put a rule on an attribute def so that if a user comes out of a group, the user will have disabled dates from
a role which has permissions or removed assignments directly to the user
put a rule on an attribute def so that if a user comes out of a group, the user will be removed from
a role which has permissions or removed assignments directly to the user