Which statement is true about existing users when new permission constraints are applied to a role?

The correct answer is that existing users can only obtain the new constraints if they are removed and then re-added to the role. This reflects the operational structure of many permission systems, where changes to a role—specifically regarding constraints—do not retroactively apply to users already assigned that role.

When new constraints are added to a role, the system typically processes user permissions based on the state at the time of assignment. Therefore, users who were assigned the role prior to the introduction of the new constraints will not automatically receive these constraints. This design decision often aims to ensure stability in existing user permissions and to prevent unexpected alterations that could disrupt user access in ongoing processes.

In contrast, the other options suggest scenarios that do not align with how role-based access control commonly operates. For instance, inheriting new constraints automatically undermines the principle of explicit user permission management, and requiring manual requests is generally not a practice in well-structured permission systems, as efficient role management aims to minimize user intervention. Similarly, stating that existing users' permissions are not affected ignores the fact that constraints are fundamental in defining what permissions a user does or does not have. Thus, acknowledging the necessity to remove and re-add users for them to inherit role changes maintains the integrity of user