There are two ways you can change a user's permissions: either you can change the policies associated with a role that they have, or you can change the roles associated with their LUSID user.
If you change the policies assigned to a role, for example by adding or removing a policy or policy collection, or by deleting an existing policy or policy collection, the change takes effect immediately. The next request made by the user will take into account the changes to the role.
If you change the roles assigned to a user, then a new API access token is required. For example, if the user is currently signed in to the LUSID web app, they must sign out and sign back in for the role change to take effect. If they continue to use a token that was issued before the role change, it will continue to refer to the user's old set of roles until the token expires.