Do not deprovision access when removing Role

We have current users with access granted via Role membership but for a subset of these users we want to exclude IDN from handling their access and let Admins manage it manually. To do this, we want to remove the role but not de-provision their access (just for this role).

Is there a sequence of events that can accomplish this in the UI or will this require logic in the Before Provisioning rule?

What would be the best approach to remove Roles from users without taking away the entitlements?

Some options I have:

  • Disable the Roles
  • Disable the Access Profiles
  • Remove the Access Profile from the Role

Then after the users no longer have the role I would reverse the action from above. Is there anything I need to consider from above or would any of these 3 options work better than the others?