When updating a tenant with an application, we expected one of the role's permissions on a specific update would change. This was not the case and wondered why the role was not updated and what might be some things to check.
Currently, the role in question is attached to the application meant to update it.
The permission is to grant the user 'create' for an object is has other permissions in already.
We update tenants through the push update button found in the published apps section of the system console. The published apps are pushed from our development tenant that does have the permission set correctly.