You could set a date in a field--say in the employee or user table labled: AccessTerminatesOn or some such with a second field that stores their account name.
If you set up a script that checks once a day for records in that field with a date on or before today's date it could use Delete Account to delete their account in Manage | Security and then clears the date field so that it doesn't do this more than once.
Such a script can be set to run with full access privileges and it can be part of the start up script that runs when the file is opened or from a daily server schedule if the file is hosted over a network.
THe way it is set up is I share this on a Dropbox, yes I know stupid, but to be honest it works. If for some reason I wanted to shut them out of it I guess I can just delete their account and that will be the end. I would just like to lock anyone without my clearance which is the highest to be locked out every few months. Just in case for some reason he stopped paying his bill or something like that.
Just something that I was thinking about.
A script set to run each time that the user opens the file can do that. It won't automatically lock them out the first time it finds that their rights have 'expired' but it will the next time that they attempt to open the file. It could also use the Enable Account step to deactivate their account. That then allows you to re-activate it after their bill is paid up...
That start up script can also display a warning that their access privileges have been terminated and close the file.