Exactly.
I noticed that the tag IDM 7.2 was added.
Provisioning should be done from IDM tasks and not locally.
If ABAP is user store then you can use PFCG_COMPRESS_TIMES to remove invalid roles (with all consequences for Java stack).
But the best solution is to have the whole identity pot and assignments centrally in an IDM and manage it there without local interferance, even if it is technically possible.
Cheers,
Julius7