when a provisioning policy is modifed for including/excluding a role membership, it can not be seen in the operation audit.
Is it enough to remark the erpolicymembership=erpolicymembership entry in the enRoleHiddenSearchAttributes.properties file?.
There is another similar entry named ermembership, what is that means?.
Btw, I think we will remarked the erpolicytarget entry too to enrich the provisioning policies audit.
From my point of view, this information is very interested to forensic analysis when an authorization is done and it is needed to know how it was done. In additional the space impact in the Database and a bit less performance, from your point of view, are there any reason to be unset by default?.
Thanks in advance.