We are also unable to replicate the behaviour indicated by the screenshot from @princess. The lack of detail from that post isn’t helping the community.
For one, why would Group / Entitlement object be showing up as an Identity in the screenshot?
The group–>group (Parent entitlement → Child entitlement) relationship does not appear to be a supported / documented / catered certifiable line item / object in a certification of the Parent entitlement even though the child entitlement is a ‘member’. i.e. Current observation: Access Review / certification only supports Entitlement → Account relationships.
p.s. I’m of the opinion (and experience) that certification of parent-child nested AD groups / SAP roles / Oracle DB roles are not typically part of IGA. Similar to what’s mentioned by @edmarks here. e.g. IGA doesn’t govern / certify AD tree ACL…
Endpoint-specific privilege association configurations do not generally fall under IGA. Having the client to align with this view is another challenge of its own though.