Hi, I am aware that if "Import users" is enabled, the users will be automatically imported from LDAP into Keycloak and I can go to a user's settings, and add roles to that user as needed. But in my case, I don't want the users to be imported automatically and get access to the application. I would like to restrict the access to a few LDAP users by manually adding/importing LDAP users and assign roles to them. I managed to create my own Rest endpoint to import the selected LDAP user into Keycloak DB as a local user by adding the Federation link and required LDAP attributes to the user. It is working fine. But the problem comes when I assign a client level role to this imported user. It throws "Read-only Mode" exception because "Import Users" is set to OFF in LDAP configuration. I tried the below code to grant the roles to the user which works only after the service. Is there a better way to assign the roles to an LDAP user? UserModel user = keycloakSession.userLocalStorage().getUserById(userId, realm); RoleModel roleModel = client.getRole(role.getName()); user.grantRole(roleModel); Thanks.