A customer is using dynamic groups to grant RBPM Roles. When they have exceptions they add the user to the excluded members of the dynamic group.

It would be great if the dynamic group could be used in a fulfillment to remove permissions by adding the user to the excluded members. This way custom workflows wouldn't have to always be considered. The customer would still need to clean up data for long term use of the attributes in the filter. You wouldn't want all non-active students at a university added to an excluded list that would accumlate over the years. It would be intended for short term use cases where the rights could be revoked either till the status change comes through on the dynamic filter data that is basing it's rights, or until the user's temporary restrictions can be removed and they are removed from the excluded list. A background job might have to be used to validate if an excluded user could be removed if the ldap filter wouldn't find the user any longer in the group.

Is this a possibility with the current fulfillment architecture to add this as an enhancement request?
If it isn't currently possible, would it be worth to have a worflow template to enable to handle dynamic group exclusions?