[BUG-13327,13328] Security level rules remain active for deleted security levels

I was playing around with security level rules on a recent nightly build (b2019031902), and deleted some levels that had rules on one of my identity providers. The next time I did a test login on that identity provider, the “Security Level Grants” showed that I still had the level that had been deleted. When I re-added the security level back to the list, my old expression was still there.

I think keeping the expression around is neat in case you accidentally delete a level you don’t mean to, but it probably shouldn’t be granted anymore when someone logs in if the level doesn’t exist in the tree…

What you are describing is working as designed. Just because a security level is not defined in the main security level tree config doesn’t mean it cannot be granted. The main security level tree is an IdP-agnostic authorization reference model which guides you in bridging the IdP-specific granting configuration and the application access control specific logic. In this way, you may build your application authorization model in a vacuum and deal with mapping the necessary logic to grant access in this model during IdP-configuration.

Each Identity Provider configuration drives how a security level is granted. When you delete the security level from the main security level tree and save, then go to the Identity Provider config which has the user grant or security level rule for the “deleted” security level, you should still see that rule or grant there. There should also be some visual indication that the grant or rule does not map to a security level on the main tree so that it is clear to you. Delete it from this config in order to make sure that the IdP no longer grants it.
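
As an added illustration of the behaviour described above (this is example code, not Ignition's own, and the tree and IdP config structures are constructed assumptions): a small audit that flattens the main security level tree and reports every IdP rule or user grant that still points at a level missing from it, which is the check the missing UI indication would otherwise provide.

```python
# Added example, not Ignition code: audit an IdP config for security-level rules
# and user grants that reference levels no longer present in the main tree.
from typing import Dict, List, Set

# Constructed sample tree: nested dict, each key is a security level name.
SECURITY_LEVEL_TREE = {
    "Authenticated": {
        "Roles": {"Administrator": {}, "Operator": {}},
    },
    "Public": {},
}

# Constructed sample IdP config (assumed layout): rules map a level path to an
# expression, grants map a username to the level paths granted directly.
IDP_CONFIG = {
    "securityLevelRules": {
        "Authenticated/Roles/Administrator": '{idp-attributes:group} = "admins"',
        "Authenticated/Roles/Maintenance": "1",  # level deleted, rule "1" kept
    },
    "userGrants": {
        "alice": ["Authenticated/Roles/Operator", "Authenticated/Roles/Supervisor"],
    },
}


def flatten_tree(tree: Dict, prefix: str = "") -> Set[str]:
    """Return every level path ("A/B/C") present in the nested tree."""
    paths: Set[str] = set()
    for name, children in tree.items():
        path = f"{prefix}/{name}" if prefix else name
        paths.add(path)
        paths.update(flatten_tree(children, path))
    return paths


def find_orphan_references(tree: Dict, idp_config: Dict) -> List[str]:
    """Sorted list of rules/grants whose level is missing from the tree.

    These would still be granted at login (the thread's point), so they are
    the ones to delete from the IdP config if the grant is no longer wanted.
    """
    known = flatten_tree(tree)
    orphans: List[str] = []
    for level in idp_config.get("securityLevelRules", {}):
        if level not in known:
            orphans.append(f"rule -> {level}")
    for user, levels in idp_config.get("userGrants", {}).items():
        for level in levels:
            if level not in known:
                orphans.append(f"grant[{user}] -> {level}")
    return sorted(orphans)
```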

Okay. That is a slight paradigm shift in how I think of security levels, but it actually makes a little more sense now. Thank you.

While the rest of your reply made sense, this doesn't appear to be true for me right now. You may want to double-check this on your side. I was using a super-simple rule that just had the expression 1, so it would always be enabled, if that matters.

Ah, you are correct in calling me out. Looks like we still have a ticket in the backlog to add the UI indication for the case where a security level rule or user grant points to a missing security level. We’ll update this thread when that gets completed.