Issue summary

In Admin Hub, when a group is configured with multiple product roles (e.g. JSM Customer and Jira User), removing just the JSM Customer role for a user via the UI results in the user being removed from the underlying group entirely. This unintentionally strips the user of the Jira User role as well, even though the admin’s intent was only to remove one specific role. This deterministic behavior is not clearly surfaced and can lead to unexpected access loss for end users.

Feature request / suggestion

Update the behavior and/or UX so that removing a single role from a user who is in a multi-role group does not silently remove all other roles. Some options:

• Introduce a confirmation dialog when the action would remove the user from a group that grants multiple roles, e.g.:
  “Removing this role will remove the user from group <group-name>, which also grants: Jira User. This will revoke those permissions as well. Do you want to continue?”

• Alternatively, prevent the operation from proceeding without an explicit, separate action to remove the user from the group, and surface a clear error or guidance:
  “This user receives additional roles from group <group-name>. To remove only JSM Customer while keeping Jira User, adjust group memberships or role assignments accordingly.”

• Longer term: consider decoupling “remove this role” from “remove this group membership” so that role removal does not implicitly modify group membership unless the admin explicitly chooses that outcome.

The goal is to avoid surprising privilege loss, reduce admin mistakes, and make role effects in Admin Hub more transparent and predictable.