We usually use a batch job with a ToIdentityStore pass for this.
Source tab: depending on the process, either a request object or the valid date (or whatever) is used to determine all users which shall be processed on each day (scheduled nightly if time-dependent, or called using uRunJobNow if processed on the same day).
Destination: All PRIV:GROUP's of the users are selected with a {D} using a script (plus any other privileges like Java or SAP or ...)
Additionally we use our own plugins to handle the deprovisioning.
If you are not syncing all groups, use a batch job with a FromLDAP and a filter on all users which shall be deprovisioned, or re-calling the job (using two jobs alternatively).