I'm using groups into roles.  In order to block one user in a group of about 2000 users would require me to either script something to block if they are in a different group or create a second group of 1999 to remove the blocked user.  I would then need to manage all 3 groups and ensure users are properly updated between the groups.  I was hoping to not have to manage the groups in this way, since it would just be inherent for human error.

Having 2K users in the same group and used across multiple project in roles is bound to cause some problem at a future date. One of the things you could do is revisit the group and structure it in a way that it can be easily managed. For example, removing one user from the group is easy enough, create another group with only that user and add to the project role of the other project. Why create another group to add 1999 users when the problem is only from 1 user?

This is a unique case related to security and regulatory requirements.  I thought there might be a way to script this to try to block access if user is in a specific group.  That would be much easier and more secure than trying to redesign all of our groups and then manual effort to ensure the user in the secure groups isn't in the other groups they shouldn't be in.  If we can't script it I will look to redesign the roles/groups.

Hey @Tanya B. there are two approaches here you can consider. Either you block access for the entire project, or you block access to issues within the project. The former is done on permission schemes which will involve changing roles within your user's page. This design has to be straight forward enough, so you can change it easily later on. The latter part of this is to use Issue security (create a security level as default) and you can block access to different groups that are not included in the security level. Scripting in my opinion at this stage is going too far when the problem can be solved using the native features.