I've seen this implemented and have some thoughts that I can share.  

• Delete is not toes over the edge, it is falling and gone. It is a better practice to inactivate a record if possible. Besides, "audits"... (already explained well by @Deepankar Mathur )
• When a request is made, it would be good to have someone responsible and accountable to click the I understand I'm going to nuke someone's account button, and they practice this and see what happens in a test environment before pushing to prod. 
• If possible get more than one of the above. 
• After approval, in the workflow build out your logic to remove groups/roles as needed. As removing these records (deleting) is normal behavior on the sys_user_grmember and sys_user_has_role tables, but... remove records in that order. Inactivate the user account, reset/scramble the password, set locked out to true. 
• Also note, be sure to only remove the records for the said user in the above-mentioned tables, otherwise, prod will be on fire after dropping all the groups for everyone. 
• Then add catalog tasks to send to the service desk or group responsible to double down on checking this. 
• Finally, send notifications to whoever needs them once the request has been completed. 
• During the whole process, log your steps into the main record programmatically if possible, for example, if this was a standard request it would be on the sc_req_item table. 

Sadly some of the above lessons were hard learned, but the goal here is to express the importance of testing and providing fail-safes for yourself in the code to do these actions. 

Hope this helps