How does role hierarchy change enforcement work in ITIM 5.1?

Gaurav Sharma

"The people affected by the role hierarchy change operation are evaluated against all applicable policies in the system, including policies that are not related to any of the parent roles. As a result, you might find accounts not related to the role hierarchy change that are being enforced."

Can someone explain in layman's terms what exactly the above lines are trying to convey, e.g.:

when does a role hierarchy change operation occur?

what are the applicable policies here, and how will the change be evaluated?

Yiannis Kakavas

You have only the above part of a longer chapter, and it sounds a little out of context, but it is not that complicated.

Role hierarchies have to do with relationships between roles. In ITIM/ISIM you can define that roles are parents/children of other roles and thus create hierarchies. It also supports the notion of inheritance, so that, for example, provisioning policies that apply to the parent role apply to the child roles as well.

A role hierarchy change happens when you add a parent or a child to a given role. If, for example, you had Role1 and a provisioning policy that applies to this role, then when you add Role2 as a child of Role1, the provisioning policy will now apply to Role2 too.

As for the other matter in discussion, let's start with two facts:

  1. You might have a number of provisioning policies in your system. Depending on how the policy membership is set up, each one of those can apply to specific roles, groups, or all the persons in your system.
  2. In the default ITIM configuration, each time you modify a person, the modifyPerson workflow is executed. This can contain a number of nodes, but by default it contains a modifyPerson node and an enforcePolicy node. The modifyPerson node performs, as the name implies, the modifications on the person object in ITIM. The enforcePolicy node, again as the name implies, evaluates ALL applicable provisioning policies for the person and performs the necessary actions on the person's accounts according to the provisioning policies.

What the sentence you quoted says is that when you add a role (RoleA) as a child of another role (RoleB), the provisioning policy (let's call it Policy1) that applies to RoleA now applies to RoleB also. And if you had a person that was a member of RoleB, now that you perform the role hierarchy change, the policies for this person will be evaluated because ITIM needs to enforce Policy1 for him. However, this does not mean that at this time the only policy that applies to this person is Policy1. A number of different policies can apply to him, and ALL of them will be evaluated at this time. This can lead to changes in other accounts or more changes in the same account of this person.

By the way, this has been modified a little bit with ISIM 6, FixPack 3, Intermittent FixPack 11. Now the enforcePolicy node in the workflow can be configured to only take into consideration the provisioning policies that need to be re-evaluated for the specific change that happens, and not blindly go through and evaluate everything again.
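The mechanism described in the answer above, as an added simulation that is not part of the original post and is not IBM ITIM/ISIM code or its API: a small model of roles, provisioning policies and persons in which adding a child role makes the child inherit the parent's policies (the direction the answer describes for Role1/Role2), and in which the enforcePolicy step either evaluates every applicable policy for each affected person (the default behaviour the quoted sentence warns about) or only the policies that newly apply because of the change (the scoped mode mentioned for the later ISIM fix). All class and function names, the two policies, the services and the drift in alice's AD account are constructed for this example.

```python
"""Constructed model of role-hierarchy-change enforcement, written for this page.
Not ITIM/ISIM code: the names below (Policy, Person, Directory, enforce_policy,
add_child_role) and the sample data are assumptions made for the illustration.
Assumes, as the answer states, that a child role inherits its parents' policies."""

from dataclasses import dataclass, field


@dataclass
class Policy:
    """A provisioning policy. member_roles is the policy membership (an empty
    set means "all persons"); it requires an account on `service` that holds
    `entitlements`."""
    name: str
    member_roles: frozenset
    service: str
    entitlements: frozenset


@dataclass
class Person:
    name: str
    roles: set                                    # directly assigned role names
    accounts: dict = field(default_factory=dict)  # service -> set of entitlements


class Directory:
    def __init__(self):
        self.parents = {}      # child role name -> set of parent role names
        self.policies = []
        self.persons = {}
        self.log = []          # (person, policy, service, entitlements added)

    def effective_roles(self, person):
        """Direct roles plus every ancestor, because membership of a child role
        counts as membership of its parents for policy evaluation."""
        seen, stack = set(), list(person.roles)
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.parents.get(role, ()))
        return seen

    def applicable_policies(self, person):
        roles = self.effective_roles(person)
        return [p for p in self.policies
                if not p.member_roles or p.member_roles & roles]

    def enforce_policy(self, person, only=None):
        """Bring the person's accounts in line with provisioning policies.
        only=None models the default enforcePolicy node: EVERY applicable policy
        is evaluated, so drift in unrelated accounts is corrected too.
        only=<set of policy names> models the scoped mode: just the policies
        affected by the triggering change are evaluated."""
        touched = []
        for pol in self.applicable_policies(person):
            if only is not None and pol.name not in only:
                continue
            have = person.accounts.setdefault(pol.service, set())
            missing = pol.entitlements - have
            if missing:
                have |= missing
                touched.append((pol.name, pol.service, frozenset(missing)))
        self.log.extend((person.name, *t) for t in touched)
        return touched

    def add_child_role(self, parent, child, scoped=False):
        """The role hierarchy change: make `child` a child of `parent`, then run
        enforcement for every person whose set of applicable policies grew."""
        before = {n: {p.name for p in self.applicable_policies(per)}
                  for n, per in self.persons.items()}
        self.parents.setdefault(child, set()).add(parent)
        results = {}
        for n, per in self.persons.items():
            newly = {p.name for p in self.applicable_policies(per)} - before[n]
            if not newly:
                continue   # person not affected by this hierarchy change
            results[n] = self.enforce_policy(per, only=newly if scoped else None)
        return results


def demo(scoped):
    """Role2 becomes a child of Role1. Policy1 applies to Role1; PolicyAll
    applies to everyone. alice (member of Role2 only) has a constructed AD
    account that is missing the VPN group PolicyAll requires: drift that has
    nothing to do with the role change."""
    d = Directory()
    d.policies = [
        Policy("Policy1", frozenset({"Role1"}), "ldap", frozenset({"cn=staff"})),
        Policy("PolicyAll", frozenset(), "ad", frozenset({"Domain Users", "VPN"})),
    ]
    d.persons = {
        "alice": Person("alice", {"Role2"}, {"ad": {"Domain Users"}}),
        "bob": Person("bob", {"Role3"}, {"ad": {"Domain Users", "VPN"}}),
    }
    return d.add_child_role("Role1", "Role2", scoped=scoped)


if __name__ == "__main__":
    print("default enforcement:", demo(scoped=False))
    print("scoped enforcement: ", demo(scoped=True))
```

In the default run alice's enforcement touches two accounts: the new LDAP account that Policy1 now grants her through Role1, and her AD account, which PolicyAll was already entitled to fix but which nobody had re-evaluated until the hierarchy change triggered the node. bob is untouched because his applicable policies did not change. In the scoped run only Policy1 is evaluated and the AD drift stays. Whichever mode a deployment uses, the practical check before a role hierarchy change is to list the members of the child role and the policies that apply to them, so that unrelated account changes are expected rather than discovered.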
