Why did modifications to the constraints of a security role only affect new hires for Annie?

The answer highlights that modifications to the constraints of a security role will impact previously assigned users only if they are removed and re-added to that role. This is due to how permissions are assigned and managed within the system. When a user is initially assigned a role, they inherit the permissions associated with that role at that point in time.

If changes or modifications are made to the role afterward, existing users who have already been assigned the role do not automatically receive those updates. The security role essentially locks in the permissions based on the state of the role at the time of assignment. Therefore, to see any changes, those users must be re-assigned the role, which prompts the system to refresh their permissions according to the current attributes of that role.

New hires, on the other hand, would be granted the latest version of the role, including any modifications made after the role’s original definitions. This is why changes only come into effect for new users assigned to the role going forward. The requirement of removing and re-adding users to see changes ensures that the system maintains an accurate and manageable approach to security permissions, preventing unexpected privilege escalations or losses among users who had already been assigned a role prior to the modification.