Catch Misconfigured Role Assignments Before They Cause Problems

February 11, 2026 · GrantFlow Team

There's a frustrating failure mode in any access management system: a user is told they're eligible for a role, they request it, and then the activation fails because the underlying configuration was never quite right. We've shipped smarter validation at assignment time to catch these problems before users ever see them.

The problem

Role misconfiguration is easy to introduce and hard to notice. An admin creates a role that references an AD group in a specific domain — but the connector for that domain is misconfigured. Or a role is assigned to a user who doesn't exist in the connector's scope. The role shows up in the user's request list, they submit a request, it gets approved, and then provisioning fails. At that point, the user is blocked and the admin needs to untangle why.

What's new

GrantFlow now runs a validation pass when an assignment is created or updated:

  • Connector availability check — the connector referenced by the role's provisioning steps is confirmed to be active and reachable
  • Principal resolution — the assigned user or group is verified to exist within the connector's sync scope
  • Provisioning consistency — the configuration used at assignment time is validated against the same rules applied during activation, so there are no surprises at request time
  • Immediate feedback — if validation fails, the assignment UI shows a clear, specific explanation of what's wrong and what to fix — not a generic error
  • Soft warnings for degraded connectors — if a connector is temporarily unhealthy at assignment time, GrantFlow creates the assignment with a warning rather than blocking it, and re-validates when the connector recovers

How it affects your workflow

For administrators, the change is visible in the Assignments view. After adding a user or group to a role, a validation indicator appears next to the new assignment. A green check means everything looks good. An amber warning means the assignment was created but has a non-blocking concern (typically a temporarily degraded connector). A red indicator means the assignment has a configuration error that should be resolved before the user tries to activate.

For end users, the most visible change is that activations succeed more consistently. Roles that appear in the request list are now much more likely to provision successfully on the first attempt.
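To make the validation pass and the three indicator states described above concrete, here is an added sketch; it is not GrantFlow's code or API. All names (`Connector`, `validate_assignment`, `revalidate_pending`, the sample domains) are hypothetical, and deferring principal resolution while a connector is degraded is an assumption.

```python
from dataclasses import dataclass
from enum import Enum

class Health(Enum):
    ACTIVE = "active"
    DEGRADED = "degraded"  # temporarily unhealthy
    DOWN = "down"          # inactive, unreachable or misconfigured

class Status(Enum):
    OK = "green"
    WARNING = "amber"
    ERROR = "red"

@dataclass
class Connector:           # hypothetical model of a directory connector
    domain: str
    health: Health
    scope: set             # principals inside the connector's sync scope

@dataclass
class Result:
    status: Status
    message: str
    revalidate: bool = False  # re-run when the connector recovers

def validate_assignment(principal, role_domain, connectors):
    """One rule set, intended to be called at assignment and at activation."""
    conn = connectors.get(role_domain)
    # Connector availability: the role's domain needs an active connector.
    if conn is None or conn.health is Health.DOWN:
        return Result(Status.ERROR,
                      f"No active connector for domain '{role_domain}'.")
    # Degraded connector: do not block, warn and queue a re-check (assumption:
    # scope data is not trusted until the connector is healthy again).
    if conn.health is Health.DEGRADED:
        return Result(Status.WARNING,
                      f"Connector for '{role_domain}' is degraded; "
                      "assignment created, will re-validate on recovery.",
                      revalidate=True)
    # Principal resolution: the user or group must be in the sync scope.
    if principal not in conn.scope:
        return Result(Status.ERROR,
                      f"'{principal}' is outside the sync scope of "
                      f"the '{role_domain}' connector.")
    return Result(Status.OK, "Assignment validated.")

def revalidate_pending(pending, connectors):
    """Re-check (principal, domain) pairs that were created with a warning."""
    return {p: validate_assignment(p[0], p[1], connectors) for p in pending}
```

Calling the same function from the activation path is what keeps assignment-time and request-time results consistent in this sketch.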

See the Assignments guide and Role Management guide for details.

What's next

We're extending validation to cover custom provisioning actions (webhooks, external API calls) and adding a bulk re-validation sweep that runs nightly to catch assignments that may have become invalid since they were created.