[keycloak-user] Client specific enumerated roles

Currently in our application we use LDAP and each LDAP role is mapped to multiple CRUD permissions roles with in the application. For example HUMAN_RESOURCE_DIRECTOR role in LDAP is mapped to CREATE_Employee, Update_Employee, Read_Department and etc. We are adding these enumerated roles by extending LdapExtLoginModule. Now we are planning to switch to Keycloak (rh-sso), what is the best approach to achieve this? According to the issue, https://issues.jboss.org/browse/KEYCLOAK-1382, looks like extending LoginModule is not an option. Thank you and appreciate it.