ah so simple, I overlooked that one.
and do I delete the user from the users in the app to block access? Assuming so but will that be an issue because team members keyfield is the username
Ideally, most app permission ms will come from assigning a Group to an App. That way when you onboard a new user, you just add them to the correct groups and the app permissions are done!As for removing the denied users from groups, I would do that once I know that user has been replaced. ie, the whole purpose of a slow delete of a user is to ensure the smooth onboarding of their replacement.
If you just have one app, it's less of an issue, but I have a client with 50+ apps so we don't want to have a new hire be subjected to all kind of hassles in the first week or two as they try to access apps where their access is incorrect.