- resource RES with mapping for both users and roles
- role ROLE with RES assigned
- user USER with role ROLE assigned, and no RES assigned for other reasons (directly or via another role)
As result, USER is present on the physical resource represented by RES (e.g. an actual LDAP server, for example).
When removing ROLE from Syncope, ROLE is also removed from the physical resource represented by RES, while USER is not removed from the physical resource: this must be fixed, USER is needed to be also removed from there.
If, instead, USER has RES assigned directly or via another role, no action must be performed onto the physical resource.