diff --git a/src/groups.js b/src/groups.js
index 344daedc0..f3bbd918b 100644
--- a/src/groups.js
+++ b/src/groups.js
@@ -90,13 +90,18 @@ async function del(group, auditSource) {
 assert.strictEqual(typeof group, 'object');
 assert(auditSource && typeof auditSource === 'object');
+ const arSearch = `JSON_SEARCH(accessRestrictionJson, 'one', ?, NULL, '$.groups')`;
+ const opSearch = `JSON_SEARCH(operatorsJson, 'one', ?, NULL, '$.groups')`;
+
 const queries = [
+ { query: `UPDATE apps SET accessRestrictionJson=JSON_REMOVE(accessRestrictionJson, REPLACE(${arSearch}, '"', '')) WHERE ${arSearch} IS NOT NULL`, args: [ group.id, group.id ] },
+ { query: `UPDATE apps SET operatorsJson=JSON_REMOVE(operatorsJson, REPLACE(${opSearch}, '"', '')) WHERE ${opSearch} IS NOT NULL`, args: [ group.id, group.id ] },
 { query: 'DELETE FROM groupMembers WHERE groupId = ?', args: [ group.id ] },
- { query: 'DELETE FROM userGroups WHERE id = ?', args: [ group.id ] }
+ { query: 'DELETE FROM userGroups WHERE id = ?', args: [ group.id ] }, // keep this the last query as we check affectedRows below
 ];
 const result = await database.transaction(queries);
- if (result[1].affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Group not found');
+ if (result[queries.length-1].affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Group not found');
 await eventlog.add(eventlog.ACTION_GROUP_REMOVE, auditSource, { group });
 }
diff --git a/src/users.js b/src/users.js
index 9da7a96b9..a6e351f5e 100644
--- a/src/users.js
+++ b/src/users.js
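Review bot: The id bound to `?` in `arSearch` and `opSearch` is matched as a pattern rather than compared exactly, because JSON_SEARCH treats `%` and `_` in its search string as LIKE wildcards and `'one'` stops at the first hit. If a group id could ever contain either character, the UPDATE may strip a different group's entry from `$.groups`, and an id listed twice is removed only once, leaving a stale entry for the deleted group. Group ids are presumably generated and free of both characters, so a comment recording that assumption is probably enough, e.g. `// JSON_SEARCH matches the id as a LIKE pattern and removes one occurrence; ids must not contain % or _ and lists must be duplicate-free`. The same pair of queries in the src/users.js hunk (on `$.users`) rests on the same assumption. The signature of `del` appears only in the hunk header, not in the hunk lines.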
@@ -316,16 +316,22 @@ async function del(user, auditSource) {
 if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
- const queries = [];
- queries.push({ query: 'DELETE FROM groupMembers WHERE userId = ?', args: [ user.id ] });
- queries.push({ query: 'DELETE FROM tokens WHERE identifier = ?', args: [ user.id ] });
- queries.push({ query: 'DELETE FROM appPasswords WHERE userId = ?', args: [ user.id ] });
- queries.push({ query: 'DELETE FROM users WHERE id = ?', args: [ user.id ] });
+ const arSearch = `JSON_SEARCH(accessRestrictionJson, 'one', ?, NULL, '$.users')`;
+ const opSearch = `JSON_SEARCH(operatorsJson, 'one', ?, NULL, '$.users')`;
+
+ const queries = [
+ { query: `UPDATE apps SET accessRestrictionJson=JSON_REMOVE(accessRestrictionJson, REPLACE(${arSearch}, '"', '')) WHERE ${arSearch} IS NOT NULL`, args: [ user.id, user.id ] },
+ { query: `UPDATE apps SET operatorsJson=JSON_REMOVE(operatorsJson, REPLACE(${opSearch}, '"', '')) WHERE ${opSearch} IS NOT NULL`, args: [ user.id, user.id ] },
+ { query: 'DELETE FROM groupMembers WHERE userId = ?', args: [ user.id ] },
+ { query: 'DELETE FROM tokens WHERE identifier = ?', args: [ user.id ] },
+ { query: 'DELETE FROM appPasswords WHERE userId = ?', args: [ user.id ] },
+ { query: 'DELETE FROM users WHERE id = ?', args: [ user.id ] }, // keep this the last query as we check affectedRows below
+ ];
 const [error, result] = await safe(database.transaction(queries));
 if (error && error.sqlCode === 'ER_NO_REFERENCED_ROW_2') throw new BoxError(BoxError.NOT_FOUND, error);
 if (error) throw error;
- if (result[3].affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'User not found');
+ if (result[queries.length-1].affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'User not found');
 await eventlog.add(eventlog.ACTION_USER_REMOVE, auditSource, { userId: user.id, user: removePrivateFields(user) });
 }
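Review bot: Nothing on the two UPDATE entries says that their `WHERE ${arSearch} IS NOT NULL` and `WHERE ${opSearch} IS NOT NULL` clauses are required for safety rather than being an optimisation. JSON_REMOVE returns NULL when its path argument is NULL, so without the guard every app row that does not list the user would have the column overwritten with NULL; how a NULL `accessRestrictionJson` is interpreted is not visible here, but if it means "no restriction" that would widen access to those apps. I would add `// WHERE guard is required: JSON_REMOVE(col, NULL) yields NULL and would wipe the column` above the pair, here and on the matching queries in src/groups.js. `REPLACE(..., '"', '')` could also be written as `JSON_UNQUOTE(...)`, which states the intent directly. The body of `del` begins before this hunk.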