- user U with resource R assigned
- group G with resource R assigned
- U member of G
As a result, U has two reasons to be provisioned to R, both direct and via G.
If U is updated by removing the membership for G, U is also deleted from R; this is bad, as one reason (e.g. the direct assignment) is still in place.