Creating a role just for deprovisioning in ISC

You need a SailPoint account to access that site/documentation. You should be able to create one if you are an active customer/partner. Here is another post talking about how to deploy this rule if you haven’t before. You would still need a SailPoint account to open a request with support to deploy this rule.

In this solution, the role would just provision (grant) only the dummy AD group to the specified group of users given whatever criteria you set.

However, I was just reading through the documentation to respond to this post and I realized I was mistaken. I forgot this rule only has the option to remove all or all but one entitlement, it cannot remove a single specified entitlement. Sorry about that!

Instead, you would either have to write your own Before Provisioning rule, or use something like the AfterModify AD connector rule which will call a PowerShell script to take whatever action, such as removing a group.

There is one more way I just thought of that could work and might be the simplest option. You could make a role with the assignment criteria: if the stale identity attribute is false and the user has the AD group (entitlement) assigned to them, the user gets added to the role. The role would include the AD group (entitlement) in the access assignment also, but it wouldn’t actually assign this group, since being a member of the group in the first place is a requirement to get added to the role. In this case, if the stale identity attribute changes, the users no longer meet the role criteria, and the group would be removed automatically.
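The self-referential role from the last paragraph, simulated as an added example (this is not SailPoint code or the ISC API; the identities, the `stale` attribute name and the group DN are constructed, and the group is assumed to be managed only through this role, not directly assigned):

```python
"""Simulate a role whose membership criteria require the very entitlement it
grants, so it never hands the group out but does remove it when criteria fail.

Added illustration only; identity records, the 'stale' attribute and the
group DN below are constructed and do not come from SailPoint.
"""
from dataclasses import dataclass, field

STALE_ATTR = "stale"  # hypothetical identity attribute
AD_GROUP = "CN=App-Users,OU=Groups,DC=example,DC=com"  # constructed entitlement

# The role's access assignment: the same group the criteria require.
ROLE_ACCESS = {AD_GROUP}


@dataclass
class Identity:
    name: str
    attributes: dict
    entitlements: set = field(default_factory=set)


def role_criteria(identity: Identity) -> bool:
    """Membership rule: stale is false AND the user already holds AD_GROUP."""
    return (identity.attributes.get(STALE_ATTR) is False
            and AD_GROUP in identity.entitlements)


def reconcile(identities):
    """Return the provisioning plan per identity as {'add': [...], 'remove': [...]}.

    An identity should hold the role-managed group only while it meets the
    role criteria (assumption: the group is granted solely via this role).
    Because the criteria already require the group, 'add' is always empty;
    only removals ever result, which is the deprovisioning-only effect.
    """
    plan = {}
    for ident in identities:
        desired = set(ROLE_ACCESS) if role_criteria(ident) else set()
        to_remove = (ident.entitlements & ROLE_ACCESS) - desired
        to_add = desired - ident.entitlements
        plan[ident.name] = {"add": sorted(to_add), "remove": sorted(to_remove)}
    return plan


if __name__ == "__main__":
    # Constructed sample identities: active member, stale member, active non-member.
    sample = [
        Identity("alice", {STALE_ATTR: False}, {AD_GROUP}),
        Identity("bob", {STALE_ATTR: True}, {AD_GROUP}),
        Identity("carol", {STALE_ATTR: False}, set()),
    ]
    for name, actions in reconcile(sample).items():
        print(name, actions)
```

Running it shows that only the stale member gets a removal, and the non-member never gets the group added; this is the behaviour the role needs to act as a pure deprovisioning mechanism.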