I am probably getting confused by IDM'isms versus Role Based
Entitlement'isms which are basically LDAP Dynamic groups...

I want an RBE that applies when a user is made the member of a specific
group.

I see how I would do an RBE for all object of say an object class
acmeAddOnUsers

I see how I would do an RBE for all users where acmeGiveMeEmail=true is set.

What I want to do is if a user is placed in the group acmeMeWannaEmail
in say AD, it syncs to the vault, syncs to the next tree, to make them
appear in the entitlement.

I could convert the Group membership change to acmeGiveMeEmail=true in
IDM policy pretty easily. But it seems like a backwards approach.

Ought to be an easy way to do it directly.

I tried:
objectClass=User
Group Membership=acmeMeWannaEmail.groups.ou.o

also tried

Group Membership is equal to cn=AcmeMeWannaEmail,ou=groups,ou=ou,o=o

You know the obvious stuff. I must be missing something really obvious
as this should be really easy and common to do.