Deprovisioning Without Disconnect

We have the following setup:
- 1 HR MA that always projects to the MV
- a number of MAs that always join to the MV

The HR MA initiates provisioning/deprovisioning requests. Presently when an 
HR MA connector is disconnected, the MetaVerse object is deleted and 
deprovisioning calls flow to the other MAs.

However recently i added "action" and "actionData" fields to
the MetaVerse. 
I want to deprovision only if "action" is set to
"deprovision" (adds some 
extra layer of security plus provides some data that the Operational MA is 
able to use to do post-deprovisioning tasks).

So when, a connector comes in to the HR MA with action set to
"deprovision" 
i want it to become an explicit disconnector and initiate the deprovisioning. 
This is instead of deprovisioning initiating automatically when the HR MA 
connector is disconnected. I don't want deprovisioning to be initiatated from 
a disconnect. Initiating deprovisioning from a disconnect + 
action=="deprovisioning" (by implementing MetaVerse.SHouldDeleteFromMV
is 
also not ideal).

I attempted to implement this with a rules extension - i added an import 
rule from the HR MA to the MetaVerse, which checks the value of
"action", if 
it's "deprovision" then i had it call csentry.Deprovision() - but this
throws 
an exception:
System.InvalidOperationException: Connection is read-only.

The only reason why initiating deprovisioning from a disconnect AND a check 
that action=="deprovisioning" is that an employee Termination can
remain open 
for a few days, meanwhile the employee's HR MA connector will be around (so 
the disconnect does not happen immediately) - plus there are some logging 
issues associated with this specific to our environment. I'll go with this 
approach if required, but i'm curious as to why i get the "read-only"
error 
when calling csentry.Deprovision().

Thoughs and ideas are appreciated.