I have a need to use a form to add a user to an AD group and remove from another group at the same time.
The challenge is: the group being removed is granted from a role - so the form is not allowing the "remove" function.
This is just a timing issue until the role rules are run.
Any ideas?
That is not possible. You will not be able to remove indirect entitlements from a form or from the User's access tab.
What is the use case here? Also, if the entitlement is part of a to-be-removed Role, then why do you not remove the Role Entitlements also as part of the same request?
You can make the application automatically generate indirect entitlement changes by checking the checkbox "Generate Indirect Entitlements" in the Request Workflow used. That way, when you remove a user from a Role, the change request will also try to remove the Role Entitlements (Group in this case) from that user, given that those entitlements are not part of any other Role the user still has.