It's very difficult right now to express declarative statements like:

- Ensure this user is not in this group, leave it alone otherwise.
- Ensure this user is in this group without defining the user, leave it alone otherwise.

I propose that we move group membership to a type of its own. That would also allow us to abstract away the differences between different platforms, some of which consider membership to be an attribute of the group, some of which consider it to be an attribute of the user.
It would allow us to remove all the "authoritative" settings for user/group membership, as they would move to this type instead.