Dear all,
I have a question regarding the User Storage Federation
(https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/top...)
with respect to LDAP as an external user database and the available mappers.
Current situation:
Right now I'm able to map roles assigned to users and defined in LDAP to Keycloak with
the existing Role Mapper, e.g. an Administrator/User role for a specific application.
The JWT output then contains a section like this:
"resource_access": {
  "myApp": {
    "roles": [
      "Administrator"
    ]
  }
}
Desired solution:
Is it possible out of the box to use the existing Role Mapper, as described in the chapter
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/top...
to map composite roles defined in Keycloak to LDAP?
The thing is, in the end I want to define composite roles in LDAP that collect finer user
rights under certain "container" roles - like Users, Editors, Administrator - and
map them to Keycloak, and respectively the finer-grained rights, to provide the granted user
rights in the JWT.
e.g.
Rights/Roles:
- read page
- edit page
- delete page
- create page
Composite Roles:
- User = {read page}
- Editor = {read page, create page, edit page}
- Administrator = {read page, delete page}
The final result in the JWT should then contain a section something like the following, where the
composite role is automatically resolved into the more specific single rights:
"resource_access": {
  "myApp": {
    "roles": [
      "read page",
      "delete page"
    ]
  }
}
Or is Keycloak designed in such a way that the finer rights can be stored in LDAP but the
composition is done afterwards in Keycloak?
Thanks,
Christian
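The resolution the message asks for, composite roles expanded into the fine-grained rights that end up in the resource_access claim, as an added example; this is not code from the message or from Keycloak. The role names and the client id "myApp" are taken from the message; the resolver itself, its handling of nested composites and the cycle guard are assumptions of the example.

```python
"""Resolve composite roles into the flat role list of a resource_access claim.

Added example, not code from the original message or from Keycloak.
Role definitions and the client id "myApp" come from the message.
"""
from typing import Dict, Iterable, List, Set

# Composite roles from the message (constructed sample data).
# A composite may reference other composites; the resolver follows those.
COMPOSITES: Dict[str, Set[str]] = {
    "User": {"read page"},
    "Editor": {"read page", "create page", "edit page"},
    "Administrator": {"read page", "delete page"},
}


def resolve_roles(assigned: Iterable[str], composites: Dict[str, Set[str]],
                  keep_composite_names: bool = False) -> List[str]:
    """Expand assigned roles into the effective set of fine-grained roles.

    Composites are replaced by their members (recursively). Any role that is
    not a composite is a leaf right and is kept. The `seen` set guards against
    cycles such as A -> B -> A. The message wants only leaf rights in the token,
    so composite names are dropped unless keep_composite_names is set.
    """
    effective: Set[str] = set()
    seen: Set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        members = composites.get(role)
        if members is None:
            effective.add(role)  # leaf right: goes into the token
        else:
            if keep_composite_names:
                effective.add(role)
            stack.extend(members)  # composite: expand its members
    return sorted(effective)


def resource_access(client_id: str, assigned: Iterable[str],
                    composites: Dict[str, Set[str]] = COMPOSITES) -> dict:
    """Build the resource_access claim fragment shown in the message."""
    return {"resource_access": {client_id: {"roles": resolve_roles(assigned, composites)}}}


if __name__ == "__main__":
    import json
    print(json.dumps(resource_access("myApp", ["Administrator"]), indent=2))
```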