When calling token do-add-role (or do-remove-role), the request actually goes to the UserApp, which does its magic to change the role assignment, does this happen synchronously or asynchronously? I'm trying to find out if I can provably say that once do-add-role returns, that the role has been added. The docs hint that it might be synchronous, but don't say explicitly.

Ref: https://www.netiq.com/documentation/...oaddrole.html#

Add Role

Initiates a request to the Roles Based Provisioning Module (RBPM) to assign the specified role (in the Role DN field) to the specified user (in the Object field). This field is only available if the Identity Manager server version is set to 3.6 or later. If a policy containing this action encounters an error, Designer generates the error as the local variable error.do-add-role. For more information about local error variables, see Local Variable Selector.

Ref: https://www.netiq.com/documentation/...-add-role.html


The <do-add-role> action initiates a request to the Roles Based Provisioning Module (RBPM) to assign the Role specified by role-id to an Identity. The target Identity is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. If specified by <arg-dn>, the DN must in LDAP format. If the target identity is specified by either <arg-dn> or <arg-association>, then the role-assignment-type must be specifed from one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. If the role-assignment-type is not specified, then the assignment type is defaulted to USER_TO_ROLE. The request is made to the RBPM enabled User Application server specified by url using credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by named <arg-string>'s. 
If any type of error occurs while requestion the role assignment, the error string will be available to the enclosing policy in the local variable named error.do-add-role. Otherwise that local variable will be unavailable.

The way I'd like to read this is that if error-do-add-role does not exist, then I'm reasonably sure that the role request has been accepted, processed, and completed. But, I could also read this as saying that if there is a problem submitting the request, then error.do-add-role gets set, so I can only say that if error.do-add-role doesn't exist, then submission of the request was ok, but I have no information as to whether the request has actually been processed and completed.