Adding role to user breaks his access

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.9, 1.3, and even OpenDistro couple years ago

Describe the issue:
We have a user that has 2 roles “sa” and “own_index” as per “View roles and identities” link. All is working as expected, user is able to access indices, alerting etc.

One day the user was added to another group and granted an additional role, call it “dev”, which has limited access to some indices.

Now the user has three roles, “dev”, “own_index”, and “sa”, at his “View roles and identities” link. However, it turns out that the user is now unable to access the data he was able to access previously.
It is now acting as if he just has the “dev” role and no “sa” role.

Configuration:
Pretty straightforward, Keycloak and LDAP as authentication backend.

Question:
Could somebody please point me to the solution for this issue?
Is there a way for the user to gain all his roles rather than only one randomly selected role?

Hi @rlevitsky,

Could you please run the commands below and share the output (NOTE: please blank out any sensitive data):

curl --insecure -u <username>:<password> -XGET "https://<OS_node>:9200/_plugins/_security/authinfo?pretty"

curl --insecure -u <admin>:<password> -XGET https://<OS_node>:9200/_plugins/_security/api/roles/sa

curl --insecure -u <admin>:<password> -XGET https://<OS_node>:9200/_plugins/_security/api/roles/dev

best,
mj

Hi @Mantas ,
Sorry, missed your reply.
This issue was posted multiple times here, say, Users getting least permissions when mapped to multiple roles - #6 by rlevitsky
There is a workaround that worked for me: How is DLS applied when user has multiple roles - #6 by rlevitsky

However, this workaround breaks Index Pattern updating, Weird error when trying to update index pattern - #3 by pablo