When a role is updated via a PUT, the conditionalRoles.js script correctly updates the role members, removing those who lost the role due to the change, and adding those who gained the role due to the change. This can be verified by PUTing an updated role in ARC over and over again. However, the UI uses a PATCH to update the role condition. In this case, the onUpdate script causes the conditionalRoles.js function to be invoked, and the calculations it performs are again correct, but the assigned role members are not persisted in the repo. The suspicion is around the script binding of the 'object' parameter, but no obvious smoking gun was discovered looking through the ManagedObjectSet invocation chain traversed in the PATCH vs. PUT invocation.