The legacy googleapps provisioner had the option to provision members who were also group admins or updaters with the MANAGER role. The new provisioner does not look at privileges, so has set all those users to having the MEMBER role where it used to be MANAGER.

Proposed:

1) The membership config section 2 has types to provision, and options for members vs. admins. We would add an option for "members and admins", "members and readers", and "members and updaters"

2) In the memberships attributes, support some kind of objects for jexl, so the user can construct an expression to compute the role. E.g. a field called role could beL

member.hasUpdate() ? "MANAGER" : "MEMBER"

This should be pre-cached to avoid 100k+ individual lookups. To not disrupt existing provisioners, the provisioner should be aware of the special handling of role field, replacing the hardcoded MEMBER role when there is a role attribute, but default to MEMBER if there is no role attribute