and we have a way to bulk do this.
(Workflow is one way, second way is via Delim Text import, different
tools for different use cases).

So far, I know if I look at an nrfRequest object whose
nrfSourceDN=myUserDN, then they really do have the role assigned.

But my question is, how long do nrfRequest objects (with no expirations)
persist in the AppConfig container? Do they ever go away? I.e., is this
pool of objects a reliable source of data? (I look at some examples and
see objects from 2011, or earlier, so I think it is ok, but I see next
to nothing in 2014, which is odd).

Secondarily the question could be rephrased as, where are Role
assignments really stored? Is the only place nrfRequest? Does the DB
have a copy? Or is it somewhere else I am missing?

Version of UA probably is irrelevant, but since someone will ask to
stall, it is 4.02D on SLES 11 SP3, 64 bit on JBoss, with a Postgres DB.
This issue should be much the same on all versions of RBPM, since it is
a core principle of how it all works.

Third question would come down to: what is the ECMA function
RoleVault.getRolesUserIn(userDN) looking at?