Hi Ian,
It's usually on all users but only on the system corresponding to which new privileges are associated. So sys1 gets impacted here after you add priv4 considering priv1, priv2 and priv3 are already assigned successfully.
whenever a role is modified it's reconciliation that gets triggered. Refer About the identity store
Cheers,
Karthik