Share all details related to your problem, including any error messages you may have received.
Why does Sailpoint not allow a user to remove an entitlement if it is not part of an assigned role but is on a detected role?
Also, if there is no way around being able to remove an entitlement from a user and we have to remove it from the role so they can, how long does it take Sailpoint to update before they can submit a request?
Usually, it is recommended to have assignment criteria or IdentitySelector rule to avoid accidental provisioning/deprovisioning. Have you explored that option?
Is there any particular error you are getting when you try to remove the entitlement? Generaly IIQ should not limit you in removal of managed attributes unless you limit it on the quicklink definition level.