Hey, both of these are possible:
For the service desk with use or RBAC policies:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200891-Understanding-Admin-Access-and-RBAC-Poli.html
For the endpoint group is also viable, ...
You will have to remove it.
And to remove hot patch you should have another hot patch that works for the removal of these you need to install it , the following example is for illustrate you : * Install hotpatch : application install HOTPATCH_install...