App authorization -- "what the app asks for" vs "what the user authorized"

There are two different elements that you are likely to have in mind when you think about "authorization":
  * the amount of access that your app requests -- required and optional auth rules
  * the amount of access that any particular user has granted

Think of the first as a domain table, perhaps, and the latter as a collection of values or instances.

The authorization state that the HealthVault platform references at run-time is a set of access that has been approved for a particular application by a particular user on a particular record.  With optional auth, different amounts of access can get approved for different (application, user, record) triples.  This bundle of access is stored in the HealthVault authorization system along with the (app, user, record) triple.

The bundle of data access that gets presented to the user during app auth is a function of what is configured in the online and offline auth rules in ACC.  Changing what is configured in ACC does not change what users have already authorized.  But if a user logs into a HealthVault-connected app and the platform sees that their currently-granted access doesn't cover the required minimum that is configured in ACC, then the user is prompted to re-auth.
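A small model of the distinction above, added here as an illustration (it is not HealthVault SDK or platform code): ACC rules are the "domain table", stored grants are keyed by the (app, user, record) triple, and only a change to the required minimum triggers a re-auth prompt. Rule names and ids are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccRules:
    """What the app asks for, as configured in ACC: required and optional rules."""
    required: frozenset
    optional: frozenset

@dataclass
class AuthorizationStore:
    """Access already approved, stored per (app, user, record) triple."""
    grants: dict = field(default_factory=dict)

    def approve(self, app, user, record, rules, accepted_optional):
        # At app auth the user sees required + optional rules; required is
        # always granted, the user chooses which optional rules to accept.
        unknown = accepted_optional - rules.optional
        if unknown:
            raise ValueError(f"not offered in ACC config: {sorted(unknown)}")
        self.grants[(app, user, record)] = frozenset(rules.required | accepted_optional)

    def granted(self, app, user, record):
        return self.grants.get((app, user, record), frozenset())

def needs_reauth(store, app, user, record, current_rules):
    """True when the stored grant no longer covers the currently required minimum."""
    return not current_rules.required <= store.granted(app, user, record)

def walkthrough():
    """Constructed scenario: ACC config changes vs. an already-stored grant."""
    store = AuthorizationStore()
    triple = ("app-1", "user-a", "record-x")   # placeholder ids
    v1 = AccRules(required=frozenset({"read:weight"}),
                  optional=frozenset({"read:medications"}))
    store.approve(*triple, v1, accepted_optional=frozenset())  # declines optional
    after_auth = needs_reauth(store, *triple, v1)

    # Adding an optional rule in ACC leaves the grant alone and prompts nobody.
    v2 = AccRules(required=v1.required, optional=v1.optional | {"read:allergies"})
    after_optional_change = needs_reauth(store, *triple, v2)

    # Raising the required minimum: the grant is unchanged, so re-auth is needed.
    v3 = AccRules(required=v1.required | {"write:weight"}, optional=v2.optional)
    after_required_change = needs_reauth(store, *triple, v3)
    return {
        "after_auth": after_auth,                       # False
        "after_optional_change": after_optional_change, # False
        "after_required_change": after_required_change, # True
        "grant_unchanged": store.granted(*triple) == frozenset({"read:weight"}),
    }
```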