
When permission changes take effect

Permission changes in Brief Connect do not always apply instantly to every existing record.

This is because Brief Connect needs to recalculate and reapply permissions for affected records (and, where applicable, update item-level permissions in SharePoint). Depending on how many records are affected, this can take time and can place noticeable load on SharePoint and Microsoft Graph.

What changes can require propagation

Any change that alters who should have access, or what they can do, can require propagation across existing records, including:

Why it is not immediate

At runtime, Brief Connect evaluates access using a combination of:

  • The active configuration (permission sets, role assignments, and related settings)
  • Per-record calculated access state
  • External directory data (for example, Entra ID group membership)

When you change a rule, Brief Connect must go back through the records impacted by that rule and apply the new access model. In practice, this often means performing many SharePoint operations (for example, updating permissions on record documents) and, in some cases, Microsoft Graph calls.

How permissions are refreshed

There are four common ways permissions are refreshed.

1) Automatic refresh when a record changes

If a record is updated (for example: metadata changes, stage/workflow updates, task updates, supporting document changes), Brief Connect will typically recalculate permissions for that record as part of the update.

This is the most targeted option, but only affects the records that get touched.

2) Scheduled overnight refresh

Most environments run a scheduled background job overnight that detects records with stale permissions and refreshes them.

This is the preferred approach for changes that happen outside Brief Connect (for example, Entra ID group membership changes), because it avoids doing large amounts of work during business hours.

The exact run time is environment-specific.

3) On-demand refresh via the Web API

If you need changes to apply sooner, you can trigger an on-demand refresh.

  • Refresh stale records (recommended first):

    POST /api/permissions/refresh
    Content-Type: application/json

    false

  • Force refresh all records (use with caution):

    POST /api/permissions/refresh
    Content-Type: application/json

    true

  • Force refresh a single record:

    POST /api/permissions/refresh/{recordId}

Only use bulk refresh during low-usage periods. A forced refresh can generate significant SharePoint and Microsoft Graph traffic.

For background job details, see Background Permissions Management.
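
The following Python sketch is an added example, not Brief Connect's own code: it builds the three refresh requests listed above, orders them so a single record is refreshed first, and refuses a bulk refresh outside a low-usage window unless explicitly overridden. The host name, bearer-token authentication, the 20:00 to 06:00 window and the record ID format are assumptions; the requests are built but not sent.

```python
import json
from datetime import time
from urllib.parse import quote
from urllib.request import Request

BASE_URL = "https://briefconnect.example.invalid"  # assumption: placeholder host
LOW_USAGE = (time(20, 0), time(6, 0))              # assumption: local low-usage window

def in_low_usage(now, window=LOW_USAGE):
    """True if the datetime `now` falls inside the window (may wrap past midnight)."""
    start, end = window
    t = now.time()
    return (start <= t or t < end) if start > end else (start <= t < end)

def build_refresh(record_id=None, force=False, token="<access-token>"):
    """Build (do not send) one of the three refresh requests from the page."""
    headers = {"Authorization": f"Bearer {token}"}  # assumption: bearer auth
    if record_id is not None:
        # Single-record refresh: record ID in the path, no request body.
        # Percent-encode the ID so it cannot alter the path.
        rid = quote(str(record_id), safe="")
        return Request(f"{BASE_URL}/api/permissions/refresh/{rid}",
                       method="POST", headers=headers)
    # Bulk refresh: the body is a bare JSON boolean, false = stale only, true = all.
    headers["Content-Type"] = "application/json"
    body = json.dumps(bool(force)).encode()
    return Request(f"{BASE_URL}/api/permissions/refresh",
                   data=body, method="POST", headers=headers)

def plan_refresh(now, validate_record_id, force_all=False, allow_business_hours=False):
    """Return [single-record request, bulk request] in the order to send them.

    The caller sends the first request, verifies access on that record,
    and only then sends the bulk request.
    """
    if not validate_record_id:
        raise ValueError("a record ID is required for the validation step")
    if not in_low_usage(now) and not allow_business_hours:
        raise PermissionError("bulk refresh is restricted to the low-usage window")
    return [build_refresh(record_id=validate_record_id),
            build_refresh(force=force_all)]
```

Each returned object can be passed to `urllib.request.urlopen` once a real host and token are supplied.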

4) Targeted refresh by updating a record

If you only need to validate a permissions change, a practical approach is to update a single record (for example, a small metadata edit) and then verify access. This causes a recalculation for that record without processing the entire dataset.

Common scenarios and what to expect

Scenario: change a role assignment from read to edit

Example: a role assignment previously granted the "Lead Author" role read-only access to documents, and you update it to grant edit access.

  • Existing records that match the role assignment typically need to be refreshed before the new document permissions are applied in SharePoint.
  • The amount of work is proportional to the number of affected records and documents.

Scenario: change Entra ID group membership

Example: you add or remove a user from an Entra ID security group that is referenced by a role assignment.

  • Brief Connect must resolve group membership via Microsoft Graph.
  • Group membership data is cached, so changes in Entra ID may not be visible to Brief Connect immediately.
  • The overnight refresh is the safest way to bring access into sync; for urgent changes, use the on-demand refresh endpoints.

Scenario: update proxy users

Proxy changes are part of the permissions CRC calculation, so they are also subject to permissions recalculation.

Recommended approach:

  • Prefer waiting for the nightly permissions refresh to bring record access into sync.
  • If the change is urgent, use an on-demand refresh (ideally start with a single record refresh to validate behaviour).

Scenario: a Brief Connect User Group is assigned to a record role

Brief Connect User Groups (managed in Brief Connect) are expanded to their individual members when permissions are calculated.

  • If you change membership of a Brief Connect User Group, existing records that depend on that group may not reflect the change until their permissions are recalculated.
  • Use the overnight refresh, update a specific record, or trigger an on-demand refresh depending on urgency and scale.

See Managing groups for role assignment and workflow tasks.

Practical guidance

  • Make high-impact permission changes out of hours where possible.
  • Prefer the nightly refresh for Entra ID group membership changes.
  • For urgent issues, refresh a single record first to confirm the change behaves as intended, then consider a wider refresh.