Remove the entitlements assigned via Roles/ applications for SAP direct connector

Hi Team,

We are in the process of implementing the SAP provisioning with IdentityNow. SAP account is getting created as request based via application request/ role request. When the user terminated we would like to remove all the assigned roles and keep some default roles within. Is anyone worked on this. Is this needs to be implemented via before provisioning rule or certification campaign to revoke access. Any suggestion will help

Yes, this will require a before provisioning rule.