We need to update the roles docs to include provisioning and deprovisioning based on role assignments.
When a role assignment is removed from a user entry, we now provide the old value to the sync. In this way, we can selectively remove a value from the target when we sync to that target.
The last synchronized value of a virtual attribute is now stored alongside the managed object. To trigger a check on whether virtual attributes must be synced, there is a new attribute on managed objects called triggerSyncCheck.
When a role definition changes, the script can call a sync check on the managed user, to check whether any users who have the roles assigned need to be re-synced.
onAssignment and onUnassignment scripts
If the role is deleted, if the assignment is removed from the role, or if the role attribute is removed from a managed user, the onUnassignment script is triggered (in the future we should disallow deleting a role if a user has that role assigned).
The assignmentOperation can be either an alias (e.g., mergeWithTarget) or a complete script that indicates what should be done on assignment.
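
The following is an added illustration, not OpenIDM code: a small JavaScript model of why passing the old value to the sync matters for deprovisioning, and of what a merge-style assignment operation does. The helper names, the `remainingAssignments` parameter, and the group values are hypothetical and constructed for this example.

```javascript
// Illustrative model only: these helpers are hypothetical, not OpenIDM APIs.

// Merge the values a role assignment contributes into the target's
// multi-valued attribute, without duplicates (the idea behind a
// merge-style assignmentOperation such as the mergeWithTarget alias).
function mergeWithTarget(targetValues, assignedValues) {
  const merged = [...targetValues];
  for (const v of assignedValues) {
    if (!merged.includes(v)) merged.push(v);
  }
  return merged;
}

// On unassignment, remove only what the removed assignment contributed
// (oldValues). Values still granted by the user's remaining assignments,
// and values that never came from a role, stay on the target.
function removeOldValues(targetValues, oldValues, remainingAssignments) {
  const stillGranted = new Set(remainingAssignments.flat());
  return targetValues.filter(
    (v) => !oldValues.includes(v) || stillGranted.has(v)
  );
}

// Constructed sample data: group memberships on a target account.
const existingOnTarget = ["cn=printers"];        // set directly on the target
const employeeRole = ["cn=employees", "cn=vpn"]; // values from one assignment
const contractorRole = ["cn=vpn"];               // values from another assignment

function demo() {
  let groups = mergeWithTarget(existingOnTarget, employeeRole);
  groups = mergeWithTarget(groups, contractorRole);
  // The employee assignment is removed; its old value is passed to the sync.
  return removeOldValues(groups, employeeRole, [contractorRole]);
}

console.log(demo());
```

Without the old value, the sync could only leave the stale entitlement in place or overwrite the whole attribute; with it, only the values that the removed assignment granted are withdrawn.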