Using IDM 4.5.2 AE with Role driver and UA driver 0.20141007.205046

I have a role associated with a resource that has a static value
assignment to the AD driver Group entitlement.

A user is assigned to the role.

If the AD group for some reason is renamed or moved then the
"Entitlement Value Information" on the "Entitlement" tab will show that
the value is invalid since the DN has changed (after a code map refresh).

If I in UA IDMProv (or using SOAP) remove the old entitlement value and
add the new one it seems that the connection between the role and
resource is lost even if the interface indicates that the role and
resource are associated. The nrfResourceAssociation object is still there.

For example if I remove the user from the role after changing the
entitlement value on the resource then the role will be removed from the
user but not the resource.

Is this working as designed?

My options are:

1) Don't change the entitlement value on the resource once it has been
set. It works since the AD driver policy uses the association (GUID) to
add/remove users from AD groups. The downside is that the UA interface
displays the "Invalid" warning when looking at the resource.

2) Change the entitlement ref value on the resource and lose the
connection between role and resource; it looks OK in the interface but
causes stuff to get out of sync.

3) I have tried to change the Group entitlement so that the
"Display-Name" under "Entitlement Consumer Value" is "Association"
instead of "Source Distinguished Name" and do a code map refresh but the
paramvalue column in the provisioning_view_value table is not updated
with ID2 (the display-name), just ID (the value).

4) Forbid the client to move/rename groups in AD.