Openshift was initially configured to use IdP/Oauth but creating user with preferred_email as main login ID.
That means that when a user updates/changes its email address at FAS/ACO side, he loses his rights in openshift and deployed applications.
We have a plan to discuss massively reflect a change to get back to user instead of email and process all groups/projects but for the time being, if someone in such situation is creating a ticket, here is a simple way to fix it directly in openshift.
Let's assume that user is foo and his previous email foo@bar.com but he has a new email address now in FAS (which you can query https://fasjson.fedoraproject.org to find).
Basically we have to :
Login on the node that is in the ocp-ci-management ansible group , become ocpadm user and run the following (cli and eventually ansible playbook to come later) :
user="foo"
email="foo@bar.com"
[ocpadm@<node> ~]$ oc get identities | grep "${email}"
CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f CentOS_and_Fedora_account f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f
# Now that we have identity, just delete it
[ocpadm@<node> ~]$ oc delete identity CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f
identity.user.openshift.io "CentOS_and_Fedora_account:f84377f827c00de9cbd03a3cf01af0fc09c2807c16e790d6d07cd0c8a9f58e2f" deleted
# Let's now delete user
[ocpadm@<node> ~]$ oc delete user ${user}
We can now ask the user to login again and his new user will be created and linked with FAS/ACO.
Don't forget to reflect his new email address for his projects and update projecs (like you'd do to create it, so push to git and oc apply)