I have a need to use a form to add a user to an AD group and remove from another group at the same time.
The challenge is: the group being removed, is granted from a role - so the form is not allowing "remove" function.
This is just a timing issue until the role rules are run.
Any ideas?
That is not possible. You will not be able to remove indirect entitlements from a form or from the User's access tab.
What is the use case here? Also if the entitlement is part of a to-be-removed Role then why do you not remove the Role Entitlements also as part of the same request?
You can make the application automatically generate indirect entitlement changes by checking the checkbox "Generate Indirect Entitlements” in the Request Workflow used. That way when you remove a user from a Role, the change request will also try to remove the Role Entitlements (Group in this case) from that user, given that those entitlements are not part of any other Role the user still has.
As Mostafa stated, the role layer has to be removed first in order for the group to be able to be removed accordingly. If you removed the role from the user and had the "include indirect entitlements" option checked, the role only will be removed. If you check the user's access page right after that, you will find the group directly entitled to the user where it will be enabled for removal.
That is not possible. You will not be able to remove indirect entitlements from a form or from the User's access tab.
What is the use case here? Also if the entitlement is part of a to-be-removed Role then why do you not remove the Role Entitlements also as part of the same request?
You can make the application automatically generate indirect entitlement changes by checking the checkbox "Generate Indirect Entitlements” in the Request Workflow used. That way when you remove a user from a Role, the change request will also try to remove the Role Entitlements (Group in this case) from that user, given that those entitlements are not part of any other Role the user still has.