[keycloak-user] Where to define Roles?

Any thoughts on where to define roles. It seems there may be three choices: 1. Define Roles in the user storage provider. I believe Red Hat Identity Manager (LDAP) supports this for example. Then I believe Keycloak can be configured to load the roles 2. Define Roles directly in Keycloak (possibly defined based on groups synced from LDAP) 3. Define Roles in client applications (possibly defined based on groups queried from Keycloak). I believe Wildly client adapter "Elytron" subsystem might support this? Not sure. Custom clients certainly could query Keycloak for groups and then define their own roles.