Using the default managed/user config, there are two properties of the "object" binding presented to the onUpdate script which are not always defined - effectiveRoles and effectiveAssignments. They are missing when the user is granted access to a role using the "PATCH" method of relationship creation; everything works fine when using the "POST" method. To demonstrate the issue, consider this setup:
Add this to your onUpdate script:
Then, add a role to a user with a POST to the "roles" endpoint, like so:
The output from the log statement is something like this:
Now try using PATCH to update the "roles" field on the base user endpoint, like so:
Using this method, we see this output to the console:
Semantically, these two operations should be identical. However, as you can see they are producing very different behavior for effectiveRoles within the onUpdate script. Testing with effectiveAssignments shows the same inconsistent behavior.
Considering these are both "relationship-derived virtual properties" (e.g. they use the "queryConfig" with "isVirtual"), it's likely that plays a significant part in the unusual behavior for these attributes. It's also likely that other RDVP properties (such as the new org-model attributes) suffer from this same issue.
It is worth noting that the Native IDM Admin UI uses the POST method for creating relationships, while the new Platform Admin UI uses the PATCH method.