Scenario
If a user account is terminated, we want to make sure the roles/groups that user belong to get removed too. There are couple of ways this can be achieved,
1 - Run using Business Rule when account changes inactive run script and remove roles and group.
2 - Trigger flow either as a schedule job, or as part of the user termination flow that disabled the user account in the first place.
Problem
The problem with second approach is, user can be removed from group and roles that are directly assigned but leaves the roles that a user has inherited possibly because of assignment groups/groups user was member of.
Solution
The solution to this problem is attached in the screenshot below, the trick is to grab all roles user is memberof, set inherited to false, wait for few seconds and then look up user roles again and run step to remove roles, and it works like a treat.
