Reply to comment
You can use API_UserRoles to get all the users that are in roles for your application, along with all of the roles for each user.
You can use API_ChangeUserRole to move a user to a different role. You would also use this call if you wanted to suspend the user access, but still keep the user on the application access list to make it easier to activate their access again. This would be role 0, (zero), which is the None role, meaning no access. Later, you could invoke API_ChangeUserRole again to assign the user to an access role.
You could call API_RemoveUserFromRole if you wanted to permanently remove the user from access.