We are trying to do some role-based access and are having issues with the current setup. We have ROLE_ groups that are dynamic and then are memberOf groups. This ends up with the user being an indirect member of groups, and some of our external systems do not recognize the AD groups for a user unless they are directly assigned.
Is it possible to set up a PowerShell script that runs when a user is added to one of the ROLE_ groups and is then added to a specified list of AD groups directly? We'd also need to have one run when a user is removed from one of these groups so their old access is revoked.
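One way to approach the add-and-revoke sync asked about above, as an added example that is not part of the original post: a reconciliation that derives the desired direct memberships from the ROLE_ groups and emits the adds and removes needed. The role and group names, the `$RoleMap` table and both function names are hypothetical, and it assumes the target groups are managed only through this mapping.

```powershell
# Added example; every group and user name below is hypothetical.
# Assumption: the target groups are managed only through this mapping.
$RoleMap = @{
    'ROLE_Finance' = @('APP_Ledger', 'SHARE_Finance')
    'ROLE_Audit'   = @('APP_Ledger', 'APP_AuditLog')
}

function Get-MembershipPlan {
    param([hashtable]$RoleMap, [hashtable]$RoleMembers, [hashtable]$CurrentMembers)
    # Desired state: a user belongs in a group if ANY role they hold grants it.
    $desired = @{}
    foreach ($role in $RoleMap.Keys) {
        foreach ($group in $RoleMap[$role]) {
            if (-not $desired.ContainsKey($group)) {
                $desired[$group] = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
            }
            foreach ($user in @($RoleMembers[$role])) {
                if ($user) { [void]$desired[$group].Add($user) }
            }
        }
    }
    # Diff desired against current direct members of each managed group.
    foreach ($group in $desired.Keys) {
        $current = @($CurrentMembers[$group]) | Where-Object { $_ }
        foreach ($user in $desired[$group]) {
            if ($current -notcontains $user) {
                [pscustomobject]@{ Action = 'Add'; Group = $group; User = $user }
            }
        }
        foreach ($user in $current) {
            if (-not $desired[$group].Contains($user)) {
                [pscustomobject]@{ Action = 'Remove'; Group = $group; User = $user }
            }
        }
    }
}

function Invoke-MembershipPlan {
    param([object[]]$Plan)   # requires the ActiveDirectory module
    foreach ($step in $Plan) {
        if ($step.Action -eq 'Add') { Add-ADGroupMember -Identity $step.Group -Members $step.User }
        else { Remove-ADGroupMember -Identity $step.Group -Members $step.User -Confirm:$false }
    }
}

# Constructed sample: alice has left ROLE_Finance but still holds ROLE_Audit.
$roleMembers = @{ 'ROLE_Finance' = @(); 'ROLE_Audit' = @('alice') }
$current = @{ 'APP_Ledger' = @('alice'); 'SHARE_Finance' = @('alice'); 'APP_AuditLog' = @() }
Get-MembershipPlan -RoleMap $RoleMap -RoleMembers $roleMembers -CurrentMembers $current
```

Because the plan is computed from the union of all roles, a group is revoked only when no remaining role grants it, which a per-event "on removal" script gets wrong when roles overlap. In a live domain the two input hashtables would be filled from `Get-ADGroupMember` and the plan reviewed before it is passed to `Invoke-MembershipPlan`.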