Back in September we submitted a ticket (#15047: OpenIDM Role removal does not trigger target LDAP group removal) because we were having trouble getting IDM to remove the LDAP group from DJ when the role was removed from the user on OpenIDM 3.1.0. Since then we have upgraded our Non-Prod environment to 4.5 only to have the same issue.
We determined that the issue we were having was due to a casing mismatch between the LDAP group DN in DJ and the assignment definition in the bin/defaults/script/roles/removeFromTarget.js script. Specifically, it occurs when the targetValue is an array, on line 44 (var index = targetValue.indexOf(value[x]);).
We were able to apply our own custom fix to the script, which I have attached. However, maybe this is something that could be accounted for in future releases?
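
The casing mismatch described in this post can be shown with a DN-aware lookup in place of the case-sensitive indexOf call. This is an added example, not the attached fix and not the shipped removeFromTarget.js; the helper names and the sample DNs are hypothetical, and it assumes the DN attributes use case-insensitive matching (cn, ou, dc).

```javascript
// Added example (hypothetical helpers); assumes case-insensitive DN attributes (cn, ou, dc).

// Split a DN into RDNs on commas that are not backslash-escaped.
function splitRdns(dn) {
    var parts = [], current = "", i, ch;
    for (i = 0; i < dn.length; i++) {
        ch = dn.charAt(i);
        if (ch === "\\" && i + 1 < dn.length) {
            current += ch + dn.charAt(++i);   // keep the escaped pair intact
        } else if (ch === ",") {
            parts.push(current); current = "";
        } else {
            current += ch;
        }
    }
    parts.push(current);
    return parts;
}

// Canonical form used for comparison only: trim around "," and "=", then lowercase.
function normalizeDn(dn) {
    return splitRdns(String(dn)).map(function (rdn) {
        var eq = rdn.indexOf("=");
        if (eq < 0) { return rdn.trim().toLowerCase(); }
        return rdn.slice(0, eq).trim().toLowerCase() + "=" +
               rdn.slice(eq + 1).trim().toLowerCase();
    }).join(",");
}

// Case-insensitive stand-in for targetValue.indexOf(value[x]).
function indexOfDn(targetValue, dn) {
    var wanted = normalizeDn(dn), i;
    for (i = 0; i < targetValue.length; i++) {
        if (normalizeDn(targetValue[i]) === wanted) { return i; }
    }
    return -1;
}

// Remove each assignment value from a copy of the target array.
function removeDns(targetValue, values) {
    var result = targetValue.slice(), x, index;
    for (x = 0; x < values.length; x++) {
        index = indexOfDn(result, values[x]);
        if (index > -1) { result.splice(index, 1); }
    }
    return result;
}

// Constructed sample: the directory returns different casing than the assignment definition.
var sampleTarget = ["CN=Admins,OU=Groups,DC=example,DC=com", "cn=users,ou=groups,dc=example,dc=com"];
```

The stored values are left untouched; only the comparison is normalized, so what gets written back to the directory keeps its original casing.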