Group has an auth_membership attribute which controls whether or not any members not listed are removed from the group. This is very much not clear from the documentation description. Can we get a documentation update?
whether the provider is authoritative for group membership.
Valid values are true, false, yes, no.
Further, the wording of attribute_membership is even worse. I cannot fathom what this attribute does, or what the values mean in that context:
Whether specified attribute value pairs should be treated as the only attributes of the user or whether they should merely be treated as the minimum list.
Valid values are inclusive, minimum.