Just in case you don't have it, here's an example etautil command to add a provisioning role to a user and sync the user
etautil -d im -u etaadmin -p <password> ^
update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' ^
eTGlobalUser eTGlobalUserName=xyz123 to ^
+eTRoleDN='eTRoleName=PR-AD-EMEA-Partners-Birthright,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' ^
eTSyncUsers='1' >> Log.txt
Best to make sure that inbound sync is turned off during these operations so as not to flood IM and the TP database with messages.
Pearse