Hi Matt ,
I believe , you can do a small Script just to exclude Portal roles ( IDM Privileges). This way , Portal Role assignments will not be removed by IDM .Script can just include 1) Simple SELECT Statement to extract all roles with the exception of Portal Roles & pass only this values to MXREF_MX_PRIVILEGE for removal .
This way , you dont want to do a remove & add for the user .
Hope it helps .
Thanks ,
Jerry George