I have a use case where "application roles" assigned to users in LDAP correspond to CQ5 groups and when a user first logs in to CQ5, the user sync event results in them being assigned to all the correct CQ5 groups. However, a user's LDAP record can be updated to add or remove these "application rol...