Removing identity links doesn't remove authorizations


I have a process being accessed purely through the Rest APIs. When a new task is created the candidateGroup is added and an authorization is automatically created for that group to have READ, UPDATE permissions on the task.

If I add another candidate group or candidate user via POST /task/{id}/identity-links, they also get a new authorization created. So far so good.

If I them remove one of the candidates from the task using POST /task/{id}/identity-links/delete they are removed, and that is confirmed by GET /task/{id}/identity-links. However the authorization still exists for the removed candidate group on the task.

I can still see it with GET /authorization?resourceId= and a user in one of those groups can read and update the task.

Shouldn’t the authorization be automatically removed when the candidate group is removed or does this have to be done for each individual authorization?